Public key to not invited state change for project provisioning ui

Patch for update org membership call, hide edit user on self user page
Merge pull request #2143 from Infisical/user-page
2025-03-23 03:03:05 +00:00 · 2024-07-18 20:46:36 +07:00 · 2024-07-18 20:40:12 +07:00 · 2024-07-18 09:01:05 -04:00 · 2024-07-17 19:14:49 -04:00 · 2024-07-17 19:11:55 -04:00
7 changed files with 241 additions and 149 deletions
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@ -350,7 +350,12 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
              schemas: z.array(z.string()),
              id: z.string().trim(),
              displayName: z.string().trim(),
-              members: z.array(z.any()).length(0),
+              members: z.array(
+                z.object({
+                  value: z.string(),
+                  display: z.string()
+                })
+              ),
              meta: z.object({
                resourceType: z.string().trim()
              })
@ -423,7 +428,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        displayName: z.string().trim(),
        members: z.array(
          z.object({
-            value: z.string(), // infisical orgMembershipId
+            value: z.string(),
            display: z.string()
          })
        )
--- a/backend/src/ee/services/group/user-group-membership-dal.ts
+++ b/backend/src/ee/services/group/user-group-membership-dal.ts
@ -162,17 +162,50 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
    }
  };

-  const findUserGroupMembershipsInOrg = async (userId: string, orgId: string) => {
+  const findGroupMembershipsByUserIdInOrg = async (userId: string, orgId: string) => {
    try {
      const docs = await db
        .replicaNode()(TableName.UserGroupMembership)
        .join(TableName.Groups, `${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
+        .join(TableName.OrgMembership, `${TableName.UserGroupMembership}.userId`, `${TableName.OrgMembership}.userId`)
+        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
        .where(`${TableName.UserGroupMembership}.userId`, userId)
-        .where(`${TableName.Groups}.orgId`, orgId);
+        .where(`${TableName.Groups}.orgId`, orgId)
+        .select(
+          db.ref("id").withSchema(TableName.UserGroupMembership),
+          db.ref("groupId").withSchema(TableName.UserGroupMembership),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("id").withSchema(TableName.OrgMembership).as("orgMembershipId"),
+          db.ref("firstName").withSchema(TableName.Users).as("firstName"),
+          db.ref("lastName").withSchema(TableName.Users).as("lastName")
+        );

      return docs;
    } catch (error) {
-      throw new DatabaseError({ error, name: "findTest" });
+      throw new DatabaseError({ error, name: "Find group memberships by user id in org" });
+    }
+  };
+
+  const findGroupMembershipsByGroupIdInOrg = async (groupId: string, orgId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.UserGroupMembership)
+        .join(TableName.Groups, `${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
+        .join(TableName.OrgMembership, `${TableName.UserGroupMembership}.userId`, `${TableName.OrgMembership}.userId`)
+        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
+        .where(`${TableName.Groups}.id`, groupId)
+        .where(`${TableName.Groups}.orgId`, orgId)
+        .select(
+          db.ref("id").withSchema(TableName.UserGroupMembership),
+          db.ref("groupId").withSchema(TableName.UserGroupMembership),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("id").withSchema(TableName.OrgMembership).as("orgMembershipId"),
+          db.ref("firstName").withSchema(TableName.Users).as("firstName"),
+          db.ref("lastName").withSchema(TableName.Users).as("lastName")
+        );
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find group memberships by group id in org" });
    }
  };

@ -182,6 +215,7 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
    findUserGroupMembershipsInProject,
    findGroupMembersNotInProject,
    deletePendingUserGroupMembershipsByUserIds,
-    findUserGroupMembershipsInOrg
+    findGroupMembershipsByUserIdInOrg,
+    findGroupMembershipsByGroupIdInOrg
  };
 };
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@ -9,6 +9,7 @@ import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-grou
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
 import { AuthTokenType } from "@app/services/auth/auth-type";
@ -51,6 +52,7 @@ import {
  TListScimUsers,
  TListScimUsersDTO,
  TReplaceScimUserDTO,
+  TScimGroup,
  TScimTokenJwtPayload,
  TUpdateScimGroupNamePatchDTO,
  TUpdateScimGroupNamePutDTO,
@ -83,7 +85,8 @@ type TScimServiceFactoryDep = {
    | "insertMany"
    | "filterProjectsByUserMembership"
    | "delete"
-    | "findUserGroupMembershipsInOrg"
+    | "findGroupMembershipsByUserIdInOrg"
+    | "findGroupMembershipsByGroupIdInOrg"
  >;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
@ -252,7 +255,10 @@ export const scimServiceFactory = ({
        status: 403
      });

