TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 04:57:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add SAML as identity provider (#6454)

Browse Source 
* feat: first implementation for saml sp

* fix: add command side instance and org for saml provider

* fix: add query side instance and org for saml provider

* fix: request handling in event and retrieval of finished intent

* fix: add review changes and integration tests

* fix: add integration tests for saml idp

* fix: correct unit tests with review changes

* fix: add saml session unit test

* fix: add saml session unit test

* fix: add saml session unit test

* fix: changes from review

* fix: changes from review

* fix: proto build error

* fix: proto build error

* fix: proto build error

* fix: proto require metadata oneof

* fix: login with saml provider

* fix: integration test for saml assertion

* lint client.go

* fix json tag

* fix: linting

* fix import

* fix: linting

* fix saml idp query

* fix: linting

* lint: try all issues

* revert linting config

* fix: add regenerate endpoints

* fix: translations

* fix mk.yaml

* ignore acs path for user agent cookie

* fix: add AuthFromProvider test for saml

* fix: integration test for saml retrieve information

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Stefan Benz
2023-09-29 11:26:14 +02:00
committed by GitHub
parent 2e99d0fe1b
commit 15fd3045e0
82 changed files with 6301 additions and 245 deletions
Download Patch File Download Diff File Expand all files Collapse all files

109
internal/query/idp_template.go
View File

@@ -44,6 +44,7 @@ type IDPTemplate struct {
*GoogleIDPTemplate
*LDAPIDPTemplate
*AppleIDPTemplate
*SAMLIDPTemplate
}
type IDPTemplates struct {
@@ -150,6 +151,15 @@ type AppleIDPTemplate struct {
Scopes database.StringArray
}
type SAMLIDPTemplate struct {
IDPID string
Metadata []byte
Key *crypto.CryptoValue
Certificate []byte
Binding string
WithSignedRequest bool
}
var (
idpTemplateTable = table{
name: projection.IDPTemplateTable,
@@ -650,6 +660,41 @@ var (
}
)
var (
samlIdpTemplateTable = table{
name: projection.IDPTemplateSAMLTable,
instanceIDCol: projection.IDPTemplateInstanceIDCol,
}
SAMLIDCol = Column{
name: projection.SAMLIDCol,
table: samlIdpTemplateTable,
}
SAMLInstanceCol = Column{
name: projection.SAMLInstanceIDCol,
table: samlIdpTemplateTable,
}
SAMLMetadataCol = Column{
name: projection.SAMLMetadataCol,
table: samlIdpTemplateTable,
}
SAMLKeyCol = Column{
name: projection.SAMLKeyCol,
table: samlIdpTemplateTable,
}
SAMLCertificateCol = Column{
name: projection.SAMLCertificateCol,
table: samlIdpTemplateTable,
}
SAMLBindingCol = Column{
name: projection.SAMLBindingCol,
table: samlIdpTemplateTable,
}
SAMLWithSignedRequestCol = Column{
name: projection.SAMLWithSignedRequestCol,
table: samlIdpTemplateTable,
}
)
// IDPTemplateByID searches for the requested id
func (q *Queries) IDPTemplateByID(ctx context.Context, shouldTriggerBulk bool, id string, withOwnerRemoved bool, queries ...SearchQuery) (template *IDPTemplate, err error) {
ctx, span := tracing.NewSpan(ctx)
@@ -820,6 +865,13 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
GoogleClientIDCol.identifier(),
GoogleClientSecretCol.identifier(),
GoogleScopesCol.identifier(),
// saml
SAMLIDCol.identifier(),
SAMLMetadataCol.identifier(),
SAMLKeyCol.identifier(),
SAMLCertificateCol.identifier(),
SAMLBindingCol.identifier(),
SAMLWithSignedRequestCol.identifier(),
// ldap
LDAPIDCol.identifier(),
LDAPServersCol.identifier(),
