From 11c9be3b8de8685d8bda64471a2bf4a8b08cda20 Mon Sep 17 00:00:00 2001 From: Iraq <66622793+kkrime@users.noreply.github.com> Date: Tue, 18 Mar 2025 15:23:12 +0000 Subject: [PATCH] chore: updating projections.idp_templates6 to projections.idp_templates7 (#9517) # Which Problems Are Solved This was left out as part of https://github.com/zitadel/zitadel/pull/9292 - Closes https://github.com/zitadel/zitadel/issues/9514 --------- Co-authored-by: Iraq Jaber --- cmd/setup/51.go | 27 +++++ cmd/setup/51.sql | 1 + cmd/setup/config.go | 1 + cmd/setup/setup.go | 2 + internal/command/instance_idp.go | 20 ++++ internal/command/instance_idp_test.go | 90 +++++++++++++-- internal/command/org_idp.go | 10 ++ internal/command/org_idp_test.go | 67 ++++++++++- internal/query/idp_template_test.go | 104 +++++++++--------- internal/query/projection/idp_template.go | 4 +- .../query/projection/idp_template_test.go | 14 +-- 11 files changed, 265 insertions(+), 75 deletions(-) create mode 100644 cmd/setup/51.go create mode 100644 cmd/setup/51.sql
diff --git a/cmd/setup/51.go b/cmd/setup/51.go
new file mode 100644
index 0000000000..799daf744e
--- /dev/null
+++ b/cmd/setup/51.go
@@ -0,0 +1,27 @@
+package setup
+
+import (
+ "context"
+ _ "embed"
+
+ "github.com/zitadel/zitadel/internal/database"
+ "github.com/zitadel/zitadel/internal/eventstore"
+)
+
+var (
+ //go:embed 51.sql
+ addRootCA string
+)
+
+type IDPTemplate6RootCA struct {
+ dbClient *database.DB
+}
+
+func (mig *IDPTemplate6RootCA) Execute(ctx context.Context, _ eventstore.Event) error {
+ _, err := mig.dbClient.ExecContext(ctx, addRootCA)
+ return err
+}
+
+func (mig *IDPTemplate6RootCA) String() string {
+ return "51_idp_templates6_add_root_ca"
+}
diff --git a/cmd/setup/51.sql b/cmd/setup/51.sql
new file mode 100644
index 0000000000..a4146219c4
--- /dev/null
+++ b/cmd/setup/51.sql
@@ -0,0 +1 @@
+ALTER TABLE IF EXISTS projections.idp_templates6_ldap2 ADD COLUMN IF NOT EXISTS root_ca BYTEA;
\ No newline at end of file 
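Review bot: `IDPTemplate6RootCA` and its `Execute`/`String` methods are exported without doc comments, and nothing in the file says what 51.sql changes; suggest `// IDPTemplate6RootCA adds the root_ca column to projections.idp_templates6_ldap2 (51.sql), matching the LDAPRootCACol rename in the projection.` The commit title speaks of moving to projections.idp_templates7, but every identifier here stays at 6 and the SQL alters the existing ldap2 table, so either the title or this naming is misleading and one of them should be corrected. The `IF EXISTS`/`IF NOT EXISTS` guards make the step safe to re-run, but they also mean a database without the ldap2 table silently gets nothing from this step; as far as setup.go shows, projection.Create runs before the migration loop, so presumably a fresh install gets the column from the projection's own table definition — worth confirming, since that definition is not on this page.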
diff --git a/cmd/setup/config.go b/cmd/setup/config.go
index 6706d219e6..3f6c67a910 100644
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@@ -139,6 +139,7 @@ type Steps struct {
 s48Apps7SAMLConfigsLoginVersion *Apps7SAMLConfigsLoginVersion
 s49InitPermittedOrgsFunction *InitPermittedOrgsFunction
 s50IDPTemplate6UsePKCE *IDPTemplate6UsePKCE
+ s51IDPTemplate6RootCA *IDPTemplate6RootCA
 }
 
 func MustNewSteps(v *viper.Viper) *Steps {
diff --git a/cmd/setup/setup.go b/cmd/setup/setup.go
index 9d57928d06..bbabe07122 100644
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@@ -177,6 +177,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 steps.s48Apps7SAMLConfigsLoginVersion = &Apps7SAMLConfigsLoginVersion{dbClient: dbClient}
 steps.s49InitPermittedOrgsFunction = &InitPermittedOrgsFunction{eventstoreClient: dbClient}
 steps.s50IDPTemplate6UsePKCE = &IDPTemplate6UsePKCE{dbClient: dbClient}
+ steps.s51IDPTemplate6RootCA = &IDPTemplate6RootCA{dbClient: dbClient}
 
 err = projection.Create(ctx, dbClient, eventstoreClient, config.Projections, nil, nil, nil)
 logging.OnError(err).Fatal("unable to start projections")
@@ -216,6 +217,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 steps.s47FillMembershipFields,
 steps.s49InitPermittedOrgsFunction,
 steps.s50IDPTemplate6UsePKCE,
+ steps.s51IDPTemplate6RootCA,
 } {
 mustExecuteMigration(ctx, eventstoreClient, step, "migration failed")
 }
diff --git a/internal/command/instance_idp.go b/internal/command/instance_idp.go
index cea850dc0e..348f55cd9c 100644
--- a/internal/command/instance_idp.go
+++ b/internal/command/instance_idp.go
@@ -2,6 +2,7 @@ package command
 
 import (
 "context"
+ "crypto/x509"
 "strings"
 
 "github.com/zitadel/saml/pkg/provider/xml"
@@ -1532,6 +1533,12 @@ func (c *Commands) prepareAddInstanceLDAPProvider(a *instance.Aggregate, writeMo
 if len(provider.UserFilters) == 0 {
 return nil, zerrors.ThrowInvalidArgument(nil, "INST-aAx905n", "Errors.Invalid.Argument")
 }
+ if len(provider.RootCA) > 0 {
+ if err := validateRootCA(provider.RootCA); err != nil {
+ return nil, err
+ }
+ }
+
 return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 events, err := filter(ctx, writeModel.Query())
 if err != nil {
@@ -1569,6 +1576,14 @@ func (c *Commands) prepareAddInstanceLDAPProvider(a *instance.Aggregate, writeMo
 }
 }
 
+func validateRootCA(pemCerts []byte) error {
+ rootCAs := x509.NewCertPool()
+ if ok := rootCAs.AppendCertsFromPEM(pemCerts); !ok {
+ return zerrors.ThrowInvalidArgument(nil, "INST-cwqVVdBwKt", "Errors.Invalid.Argument")
+ }
+ return nil
+}
+
 func (c *Commands) prepareUpdateInstanceLDAPProvider(a *instance.Aggregate, writeModel *InstanceLDAPIDPWriteModel, provider LDAPProvider) preparation.Validation {
 return func() (preparation.CreateCommands, error) {
 if writeModel.ID = strings.TrimSpace(writeModel.ID); writeModel.ID == "" {
@@ -1595,6 +1610,11 @@ func (c *Commands) prepareUpdateInstanceLDAPProvider(a *instance.Aggregate, writ
 if len(provider.UserFilters) == 0 {
 return nil, zerrors.ThrowInvalidArgument(nil, "INST-aAx901n", "Errors.Invalid.Argument")
 }
+ if len(provider.RootCA) > 0 {
+ if err := validateRootCA(provider.RootCA); err != nil {
+ return nil, err
+ }
+ }
 return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 events, err := filter(ctx, writeModel.Query())
 if err != nil {
diff --git a/internal/command/instance_idp_test.go b/internal/command/instance_idp_test.go
index 8d872561c2..7002598af5 100644
--- a/internal/command/instance_idp_test.go
+++ b/internal/command/instance_idp_test.go
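Review bot: `validateRootCA` succeeds as soon as `AppendCertsFromPEM` parses one certificate, so input that mixes a valid certificate with malformed or non-CERTIFICATE PEM blocks is accepted and stored as-is, and nothing checks basic constraints (CA) or the validity period; the name promises more than the check does. At minimum add a doc comment such as `// validateRootCA only checks that at least one PEM CERTIFICATE block in pemCerts parses; CA basic constraints, expiry and the validity of the remaining blocks are not verified.`, and a stricter variant that walks every PEM block is sketched below (it needs `encoding/pem` in the import block changed earlier in this file). The first hunk also ends its new block with an extra blank line while the identical block in the third hunk does not; both enclosing functions start and end outside these hunks.
```go
// validateRootCA rejects pemCerts unless every PEM block it contains is a
// CERTIFICATE that x509 can parse; an input with no certificate at all is
// rejected too. CA basic constraints and validity period are still not checked.
func validateRootCA(pemCerts []byte) error {
	var block *pem.Block
	rest := pemCerts
	parsed := 0
	for {
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return zerrors.ThrowInvalidArgument(nil, "INST-cwqVVdBwKt", "Errors.Invalid.Argument")
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return zerrors.ThrowInvalidArgument(err, "INST-cwqVVdBwKt", "Errors.Invalid.Argument")
		}
		parsed++
	}
	if parsed == 0 {
		return zerrors.ThrowInvalidArgument(nil, "INST-cwqVVdBwKt", "Errors.Invalid.Argument")
	}
	return nil
}
```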
@@ -87,6 +87,26 @@ var ( `) + validLDAPRootCA = []byte(`-----BEGIN CERTIFICATE----- +MIIDITCCAgmgAwIBAgIUKjAUmxsHO44X+/TKBNciPgNl1GEwDQYJKoZIhvcNAQEL +BQAwIDEeMBwGA1UEAwwVbXlzZXJ2aWNlLmV4YW1wbGUuY29tMB4XDTI0MTIxOTEz +Mzc1MVoXDTI1MTIxOTEzMzc1MVowIDEeMBwGA1UEAwwVbXlzZXJ2aWNlLmV4YW1w +bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0QYuJsayILRI +hVT7G1DlitVSXnt1iw3gEXJZfe81Egz06fUbvXF6Yo1LJmwYpqe/rm+hf4FNUb8e +2O+LH2FieA9FkVe4P2gKOzw87A/KxvpV8stgNgl4LlqRCokbc1AzeE/NiLr5TcTD +RXm3DUcYxXxinprtDu2jftFysaOZmNAukvE/iL6qS3X6ggVEDDM7tY9n5FV2eJ4E +p0ImKfypi2aZYROxOK+v5x9ryFRMl4y07lMDvmtcV45uXYmfGNCgG9PNf91Kk/mh +JxEQbxycJwFoSi9XWljR8ahPdO11LXG7Dsj/RVbY8k2LdKNstl6Ae3aCpbe9u2Pj +vxYs1bVJuQIDAQABo1MwUTAdBgNVHQ4EFgQU+mRVN5HYJWgnpopReaLhf2cMcoYw +HwYDVR0jBBgwFoAU+mRVN5HYJWgnpopReaLhf2cMcoYwDwYDVR0TAQH/BAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEABJpHVuc9tGhD04infRVlofvqXIUizTlOrjZX +vozW9pIhSWEHX8o+sJP8AMZLnrsdq+bm0HE0HvgYrw7Lb8pd4FpR46TkFHjeukoj +izqfgckjIBl2nwPGlynbKA0/U/rTCSxVt7XiAn+lgYUGIpOzNdk06/hRMitrMNB7 +t2C97NseVC4b1ZgyFrozsefCfUmD8IJF0+XJ4Wzmsh0jRrI8koCtVmPYnKn6vw1b +cZprg/97CWHYrsavd406wOB60CMtYl83Q16ucOF1dretDFqJC5kY+aFLvuqfag2+ +kIaoPV1MnGsxveQyyHdOsEatS5XOv/1OWcmnvePDPxcvb9jCcw== +-----END CERTIFICATE----- +`) ) func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { 
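Review bot: `validLDAPRootCA` is added without a comment saying what it is; as far as the embedded DER can be decoded from the base64, it is a self-signed certificate for myservice.example.com with NotBefore 2024-12-19 and NotAfter 2025-12-19, so the fixture expires within a year of this commit. That is harmless today only because validateRootCA never checks validity, and a later tightening of that check would break these tests for a reason nobody can see in the test file. Suggest `// validLDAPRootCA is a self-signed test certificate (CN myservice.example.com, valid 2024-12-19 to 2025-12-19); the command tests only rely on it being parsable PEM.` The enclosing var block starts outside the hunk.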
@@ -4258,6 +4278,34 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { }, }, }, + { + "invalid rootCA", + fields{ + eventstore: expectEventstore(), + idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), + }, + args{ + ctx: authz.WithInstanceID(context.Background(), "instance1"), + provider: LDAPProvider{ + Name: "name", + Servers: []string{"server"}, + StartTLS: false, + BaseDN: "baseDN", + BindDN: "dn", + BindPassword: "password", + UserBase: "user", + UserObjectClasses: []string{"object"}, + UserFilters: []string{"filter"}, + Timeout: time.Second * 30, + RootCA: []byte("certificate"), + }, + }, + res{ + err: func(err error) bool { + return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "INST-cwqVVdBwKt", "Errors.Invalid.Argument")) + }, + }, + }, { name: "ok", fields: fields{ @@ -4281,7 +4329,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { []string{"object"}, []string{"filter"}, time.Second*30, - []byte("certificate"), + nil, idp.LDAPAttributes{}, idp.Options{}, ), @@ -4303,7 +4351,6 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { UserObjectClasses: []string{"object"}, UserFilters: []string{"filter"}, Timeout: time.Second * 30, - RootCA: []byte("certificate"), }, }, res: res{ @@ -4334,7 +4381,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { []string{"object"}, []string{"filter"}, time.Second*30, - []byte("certificate"), + validLDAPRootCA, idp.LDAPAttributes{ IDAttribute: "id", FirstNameAttribute: "firstName", @@ -4375,7 +4422,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { UserObjectClasses: []string{"object"}, UserFilters: []string{"filter"}, Timeout: time.Second * 30, - RootCA: []byte("certificate"), + RootCA: validLDAPRootCA, LDAPAttributes: idp.LDAPAttributes{ IDAttribute: "id", FirstNameAttribute: "firstName", 
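Review bot: The new "invalid rootCA" case is written as a positional struct literal (`{ "invalid rootCA", fields{...}, args{...}, res{...} }`) while every neighbouring case uses keyed fields (`name:`, `fields:`, `args:`, `res:`); a field added to fields/args/res later would silently shift the positional form, so switch it to keyed. The same applies to the UpdateInstance case in the next hunk group and to both org cases in org_idp_test.go. The enclosing test function starts and ends outside the hunks.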
@@ -4601,6 +4648,32 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { }, }, }, + { + "invalid rootCA", + fields{ + eventstore: expectEventstore(), + }, + args{ + ctx: authz.WithInstanceID(context.Background(), "instance1"), + id: "id1", + provider: LDAPProvider{ + Name: "name", + Servers: []string{"server"}, + BaseDN: "baseDN", + BindDN: "binddn", + BindPassword: "password", + UserBase: "user", + UserObjectClasses: []string{"object"}, + UserFilters: []string{"filter"}, + RootCA: []byte("certificate"), + }, + }, + res{ + err: func(err error) bool { + return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "INST-cwqVVdBwKt", "Errors.Invalid.Argument")) + }, + }, + }, { name: "not found", fields: fields{ @@ -4651,7 +4724,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { []string{"object"}, []string{"filter"}, time.Second*30, - []byte("certificate"), + validLDAPRootCA, idp.LDAPAttributes{}, idp.Options{}, )), @@ -4671,7 +4744,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { UserObjectClasses: []string{"object"}, UserFilters: []string{"filter"}, Timeout: time.Second * 30, - RootCA: []byte("certificate"), + RootCA: validLDAPRootCA, }, }, res: res{ @@ -4701,7 +4774,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { []string{"object"}, []string{"filter"}, time.Second*30, - []byte("certificate"), + nil, idp.LDAPAttributes{}, idp.Options{}, )), @@ -4748,6 +4821,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { IsAutoCreation: &t, IsAutoUpdate: &t, }), + idp.ChangeLDAPRootCA(validLDAPRootCA), }, ) return event @@ -4770,7 +4844,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { UserObjectClasses: []string{"new object"}, UserFilters: []string{"new filter"}, Timeout: time.Second * 20, - RootCA: []byte("certificate"), + RootCA: validLDAPRootCA, LDAPAttributes: idp.LDAPAttributes{ IDAttribute: "new id", FirstNameAttribute: "new firstName", 
diff --git a/internal/command/org_idp.go b/internal/command/org_idp.go
index d24b0f7840..b72fc1fd77 100644
--- a/internal/command/org_idp.go
+++ b/internal/command/org_idp.go
@@ -1516,6 +1516,11 @@ func (c *Commands) prepareAddOrgLDAPProvider(a *org.Aggregate, writeModel *OrgLD
 if len(provider.UserFilters) == 0 {
 return nil, zerrors.ThrowInvalidArgument(nil, "ORG-aAx9x1n", "Errors.Invalid.Argument")
 }
+ if len(provider.RootCA) > 0 {
+ if err := validateRootCA(provider.RootCA); err != nil {
+ return nil, err
+ }
+ }
 return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 events, err := filter(ctx, writeModel.Query())
 if err != nil {
@@ -1579,6 +1584,11 @@ func (c *Commands) prepareUpdateOrgLDAPProvider(a *org.Aggregate, writeModel *Or
 if len(provider.UserFilters) == 0 {
 return nil, zerrors.ThrowInvalidArgument(nil, "ORG-aBx901n", "Errors.Invalid.Argument")
 }
+ if len(provider.RootCA) > 0 {
+ if err := validateRootCA(provider.RootCA); err != nil {
+ return nil, err
+ }
+ }
 return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 events, err := filter(ctx, writeModel.Query())
 if err != nil {
diff --git a/internal/command/org_idp_test.go b/internal/command/org_idp_test.go
index 25115f71fe..9959ced97d 100644
--- a/internal/command/org_idp_test.go
+++ b/internal/command/org_idp_test.go
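Review bot: Both org hunks call `validateRootCA`, which is defined in instance_idp.go and fails with the id "INST-cwqVVdBwKt", so an invalid root CA on an org-level LDAP provider is reported with an instance-scoped error id while every other error in these two functions uses an "ORG-" id (ORG-aAx9x1n, ORG-aBx901n). The org test added in org_idp_test.go already bakes this in by asserting the INST- id from the org path. Either give the helper an id parameter, e.g. `validateRootCA(provider.RootCA, "ORG-<new id per repo convention>")`, or keep the shared id and say so in the helper's doc comment so the next reader does not treat it as a copy-paste slip. Both enclosing functions start and end outside the hunks.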
@@ -4324,6 +4324,35 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { }, }, }, + { + "invalid rootCA", + fields{ + eventstore: expectEventstore(), + idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), + }, + args{ + ctx: context.Background(), + resourceOwner: "org1", + provider: LDAPProvider{ + Name: "name", + Servers: []string{"server"}, + StartTLS: false, + BaseDN: "baseDN", + BindDN: "dn", + BindPassword: "password", + UserBase: "user", + UserObjectClasses: []string{"object"}, + UserFilters: []string{"filter"}, + Timeout: time.Second * 30, + RootCA: []byte("certificate"), + }, + }, + res{ + err: func(err error) bool { + return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "INST-cwqVVdBwKt", "Errors.Invalid.Argument")) + }, + }, + }, { name: "ok", fields: fields{ @@ -4400,7 +4429,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { []string{"object"}, []string{"filter"}, time.Second*30, - []byte("certificate"), + validLDAPRootCA, idp.LDAPAttributes{ IDAttribute: "id", FirstNameAttribute: "firstName", @@ -4442,7 +4471,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { UserObjectClasses: []string{"object"}, UserFilters: []string{"filter"}, Timeout: time.Second * 30, - RootCA: []byte("certificate"), + RootCA: validLDAPRootCA, LDAPAttributes: idp.LDAPAttributes{ IDAttribute: "id", FirstNameAttribute: "firstName", @@ -4677,6 +4706,31 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { }, }, }, + { + "invalid rootCA", + fields{ + eventstore: expectEventstore(), + }, + args{ + ctx: context.Background(), + resourceOwner: "org1", + id: "id1", + provider: LDAPProvider{ + Name: "name", + Servers: []string{"server"}, + BaseDN: "baseDN", + BindDN: "bindDN", + UserBase: "user", + UserObjectClasses: []string{"object"}, + RootCA: []byte("certificate"), + }, + }, + res{ + err: func(err error) bool { + return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "ORG-aBx901n", "")) + }, + }, + }, { name: "not found", fields: fields{ 
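Review bot: The "invalid rootCA" case added to TestCommandSide_UpdateOrgLDAPIDP never reaches the root-CA validation: its provider literal has no UserFilters, so prepareUpdateOrgLDAPProvider returns "ORG-aBx901n" from the existing empty-filters check first, which is exactly what the case asserts — it duplicates the missing-filters case and leaves the new branch on the org update path untested. Add `UserFilters: []string{"filter"},` to the provider and assert `errors.Is(err, zerrors.ThrowInvalidArgument(nil, "INST-cwqVVdBwKt", "Errors.Invalid.Argument"))`, as the AddOrg case in the first hunk already does. The enclosing test functions start and end outside the hunks.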
@@ -4728,7 +4782,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { []string{"object"}, []string{"filter"}, time.Second*30, - []byte("certificate"), + validLDAPRootCA, idp.LDAPAttributes{}, idp.Options{}, )), @@ -4748,7 +4802,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { UserFilters: []string{"filter"}, UserBase: "user", Timeout: time.Second * 30, - RootCA: []byte("certificate"), + RootCA: validLDAPRootCA, }, }, res: res{ @@ -4778,7 +4832,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { []string{"object"}, []string{"filter"}, time.Second*30, - []byte("certificate"), + nil, idp.LDAPAttributes{}, idp.Options{}, )), @@ -4825,6 +4879,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { IsAutoCreation: &t, IsAutoUpdate: &t, }), + idp.ChangeLDAPRootCA(validLDAPRootCA), }, ) return event @@ -4848,7 +4903,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { UserObjectClasses: []string{"new object"}, UserFilters: []string{"new filter"}, Timeout: time.Second * 20, - RootCA: []byte("certificate"), + RootCA: validLDAPRootCA, LDAPAttributes: idp.LDAPAttributes{ IDAttribute: "new id", FirstNameAttribute: "new firstName", diff --git a/internal/query/idp_template_test.go b/internal/query/idp_template_test.go index bee19e492a..07fb80d78a 100644 --- a/internal/query/idp_template_test.go +++ b/internal/query/idp_template_test.go 
@@ -100,30 +100,30 @@ var ( ` projections.idp_templates6_saml.name_id_format,` + ` projections.idp_templates6_saml.transient_mapping_attribute_name,` + // ldap - ` projections.idp_templates6_ldap3.idp_id,` + - ` projections.idp_templates6_ldap3.servers,` + - ` projections.idp_templates6_ldap3.start_tls,` + - ` projections.idp_templates6_ldap3.base_dn,` + - ` projections.idp_templates6_ldap3.bind_dn,` + - ` projections.idp_templates6_ldap3.bind_password,` + - ` projections.idp_templates6_ldap3.user_base,` + - ` projections.idp_templates6_ldap3.user_object_classes,` + - ` projections.idp_templates6_ldap3.user_filters,` + - ` projections.idp_templates6_ldap3.timeout,` + - ` projections.idp_templates6_ldap3.rootCA,` + - ` projections.idp_templates6_ldap3.id_attribute,` + - ` projections.idp_templates6_ldap3.first_name_attribute,` + - ` projections.idp_templates6_ldap3.last_name_attribute,` + - ` projections.idp_templates6_ldap3.display_name_attribute,` + - ` projections.idp_templates6_ldap3.nick_name_attribute,` + - ` projections.idp_templates6_ldap3.preferred_username_attribute,` + - ` projections.idp_templates6_ldap3.email_attribute,` + - ` projections.idp_templates6_ldap3.email_verified,` + - ` projections.idp_templates6_ldap3.phone_attribute,` + - ` projections.idp_templates6_ldap3.phone_verified_attribute,` + - ` projections.idp_templates6_ldap3.preferred_language_attribute,` + - ` projections.idp_templates6_ldap3.avatar_url_attribute,` + - ` projections.idp_templates6_ldap3.profile_attribute,` + + ` projections.idp_templates6_ldap2.idp_id,` + + ` projections.idp_templates6_ldap2.servers,` + + ` projections.idp_templates6_ldap2.start_tls,` + + ` projections.idp_templates6_ldap2.base_dn,` + + ` projections.idp_templates6_ldap2.bind_dn,` + + ` projections.idp_templates6_ldap2.bind_password,` + + ` projections.idp_templates6_ldap2.user_base,` + + ` projections.idp_templates6_ldap2.user_object_classes,` + + ` projections.idp_templates6_ldap2.user_filters,` + + ` 
projections.idp_templates6_ldap2.timeout,` + + ` projections.idp_templates6_ldap2.root_ca,` + + ` projections.idp_templates6_ldap2.id_attribute,` + + ` projections.idp_templates6_ldap2.first_name_attribute,` + + ` projections.idp_templates6_ldap2.last_name_attribute,` + + ` projections.idp_templates6_ldap2.display_name_attribute,` + + ` projections.idp_templates6_ldap2.nick_name_attribute,` + + ` projections.idp_templates6_ldap2.preferred_username_attribute,` + + ` projections.idp_templates6_ldap2.email_attribute,` + + ` projections.idp_templates6_ldap2.email_verified,` + + ` projections.idp_templates6_ldap2.phone_attribute,` + + ` projections.idp_templates6_ldap2.phone_verified_attribute,` + + ` projections.idp_templates6_ldap2.preferred_language_attribute,` + + ` projections.idp_templates6_ldap2.avatar_url_attribute,` + + ` projections.idp_templates6_ldap2.profile_attribute,` + // apple ` projections.idp_templates6_apple.idp_id,` + ` projections.idp_templates6_apple.client_id,` + 
@@ -142,7 +142,7 @@ var ( ` LEFT JOIN projections.idp_templates6_gitlab_self_hosted ON projections.idp_templates6.id = projections.idp_templates6_gitlab_self_hosted.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_gitlab_self_hosted.instance_id` + ` LEFT JOIN projections.idp_templates6_google ON projections.idp_templates6.id = projections.idp_templates6_google.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_google.instance_id` + ` LEFT JOIN projections.idp_templates6_saml ON projections.idp_templates6.id = projections.idp_templates6_saml.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_saml.instance_id` + - ` LEFT JOIN projections.idp_templates6_ldap3 ON projections.idp_templates6.id = projections.idp_templates6_ldap3.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_ldap3.instance_id` + + ` LEFT JOIN projections.idp_templates6_ldap2 ON projections.idp_templates6.id = projections.idp_templates6_ldap2.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_ldap2.instance_id` + ` LEFT JOIN projections.idp_templates6_apple ON projections.idp_templates6.id = projections.idp_templates6_apple.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_apple.instance_id` + ` AS OF SYSTEM TIME '-1 ms'` idpTemplateCols = []string{ @@ -240,7 +240,7 @@ var ( "user_object_classes", "user_filters", "timeout", - "rootCA", + "root_ca", "id_attribute", "first_name_attribute", "last_name_attribute", 
@@ -346,30 +346,30 @@ var ( ` projections.idp_templates6_saml.name_id_format,` + ` projections.idp_templates6_saml.transient_mapping_attribute_name,` + // ldap - ` projections.idp_templates6_ldap3.idp_id,` + - ` projections.idp_templates6_ldap3.servers,` + - ` projections.idp_templates6_ldap3.start_tls,` + - ` projections.idp_templates6_ldap3.base_dn,` + - ` projections.idp_templates6_ldap3.bind_dn,` + - ` projections.idp_templates6_ldap3.bind_password,` + - ` projections.idp_templates6_ldap3.user_base,` + - ` projections.idp_templates6_ldap3.user_object_classes,` + - ` projections.idp_templates6_ldap3.user_filters,` + - ` projections.idp_templates6_ldap3.timeout,` + - ` projections.idp_templates6_ldap3.rootCA,` + - ` projections.idp_templates6_ldap3.id_attribute,` + - ` projections.idp_templates6_ldap3.first_name_attribute,` + - ` projections.idp_templates6_ldap3.last_name_attribute,` + - ` projections.idp_templates6_ldap3.display_name_attribute,` + - ` projections.idp_templates6_ldap3.nick_name_attribute,` + - ` projections.idp_templates6_ldap3.preferred_username_attribute,` + - ` projections.idp_templates6_ldap3.email_attribute,` + - ` projections.idp_templates6_ldap3.email_verified,` + - ` projections.idp_templates6_ldap3.phone_attribute,` + - ` projections.idp_templates6_ldap3.phone_verified_attribute,` + - ` projections.idp_templates6_ldap3.preferred_language_attribute,` + - ` projections.idp_templates6_ldap3.avatar_url_attribute,` + - ` projections.idp_templates6_ldap3.profile_attribute,` + + ` projections.idp_templates6_ldap2.idp_id,` + + ` projections.idp_templates6_ldap2.servers,` + + ` projections.idp_templates6_ldap2.start_tls,` + + ` projections.idp_templates6_ldap2.base_dn,` + + ` projections.idp_templates6_ldap2.bind_dn,` + + ` projections.idp_templates6_ldap2.bind_password,` + + ` projections.idp_templates6_ldap2.user_base,` + + ` projections.idp_templates6_ldap2.user_object_classes,` + + ` projections.idp_templates6_ldap2.user_filters,` + + ` 
projections.idp_templates6_ldap2.timeout,` + + ` projections.idp_templates6_ldap2.root_ca,` + + ` projections.idp_templates6_ldap2.id_attribute,` + + ` projections.idp_templates6_ldap2.first_name_attribute,` + + ` projections.idp_templates6_ldap2.last_name_attribute,` + + ` projections.idp_templates6_ldap2.display_name_attribute,` + + ` projections.idp_templates6_ldap2.nick_name_attribute,` + + ` projections.idp_templates6_ldap2.preferred_username_attribute,` + + ` projections.idp_templates6_ldap2.email_attribute,` + + ` projections.idp_templates6_ldap2.email_verified,` + + ` projections.idp_templates6_ldap2.phone_attribute,` + + ` projections.idp_templates6_ldap2.phone_verified_attribute,` + + ` projections.idp_templates6_ldap2.preferred_language_attribute,` + + ` projections.idp_templates6_ldap2.avatar_url_attribute,` + + ` projections.idp_templates6_ldap2.profile_attribute,` + // apple ` projections.idp_templates6_apple.idp_id,` + ` projections.idp_templates6_apple.client_id,` + 
@@ -389,7 +389,7 @@ var ( ` LEFT JOIN projections.idp_templates6_gitlab_self_hosted ON projections.idp_templates6.id = projections.idp_templates6_gitlab_self_hosted.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_gitlab_self_hosted.instance_id` + ` LEFT JOIN projections.idp_templates6_google ON projections.idp_templates6.id = projections.idp_templates6_google.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_google.instance_id` + ` LEFT JOIN projections.idp_templates6_saml ON projections.idp_templates6.id = projections.idp_templates6_saml.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_saml.instance_id` + - ` LEFT JOIN projections.idp_templates6_ldap3 ON projections.idp_templates6.id = projections.idp_templates6_ldap3.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_ldap3.instance_id` + + ` LEFT JOIN projections.idp_templates6_ldap2 ON projections.idp_templates6.id = projections.idp_templates6_ldap2.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_ldap2.instance_id` + ` LEFT JOIN projections.idp_templates6_apple ON projections.idp_templates6.id = projections.idp_templates6_apple.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_apple.instance_id` + ` AS OF SYSTEM TIME '-1 ms'` idpTemplatesCols = []string{ @@ -487,7 +487,7 @@ var ( "user_object_classes", "user_filters", "timeout", - "rootCA", + "root_ca", "id_attribute", "first_name_attribute", "last_name_attribute", diff --git a/internal/query/projection/idp_template.go b/internal/query/projection/idp_template.go index 47033e6bbb..55c74b851c 100644 --- a/internal/query/projection/idp_template.go +++ b/internal/query/projection/idp_template.go 
@@ -40,7 +40,7 @@ const (
 IDPTemplateGitLabSuffix = "gitlab"
 IDPTemplateGitLabSelfHostedSuffix = "gitlab_self_hosted"
 IDPTemplateGoogleSuffix = "google"
- IDPTemplateLDAPSuffix = "ldap3"
+ IDPTemplateLDAPSuffix = "ldap2"
 IDPTemplateAppleSuffix = "apple"
 IDPTemplateSAMLSuffix = "saml"
 
@@ -141,7 +141,7 @@ const (
 LDAPUserObjectClassesCol = "user_object_classes"
 LDAPUserFiltersCol = "user_filters"
 LDAPTimeoutCol = "timeout"
- LDAPRootCACol = "rootCA"
+ LDAPRootCACol = "root_ca"
 LDAPIDAttributeCol = "id_attribute"
 LDAPFirstNameAttributeCol = "first_name_attribute"
 LDAPLastNameAttributeCol = "last_name_attribute"
diff --git a/internal/query/projection/idp_template_test.go b/internal/query/projection/idp_template_test.go
index 74adfe22c0..cebf3f8791 100644
--- a/internal/query/projection/idp_template_test.go
+++ b/internal/query/projection/idp_template_test.go
@@ -2123,7 +2123,7 @@ func TestIDPTemplateProjection_reducesLDAP(t *testing.T) {
 "userObjectClasses": ["object"],
 "userFilters": ["filter"],
 "timeout": 30000000000,
- "rootcA": `+stringToJSONByte("certificate")+`,
+ "rootCA": `+stringToJSONByte("certificate")+`,
 "idAttribute": "id",
 "firstNameAttribute": "first",
 "lastNameAttribute": "last",
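Review bot: `IDPTemplateLDAPSuffix` goes from "ldap3" back to "ldap2" and `LDAPRootCACol` from "rootCA" to "root_ca", with 51.sql only adding the column to the ldap2 table; nothing on this page drops or re-projects projections.idp_templates6_ldap3, so if any deployment already ran the intermediate state from #9292, that table is presumably left orphaned and its rows are not visible through ldap2 — worth a sentence in the PR description, a follow-up cleanup, or a confirmation that ldap3 never shipped in a release. A short comment on the constant would stop the next reader from "fixing" the numbering again: `// ldap2: the root_ca column was added in place by setup step 51 instead of by a new table version.` The test hunk in this file only follows the rename.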
@@ -2172,7 +2172,7 @@ func TestIDPTemplateProjection_reducesLDAP(t *testing.T) { }, }, { - expectedStmt: "INSERT INTO projections.idp_templates6_ldap3 (idp_id, instance_id, servers, start_tls, base_dn, bind_dn, bind_password, user_base, user_object_classes, user_filters, timeout, rootCA, id_attribute, first_name_attribute, last_name_attribute, display_name_attribute, nick_name_attribute, preferred_username_attribute, email_attribute, email_verified, phone_attribute, phone_verified_attribute, preferred_language_attribute, avatar_url_attribute, profile_attribute) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25)", + expectedStmt: "INSERT INTO projections.idp_templates6_ldap2 (idp_id, instance_id, servers, start_tls, base_dn, bind_dn, bind_password, user_base, user_object_classes, user_filters, timeout, root_ca, id_attribute, first_name_attribute, last_name_attribute, display_name_attribute, nick_name_attribute, preferred_username_attribute, email_attribute, email_verified, phone_attribute, phone_verified_attribute, preferred_language_attribute, avatar_url_attribute, profile_attribute) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25)", expectedArgs: []interface{}{ "idp-id", "instance-id", @@ -2228,7 +2228,7 @@ func TestIDPTemplateProjection_reducesLDAP(t *testing.T) { "userObjectClasses": ["object"], "userFilters": ["filter"], "timeout": 30000000000, - "rootcA": `+stringToJSONByte("certificate")+`, + "rootCA": `+stringToJSONByte("certificate")+`, "idAttribute": "id", "firstNameAttribute": "first", "lastNameAttribute": "last", 
@@ -2277,7 +2277,7 @@ func TestIDPTemplateProjection_reducesLDAP(t *testing.T) { }, }, { - expectedStmt: "INSERT INTO projections.idp_templates6_ldap3 (idp_id, instance_id, servers, start_tls, base_dn, bind_dn, bind_password, user_base, user_object_classes, user_filters, timeout, rootCA, id_attribute, first_name_attribute, last_name_attribute, display_name_attribute, nick_name_attribute, preferred_username_attribute, email_attribute, email_verified, phone_attribute, phone_verified_attribute, preferred_language_attribute, avatar_url_attribute, profile_attribute) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25)", + expectedStmt: "INSERT INTO projections.idp_templates6_ldap2 (idp_id, instance_id, servers, start_tls, base_dn, bind_dn, bind_password, user_base, user_object_classes, user_filters, timeout, root_ca, id_attribute, first_name_attribute, last_name_attribute, display_name_attribute, nick_name_attribute, preferred_username_attribute, email_attribute, email_verified, phone_attribute, phone_verified_attribute, preferred_language_attribute, avatar_url_attribute, profile_attribute) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25)", expectedArgs: []interface{}{ "idp-id", "instance-id", @@ -2341,7 +2341,7 @@ func TestIDPTemplateProjection_reducesLDAP(t *testing.T) { }, }, { - expectedStmt: "UPDATE projections.idp_templates6_ldap3 SET base_dn = $1 WHERE (idp_id = $2) AND (instance_id = $3)", + expectedStmt: "UPDATE projections.idp_templates6_ldap2 SET base_dn = $1 WHERE (idp_id = $2) AND (instance_id = $3)", expectedArgs: []interface{}{ "basedn", "idp-id", 
@@ -2375,7 +2375,7 @@ func TestIDPTemplateProjection_reducesLDAP(t *testing.T) { "userObjectClasses": ["object"], "userFilters": ["filter"], "timeout": 30000000000, - "rootcA": `+stringToJSONByte("certificate")+`, + "rootCA": `+stringToJSONByte("certificate")+`, "idAttribute": "id", "firstNameAttribute": "first", "lastNameAttribute": "last", @@ -2419,7 +2419,7 @@ func TestIDPTemplateProjection_reducesLDAP(t *testing.T) { }, }, { - expectedStmt: "UPDATE projections.idp_templates6_ldap3 SET (servers, start_tls, base_dn, bind_dn, bind_password, user_base, user_object_classes, user_filters, timeout, rootCA, id_attribute, first_name_attribute, last_name_attribute, display_name_attribute, nick_name_attribute, preferred_username_attribute, email_attribute, email_verified, phone_attribute, phone_verified_attribute, preferred_language_attribute, avatar_url_attribute, profile_attribute) = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23) WHERE (idp_id = $24) AND (instance_id = $25)", + expectedStmt: "UPDATE projections.idp_templates6_ldap2 SET (servers, start_tls, base_dn, bind_dn, bind_password, user_base, user_object_classes, user_filters, timeout, root_ca, id_attribute, first_name_attribute, last_name_attribute, display_name_attribute, nick_name_attribute, preferred_username_attribute, email_attribute, email_verified, phone_attribute, phone_verified_attribute, preferred_language_attribute, avatar_url_attribute, profile_attribute) = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23) WHERE (idp_id = $24) AND (instance_id = $25)", expectedArgs: []interface{}{ database.TextArray[string]{"server"}, false,