huanld/speckle-server
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
edf74ee9df0ae3d159df4e01be31a1aef21a841f
speckle-server/packages/server/modules/workspaces/services/management.ts
T
Gergő Jedlicska 08e941f8af Poor man's SSO (#2641) 
* Implemented workspace general page

* Added notifications to user input

* Allowed non-admins to view but not edit

* Added redirect to homeroute

* Fixed validation

* Squashed commit of the following:

commit 7bf14ab8af0f76b4c9d0aa87fc08085af7c34959
Author: Chuck Driesler <chuck@speckle.systems>
Date:   Tue Aug 6 19:40:50 2024 +0200

    mob next [ci-skip] [ci skip] [skip ci]

    lastFile:packages/server/modules/workspacesCore/migrations/20240806160740_workspace_domains.ts

commit 8aa3fb0cb052c10eeeb83bf9874ae0d1c065e480
Author: Alessandro Magionami <alessandro.magionami@gmail.com>
Date:   Tue Aug 6 18:54:15 2024 +0200

    mob next [ci-skip] [ci skip] [skip ci]

    lastFile:packages/server/modules/core/domain/userEmails/operations.ts

commit 66dfd0cf6c15a789c8f96a65a3168323e83a7b9e
Author: Chuck Driesler <chuck@speckle.systems>
Date:   Tue Aug 6 18:30:22 2024 +0200

    mob next [ci-skip] [ci skip] [skip ci]

    lastFile:packages/server/modules/workspacesCore/domain/types.ts

Co-authored-by: Alessandro Magionami <alessandro.magionami@gmail.com>

* Move General to workspaces folder

* feat(workspaces): inputs on security section

* feat(workspaces): add domain to workspace mutation

* chore(workspaces): add blocked domains list

* fix(workspaces): modals with buttons

* feat(workspaceDomains): delete domain

* fix(workspaces): use  mutation

* fix(workspaces): present user verified domains as options

* Moved sidebar menu to a composable

* Added coming soon tag back

* feat(workspaces): create domains resolver for workspace

* chore(workspaces): fix tests

* chore(workspaces): fix types

* chore(workspaces): fix linter

* fix(workspaces): do some delete I think

* chore(workspaces): add domainBasedMembershipProtectionEnabled field to workspace

* chore(workspaces): improve validation for email domain

* fix(workspace): query and do the thing

* chore(workspaces): add graphql schema for domainBasedMembershipProtection

* chore(workspaces): lint and test failures

* fix(workspaces): test issues w new field

* feat(workspaces): add discoverability flag

* chore(workspaces): they made me do it

* feat(workspaces): enable toggling domain protection

* feat(workspaces): add discoverability toggle to workspace settings

* feat(workspace): auto enable discoverability on first domain registration

* feat(workspace): discoverability toggle fixes

* fix(eventBus): fix tests

* feat(workspaces): user discoverable workspaces (#2620)

* feat(workspaces): it works just trust me

* fix(workspaces): don't worry about it

* fix(workspaces); happy path success

* fix(workspaces): almost there

* fix(workspaces): successful tests!

* fix(workspaces): we have DISCOVERED (#2621)

* Fixed linting issue

* Updated query

* Updated validation rules

* Updated validation rules

* Fix unsaved file with type export

* Addressed PR comments

* Updated cache

* Updated item classes, add fragment back

* Gergo/web 1574 join workspaces via discovery (#2623)

* chore(useremails): add find verified emails by user function

* chore(workspace): table helper for workspace domains

* chore(workspace): get workspace with domains function

* chore(workspace): test get workspace with domains function

* feat(workspace): restrict workspace membership when updating workspace role

* chore(workspaces): fix types

* feat(workspaces): WIP join

* feat(workspaces): join button makes u join

* chore(useremails): fix type for find verified emails function

* feat(workspaces): join

* feat(workspace): prevent inviting user without email matching domain

* chore(workspaces): fix linter

* fix(workspaces): invoke join (gergo wrote this)

