fix: add prompt on oidc rp, fix idp and login policy in console (#769)

* fix: add prompt on oidc rp * fix: add prompt on oidc rp * fix: translation * fix: translation * fix: not existing login policy * fix: login policy * fix: identity provider detail * fix: idp update * fix: idps in login policy * fix: lint * fix: scss * fix: external idps on auth user detail * fix: idp create mapping fields * fix: remove idp provider * fix: angular lint * fix: login policy view * fix: translations
2025-08-12 05:07:31 +00:00 · 2020-09-23 16:52:19 +02:00
parent 9887e897ee
commit 0bd27bc8e4
47 changed files with 890 additions and 648 deletions
--- a/internal/admin/repository/eventsourcing/eventstore/iam.go
+++ b/internal/admin/repository/eventsourcing/eventstore/iam.go
@@ -218,7 +218,7 @@ func (repo *IAMRepository) AddIDPProviderToLoginPolicy(ctx context.Context, prov
 	return repo.IAMEventstore.AddIDPProviderToLoginPolicy(ctx, provider)
 }

-func (repo *IAMRepository) RemoveIDPProviderFromIDPProvider(ctx context.Context, provider *iam_model.IDPProvider) error {
+func (repo *IAMRepository) RemoveIDPProviderFromLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) error {
 	aggregates := make([]*es_models.Aggregate, 0)
 	provider.AggregateID = repo.SystemDefaults.IamID
 	_, removeAgg, err := repo.IAMEventstore.PrepareRemoveIDPProviderFromLoginPolicy(ctx, provider)
--- a/internal/admin/repository/eventsourcing/handler/idp_providers.go
+++ b/internal/admin/repository/eventsourcing/handler/idp_providers.go
@@ -106,6 +106,7 @@ func (m *IDPProvider) fillData(provider *iam_view_model.IDPProviderView) (err er
 func (m *IDPProvider) fillConfigData(provider *iam_view_model.IDPProviderView, config *iam_model.IDPConfig) {
 	provider.Name = config.Name
 	provider.IDPConfigType = int32(config.Type)
+	provider.IDPState = int32(config.State)
 }

 func (m *IDPProvider) OnError(event *models.Event, err error) error {
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -64,7 +64,7 @@ type loginPolicyViewProvider interface {
 }

 type idpProviderViewProvider interface {
-	IDPProvidersByAggregateID(string) ([]*iam_view_model.IDPProviderView, error)
+	IDPProvidersByAggregateIDAndState(string, iam_model.IDPConfigState) ([]*iam_view_model.IDPProviderView, error)
 }

 type userEventProvider interface {
@@ -553,13 +553,13 @@ func (repo *AuthRequestRepo) getLoginPolicy(ctx context.Context, orgID string) (

 func getLoginPolicyIDPProviders(provider idpProviderViewProvider, iamID, orgID string, defaultPolicy bool) ([]*iam_model.IDPProviderView, error) {
 	if defaultPolicy {
-		idpProviders, err := provider.IDPProvidersByAggregateID(iamID)
+		idpProviders, err := provider.IDPProvidersByAggregateIDAndState(iamID, iam_model.IDPConfigStateActive)
 		if err != nil {
 			return nil, err
 		}
 		return iam_es_model.IDPProviderViewsToModel(idpProviders), nil
 	}
-	idpProviders, err := provider.IDPProvidersByAggregateID(orgID)
+	idpProviders, err := provider.IDPProvidersByAggregateIDAndState(orgID, iam_model.IDPConfigStateActive)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/auth/repository/eventsourcing/handler/idp_providers.go
+++ b/internal/auth/repository/eventsourcing/handler/idp_providers.go
@@ -112,6 +112,7 @@ func (m *IDPProvider) fillData(provider *iam_view_model.IDPProviderView) (err er
 func (m *IDPProvider) fillConfigData(provider *iam_view_model.IDPProviderView, config *iam_model.IDPConfig) {
 	provider.Name = config.Name
 	provider.IDPConfigType = int32(config.Type)
+	provider.IDPState = int32(config.State)
 }

