zitadel/internal/api/ui/login/login.go

package login

import (
	"context"
	"fmt"
	"net/http"

	"github.com/gorilla/csrf"
	"github.com/gorilla/mux"
	"github.com/rakyll/statik/fs"

	"github.com/caos/zitadel/internal/api/authz"
	http_utils "github.com/caos/zitadel/internal/api/http"
	"github.com/caos/zitadel/internal/api/http/middleware"
	_ "github.com/caos/zitadel/internal/api/ui/login/statik"
	auth_repository "github.com/caos/zitadel/internal/auth/repository"
	"github.com/caos/zitadel/internal/auth/repository/eventsourcing"
	"github.com/caos/zitadel/internal/command"
	"github.com/caos/zitadel/internal/config/systemdefaults"
	"github.com/caos/zitadel/internal/crypto"
	"github.com/caos/zitadel/internal/domain"
	"github.com/caos/zitadel/internal/form"
	"github.com/caos/zitadel/internal/query"
	"github.com/caos/zitadel/internal/static"
)

type Login struct {
	endpoint      string
	router        http.Handler
	renderer      *Renderer
	parser        *form.Parser
	command       *command.Commands
	query         *query.Queries
	staticStorage static.Storage
	//staticCache         cache.Cache //TODO: enable when storage is implemented again
	authRepo            auth_repository.Repository
	baseURL             string
	consolePath         string
	oidcAuthCallbackURL string
	idpConfigAlg        crypto.EncryptionAlgorithm
	userCodeAlg         crypto.EncryptionAlgorithm
	iamDomain           string
}

type Config struct {
	LanguageCookieName string
	CSRFCookieName     string
	Cache              middleware.CacheConfig
	//StaticCache         cache_config.CacheConfig //TODO: enable when storage is implemented again
}

const (
	login                = "LOGIN"
	HandlerPrefix        = "/ui/login"
	DefaultLoggedOutPath = HandlerPrefix + EndpointLogoutDone
)

func CreateLogin(config Config,
	command *command.Commands,
	query *query.Queries,
	authRepo *eventsourcing.EsRepository,
	staticStorage static.Storage,
	systemDefaults systemdefaults.SystemDefaults,
	consolePath,
	domain,
	baseURL,
	oidcAuthCallbackURL string,
	externalSecure bool,
	userAgentCookie mux.MiddlewareFunc,
	userCodeAlg crypto.EncryptionAlgorithm,
	idpConfigAlg crypto.EncryptionAlgorithm,
	csrfCookieKey []byte,
) (*Login, error) {

	login := &Login{
		oidcAuthCallbackURL: oidcAuthCallbackURL,
		baseURL:             baseURL + HandlerPrefix,
		consolePath:         consolePath,
		command:             command,
		query:               query,
		staticStorage:       staticStorage,
		authRepo:            authRepo,
		iamDomain:           domain,
		idpConfigAlg:        idpConfigAlg,
		userCodeAlg:         userCodeAlg,
	}
	//TODO: enable when storage is implemented again
	//login.staticCache, err = config.StaticCache.Config.NewCache()
	//if err != nil {
	//	return nil, fmt.Errorf("unable to create storage cache: %w", err)
	//}

	statikFS, err := fs.NewWithNamespace("login")
	if err != nil {
		return nil, fmt.Errorf("unable to create filesystem: %w", err)
	}

	csrfInterceptor, err := createCSRFInterceptor(config.CSRFCookieName, csrfCookieKey, externalSecure, login.csrfErrorHandler())
	if err != nil {
		return nil, fmt.Errorf("unable to create csrfInterceptor: %w", err)
	}
	cacheInterceptor, err := middleware.DefaultCacheInterceptor(EndpointResources, config.Cache.MaxAge, config.Cache.SharedMaxAge)
	if err != nil {
		return nil, fmt.Errorf("unable to create cacheInterceptor: %w", err)
	}
	security := middleware.SecurityHeaders(csp(), login.cspErrorHandler)
	login.router = CreateRouter(login, statikFS, csrfInterceptor, cacheInterceptor, security, userAgentCookie, middleware.TelemetryHandler(EndpointResources))
	login.renderer = CreateRenderer(HandlerPrefix, statikFS, staticStorage, config.LanguageCookieName, systemDefaults.DefaultLanguage)
	login.parser = form.NewParser()
	return login, nil
}

