cal.pub0.org/packages/features/ee/sso/lib/saml.ts

import type { SAMLSSORecord, OIDCSSORecord } from "@boxyhq/saml-jackson";
import { PrismaClient } from "@prisma/client";

import { HOSTED_CAL_FEATURES } from "@calcom/lib/constants";
import { isTeamAdmin } from "@calcom/lib/server/queries/teams";
import { TRPCError } from "@calcom/trpc/server";

export const samlDatabaseUrl = process.env.SAML_DATABASE_URL || "";
export const isSAMLLoginEnabled = samlDatabaseUrl.length > 0;

export const samlTenantID = "Cal.com";
export const samlProductID = "Cal.com";
export const samlAudience = "https://saml.cal.com";
export const samlPath = "/api/auth/saml/callback";
export const oidcPath = "/api/auth/oidc";
export const clientSecretVerifier = process.env.SAML_CLIENT_SECRET_VERIFIER || "dummy";

export const hostedCal = Boolean(HOSTED_CAL_FEATURES);
export const tenantPrefix = "team-";

const samlAdmins = (process.env.SAML_ADMINS || "").split(",");

export const isSAMLAdmin = (email: string) => {
  for (const admin of samlAdmins) {
    if (admin.toLowerCase() === email.toLowerCase() && admin.toUpperCase() === email.toUpperCase()) {
      return true;
    }
  }

  return false;
};

export const samlTenantProduct = async (prisma: PrismaClient, email: string) => {
  const user = await prisma.user.findUnique({
    where: {
      email,
    },
    select: {
      id: true,
      invitedTo: true,
    },
  });

  if (!user) {
    throw new TRPCError({
      code: "UNAUTHORIZED",
      message: "no_account_exists",
    });
  }

  if (!user.invitedTo) {
    throw new TRPCError({
      code: "BAD_REQUEST",
      message:
        "Could not find a SAML Identity Provider for your email. Please contact your admin to ensure you have been given access to Cal",
    });
  }

  return {
    tenant: tenantPrefix + user.invitedTo,
    product: samlProductID,
  };
};

export const canAccess = async (user: { id: number; email: string }, teamId: number | null) => {
  const { id: userId, email } = user;

  if (!isSAMLLoginEnabled) {
    return {
      message: "To enable this feature, add value for `SAML_DATABASE_URL` and `SAML_ADMINS` to your `.env`",
      access: false,
    };
  }

  // Hosted
  if (HOSTED_CAL_FEATURES) {
    if (teamId === null || !(await isTeamAdmin(userId, teamId))) {
      return {
        message: "dont_have_permission",
        access: false,
      };
    }
  }

  // Self-hosted
  if (!HOSTED_CAL_FEATURES) {
    if (!isSAMLAdmin(email)) {
      return {
        message: "dont_have_permission",
        access: false,
      };
    }
  }

  return {
    message: "success",
    access: true,
  };
};

export type SSOConnection = (SAMLSSORecord | OIDCSSORecord) & {
  type: string;
  acsUrl: string | null;
  entityId: string | null;
  callbackUrl: string | null;
};
Support OIDC (#6661) * Support OIDC * tweak to the Configure button * fix the type import 2023-01-24 20:02:43 +00:00			`import type { SAMLSSORecord, OIDCSSORecord } from "@boxyhq/saml-jackson";`
Deprecates user plan (#5942) * Remove isMissingSeat * Removes user plan * Deprecates User Plan * Updates website * Update eventTypes.tsx 2022-12-08 23:20:24 +00:00			`import { PrismaClient } from "@prisma/client";`
Migrates all tRPC code to a monorepo package (#3484) * WIP * WIP * Type and migration fixes * Adds missing default import * Fixes import * Fixes tRPC imports in App Store * Migrate stripe helpers * WIP * Type fixes * Type fix? * Test fixes * Adds missing stripe packages * Moved queries to lib instead Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-07-22 17:27:06 +00:00
Reintroduce SAML SSO (#4938) * wip reintroduce SAML SSO * Fix the imports * wip * Some tweaks * Fix the type * Reduce the textarea height * Cleanup * Fix the access issues * Make the SAML SSO active on the sidebar * Add SP's instructions * Remove the console.log * Add the condition to check SAML SSO is enabled * Replace SAML SSO with Single Sign-On * Update to SAML feature * Upgrade the @boxyhq/saml-jackson * Fix the SAML part and other cleanup * Tweaks to SAML SSO setup * Fix the type * Fix the import path * Remove samlLoginUrl * Import fixes * Simplifies endpoints Co-authored-by: zomars <zomars@me.com> 2022-10-18 20:34:32 +00:00			`import { HOSTED_CAL_FEATURES } from "@calcom/lib/constants";`
			`import { isTeamAdmin } from "@calcom/lib/server/queries/teams";`
Migrates all tRPC code to a monorepo package (#3484) * WIP * WIP * Type and migration fixes * Adds missing default import * Fixes import * Fixes tRPC imports in App Store * Migrate stripe helpers * WIP * Type fixes * Type fix? * Test fixes * Adds missing stripe packages * Moved queries to lib instead Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-07-22 17:27:06 +00:00			`import { TRPCError } from "@calcom/trpc/server";`

