zitadel/internal/command/project_application_saml.go

package command

import (
	"context"

	"github.com/zitadel/saml/pkg/provider/xml"

	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/eventstore"
	"github.com/zitadel/zitadel/internal/repository/project"
	"github.com/zitadel/zitadel/internal/zerrors"
)

func (c *Commands) AddSAMLApplication(ctx context.Context, application *domain.SAMLApp, resourceOwner string) (_ *domain.SAMLApp, err error) {
	if application == nil || application.AggregateID == "" {
		return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-35Fn0", "Errors.Project.App.Invalid")
	}

	if _, err := c.checkProjectExists(ctx, application.AggregateID, resourceOwner); err != nil {
		return nil, err
	}
	addedApplication := NewSAMLApplicationWriteModel(application.AggregateID, resourceOwner)
	projectAgg := ProjectAggregateFromWriteModel(&addedApplication.WriteModel)
	events, err := c.addSAMLApplication(ctx, projectAgg, application)
	if err != nil {
		return nil, err
	}
	addedApplication.AppID = application.AppID
	postCommit, err := c.applicationCreatedMilestone(ctx, &events)
	if err != nil {
		return nil, err
	}
	pushedEvents, err := c.eventstore.Push(ctx, events...)
	if err != nil {
		return nil, err
	}
	postCommit(ctx)
	err = AppendAndReduce(addedApplication, pushedEvents...)
	if err != nil {
		return nil, err
	}
	result := samlWriteModelToSAMLConfig(addedApplication)
	return result, nil
}

func (c *Commands) addSAMLApplication(ctx context.Context, projectAgg *eventstore.Aggregate, samlApp *domain.SAMLApp) (events []eventstore.Command, err error) {

	if samlApp.AppName == "" || !samlApp.IsValid() {
		return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-1n9df", "Errors.Project.App.Invalid")
	}

	if samlApp.Metadata == nil && samlApp.MetadataURL == "" {
		return nil, zerrors.ThrowInvalidArgument(nil, "SAML-podix9", "Errors.Project.App.SAMLMetadataMissing")
	}

	if samlApp.MetadataURL != "" {
		data, err := xml.ReadMetadataFromURL(c.httpClient, samlApp.MetadataURL)
		if err != nil {
			return nil, zerrors.ThrowInvalidArgument(err, "SAML-wmqlo1", "Errors.Project.App.SAMLMetadataMissing")
		}
		samlApp.Metadata = data
	}

	entity, err := xml.ParseMetadataXmlIntoStruct(samlApp.Metadata)
	if err != nil {
		return nil, zerrors.ThrowInvalidArgument(err, "SAML-bquso", "Errors.Project.App.SAMLMetadataFormat")
	}

	samlApp.AppID, err = c.idGenerator.Next()
	if err != nil {
		return nil, err
	}

	return []eventstore.Command{
		project.NewApplicationAddedEvent(ctx, projectAgg, samlApp.AppID, samlApp.AppName),
		project.NewSAMLConfigAddedEvent(ctx,
			projectAgg,
			samlApp.AppID,
			string(entity.EntityID),
			samlApp.Metadata,
			samlApp.MetadataURL,
			samlApp.LoginVersion,
			samlApp.LoginBaseURI,
		),
	}, nil
}

func (c *Commands) ChangeSAMLApplication(ctx context.Context, samlApp *domain.SAMLApp, resourceOwner string) (*domain.SAMLApp, error) {
	if !samlApp.IsValid() || samlApp.AppID == "" || samlApp.AggregateID == "" {
		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-5n9fs", "Errors.Project.App.SAMLConfigInvalid")
	}

	existingSAML, err := c.getSAMLAppWriteModel(ctx, samlApp.AggregateID, samlApp.AppID, resourceOwner)
	if err != nil {
		return nil, err
	}
	if existingSAML.State == domain.AppStateUnspecified || existingSAML.State == domain.AppStateRemoved {
		return nil, zerrors.ThrowNotFound(nil, "COMMAND-2n8uU", "Errors.Project.App.NotExisting")
	}
	if !existingSAML.IsSAML() {
		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-GBr35", "Errors.Project.App.IsNotSAML")
	}
	projectAgg := ProjectAggregateFromWriteModel(&existingSAML.WriteModel)

