2020-07-08 11:56:37 +00:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2022-06-24 12:38:22 +00:00
|
|
|
"crypto/tls"
|
2020-07-08 11:56:37 +00:00
|
|
|
"net/http"
|
2024-02-26 10:49:43 +00:00
|
|
|
"sort"
|
2022-02-14 16:22:30 +00:00
|
|
|
"strings"
|
2020-07-08 11:56:37 +00:00
|
|
|
|
2022-02-14 16:22:30 +00:00
|
|
|
"github.com/gorilla/mux"
|
|
|
|
|
"github.com/improbable-eng/grpc-web/go/grpcweb"
|
2022-04-26 23:01:45 +00:00
|
|
|
"github.com/zitadel/logging"
|
2020-07-08 11:56:37 +00:00
|
|
|
"google.golang.org/grpc"
|
2023-04-11 13:37:42 +00:00
|
|
|
"google.golang.org/grpc/health"
|
|
|
|
|
healthpb "google.golang.org/grpc/health/grpc_health_v1"
|
2023-04-14 13:34:12 +00:00
|
|
|
"google.golang.org/grpc/reflection"
|
2020-07-08 11:56:37 +00:00
|
|
|
|
2022-04-26 23:01:45 +00:00
|
|
|
internal_authz "github.com/zitadel/zitadel/internal/api/authz"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/api/grpc/server"
|
|
|
|
|
http_util "github.com/zitadel/zitadel/internal/api/http"
|
2023-05-05 08:25:02 +00:00
|
|
|
http_mw "github.com/zitadel/zitadel/internal/api/http/middleware"
|
2022-11-09 07:19:05 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/api/ui/login"
|
2022-04-26 23:01:45 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/query"
|
2022-07-18 08:42:32 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/telemetry/metrics"
|
2022-04-26 23:01:45 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
2023-12-08 14:30:55 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
2020-07-08 11:56:37 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type API struct {
|
2023-05-15 06:51:02 +00:00
|
|
|
port uint16
|
|
|
|
|
grpcServer *grpc.Server
|
2023-10-25 15:10:45 +00:00
|
|
|
verifier internal_authz.APITokenVerifier
|
2023-05-15 06:51:02 +00:00
|
|
|
health healthCheck
|
|
|
|
|
router *mux.Router
|
feat: trusted (instance) domains (#8369)
# Which Problems Are Solved
ZITADEL currently selects the instance context based on a HTTP header
(see https://github.com/zitadel/zitadel/issues/8279#issue-2399959845 and
checks it against the list of instance domains. Let's call it instance
or API domain.
For any context based URL (e.g. OAuth, OIDC, SAML endpoints, links in
emails, ...) the requested domain (instance domain) will be used. Let's
call it the public domain.
In cases of proxied setups, all exposed domains (public domains) require
the domain to be managed as instance domain.
This can either be done using the "ExternalDomain" in the runtime config
or via system API, which requires a validation through CustomerPortal on
zitadel.cloud.
# How the Problems Are Solved
- Two new headers / header list are added:
- `InstanceHostHeaders`: an ordered list (first sent wins), which will
be used to match the instance.
(For backward compatibility: the `HTTP1HostHeader`, `HTTP2HostHeader`
and `forwarded`, `x-forwarded-for`, `x-forwarded-host` are checked
afterwards as well)
- `PublicHostHeaders`: an ordered list (first sent wins), which will be
used as public host / domain. This will be checked against a list of
trusted domains on the instance.
- The middleware intercepts all requests to the API and passes a
`DomainCtx` object with the hosts and protocol into the context
(previously only a computed `origin` was passed)
- HTTP / GRPC server do not longer try to match the headers to instances
themself, but use the passed `http.DomainContext` in their interceptors.
- The `RequestedHost` and `RequestedDomain` from authz.Instance are
removed in favor of the `http.DomainContext`
- When authenticating to or signing out from Console UI, the current
`http.DomainContext(ctx).Origin` (already checked by instance
interceptor for validity) is used to compute and dynamically add a
`redirect_uri` and `post_logout_redirect_uri`.
- Gateway passes all configured host headers (previously only did
`x-zitadel-*`)
- Admin API allows to manage trusted domain
# Additional Changes
None
# Additional Context
- part of #8279
- open topics:
- "single-instance" mode
- Console UI
2024-07-31 15:00:38 +00:00
|
|
|
hostHeaders []string
|
2023-05-15 06:51:02 +00:00
|
|
|
grpcGateway *server.Gateway
|
|
|
|
|
healthServer *health.Server
|
|
|
|
|
accessInterceptor *http_mw.AccessInterceptor
|
|
|
|
|
queries *query.Queries
|
2020-08-18 08:04:56 +00:00
|
|
|
}
|
2020-12-02 07:50:59 +00:00
|
|
|
|
2024-02-26 10:49:43 +00:00
|
|
|
func (a *API) ListGrpcServices() []string {
|
|
|
|
|
serviceInfo := a.grpcServer.GetServiceInfo()
|
|
|
|
|
services := make([]string, len(serviceInfo))
|
|
|
|
|
i := 0
|
|
|
|
|
for servicename := range serviceInfo {
|
|
|
|
|
services[i] = servicename
|
|
|
|
|
i++
|
|
|
|
|
}
|
|
|
|
|
sort.Strings(services)
|
|
|
|
|
return services
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *API) ListGrpcMethods() []string {
|
|
|
|
|
serviceInfo := a.grpcServer.GetServiceInfo()
|
|
|
|
|
methods := make([]string, 0)
|
|
|
|
|
for servicename, service := range serviceInfo {
|
|
|
|
|
for _, method := range service.Methods {
|
|
|
|
|
methods = append(methods, "/"+servicename+"/"+method.Name)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
sort.Strings(methods)
|
|
|
|
|
return methods
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-11 13:37:42 +00:00
|
|
|
type healthCheck interface {
|
2020-08-18 08:04:56 +00:00
|
|
|
Health(ctx context.Context) error
|
2020-07-08 11:56:37 +00:00
|
|
|
}
|
|
|
|
|
|
2023-02-15 01:52:11 +00:00
|
|
|
func New(
|
2023-04-11 13:37:42 +00:00
|
|
|
ctx context.Context,
|
2023-02-15 01:52:11 +00:00
|
|
|
port uint16,
|
|
|
|
|
router *mux.Router,
|
|
|
|
|
queries *query.Queries,
|
2023-10-25 15:10:45 +00:00
|
|
|
verifier internal_authz.APITokenVerifier,
|
2023-02-15 01:52:11 +00:00
|
|
|
authZ internal_authz.Config,
|
2024-02-28 10:49:57 +00:00
|
|
|
tlsConfig *tls.Config,
|
feat: trusted (instance) domains (#8369)
# Which Problems Are Solved
ZITADEL currently selects the instance context based on a HTTP header
(see https://github.com/zitadel/zitadel/issues/8279#issue-2399959845 and
checks it against the list of instance domains. Let's call it instance
or API domain.