* fuck

* fix(workspaces): properly get discoverable workspaces

* fix(workspaces): test

---------

Co-authored-by: Gergő Jedlicska <gergo@jedlicska.com>
Co-authored-by: Chuck Driesler <chuck@speckle.systems>

* fix(workspaces): some query stuff

* fix(workspaces): mutate cache instead of refetch

* fix(workspaces): more adjustments to gql query and fragment structure

* fix(workspaces): queries, style, structure

* fix(workspaces): match discoverability with current styles

* chore(workspaces): lint lint lint

* fix(workspaces): got it twisted

* chore(workspaces): fix test

* fix(workspaces): route to joined workspace on join

---------

Co-authored-by: Mike Tasset <mike.tasset@gmail.com>
Co-authored-by: Chuck Driesler <chuck@speckle.systems>
Co-authored-by: Alessandro Magionami <alessandro.magionami@gmail.com>
2024-08-26 13:33:16 +02:00

469 lines
14 KiB
TypeScript
Raw Blame History

import { WorkspaceEvents } from '@/modules/workspacesCore/domain/events'
import {
DeleteWorkspace,
EmitWorkspaceEvent,
GetWorkspace,
StoreWorkspaceDomain,
QueryAllWorkspaceProjects,
UpsertWorkspace,
UpsertWorkspaceRole,
GetWorkspaceWithDomains,
GetWorkspaceDomains
} from '@/modules/workspaces/domain/operations'
import {
Workspace,
WorkspaceAcl,
WorkspaceDomain
} from '@/modules/workspacesCore/domain/types'
import { MaybeNullOrUndefined, Roles } from '@speckle/shared'
import cryptoRandomString from 'crypto-random-string'
import {
deleteStream,
grantStreamPermissions as repoGrantStreamPermissions,
revokeStreamPermissions as repoRevokeStreamPermissions
} from '@/modules/core/repositories/streams'
import { getStreams as serviceGetStreams } from '@/modules/core/services/streams'
import {
DeleteWorkspaceRole,
GetWorkspaceRoleForUser,
GetWorkspaceRoles
} from '@/modules/workspaces/domain/operations'
import {
WorkspaceAdminRequiredError,
WorkspaceDomainBlockedError,
WorkspaceNotFoundError,
WorkspaceProtectedError,
WorkspaceUnverifiedDomainError,
WorkspaceInvalidDescriptionError
} from '@/modules/workspaces/errors/workspace'
import {
isUserLastWorkspaceAdmin,
mapWorkspaceRoleToProjectRole
} from '@/modules/workspaces/helpers/roles'
import { queryAllWorkspaceProjectsFactory } from '@/modules/workspaces/services/projects'
import { EventBus } from '@/modules/shared/services/eventBus'
import { removeNullOrUndefinedKeys } from '@speckle/shared'
import { isNewResourceAllowed } from '@/modules/core/helpers/token'
import {
TokenResourceIdentifier,
TokenResourceIdentifierType
} from '@/modules/core/domain/tokens/types'
import { ForbiddenError } from '@/modules/shared/errors'
import { validateImageString } from '@/modules/workspaces/helpers/images'
import {
FindEmailsByUserId,
FindVerifiedEmailsByUserId
} from '@/modules/core/domain/userEmails/operations'
import { blockedDomains } from '@/modules/workspaces/helpers/blockedDomains'
import { DeleteAllResourceInvites } from '@/modules/serverinvites/domain/operations'
import { WorkspaceInviteResourceType } from '@/modules/workspaces/domain/constants'
import { ProjectInviteResourceType } from '@/modules/serverinvites/domain/constants'
import { chunk, isEmpty } from 'lodash'
type WorkspaceCreateArgs = {
userId: string
workspaceInput: {
name: string
description: string | null
logo: string | null
defaultLogoIndex: number
}
