TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-02-28 16:27:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: tokens on user aggregate (#837)

Browse Source 
* fix: fix remove policies in spoolers

* fix: reread of token by id

* fix: update oidc package

* fix: possible nil pointer on token split

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
This commit is contained in:
Fabi 2020-10-15 13:52:41 +02:00 committed by GitHub
parent fbb30840f1
commit 265b491696
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 518 additions and 247 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
go.mod
View File

@ -15,7 +15,7 @@ require (
github.com/aws/aws-sdk-go v1.34.24 // indirect
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc
github.com/caos/logging v0.0.2
github.com/caos/oidc v0.10.0
github.com/caos/oidc v0.11.1
github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
github.com/cockroachdb/cockroach-go/v2 v2.0.7
github.com/envoyproxy/protoc-gen-validate v0.4.1
@ -37,6 +37,7 @@ require (
github.com/kevinburke/go.uuid v1.2.0 // indirect
github.com/kevinburke/rest v0.0.0-20200429221318-0d2892b400f8 // indirect
github.com/kevinburke/twilio-go v0.0.0-20200810163702-320748330fac
github.com/konsorten/go-windows-terminal-sequences v1.0.3 // indirect
github.com/lib/pq v1.8.0
github.com/mattn/go-colorable v0.1.7 // indirect
github.com/mattn/go-sqlite3 v2.0.3+incompatible // indirect

14
go.sum
View File

@ -73,6 +73,10 @@ github.com/caos/logging v0.0.2 h1:ebg5C/HN0ludYR+WkvnFjwSExF4wvyiWPyWGcKMYsoo=
github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0=
github.com/caos/oidc v0.10.0 h1:/GKyQgKHvkc2jNCXzmdJs9hCXDYdArCMm3d5FXaiNWA=
github.com/caos/oidc v0.10.0/go.mod h1:RREtWSRzH/mXQXJkxB63mFDZ/RUNyzoU6czd6UJfvJI=
github.com/caos/oidc v0.11.0 h1:larwR0ur4hcHXkMtlXbHApv4DUr5yu/zbxBeGjcpTXk=
github.com/caos/oidc v0.11.0/go.mod h1:R9UKITZmSo5vNhSLUYcTDH8pAaV2xwPASXg8wpEs2xQ=
github.com/caos/oidc v0.11.1 h1:7Nkup+fiU/zZVN61BfGOTzuloD7aOdqA3V9eNrJv5xc=
github.com/caos/oidc v0.11.1/go.mod h1:R9UKITZmSo5vNhSLUYcTDH8pAaV2xwPASXg8wpEs2xQ=
github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@ -347,6 +351,8 @@ github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I=
github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/sony/sonyflake v1.0.0 h1:MpU6Ro7tfXwgn2l5eluf9xQvQJDROTBImNCfRXn/YeM=
github.com/sony/sonyflake v1.0.0/go.mod h1:Jv3cfhf/UFtolOTTRd3q4Nl6ENqM+KfyZ5PseKfZGF4=
github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
@ -403,6 +409,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnk
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a h1:vclmkQCjlDX5OydZ9wv8rBCcS0QyQY66Mpf/7BZbInM=
golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee h1:4yd7jl+vXjalO5ztz6Vc1VADv+S/80LGJmyl1ROJ2AI=
golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -476,6 +484,8 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202 h1:VvcQYSHwXgi7W+TpUR6A9g6Up
golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20200904194848-62affa334b73 h1:MXfv8rhZWmFeqX3GNZRsd6vOLoaCHjYEX3qkRo3YBUA=
golang.org/x/net v0.0.0-20200904194848-62affa334b73/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20201010224723-4f7140c49acb h1:mUVeFHoDKis5nxCAzoAi7E8Ghb86EXh/RK6wtvJIqRY=
golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -512,6 +522,7 @@ golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191206220618-eeba5f6aabab h1:FvshnhkKW+LO3HWHodML8kuVX8rnJTxKm9dFPuI68UM=
golang.org/x/sys v0.0.0-20191206220618-eeba5f6aabab/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -535,6 +546,9 @@ golang.org/x/sys v0.0.0-20200523222454-059865788121 h1:rITEj+UZHYC927n8GT97eC3zr
golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200803210538-64077c9b5642 h1:B6caxRw+hozq68X2MY7jEpZh/cr4/aHLv9xU8Kkadrw=
golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201013081832-0aaa2718063a h1:bhXnJ7fn2SiL+C8iOWPfNBJKDTjUByftpPW7b9CX94U=
golang.org/x/sys v0.0.0-20201013081832-0aaa2718063a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

2
internal/api/oidc/auth_request.go
View File

@ -70,7 +70,7 @@ func (o *OPStorage) CreateToken(ctx context.Context, req op.TokenRequest) (strin
if err != nil {
return "", time.Time{}, err
}
return resp.ID, resp.Expiration, nil
return resp.TokenID, resp.Expiration, nil
}
func grantsToScopes(grants []*grant_model.UserGrantView) []string {

