2023-12-14 04:25:17 -05:00
|
|
|
/**
|
|
|
|
* @fileoverview A preparation for the update of using organizations to manage tenants in the admin
|
|
|
|
* tenant. This script will do the following in the admin tenant:
|
|
|
|
*
|
2023-12-15 03:50:14 -05:00
|
|
|
* 1. Create organization template roles and scopes.
|
|
|
|
* 2. Create organizations for existing tenants.
|
|
|
|
* 3. Add membership records and assign organization roles to existing users.
|
|
|
|
* 4. Create machine-to-machine Management API role for each tenant.
|
|
|
|
* 5. Create the corresponding machine-to-machine app for each tenant, and assign the Management API role to it.
|
2023-12-14 04:25:17 -05:00
|
|
|
*
|
|
|
|
* The `down` script will revert the changes.
|
2023-12-15 03:50:14 -05:00
|
|
|
*
|
|
|
|
* NOTE: In order to avoid unnecessary dirty data, it's recommended disabling the registration of
|
|
|
|
* new tenants before running this script and deploying the changes.
|
2023-12-14 04:25:17 -05:00
|
|
|
*/
|
|
|
|
|
|
|
|
import { ConsoleLog, generateStandardId } from '@logto/shared';
|
|
|
|
import { sql } from 'slonik';
|
|
|
|
|
|
|
|
import { type AlterationScript } from '../lib/types/alteration.js';
|
|
|
|
|
|
|
|
const adminTenantId = 'admin';
|
|
|
|
const consoleLog = new ConsoleLog();
|
|
|
|
|
|
|
|
const alteration: AlterationScript = {
|
|
|
|
up: async (transaction) => {
|
|
|
|
consoleLog.info('=== Sync tenant organizations ===');
|
|
|
|
|
|
|
|
consoleLog.info('Create organization template roles and scopes');
|
|
|
|
await transaction.query(sql`
|
|
|
|
insert into public.organization_roles (id, tenant_id, name, description)
|
|
|
|
values
|
|
|
|
('owner', ${adminTenantId}, 'owner', 'Owner of the tenant, who has all permissions.'),
|
2023-12-15 03:50:14 -05:00
|
|
|
('admin', ${adminTenantId}, 'admin', 'Admin of the tenant, who has all permissions except managing the tenant settings.'),
|
|
|
|
('member', ${adminTenantId}, 'member', 'Member of the tenant, who has limited permissions on reading and writing the tenant data.');
|
2023-12-14 04:25:17 -05:00
|
|
|
`);
|
|
|
|
await transaction.query(sql`
|
|
|
|
insert into public.organization_scopes (id, tenant_id, name, description)
|
|
|
|
values
|
2023-12-15 03:50:14 -05:00
|
|
|
('read-data', ${adminTenantId}, 'read:data', 'Read the tenant data.'),
|
|
|
|
('write-data', ${adminTenantId}, 'write:data', 'Write the tenant data, including creating and updating the tenant.'),
|
|
|
|
('delete-data', ${adminTenantId}, 'delete:data', 'Delete data of the tenant.'),
|
2023-12-14 04:25:17 -05:00
|
|
|
('invite-member', ${adminTenantId}, 'invite:member', 'Invite members to the tenant.'),
|
|
|
|
