feat(sso): protect access with sso sessions

packages/server/modules/workspaces/errors/sso.ts

@@ -1,5 +1,12 @@
 import { BaseError } from '@/modules/shared/errors/base'
 
+export class SsoSessionMissingOrExpiredError extends BaseError {
+  static defaultMessage =
+    'No valid SSO session found for the given workspace. Please sign in.'
+  static code = 'SSO_SESSION_MISSING_OR_EXPIRED_ERROR'
+  static statusCode = 401
+}
+
 export class SsoVerificationCodeMissingError extends BaseError {
   static defaultMessage = 'Cannot find verification token. Restart authentication flow.'
   static code = 'SSO_VERIFICATION_CODE_MISSING_ERROR'

packages/server/modules/workspaces/events/eventListener.ts

@@ -10,6 +10,8 @@ import {
   upsertProjectRoleFactory
 } from '@/modules/core/repositories/streams'
 import {
+  GetWorkspace,
+  GetWorkspaceRoleForUser,
   GetWorkspaceRoles,
   GetWorkspaceRoleToDefaultProjectRoleMapping,
   QueryAllWorkspaceProjects
@@ -35,6 +37,7 @@ import { WorkspaceEvents } from '@/modules/workspacesCore/domain/events'
 import { Knex } from 'knex'
 import {
   getWorkspaceFactory,
+  getWorkspaceRoleForUserFactory,
   getWorkspaceRolesFactory,
   getWorkspaceWithDomainsFactory,
   upsertWorkspaceRoleFactory
@@ -46,6 +49,17 @@ import {
 import { withTransaction } from '@/modules/shared/helpers/dbHelper'
 import { findVerifiedEmailsByUserIdFactory } from '@/modules/core/repositories/userEmails'
 import { GetStream } from '@/modules/core/domain/streams/operations'
+import {
+  GetUserSsoSession,
+  GetWorkspaceSsoProviderRecord
+} from '@/modules/workspaces/domain/sso/operations'
+import { isValidSsoSession } from '@/modules/workspaces/domain/sso/logic'
+import { SsoSessionMissingOrExpiredError } from '@/modules/workspaces/errors/sso'
+import {
+  getUserSsoSessionFactory,
+  getWorkspaceSsoProviderRecordFactory
+} from '@/modules/workspaces/repositories/sso'
+import { WorkspacesNotAuthorizedError } from '@/modules/workspaces/errors/workspace'
 
 export const onProjectCreatedFactory =
   ({
@@ -131,6 +145,35 @@ export const onInviteFinalizedFactory =
     })
   }
 
+export const onWorkspaceAuthorizedFactory =
+  ({
+    getWorkspace,
+    getWorkspaceRoleForUser,
+    getWorkspaceSsoProviderRecord,
+    getUserSsoSession
+  }: {
+    getWorkspace: GetWorkspace
+    getWorkspaceRoleForUser: GetWorkspaceRoleForUser
+    getWorkspaceSsoProviderRecord: GetWorkspaceSsoProviderRecord
+    getUserSsoSession: GetUserSsoSession
+  }) =>
+  async ({ userId, workspaceId }: { userId: string | null; workspaceId: string }) => {
+    if (!userId) throw new WorkspacesNotAuthorizedError()
+
+    // Guests cannot use (and are not restricted by) SSO
+    const workspaceRole = await getWorkspaceRoleForUser({ userId, workspaceId })
+    if (workspaceRole?.role === Roles.Workspace.Guest) return
+
+    const provider = await getWorkspaceSsoProviderRecord({ workspaceId })
+    if (!provider) return
+
+    const session = await getUserSsoSession({ userId, workspaceId })
+    if (!session || !isValidSsoSession(session)) {
+      const workspace = await getWorkspace({ workspaceId })
+      throw new SsoSessionMissingOrExpiredError(workspace?.slug)
+    }
+  }
+
 export const onWorkspaceRoleDeletedFactory =
   ({
     queryAllWorkspaceProjects,
@@ -244,6 +287,15 @@ export const initializeEventListenersFactory =
         })
         await onInviteFinalized(payload)
       }),
+      eventBus.listen(WorkspaceEvents.Authorized, async ({ payload }) => {
+        const onWorkspaceAuthorized = onWorkspaceAuthorizedFactory({
+          getWorkspace: getWorkspaceFactory({ db }),
+          getWorkspaceRoleForUser: getWorkspaceRoleForUserFactory({ db }),
+          getWorkspaceSsoProviderRecord: getWorkspaceSsoProviderRecordFactory({ db }),
+          getUserSsoSession: getUserSsoSessionFactory({ db })
+        })
+        await onWorkspaceAuthorized(payload)
+      }),
       eventBus.listen(WorkspaceEvents.RoleDeleted, async ({ payload }) => {
         const trx = await db.transaction()
         const onWorkspaceRoleDeleted = onWorkspaceRoleDeletedFactory({

