TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 01:47:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: App API v2 (#10077)

Browse Source 
# Which Problems Are Solved

This PR *partially* addresses #9450 . Specifically, it implements the
resource based API for the apps. APIs for app keys ARE not part of this
PR.

# How the Problems Are Solved

- `CreateApplication`, `PatchApplication` (update) and
`RegenerateClientSecret` endpoints are now unique for all app types:
API, SAML and OIDC apps.
  - All new endpoints have integration tests
  - All new endpoints are using permission checks V2

# Additional Changes

- The `ListApplications` endpoint allows to do sorting (see protobuf for
details) and filtering by app type (see protobuf).
- SAML and OIDC update endpoint can now receive requests for partial
updates

# Additional Context

Partially addresses #9450
This commit is contained in:
Marco A.
2025-06-27 17:25:44 +02:00
committed by GitHub
parent 016676e1dc
commit 2691dae2b6
48 changed files with 6845 additions and 603 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
internal/domain/application_oidc.go
View File

@@ -1,6 +1,7 @@
package domain
import (
"slices"
"strings"
"time"
@@ -32,22 +33,22 @@ type OIDCApp struct {
RedirectUris []string
ResponseTypes []OIDCResponseType
GrantTypes []OIDCGrantType
ApplicationType OIDCApplicationType
AuthMethodType OIDCAuthMethodType
ApplicationType *OIDCApplicationType
AuthMethodType *OIDCAuthMethodType
PostLogoutRedirectUris []string
OIDCVersion OIDCVersion
OIDCVersion *OIDCVersion
Compliance *Compliance
DevMode bool
AccessTokenType OIDCTokenType
AccessTokenRoleAssertion bool
IDTokenRoleAssertion bool
IDTokenUserinfoAssertion bool
ClockSkew time.Duration
DevMode *bool
AccessTokenType *OIDCTokenType
AccessTokenRoleAssertion *bool
IDTokenRoleAssertion *bool
IDTokenUserinfoAssertion *bool
ClockSkew *time.Duration
AdditionalOrigins []string
SkipNativeAppSuccessPage bool
BackChannelLogoutURI string
LoginVersion LoginVersion
LoginBaseURI string
SkipNativeAppSuccessPage *bool
BackChannelLogoutURI *string
LoginVersion *LoginVersion
LoginBaseURI *string
State AppState
}
@@ -69,7 +70,7 @@ func (a *OIDCApp) setClientSecret(encodedHash string) {
}
func (a *OIDCApp) requiresClientSecret() bool {
return a.AuthMethodType == OIDCAuthMethodTypeBasic || a.AuthMethodType == OIDCAuthMethodTypePost
return a.AuthMethodType != nil && (*a.AuthMethodType == OIDCAuthMethodTypeBasic || *a.AuthMethodType == OIDCAuthMethodTypePost)
}
type OIDCVersion int32
@@ -137,7 +138,7 @@ const (
)
func (a *OIDCApp) IsValid() bool {
if a.ClockSkew > time.Second*5 || a.ClockSkew < time.Second*0 || !a.OriginsValid() {
if (a.ClockSkew != nil && (*a.ClockSkew > time.Second*5 || *a.ClockSkew < time.Second*0)) || !a.OriginsValid() {
return false
}
grantTypes := a.getRequiredGrantTypes()
@@ -204,30 +205,25 @@ func ContainsOIDCGrantTypes(shouldContain, list []OIDCGrantType) bool {
}
func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
for _, gt := range grantTypes {
if gt == grantType {
return true
}
}
return false
return slices.Contains(grantTypes, grantType)
}
func (a *OIDCApp) FillCompliance() {
a.Compliance = GetOIDCCompliance(a.OIDCVersion, a.ApplicationType, a.GrantTypes, a.ResponseTypes, a.AuthMethodType, a.RedirectUris)
}
func GetOIDCCompliance(version OIDCVersion, appType OIDCApplicationType, grantTypes []OIDCGrantType, responseTypes []OIDCResponseType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
switch version {
case OIDCVersionV1:
func GetOIDCCompliance(version *OIDCVersion, appType *OIDCApplicationType, grantTypes []OIDCGrantType, responseTypes []OIDCResponseType, authMethod *OIDCAuthMethodType, redirectUris []string) *Compliance {
if version != nil && *version == OIDCVersionV1 {
return GetOIDCV1Compliance(appType, grantTypes, authMethod, redirectUris)
}
return &Compliance{
NoneCompliant: true,
Problems: []string{"Application.OIDC.UnsupportedVersion"},
}
}
func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
func GetOIDCV1Compliance(appType *OIDCApplicationType, grantTypes []OIDCGrantType, authMethod *OIDCAuthMethodType, redirectUris []string) *Compliance {
compliance := &Compliance{NoneCompliant: false}
checkGrantTypesCombination(compliance, grantTypes)
@@ -247,7 +243,7 @@ func checkGrantTypesCombination(compliance *Compliance, grantTypes []OIDCGrantTy
}
}
func checkRedirectURIs(compliance *Compliance, grantTypes []OIDCGrantType, appType OIDCApplicationType, redirectUris []string) {