func csp() *middleware.CSP {
	csp := middleware.DefaultSCP
	csp.ObjectSrc = middleware.CSPSourceOptsSelf()
	csp.StyleSrc = csp.StyleSrc.AddNonce()
	csp.ScriptSrc = csp.ScriptSrc.AddNonce()
	return &csp
}

func createCSRFInterceptor(cookieName string, csrfCookieKey []byte, externalSecure bool, errorHandler http.Handler) (func(http.Handler) http.Handler, error) {
	path := "/"
	return csrf.Protect(csrfCookieKey,
		csrf.Secure(externalSecure),
		csrf.CookieName(http_utils.SetCookiePrefix(cookieName, "", path, externalSecure)),
		csrf.Path(path),
		csrf.ErrorHandler(errorHandler),
	), nil
}

func (l *Login) Handler() http.Handler {
	return l.router
}

func (l *Login) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgName string) ([]string, error) {
	loginName, err := query.NewUserPreferredLoginNameSearchQuery("@"+domain.NewIAMDomainName(orgName, l.iamDomain), query.TextEndsWithIgnoreCase)
	if err != nil {
		return nil, err
	}
	users, err := l.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: []query.SearchQuery{loginName}})
	if err != nil {
		return nil, err
	}
	userIDs := make([]string, len(users.Users))
	for i, user := range users.Users {
		userIDs[i] = user.ID
	}
	return userIDs, nil
}

func setContext(ctx context.Context, resourceOwner string) context.Context {
	data := authz.CtxData{
		UserID: login,
		OrgID:  resourceOwner,
	}
	return authz.SetCtxData(ctx, data)
}
feat: run on a single port (#3163) * start v2 * start * run * some cleanup * remove v2 pkg again * simplify * webauthn * remove unused config * fix login path in Dockerfile * fix asset_generator.go * health handler * fix grpc web * refactor * merge * build new main.go * run new main.go * update logging pkg * fix error msg * update logging * cleanup * cleanup * go mod tidy * change localDevMode * fix customEndpoints * update logging * comments * change local flag to external configs * fix location generated go code * fix Co-authored-by: fforootd <florian@caos.ch> 2022-02-14 17:22:30 +01:00			`package login`

			`import (`
			`"context"`
			`"fmt"`
			`"net/http"`

			`"github.com/gorilla/csrf"`
			`"github.com/gorilla/mux"`
			`"github.com/rakyll/statik/fs"`

			`"github.com/caos/zitadel/internal/api/authz"`
			`http_utils "github.com/caos/zitadel/internal/api/http"`
			`"github.com/caos/zitadel/internal/api/http/middleware"`
			`_ "github.com/caos/zitadel/internal/api/ui/login/statik"`
			`auth_repository "github.com/caos/zitadel/internal/auth/repository"`
			`"github.com/caos/zitadel/internal/auth/repository/eventsourcing"`
			`"github.com/caos/zitadel/internal/command"`
			`"github.com/caos/zitadel/internal/config/systemdefaults"`
			`"github.com/caos/zitadel/internal/crypto"`
			`"github.com/caos/zitadel/internal/domain"`
			`"github.com/caos/zitadel/internal/form"`
			`"github.com/caos/zitadel/internal/query"`
			`"github.com/caos/zitadel/internal/static"`
			`)`

