From fa7587900e56a4dcb5a03c52a2d6daa59866e30f Mon Sep 17 00:00:00 2001 From: Tuan Dang Date: Thu, 18 Apr 2024 10:57:25 -0700 Subject: [PATCH 1/7] Finish preliminary capability for adding incomplete users to groups --- backend/src/@types/knex.d.ts | 8 + .../20240417032913_pending-group-addition.ts | 25 + backend/src/db/schemas/index.ts | 1 + backend/src/db/schemas/models.ts | 1 + .../src/db/schemas/pending-group-additions.ts | 20 + backend/src/ee/routes/v1/scim-router.ts | 43 +- backend/src/ee/services/group/group-dal.ts | 62 +- backend/src/ee/services/group/group-fns.ts | 701 ++++++++++++++++++ .../src/ee/services/group/group-service.ts | 202 ++--- backend/src/ee/services/group/group-types.ts | 91 +++ .../group/pending-group-addition-dal.ts | 55 ++ .../group/user-group-membership-dal.ts | 40 +- .../src/ee/services/license/licence-fns.ts | 6 +- .../src/ee/services/license/license-types.ts | 6 +- backend/src/ee/services/scim/scim-service.ts | 248 ++++++- backend/src/ee/services/scim/scim-types.ts | 9 + backend/src/server/routes/index.ts | 14 + .../src/services/auth/auth-signup-service.ts | 57 ++ backend/src/services/project/project-dal.ts | 4 +- backend/src/services/user/user-dal.ts | 14 + .../OrgGroupsSection/OrgGroupMembersModal.tsx | 294 ++++---- 21 files changed, 1510 insertions(+), 391 deletions(-) create mode 100644 backend/src/db/migrations/20240417032913_pending-group-addition.ts create mode 100644 backend/src/db/schemas/pending-group-additions.ts create mode 100644 backend/src/ee/services/group/group-fns.ts create mode 100644 backend/src/ee/services/group/pending-group-addition-dal.ts diff --git a/backend/src/@types/knex.d.ts b/backend/src/@types/knex.d.ts index 2c8b8be5a5..93c8cb1eb6 100644 --- a/backend/src/@types/knex.d.ts +++ b/backend/src/@types/knex.d.ts @@ -86,6 +86,9 @@ import { TOrgRoles, TOrgRolesInsert, TOrgRolesUpdate, + TPendingGroupAdditions, + TPendingGroupAdditionsInsert, + TPendingGroupAdditionsUpdate, TProjectBots, TProjectBotsInsert, TProjectBotsUpdate, @@ -212,6 +215,11 @@ declare module "knex/types/tables" { interface Tables { [TableName.Users]: Knex.CompositeTableType; [TableName.Groups]: Knex.CompositeTableType; + [TableName.PendingGroupAddition]: Knex.CompositeTableType< + TPendingGroupAdditions, + TPendingGroupAdditionsInsert, + TPendingGroupAdditionsUpdate + >; [TableName.UserGroupMembership]: Knex.CompositeTableType< TUserGroupMembership, TUserGroupMembershipInsert, diff --git a/backend/src/db/migrations/20240417032913_pending-group-addition.ts b/backend/src/db/migrations/20240417032913_pending-group-addition.ts new file mode 100644 index 0000000000..e720abd2ff --- /dev/null +++ b/backend/src/db/migrations/20240417032913_pending-group-addition.ts @@ -0,0 +1,25 @@ +import { Knex } from "knex"; + +import { TableName } from "../schemas"; +import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils"; + +export async function up(knex: Knex): Promise { + if (!(await knex.schema.hasTable(TableName.PendingGroupAddition))) { + await knex.schema.createTable(TableName.PendingGroupAddition, (t) => { + t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid()); + t.uuid("userId").notNullable(); + t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE"); + t.uuid("groupId").notNullable(); + t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE"); + t.unique(["userId", "groupId"]); + t.timestamps(true, true, true); + }); + } + + await createOnUpdateTrigger(knex, TableName.PendingGroupAddition); +} + +export async function down(knex: Knex): Promise { + await knex.schema.dropTableIfExists(TableName.PendingGroupAddition); + await dropOnUpdateTrigger(knex, TableName.PendingGroupAddition); +} diff --git a/backend/src/db/schemas/index.ts b/backend/src/db/schemas/index.ts index b9dab06bae..9a7772d5d3 100644 --- a/backend/src/db/schemas/index.ts +++ b/backend/src/db/schemas/index.ts @@ -27,6 +27,7 @@ export * from "./org-bots"; export * from "./org-memberships"; export * from "./org-roles"; export * from "./organizations"; +export * from "./pending-group-additions"; export * from "./project-bots"; export * from "./project-environments"; export * from "./project-keys"; diff --git a/backend/src/db/schemas/models.ts b/backend/src/db/schemas/models.ts index d5cf1b8867..ea1925eb2a 100644 --- a/backend/src/db/schemas/models.ts +++ b/backend/src/db/schemas/models.ts @@ -3,6 +3,7 @@ import { z } from "zod"; export enum TableName { Users = "users", Groups = "groups", + PendingGroupAddition = "pending_group_additions", GroupProjectMembership = "group_project_memberships", GroupProjectMembershipRole = "group_project_membership_roles", UserGroupMembership = "user_group_membership", diff --git a/backend/src/db/schemas/pending-group-additions.ts b/backend/src/db/schemas/pending-group-additions.ts new file mode 100644 index 0000000000..b665f8841e --- /dev/null +++ b/backend/src/db/schemas/pending-group-additions.ts @@ -0,0 +1,20 @@ +// Code generated by automation script, DO NOT EDIT. +// Automated by pulling database and generating zod schema +// To update. Just run npm run generate:schema +// Written by akhilmhdh. + +import { z } from "zod"; + +import { TImmutableDBKeys } from "./models"; + +export const PendingGroupAdditionsSchema = z.object({ + id: z.string().uuid(), + userId: z.string().uuid(), + groupId: z.string().uuid(), + createdAt: z.date(), + updatedAt: z.date() +}); + +export type TPendingGroupAdditions = z.infer; +export type TPendingGroupAdditionsInsert = Omit, TImmutableDBKeys>; +export type TPendingGroupAdditionsUpdate = Partial, TImmutableDBKeys>>; diff --git a/backend/src/ee/routes/v1/scim-router.ts b/backend/src/ee/routes/v1/scim-router.ts index 80ece7e85a..67209e7742 100644 --- a/backend/src/ee/routes/v1/scim-router.ts +++ b/backend/src/ee/routes/v1/scim-router.ts @@ -192,6 +192,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { + console.log(`GET /Users/${req.params.userId}`); const user = await req.server.services.scim.getScimUser({ userId: req.params.userId, orgId: req.permission.orgId @@ -246,6 +247,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { + console.log(`POST /Users req.body: `, req.body); const primaryEmail = req.body.emails?.find((email) => email.primary)?.value; const user = await req.server.services.scim.createScimUser({ @@ -273,6 +275,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { + console.log(`DELETE /Users/${req.params.userId}`); const user = await req.server.services.scim.deleteScimUser({ userId: req.params.userId, orgId: req.permission.orgId @@ -289,14 +292,28 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { body: z.object({ schemas: z.array(z.string()), displayName: z.string().trim(), - members: z.array(z.any()).length(0).optional() // okta-specific + members: z + .array( + z.object({ + value: z.string(), + display: z.string() + }) + ) + .optional() // okta-specific }), response: { 200: z.object({ schemas: z.array(z.string()), id: z.string().trim(), displayName: z.string().trim(), - members: z.array(z.any()).length(0), + members: z + .array( + z.object({ + value: z.string(), + display: z.string() + }) + ) + .optional(), meta: z.object({ resourceType: z.string().trim() }) @@ -305,9 +322,10 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { + console.log(`POST /Groups req.body: `, req.body); const group = await req.server.services.scim.createScimGroup({ - displayName: req.body.displayName, - orgId: req.permission.orgId + orgId: req.permission.orgId, + ...req.body }); return group; @@ -345,6 +363,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { + console.log(`GET /Groups req.query: `, req.query); const groups = await req.server.services.scim.listScimGroups({ orgId: req.permission.orgId, offset: req.query.startIndex, @@ -381,6 +400,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { + console.log(`GET /Groups/${req.params.groupId}`); const group = await req.server.services.scim.getScimGroup({ groupId: req.params.groupId, orgId: req.permission.orgId @@ -400,7 +420,12 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { schemas: z.array(z.string()), id: z.string().trim(), displayName: z.string().trim(), - members: z.array(z.any()).length(0) + members: z.array( + z.object({ + value: z.string(), // infisical userId + display: z.string() + }) + ) // note: is this where members are added to group? }), response: { 200: z.object({ @@ -421,10 +446,11 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { + console.log(`PUT /Groups/${req.params.groupId} req.body: `, req.body); const group = await req.server.services.scim.updateScimGroupNamePut({ groupId: req.params.groupId, orgId: req.permission.orgId, - displayName: req.body.displayName + ...req.body }); return group; @@ -482,8 +508,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { - // console.log("PATCH /Groups/:groupId req.body: ", req.body); - // console.log("PATCH /Groups/:groupId req.body: ", req.body.Operations[0]); + console.log(`PATCH /Groups/:${req.params.groupId} req.body: `, req.body); const group = await req.server.services.scim.updateScimGroupNamePatch({ groupId: req.params.groupId, orgId: req.permission.orgId, @@ -507,6 +532,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { + console.log(`DELETE /Groups/:${req.params.groupId}`); const group = await req.server.services.scim.deleteScimGroup({ groupId: req.params.groupId, orgId: req.permission.orgId @@ -557,6 +583,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { + console.log(`PUT /Users/:${req.params.userId} req.body: `, req.body); const user = await req.server.services.scim.replaceScimUser({ userId: req.params.userId, orgId: req.permission.orgId, diff --git a/backend/src/ee/services/group/group-dal.ts b/backend/src/ee/services/group/group-dal.ts index 55afd4e10f..3392bad320 100644 --- a/backend/src/ee/services/group/group-dal.ts +++ b/backend/src/ee/services/group/group-dal.ts @@ -59,13 +59,13 @@ export const groupDALFactory = (db: TDbClient) => { } }; - const countAllGroupMembers = async ({ orgId, groupId }: { orgId: string; groupId: string }) => { + const countGroupMembers = async ({ orgId, groupId }: { orgId: string; groupId: string }) => { try { interface CountResult { count: string; } - const doc = await db(TableName.OrgMembership) + const directCount = await db(TableName.OrgMembership) .where(`${TableName.OrgMembership}.orgId`, orgId) .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`) .leftJoin(TableName.UserGroupMembership, function () { @@ -75,13 +75,18 @@ export const groupDALFactory = (db: TDbClient) => { db.raw("?", [groupId]) ); }) - .where({ isGhost: false }) + .where({ isGhost: false, isAccepted: true }) .count(`${TableName.Users}.id`) .first(); - return parseInt((doc?.count as string) || "0", 10); + const pendingCount = await db(TableName.PendingGroupAddition) + .where(`${TableName.PendingGroupAddition}.groupId`, groupId) + .count("*") + .first(); + + return parseInt((directCount?.count as string) || "0", 10) + parseInt((pendingCount?.count as string) || "0", 10); } catch (err) { - throw new DatabaseError({ error: err, name: "Count all group members" }); + throw new DatabaseError({ error: err, name: "Count all direct group members" }); } }; @@ -110,14 +115,36 @@ export const groupDALFactory = (db: TDbClient) => { db.raw("?", [groupId]) ); }) - .select( + .leftJoin(TableName.PendingGroupAddition, function () { + this.on(`${TableName.PendingGroupAddition}.userId`, "=", `${TableName.Users}.id`).andOn( + `${TableName.PendingGroupAddition}.groupId`, + "=", + db.raw("?", [groupId]) + ); + }) + .select< + { + id: string; + groupId: string; + email: string; + username: string; + firstName: string; + lastName: string; + userId: string; + isPartOfGroup: boolean; + }[] + >( db.ref("id").withSchema(TableName.OrgMembership), db.ref("groupId").withSchema(TableName.UserGroupMembership), db.ref("email").withSchema(TableName.Users), db.ref("username").withSchema(TableName.Users), db.ref("firstName").withSchema(TableName.Users), db.ref("lastName").withSchema(TableName.Users), - db.ref("id").withSchema(TableName.Users).as("userId") + db.ref("id").withSchema(TableName.Users).as("userId"), + db.raw('CASE WHEN ?? IS NOT NULL OR ?? IS NOT NULL THEN TRUE ELSE FALSE END AS "isPartOfGroup"', [ + `${TableName.UserGroupMembership}.groupId`, + `${TableName.PendingGroupAddition}.groupId` + ]) ) .where({ isGhost: false }) .offset(offset); @@ -132,16 +159,15 @@ export const groupDALFactory = (db: TDbClient) => { const members = await query; - return members.map( - ({ email, username: memberUsername, firstName, lastName, userId, groupId: memberGroupId }) => ({ - id: userId, - email, - username: memberUsername, - firstName, - lastName, - isPartOfGroup: !!memberGroupId - }) - ); + return members.map(({ email, username: memberUsername, firstName, lastName, userId, isPartOfGroup }) => ({ + // TODO: fix type + id: userId, + email, + username: memberUsername, + firstName, + lastName, + isPartOfGroup + })); } catch (error) { throw new DatabaseError({ error, name: "Find all org members" }); } @@ -150,7 +176,7 @@ export const groupDALFactory = (db: TDbClient) => { return { findGroups, findByOrgId, - countAllGroupMembers, + countGroupMembers, findAllGroupMembers, ...groupOrm }; diff --git a/backend/src/ee/services/group/group-fns.ts b/backend/src/ee/services/group/group-fns.ts new file mode 100644 index 0000000000..ae488edcf6 --- /dev/null +++ b/backend/src/ee/services/group/group-fns.ts @@ -0,0 +1,701 @@ +import { Knex } from "knex"; + +import { SecretKeyEncoding, TUsers } from "@app/db/schemas"; +import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption"; +import { BadRequestError, ScimRequestError } from "@app/lib/errors"; + +import { + TAddUsersToGroupByUserIds, + TAddUsersToGroupDirectly, + TAddUsersToPendingGroupAdditions, + TConvertPendingGroupAdditionsToGroupMemberships, + TRemoveUsersFromGroupByUserIds, + TRemoveUsersFromGroupDirectly, + TRemoveUsersFromPendingGroupAdditions +} from "./group-types"; + +// TODO: write docstrings + +/** + * Add users with usernames [usernames] to group [group] + * @param {group} group - group to add user to + * @param {string[]} usernames - username(s) of user(s) to add to group + * @returns {Promise} - user that was added to group + */ +export const addUsersToGroupDirectly = async ({ + group, + usernames, + userDAL, + userGroupMembershipDAL, + orgDAL, + groupProjectDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + tx: outerTx +}: TAddUsersToGroupDirectly) => { + const processAddition = async (tx: Knex) => { + const users = await userDAL.findUserEncKeyByUsernameBatch( + { + usernames + }, + tx + ); + + const usersUsernamesSet = new Set(users.map((u) => u.username)); + usernames.forEach((username) => { + if (!usersUsernamesSet.has(username)) { + throw new BadRequestError({ + message: `Failed to find user with username ${username}` + }); + } + }); + + const userIds = users.map((u) => { + if (!u.isAccepted) { + throw new BadRequestError({ + message: `User ${u.username} cannot be added to group because they have not confirmed their account` + }); + } + + return u.userId; + }); + + // check if user(s) group membership(s) already exists + const existingUserGroupMemberships = await userGroupMembershipDAL.find( + { + groupId: group.id, + $in: { + userId: userIds + } + }, + { tx } + ); + + if (existingUserGroupMemberships.length) { + throw new BadRequestError({ + message: `User(s) are already part of the group ${group.slug}` + }); + } + + // check if all user(s) are part of the organization + const existingUserOrgMemberships = await orgDAL.findMembership( + { + orgId: group.orgId, + $in: { + userId: userIds + } + }, + { tx } + ); + + const existingUserOrgMembershipsUsernamesSet = new Set(existingUserOrgMemberships.map((u) => u.username)); + + usernames.forEach((username) => { + if (!existingUserOrgMembershipsUsernamesSet.has(username)) + throw new BadRequestError({ + message: `User ${username} is not part of the organization` + }); + }); + + await userGroupMembershipDAL.insertMany( + userIds.map((userId) => ({ + userId, + groupId: group.id + })), + tx + ); + + // check which projects the group is part of + const projectIds = Array.from( + new Set( + ( + await groupProjectDAL.find( + { + groupId: group.id + }, + { tx } + ) + ).map((gp) => gp.projectId) + ) + ); + + const keys = await projectKeyDAL.find( + { + $in: { + projectId: projectIds, + receiverId: userIds + } + }, + { tx } + ); + + const userKeysSet = new Set(keys.map((k) => `${k.projectId}-${k.receiverId}`)); + + for await (const projectId of projectIds) { + const usersToAddProjectKeyFor = users.filter((u) => !userKeysSet.has(`${projectId}-${u.userId}`)); + + if (usersToAddProjectKeyFor.length) { + // there are users who need to be shared keys + // process adding bulk users to projects for each project individually + const ghostUser = await projectDAL.findProjectGhostUser(projectId, tx); + + if (!ghostUser) { + throw new BadRequestError({ + message: "Failed to find sudo user" + }); + } + + const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId, tx); + + if (!ghostUserLatestKey) { + throw new BadRequestError({ + message: "Failed to find sudo user latest key" + }); + } + + const bot = await projectBotDAL.findOne({ projectId }, tx); + + if (!bot) { + throw new BadRequestError({ + message: "Failed to find bot" + }); + } + + const botPrivateKey = infisicalSymmetricDecrypt({ + keyEncoding: bot.keyEncoding as SecretKeyEncoding, + iv: bot.iv, + tag: bot.tag, + ciphertext: bot.encryptedPrivateKey + }); + + const plaintextProjectKey = decryptAsymmetric({ + ciphertext: ghostUserLatestKey.encryptedKey, + nonce: ghostUserLatestKey.nonce, + publicKey: ghostUserLatestKey.sender.publicKey, + privateKey: botPrivateKey + }); + + const projectKeysToAdd = usersToAddProjectKeyFor.map((user) => { + const { ciphertext: encryptedKey, nonce } = encryptAsymmetric( + plaintextProjectKey, + user.publicKey, + botPrivateKey + ); + return { + encryptedKey, + nonce, + senderId: ghostUser.id, + receiverId: user.userId, + projectId + }; + }); + + await projectKeyDAL.insertMany(projectKeysToAdd, tx); + } + } + + return users; + }; + + if (outerTx) { + return processAddition(outerTx); + } + return userDAL.transaction(async (tx) => { + return processAddition(tx); + }); +}; + +export const addUsersToPendingGroupAdditions = async ({ + group, + userIds, + pendingGroupAdditionDAL, + userDAL, + orgDAL, + tx: outerTx +}: TAddUsersToPendingGroupAdditions) => { + const processAddition = async (tx: Knex) => { + const users = await userDAL.find( + { + $in: { + id: userIds + } + }, + { tx } + ); + + const usersUserIdsSet = new Set(users.map((u) => u.id)); + userIds.forEach((userId) => { + if (!usersUserIdsSet.has(userId)) { + throw new BadRequestError({ + message: `Failed to find user with id ${userId}` + }); + } + }); + + users.map((u) => { + if (u.isAccepted) { + throw new BadRequestError({ + message: `User ${u.username} cannot be added to a pending group addition because they have confirmed their account` + }); + } + + return u.id; + }); + + // check if user(s) pending group addition(s) already exist + const existingPendingGroupAdditions = await pendingGroupAdditionDAL.find( + { + groupId: group.id, + $in: { + userId: userIds + } + }, + { tx } + ); + + if (existingPendingGroupAdditions.length) { + throw new BadRequestError({ + message: `User(s) are already part of the group ${group.slug}` + }); + } + + // check if all user(s) are part of the organization + const existingUserOrgMemberships = await orgDAL.findMembership( + { + orgId: group.orgId, + $in: { + userId: userIds + } + }, + { tx } + ); + + const existingUserOrgMembershipsUserIdsSet = new Set(existingUserOrgMemberships.map((u) => u.userId)); + + userIds.forEach((userId) => { + if (!existingUserOrgMembershipsUserIdsSet.has(userId)) + throw new BadRequestError({ + message: `User with id ${userId} is not part of the organization` + }); + }); + + await pendingGroupAdditionDAL.insertMany( + users.map((user) => ({ + userId: user.id, + groupId: group.id + })), + tx + ); + + return users; + }; + + if (outerTx) { + return processAddition(outerTx); + } + return userDAL.transaction(async (tx) => { + return processAddition(tx); + }); +}; + +export const addUsersToGroupByUserIds = async ({ + group, + userIds, + userDAL, + userGroupMembershipDAL, + orgDAL, + groupProjectDAL, + pendingGroupAdditionDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + tx: outerTx +}: TAddUsersToGroupByUserIds) => { + const processAddition = async (tx: Knex) => { + const foundMembers = await userDAL.find({ + $in: { + id: userIds + } + }); + + const foundMembersIdsSet = new Set(foundMembers.map((member) => member.id)); + + const isCompleteMatch = userIds.every((userId) => foundMembersIdsSet.has(userId)); + + if (!isCompleteMatch) { + throw new ScimRequestError({ + detail: "Members not found", + status: 404 + }); + } + + const membersToAddToGroupDirectly: TUsers[] = []; + const membersToAddToGroupPending: TUsers[] = []; + + foundMembers.forEach((member) => { + if (member.isAccepted) { + // add accepted member to group + membersToAddToGroupDirectly.push(member); + } else { + // add incomplete member to pending group addition + membersToAddToGroupPending.push(member); + } + }); + + let addedUsers: TUsers[] = []; + + if (membersToAddToGroupDirectly.length) { + addedUsers = addedUsers.concat( + await addUsersToGroupDirectly({ + group, + usernames: membersToAddToGroupDirectly.map((member) => member.username), + userDAL, + userGroupMembershipDAL, + orgDAL, + groupProjectDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + tx + }) + ); + } + + if (membersToAddToGroupPending.length) { + addedUsers = addedUsers.concat( + await addUsersToPendingGroupAdditions({ + group, + userIds: membersToAddToGroupPending.map((member) => member.id), + pendingGroupAdditionDAL, + userDAL, + orgDAL, + tx + }) + ); + } + + return addedUsers; + }; + + if (outerTx) { + return processAddition(outerTx); + } + return userDAL.transaction(async (tx) => { + return processAddition(tx); + }); +}; + +export const removeUsersFromGroupDirectly = async ({ + group, + userIds, + userDAL, + userGroupMembershipDAL, + groupProjectDAL, + projectKeyDAL, + tx: outerTx +}: TRemoveUsersFromGroupDirectly) => { + const processRemoval = async (tx: Knex) => { + const users = await userDAL.find( + { + $in: { + id: userIds + } + }, + { tx } + ); + + const usersUserIdsSet = new Set(users.map((u) => u.id)); + userIds.forEach((userId) => { + if (!usersUserIdsSet.has(userId)) { + throw new BadRequestError({ + message: `Failed to find user with id ${userId}` + }); + } + }); + + // check if user group membership already exists + const existingUserGroupMemberships = await userGroupMembershipDAL.find( + { + groupId: group.id, + $in: { + userId: userIds + } + }, + { tx } + ); + + const existingUserGroupMembershipsUserIdsSet = new Set(existingUserGroupMemberships.map((u) => u.userId)); + + userIds.forEach((userId) => { + if (!existingUserGroupMembershipsUserIdsSet.has(userId)) + throw new BadRequestError({ + message: `User(s) are not part of the group ${group.slug}` + }); + }); + + // check which projects the group is part of + const projectIds = Array.from( + new Set( + ( + await groupProjectDAL.find( + { + groupId: group.id + }, + { tx } + ) + ).map((gp) => gp.projectId) + ) + ); + + // TODO: this part can be optimized + for await (const userId of userIds) { + const t = await userGroupMembershipDAL.filterProjectsByUserMembership(userId, group.id, projectIds, tx); + const projectsToDeleteKeyFor = projectIds.filter((p) => !t.has(p)); + + if (projectsToDeleteKeyFor.length) { + await projectKeyDAL.delete( + { + receiverId: userId, + $in: { + projectId: projectsToDeleteKeyFor + } + }, + tx + ); + } + + await userGroupMembershipDAL.delete( + { + groupId: group.id, + userId + }, + tx + ); + } + + return users; + }; + + if (outerTx) { + return processRemoval(outerTx); + } + return userDAL.transaction(async (tx) => { + return processRemoval(tx); + }); +}; + +export const removeUsersFromPendingGroupAdditions = async ({ + group, + userIds, + userDAL, + pendingGroupAdditionDAL, + tx: outerTx +}: TRemoveUsersFromPendingGroupAdditions) => { + const processRemoval = async (tx: Knex) => { + const users = await userDAL.find( + { + $in: { + id: userIds + } + }, + { tx } + ); + + const usersUserIdsSet = new Set(users.map((u) => u.id)); + userIds.forEach((userId) => { + if (!usersUserIdsSet.has(userId)) { + throw new BadRequestError({ + message: `Failed to find user with id ${userId}` + }); + } + }); + + // check if user pending group addition already exists + const existingPendingGroupAdditions = await pendingGroupAdditionDAL.find( + { + groupId: group.id, + $in: { + userId: userIds + } + }, + { tx } + ); + + const existingPendingGroupAdditionsUserIdsSet = new Set(existingPendingGroupAdditions.map((u) => u.userId)); + + userIds.forEach((userId) => { + if (!existingPendingGroupAdditionsUserIdsSet.has(userId)) + throw new BadRequestError({ + message: `User(s) are not part of the group ${group.slug}` + }); + }); + + await pendingGroupAdditionDAL.delete( + { + groupId: group.id, + $in: { + userId: userIds + } + }, + tx + ); + + return users; + }; + + if (outerTx) { + return processRemoval(outerTx); + } + return userDAL.transaction(async (tx) => { + return processRemoval(tx); + }); +}; + +export const convertPendingGroupAdditionsToGroupMemberships = async ({ + userIds, + userDAL, + pendingGroupAdditionDAL, + userGroupMembershipDAL, + orgDAL, + groupProjectDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + tx: outerTx +}: TConvertPendingGroupAdditionsToGroupMemberships) => { + const processConversion = async (tx: Knex) => { + const users = await userDAL.find( + { + $in: { + id: userIds + } + }, + { tx } + ); + + const usersUserIdsSet = new Set(users.map((u) => u.id)); + userIds.forEach((userId) => { + if (!usersUserIdsSet.has(userId)) { + throw new BadRequestError({ + message: `Failed to find user with id ${userId}` + }); + } + }); + + users.forEach((user) => { + if (!user.isAccepted) { + throw new BadRequestError({ + message: `Failed to convert pending group additions to group memberships for user ${user.username} because they have not confirmed their account` + }); + } + }); + + const pendingGroupAdditions = await pendingGroupAdditionDAL.deletePendingGroupAdditionsByUserIds(userIds, tx); + + for await (const pendingGroupAddition of pendingGroupAdditions) { + await addUsersToGroupDirectly({ + group: pendingGroupAddition.group, + usernames: [pendingGroupAddition.user.username], + userDAL, + userGroupMembershipDAL, + orgDAL, + groupProjectDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + tx + }); + } + }; + + if (outerTx) { + return processConversion(outerTx); + } + return userDAL.transaction(async (tx) => { + await processConversion(tx); + }); +}; + +export const removeUsersFromGroupByUserIds = async ({ + group, + userIds, + userDAL, + userGroupMembershipDAL, + groupProjectDAL, + pendingGroupAdditionDAL, + projectKeyDAL, + tx: outerTx +}: TRemoveUsersFromGroupByUserIds) => { + const processRemoval = async (tx: Knex) => { + const foundMembers = await userDAL.find({ + $in: { + id: userIds + } + }); + + const foundMembersIdsSet = new Set(foundMembers.map((member) => member.id)); + + const isCompleteMatch = userIds.every((userId) => foundMembersIdsSet.has(userId)); + + if (!isCompleteMatch) { + throw new ScimRequestError({ + detail: "Members not found", + status: 404 + }); + } + + const membersToRemoveFromGroupDirectly: TUsers[] = []; + const membersToRemoveFromGroupPending: TUsers[] = []; + + foundMembers.forEach((member) => { + if (member.isAccepted) { + // remove accepted member from group + membersToRemoveFromGroupDirectly.push(member); + } else { + // remove incomplete member from pending group addition + membersToRemoveFromGroupPending.push(member); + } + }); + + console.log("removeUsersFromGroupByUserIds membersToRemoveFromGroupDirectly: ", membersToRemoveFromGroupDirectly); + console.log("removeUsersFromGroupByUserIds membersToRemoveFromGroupPending: ", membersToRemoveFromGroupPending); + + let removedUsers: TUsers[] = []; + + if (membersToRemoveFromGroupDirectly.length) { + removedUsers = removedUsers.concat( + await removeUsersFromGroupDirectly({ + group, + userIds: membersToRemoveFromGroupDirectly.map((member) => member.id), + userDAL, + userGroupMembershipDAL, + groupProjectDAL, + projectKeyDAL, + tx + }) + ); + } + + if (membersToRemoveFromGroupPending.length) { + removedUsers = removedUsers.concat( + await removeUsersFromPendingGroupAdditions({ + group, + userIds: membersToRemoveFromGroupPending.map((member) => member.id), + pendingGroupAdditionDAL, + userDAL, + tx + }) + ); + } + + return removedUsers; + }; + + if (outerTx) { + return processRemoval(outerTx); + } + return userDAL.transaction(async (tx) => { + return processRemoval(tx); + }); +}; diff --git a/backend/src/ee/services/group/group-service.ts b/backend/src/ee/services/group/group-service.ts index 285403bcde..5bb6aa9d6a 100644 --- a/backend/src/ee/services/group/group-service.ts +++ b/backend/src/ee/services/group/group-service.ts @@ -1,22 +1,23 @@ import { ForbiddenError } from "@casl/ability"; import slugify from "@sindresorhus/slugify"; -import { OrgMembershipRole, SecretKeyEncoding, TOrgRoles } from "@app/db/schemas"; +import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas"; +import { TPendingGroupAdditionDALFactory } from "@app/ee/services/group/pending-group-addition-dal"; import { isAtLeastAsPrivileged } from "@app/lib/casl"; -import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption"; import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors"; import { alphaNumericNanoId } from "@app/lib/nanoid"; +import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal"; +import { TOrgDALFactory } from "@app/services/org/org-dal"; +import { TProjectDALFactory } from "@app/services/project/project-dal"; +import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal"; +import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal"; +import { TUserDALFactory } from "@app/services/user/user-dal"; -import { TGroupProjectDALFactory } from "../../../services/group-project/group-project-dal"; -import { TOrgDALFactory } from "../../../services/org/org-dal"; -import { TProjectDALFactory } from "../../../services/project/project-dal"; -import { TProjectBotDALFactory } from "../../../services/project-bot/project-bot-dal"; -import { TProjectKeyDALFactory } from "../../../services/project-key/project-key-dal"; -import { TUserDALFactory } from "../../../services/user/user-dal"; import { TLicenseServiceFactory } from "../license/license-service"; import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission"; import { TPermissionServiceFactory } from "../permission/permission-service"; import { TGroupDALFactory } from "./group-dal"; +import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "./group-fns"; import { TAddUserToGroupDTO, TCreateGroupDTO, @@ -28,20 +29,21 @@ import { import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal"; type TGroupServiceFactoryDep = { - userDAL: Pick; + userDAL: Pick; groupDAL: Pick< TGroupDALFactory, - "create" | "findOne" | "update" | "delete" | "findAllGroupMembers" | "countAllGroupMembers" + "create" | "findOne" | "update" | "delete" | "findAllGroupMembers" | "countGroupMembers" >; groupProjectDAL: Pick; orgDAL: Pick; userGroupMembershipDAL: Pick< TUserGroupMembershipDALFactory, - "findOne" | "create" | "delete" | "filterProjectsByUserMembership" + "findOne" | "delete" | "filterProjectsByUserMembership" | "transaction" | "insertMany" | "find" >; projectDAL: Pick; projectBotDAL: Pick; - projectKeyDAL: Pick; + projectKeyDAL: Pick; + pendingGroupAdditionDAL: TPendingGroupAdditionDALFactory; // remove? permissionService: Pick; licenseService: Pick; }; @@ -57,6 +59,7 @@ export const groupServiceFactory = ({ projectDAL, projectBotDAL, projectKeyDAL, + pendingGroupAdditionDAL, permissionService, licenseService }: TGroupServiceFactoryDep) => { @@ -227,7 +230,7 @@ export const groupServiceFactory = ({ username }); - const totalCount = await groupDAL.countAllGroupMembers({ + const totalCount = await groupDAL.countGroupMembers({ orgId: group.orgId, groupId: group.id }); @@ -272,111 +275,23 @@ export const groupServiceFactory = ({ if (!hasRequiredPriviledges) throw new ForbiddenRequestError({ message: "Failed to add user to more privileged group" }); - // get user with username - const user = await userDAL.findUserEncKeyByUsername({ - username + const user = await userDAL.findOne({ username }); + if (!user) throw new BadRequestError({ message: `Failed to find user with username ${username}` }); + + const users = await addUsersToGroupByUserIds({ + group, + userIds: [user.id], + userDAL, + userGroupMembershipDAL, + orgDAL, + groupProjectDAL, + pendingGroupAdditionDAL, + projectKeyDAL, + projectDAL, + projectBotDAL }); - if (!user) - throw new BadRequestError({ - message: `Failed to find user with username ${username}` - }); - - // check if user group membership already exists - const existingUserGroupMembership = await userGroupMembershipDAL.findOne({ - groupId: group.id, - userId: user.userId - }); - - if (existingUserGroupMembership) - throw new BadRequestError({ - message: `User ${username} is already part of the group ${groupSlug}` - }); - - // check if user is even part of the organization - const existingUserOrgMembership = await orgDAL.findMembership({ - userId: user.userId, - orgId: actorOrgId - }); - - if (!existingUserOrgMembership) - throw new BadRequestError({ - message: `User ${username} is not part of the organization` - }); - - await userGroupMembershipDAL.create({ - userId: user.userId, - groupId: group.id - }); - - // check which projects the group is part of - const projectIds = ( - await groupProjectDAL.find({ - groupId: group.id - }) - ).map((gp) => gp.projectId); - - const keys = await projectKeyDAL.find({ - receiverId: user.userId, - $in: { - projectId: projectIds - } - }); - - const keysSet = new Set(keys.map((k) => k.projectId)); - const projectsToAddKeyFor = projectIds.filter((p) => !keysSet.has(p)); - - for await (const projectId of projectsToAddKeyFor) { - const ghostUser = await projectDAL.findProjectGhostUser(projectId); - - if (!ghostUser) { - throw new BadRequestError({ - message: "Failed to find sudo user" - }); - } - - const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId); - - if (!ghostUserLatestKey) { - throw new BadRequestError({ - message: "Failed to find sudo user latest key" - }); - } - - const bot = await projectBotDAL.findOne({ projectId }); - - if (!bot) { - throw new BadRequestError({ - message: "Failed to find bot" - }); - } - - const botPrivateKey = infisicalSymmetricDecrypt({ - keyEncoding: bot.keyEncoding as SecretKeyEncoding, - iv: bot.iv, - tag: bot.tag, - ciphertext: bot.encryptedPrivateKey - }); - - const plaintextProjectKey = decryptAsymmetric({ - ciphertext: ghostUserLatestKey.encryptedKey, - nonce: ghostUserLatestKey.nonce, - publicKey: ghostUserLatestKey.sender.publicKey, - privateKey: botPrivateKey - }); - - const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(plaintextProjectKey, user.publicKey, botPrivateKey); - - await projectKeyDAL.create({ - encryptedKey, - nonce, - senderId: ghostUser.id, - receiverId: user.userId, - projectId - }); - } - - return user; + return users[0]; }; const removeUserFromGroup = async ({ @@ -416,51 +331,20 @@ export const groupServiceFactory = ({ if (!hasRequiredPriviledges) throw new ForbiddenRequestError({ message: "Failed to delete user from more privileged group" }); - const user = await userDAL.findOne({ - username + const user = await userDAL.findOne({ username }); + if (!user) throw new BadRequestError({ message: `Failed to find user with username ${username}` }); + + const users = await removeUsersFromGroupByUserIds({ + group, + userIds: [user.id], + userDAL, + userGroupMembershipDAL, + pendingGroupAdditionDAL, + groupProjectDAL, + projectKeyDAL }); - if (!user) - throw new BadRequestError({ - message: `Failed to find user with username ${username}` - }); - - // check if user group membership already exists - const existingUserGroupMembership = await userGroupMembershipDAL.findOne({ - groupId: group.id, - userId: user.id - }); - - if (!existingUserGroupMembership) - throw new BadRequestError({ - message: `User ${username} is not part of the group ${groupSlug}` - }); - - const projectIds = ( - await groupProjectDAL.find({ - groupId: group.id - }) - ).map((gp) => gp.projectId); - - const t = await userGroupMembershipDAL.filterProjectsByUserMembership(user.id, group.id, projectIds); - - const projectsToDeleteKeyFor = projectIds.filter((p) => !t.has(p)); - - if (projectsToDeleteKeyFor.length) { - await projectKeyDAL.delete({ - receiverId: user.id, - $in: { - projectId: projectsToDeleteKeyFor - } - }); - } - - await userGroupMembershipDAL.delete({ - groupId: group.id, - userId: user.id - }); - - return user; + return users[0]; }; return { diff --git a/backend/src/ee/services/group/group-types.ts b/backend/src/ee/services/group/group-types.ts index e2fbbe63e4..301e12cdc5 100644 --- a/backend/src/ee/services/group/group-types.ts +++ b/backend/src/ee/services/group/group-types.ts @@ -1,4 +1,15 @@ +import { Knex } from "knex"; + +import { TGroups } from "@app/db/schemas"; +import { TPendingGroupAdditionDALFactory } from "@app/ee/services/group/pending-group-addition-dal"; +import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal"; import { TGenericPermission } from "@app/lib/types"; +import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal"; +import { TOrgDALFactory } from "@app/services/org/org-dal"; +import { TProjectDALFactory } from "@app/services/project/project-dal"; +import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal"; +import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal"; +import { TUserDALFactory } from "@app/services/user/user-dal"; export type TCreateGroupDTO = { name: string; @@ -35,3 +46,83 @@ export type TRemoveUserFromGroupDTO = { groupSlug: string; username: string; } & TGenericPermission; + +// group fns types + +export type TAddUsersToGroupByUserIds = { + group: TGroups; + userIds: string[]; + userDAL: Pick; + userGroupMembershipDAL: Pick; + orgDAL: Pick; + groupProjectDAL: Pick; + pendingGroupAdditionDAL: Pick; + projectKeyDAL: Pick; + projectDAL: Pick; + projectBotDAL: Pick; + tx?: Knex; +}; + +export type TAddUsersToGroupDirectly = { + group: TGroups; + usernames: string[]; + userDAL: Pick; + userGroupMembershipDAL: Pick; + orgDAL: Pick; + groupProjectDAL: Pick; + projectKeyDAL: Pick; + projectDAL: Pick; + projectBotDAL: Pick; + tx?: Knex; +}; + +export type TAddUsersToPendingGroupAdditions = { + userIds: string[]; + group: TGroups; + pendingGroupAdditionDAL: Pick; + userDAL: Pick; + orgDAL: Pick; + tx?: Knex; +}; + +export type TRemoveUsersFromGroupByUserIds = { + group: TGroups; + userIds: string[]; + userDAL: Pick; + userGroupMembershipDAL: Pick; + pendingGroupAdditionDAL: Pick; + groupProjectDAL: Pick; + projectKeyDAL: Pick; + tx?: Knex; +}; + +export type TRemoveUsersFromGroupDirectly = { + group: TGroups; + userIds: string[]; + userDAL: Pick; + userGroupMembershipDAL: Pick; + groupProjectDAL: Pick; + projectKeyDAL: Pick; + tx?: Knex; +}; + +export type TRemoveUsersFromPendingGroupAdditions = { + group: TGroups; + userIds: string[]; + pendingGroupAdditionDAL: Pick; + userDAL: Pick; + tx?: Knex; +}; + +export type TConvertPendingGroupAdditionsToGroupMemberships = { + userIds: string[]; + pendingGroupAdditionDAL: Pick; + userDAL: Pick; + userGroupMembershipDAL: Pick; + orgDAL: Pick; + groupProjectDAL: Pick; + projectKeyDAL: Pick; + projectDAL: Pick; + projectBotDAL: Pick; + tx?: Knex; +}; diff --git a/backend/src/ee/services/group/pending-group-addition-dal.ts b/backend/src/ee/services/group/pending-group-addition-dal.ts new file mode 100644 index 0000000000..579cbb6e56 --- /dev/null +++ b/backend/src/ee/services/group/pending-group-addition-dal.ts @@ -0,0 +1,55 @@ +import { Knex } from "knex"; + +import { TDbClient } from "@app/db"; +import { TableName } from "@app/db/schemas"; +import { DatabaseError } from "@app/lib/errors"; +import { ormify } from "@app/lib/knex"; + +export type TPendingGroupAdditionDALFactory = ReturnType; + +export const pendingGroupAdditionDALFactory = (db: TDbClient) => { + const pendingGroupAdditionOrm = ormify(db, TableName.PendingGroupAddition); + + // special query + const deletePendingGroupAdditionsByUserIds = async (userIds: string[], tx?: Knex) => { + try { + const pendingGroupAdditions = await (tx || db)(TableName.PendingGroupAddition) + .whereIn(`${TableName.PendingGroupAddition}.userId`, userIds) + .join(TableName.Groups, `${TableName.PendingGroupAddition}.groupId`, `${TableName.Groups}.id`) + .join(TableName.Users, `${TableName.PendingGroupAddition}.userId`, `${TableName.Users}.id`); + + await pendingGroupAdditionOrm.delete( + { + $in: { + userId: userIds + } + }, + tx + ); + + return pendingGroupAdditions.map(({ userId, username, groupId, orgId, name, slug, role, roleId }) => ({ + user: { + id: userId, + username + }, + group: { + id: groupId, + orgId, + name, + slug, + role, + roleId, + createdAt: new Date(), + updatedAt: new Date() + } + })); + } catch (error) { + throw new DatabaseError({ error, name: "Filter projects by user membership" }); + } + }; + + return { + ...pendingGroupAdditionOrm, + deletePendingGroupAdditionsByUserIds + }; +}; diff --git a/backend/src/ee/services/group/user-group-membership-dal.ts b/backend/src/ee/services/group/user-group-membership-dal.ts index e8a262c3e5..d4f8fecd7a 100644 --- a/backend/src/ee/services/group/user-group-membership-dal.ts +++ b/backend/src/ee/services/group/user-group-membership-dal.ts @@ -1,3 +1,5 @@ +import { Knex } from "knex"; + import { TDbClient } from "@app/db"; import { TableName, TUserEncryptionKeys } from "@app/db/schemas"; import { DatabaseError } from "@app/lib/errors"; @@ -14,24 +16,28 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => { * - The user is a member of a group that is a member of the project, excluding projects that they are part of * through the group with id [groupId]. */ - const filterProjectsByUserMembership = async (userId: string, groupId: string, projectIds: string[]) => { - const userProjectMemberships: string[] = await db(TableName.ProjectMembership) - .where(`${TableName.ProjectMembership}.userId`, userId) - .whereIn(`${TableName.ProjectMembership}.projectId`, projectIds) - .pluck(`${TableName.ProjectMembership}.projectId`); + const filterProjectsByUserMembership = async (userId: string, groupId: string, projectIds: string[], tx?: Knex) => { + try { + const userProjectMemberships: string[] = await (tx || db)(TableName.ProjectMembership) + .where(`${TableName.ProjectMembership}.userId`, userId) + .whereIn(`${TableName.ProjectMembership}.projectId`, projectIds) + .pluck(`${TableName.ProjectMembership}.projectId`); - const userGroupMemberships: string[] = await db(TableName.UserGroupMembership) - .where(`${TableName.UserGroupMembership}.userId`, userId) - .whereNot(`${TableName.UserGroupMembership}.groupId`, groupId) - .join( - TableName.GroupProjectMembership, - `${TableName.UserGroupMembership}.groupId`, - `${TableName.GroupProjectMembership}.groupId` - ) - .whereIn(`${TableName.GroupProjectMembership}.projectId`, projectIds) - .pluck(`${TableName.GroupProjectMembership}.projectId`); + const userGroupMemberships: string[] = await (tx || db)(TableName.UserGroupMembership) + .where(`${TableName.UserGroupMembership}.userId`, userId) + .whereNot(`${TableName.UserGroupMembership}.groupId`, groupId) + .join( + TableName.GroupProjectMembership, + `${TableName.UserGroupMembership}.groupId`, + `${TableName.GroupProjectMembership}.groupId` + ) + .whereIn(`${TableName.GroupProjectMembership}.projectId`, projectIds) + .pluck(`${TableName.GroupProjectMembership}.projectId`); - return new Set(userProjectMemberships.concat(userGroupMemberships)); + return new Set(userProjectMemberships.concat(userGroupMemberships)); + } catch (error) { + throw new DatabaseError({ error, name: "Filter projects by user membership" }); + } }; // special query @@ -45,7 +51,7 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => { ) .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`) .where(`${TableName.GroupProjectMembership}.projectId`, projectId) - .whereIn(`${TableName.Users}.username`, usernames) // TODO: pluck usernames + .whereIn(`${TableName.Users}.username`, usernames) .pluck(`${TableName.Users}.id`); return usernameDocs; diff --git a/backend/src/ee/services/license/licence-fns.ts b/backend/src/ee/services/license/licence-fns.ts index 8a4de57f1e..17a538881e 100644 --- a/backend/src/ee/services/license/licence-fns.ts +++ b/backend/src/ee/services/license/licence-fns.ts @@ -24,10 +24,10 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({ customAlerts: false, auditLogs: false, auditLogsRetentionDays: 0, - samlSSO: false, - scim: false, + samlSSO: true, + scim: true, ldap: false, - groups: false, + groups: true, status: null, trial_end: null, has_used_trial: true, diff --git a/backend/src/ee/services/license/license-types.ts b/backend/src/ee/services/license/license-types.ts index 1cea39a834..efc1c18dd2 100644 --- a/backend/src/ee/services/license/license-types.ts +++ b/backend/src/ee/services/license/license-types.ts @@ -40,10 +40,10 @@ export type TFeatureSet = { customAlerts: false; auditLogs: false; auditLogsRetentionDays: 0; - samlSSO: false; - scim: false; + samlSSO: true; + scim: true; ldap: false; - groups: false; + groups: true; status: null; trial_end: null; has_used_trial: true; diff --git a/backend/src/ee/services/scim/scim-service.ts b/backend/src/ee/services/scim/scim-service.ts index 15ca67a109..588159acfc 100644 --- a/backend/src/ee/services/scim/scim-service.ts +++ b/backend/src/ee/services/scim/scim-service.ts @@ -4,15 +4,21 @@ import jwt from "jsonwebtoken"; import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups } from "@app/db/schemas"; import { TGroupDALFactory } from "@app/ee/services/group/group-dal"; +import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns"; +import { TPendingGroupAdditionDALFactory } from "@app/ee/services/group/pending-group-addition-dal"; +import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal"; import { TScimDALFactory } from "@app/ee/services/scim/scim-dal"; import { getConfig } from "@app/lib/config/env"; import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors"; import { alphaNumericNanoId } from "@app/lib/nanoid"; import { TOrgPermission } from "@app/lib/types"; import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type"; +import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal"; import { TOrgDALFactory } from "@app/services/org/org-dal"; import { deleteOrgMembership } from "@app/services/org/org-fns"; import { TProjectDALFactory } from "@app/services/project/project-dal"; +import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal"; +import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal"; import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal"; import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service"; import { TUserDALFactory } from "@app/services/user/user-dal"; @@ -42,14 +48,22 @@ import { type TScimServiceFactoryDep = { scimDAL: Pick; - userDAL: Pick; + userDAL: Pick; orgDAL: Pick< TOrgDALFactory, "createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction" >; - projectDAL: Pick; + projectDAL: Pick; projectMembershipDAL: Pick; - groupDAL: Pick; + groupDAL: Pick< + TGroupDALFactory, + "create" | "findOne" | "findAllGroupMembers" | "update" | "delete" | "findGroups" | "transaction" + >; + groupProjectDAL: Pick; + userGroupMembershipDAL: TUserGroupMembershipDALFactory; // TODO: Pick + projectKeyDAL: Pick; + projectBotDAL: Pick; + pendingGroupAdditionDAL: TPendingGroupAdditionDALFactory; // TODO: Pick licenseService: Pick; permissionService: Pick; smtpService: TSmtpService; @@ -65,6 +79,11 @@ export const scimServiceFactory = ({ projectDAL, projectMembershipDAL, groupDAL, + groupProjectDAL, + userGroupMembershipDAL, + projectKeyDAL, + projectBotDAL, + pendingGroupAdditionDAL, permissionService, smtpService }: TScimServiceFactoryDep) => { @@ -473,7 +492,19 @@ export const scimServiceFactory = ({ }; const listScimGroups = async ({ orgId, offset, limit }: TListScimGroupsDTO) => { + const plan = await licenseService.getPlan(orgId); + if (!plan.groups) + throw new BadRequestError({ + message: "Failed to list SCIM groups due to plan restriction. Upgrade plan to list SCIM groups." + }); + const org = await orgDAL.findById(orgId); + if (!org) { + throw new ScimRequestError({ + detail: "Organization Not Found", + status: 404 + }); + } if (!org.scimEnabled) throw new ScimRequestError({ @@ -500,30 +531,77 @@ export const scimServiceFactory = ({ }); }; - const createScimGroup = async ({ displayName, orgId }: TCreateScimGroupDTO) => { + const createScimGroup = async ({ displayName, orgId, members }: TCreateScimGroupDTO) => { + const plan = await licenseService.getPlan(orgId); + if (!plan.groups) + throw new BadRequestError({ + message: "Failed to create a SCIM group due to plan restriction. Upgrade plan to create a SCIM group." + }); + const org = await orgDAL.findById(orgId); + if (!org) { + throw new ScimRequestError({ + detail: "Organization Not Found", + status: 404 + }); + } + if (!org.scimEnabled) throw new ScimRequestError({ detail: "SCIM is disabled for the organization", status: 403 }); - const group = await groupDAL.create({ - name: displayName, - slug: slugify(`${displayName}-${alphaNumericNanoId(4)}`), - orgId, - role: OrgMembershipRole.NoAccess + const newGroup = await groupDAL.transaction(async (tx) => { + const group = await groupDAL.create( + { + name: displayName, + slug: slugify(`${displayName}-${alphaNumericNanoId(4)}`), + orgId, + role: OrgMembershipRole.NoAccess + }, + tx + ); + + if (members && members.length) { + const newMembers = await addUsersToGroupByUserIds({ + group, + userIds: members.map((member) => member.value), + userDAL, + userGroupMembershipDAL, + orgDAL, + groupProjectDAL, + pendingGroupAdditionDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + tx + }); + + return { group, newMembers }; + } + + return { group, newMembers: [] }; }); return buildScimGroup({ - groupId: group.id, - name: group.name, - members: [] + groupId: newGroup.group.id, + name: newGroup.group.name, + members: newGroup.newMembers.map((member) => ({ + value: member.id, + display: `${member.firstName} ${member.lastName}` + })) }); }; const getScimGroup = async ({ groupId, orgId }: TGetScimGroupDTO) => { + const plan = await licenseService.getPlan(orgId); + if (!plan.groups) + throw new BadRequestError({ + message: "Failed to get SCIM group due to plan restriction. Upgrade plan to get SCIM group." + }); + const group = await groupDAL.findOne({ id: groupId, orgId @@ -536,6 +614,7 @@ export const scimServiceFactory = ({ }); } + // TODO: update to include pending group additions const users = await groupDAL.findAllGroupMembers({ orgId: group.orgId, groupId: group.id @@ -553,35 +632,130 @@ export const scimServiceFactory = ({ }); }; - const updateScimGroupNamePut = async ({ groupId, orgId, displayName }: TUpdateScimGroupNamePutDTO) => { - const [group] = await groupDAL.update( - { - id: groupId, - orgId - }, - { - name: displayName - } - ); + const updateScimGroupNamePut = async ({ groupId, orgId, displayName, members }: TUpdateScimGroupNamePutDTO) => { + console.log("updateScimGroupNamePut args: ", { + groupId, + orgId, + displayName, + members + }); - if (!group) { + const plan = await licenseService.getPlan(orgId); + if (!plan.groups) + throw new BadRequestError({ + message: "Failed to update SCIM group due to plan restriction. Upgrade plan to update SCIM group." + }); + + const org = await orgDAL.findById(orgId); + if (!org) { throw new ScimRequestError({ - detail: "Group Not Found", + detail: "Organization Not Found", status: 404 }); } + if (!org.scimEnabled) + throw new ScimRequestError({ + detail: "SCIM is disabled for the organization", + status: 403 + }); + + const updatedGroup = await groupDAL.transaction(async (tx) => { + const [group] = await groupDAL.update( + { + id: groupId, + orgId + }, + { + name: displayName + } + ); + + if (!group) { + throw new ScimRequestError({ + detail: "Group Not Found", + status: 404 + }); + } + + if (members) { + const membersIdsSet = new Set(members.map((member) => member.value)); + + const directMemberUserIds = ( + await userGroupMembershipDAL.find({ + groupId: group.id + }) + ).map((membership) => membership.userId); + + const pendingGroupAdditionsUserIds = ( + await pendingGroupAdditionDAL.find({ + groupId: group.id + }) + ).map((pendingGroupAddition) => pendingGroupAddition.userId); + + const allMembersUserIds = directMemberUserIds.concat(pendingGroupAdditionsUserIds); + const allMembersUserIdsSet = new Set(allMembersUserIds); + + const toAddUserIds = members.filter((member) => !allMembersUserIdsSet.has(member.value)); + const toRemoveUserIds = allMembersUserIds.filter((userId) => !membersIdsSet.has(userId)); + + if (toAddUserIds.length) { + await addUsersToGroupByUserIds({ + group, + userIds: toAddUserIds.map((member) => member.value), + userDAL, + userGroupMembershipDAL, + orgDAL, + groupProjectDAL, + pendingGroupAdditionDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + tx + }); + } + + if (toRemoveUserIds.length) { + await removeUsersFromGroupByUserIds({ + group, + userIds: toRemoveUserIds, + userDAL, + userGroupMembershipDAL, + groupProjectDAL, + pendingGroupAdditionDAL, + projectKeyDAL, + tx + }); + } + } + + return group; + }); + return buildScimGroup({ - groupId: group.id, - name: group.name, - members: [] + groupId: updatedGroup.id, + name: updatedGroup.name, + members }); }; // TODO: add support for add/remove op const updateScimGroupNamePatch = async ({ groupId, orgId, operations }: TUpdateScimGroupNamePatchDTO) => { + const plan = await licenseService.getPlan(orgId); + if (!plan.groups) + throw new BadRequestError({ + message: "Failed to update SCIM group due to plan restriction. Upgrade plan to update SCIM group." + }); + const org = await orgDAL.findById(orgId); + if (!org) { + throw new ScimRequestError({ + detail: "Organization Not Found", + status: 404 + }); + } + if (!org.scimEnabled) throw new ScimRequestError({ detail: "SCIM is disabled for the organization", @@ -635,6 +809,26 @@ export const scimServiceFactory = ({ }; const deleteScimGroup = async ({ groupId, orgId }: TDeleteScimGroupDTO) => { + const plan = await licenseService.getPlan(orgId); + if (!plan.groups) + throw new BadRequestError({ + message: "Failed to delete SCIM group due to plan restriction. Upgrade plan to delete SCIM group." + }); + + const org = await orgDAL.findById(orgId); + if (!org) { + throw new ScimRequestError({ + detail: "Organization Not Found", + status: 404 + }); + } + + if (!org.scimEnabled) + throw new ScimRequestError({ + detail: "SCIM is disabled for the organization", + status: 403 + }); + const [group] = await groupDAL.delete({ id: groupId, orgId diff --git a/backend/src/ee/services/scim/scim-types.ts b/backend/src/ee/services/scim/scim-types.ts index fc5df0b2ea..73d0ebe786 100644 --- a/backend/src/ee/services/scim/scim-types.ts +++ b/backend/src/ee/services/scim/scim-types.ts @@ -81,6 +81,11 @@ export type TListScimGroups = { export type TCreateScimGroupDTO = { displayName: string; orgId: string; + members?: { + // TODO: account for members with value and display (is this optional?) + value: string; + display: string; + }[]; }; export type TGetScimGroupDTO = { @@ -92,6 +97,10 @@ export type TUpdateScimGroupNamePutDTO = { groupId: string; orgId: string; displayName: string; + members: { + value: string; + display: string; + }[]; }; export type TUpdateScimGroupNamePatchDTO = { diff --git a/backend/src/server/routes/index.ts b/backend/src/server/routes/index.ts index 5d77c340b9..7d2a8fd938 100644 --- a/backend/src/server/routes/index.ts +++ b/backend/src/server/routes/index.ts @@ -13,6 +13,7 @@ import { dynamicSecretLeaseQueueServiceFactory } from "@app/ee/services/dynamic- import { dynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service"; import { groupDALFactory } from "@app/ee/services/group/group-dal"; import { groupServiceFactory } from "@app/ee/services/group/group-service"; +import { pendingGroupAdditionDALFactory } from "@app/ee/services/group/pending-group-addition-dal"; import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal"; import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal"; import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service"; @@ -217,6 +218,7 @@ export const registerRoutes = async ( const groupProjectDAL = groupProjectDALFactory(db); const groupProjectMembershipRoleDAL = groupProjectMembershipRoleDALFactory(db); const userGroupMembershipDAL = userGroupMembershipDALFactory(db); + const pendingGroupAdditionDAL = pendingGroupAdditionDALFactory(db); const secretScanningDAL = secretScanningDALFactory(db); const licenseDAL = licenseDALFactory(db); const dynamicSecretDAL = dynamicSecretDALFactory(db); @@ -268,6 +270,7 @@ export const registerRoutes = async ( projectDAL, projectBotDAL, projectKeyDAL, + pendingGroupAdditionDAL, permissionService, licenseService }); @@ -290,6 +293,11 @@ export const registerRoutes = async ( projectDAL, projectMembershipDAL, groupDAL, + groupProjectDAL, + userGroupMembershipDAL, + projectKeyDAL, + projectBotDAL, + pendingGroupAdditionDAL, permissionService, smtpService }); @@ -344,6 +352,12 @@ export const registerRoutes = async ( smtpService, authDAL, userDAL, + pendingGroupAdditionDAL, + userGroupMembershipDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + groupProjectDAL, orgDAL, orgService, licenseService diff --git a/backend/src/services/auth/auth-signup-service.ts b/backend/src/services/auth/auth-signup-service.ts index 3db935769f..c2f024290f 100644 --- a/backend/src/services/auth/auth-signup-service.ts +++ b/backend/src/services/auth/auth-signup-service.ts @@ -1,10 +1,17 @@ import jwt from "jsonwebtoken"; import { OrgMembershipStatus } from "@app/db/schemas"; +import { convertPendingGroupAdditionsToGroupMemberships } from "@app/ee/services/group/group-fns"; +import { TPendingGroupAdditionDALFactory } from "@app/ee/services/group/pending-group-addition-dal"; +import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal"; import { TLicenseServiceFactory } from "@app/ee/services/license/license-service"; import { getConfig } from "@app/lib/config/env"; import { BadRequestError } from "@app/lib/errors"; import { isDisposableEmail } from "@app/lib/validator"; +import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal"; +import { TProjectDALFactory } from "@app/services/project/project-dal"; +import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal"; +import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal"; import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service"; import { TokenType } from "../auth-token/auth-token-types"; @@ -20,6 +27,12 @@ import { AuthMethod, AuthTokenType } from "./auth-type"; type TAuthSignupDep = { authDAL: TAuthDALFactory; userDAL: TUserDALFactory; + pendingGroupAdditionDAL: Pick; + userGroupMembershipDAL: Pick; + projectKeyDAL: Pick; + projectDAL: Pick; + projectBotDAL: Pick; + groupProjectDAL: Pick; orgService: Pick; orgDAL: TOrgDALFactory; tokenService: TAuthTokenServiceFactory; @@ -31,6 +44,12 @@ export type TAuthSignupFactory = ReturnType; export const authSignupServiceFactory = ({ authDAL, userDAL, + pendingGroupAdditionDAL, + userGroupMembershipDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + groupProjectDAL, tokenService, smtpService, orgService, @@ -168,6 +187,20 @@ export const authSignupServiceFactory = ({ const uniqueOrgId = [...new Set(updatedMembersips.map(({ orgId }) => orgId))]; await Promise.allSettled(uniqueOrgId.map((orgId) => licenseService.updateSubscriptionOrgMemberCount(orgId))); + console.log("conv A"); + await convertPendingGroupAdditionsToGroupMemberships({ + userIds: [user.id], + userDAL, + pendingGroupAdditionDAL, + userGroupMembershipDAL, + orgDAL, + groupProjectDAL, + projectKeyDAL, + projectDAL, + projectBotDAL + }); + console.log("conv B"); + const tokenSession = await tokenService.getUserTokenSession({ userAgent, ip, @@ -225,13 +258,16 @@ export const authSignupServiceFactory = ({ encryptedPrivateKeyTag, authorization }: TCompleteAccountInviteDTO) => { + console.log("conv 0"); const user = await userDAL.findUserByUsername(email); if (!user || (user && user.isAccepted)) { throw new Error("Failed to complete account for complete user"); } + console.log("conv 1"); validateSignUpAuthorization(authorization, user.id); + console.log("conv 2"); const [orgMembership] = await orgDAL.findMembership({ inviteEmail: email, status: OrgMembershipStatus.Invited @@ -242,9 +278,12 @@ export const authSignupServiceFactory = ({ name: "complete account invite" }); + console.log("conv 3"); const updateduser = await authDAL.transaction(async (tx) => { + console.log("conv 4"); const us = await userDAL.updateById(user.id, { firstName, lastName, isAccepted: true }, tx); if (!us) throw new Error("User not found"); + console.log("conv 5"); const userEncKey = await userDAL.upsertUserEncryptionKey( us.id, { @@ -261,15 +300,33 @@ export const authSignupServiceFactory = ({ }, tx ); + console.log("conv 6"); const updatedMembersips = await orgDAL.updateMembership( { inviteEmail: email, status: OrgMembershipStatus.Invited }, { userId: us.id, status: OrgMembershipStatus.Accepted }, tx ); + console.log("conv 7"); const uniqueOrgId = [...new Set(updatedMembersips.map(({ orgId }) => orgId))]; + console.log("conv 8"); await Promise.allSettled(uniqueOrgId.map((orgId) => licenseService.updateSubscriptionOrgMemberCount(orgId))); + console.log("conv AA"); + await convertPendingGroupAdditionsToGroupMemberships({ + userIds: [user.id], + userDAL, + pendingGroupAdditionDAL, + userGroupMembershipDAL, + orgDAL, + groupProjectDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + tx + }); + console.log("conv BB"); + return { info: us, key: userEncKey }; }); diff --git a/backend/src/services/project/project-dal.ts b/backend/src/services/project/project-dal.ts index 42cc54393b..a4ec991571 100644 --- a/backend/src/services/project/project-dal.ts +++ b/backend/src/services/project/project-dal.ts @@ -81,9 +81,9 @@ export const projectDALFactory = (db: TDbClient) => { } }; - const findProjectGhostUser = async (projectId: string) => { + const findProjectGhostUser = async (projectId: string, tx?: Knex) => { try { - const ghostUser = await db(TableName.ProjectMembership) + const ghostUser = await (tx || db)(TableName.ProjectMembership) .where({ projectId }) .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`) .select(selectAllTableCols(TableName.Users)) diff --git a/backend/src/services/user/user-dal.ts b/backend/src/services/user/user-dal.ts index 425e8215c6..4c61c3174f 100644 --- a/backend/src/services/user/user-dal.ts +++ b/backend/src/services/user/user-dal.ts @@ -34,6 +34,19 @@ export const userDALFactory = (db: TDbClient) => { } }; + const findUserEncKeyByUsernameBatch = async ({ usernames }: { usernames: string[] }, tx?: Knex) => { + try { + return await (tx || db)(TableName.Users) + .where({ + isGhost: false + }) + .whereIn("username", usernames) + .join(TableName.UserEncryptionKey, `${TableName.Users}.id`, `${TableName.UserEncryptionKey}.userId`); + } catch (error) { + throw new DatabaseError({ error, name: "Find user enc by email batch" }); + } + }; + const findUserEncKeyByUserId = async (userId: string) => { try { const user = await db(TableName.Users) @@ -123,6 +136,7 @@ export const userDALFactory = (db: TDbClient) => { ...userOrm, findUserByUsername, findUserEncKeyByUsername, + findUserEncKeyByUsernameBatch, // TODO: if successful, replace findUserEncKeyByUsername with this findUserEncKeyByUserId, updateUserEncryptionByUserId, findUserByProjectMembershipId, diff --git a/frontend/src/views/Org/MembersPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupMembersModal.tsx b/frontend/src/views/Org/MembersPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupMembersModal.tsx index 8c15643b7d..d9aa4c3e0d 100644 --- a/frontend/src/views/Org/MembersPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupMembersModal.tsx +++ b/frontend/src/views/Org/MembersPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupMembersModal.tsx @@ -1,32 +1,27 @@ import { useState } from "react"; -import { faMagnifyingGlass,faUsers } from "@fortawesome/free-solid-svg-icons"; +import { faMagnifyingGlass, faUsers } from "@fortawesome/free-solid-svg-icons"; import { FontAwesomeIcon } from "@fortawesome/react-fontawesome"; import { createNotification } from "@app/components/notifications"; import { OrgPermissionCan } from "@app/components/permissions"; import { - Button, - EmptyState, - Input, - Modal, - ModalContent, - Pagination, - Table, - TableContainer, - TableSkeleton, - TBody, - Td, - Th, - THead, - Tr} from "@app/components/v2"; -import { - OrgPermissionActions, - OrgPermissionSubjects -} from "@app/context"; -import { - useAddUserToGroup, - useListGroupUsers, - useRemoveUserFromGroup} from "@app/hooks/api"; + Button, + EmptyState, + Input, + Modal, + ModalContent, + Pagination, + Table, + TableContainer, + TableSkeleton, + TBody, + Td, + Th, + THead, + Tr +} from "@app/components/v2"; +import { OrgPermissionActions, OrgPermissionSubjects } from "@app/context"; +import { useAddUserToGroup, useListGroupUsers, useRemoveUserFromGroup } from "@app/hooks/api"; import { UsePopUpState } from "@app/hooks/usePopUp"; type Props = { @@ -34,136 +29,127 @@ type Props = { handlePopUpToggle: (popUpName: keyof UsePopUpState<["groupMembers"]>, state?: boolean) => void; }; -export const OrgGroupMembersModal = ({ - popUp, - handlePopUpToggle -}: Props) => { - const [page, setPage] = useState(1); - const [perPage, setPerPage] = useState(10); - const [searchMemberFilter, setSearchMemberFilter] = useState(""); - - const popUpData = popUp?.groupMembers?.data as { - slug: string; - }; - - const { data, isLoading } = useListGroupUsers({ - groupSlug: popUpData?.slug, - offset: (page - 1) * perPage, - limit: perPage, - username: searchMemberFilter - }); - - const { mutateAsync: assignMutateAsync } = useAddUserToGroup(); - const { mutateAsync: unassignMutateAsync } = useRemoveUserFromGroup(); - - const handleAssignment = async (username: string, assign: boolean) => { - try { - if (!popUpData?.slug) return; - - if (assign) { - await assignMutateAsync({ - username, - slug: popUpData.slug - }); - } else { - await unassignMutateAsync({ - username, - slug: popUpData.slug - }); - } +export const OrgGroupMembersModal = ({ popUp, handlePopUpToggle }: Props) => { + const [page, setPage] = useState(1); + const [perPage, setPerPage] = useState(10); + const [searchMemberFilter, setSearchMemberFilter] = useState(""); - createNotification({ - text: `Successfully ${assign ? "assigned" : "removed "} user ${assign ? "to" : "from"} group`, - type: "success" - }); - } catch (err) { - createNotification({ - text: `Failed to ${assign ? "assigned" : "remove"} user ${assign ? "to" : "from"} group`, - type: "error" - }); - } + const popUpData = popUp?.groupMembers?.data as { + slug: string; + }; + + const { data, isLoading } = useListGroupUsers({ + groupSlug: popUpData?.slug, + offset: (page - 1) * perPage, + limit: perPage, + username: searchMemberFilter + }); + + const { mutateAsync: assignMutateAsync } = useAddUserToGroup(); + const { mutateAsync: unassignMutateAsync } = useRemoveUserFromGroup(); + + const handleAssignment = async (username: string, assign: boolean) => { + try { + if (!popUpData?.slug) return; + + if (assign) { + await assignMutateAsync({ + username, + slug: popUpData.slug + }); + } else { + await unassignMutateAsync({ + username, + slug: popUpData.slug + }); + } + + createNotification({ + text: `Successfully ${assign ? "assigned" : "removed "} user ${ + assign ? "to" : "from" + } group`, + type: "success" + }); + } catch (err) { + createNotification({ + text: `Failed to ${assign ? "assigned" : "remove"} user ${assign ? "to" : "from"} group`, + type: "error" + }); } - - return ( - { - handlePopUpToggle("groupMembers", isOpen); - }} - > - - setSearchMemberFilter(e.target.value)} - leftIcon={} - placeholder="Search members..." - /> - - - - - - - - - {isLoading && } - {!isLoading && data?.users?.map(({ - id, - firstName, - lastName, - username, - isPartOfGroup - }) => { - return ( - - - - - ); - })} - -
User -
-

{`${firstName} ${lastName}`}

-

{username}

- 		- - {(isAllowed) => { - return ( - - ); - }} - -
- {!isLoading && data?.totalCount !== undefined && ( - setPage(newPage)} - onChangePerPage={(newPerPage) => setPerPage(newPerPage)} - /> - )} - {!isLoading && !data?.users?.length && ( - - )} - - - - ); -} \ No newline at end of file + }; + + return ( + { + handlePopUpToggle("groupMembers", isOpen); + }} + > + + setSearchMemberFilter(e.target.value)} + leftIcon={} + placeholder="Search members..." + /> + + + + + + + + + {isLoading && } + {!isLoading && + data?.users?.map(({ id, firstName, lastName, username, isPartOfGroup }) => { + return ( + + + + + ); + })} + +
User +
+

{`${firstName ?? "-"} ${lastName ?? ""}`}

+

{username}

+ 		+ + {(isAllowed) => { + return ( + + ); + }} + +