@@ -861,6 +913,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
LeftJoin(join(GitLabIDCol, IDPTemplateIDCol)).
LeftJoin(join(GitLabSelfHostedIDCol, IDPTemplateIDCol)).
LeftJoin(join(GoogleIDCol, IDPTemplateIDCol)).
LeftJoin(join(SAMLIDCol, IDPTemplateIDCol)).
LeftJoin(join(LDAPIDCol, IDPTemplateIDCol)).
LeftJoin(join(AppleIDCol, IDPTemplateIDCol) + db.Timetravel(call.Took(ctx))).
PlaceholderFormat(sq.Dollar),
@@ -927,6 +980,13 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
googleClientSecret := new(crypto.CryptoValue)
googleScopes := database.StringArray{}
samlID := sql.NullString{}
var samlMetadata []byte
samlKey := new(crypto.CryptoValue)
var samlCertificate []byte
samlBinding := sql.NullString{}
samlWithSignedRequest := sql.NullBool{}
ldapID := sql.NullString{}
ldapServers := database.StringArray{}
ldapStartTls := sql.NullBool{}
@@ -1030,6 +1090,13 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
&googleClientID,
&googleClientSecret,
&googleScopes,
// saml
&samlID,
&samlMetadata,
&samlKey,
&samlCertificate,
&samlBinding,
&samlWithSignedRequest,
// ldap
&ldapID,
&ldapServers,
@@ -1156,6 +1223,16 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
Scopes: googleScopes,
}
}
if samlID.Valid {
idpTemplate.SAMLIDPTemplate = &SAMLIDPTemplate{
IDPID: samlID.String,
Metadata: samlMetadata,
Key: samlKey,
Certificate: samlCertificate,
Binding: samlBinding.String,
WithSignedRequest: samlWithSignedRequest.Bool,
}
}
if ldapID.Valid {
idpTemplate.LDAPIDPTemplate = &LDAPIDPTemplate{
IDPID: ldapID.String,
@@ -1273,6 +1350,13 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
GoogleClientIDCol.identifier(),
GoogleClientSecretCol.identifier(),
GoogleScopesCol.identifier(),
// saml
SAMLIDCol.identifier(),
SAMLMetadataCol.identifier(),
SAMLKeyCol.identifier(),
SAMLCertificateCol.identifier(),
SAMLBindingCol.identifier(),
SAMLWithSignedRequestCol.identifier(),
// ldap
LDAPIDCol.identifier(),
LDAPServersCol.identifier(),
@@ -1316,6 +1400,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
LeftJoin(join(GitLabIDCol, IDPTemplateIDCol)).
LeftJoin(join(GitLabSelfHostedIDCol, IDPTemplateIDCol)).
LeftJoin(join(GoogleIDCol, IDPTemplateIDCol)).
LeftJoin(join(SAMLIDCol, IDPTemplateIDCol)).
LeftJoin(join(LDAPIDCol, IDPTemplateIDCol)).
LeftJoin(join(AppleIDCol, IDPTemplateIDCol) + db.Timetravel(call.Took(ctx))).
PlaceholderFormat(sq.Dollar),
@@ -1385,6 +1470,13 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
googleClientSecret := new(crypto.CryptoValue)
googleScopes := database.StringArray{}
samlID := sql.NullString{}
var samlMetadata []byte
samlKey := new(crypto.CryptoValue)
var samlCertificate []byte
samlBinding := sql.NullString{}
samlWithSignedRequest := sql.NullBool{}
ldapID := sql.NullString{}
ldapServers := database.StringArray{}
ldapStartTls := sql.NullBool{}
@@ -1488,6 +1580,13 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
&googleClientID,
&googleClientSecret,
&googleScopes,
// saml
&samlID,
&samlMetadata,
&samlKey,
&samlCertificate,
&samlBinding,
&samlWithSignedRequest,
// ldap
&ldapID,
&ldapServers,
@@ -1613,6 +1712,16 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
Scopes: googleScopes,
}
}
if samlID.Valid {
idpTemplate.SAMLIDPTemplate = &SAMLIDPTemplate{
IDPID: samlID.String,
Metadata: samlMetadata,
Key: samlKey,
Certificate: samlCertificate,
Binding: samlBinding.String,
WithSignedRequest: samlWithSignedRequest.Bool,
}
}
if ldapID.Valid {
idpTemplate.LDAPIDPTemplate = &LDAPIDPTemplate{
IDPID: ldapID.String,