 func (m *IDPProvider) OnError(event *models.Event, err error) error {
--- a/internal/auth/repository/eventsourcing/view/idp_providers.go
+++ b/internal/auth/repository/eventsourcing/view/idp_providers.go
@@ -20,8 +20,8 @@ func (v *View) IDPProvidersByIDPConfigID(idpConfigID string) ([]*model.IDPProvid
 	return view.IDPProvidersByIdpConfigID(v.Db, idpProviderTable, idpConfigID)
 }

-func (v *View) IDPProvidersByAggregateID(aggregateID string) ([]*model.IDPProviderView, error) {
-	return view.IDPProvidersByAggregateID(v.Db, idpProviderTable, aggregateID)
+func (v *View) IDPProvidersByAggregateIDAndState(aggregateID string, idpConfigState iam_model.IDPConfigState) ([]*model.IDPProviderView, error) {
+	return view.IDPProvidersByAggregateIDAndState(v.Db, idpProviderTable, aggregateID, idpConfigState)
 }

 func (v *View) SearchIDPProviders(request *iam_model.IDPProviderSearchRequest) ([]*model.IDPProviderView, uint64, error) {
--- a/internal/iam/model/idp_provider_view.go
+++ b/internal/iam/model/idp_provider_view.go
@@ -11,6 +11,7 @@ type IDPProviderView struct {
 	IDPProviderType IDPProviderType
 	Name            string
 	IDPConfigType   IdpConfigType
+	IDPState        IDPConfigState

 	CreationDate time.Time
 	ChangeDate   time.Time
@@ -31,6 +32,7 @@ const (
 	IDPProviderSearchKeyUnspecified IDPProviderSearchKey = iota
 	IDPProviderSearchKeyAggregateID
 	IDPProviderSearchKeyIdpConfigID
+	IDPProviderSearchKeyState
 )

 type IDPProviderSearchQuery struct {
--- a/internal/iam/repository/view/idp_provider_view.go
+++ b/internal/iam/repository/view/idp_provider_view.go
@@ -38,7 +38,7 @@ func IDPProvidersByIdpConfigID(db *gorm.DB, table string, idpConfigID string) ([
 	return providers, nil
 }

-func IDPProvidersByAggregateID(db *gorm.DB, table string, aggregateID string) ([]*model.IDPProviderView, error) {
+func IDPProvidersByAggregateIDAndState(db *gorm.DB, table string, aggregateID string, idpConfigState iam_model.IDPConfigState) ([]*model.IDPProviderView, error) {
 	providers := make([]*model.IDPProviderView, 0)
 	queries := []*iam_model.IDPProviderSearchQuery{
 		{
@@ -46,6 +46,11 @@ func IDPProvidersByAggregateID(db *gorm.DB, table string, aggregateID string) ([
 			Value:  aggregateID,
 			Method: global_model.SearchMethodEquals,
 		},
+		{
+			Key:    iam_model.IDPProviderSearchKeyState,
+			Value:  int(idpConfigState),
+			Method: global_model.SearchMethodEquals,
+		},
 	}
 	query := repository.PrepareSearchQuery(table, model.IDPProviderSearchRequest{Queries: queries})
 	_, err := query(db, &providers)
--- a/internal/iam/repository/view/model/idp_config.go
+++ b/internal/iam/repository/view/model/idp_config.go
@@ -47,6 +47,7 @@ func IDPConfigViewFromModel(idp *model.IDPConfigView) *IDPConfigView {
 	return &IDPConfigView{
 		IDPConfigID:               idp.IDPConfigID,
 		AggregateID:               idp.AggregateID,
+		IDPState:                  int32(idp.State),
 		Name:                      idp.Name,
 		LogoSrc:                   idp.LogoSrc,
 		Sequence:                  idp.Sequence,
@@ -67,6 +68,7 @@ func IDPConfigViewToModel(idp *IDPConfigView) *model.IDPConfigView {
 	return &model.IDPConfigView{
 		IDPConfigID:               idp.IDPConfigID,
 		AggregateID:               idp.AggregateID,
+		State:                     model.IDPConfigState(idp.IDPState),
 		Name:                      idp.Name,
 		LogoSrc:                   idp.LogoSrc,
 		Sequence:                  idp.Sequence,
--- a/internal/iam/repository/view/model/idp_provider.go
+++ b/internal/iam/repository/view/model/idp_provider.go
@@ -16,6 +16,7 @@ import (
 const (
 	IDPProviderKeyAggregateID = "aggregate_id"
 	IDPProviderKeyIdpConfigID = "idp_config_id"
+	IDPProviderKeyState       = "idp_state"
 )

