feat(schemas): add IdP initiated SAML SSO sessions table (#6663)

* feat(schemas): add idp-initiated saml sso sessions table add idp-iniaited saml sso sessions table * refactor(schemas): remove nameID index remove nameID index
2024-12-16 20:26:19 -05:00 · 2024-10-14 13:34:35 +08:00 · 2024-10-14 13:34:35 +08:00 · d4f7d098dc
commit d4f7d098dc
parent 17c2a79caf
3 changed files with 68 additions and 1 deletions
--- a/packages/schemas/alterations/next-1728526649-add-idp-initiated-saml-sso-sessions-table.ts
+++ b/packages/schemas/alterations/next-1728526649-add-idp-initiated-saml-sso-sessions-table.ts
@ -0,0 +1,36 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table idp_initiated_saml_sso_sessions (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the assertion record. */
+        id varchar(21) not null,
+        /** The identifier of the SAML SSO connector. */
+        connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        /** The SAML assertion. */
+        assertion_content jsonb /* @use SsoSamlAssertionContent */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        /** The expiration time of the assertion. */
+        expires_at timestamptz not null,
+        primary key (tenant_id, id)
+      );
+    `);
+    await applyTableRls(pool, 'idp_initiated_saml_sso_sessions');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'idp_initiated_saml_sso_sessions');
+    await pool.query(sql`
+      drop table idp_initiated_saml_sso_sessions;
+    `);
+  },
+};
+
+export default alteration;
--- a/packages/schemas/src/foundations/jsonb-types/sso-connector.ts
+++ b/packages/schemas/src/foundations/jsonb-types/sso-connector.ts
@ -10,6 +10,8 @@ export const ssoBrandingGuard = z.object({
  darkLogo: z.string().optional(),
 });

+export type SsoBranding = z.infer<typeof ssoBrandingGuard>;
+
 export const idpInitiatedAuthParamsGuard = z
  .object({
    resources: z.array(z.string()).optional(),
@ -19,4 +21,17 @@ export const idpInitiatedAuthParamsGuard = z

 export type IdpInitiatedAuthParams = z.infer<typeof idpInitiatedAuthParamsGuard>;

-export type SsoBranding = z.infer<typeof ssoBrandingGuard>;
+export const ssoSamlAssertionContentGuard = z
+  .object({
+    nameID: z.string().optional(),
+    attributes: z.record(z.string().or(z.array(z.string()))).optional(),
+    conditions: z
+      .object({
+        notBefore: z.string(),
+        notOnOrAfter: z.string(),
+      })
+      .optional(),
+  })
+  .catchall(z.unknown());
+
+export type SsoSamlAssertionContent = z.infer<typeof ssoSamlAssertionContentGuard>;
--- a/packages/schemas/tables/idp_initiated_saml_sso_sessions.sql
+++ b/packages/schemas/tables/idp_initiated_saml_sso_sessions.sql
@ -0,0 +1,16 @@
+/* init_order = 2 */
+create table idp_initiated_saml_sso_sessions (
+  tenant_id varchar(21) not null 
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the assertion record. */
+  id varchar(21) not null,
+  /** The identifier of the SAML SSO connector. */
+  connector_id varchar(128) not null
+    references sso_connectors (id) on update cascade on delete cascade,
+  /** The SAML assertion. */
+  assertion_content jsonb /* @use SsoSamlAssertionContent */ not null default '{}'::jsonb,
+  created_at timestamptz not null default(now()),
+  /** The expiration time of the assertion. */
+  expires_at timestamptz not null,
+  primary key (tenant_id, id)
+);