429
internal/query/idp_template_test.go
View File

@@ -87,6 +87,13 @@ var (
` projections.idp_templates5_google.client_id,` +
` projections.idp_templates5_google.client_secret,` +
` projections.idp_templates5_google.scopes,` +
// saml
` projections.idp_templates5_saml.idp_id,` +
` projections.idp_templates5_saml.metadata,` +
` projections.idp_templates5_saml.key,` +
` projections.idp_templates5_saml.certificate,` +
` projections.idp_templates5_saml.binding,` +
` projections.idp_templates5_saml.with_signed_request,` +
// ldap
` projections.idp_templates5_ldap2.idp_id,` +
` projections.idp_templates5_ldap2.servers,` +
@@ -128,6 +135,7 @@ var (
` LEFT JOIN projections.idp_templates5_gitlab ON projections.idp_templates5.id = projections.idp_templates5_gitlab.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_gitlab.instance_id` +
` LEFT JOIN projections.idp_templates5_gitlab_self_hosted ON projections.idp_templates5.id = projections.idp_templates5_gitlab_self_hosted.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_gitlab_self_hosted.instance_id` +
` LEFT JOIN projections.idp_templates5_google ON projections.idp_templates5.id = projections.idp_templates5_google.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_google.instance_id` +
` LEFT JOIN projections.idp_templates5_saml ON projections.idp_templates5.id = projections.idp_templates5_saml.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_saml.instance_id` +
` LEFT JOIN projections.idp_templates5_ldap2 ON projections.idp_templates5.id = projections.idp_templates5_ldap2.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_ldap2.instance_id` +
` LEFT JOIN projections.idp_templates5_apple ON projections.idp_templates5.id = projections.idp_templates5_apple.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_apple.instance_id` +
` AS OF SYSTEM TIME '-1 ms'`
@@ -203,6 +211,13 @@ var (
"client_id",
"client_secret",
"scopes",
// saml config
"idp_id",
"metadata",
"key",
"certificate",
"binding",
"with_signed_request",
// ldap config
"idp_id",
"servers",
@@ -306,6 +321,13 @@ var (
` projections.idp_templates5_google.client_id,` +
` projections.idp_templates5_google.client_secret,` +
` projections.idp_templates5_google.scopes,` +
// saml
` projections.idp_templates5_saml.idp_id,` +
` projections.idp_templates5_saml.metadata,` +
` projections.idp_templates5_saml.key,` +
` projections.idp_templates5_saml.certificate,` +
` projections.idp_templates5_saml.binding,` +
` projections.idp_templates5_saml.with_signed_request,` +
// ldap
` projections.idp_templates5_ldap2.idp_id,` +
` projections.idp_templates5_ldap2.servers,` +
@@ -348,6 +370,7 @@ var (
` LEFT JOIN projections.idp_templates5_gitlab ON projections.idp_templates5.id = projections.idp_templates5_gitlab.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_gitlab.instance_id` +
` LEFT JOIN projections.idp_templates5_gitlab_self_hosted ON projections.idp_templates5.id = projections.idp_templates5_gitlab_self_hosted.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_gitlab_self_hosted.instance_id` +
` LEFT JOIN projections.idp_templates5_google ON projections.idp_templates5.id = projections.idp_templates5_google.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_google.instance_id` +
` LEFT JOIN projections.idp_templates5_saml ON projections.idp_templates5.id = projections.idp_templates5_saml.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_saml.instance_id` +
` LEFT JOIN projections.idp_templates5_ldap2 ON projections.idp_templates5.id = projections.idp_templates5_ldap2.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_ldap2.instance_id` +
` LEFT JOIN projections.idp_templates5_apple ON projections.idp_templates5.id = projections.idp_templates5_apple.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_apple.instance_id` +
` AS OF SYSTEM TIME '-1 ms'`
@@ -423,6 +446,13 @@ var (
"client_id",
"client_secret",
"scopes",
// saml config
"idp_id",
"metadata",
"key",
"certificate",
"binding",
"with_signed_request",
// ldap config
"idp_id",
"servers",
@@ -566,6 +596,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -705,6 +742,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -842,6 +886,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -978,6 +1029,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -1113,6 +1171,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -1248,6 +1313,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -1384,6 +1456,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
