Add SSO config support with admin-only GraphQL directive

Introduces a new @definedOnlyForAdmins directive to restrict certain fields to workspace admins, returning null for non-admins. Adds SSO configuration types, inputs, and resolvers to the workspace schema, including the sso field and updateWorkspaceSso mutation, both protected for admin access. Updates schema wiring to register the new directive and its transformer.

Author: neSpecc

src/directives/definedOnlyForAdmins.ts

@@ -0,0 +1,101 @@
+import { defaultFieldResolver, GraphQLSchema } from 'graphql';
+import { mapSchema, MapperKind, getDirective } from '@graphql-tools/utils';
+import { ResolverContextWithUser, UnknownGraphQLResolverResult } from '../types/graphql';
+import { ForbiddenError, UserInputError } from 'apollo-server-express';
+import WorkspaceModel from '../models/workspace';
+
+/**
+ * Check if user is admin of workspace
+ * @param context - resolver context
+ * @param workspaceId - workspace id to check
+ * @returns true if user is admin, false otherwise
+ */
+async function isUserAdminOfWorkspace(context: ResolverContextWithUser, workspaceId: string): Promise<boolean> {
+  try {
+    const workspace = await context.factories.workspacesFactory.findById(workspaceId);
+
+    if (!workspace) {
+      return false;
+    }
+
+    const member = await workspace.getMemberInfo(context.user.id);
+
+    if (!member || WorkspaceModel.isPendingMember(member)) {
+      return false;
+    }
+
+    return member.isAdmin || false;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Defines directive for fields that are only defined for admins
+ * Returns null for non-admin users instead of throwing error
+ *
+ * Works with object fields where parent object has _id field (workspace id)
+ *
+ * Usage:
+ * type Workspace {
+ *   sso: WorkspaceSsoConfig @definedOnlyForAdmins
+ * }
+ */
+export default function definedOnlyForAdminsDirective(directiveName = 'definedOnlyForAdmins') {
+  return {
+    definedOnlyForAdminsDirectiveTypeDefs: `
+    """
+    Field is only defined for admins. Returns null for non-admin users.
+    Works with object fields where parent object has _id field (workspace id).
+    """
+    directive @${directiveName} on FIELD_DEFINITION
+    `,
+    definedOnlyForAdminsDirectiveTransformer: (schema: GraphQLSchema) =>
+      mapSchema(schema, {
+        [MapperKind.OBJECT_FIELD]: (fieldConfig, fieldName, typeName) => {
+          const definedOnlyForAdminsDirective = getDirective(schema, fieldConfig, directiveName)?.[0];
+
+          if (definedOnlyForAdminsDirective) {
+            const {
+              resolve = defaultFieldResolver,
+            } = fieldConfig;
+
+            /**
+             * New field resolver that checks admin rights
+             * @param resolverArgs - default GraphQL resolver args
+             */
+            fieldConfig.resolve = async (...resolverArgs): UnknownGraphQLResolverResult => {
+              const [parent, , context] = resolverArgs;
+
+              /**
+               * Get workspace ID from parent object
+               * Parent should have _id field (workspace)
+               */
+              if (!parent || !parent._id) {
+                return null;
+              }
+
+              const workspaceId = parent._id.toString();
+
+              /**
+               * Check if user is admin
+               */
+              const isAdmin = await isUserAdminOfWorkspace(context, workspaceId);
+
+              if (!isAdmin) {
+                return null;
+              }
+
+              /**
+               * Call original resolver
+               */
+              return resolve(...resolverArgs);
+            };
+          }
+
+          return fieldConfig;
+        },
+      }),
+  };
+}
+

