estuary
diff --git a/‎.sqlx/query-59b5d98e5cc0ce441ddefa0b32eef6820b1db95156c6206e773362e4477fc2dd.json‎
Lines changed: 94 additions & 0 deletions b/‎.sqlx/query-59b5d98e5cc0ce441ddefa0b32eef6820b1db95156c6206e773362e4477fc2dd.json‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎.sqlx/query-a5697a9097f21c69f3da2850fd08cd9aa7102b964071bad56e9b82bb9e82bce1.json‎
Lines changed: 94 additions & 0 deletions b/‎.sqlx/query-a5697a9097f21c69f3da2850fd08cd9aa7102b964071bad56e9b82bb9e82bce1.json‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎…6ceee073f467105083ec751a75c11478adf.json‎ ‎…4cae60b21aa971908b01eb16ff4770bf29b.json‎.sqlx/query-bf114fcbbb3b0c8bd057869c92b7c6ceee073f467105083ec751a75c11478adf.json renamed to .sqlx/query-e60eb5d6aec7b22576ff88a5862784cae60b21aa971908b01eb16ff4770bf29b.json
Lines changed: 2 additions & 2 deletions b/‎…6ceee073f467105083ec751a75c11478adf.json‎ ‎…4cae60b21aa971908b01eb16ff4770bf29b.json‎.sqlx/query-bf114fcbbb3b0c8bd057869c92b7c6ceee073f467105083ec751a75c11478adf.json renamed to .sqlx/query-e60eb5d6aec7b22576ff88a5862784cae60b21aa971908b01eb16ff4770bf29b.json
Lines changed: 2 additions & 2 deletions
diff --git a/‎crates/control-plane-api/src/server/public/graphql/snapshots/control_plane_api__server__public__graphql__invite_links__test__list_unauthorized.snap‎
Lines changed: 22 additions & 0 deletions b/‎crates/control-plane-api/src/server/public/graphql/snapshots/control_plane_api__server__public__graphql__invite_links__test__list_unauthorized.snap‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎crates/control-plane-api/src/server/snapshot.rs‎
Lines changed: 7 additions & 1 deletion b/‎crates/control-plane-api/src/server/snapshot.rs‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎supabase/migrations/20260310120000_enforce_sso_authz.sql‎
Lines changed: 61 additions & 0 deletions b/‎supabase/migrations/20260310120000_enforce_sso_authz.sql‎
Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,22 @@
+---
+source: crates/control-plane-api/src/server/public/graphql/invite_links.rs
+assertion_line: 882
+expression: unauthorized_list
+---
+{
+  "data": null,
+  "errors": [
+    {
+      "locations": [
+        {
+          "column": 25,
+          "line": 3
+        }
+      ],
+      "message": "PermissionDenied: bob@example.test is not authorized to access prefix or name 'aliceCo/' with required capability admin",
+      "path": [
+        "inviteLinks"
+      ]
+    }
+  ]
+}
@@ -496,11 +496,17 @@ pub async fn try_fetch(
             g.object_role AS "object_role: models::Prefix",
             g.capability AS "capability: models::Capability"
         FROM user_grants g
+        WHERE NOT EXISTS (
+            SELECT 1 FROM tenants t
+            WHERE t.tenant ^@ g.object_role
+              AND t.enforce_sso
+              AND NOT coalesce((SELECT au.is_sso_user FROM auth.users au WHERE au.id = g.user_id), false)
+        )
         "#,
     )
     .fetch_all(pg_pool)
     .await
-    .context("failed to fetch role_grants")?;
+    .context("failed to fetch user_grants")?;
 
     let tasks = sqlx::query_as!(
         SnapshotTask,
 
@@ -0,0 +1,61 @@
+-- Phase 4: Enforce SSO at the authorization layer.
+--
+-- When a tenant has enforce_sso = true, grants on that tenant are excluded
+-- unless the user has an SSO identity matching the tenant's configured provider.
+-- This is enforced in the base case of internal.user_roles(), so transitive
+-- grants through SSO-enforced tenants are also excluded.
+
+begin;
+
+-- Add SSO columns to tenants.
+alter table public.tenants
+  add column sso_provider_id uuid references auth.sso_providers(id),
+  add column enforce_sso boolean not null default false;
+
+comment on column public.tenants.sso_provider_id is
+  'The SSO provider configured for this tenant, if any';
+comment on column public.tenants.enforce_sso is
+  'When true, only SSO-authenticated users may access this tenant''s resources';
+
+-- Replace internal.user_roles to exclude grants on SSO-enforced tenants unless
+-- the user authenticated via the tenant's specific SSO provider.
+create or replace function internal.user_roles(
+  target_user_id uuid,
+  min_capability public.grant_capability default 'x_00'::public.grant_capability
+)
+returns table(role_prefix public.catalog_prefix, capability public.grant_capability)
+language sql stable
+as $$
+  with recursive
+  all_roles(role_prefix, capability) as (
+      select object_role, capability from user_grants
+      where user_id = target_user_id
+        and capability >= min_capability
+        -- Exclude grants on SSO-enforced tenants unless the user has an
+        -- identity linked to that tenant's specific SSO provider.
+        and not exists (
+          select 1 from tenants t
+          where t.tenant ^@ user_grants.object_role
+            and t.enforce_sso
+            and not exists (
+              select 1 from auth.identities ai
+              where ai.user_id = target_user_id
+                and ai.provider = 'sso'
+                and ai.provider_id = t.sso_provider_id::text
+            )
+        )
+    union
+      -- Recursive case: for each object_role granted as 'admin',
+      -- project through grants where object_role acts as the subject_role.
+      select role_grants.object_role, role_grants.capability
+      from role_grants, all_roles
+      where role_grants.subject_role ^@ all_roles.role_prefix
+        and role_grants.capability >= min_capability
+        and all_roles.capability = 'admin'
+  )
+  select role_prefix, max(capability) from all_roles
+  group by role_prefix
+  order by role_prefix;
+$$;
+
+commit;