zitadel/internal/ui/login/handler/external_register_handler.go

package handler

import (
	"github.com/caos/oidc/pkg/oidc"
	"github.com/caos/oidc/pkg/rp"
	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
	"github.com/caos/zitadel/internal/auth_request/model"
	caos_errors "github.com/caos/zitadel/internal/errors"
	"github.com/caos/zitadel/internal/eventstore/models"
	iam_model "github.com/caos/zitadel/internal/iam/model"
	org_model "github.com/caos/zitadel/internal/org/model"
	usr_model "github.com/caos/zitadel/internal/user/model"
	"net/http"
	"strings"
)

func (l *Login) handleExternalRegister(w http.ResponseWriter, r *http.Request) {
	data := new(externalIDPData)
	authReq, err := l.getAuthRequestAndParseData(r, data)
	if err != nil {
		l.renderError(w, r, authReq, err)
		return
	}
	if authReq == nil {
		http.Redirect(w, r, l.zitadelURL, http.StatusFound)
		return
	}
	idpConfig, err := l.getIDPConfigByID(r, data.IDPConfigID)
	if err != nil {
		l.renderError(w, r, authReq, err)
		return
	}
	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
	err = l.authRepo.SelectExternalIDP(r.Context(), authReq.ID, idpConfig.IDPConfigID, userAgentID)
	if err != nil {
		l.renderLogin(w, r, authReq, err)
		return
	}
	if !idpConfig.IsOIDC {
		l.renderError(w, r, authReq, caos_errors.ThrowInternal(nil, "LOGIN-Rio9s", "Errors.User.ExternalIDP.IDPTypeNotImplemented"))
		return
	}
	l.handleOIDCAuthorize(w, r, authReq, idpConfig, EndpointExternalRegisterCallback)
}

func (l *Login) handleExternalRegisterCallback(w http.ResponseWriter, r *http.Request) {
	data := new(externalIDPCallbackData)
	err := l.getParseData(r, data)
	if err != nil {
		l.renderError(w, r, nil, err)
		return
	}
	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
	authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.State, userAgentID)
	if err != nil {
		l.renderError(w, r, authReq, err)
		return
	}
	idpConfig, err := l.authRepo.GetIDPConfigByID(r.Context(), authReq.SelectedIDPConfigID)
	if err != nil {
		l.renderError(w, r, authReq, err)
		return
	}
	provider := l.getRPConfig(w, r, authReq, idpConfig, EndpointExternalRegisterCallback)
	tokens, err := rp.CodeExchange(r.Context(), data.Code, provider)
	if err != nil {
		l.renderRegisterOption(w, r, authReq, err)
		return
	}
	l.handleExternalUserRegister(w, r, authReq, idpConfig, userAgentID, tokens)
}

func (l *Login) handleExternalUserRegister(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, idpConfig *iam_model.IDPConfigView, userAgentID string, tokens *oidc.Tokens) {
	orgIamPolicy, err := l.getOrgIamPolicy(r, authReq.GetScopeOrgID())
	if err != nil {
		l.renderRegisterOption(w, r, authReq, err)
		return
	}
	iam, err := l.authRepo.GetIAM(r.Context())
	if err != nil {
		l.renderRegisterOption(w, r, authReq, err)
		return
	}
	resourceOwner := iam.GlobalOrgID
	member := &org_model.OrgMember{
		ObjectRoot: models.ObjectRoot{AggregateID: iam.GlobalOrgID},
		Roles:      []string{orgProjectCreatorRole},
	}
	if authReq.GetScopeOrgID() != iam.GlobalOrgID && authReq.GetScopeOrgID() != "" {
		member = nil
		resourceOwner = authReq.GetScopeOrgID()
	}

	user, externalIDP := l.mapTokenToLoginUserAndExternalIDP(orgIamPolicy, tokens, idpConfig)
	_, err = l.authRepo.RegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, member, resourceOwner)
	if err != nil {
		l.renderRegisterOption(w, r, authReq, err)
		return
	}
	l.renderNextStep(w, r, authReq)
}

func (l *Login) mapTokenToLoginUserAndExternalIDP(orgIamPolicy *org_model.OrgIAMPolicy, tokens *oidc.Tokens, idpConfig *iam_model.IDPConfigView) (*usr_model.User, *usr_model.ExternalIDP) {
	username := tokens.IDTokenClaims.PreferredUsername
	switch idpConfig.OIDCUsernameMapping {
	case iam_model.OIDCMappingFieldEmail:
		if tokens.IDTokenClaims.EmailVerified && tokens.IDTokenClaims.Email != "" {
			username = tokens.IDTokenClaims.Email
		}
	}

	if orgIamPolicy.UserLoginMustBeDomain {
		splittedUsername := strings.Split(username, "@")
		if len(splittedUsername) > 1 {
			username = splittedUsername[0]
		}
	}

