[SM-378] Enable SM on a user basis (#2590)

* Add support for giving individual users access to secrets manager
2025-07-07 02:52:50 -05:00 · 2023-01-31 18:38:53 +01:00
parent 54353f8b6c
commit cf25d55090
57 changed files with 1419 additions and 400 deletions
--- a/src/Sql/Sql.sqlproj
+++ b/src/Sql/Sql.sqlproj
@ -238,6 +238,7 @@
    <Build Include="dbo\Stored Procedures\OrganizationUser_Activate.sql" />
    <Build Include="dbo\Stored Procedures\OrganizationUser_Create.sql" />
    <Build Include="dbo\Stored Procedures\OrganizationUser_CreateMany.sql" />
+    <Build Include="dbo\Stored Procedures\OrganizationUser_CreateMany2.sql" />
    <Build Include="dbo\Stored Procedures\OrganizationUser_CreateWithCollections.sql" />
    <Build Include="dbo\Stored Procedures\OrganizationUser_Deactivate.sql" />
    <Build Include="dbo\Stored Procedures\OrganizationUser_DeleteById.sql" />
@ -258,6 +259,7 @@
    <Build Include="dbo\Stored Procedures\OrganizationUser_SelectKnownEmails.sql" />
    <Build Include="dbo\Stored Procedures\OrganizationUser_Update.sql" />
    <Build Include="dbo\Stored Procedures\OrganizationUser_UpdateMany.sql" />
+    <Build Include="dbo\Stored Procedures\OrganizationUser_UpdateMany2.sql" />
    <Build Include="dbo\Stored Procedures\OrganizationUser_UpdateWithCollections.sql" />
    <Build Include="dbo\Stored Procedures\Organization_Create.sql" />
    <Build Include="dbo\Stored Procedures\Organization_DeleteById.sql" />
@ -400,6 +402,7 @@
    <Build Include="dbo\User Defined Types\GuidIdArray.sql" />
    <Build Include="dbo\User Defined Types\OrganizationSponsorshipType.sql" />
    <Build Include="dbo\User Defined Types\OrganizationUserType.sql" />
+    <Build Include="dbo\User Defined Types\OrganizationUserType2.sql" />
    <Build Include="dbo\User Defined Types\SelectionReadOnlyArray.sql" />
    <Build Include="dbo\User Defined Types\TwoGuidIdArray.sql" />
    <Build Include="dbo\Views\AuthRequestView.sql" />
--- a/Procedures/OrganizationUser_Create.sql
+++ b/Procedures/OrganizationUser_Create.sql
@ -11,7 +11,8 @@
    @CreationDate DATETIME2(7),
    @RevisionDate DATETIME2(7),
    @Permissions NVARCHAR(MAX),
-    @ResetPasswordKey VARCHAR(MAX)
+    @ResetPasswordKey VARCHAR(MAX),
+    @AccessSecretsManager BIT = 0
 AS
 BEGIN
    SET NOCOUNT ON
@ -30,7 +31,8 @@ BEGIN
        [CreationDate],
        [RevisionDate],
        [Permissions],
-        [ResetPasswordKey]
+        [ResetPasswordKey],
+        [AccessSecretsManager]
    )
    VALUES
    (
@ -46,6 +48,7 @@ BEGIN
        @CreationDate,
        @RevisionDate,
        @Permissions,
-        @ResetPasswordKey
+        @ResetPasswordKey,
+        @AccessSecretsManager
    )
 END
--- a/Procedures/OrganizationUser_CreateMany2.sql
+++ b/Procedures/OrganizationUser_CreateMany2.sql
@ -0,0 +1,42 @@
+CREATE PROCEDURE [dbo].[OrganizationUser_CreateMany2]
+    @OrganizationUsersInput [dbo].[OrganizationUserType2] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[OrganizationUser]
+        (
+        [Id],
+        [OrganizationId],
+        [UserId],
+        [Email],
+        [Key],
+        [Status],
+        [Type],
+        [AccessAll],
+        [ExternalId],
+        [CreationDate],
+        [RevisionDate],
+        [Permissions],
+        [ResetPasswordKey],
+        [AccessSecretsManager]
+        )
+    SELECT
+        OU.[Id],
+        OU.[OrganizationId],
+        OU.[UserId],
+        OU.[Email],
+        OU.[Key],
+        OU.[Status],
+        OU.[Type],
+        OU.[AccessAll],
+        OU.[ExternalId],
+        OU.[CreationDate],
+        OU.[RevisionDate],
+        OU.[Permissions],
+        OU.[ResetPasswordKey],
+        OU.[AccessSecretsManager]
+    FROM
+        @OrganizationUsersInput OU
+END
+GO
--- a/Procedures/OrganizationUser_CreateWithCollections.sql
+++ b/Procedures/OrganizationUser_CreateWithCollections.sql
@ -12,12 +12,13 @@
    @RevisionDate DATETIME2(7),
    @Permissions NVARCHAR(MAX),
    @ResetPasswordKey VARCHAR(MAX),
-    @Collections AS [dbo].[SelectionReadOnlyArray] READONLY
+    @Collections AS [dbo].[SelectionReadOnlyArray] READONLY,
+    @AccessSecretsManager BIT = 0
 AS
 BEGIN
    SET NOCOUNT ON