4
internal/api/oidc/client.go
View File

@ -65,8 +65,8 @@ func (o *OPStorage) AuthorizeClientIDSecret(ctx context.Context, id string, secr
return o.repo.AuthorizeOIDCApplication(ctx, id, secret)
}
func (o *OPStorage) GetUserinfoFromToken(ctx context.Context, tokenID, origin string) (*oidc.Userinfo, error) {
token, err := o.repo.TokenByID(ctx, tokenID)
func (o *OPStorage) GetUserinfoFromToken(ctx context.Context, tokenID, subject, origin string) (*oidc.Userinfo, error) {
token, err := o.repo.TokenByID(ctx, tokenID, subject)
if err != nil {
return nil, err
}

75
internal/auth/repository/eventsourcing/eventstore/token.go
View File

@ -2,38 +2,83 @@ package eventstore
import (
"context"
"github.com/caos/logging"
"github.com/caos/zitadel/internal/errors"
"github.com/caos/zitadel/internal/eventstore/models"
usr_model "github.com/caos/zitadel/internal/user/model"
user_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
"github.com/caos/zitadel/internal/user/repository/view/model"
"time"
"github.com/caos/zitadel/internal/auth/repository/eventsourcing/view"
token_model "github.com/caos/zitadel/internal/token/model"
token_view_model "github.com/caos/zitadel/internal/token/repository/view/model"
)
type TokenRepo struct {
View *view.View
UserEvents *user_event.UserEventstore
View *view.View
}
func (repo *TokenRepo) CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*token_model.Token, error) {
func (repo *TokenRepo) CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error) {
preferredLanguage := ""
user, _ := repo.View.UserByID(userID)
if user != nil {
preferredLanguage = user.PreferredLanguage
}
token, err := repo.View.CreateToken(agentID, applicationID, userID, preferredLanguage, audience, scopes, lifetime)
if err != nil {
return nil, err
now := time.Now().UTC()
token := &usr_model.Token{
ObjectRoot: models.ObjectRoot{
AggregateID: userID,
},
UserAgentID: agentID,
ApplicationID: applicationID,
Audience: audience,
Scopes: scopes,
Expiration: now.Add(lifetime),
PreferredLanguage: preferredLanguage,
}
return token_view_model.TokenToModel(token), nil
return repo.UserEvents.TokenAdded(ctx, token)
}
func (repo *TokenRepo) IsTokenValid(ctx context.Context, tokenID string) (bool, error) {
return repo.View.IsTokenValid(tokenID)
func (repo *TokenRepo) IsTokenValid(ctx context.Context, userID, tokenID string) (bool, error) {
token, err := repo.TokenByID(ctx, userID, tokenID)
if err == nil {
return token.Expiration.After(time.Now().UTC()), nil
}
if errors.IsNotFound(err) {
return false, nil
}
return false, err
}
func (repo *TokenRepo) TokenByID(ctx context.Context, tokenID string) (*token_model.Token, error) {
token, err := repo.View.TokenByID(tokenID)
if err != nil {
return nil, err
func (repo *TokenRepo) TokenByID(ctx context.Context, userID, tokenID string) (*usr_model.TokenView, error) {
token, viewErr := repo.View.TokenByID(tokenID)
if viewErr != nil && !errors.IsNotFound(viewErr) {
return nil, viewErr
}
return token_view_model.TokenToModel(token), nil
if errors.IsNotFound(viewErr) {
token = new(model.TokenView)
token.ID = tokenID
token.UserID = userID
}
events, esErr := repo.UserEvents.UserEventsByID(ctx, userID, token.Sequence)
if errors.IsNotFound(viewErr) && len(events) == 0 {
return nil, errors.ThrowNotFound(nil, "EVENT-4T90g", "Errors.Token.NotFound")
}
if esErr != nil {
logging.Log("EVENT-5Nm9s").WithError(viewErr).Debug("error retrieving new events")
return model.TokenViewToModel(token), nil
}
viewToken := *token
for _, event := range events {
err := token.AppendEventIfMyToken(event)
if err != nil {
return model.TokenViewToModel(&viewToken), nil
}
}
if !token.Expiration.After(time.Now().UTC()) || token.Deactivated {
return nil, errors.ThrowNotFound(nil, "EVENT-5Bm9s", "Errors.Token.NotFound")
}
return model.TokenViewToModel(token), nil
}

7
internal/auth/repository/eventsourcing/handler/token.go
View File

@ -43,6 +43,13 @@ func (u *Token) EventQuery() (*models.SearchQuery, error) {
func (u *Token) Reduce(event *models.Event) (err error) {
switch event.Type {
case user_es_model.UserTokenAdded:
token := new(view_model.TokenView)
err := token.AppendEvent(event)
if err != nil {
return err
}
return u.view.PutToken(token)
case user_es_model.UserProfileChanged,
user_es_model.HumanProfileChanged:
user := new(view_model.UserView)

5
internal/auth/repository/eventsourcing/repository.go
View File

@ -143,7 +143,10 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, au
MfaHardwareCheckLifeTime: systemDefaults.VerificationLifetimes.MfaHardwareCheck.Duration,
IAMID: systemDefaults.IamID,
},
eventstore.TokenRepo{View: view},
eventstore.TokenRepo{
UserEvents: user,
View: view,
},
eventstore.KeyRepository{
KeyEvents: key,
View: view,

