214 lines
5.5 KiB
JavaScript
214 lines
5.5 KiB
JavaScript
/**
|
|
* Tenant Model for Multi-Tenant Support
|
|
* Stores tenant-specific configuration including authentication providers
|
|
*/
|
|
|
|
const { DataTypes, Op } = require('sequelize');
|
|
|
|
module.exports = (sequelize) => {
|
|
const Tenant = sequelize.define('Tenant', {
|
|
id: {
|
|
type: DataTypes.UUID,
|
|
defaultValue: DataTypes.UUIDV4,
|
|
primaryKey: true
|
|
},
|
|
name: {
|
|
type: DataTypes.STRING,
|
|
allowNull: false,
|
|
comment: 'Human-readable tenant name'
|
|
},
|
|
slug: {
|
|
type: DataTypes.STRING,
|
|
allowNull: false,
|
|
unique: true,
|
|
validate: {
|
|
is: /^[a-z0-9-]+$/i // Alphanumeric and hyphens only
|
|
},
|
|
comment: 'URL-safe tenant identifier (subdomain/path)'
|
|
},
|
|
domain: {
|
|
type: DataTypes.STRING,
|
|
allowNull: true,
|
|
comment: 'Custom domain for this tenant'
|
|
},
|
|
subscription_type: {
|
|
type: DataTypes.ENUM('free', 'basic', 'premium', 'enterprise'),
|
|
defaultValue: 'basic',
|
|
comment: 'Subscription tier'
|
|
},
|
|
is_active: {
|
|
type: DataTypes.BOOLEAN,
|
|
defaultValue: true,
|
|
comment: 'Whether tenant is active'
|
|
},
|
|
|
|
// Authentication Configuration
|
|
auth_provider: {
|
|
type: DataTypes.ENUM('local', 'saml', 'oauth', 'ldap', 'custom_sso'),
|
|
defaultValue: 'local',
|
|
comment: 'Primary authentication provider'
|
|
},
|
|
auth_config: {
|
|
type: DataTypes.JSONB,
|
|
allowNull: true,
|
|
comment: 'Authentication provider configuration (encrypted)'
|
|
},
|
|
user_mapping: {
|
|
type: DataTypes.JSONB,
|
|
allowNull: true,
|
|
comment: 'User attribute mapping from external provider'
|
|
},
|
|
role_mapping: {
|
|
type: DataTypes.JSONB,
|
|
allowNull: true,
|
|
comment: 'Role mapping from external provider to internal roles'
|
|
},
|
|
|
|
// Tenant Customization
|
|
branding: {
|
|
type: DataTypes.JSONB,
|
|
allowNull: true,
|
|
comment: 'Tenant-specific branding (logo, colors, etc.)'
|
|
},
|
|
features: {
|
|
type: DataTypes.JSONB,
|
|
defaultValue: {
|
|
max_devices: 10,
|
|
max_users: 5,
|
|
api_rate_limit: 1000,
|
|
data_retention_days: 90,
|
|
features: ['basic_detection', 'alerts', 'dashboard']
|
|
},
|
|
comment: 'Tenant feature limits and enabled features'
|
|
},
|
|
|
|
// Contact Information
|
|
admin_email: {
|
|
type: DataTypes.STRING,
|
|
allowNull: true,
|
|
validate: {
|
|
isEmail: true
|
|
},
|
|
comment: 'Primary admin email for this tenant'
|
|
},
|
|
admin_phone: {
|
|
type: DataTypes.STRING,
|
|
allowNull: true,
|
|
comment: 'Primary admin phone for this tenant'
|
|
},
|
|
|
|
// Billing Information
|
|
billing_email: {
|
|
type: DataTypes.STRING,
|
|
allowNull: true,
|
|
validate: {
|
|
isEmail: true
|
|
}
|
|
},
|
|
payment_method_id: {
|
|
type: DataTypes.STRING,
|
|
allowNull: true,
|
|
comment: 'Stripe/payment provider customer ID'
|
|
},
|
|
|
|
// Metadata
|
|
metadata: {
|
|
type: DataTypes.JSONB,
|
|
allowNull: true,
|
|
comment: 'Additional tenant metadata'
|
|
},
|
|
|
|
created_at: {
|
|
type: DataTypes.DATE,
|
|
defaultValue: DataTypes.NOW
|
|
},
|
|
updated_at: {
|
|
type: DataTypes.DATE,
|
|
defaultValue: DataTypes.NOW
|
|
}
|
|
}, {
|
|
tableName: 'tenants',
|
|
timestamps: true,
|
|
createdAt: 'created_at',
|
|
updatedAt: 'updated_at',
|
|
indexes: [
|
|
{
|
|
fields: ['slug'],
|
|
unique: true
|
|
},
|
|
{
|
|
fields: ['domain'],
|
|
unique: true,
|
|
where: { domain: { [Op.ne]: null } }
|
|
},
|
|
{
|
|
fields: ['is_active']
|
|
},
|
|
{
|
|
fields: ['auth_provider']
|
|
}
|
|
],
|
|
hooks: {
|
|
beforeSave: (tenant) => {
|
|
// Encrypt sensitive auth configuration
|
|
if (tenant.auth_config && typeof tenant.auth_config === 'object') {
|
|
// In production, encrypt sensitive fields like client_secret, private_key, etc.
|
|
const sensitiveFields = ['client_secret', 'private_key', 'bind_password', 'admin_password'];
|
|
sensitiveFields.forEach(field => {
|
|
if (tenant.auth_config[field]) {
|
|
// Simple base64 encoding for demo - use proper encryption in production
|
|
tenant.auth_config[field] = Buffer.from(tenant.auth_config[field]).toString('base64');
|
|
}
|
|
});
|
|
}
|
|
},
|
|
afterFind: (tenants) => {
|
|
// Decrypt auth configuration after retrieval
|
|
const processOne = (tenant) => {
|
|
if (tenant.auth_config && typeof tenant.auth_config === 'object') {
|
|
const sensitiveFields = ['client_secret', 'private_key', 'bind_password', 'admin_password'];
|
|
sensitiveFields.forEach(field => {
|
|
if (tenant.auth_config[field]) {
|
|
try {
|
|
tenant.auth_config[field] = Buffer.from(tenant.auth_config[field], 'base64').toString();
|
|
} catch (e) {
|
|
// Field might not be encrypted, leave as-is
|
|
}
|
|
}
|
|
});
|
|
}
|
|
};
|
|
|
|
if (Array.isArray(tenants)) {
|
|
tenants.forEach(processOne);
|
|
} else if (tenants) {
|
|
processOne(tenants);
|
|
}
|
|
}
|
|
}
|
|
});
|
|
|
|
// Associations
|
|
Tenant.associate = (models) => {
|
|
// A tenant has many users
|
|
Tenant.hasMany(models.User, {
|
|
foreignKey: 'tenant_id',
|
|
as: 'users'
|
|
});
|
|
|
|
// A tenant has many devices
|
|
Tenant.hasMany(models.Device, {
|
|
foreignKey: 'tenant_id',
|
|
as: 'devices'
|
|
});
|
|
|
|
// A tenant has many alert rules
|
|
Tenant.hasMany(models.AlertRule, {
|
|
foreignKey: 'tenant_id',
|
|
as: 'alertRules'
|
|
});
|
|
};
|
|
|
|
return Tenant;
|
|
};
|