-    EXEC [dbo].[OrganizationUser_Create] @Id, @OrganizationId, @UserId, @Email, @Key, @Status, @Type, @AccessAll, @ExternalId, @CreationDate, @RevisionDate, @Permissions, @ResetPasswordKey
+    EXEC [dbo].[OrganizationUser_Create] @Id, @OrganizationId, @UserId, @Email, @Key, @Status, @Type, @AccessAll, @ExternalId, @CreationDate, @RevisionDate, @Permissions, @ResetPasswordKey, @AccessSecretsManager

    ;WITH [AvailableCollectionsCTE] AS(
        SELECT
--- a/Procedures/OrganizationUser_Update.sql
+++ b/Procedures/OrganizationUser_Update.sql
@ -11,7 +11,8 @@
    @CreationDate DATETIME2(7),
    @RevisionDate DATETIME2(7),
    @Permissions NVARCHAR(MAX),
-    @ResetPasswordKey VARCHAR(MAX)
+    @ResetPasswordKey VARCHAR(MAX),
+    @AccessSecretsManager BIT = 0
 AS
 BEGIN
    SET NOCOUNT ON
@ -30,7 +31,8 @@ BEGIN
        [CreationDate] = @CreationDate,
        [RevisionDate] = @RevisionDate,
        [Permissions] = @Permissions,
-        [ResetPasswordKey] = @ResetPasswordKey
+        [ResetPasswordKey] = @ResetPasswordKey,
+        [AccessSecretsManager] = @AccessSecretsManager
    WHERE
        [Id] = @Id

--- a/Procedures/OrganizationUser_UpdateMany2.sql
+++ b/Procedures/OrganizationUser_UpdateMany2.sql
@ -0,0 +1,34 @@
+CREATE PROCEDURE [dbo].[OrganizationUser_UpdateMany2]
+    @OrganizationUsersInput [dbo].[OrganizationUserType2] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        OU
+    SET
+        [OrganizationId] = OUI.[OrganizationId],
+        [UserId] = OUI.[UserId],
+        [Email] = OUI.[Email],
+        [Key] = OUI.[Key],
+        [Status] = OUI.[Status],
+        [Type] = OUI.[Type],
+        [AccessAll] = OUI.[AccessAll],
+        [ExternalId] = OUI.[ExternalId],
+        [CreationDate] = OUI.[CreationDate],
+        [RevisionDate] = OUI.[RevisionDate],
+        [Permissions] = OUI.[Permissions],
+        [ResetPasswordKey] = OUI.[ResetPasswordKey],
+        [AccessSecretsManager] = OUI.[AccessSecretsManager]
+    FROM
+        [dbo].[OrganizationUser] OU
+    INNER JOIN
+        @OrganizationUsersInput OUI ON OU.Id = OUI.Id
+
+    EXEC [dbo].[User_BumpManyAccountRevisionDates]
+    (
+        SELECT UserId
+        FROM @OrganizationUsersInput
+    )
+END
+GO
--- a/Procedures/OrganizationUser_UpdateWithCollections.sql
+++ b/Procedures/OrganizationUser_UpdateWithCollections.sql
@ -12,12 +12,13 @@
    @RevisionDate DATETIME2(7),
    @Permissions NVARCHAR(MAX),
    @ResetPasswordKey VARCHAR(MAX),
-    @Collections AS [dbo].[SelectionReadOnlyArray] READONLY
+    @Collections AS [dbo].[SelectionReadOnlyArray] READONLY,
+    @AccessSecretsManager BIT = 0
 AS
 BEGIN
    SET NOCOUNT ON

