Phase 4: Enforce SSO

[GregorShear]

Summary

Enforce SSO at the authorization layer so that when a tenant has enforce_sso = true, non-SSO users' grants on that tenant are excluded.

• Add sso_provider_id and enforce_sso columns to the tenants table
• Update internal.user_roles() to filter out user grants, block transitive grants to non-sso users from sso tenants
• Apply the same SSO filtering to the snapshot query (user_grants fetch) used by the GraphQL API

Test plan

• Verify that a non-SSO user loses access to an SSO-enforced tenant's resources via both GraphQL and PostgREST
• Verify that SSO users retain access to SSO-enforced tenants
• Verify transitive grants through SSO-enforced tenants are also excluded for non-SSO users

closes #2766

[GregorShear]

Need to check these SSO users who each have access to 2 tenants - are both of those SSO tenants? if so, how do we resolve the one sso user to one sso tenant constraint?

[
  {
    "id": "0214efc9-08e8-41e4-bbd2-7a935c34c2c4",
    "email": "fabio.bricchi@openfiber.it",
    "tenant_count": 2,
    "tenants": "{OpenFiber_AWS/,OpenFiber_Test/}"
  },
  {
    "id": "24e836af-8b6e-493c-9833-fa084882a0df",
    "email": "kbinder@aaalife.com",
    "tenant_count": 2,
    "tenants": "{AAA_Life/,AAA_Life_Insurance_Company/}"
  },
  {
    "id": "2b76e63b-5408-43a7-94b6-ad9cfc9f59cc",
    "email": "mlaporta.sys.ca@firstlight.net",
    "tenant_count": 2,
    "tenants": "{FirstLightFiber/,FirstLight_POC/}"
  },
  {
    "id": "42146fef-6128-4c67-90c4-fa7215656aa7",
    "email": "leonardo.massari@openfiber.it",
    "tenant_count": 2,
    "tenants": "{OpenFiber_AWS/,OpenFiber_Test/}"
  },
  {
    "id": "42b4b67d-d923-4089-b705-9b7d0364bfe6",
    "email": "rreddygangireddy@aaalife.com",
    "tenant_count": 2,
    "tenants": "{AAALI/,AAA_Life/}"
  },
  {
    "id": "4706869f-1739-4123-bdc8-2f0ce4b08c63",
    "email": "tommaso.ruta.external@openfiber.it",
    "tenant_count": 2,
    "tenants": "{OpenFiber_AWS/,OpenFiber_Test/}"
  },
  {
    "id": "4dcf393b-3531-4d9b-ac39-2508187adb15",
    "email": "francesco.surace.external@openfiber.it",
    "tenant_count": 2,
    "tenants": "{OpenFiber_AWS/,OpenFiber_Test/}"
  },
  {
    "id": "51aa6826-0112-4921-959e-41b553b3b307",
    "email": "denise.trovato.external@openfiber.it",
    "tenant_count": 2,
    "tenants": "{OpenFiber_AWS/,OpenFiber_Test/}"
  },
  {
    "id": "63408de3-04b7-42cb-a8aa-2f2f3aeec570",
    "email": "tbarlow@aaalife.com",
    "tenant_count": 2,
    "tenants": "{AAALifeInsurance/,AAA_Life/}"
  },
  {
    "id": "a3f168f0-6669-4896-8bc0-c3b80850655c",
    "email": "antonio.grande.external@openfiber.it",
    "tenant_count": 2,
    "tenants": "{OpenFiber_AWS/,OpenFiber_Test/}"
  },
  {
    "id": "a458f8d5-6259-4b7d-8f94-59af26b2f685",
    "email": "massimo.iovine.external@openfiber.it",
    "tenant_count": 2,
    "tenants": "{OpenFiber_AWS/,OpenFiber_Test/}"
  },
  {
    "id": "a9a7b590-c9e6-406a-a080-734c279910d7",
    "email": "dreyling@aaalife.com",
    "tenant_count": 2,
    "tenants": "{AAA_Life/,aaa-life/}"
  },
  {
    "id": "ce7c7165-004e-44ba-8e8b-3a770fcae4c1",
    "email": "antonio.pollidori.external@openfiber.it",
    "tenant_count": 2,
    "tenants": "{OpenFiber_AWS/,OpenFiber_Test/}"
  },
  {
    "id": "e46278f8-cb38-4faf-9e62-71a93f91580f",
    "email": "luigi.dauria.external@openfiber.it",
    "tenant_count": 2,
    "tenants": "{OpenFiber_AWS/,OpenFiber_Test/}"
  }
]