			`type Login struct {`
			`endpoint string`
			`router http.Handler`
			`renderer *Renderer`
			`parser *form.Parser`
			`command *command.Commands`
			`query *query.Queries`
			`staticStorage static.Storage`
			`//staticCache cache.Cache //TODO: enable when storage is implemented again`
			`authRepo auth_repository.Repository`
			`baseURL string`
feat: encryption keys in database (#3265) * enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message 2022-03-14 07:55:09 +01:00			`consolePath string`
feat: run on a single port (#3163) * start v2 * start * run * some cleanup * remove v2 pkg again * simplify * webauthn * remove unused config * fix login path in Dockerfile * fix asset_generator.go * health handler * fix grpc web * refactor * merge * build new main.go * run new main.go * update logging pkg * fix error msg * update logging * cleanup * cleanup * go mod tidy * change localDevMode * fix customEndpoints * update logging * comments * change local flag to external configs * fix location generated go code * fix Co-authored-by: fforootd <florian@caos.ch> 2022-02-14 17:22:30 +01:00			`oidcAuthCallbackURL string`
feat: encryption keys in database (#3265) * enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message 2022-03-14 07:55:09 +01:00			`idpConfigAlg crypto.EncryptionAlgorithm`
			`userCodeAlg crypto.EncryptionAlgorithm`
feat: run on a single port (#3163) * start v2 * start * run * some cleanup * remove v2 pkg again * simplify * webauthn * remove unused config * fix login path in Dockerfile * fix asset_generator.go * health handler * fix grpc web * refactor * merge * build new main.go * run new main.go * update logging pkg * fix error msg * update logging * cleanup * cleanup * go mod tidy * change localDevMode * fix customEndpoints * update logging * comments * change local flag to external configs * fix location generated go code * fix Co-authored-by: fforootd <florian@caos.ch> 2022-02-14 17:22:30 +01:00			`iamDomain string`
			`}`

			`type Config struct {`
			`LanguageCookieName string`
feat: encryption keys in database (#3265) * enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message 2022-03-14 07:55:09 +01:00			`CSRFCookieName string`
feat: run on a single port (#3163) * start v2 * start * run * some cleanup * remove v2 pkg again * simplify * webauthn * remove unused config * fix login path in Dockerfile * fix asset_generator.go * health handler * fix grpc web * refactor * merge * build new main.go * run new main.go * update logging pkg * fix error msg * update logging * cleanup * cleanup * go mod tidy * change localDevMode * fix customEndpoints * update logging * comments * change local flag to external configs * fix location generated go code * fix Co-authored-by: fforootd <florian@caos.ch> 2022-02-14 17:22:30 +01:00			`Cache middleware.CacheConfig`
			`//StaticCache cache_config.CacheConfig //TODO: enable when storage is implemented again`
			`}`

			`const (`
			`login = "LOGIN"`
			`HandlerPrefix = "/ui/login"`
			`DefaultLoggedOutPath = HandlerPrefix + EndpointLogoutDone`
			`)`

feat: encryption keys in database (#3265) * enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message 2022-03-14 07:55:09 +01:00			`func CreateLogin(config Config,`
			`command *command.Commands,`
			`query *query.Queries,`
			`authRepo *eventsourcing.EsRepository,`
			`staticStorage static.Storage,`
			`systemDefaults systemdefaults.SystemDefaults,`
			`consolePath,`
			`domain,`
			`baseURL,`
			`oidcAuthCallbackURL string,`
			`externalSecure bool,`
			`userAgentCookie mux.MiddlewareFunc,`
			`userCodeAlg crypto.EncryptionAlgorithm,`
			`idpConfigAlg crypto.EncryptionAlgorithm,`
			`csrfCookieKey []byte,`
			`) (*Login, error) {`