For any context based URL (e.g. OAuth, OIDC, SAML endpoints, links in
emails, ...) the requested domain (instance domain) will be used. Let's
call it the public domain.
In cases of proxied setups, all exposed domains (public domains) require
the domain to be managed as instance domain.
This can either be done using the "ExternalDomain" in the runtime config
or via system API, which requires a validation through CustomerPortal on
zitadel.cloud.
# How the Problems Are Solved
- Two new headers / header list are added:
- `InstanceHostHeaders`: an ordered list (first sent wins), which will
be used to match the instance.
(For backward compatibility: the `HTTP1HostHeader`, `HTTP2HostHeader`
and `forwarded`, `x-forwarded-for`, `x-forwarded-host` are checked
afterwards as well)
- `PublicHostHeaders`: an ordered list (first sent wins), which will be
used as public host / domain. This will be checked against a list of
trusted domains on the instance.
- The middleware intercepts all requests to the API and passes a
`DomainCtx` object with the hosts and protocol into the context
(previously only a computed `origin` was passed)
- HTTP / GRPC server do not longer try to match the headers to instances
themself, but use the passed `http.DomainContext` in their interceptors.
- The `RequestedHost` and `RequestedDomain` from authz.Instance are
removed in favor of the `http.DomainContext`
- When authenticating to or signing out from Console UI, the current
`http.DomainContext(ctx).Origin` (already checked by instance
interceptor for validity) is used to compute and dynamically add a
`redirect_uri` and `post_logout_redirect_uri`.
- Gateway passes all configured host headers (previously only did
`x-zitadel-*`)
- Admin API allows to manage trusted domain
# Additional Changes
None
# Additional Context
- part of #8279
- open topics:
- "single-instance" mode
- Console UI
2024-07-31 15:00:38 +00:00
|
|
|
externalDomain string,
|
|
|
|
|
hostHeaders []string,
|
2023-05-15 06:51:02 +00:00
|
|
|
accessInterceptor *http_mw.AccessInterceptor,
|
2023-04-11 13:37:42 +00:00
|
|
|
) (_ *API, err error) {
|
2020-07-08 11:56:37 +00:00
|
|
|
api := &API{
|
2023-05-15 06:51:02 +00:00
|
|
|
port: port,
|
|
|
|
|
verifier: verifier,
|
|
|
|
|
health: queries,
|
|
|
|
|
router: router,
|
|
|
|
|
queries: queries,
|
|
|
|
|
accessInterceptor: accessInterceptor,
|
feat: trusted (instance) domains (#8369)
# Which Problems Are Solved
ZITADEL currently selects the instance context based on a HTTP header
(see https://github.com/zitadel/zitadel/issues/8279#issue-2399959845 and
checks it against the list of instance domains. Let's call it instance
or API domain.
For any context based URL (e.g. OAuth, OIDC, SAML endpoints, links in
emails, ...) the requested domain (instance domain) will be used. Let's
call it the public domain.
In cases of proxied setups, all exposed domains (public domains) require
the domain to be managed as instance domain.
This can either be done using the "ExternalDomain" in the runtime config
or via system API, which requires a validation through CustomerPortal on
zitadel.cloud.
# How the Problems Are Solved
- Two new headers / header list are added:
- `InstanceHostHeaders`: an ordered list (first sent wins), which will
be used to match the instance.
(For backward compatibility: the `HTTP1HostHeader`, `HTTP2HostHeader`
and `forwarded`, `x-forwarded-for`, `x-forwarded-host` are checked
afterwards as well)
- `PublicHostHeaders`: an ordered list (first sent wins), which will be
used as public host / domain. This will be checked against a list of
trusted domains on the instance.
- The middleware intercepts all requests to the API and passes a
`DomainCtx` object with the hosts and protocol into the context
(previously only a computed `origin` was passed)
- HTTP / GRPC server do not longer try to match the headers to instances
themself, but use the passed `http.DomainContext` in their interceptors.
- The `RequestedHost` and `RequestedDomain` from authz.Instance are
removed in favor of the `http.DomainContext`
- When authenticating to or signing out from Console UI, the current
`http.DomainContext(ctx).Origin` (already checked by instance
interceptor for validity) is used to compute and dynamically add a
`redirect_uri` and `post_logout_redirect_uri`.
