zitadel/internal/command/setup_step1.go

324 lines
9.7 KiB
Go
Raw Normal View History

package command
import (
"context"
"github.com/caos/zitadel/internal/eventstore"
"github.com/caos/zitadel/internal/eventstore/v1/models"
"github.com/caos/logging"
"github.com/caos/zitadel/internal/domain"
caos_errs "github.com/caos/zitadel/internal/errors"
iam_repo "github.com/caos/zitadel/internal/repository/iam"
)
const (
OIDCResponseTypeCode = "CODE"
OIDCResponseTypeIDToken = "ID_TOKEN"
OIDCResponseTypeToken = "ID_TOKEN TOKEN"
OIDCGrantTypeAuthorizationCode = "AUTHORIZATION_CODE"
OIDCGrantTypeImplicit = "IMPLICIT"
OIDCGrantTypeRefreshToken = "REFRESH_TOKEN"
OIDCApplicationTypeNative = "NATIVE"
OIDCApplicationTypeUserAgent = "USER_AGENT"
OIDCApplicationTypeWeb = "WEB"
AuthMethodTypeNone = "NONE"
AuthMethodTypeBasic = "BASIC"
AuthMethodTypePost = "POST"
AuthMethodTypePrivateKeyJWT = "PRIVATE_KEY_JWT"
)
type Step1 struct {
GlobalOrg string
IAMProject string
DefaultLoginPolicy LoginPolicy
Orgs []Org
}
func (s *Step1) Step() domain.Step {
return domain.Step1
}
func (s *Step1) execute(ctx context.Context, commandSide *Commands) error {
return commandSide.SetupStep1(ctx, s)
}
type LoginPolicy struct {
AllowRegister bool
AllowUsernamePassword bool
AllowExternalIdp bool
}
type User struct {
FirstName string
LastName string
UserName string
Email string
Password string
}
type Org struct {
Name string
Domain string
OrgIamPolicy bool
Owner User
Projects []Project
}
type Project struct {
Name string
Users []User
Members []string
OIDCApps []OIDCApp
APIs []API
}
type OIDCApp struct {
Name string
RedirectUris []string
ResponseTypes []string
GrantTypes []string
ApplicationType string
AuthMethodType string
PostLogoutRedirectUris []string
DevMode bool
}
type API struct {
Name string
AuthMethodType string
}
func (c *Commands) SetupStep1(ctx context.Context, step1 *Step1) error {
var events []eventstore.EventPusher
iamWriteModel := NewIAMWriteModel()
iamAgg := IAMAggregateFromWriteModel(&iamWriteModel.WriteModel)
//create default login policy
loginPolicyEvent, err := c.addDefaultLoginPolicy(ctx, iamAgg, NewIAMLoginPolicyWriteModel(),
&domain.LoginPolicy{
AllowUsernamePassword: step1.DefaultLoginPolicy.AllowUsernamePassword,
AllowRegister: step1.DefaultLoginPolicy.AllowRegister,
AllowExternalIDP: step1.DefaultLoginPolicy.AllowExternalIdp,
})
if err != nil {
return err
}
events = append(events, loginPolicyEvent)
logging.Log("SETUP-sd2hj").Info("default login policy set up")
//create orgs
for _, organisation := range step1.Orgs {
orgIAMPolicy := &domain.OrgIAMPolicy{UserLoginMustBeDomain: true}
if organisation.OrgIamPolicy {
orgIAMPolicy.UserLoginMustBeDomain = false
}
pwPolicy := &domain.PasswordComplexityPolicy{
MinLength: 1,
}
feat: protos refactoring * start with user * user first try done in all services * user, org, idp for discussion * remove unused stuff * bla * dockerbuild * rename search, get multiple to list... * add annotation * update proto dependencies * update proto dependencies * change proto imports * replace all old imports * fix go out * remove unused lines * correct protoc flags * grpc and openapi flags * go out source path relative * -p * remove dead code * sourcepath relative * ls * is onenapi the problem? * hobla * authoption output * wrong field name * gopf * correct option, add correct flags * small improvments * SIMPLYFY * relative path * gopf bin ich en tubel * correct path * default policies in admin * grpc generation in one file * remove non ascii * metadata on manipulations * correct auth_option import * fixes * larry * idp provider to idp * fix generate * admin and auth nearly done * admin and auth nearly done * gen * healthz * imports * deleted too much imports * fix org * add import * imports * import * naming * auth_opt * gopf * management * imports * _TYPE_UNSPECIFIED * improts * auth opts * management policies * imports * passwordlessType to MFAType * auth_opt * add user grant calls * add missing messages * result * fix option * improvements * ids * fix http * imports * fixes * fields * body * add fields * remove wrong member query * fix request response * fixes * add copy files * variable versions * generate all files * improvements * add dependencies * factors * user session * oidc information, iam * remove unused file * changes * enums * dockerfile * fix build * remove unused folder * update readme for build * move old server impl * add event type to change * some changes * start admin * remove wrong field * admin only list calls missing * fix proto numbers * surprisingly it compiles * service ts