('remove-member', ${adminTenantId}, 'remove:member', 'Remove members from the tenant.'),
|
|
|
|
('update-member-role', ${adminTenantId}, 'update:member:role', 'Update the role of a member in the tenant.'),
|
|
|
|
('manage-tenant', ${adminTenantId}, 'manage:tenant', 'Manage the tenant settings, including name, billing, etc.');
|
|
|
|
`);
|
|
|
|
await transaction.query(sql`
|
|
|
|
insert into public.organization_role_scope_relations (tenant_id, organization_role_id, organization_scope_id)
|
|
|
|
values
|
2023-12-15 03:50:14 -05:00
|
|
|
(${adminTenantId}, 'owner', 'read-data'),
|
|
|
|
(${adminTenantId}, 'owner', 'write-data'),
|
|
|
|
(${adminTenantId}, 'owner', 'delete-data'),
|
2023-12-14 04:25:17 -05:00
|
|
|
(${adminTenantId}, 'owner', 'invite-member'),
|
|
|
|
(${adminTenantId}, 'owner', 'remove-member'),
|
|
|
|
(${adminTenantId}, 'owner', 'update-member-role'),
|
|
|
|
(${adminTenantId}, 'owner', 'manage-tenant'),
|
2023-12-15 03:50:14 -05:00
|
|
|
(${adminTenantId}, 'admin', 'read-data'),
|
|
|
|
(${adminTenantId}, 'admin', 'write-data'),
|
|
|
|
(${adminTenantId}, 'admin', 'delete-data'),
|
2023-12-14 04:25:17 -05:00
|
|
|
(${adminTenantId}, 'admin', 'invite-member'),
|
|
|
|
(${adminTenantId}, 'admin', 'remove-member'),
|
|
|
|
(${adminTenantId}, 'admin', 'update-member-role'),
|
2023-12-15 03:50:14 -05:00
|
|
|
(${adminTenantId}, 'member', 'read-data'),
|
|
|
|
(${adminTenantId}, 'member', 'write-data'),
|
2023-12-14 04:25:17 -05:00
|
|
|
(${adminTenantId}, 'member', 'invite-member')
|
|
|
|
`);
|
|
|
|
|
|
|
|
consoleLog.info('Create organizations for existing tenants');
|
|
|
|
const tenants = await transaction.any<{ id: string }>(sql`
|
|
|
|
select id
|
|
|
|
from public.tenants;
|
|
|
|
`);
|
|
|
|
await transaction.query(sql`
|
|
|
|
insert into public.organizations (id, tenant_id, name)
|
|
|
|
values
|
|
|
|
${sql.join(
|
|
|
|
tenants.map(
|
|
|
|
(tenant) => sql`(${`t-${tenant.id}`}, ${adminTenantId}, ${`Tenant ${tenant.id}`})`
|
|
|
|
),
|
|
|
|
sql`, `
|
|
|
|
)};
|
|
|
|
`);
|
|
|
|
|
|
|
|
const usersRoles = await transaction.any<{ userId: string; roleName: string }>(sql`
|
|
|
|
select
|
|
|
|
public.users.id as "userId",
|
|
|
|
public.roles.name as "roleName"
|
|
|
|
from public.users
|
|
|
|
join public.users_roles on public.users_roles.user_id = public.users.id
|
|
|
|
join public.roles on public.roles.id = public.users_roles.role_id
|
|
|
|
where public.roles.tenant_id = ${adminTenantId}
|
|
|
|
and public.roles.name like '%:admin';
|
|
|
|
`);
|
|
|
|
|
2023-12-16 01:48:01 -05:00
|
|
|
if (usersRoles.length === 0) {
|
|
|
|
consoleLog.warn(
|
|
|
|
'No existing admin users found, skip adding membership records for tenant organizations.'