packages/server/modules/workspaces/repositories/sso.ts

@@ -167,6 +167,7 @@ export const listWorkspaceSsoMembershipsFactory =
       .where((builder) => {
         builder.where({ userId })
         builder.whereNotNull('providerId')
+        builder.whereNot('role', 'workspace:guest')
       })
     return workspaces
   }

packages/server/modules/workspaces/tests/integration/sso.graph.spec.ts

@@ -0,0 +1,251 @@
+import {
+  assignToWorkspaces,
+  BasicTestWorkspace,
+  createTestOidcProvider,
+  createTestSsoSession,
+  createTestWorkspaces
+} from '@/modules/workspaces/tests/helpers/creation'
+import {
+  BasicTestUser,
+  createAuthTokenForUser,
+  createTestUsers
+} from '@/test/authHelper'
+import {
+  ActiveUserExpiredSsoSessionsDocument,
+  GetActiveUserWorkspacesDocument,
+  GetProjectDocument,
+  GetWorkspaceDocument,
+  GetWorkspaceProjectsDocument,
+  GetWorkspaceSsoDocument
+} from '@/test/graphql/generated/graphql'
+import {
+  createTestContext,
+  testApolloServer,
+  TestApolloServer
+} from '@/test/graphqlHelper'
+import { truncateTables } from '@/test/hooks'
+import { BasicTestStream, createTestStream } from '@/test/speckle-helpers/streamHelper'
+import { AllScopes, Roles } from '@speckle/shared'
+import { expect } from 'chai'
+import cryptoRandomString from 'crypto-random-string'
+
+describe('Workspace SSO', () => {
+  let memberApollo: TestApolloServer
+  let guestApollo: TestApolloServer
+
+  const workspaceAdmin: BasicTestUser = {
+    id: '',
+    name: 'John Admin',
+    email: `${cryptoRandomString({ length: 9 })}@example.org`,
+    role: Roles.Server.Admin
+  }
+
+  const workspaceMember: BasicTestUser = {
+    id: '',
+    name: 'John Member',
+    email: `${cryptoRandomString({ length: 9 })}@example.org`
+  }
+
+  const workspaceGuest: BasicTestUser = {
+    id: '',
+    name: 'John Guest',
+    email: `${cryptoRandomString({ length: 9 })}@example.org`
+  }
+
+  const testWorkspaceWithSso: BasicTestWorkspace = {
+    id: '',
+    ownerId: '',
+    name: 'Test SSO Workspace',
+    slug: 'gql-sso-workspace'
+  }
+  let testWorkspaceWithSsoProviderId = ''
+  let testWorkspaceWithSsoProjectId = ''
+
+  const testWorkspaceWithoutSso: BasicTestWorkspace = {
+    id: '',
+    ownerId: '',
+    name: 'Test Non-SSO Workspace',
+    slug: 'gql-no-sso-workspace'
+  }
+
+  before(async () => {
+    await createTestUsers([workspaceAdmin, workspaceMember, workspaceGuest])
+    await createTestWorkspaces([
+      [testWorkspaceWithSso, workspaceAdmin],
+      [testWorkspaceWithoutSso, workspaceAdmin]
+    ])
+    testWorkspaceWithSsoProviderId = await createTestOidcProvider(
+      testWorkspaceWithSso.id
+    )
+
+    await assignToWorkspaces([
+      [testWorkspaceWithSso, workspaceMember, Roles.Workspace.Member],
+      [testWorkspaceWithSso, workspaceGuest, Roles.Workspace.Guest],
+      [testWorkspaceWithoutSso, workspaceMember, Roles.Workspace.Member],
+      [testWorkspaceWithoutSso, workspaceGuest, Roles.Workspace.Guest]
+    ])
+
+    memberApollo = await testApolloServer({
+      context: createTestContext({
+        auth: true,
+        userId: workspaceMember.id,
+        token: await createAuthTokenForUser(workspaceMember.id),
+        role: Roles.Server.User,
+        scopes: AllScopes
+      })
+    })
+    guestApollo = await testApolloServer({
+      context: createTestContext({
+        auth: true,
+        userId: workspaceGuest.id,
+        token: await createAuthTokenForUser(workspaceGuest.id),
+        role: Roles.Server.User,
+        scopes: AllScopes
+      })
+    })
+
+    const testProject: BasicTestStream = {
+      id: '',
+      ownerId: '',
+      isPublic: false,
+      name: 'Workspace Project',
+      workspaceId: testWorkspaceWithSso.id
+    }
+
+    await createTestStream(testProject, workspaceAdmin)
+    testWorkspaceWithSsoProjectId = testProject.id
+  })
+
+  afterEach(async () => {
+    truncateTables(['user_sso_sessions'])
+  })
+
+  describe('given a workspace with SSO configured', () => {
+    describe('when a workspace member requests workspace information', () => {
+      describe('with a valid SSO session', () => {
+        beforeEach(async () => {
+          await createTestSsoSession(workspaceMember.id, testWorkspaceWithSso.id)
+        })
+
+        it('should allow the request', async () => {
+          const res = await memberApollo.execute(GetWorkspaceDocument, {