changes * admin mgmt * mgmt * auth manipulation and gets done, lists missing * validations and some field changes * validations * enum validations * remove todo * move proto files to proto/zitadel * change proto path in dockerfile * it compiles! * add validate import * remove duplicate import * fix protos * fix import * tests * cleanup * remove unimplemented methods * iam member multiple queries * all auth and admin calls * add initial password on crate human * message names * management user server * machine done * fix: todos (#1346) * fix: pub sub in new eventstore * fix: todos * fix: todos * fix: todos * fix: todos * fix: todos * fix tests * fix: search method domain * admin service, user import type typescript * admin changes * admin changes * fix: search method domain * more user grpc and begin org, fix configs * fix: return object details * org grpc * remove creation date add details * app * fix: return object details * fix: return object details * mgmt service, project members * app * fix: convert policies * project, members, granted projects, searches * fix: convert usergrants * fix: convert usergrants * auth user detail, user detail, mfa, second factor, auth * fix: convert usergrants * mfa, memberships, password, owned proj detail * fix: convert usergrants * project grant * missing details * changes, userview * idp table, keys * org list and user table filter * unify rest paths (#1381) * unify rest paths * post for all searches, mfa to multi_factor, secondfactor to second_factor * remove v1 * fix tests * rename api client key to app key * machine keys, age policy * user list, machine keys, changes * fix: org states * add default flag to policy * second factor to type * idp id * app type * unify ListQuery, ListDetails, ObjectDetails field names * user grants, apps, memberships * fix type params * metadata to detail, linke idps * api create, membership, app detail, create * idp, app, policy * queries, multi -> auth factors and missing fields * update converters * provider to user, remove old mgmt refs * temp remove authfactor dialog, build finish Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
2021-03-09 09:30:11 +00:00
orgAgg, _, humanWriteModel, _, setUpOrgEvents, err := c.setUpOrg(ctx,
&domain.Org{
Name: organisation.Name,
Domains: []*domain.OrgDomain{{Domain: organisation.Domain}},
},
&domain.Human{
Username: organisation.Owner.UserName,
Profile: &domain.Profile{
FirstName: organisation.Owner.FirstName,
LastName: organisation.Owner.LastName,
},
Password: &domain.Password{
SecretString: organisation.Owner.Password,
},
Email: &domain.Email{
EmailAddress: organisation.Owner.Email,
IsEmailVerified: true,
},
}, orgIAMPolicy, pwPolicy, nil)
if err != nil {
return err
}
events = append(events, setUpOrgEvents...)
logging.LogWithFields("SETUP-Gdsfg", "id", orgAgg.ID, "name", organisation.Name).Info("org set up")
if organisation.OrgIamPolicy {
orgIAMPolicyEvent, err := c.addOrgIAMPolicy(ctx, orgAgg, NewORGOrgIAMPolicyWriteModel(orgAgg.ID), orgIAMPolicy)
if err != nil {
return err
}
events = append(events, orgIAMPolicyEvent)
}
if organisation.Name == step1.GlobalOrg {
globalOrgEvent, err := c.setGlobalOrg(ctx, iamAgg, iamWriteModel, orgAgg.ID)
if err != nil {
return err
}
events = append(events, globalOrgEvent)
logging.Log("SETUP-BDn52").Info("global org set")
}
//projects
for _, proj := range organisation.Projects {
project := &domain.Project{Name: proj.Name}
projectEvents, projectWriteModel, err := c.addProject(ctx, project, orgAgg.ID, humanWriteModel.AggregateID)
if err != nil {
return err
}
events = append(events, projectEvents...)
if project.Name == step1.IAMProject {
iamProjectEvent, err := c.setIAMProject(ctx, iamAgg, iamWriteModel, projectWriteModel.AggregateID)
if err != nil {
return err
}
events = append(events, iamProjectEvent)
logging.Log("SETUP-Bdfs1").Info("IAM project set")
iamEvent, err := c.addIAMMember(ctx, iamAgg, NewIAMMemberWriteModel(humanWriteModel.AggregateID), domain.NewMember(iamAgg.ID, humanWriteModel.AggregateID, domain.RoleIAMOwner))
if err != nil {
return err
}
events = append(events, iamEvent)
logging.Log("SETUP-BSf2h").Info("IAM owner set")
}
//create applications
for _, app := range proj.OIDCApps {
applicationEvents, err := setUpOIDCApplication(ctx, c, projectWriteModel, project, app, orgAgg.ID)
if err != nil {
return err
}
events = append(events, applicationEvents...)
}
for _, app := range proj.APIs {
applicationEvents, err := setUpAPI(ctx, c, projectWriteModel, project, app, orgAgg.ID)
if err != nil {
return err
}
events = append(events, applicationEvents...)