-    EXEC [dbo].[OrganizationUser_Update] @Id, @OrganizationId, @UserId, @Email, @Key, @Status, @Type, @AccessAll, @ExternalId, @CreationDate, @RevisionDate, @Permissions, @ResetPasswordKey
+    EXEC [dbo].[OrganizationUser_Update] @Id, @OrganizationId, @UserId, @Email, @Key, @Status, @Type, @AccessAll, @ExternalId, @CreationDate, @RevisionDate, @Permissions, @ResetPasswordKey, @AccessSecretsManager
    -- Update
    UPDATE
        [Target]
--- a/src/Sql/dbo/Tables/OrganizationUser.sql
+++ b/src/Sql/dbo/Tables/OrganizationUser.sql
@ -12,6 +12,7 @@
    [CreationDate]                  DATETIME2 (7)       NOT NULL,
    [RevisionDate]                  DATETIME2 (7)       NOT NULL,
    [Permissions]                   NVARCHAR (MAX)      NULL,
+    [AccessSecretsManager]          BIT                 NOT NULL CONSTRAINT [DF_OrganizationUser_SecretsManager] DEFAULT (0),
    CONSTRAINT [PK_OrganizationUser] PRIMARY KEY CLUSTERED ([Id] ASC),
    CONSTRAINT [FK_OrganizationUser_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id]) ON DELETE CASCADE,
    CONSTRAINT [FK_OrganizationUser_User] FOREIGN KEY ([UserId]) REFERENCES [dbo].[User] ([Id])
--- a/Types/OrganizationUserType2.sql
+++ b/Types/OrganizationUserType2.sql
@ -0,0 +1,16 @@
+CREATE TYPE [dbo].[OrganizationUserType2] AS TABLE(
+    [Id] UNIQUEIDENTIFIER,
+    [OrganizationId] UNIQUEIDENTIFIER,
+    [UserId] UNIQUEIDENTIFIER,
+    [Email] NVARCHAR(256),
+    [Key] VARCHAR(MAX),
+    [Status] SMALLINT,
+    [Type] TINYINT,
+    [AccessAll] BIT,
+    [ExternalId] NVARCHAR(300),
+    [CreationDate] DATETIME2(7),
+    [RevisionDate] DATETIME2(7),
+    [Permissions] NVARCHAR(MAX),
+    [ResetPasswordKey] VARCHAR(MAX),
+    [AccessSecretsManager] BIT
+)
--- a/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql
+++ b/src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql
@ -39,7 +39,8 @@ SELECT
    OS.[FriendlyName] FamilySponsorshipFriendlyName,
    OS.[LastSyncDate] FamilySponsorshipLastSyncDate,
    OS.[ToDelete] FamilySponsorshipToDelete,
-    OS.[ValidUntil] FamilySponsorshipValidUntil
+    OS.[ValidUntil] FamilySponsorshipValidUntil,
+    OU.[AccessSecretsManager]
 FROM
    [dbo].[OrganizationUser] OU
 LEFT JOIN
--- a/src/Sql/dbo/Views/OrganizationUserUserDetailsView.sql
+++ b/src/Sql/dbo/Views/OrganizationUserUserDetailsView.sql
@ -11,6 +11,7 @@ SELECT
    OU.[Status],
    OU.[Type],
    OU.[AccessAll],
+    OU.[AccessSecretsManager],
    OU.[ExternalId],
    SU.[ExternalId] SsoExternalId,
    OU.[Permissions],
--- a/Procedures/OrganizationUser_CreateMany.sql
+++ b/Procedures/OrganizationUser_CreateMany.sql
@ -0,0 +1,2 @@
+-- Created 2023-01
+-- DELETE FILE
--- a/Procedures/OrganizationUser_UpdateMany.sql
+++ b/Procedures/OrganizationUser_UpdateMany.sql
@ -0,0 +1,2 @@
+-- Created 2023-01
+-- DELETE FILE
--- a/Types/OrganizationUserType.sql
+++ b/Types/OrganizationUserType.sql
@ -0,0 +1,2 @@
+-- Created 2023-01
+-- DELETE FILE