-    const groupMembershipsInOrg = await userGroupMembershipDAL.findUserGroupMembershipsInOrg(membership.userId, orgId);
+    const groupMembershipsInOrg = await userGroupMembershipDAL.findGroupMembershipsByUserIdInOrg(
+      membership.userId,
+      orgId
+    );

    return buildScimUser({
      orgMembershipId: membership.id,
@ -263,7 +269,7 @@ export const scimServiceFactory = ({
      active: membership.isActive,
      groups: groupMembershipsInOrg.map((group) => ({
        value: group.groupId,
-        display: group.name
+        display: group.groupName
      }))
    });
  };
@ -509,7 +515,10 @@ export const scimServiceFactory = ({
      isActive: active
    });

-    const groupMembershipsInOrg = await userGroupMembershipDAL.findUserGroupMembershipsInOrg(membership.userId, orgId);
+    const groupMembershipsInOrg = await userGroupMembershipDAL.findGroupMembershipsByUserIdInOrg(
+      membership.userId,
+      orgId
+    );

    return buildScimUser({
      orgMembershipId: membership.id,
@ -520,7 +529,7 @@ export const scimServiceFactory = ({
      active,
      groups: groupMembershipsInOrg.map((group) => ({
        value: group.groupId,
-        display: group.name
+        display: group.groupName
      }))
    });
  };
@ -589,13 +598,20 @@ export const scimServiceFactory = ({
      }
    );

-    const scimGroups = groups.map((group) =>
-      buildScimGroup({
+    const scimGroups: TScimGroup[] = [];
+
+    for await (const group of groups) {
+      const members = await userGroupMembershipDAL.findGroupMembershipsByGroupIdInOrg(group.id, orgId);
+      const scimGroup = buildScimGroup({
        groupId: group.id,
        name: group.name,
-        members: [] // does this need to be populated?
-      })
-    );
+        members: members.map((member) => ({
+          value: member.orgMembershipId,
+          display: `${member.firstName ?? ""} ${member.lastName ?? ""}`
+        }))
+      });
+      scimGroups.push(scimGroup);
+    }

    return buildScimGroupList({
      scimGroups,
@ -872,23 +888,27 @@ export const scimServiceFactory = ({
          break;
        }
        case "add": {
-          const orgMemberships = await orgMembershipDAL.find({
-            $in: {
-              id: operation.value.map((member) => member.value)
-            }
-          });
+          try {
+            const orgMemberships = await orgMembershipDAL.find({
+              $in: {
+                id: operation.value.map((member) => member.value)
+              }
+            });

-          await addUsersToGroupByUserIds({
-            group,
-            userIds: orgMemberships.map((membership) => membership.userId as string),
-            userDAL,
-            userGroupMembershipDAL,
-            orgDAL,
-            groupProjectDAL,
-            projectKeyDAL,
-            projectDAL,
-            projectBotDAL
-          });
+            await addUsersToGroupByUserIds({
+              group,
+              userIds: orgMemberships.map((membership) => membership.userId as string),
+              userDAL,
+              userGroupMembershipDAL,
+              orgDAL,
+              groupProjectDAL,
+              projectKeyDAL,
+              projectDAL,
+              projectBotDAL
+            });
+          } catch {
+            logger.info("Repeat SCIM user-group add operation");
+          }

          break;
        }
@ -916,10 +936,15 @@ export const scimServiceFactory = ({
      }
    }

+    const members = await userGroupMembershipDAL.findGroupMembershipsByGroupIdInOrg(group.id, orgId);
+
    return buildScimGroup({
      groupId: group.id,
      name: group.name,
-      members: []
+      members: members.map((member) => ({
+        value: member.orgMembershipId,
+        display: `${member.firstName ?? ""} ${member.lastName ?? ""}`
+      }))
    });
  };

--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@ -57,7 +57,7 @@ type TOrgServiceFactoryDep = {
  projectDAL: TProjectDALFactory;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findProjectMembershipsByUserId" | "delete">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete">;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "findOrgMembershipById">;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "findOrgMembershipById" | "findOne">;
  incidentContactDAL: TIncidentContactsDALFactory;
  samlConfigDAL: Pick<TSamlConfigDALFactory, "findOne" | "findEnforceableSamlCfg">;
  smtpService: TSmtpService;
@ -379,7 +379,10 @@ export const orgServiceFactory = ({
    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Member);