57
internal/auth/repository/eventsourcing/view/token.go
View File

@ -1,62 +1,33 @@
package view
import (
usr_view "github.com/caos/zitadel/internal/user/repository/view"
"github.com/caos/zitadel/internal/user/repository/view/model"
"github.com/caos/zitadel/internal/view/repository"
"time"
"github.com/caos/zitadel/internal/token/repository/view"
"github.com/caos/zitadel/internal/token/repository/view/model"
)
const (
tokenTable = "auth.tokens"
)
func (v *View) TokenByID(tokenID string) (*model.Token, error) {
return view.TokenByID(v.Db, tokenTable, tokenID)
func (v *View) TokenByID(tokenID string) (*model.TokenView, error) {
return usr_view.TokenByID(v.Db, tokenTable, tokenID)
}
func (v *View) TokensByUserID(userID string) ([]*model.Token, error) {
return view.TokensByUserID(v.Db, tokenTable, userID)
func (v *View) TokensByUserID(userID string) ([]*model.TokenView, error) {
return usr_view.TokensByUserID(v.Db, tokenTable, userID)
}
func (v *View) IsTokenValid(tokenID string) (bool, error) {
return view.IsTokenValid(v.Db, tokenTable, tokenID)
}
func (v *View) CreateToken(agentID, applicationID, userID, preferredLanguage string, audience, scopes []string, lifetime time.Duration) (*model.Token, error) {
id, err := v.idGenerator.Next()
if err != nil {
return nil, err
}
now := time.Now().UTC()
token := &model.Token{
ID: id,
CreationDate: now,
UserID: userID,
ApplicationID: applicationID,
UserAgentID: agentID,
Scopes: scopes,
Audience: audience,
Expiration: now.Add(lifetime),
PreferredLanguage: preferredLanguage,
}
if err := view.PutToken(v.Db, tokenTable, token); err != nil {
return nil, err
}
return token, nil
}
func (v *View) PutToken(token *model.Token) error {
err := view.PutToken(v.Db, tokenTable, token)
func (v *View) PutToken(token *model.TokenView) error {
err := usr_view.PutToken(v.Db, tokenTable, token)
if err != nil {
return err
}
return v.ProcessedTokenSequence(token.Sequence)
}
func (v *View) PutTokens(token []*model.Token, sequence uint64) error {
err := view.PutTokens(v.Db, tokenTable, token...)
func (v *View) PutTokens(token []*model.TokenView, sequence uint64) error {
err := usr_view.PutTokens(v.Db, tokenTable, token...)
if err != nil {
return err
}
@ -64,7 +35,7 @@ func (v *View) PutTokens(token []*model.Token, sequence uint64) error {
}
func (v *View) DeleteToken(tokenID string, eventSequence uint64) error {
err := view.DeleteToken(v.Db, tokenTable, tokenID)
err := usr_view.DeleteToken(v.Db, tokenTable, tokenID)
if err != nil {
return nil
}
@ -72,7 +43,7 @@ func (v *View) DeleteToken(tokenID string, eventSequence uint64) error {
}
func (v *View) DeleteSessionTokens(agentID, userID string, eventSequence uint64) error {
err := view.DeleteSessionTokens(v.Db, tokenTable, agentID, userID)
err := usr_view.DeleteSessionTokens(v.Db, tokenTable, agentID, userID)
if err != nil {
return nil
}
@ -80,7 +51,7 @@ func (v *View) DeleteSessionTokens(agentID, userID string, eventSequence uint64)
}
func (v *View) DeleteUserTokens(userID string, eventSequence uint64) error {
err := view.DeleteUserTokens(v.Db, tokenTable, userID)
err := usr_view.DeleteUserTokens(v.Db, tokenTable, userID)
if err != nil {
return nil
}
@ -88,7 +59,7 @@ func (v *View) DeleteUserTokens(userID string, eventSequence uint64) error {
}
func (v *View) DeleteApplicationTokens(eventSequence uint64, ids ...string) error {
err := view.DeleteApplicationTokens(v.Db, tokenTable, ids)
err := usr_view.DeleteApplicationTokens(v.Db, tokenTable, ids)
if err != nil {
return nil
}

9
internal/auth/repository/token.go
View File

@ -2,13 +2,12 @@ package repository
import (
"context"
usr_model "github.com/caos/zitadel/internal/user/model"
"time"
"github.com/caos/zitadel/internal/token/model"
)
type TokenRepository interface {
CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*model.Token, error)
IsTokenValid(ctx context.Context, tokenID string) (bool, error)
TokenByID(ctx context.Context, tokenID string) (*model.Token, error)
CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error)
IsTokenValid(ctx context.Context, userID, tokenID string) (bool, error)
TokenByID(ctx context.Context, userID, tokenID string) (*usr_model.TokenView, error)
}

48
internal/authz/repository/eventsourcing/eventstore/token_verifier.go
View File

