2023-07-10 15:27:00 +02:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
|
|
|
"time"
|
|
|
|
|
2024-05-16 08:07:56 +03:00
|
|
|
"golang.org/x/text/language"
|
|
|
|
|
2023-07-10 15:27:00 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
|
|
"github.com/zitadel/zitadel/internal/repository/oidcsession"
|
2023-12-08 16:30:55 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
2023-07-10 15:27:00 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
type OIDCSessionWriteModel struct {
|
|
|
|
eventstore.WriteModel
|
|
|
|
|
|
|
|
UserID string
|
2024-05-16 08:07:56 +03:00
|
|
|
UserResourceOwner string
|
|
|
|
PreferredLanguage *language.Tag
|
2023-07-10 15:27:00 +02:00
|
|
|
SessionID string
|
|
|
|
ClientID string
|
|
|
|
Audience []string
|
|
|
|
Scope []string
|
2023-07-12 14:24:01 +02:00
|
|
|
AuthMethods []domain.UserAuthMethodType
|
2023-07-10 15:27:00 +02:00
|
|
|
AuthTime time.Time
|
2024-05-16 08:07:56 +03:00
|
|
|
Nonce string
|
|
|
|
UserAgent *domain.UserAgent
|
2023-07-10 15:27:00 +02:00
|
|
|
State domain.OIDCSessionState
|
2023-07-17 14:33:37 +02:00
|
|
|
AccessTokenID string
|
2023-07-14 13:16:16 +02:00
|
|
|
AccessTokenCreation time.Time
|
2023-07-10 15:27:00 +02:00
|
|
|
AccessTokenExpiration time.Time
|
2024-03-20 12:18:46 +02:00
|
|
|
AccessTokenReason domain.TokenReason
|
|
|
|
AccessTokenActor *domain.TokenActor
|
2023-07-10 15:27:00 +02:00
|
|
|
RefreshTokenID string
|
2023-07-17 14:33:37 +02:00
|
|
|
RefreshToken string
|
2023-07-10 15:27:00 +02:00
|
|
|
RefreshTokenExpiration time.Time
|
|
|
|
RefreshTokenIdleExpiration time.Time
|
|
|
|
|
|
|
|
aggregate *eventstore.Aggregate
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewOIDCSessionWriteModel(id string, resourceOwner string) *OIDCSessionWriteModel {
|
|
|
|
return &OIDCSessionWriteModel{
|
|
|
|
WriteModel: eventstore.WriteModel{
|
|
|
|
AggregateID: id,
|
|
|
|
ResourceOwner: resourceOwner,
|
|
|
|
},
|
|
|
|
aggregate: &oidcsession.NewAggregate(id, resourceOwner).Aggregate,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (wm *OIDCSessionWriteModel) Reduce() error {
|
|
|
|
for _, event := range wm.Events {
|
|
|
|
switch e := event.(type) {
|
|
|
|
case *oidcsession.AddedEvent:
|
|
|
|
wm.reduceAdded(e)
|
|
|
|
case *oidcsession.AccessTokenAddedEvent:
|
|
|
|
wm.reduceAccessTokenAdded(e)
|
2023-07-17 14:33:37 +02:00
|
|
|
case *oidcsession.AccessTokenRevokedEvent:
|
|
|
|
wm.reduceAccessTokenRevoked(e)
|
2023-07-10 15:27:00 +02:00
|
|
|
case *oidcsession.RefreshTokenAddedEvent:
|
|
|
|
wm.reduceRefreshTokenAdded(e)
|
|
|
|
case *oidcsession.RefreshTokenRenewedEvent:
|
|
|
|
wm.reduceRefreshTokenRenewed(e)
|
2023-07-17 14:33:37 +02:00
|
|
|
case *oidcsession.RefreshTokenRevokedEvent:
|
|
|
|
wm.reduceRefreshTokenRevoked(e)
|
2023-07-10 15:27:00 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return wm.WriteModel.Reduce()
|
|
|
|
}
|
|
|
|
|
|
|
|
func (wm *OIDCSessionWriteModel) Query() *eventstore.SearchQueryBuilder {
|
|
|
|
query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
|
|
AddQuery().
|
|
|
|
AggregateTypes(oidcsession.AggregateType).
|
|
|
|
AggregateIDs(wm.AggregateID).
|
|
|
|
EventTypes(
|
|
|
|
oidcsession.AddedType,
|
|
|
|
oidcsession.AccessTokenAddedType,
|
|
|
|
oidcsession.RefreshTokenAddedType,
|
|
|
|
oidcsession.RefreshTokenRenewedType,
|
2023-07-17 14:33:37 +02:00
|
|
|
oidcsession.RefreshTokenRevokedType,
|
2023-07-10 15:27:00 +02:00
|
|
|
).