-    const [foundMembership] = await orgDAL.findMembership({ id: membershipId, orgId });
+    const foundMembership = await orgMembershipDAL.findOne({
+      id: membershipId,
+      orgId
+    });
    if (!foundMembership) throw new NotFoundError({ message: "Failed to find organization membership" });
    if (foundMembership.userId === userId)
      throw new BadRequestError({ message: "Cannot update own organization membership" });
--- a/docs/self-hosting/ee.mdx
+++ b/docs/self-hosting/ee.mdx
@ -15,15 +15,30 @@ This guide walks through how you can use these paid features on a self hosted in
    </Step>
    <Step title="Activate the license">
        Depending on whether or not the environment where Infisical is deployed has internet access, you may be issued a regular license or an offline license.
-        
-        - If using a regular license, you should set the value of the environment variable `LICENSE_KEY` in Infisical to the issued license key.
-        - If using an offline license, you should set the value of the environment variable `LICENSE_KEY_OFFLINE` in Infisical to the issued license key.

-        <Note>
-            How you set the environment variable will depend on the deployment method you used. Please refer to the documentation of your deployment method for specific instructions.
-        </Note>
+        
+        <Tabs>
+            <Tab title="Regular License">
+            - Assign the issued license key to the `LICENSE_KEY` environment variable in your Infisical instance.
+
+            - Your Infisical instance will need to communicate with the Infisical license server to validate the license key. 
+            If you want to limit outgoing connections only to the Infisical license server, you can use the following IP addresses: `13.248.249.247` and `35.71.190.59`
+
+            <Note>
+                Ensure that your firewall or network settings allow outbound connections to these IP addresses to avoid any issues with license validation.
+            </Note>
+            </Tab>
+            <Tab title="Offline License">
+            - Assign the issued license key to the `LICENSE_KEY_OFFLINE` environment variable in your Infisical instance.
+
+            <Note>
+                How you set the environment variable will depend on the deployment method you used. Please refer to the documentation of your deployment method for specific instructions.
+            </Note>
+            </Tab>
+        </Tabs>

        Once your instance starts up, the license key will be validated and you’ll be able to use the paid features. 
        However, when the license expires, Infisical will continue to run, but EE features will be disabled until the license is renewed or a new one is purchased.
    </Step>
 </Steps>
+
--- a/frontend/src/views/Org/UserPage/UserPage.tsx
+++ b/frontend/src/views/Org/UserPage/UserPage.tsx
@ -16,7 +16,12 @@ import {
  Tooltip,
  UpgradePlanModal
 } from "@app/components/v2";
-import { OrgPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
+import {
+  OrgPermissionActions,
+  OrgPermissionSubjects,
+  useOrganization,
+  useUser
+} from "@app/context";
 import { withPermission } from "@app/hoc";
 import {
  useDeleteOrgMembership,
@ -31,7 +36,10 @@ export const UserPage = withPermission(
  () => {
    const router = useRouter();
    const membershipId = router.query.membershipId as string;
+    const { user } = useUser();
    const { currentOrg } = useOrganization();
+
+    const userId = user?.id || "";
    const orgId = currentOrg?.id || "";