@ -2,6 +2,11 @@ package eventstore
import (
"context"
"github.com/caos/logging"
usr_model "github.com/caos/zitadel/internal/user/model"
usr_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
"github.com/caos/zitadel/internal/user/repository/view/model"
"strings"
"time"
"github.com/caos/zitadel/internal/authz/repository/eventsourcing/view"
@ -16,16 +21,55 @@ type TokenVerifierRepo struct {
IAMID string
IAMEvents *iam_event.IAMEventstore
ProjectEvents *proj_event.ProjectEventstore
UserEvents *usr_event.UserEventstore
View *view.View
}
func (repo *TokenVerifierRepo) TokenByID(ctx context.Context, tokenID, userID string) (*usr_model.TokenView, error) {
token, viewErr := repo.View.TokenByID(tokenID)
if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
return nil, viewErr
}
if caos_errs.IsNotFound(viewErr) {
token = new(model.TokenView)
token.ID = tokenID
token.UserID = userID
}
events, esErr := repo.UserEvents.UserEventsByID(ctx, userID, token.Sequence)
if caos_errs.IsNotFound(viewErr) && len(events) == 0 {
return nil, caos_errs.ThrowNotFound(nil, "EVENT-4T90g", "Errors.Token.NotFound")
}
if esErr != nil {
logging.Log("EVENT-5Nm9s").WithError(viewErr).Debug("error retrieving new events")
return model.TokenViewToModel(token), nil
}
viewToken := *token
for _, event := range events {
err := token.AppendEventIfMyToken(event)
if err != nil {
return model.TokenViewToModel(&viewToken), nil
}
}
if !token.Expiration.After(time.Now().UTC()) || token.Deactivated {
return nil, caos_errs.ThrowNotFound(nil, "EVENT-5Bm9s", "Errors.Token.NotFound")
}
return model.TokenViewToModel(token), nil
}
func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, clientID string) (userID string, agentID string, prefLang string, err error) {
//TODO: use real key
tokenID, err := crypto.DecryptAESString(tokenString, string(repo.TokenVerificationKey[:32]))
tokenIDSubject, err := crypto.DecryptAESString(tokenString, string(repo.TokenVerificationKey[:32]))
if err != nil {
return "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-8EF0zZ", "invalid token")
}
token, err := repo.View.TokenByID(tokenID)
splittedToken := strings.Split(tokenIDSubject, ":")
if len(splittedToken) != 2 {
return "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-GDg3a", "invalid token")
}
token, err := repo.TokenByID(ctx, splittedToken[0], splittedToken[1])
if err != nil {
return "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-BxUSiL", "invalid token")
}

12
internal/authz/repository/eventsourcing/repository.go
View File

@ -2,6 +2,7 @@ package eventsourcing
import (
"context"
es_user "github.com/caos/zitadel/internal/user/repository/eventsourcing"
"github.com/caos/zitadel/internal/api/authz"
"github.com/caos/zitadel/internal/auth_request/repository/cache"
@ -65,6 +66,16 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults) (*
if err != nil {
return nil, err
}
user, err := es_user.StartUser(
es_user.UserConfig{
Eventstore: es,
Cache: conf.Eventstore.Cache,
},
systemDefaults,
)
if err != nil {
return nil, err
}
repos := handler.EventstoreRepos{IamEvents: iam}
spool := spooler.StartSpooler(conf.Spooler, es, view, sqlClient, repos, systemDefaults)
@ -85,6 +96,7 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults) (*
IAMID: systemDefaults.IamID,
IAMEvents: iam,
ProjectEvents: project,
UserEvents: user,
View: view,
},
}, nil

20
internal/authz/repository/eventsourcing/view/token.go
View File

@ -1,8 +1,8 @@
package view
import (
"github.com/caos/zitadel/internal/token/repository/view"
"github.com/caos/zitadel/internal/token/repository/view/model"
usr_view "github.com/caos/zitadel/internal/user/repository/view"
usr_view_model "github.com/caos/zitadel/internal/user/repository/view/model"
"github.com/caos/zitadel/internal/view/repository"
)
@ -10,16 +10,12 @@ const (
tokenTable = "auth.tokens"
)
func (v *View) TokenByID(tokenID string) (*model.Token, error) {
return view.TokenByID(v.Db, tokenTable, tokenID)
func (v *View) TokenByID(tokenID string) (*usr_view_model.TokenView, error) {
return usr_view.TokenByID(v.Db, tokenTable, tokenID)
}
func (v *View) IsTokenValid(tokenID string) (bool, error) {
return view.IsTokenValid(v.Db, tokenTable, tokenID)
}
func (v *View) PutToken(token *model.Token) error {
err := view.PutToken(v.Db, tokenTable, token)
func (v *View) PutToken(token *usr_view_model.TokenView) error {
err := usr_view.PutToken(v.Db, tokenTable, token)
if err != nil {
return err
}
@ -27,7 +23,7 @@ func (v *View) PutToken(token *model.Token) error {
}
func (v *View) DeleteToken(tokenID string, eventSequence uint64) error {
err := view.DeleteToken(v.Db, tokenTable, tokenID)
err := usr_view.DeleteToken(v.Db, tokenTable, tokenID)
if err != nil {
return nil
}
@ -35,7 +31,7 @@ func (v *View) DeleteToken(tokenID string, eventSequence uint64) error {
}
func (v *View) DeleteSessionTokens(agentID, userID string, eventSequence uint64) error {
err := view.DeleteSessionTokens(v.Db, tokenTable, agentID, userID)
err := usr_view.DeleteSessionTokens(v.Db, tokenTable, agentID, userID)
if err != nil {
return nil
}

