feat(sso): allow to use OIDC and SAML (#7246)

## What it does ### Backend - [x] Add a mutation to create OIDC and SAML configuration - [x] Add a mutation to delete an SSO config - [x] Add a feature flag to toggle SSO - [x] Add a mutation to activate/deactivate an SSO config - [x] Add a mutation to delete an SSO config - [x] Add strategy to use OIDC or SAML - [ ] Improve error management ### Frontend - [x] Add section "security" in settings - [x] Add page to list SSO configurations - [x] Add page and forms to create OIDC or SAML configuration - [x] Add field to "connect with SSO" in the signin/signup process - [x] Trigger auth when a user switch to a workspace with SSO enable - [x] Add an option on the security page to activate/deactivate the global invitation link - [ ] Add new Icons for SSO Identity Providers (okta, Auth0, Azure, Microsoft) --------- Co-authored-by: Félix Malfait <felix@twenty.com> Co-authored-by: Charles Bochet <charles@twenty.com>
2024-10-21 20:07:08 +02:00
parent 11c3f1c399
commit 0f0a7966b1
132 changed files with 5245 additions and 306 deletions
--- a/packages/twenty-front/src/modules/settings/security/utils/tests/parseSAMLMetadataFromXMLFile.test.ts
+++ b/packages/twenty-front/src/modules/settings/security/utils/tests/parseSAMLMetadataFromXMLFile.test.ts
@ -0,0 +1,39 @@
+/* @license Enterprise */
+
+import { parseSAMLMetadataFromXMLFile } from '../parseSAMLMetadataFromXMLFile';
+
+describe('parseSAMLMetadataFromXMLFile', () => {
+  it('should parse SAML metadata from XML file', () => {
+    const xmlString = `<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://test.com" validUntil="2026-02-04T17:46:23.000Z">
+    <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <md:KeyDescriptor use="signing">
+            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                <ds:X509Data>
+                    <ds:X509Certificate>test</ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </md:KeyDescriptor>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.com"/>
+        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.com"/>
+    </md:IDPSSODescriptor>
+</md:EntityDescriptor>`;
+    const result = parseSAMLMetadataFromXMLFile(xmlString);
+    expect(result).toEqual({
+      success: true,
+      data: {
+        entityID: 'https://test.com',
+        ssoUrl: 'https://test.com',
+        certificate: 'test',
+      },
+    });
+  });
+  it('should return error if XML is invalid', () => {
+    const xmlString = 'invalid xml';
+    const result = parseSAMLMetadataFromXMLFile(xmlString);
+    expect(result).toEqual({
+      success: false,
+      error: new Error('Error parsing XML'),
+    });
+  });
+});
--- a/packages/twenty-front/src/modules/settings/security/utils/getColorBySSOIdentityProviderStatus.ts
+++ b/packages/twenty-front/src/modules/settings/security/utils/getColorBySSOIdentityProviderStatus.ts
@ -0,0 +1,13 @@
+/* @license Enterprise */
+
+import { ThemeColor } from 'twenty-ui';
+import { SsoIdentityProviderStatus } from '~/generated/graphql';
+
+export const getColorBySSOIdentityProviderStatus: Record<
+  SsoIdentityProviderStatus,
+  ThemeColor
+> = {
+  Active: 'green',
+  Inactive: 'gray',
+  Error: 'red',
+};
--- a/packages/twenty-front/src/modules/settings/security/utils/guessSSOIdentityProviderIconByUrl.ts
+++ b/packages/twenty-front/src/modules/settings/security/utils/guessSSOIdentityProviderIconByUrl.ts
@ -0,0 +1,13 @@
+/* @license Enterprise */
+
+import { IconComponent, IconGoogle, IconKey } from 'twenty-ui';
+
+export const guessSSOIdentityProviderIconByUrl = (
+  url: string,
+): IconComponent => {
+  if (url.includes('google')) {
+    return IconGoogle;
+  }
+
+  return IconKey;
+};
--- a/packages/twenty-front/src/modules/settings/security/utils/parseSAMLMetadataFromXMLFile.ts
+++ b/packages/twenty-front/src/modules/settings/security/utils/parseSAMLMetadataFromXMLFile.ts
@ -0,0 +1,59 @@
+/* @license Enterprise */
+
+import { z } from 'zod';
+
+const validator = z.object({
+  entityID: z.string().url(),
+  ssoUrl: z.string().url(),
+  certificate: z.string().min(1),
+});
+
+export const parseSAMLMetadataFromXMLFile = (
+  xmlString: string,
+):
+  | { success: true; data: z.infer<typeof validator> }
+  | { success: false; error: unknown } => {
+  try {
+    const parser = new DOMParser();
+    const xmlDoc = parser.parseFromString(xmlString, 'application/xml');
+
+    if (xmlDoc.getElementsByTagName('parsererror').length > 0) {
+      throw new Error('Error parsing XML');
+    }
+
+    const entityDescriptor = xmlDoc.getElementsByTagName(
+      'md:EntityDescriptor',
+    )?.[0];
+    const idpSSODescriptor = xmlDoc.getElementsByTagName(
+      'md:IDPSSODescriptor',
+    )?.[0];
+    const keyDescriptor = xmlDoc.getElementsByTagName('md:KeyDescriptor')[0];
+    const keyInfo = keyDescriptor.getElementsByTagName('ds:KeyInfo')[0];
+    const x509Data = keyInfo.getElementsByTagName('ds:X509Data')[0];
+    const x509Certificate = x509Data
+      .getElementsByTagName('ds:X509Certificate')?.[0]
+      .textContent?.trim();
+
+    const singleSignOnServices = Array.from(
+      idpSSODescriptor.getElementsByTagName('md:SingleSignOnService'),
+    ).map((service) => ({
+      Binding: service.getAttribute('Binding'),
+      Location: service.getAttribute('Location'),
+    }));
+
+    const result = {
+      ssoUrl: singleSignOnServices.find((singleSignOnService) => {
+        return (
+          singleSignOnService.Binding ===
+          'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
+        );
+      })?.Location,
+      certificate: x509Certificate,
+      entityID: entityDescriptor?.getAttribute('entityID'),
+    };
+
+    return { success: true, data: validator.parse(result) };
+  } catch (error) {
+    return { success: false, error };
+  }
+};
--- a/packages/twenty-front/src/modules/settings/security/utils/sSOIdentityProviderDefaultValues.ts
+++ b/packages/twenty-front/src/modules/settings/security/utils/sSOIdentityProviderDefaultValues.ts
@ -0,0 +1,25 @@
+/* @license Enterprise */
+
+import { SettingSecurityNewSSOIdentityFormValues } from '@/settings/security/types/SSOIdentityProvider';
+import { IdpType } from '~/generated/graphql';
+
+export const sSOIdentityProviderDefaultValues: Record<
+  IdpType,
+  () => SettingSecurityNewSSOIdentityFormValues
+> = {
+  SAML: () => ({
+    type: 'SAML',
+    ssoURL: '',
+    name: '',
+    id: crypto.randomUUID(),
+    certificate: '',
+    issuer: '',
+  }),
+  OIDC: () => ({
+    type: 'OIDC',
+    name: '',
+    clientID: '',
+    clientSecret: '',
+    issuer: '',
+  }),
+};