|
|
|
|
Builder()
|
|
|
|
|
|
|
|
if wm.ResourceOwner != "" {
|
|
|
|
query.ResourceOwner(wm.ResourceOwner)
|
|
|
|
}
|
|
|
|
return query
|
|
|
|
}
|
|
|
|
|
|
|
|
func (wm *OIDCSessionWriteModel) reduceAdded(e *oidcsession.AddedEvent) {
|
|
|
|
wm.UserID = e.UserID
|
2024-05-16 08:07:56 +03:00
|
|
|
wm.UserResourceOwner = e.UserResourceOwner
|
2023-07-10 15:27:00 +02:00
|
|
|
wm.SessionID = e.SessionID
|
|
|
|
wm.ClientID = e.ClientID
|
|
|
|
wm.Audience = e.Audience
|
|
|
|
wm.Scope = e.Scope
|
2023-07-12 14:24:01 +02:00
|
|
|
wm.AuthMethods = e.AuthMethods
|
2023-07-10 15:27:00 +02:00
|
|
|
wm.AuthTime = e.AuthTime
|
2024-05-16 08:07:56 +03:00
|
|
|
wm.Nonce = e.Nonce
|
|
|
|
wm.PreferredLanguage = e.PreferredLanguage
|
|
|
|
wm.UserAgent = e.UserAgent
|
2023-07-10 15:27:00 +02:00
|
|
|
wm.State = domain.OIDCSessionStateActive
|
2023-07-14 13:16:16 +02:00
|
|
|
// the write model might be initialized without resource owner,
|
|
|
|
// so update the aggregate
|
|
|
|
if wm.ResourceOwner == "" {
|
|
|
|
wm.aggregate = &oidcsession.NewAggregate(wm.AggregateID, e.Aggregate().ResourceOwner).Aggregate
|
|
|
|
}
|
2023-07-10 15:27:00 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
func (wm *OIDCSessionWriteModel) reduceAccessTokenAdded(e *oidcsession.AccessTokenAddedEvent) {
|
2023-07-17 14:33:37 +02:00
|
|
|
wm.AccessTokenID = e.ID
|
2023-07-10 15:27:00 +02:00
|
|
|
wm.AccessTokenExpiration = e.CreationDate().Add(e.Lifetime)
|
2024-03-20 12:18:46 +02:00
|
|
|
wm.AccessTokenReason = e.Reason
|
|
|
|
wm.AccessTokenActor = e.Actor
|
2023-07-10 15:27:00 +02:00
|
|
|
}
|
|
|
|
|
2023-07-17 14:33:37 +02:00
|
|
|
func (wm *OIDCSessionWriteModel) reduceAccessTokenRevoked(e *oidcsession.AccessTokenRevokedEvent) {
|
|
|
|
wm.AccessTokenID = ""
|
|
|
|
wm.AccessTokenExpiration = e.CreationDate()
|
|
|
|
}
|
|
|
|
|
2023-07-10 15:27:00 +02:00
|
|
|
func (wm *OIDCSessionWriteModel) reduceRefreshTokenAdded(e *oidcsession.RefreshTokenAddedEvent) {
|
|
|
|
wm.RefreshTokenID = e.ID
|
|
|
|
wm.RefreshTokenExpiration = e.CreationDate().Add(e.Lifetime)
|
|
|
|
wm.RefreshTokenIdleExpiration = e.CreationDate().Add(e.IdleLifetime)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (wm *OIDCSessionWriteModel) reduceRefreshTokenRenewed(e *oidcsession.RefreshTokenRenewedEvent) {
|
|
|
|
wm.RefreshTokenID = e.ID
|
|
|
|
wm.RefreshTokenIdleExpiration = e.CreationDate().Add(e.IdleLifetime)
|
|
|
|
}
|
|
|
|
|
2023-07-17 14:33:37 +02:00
|
|
|
func (wm *OIDCSessionWriteModel) reduceRefreshTokenRevoked(e *oidcsession.RefreshTokenRevokedEvent) {
|
|
|
|
wm.RefreshTokenID = ""
|
|
|
|
wm.RefreshTokenExpiration = e.CreationDate()
|
|
|
|
wm.RefreshTokenIdleExpiration = e.CreationDate()
|
|
|
|
wm.AccessTokenID = ""
|
|
|
|
wm.AccessTokenExpiration = e.CreationDate()
|
|
|
|
}
|
|
|
|
|
2023-07-10 15:27:00 +02:00
|
|
|
func (wm *OIDCSessionWriteModel) CheckRefreshToken(refreshTokenID string) error {
|
|
|
|
if wm.State != domain.OIDCSessionStateActive {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "OIDCS-s3hjk", "Errors.OIDCSession.RefreshTokenInvalid")
|
2023-07-10 15:27:00 +02:00
|
|
|
}
|
|
|
|
if wm.RefreshTokenID != refreshTokenID {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "OIDCS-28ubl", "Errors.OIDCSession.RefreshTokenInvalid")
|
2023-07-10 15:27:00 +02:00
|
|
|
}
|
|
|
|
now := time.Now()
|
|
|
|
if wm.RefreshTokenExpiration.Before(now) || wm.RefreshTokenIdleExpiration.Before(now) {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "OIDCS-3jt2w", "Errors.OIDCSession.RefreshTokenInvalid")
|
2023-07-10 15:27:00 +02:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2023-07-17 14:33:37 +02:00
|
|
|
|
|
|
|
func (wm *OIDCSessionWriteModel) CheckAccessToken(accessTokenID string) error {
|
|
|
|
if wm.State != domain.OIDCSessionStateActive {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "OIDCS-KL2pk", "Errors.OIDCSession.Token.Invalid")
|
2023-07-17 14:33:37 +02:00
|
|
|
}
|
|
|
|
if wm.AccessTokenID != accessTokenID {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "OIDCS-JLKW2", "Errors.OIDCSession.Token.Invalid")
|
2023-07-17 14:33:37 +02:00
|
|
|
}
|
|
|
|
if wm.AccessTokenExpiration.Before(time.Now()) {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "OIDCS-3j3md", "Errors.OIDCSession.Token.Invalid")
|
2023-07-17 14:33:37 +02:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (wm *OIDCSessionWriteModel) CheckClient(clientID string) error {
|
|
|
|
for _, aud := range wm.Audience {
|
|
|
|
if aud == clientID {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "OIDCS-SKjl3", "Errors.OIDCSession.InvalidClient")
|
2023-07-17 14:33:37 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
func (wm *OIDCSessionWriteModel) OIDCRefreshTokenID(refreshTokenID string) string {
|
|
|
|
return wm.AggregateID + TokenDelimiter + refreshTokenID
|
|
|
|
}
|