zitadel/internal/query/oidc_client.go

package query

import (
	"context"
	"database/sql"
	_ "embed"
	"errors"
	"time"

	"github.com/zitadel/zitadel/internal/api/authz"
	"github.com/zitadel/zitadel/internal/crypto"
	"github.com/zitadel/zitadel/internal/database"
	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/telemetry/tracing"
	"github.com/zitadel/zitadel/internal/zerrors"
)

type OIDCClient struct {
	InstanceID               string                     `json:"instance_id,omitempty"`
	AppID                    string                     `json:"app_id,omitempty"`
	State                    domain.AppState            `json:"state,omitempty"`
	ClientID                 string                     `json:"client_id,omitempty"`
	ClientSecret             *crypto.CryptoValue        `json:"client_secret,omitempty"`
	RedirectURIs             []string                   `json:"redirect_uris,omitempty"`
	ResponseTypes            []domain.OIDCResponseType  `json:"response_types,omitempty"`
	GrantTypes               []domain.OIDCGrantType     `json:"grant_types,omitempty"`
	ApplicationType          domain.OIDCApplicationType `json:"application_type,omitempty"`
	AuthMethodType           domain.OIDCAuthMethodType  `json:"auth_method_type,omitempty"`
	PostLogoutRedirectURIs   []string                   `json:"post_logout_redirect_uris,omitempty"`
	IsDevMode                bool                       `json:"is_dev_mode,omitempty"`
	AccessTokenType          domain.OIDCTokenType       `json:"access_token_type,omitempty"`
	AccessTokenRoleAssertion bool                       `json:"access_token_role_assertion,omitempty"`
	IDTokenRoleAssertion     bool                       `json:"id_token_role_assertion,omitempty"`
	IDTokenUserinfoAssertion bool                       `json:"id_token_userinfo_assertion,omitempty"`
	ClockSkew                time.Duration              `json:"clock_skew,omitempty"`
	AdditionalOrigins        []string                   `json:"additional_origins,omitempty"`
	PublicKeys               map[string][]byte          `json:"public_keys,omitempty"`
	ProjectID                string                     `json:"project_id,omitempty"`
	ProjectRoleKeys          []string                   `json:"project_role_keys,omitempty"`
	Settings                 *OIDCSettings              `json:"settings,omitempty"`
}

//go:embed embed/oidc_client_by_id.sql
var oidcClientQuery string

func (q *Queries) GetOIDCClientByID(ctx context.Context, clientID string, getKeys bool) (client *OIDCClient, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	client, err = database.QueryJSONObject[OIDCClient](ctx, q.client, oidcClientQuery,
		authz.GetInstance(ctx).InstanceID(), clientID, getKeys,
	)
	if errors.Is(err, sql.ErrNoRows) {
		return nil, zerrors.ThrowNotFound(err, "QUERY-wu6Ee", "Errors.App.NotFound")
	}
	if err != nil {
		return nil, zerrors.ThrowInternal(err, "QUERY-ieR7R", "Errors.Internal")
	}
	return client, err
}
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`package query`

			`import (`
			`"context"`
			`"database/sql"`
			`_ "embed"`
			`"errors"`
			`"time"`

			`"github.com/zitadel/zitadel/internal/api/authz"`
			`"github.com/zitadel/zitadel/internal/crypto"`
			`"github.com/zitadel/zitadel/internal/database"`
			`"github.com/zitadel/zitadel/internal/domain"`
			`"github.com/zitadel/zitadel/internal/telemetry/tracing"`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 14:30:55 +00:00			`"github.com/zitadel/zitadel/internal/zerrors"`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`)`

			`type OIDCClient struct {`
			InstanceID string `json:"instance_id,omitempty"`
			AppID string `json:"app_id,omitempty"`
			State domain.AppState `json:"state,omitempty"`
			ClientID string `json:"client_id,omitempty"`
			ClientSecret *crypto.CryptoValue `json:"client_secret,omitempty"`
			RedirectURIs []string `json:"redirect_uris,omitempty"`
			ResponseTypes []domain.OIDCResponseType `json:"response_types,omitempty"`
			GrantTypes []domain.OIDCGrantType `json:"grant_types,omitempty"`
			ApplicationType domain.OIDCApplicationType `json:"application_type,omitempty"`
			AuthMethodType domain.OIDCAuthMethodType `json:"auth_method_type,omitempty"`
			PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris,omitempty"`
			IsDevMode bool `json:"is_dev_mode,omitempty"`
			AccessTokenType domain.OIDCTokenType `json:"access_token_type,omitempty"`
			AccessTokenRoleAssertion bool `json:"access_token_role_assertion,omitempty"`
			IDTokenRoleAssertion bool `json:"id_token_role_assertion,omitempty"`
			IDTokenUserinfoAssertion bool `json:"id_token_userinfo_assertion,omitempty"`
			ClockSkew time.Duration `json:"clock_skew,omitempty"`
			AdditionalOrigins []string `json:"additional_origins,omitempty"`
			PublicKeys map[string][]byte `json:"public_keys,omitempty"`
			ProjectID string `json:"project_id,omitempty"`
			ProjectRoleKeys []string `json:"project_role_keys,omitempty"`
fix(oidc): return clients without instance settings (#7036) 2023-12-07 09:43:45 +00:00			Settings *OIDCSettings `json:"settings,omitempty"`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`}`

			`//go:embed embed/oidc_client_by_id.sql`
			`var oidcClientQuery string`

			`func (q Queries) GetOIDCClientByID(ctx context.Context, clientID string, getKeys bool) (client OIDCClient, err error) {`
			`ctx, span := tracing.NewSpan(ctx)`
			`defer func() { span.EndWithError(err) }()`

			`client, err = database.QueryJSONObject[OIDCClient](ctx, q.client, oidcClientQuery,`
			`authz.GetInstance(ctx).InstanceID(), clientID, getKeys,`
			`)`
			`if errors.Is(err, sql.ErrNoRows) {`
			`return nil, zerrors.ThrowNotFound(err, "QUERY-wu6Ee", "Errors.App.NotFound")`
			`}`
			`if err != nil {`
			`return nil, zerrors.ThrowInternal(err, "QUERY-ieR7R", "Errors.Internal")`
			`}`
			`return client, err`
			`}`