feat: add org domain whitelisting

raystack · Aug 1, 2023 · b2c3cb0 · b2c3cb0
1 parent 6b20a5b
commit b2c3cb0
Show file tree

Hide file tree

Showing 2 changed files with 180 additions and 1 deletion.
diff --git a/raystack/frontier/v1beta1/models.proto b/raystack/frontier/v1beta1/models.proto
@@ -138,6 +138,50 @@ message Project {
   }];
 }
 
+message Domain {
+  string id = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "The domain id",
+      example: "\"943e4567-e89b-12d3-a456-426655440000\""
+    }
+  ];
+  string name = 2 [
+    (validate.rules).string = {
+      min_len: 2,
+    },
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "The domain name",
+      example: "\"raystack.org\""
+  }
+  ];
+  string org_id = 3 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "The organization id",
+      example: "\"123e4567-e89b-12d3-a456-426655440000\""
+    }
+  ];
+  string token = 4 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "The dns TXT record token to verify the domain",
+      example: "\"_frontier-challenge:1234567890123456\""
+    }
+  ];
+  bool verified = 5 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "true if the domain is verified, false otherwise",
+      example: "true"
+    }
+  ];
+  google.protobuf.Timestamp created_at = 6 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+    description: "The time the domain whitelist request was created",
+    example: "\"2023-06-07T05:39:56.961Z\""
+  }];
+  google.protobuf.Timestamp verified_at = 7 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+    description: "The time the org domain was verified",
+    example: "\"2023-06-07T05:39:56.961Z\""
+  }];
+}
+
 message Policy {
   reserved 3, 4, 7, 9;
 

diff --git a/raystack/frontier/v1beta1/shield.proto b/raystack/frontier/v1beta1/shield.proto
@@ -665,7 +665,7 @@ service FrontierService {
     option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
       tags: "Organization";
       summary: "Invite user"
-      description: "Invite users to an organization, if the user doesn't exists, it will be created and notified. Invitations expire in 7 days";
+      description: "Invite users to an organization, if user is not registered on the platform, it will be notified. Invitations expire in 7 days";
     };
   }
 
@@ -696,6 +696,57 @@ service FrontierService {
     };
   }
 
+  rpc ListOrganizationDomains(ListOrganizationDomainsRequest) returns (ListOrganizationDomainsResponse) {
+    option (google.api.http) = {get: "/v1beta1/organizations/{org_id}/domains"};
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      tags: "Organization";
+      summary: "List org domains";
+      description: "Returns all trusted domains for an organization, which are used to allow users to sign up with a specific email domain without invitation. The domain ownership must be verified before it can be used as a trusted domain. Use the verified filter to get only the verified domains.";
+    };
+  }
+
+  rpc AddOrganizationDomain(AddOrganizationDomainRequest) returns (AddOrganizationDomainResponse) {
+    option (google.api.http) = {
+      post: "/v1beta1/organizations/{org_id}/domains",
+      body: "*"
+    };
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      tags: "Organization";
+      summary: "Add org domain";
+      description: "Add a domain to an organization which if verified allows all users of the same domain to be signed up to the organization without invitation. This API generates a verification token for a domain which must be added to your domain's DNS provider as a TXT record should be verified with Frontier VerifyOrgDomain API before it can be used as an Organization's trusted domain to sign up users.";
+    };
+  }
+
+  rpc RemoveOrganizationDomain(RemoveOrganizationDomainRequest) returns (RemoveOrganizationDomainResponse) {
+    option (google.api.http) = {delete: "/v1beta1/organizations/{org_id}/domains/{id}/remove"};
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      tags: "Organization";
+      summary: "Remove org domain";
+      description: "Remove a domain from the list of an organization's trusted domains list";
+    };
+  }
+
+  rpc GetOrganizationDomain(GetOrganizationDomainRequest) returns (GetOrganizationDomainResponse) {
+    option (google.api.http) = {get: "/v1beta1/organizations/{org_id}/domains/{id}"};
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      tags: "Organization";
+      summary: "Get org domain";
+      description: "Get a domain from the list of an organization's whitelisted domains. Returns both verified and unverified domains by their ID";
+    };
+  }
+
+  rpc VerifyOrgDomain(VerifyOrgDomainRequest) returns (VerifyOrgDomainResponse) {
+    option (google.api.http) = {
+      post: "/v1beta1/organizations/{org_id}/domains/{id}/verify", 
+      body: "*"
+    };
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      tags: "Organization";
+      summary: "Verify org domain";
+      description: "Verify a domain for an organization with a verification token generated by Frontier GenerateDomainVerificationToken API. The token must be added to your domain's DNS provider as a TXT record before it can be verified.";
+    };
+  }
+
   rpc EnableOrganization(EnableOrganizationRequest) returns (EnableOrganizationResponse) {
     option (google.api.http) = {
       post: "/v1beta1/organizations/{id}/enable",
@@ -1688,6 +1739,90 @@ message DeleteOrganizationInvitationRequest {
   string org_id = 2;
 }
 
+message ListOrganizationDomainsRequest{
+  string org_id = 1 [
+    (validate.rules).string.min_len = 3,
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "unique id of the organization for which whitelisted domains are to be listed"}
+  ];
+  bool verified = 2 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "filter to list only verified domains. If not provided, all domains for an org will be listed"}
+  ];
+}
+
+message ListOrganizationDomainsResponse{
+  repeated Domain domains = 1;
+}
+
+message GetOrganizationDomainRequest{
+  string id = 1 [
+    (validate.rules).string.min_len = 3,
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "unique id of the domain to be retrieved"}
+  ];
+  string org_id = 2 [
+    (validate.rules).string.min_len = 3,
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "unique id of the organization for which whitelisted domain is to be retrieved"}
+  ];
+}
+
+message GetOrganizationDomainResponse{
+  Domain domain = 1;
+}
+
+message AddOrganizationDomainRequest{
+  string id = 1 [
+    (validate.rules).string.min_len = 3,
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "unique id of the organization for which whitelisted domains are to be added"}
+  ];
+  string domain = 2 [
+    (validate.rules).string.min_len = 3,
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "domain name to be added to the trusted domain list",
+      example: "raystack.org"
+    }
+  ];
+}
+
+message AddOrganizationDomainResponse{
+  Domain domain = 1;
+}
+
+message RemoveOrganizationDomainRequest{
+  string id = 1 [
+    (validate.rules).string.min_len = 3,
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "unique id of the domain to be deleted"}
+  ];
+  string org_id = 2 [
+    (validate.rules).string.min_len = 3,
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "unique id of the organization for which whitelisted domains are to be deleted"}
+  ];
+}
+
+message RemoveOrganizationDomainResponse{}
+
+message VerifyOrgDomainRequest {
+  string org_id = 1 [
+    (validate.rules).string.min_len = 3,
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "unique id of the organization for which whitelisted domains are to be verified"}
+  ];
+  string id = 2 [
+    (validate.rules).string.min_len = 3,
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "unique id of the domain to be verified"}
+  ];
+}
+
+message VerifyOrgDomainResponse {
+  bool verified = 1;
+}
+
 message DeleteOrganizationInvitationResponse {}
 
 message EnableOrganizationRequest {