+ {!isLoading && data?.totalCount !== undefined && ( + setPage(newPage)} + onChangePerPage={(newPerPage) => setPerPage(newPerPage)} + /> + )} + {!isLoading && !data?.users?.length && ( + + )} + + + + ); +}; From 6e3d5a8c7cb05883c9f6ea9fc21d649d8e89203e Mon Sep 17 00:00:00 2001 From: Tuan Dang Date: Thu, 18 Apr 2024 13:51:47 -0700 Subject: [PATCH 2/7] Remove print statements, cleanup --- backend/src/ee/routes/v1/scim-router.ts | 10 ---------- backend/src/ee/services/group/group-fns.ts | 3 --- backend/src/ee/services/license/licence-fns.ts | 6 +++--- backend/src/ee/services/license/license-types.ts | 6 +++--- backend/src/ee/services/scim/scim-service.ts | 7 ------- backend/src/services/auth/auth-signup-service.ts | 13 ------------- backend/src/services/org/org-service.ts | 2 +- 7 files changed, 7 insertions(+), 40 deletions(-) diff --git a/backend/src/ee/routes/v1/scim-router.ts b/backend/src/ee/routes/v1/scim-router.ts index 67209e7742..dea0e3d70a 100644 --- a/backend/src/ee/routes/v1/scim-router.ts +++ b/backend/src/ee/routes/v1/scim-router.ts @@ -192,7 +192,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { - console.log(`GET /Users/${req.params.userId}`); const user = await req.server.services.scim.getScimUser({ userId: req.params.userId, orgId: req.permission.orgId @@ -247,7 +246,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { - console.log(`POST /Users req.body: `, req.body); const primaryEmail = req.body.emails?.find((email) => email.primary)?.value; const user = await req.server.services.scim.createScimUser({ @@ -275,7 +273,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { - console.log(`DELETE /Users/${req.params.userId}`); const user = await req.server.services.scim.deleteScimUser({ userId: req.params.userId, orgId: req.permission.orgId @@ -322,7 +319,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { - console.log(`POST /Groups req.body: `, req.body); const group = await req.server.services.scim.createScimGroup({ orgId: req.permission.orgId, ...req.body @@ -363,7 +359,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { - console.log(`GET /Groups req.query: `, req.query); const groups = await req.server.services.scim.listScimGroups({ orgId: req.permission.orgId, offset: req.query.startIndex, @@ -400,7 +395,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { - console.log(`GET /Groups/${req.params.groupId}`); const group = await req.server.services.scim.getScimGroup({ groupId: req.params.groupId, orgId: req.permission.orgId @@ -446,7 +440,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { - console.log(`PUT /Groups/${req.params.groupId} req.body: `, req.body); const group = await req.server.services.scim.updateScimGroupNamePut({ groupId: req.params.groupId, orgId: req.permission.orgId, @@ -508,7 +501,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { - console.log(`PATCH /Groups/:${req.params.groupId} req.body: `, req.body); const group = await req.server.services.scim.updateScimGroupNamePatch({ groupId: req.params.groupId, orgId: req.permission.orgId, @@ -532,7 +524,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { - console.log(`DELETE /Groups/:${req.params.groupId}`); const group = await req.server.services.scim.deleteScimGroup({ groupId: req.params.groupId, orgId: req.permission.orgId @@ -583,7 +574,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => { }, onRequest: verifyAuth([AuthMode.SCIM_TOKEN]), handler: async (req) => { - console.log(`PUT /Users/:${req.params.userId} req.body: `, req.body); const user = await req.server.services.scim.replaceScimUser({ userId: req.params.userId, orgId: req.permission.orgId, diff --git a/backend/src/ee/services/group/group-fns.ts b/backend/src/ee/services/group/group-fns.ts index ae488edcf6..07152fe367 100644 --- a/backend/src/ee/services/group/group-fns.ts +++ b/backend/src/ee/services/group/group-fns.ts @@ -658,9 +658,6 @@ export const removeUsersFromGroupByUserIds = async ({ } }); - console.log("removeUsersFromGroupByUserIds membersToRemoveFromGroupDirectly: ", membersToRemoveFromGroupDirectly); - console.log("removeUsersFromGroupByUserIds membersToRemoveFromGroupPending: ", membersToRemoveFromGroupPending); - let removedUsers: TUsers[] = []; if (membersToRemoveFromGroupDirectly.length) { diff --git a/backend/src/ee/services/license/licence-fns.ts b/backend/src/ee/services/license/licence-fns.ts index 17a538881e..8a4de57f1e 100644 --- a/backend/src/ee/services/license/licence-fns.ts +++ b/backend/src/ee/services/license/licence-fns.ts @@ -24,10 +24,10 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({ customAlerts: false, auditLogs: false, auditLogsRetentionDays: 0, - samlSSO: true, - scim: true, + samlSSO: false, + scim: false, ldap: false, - groups: true, + groups: false, status: null, trial_end: null, has_used_trial: true, diff --git a/backend/src/ee/services/license/license-types.ts b/backend/src/ee/services/license/license-types.ts index efc1c18dd2..1cea39a834 100644 --- a/backend/src/ee/services/license/license-types.ts +++ b/backend/src/ee/services/license/license-types.ts @@ -40,10 +40,10 @@ export type TFeatureSet = { customAlerts: false; auditLogs: false; auditLogsRetentionDays: 0; - samlSSO: true; - scim: true; + samlSSO: false; + scim: false; ldap: false; - groups: true; + groups: false; status: null; trial_end: null; has_used_trial: true; diff --git a/backend/src/ee/services/scim/scim-service.ts b/backend/src/ee/services/scim/scim-service.ts index 588159acfc..bc7fd25289 100644 --- a/backend/src/ee/services/scim/scim-service.ts +++ b/backend/src/ee/services/scim/scim-service.ts @@ -633,13 +633,6 @@ export const scimServiceFactory = ({ }; const updateScimGroupNamePut = async ({ groupId, orgId, displayName, members }: TUpdateScimGroupNamePutDTO) => { - console.log("updateScimGroupNamePut args: ", { - groupId, - orgId, - displayName, - members - }); - const plan = await licenseService.getPlan(orgId); if (!plan.groups) throw new BadRequestError({ diff --git a/backend/src/services/auth/auth-signup-service.ts b/backend/src/services/auth/auth-signup-service.ts index c2f024290f..be80c4c401 100644 --- a/backend/src/services/auth/auth-signup-service.ts +++ b/backend/src/services/auth/auth-signup-service.ts @@ -187,7 +187,6 @@ export const authSignupServiceFactory = ({ const uniqueOrgId = [...new Set(updatedMembersips.map(({ orgId }) => orgId))]; await Promise.allSettled(uniqueOrgId.map((orgId) => licenseService.updateSubscriptionOrgMemberCount(orgId))); - console.log("conv A"); await convertPendingGroupAdditionsToGroupMemberships({ userIds: [user.id], userDAL, @@ -199,7 +198,6 @@ export const authSignupServiceFactory = ({ projectDAL, projectBotDAL }); - console.log("conv B"); const tokenSession = await tokenService.getUserTokenSession({ userAgent, @@ -258,16 +256,13 @@ export const authSignupServiceFactory = ({ encryptedPrivateKeyTag, authorization }: TCompleteAccountInviteDTO) => { - console.log("conv 0"); const user = await userDAL.findUserByUsername(email); if (!user || (user && user.isAccepted)) { throw new Error("Failed to complete account for complete user"); } - console.log("conv 1"); validateSignUpAuthorization(authorization, user.id); - console.log("conv 2"); const [orgMembership] = await orgDAL.findMembership({ inviteEmail: email, status: OrgMembershipStatus.Invited @@ -278,12 +273,9 @@ export const authSignupServiceFactory = ({ name: "complete account invite" }); - console.log("conv 3"); const updateduser = await authDAL.transaction(async (tx) => { - console.log("conv 4"); const us = await userDAL.updateById(user.id, { firstName, lastName, isAccepted: true }, tx); if (!us) throw new Error("User not found"); - console.log("conv 5"); const userEncKey = await userDAL.upsertUserEncryptionKey( us.id, { @@ -300,19 +292,15 @@ export const authSignupServiceFactory = ({ }, tx ); - console.log("conv 6"); const updatedMembersips = await orgDAL.updateMembership( { inviteEmail: email, status: OrgMembershipStatus.Invited }, { userId: us.id, status: OrgMembershipStatus.Accepted }, tx ); - console.log("conv 7"); const uniqueOrgId = [...new Set(updatedMembersips.map(({ orgId }) => orgId))]; - console.log("conv 8"); await Promise.allSettled(uniqueOrgId.map((orgId) => licenseService.updateSubscriptionOrgMemberCount(orgId))); - console.log("conv AA"); await convertPendingGroupAdditionsToGroupMemberships({ userIds: [user.id], userDAL, @@ -325,7 +313,6 @@ export const authSignupServiceFactory = ({ projectBotDAL, tx }); - console.log("conv BB"); return { info: us, key: userEncKey }; }); diff --git a/backend/src/services/org/org-service.ts b/backend/src/services/org/org-service.ts index c03fe17481..996a08c4d9 100644 --- a/backend/src/services/org/org-service.ts +++ b/backend/src/services/org/org-service.ts @@ -248,7 +248,7 @@ export const orgServiceFactory = ({ ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Scim); } - if (authEnforced || scimEnabled) { + if (authEnforced) { const samlCfg = await samlConfigDAL.findEnforceableSamlCfg(orgId); if (!samlCfg) throw new BadRequestError({ From e1407cc09317251bcabec1936a8ad1042ef573f6 Mon Sep 17 00:00:00 2001 From: Tuan Dang Date: Thu, 18 Apr 2024 14:14:08 -0700 Subject: [PATCH 3/7] Add comments for group-fns --- backend/src/ee/services/group/group-fns.ts | 174 ++++++++++++--------- 1 file changed, 104 insertions(+), 70 deletions(-) diff --git a/backend/src/ee/services/group/group-fns.ts b/backend/src/ee/services/group/group-fns.ts index 07152fe367..383b44a6eb 100644 --- a/backend/src/ee/services/group/group-fns.ts +++ b/backend/src/ee/services/group/group-fns.ts @@ -14,13 +14,11 @@ import { TRemoveUsersFromPendingGroupAdditions } from "./group-types"; -// TODO: write docstrings - /** - * Add users with usernames [usernames] to group [group] - * @param {group} group - group to add user to + * Add users with usernames [usernames] to group [group] directly. + * - Users must have finished completing their account and have private key(s). + * @param {group} group - group to add user(s) to * @param {string[]} usernames - username(s) of user(s) to add to group - * @returns {Promise} - user that was added to group */ export const addUsersToGroupDirectly = async ({ group, @@ -206,6 +204,12 @@ export const addUsersToGroupDirectly = async ({ }); }; +/** + * Add users with user ids [userIds] to group [group] via pending group additions. + * - Users must have not finished completing their accounts (i.e. they don't have private key(s) yet). + * @param {group} group - group to add user(s) to + * @param {string[]} userIds - id(s) of user(s) to add to group + */ export const addUsersToPendingGroupAdditions = async ({ group, userIds, @@ -299,6 +303,13 @@ export const addUsersToPendingGroupAdditions = async ({ }); }; +/** + * Add users with user ids [userIds] to group [group]. + * - Users may or may not have finished completing their accounts; this function will + * handle both adding users to groups directly and via pending group additions. + * @param {group} group - group to add user(s) to + * @param {string[]} userIds - id(s) of user(s) to add to group + */ export const addUsersToGroupByUserIds = async ({ group, userIds, @@ -386,6 +397,12 @@ export const addUsersToGroupByUserIds = async ({ }); }; +/** + * Remove users with user ids [userIds] from group [group]. + * - Users must be directly added to the group. + * @param {group} group - group to remove user(s) from + * @param {string[]} userIds - id(s) of user(s) to remove from group + */ export const removeUsersFromGroupDirectly = async ({ group, userIds, @@ -485,6 +502,12 @@ export const removeUsersFromGroupDirectly = async ({ }); }; +/** + * Remove users with user ids [userIds] from group [group] via pending group additions. + * - Users must have pending group additions to the group. + * @param {group} group - group to remove user(s) from + * @param {string[]} userIds - id(s) of user(s) to remove from group + */ export const removeUsersFromPendingGroupAdditions = async ({ group, userIds, @@ -552,71 +575,13 @@ export const removeUsersFromPendingGroupAdditions = async ({ }); }; -export const convertPendingGroupAdditionsToGroupMemberships = async ({ - userIds, - userDAL, - pendingGroupAdditionDAL, - userGroupMembershipDAL, - orgDAL, - groupProjectDAL, - projectKeyDAL, - projectDAL, - projectBotDAL, - tx: outerTx -}: TConvertPendingGroupAdditionsToGroupMemberships) => { - const processConversion = async (tx: Knex) => { - const users = await userDAL.find( - { - $in: { - id: userIds - } - }, - { tx } - ); - - const usersUserIdsSet = new Set(users.map((u) => u.id)); - userIds.forEach((userId) => { - if (!usersUserIdsSet.has(userId)) { - throw new BadRequestError({ - message: `Failed to find user with id ${userId}` - }); - } - }); - - users.forEach((user) => { - if (!user.isAccepted) { - throw new BadRequestError({ - message: `Failed to convert pending group additions to group memberships for user ${user.username} because they have not confirmed their account` - }); - } - }); - - const pendingGroupAdditions = await pendingGroupAdditionDAL.deletePendingGroupAdditionsByUserIds(userIds, tx); - - for await (const pendingGroupAddition of pendingGroupAdditions) { - await addUsersToGroupDirectly({ - group: pendingGroupAddition.group, - usernames: [pendingGroupAddition.user.username], - userDAL, - userGroupMembershipDAL, - orgDAL, - groupProjectDAL, - projectKeyDAL, - projectDAL, - projectBotDAL, - tx - }); - } - }; - - if (outerTx) { - return processConversion(outerTx); - } - return userDAL.transaction(async (tx) => { - await processConversion(tx); - }); -}; - +/** + * Remove users with user ids [userIds] from group [group]. + * - Users may be part of the group directly or via pending group additions; + * this function will handle both cases. + * @param {group} group - group to remove user(s) from + * @param {string[]} userIds - id(s) of user(s) to remove from group + */ export const removeUsersFromGroupByUserIds = async ({ group, userIds, @@ -696,3 +661,72 @@ export const removeUsersFromGroupByUserIds = async ({ return processRemoval(tx); }); }; + +/** + * Convert pending group additions for users with ids [userIds] to group memberships. + * @param {string[]} userIds - id(s) of user(s) to try to convert pending group additions to group memberships + */ +export const convertPendingGroupAdditionsToGroupMemberships = async ({ + userIds, + userDAL, + pendingGroupAdditionDAL, + userGroupMembershipDAL, + orgDAL, + groupProjectDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + tx: outerTx +}: TConvertPendingGroupAdditionsToGroupMemberships) => { + const processConversion = async (tx: Knex) => { + const users = await userDAL.find( + { + $in: { + id: userIds + } + }, + { tx } + ); + + const usersUserIdsSet = new Set(users.map((u) => u.id)); + userIds.forEach((userId) => { + if (!usersUserIdsSet.has(userId)) { + throw new BadRequestError({ + message: `Failed to find user with id ${userId}` + }); + } + }); + + users.forEach((user) => { + if (!user.isAccepted) { + throw new BadRequestError({ + message: `Failed to convert pending group additions to group memberships for user ${user.username} because they have not confirmed their account` + }); + } + }); + + const pendingGroupAdditions = await pendingGroupAdditionDAL.deletePendingGroupAdditionsByUserIds(userIds, tx); + + for await (const pendingGroupAddition of pendingGroupAdditions) { + await addUsersToGroupDirectly({ + group: pendingGroupAddition.group, + usernames: [pendingGroupAddition.user.username], + userDAL, + userGroupMembershipDAL, + orgDAL, + groupProjectDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + tx + }); + } + }; + + if (outerTx) { + return processConversion(outerTx); + } + return userDAL.transaction(async (tx) => { + await processConversion(tx); + }); +}; From 1dd451f2215845713eb25a7c4a6a2a45bfbc3fda Mon Sep 17 00:00:00 2001 From: Tuan Dang Date: Thu, 18 Apr 2024 14:54:02 -0700 Subject: [PATCH 4/7] Update groups count fn, type check --- backend/src/ee/services/group/group-dal.ts | 33 ------------------- .../src/ee/services/group/group-service.ts | 14 +++----- .../server/routes/v2/organization-router.ts | 1 - backend/src/services/org/org-dal.ts | 20 +++++++++++ .../OrgGroupsSection/OrgGroupModal.tsx | 5 ++- 5 files changed, 28 insertions(+), 45 deletions(-) diff --git a/backend/src/ee/services/group/group-dal.ts b/backend/src/ee/services/group/group-dal.ts index 3392bad320..26a5d688ea 100644 --- a/backend/src/ee/services/group/group-dal.ts +++ b/backend/src/ee/services/group/group-dal.ts @@ -59,37 +59,6 @@ export const groupDALFactory = (db: TDbClient) => { } }; - const countGroupMembers = async ({ orgId, groupId }: { orgId: string; groupId: string }) => { - try { - interface CountResult { - count: string; - } - - const directCount = await db(TableName.OrgMembership) - .where(`${TableName.OrgMembership}.orgId`, orgId) - .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`) - .leftJoin(TableName.UserGroupMembership, function () { - this.on(`${TableName.UserGroupMembership}.userId`, "=", `${TableName.Users}.id`).andOn( - `${TableName.UserGroupMembership}.groupId`, - "=", - db.raw("?", [groupId]) - ); - }) - .where({ isGhost: false, isAccepted: true }) - .count(`${TableName.Users}.id`) - .first(); - - const pendingCount = await db(TableName.PendingGroupAddition) - .where(`${TableName.PendingGroupAddition}.groupId`, groupId) - .count("*") - .first(); - - return parseInt((directCount?.count as string) || "0", 10) + parseInt((pendingCount?.count as string) || "0", 10); - } catch (err) { - throw new DatabaseError({ error: err, name: "Count all direct group members" }); - } - }; - // special query const findAllGroupMembers = async ({ orgId, @@ -160,7 +129,6 @@ export const groupDALFactory = (db: TDbClient) => { const members = await query; return members.map(({ email, username: memberUsername, firstName, lastName, userId, isPartOfGroup }) => ({ - // TODO: fix type id: userId, email, username: memberUsername, @@ -176,7 +144,6 @@ export const groupDALFactory = (db: TDbClient) => { return { findGroups, findByOrgId, - countGroupMembers, findAllGroupMembers, ...groupOrm }; diff --git a/backend/src/ee/services/group/group-service.ts b/backend/src/ee/services/group/group-service.ts index 5bb6aa9d6a..b9ec680135 100644 --- a/backend/src/ee/services/group/group-service.ts +++ b/backend/src/ee/services/group/group-service.ts @@ -30,12 +30,9 @@ import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal"; type TGroupServiceFactoryDep = { userDAL: Pick; - groupDAL: Pick< - TGroupDALFactory, - "create" | "findOne" | "update" | "delete" | "findAllGroupMembers" | "countGroupMembers" - >; + groupDAL: Pick; groupProjectDAL: Pick; - orgDAL: Pick; + orgDAL: Pick; userGroupMembershipDAL: Pick< TUserGroupMembershipDALFactory, "findOne" | "delete" | "filterProjectsByUserMembership" | "transaction" | "insertMany" | "find" @@ -230,12 +227,9 @@ export const groupServiceFactory = ({ username }); - const totalCount = await groupDAL.countGroupMembers({ - orgId: group.orgId, - groupId: group.id - }); + const count = await orgDAL.countAllOrgMembers(group.orgId); - return { users, totalCount }; + return { users, totalCount: count }; }; const addUserToGroup = async ({ diff --git a/backend/src/server/routes/v2/organization-router.ts b/backend/src/server/routes/v2/organization-router.ts index a4a66e9923..ae132316ae 100644 --- a/backend/src/server/routes/v2/organization-router.ts +++ b/backend/src/server/routes/v2/organization-router.ts @@ -45,7 +45,6 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => { onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]), handler: async (req) => { if (req.auth.actor !== ActorType.USER) return; - const users = await server.services.org.findAllOrgMembers( req.permission.id, req.params.organizationId, diff --git a/backend/src/services/org/org-dal.ts b/backend/src/services/org/org-dal.ts index 3b1daa8277..4dc76b6128 100644 --- a/backend/src/services/org/org-dal.ts +++ b/backend/src/services/org/org-dal.ts @@ -89,6 +89,25 @@ export const orgDALFactory = (db: TDbClient) => { } }; + const countAllOrgMembers = async (orgId: string) => { + try { + interface CountResult { + count: string; + } + + const count = await db(TableName.OrgMembership) + .where(`${TableName.OrgMembership}.orgId`, orgId) + .count("*") + .