feat: run on a single port (#3163) * start v2 * start * run * some cleanup * remove v2 pkg again * simplify * webauthn * remove unused config * fix login path in Dockerfile * fix asset_generator.go * health handler * fix grpc web * refactor * merge * build new main.go * run new main.go * update logging pkg * fix error msg * update logging * cleanup * cleanup * go mod tidy * change localDevMode * fix customEndpoints * update logging * comments * change local flag to external configs * fix location generated go code * fix Co-authored-by: fforootd <florian@caos.ch> 2022-02-14 17:22:30 +01:00			`login := &Login{`
			`oidcAuthCallbackURL: oidcAuthCallbackURL,`
feat: encryption keys in database (#3265) * enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message 2022-03-14 07:55:09 +01:00			`baseURL: baseURL + HandlerPrefix,`
			`consolePath: consolePath,`
feat: run on a single port (#3163) * start v2 * start * run * some cleanup * remove v2 pkg again * simplify * webauthn * remove unused config * fix login path in Dockerfile * fix asset_generator.go * health handler * fix grpc web * refactor * merge * build new main.go * run new main.go * update logging pkg * fix error msg * update logging * cleanup * cleanup * go mod tidy * change localDevMode * fix customEndpoints * update logging * comments * change local flag to external configs * fix location generated go code * fix Co-authored-by: fforootd <florian@caos.ch> 2022-02-14 17:22:30 +01:00			`command: command,`
			`query: query,`
			`staticStorage: staticStorage,`
			`authRepo: authRepo,`
			`iamDomain: domain,`
feat: encryption keys in database (#3265) * enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message 2022-03-14 07:55:09 +01:00			`idpConfigAlg: idpConfigAlg,`
			`userCodeAlg: userCodeAlg,`
feat: run on a single port (#3163) * start v2 * start * run * some cleanup * remove v2 pkg again * simplify * webauthn * remove unused config * fix login path in Dockerfile * fix asset_generator.go * health handler * fix grpc web * refactor * merge * build new main.go * run new main.go * update logging pkg * fix error msg * update logging * cleanup * cleanup * go mod tidy * change localDevMode * fix customEndpoints * update logging * comments * change local flag to external configs * fix location generated go code * fix Co-authored-by: fforootd <florian@caos.ch> 2022-02-14 17:22:30 +01:00			`}`
			`//TODO: enable when storage is implemented again`
			`//login.staticCache, err = config.StaticCache.Config.NewCache()`
			`//if err != nil {`
			`// return nil, fmt.Errorf("unable to create storage cache: %w", err)`
			`//}`

			`statikFS, err := fs.NewWithNamespace("login")`
			`if err != nil {`
			`return nil, fmt.Errorf("unable to create filesystem: %w", err)`
			`}`

feat: encryption keys in database (#3265) * enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message 2022-03-14 07:55:09 +01:00			`csrfInterceptor, err := createCSRFInterceptor(config.CSRFCookieName, csrfCookieKey, externalSecure, login.csrfErrorHandler())`
feat: run on a single port (#3163) * start v2 * start * run * some cleanup * remove v2 pkg again * simplify * webauthn * remove unused config * fix login path in Dockerfile * fix asset_generator.go * health handler * fix grpc web * refactor * merge * build new main.go * run new main.go * update logging pkg * fix error msg * update logging * cleanup * cleanup * go mod tidy * change localDevMode * fix customEndpoints * update logging * comments * change local flag to external configs * fix location generated go code * fix Co-authored-by: fforootd <florian@caos.ch> 2022-02-14 17:22:30 +01:00			`if err != nil {`
			`return nil, fmt.Errorf("unable to create csrfInterceptor: %w", err)`
			`}`
			`cacheInterceptor, err := middleware.DefaultCacheInterceptor(EndpointResources, config.Cache.MaxAge, config.Cache.SharedMaxAge)`
			`if err != nil {`
			`return nil, fmt.Errorf("unable to create cacheInterceptor: %w", err)`
			`}`
			`security := middleware.SecurityHeaders(csp(), login.cspErrorHandler)`
			`login.router = CreateRouter(login, statikFS, csrfInterceptor, cacheInterceptor, security, userAgentCookie, middleware.TelemetryHandler(EndpointResources))`
			`login.renderer = CreateRenderer(HandlerPrefix, statikFS, staticStorage, config.LanguageCookieName, systemDefaults.DefaultLanguage)`
			`login.parser = form.NewParser()`
			`return login, nil`
			`}`