	if samlApp.MetadataURL != "" {
		data, err := xml.ReadMetadataFromURL(c.httpClient, samlApp.MetadataURL)
		if err != nil {
			return nil, zerrors.ThrowInvalidArgument(err, "SAML-J3kg3", "Errors.Project.App.SAMLMetadataMissing")
		}
		samlApp.Metadata = data
	}

	entity, err := xml.ParseMetadataXmlIntoStruct(samlApp.Metadata)
	if err != nil {
		return nil, zerrors.ThrowInvalidArgument(err, "SAML-3fk2b", "Errors.Project.App.SAMLMetadataFormat")
	}

	changedEvent, hasChanged, err := existingSAML.NewChangedEvent(
		ctx,
		projectAgg,
		samlApp.AppID,
		string(entity.EntityID),
		samlApp.Metadata,
		samlApp.MetadataURL,
		samlApp.LoginVersion,
		samlApp.LoginBaseURI,
	)
	if err != nil {
		return nil, err
	}
	if !hasChanged {
		return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-1m88i", "Errors.NoChangesFound")
	}

	pushedEvents, err := c.eventstore.Push(ctx, changedEvent)
	if err != nil {
		return nil, err
	}
	err = AppendAndReduce(existingSAML, pushedEvents...)
	if err != nil {
		return nil, err
	}

	return samlWriteModelToSAMLConfig(existingSAML), nil
}

func (c *Commands) getSAMLAppWriteModel(ctx context.Context, projectID, appID, resourceOwner string) (*SAMLApplicationWriteModel, error) {
	appWriteModel := NewSAMLApplicationWriteModelWithAppID(projectID, appID, resourceOwner)
	err := c.eventstore.FilterToQueryReducer(ctx, appWriteModel)
	if err != nil {
		return nil, err
	}
	return appWriteModel, nil
}
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`package command`

			`import (`
			`"context"`

			`"github.com/zitadel/saml/pkg/provider/xml"`

			`"github.com/zitadel/zitadel/internal/domain"`
			`"github.com/zitadel/zitadel/internal/eventstore"`
			`"github.com/zitadel/zitadel/internal/repository/project"`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 16:30:55 +02:00			`"github.com/zitadel/zitadel/internal/zerrors"`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`)`

			`func (c Commands) AddSAMLApplication(ctx context.Context, application domain.SAMLApp, resourceOwner string) (_ *domain.SAMLApp, err error) {`
			`if application == nil \|\| application.AggregateID == "" {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 16:30:55 +02:00			`return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-35Fn0", "Errors.Project.App.Invalid")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`}`