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`) + .where({ isGhost: false }) + .first(); + + return parseInt((count as unknown as CountResult).count || "0", 10); + } catch (error) { + throw new DatabaseError({ error, name: "Count all org members" }); + } + }; + const findOrgMembersByUsername = async (orgId: string, usernames: string[]) => { try { const members = await db(TableName.OrgMembership) @@ -269,6 +288,7 @@ export const orgDALFactory = (db: TDbClient) => { ...orgOrm, findOrgByProjectId, findAllOrgMembers, + countAllOrgMembers, findOrgById, findAllOrgsByUserId, ghostUserExists, diff --git a/frontend/src/views/Org/MembersPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupModal.tsx b/frontend/src/views/Org/MembersPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupModal.tsx index 7791eaa06b..85a5c0c239 100644 --- a/frontend/src/views/Org/MembersPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupModal.tsx +++ b/frontend/src/views/Org/MembersPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupModal.tsx @@ -19,7 +19,10 @@ import { UsePopUpState } from "@app/hooks/usePopUp"; const GroupFormSchema = z.object({ name: z.string().min(1, "Name cannot be empty").max(50, "Name must be 50 characters or fewer"), - slug: z.string().min(5, "Slug cannot be empty").max(36, "Slug must be 36 characters or fewer"), + slug: z + .string() + .min(5, "Slug must be at least 5 characters long") + .max(36, "Slug must be 36 characters or fewer"), role: z.string() }); From 032c5b56207484ef6b5f4176bad768f08a83554f Mon Sep 17 00:00:00 2001 From: Tuan Dang Date: Mon, 22 Apr 2024 10:37:24 -0700 Subject: [PATCH 5/7] Convert pending group addition table into isPending field --- backend/src/@types/knex.d.ts | 8 - .../20240417032913_pending-group-addition.ts | 22 +- backend/src/db/schemas/index.ts | 1 - backend/src/db/schemas/models.ts | 1 - .../src/db/schemas/pending-group-additions.ts | 20 - .../src/db/schemas/user-group-membership.ts | 3 +- backend/src/ee/services/group/group-dal.ts | 44 +- backend/src/ee/services/group/group-fns.ts | 758 ++++++------------ .../src/ee/services/group/group-service.ts | 7 +- backend/src/ee/services/group/group-types.ts | 66 +- .../group/pending-group-addition-dal.ts | 55 -- .../group/user-group-membership-dal.ts | 41 +- backend/src/ee/services/scim/scim-service.ts | 17 +- backend/src/server/routes/index.ts | 5 - .../src/services/auth/auth-signup-service.ts | 12 +- backend/src/services/user/user-dal.ts | 8 +- 16 files changed, 333 insertions(+), 735 deletions(-) delete mode 100644 backend/src/db/schemas/pending-group-additions.ts delete mode 100644 backend/src/ee/services/group/pending-group-addition-dal.ts diff --git a/backend/src/@types/knex.d.ts b/backend/src/@types/knex.d.ts index 93c8cb1eb6..2c8b8be5a5 100644 --- a/backend/src/@types/knex.d.ts +++ b/backend/src/@types/knex.d.ts @@ -86,9 +86,6 @@ import { TOrgRoles, TOrgRolesInsert, TOrgRolesUpdate, - TPendingGroupAdditions, - TPendingGroupAdditionsInsert, - TPendingGroupAdditionsUpdate, TProjectBots, TProjectBotsInsert, TProjectBotsUpdate, @@ -215,11 +212,6 @@ declare module "knex/types/tables" { interface Tables { [TableName.Users]: Knex.CompositeTableType; [TableName.Groups]: Knex.CompositeTableType; - [TableName.PendingGroupAddition]: Knex.CompositeTableType< - TPendingGroupAdditions, - TPendingGroupAdditionsInsert, - TPendingGroupAdditionsUpdate - >; [TableName.UserGroupMembership]: Knex.CompositeTableType< TUserGroupMembership, TUserGroupMembershipInsert, diff --git a/backend/src/db/migrations/20240417032913_pending-group-addition.ts b/backend/src/db/migrations/20240417032913_pending-group-addition.ts index e720abd2ff..70fe227277 100644 --- a/backend/src/db/migrations/20240417032913_pending-group-addition.ts +++ b/backend/src/db/migrations/20240417032913_pending-group-addition.ts @@ -1,25 +1,15 @@ import { Knex } from "knex"; import { TableName } from "../schemas"; -import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils"; export async function up(knex: Knex): Promise { - if (!(await knex.schema.hasTable(TableName.PendingGroupAddition))) { - await knex.schema.createTable(TableName.PendingGroupAddition, (t) => { - t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid()); - t.uuid("userId").notNullable(); - t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE"); - t.uuid("groupId").notNullable(); - t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE"); - t.unique(["userId", "groupId"]); - t.timestamps(true, true, true); - }); - } - - await createOnUpdateTrigger(knex, TableName.PendingGroupAddition); + await knex.schema.alterTable(TableName.UserGroupMembership, (t) => { + t.boolean("isPending").notNullable().defaultTo(false); + }); } export async function down(knex: Knex): Promise { - await knex.schema.dropTableIfExists(TableName.PendingGroupAddition); - await dropOnUpdateTrigger(knex, TableName.PendingGroupAddition); + await knex.schema.alterTable(TableName.UserGroupMembership, (t) => { + t.dropColumn("isPending"); + }); } diff --git a/backend/src/db/schemas/index.ts b/backend/src/db/schemas/index.ts index 9a7772d5d3..b9dab06bae 100644 --- a/backend/src/db/schemas/index.ts +++ b/backend/src/db/schemas/index.ts @@ -27,7 +27,6 @@ export * from "./org-bots"; export * from "./org-memberships"; export * from "./org-roles"; export * from "./organizations"; -export * from "./pending-group-additions"; export * from "./project-bots"; export * from "./project-environments"; export * from "./project-keys"; diff --git a/backend/src/db/schemas/models.ts b/backend/src/db/schemas/models.ts index ea1925eb2a..d5cf1b8867 100644 --- a/backend/src/db/schemas/models.ts +++ b/backend/src/db/schemas/models.ts @@ -3,7 +3,6 @@ import { z } from "zod"; export enum TableName { Users = "users", Groups = "groups", - PendingGroupAddition = "pending_group_additions", GroupProjectMembership = "group_project_memberships", GroupProjectMembershipRole = "group_project_membership_roles", UserGroupMembership = "user_group_membership", diff --git a/backend/src/db/schemas/pending-group-additions.ts b/backend/src/db/schemas/pending-group-additions.ts deleted file mode 100644 index b665f8841e..0000000000 --- a/backend/src/db/schemas/pending-group-additions.ts +++ /dev/null @@ -1,20 +0,0 @@ -// Code generated by automation script, DO NOT EDIT. -// Automated by pulling database and generating zod schema -// To update. Just run npm run generate:schema -// Written by akhilmhdh. - -import { z } from "zod"; - -import { TImmutableDBKeys } from "./models"; - -export const PendingGroupAdditionsSchema = z.object({ - id: z.string().uuid(), - userId: z.string().uuid(), - groupId: z.string().uuid(), - createdAt: z.date(), - updatedAt: z.date() -}); - -export type TPendingGroupAdditions = z.infer; -export type TPendingGroupAdditionsInsert = Omit, TImmutableDBKeys>; -export type TPendingGroupAdditionsUpdate = Partial, TImmutableDBKeys>>; diff --git a/backend/src/db/schemas/user-group-membership.ts b/backend/src/db/schemas/user-group-membership.ts index b6345d85af..6b5fccd46d 100644 --- a/backend/src/db/schemas/user-group-membership.ts +++ b/backend/src/db/schemas/user-group-membership.ts @@ -12,7 +12,8 @@ export const UserGroupMembershipSchema = z.object({ userId: z.string().uuid(), groupId: z.string().uuid(), createdAt: z.date(), - updatedAt: z.date() + updatedAt: z.date(), + isPending: z.boolean().default(false) }); export type TUserGroupMembership = z.infer; diff --git a/backend/src/ee/services/group/group-dal.ts b/backend/src/ee/services/group/group-dal.ts index 26a5d688ea..3da1f242c3 100644 --- a/backend/src/ee/services/group/group-dal.ts +++ b/backend/src/ee/services/group/group-dal.ts @@ -84,36 +84,14 @@ export const groupDALFactory = (db: TDbClient) => { db.raw("?", [groupId]) ); }) - .leftJoin(TableName.PendingGroupAddition, function () { - this.on(`${TableName.PendingGroupAddition}.userId`, "=", `${TableName.Users}.id`).andOn( - `${TableName.PendingGroupAddition}.groupId`, - "=", - db.raw("?", [groupId]) - ); - }) - .select< - { - id: string; - groupId: string; - email: string; - username: string; - firstName: string; - lastName: string; - userId: string; - isPartOfGroup: boolean; - }[] - >( + .select( db.ref("id").withSchema(TableName.OrgMembership), db.ref("groupId").withSchema(TableName.UserGroupMembership), db.ref("email").withSchema(TableName.Users), db.ref("username").withSchema(TableName.Users), db.ref("firstName").withSchema(TableName.Users), db.ref("lastName").withSchema(TableName.Users), - db.ref("id").withSchema(TableName.Users).as("userId"), - db.raw('CASE WHEN ?? IS NOT NULL OR ?? IS NOT NULL THEN TRUE ELSE FALSE END AS "isPartOfGroup"', [ - `${TableName.UserGroupMembership}.groupId`, - `${TableName.PendingGroupAddition}.groupId` - ]) + db.ref("id").withSchema(TableName.Users).as("userId") ) .where({ isGhost: false }) .offset(offset); @@ -128,14 +106,16 @@ export const groupDALFactory = (db: TDbClient) => { const members = await query; - return members.map(({ email, username: memberUsername, firstName, lastName, userId, isPartOfGroup }) => ({ - id: userId, - email, - username: memberUsername, - firstName, - lastName, - isPartOfGroup - })); + return members.map( + ({ email, username: memberUsername, firstName, lastName, userId, groupId: memberGroupId }) => ({ + id: userId, + email, + username: memberUsername, + firstName, + lastName, + isPartOfGroup: !!memberGroupId + }) + ); } catch (error) { throw new DatabaseError({ error, name: "Find all org members" }); } diff --git a/backend/src/ee/services/group/group-fns.ts b/backend/src/ee/services/group/group-fns.ts index 383b44a6eb..8b37de300d 100644 --- a/backend/src/ee/services/group/group-fns.ts +++ b/backend/src/ee/services/group/group-fns.ts @@ -5,24 +5,143 @@ import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from import { BadRequestError, ScimRequestError } from "@app/lib/errors"; import { + TAddUsersToGroup, TAddUsersToGroupByUserIds, - TAddUsersToGroupDirectly, - TAddUsersToPendingGroupAdditions, TConvertPendingGroupAdditionsToGroupMemberships, - TRemoveUsersFromGroupByUserIds, - TRemoveUsersFromGroupDirectly, - TRemoveUsersFromPendingGroupAdditions + TRemoveUsersFromGroupByUserIds } from "./group-types"; -/** - * Add users with usernames [usernames] to group [group] directly. - * - Users must have finished completing their account and have private key(s). - * @param {group} group - group to add user(s) to - * @param {string[]} usernames - username(s) of user(s) to add to group - */ -export const addUsersToGroupDirectly = async ({ +const addAcceptedUsersToGroup = async ({ + userIds, group, - usernames, + userGroupMembershipDAL, + userDAL, + groupProjectDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + tx +}: TAddUsersToGroup) => { + console.log("addAcceptedUsersToGroup args: ", { + userIds, + group + }); + const users = await userDAL.findUserEncKeyByUserIdsBatch( + { + userIds + }, + tx + ); + + await userGroupMembershipDAL.insertMany( + users.map((user) => ({ + userId: user.userId, + groupId: group.id, + isPending: false + })), + tx + ); + + // check which projects the group is part of + const projectIds = Array.from( + new Set( + ( + await groupProjectDAL.find( + { + groupId: group.id + }, + { tx } + ) + ).map((gp) => gp.projectId) + ) + ); + + const keys = await projectKeyDAL.find( + { + $in: { + projectId: projectIds, + receiverId: users.map((u) => u.id) + } + }, + { tx } + ); + + const userKeysSet = new Set(keys.map((k) => `${k.projectId}-${k.receiverId}`)); + + for await (const projectId of projectIds) { + const usersToAddProjectKeyFor = users.filter((u) => !userKeysSet.has(`${projectId}-${u.userId}`)); + + if (usersToAddProjectKeyFor.length) { + // there are users who need to be shared keys + // process adding bulk users to projects for each project individually + const ghostUser = await projectDAL.findProjectGhostUser(projectId, tx); + + if (!ghostUser) { + throw new BadRequestError({ + message: "Failed to find sudo user" + }); + } + + const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId, tx); + + if (!ghostUserLatestKey) { + throw new BadRequestError({ + message: "Failed to find sudo user latest key" + }); + } + + const bot = await projectBotDAL.findOne({ projectId }, tx); + + if (!bot) { + throw new BadRequestError({ + message: "Failed to find bot" + }); + } + + const botPrivateKey = infisicalSymmetricDecrypt({ + keyEncoding: bot.keyEncoding as SecretKeyEncoding, + iv: bot.iv, + tag: bot.tag, + ciphertext: bot.encryptedPrivateKey + }); + + const plaintextProjectKey = decryptAsymmetric({ + ciphertext: ghostUserLatestKey.encryptedKey, + nonce: ghostUserLatestKey.nonce, + publicKey: ghostUserLatestKey.sender.publicKey, + privateKey: botPrivateKey + }); + + const projectKeysToAdd = usersToAddProjectKeyFor.map((user) => { + const { ciphertext: encryptedKey, nonce } = encryptAsymmetric( + plaintextProjectKey, + user.publicKey, + botPrivateKey + ); + return { + encryptedKey, + nonce, + senderId: ghostUser.id, + receiverId: user.userId, + projectId + }; + }); + + await projectKeyDAL.insertMany(projectKeysToAdd, tx); + } + } +}; + +/** + * Add users with user ids [userIds] to group [group]. + * - Users may or may not have finished completing their accounts; this function will + * handle both adding users to groups directly and via pending group additions. + * @param {group} group - group to add user(s) to + * @param {string[]} userIds - id(s) of user(s) to add to group + */ +export const addUsersToGroupByUserIds = async ({ + group, + userIds, userDAL, userGroupMembershipDAL, orgDAL, @@ -31,33 +150,27 @@ export const addUsersToGroupDirectly = async ({ projectDAL, projectBotDAL, tx: outerTx -}: TAddUsersToGroupDirectly) => { +}: TAddUsersToGroupByUserIds) => { const processAddition = async (tx: Knex) => { - const users = await userDAL.findUserEncKeyByUsernameBatch( + const foundMembers = await userDAL.find( { - usernames + $in: { + id: userIds + } }, - tx + { tx } ); - const usersUsernamesSet = new Set(users.map((u) => u.username)); - usernames.forEach((username) => { - if (!usersUsernamesSet.has(username)) { - throw new BadRequestError({ - message: `Failed to find user with username ${username}` - }); - } - }); + const foundMembersIdsSet = new Set(foundMembers.map((member) => member.id)); - const userIds = users.map((u) => { - if (!u.isAccepted) { - throw new BadRequestError({ - message: `User ${u.username} cannot be added to group because they have not confirmed their account` - }); - } + const isCompleteMatch = userIds.every((userId) => foundMembersIdsSet.has(userId)); - return u.userId; - }); + if (!isCompleteMatch) { + throw new ScimRequestError({ + detail: "Members not found", + status: 404 + }); + } // check if user(s) group membership(s) already exists const existingUserGroupMemberships = await userGroupMembershipDAL.find( @@ -87,194 +200,6 @@ export const addUsersToGroupDirectly = async ({ { tx } ); - const existingUserOrgMembershipsUsernamesSet = new Set(existingUserOrgMemberships.map((u) => u.username)); - - usernames.forEach((username) => { - if (!existingUserOrgMembershipsUsernamesSet.has(username)) - throw new BadRequestError({ - message: `User ${username} is not part of the organization` - }); - }); - - await userGroupMembershipDAL.insertMany( - userIds.map((userId) => ({ - userId, - groupId: group.id - })), - tx - ); - - // check which projects the group is part of - const projectIds = Array.from( - new Set( - ( - await groupProjectDAL.find( - { - groupId: group.id - }, - { tx } - ) - ).map((gp) => gp.projectId) - ) - ); - - const keys = await projectKeyDAL.find( - { - $in: { - projectId: projectIds, - receiverId: userIds - } - }, - { tx } - ); - - const userKeysSet = new Set(keys.map((k) => `${k.projectId}-${k.receiverId}`)); - - for await (const projectId of projectIds) { - const usersToAddProjectKeyFor = users.filter((u) => !userKeysSet.has(`${projectId}-${u.userId}`)); - - if (usersToAddProjectKeyFor.length) { - // there are users who need to be shared keys - // process adding bulk users to projects for each project individually - const ghostUser = await projectDAL.findProjectGhostUser(projectId, tx); - - if (!ghostUser) { - throw new BadRequestError({ - message: "Failed to find sudo user" - }); - } - - const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId, tx); - - if (!ghostUserLatestKey) { - throw new BadRequestError({ - message: "Failed to find sudo user latest key" - }); - } - - const bot = await projectBotDAL.findOne({ projectId }, tx); - - if (!bot) { - throw new BadRequestError({ - message: "Failed to find bot" - }); - } - - const botPrivateKey = infisicalSymmetricDecrypt({ - keyEncoding: bot.keyEncoding as SecretKeyEncoding, - iv: bot.iv, - tag: bot.tag, - ciphertext: bot.encryptedPrivateKey - }); - - const plaintextProjectKey = decryptAsymmetric({ - ciphertext: ghostUserLatestKey.encryptedKey, - nonce: ghostUserLatestKey.nonce, - publicKey: ghostUserLatestKey.sender.publicKey, - privateKey: botPrivateKey - }); - - const projectKeysToAdd = usersToAddProjectKeyFor.map((user) => { - const { ciphertext: encryptedKey, nonce } = encryptAsymmetric( - plaintextProjectKey, - user.publicKey, - botPrivateKey - ); - return { - encryptedKey, - nonce, - senderId: ghostUser.id, - receiverId: user.userId, - projectId - }; - }); - - await projectKeyDAL.insertMany(projectKeysToAdd, tx); - } - } - - return users; - }; - - if (outerTx) { - return processAddition(outerTx); - } - return userDAL.transaction(async (tx) => { - return processAddition(tx); - }); -}; - -/** - * Add users with user ids [userIds] to group [group] via pending group additions. - * - Users must have not finished completing their accounts (i.e. they don't have private key(s) yet). - * @param {group} group - group to add user(s) to - * @param {string[]} userIds - id(s) of user(s) to add to group - */ -export const addUsersToPendingGroupAdditions = async ({ - group, - userIds, - pendingGroupAdditionDAL, - userDAL, - orgDAL, - tx: outerTx -}: TAddUsersToPendingGroupAdditions) => { - const processAddition = async (tx: Knex) => { - const users = await userDAL.find( - { - $in: { - id: userIds - } - }, - { tx } - ); - - const usersUserIdsSet = new