zitadel/internal/api/saml/provider.go

package saml

import (
	"fmt"
	"net/http"

	"github.com/zitadel/saml/pkg/provider"

	http_utils "github.com/zitadel/zitadel/internal/api/http"
	"github.com/zitadel/zitadel/internal/api/http/middleware"
	"github.com/zitadel/zitadel/internal/api/ui/login"
	"github.com/zitadel/zitadel/internal/auth/repository"
	"github.com/zitadel/zitadel/internal/command"
	"github.com/zitadel/zitadel/internal/crypto"
	"github.com/zitadel/zitadel/internal/database"
	"github.com/zitadel/zitadel/internal/eventstore"
	"github.com/zitadel/zitadel/internal/eventstore/handler/crdb"
	"github.com/zitadel/zitadel/internal/query"
	"github.com/zitadel/zitadel/internal/telemetry/metrics"
)

const (
	HandlerPrefix = "/saml/v2"
)

type Config struct {
	ProviderConfig *provider.Config
}

func NewProvider(
	conf Config,
	externalSecure bool,
	command *command.Commands,
	query *query.Queries,
	repo repository.Repository,
	encAlg crypto.EncryptionAlgorithm,
	certEncAlg crypto.EncryptionAlgorithm,
	es *eventstore.Eventstore,
	projections *database.DB,
	instanceHandler,
	userAgentCookie func(http.Handler) http.Handler,
	accessHandler *middleware.AccessInterceptor,
) (*provider.Provider, error) {
	metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount}

	provStorage, err := newStorage(
		command,
		query,
		repo,
		encAlg,
		certEncAlg,
		es,
		projections,
	)
	if err != nil {
		return nil, err
	}

	options := []provider.Option{
		provider.WithHttpInterceptors(
			middleware.MetricsHandler(metricTypes),
			middleware.TelemetryHandler(),
			middleware.NoCacheInterceptor().Handler,
			instanceHandler,
			userAgentCookie,
			accessHandler.HandleWithPublicAuthPathPrefixes(publicAuthPathPrefixes(conf.ProviderConfig)),
			http_utils.CopyHeadersToContext,
			middleware.ActivityHandler,
		),
		provider.WithCustomTimeFormat("2006-01-02T15:04:05.999Z"),
	}
	if !externalSecure {
		options = append(options, provider.WithAllowInsecure())
	}

	return provider.NewProvider(
		provStorage,
		HandlerPrefix,
		conf.ProviderConfig,
		options...,
	)
}

func newStorage(
	command *command.Commands,
	query *query.Queries,
	repo repository.Repository,
	encAlg crypto.EncryptionAlgorithm,
	certEncAlg crypto.EncryptionAlgorithm,
	es *eventstore.Eventstore,
	db *database.DB,
) (*Storage, error) {
	return &Storage{
		encAlg:          encAlg,
		certEncAlg:      certEncAlg,
		locker:          crdb.NewLocker(db.DB, locksTable, signingKey),
		eventstore:      es,
		repo:            repo,
		command:         command,
		query:           query,
		defaultLoginURL: fmt.Sprintf("%s%s?%s=", login.HandlerPrefix, login.EndpointLogin, login.QueryAuthRequestID),
	}, nil
}

func publicAuthPathPrefixes(config *provider.Config) []string {
	metadataEndpoint := HandlerPrefix + provider.DefaultMetadataEndpoint
	certificateEndpoint := HandlerPrefix + provider.DefaultCertificateEndpoint
	ssoEndpoint := HandlerPrefix + provider.DefaultSingleSignOnEndpoint
	if config.MetadataConfig != nil && config.MetadataConfig.Path != "" {
		metadataEndpoint = HandlerPrefix + config.MetadataConfig.Path
	}
	if config.IDPConfig == nil || config.IDPConfig.Endpoints == nil {
		return []string{metadataEndpoint, certificateEndpoint, ssoEndpoint}
	}
	if config.IDPConfig.Endpoints.Certificate != nil && config.IDPConfig.Endpoints.Certificate.Relative() != "" {
		certificateEndpoint = HandlerPrefix + config.IDPConfig.Endpoints.Certificate.Relative()
	}
	if config.IDPConfig.Endpoints.SingleSignOn != nil && config.IDPConfig.Endpoints.SingleSignOn.Relative() != "" {
		ssoEndpoint = HandlerPrefix + config.IDPConfig.Endpoints.SingleSignOn.Relative()
	}
	return []string{metadataEndpoint, certificateEndpoint, ssoEndpoint}
}
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`package saml`

