From 252e59d5cd6bffbd7d31ae3bc800023847b932af Mon Sep 17 00:00:00 2001 From: Livio Spring Date: Thu, 14 Mar 2024 09:49:10 +0100 Subject: [PATCH] fix: get orgID when missing on trigger logs (#7555) --- internal/activity/activity.go | 42 ++++++++++++++++++++++++++++++- internal/api/oidc/auth_request.go | 14 +++++------ internal/api/saml/storage.go | 2 +- internal/command/session.go | 2 +- 4 files changed, 50 insertions(+), 10 deletions(-) diff --git a/internal/activity/activity.go b/internal/activity/activity.go index b62b3094c5..85095c7593 100644 --- a/internal/activity/activity.go +++ b/internal/activity/activity.go @@ -10,6 +10,8 @@ import ( "github.com/zitadel/zitadel/internal/api/authz" http_utils "github.com/zitadel/zitadel/internal/api/http" "github.com/zitadel/zitadel/internal/api/info" + "github.com/zitadel/zitadel/internal/eventstore" + "github.com/zitadel/zitadel/internal/repository/user" ) const ( @@ -50,7 +52,10 @@ func (t TriggerMethod) String() string { } // Trigger is used to log a specific events for a user (e.g. session or oidc token creation) -func Trigger(ctx context.Context, orgID, userID string, trigger TriggerMethod) { +func Trigger(ctx context.Context, orgID, userID string, trigger TriggerMethod, reducer func(ctx context.Context, r eventstore.QueryReducer) error) { + if orgID == "" && userID != "" { + orgID = getOrgOfUser(ctx, userID, reducer) + } ai := info.ActivityInfoFromContext(ctx) triggerLog( authz.GetInstance(ctx).InstanceID(), @@ -99,3 +104,38 @@ func triggerLog(instanceID, orgID, userID, domain string, trigger TriggerMethod, "isSystemUser", isSystemUser, ).Info(Activity) } + +func getOrgOfUser(ctx context.Context, userID string, reducer func(ctx context.Context, r eventstore.QueryReducer) error) string { + org := &orgIDOfUser{userID: userID} + err := reducer(ctx, org) + if err != nil { + logging.WithError(err).Error("could not get org id of user for trigger log") + return "" + } + return org.orgID +} + +type orgIDOfUser struct { + eventstore.WriteModel + + userID string + orgID string +} + +func (u *orgIDOfUser) Query() *eventstore.SearchQueryBuilder { + return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent). + OrderDesc(). + Limit(1). + AddQuery(). + AggregateTypes(user.AggregateType). + AggregateIDs(u.userID). + Builder() +} + +func (u *orgIDOfUser) Reduce() error { + if len(u.Events) == 0 { + return nil + } + u.orgID = u.Events[0].Aggregate().ResourceOwner + return nil +} diff --git a/internal/api/oidc/auth_request.go b/internal/api/oidc/auth_request.go index fb5bd1080f..093d0d91bc 100644 --- a/internal/api/oidc/auth_request.go +++ b/internal/api/oidc/auth_request.go @@ -216,7 +216,7 @@ func (o *OPStorage) CreateAccessToken(ctx context.Context, req op.TokenRequest) userOrgID = authReq.UserOrgID case *AuthRequestV2: // trigger activity log for authentication for user - activity.Trigger(ctx, "", authReq.CurrentAuthRequest.UserID, activity.OIDCAccessToken) + activity.Trigger(ctx, "", authReq.CurrentAuthRequest.UserID, activity.OIDCAccessToken, o.eventstore.FilterToQueryReducer) return o.command.AddOIDCSessionAccessToken(setContextUserSystem(ctx), authReq.GetID()) case op.IDTokenRequest: applicationID = authReq.GetClientID() @@ -233,7 +233,7 @@ func (o *OPStorage) CreateAccessToken(ctx context.Context, req op.TokenRequest) } // trigger activity log for authentication for user - activity.Trigger(ctx, userOrgID, req.GetSubject(), activity.OIDCAccessToken) + activity.Trigger(ctx, userOrgID, req.GetSubject(), activity.OIDCAccessToken, o.eventstore.FilterToQueryReducer) return resp.TokenID, resp.Expiration, nil } @@ -248,11 +248,11 @@ func (o *OPStorage) CreateAccessAndRefreshTokens(ctx context.Context, req op.Tok switch tokenReq := req.