|
|
|
|
);
|
|
|
|
} else {
|
|
|
|
consoleLog.info('Add membership records and assign organization roles to existing users');
|
|
|
|
|
|
|
|
// Add membership records
|
|
|
|
await transaction.query(sql`
|
|
|
|
insert into public.organization_user_relations (tenant_id, organization_id, user_id)
|
|
|
|
values
|
|
|
|
${sql.join(
|
|
|
|
usersRoles.map(
|
|
|
|
(userRole) =>
|
|
|
|
sql`(${adminTenantId}, ${`t-${userRole.roleName.slice(0, -6)}`}, ${
|
|
|
|
userRole.userId
|
|
|
|
})`
|
|
|
|
),
|
|
|
|
sql`, `
|
|
|
|
)};
|
|
|
|
`);
|
|
|
|
// We treat all existing users as the owner of the tenant
|
|
|
|
await transaction.query(sql`
|
|
|
|
insert into public.organization_role_user_relations (tenant_id, organization_id, user_id, organization_role_id)
|
|
|
|
values
|
|
|
|
${sql.join(
|
|
|
|
usersRoles.map(
|
|
|
|
(userRole) =>
|
|
|
|
sql`
|
|
|
|
(
|
|
|
|
${adminTenantId},
|
|
|
|
${`t-${userRole.roleName.slice(0, -6)}`},
|
|
|
|
${userRole.userId},
|
|
|
|
'owner'
|
|
|
|
)
|
|
|
|
`
|
|
|
|
),
|
|
|
|
sql`, `
|
|
|
|
)};
|
|
|
|
`);
|
|
|
|
}
|
2023-12-14 04:25:17 -05:00
|
|
|
|
|
|
|
consoleLog.info('Create machine-to-machine Management API role for each tenant');
|
|
|
|
await transaction.query(sql`
|
|
|
|
insert into public.roles (id, tenant_id, name, description, type)
|
|
|
|
values
|
|
|
|
${sql.join(
|
|
|
|
tenants.map(
|
|
|
|
(tenant) =>
|
|
|
|
sql`
|
|
|
|
(
|
|
|
|
${`m-${tenant.id}`},
|
|
|
|
${adminTenantId},
|
|
|
|
${`machine:mapi:${tenant.id}`},
|
|
|
|
${`Machine-to-machine role for accessing Management API of tenant '${tenant.id}'.`},
|
|
|
|
'MachineToMachine'
|
|
|
|
)
|
|
|
|
`
|
|
|
|
),
|
|
|
|
sql`, `
|
|
|
|
)};
|
|
|
|
`);
|
|
|
|
|
|
|
|
const managementApiScopes = await transaction.any<{ id: string; indicator: string }>(sql`
|
|
|
|
select public.scopes.id, public.resources.indicator
|
|
|
|
from public.resources
|
|
|
|
join public.scopes on public.scopes.resource_id = public.resources.id
|
|
|
|
where public.resources.indicator like 'https://%.logto.app/api'
|
|
|
|
and public.scopes.name = 'all'
|
|
|
|
and public.resources.tenant_id = ${adminTenantId};
|
|
|
|
`);
|
|
|
|
|
|
|
|
const assertScopeId = (forTenantId: string) => {
|
|
|
|
const scope = managementApiScopes.find(
|
|
|
|
(scope) => scope.indicator === `https://${forTenantId}.logto.app/api`
|
|
|
|
);
|
|
|
|
if (!scope) {
|
|
|
|
throw new Error(`Cannot find Management API scope for tenant '${forTenantId}'.`);
|
|
|
|
}
|
|
|
|
return scope.id;
|
|
|
|
};
|
|
|
|
|
|
|
|
// Insert role - scope relations
|
|
|
|
await transaction.query(sql`
|
|
|
|
insert into public.roles_scopes (tenant_id, id, role_id, scope_id)
|
|
|
|
values
|
|
|
|
${sql.join(
|
|
|
|
tenants.map(
|
|
|
|
(tenant) =>
|
|
|
|
sql`
|
|
|
|
(
|
|
|
|
${adminTenantId},
|
|
|
|
${generateStandardId()},
|
|
|
|
${`m-${tenant.id}`},
|
|
|
|
${assertScopeId(tenant.id)}
|
|
|
|
)
|
|
|
|
`
|
|
|
|
),
|
|
|
|
sql`, `
|
|
|
|
)};
|
|
|
|
`);
|
|
|
|
|
|
|
|
consoleLog.info(
|
|
|
|
'Create the corresponding machine-to-machine app for each tenant, and assign the Management API role to it'