"client_id",
nil,
database.StringArray{"profile"},
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -1440,6 +1519,150 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
},
},
},
{
name: "prepareIDPTemplateByIDQuery saml idp",
prepare: prepareIDPTemplateByIDQuery,
want: want{
sqlExpectations: mockQuery(
regexp.QuoteMeta(idpTemplateQuery),
idpTemplateCols,
[]driver.Value{
"idp-id",
"ro",
testNow,
testNow,
uint64(20211109),
domain.IDPConfigStateActive,
"idp-name",
domain.IDPTypeSAML,
domain.IdentityProviderTypeOrg,
true,
true,
true,
true,
// oauth
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
// oidc
nil,
nil,
nil,
nil,
nil,
nil,
// jwt
nil,
nil,
nil,
nil,
nil,
// azure
nil,
nil,
nil,
nil,
nil,
nil,
// github
nil,
nil,
nil,
nil,
// github enterprise
nil,
nil,
nil,
nil,
nil,
nil,
nil,
// gitlab
nil,
nil,
nil,
nil,
// gitlab self hosted
nil,
nil,
nil,
nil,
nil,
// google
nil,
nil,
nil,
nil,
// saml
"idp-id",
[]byte("metadata"),
nil,
nil,
"binding",
false,
// ldap config
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
// apple
nil,
nil,
nil,
nil,
nil,
nil,
},
),
},
object: &IDPTemplate{
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211109,
ResourceOwner: "ro",
ID: "idp-id",
State: domain.IDPStateActive,
Name: "idp-name",
Type: domain.IDPTypeSAML,
OwnerType: domain.IdentityProviderTypeOrg,
IsCreationAllowed: true,
IsLinkingAllowed: true,
IsAutoCreation: true,
IsAutoUpdate: true,
SAMLIDPTemplate: &SAMLIDPTemplate{
IDPID: "idp-id",
Metadata: []byte("metadata"),
Key: nil,
Certificate: nil,
Binding: "binding",
WithSignedRequest: false,
},
},
},
{
name: "prepareIDPTemplateByIDQuery ldap idp",
prepare: prepareIDPTemplateByIDQuery,
@@ -1519,6 +1742,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
"idp-id",
database.StringArray{"server"},
@@ -1674,6 +1904,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -1811,6 +2048,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -1976,6 +2220,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
"idp-id",
database.StringArray{"server"},
@@ -2140,6 +2391,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -2278,6 +2536,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
"idp-id-ldap",
database.StringArray{"server"},
@@ -2310,6 +2575,117 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
},
{
"idp-id-saml",
"ro",
testNow,
testNow,
uint64(20211109),
domain.IDPConfigStateActive,
"idp-name",
domain.IDPTypeSAML,
domain.IdentityProviderTypeOrg,
true,
true,
true,
true,
// oauth
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
// oidc
nil,
nil,
nil,
nil,
nil,
nil,
// jwt
nil,
nil,
nil,
nil,
nil,
// azure
nil,
nil,
nil,
nil,
nil,
nil,
// github
nil,
nil,
nil,
nil,
// github enterprise
nil,
nil,
nil,
nil,
nil,
nil,
nil,
// gitlab
nil,
nil,
nil,
nil,
// gitlab self hosted
nil,
nil,
nil,
nil,
nil,
// google
nil,
nil,
nil,
nil,
// saml
"idp-id-saml",
[]byte("metadata"),
nil,
nil,
"binding",
false,
// ldap config
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
nil,
// apple
nil,
nil,
nil,
nil,
nil,
nil,
},
{
"idp-id-google",
"ro",
@@ -2382,6 +2758,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
"client_id",
nil,
database.StringArray{"profile"},
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -2486,6 +2869,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -2590,6 +2980,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -2694,6 +3091,13 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
// saml
nil,
nil,
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -2731,7 +3135,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
},
object: &IDPTemplates{
SearchResponse: SearchResponse{
Count: 5,
Count: 6,
},
Templates: []*IDPTemplate{
{
@@ -2775,6 +3179,29 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
},
},
},
{
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211109,
ResourceOwner: "ro",
ID: "idp-id-saml",
State: domain.IDPStateActive,
Name: "idp-name",
Type: domain.IDPTypeSAML,
OwnerType: domain.IdentityProviderTypeOrg,
IsCreationAllowed: true,
IsLinkingAllowed: true,
IsAutoCreation: true,
IsAutoUpdate: true,
SAMLIDPTemplate: &SAMLIDPTemplate{
IDPID: "idp-id-saml",
Metadata: []byte("metadata"),
Key: nil,
Certificate: nil,
Binding: "binding",
WithSignedRequest: false,
},
},
{
CreationDate: testNow,
ChangeDate: testNow,