    const { data: membership } = useGetOrgMembership(orgId, membershipId);
@ -115,116 +123,118 @@ export const UserPage = withPermission(
                  ? `${membership.user.firstName} ${membership.user.lastName}`
                  : "-"}
              </p>
-              <DropdownMenu>
-                <DropdownMenuTrigger asChild className="rounded-lg">
-                  <div className="hover:text-primary-400 data-[state=open]:text-primary-400">
-                    <Tooltip content="More options">
-                      <FontAwesomeIcon size="sm" icon={faEllipsis} />
-                    </Tooltip>
-                  </div>
-                </DropdownMenuTrigger>
-                <DropdownMenuContent align="start" className="p-1">
-                  <OrgPermissionCan
-                    I={OrgPermissionActions.Edit}
-                    a={OrgPermissionSubjects.Identity}
-                  >
-                    {(isAllowed) => (
-                      <DropdownMenuItem
-                        className={twMerge(
-                          !isAllowed && "pointer-events-none cursor-not-allowed opacity-50"
-                        )}
-                        onClick={() =>
-                          handlePopUpOpen("orgMembership", {
-                            membershipId: membership.id,
-                            role: membership.role
-                          })
-                        }
-                        disabled={!isAllowed}
-                      >
-                        Edit User
-                      </DropdownMenuItem>
-                    )}
-                  </OrgPermissionCan>
-                  <OrgPermissionCan
-                    I={OrgPermissionActions.Delete}
-                    a={OrgPermissionSubjects.Member}
-                  >
-                    {(isAllowed) => (
-                      <DropdownMenuItem
-                        className={
-                          membership.isActive
-                            ? twMerge(
-                                isAllowed
-                                  ? "hover:!bg-red-500 hover:!text-white"
-                                  : "pointer-events-none cursor-not-allowed opacity-50"
-                              )
-                            : ""
-                        }
-                        onClick={async () => {
-                          if (currentOrg?.scimEnabled) {
-                            createNotification({
-                              text: "You cannot manage users from Infisical when SCIM is enabled for your organization",
-                              type: "error"
-                            });
-                            return;
+              {userId !== membership.user.id && (
+                <DropdownMenu>
+                  <DropdownMenuTrigger asChild className="rounded-lg">
+                    <div className="hover:text-primary-400 data-[state=open]:text-primary-400">
+                      <Tooltip content="More options">
+                        <FontAwesomeIcon size="sm" icon={faEllipsis} />
+                      </Tooltip>
+                    </div>
+                  </DropdownMenuTrigger>
+                  <DropdownMenuContent align="start" className="p-1">
+                    <OrgPermissionCan
+                      I={OrgPermissionActions.Edit}
+                      a={OrgPermissionSubjects.Identity}
+                    >
+                      {(isAllowed) => (
+                        <DropdownMenuItem
+                          className={twMerge(
+                            !isAllowed && "pointer-events-none cursor-not-allowed opacity-50"
+                          )}
+                          onClick={() =>
+                            handlePopUpOpen("orgMembership", {
+                              membershipId: membership.id,
+                              role: membership.role
+                            })
                          }
-
-                          if (!membership.isActive) {
-                            // activate user
-                            await updateOrgMembership({
-                              organizationId: orgId,
-                              membershipId,
-                              isActive: true
-                            });
-
-                            return;
+                          disabled={!isAllowed}
+                        >
+                          Edit User
+                        </DropdownMenuItem>
+                      )}
+                    </OrgPermissionCan>
+                    <OrgPermissionCan
+                      I={OrgPermissionActions.Delete}
+                      a={OrgPermissionSubjects.Member}
+                    >
+                      {(isAllowed) => (
+                        <DropdownMenuItem
+                          className={
+                            membership.isActive
+                              ? twMerge(
+                                  isAllowed
+                                    ? "hover:!bg-red-500 hover:!text-white"
+                                    : "pointer-events-none cursor-not-allowed opacity-50"
+                                )
+                              : ""
                          }
+                          onClick={async () => {
+                            if (currentOrg?.scimEnabled) {
+                              createNotification({
+                                text: "You cannot manage users from Infisical when SCIM is enabled for your organization",
+                                type: "error"
+                              });
+                              return;
+                            }