Set(users.map((u) => u.id)); - userIds.forEach((userId) => { - if (!usersUserIdsSet.has(userId)) { - throw new BadRequestError({ - message: `Failed to find user with id ${userId}` - }); - } - }); - - users.map((u) => { - if (u.isAccepted) { - throw new BadRequestError({ - message: `User ${u.username} cannot be added to a pending group addition because they have confirmed their account` - }); - } - - return u.id; - }); - - // check if user(s) pending group addition(s) already exist - const existingPendingGroupAdditions = await pendingGroupAdditionDAL.find( - { - groupId: group.id, - $in: { - userId: userIds - } - }, - { tx } - ); - - if (existingPendingGroupAdditions.length) { - throw new BadRequestError({ - message: `User(s) are already part of the group ${group.slug}` - }); - } - - // check if all user(s) are part of the organization - const existingUserOrgMemberships = await orgDAL.findMembership( - { - orgId: group.orgId, - $in: { - userId: userIds - } - }, - { tx } - ); - const existingUserOrgMembershipsUserIdsSet = new Set(existingUserOrgMemberships.map((u) => u.userId)); userIds.forEach((userId) => { @@ -284,109 +209,45 @@ export const addUsersToPendingGroupAdditions = async ({ }); }); - await pendingGroupAdditionDAL.insertMany( - users.map((user) => ({ - userId: user.id, - groupId: group.id - })), - tx - ); - - return users; - }; - - if (outerTx) { - return processAddition(outerTx); - } - return userDAL.transaction(async (tx) => { - return processAddition(tx); - }); -}; - -/** - * Add users with user ids [userIds] to group [group]. - * - Users may or may not have finished completing their accounts; this function will - * handle both adding users to groups directly and via pending group additions. - * @param {group} group - group to add user(s) to - * @param {string[]} userIds - id(s) of user(s) to add to group - */ -export const addUsersToGroupByUserIds = async ({ - group, - userIds, - userDAL, - userGroupMembershipDAL, - orgDAL, - groupProjectDAL, - pendingGroupAdditionDAL, - projectKeyDAL, - projectDAL, - projectBotDAL, - tx: outerTx -}: TAddUsersToGroupByUserIds) => { - const processAddition = async (tx: Knex) => { - const foundMembers = await userDAL.find({ - $in: { - id: userIds - } - }); - - const foundMembersIdsSet = new Set(foundMembers.map((member) => member.id)); - - const isCompleteMatch = userIds.every((userId) => foundMembersIdsSet.has(userId)); - - if (!isCompleteMatch) { - throw new ScimRequestError({ - detail: "Members not found", - status: 404 - }); - } - - const membersToAddToGroupDirectly: TUsers[] = []; + const membersToAddToGroupNonPending: TUsers[] = []; const membersToAddToGroupPending: TUsers[] = []; foundMembers.forEach((member) => { if (member.isAccepted) { // add accepted member to group - membersToAddToGroupDirectly.push(member); + membersToAddToGroupNonPending.push(member); } else { // add incomplete member to pending group addition membersToAddToGroupPending.push(member); } }); - let addedUsers: TUsers[] = []; - - if (membersToAddToGroupDirectly.length) { - addedUsers = addedUsers.concat( - await addUsersToGroupDirectly({ - group, - usernames: membersToAddToGroupDirectly.map((member) => member.username), - userDAL, - userGroupMembershipDAL, - orgDAL, - groupProjectDAL, - projectKeyDAL, - projectDAL, - projectBotDAL, - tx - }) - ); + if (membersToAddToGroupNonPending.length) { + await addAcceptedUsersToGroup({ + userIds: membersToAddToGroupNonPending.map((member) => member.id), + group, + userDAL, + userGroupMembershipDAL, + groupProjectDAL, + projectKeyDAL, + projectDAL, + projectBotDAL, + tx + }); } if (membersToAddToGroupPending.length) { - addedUsers = addedUsers.concat( - await addUsersToPendingGroupAdditions({ - group, - userIds: membersToAddToGroupPending.map((member) => member.id), - pendingGroupAdditionDAL, - userDAL, - orgDAL, - tx - }) + await userGroupMembershipDAL.insertMany( + membersToAddToGroupPending.map((member) => ({ + userId: member.id, + groupId: group.id, + isPending: true + })), + tx ); } - return addedUsers; + return membersToAddToGroupNonPending.concat(membersToAddToGroupPending); }; if (outerTx) { @@ -399,185 +260,7 @@ export const addUsersToGroupByUserIds = async ({ /** * Remove users with user ids [userIds] from group [group]. - * - Users must be directly added to the group. - * @param {group} group - group to remove user(s) from - * @param {string[]} userIds - id(s) of user(s) to remove from group - */ -export const removeUsersFromGroupDirectly = async ({ - group, - userIds, - userDAL, - userGroupMembershipDAL, - groupProjectDAL, - projectKeyDAL, - tx: outerTx -}: TRemoveUsersFromGroupDirectly) => { - const processRemoval = async (tx: Knex) => { - const users = await userDAL.find( - { - $in: { - id: userIds - } - }, - { tx } - ); - - const usersUserIdsSet = new Set(users.map((u) => u.id)); - userIds.forEach((userId) => { - if (!usersUserIdsSet.has(userId)) { - throw new BadRequestError({ - message: `Failed to find user with id ${userId}` - }); - } - }); - - // check if user group membership already exists - const existingUserGroupMemberships = await userGroupMembershipDAL.find( - { - groupId: group.id, - $in: { - userId: userIds - } - }, - { tx } - ); - - const existingUserGroupMembershipsUserIdsSet = new Set(existingUserGroupMemberships.map((u) => u.userId)); - - userIds.forEach((userId) => { - if (!existingUserGroupMembershipsUserIdsSet.has(userId)) - throw new BadRequestError({ - message: `User(s) are not part of the group ${group.slug}` - }); - }); - - // check which projects the group is part of - const projectIds = Array.from( - new Set( - ( - await groupProjectDAL.find( - { - groupId: group.id - }, - { tx } - ) - ).map((gp) => gp.projectId) - ) - ); - - // TODO: this part can be optimized - for await (const userId of userIds) { - const t = await userGroupMembershipDAL.filterProjectsByUserMembership(userId, group.id, projectIds, tx); - const projectsToDeleteKeyFor = projectIds.filter((p) => !t.has(p)); - - if (projectsToDeleteKeyFor.length) { - await projectKeyDAL.delete( - { - receiverId: userId, - $in: { - projectId: projectsToDeleteKeyFor - } - }, - tx - ); - } - - await userGroupMembershipDAL.delete( - { - groupId: group.id, - userId - }, - tx - ); - } - - return users; - }; - - if (outerTx) { - return processRemoval(outerTx); - } - return userDAL.transaction(async (tx) => { - return processRemoval(tx); - }); -}; - -/** - * Remove users with user ids [userIds] from group [group] via pending group additions. - * - Users must have pending group additions to the group. - * @param {group} group - group to remove user(s) from - * @param {string[]} userIds - id(s) of user(s) to remove from group - */ -export const removeUsersFromPendingGroupAdditions = async ({ - group, - userIds, - userDAL, - pendingGroupAdditionDAL, - tx: outerTx -}: TRemoveUsersFromPendingGroupAdditions) => { - const processRemoval = async (tx: Knex) => { - const users = await userDAL.find( - { - $in: { - id: userIds - } - }, - { tx } - ); - - const usersUserIdsSet = new Set(users.map((u) => u.id)); - userIds.forEach((userId) => { - if (!usersUserIdsSet.has(userId)) { - throw new BadRequestError({ - message: `Failed to find user with id ${userId}` - }); - } - }); - - // check if user pending group addition already exists - const existingPendingGroupAdditions = await pendingGroupAdditionDAL.find( - { - groupId: group.id, - $in: { - userId: userIds - } - }, - { tx } - ); - - const existingPendingGroupAdditionsUserIdsSet = new Set(existingPendingGroupAdditions.map((u) => u.userId)); - - userIds.forEach((userId) => { - if (!existingPendingGroupAdditionsUserIdsSet.has(userId)) - throw new BadRequestError({ - message: `User(s) are not part of the group ${group.slug}` - }); - }); - - await pendingGroupAdditionDAL.delete( - { - groupId: group.id, - $in: { - userId: userIds - } - }, - tx - ); - - return users; - }; - - if (outerTx) { - return processRemoval(outerTx); - } - return userDAL.transaction(async (tx) => { - return processRemoval(tx); - }); -}; - -/** - * Remove users with user ids [userIds] from group [group]. - * - Users may be part of the group directly or via pending group additions; + * - Users may be part of the group (non-pending + pending); * this function will handle both cases. * @param {group} group - group to remove user(s) from * @param {string[]} userIds - id(s) of user(s) to remove from group @@ -588,7 +271,6 @@ export const removeUsersFromGroupByUserIds = async ({ userDAL, userGroupMembershipDAL, groupProjectDAL, - pendingGroupAdditionDAL, projectKeyDAL, tx: outerTx }: TRemoveUsersFromGroupByUserIds) => { @@ -610,48 +292,91 @@ export const removeUsersFromGroupByUserIds = async ({ }); } - const membersToRemoveFromGroupDirectly: TUsers[] = []; + // check if user group membership already exists + const existingUserGroupMemberships = await userGroupMembershipDAL.find( + { + groupId: group.id, + $in: { + userId: userIds + } + }, + { tx } + ); + + const existingUserGroupMembershipsUserIdsSet = new Set(existingUserGroupMemberships.map((u) => u.userId)); + + userIds.forEach((userId) => { + if (!existingUserGroupMembershipsUserIdsSet.has(userId)) + throw new BadRequestError({ + message: `User(s) are not part of the group ${group.slug}` + }); + }); + + const membersToRemoveFromGroupNonPending: TUsers[] = []; const membersToRemoveFromGroupPending: TUsers[] = []; foundMembers.forEach((member) => { if (member.isAccepted) { // remove accepted member from group - membersToRemoveFromGroupDirectly.push(member); + membersToRemoveFromGroupNonPending.push(member); } else { // remove incomplete member from pending group addition membersToRemoveFromGroupPending.push(member); } }); - let removedUsers: TUsers[] = []; - - if (membersToRemoveFromGroupDirectly.length) { - removedUsers = removedUsers.concat( - await removeUsersFromGroupDirectly({ - group, - userIds: membersToRemoveFromGroupDirectly.map((member) => member.id), - userDAL, - userGroupMembershipDAL, - groupProjectDAL, - projectKeyDAL, - tx - }) + if (membersToRemoveFromGroupNonPending.length) { + // check which projects the group is part of + const projectIds = Array.from( + new Set( + ( + await groupProjectDAL.find( + { + groupId: group.id + }, + { tx } + ) + ).map((gp) => gp.projectId) + ) ); + + // TODO: this part can be optimized + for await (const userId of userIds) { + const t = await userGroupMembershipDAL.filterProjectsByUserMembership(userId, group.id, projectIds, tx); + const projectsToDeleteKeyFor = projectIds.filter((p) => !t.has(p)); + + if (projectsToDeleteKeyFor.length) { + await projectKeyDAL.delete( + { + receiverId: userId, + $in: { + projectId: projectsToDeleteKeyFor + } + }, + tx + ); + } + + await userGroupMembershipDAL.delete( + { + groupId: group.id, + userId + }, + tx + ); + } } if (membersToRemoveFromGroupPending.length) { - removedUsers = removedUsers.concat( - await removeUsersFromPendingGroupAdditions({ - group, - userIds: membersToRemoveFromGroupPending.map((member) => member.id), - pendingGroupAdditionDAL, - userDAL, - tx - }) - ); + await userGroupMembershipDAL.delete({ + groupId: group.id, + $in: { + userId: membersToRemoveFromGroupPending.map((member) => member.id) + } + }); } - return removedUsers; + return membersToRemoveFromGroupNonPending.concat(membersToRemoveFromGroupPending); }; if (outerTx) { @@ -669,9 +394,7 @@ export const removeUsersFromGroupByUserIds = async ({ export const convertPendingGroupAdditionsToGroupMemberships = async ({ userIds, userDAL, - pendingGroupAdditionDAL, userGroupMembershipDAL, - orgDAL, groupProjectDAL, projectKeyDAL, projectDAL, @@ -705,15 +428,14 @@ export const convertPendingGroupAdditionsToGroupMemberships = async ({ } }); - const pendingGroupAdditions = await pendingGroupAdditionDAL.deletePendingGroupAdditionsByUserIds(userIds, tx); + const pendingGroupAdditions = await userGroupMembershipDAL.deletePendingUserGroupMembershipsByUserIds(userIds, tx); for await (const pendingGroupAddition of pendingGroupAdditions) { - await addUsersToGroupDirectly({ + await addAcceptedUsersToGroup({ + userIds: [pendingGroupAddition.user.id], group: pendingGroupAddition.group, - usernames: [pendingGroupAddition.user.username], userDAL, userGroupMembershipDAL, - orgDAL, groupProjectDAL, projectKeyDAL, projectDAL, diff --git a/backend/src/ee/services/group/group-service.ts b/backend/src/ee/services/group/group-service.ts index b9ec680135..e6a151bf75 100644 --- a/backend/src/ee/services/group/group-service.ts +++ b/backend/src/ee/services/group/group-service.ts @@ -2,7 +2,6 @@ import { ForbiddenError } from "@casl/ability"; import slugify from "@sindresorhus/slugify"; import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas"; -import { TPendingGroupAdditionDALFactory } from "@app/ee/services/group/pending-group-addition-dal"; import { isAtLeastAsPrivileged } from "@app/lib/casl"; import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors"; import { alphaNumericNanoId } from "@app/lib/nanoid"; @@ -29,7 +28,7 @@ import { import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal"; type TGroupServiceFactoryDep = { - userDAL: Pick; + userDAL: Pick; groupDAL: Pick; groupProjectDAL: Pick; orgDAL: Pick; @@ -40,7 +39,6 @@ type TGroupServiceFactoryDep = { projectDAL: Pick; projectBotDAL: Pick; projectKeyDAL: Pick; - pendingGroupAdditionDAL: TPendingGroupAdditionDALFactory; // remove? permissionService: Pick; licenseService: Pick; }; @@ -56,7 +54,6 @@ export const groupServiceFactory = ({ projectDAL, projectBotDAL, projectKeyDAL, - pendingGroupAdditionDAL, permissionService, licenseService }: TGroupServiceFactoryDep) => { @@ -279,7 +276,6 @@ export const groupServiceFactory = ({ userGroupMembershipDAL, orgDAL, groupProjectDAL, - pendingGroupAdditionDAL, projectKeyDAL, projectDAL, projectBotDAL @@ -333,7 +329,6 @@ export const groupServiceFactory = ({ userIds: [user.id], userDAL, userGroupMembershipDAL, - pendingGroupAdditionDAL, groupProjectDAL, projectKeyDAL }); diff --git a/backend/src/ee/services/group/group-types.ts b/backend/src/ee/services/group/group-types.ts index 301e12cdc5..ca9831ffbb 100644 --- a/backend/src/ee/services/group/group-types.ts +++ b/backend/src/ee/services/group/group-types.ts @@ -1,7 +1,6 @@ import { Knex } from "knex"; import { TGroups } from "@app/db/schemas"; -import { TPendingGroupAdditionDALFactory } from "@app/ee/services/group/pending-group-addition-dal"; import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal"; import { TGenericPermission } from "@app/lib/types"; import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal"; @@ -49,24 +48,22 @@ export type TRemoveUserFromGroupDTO = { // group fns types +export type TAddUsersToGroup = { + userIds: string[]; + group: TGroups; + userDAL: Pick; + userGroupMembershipDAL: Pick; + groupProjectDAL: Pick; + projectKeyDAL: Pick; + projectDAL: Pick; + projectBotDAL: Pick; + tx: Knex; +}; + export type TAddUsersToGroupByUserIds = { group: TGroups; userIds: string[]; - userDAL: Pick; - userGroupMembershipDAL: Pick; - orgDAL: Pick; - groupProjectDAL: Pick; - pendingGroupAdditionDAL: Pick; - projectKeyDAL: Pick; - projectDAL: Pick; - projectBotDAL: Pick; - tx?: Knex; -}; - -export type TAddUsersToGroupDirectly = { - group: TGroups; - usernames: string[]; - userDAL: Pick; + userDAL: Pick; userGroupMembershipDAL: Pick; orgDAL: Pick; groupProjectDAL: Pick; @@ -76,50 +73,23 @@ export type TAddUsersToGroupDirectly = { tx?: Knex; }; -export type TAddUsersToPendingGroupAdditions = { - userIds: string[]; - group: TGroups; - pendingGroupAdditionDAL: Pick; - userDAL: Pick; - orgDAL: Pick; - tx?: Knex; -}; - export type TRemoveUsersFromGroupByUserIds = { group: TGroups; userIds: string[]; userDAL: Pick; userGroupMembershipDAL: Pick; - pendingGroupAdditionDAL: Pick; groupProjectDAL: Pick; projectKeyDAL: Pick; tx?: Knex; }; -export type TRemoveUsersFromGroupDirectly = { - group: TGroups; - userIds: string[]; - userDAL: Pick; - userGroupMembershipDAL: Pick; - groupProjectDAL: Pick; - projectKeyDAL: Pick; - tx?: Knex; -}; - -export type TRemoveUsersFromPendingGroupAdditions = { - group: TGroups; - userIds: string[]; - pendingGroupAdditionDAL: Pick; - userDAL: Pick; - tx?: Knex; -}; - export type TConvertPendingGroupAdditionsToGroupMemberships = { userIds: string[]; - pendingGroupAdditionDAL: Pick; - userDAL: Pick; - userGroupMembershipDAL: Pick; - orgDAL: Pick; + userDAL: Pick; + userGroupMembershipDAL: Pick< + TUserGroupMembershipDALFactory, + "find" | "transaction" | "insertMany" | "deletePendingUserGroupMembershipsByUserIds" + >; groupProjectDAL: Pick; projectKeyDAL: Pick; projectDAL: Pick; diff --git a/backend/src/ee/services/group/pending-group-addition-dal.ts b/backend/src/ee/services/group/pending-group-addition-dal.ts deleted file mode 100644 index 579cbb6e56..0000000000 --- a/backend/src/ee/services/group/pending-group-addition-dal.ts +++ /dev/null @@ -1,55 +0,0 @@ -import { Knex } from "knex"; - -import { TDbClient } from "@app/db"; -import { TableName } from "@app/db/schemas"; -import { DatabaseError } from "@app/lib/errors"; -import { ormify } from "@app/lib/knex"; - -export type TPendingGroupAdditionDALFactory = ReturnType; - -export const pendingGroupAdditionDALFactory = (db: TDbClient) => { - const pendingGroupAdditionOrm = ormify(db, TableName.PendingGroupAddition); - - // special query - const deletePendingGroupAdditionsByUserIds = async (userIds: string[], tx?: Knex) => { - try { - const pendingGroupAdditions = await (tx || db)(TableName.PendingGroupAddition) - .whereIn(`${TableName.PendingGroupAddition}.userId`, userIds) - .join(TableName.Groups, `${TableName.PendingGroupAddition}.groupId`, `${TableName.Groups}.id`) - .join(TableName.Users, `${TableName.PendingGroupAddition}.userId`, `${TableName.Users}.id`); - - await pendingGroupAdditionOrm.delete( - { - $in: { - userId: userIds - } - }, - tx - ); - - return pendingGroupAdditions.map(({ userId, username, groupId, orgId, name, slug, role, roleId }) => ({ - user: { - id: userId, - username - }, - group: { - id: groupId, - orgId, - name, - slug, - role, - roleId, - createdAt: new Date(), - updatedAt: new Date() - } - })); - } catch (error) { - throw new DatabaseError({ error, name: "Filter projects by user membership" }); - } - }; - - return { - ...pendingGroupAdditionOrm, - deletePendingGroupAdditionsByUserIds - }; -}; diff --git a/backend/src/ee/services/group/user-group-membership-dal.ts b/backend/src/ee/services/group/user-group-membership-dal.ts index d4f8fecd7a..122c585615 100644 --- a/backend/src/ee/services/group/user-group-membership-dal.ts +++ b/backend/src/ee/services/group/user-group-membership-dal.ts @@ -122,10 +122,49 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => { } }; + const deletePendingUserGroupMembershipsByUserIds = async (userIds: string[], tx?: Knex) => { + try { + const members = await (tx || db)(TableName.UserGroupMembership) + .whereIn(`${TableName.UserGroupMembership}.userId`, userIds) + .where(`${TableName.UserGroupMembership}.isPending`, true) + .join(TableName.Groups, `${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`) + .