156
internal/query/projection/idp_template.go
View File

@@ -29,6 +29,7 @@ const (
IDPTemplateGoogleTable = IDPTemplateTable + "_" + IDPTemplateGoogleSuffix
IDPTemplateLDAPTable = IDPTemplateTable + "_" + IDPTemplateLDAPSuffix
IDPTemplateAppleTable = IDPTemplateTable + "_" + IDPTemplateAppleSuffix
IDPTemplateSAMLTable = IDPTemplateTable + "_" + IDPTemplateSAMLSuffix
IDPTemplateOAuthSuffix = "oauth2"
IDPTemplateOIDCSuffix = "oidc"
@@ -41,6 +42,7 @@ const (
IDPTemplateGoogleSuffix = "google"
IDPTemplateLDAPSuffix = "ldap2"
IDPTemplateAppleSuffix = "apple"
IDPTemplateSAMLSuffix = "saml"
IDPTemplateIDCol = "id"
IDPTemplateCreationDateCol = "creation_date"
@@ -157,6 +159,14 @@ const (
AppleKeyIDCol = "key_id"
ApplePrivateKeyCol = "private_key"
AppleScopesCol = "scopes"
SAMLIDCol = "idp_id"
SAMLInstanceIDCol = "instance_id"
SAMLMetadataCol = "metadata"
SAMLKeyCol = "key"
SAMLCertificateCol = "certificate"
SAMLBindingCol = "binding"
SAMLWithSignedRequestCol = "with_signed_request"
)
type idpTemplateProjection struct {
@@ -344,6 +354,19 @@ func newIDPTemplateProjection(ctx context.Context, config crdb.StatementHandlerC
IDPTemplateAppleSuffix,
crdb.WithForeignKey(crdb.NewForeignKeyOfPublicKeys()),
),
crdb.NewSuffixedTable([]*crdb.Column{
crdb.NewColumn(SAMLIDCol, crdb.ColumnTypeText),
crdb.NewColumn(SAMLInstanceIDCol, crdb.ColumnTypeText),
crdb.NewColumn(SAMLMetadataCol, crdb.ColumnTypeBytes),
crdb.NewColumn(SAMLKeyCol, crdb.ColumnTypeJSONB),
crdb.NewColumn(SAMLCertificateCol, crdb.ColumnTypeBytes),
crdb.NewColumn(SAMLBindingCol, crdb.ColumnTypeText, crdb.Nullable()),
crdb.NewColumn(SAMLWithSignedRequestCol, crdb.ColumnTypeBool, crdb.Nullable()),
},
crdb.NewPrimaryKey(SAMLInstanceIDCol, SAMLIDCol),
IDPTemplateSAMLSuffix,
crdb.WithForeignKey(crdb.NewForeignKeyOfPublicKeys()),
),
)
p.StatementHandler = crdb.NewStatementHandler(ctx, config)
return p
@@ -474,6 +497,14 @@ func (p *idpTemplateProjection) reducers() []handler.AggregateReducer {
Event: instance.AppleIDPChangedEventType,
Reduce: p.reduceAppleIDPChanged,
},
{
Event: instance.SAMLIDPAddedEventType,
Reduce: p.reduceSAMLIDPAdded,
},
{
Event: instance.SAMLIDPChangedEventType,
Reduce: p.reduceSAMLIDPChanged,
},
{
Event: instance.IDPConfigRemovedEventType,
Reduce: p.reduceIDPConfigRemoved,
@@ -611,6 +642,14 @@ func (p *idpTemplateProjection) reducers() []handler.AggregateReducer {
Event: org.AppleIDPChangedEventType,
Reduce: p.reduceAppleIDPChanged,
},
{
Event: org.SAMLIDPAddedEventType,
Reduce: p.reduceSAMLIDPAdded,
},
{
Event: org.SAMLIDPChangedEventType,
Reduce: p.reduceSAMLIDPChanged,
},
{
Event: org.IDPConfigRemovedEventType,
Reduce: p.reduceIDPConfigRemoved,
@@ -1898,6 +1937,97 @@ func (p *idpTemplateProjection) reduceLDAPIDPChanged(event eventstore.Event) (*h
), nil
}
func (p *idpTemplateProjection) reduceSAMLIDPAdded(event eventstore.Event) (*handler.Statement, error) {
var idpEvent idp.SAMLIDPAddedEvent
var idpOwnerType domain.IdentityProviderType
switch e := event.(type) {
case *org.SAMLIDPAddedEvent:
idpEvent = e.SAMLIDPAddedEvent
idpOwnerType = domain.IdentityProviderTypeOrg
case *instance.SAMLIDPAddedEvent:
idpEvent = e.SAMLIDPAddedEvent
idpOwnerType = domain.IdentityProviderTypeSystem
default:
return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-9s02m1", "reduce.wrong.event.type %v", []eventstore.EventType{org.SAMLIDPAddedEventType, instance.SAMLIDPAddedEventType})
}
return crdb.NewMultiStatement(
&idpEvent,
crdb.AddCreateStatement(
[]handler.Column{
handler.NewCol(IDPTemplateIDCol, idpEvent.ID),
handler.NewCol(IDPTemplateCreationDateCol, idpEvent.CreationDate()),
handler.NewCol(IDPTemplateChangeDateCol, idpEvent.CreationDate()),
handler.NewCol(IDPTemplateSequenceCol, idpEvent.Sequence()),
handler.NewCol(IDPTemplateResourceOwnerCol, idpEvent.Aggregate().ResourceOwner),
handler.NewCol(IDPTemplateInstanceIDCol, idpEvent.Aggregate().InstanceID),
handler.NewCol(IDPTemplateStateCol, domain.IDPStateActive),
handler.NewCol(IDPTemplateNameCol, idpEvent.Name),
handler.NewCol(IDPTemplateOwnerTypeCol, idpOwnerType),
handler.NewCol(IDPTemplateTypeCol, domain.IDPTypeSAML),