- Gateway passes all configured host headers (previously only did
`x-zitadel-*`)
- Admin API allows to manage trusted domain
# Additional Changes
None
# Additional Context
- part of #8279
- open topics:
- "single-instance" mode
- Console UI
2024-07-31 15:00:38 +00:00
|
|
|
hostHeaders: hostHeaders,
|
feat(queries): use org projection (#2342)
* job queue
* wg improvements
* start handler
* statement
* statements
* imporve handler
* improve statement
* statement in seperate file
* move handlers
* move query/old to query
* handler
* read models
* bulk works
* cleanup
* contrib
* rename readmodel to projection
* rename read_models schema to projections
* rename read_models schema to projections
* search query as func,
bulk iterates as long as new events
* add event sequence less query
* update checks for events between current sequence and sequence of first statement if it has previous sequence 0
* cleanup crdb projection
* refactor projection handler
* start with testing
* tests for handler
* remove todo
* refactor statement: remove table name,
add tests
* improve projection handler shutdown,
no savepoint if noop stmt,
tests for stmt handler
* tests
* start failed events
* seperate branch for contrib
* move statement constructors to crdb pkg
* correct import
* Subscribe for eventtypes (#1800)
* fix: is default (#1737)
* fix: use email as username on global org (#1738)
* fix: use email as username on global org
* Update user_human.go
* Update register_handler.go
* chore(deps): update docusaurus (#1739)
* chore: remove PAT and use GH Token (#1716)
* chore: remove PAT and use GH Token
* fix env
* fix env
* fix env
* md lint
* trigger ci
* change user
* fix GH bug
* replace login part
* chore: add GH Token to sem rel (#1746)
* chore: add GH Token to sem rel
* try branch
* add GH Token
* remove test branch again
* docs: changes acme to acme-caos (#1744)
* changes acme to acme-caos
* Apply suggestions from code review
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: Maximilian Panne <maximilian.panne@gmail.com>
Co-authored-by: Florian Forster <florian@caos.ch>
* feat: add additional origins on applications (#1691)
* feat: add additional origins on applications
* app additional redirects
* chore(deps-dev): bump @angular/cli from 11.2.8 to 11.2.11 in /console (#1706)
* fix: show org with regex (#1688)
* fix: flag mapping (#1699)
* chore(deps-dev): bump @angular/cli from 11.2.8 to 11.2.11 in /console
Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.2.8 to 11.2.11.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v11.2.8...v11.2.11)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps-dev): bump stylelint from 13.10.0 to 13.13.1 in /console (#1703)
* fix: show org with regex (#1688)
* fix: flag mapping (#1699)
* chore(deps-dev): bump stylelint from 13.10.0 to 13.13.1 in /console
Bumps [stylelint](https://github.com/stylelint/stylelint) from 13.10.0 to 13.13.1.
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/stylelint/stylelint/compare/13.10.0...13.13.1)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps-dev): bump @types/node from 14.14.37 to 15.0.1 in /console (#1702)
* fix: show org with regex (#1688)
* fix: flag mapping (#1699)
* chore(deps-dev): bump @types/node from 14.14.37 to 15.0.1 in /console
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 14.14.37 to 15.0.1.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump ts-protoc-gen from 0.14.0 to 0.15.0 in /console (#1701)
* fix: show org with regex (#1688)
* fix: flag mapping (#1699)
* chore(deps): bump ts-protoc-gen from 0.14.0 to 0.15.0 in /console
Bumps [ts-protoc-gen](https://github.com/improbable-eng/ts-protoc-gen) from 0.14.0 to 0.15.0.
- [Release notes](https://github.com/improbable-eng/ts-protoc-gen/releases)
- [Changelog](https://github.com/improbable-eng/ts-protoc-gen/blob/master/CHANGELOG.md)
- [Commits](https://github.com/improbable-eng/ts-protoc-gen/compare/0.14.0...0.15.0)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps-dev): bump @types/jasmine from 3.6.9 to 3.6.10 in /console (#1682)
Bumps [@types/jasmine](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jasmine) from 3.6.9 to 3.6.10.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jasmine)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump @types/google-protobuf in /console (#1681)
Bumps [@types/google-protobuf](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/google-protobuf) from 3.7.4 to 3.15.2.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/google-protobuf)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump grpc from 1.24.5 to 1.24.7 in /console (#1666)
Bumps [grpc](https://github.com/grpc/grpc-node) from 1.24.5 to 1.24.7.
- [Release notes](https://github.com/grpc/grpc-node/releases)
- [Commits](https://github.com/grpc/grpc-node/compare/grpc@1.24.5...grpc@1.24.7)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* lock
* chore(deps-dev): bump @angular/language-service from 11.2.9 to 11.2.12 in /console (#1704)
* fix: show org with regex (#1688)
* fix: flag mapping (#1699)
* chore(deps-dev): bump @angular/language-service in /console
Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.2.9 to 11.2.12.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/11.2.12/packages/language-service)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* package lock
* downgrade grpc
* downgrade protobuf types
* revert npm packs 🥸
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
* docs: update run and start section texts (#1745)
* update run and start section texts
* adds showcase
Co-authored-by: Maximilian Panne <maximilian.panne@gmail.com>
* fix: additional origin list (#1753)
* fix: handle api configs in authz handler (#1755)
* fix(console): add model for api keys, fix toast, binding (#1757)
* fix: add model for api keys, fix toast, binding
* show api clientid
* fix: missing patchvalue (#1758)
* feat: refresh token (#1728)
* begin refresh tokens
* refresh tokens
* list and revoke refresh tokens
* handle remove
* tests for refresh tokens
* uniqueness and default expiration
* rename oidc token methods
* cleanup
* migration version
* Update internal/static/i18n/en.yaml
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
* fixes
* feat: update oidc pkg for refresh tokens
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
* fix: correct json name of clientId in key.json (#1760)
* fix: migration version (#1767)
* start subscription
* eventtypes
* fix(login): links (#1778)
* fix(login): href for help
* fix(login): correct link to tos
* fix: access tokens for service users and refresh token infos (#1779)
* fix: access token for service user
* handle info from refresh request
* uniqueness
* postpone access token uniqueness change
* chore(coc): recommend code of conduct (#1782)
* subscribe for events
* feat(console): refresh toggle out of granttype context (#1785)
* refresh toggle
* disable if not code flow, lint
* lint
* fix: change oidc config order
* accept refresh option within flow
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
* fix: refresh token activation (#1795)
* fix: oidc grant type check
* docs: add offline_access scope
* docs: update refresh token status in supported grant types
* fix: update oidc pkg
* fix: check refresh token grant type (#1796)
* configuration structs
* org admins
* failed events
* fixes
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: mffap <mpa@caos.ch>
Co-authored-by: Maximilian Panne <maximilian.panne@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
* remove comment
* aggregate reducer
* remove eventtypes
* add protoc-get-validate to mod
* fix transaltion
* upsert
* add gender on org admins,
allow to retry failed stmts after configurable time
* remove if
* sub queries
* fix: tests
* add builder to tests
* new search query
* rename searchquerybuilder to builder
* remove comment from code
* test with multiple queries
* add filters test
* current sequences
* make org and org_admins work again
* add aggregate type to current sequence
* fix(contibute): listing
* add validate module
* fix: search queries
* feat(eventstore): previous aggregate root sequence (#1810)
* feat(eventstore): previous aggregate root sequence
* fix tests
* fix: eventstore v1 test
* add col to all mocked rows
* next try
* fix mig
* rename aggregate root to aggregate type
* update comment
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
* small refactorings
* allow update multiple current sequences
* unique log id
* fix migrations
* rename org admin to org owner
* improve error handling and logging