			`import (`
			`"fmt"`
			`"net/http"`

			`"github.com/zitadel/saml/pkg/provider"`

			`http_utils "github.com/zitadel/zitadel/internal/api/http"`
			`"github.com/zitadel/zitadel/internal/api/http/middleware"`
			`"github.com/zitadel/zitadel/internal/api/ui/login"`
			`"github.com/zitadel/zitadel/internal/auth/repository"`
			`"github.com/zitadel/zitadel/internal/command"`
			`"github.com/zitadel/zitadel/internal/crypto"`
perf: query data `AS OF SYSTEM TIME` (#5231) Queries the data in the storage layser at the timestamp when the call hit the API layer 2023-02-27 21:36:43 +00:00			`"github.com/zitadel/zitadel/internal/database"`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`"github.com/zitadel/zitadel/internal/eventstore"`
			`"github.com/zitadel/zitadel/internal/eventstore/handler/crdb"`
			`"github.com/zitadel/zitadel/internal/query"`
			`"github.com/zitadel/zitadel/internal/telemetry/metrics"`
			`)`

			`const (`
			`HandlerPrefix = "/saml/v2"`
			`)`

			`type Config struct {`
			`ProviderConfig *provider.Config`
			`}`

			`func NewProvider(`
			`conf Config,`
			`externalSecure bool,`
			`command *command.Commands,`
			`query *query.Queries,`
			`repo repository.Repository,`
			`encAlg crypto.EncryptionAlgorithm,`
			`certEncAlg crypto.EncryptionAlgorithm,`
			`es *eventstore.Eventstore,`
perf: query data `AS OF SYSTEM TIME` (#5231) Queries the data in the storage layser at the timestamp when the call hit the API layer 2023-02-27 21:36:43 +00:00			`projections *database.DB,`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`instanceHandler,`
perf: project quotas and usages (#6441) * project quota added * project quota removed * add periods table * make log record generic * accumulate usage * query usage * count action run seconds * fix filter in ReportQuotaUsage * fix existing tests * fix logstore tests * fix typo * fix: add quota unit tests command side * fix: add quota unit tests command side * fix: add quota unit tests command side * move notifications into debouncer and improve limit querying * cleanup * comment * fix: add quota unit tests command side * fix remaining quota usage query * implement InmemLogStorage * cleanup and linting * improve test * fix: add quota unit tests command side * fix: add quota unit tests command side * fix: add quota unit tests command side * fix: add quota unit tests command side * action notifications and fixes for notifications query * revert console prefix * fix: add quota unit tests command side * fix: add quota integration tests * improve accountable requests * improve accountable requests * fix: add quota integration tests * fix: add quota integration tests * fix: add quota integration tests * comment * remove ability to store logs in db and other changes requested from review * changes requested from review * changes requested from review * Update internal/api/http/middleware/access_interceptor.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * tests: fix quotas integration tests * improve incrementUsageStatement * linting * fix: delete e2e tests as intergation tests cover functionality * Update internal/api/http/middleware/access_interceptor.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * backup * fix conflict * create rc * create prerelease * remove issue release labeling * fix tracing --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <stefan@caos.ch> Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2023-09-15 14:58:45 +00:00			`userAgentCookie func(http.Handler) http.Handler,`
			`accessHandler *middleware.AccessInterceptor,`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`) (*provider.Provider, error) {`
			`metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount}`

			`provStorage, err := newStorage(`
			`command,`
			`query,`
			`repo,`
			`encAlg,`
			`certEncAlg,`
			`es,`
			`projections,`
			`)`
			`if err != nil {`
			`return nil, err`
			`}`