handler.NewCol(IDPTemplateIsCreationAllowedCol, idpEvent.IsCreationAllowed),
handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
},
),
crdb.AddCreateStatement(
[]handler.Column{
handler.NewCol(SAMLIDCol, idpEvent.ID),
handler.NewCol(SAMLInstanceIDCol, idpEvent.Aggregate().InstanceID),
handler.NewCol(SAMLMetadataCol, idpEvent.Metadata),
handler.NewCol(SAMLKeyCol, idpEvent.Key),
handler.NewCol(SAMLCertificateCol, idpEvent.Certificate),
handler.NewCol(SAMLBindingCol, idpEvent.Binding),
handler.NewCol(SAMLWithSignedRequestCol, idpEvent.WithSignedRequest),
},
crdb.WithTableSuffix(IDPTemplateSAMLSuffix),
),
), nil
}
func (p *idpTemplateProjection) reduceSAMLIDPChanged(event eventstore.Event) (*handler.Statement, error) {
var idpEvent idp.SAMLIDPChangedEvent
switch e := event.(type) {
case *org.SAMLIDPChangedEvent:
idpEvent = e.SAMLIDPChangedEvent
case *instance.SAMLIDPChangedEvent:
idpEvent = e.SAMLIDPChangedEvent
default:
return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-o7c0fii4ad", "reduce.wrong.event.type %v", []eventstore.EventType{org.SAMLIDPChangedEventType, instance.SAMLIDPChangedEventType})
}
ops := make([]func(eventstore.Event) crdb.Exec, 0, 2)
ops = append(ops,
crdb.AddUpdateStatement(
reduceIDPChangedTemplateColumns(idpEvent.Name, idpEvent.CreationDate(), idpEvent.Sequence(), idpEvent.OptionChanges),
[]handler.Condition{
handler.NewCond(IDPTemplateIDCol, idpEvent.ID),
handler.NewCond(IDPTemplateInstanceIDCol, idpEvent.Aggregate().InstanceID),
},
),
)
SAMLCols := reduceSAMLIDPChangedColumns(idpEvent)
if len(SAMLCols) > 0 {
ops = append(ops,
crdb.AddUpdateStatement(
SAMLCols,
[]handler.Condition{
handler.NewCond(SAMLIDCol, idpEvent.ID),
handler.NewCond(SAMLInstanceIDCol, idpEvent.Aggregate().InstanceID),
},
crdb.WithTableSuffix(IDPTemplateSAMLSuffix),
),
)
}
return crdb.NewMultiStatement(
&idpEvent,
ops...,
), nil
}
func (p *idpTemplateProjection) reduceAppleIDPAdded(event eventstore.Event) (*handler.Statement, error) {
var idpEvent idp.AppleIDPAddedEvent
var idpOwnerType domain.IdentityProviderType
@@ -2067,7 +2197,7 @@ func reduceIDPChangedTemplateColumns(name *string, creationDate time.Time, seque
}
func reduceOAuthIDPChangedColumns(idpEvent idp.OAuthIDPChangedEvent) []handler.Column {
oauthCols := make([]handler.Column, 0, 6)
oauthCols := make([]handler.Column, 0, 7)
if idpEvent.ClientID != nil {
oauthCols = append(oauthCols, handler.NewCol(OAuthClientIDCol, *idpEvent.ClientID))
}
@@ -2093,7 +2223,7 @@ func reduceOAuthIDPChangedColumns(idpEvent idp.OAuthIDPChangedEvent) []handler.C
}
func reduceOIDCIDPChangedColumns(idpEvent idp.OIDCIDPChangedEvent) []handler.Column {
oidcCols := make([]handler.Column, 0, 4)
oidcCols := make([]handler.Column, 0, 5)
if idpEvent.ClientID != nil {
oidcCols = append(oidcCols, handler.NewCol(OIDCClientIDCol, *idpEvent.ClientID))
}
@@ -2232,7 +2362,7 @@ func reduceGoogleIDPChangedColumns(idpEvent idp.GoogleIDPChangedEvent) []handler
}
func reduceLDAPIDPChangedColumns(idpEvent idp.LDAPIDPChangedEvent) []handler.Column {
ldapCols := make([]handler.Column, 0, 4)
ldapCols := make([]handler.Column, 0, 22)
if idpEvent.Servers != nil {
ldapCols = append(ldapCols, handler.NewCol(LDAPServersCol, database.StringArray(idpEvent.Servers)))
}
@@ -2321,3 +2451,23 @@ func reduceAppleIDPChangedColumns(idpEvent idp.AppleIDPChangedEvent) []handler.C
}
return appleCols
}
func reduceSAMLIDPChangedColumns(idpEvent idp.SAMLIDPChangedEvent) []handler.Column {
SAMLCols := make([]handler.Column, 0, 5)
if idpEvent.Metadata != nil {
SAMLCols = append(SAMLCols, handler.NewCol(SAMLMetadataCol, idpEvent.Metadata))
}
if idpEvent.Key != nil {
SAMLCols = append(SAMLCols, handler.NewCol(SAMLKeyCol, idpEvent.Key))
}
if idpEvent.Certificate != nil {
SAMLCols = append(SAMLCols, handler.NewCol(SAMLCertificateCol, idpEvent.Certificate))
}
if idpEvent.Binding != nil {
SAMLCols = append(SAMLCols, handler.NewCol(SAMLBindingCol, *idpEvent.Binding))
}
if idpEvent.WithSignedRequest != nil {
SAMLCols = append(SAMLCols, handler.NewCol(SAMLWithSignedRequestCol, *idpEvent.WithSignedRequest))
}
return SAMLCols
}