* fix(migration): optimize prev agg root seq
* fix: projection handler test
* fix: sub queries
* small fixes
* additional event types
* correct org owner projection
* fix primary key
* feat(eventstore): jobs for projections (#2026)
* fix: template names in login (#1974)
* fix: template names in login
* fix: error.html
* fix: check for features on mgmt only (#1976)
* fix: add sentry in ui, http and projection handlers (#1977)
* fix: add sentry in ui, http and projection handlers
* fix test
* fix(eventstore): sub queries (#1805)
* sub queries
* fix: tests
* add builder to tests
* new search query
* rename searchquerybuilder to builder
* remove comment from code
* test with multiple queries
* add filters test
* fix(contibute): listing
* add validate module
* fix: search queries
* remove unused event type in query
* ignore query if error in marshal
* go mod tidy
* update privacy policy query
* update queries
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
* feat: Extend oidc idp with oauth endpoints (#1980)
* feat: add oauth attributes to oidc idp configuration
* feat: return idpconfig id on create idp
* feat: tests
* feat: descriptions
* feat: docs
* feat: tests
* docs: update to beta 3 (#1984)
* fix: role assertion (#1986)
* fix: enum to display access token role assertion
* improve assertion descriptions
* fix nil pointer
* docs: eventstore (#1982)
* docs: eventstore
* Apply suggestions from code review
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: Florian Forster <florian@caos.ch>
* fix(sentry): trigger sentry release (#1989)
* feat(send sentry release): send sentry release
* fix(moved step and added releasetag): moved step and added releasetag
* fix: set version for sentry release (#1990)
* feat(send sentry release): send sentry release
* fix(moved step and added releasetag): moved step and added releasetag
* fix(corrected var name): corrected var name
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
* fix: log error reason on terminate session (#1973)
* fix: return default language file, if requested lang does not exist for default login texts (#1988)
* fix: return default language file, if requested lang doesnt exists
* feat: read default translation file
* feat: docs
* fix: race condition in auth request unmarshalling (#1993)
* feat: handle ui_locales in login (#1994)
* fix: handle ui_locales in login
* move supportedlanguage func into i18n package
* update oidc pkg
* fix: handle closed channels on unsubscribe (#1995)
* fix: give restore more time (#1997)
* fix: translation file read (#2009)
* feat: translation file read
* feat: readme
* fix: enable idp add button for iam users (#2010)
* fix: filter event_data (#2011)
* feat: Custom message files (#1992)
* feat: add get custom message text to admin api
* feat: read custom message texts from files
* feat: get languages in apis
* feat: get languages in apis
* feat: get languages in apis
* feat: pr feedback
* feat: docs
* feat: merge main
* fix: sms notification (#2013)
* fix: phone verifications
* feat: fix password reset as sms
* fix: phone verification
* fix: grpc status in sentry and validation interceptors (#2012)
* fix: remove oauth endpoints from oidc config proto (#2014)
* try with view
* fix(console): disable sw (#2021)
* fix: disable sw
* angular.json disable sw
* project projections
* fix typos
* customize projections
* customizable projections,
add change date to projects
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: mffap <mpa@caos.ch>
Co-authored-by: Christian Jakob <47860090+thesephirot@users.noreply.github.com>
Co-authored-by: Elio Bischof <eliobischof@gmail.com>
* env file
* typo
* correct users
* correct migration
* fix: merge fail
* fix test
* fix(tests): unordered matcher
* improve currentSequenceMatcher
* correct certs
* correct certs
* add zitadel database on database list
* refctor switch in match
* enable all handlers
* Delete io.env
* cleanup
* add handlers
* rename view to projection
* rename view to projection
* fix type typo
* remove unnecessary logs
* refactor stmts
* simplify interval calculation
* fix tests
* fix unlock test
* fix migration
* migs
* fix(operator): update cockroach and flyway versions (#2138)
* chore(deps): bump k8s.io/apiextensions-apiserver from 0.19.2 to 0.21.3
Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.19.2 to 0.21.3.
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.19.2...v0.21.3)
---
updated-dependencies:
- dependency-name: k8s.io/apiextensions-apiserver
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump google.golang.org/api from 0.34.0 to 0.52.0
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.34.0 to 0.52.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/master/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.34.0...v0.52.0)
---
updated-dependencies:
- dependency-name: google.golang.org/api
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* start update dependencies
* update mods and otlp
* fix(build): update to go 1.16
* old version for k8s mods
* update k8s versions
* update orbos
* fix(operator): update cockroach and flyway version
* Update images.go
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stefan Benz <stefan@caos.ch>
* fix import
* fix typo
* fix(migration): add org projection
* fix(projection): correct table for org events in org owners
* better insert stmt
* fix typo
* fix typo
* set max connection lifetime
* set max conns and conn lifetime in eventstore v1
* configure sql connection settings
* add mig for agg type index
* fix replace tab in yaml
* handler interfaces
* subscription
* first try
* handler
* move sql client initialization
* first part implemented
* removed all occurencies of org by id and search orgs
* fix merge issues
* cleanup code
* fix: queries implements orgviewprovider
* cleanup
* refactor text comparison
* remove unused file
* remove unused code
* log
* remove unused code
* remove unused field
* remove unused file
* refactor
* tests for search query
* remove try
* simplify state change mappers
* projection tests
* query functions
* move reusable objects to separate files
* rename domain column to primar_domain
* fix tests
* add current sequence
* remove log prints
* fix tests
* fix: verifier
* fix test
* rename domain col migrations
* simplify search response
* add custom column constructors
* fix: org projection table const
* fix: full column name
* feat: text query extension
* fix: tests for query
* number query
* add deprection message
* column in a single place (#2416)
* column in a single place
* use projection for columns
* query column with aliases
* rename methods
* remove unused code
* column for current sequences
* global counter column
* fix is org unique
* fix: merge main and change actions / flow projections to new query side (#2434)
* feat: actions (#2377)
* feat(actions): begin api
* feat(actions): begin api
* api and projections
* fix: handle multiple statements for a single event in projections
* export func type
* fix test
* update to new reduce interface
* flows in login
* feat: jwt idp
* feat: command side
* feat: add tests
* actions and flows
* fill idp views with jwt idps and return apis
* add jwtEndpoint to jwt idp
* begin jwt request handling
* add feature
* merge
* merge
* handle jwt idp
* cleanup
* bug fixes
* autoregister
* get token from specific header name
* fix: proto
* fixes
* i18n
* begin tests
* fix and log http proxy
* remove docker cache
* fixes
* usergrants in actions api
* tests adn cleanup
* cleanup
* fix add user grant
* set login context
* i18n
Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>
* change actions / flow projections to new query side
* fixes
* enable org projection
Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>
* fixes
* cleanup
* add tests
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: mffap <mpa@caos.ch>
Co-authored-by: Maximilian Panne <maximilian.panne@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Christian Jakob <47860090+thesephirot@users.noreply.github.com>
Co-authored-by: Elio Bischof <eliobischof@gmail.com>
Co-authored-by: Stefan Benz <stefan@caos.ch>
Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>
2021-09-29 11:20:57 +00:00
|
|
|
}
|
2023-02-15 01:52:11 +00:00
|
|
|
|
feat: trusted (instance) domains (#8369)
# Which Problems Are Solved
ZITADEL currently selects the instance context based on a HTTP header
(see https://github.com/zitadel/zitadel/issues/8279#issue-2399959845 and
checks it against the list of instance domains. Let's call it instance
or API domain.