|
|
|
|
);
|
|
|
|
await transaction.query(sql`
|
|
|
|
insert into public.applications (id, tenant_id, secret, name, description, type, oidc_client_metadata)
|
|
|
|
values
|
|
|
|
${sql.join(
|
|
|
|
tenants.map(
|
|
|
|
(tenant) =>
|
|
|
|
sql`
|
|
|
|
(
|
|
|
|
${`m-${tenant.id}`},
|
|
|
|
${adminTenantId},
|
|
|
|
${generateStandardId(32)},
|
|
|
|
${`Management API access for ${tenant.id}`},
|
|
|
|
${`Machine-to-machine app for accessing Management API of tenant '${tenant.id}'.`},
|
|
|
|
'MachineToMachine',
|
|
|
|
${sql.jsonb({
|
|
|
|
redirectUris: [],
|
|
|
|
postLogoutRedirectUris: [],
|
|
|
|
})}
|
|
|
|
)
|
|
|
|
`
|
|
|
|
),
|
|
|
|
sql`, `
|
|
|
|
)};
|
|
|
|
`);
|
|
|
|
await transaction.query(sql`
|
|
|
|
insert into public.applications_roles (tenant_id, id, application_id, role_id)
|
|
|
|
values
|
|
|
|
${sql.join(
|
|
|
|
tenants.map(
|
|
|
|
(tenant) =>
|
|
|
|
sql`
|
|
|
|
(
|
|
|
|
${adminTenantId},
|
|
|
|
${generateStandardId()},
|
|
|
|
${`m-${tenant.id}`},
|
|
|
|
${`m-${tenant.id}`}
|
|
|
|
)
|
|
|
|
`
|
|
|
|
),
|
|
|
|
sql`, `
|
|
|
|
)};
|
|
|
|
`);
|
|
|
|
|
|
|
|
consoleLog.info('=== Sync tenant organizations done ===');
|
|
|
|
},
|
|
|
|
down: async (transaction) => {
|
|
|
|
consoleLog.info('=== Revert sync tenant organizations ===');
|
|
|
|
|
|
|
|
consoleLog.info('Remove machine-to-machine apps');
|
|
|
|
await transaction.query(sql`
|
|
|
|
delete from public.applications
|
|
|
|
where public.applications.tenant_id = ${adminTenantId}
|
|
|
|
and public.applications.id like 'm-%';
|
|
|
|
`);
|
|
|
|
|
|
|
|
consoleLog.info('Remove machine-to-machine roles');
|
|
|
|
await transaction.query(sql`
|
|
|
|
delete from public.roles
|
|
|
|
where public.roles.tenant_id = ${adminTenantId}
|
|
|
|
and public.roles.id like 'm-%';
|
|
|
|
`);
|
|
|
|
|
|
|
|
consoleLog.info('Remove organizations');
|
|
|
|
await transaction.query(sql`
|
|
|
|
delete from public.organizations
|
|
|
|
where public.organizations.tenant_id = ${adminTenantId}
|
|
|
|
and public.organizations.id like 't-%';
|
|
|
|
`);
|
|
|
|
|
|
|
|
consoleLog.info('Remove organization roles');
|
|
|
|
await transaction.query(sql`
|
|
|
|
delete from public.organization_roles
|
|
|
|
where public.organization_roles.tenant_id = ${adminTenantId}
|
|
|
|
and public.organization_roles.id in ('owner', 'admin', 'member');
|
|
|
|
`);
|
|
|
|
|
|
|
|
consoleLog.info('Remove organization scopes');
|
|
|
|
await transaction.query(sql`
|
|
|
|
delete from public.organization_scopes
|
|
|
|
where public.organization_scopes.tenant_id = ${adminTenantId}
|
|
|
|
and public.organization_scopes.id in (
|
2023-12-15 03:50:14 -05:00
|
|
|
'read-data',
|
|
|
|
'write-data',
|
|
|
|
'delete-data',
|
2023-12-14 04:25:17 -05:00
|
|
|
'invite-member',
|
|
|
|
'remove-member',
|
|
|
|
'update-member-role',
|
|
|
|
'manage-tenant'
|
|
|
|
);
|
|
|
|
`);
|
|
|
|
|
|
|
|
consoleLog.info('=== Revert sync tenant organizations done ===');
|
|
|
|
},
|
|
|
|
};
|
|
|
|
|
|
|
|
export default alteration;
|