(type) { case *AuthRequestV2: // trigger activity log for authentication for user - activity.Trigger(ctx, "", tokenReq.GetSubject(), activity.OIDCRefreshToken) + activity.Trigger(ctx, "", tokenReq.GetSubject(), activity.OIDCRefreshToken, o.eventstore.FilterToQueryReducer) return o.command.AddOIDCSessionRefreshAndAccessToken(setContextUserSystem(ctx), tokenReq.GetID()) case *RefreshTokenRequestV2: // trigger activity log for authentication for user - activity.Trigger(ctx, "", tokenReq.GetSubject(), activity.OIDCRefreshToken) + activity.Trigger(ctx, "", tokenReq.GetSubject(), activity.OIDCRefreshToken, o.eventstore.FilterToQueryReducer) return o.command.ExchangeOIDCSessionRefreshAndAccessToken(setContextUserSystem(ctx), tokenReq.OIDCSessionWriteModel.AggregateID, refreshToken, tokenReq.RequestedScopes) } @@ -281,7 +281,7 @@ func (o *OPStorage) CreateAccessAndRefreshTokens(ctx context.Context, req op.Tok } // trigger activity log for authentication for user - activity.Trigger(ctx, userOrgID, req.GetSubject(), activity.OIDCRefreshToken) + activity.Trigger(ctx, userOrgID, req.GetSubject(), activity.OIDCRefreshToken, o.eventstore.FilterToQueryReducer) return resp.TokenID, token, resp.Expiration, nil } @@ -315,7 +315,7 @@ func (o *OPStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken return nil, err } // trigger activity log for authentication for user - activity.Trigger(ctx, "", oidcSession.UserID, activity.OIDCRefreshToken) + activity.Trigger(ctx, "", oidcSession.UserID, activity.OIDCRefreshToken, o.eventstore.FilterToQueryReducer) return &RefreshTokenRequestV2{OIDCSessionWriteModel: oidcSession}, nil } @@ -325,7 +325,7 @@ func (o *OPStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken } // trigger activity log for use of refresh token for user - activity.Trigger(ctx, tokenView.ResourceOwner, tokenView.UserID, activity.OIDCRefreshToken) + activity.Trigger(ctx, tokenView.ResourceOwner, tokenView.UserID, activity.OIDCRefreshToken, o.eventstore.FilterToQueryReducer) return RefreshTokenRequestFromBusiness(tokenView), nil } diff --git a/internal/api/saml/storage.go b/internal/api/saml/storage.go index 49c95b5d05..542be9d6bc 100644 --- a/internal/api/saml/storage.go +++ b/internal/api/saml/storage.go @@ -151,7 +151,7 @@ func (p *Storage) SetUserinfoWithUserID(ctx context.Context, applicationID strin setUserinfo(user, userinfo, attributes, customAttributes) // trigger activity log for authentication for user - activity.Trigger(ctx, user.ResourceOwner, user.ID, activity.SAMLResponse) + activity.Trigger(ctx, user.ResourceOwner, user.ID, activity.SAMLResponse, p.eventstore.FilterToQueryReducer) return nil } diff --git a/internal/command/session.go b/internal/command/session.go index 147921b550..ae63f3d6ec 100644 --- a/internal/command/session.go +++ b/internal/command/session.go @@ -228,7 +228,7 @@ func (s *SessionCommands) OTPEmailChecked(ctx context.Context, checkedAt time.Ti func (s *SessionCommands) SetToken(ctx context.Context, tokenID string) { // trigger activity log for session for user - activity.Trigger(ctx, s.sessionWriteModel.UserResourceOwner, s.sessionWriteModel.UserID, activity.SessionAPI) + activity.Trigger(ctx, s.sessionWriteModel.UserResourceOwner, s.sessionWriteModel.UserID, activity.SessionAPI, s.eventstore.FilterToQueryReducer) s.eventCommands = append(s.eventCommands, session.NewTokenSetEvent(ctx, s.sessionWriteModel.aggregate, tokenID)) }