+            workspaceId: testWorkspaceWithSso.id
+          })
+
+          expect(res).to.not.haveGraphQLErrors()
+          expect(res.data?.workspace.slug).to.equal('gql-sso-workspace')
+        })
+
+        it('should provide active SSO session information on workspace type', async () => {
+          const res = await memberApollo.execute(GetWorkspaceSsoDocument, {
+            id: testWorkspaceWithSso.id
+          })
+
+          expect(res).to.not.haveGraphQLErrors()
+          expect(res.data?.workspace.sso).to.not.be.undefined
+          expect(res.data?.workspace.sso?.provider?.id).to.equal(
+            testWorkspaceWithSsoProviderId
+          )
+          expect(res.data?.workspace.sso?.session).to.not.be.undefined
+        })
+      })
+
+      describe('without a valid SSO session', () => {
+        it('should throw and provide redirect information', async () => {
+          const resA = await memberApollo.execute(GetWorkspaceDocument, {
+            workspaceId: testWorkspaceWithSso.id
+          })
+          const resB = await memberApollo.execute(GetWorkspaceProjectsDocument, {
+            id: testWorkspaceWithSso.id
+          })
+          const resC = await memberApollo.execute(GetProjectDocument, {
+            id: testWorkspaceWithSsoProjectId
+          })
+
+          for (const res of [resA, resB, resC]) {
+            expect(res).to.haveGraphQLErrors({ message: 'gql-sso-workspace' })
+            expect(res).to.haveGraphQLErrors({
+              code: 'SSO_SESSION_MISSING_OR_EXPIRED_ERROR'
+            })
+          }
+        })
+
+        it('should allow limited access to workspace memberships', async () => {
+          const res = await memberApollo.execute(GetActiveUserWorkspacesDocument, {})
+
+          expect(res).to.not.haveGraphQLErrors()
+          expect(res.data?.activeUser?.workspaces.items.length).to.equal(2)
+        })
+
+        it('should surface expired session', async () => {
+          const res = await memberApollo.execute(
+            ActiveUserExpiredSsoSessionsDocument,
+            {}
+          )
+
+          expect(res).to.not.haveGraphQLErrors()
+          expect(res.data?.activeUser?.expiredSsoSessions.length).to.equal(1)
+          expect(res.data?.activeUser?.expiredSsoSessions[0].slug).to.equal(
+            'gql-sso-workspace'
+          )
+        })
+      })
+    })
+
+    describe('when a workspace guest requests workspace information', () => {
+      describe('without a valid SSO session', () => {
+        it('should allow the request', async () => {
+          const res = await guestApollo.execute(GetWorkspaceDocument, {
+            workspaceId: testWorkspaceWithSso.id
+          })
+
+          expect(res).to.not.haveGraphQLErrors()
+          expect(res.data?.workspace.slug).to.equal('gql-sso-workspace')
+        })
+
+        it('should not show the workspace as an expired SSO session', async () => {
+          const res = await guestApollo.execute(
+            ActiveUserExpiredSsoSessionsDocument,
+            {}
+          )
+
+          expect(res).to.not.haveGraphQLErrors()
+          expect(res.data?.activeUser?.expiredSsoSessions.length).to.equal(0)
+        })
+      })
+    })
+  })
+
+  describe('given a workspace without SSO configured', () => {
+    describe('when a workspace member requests workspace information', () => {
+      it('should allow the request', async () => {
+        const res = await memberApollo.execute(GetWorkspaceDocument, {
+          workspaceId: testWorkspaceWithoutSso.id
+        })
+
+        expect(res).to.not.haveGraphQLErrors()
+        expect(res.data?.workspace.slug).to.equal('gql-no-sso-workspace')
+      })
+
+      it('should return workspace provider information as `null`', async () => {
+        const res = await memberApollo.execute(GetWorkspaceSsoDocument, {
+          id: testWorkspaceWithoutSso.id
+        })
+
+        expect(res).to.not.haveGraphQLErrors()
+        expect(res.data?.workspace.sso).to.be.null
+      })
+    })
+
+    describe('when a workspace guest requests workspace information', () => {
+      it('should allow the request', async () => {
+        const res = await guestApollo.execute(GetWorkspaceDocument, {
+          workspaceId: testWorkspaceWithoutSso.id
+        })
+
+        expect(res).to.not.haveGraphQLErrors()
+        expect(res.data?.workspace.slug).to.equal('gql-no-sso-workspace')
+      })
+    })
+  })
+})