	user := &usr_model.User{
		UserName: username,
		Human: &usr_model.Human{
			Profile: &usr_model.Profile{
				FirstName:         tokens.IDTokenClaims.GivenName,
				LastName:          tokens.IDTokenClaims.FamilyName,
				PreferredLanguage: tokens.IDTokenClaims.Locale,
				NickName:          tokens.IDTokenClaims.Nickname,
			},
			Email: &usr_model.Email{
				EmailAddress:    tokens.IDTokenClaims.Email,
				IsEmailVerified: tokens.IDTokenClaims.EmailVerified,
			},
		},
	}
	if tokens.IDTokenClaims.PhoneNumber != "" {
		user.Phone = &usr_model.Phone{
			PhoneNumber:     tokens.IDTokenClaims.PhoneNumber,
			IsPhoneVerified: tokens.IDTokenClaims.PhoneNumberVerified,
		}
	}

	displayName := tokens.IDTokenClaims.PreferredUsername
	switch idpConfig.OIDCIDPDisplayNameMapping {
	case iam_model.OIDCMappingFieldEmail:
		if tokens.IDTokenClaims.EmailVerified && tokens.IDTokenClaims.Email != "" {
			displayName = tokens.IDTokenClaims.Email
		}
	}

	externalIDP := &usr_model.ExternalIDP{
		IDPConfigID: idpConfig.IDPConfigID,
		UserID:      tokens.IDTokenClaims.Subject,
		DisplayName: displayName,
	}
	return user, externalIDP
}
feat: Identity brokering (#730) * feat: add/ remove external idps * feat: external idp add /remove * fix: auth proto * fix: handle login * feat: loginpolicy on authrequest * feat: idp providers on login * feat: link external idp * fix: check login policy on check username * feat: add mapping fields for idp config * feat: use user org id if existing * feat: use user org id if existing * feat: register external user * feat: register external user * feat: user linking * feat: user linking * feat: design external login * feat: design external login * fix: tests * fix: regenerate login design * feat: next step test linking process * feat: next step test linking process * feat: cascade remove external idps on user * fix: tests * fix: tests * feat: external idp requsts on users * fix: generate protos * feat: login styles * feat: login styles * fix: link user * fix: register user on specifig org * fix: user linking * fix: register external, linking auto * fix: remove unnecessary request from proto * fix: tests * fix: new oidc package * fix: migration version * fix: policy permissions * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/handler/renderer.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/handler/renderer.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: pr requests * Update internal/ui/login/handler/link_users_handler.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: pr requests * fix: pr requests * fix: pr requests * fix: login name size * fix: profile image light * fix: colors * fix: pr requests * fix: remove redirect uri validator * fix: remove redirect uri validator Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2020-09-18 13:26:28 +02:00			`package handler`

			`import (`
			`"github.com/caos/oidc/pkg/oidc"`
			`"github.com/caos/oidc/pkg/rp"`
			`http_mw "github.com/caos/zitadel/internal/api/http/middleware"`
			`"github.com/caos/zitadel/internal/auth_request/model"`
			`caos_errors "github.com/caos/zitadel/internal/errors"`
			`"github.com/caos/zitadel/internal/eventstore/models"`
			`iam_model "github.com/caos/zitadel/internal/iam/model"`
			`org_model "github.com/caos/zitadel/internal/org/model"`
			`usr_model "github.com/caos/zitadel/internal/user/model"`
			`"net/http"`
			`"strings"`
			`)`

			`func (l Login) handleExternalRegister(w http.ResponseWriter, r http.Request) {`
			`data := new(externalIDPData)`
			`authReq, err := l.getAuthRequestAndParseData(r, data)`
			`if err != nil {`
			`l.renderError(w, r, authReq, err)`
			`return`
			`}`
			`if authReq == nil {`
			`http.Redirect(w, r, l.zitadelURL, http.StatusFound)`
			`return`
			`}`
			`idpConfig, err := l.getIDPConfigByID(r, data.IDPConfigID)`
			`if err != nil {`
			`l.renderError(w, r, authReq, err)`
			`return`
			`}`
			`userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())`
			`err = l.authRepo.SelectExternalIDP(r.Context(), authReq.ID, idpConfig.IDPConfigID, userAgentID)`
			`if err != nil {`
			`l.renderLogin(w, r, authReq, err)`
			`return`
			`}`
			`if !idpConfig.IsOIDC {`
			`l.renderError(w, r, authReq, caos_errors.ThrowInternal(nil, "LOGIN-Rio9s", "Errors.User.ExternalIDP.IDPTypeNotImplemented"))`
			`return`
			`}`
			`l.handleOIDCAuthorize(w, r, authReq, idpConfig, EndpointExternalRegisterCallback)`
			`}`