userResourceAccessLimits: MaybeNullOrUndefined<TokenResourceIdentifier[]>
}
export const createWorkspaceFactory =
({
upsertWorkspace,
upsertWorkspaceRole,
emitWorkspaceEvent
}: {
upsertWorkspace: UpsertWorkspace
upsertWorkspaceRole: UpsertWorkspaceRole
emitWorkspaceEvent: EventBus['emit']
}) =>
async ({
userId,
workspaceInput,
userResourceAccessLimits
}: WorkspaceCreateArgs): Promise<Workspace> => {
if (
!isNewResourceAllowed({
resourceType: TokenResourceIdentifierType.Workspace,
resourceAccessRules: userResourceAccessLimits
})
) {
throw new ForbiddenError('You are not authorized to create a workspace')
}
const workspace = {
...workspaceInput,
id: cryptoRandomString({ length: 10 }),
createdAt: new Date(),
updatedAt: new Date(),
domainBasedMembershipProtectionEnabled: false,
discoverabilityEnabled: false
}
await upsertWorkspace({ workspace })
// assign the creator as workspace administrator
await upsertWorkspaceRole({
userId,
role: Roles.Workspace.Admin,
workspaceId: workspace.id
})
// emit a workspace created event
await emitWorkspaceEvent({
eventName: WorkspaceEvents.Created,
payload: { ...workspace, createdByUserId: userId }
})
return { ...workspace }
}
type WorkspaceUpdateArgs = {
workspaceId: string
workspaceInput: {
name?: string | null
description?: string | null
logo?: string | null
defaultLogoIndex?: number | null
discoverabilityEnabled?: boolean | null
domainBasedMembershipProtectionEnabled?: boolean | null
}
}
export const updateWorkspaceFactory =
({
getWorkspace,
upsertWorkspace,
emitWorkspaceEvent
}: {
getWorkspace: GetWorkspace
upsertWorkspace: UpsertWorkspace
emitWorkspaceEvent: EventBus['emit']
}) =>
async ({ workspaceId, workspaceInput }: WorkspaceUpdateArgs): Promise<Workspace> => {
// Get existing workspace to merge with incoming changes
const currentWorkspace = await getWorkspace({ workspaceId })
if (!currentWorkspace) {
throw new WorkspaceNotFoundError()
}
// Validate incoming changes
if (!!workspaceInput.logo) {
validateImageString(workspaceInput.logo)
}
if (isEmpty(workspaceInput.name)) {
// Do not allow setting an empty name (empty descriptions allowed)
delete workspaceInput.name
}
if (!!workspaceInput.description && workspaceInput.description.length > 512) {
throw new WorkspaceInvalidDescriptionError()
}
const workspace = {
...currentWorkspace,
...removeNullOrUndefinedKeys(workspaceInput),
updatedAt: new Date()
}
await upsertWorkspace({ workspace })
await emitWorkspaceEvent({ eventName: WorkspaceEvents.Updated, payload: workspace })
return workspace
}
type WorkspaceDeleteArgs = {
workspaceId: string
}
export const deleteWorkspaceFactory =
({
deleteWorkspace,
deleteProject,
queryAllWorkspaceProjects,
deleteAllResourceInvites
}: {
deleteWorkspace: DeleteWorkspace
deleteProject: typeof deleteStream
queryAllWorkspaceProjects: QueryAllWorkspaceProjects
deleteAllResourceInvites: DeleteAllResourceInvites
}) =>
async ({ workspaceId }: WorkspaceDeleteArgs): Promise<void> => {
// Cache project ids for post-workspace-delete cleanup
const projectIds: string[] = []
for await (const projects of queryAllWorkspaceProjects({ workspaceId })) {
projectIds.push(...projects.map((project) => project.id))
}
await Promise.all([
deleteWorkspace({ workspaceId }),
deleteAllResourceInvites({
resourceId: workspaceId,
resourceType: WorkspaceInviteResourceType
}),
...projectIds.map((projectId) =>
