fix snapshots grant filtering to account for sso provider id

Author: GregorShear

…4cae60b21aa971908b01eb16ff4770bf29b.json …b11d833f6ab21e90f89bbf5dce433a4293d.json.sqlx/query-e60eb5d6aec7b22576ff88a5862784cae60b21aa971908b01eb16ff4770bf29b.json renamed to .sqlx/query-33c43cf8dd44d4e448fdac5a9f128b11d833f6ab21e90f89bbf5dce433a4293d.json .sqlx/query-e60eb5d6aec7b22576ff88a5862784cae60b21aa971908b01eb16ff4770bf29b.json renamed to .sqlx/query-33c43cf8dd44d4e448fdac5a9f128b11d833f6ab21e90f89bbf5dce433a4293d.json

@@ -0,0 +1,45 @@
+-- Sets up SSO-enforced tenants with users whose identities do/don't match.
+-- Alice has an SSO identity matching acmeCo's provider — her grant should be included.
+-- Bob has an SSO identity for a *different* provider — his grant should be excluded.
+-- Carol has no SSO identity at all — her grant should be excluded.
+-- All three have grants on openCo (no SSO enforcement) — those should be included.
+do $$
+declare
+  provider_acme uuid := 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
+  provider_other uuid := 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb';
+
+  alice_uid uuid := '11111111-1111-1111-1111-111111111111';
+  bob_uid uuid := '22222222-2222-2222-2222-222222222222';
+  carol_uid uuid := '33333333-3333-3333-3333-333333333333';
+begin
+
+  insert into auth.sso_providers (id) values (provider_acme), (provider_other);
+
+  insert into auth.users (id, email, is_sso_user) values
+    (alice_uid, 'alice@acme.co', true),
+    (bob_uid, 'bob@other.co', true),
+    (carol_uid, 'carol@example.com', false)
+  ;
+
+  -- Alice has the correct SSO identity for acmeCo's provider.
+  insert into auth.identities (user_id, provider, provider_id, identity_data) values
+    (alice_uid, 'sso', provider_acme::text, '{}'::jsonb),
+    (bob_uid, 'sso', provider_other::text, '{}'::jsonb)
+  ;
+
+  insert into public.tenants (tenant, sso_provider_id, enforce_sso) values
+    ('acmeCo/', provider_acme, true),
+    ('openCo/', null, false)
+  ;
+
+  insert into public.user_grants (user_id, object_role, capability) values
+    (alice_uid, 'acmeCo/', 'admin'),
+    (bob_uid, 'acmeCo/', 'admin'),
+    (carol_uid, 'acmeCo/', 'admin'),
+    (alice_uid, 'openCo/', 'read'),
+    (bob_uid, 'openCo/', 'read'),
+    (carol_uid, 'openCo/', 'read')
+  ;
+
+end
+$$;

.sqlx/query-59b5d98e5cc0ce441ddefa0b32eef6820b1db95156c6206e773362e4477fc2dd.json

@@ -500,7 +500,12 @@ pub async fn try_fetch(
             SELECT 1 FROM tenants t
             WHERE t.tenant ^@ g.object_role
               AND t.enforce_sso
-              AND NOT coalesce((SELECT au.is_sso_user FROM auth.users au WHERE au.id = g.user_id), false)
+              AND NOT EXISTS (
+                SELECT 1 FROM auth.identities ai
+                WHERE ai.user_id = g.user_id
+                  AND ai.provider = 'sso'
+                  AND ai.provider_id = t.sso_provider_id::text
+              )
         )
         "#,
     )
@@ -609,6 +614,39 @@ mod tests {
         );
     }
 
+    #[sqlx::test(
+        migrations = "../../supabase/migrations",
+        fixtures(path = "../fixtures", scripts("data_planes", "sso_tenant"))
+    )]
+    async fn test_snapshot_sso_enforcement(pool: sqlx::PgPool) {
+        let mut decrypted_keys = HashMap::new();
+        let result = try_fetch(&pool, &mut decrypted_keys)
+            .await
+            .expect("snapshot refresh should succeed");
+
+        let alice_uid: uuid::Uuid = "11111111-1111-1111-1111-111111111111".parse().unwrap();
+        let bob_uid: uuid::Uuid = "22222222-2222-2222-2222-222222222222".parse().unwrap();
+        let carol_uid: uuid::Uuid = "33333333-3333-3333-3333-333333333333".parse().unwrap();
+
+        let grants_for = |uid: uuid::Uuid| -> Vec<String> {
+            result
+                .user_grants
+                .iter()
+                .filter(move |g| g.user_id == uid)
+                .map(|g| g.object_role.to_string())
+                .collect()
+        };
+
+        // Alice has matching SSO identity — sees both tenants.
+        assert_eq!(grants_for(alice_uid), vec!["acmeCo/", "openCo/"]);
+
+        // Bob has SSO identity for a *different* provider — excluded from acmeCo.
+        assert_eq!(grants_for(bob_uid), vec!["openCo/"]);
+
+        // Carol has no SSO identity — excluded from acmeCo.
+        assert_eq!(grants_for(carol_uid), vec!["openCo/"]);
+    }
+
     #[test]
     fn test_task_lookups() {
         let snapshot = Snapshot::build_fixture(None);

.sqlx/query-a5697a9097f21c69f3da2850fd08cd9aa7102b964071bad56e9b82bb9e82bce1.json

@@ -27,14 +27,23 @@ BEGIN
         -- Roles are cluster-wide and already exist from migrations applied to the
         -- primary `postgres` database. We only need to stub Supabase schemas.
 
-        -- Create auth schema with minimal users table stub.
+        -- Create auth schema with minimal table stubs.
         create schema auth;
         create table auth.users (
             id uuid primary key,
             email text,
             is_sso_user boolean,
             raw_user_meta_data jsonb
         );
+        create table auth.sso_providers (
+            id uuid primary key
+        );
+        create table auth.identities (
+            user_id uuid references auth.users(id),
+            provider text,
+            provider_id text,
+            identity_data jsonb
+        );
 
         -- Stub for auth.uid() function.
         create function auth.uid() returns uuid as $uid$