1
internal/project/repository/view/model/application.go
View File

@ -162,6 +162,7 @@ func (a *ApplicationView) AppendEventIfMyApp(event *models.Event) (err error) {
}
return nil
}
func (a *ApplicationView) AppendEvent(event *models.Event) (err error) {
a.Sequence = event.Sequence
a.ChangeDate = event.CreationDate

67
internal/token/repository/view/model/token.go
View File

@ -1,67 +0,0 @@
package model
import (
"time"
"github.com/lib/pq"
"github.com/caos/zitadel/internal/token/model"
)
const (
TokenKeyTokenID = "id"
TokenKeyUserID = "user_id"
TokenKeyApplicationID = "application_id"
TokenKeyUserAgentID = "user_agent_id"
TokenKeyExpiration = "expiration"
TokenKeyResourceOwner = "resource_owner"
)
type Token struct {
ID string `json:"-" gorm:"column:id;primary_key"`
CreationDate time.Time `json:"-" gorm:"column:creation_date"`
ChangeDate time.Time `json:"-" gorm:"column:change_date"`
ResourceOwner string `json:"-" gorm:"column:resource_owner"`
UserID string `json:"-" gorm:"column:user_id"`
ApplicationID string `json:"-" gorm:"column:application_id"`
UserAgentID string `json:"-" gorm:"column:user_agent_id"`
Audience pq.StringArray `json:"-" gorm:"column:audience"`
Scopes pq.StringArray `json:"-" gorm:"column:scopes"`
Expiration time.Time `json:"-" gorm:"column:expiration"`
Sequence uint64 `json:"-" gorm:"column:sequence"`
PreferredLanguage string `json:"-" gorm:"column:preferred_language"`
}
func TokenFromModel(token *model.Token) *Token {
return &Token{
ID: token.ID,
CreationDate: token.CreationDate,
ChangeDate: token.ChangeDate,
ResourceOwner: token.ResourceOwner,
UserID: token.UserID,
ApplicationID: token.ApplicationID,
UserAgentID: token.UserAgentID,
Audience: token.Audience,
Scopes: token.Scopes,
Expiration: token.Expiration,
Sequence: token.Sequence,
PreferredLanguage: token.PreferredLanguage,
}
}
func TokenToModel(token *Token) *model.Token {
return &model.Token{
ID: token.ID,
CreationDate: token.CreationDate,
ChangeDate: token.ChangeDate,
ResourceOwner: token.ResourceOwner,
UserID: token.UserID,
ApplicationID: token.ApplicationID,
UserAgentID: token.UserAgentID,
Audience: token.Audience,
Scopes: token.Scopes,
Expiration: token.Expiration,
Sequence: token.Sequence,
PreferredLanguage: token.PreferredLanguage,
}
}

85
internal/token/repository/view/token.go
View File

@ -1,85 +0,0 @@
package view
import (
"time"
"github.com/caos/zitadel/internal/errors"
global_model "github.com/caos/zitadel/internal/model"
token_model "github.com/caos/zitadel/internal/token/model"
"github.com/caos/zitadel/internal/token/repository/view/model"
"github.com/caos/zitadel/internal/view/repository"
"github.com/jinzhu/gorm"
"github.com/lib/pq"
)
func TokenByID(db *gorm.DB, table, tokenID string) (*model.Token, error) {
token := new(model.Token)
query := repository.PrepareGetByKey(table, model.TokenSearchKey(token_model.TokenSearchKeyTokenID), tokenID)
err := query(db, token)
if errors.IsNotFound(err) {
return nil, errors.ThrowNotFound(nil, "VIEW-6ub3p", "Errors.Token.NotFound")
}
return token, err
}
func TokensByUserID(db *gorm.DB, table, userID string) ([]*model.Token, error) {
tokens := make([]*model.Token, 0)
userIDQuery := &token_model.TokenSearchQuery{
Key: token_model.TokenSearchKeyUserID,
Method: global_model.SearchMethodEquals,
Value: userID,
}
query := repository.PrepareSearchQuery(table, model.TokenSearchRequest{
Queries: []*token_model.TokenSearchQuery{userIDQuery},
})
_, err := query(db, &tokens)
return tokens, err
}
func IsTokenValid(db *gorm.DB, table, tokenID string) (bool, error) {
token, err := TokenByID(db, table, tokenID)
if err == nil {
return token.Expiration.After(time.Now().UTC()), nil
}
if errors.IsNotFound(err) {
return false, nil
}
return false, err
}
func PutToken(db *gorm.DB, table string, token *model.Token) error {
save := repository.PrepareSave(table)
return save(db, token)
}
func PutTokens(db *gorm.DB, table string, tokens ...*model.Token) error {
save := repository.PrepareBulkSave(table)
t := make([]interface{}, len(tokens))
for i, token := range tokens {
t[i] = token
}
return save(db, t...)
}
func DeleteToken(db *gorm.DB, table, tokenID string) error {
delete := repository.PrepareDeleteByKey(table, model.TokenSearchKey(token_model.TokenSearchKeyTokenID), tokenID)
return delete(db)
}
func DeleteSessionTokens(db *gorm.DB, table, agentID, userID string) error {
delete := repository.PrepareDeleteByKeys(table,
repository.Key{Key: model.TokenSearchKey(token_model.TokenSearchKeyUserAgentID), Value: agentID},
repository.Key{Key: model.TokenSearchKey(token_model.TokenSearchKeyUserID), Value: userID},
)
return delete(db)
}
func DeleteUserTokens(db *gorm.DB, table, userID string) error {
delete := repository.PrepareDeleteByKey(table, model.TokenSearchKey(token_model.TokenSearchKeyUserID), userID)
return delete(db)
}
func DeleteApplicationTokens(db *gorm.DB, table string, appIDs []string) error {
delete := repository.PrepareDeleteByKey(table, model.TokenSearchKey(token_model.TokenSearchKeyApplicationID), pq.StringArray(appIDs))
return delete(db)
}