feat: project v2beta resource API (#9742) # Which Problems Are Solved Resource management of projects and sub-resources was before limited by the context provided by the management API, which would mean you could only manage resources belonging to a specific organization. # How the Problems Are Solved With the addition of a resource-based API, it is now possible to manage projects and sub-resources on the basis of the resources themselves, which means that as long as you have the permission for the resource, you can create, read, update and delete it. - CreateProject to create a project under an organization - UpdateProject to update an existing project - DeleteProject to delete an existing project - DeactivateProject and ActivateProject to change the status of a project - GetProject to query for a specific project with an identifier - ListProject to query for projects and granted projects - CreateProjectGrant to create a project grant with project and granted organization - UpdateProjectGrant to update the roles of a project grant - DeactivateProjectGrant and ActivateProjectGrant to change the status of a project grant - DeleteProjectGrant to delete an existing project grant - ListProjectGrants to query for project grants - AddProjectRole to add a role to an existing project - UpdateProjectRole to change texts of an existing role - RemoveProjectRole to remove an existing role - ListProjectRoles to query for project roles # Additional Changes - Changes to ListProjects, which now contains granted projects as well - Changes to messages as defined in the [API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md) - Permission checks for project functionality on query and command side - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - ListProjects now also correctly lists `granted projects` - Permission checks for project grant and project role functionality on query and command side - Change existing pre checks so that they also work resource specific without resourceowner - Added the resourceowner to the grant and role if no resourceowner is provided - Corrected import tests with project grants and roles - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - Corrected some naming in the proto files to adhere to the API_DESIGN # Additional Context Closes #9177 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-05-21 14:40:47 +02:00			`if _, err := c.checkProjectExists(ctx, application.AggregateID, resourceOwner); err != nil {`
fix: no project owner at project creation and cleanup (#9317) # Which Problems Are Solved Project creation always requires a user as project owner, in case of a system user creating the project, there is no valid user existing at that moment. # How the Problems Are Solved Remove the initially created project owner membership, as this is something which was necessary in old versions, and all should work perfectly without. The call to add a project automatically designates the calling user as the project owner, which is irrelevant currently, as this user always already has higher permissions to be able to even create the project. # Additional Changes Cleanup of the existing checks for the project, which can be improved through the usage of the fields table. # Additional Context Closes #9182 2025-02-12 12:48:28 +01:00			`return nil, err`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`}`
			`addedApplication := NewSAMLApplicationWriteModel(application.AggregateID, resourceOwner)`
			`projectAgg := ProjectAggregateFromWriteModel(&addedApplication.WriteModel)`
			`events, err := c.addSAMLApplication(ctx, projectAgg, application)`
			`if err != nil {`
			`return nil, err`
			`}`
			`addedApplication.AppID = application.AppID`
perf(milestones): refactor (#8788) # Which Problems Are Solved Milestones used existing events from a number of aggregates. OIDC session is one of them. We noticed in load-tests that the reduction of the oidc_session.added event into the milestone projection is a costly business with payload based conditionals. A milestone is reached once, but even then we remain subscribed to the OIDC events. This requires the projections.current_states to be updated continuously. # How the Problems Are Solved The milestone creation is refactored to use dedicated events instead. The command side decides when a milestone is reached and creates the reached event once for each milestone when required. # Additional Changes In order to prevent reached milestones being created twice, a migration script is provided. When the old `projections.milestones` table exist, the state is read from there and `v2` milestone aggregate events are created, with the original reached and pushed dates. # Additional Context - Closes https://github.com/zitadel/zitadel/issues/8800 2024-10-28 09:29:34 +01:00			`postCommit, err := c.applicationCreatedMilestone(ctx, &events)`
			`if err != nil {`
			`return nil, err`
			`}`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`pushedEvents, err := c.eventstore.Push(ctx, events...)`
			`if err != nil {`
			`return nil, err`
			`}`
perf(milestones): refactor (#8788) # Which Problems Are Solved Milestones used existing events from a number of aggregates. OIDC session is one of them. We noticed in load-tests that the reduction of the oidc_session.added event into the milestone projection is a costly business with payload based conditionals. A milestone is reached once, but even then we remain subscribed to the OIDC events. This requires the projections.current_states to be updated continuously. # How the Problems Are Solved The milestone creation is refactored to use dedicated events instead. The command side decides when a milestone is reached and creates the reached event once for each milestone when required. # Additional Changes In order to prevent reached milestones being created twice, a migration script is provided. When the old `projections.milestones` table exist, the state is read from there and `v2` milestone aggregate events are created, with the original reached and pushed dates. # Additional Context - Closes https://github.com/zitadel/zitadel/issues/8800 2024-10-28 09:29:34 +01:00			`postCommit(ctx)`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`err = AppendAndReduce(addedApplication, pushedEvents...)`
			`if err != nil {`
			`return nil, err`
			`}`
			`result := samlWriteModelToSAMLConfig(addedApplication)`
			`return result, nil`
			`}`

			`func (c Commands) addSAMLApplication(ctx context.Context, projectAgg eventstore.Aggregate, samlApp *domain.SAMLApp) (events []eventstore.Command, err error) {`

			`if samlApp.AppName == "" \|\| !samlApp.IsValid() {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 16:30:55 +02:00			`return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-1n9df", "Errors.Project.App.Invalid")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`}`

			`if samlApp.Metadata == nil && samlApp.MetadataURL == "" {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 16:30:55 +02:00			`return nil, zerrors.ThrowInvalidArgument(nil, "SAML-podix9", "Errors.Project.App.SAMLMetadataMissing")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`}`

			`if samlApp.MetadataURL != "" {`
			`data, err := xml.ReadMetadataFromURL(c.httpClient, samlApp.MetadataURL)`
			`if err != nil {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 16:30:55 +02:00			`return nil, zerrors.ThrowInvalidArgument(err, "SAML-wmqlo1", "Errors.Project.App.SAMLMetadataMissing")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`}`
			`samlApp.Metadata = data`
			`}`

			`entity, err := xml.ParseMetadataXmlIntoStruct(samlApp.Metadata)`
			`if err != nil {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 16:30:55 +02:00			`return nil, zerrors.ThrowInvalidArgument(err, "SAML-bquso", "Errors.Project.App.SAMLMetadataFormat")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`}`