For any context based URL (e.g. OAuth, OIDC, SAML endpoints, links in
emails, ...) the requested domain (instance domain) will be used. Let's
call it the public domain.
In cases of proxied setups, all exposed domains (public domains) require
the domain to be managed as instance domain.
This can either be done using the "ExternalDomain" in the runtime config
or via system API, which requires a validation through CustomerPortal on
zitadel.cloud.
# How the Problems Are Solved
- Two new headers / header list are added:
- `InstanceHostHeaders`: an ordered list (first sent wins), which will
be used to match the instance.
(For backward compatibility: the `HTTP1HostHeader`, `HTTP2HostHeader`
and `forwarded`, `x-forwarded-for`, `x-forwarded-host` are checked
afterwards as well)
- `PublicHostHeaders`: an ordered list (first sent wins), which will be
used as public host / domain. This will be checked against a list of
trusted domains on the instance.
- The middleware intercepts all requests to the API and passes a
`DomainCtx` object with the hosts and protocol into the context
(previously only a computed `origin` was passed)
- HTTP / GRPC server do not longer try to match the headers to instances
themself, but use the passed `http.DomainContext` in their interceptors.
- The `RequestedHost` and `RequestedDomain` from authz.Instance are
removed in favor of the `http.DomainContext`
- When authenticating to or signing out from Console UI, the current
`http.DomainContext(ctx).Origin` (already checked by instance
interceptor for validity) is used to compute and dynamically add a
`redirect_uri` and `post_logout_redirect_uri`.
- Gateway passes all configured host headers (previously only did
`x-zitadel-*`)
- Admin API allows to manage trusted domain
# Additional Changes
None
# Additional Context
- part of #8279
- open topics:
- "single-instance" mode
- Console UI
2024-07-31 15:00:38 +00:00
|
|
|
api.grpcServer = server.CreateServer(api.verifier, authZ, queries, externalDomain, tlsConfig, accessInterceptor.AccessService())
|
|
|
|
|
api.grpcGateway, err = server.CreateGateway(ctx, port, hostHeaders, accessInterceptor, tlsConfig)
|
2023-04-11 13:37:42 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
api.registerHealthServer()
|
2022-02-14 16:22:30 +00:00
|
|
|
|
2023-04-11 13:37:42 +00:00
|
|
|
api.RegisterHandlerOnPrefix("/debug", api.healthHandler())
|
2022-11-09 07:19:05 +00:00
|
|
|
api.router.Handle("/", http.RedirectHandler(login.HandlerPrefix, http.StatusFound))
|
2020-07-08 11:56:37 +00:00
|
|
|
|
2023-04-14 13:34:12 +00:00
|
|
|
reflection.Register(api.grpcServer)
|
2023-04-11 13:37:42 +00:00
|
|
|
return api, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// RegisterServer registers a grpc service on the grpc server,
|
|
|
|
|
// creates a new grpc gateway and registers it as a separate http handler
|
|
|
|
|
//
|
|
|
|
|
// used for v1 api (system, admin, mgmt, auth)
|
2023-11-09 10:30:15 +00:00
|
|
|
func (a *API) RegisterServer(ctx context.Context, grpcServer server.WithGatewayPrefix, tlsConfig *tls.Config) error {
|
2023-04-11 13:37:42 +00:00
|
|
|
grpcServer.RegisterServer(a.grpcServer)
|
2023-05-11 07:24:44 +00:00
|
|
|
handler, prefix, err := server.CreateGatewayWithPrefix(
|
|
|
|
|
ctx,
|
|
|
|
|
grpcServer,
|
|
|
|
|
a.port,
|
feat: trusted (instance) domains (#8369)
# Which Problems Are Solved
ZITADEL currently selects the instance context based on a HTTP header
(see https://github.com/zitadel/zitadel/issues/8279#issue-2399959845 and
checks it against the list of instance domains. Let's call it instance
or API domain.
For any context based URL (e.g. OAuth, OIDC, SAML endpoints, links in
emails, ...) the requested domain (instance domain) will be used. Let's
call it the public domain.
In cases of proxied setups, all exposed domains (public domains) require
the domain to be managed as instance domain.
This can either be done using the "ExternalDomain" in the runtime config
or via system API, which requires a validation through CustomerPortal on
zitadel.cloud.
# How the Problems Are Solved
- Two new headers / header list are added:
- `InstanceHostHeaders`: an ordered list (first sent wins), which will
be used to match the instance.
(For backward compatibility: the `HTTP1HostHeader`, `HTTP2HostHeader`
and `forwarded`, `x-forwarded-for`, `x-forwarded-host` are checked
afterwards as well)
- `PublicHostHeaders`: an ordered list (first sent wins), which will be
used as public host / domain. This will be checked against a list of
trusted domains on the instance.