			`options := []provider.Option{`
			`provider.WithHttpInterceptors(`
			`middleware.MetricsHandler(metricTypes),`
			`middleware.TelemetryHandler(),`
			`middleware.NoCacheInterceptor().Handler,`
			`instanceHandler,`
			`userAgentCookie,`
feat: block instances (#7129) * docs: fix init description typos * feat: block instances using limits * translate * unit tests * fix translations * redirect /ui/login * fix http interceptor * cleanup * fix http interceptor * fix: delete cookies on gateway 200 * add integration tests * add command test * docs * fix integration tests * add bulk api and integration test * optimize bulk set limits * unit test bulk limits * fix broken link * fix assets middleware * fix broken link * validate instance id format * Update internal/eventstore/search_query.go Co-authored-by: Livio Spring <livio.a@gmail.com> * remove support for owner bulk limit commands * project limits to instances * migrate instances projection * Revert "migrate instances projection" This reverts commit 214218732a56e6df823beac1972adfcf8beeded5. * join limits, remove owner * remove todo * use optional bool * normally validate instance ids * use 302 * cleanup * cleanup * Update internal/api/grpc/system/limits_converter.go Co-authored-by: Livio Spring <livio.a@gmail.com> * remove owner * remove owner from reset --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2024-01-17 10:16:48 +00:00			`accessHandler.HandleWithPublicAuthPathPrefixes(publicAuthPathPrefixes(conf.ProviderConfig)),`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`http_utils.CopyHeadersToContext,`
fix: add https status to activity log (#6978) * fix: add https status to activity log * create prerelease * create RC * pass info from gateway to grpc server * fix: update releaserc to create RC version * cleanup --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-11-28 15:56:29 +00:00			`middleware.ActivityHandler,`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`),`
fix: update saml to v0.0.11 (#5628) * fix: update saml to v0.0.11 * chore: remove unused sum --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2023-04-11 07:39:12 +00:00			`provider.WithCustomTimeFormat("2006-01-02T15:04:05.999Z"),`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`}`
			`if !externalSecure {`
			`options = append(options, provider.WithAllowInsecure())`
			`}`

			`return provider.NewProvider(`
			`provStorage,`
			`HandlerPrefix,`
			`conf.ProviderConfig,`
			`options...,`
			`)`
			`}`