			`func (l Login) handleExternalRegisterCallback(w http.ResponseWriter, r http.Request) {`
			`data := new(externalIDPCallbackData)`
			`err := l.getParseData(r, data)`
			`if err != nil {`
			`l.renderError(w, r, nil, err)`
			`return`
			`}`
			`userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())`
			`authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.State, userAgentID)`
			`if err != nil {`
			`l.renderError(w, r, authReq, err)`
			`return`
			`}`
			`idpConfig, err := l.authRepo.GetIDPConfigByID(r.Context(), authReq.SelectedIDPConfigID)`
			`if err != nil {`
			`l.renderError(w, r, authReq, err)`
			`return`
			`}`
			`provider := l.getRPConfig(w, r, authReq, idpConfig, EndpointExternalRegisterCallback)`
			`tokens, err := rp.CodeExchange(r.Context(), data.Code, provider)`
			`if err != nil {`
			`l.renderRegisterOption(w, r, authReq, err)`
			`return`
			`}`
			`l.handleExternalUserRegister(w, r, authReq, idpConfig, userAgentID, tokens)`
			`}`

			`func (l Login) handleExternalUserRegister(w http.ResponseWriter, r http.Request, authReq model.AuthRequest, idpConfig iam_model.IDPConfigView, userAgentID string, tokens *oidc.Tokens) {`
			`orgIamPolicy, err := l.getOrgIamPolicy(r, authReq.GetScopeOrgID())`
			`if err != nil {`
			`l.renderRegisterOption(w, r, authReq, err)`
			`return`
			`}`
			`iam, err := l.authRepo.GetIAM(r.Context())`
			`if err != nil {`
			`l.renderRegisterOption(w, r, authReq, err)`
			`return`
			`}`
			`resourceOwner := iam.GlobalOrgID`
			`member := &org_model.OrgMember{`
			`ObjectRoot: models.ObjectRoot{AggregateID: iam.GlobalOrgID},`
			`Roles: []string{orgProjectCreatorRole},`
			`}`
			`if authReq.GetScopeOrgID() != iam.GlobalOrgID && authReq.GetScopeOrgID() != "" {`
			`member = nil`
			`resourceOwner = authReq.GetScopeOrgID()`
			`}`

			`user, externalIDP := l.mapTokenToLoginUserAndExternalIDP(orgIamPolicy, tokens, idpConfig)`
			`_, err = l.authRepo.RegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, member, resourceOwner)`
			`if err != nil {`
			`l.renderRegisterOption(w, r, authReq, err)`
			`return`
			`}`
			`l.renderNextStep(w, r, authReq)`
			`}`

			`func (l Login) mapTokenToLoginUserAndExternalIDP(orgIamPolicy org_model.OrgIAMPolicy, tokens oidc.Tokens, idpConfig iam_model.IDPConfigView) (usr_model.User, usr_model.ExternalIDP) {`
			`username := tokens.IDTokenClaims.PreferredUsername`
			`switch idpConfig.OIDCUsernameMapping {`
			`case iam_model.OIDCMappingFieldEmail:`
			`if tokens.IDTokenClaims.EmailVerified && tokens.IDTokenClaims.Email != "" {`
			`username = tokens.IDTokenClaims.Email`
			`}`
			`}`

			`if orgIamPolicy.UserLoginMustBeDomain {`
			`splittedUsername := strings.Split(username, "@")`
			`if len(splittedUsername) > 1 {`
			`username = splittedUsername[0]`
			`}`
			`}`

			`user := &usr_model.User{`
			`UserName: username,`
			`Human: &usr_model.Human{`
			`Profile: &usr_model.Profile{`
			`FirstName: tokens.IDTokenClaims.GivenName,`
			`LastName: tokens.IDTokenClaims.FamilyName,`
			`PreferredLanguage: tokens.IDTokenClaims.Locale,`
			`NickName: tokens.IDTokenClaims.Nickname,`
			`},`
			`Email: &usr_model.Email{`
			`EmailAddress: tokens.IDTokenClaims.Email,`
			`IsEmailVerified: tokens.IDTokenClaims.EmailVerified,`
			`},`
			`},`
			`}`
			`if tokens.IDTokenClaims.PhoneNumber != "" {`
			`user.Phone = &usr_model.Phone{`
			`PhoneNumber: tokens.IDTokenClaims.PhoneNumber,`
			`IsPhoneVerified: tokens.IDTokenClaims.PhoneNumberVerified,`
			`}`
			`}`

			`displayName := tokens.IDTokenClaims.PreferredUsername`
			`switch idpConfig.OIDCIDPDisplayNameMapping {`
			`case iam_model.OIDCMappingFieldEmail:`
			`if tokens.IDTokenClaims.EmailVerified && tokens.IDTokenClaims.Email != "" {`
			`displayName = tokens.IDTokenClaims.Email`
			`}`
			`}`

			`externalIDP := &usr_model.ExternalIDP{`
			`IDPConfigID: idpConfig.IDPConfigID,`
			`UserID: tokens.IDTokenClaims.Subject,`
			`DisplayName: displayName,`
			`}`
			`return user, externalIDP`
			`}`