diff --git a/packages/schemas/alterations/next-1731901231-add-saml-application-secrets-table.ts b/packages/schemas/alterations/next-1731901231-add-saml-application-secrets-table.ts new file mode 100644 index 000000000..5b48d070c --- /dev/null +++ b/packages/schemas/alterations/next-1731901231-add-saml-application-secrets-table.ts @@ -0,0 +1,40 @@ +import { sql } from '@silverhand/slonik'; + +import type { AlterationScript } from '../lib/types/alteration.js'; + +import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js'; + +const alteration: AlterationScript = { + up: async (pool) => { + await pool.query(sql` + create table saml_application_secrets ( + id varchar(21) not null, + tenant_id varchar(21) not null + references tenants (id) on update cascade on delete cascade, + application_id varchar(21) not null + references applications (id) on update cascade on delete cascade, + private_key text not null, + certificate text not null, + created_at timestamptz not null default now(), + expires_at timestamptz not null, + active boolean not null, + primary key (id), + constraint application_type + check (check_application_type(application_id, 'SAML')) + ); + + create unique index saml_application_secrets__unique_active_secret + on saml_application_secrets (application_id, active) + where active; + `); + await applyTableRls(pool, 'saml_application_secrets'); + }, + down: async (pool) => { + await dropTableRls(pool, 'saml_application_secrets'); + await pool.query(sql` + drop table saml_application_secrets; + `); + }, +}; + +export default alteration; diff --git a/packages/schemas/tables/saml_application_secrets.sql b/packages/schemas/tables/saml_application_secrets.sql new file mode 100644 index 000000000..998e8bf41 --- /dev/null +++ b/packages/schemas/tables/saml_application_secrets.sql @@ -0,0 +1,22 @@ +/* init_order = 2 */ + +create table saml_application_secrets ( + id varchar(21) not null, + tenant_id varchar(21) not null + references tenants (id) on update cascade on delete cascade, + application_id varchar(21) not null + references applications (id) on update cascade on delete cascade, + private_key text not null, + certificate text not null, + created_at timestamptz not null default now(), + expires_at timestamptz not null, + active boolean not null, + primary key (id), + constraint application_type + check (check_application_type(application_id, 'SAML')) +); + +-- Only one active secret per application +create unique index saml_application_secrets__unique_active_secret + on saml_application_secrets (application_id, active) + where active;