src/resolvers/workspace.js

@@ -329,6 +329,61 @@ module.exports = {
       return true;
     },
 
+    /**
+     * Update workspace SSO configuration (admin only)
+     * Protected by @requireAdmin directive - admin check is done by directive
+     * @param {ResolverObj} _obj - object that contains the result returned from the resolver on the parent field
+     * @param {String} workspaceId - workspace ID
+     * @param {Object} config - SSO configuration
+     * @param {ContextFactories} factories - factories for working with models
+     * @return {Promise<Boolean>}
+     */
+    async updateWorkspaceSso(_obj, { workspaceId, config }, { factories }) {
+      const workspace = await factories.workspacesFactory.findById(workspaceId);
+
+      if (!workspace) {
+        throw new UserInputError('Workspace not found');
+      }
+
+      /**
+       * Validate configuration
+       */
+      if (config.enabled && !config.saml) {
+        throw new UserInputError('SAML configuration is required when SSO is enabled');
+      }
+
+      /**
+       * Prepare update data
+       * If enabled=false, preserve existing SSO config and only update enabled flag
+       * If enabled=true, update full SSO configuration
+       */
+      const updateData = {
+        ...workspace,
+        sso: config.enabled ? {
+          enabled: config.enabled,
+          enforced: config.enforced || false,
+          type: 'saml',
+          saml: {
+            idpEntityId: config.saml.idpEntityId,
+            ssoUrl: config.saml.ssoUrl,
+            x509Cert: config.saml.x509Cert,
+            nameIdFormat: config.saml.nameIdFormat,
+            attributeMapping: {
+              email: config.saml.attributeMapping.email,
+              name: config.saml.attributeMapping.name,
+            },
+          },
+        } : workspace.sso ? {
+          ...workspace.sso,
+          enabled: false,
+        } : undefined,
+      };
+
+      await workspace.updateWorkspace(updateData);
+
+      return true;
+    },
+
     /**
      * Change workspace plan for default plan mutation implementation
      *
@@ -493,6 +548,28 @@ module.exports = {
 
       return new PlanModel(plan);
     },
+
+    /**
+     * SSO configuration (admin only)
+     * Protected by @definedOnlyForAdmins directive - returns null for non-admin users
+     * @param {WorkspaceDBScheme} workspace - result from resolver above (parent workspace object)
+     * @param _args - empty list of args
+     * @param {UserInContext} context - resolver context
+     * @returns {Promise<WorkspaceSsoConfig | null>}
+     */
+    async sso(workspace, _args, { factories }) {
+      /**
+       * Get workspace model to access SSO config
+       * Admin check is done by @definedOnlyForAdmins directive
+       */
+      const workspaceModel = await factories.workspacesFactory.findById(workspace._id.toString());
+
+      if (!workspaceModel) {
+        return null;
+      }
+
+      return workspaceModel.sso || null;
+    },
   },
 
   /**

src/schema.ts

@@ -9,6 +9,7 @@ import uploadImageDirective from './directives/uploadImageDirective';
 import allowAnonDirective from './directives/allowAnon';
 import requireAdminDirective from './directives/requireAdmin';
 import requireUserInWorkspaceDirective from './directives/requireUserInWorkspace';
+import definedOnlyForAdminsDirective from './directives/definedOnlyForAdmins';
 
 const { renameFromDirectiveTypeDefs, renameFromDirectiveTransformer } = renameFromDirective();
 const { defaultValueDirectiveTypeDefs, defaultValueDirectiveTransformer } = defaultValueDirective();
@@ -17,6 +18,7 @@ const { uploadImageDirectiveTypeDefs, uploadImageDirectiveTransformer } = upload
 const { allowAnonDirectiveTypeDefs, allowAnonDirectiveTransformer } = allowAnonDirective();
 const { requireAdminDirectiveTypeDefs, requireAdminDirectiveTransformer } = requireAdminDirective();
 const { requireUserInWorkspaceDirectiveTypeDefs, requireUserInWorkspaceDirectiveTransformer } = requireUserInWorkspaceDirective();
+const { definedOnlyForAdminsDirectiveTypeDefs, definedOnlyForAdminsDirectiveTransformer } = definedOnlyForAdminsDirective();
 
 let schema = makeExecutableSchema({
   typeDefs: mergeTypeDefs([
@@ -27,6 +29,7 @@ let schema = makeExecutableSchema({
     allowAnonDirectiveTypeDefs,
     requireAdminDirectiveTypeDefs,
     requireUserInWorkspaceDirectiveTypeDefs,
+    definedOnlyForAdminsDirectiveTypeDefs,
     ...typeDefs,
   ]),
   resolvers,
@@ -39,5 +42,6 @@ schema = uploadImageDirectiveTransformer(schema);
 schema = requireAdminDirectiveTransformer(schema);
 schema = allowAnonDirectiveTransformer(schema);
 schema = requireUserInWorkspaceDirectiveTransformer(schema);
+schema = definedOnlyForAdminsDirectiveTransformer(schema);
 
 export default schema;