- The middleware intercepts all requests to the API and passes a
`DomainCtx` object with the hosts and protocol into the context
(previously only a computed `origin` was passed)
- HTTP / GRPC server do not longer try to match the headers to instances
themself, but use the passed `http.DomainContext` in their interceptors.
- The `RequestedHost` and `RequestedDomain` from authz.Instance are
removed in favor of the `http.DomainContext`
- When authenticating to or signing out from Console UI, the current
`http.DomainContext(ctx).Origin` (already checked by instance
interceptor for validity) is used to compute and dynamically add a
`redirect_uri` and `post_logout_redirect_uri`.
- Gateway passes all configured host headers (previously only did
`x-zitadel-*`)
- Admin API allows to manage trusted domain
# Additional Changes
None
# Additional Context
- part of #8279
- open topics:
- "single-instance" mode
- Console UI
2024-07-31 15:00:38 +00:00
|
|
|
a.hostHeaders,
|
2023-05-15 06:51:02 +00:00
|
|
|
a.accessInterceptor,
|
2023-11-09 10:30:15 +00:00
|
|
|
tlsConfig,
|
2023-05-11 07:24:44 +00:00
|
|
|
)
|
2023-04-11 13:37:42 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
a.RegisterHandlerOnPrefix(prefix, handler)
|
|
|
|
|
a.verifier.RegisterServer(grpcServer.AppName(), grpcServer.MethodPrefix(), grpcServer.AuthMethods())
|
|
|
|
|
a.healthServer.SetServingStatus(grpcServer.MethodPrefix(), healthpb.HealthCheckResponse_SERVING)
|
|
|
|
|
return nil
|
2020-07-08 11:56:37 +00:00
|
|
|
}
|
|
|
|
|
|
2023-04-11 13:37:42 +00:00
|
|
|
// RegisterService registers a grpc service on the grpc server,
|
|
|
|
|
// and its gateway on the gateway handler
|
|
|
|
|
//
|
|
|
|
|
// used for >= v2 api (e.g. user, session, ...)
|
|
|
|
|
func (a *API) RegisterService(ctx context.Context, grpcServer server.Server) error {
|
2022-02-14 16:22:30 +00:00
|
|
|
grpcServer.RegisterServer(a.grpcServer)
|
2023-04-11 13:37:42 +00:00
|
|
|
err := server.RegisterGateway(ctx, a.grpcGateway, grpcServer)
|
2022-02-14 16:22:30 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2022-05-30 11:38:30 +00:00
|
|
|
a.verifier.RegisterServer(grpcServer.AppName(), grpcServer.MethodPrefix(), grpcServer.AuthMethods())
|
2023-04-11 13:37:42 +00:00
|
|
|
a.healthServer.SetServingStatus(grpcServer.MethodPrefix(), healthpb.HealthCheckResponse_SERVING)
|
2022-02-14 16:22:30 +00:00
|
|
|
return nil
|
2020-07-08 11:56:37 +00:00
|
|
|
}
|
|
|
|
|
|
2023-04-19 08:46:02 +00:00
|
|
|
// HandleFunc allows registering a [http.HandlerFunc] on an exact
|
|
|
|
|
// path, instead of prefix like RegisterHandlerOnPrefix.
|
|
|
|
|
func (a *API) HandleFunc(path string, f http.HandlerFunc) {
|
|
|
|
|
a.router.HandleFunc(path, f)
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-11 13:37:42 +00:00
|
|
|
// RegisterHandlerOnPrefix registers a http handler on a path prefix
|
|
|
|
|
// the prefix will not be passed to the actual handler
|
|
|
|
|
func (a *API) RegisterHandlerOnPrefix(prefix string, handler http.Handler) {
|
2022-02-14 16:22:30 +00:00
|
|
|
prefix = strings.TrimSuffix(prefix, "/")
|
2022-04-26 10:13:16 +00:00
|
|
|
subRouter := a.router.PathPrefix(prefix).Name(prefix).Subrouter()
|
|
|
|
|
subRouter.PathPrefix("").Handler(http.StripPrefix(prefix, handler))
|
2022-02-14 16:22:30 +00:00
|
|
|
}
|
|
|
|
|
|
2023-04-11 13:37:42 +00:00
|
|
|
// RegisterHandlerPrefixes registers a http handler on a multiple path prefixes
|
|
|
|
|
// the prefix will remain when calling the actual handler
|
|
|
|
|
func (a *API) RegisterHandlerPrefixes(handler http.Handler, prefixes ...string) {
|
|
|
|
|
for _, prefix := range prefixes {
|
|
|
|
|
prefix = strings.TrimSuffix(prefix, "/")
|
|
|
|
|
subRouter := a.router.PathPrefix(prefix).Name(prefix).Subrouter()
|
|
|
|
|
subRouter.PathPrefix("").Handler(handler)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *API) registerHealthServer() {
|
|
|
|
|
healthServer := health.NewServer()
|
|
|
|
|
healthpb.RegisterHealthServer(a.grpcServer, healthServer)
|
|
|
|
|
a.healthServer = healthServer
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *API) RouteGRPC() {
|
2022-04-27 11:10:44 +00:00
|
|
|
http2Route := a.router.
|
2022-02-14 16:22:30 +00:00
|
|
|
MatcherFunc(func(r *http.Request, _ *mux.RouteMatch) bool {
|
|
|
|
|
return r.ProtoMajor == 2
|
|
|
|
|
}).
|
2023-04-11 13:37:42 +00:00
|
|
|
Subrouter().
|
|
|
|
|
Name("grpc")
|
2022-04-27 11:10:44 +00:00
|
|
|
http2Route.
|
|
|
|
|
Methods(http.MethodPost).
|
2024-07-12 09:54:02 +00:00
|
|
|
HeadersRegexp(http_util.ContentType, `^application\/grpc(\+proto|\+json)?$`).
|
2022-04-27 11:10:44 +00:00
|
|
|
Handler(a.grpcServer)
|
2022-02-14 16:22:30 +00:00
|
|
|
|
2023-03-08 18:33:43 +00:00
|
|
|
a.routeGRPCWeb()
|
2023-04-11 13:37:42 +00:00
|
|
|
a.router.NewRoute().
|
|
|
|
|
Handler(a.grpcGateway.Handler()).