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`); + + await userGroupMembershipOrm.delete( + { + $in: { + userId: userIds + } + }, + tx + ); + + return members.map(({ userId, username, groupId, orgId, name, slug, role, roleId }) => ({ + user: { + id: userId, + username + }, + group: { + id: groupId, + orgId, + name, + slug, + role, + roleId, + createdAt: new Date(), + updatedAt: new Date() + } + })); + } catch (error) { + throw new DatabaseError({ error, name: "Delete pending user group memberships by user ids" }); + } + }; + return { ...userGroupMembershipOrm, filterProjectsByUserMembership, findUserGroupMembershipsInProject, - findGroupMembersNotInProject + findGroupMembersNotInProject, + deletePendingUserGroupMembershipsByUserIds }; }; diff --git a/backend/src/ee/services/scim/scim-service.ts b/backend/src/ee/services/scim/scim-service.ts index bc7fd25289..d56c00a0ca 100644 --- a/backend/src/ee/services/scim/scim-service.ts +++ b/backend/src/ee/services/scim/scim-service.ts @@ -5,7 +5,6 @@ import jwt from "jsonwebtoken"; import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups } from "@app/db/schemas"; import { TGroupDALFactory } from "@app/ee/services/group/group-dal"; import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns"; -import { TPendingGroupAdditionDALFactory } from "@app/ee/services/group/pending-group-addition-dal"; import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal"; import { TScimDALFactory } from "@app/ee/services/scim/scim-dal"; import { getConfig } from "@app/lib/config/env"; @@ -48,7 +47,7 @@ import { type TScimServiceFactoryDep = { scimDAL: Pick; - userDAL: Pick; + userDAL: Pick; orgDAL: Pick< TOrgDALFactory, "createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction" @@ -63,7 +62,6 @@ type TScimServiceFactoryDep = { userGroupMembershipDAL: TUserGroupMembershipDALFactory; // TODO: Pick projectKeyDAL: Pick; projectBotDAL: Pick; - pendingGroupAdditionDAL: TPendingGroupAdditionDALFactory; // TODO: Pick licenseService: Pick; permissionService: Pick; smtpService: TSmtpService; @@ -83,7 +81,6 @@ export const scimServiceFactory = ({ userGroupMembershipDAL, projectKeyDAL, projectBotDAL, - pendingGroupAdditionDAL, permissionService, smtpService }: TScimServiceFactoryDep) => { @@ -572,7 +569,6 @@ export const scimServiceFactory = ({ userGroupMembershipDAL, orgDAL, groupProjectDAL, - pendingGroupAdditionDAL, projectKeyDAL, projectDAL, projectBotDAL, @@ -614,7 +610,6 @@ export const scimServiceFactory = ({ }); } - // TODO: update to include pending group additions const users = await groupDAL.findAllGroupMembers({ orgId: group.orgId, groupId: group.id @@ -676,13 +671,15 @@ export const scimServiceFactory = ({ const directMemberUserIds = ( await userGroupMembershipDAL.find({ - groupId: group.id + groupId: group.id, + isPending: false }) ).map((membership) => membership.userId); const pendingGroupAdditionsUserIds = ( - await pendingGroupAdditionDAL.find({ - groupId: group.id + await userGroupMembershipDAL.find({ + groupId: group.id, + isPending: true }) ).map((pendingGroupAddition) => pendingGroupAddition.userId); @@ -700,7 +697,6 @@ export const scimServiceFactory = ({ userGroupMembershipDAL, orgDAL, groupProjectDAL, - pendingGroupAdditionDAL, projectKeyDAL, projectDAL, projectBotDAL, @@ -715,7 +711,6 @@ export const scimServiceFactory = ({ userDAL, userGroupMembershipDAL, groupProjectDAL, - pendingGroupAdditionDAL, projectKeyDAL, tx }); diff --git a/backend/src/server/routes/index.ts b/backend/src/server/routes/index.ts index 7d2a8fd938..5ed2589f64 100644 --- a/backend/src/server/routes/index.ts +++ b/backend/src/server/routes/index.ts @@ -13,7 +13,6 @@ import { dynamicSecretLeaseQueueServiceFactory } from "@app/ee/services/dynamic- import { dynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service"; import { groupDALFactory } from "@app/ee/services/group/group-dal"; import { groupServiceFactory } from "@app/ee/services/group/group-service"; -import { pendingGroupAdditionDALFactory } from "@app/ee/services/group/pending-group-addition-dal"; import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal"; import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal"; import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service"; @@ -218,7 +217,6 @@ export const registerRoutes = async ( const groupProjectDAL = groupProjectDALFactory(db); const groupProjectMembershipRoleDAL = groupProjectMembershipRoleDALFactory(db); const userGroupMembershipDAL = userGroupMembershipDALFactory(db); - const pendingGroupAdditionDAL = pendingGroupAdditionDALFactory(db); const secretScanningDAL = secretScanningDALFactory(db); const licenseDAL = licenseDALFactory(db); const dynamicSecretDAL = dynamicSecretDALFactory(db); @@ -270,7 +268,6 @@ export const registerRoutes = async ( projectDAL, projectBotDAL, projectKeyDAL, - pendingGroupAdditionDAL, permissionService, licenseService }); @@ -297,7 +294,6 @@ export const registerRoutes = async ( userGroupMembershipDAL, projectKeyDAL, projectBotDAL, - pendingGroupAdditionDAL, permissionService, smtpService }); @@ -352,7 +348,6 @@ export const registerRoutes = async ( smtpService, authDAL, userDAL, - pendingGroupAdditionDAL, userGroupMembershipDAL, projectKeyDAL, projectDAL, diff --git a/backend/src/services/auth/auth-signup-service.ts b/backend/src/services/auth/auth-signup-service.ts index be80c4c401..9bd8db0028 100644 --- a/backend/src/services/auth/auth-signup-service.ts +++ b/backend/src/services/auth/auth-signup-service.ts @@ -2,7 +2,6 @@ import jwt from "jsonwebtoken"; import { OrgMembershipStatus } from "@app/db/schemas"; import { convertPendingGroupAdditionsToGroupMemberships } from "@app/ee/services/group/group-fns"; -import { TPendingGroupAdditionDALFactory } from "@app/ee/services/group/pending-group-addition-dal"; import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal"; import { TLicenseServiceFactory } from "@app/ee/services/license/license-service"; import { getConfig } from "@app/lib/config/env"; @@ -27,8 +26,10 @@ import { AuthMethod, AuthTokenType } from "./auth-type"; type TAuthSignupDep = { authDAL: TAuthDALFactory; userDAL: TUserDALFactory; - pendingGroupAdditionDAL: Pick; - userGroupMembershipDAL: Pick; + userGroupMembershipDAL: Pick< + TUserGroupMembershipDALFactory, + "find" | "transaction" | "insertMany" | "deletePendingUserGroupMembershipsByUserIds" + >; projectKeyDAL: Pick; projectDAL: Pick; projectBotDAL: Pick; @@ -44,7 +45,6 @@ export type TAuthSignupFactory = ReturnType; export const authSignupServiceFactory = ({ authDAL, userDAL, - pendingGroupAdditionDAL, userGroupMembershipDAL, projectKeyDAL, projectDAL, @@ -190,9 +190,7 @@ export const authSignupServiceFactory = ({ await convertPendingGroupAdditionsToGroupMemberships({ userIds: [user.id], userDAL, - pendingGroupAdditionDAL, userGroupMembershipDAL, - orgDAL, groupProjectDAL, projectKeyDAL, projectDAL, @@ -304,9 +302,7 @@ export const authSignupServiceFactory = ({ await convertPendingGroupAdditionsToGroupMemberships({ userIds: [user.id], userDAL, - pendingGroupAdditionDAL, userGroupMembershipDAL, - orgDAL, groupProjectDAL, projectKeyDAL, projectDAL, diff --git a/backend/src/services/user/user-dal.ts b/backend/src/services/user/user-dal.ts index 4c61c3174f..530ca3ad1a 100644 --- a/backend/src/services/user/user-dal.ts +++ b/backend/src/services/user/user-dal.ts @@ -34,16 +34,16 @@ export const userDALFactory = (db: TDbClient) => { } }; - const findUserEncKeyByUsernameBatch = async ({ usernames }: { usernames: string[] }, tx?: Knex) => { + const findUserEncKeyByUserIdsBatch = async ({ userIds }: { userIds: string[] }, tx?: Knex) => { try { return await (tx || db)(TableName.Users) .where({ isGhost: false }) - .whereIn("username", usernames) + .whereIn(`${TableName.Users}.id`, userIds) .join(TableName.UserEncryptionKey, `${TableName.Users}.id`, `${TableName.UserEncryptionKey}.userId`); } catch (error) { - throw new DatabaseError({ error, name: "Find user enc by email batch" }); + throw new DatabaseError({ error, name: "Find user enc by user ids batch" }); } }; @@ -136,7 +136,7 @@ export const userDALFactory = (db: TDbClient) => { ...userOrm, findUserByUsername, findUserEncKeyByUsername, - findUserEncKeyByUsernameBatch, // TODO: if successful, replace findUserEncKeyByUsername with this + findUserEncKeyByUserIdsBatch, findUserEncKeyByUserId, updateUserEncryptionByUserId, findUserByProjectMembershipId, From 0a124093d677a0dc930131de89c110fd6b51b3b8 Mon Sep 17 00:00:00 2001 From: Tuan Dang Date: Mon, 22 Apr 2024 11:59:17 -0700 Subject: [PATCH 6/7] Patch adding groups to project for invited users, add transactions for adding/removing groups to/from projects --- .../group/user-group-membership-dal.ts | 9 +- .../group-project/group-project-service.ts | 149 +++++++++--------- 2 files changed, 83 insertions(+), 75 deletions(-) diff --git a/backend/src/ee/services/group/user-group-membership-dal.ts b/backend/src/ee/services/group/user-group-membership-dal.ts index 122c585615..1ab1839c55 100644 --- a/backend/src/ee/services/group/user-group-membership-dal.ts +++ b/backend/src/ee/services/group/user-group-membership-dal.ts @@ -61,7 +61,7 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => { }; /** - * Return list of users that are part of the group with id [groupId] + * Return list of completed/accepted users that are part of the group with id [groupId] * that have not yet been added individually to project with id [projectId]. * * Note: Filters out users that are part of other groups in the project. @@ -69,18 +69,19 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => { * @param projectId * @returns */ - const findGroupMembersNotInProject = async (groupId: string, projectId: string) => { + const findGroupMembersNotInProject = async (groupId: string, projectId: string, tx?: Knex) => { try { // get list of groups in the project with id [projectId] // that that are not the group with id [groupId] - const groups: string[] = await db(TableName.GroupProjectMembership) + const groups: string[] = await (tx || db)(TableName.GroupProjectMembership) .where(`${TableName.GroupProjectMembership}.projectId`, projectId) .whereNot(`${TableName.GroupProjectMembership}.groupId`, groupId) .pluck(`${TableName.GroupProjectMembership}.groupId`); // main query - const members = await db(TableName.UserGroupMembership) + const members = await (tx || db)(TableName.UserGroupMembership) .where(`${TableName.UserGroupMembership}.groupId`, groupId) + .where(`${TableName.UserGroupMembership}.isPending`, false) .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`) .leftJoin(TableName.ProjectMembership, function () { this.on(`${TableName.Users}.id`, "=", `${TableName.ProjectMembership}.userId`).andOn( diff --git a/backend/src/services/group-project/group-project-service.ts b/backend/src/services/group-project/group-project-service.ts index 589d0e474d..17862dd6f6 100644 --- a/backend/src/services/group-project/group-project-service.ts +++ b/backend/src/services/group-project/group-project-service.ts @@ -32,7 +32,7 @@ type TGroupProjectServiceFactoryDep = { TGroupProjectMembershipRoleDALFactory, "create" | "transaction" | "insertMany" | "delete" >; - userGroupMembershipDAL: TUserGroupMembershipDALFactory; + userGroupMembershipDAL: Pick; projectDAL: Pick; projectKeyDAL: Pick; projectRoleDAL: Pick; @@ -116,68 +116,69 @@ export const groupProjectServiceFactory = ({ }, tx ); + + // share project key with users in group that have not + // individually been added to the project and that are not part of + // other groups that are in the project + const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id, tx); + + if (groupMembers.length) { + const ghostUser = await projectDAL.findProjectGhostUser(project.id, tx); + + if (!ghostUser) { + throw new BadRequestError({ + message: "Failed to find sudo user" + }); + } + + const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, project.id, tx); + + if (!ghostUserLatestKey) { + throw new BadRequestError({ + message: "Failed to find sudo user latest key" + }); + } + + const bot = await projectBotDAL.findOne({ projectId: project.id }, tx); + + if (!bot) { + throw new BadRequestError({ + message: "Failed to find bot" + }); + } + + const botPrivateKey = infisicalSymmetricDecrypt({ + keyEncoding: bot.keyEncoding as SecretKeyEncoding, + iv: bot.iv, + tag: bot.tag, + ciphertext: bot.encryptedPrivateKey + }); + + const plaintextProjectKey = decryptAsymmetric({ + ciphertext: ghostUserLatestKey.encryptedKey, + nonce: ghostUserLatestKey.nonce, + publicKey: ghostUserLatestKey.sender.publicKey, + privateKey: botPrivateKey + }); + + const projectKeyData = groupMembers.map(({ user: { publicKey, id } }) => { + const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(plaintextProjectKey, publicKey, botPrivateKey); + + return { + encryptedKey, + nonce, + senderId: ghostUser.id, + receiverId: id, + projectId: project.id + }; + }); + + await projectKeyDAL.insertMany(projectKeyData, tx); + } + return groupProjectMembership; }); - // share project key with users in group that have not - // individually been added to the project and that are not part of - // other groups that are in the project - const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id); - - if (groupMembers.length) { - const ghostUser = await projectDAL.findProjectGhostUser(project.id); - - if (!ghostUser) { - throw new BadRequestError({ - message: "Failed to find sudo user" - }); - } - - const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, project.id); - - if (!ghostUserLatestKey) { - throw new BadRequestError({ - message: "Failed to find sudo user latest key" - }); - } - - const bot = await projectBotDAL.findOne({ projectId: project.id }); - - if (!bot) { - throw new BadRequestError({ - message: "Failed to find bot" - }); - } - - const botPrivateKey = infisicalSymmetricDecrypt({ - keyEncoding: bot.keyEncoding as SecretKeyEncoding, - iv: bot.iv, - tag: bot.tag, - ciphertext: bot.encryptedPrivateKey - }); - - const plaintextProjectKey = decryptAsymmetric({ - ciphertext: ghostUserLatestKey.encryptedKey, - nonce: ghostUserLatestKey.nonce, - publicKey: ghostUserLatestKey.sender.publicKey, - privateKey: botPrivateKey - }); - - const projectKeyData = groupMembers.map(({ user: { publicKey, id } }) => { - const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(plaintextProjectKey, publicKey, botPrivateKey); - - return { - encryptedKey, - nonce, - senderId: ghostUser.id, - receiverId: id, - projectId: project.id - }; - }); - - await projectKeyDAL.insertMany(projectKeyData); - } - return projectGroup; }; @@ -287,20 +288,26 @@ export const groupProjectServiceFactory = ({ ); ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Groups); - const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id); + const deletedProjectGroup = await groupProjectDAL.transaction(async (tx) => { + const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id, tx); - if (groupMembers.length) { - await projectKeyDAL.delete({ - projectId: project.id, - $in: { - receiverId: groupMembers.map(({ user: { id } }) => id) - } - }); - } + if (groupMembers.length) { + await projectKeyDAL.delete( + { + projectId: project.id, + $in: { + receiverId: groupMembers.map(({ user: { id } }) => id) + } + }, + tx + ); + } - const [deletedGroup] = await groupProjectDAL.delete({ groupId: group.id, projectId: project.id }); + const [projectGroup] = await groupProjectDAL.delete({ groupId: group.id, projectId: project.id }, tx); + return projectGroup; + }); - return deletedGroup; + return deletedProjectGroup; }; const listGroupsInProject = async ({ From 8c566a5ff7f99419d1bc40a002c71aa33740d98e Mon Sep 17 00:00:00 2001 From: Tuan Dang Date: Mon, 22 Apr 2024 12:01:29 -0700 Subject: [PATCH 7/7] Fix wording for group project addition/removal --- .../components/OrgGroupsSection/OrgGroupMembersModal.tsx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/frontend/src/views/Org/MembersPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupMembersModal.tsx b/frontend/src/views/Org/MembersPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupMembersModal.tsx index d9aa4c3e0d..d6b1c515f7 100644 --- a/frontend/src/views/Org/MembersPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupMembersModal.tsx +++ b/frontend/src/views/Org/MembersPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupMembersModal.tsx @@ -65,14 +65,14 @@ export const OrgGroupMembersModal = ({ popUp, handlePopUpToggle }: Props) => { } createNotification({ - text: `Successfully ${assign ? "assigned" : "removed "} user ${ + text: `Successfully ${assign ? "assigned" : "removed"} user ${ assign ? "to" : "from" } group`, type: "success" }); } catch (err) { createNotification({ - text: `Failed to ${assign ? "assigned" : "remove"} user ${assign ? "to" : "from"} group`, + text: `Failed to ${assign ? "assign" : "remove"} user ${assign ? "to" : "from"} group`, type: "error" }); }