feat(schemas): create sso_connectors table (#4694)

* feat(schemas): create sso_connectors table

create sso_connectors table

* chore(schemas): add comments

add comments

* fix(schemas): remove dummy comments

remove dummy comments

* fix(schemas): fix schema typo

fix schema typo

* fix(schemas): adjust the alteration column order

adjust the alteration column order

* fix(schemas): drop policy

drop policy

* chore: fix the db alteration compare job tag version

fix the db alteration compare job tag version

* fix(schemas): set sso table order

set sso table order

* fix(schemas): fix alteration script

fix alteration script

.github/workflows/main.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - master
-      - 'push-action/**'
+      - "push-action/**"
   pull_request:
 
 concurrency:
@@ -100,7 +100,7 @@ jobs:
       # Fetch the current version by finding the latest tag starts with "v", e.g. "v1.0.0-beta.19"
       - id: version
         working-directory: ./fresh
-        run: echo "current=$(git describe --match "@logto/schemas@*" --abbrev=0)" >> $GITHUB_OUTPUT
+        run: echo "current=$(git describe --match "@logto/core@*" --abbrev=0)" >> $GITHUB_OUTPUT
 
       - uses: actions/checkout@v4
         with:

packages/schemas/alterations/next-1697683802-add-sso-connectors-table.ts

@@ -0,0 +1,66 @@
+import { type CommonQueryMethods, sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const getId = (value: string) => sql.identifier([value]);
+
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+
+  return currentDatabase.replaceAll('-', '_');
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const database = await getDatabaseName(pool);
+    const baseRoleId = getId(`logto_tenant_${database}`);
+
+    await pool.query(sql`
+      create table sso_connectors (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(128) not null,
+        provider_name varchar(128) not null,
+        connector_name varchar(128) not null,
+        config jsonb not null default '{}'::jsonb,
+        domains jsonb not null default '[]'::jsonb,
+        branding jsonb not null default '{}'::jsonb,
+        sync_profile boolean not null default FALSE,
+        sso_only boolean not null default FALSE,
+        created_at timestamptz not null default(now()),
+        primary key (id)
+      );
+
+      create index sso_connectors__id
+        on sso_connectors (tenant_id, id);
+
+      create index sso_connectors__id__provider_name
+        on sso_connectors (tenant_id, id, provider_name);
+
+      create trigger set_tenant_id before insert on sso_connectors
+        for each row execute procedure set_tenant_id();
+
+      alter table sso_connectors enable row level security;
+
+      create policy sso_connectors_tenant_id on sso_connectors
+        as restrictive
+        using (tenant_id = (select id from tenants where db_user = current_user));
+
+      create policy sso_connectors_modification on sso_connectors
+        using (true);
+
+      grant select, insert, update, delete on sso_connectors to ${baseRoleId};
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop policy sso_connectors_modification on sso_connectors;
+      drop policy sso_connectors_tenant_id on sso_connectors;
+      drop table sso_connectors;
+    `);
+  },
+};
+
+export default alteration;

packages/schemas/src/foundations/jsonb-types/index.ts

@@ -9,6 +9,7 @@ export * from './phrases.js';
 export * from './sign-in-experience.js';
 export * from './sentinel.js';
 export * from './users.js';
+export * from './sso-connector.js';
 
 export {
   configurableConnectorMetadataGuard,

packages/schemas/src/foundations/jsonb-types/sso-connector.ts

@@ -0,0 +1,12 @@
+import { z } from 'zod';
+
+export const ssoDomainsGuard = z.array(z.string());
+
+export type SsoDomains = z.infer<typeof ssoDomainsGuard>;
+
+export const ssoBrandingGuard = z.object({
+  logo: z.string().optional(),
+  darkLogo: z.string().optional(),
+});
+
+export type SsoBranding = z.infer<typeof ssoBrandingGuard>;

packages/schemas/tables/sso_connectors.sql

@@ -0,0 +1,29 @@
+create table sso_connectors (
+  tenant_id varchar(21) not null 
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the SSO connector. */
+  id varchar(128) not null,
+  /** The connector factory name of the SSO provider. */
+  provider_name varchar(128) not null,
+  /** The name of the SSO provider for display. */
+  connector_name varchar(128) not null,
+  /** The connector configuration. Different schemas for different provide type */
+  config jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+  /** The SSO email domains. */
+  domains jsonb /* @use SsoDomains */ not null default '[]'::jsonb,
+  /** The SSO branding. */
+  branding jsonb /* @use SsoBranding */ not null default '{}'::jsonb,
+  /** Determines whether to synchronize the user's profile on each login. */
+  sync_profile boolean not null default FALSE,
+  /** Determines whether SSO is the restricted sign-in method for users with the SSO registered email domains */
+  sso_only boolean not null default FALSE,
+  /** When the SSO connector was created. */
+  created_at timestamptz not null default(now()),
+  primary key (id)
+);
+
+create index sso_connectors__id
+  on sso_connectors (tenant_id, id);
+
+create index sso_connectors__id__provider_name
+  on sso_connectors (tenant_id, id, provider_name);