|
|
|
|
|
Name("grpc-gateway")
|
2020-07-08 11:56:37 +00:00
|
|
|
}
|
|
|
|
|
|
2023-03-08 18:33:43 +00:00
|
|
|
func (a *API) routeGRPCWeb() {
|
|
|
|
|
grpcWebServer := grpcweb.WrapServer(a.grpcServer,
|
|
|
|
|
grpcweb.WithAllowedRequestHeaders(
|
|
|
|
|
[]string{
|
|
|
|
|
http_util.Origin,
|
|
|
|
|
http_util.ContentType,
|
|
|
|
|
http_util.Accept,
|
|
|
|
|
http_util.AcceptLanguage,
|
|
|
|
|
http_util.Authorization,
|
|
|
|
|
http_util.ZitadelOrgID,
|
|
|
|
|
http_util.XUserAgent,
|
|
|
|
|
http_util.XGrpcWeb,
|
|
|
|
|
},
|
|
|
|
|
),
|
|
|
|
|
grpcweb.WithOriginFunc(func(_ string) bool {
|
|
|
|
|
return true
|
|
|
|
|
}),
|
|
|
|
|
)
|
2023-05-05 08:25:02 +00:00
|
|
|
a.router.Use(http_mw.RobotsTagHandler)
|
2023-03-08 18:33:43 +00:00
|
|
|
a.router.NewRoute().
|
2022-04-27 11:10:44 +00:00
|
|
|
Methods(http.MethodPost, http.MethodOptions).
|
|
|
|
|
MatcherFunc(
|
|
|
|
|
func(r *http.Request, _ *mux.RouteMatch) bool {
|
2023-03-08 18:33:43 +00:00
|
|
|
return grpcWebServer.IsGrpcWebRequest(r) || grpcWebServer.IsAcceptableGrpcCorsRequest(r)
|
2022-04-27 11:10:44 +00:00
|
|
|
}).
|
2023-04-11 13:37:42 +00:00
|
|
|
Handler(grpcWebServer).
|
|
|
|
|
Name("grpc-web")
|
2020-07-08 11:56:37 +00:00
|
|
|
}
|
2020-08-18 08:04:56 +00:00
|
|
|
|
|
|
|
|
func (a *API) healthHandler() http.Handler {
|
|
|
|
|
checks := []ValidationFunction{
|
|
|
|
|
func(ctx context.Context) error {
|
|
|
|
|
if err := a.health.Health(ctx); err != nil {
|
2023-12-08 14:30:55 +00:00
|
|
|
return zerrors.ThrowInternal(err, "API-F24h2", "DB CONNECTION ERROR")
|
2020-08-18 08:04:56 +00:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
handler := http.NewServeMux()
|
|
|
|
|
handler.HandleFunc("/healthz", handleHealth)
|
|
|
|
|
handler.HandleFunc("/ready", handleReadiness(checks))
|
2020-11-20 09:09:17 +00:00
|
|
|
handler.HandleFunc("/validate", handleValidate(checks))
|
2022-07-18 08:42:32 +00:00
|
|
|
handler.Handle("/metrics", metricsExporter())
|
2020-08-18 08:04:56 +00:00
|
|
|
|
|
|
|
|
return handler
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func handleHealth(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
_, err := w.Write([]byte("ok"))
|
2022-02-14 16:22:30 +00:00
|
|
|
logging.WithFields("traceID", tracing.TraceIDFromCtx(r.Context())).OnError(err).Error("error writing ok for health")
|
2020-08-18 08:04:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func handleReadiness(checks []ValidationFunction) func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
2022-02-14 16:22:30 +00:00
|
|
|
errs := validate(r.Context(), checks)
|
|
|
|
|
if len(errs) == 0 {
|
feat: policies on aggregates (#799)
* feat: move pw policy
* feat: default pw complexity policy
* fix: org password complexity policy
* fix: org password complexity policy
* fix: pw complexity policy with setup
* fix: age and lockout policies on aggregates
* fix: migration
* fix: org iam policy
* fix: org iam policy
* fix: org iam policy
* fix: tests
* fix: policy request
* fix: merge master
* fix(console): policies frontend (#817)
* fix policy build
* fix: age, complexity, lockout policies
* fix: ready return err of setup not done
* fix: fix remove policies in spoolers
* fix: fix remove policies in spoolers
* feat(console): policy settings for iam and org (#824)
* fix policy build
* fix: age, complexity, lockout policies
* fix pwd complexity
* policy remove action
* add imports
* fix accounts card, enable mgmt login policy
* lint
* add iam policy to admin
* toasts, i18n, show default
* routing, i18n
* reset policy, toast i18n, cleanup, routing
* policy delete permission
* lint style
* delete iam policy
* delete non project from grid list, i18n
* lint ts, style
* fix: remove instead delete
* feat(console): delete external idp from user (#835)
* dialog i18n, delete column and function
* dialog i18n
* fix rm button
* Update console/src/assets/i18n/de.json
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
* Update console/src/assets/i18n/de.json
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
* fix: revert env, rename policy, remove comments
* fix: lowercase sich
* fix: pr requests
* Update internal/iam/repository/eventsourcing/eventstore_test.go
Co-authored-by: Silvan <silvan.reusser@gmail.com>
* fix: tests
* fix: tests
* fix(console): policies (#839)
* fix: nil pointer on get userdata (#815)
* fix: external login (#818)
* fix: external login
* fix: external login
* feat(console): delete user (#819)
* add action col to user table, i18n
* delete user from detail component
* lint
* fix(console): cleanup user detail and member components, user/me redirect, permission guards, filter, org policy guard, user table, scss cleanup (#808)
* fix: remove user.write guard for filtering
* border color
* fix user routing from member tables
* idp detail layout
* generic contact component
* fix redirect to auth user, user grant disable
* disable policy action without permission, i18n
* user-create flex fix, contact ng-content
* rm unused styles
* sidenav divider
* lint
* chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console (#806)
* fix: user session with external login (#797)
* fix: user session with external login
* fix: tests
* fix: tests
* fix: change idp config name
* fix(container): stop copying / and instead only copy zitadel (#691)
* chore: stop copying / and instead only copy zitadel
* Update Dockerfile
* Update release.yml
* enable anchors debug
* fix(container): don't copy alpine content into scratch execpt pwd
* chore: remove need step
* merge master
* chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console
Bumps [@angular/cli](https://github.com/angular/angular-cli) from 10.1.3 to 10.1.4.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v10.1.3...v10.1.4)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps-dev): bump @angular/language-service from 10.1.3 to 10.1.4 in /console (#805)
* fix: user session with external login (#797)
* fix: user session with external login
* fix: tests
* fix: tests
* fix: change idp config name
* fix(container): stop copying / and instead only copy zitadel (#691)