func checkRedirectURIs(compliance *Compliance, grantTypes []OIDCGrantType, appType *OIDCApplicationType, redirectUris []string) {
// See #5684 for OIDCGrantTypeDeviceCode and redirectUris further explanation
if len(redirectUris) == 0 && (!containsOIDCGrantType(grantTypes, OIDCGrantTypeDeviceCode) || (containsOIDCGrantType(grantTypes, OIDCGrantTypeDeviceCode) && containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode))) {
compliance.NoneCompliant = true
@@ -266,53 +262,58 @@ func checkRedirectURIs(compliance *Compliance, grantTypes []OIDCGrantType, appTy
}
}
func checkApplicationType(compliance *Compliance, appType OIDCApplicationType, authMethod OIDCAuthMethodType) {
switch appType {
case OIDCApplicationTypeNative:
GetOIDCV1NativeApplicationCompliance(compliance, authMethod)
case OIDCApplicationTypeUserAgent:
GetOIDCV1UserAgentApplicationCompliance(compliance, authMethod)
func checkApplicationType(compliance *Compliance, appType *OIDCApplicationType, authMethod *OIDCAuthMethodType) {
if appType != nil {
switch *appType {
case OIDCApplicationTypeNative:
GetOIDCV1NativeApplicationCompliance(compliance, authMethod)
case OIDCApplicationTypeUserAgent:
GetOIDCV1UserAgentApplicationCompliance(compliance, authMethod)
case OIDCApplicationTypeWeb:
return
}
}
if compliance.NoneCompliant {
compliance.Problems = append([]string{"Application.OIDC.V1.NotCompliant"}, compliance.Problems...)
}
}
func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
if authMethod != OIDCAuthMethodTypeNone {
func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod *OIDCAuthMethodType) {
if authMethod != nil && *authMethod != OIDCAuthMethodTypeNone {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.AuthMethodType.NotNone")
}
}
func GetOIDCV1UserAgentApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
if authMethod != OIDCAuthMethodTypeNone {
func GetOIDCV1UserAgentApplicationCompliance(compliance *Compliance, authMethod *OIDCAuthMethodType) {
if authMethod != nil && *authMethod != OIDCAuthMethodTypeNone {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.UserAgent.AuthMethodType.NotNone")
}
}
func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
func CheckRedirectUrisCode(compliance *Compliance, appType *OIDCApplicationType, redirectUris []string) {
if urlsAreHttps(redirectUris) {
return
}
if urlContainsPrefix(redirectUris, http) {
if appType == OIDCApplicationTypeUserAgent {
if appType != nil && *appType == OIDCApplicationTypeUserAgent {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
}
if appType == OIDCApplicationTypeNative && !onlyLocalhostIsHttp(redirectUris) {
if appType != nil && *appType == OIDCApplicationTypeNative && !onlyLocalhostIsHttp(redirectUris) {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.RedirectUris.MustBeHttpLocalhost")
}
}
if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
if containsCustom(redirectUris) && appType != nil && *appType != OIDCApplicationTypeNative {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative")
}
}
func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
func CheckRedirectUrisImplicit(compliance *Compliance, appType *OIDCApplicationType, redirectUris []string) {
if urlsAreHttps(redirectUris) {
return
}
@@ -321,7 +322,7 @@ func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationTy
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
}
if urlContainsPrefix(redirectUris, http) {
if appType == OIDCApplicationTypeNative {
if appType != nil && *appType == OIDCApplicationTypeNative {
if !onlyLocalhostIsHttp(redirectUris) {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.RedirectUris.MustBeHttpLocalhost")
@@ -333,20 +334,20 @@ func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationTy
}
}
func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType *OIDCApplicationType, redirectUris []string) {
if urlsAreHttps(redirectUris) {
return
}
if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
if containsCustom(redirectUris) && appType != nil && *appType != OIDCApplicationTypeNative {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
}
if urlContainsPrefix(redirectUris, http) {
if appType == OIDCApplicationTypeUserAgent {
if appType != nil && *appType == OIDCApplicationTypeUserAgent {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
}
if !onlyLocalhostIsHttp(redirectUris) && appType == OIDCApplicationTypeNative {
if !onlyLocalhostIsHttp(redirectUris) && appType != nil && *appType == OIDCApplicationTypeNative {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.RedirectUris.MustBeHttpLocalhost")
}