			`export const samlDatabaseUrl = process.env.SAML_DATABASE_URL \|\| "";`
			`export const isSAMLLoginEnabled = samlDatabaseUrl.length > 0;`

			`export const samlTenantID = "Cal.com";`
			`export const samlProductID = "Cal.com";`
Reintroduce SAML SSO (#4938) * wip reintroduce SAML SSO * Fix the imports * wip * Some tweaks * Fix the type * Reduce the textarea height * Cleanup * Fix the access issues * Make the SAML SSO active on the sidebar * Add SP's instructions * Remove the console.log * Add the condition to check SAML SSO is enabled * Replace SAML SSO with Single Sign-On * Update to SAML feature * Upgrade the @boxyhq/saml-jackson * Fix the SAML part and other cleanup * Tweaks to SAML SSO setup * Fix the type * Fix the import path * Remove samlLoginUrl * Import fixes * Simplifies endpoints Co-authored-by: zomars <zomars@me.com> 2022-10-18 20:34:32 +00:00			`export const samlAudience = "https://saml.cal.com";`
			`export const samlPath = "/api/auth/saml/callback";`
Support OIDC (#6661) * Support OIDC * tweak to the Configure button * fix the type import 2023-01-24 20:02:43 +00:00			`export const oidcPath = "/api/auth/oidc";`
Add Idp-Initiated SSO (#6781) * wip idp enabled login * add route to handle callback from IdP * update the new provider * cleanup * fix the type * add suggested changes * make the suggested changes * use client secret verifier * Make [...nextauth] a little easier to read --------- Co-authored-by: Alex van Andel <me@alexvanandel.com> Co-authored-by: Peer Richelsen <peeroke@gmail.com> Co-authored-by: Omar López <zomars@me.com> 2023-03-07 21:31:39 +00:00			`export const clientSecretVerifier = process.env.SAML_CLIENT_SECRET_VERIFIER \|\| "dummy";`
Migrates all tRPC code to a monorepo package (#3484) * WIP * WIP * Type and migration fixes * Adds missing default import * Fixes import * Fixes tRPC imports in App Store * Migrate stripe helpers * WIP * Type fixes * Type fix? * Test fixes * Adds missing stripe packages * Moved queries to lib instead Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-07-22 17:27:06 +00:00
Reintroduce SAML SSO (#4938) * wip reintroduce SAML SSO * Fix the imports * wip * Some tweaks * Fix the type * Reduce the textarea height * Cleanup * Fix the access issues * Make the SAML SSO active on the sidebar * Add SP's instructions * Remove the console.log * Add the condition to check SAML SSO is enabled * Replace SAML SSO with Single Sign-On * Update to SAML feature * Upgrade the @boxyhq/saml-jackson * Fix the SAML part and other cleanup * Tweaks to SAML SSO setup * Fix the type * Fix the import path * Remove samlLoginUrl * Import fixes * Simplifies endpoints Co-authored-by: zomars <zomars@me.com> 2022-10-18 20:34:32 +00:00			`export const hostedCal = Boolean(HOSTED_CAL_FEATURES);`
Migrates all tRPC code to a monorepo package (#3484) * WIP * WIP * Type and migration fixes * Adds missing default import * Fixes import * Fixes tRPC imports in App Store * Migrate stripe helpers * WIP * Type fixes * Type fix? * Test fixes * Adds missing stripe packages * Moved queries to lib instead Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-07-22 17:27:06 +00:00			`export const tenantPrefix = "team-";`

Reintroduce SAML SSO (#4938) * wip reintroduce SAML SSO * Fix the imports * wip * Some tweaks * Fix the type * Reduce the textarea height * Cleanup * Fix the access issues * Make the SAML SSO active on the sidebar * Add SP's instructions * Remove the console.log * Add the condition to check SAML SSO is enabled * Replace SAML SSO with Single Sign-On * Update to SAML feature * Upgrade the @boxyhq/saml-jackson * Fix the SAML part and other cleanup * Tweaks to SAML SSO setup * Fix the type * Fix the import path * Remove samlLoginUrl * Import fixes * Simplifies endpoints Co-authored-by: zomars <zomars@me.com> 2022-10-18 20:34:32 +00:00			`const samlAdmins = (process.env.SAML_ADMINS \|\| "").split(",");`

