feat: session checks with intent (#6031)

* feat: session checks with intent * feat: session checks with intent * fix: integration tests for intent session * fix: integration tests for intent session * fix merge * fix: integration tests for intent session --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 07:47:32 +00:00 · 2023-06-21 16:06:18 +02:00
parent c12d94f7d4
commit 1b5d6ce89e
29 changed files with 727 additions and 153 deletions
--- a/internal/api/grpc/user/v2/user.go
+++ b/internal/api/grpc/user/v2/user.go
@@ -2,7 +2,6 @@ package user

 import (
 	"context"
-	"encoding/base64"
 	"io"

 	"golang.org/x/text/language"
@@ -205,21 +204,7 @@ func intentToIDPInformationPb(intent *command.IDPIntentWriteModel, alg crypto.En
 }

 func (s *Server) checkIntentToken(token string, intentID string) error {
-	if token == "" {
-		return errors.ThrowPermissionDenied(nil, "IDP-Sfefs", "Errors.Intent.InvalidToken")
-	}
-	data, err := base64.RawURLEncoding.DecodeString(token)
-	if err != nil {
-		return errors.ThrowPermissionDenied(err, "IDP-Swg31", "Errors.Intent.InvalidToken")
-	}
-	decryptedToken, err := s.idpAlg.Decrypt(data, s.idpAlg.EncryptionKeyID())
-	if err != nil {
-		return errors.ThrowPermissionDenied(err, "IDP-Sf4gt", "Errors.Intent.InvalidToken")
-	}
-	if string(decryptedToken) != intentID {
-		return errors.ThrowPermissionDenied(nil, "IDP-dkje3", "Errors.Intent.InvalidToken")
-	}
-	return nil
+	return crypto.CheckToken(s.idpAlg, token, intentID)
 }

 func (s *Server) ListAuthenticationMethodTypes(ctx context.Context, req *user.ListAuthenticationMethodTypesRequest) (*user.ListAuthenticationMethodTypesResponse, error) {
--- a/internal/api/grpc/user/v2/user_integration_test.go
+++ b/internal/api/grpc/user/v2/user_integration_test.go
@@ -13,17 +13,11 @@ import (
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/zitadel/oidc/v2/pkg/oidc"
-	"golang.org/x/oauth2"
 	"google.golang.org/protobuf/types/known/structpb"
 	"google.golang.org/protobuf/types/known/timestamppb"

-	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/grpc"
-	"github.com/zitadel/zitadel/internal/command"
-	openid "github.com/zitadel/zitadel/internal/idp/providers/oidc"
 	"github.com/zitadel/zitadel/internal/integration"
-	"github.com/zitadel/zitadel/internal/repository/idp"
 	mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
 	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
 	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
@@ -50,63 +44,8 @@ func TestMain(m *testing.M) {
 	}())
 }

-func createProvider(t *testing.T) string {
-	ctx := authz.WithInstance(context.Background(), Tester.Instance)
-	id, _, err := Tester.Commands.AddOrgGenericOAuthProvider(ctx, Tester.Organisation.ID, command.GenericOAuthProvider{
-		"idp",
-		"clientID",
-		"clientSecret",
-		"https://example.com/oauth/v2/authorize",
-		"https://example.com/oauth/v2/token",
-		"https://api.example.com/user",
-		[]string{"openid", "profile", "email"},
-		"id",
-		idp.Options{
-			IsLinkingAllowed:  true,
-			IsCreationAllowed: true,
-			IsAutoCreation:    true,
-			IsAutoUpdate:      true,
-		},
-	})
-	require.NoError(t, err)
-	return id
-}
-
-func createIntent(t *testing.T, idpID string) string {
-	ctx := authz.WithInstance(context.Background(), Tester.Instance)
-	id, _, err := Tester.Commands.CreateIntent(ctx, idpID, "https://example.com/success", "https://example.com/failure", Tester.Organisation.ID)
-	require.NoError(t, err)
-	return id
-}
-
-func createSuccessfulIntent(t *testing.T, idpID string) (string, string, time.Time, uint64) {
-	ctx := authz.WithInstance(context.Background(), Tester.Instance)
-	intentID := createIntent(t, idpID)
-	writeModel, err := Tester.Commands.GetIntentWriteModel(ctx, intentID, Tester.Organisation.ID)
-	require.NoError(t, err)
-	idpUser := openid.NewUser(
-		&oidc.UserInfo{
-			Subject: "id",
-			UserInfoProfile: oidc.UserInfoProfile{
-				PreferredUsername: "username",
-			},
-		},
-	)
-	idpSession := &openid.Session{
-		Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
-			Token: &oauth2.Token{
-				AccessToken: "accessToken",
-			},
-			IDToken: "idToken",
-		},
-	}
-	token, err := Tester.Commands.SucceedIDPIntent(ctx, writeModel, idpUser, idpSession, "")
-	require.NoError(t, err)
-	return intentID, token, writeModel.ChangeDate, writeModel.ProcessedSequence
-}
-
 func TestServer_AddHumanUser(t *testing.T) {
-	idpID := createProvider(t)
+	idpID := Tester.AddGenericOAuthProvider(t)
 	type args struct {
 		ctx context.Context
 		req *user.AddHumanUserRequest
@@ -483,7 +422,7 @@ func TestServer_AddHumanUser(t *testing.T) {
 }

 func TestServer_AddIDPLink(t *testing.T) {
-	idpID := createProvider(t)
+	idpID := Tester.AddGenericOAuthProvider(t)
 	type args struct {
 		ctx context.Context
 		req *user.AddIDPLinkRequest
@@ -563,7 +502,7 @@ func TestServer_AddIDPLink(t *testing.T) {
 }

 func TestServer_StartIdentityProviderFlow(t *testing.T) {
-	idpID := createProvider(t)
+	idpID := Tester.AddGenericOAuthProvider(t)
 	type args struct {
 		ctx context.Context
 		req *user.StartIdentityProviderFlowRequest
@@ -627,9 +566,9 @@ func TestServer_StartIdentityProviderFlow(t *testing.T) {
 }

 func TestServer_RetrieveIdentityProviderInformation(t *testing.T) {
-	idpID := createProvider(t)
-	intentID := createIntent(t, idpID)
-	successfulID, token, changeDate, sequence := createSuccessfulIntent(t, idpID)
+	idpID := Tester.AddGenericOAuthProvider(t)
+	intentID := Tester.CreateIntent(t, idpID)
+	successfulID, token, changeDate, sequence := Tester.CreateSuccessfulIntent(t, idpID, "", "id")
 	type args struct {
 		ctx context.Context
 		req *user.RetrieveIdentityProviderInformationRequest