57
internal/domain/application_oidc_test.go
View File

@@ -6,6 +6,8 @@ import (
"testing"
"time"
"github.com/muhlemmer/gu"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
)
@@ -25,7 +27,7 @@ func TestApplicationValid(t *testing.T) {
ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
AppID: "AppID",
AppName: "AppName",
ClockSkew: time.Minute * 1,
ClockSkew: gu.Ptr(time.Minute * 1),
ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
GrantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
},
@@ -39,7 +41,7 @@ func TestApplicationValid(t *testing.T) {
ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
AppID: "AppID",
AppName: "AppName",
ClockSkew: time.Minute * -1,
ClockSkew: gu.Ptr(time.Minute * -1),
ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
GrantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
},
@@ -190,9 +192,9 @@ func TestApplicationValid(t *testing.T) {
func TestGetOIDCV1Compliance(t *testing.T) {
type args struct {
appType OIDCApplicationType
appType *OIDCApplicationType
grantTypes []OIDCGrantType
authMethod OIDCAuthMethodType
authMethod *OIDCAuthMethodType
redirectUris []string
}
tests := []struct {
@@ -266,7 +268,7 @@ func Test_checkGrantTypesCombination(t *testing.T) {
func Test_checkRedirectURIs(t *testing.T) {
type args struct {
grantTypes []OIDCGrantType
appType OIDCApplicationType
appType *OIDCApplicationType
redirectUris []string
}
tests := []struct {
@@ -304,7 +306,7 @@ func Test_checkRedirectURIs(t *testing.T) {
args: args{
redirectUris: []string{"http://redirect.to/me"},
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
appType: OIDCApplicationTypeUserAgent,
appType: gu.Ptr(OIDCApplicationTypeUserAgent),
},
},
{
@@ -316,7 +318,7 @@ func Test_checkRedirectURIs(t *testing.T) {
args: args{
redirectUris: []string{"http://redirect.to/me"},
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
appType: OIDCApplicationTypeUserAgent,
appType: gu.Ptr(OIDCApplicationTypeUserAgent),
},
},
}
@@ -338,7 +340,7 @@ func Test_checkRedirectURIs(t *testing.T) {
func Test_CheckRedirectUrisImplicitAndCode(t *testing.T) {
type args struct {
appType OIDCApplicationType
appType *OIDCApplicationType
redirectUris []string
}
tests := []struct {
@@ -356,17 +358,6 @@ func Test_CheckRedirectUrisImplicitAndCode(t *testing.T) {
redirectUris: []string{"https://redirect.to/me"},
},
},
// {
// name: "custom protocol, not native",
// want: &Compliance{
// NoneCompliant: true,
// Problems: []string{"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed"},
// },
// args: args{
// redirectUris: []string{"protocol://redirect.to/me"},
// appType: OIDCApplicationTypeWeb,
// },
// },
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
@@ -386,7 +377,7 @@ func Test_CheckRedirectUrisImplicitAndCode(t *testing.T) {
func TestCheckRedirectUrisImplicitAndCode(t *testing.T) {
type args struct {
appType OIDCApplicationType
appType *OIDCApplicationType
redirectUris []string
}
tests := []struct {
@@ -402,7 +393,7 @@ func TestCheckRedirectUrisImplicitAndCode(t *testing.T) {
{
name: "custom protocol not native app",
args: args{
