From 78824b059eecc2eee56c6a879eeb5a7df09a1cdf Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan
Date: Mon, 25 Apr 2022 23:11:18 -0700
Subject: [PATCH] turn off sso flag if an update removes sso options ff-iii used to have LDAP but we removed it. in the database, 'sso' is still true. the migration here will reset it back to false. for future situations like these, we sync the sso flag on app update itself. this ensures correct behavior when yet another update add back sso support. in ff-iii case, a future update is bringing in proxyAuth based sso! we don't store the 'sso' bit in backupdb, so user choice of sso is lost if restore changes sso addons.
---
 ...20220426060528-make-apps-sso-consistent.js | 22 +++++++++++++++++++
 src/apps.js | 5 ++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 migrations/20220426060528-make-apps-sso-consistent.js
diff --git a/migrations/20220426060528-make-apps-sso-consistent.js b/migrations/20220426060528-make-apps-sso-consistent.js
new file mode 100644
index 000000000..eca598114
--- /dev/null
+++ b/migrations/20220426060528-make-apps-sso-consistent.js
@@ -0,0 +1,22 @@
+'use strict';
+
+const async = require('async');
+
+exports.up = function(db, callback) {
+ db.all('SELECT * FROM apps', function (error, apps) {
+ if (error) return callback(error);
+
+ async.eachSeries(apps, function (app, iteratorDone) {
+ const manifest = JSON.parse(app.manifestJson);
+ const hasSso = !!manifest.addons['proxyAuth'] || !!manifest.addons['ldap'];
+ if (hasSso || !app.sso) return iteratorDone();
+
+ console.log(`Unsetting sso flag of ${app.id}`);
+ db.runSql('UPDATE apps SET sso=? WHERE id=?', [ 0, app.id ], iteratorDone);
+ }, callback);
+ });
+};
+
+exports.down = function(db, callback) {
+ callback();
+};
diff --git a/src/apps.js b/src/apps.js
index ff7edb5d8..86b854ef3 100644
--- a/src/apps.js
+++ b/src/apps.js
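Review bot: In `exports.up`, `manifest.addons['proxyAuth']` throws a TypeError for any app row whose manifest has no `addons` key, and because that throw (like a `JSON.parse` failure on `manifestJson`) happens synchronously inside the `eachSeries` iterator, it would propagate as an exception rather than reach `callback(error)`. The same patch already guards this case in `src/apps.js`, so the migration should use the same form: `const hasSso = !!manifest.addons?.proxyAuth || !!manifest.addons?.ldap;`. Since the loop reads only three columns, `SELECT id, sso, manifestJson FROM apps` would make the schema dependency explicit. A short comment on the empty `exports.down`, stating that cleared flags are intentionally not restored, would help the next reader.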
@@ -1284,7 +1284,7 @@ async function install(data, auditSource) {
 let sso = 'sso' in data ? data.sso : null;
 if ('sso' in data && !('optionalSso' in manifest)) throw new BoxError(BoxError.BAD_FIELD, 'sso can only be specified for apps with optionalSso');
 // if sso was unspecified, enable it by default if possible
- if (sso === null) sso = !!manifest.addons['ldap'] || !!manifest.addons['proxyAuth'];
+ if (sso === null) sso = !!manifest.addons?.ldap || !!manifest.addons?.proxyAuth;
 error = validateEnv(env);
 if (error) throw error;
@@ -1850,6 +1850,9 @@ async function updateApp(app, data, auditSource) {
 values.mailboxDomain = app.domain;
 }
+ const hasSso = !!updateConfig.manifest.addons?.proxyAuth || !!updateConfig.manifest.addons?.ldap;
+ if (!hasSso && app.sso) values.sso = false; // turn off sso flag, if the update removes sso options
+
 const task = {
 args: { updateConfig },
 values
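Review bot: The SSO-capability test in the `install` hunk is now spelled three ways in this patch: here, as `hasSso` in the `updateApp` hunk, and with bracket access in the migration. The copies can drift when another SSO addon is introduced. A small shared helper in `src/apps.js`, for example `function hasSsoAddon(manifest) { return !!manifest.addons?.ldap || !!manifest.addons?.proxyAuth; }`, called from both `install` and `updateApp`, would keep the definition of "this app supports SSO" in one place. `install` starts and ends outside this hunk, so whether `data.sso` is type-checked before it is stored cannot be seen from here.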
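Review bot: In the `updateApp` hunk the new sync is one-directional: `values.sso` is cleared when the updated manifest has neither `ldap` nor `proxyAuth`, but nothing restores or re-validates it when a later update adds an SSO addon back. For an app without `optionalSso` that would leave `sso` false next to an SSO addon, a combination `install` never produces (it defaults the flag on and rejects an explicit `sso`), which presumably means the app keeps its own login instead of the platform's. If that is intended, a comment such as `// sso stays off if a later update re-adds ldap/proxyAuth; it must be re-enabled explicitly` should say so next to the assignment. Unlike the migration's `Unsetting sso flag of ...` message, this path changes an authentication setting without any record; it is worth noting in whatever log or audit event `updateApp` emits, which lies outside this hunk.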