}
}
}
events = append(events, iam_repo.NewSetupStepDoneEvent(ctx, iamAgg, domain.Step1))
_, err = c.eventstore.PushEvents(ctx, events...)
if err != nil {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-Gr2hh", "Setup Step1 failed")
}
return nil
}
func setUpOIDCApplication(ctx context.Context, r *Commands, projectWriteModel *ProjectWriteModel, project *domain.Project, oidcApp OIDCApp, resourceOwner string) ([]eventstore.EventPusher, error) {
app := &domain.OIDCApp{
ObjectRoot: models.ObjectRoot{
AggregateID: projectWriteModel.AggregateID,
},
AppName: oidcApp.Name,
RedirectUris: oidcApp.RedirectUris,
ResponseTypes: getOIDCResponseTypes(oidcApp.ResponseTypes),
GrantTypes: getOIDCGrantTypes(oidcApp.GrantTypes),
ApplicationType: getOIDCApplicationType(oidcApp.ApplicationType),
AuthMethodType: getOIDCAuthMethod(oidcApp.AuthMethodType),
DevMode: oidcApp.DevMode,
}
projectAgg := ProjectAggregateFromWriteModel(&projectWriteModel.WriteModel)
events, _, err := r.addOIDCApplication(ctx, projectAgg, project, app, resourceOwner)
if err != nil {
return nil, err
}
logging.LogWithFields("SETUP-Edgw4", "name", app.AppName, "clientID", app.ClientID).Info("application set up")
return events, nil
}
func setUpAPI(ctx context.Context, r *Commands, projectWriteModel *ProjectWriteModel, project *domain.Project, apiApp API, resourceOwner string) ([]eventstore.EventPusher, error) {
app := &domain.APIApp{
ObjectRoot: models.ObjectRoot{
AggregateID: projectWriteModel.AggregateID,
},
AppName: apiApp.Name,
AuthMethodType: getAPIAuthMethod(apiApp.AuthMethodType),
}
projectAgg := ProjectAggregateFromWriteModel(&projectWriteModel.WriteModel)
events, _, err := r.addAPIApplication(ctx, projectAgg, project, app, resourceOwner)
if err != nil {
return nil, err
}
logging.LogWithFields("SETUP-Dbgsf", "name", app.AppName, "clientID", app.ClientID).Info("application set up")
return events, nil
}
func getOIDCResponseTypes(responseTypes []string) []domain.OIDCResponseType {
types := make([]domain.OIDCResponseType, len(responseTypes))
for i, t := range responseTypes {
types[i] = getOIDCResponseType(t)
}
return types
}
func getOIDCResponseType(responseType string) domain.OIDCResponseType {
switch responseType {
case OIDCResponseTypeCode:
return domain.OIDCResponseTypeCode
case OIDCResponseTypeIDToken:
return domain.OIDCResponseTypeIDToken
case OIDCResponseTypeToken:
return domain.OIDCResponseTypeIDTokenToken
}
return domain.OIDCResponseTypeCode
}
func getOIDCGrantTypes(grantTypes []string) []domain.OIDCGrantType {
types := make([]domain.OIDCGrantType, len(grantTypes))
for i, t := range grantTypes {
types[i] = getOIDCGrantType(t)
}
return types
}
func getOIDCGrantType(grantTypes string) domain.OIDCGrantType {
switch grantTypes {
case OIDCGrantTypeAuthorizationCode:
return domain.OIDCGrantTypeAuthorizationCode
case OIDCGrantTypeImplicit:
return domain.OIDCGrantTypeImplicit
case OIDCGrantTypeRefreshToken:
return domain.OIDCGrantTypeRefreshToken
}
return domain.OIDCGrantTypeAuthorizationCode
}
func getOIDCApplicationType(appType string) domain.OIDCApplicationType {
switch appType {
case OIDCApplicationTypeNative:
return domain.OIDCApplicationTypeNative
case OIDCApplicationTypeUserAgent:
return domain.OIDCApplicationTypeUserAgent
case OIDCApplicationTypeWeb:
return domain.OIDCApplicationTypeWeb
}
return domain.OIDCApplicationTypeWeb
}
func getOIDCAuthMethod(authMethod string) domain.OIDCAuthMethodType {
switch authMethod {
case AuthMethodTypeNone:
return domain.OIDCAuthMethodTypeNone
case AuthMethodTypeBasic:
return domain.OIDCAuthMethodTypeBasic
case AuthMethodTypePost:
return domain.OIDCAuthMethodTypePost
case AuthMethodTypePrivateKeyJWT:
return domain.OIDCAuthMethodTypePrivateKeyJWT
}
return domain.OIDCAuthMethodTypeBasic
}
func getAPIAuthMethod(authMethod string) domain.APIAuthMethodType {
switch authMethod {
case AuthMethodTypeBasic:
return domain.APIAuthMethodTypeBasic
case AuthMethodTypePrivateKeyJWT:
return domain.APIAuthMethodTypePrivateKeyJWT
}
return domain.APIAuthMethodTypePrivateKeyJWT
}