-                          // deactivate user
-                          handlePopUpOpen("deactivateMember", {
-                            orgMembershipId: membershipId,
-                            username: membership.user.username
-                          });
-                        }}
-                        disabled={!isAllowed}
-                      >
-                        {`${membership.isActive ? "Deactivate" : "Activate"} User`}
-                      </DropdownMenuItem>
-                    )}
-                  </OrgPermissionCan>
-                  <OrgPermissionCan
-                    I={OrgPermissionActions.Delete}
-                    a={OrgPermissionSubjects.Member}
-                  >
-                    {(isAllowed) => (
-                      <DropdownMenuItem
-                        className={twMerge(
-                          isAllowed
-                            ? "hover:!bg-red-500 hover:!text-white"
-                            : "pointer-events-none cursor-not-allowed opacity-50"
-                        )}
-                        onClick={() => {
-                          if (currentOrg?.scimEnabled) {
-                            createNotification({
-                              text: "You cannot manage users from Infisical when SCIM is enabled for your organization",
-                              type: "error"
+                            if (!membership.isActive) {
+                              // activate user
+                              await updateOrgMembership({
+                                organizationId: orgId,
+                                membershipId,
+                                isActive: true
+                              });
+
+                              return;
+                            }
+
+                            // deactivate user
+                            handlePopUpOpen("deactivateMember", {
+                              orgMembershipId: membershipId,
+                              username: membership.user.username
                            });
-                            return;
-                          }
+                          }}
+                          disabled={!isAllowed}
+                        >
+                          {`${membership.isActive ? "Deactivate" : "Activate"} User`}
+                        </DropdownMenuItem>
+                      )}
+                    </OrgPermissionCan>
+                    <OrgPermissionCan
+                      I={OrgPermissionActions.Delete}
+                      a={OrgPermissionSubjects.Member}
+                    >
+                      {(isAllowed) => (
+                        <DropdownMenuItem
+                          className={twMerge(
+                            isAllowed
+                              ? "hover:!bg-red-500 hover:!text-white"
+                              : "pointer-events-none cursor-not-allowed opacity-50"
+                          )}
+                          onClick={() => {
+                            if (currentOrg?.scimEnabled) {
+                              createNotification({
+                                text: "You cannot manage users from Infisical when SCIM is enabled for your organization",
+                                type: "error"
+                              });
+                              return;
+                            }

-                          handlePopUpOpen("removeMember", {
-                            orgMembershipId: membershipId,
-                            username: membership.user.username
-                          });
-                        }}
-                        disabled={!isAllowed}
-                      >
-                        Remove User
-                      </DropdownMenuItem>
-                    )}
-                  </OrgPermissionCan>
-                </DropdownMenuContent>
-              </DropdownMenu>
+                            handlePopUpOpen("removeMember", {
+                              orgMembershipId: membershipId,
+                              username: membership.user.username
+                            });
+                          }}
+                          disabled={!isAllowed}
+                        >
+                          Remove User
+                        </DropdownMenuItem>
+                      )}
+                    </OrgPermissionCan>
+                  </DropdownMenuContent>
+                </DropdownMenu>
+              )}
            </div>
            <div className="flex">
              <div className="mr-4 w-96">
--- a/frontend/src/views/Org/UserPage/components/UserProjectsSection/UserProjectsSection.tsx
+++ b/frontend/src/views/Org/UserPage/components/UserProjectsSection/UserProjectsSection.tsx
@ -3,7 +3,7 @@ import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";

 import { createNotification } from "@app/components/notifications";
 import { DeleteActionModal, IconButton } from "@app/components/v2";
-import { useOrganization,useUser } from "@app/context";
+import { useOrganization, useUser } from "@app/context";
 import { useDeleteUserFromWorkspace, useGetOrgMembership } from "@app/hooks/api";
 import { usePopUp } from "@app/hooks/usePopUp";

@ -51,7 +51,7 @@ export const UserProjectsSection = ({ membershipId }: Props) => {
    <div className="w-full rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
      <div className="flex items-center justify-between border-b border-mineshaft-400 pb-4">
        <h3 className="text-lg font-semibold text-mineshaft-100">Projects</h3>
-        {userId !== membership.user.id && (
+        {userId !== membership.user.id && membership.status !== "invited" && (
          <IconButton
            ariaLabel="copy icon"
            variant="plain"
Author	SHA1	Message	Date
Tuan Dang	ebe6b08cab	Public key to not invited state change for project provisioning ui	2024-07-18 20:46:36 +07:00
Tuan Dang	43b14d0091	Patch for update org membership call, hide edit user on self user page	2024-07-18 20:40:12 +07:00
Maidul Islam	20387cff35	Merge pull request #2143 from Infisical/user-page Add Manual User Deactivation/Activation + User Page	2024-07-18 09:01:05 -04:00
Maidul Islam	95a4661787	Merge pull request #2145 from Infisical/maidul-dqwdfffwr312 add ips for whitelisting	2024-07-17 19:14:49 -04:00
Maidul Islam	7e9c846ba3	add ips for whitelisting	2024-07-17 19:11:55 -04:00
BlackMagiq	c141b916d3	Merge pull request #2138 from Infisical/further-scim-smoothening Further SCIM Smoothening	2024-07-17 18:04:25 +07:00
Tuan Dang	1ae375188b	Correct database error message	2024-07-17 11:27:09 +07:00
Tuan Dang	22b954b657	Further smoothen scim	2024-07-17 11:24:57 +07:00