Migrates all tRPC code to a monorepo package (#3484) * WIP * WIP * Type and migration fixes * Adds missing default import * Fixes import * Fixes tRPC imports in App Store * Migrate stripe helpers * WIP * Type fixes * Type fix? * Test fixes * Adds missing stripe packages * Moved queries to lib instead Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-07-22 17:27:06 +00:00			`export const isSAMLAdmin = (email: string) => {`
			`for (const admin of samlAdmins) {`
			`if (admin.toLowerCase() === email.toLowerCase() && admin.toUpperCase() === email.toUpperCase()) {`
			`return true;`
			`}`
			`}`

			`return false;`
			`};`

			`export const samlTenantProduct = async (prisma: PrismaClient, email: string) => {`
			`const user = await prisma.user.findUnique({`
			`where: {`
			`email,`
			`},`
			`select: {`
			`id: true,`
			`invitedTo: true,`
			`},`
			`});`

			`if (!user) {`
			`throw new TRPCError({`
			`code: "UNAUTHORIZED",`
Fix the "Sign in with SAML" button on the login page (#5089) * Remove the unused component * Fix the login with SAML 2022-10-19 15:50:25 +00:00			`message: "no_account_exists",`
Migrates all tRPC code to a monorepo package (#3484) * WIP * WIP * Type and migration fixes * Adds missing default import * Fixes import * Fixes tRPC imports in App Store * Migrate stripe helpers * WIP * Type fixes * Type fix? * Test fixes * Adds missing stripe packages * Moved queries to lib instead Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-07-22 17:27:06 +00:00			`});`
			`}`

			`if (!user.invitedTo) {`
			`throw new TRPCError({`
			`code: "BAD_REQUEST",`
			`message:`
			`"Could not find a SAML Identity Provider for your email. Please contact your admin to ensure you have been given access to Cal",`
			`});`
			`}`

			`return {`
			`tenant: tenantPrefix + user.invitedTo,`
			`product: samlProductID,`
			`};`
			`};`
Reintroduce SAML SSO (#4938) * wip reintroduce SAML SSO * Fix the imports * wip * Some tweaks * Fix the type * Reduce the textarea height * Cleanup * Fix the access issues * Make the SAML SSO active on the sidebar * Add SP's instructions * Remove the console.log * Add the condition to check SAML SSO is enabled * Replace SAML SSO with Single Sign-On * Update to SAML feature * Upgrade the @boxyhq/saml-jackson * Fix the SAML part and other cleanup * Tweaks to SAML SSO setup * Fix the type * Fix the import path * Remove samlLoginUrl * Import fixes * Simplifies endpoints Co-authored-by: zomars <zomars@me.com> 2022-10-18 20:34:32 +00:00
Deprecates user plan (#5942) * Remove isMissingSeat * Removes user plan * Deprecates User Plan * Updates website * Update eventTypes.tsx 2022-12-08 23:20:24 +00:00			`export const canAccess = async (user: { id: number; email: string }, teamId: number \| null) => {`
			`const { id: userId, email } = user;`
Reintroduce SAML SSO (#4938) * wip reintroduce SAML SSO * Fix the imports * wip * Some tweaks * Fix the type * Reduce the textarea height * Cleanup * Fix the access issues * Make the SAML SSO active on the sidebar * Add SP's instructions * Remove the console.log * Add the condition to check SAML SSO is enabled * Replace SAML SSO with Single Sign-On * Update to SAML feature * Upgrade the @boxyhq/saml-jackson * Fix the SAML part and other cleanup * Tweaks to SAML SSO setup * Fix the type * Fix the import path * Remove samlLoginUrl * Import fixes * Simplifies endpoints Co-authored-by: zomars <zomars@me.com> 2022-10-18 20:34:32 +00:00
			`if (!isSAMLLoginEnabled) {`
			`return {`
			message: "To enable this feature, add value for `SAML_DATABASE_URL` and `SAML_ADMINS` to your `.env`",
			`access: false,`
			`};`
			`}`

			`// Hosted`
			`if (HOSTED_CAL_FEATURES) {`
			`if (teamId === null \|\| !(await isTeamAdmin(userId, teamId))) {`
			`return {`
			`message: "dont_have_permission",`
			`access: false,`
			`};`
			`}`
			`}`

			`// Self-hosted`
			`if (!HOSTED_CAL_FEATURES) {`
			`if (!isSAMLAdmin(email)) {`
			`return {`
			`message: "dont_have_permission",`
			`access: false,`
			`};`
			`}`
			`}`

			`return {`
			`message: "success",`
			`access: true,`
			`};`
			`};`
Support OIDC (#6661) * Support OIDC * tweak to the Configure button * fix the type import 2023-01-24 20:02:43 +00:00
			`export type SSOConnection = (SAMLSSORecord \| OIDCSSORecord) & {`
			`type: string;`
			`acsUrl: string \| null;`
			`entityId: string \| null;`
			`callbackUrl: string \| null;`
			`};`