18
internal/user/model/token.go Normal file
View File

@ -0,0 +1,18 @@
package model
import (
es_models "github.com/caos/zitadel/internal/eventstore/models"
"time"
)
type Token struct {
es_models.ObjectRoot
TokenID string
ApplicationID string
UserAgentID string
Audience []string
Expiration time.Time
Scopes []string
PreferredLanguage string
}

2
internal/token/model/token.go → internal/user/model/token_view.go
View File

@ -6,7 +6,7 @@ import (
"github.com/caos/zitadel/internal/model"
)
type Token struct {
type TokenView struct {
ID string
CreationDate time.Time
ChangeDate time.Time

21
internal/user/repository/eventsourcing/eventstore.go
View File

@ -634,6 +634,27 @@ func (es *UserEventstore) ExternalLoginChecked(ctx context.Context, userID strin
return nil
}
func (es *UserEventstore) TokenAdded(ctx context.Context, token *usr_model.Token) (*usr_model.Token, error) {
user, err := es.UserByID(ctx, token.AggregateID)
if err != nil {
return nil, err
}
id, err := es.idGenerator.Next()
if err != nil {
return nil, err
}
token.TokenID = id
repoUser := model.UserFromModel(user)
repoToken := model.TokenFromModel(token)
agg := TokenAddedAggregate(es.AggregateCreator(), repoUser, repoToken)
err = es_sdk.Push(ctx, es.PushAggregates, repoToken.AppendEvents, agg)
if err != nil {
return nil, err
}
es.userCache.cacheUser(repoUser)
return model.TokenToModel(repoToken), nil
}
func (es *UserEventstore) ChangeMachine(ctx context.Context, machine *usr_model.Machine) (*usr_model.Machine, error) {
user, err := es.UserByID(ctx, machine.AggregateID)
if err != nil {

80
internal/user/repository/eventsourcing/model/token.go Normal file
View File

@ -0,0 +1,80 @@
package model
import (
"encoding/json"
"time"
"github.com/caos/logging"
caos_errs "github.com/caos/zitadel/internal/errors"
es_models "github.com/caos/zitadel/internal/eventstore/models"
"github.com/caos/zitadel/internal/user/model"
)
type Token struct {
es_models.ObjectRoot
TokenID string `json:"tokenId" gorm:"column:token_id"`
ApplicationID string `json:"applicationId" gorm:"column:application_id"`
UserAgentID string `json:"userAgentId" gorm:"column:user_agent_id"`
Audience []string `json:"audience" gorm:"column:audience"`
Scopes []string `json:"scopes" gorm:"column:scopes"`
Expiration time.Time `json:"expiration" gorm:"column:expiration"`
PreferredLanguage string `json:"preferredLanguage" gorm:"column:preferred_language"`
}
func TokenFromModel(token *model.Token) *Token {
return &Token{
ObjectRoot: token.ObjectRoot,
TokenID: token.TokenID,
ApplicationID: token.ApplicationID,
UserAgentID: token.UserAgentID,
Audience: token.Audience,
Scopes: token.Scopes,
Expiration: token.Expiration,
PreferredLanguage: token.PreferredLanguage,
}
}
func TokenToModel(token *Token) *model.Token {
return &model.Token{
ObjectRoot: token.ObjectRoot,
TokenID: token.TokenID,
ApplicationID: token.ApplicationID,
UserAgentID: token.UserAgentID,
Audience: token.Audience,
Scopes: token.Scopes,
Expiration: token.Expiration,
PreferredLanguage: token.PreferredLanguage,
}
}
func (t *Token) AppendEvents(events ...*es_models.Event) error {
for _, event := range events {
if err := t.AppendEvent(event); err != nil {
return err
}
}
return nil
}
func (t *Token) AppendEvent(event *es_models.Event) error {
switch event.Type {
case UserTokenAdded:
err := t.setData(event)
if err != nil {
return err
}
t.CreationDate = event.CreationDate
}
return nil
}
func (t *Token) setData(event *es_models.Event) error {
t.ObjectRoot.AppendEvent(event)
if err := json.Unmarshal(event.Data, t); err != nil {
logging.Log("EVEN-4Fm9s").WithError(err).Error("could not unmarshal event data")
return caos_errs.ThrowInternal(err, "MODEL-5Gms9", "could not unmarshal event")
}
return nil
}

2
internal/user/repository/eventsourcing/model/types.go
View File

@ -67,6 +67,8 @@ const (
UserDeactivated models.EventType = "user.deactivated"
UserReactivated models.EventType = "user.reactivated"
UserRemoved models.EventType = "user.removed"
UserTokenAdded models.EventType = "user.token.added"
)
// the following consts are for user(v2).human