			`func newStorage(`
			`command *command.Commands,`
			`query *query.Queries,`
			`repo repository.Repository,`
			`encAlg crypto.EncryptionAlgorithm,`
			`certEncAlg crypto.EncryptionAlgorithm,`
			`es *eventstore.Eventstore,`
perf: query data `AS OF SYSTEM TIME` (#5231) Queries the data in the storage layser at the timestamp when the call hit the API layer 2023-02-27 21:36:43 +00:00			`db *database.DB,`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`) (*Storage, error) {`
			`return &Storage{`
			`encAlg: encAlg,`
			`certEncAlg: certEncAlg,`
perf: query data `AS OF SYSTEM TIME` (#5231) Queries the data in the storage layser at the timestamp when the call hit the API layer 2023-02-27 21:36:43 +00:00			`locker: crdb.NewLocker(db.DB, locksTable, signingKey),`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`eventstore: es,`
			`repo: repo,`
			`command: command,`
			`query: query,`
			`defaultLoginURL: fmt.Sprintf("%s%s?%s=", login.HandlerPrefix, login.EndpointLogin, login.QueryAuthRequestID),`
			`}, nil`
			`}`
perf: project quotas and usages (#6441) * project quota added * project quota removed * add periods table * make log record generic * accumulate usage * query usage * count action run seconds * fix filter in ReportQuotaUsage * fix existing tests * fix logstore tests * fix typo * fix: add quota unit tests command side * fix: add quota unit tests command side * fix: add quota unit tests command side * move notifications into debouncer and improve limit querying * cleanup * comment * fix: add quota unit tests command side * fix remaining quota usage query * implement InmemLogStorage * cleanup and linting * improve test * fix: add quota unit tests command side * fix: add quota unit tests command side * fix: add quota unit tests command side * fix: add quota unit tests command side * action notifications and fixes for notifications query * revert console prefix * fix: add quota unit tests command side * fix: add quota integration tests * improve accountable requests * improve accountable requests * fix: add quota integration tests * fix: add quota integration tests * fix: add quota integration tests * comment * remove ability to store logs in db and other changes requested from review * changes requested from review * changes requested from review * Update internal/api/http/middleware/access_interceptor.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * tests: fix quotas integration tests * improve incrementUsageStatement * linting * fix: delete e2e tests as intergation tests cover functionality * Update internal/api/http/middleware/access_interceptor.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * backup * fix conflict * create rc * create prerelease * remove issue release labeling * fix tracing --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <stefan@caos.ch> Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2023-09-15 14:58:45 +00:00
feat: block instances (#7129) * docs: fix init description typos * feat: block instances using limits * translate * unit tests * fix translations * redirect /ui/login * fix http interceptor * cleanup * fix http interceptor * fix: delete cookies on gateway 200 * add integration tests * add command test * docs * fix integration tests * add bulk api and integration test * optimize bulk set limits * unit test bulk limits * fix broken link * fix assets middleware * fix broken link * validate instance id format * Update internal/eventstore/search_query.go Co-authored-by: Livio Spring <livio.a@gmail.com> * remove support for owner bulk limit commands * project limits to instances * migrate instances projection * Revert "migrate instances projection" This reverts commit 214218732a56e6df823beac1972adfcf8beeded5. * join limits, remove owner * remove todo * use optional bool * normally validate instance ids * use 302 * cleanup * cleanup * Update internal/api/grpc/system/limits_converter.go Co-authored-by: Livio Spring <livio.a@gmail.com> * remove owner * remove owner from reset --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2024-01-17 10:16:48 +00:00			`func publicAuthPathPrefixes(config *provider.Config) []string {`
perf: project quotas and usages (#6441) * project quota added * project quota removed * add periods table * make log record generic * accumulate usage * query usage * count action run seconds * fix filter in ReportQuotaUsage * fix existing tests * fix logstore tests * fix typo * fix: add quota unit tests command side * fix: add quota unit tests command side * fix: add quota unit tests command side * move notifications into debouncer and improve limit querying * cleanup * comment * fix: add quota unit tests command side * fix remaining quota usage query * implement InmemLogStorage * cleanup and linting * improve test * fix: add quota unit tests command side * fix: add quota unit tests command side * fix: add quota unit tests command side * fix: add quota unit tests command side * action notifications and fixes for notifications query * revert console prefix * fix: add quota unit tests command side * fix: add quota integration tests * improve accountable requests * improve accountable requests * fix: add quota integration tests * fix: add quota integration tests * fix: add quota integration tests * comment * remove ability to store logs in db and other changes requested from review * changes requested from review * changes requested from review * Update internal/api/http/middleware/access_interceptor.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * tests: fix quotas integration tests * improve incrementUsageStatement * linting * fix: delete e2e tests as intergation tests cover functionality * Update internal/api/http/middleware/access_interceptor.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * backup * fix conflict * create rc * create prerelease * remove issue release labeling * fix tracing --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <stefan@caos.ch> Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2023-09-15 14:58:45 +00:00			`metadataEndpoint := HandlerPrefix + provider.DefaultMetadataEndpoint`
			`certificateEndpoint := HandlerPrefix + provider.DefaultCertificateEndpoint`
			`ssoEndpoint := HandlerPrefix + provider.DefaultSingleSignOnEndpoint`
			`if config.MetadataConfig != nil && config.MetadataConfig.Path != "" {`
			`metadataEndpoint = HandlerPrefix + config.MetadataConfig.Path`
			`}`
			`if config.IDPConfig == nil \|\| config.IDPConfig.Endpoints == nil {`
			`return []string{metadataEndpoint, certificateEndpoint, ssoEndpoint}`
			`}`
			`if config.IDPConfig.Endpoints.Certificate != nil && config.IDPConfig.Endpoints.Certificate.Relative() != "" {`
			`certificateEndpoint = HandlerPrefix + config.IDPConfig.Endpoints.Certificate.Relative()`
			`}`
			`if config.IDPConfig.Endpoints.SingleSignOn != nil && config.IDPConfig.Endpoints.SingleSignOn.Relative() != "" {`
			`ssoEndpoint = HandlerPrefix + config.IDPConfig.Endpoints.SingleSignOn.Relative()`
			`}`
			`return []string{metadataEndpoint, certificateEndpoint, ssoEndpoint}`
			`}`