			`samlApp.AppID, err = c.idGenerator.Next()`
			`if err != nil {`
			`return nil, err`
			`}`

			`return []eventstore.Command{`
			`project.NewApplicationAddedEvent(ctx, projectAgg, samlApp.AppID, samlApp.AppName),`
			`project.NewSAMLConfigAddedEvent(ctx,`
			`projectAgg,`
			`samlApp.AppID,`
			`string(entity.EntityID),`
			`samlApp.Metadata,`
			`samlApp.MetadataURL,`
feat: saml application configuration for login version (#9351) # Which Problems Are Solved OIDC applications can configure the used login version, which is currently not possible for SAML applications. # How the Problems Are Solved Add the same functionality dependent on the feature-flag for SAML applications. # Additional Changes None # Additional Context Closes #9267 Follow up issue for frontend changes #9354 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-02-13 17:03:05 +01:00			`samlApp.LoginVersion,`
			`samlApp.LoginBaseURI,`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`),`
			`}, nil`
			`}`

			`func (c Commands) ChangeSAMLApplication(ctx context.Context, samlApp domain.SAMLApp, resourceOwner string) (*domain.SAMLApp, error) {`
			`if !samlApp.IsValid() \|\| samlApp.AppID == "" \|\| samlApp.AggregateID == "" {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 16:30:55 +02:00			`return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-5n9fs", "Errors.Project.App.SAMLConfigInvalid")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`}`

			`existingSAML, err := c.getSAMLAppWriteModel(ctx, samlApp.AggregateID, samlApp.AppID, resourceOwner)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if existingSAML.State == domain.AppStateUnspecified \|\| existingSAML.State == domain.AppStateRemoved {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 16:30:55 +02:00			`return nil, zerrors.ThrowNotFound(nil, "COMMAND-2n8uU", "Errors.Project.App.NotExisting")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`}`
			`if !existingSAML.IsSAML() {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 16:30:55 +02:00			`return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-GBr35", "Errors.Project.App.IsNotSAML")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`}`
			`projectAgg := ProjectAggregateFromWriteModel(&existingSAML.WriteModel)`

			`if samlApp.MetadataURL != "" {`
			`data, err := xml.ReadMetadataFromURL(c.httpClient, samlApp.MetadataURL)`
			`if err != nil {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 16:30:55 +02:00			`return nil, zerrors.ThrowInvalidArgument(err, "SAML-J3kg3", "Errors.Project.App.SAMLMetadataMissing")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`}`
			`samlApp.Metadata = data`
			`}`

			`entity, err := xml.ParseMetadataXmlIntoStruct(samlApp.Metadata)`
			`if err != nil {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 16:30:55 +02:00			`return nil, zerrors.ThrowInvalidArgument(err, "SAML-3fk2b", "Errors.Project.App.SAMLMetadataFormat")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`}`

			`changedEvent, hasChanged, err := existingSAML.NewChangedEvent(`
			`ctx,`
			`projectAgg,`
			`samlApp.AppID,`
			`string(entity.EntityID),`
			`samlApp.Metadata,`
feat: saml application configuration for login version (#9351) # Which Problems Are Solved OIDC applications can configure the used login version, which is currently not possible for SAML applications. # How the Problems Are Solved Add the same functionality dependent on the feature-flag for SAML applications. # Additional Changes None # Additional Context Closes #9267 Follow up issue for frontend changes #9354 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-02-13 17:03:05 +01:00			`samlApp.MetadataURL,`
			`samlApp.LoginVersion,`
			`samlApp.LoginBaseURI,`
			`)`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`if err != nil {`
			`return nil, err`
			`}`
			`if !hasChanged {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 16:30:55 +02:00			`return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-1m88i", "Errors.NoChangesFound")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`}`

			`pushedEvents, err := c.eventstore.Push(ctx, changedEvent)`
			`if err != nil {`
			`return nil, err`
			`}`
			`err = AppendAndReduce(existingSAML, pushedEvents...)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return samlWriteModelToSAMLConfig(existingSAML), nil`
			`}`

			`func (c Commands) getSAMLAppWriteModel(ctx context.Context, projectID, appID, resourceOwner string) (SAMLApplicationWriteModel, error) {`
			`appWriteModel := NewSAMLApplicationWriteModelWithAppID(projectID, appID, resourceOwner)`
			`err := c.eventstore.FilterToQueryReducer(ctx, appWriteModel)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return appWriteModel, nil`
			`}`