			`func csp() *middleware.CSP {`
			`csp := middleware.DefaultSCP`
			`csp.ObjectSrc = middleware.CSPSourceOptsSelf()`
			`csp.StyleSrc = csp.StyleSrc.AddNonce()`
			`csp.ScriptSrc = csp.ScriptSrc.AddNonce()`
			`return &csp`
			`}`

feat: encryption keys in database (#3265) * enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message 2022-03-14 07:55:09 +01:00			`func createCSRFInterceptor(cookieName string, csrfCookieKey []byte, externalSecure bool, errorHandler http.Handler) (func(http.Handler) http.Handler, error) {`
feat: run on a single port (#3163) * start v2 * start * run * some cleanup * remove v2 pkg again * simplify * webauthn * remove unused config * fix login path in Dockerfile * fix asset_generator.go * health handler * fix grpc web * refactor * merge * build new main.go * run new main.go * update logging pkg * fix error msg * update logging * cleanup * cleanup * go mod tidy * change localDevMode * fix customEndpoints * update logging * comments * change local flag to external configs * fix location generated go code * fix Co-authored-by: fforootd <florian@caos.ch> 2022-02-14 17:22:30 +01:00			`path := "/"`
feat: encryption keys in database (#3265) * enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message 2022-03-14 07:55:09 +01:00			`return csrf.Protect(csrfCookieKey,`
feat: run on a single port (#3163) * start v2 * start * run * some cleanup * remove v2 pkg again * simplify * webauthn * remove unused config * fix login path in Dockerfile * fix asset_generator.go * health handler * fix grpc web * refactor * merge * build new main.go * run new main.go * update logging pkg * fix error msg * update logging * cleanup * cleanup * go mod tidy * change localDevMode * fix customEndpoints * update logging * comments * change local flag to external configs * fix location generated go code * fix Co-authored-by: fforootd <florian@caos.ch> 2022-02-14 17:22:30 +01:00			`csrf.Secure(externalSecure),`
feat: encryption keys in database (#3265) * enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message 2022-03-14 07:55:09 +01:00			`csrf.CookieName(http_utils.SetCookiePrefix(cookieName, "", path, externalSecure)),`
feat: run on a single port (#3163) * start v2 * start * run * some cleanup * remove v2 pkg again * simplify * webauthn * remove unused config * fix login path in Dockerfile * fix asset_generator.go * health handler * fix grpc web * refactor * merge * build new main.go * run new main.go * update logging pkg * fix error msg * update logging * cleanup * cleanup * go mod tidy * change localDevMode * fix customEndpoints * update logging * comments * change local flag to external configs * fix location generated go code * fix Co-authored-by: fforootd <florian@caos.ch> 2022-02-14 17:22:30 +01:00			`csrf.Path(path),`
			`csrf.ErrorHandler(errorHandler),`
			`), nil`
			`}`

			`func (l *Login) Handler() http.Handler {`
			`return l.router`
			`}`

			`func (l *Login) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgName string) ([]string, error) {`
			`loginName, err := query.NewUserPreferredLoginNameSearchQuery("@"+domain.NewIAMDomainName(orgName, l.iamDomain), query.TextEndsWithIgnoreCase)`
			`if err != nil {`
			`return nil, err`
			`}`
			`users, err := l.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: []query.SearchQuery{loginName}})`
			`if err != nil {`
			`return nil, err`
			`}`
			`userIDs := make([]string, len(users.Users))`
			`for i, user := range users.Users {`
			`userIDs[i] = user.ID`
			`}`
			`return userIDs, nil`
			`}`

			`func setContext(ctx context.Context, resourceOwner string) context.Context {`
			`data := authz.CtxData{`
			`UserID: login,`
			`OrgID: resourceOwner,`
			`}`
			`return authz.SetCtxData(ctx, data)`
			`}`