 type IDPProviderView struct {
@@ -28,33 +29,36 @@ type IDPProviderView struct {
 	Name            string `json:"-" gorm:"column:name"`
 	IDPConfigType   int32  `json:"-" gorm:"column:idp_config_type"`
 	IDPProviderType int32  `json:"idpProviderType" gorm:"column:idp_provider_type"`
+	IDPState        int32  `json:"-" gorm:"column:idp_state"`

 	Sequence uint64 `json:"-" gorm:"column:sequence"`
 }

-func IDPProviderViewFromModel(policy *model.IDPProviderView) *IDPProviderView {
+func IDPProviderViewFromModel(provider *model.IDPProviderView) *IDPProviderView {
 	return &IDPProviderView{
-		AggregateID:     policy.AggregateID,
-		Sequence:        policy.Sequence,
-		CreationDate:    policy.CreationDate,
-		ChangeDate:      policy.ChangeDate,
-		Name:            policy.Name,
-		IDPConfigID:     policy.IDPConfigID,
-		IDPConfigType:   int32(policy.IDPConfigType),
-		IDPProviderType: int32(policy.IDPProviderType),
+		AggregateID:     provider.AggregateID,
+		Sequence:        provider.Sequence,
+		CreationDate:    provider.CreationDate,
+		ChangeDate:      provider.ChangeDate,
+		Name:            provider.Name,
+		IDPConfigID:     provider.IDPConfigID,
+		IDPConfigType:   int32(provider.IDPConfigType),
+		IDPProviderType: int32(provider.IDPProviderType),
+		IDPState:        int32(provider.IDPState),
 	}
 }

-func IDPProviderViewToModel(policy *IDPProviderView) *model.IDPProviderView {
+func IDPProviderViewToModel(provider *IDPProviderView) *model.IDPProviderView {
 	return &model.IDPProviderView{
-		AggregateID:     policy.AggregateID,
-		Sequence:        policy.Sequence,
-		CreationDate:    policy.CreationDate,
-		ChangeDate:      policy.ChangeDate,
-		Name:            policy.Name,
-		IDPConfigID:     policy.IDPConfigID,
-		IDPConfigType:   model.IdpConfigType(policy.IDPConfigType),
-		IDPProviderType: model.IDPProviderType(policy.IDPProviderType),
+		AggregateID:     provider.AggregateID,
+		Sequence:        provider.Sequence,
+		CreationDate:    provider.CreationDate,
+		ChangeDate:      provider.ChangeDate,
+		Name:            provider.Name,
+		IDPConfigID:     provider.IDPConfigID,
+		IDPConfigType:   model.IdpConfigType(provider.IDPConfigType),
+		IDPProviderType: model.IDPProviderType(provider.IDPProviderType),
+		IDPState:        model.IDPConfigState(provider.IDPState),
 	}
 }