deleteAllResourceInvites({
resourceId: projectId,
resourceType: ProjectInviteResourceType
})
)
])
// Workspace delete cascades project delete, but some manual cleanup is required
// We re-use `deleteStream` (and re-delete the project) to DRY this manual cleanup
for (const projectIdsChunk of chunk(projectIds, 25)) {
await Promise.all(projectIdsChunk.map((projectId) => deleteProject(projectId)))
}
}
type WorkspaceRoleDeleteArgs = {
userId: string
workspaceId: string
}
export const deleteWorkspaceRoleFactory =
({
getWorkspaceRoles,
deleteWorkspaceRole,
emitWorkspaceEvent,
getStreams,
revokeStreamPermissions
}: {
getWorkspaceRoles: GetWorkspaceRoles
deleteWorkspaceRole: DeleteWorkspaceRole
emitWorkspaceEvent: EmitWorkspaceEvent
getStreams: typeof serviceGetStreams
revokeStreamPermissions: typeof repoRevokeStreamPermissions
}) =>
async ({
workspaceId,
userId
}: WorkspaceRoleDeleteArgs): Promise<WorkspaceAcl | null> => {
// Protect against removing last admin
const workspaceRoles = await getWorkspaceRoles({ workspaceId })
if (isUserLastWorkspaceAdmin(workspaceRoles, userId)) {
throw new WorkspaceAdminRequiredError()
}
// Perform delete
const deletedRole = await deleteWorkspaceRole({ userId, workspaceId })
if (!deletedRole) {
return null
}
// Delete workspace project roles
const queryAllWorkspaceProjectsGenerator = queryAllWorkspaceProjectsFactory({
getStreams
})
for await (const projectsPage of queryAllWorkspaceProjectsGenerator({
workspaceId
})) {
await Promise.all(
projectsPage.map(({ id: streamId }) =>
revokeStreamPermissions({ streamId, userId })
)
)
}
// Emit deleted role
await emitWorkspaceEvent({
eventName: WorkspaceEvents.RoleDeleted,
payload: deletedRole
})
return deletedRole
}
type WorkspaceRoleGetArgs = {
userId: string
workspaceId: string
}
export const getWorkspaceRoleFactory =
({ getWorkspaceRoleForUser }: { getWorkspaceRoleForUser: GetWorkspaceRoleForUser }) =>
async ({
userId,
workspaceId
}: WorkspaceRoleGetArgs): Promise<WorkspaceAcl | null> => {
return await getWorkspaceRoleForUser({ userId, workspaceId })
}
export const updateWorkspaceRoleFactory =
({
getWorkspaceRoles,
getWorkspaceWithDomains,
findVerifiedEmailsByUserId,
upsertWorkspaceRole,
emitWorkspaceEvent,
getStreams,
grantStreamPermissions
}: {
getWorkspaceRoles: GetWorkspaceRoles
getWorkspaceWithDomains: GetWorkspaceWithDomains
findVerifiedEmailsByUserId: FindVerifiedEmailsByUserId
upsertWorkspaceRole: UpsertWorkspaceRole
emitWorkspaceEvent: EmitWorkspaceEvent
// TODO: Create `core` domain and import type from there
getStreams: typeof serviceGetStreams
grantStreamPermissions: typeof repoGrantStreamPermissions
}) =>
async ({
workspaceId,
userId,
role,
skipProjectRoleUpdatesFor
}: WorkspaceAcl & {
/**
* If this gets triggered from a project role update, we don't want to override that project's role to the default one
*/
skipProjectRoleUpdatesFor?: string[]
}): Promise<void> => {
// Protect against removing last admin
const workspaceRoles = await getWorkspaceRoles({ workspaceId })
if (
isUserLastWorkspaceAdmin(workspaceRoles, userId) &&
role !== Roles.Workspace.Admin
) {
throw new WorkspaceAdminRequiredError()
}
if (role !== Roles.Workspace.Guest) {
const workspace = await getWorkspaceWithDomains({ id: workspaceId })
const verifiedDomains = workspace?.domains.filter((domain) => domain?.verified)
if (