10
internal/user/repository/eventsourcing/user.go
View File

@ -474,6 +474,16 @@ func ExternalLoginCheckSucceededAggregate(aggCreator *es_models.AggregateCreator
}
}
func TokenAddedAggregate(aggCreator *es_models.AggregateCreator, user *model.User, token *model.Token) es_sdk.AggregateFunc {
return func(ctx context.Context) (*es_models.Aggregate, error) {
agg, err := UserAggregateOverwriteContext(ctx, aggCreator, user, user.ResourceOwner, user.AggregateID)
if err != nil {
return nil, err
}
return agg.AppendEvent(model.UserTokenAdded, token)
}
}
func MachineChangeAggregate(aggCreator *es_models.AggregateCreator, user *model.User, machine *model.Machine) func(ctx context.Context) (*es_models.Aggregate, error) {
return func(ctx context.Context) (*es_models.Aggregate, error) {
if machine == nil {

127
internal/user/repository/view/model/token.go Normal file
View File

@ -0,0 +1,127 @@
package model
import (
"encoding/json"
"github.com/caos/logging"
caos_errs "github.com/caos/zitadel/internal/errors"
"github.com/caos/zitadel/internal/eventstore/models"
es_models "github.com/caos/zitadel/internal/eventstore/models"
usr_model "github.com/caos/zitadel/internal/user/model"
usr_es_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
"time"
"github.com/lib/pq"
)
const (
TokenKeyTokenID = "id"
TokenKeyUserID = "user_id"
TokenKeyApplicationID = "application_id"
TokenKeyUserAgentID = "user_agent_id"
TokenKeyExpiration = "expiration"
TokenKeyResourceOwner = "resource_owner"
)
type TokenView struct {
ID string `json:"tokenId" gorm:"column:id;primary_key"`
CreationDate time.Time `json:"-" gorm:"column:creation_date"`
ChangeDate time.Time `json:"-" gorm:"column:change_date"`
ResourceOwner string `json:"-" gorm:"column:resource_owner"`
UserID string `json:"-" gorm:"column:user_id"`
ApplicationID string `json:"applicationId" gorm:"column:application_id"`
UserAgentID string `json:"userAgentId" gorm:"column:user_agent_id"`
Audience pq.StringArray `json:"audience" gorm:"column:audience"`
Scopes pq.StringArray `json:"scopes" gorm:"column:scopes"`
Expiration time.Time `json:"expiration" gorm:"column:expiration"`
Sequence uint64 `json:"-" gorm:"column:sequence"`
PreferredLanguage string `json:"preferredLanguage" gorm:"column:preferred_language"`
Deactivated bool `json:"-" gorm:"-"`
}
func TokenViewFromModel(token *usr_model.TokenView) *TokenView {
return &TokenView{
ID: token.ID,
CreationDate: token.CreationDate,
ChangeDate: token.ChangeDate,
ResourceOwner: token.ResourceOwner,
UserID: token.UserID,
ApplicationID: token.ApplicationID,
UserAgentID: token.UserAgentID,
Audience: token.Audience,
Scopes: token.Scopes,
Expiration: token.Expiration,
Sequence: token.Sequence,
PreferredLanguage: token.PreferredLanguage,
}
}
func TokenViewToModel(token *TokenView) *usr_model.TokenView {
return &usr_model.TokenView{
ID: token.ID,
CreationDate: token.CreationDate,
ChangeDate: token.ChangeDate,
ResourceOwner: token.ResourceOwner,
UserID: token.UserID,
ApplicationID: token.ApplicationID,
UserAgentID: token.UserAgentID,
Audience: token.Audience,
Scopes: token.Scopes,
Expiration: token.Expiration,
Sequence: token.Sequence,
PreferredLanguage: token.PreferredLanguage,
}
}
func (t *TokenView) AppendEventIfMyToken(event *models.Event) (err error) {
view := new(TokenView)
switch event.Type {
case usr_es_model.UserTokenAdded:
view.setRootData(event)
err = view.setData(event)
case usr_es_model.UserRemoved,
usr_es_model.UserDeactivated,
usr_es_model.UserLocked:
t.Deactivated = true
return nil
case usr_es_model.UserUnlocked,
usr_es_model.UserReactivated:
if t.ID != "" && event.CreationDate.Before(t.CreationDate) {
t.Deactivated = false
}
return nil
default:
return nil
}
if view.ID == t.ID {
return t.AppendEvent(event)
}
return nil
}
func (t *TokenView) AppendEvent(event *es_models.Event) error {
t.ChangeDate = event.CreationDate
t.Sequence = event.Sequence
switch event.Type {
case usr_es_model.UserTokenAdded:
t.setRootData(event)
err := t.setData(event)
if err != nil {
return err
}
t.CreationDate = event.CreationDate
}
return nil
}
func (t *TokenView) setRootData(event *models.Event) {
t.UserID = event.AggregateID
t.ResourceOwner = event.ResourceOwner
}
func (t *TokenView) setData(event *es_models.Event) error {
if err := json.Unmarshal(event.Data, t); err != nil {
logging.Log("EVEN-3Gm9s").WithError(err).Error("could not unmarshal event data")
return caos_errs.ThrowInternal(err, "MODEL-5Gms9", "could not unmarshal event")
}
return nil
}

