fix: Self-hosted logic for allowed domains (#4412)

* fix: Self-hosted logic for allowed domains

* test
This commit is contained in:
Tom Moor
2022-11-11 19:19:46 -08:00
committed by GitHub
parent 6788005115
commit cff67f4ca7
3 changed files with 390 additions and 378 deletions


@@ -12,9 +12,12 @@ setupTestDatabase();
describe("accountProvisioner", () => {
const ip = "127.0.0.1";
it("should create a new user and team", async () => {
describe("hosted", () => {
beforeEach(() => {
env.DEPLOYMENT = "hosted";
});
it("should create a new user and team", async () => {
const spy = jest.spyOn(WelcomeEmail, "schedule");
const { user, team, isNewTeam, isNewUser } = await accountProvisioner({
ip,
@@ -235,7 +238,9 @@ describe("accountProvisioner", () => {
it("should create a new user in an existing team when the domain is allowed", async () => {
const spy = jest.spyOn(WelcomeEmail, "schedule");
const { admin, team } = await seed();
const authenticationProviders = await team.$get("authenticationProviders");
const authenticationProviders = await team.$get(
"authenticationProviders"
);
const authenticationProvider = authenticationProviders[0];
await TeamDomain.create({
teamId: team.id,
@@ -285,7 +290,9 @@ describe("accountProvisioner", () => {
it("should create a new user in an existing team", async () => {
const spy = jest.spyOn(WelcomeEmail, "schedule");
const team = await buildTeam();
const authenticationProviders = await team.$get("authenticationProviders");
const authenticationProviders = await team.$get(
"authenticationProviders"
);
const authenticationProvider = authenticationProviders[0];
const { user, isNewUser } = await accountProvisioner({
ip,
@@ -325,10 +332,14 @@ describe("accountProvisioner", () => {
spy.mockRestore();
});
});
describe("self hosted", () => {
it("should fail if existing team and domain not in allowed list", async () => {
beforeEach(() => {
env.DEPLOYMENT = undefined;
});
it("should fail if existing team and domain not in allowed list", async () => {
let error;
const team = await buildTeam();
@@ -342,6 +353,7 @@ describe("accountProvisioner", () => {
username: "jtester",
},
team: {
teamId: team.id,
name: team.name,
avatarUrl: team.avatarUrl,
subdomain: "example",
@@ -366,8 +378,6 @@ describe("accountProvisioner", () => {
});
it("should always use existing team if self-hosted", async () => {
env.DEPLOYMENT = undefined;
const team = await buildTeam();
const { user, isNewUser } = await accountProvisioner({
ip,
@@ -378,6 +388,7 @@ describe("accountProvisioner", () => {
username: "jtester",
},
team: {
teamId: team.id,
name: team.name,
avatarUrl: team.avatarUrl,
subdomain: "example",
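Review bot: The `beforeEach` hooks added under `describe("hosted")` and `describe("self hosted")` assign `env.DEPLOYMENT` but nothing restores it, so whichever block runs last leaves its value in place for any test that follows in this file. Capture the original in the outer describe and reset it in an `afterEach`: `const originalDeployment = env.DEPLOYMENT;` together with `afterEach(() => { env.DEPLOYMENT = originalDeployment; });`. The same applies to the teamProvisioner test file in this commit. The hunk for "should always use existing team if self-hosted" drops the per-test `env.DEPLOYMENT = undefined;`, which is only equivalent if that `it` sits inside the new "self hosted" describe; the describe boundaries are outside the hunk, so this is inferred rather than visible.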


@@ -9,8 +9,12 @@ setupTestDatabase();
describe("teamProvisioner", () => {
const ip = "127.0.0.1";
it("should create team and authentication provider", async () => {
describe("hosted", () => {
beforeEach(() => {
env.DEPLOYMENT = "hosted";
});
it("should create team and authentication provider", async () => {
const result = await teamProvisioner({
name: "Test team",
subdomain: "example",
@@ -30,8 +34,6 @@ describe("teamProvisioner", () => {
});
it("should set subdomain append if unavailable", async () => {
env.DEPLOYMENT = "hosted";
await buildTeam({
subdomain: "myteam",
});
@@ -52,8 +54,6 @@ describe("teamProvisioner", () => {
});
it("should increment subdomain append if unavailable", async () => {
env.DEPLOYMENT = "hosted";
await buildTeam({
subdomain: "myteam",
});
@@ -75,7 +75,6 @@ describe("teamProvisioner", () => {
});
it("should return existing team", async () => {
env.DEPLOYMENT = "hosted";
const authenticationProvider = {
name: "google",
providerId: "example.com",
@@ -98,7 +97,6 @@ describe("teamProvisioner", () => {
});
it("should error on mismatched team and authentication provider", async () => {
env.DEPLOYMENT = "hosted";
const exampleTeam = await buildTeam({
subdomain: "example",
authenticationProviders: [
@@ -126,10 +124,14 @@ describe("teamProvisioner", () => {
}
expect(error.id).toEqual("invalid_authentication");
});
});
describe("self hosted", () => {
it("should allow creating first team", async () => {
beforeEach(() => {
env.DEPLOYMENT = undefined;
});
it("should allow creating first team", async () => {
const { team, isNewTeam } = await teamProvisioner({
name: "Test team",
subdomain: "example",
@@ -146,8 +148,7 @@ describe("teamProvisioner", () => {
});
it("should not allow creating multiple teams in installation", async () => {
env.DEPLOYMENT = undefined;
await buildTeam();
const team = await buildTeam();
let error;
try {
@@ -155,6 +156,7 @@ describe("teamProvisioner", () => {
name: "Test team",
subdomain: "example",
avatarUrl: "http://example.com/logo.png",
teamId: team.id,
authenticationProvider: {
name: "google",
providerId: "example.com",
@@ -169,7 +171,6 @@ describe("teamProvisioner", () => {
});
it("should return existing team when within allowed domains", async () => {
env.DEPLOYMENT = undefined;
const existing = await buildTeam();
const user = await buildUser({
teamId: existing.id,
@@ -183,6 +184,7 @@ describe("teamProvisioner", () => {
name: "Updated name",
subdomain: "example",
domain: "allowed-domain.com",
teamId: existing.id,
authenticationProvider: {
name: "google",
providerId: "allowed-domain.com",
@@ -200,7 +202,6 @@ describe("teamProvisioner", () => {
});
it("should error when NOT within allowed domains", async () => {
env.DEPLOYMENT = undefined;
const existing = await buildTeam();
const user = await buildUser({
teamId: existing.id,
@@ -217,6 +218,7 @@ describe("teamProvisioner", () => {
name: "Updated name",
subdomain: "example",
domain: "other-domain.com",
teamId: existing.id,
authenticationProvider: {
name: "google",
providerId: "other-domain.com",
@@ -231,7 +233,6 @@ describe("teamProvisioner", () => {
});
it("should return existing team", async () => {
env.DEPLOYMENT = undefined;
const authenticationProvider = {
name: "google",
providerId: "example.com",
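Review bot: `env.DEPLOYMENT = undefined` in the "self hosted" `beforeEach` reads as clearing a setting rather than selecting a mode; the provisioner branches on `env.DEPLOYMENT !== "hosted"`, so a comment would make the intent explicit, e.g. `// Any value other than "hosted" is treated as a self-hosted installation`. In "should not allow creating multiple teams in installation" the test now passes the existing team's `teamId` while still expecting an error (`let error; try {`); a one-line comment naming which check is expected to reject the call would keep the test readable, since the assertion itself is outside the hunk.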


@@ -72,13 +72,13 @@ async function teamProvisioner({
};
} else if (teamId) {
// The user is attempting to log into a team with an unfamiliar SSO provider
if (env.DEPLOYMENT === "hosted") {
throw InvalidAuthenticationError();
}
// This team has never been seen before, if self hosted the logic is different
// to the multi-tenant version, we want to restrict to a single team that MAY
// have multiple authentication providers
if (env.DEPLOYMENT !== "hosted") {
const team = await Team.findOne();
// If the self-hosted installation has a single team and the domain for the