--- a/internal/iam/repository/view/model/idp_provider_query.go
+++ b/internal/iam/repository/view/model/idp_provider_query.go
@@ -55,6 +55,8 @@ func (key IDPProviderSearchKey) ToColumnName() string {
 		return IDPProviderKeyAggregateID
 	case iam_model.IDPProviderSearchKeyIdpConfigID:
 		return IDPProviderKeyIdpConfigID
+	case iam_model.IDPProviderSearchKeyState:
+		return IDPProviderKeyState
 	default:
 		return ""
 	}
--- a/internal/management/repository/eventsourcing/handler/idp_providers.go
+++ b/internal/management/repository/eventsourcing/handler/idp_providers.go
@@ -112,6 +112,7 @@ func (m *IDPProvider) fillData(provider *iam_view_model.IDPProviderView) (err er
 func (m *IDPProvider) fillConfigData(provider *iam_view_model.IDPProviderView, config *iam_model.IDPConfig) {
 	provider.Name = config.Name
 	provider.IDPConfigType = int32(config.Type)
+	provider.IDPState = int32(config.State)
 }

 func (m *IDPProvider) OnError(event *models.Event, err error) error {
--- a/internal/org/repository/eventsourcing/eventstore.go
+++ b/internal/org/repository/eventsourcing/eventstore.go
@@ -716,7 +716,7 @@ func (es *OrgEventstore) ChangeIDPOIDCConfig(ctx context.Context, config *iam_mo

 func (es *OrgEventstore) AddLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
 	if policy == nil || !policy.IsValid() {
-		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Sjkl9", "Errors.Org.LoginPolicyInvalid")
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Sjkl9", "Errors.Org.LoginPolicy.Invalid")
 	}
 	existing, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
 	if err != nil {
@@ -736,13 +736,17 @@ func (es *OrgEventstore) AddLoginPolicy(ctx context.Context, policy *iam_model.L

 func (es *OrgEventstore) ChangeLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
 	if policy == nil || !policy.IsValid() {
-		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Lso02", "Errors.Org.LoginPolicyInvalid")
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Lso02", "Errors.Org.LoginPolicy.Invalid")
 	}
 	existing, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
 	if err != nil {
 		return nil, err
 	}

+	if existing.LoginPolicy == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Lso02", "Errors.Org.LoginPolicy.NotExisting")
+	}
+
 	repoOrg := model.OrgFromModel(existing)
 	repoLoginPolicy := iam_es_model.LoginPolicyFromModel(policy)

@@ -756,7 +760,7 @@ func (es *OrgEventstore) ChangeLoginPolicy(ctx context.Context, policy *iam_mode

