cal.pub0.org/packages/trpc/server/routers/viewer/sso.tsx

import { z } from "zod";

import jackson from "@calcom/features/ee/sso/lib/jackson";
import {
  samlProductID,
  samlTenantID,
  tenantPrefix,
  canAccess,
  oidcPath,
} from "@calcom/features/ee/sso/lib/saml";

import { TRPCError } from "@trpc/server";

import { router, authedProcedure } from "../../trpc";

export const ssoRouter = router({
  // Retrieve SSO Connection
  get: authedProcedure
    .input(
      z.object({
        teamId: z.union([z.number(), z.null()]),
      })
    )
    .query(async ({ ctx, input }) => {
      const { teamId } = input;

      const { message, access } = await canAccess(ctx.user, teamId);

      if (!access) {
        throw new TRPCError({
          code: "BAD_REQUEST",
          message,
        });
      }

      const { connectionController, samlSPConfig } = await jackson();

      // Retrieve the SP SAML Config
      const SPConfig = await samlSPConfig.get();

      try {
        const connections = await connectionController.getConnections({
          tenant: teamId ? tenantPrefix + teamId : samlTenantID,
          product: samlProductID,
        });

        if (connections.length === 0) {
          return null;
        }

        const type = "idpMetadata" in connections[0] ? "saml" : "oidc";

        return {
          ...connections[0],
          type,
          acsUrl: type === "saml" ? SPConfig.acsUrl : null,
          entityId: type === "saml" ? SPConfig.entityId : null,
          callbackUrl: type === "oidc" ? `${process.env.NEXT_PUBLIC_WEBAPP_URL}${oidcPath}` : null,
        };
      } catch (err) {
        console.error("Error getting SSO connection", err);
        throw new TRPCError({ code: "BAD_REQUEST", message: "Fetching SSO connection failed." });
      }
    }),
  // Update the SAML Connection
  update: authedProcedure
    .input(
      z.object({
        encodedRawMetadata: z.string(),
        teamId: z.union([z.number(), z.null()]),
      })
    )
    .mutation(async ({ ctx, input }) => {
      const { connectionController } = await jackson();

      const { encodedRawMetadata, teamId } = input;

      const { message, access } = await canAccess(ctx.user, teamId);

      if (!access) {
        throw new TRPCError({
          code: "BAD_REQUEST",
          message,
        });
      }

      try {
        return await connectionController.createSAMLConnection({
          encodedRawMetadata,
          defaultRedirectUrl: `${process.env.NEXT_PUBLIC_WEBAPP_URL}/auth/saml-idp`,
          redirectUrl: JSON.stringify([`${process.env.NEXT_PUBLIC_WEBAPP_URL}/*`]),
          tenant: teamId ? tenantPrefix + teamId : samlTenantID,
          product: samlProductID,
        });
      } catch (err) {
        console.error("Error updating SAML connection", err);
        throw new TRPCError({ code: "BAD_REQUEST", message: "Updating SAML Connection failed." });
      }
    }),
  // Delete the SAML Connection
  delete: authedProcedure
    .input(
      z.object({
        teamId: z.union([z.number(), z.null()]),
      })
    )
    .mutation(async ({ ctx, input }) => {
      const { connectionController } = await jackson();

      const { teamId } = input;

      const { message, access } = await canAccess(ctx.user, teamId);

      if (!access) {
        throw new TRPCError({
          code: "BAD_REQUEST",
          message,
        });
      }

      try {
        return await connectionController.deleteConnections({
          tenant: teamId ? tenantPrefix + teamId : samlTenantID,
          product: samlProductID,
        });
      } catch (err) {
        console.error("Error deleting SAML connection", err);
        throw new TRPCError({ code: "BAD_REQUEST", message: "Deleting SAML Connection failed." });
      }
    }),

  // Update the OIDC Connection
  updateOIDC: authedProcedure
    .input(
      z.object({
        teamId: z.union([z.number(), z.null()]),
        clientId: z.string(),
        clientSecret: z.string(),
        wellKnownUrl: z.string(),
      })
    )
    .mutation(async ({ ctx, input }) => {
      const { teamId, clientId, clientSecret, wellKnownUrl } = input;

      const { message, access } = await canAccess(ctx.user, teamId);

      if (!access) {
        throw new TRPCError({
          code: "BAD_REQUEST",
          message,
        });
      }

      const { connectionController } = await jackson();

      try {
        return await connectionController.createOIDCConnection({
          defaultRedirectUrl: `${process.env.NEXT_PUBLIC_WEBAPP_URL}/api/auth/saml/idp`,
          redirectUrl: JSON.stringify([`${process.env.NEXT_PUBLIC_WEBAPP_URL}/*`]),
          tenant: teamId ? tenantPrefix + teamId : samlTenantID,
          product: samlProductID,
          oidcClientId: clientId,
          oidcClientSecret: clientSecret,
          oidcDiscoveryUrl: wellKnownUrl,
        });
      } catch (err) {
        console.error("Error updating OIDC connection", err);
        throw new TRPCError({ code: "BAD_REQUEST", message: "Updating OIDC Connection failed." });
      }
    }),
});