24
internal/token/repository/view/model/token_query.go → internal/user/repository/view/model/token_query.go
View File

@ -2,13 +2,13 @@ package model
import (
global_model "github.com/caos/zitadel/internal/model"
token_model "github.com/caos/zitadel/internal/token/model"
"github.com/caos/zitadel/internal/user/model"
"github.com/caos/zitadel/internal/view/repository"
)
type TokenSearchRequest token_model.TokenSearchRequest
type TokenSearchQuery token_model.TokenSearchQuery
type TokenSearchKey token_model.TokenSearchKey
type TokenSearchRequest model.TokenSearchRequest
type TokenSearchQuery model.TokenSearchQuery
type TokenSearchKey model.TokenSearchKey
func (req TokenSearchRequest) GetLimit() uint64 {
return req.Limit
@ -19,7 +19,7 @@ func (req TokenSearchRequest) GetOffset() uint64 {
}
func (req TokenSearchRequest) GetSortingColumn() repository.ColumnKey {
if req.SortingColumn == token_model.TokenSearchKeyUnspecified {
if req.SortingColumn == model.TokenSearchKeyUnspecified {
return nil
}
return TokenSearchKey(req.SortingColumn)
@ -50,18 +50,18 @@ func (req TokenSearchQuery) GetValue() interface{} {
}
func (key TokenSearchKey) ToColumnName() string {
switch token_model.TokenSearchKey(key) {
case token_model.TokenSearchKeyTokenID:
switch model.TokenSearchKey(key) {
case model.TokenSearchKeyTokenID:
return TokenKeyTokenID
case token_model.TokenSearchKeyUserAgentID:
case model.TokenSearchKeyUserAgentID:
return TokenKeyUserAgentID
case token_model.TokenSearchKeyUserID:
case model.TokenSearchKeyUserID:
return TokenKeyUserID
case token_model.TokenSearchKeyApplicationID:
case model.TokenSearchKeyApplicationID:
return TokenKeyApplicationID
case token_model.TokenSearchKeyExpiration:
case model.TokenSearchKeyExpiration:
return TokenKeyExpiration
case token_model.TokenSearchKeyResourceOwner:
case model.TokenSearchKeyResourceOwner:
return TokenKeyResourceOwner
default:
return ""

72
internal/user/repository/view/token_view.go Normal file
View File

@ -0,0 +1,72 @@
package view
import (
"github.com/caos/zitadel/internal/errors"
global_model "github.com/caos/zitadel/internal/model"
"github.com/caos/zitadel/internal/user/model"
usr_model "github.com/caos/zitadel/internal/user/repository/view/model"
"github.com/caos/zitadel/internal/view/repository"
"github.com/jinzhu/gorm"
"github.com/lib/pq"
)
func TokenByID(db *gorm.DB, table, tokenID string) (*usr_model.TokenView, error) {
token := new(usr_model.TokenView)
query := repository.PrepareGetByKey(table, usr_model.TokenSearchKey(model.TokenSearchKeyTokenID), tokenID)
err := query(db, token)
if errors.IsNotFound(err) {
return nil, errors.ThrowNotFound(nil, "VIEW-6ub3p", "Errors.Token.NotFound")
}
return token, err
}
func TokensByUserID(db *gorm.DB, table, userID string) ([]*usr_model.TokenView, error) {
tokens := make([]*usr_model.TokenView, 0)
userIDQuery := &model.TokenSearchQuery{
Key: model.TokenSearchKeyUserID,
Method: global_model.SearchMethodEquals,
Value: userID,
}
query := repository.PrepareSearchQuery(table, usr_model.TokenSearchRequest{
Queries: []*model.TokenSearchQuery{userIDQuery},
})
_, err := query(db, &tokens)
return tokens, err
}
func PutToken(db *gorm.DB, table string, token *usr_model.TokenView) error {
save := repository.PrepareSave(table)
return save(db, token)
}
func PutTokens(db *gorm.DB, table string, tokens ...*usr_model.TokenView) error {
save := repository.PrepareBulkSave(table)
t := make([]interface{}, len(tokens))
for i, token := range tokens {
t[i] = token
}
return save(db, t...)
}
func DeleteToken(db *gorm.DB, table, tokenID string) error {
delete := repository.PrepareDeleteByKey(table, usr_model.TokenSearchKey(model.TokenSearchKeyTokenID), tokenID)
return delete(db)
}
func DeleteSessionTokens(db *gorm.DB, table, agentID, userID string) error {
delete := repository.PrepareDeleteByKeys(table,
repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyUserAgentID), Value: agentID},
repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyUserID), Value: userID},
)
return delete(db)
}
func DeleteUserTokens(db *gorm.DB, table, userID string) error {
delete := repository.PrepareDeleteByKey(table, usr_model.TokenSearchKey(model.TokenSearchKeyUserID), userID)
return delete(db)
}
func DeleteApplicationTokens(db *gorm.DB, table string, appIDs []string) error {
delete := repository.PrepareDeleteByKey(table, usr_model.TokenSearchKey(model.TokenSearchKeyApplicationID), pq.StringArray(appIDs))
return delete(db)
}