* chore: stop copying / and instead only copy zitadel
* Update Dockerfile
* Update release.yml
* enable anchors debug
* fix(container): don't copy alpine content into scratch execpt pwd
* chore: remove need step
* merge master
* chore(deps-dev): bump @angular/language-service in /console
Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 10.1.3 to 10.1.4.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/10.1.4/packages/language-service)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console (#804)
* fix: user session with external login (#797)
* fix: user session with external login
* fix: tests
* fix: tests
* fix: change idp config name
* fix(container): stop copying / and instead only copy zitadel (#691)
* chore: stop copying / and instead only copy zitadel
* Update Dockerfile
* Update release.yml
* enable anchors debug
* fix(container): don't copy alpine content into scratch execpt pwd
* chore: remove need step
* merge master
* chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console
Bumps [codelyzer](https://github.com/mgechev/codelyzer) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/mgechev/codelyzer/releases)
- [Changelog](https://github.com/mgechev/codelyzer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mgechev/codelyzer/commits/6.0.1)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps-dev): bump @angular-devkit/build-angular from 0.1000.8 to 0.1001.4 in /console (#803)
* fix: user session with external login (#797)
* fix: user session with external login
* fix: tests
* fix: tests
* fix: change idp config name
* fix(container): stop copying / and instead only copy zitadel (#691)
* chore: stop copying / and instead only copy zitadel
* Update Dockerfile
* Update release.yml
* enable anchors debug
* fix(container): don't copy alpine content into scratch execpt pwd
* chore: remove need step
* merge master
* chore(deps-dev): bump @angular-devkit/build-angular in /console
Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1000.8 to 0.1001.4.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/commits)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>
* chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console (#802)
* fix: user session with external login (#797)
* fix: user session with external login
* fix: tests
* fix: tests
* fix: change idp config name
* fix(container): stop copying / and instead only copy zitadel (#691)
* chore: stop copying / and instead only copy zitadel
* Update Dockerfile
* Update release.yml
* enable anchors debug
* fix(container): don't copy alpine content into scratch execpt pwd
* chore: remove need step
* merge master
* chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console
Bumps [uuid](https://github.com/uuidjs/uuid) from 8.3.0 to 8.3.1.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uuidjs/uuid/compare/v8.3.0...v8.3.1)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* create memberstable as common component
* iam member cleanup
* iam + org m table, user table service user avatar
* toast config
* fix selection emitter
* fix project grant table width
* project grant members refactor
* theme optimizations
* member table col delete
* lint
* fix table row color
* refactor grey color
* lint scss
* org list redirect on click, fix user table undef
* refresh table after grant add
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
* fix(console): intercept navigator.language, set browser lang as default for user without explicit setting, user table outline, member create dialog import (#820)
* i18n interceptor, set language to browser lang
* nullcheck
* rm external idp log
* fix module imports, rm user displayname from i18n
* Update console/src/assets/i18n/de.json
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
* fix: delete external idps from users (#822)
* fix(console): permission regex, account switcher null check, restrict app and member create access (#821)
* fix member table disable, gerneal regexp
* fix user session card, app disable
* memberships max count
* fix policy permissions
* permission check for member add dialog
* lint
* rm accounts log
* rm id regex
* fix: handle usermemberships on project and project grant delete (#825)
* fix: go handler
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
* fix: tests
* fix: not needed error handling
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
2020-10-15 08:27:13 +00:00
|
|
|
http_util.MarshalJSON(w, "ok", nil, http.StatusOK)
|
2020-08-18 08:04:56 +00:00
|
|
|
return
|
|
|
|
|
}
|
2022-02-14 16:22:30 +00:00
|
|
|
http_util.MarshalJSON(w, nil, errs[0], http.StatusPreconditionFailed)
|
2020-11-20 09:09:17 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func handleValidate(checks []ValidationFunction) func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
2022-02-14 16:22:30 +00:00
|
|
|
errs := validate(r.Context(), checks)
|
|
|
|
|
if len(errs) == 0 {
|
2020-11-20 09:09:17 +00:00
|
|
|
http_util.MarshalJSON(w, "ok", nil, http.StatusOK)
|
|
|
|
|
return
|
|
|
|
|
}
|
2022-02-14 16:22:30 +00:00
|
|
|
http_util.MarshalJSON(w, errs, nil, http.StatusOK)
|
2020-08-18 08:04:56 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type ValidationFunction func(ctx context.Context) error
|
|
|
|
|
|
2020-11-20 09:09:17 +00:00
|
|
|
func validate(ctx context.Context, validations []ValidationFunction) []error {
|
2022-02-14 16:22:30 +00:00
|
|
|
errs := make([]error, 0)
|
2020-08-18 08:04:56 +00:00
|
|
|
for _, validation := range validations {
|
|
|
|
|
if err := validation(ctx); err != nil {
|
2022-02-14 16:22:30 +00:00
|
|
|
logging.WithFields("traceID", tracing.TraceIDFromCtx(ctx)).WithError(err).Error("validation failed")
|
|
|
|
|
errs = append(errs, err)
|
2020-08-18 08:04:56 +00:00
|
|
|
}
|
|
|
|
|
}
|
2022-02-14 16:22:30 +00:00
|
|
|
return errs
|
2020-08-18 08:04:56 +00:00
|
|
|
}
|
2022-07-18 08:42:32 +00:00
|
|
|
|
|
|
|
|
func metricsExporter() http.Handler {
|
|
|
|
|
exporter := metrics.GetExporter()
|
|
|
|
|
if exporter == nil {
|
|
|
|
|
return http.NotFoundHandler()
|
|
|
|
|
}
|
|
|
|
|
return exporter
|
|
|
|
|
}
|