workspace &&
verifiedDomains &&
workspace?.domainBasedMembershipProtectionEnabled &&
verifiedDomains.length > 0
) {
const domains = new Set<string>(verifiedDomains.map((vd) => vd.domain))
const verifiedUserEmails = await findVerifiedEmailsByUserId({ userId })
const domainMatching = verifiedUserEmails.find((userEmail) =>
domains.has(userEmail.email.split('@')[1])
)
if (!domainMatching) {
throw new WorkspaceProtectedError()
}
}
}
// Perform upsert
await upsertWorkspaceRole({ userId, workspaceId, role })
// Emit new role
await emitWorkspaceEvent({
eventName: WorkspaceEvents.RoleUpdated,
payload: { userId, workspaceId, role }
})
// Apply initial project role to existing workspace projects
const isFirstWorkspaceRole = !workspaceRoles.some((role) => role.userId === userId)
if (!isFirstWorkspaceRole || role === Roles.Workspace.Guest) {
// Guests do not get roles for existing workspace projects
return
}
const queryAllWorkspaceProjectsGenerator = queryAllWorkspaceProjectsFactory({
getStreams
})
const projectRole = mapWorkspaceRoleToProjectRole(role)
for await (const projectsPage of queryAllWorkspaceProjectsGenerator({
workspaceId
})) {
await Promise.all(
projectsPage.map(({ id: streamId }) => {
if (skipProjectRoleUpdatesFor?.includes(streamId)) {
return
}
return grantStreamPermissions({ streamId, userId, role: projectRole })
})
)
}
}
export const addDomainToWorkspaceFactory =
({
findEmailsByUserId,
storeWorkspaceDomain,
getWorkspace,
upsertWorkspace,
emitWorkspaceEvent,
getDomains
}: {
findEmailsByUserId: FindEmailsByUserId
storeWorkspaceDomain: StoreWorkspaceDomain
getWorkspace: GetWorkspace
upsertWorkspace: UpsertWorkspace
getDomains: GetWorkspaceDomains
emitWorkspaceEvent: EventBus['emit']
}) =>
async ({
userId,
domain,
workspaceId
}: {
userId: string
domain: string
workspaceId: string
}) => {
// this function makes the assumption, that the user has a workspace admin role
const sanitizedDomain = domain.toLowerCase().trim()
if (blockedDomains.includes(sanitizedDomain))
throw new WorkspaceDomainBlockedError()
const userEmails = await findEmailsByUserId({
userId
})
const email = userEmails.find(
(userEmail) =>
userEmail.verified && userEmail.email.split('@')[1] === sanitizedDomain
)
if (!email) {
throw new WorkspaceUnverifiedDomainError()
}
// we're treating all user owned domains as verified, cause they have it in their verified emails list
const verified = true
const workspaceWithRole = await getWorkspace({ workspaceId, userId })
if (!workspaceWithRole) throw new WorkspaceAdminRequiredError()
const { role, ...workspace } = workspaceWithRole
if (role !== Roles.Workspace.Admin) {
throw new WorkspaceAdminRequiredError()
}
const domains = await getDomains({ workspaceIds: [workspaceId] })
// idempotent operation
if (domains.find((domain) => domain.domain === sanitizedDomain)) return
const workspaceDomain: WorkspaceDomain = {
workspaceId,
id: cryptoRandomString({ length: 10 }),
domain: sanitizedDomain,
createdByUserId: userId,
createdAt: new Date(),
updatedAt: new Date(),
verified
}
await storeWorkspaceDomain({ workspaceDomain })
if (domains.length === 0) {
await upsertWorkspace({
workspace: { ...workspace, discoverabilityEnabled: true }
})
}
await emitWorkspaceEvent({
eventName: WorkspaceEvents.Updated,
payload: workspace
})
}
Reference in New Issue View Git Blame Copy Permalink