297
internal/query/projection/idp_template_test.go
View File

@@ -1,6 +1,7 @@
package projection
import (
"encoding/json"
"testing"
"time"
@@ -2696,6 +2697,297 @@ func TestIDPTemplateProjection_reducesApple(t *testing.T) {
}
}
func TestIDPTemplateProjection_reducesSAML(t *testing.T) {
type args struct {
event func(t *testing.T) eventstore.Event
}
tests := []struct {
name string
args args
reduce func(event eventstore.Event) (*handler.Statement, error)
want wantReduce
}{
{
name: "instance reduceSAMLIDPAdded",
args: args{
event: getEvent(testEvent(
repository.EventType(instance.SAMLIDPAddedEventType),
instance.AggregateType,
[]byte(`{
"id": "idp-id",
"name": "custom-zitadel-instance",
"metadata": `+stringToJSONByte("metadata")+`,
"key": {
"cryptoType": 0,
"algorithm": "RSA-265",
"keyId": "key-id"
},
"certificate": `+stringToJSONByte("certificate")+`,
"binding": "binding",
"withSignedRequest": true,
"isCreationAllowed": true,
"isLinkingAllowed": true,
"isAutoCreation": true,
"isAutoUpdate": true
}`),
), instance.SAMLIDPAddedEventMapper),
},
reduce: (&idpTemplateProjection{}).reduceSAMLIDPAdded,
want: wantReduce{
aggregateType: eventstore.AggregateType("instance"),
sequence: 15,
previousSequence: 10,
executer: &testExecuter{
executions: []execution{
{
expectedStmt: idpTemplateInsertStmt,
expectedArgs: []interface{}{
"idp-id",
anyArg{},
anyArg{},
uint64(15),
"ro-id",
"instance-id",
domain.IDPStateActive,
"custom-zitadel-instance",
domain.IdentityProviderTypeSystem,
domain.IDPTypeSAML,
true,
true,
true,
true,
},
},
{
expectedStmt: "INSERT INTO projections.idp_templates5_saml (idp_id, instance_id, metadata, key, certificate, binding, with_signed_request) VALUES ($1, $2, $3, $4, $5, $6, $7)",
expectedArgs: []interface{}{
"idp-id",
"instance-id",
[]byte("metadata"),
anyArg{},
anyArg{},
"binding",
true,
},
},
},
},
},
},
{
name: "org reduceSAMLIDPAdded",
args: args{
event: getEvent(testEvent(
repository.EventType(org.SAMLIDPAddedEventType),
org.AggregateType,
[]byte(`{
"id": "idp-id",
"name": "custom-zitadel-instance",
"metadata": `+stringToJSONByte("metadata")+`,
"key": {
"cryptoType": 0,
"algorithm": "RSA-265",
"keyId": "key-id"
},
"certificate": `+stringToJSONByte("certificate")+`,
"binding": "binding",
"withSignedRequest": true,
"isCreationAllowed": true,
"isLinkingAllowed": true,
"isAutoCreation": true,
"isAutoUpdate": true
}`),
), org.SAMLIDPAddedEventMapper),
},
reduce: (&idpTemplateProjection{}).reduceSAMLIDPAdded,
want: wantReduce{
aggregateType: eventstore.AggregateType("org"),
sequence: 15,
previousSequence: 10,
executer: &testExecuter{
executions: []execution{
{
expectedStmt: idpTemplateInsertStmt,
expectedArgs: []interface{}{
"idp-id",
anyArg{},
anyArg{},
uint64(15),
"ro-id",
"instance-id",
domain.IDPStateActive,
"custom-zitadel-instance",
domain.IdentityProviderTypeOrg,
domain.IDPTypeSAML,
true,
true,
true,
true,
},
},
{
expectedStmt: "INSERT INTO projections.idp_templates5_saml (idp_id, instance_id, metadata, key, certificate, binding, with_signed_request) VALUES ($1, $2, $3, $4, $5, $6, $7)",
expectedArgs: []interface{}{
"idp-id",
"instance-id",
[]byte("metadata"),
anyArg{},
anyArg{},
"binding",
true,
},
},
},
},
},
},
{
name: "instance reduceSAMLIDPChanged minimal",
args: args{
event: getEvent(testEvent(
repository.EventType(instance.SAMLIDPChangedEventType),
