From 0f300f248408cac22f2f6ae35bbd02bf97d3aa57 Mon Sep 17 00:00:00 2001
From: Jamil
Date: Tue, 22 Apr 2025 06:58:24 -0700
Subject: [PATCH] fix(portal): Prevent dupe sync adapters (#8887)

Prevents more than one sync-enabled adapter per account in order to prepare for eventually adding a unique constraint on `provider_identifier` for identities and groups per account.
Related: #6294
---------
Signed-off-by: Jamil
Co-authored-by: Brian Manifold
---
 .../domain/lib/domain/auth/provider/changeset.ex | 4 ++++
 ..._unique_index_auth_provider_account_adapter.exs | 14 ++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 elixir/apps/domain/priv/repo/migrations/20250422031005_create_unique_index_auth_provider_account_adapter.exs

diff --git a/elixir/apps/domain/lib/domain/auth/provider/changeset.ex b/elixir/apps/domain/lib/domain/auth/provider/changeset.ex
index f939ee54d..957379b7d 100644
--- a/elixir/apps/domain/lib/domain/auth/provider/changeset.ex
+++ b/elixir/apps/domain/lib/domain/auth/provider/changeset.ex
@@ -85,6 +85,10 @@ defmodule Domain.Auth.Provider.Changeset do
 name: :auth_providers_account_id_oidc_adapter_index,
 message: "this provider is already connected"
 )
+ |> unique_constraint(:base,
+ name: :unique_account_adapter_index,
+ message: "only one of this adapter type may be enabled per account"
+ )
 |> validate_provisioner()
 |> validate_required(@required_fields)
 end
diff --git a/elixir/apps/domain/priv/repo/migrations/20250422031005_create_unique_index_auth_provider_account_adapter.exs b/elixir/apps/domain/priv/repo/migrations/20250422031005_create_unique_index_auth_provider_account_adapter.exs
new file mode 100644
index 000000000..2670e44bd
--- /dev/null
+++ b/elixir/apps/domain/priv/repo/migrations/20250422031005_create_unique_index_auth_provider_account_adapter.exs
@@ -0,0 +1,14 @@
+defmodule Domain.Repo.Migrations.CreateUniqueIndexAuthProviderAccountAdapter do
+ use Ecto.Migration
+
+ def change do
+ create(
+ index(:auth_providers, [:account_id, :adapter],
+ unique: true,
+ name: :unique_account_adapter_index,
+ where:
+ "deleted_at IS NULL AND adapter IN ('mock', 'google_workspace', 'okta', 'jumpcloud', 'microsoft_entra')"
+ )
+ )
+ end
+end
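Review bot: Creating this unique index will fail at deploy time if any account already holds two non-deleted providers with the same adapter from the `IN (...)` list, and nothing in the migration checks for or resolves such rows first. A preflight query for duplicates on `(account_id, adapter)` with `deleted_at IS NULL`, run before `create(`, would surface that as an explicit, actionable failure instead of a raw index-build error. The adapter names are also frozen in the `where:` string, so a sync-capable adapter added later is not covered until a new migration rebuilds the index; a comment above `index(` such as `# Keep in sync with the directory-sync adapters; adding one requires a new migration that recreates this index` would record that. The predicate filters only on `deleted_at`, while the message added in `changeset.ex` says "enabled", so a provider that is disabled but not deleted presumably still blocks a second one; worth confirming that this is intended.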