 func (es *OrgEventstore) RemoveLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) error {
 	if policy == nil || !policy.IsValid() {
-		return errors.ThrowPreconditionFailed(nil, "EVENT-O0s9e", "Errors.Org.LoginPolicyInvalid")
+		return errors.ThrowPreconditionFailed(nil, "EVENT-O0s9e", "Errors.Org.LoginPolicy.Invalid")
 	}
 	existing, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
 	if err != nil {
--- a/internal/static/i18n/de.yaml
+++ b/internal/static/i18n/de.yaml
@@ -84,6 +84,7 @@ Errors:
    OIDCConfigInvalid: OIDC IDP Konfiguration ist ungültig
    IdpIsNotOIDC: IDP Konfiguration ist nicht vom Typ OIDC
    LoginPolicy:
+      Invalid: Login Policy ist ungültig
      NotExisting: Login Policy existiert nicht auf dieser Organisation
      AlreadyExists: Login Policy existiert bereits
      IdpProviderAlreadyExisting: Idp Provider existiert bereits
@@ -133,6 +134,7 @@ Errors:
    OIDCConfigInvalid: OIDC IDP Konfiguration ist ungültig
    IdpIsNotOIDC: IDP Konfiguration ist nicht vom Typ OIDC
    LoginPolicyInvalid: Login Policy ist ungültig
+    LoginPolicyNotExisting: Login Policy nicht vorhanden
    IdpProviderInvalid: Idp Provider ist ungültig
    LoginPolicy:
      NotExisting: Default Login Policy existiert nicht
@@ -181,12 +183,11 @@ EventTypes:
        added: E-Mail Code generiert
        sent: E-Mail Code gesendet
    machine:
-      machine:
-        added: Technischer Benutzer hinzugefügt
-        changed: Technischer Benutzer geändert
-        key:
-          added: Key added
-          removed: Key removed
+      added: Technischer Benutzer hinzugefügt
+      changed: Technischer Benutzer geändert
+      key:
+        added: Key added
+        removed: Key removed
    human:
      added: Benutzer hinzugefügt
      selfregistered: Benutzer hat sich selbst registriert
@@ -216,6 +217,11 @@ EventTypes:
        check:
          succeeded: Passwortvalidierung erfolgreich
          failed: Passwortvalidierung fehlgeschlagen
+      externalidp:
+        added: Externer IDP wurde hinzugefügt
+        removed: Externer IDP wurde gelöscht
+        cascade:
+          removed: Externer IDP wurde kaskadiert gelöscht
      phone:
        changed: Telefonnummer geändert
        verified: Telefonnummer verifiziert
--- a/internal/static/i18n/en.yaml
+++ b/internal/static/i18n/en.yaml
@@ -84,6 +84,7 @@ Errors:
    OIDCConfigInvalid: OIDC IDP configuration is invalid
    IdpIsNotOIDC: IDP configuration is not of type oidc
    LoginPolicy:
+      Invalid: Login Policy is invalid
      NotExisting: Login Policy not existig
      AlreadyExists: Login Policy already exists
      IdpProviderAlreadyExisting: Idp Provider already existing
@@ -133,6 +134,7 @@ Errors:
    OIDCConfigInvalid: OIDC IDP configuration is invalid
    IdpIsNotOIDC: IDP configuration is not of type oidc
    LoginPolicyInvalid: Login Policy is invalid
+    LoginPolicyNotExisting: Login Policy doesn't exist
    IdpProviderInvalid: Idp Provider is invalid
    LoginPolicy:
      NotExisting: Default Login Policy not existig
@@ -181,12 +183,11 @@ EventTypes:
        added: Email address verification code generated
        sent: Email address verification code sent
    machine:
-      machine:
-        added: Technical user added
-        changed: Technical user changed
-        key:
-          added: Key added
-          removed: Key removed
+      added: Technical user added
+      changed: Technical user changed
+      key:
+        added: Key added
+        removed: Key removed
    human:
      added: Person added
      selfregistered: Person registered himself
@@ -216,6 +217,11 @@ EventTypes:
        check:
          succeeded: Password check succeeded
          failed: Password check failed
+      externalidp:
+        added: Externer IDP added
+        removed: Externer IDP removed
+        cascade:
+          removed: Externer IDP cascade removed
      phone:
        changed: Phone number changed
        verified: Phone number verified
--- a/internal/ui/login/handler/external_login_handler.go
+++ b/internal/ui/login/handler/external_login_handler.go
@@ -70,7 +70,7 @@ func (l *Login) handleExternalLogin(w http.ResponseWriter, r *http.Request) {

 func (l *Login) handleOIDCAuthorize(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, idpConfig *iam_model.IDPConfigView, callbackEndpoint string) {
 	provider := l.getRPConfig(w, r, authReq, idpConfig, callbackEndpoint)
-	http.Redirect(w, r, rp.AuthURL(authReq.ID, provider), http.StatusFound)
+	http.Redirect(w, r, rp.AuthURL(authReq.ID, provider, rp.WithPrompt(oidc.PromptSelectAccount)), http.StatusFound)
 }

 func (l *Login) handleExternalLoginCallback(w http.ResponseWriter, r *http.Request) {