instance.AggregateType,
[]byte(`{
"id": "idp-id",
"name": "custom-zitadel-instance",
"binding": "binding"
}`),
), instance.SAMLIDPChangedEventMapper),
},
reduce: (&idpTemplateProjection{}).reduceSAMLIDPChanged,
want: wantReduce{
aggregateType: eventstore.AggregateType("instance"),
sequence: 15,
previousSequence: 10,
executer: &testExecuter{
executions: []execution{
{
expectedStmt: "UPDATE projections.idp_templates5 SET (name, change_date, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
expectedArgs: []interface{}{
"custom-zitadel-instance",
anyArg{},
uint64(15),
"idp-id",
"instance-id",
},
},
{
expectedStmt: "UPDATE projections.idp_templates5_saml SET binding = $1 WHERE (idp_id = $2) AND (instance_id = $3)",
expectedArgs: []interface{}{
"binding",
"idp-id",
"instance-id",
},
},
},
},
},
},
{
name: "instance reduceSAMLIDPChanged",
args: args{
event: getEvent(testEvent(
repository.EventType(instance.SAMLIDPChangedEventType),
instance.AggregateType,
[]byte(`{
"id": "idp-id",
"name": "custom-zitadel-instance",
"metadata": `+stringToJSONByte("metadata")+`,
"key": {
"cryptoType": 0,
"algorithm": "RSA-265",
"keyId": "key-id"
},
"certificate": `+stringToJSONByte("certificate")+`,
"binding": "binding",
"withSignedRequest": true,
"isCreationAllowed": true,
"isLinkingAllowed": true,
"isAutoCreation": true,
"isAutoUpdate": true
}`),
), instance.SAMLIDPChangedEventMapper),
},
reduce: (&idpTemplateProjection{}).reduceSAMLIDPChanged,
want: wantReduce{
aggregateType: eventstore.AggregateType("instance"),
sequence: 15,
previousSequence: 10,
executer: &testExecuter{
executions: []execution{
{
expectedStmt: idpTemplateUpdateStmt,
expectedArgs: []interface{}{
"custom-zitadel-instance",
true,
true,
true,
true,
anyArg{},
uint64(15),
"idp-id",
"instance-id",
},
},
{
expectedStmt: "UPDATE projections.idp_templates5_saml SET (metadata, key, certificate, binding, with_signed_request) = ($1, $2, $3, $4, $5) WHERE (idp_id = $6) AND (instance_id = $7)",
expectedArgs: []interface{}{
[]byte("metadata"),
anyArg{},
anyArg{},
"binding",
true,
"idp-id",
"instance-id",
},
},
},
},
},
},
{
name: "org.reduceOwnerRemoved",
reduce: (&idpProjection{}).reduceOwnerRemoved,
args: args{
event: getEvent(testEvent(
repository.EventType(org.OrgRemovedEventType),
org.AggregateType,
nil,
), org.OrgRemovedEventMapper),
},
want: wantReduce{
aggregateType: eventstore.AggregateType("org"),
sequence: 15,
previousSequence: 10,
executer: &testExecuter{
executions: []execution{
{
expectedStmt: "DELETE FROM projections.idp_templates5 WHERE (instance_id = $1) AND (resource_owner = $2)",
expectedArgs: []interface{}{
"instance-id",
"agg-id",
},
},
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
event := baseEvent(t)
got, err := tt.reduce(event)
if !errors.IsErrorInvalidArgument(err) {
t.Errorf("no wrong event mapping: %v, got: %v", err, got)
}
event = tt.args.event(t)
got, err = tt.reduce(event)
assertReduce(t, got, err, IDPTemplateTable, tt.want)
})
}
}
func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
type args struct {
event func(t *testing.T) eventstore.Event
@@ -4058,3 +4350,8 @@ func TestIDPTemplateProjection_reducesJWT(t *testing.T) {
})
}
}
func stringToJSONByte(data string) string {
jsondata, _ := json.Marshal([]byte(data))
return string(jsondata)
}