zitadel/internal/notification/channels/set/channel.go

package set

import (
	"context"
	"encoding/json"
	"io"
	"net/http"
	"strings"
	"time"

	"github.com/zitadel/logging"

	"github.com/zitadel/zitadel/internal/api/authz"
	"github.com/zitadel/zitadel/internal/notification/channels"
	"github.com/zitadel/zitadel/internal/notification/messages"
	"github.com/zitadel/zitadel/internal/zerrors"
)

func InitChannel(ctx context.Context, cfg Config) (channels.NotificationChannel, error) {
	if err := cfg.Validate(); err != nil {
		return nil, err
	}

	logging.Debug("successfully initialized security event token json channel")
	return channels.HandleMessageFunc(func(message channels.Message) error {
		requestCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
		defer cancel()
		msg, ok := message.(*messages.Form)
		if !ok {
			return zerrors.ThrowInternal(nil, "SET-K686U", "message is not SET")
		}
		payload, err := msg.GetContent()
		if err != nil {
			return err
		}
		req, err := http.NewRequestWithContext(requestCtx, http.MethodPost, cfg.CallURL, strings.NewReader(payload))
		if err != nil {
			return err
		}
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return err
		}
		logging.WithFields("instanceID", authz.GetInstance(ctx).InstanceID(), "calling_url", cfg.CallURL).Debug("security event token called")
		if resp.StatusCode == http.StatusOK ||
			resp.StatusCode == http.StatusAccepted ||
			resp.StatusCode == http.StatusNoContent {
			return nil
		}
		body, err := mapResponse(resp)
		logging.WithFields("instanceID", authz.GetInstance(ctx).InstanceID(), "callURL", cfg.CallURL).
			OnError(err).Debug("error mapping response")
		if resp.StatusCode == http.StatusBadRequest {
			logging.WithFields("instanceID", authz.GetInstance(ctx).InstanceID(), "callURL", cfg.CallURL, "status", resp.Status, "body", body).
				Error("security event token didn't return a success status")
			return nil
		}
		return zerrors.ThrowInternalf(err, "SET-DF3dq", "security event token to %s didn't return a success status: %s (%v)", cfg.CallURL, resp.Status, body)
	}), nil
}

func mapResponse(resp *http.Response) (map[string]any, error) {
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	requestError := make(map[string]any)
	err = json.Unmarshal(body, &requestError)
	if err != nil {
		return nil, err
	}
	return requestError, nil
}
feat(OIDC): add back channel logout (#8837) # Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl> 2024-10-31 14:57:17 +00:00			`package set`

			`import (`
			`"context"`
			`"encoding/json"`
			`"io"`
			`"net/http"`
			`"strings"`
			`"time"`

			`"github.com/zitadel/logging"`

			`"github.com/zitadel/zitadel/internal/api/authz"`
			`"github.com/zitadel/zitadel/internal/notification/channels"`
			`"github.com/zitadel/zitadel/internal/notification/messages"`
			`"github.com/zitadel/zitadel/internal/zerrors"`
			`)`

			`func InitChannel(ctx context.Context, cfg Config) (channels.NotificationChannel, error) {`
			`if err := cfg.Validate(); err != nil {`
			`return nil, err`
			`}`

			`logging.Debug("successfully initialized security event token json channel")`
			`return channels.HandleMessageFunc(func(message channels.Message) error {`
			`requestCtx, cancel := context.WithTimeout(ctx, 5*time.Second)`
			`defer cancel()`
			`msg, ok := message.(*messages.Form)`
			`if !ok {`
			`return zerrors.ThrowInternal(nil, "SET-K686U", "message is not SET")`
			`}`
			`payload, err := msg.GetContent()`
			`if err != nil {`
			`return err`
			`}`
			`req, err := http.NewRequestWithContext(requestCtx, http.MethodPost, cfg.CallURL, strings.NewReader(payload))`
			`if err != nil {`
			`return err`
			`}`
			`req.Header.Set("Content-Type", "application/x-www-form-urlencoded")`
			`resp, err := http.DefaultClient.Do(req)`
			`if err != nil {`
			`return err`
			`}`
			`logging.WithFields("instanceID", authz.GetInstance(ctx).InstanceID(), "calling_url", cfg.CallURL).Debug("security event token called")`
			`if resp.StatusCode == http.StatusOK \|\|`
			`resp.StatusCode == http.StatusAccepted \|\|`
			`resp.StatusCode == http.StatusNoContent {`
			`return nil`
			`}`
			`body, err := mapResponse(resp)`
			`logging.WithFields("instanceID", authz.GetInstance(ctx).InstanceID(), "callURL", cfg.CallURL).`
			`OnError(err).Debug("error mapping response")`
			`if resp.StatusCode == http.StatusBadRequest {`
			`logging.WithFields("instanceID", authz.GetInstance(ctx).InstanceID(), "callURL", cfg.CallURL, "status", resp.Status, "body", body).`
			`Error("security event token didn't return a success status")`
			`return nil`
			`}`
			`return zerrors.ThrowInternalf(err, "SET-DF3dq", "security event token to %s didn't return a success status: %s (%v)", cfg.CallURL, resp.Status, body)`
			`}), nil`
			`}`

			`func mapResponse(resp *http.Response) (map[string]any, error) {`
			`defer resp.Body.Close()`
			`body, err := io.ReadAll(resp.Body)`
			`if err != nil {`
			`return nil, err`
			`}`
			`requestError := make(map[string]any)`
			`err = json.Unmarshal(body, &requestError)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return requestError, nil`
			`}`