appType: OIDCApplicationTypeWeb,
appType: gu.Ptr(OIDCApplicationTypeWeb),
redirectUris: []string{"custom://nirvana.com"},
},
want: &Compliance{
@@ -413,7 +404,7 @@ func TestCheckRedirectUrisImplicitAndCode(t *testing.T) {
{
name: "http localhost user agent app",
args: args{
appType: OIDCApplicationTypeUserAgent,
appType: gu.Ptr(OIDCApplicationTypeUserAgent),
redirectUris: []string{"http://localhost:9009"},
},
want: &Compliance{
@@ -424,7 +415,7 @@ func TestCheckRedirectUrisImplicitAndCode(t *testing.T) {
{
name: "http, not only localhost native app",
args: args{
appType: OIDCApplicationTypeNative,
appType: gu.Ptr(OIDCApplicationTypeNative),
redirectUris: []string{"http://nirvana.com", "http://localhost:9009"},
},
want: &Compliance{
@@ -435,7 +426,7 @@ func TestCheckRedirectUrisImplicitAndCode(t *testing.T) {
{
name: "not allowed combination",
args: args{
appType: OIDCApplicationTypeNative,
appType: gu.Ptr(OIDCApplicationTypeNative),
redirectUris: []string{"https://nirvana.com", "cutom://nirvana.com"},
},
want: &Compliance{
@@ -461,7 +452,7 @@ func TestCheckRedirectUrisImplicitAndCode(t *testing.T) {
func TestCheckRedirectUrisImplicit(t *testing.T) {
type args struct {
appType OIDCApplicationType
appType *OIDCApplicationType
redirectUris []string
}
tests := []struct {
@@ -488,7 +479,7 @@ func TestCheckRedirectUrisImplicit(t *testing.T) {
name: "only http protocol, app type native, not only localhost",
args: args{
redirectUris: []string{"http://nirvana.com"},
appType: OIDCApplicationTypeNative,
appType: gu.Ptr(OIDCApplicationTypeNative),
},
want: &Compliance{
NoneCompliant: true,
@@ -499,7 +490,7 @@ func TestCheckRedirectUrisImplicit(t *testing.T) {
name: "only http protocol, app type native, only localhost",
args: args{
redirectUris: []string{"http://localhost:8080"},
appType: OIDCApplicationTypeNative,
appType: gu.Ptr(OIDCApplicationTypeNative),
},
want: &Compliance{
NoneCompliant: false,
@@ -510,7 +501,7 @@ func TestCheckRedirectUrisImplicit(t *testing.T) {
name: "only http protocol, app type web",
args: args{
redirectUris: []string{"http://nirvana.com"},
appType: OIDCApplicationTypeWeb,
appType: gu.Ptr(OIDCApplicationTypeWeb),
},
want: &Compliance{
NoneCompliant: true,
@@ -535,7 +526,7 @@ func TestCheckRedirectUrisImplicit(t *testing.T) {
func TestCheckRedirectUrisCode(t *testing.T) {
type args struct {
appType OIDCApplicationType
appType *OIDCApplicationType
redirectUris []string
}
tests := []struct {
@@ -552,7 +543,7 @@ func TestCheckRedirectUrisCode(t *testing.T) {
name: "custom prefix, app type web",
args: args{
redirectUris: []string{"custom://nirvana.com"},
appType: OIDCApplicationTypeWeb,
appType: gu.Ptr(OIDCApplicationTypeWeb),
},
want: &Compliance{
NoneCompliant: true,
@@ -563,7 +554,7 @@ func TestCheckRedirectUrisCode(t *testing.T) {
name: "only http protocol, app type user agent",
args: args{
redirectUris: []string{"http://nirvana.com"},
appType: OIDCApplicationTypeUserAgent,
appType: gu.Ptr(OIDCApplicationTypeUserAgent),
},
want: &Compliance{
NoneCompliant: true,
@@ -574,7 +565,7 @@ func TestCheckRedirectUrisCode(t *testing.T) {
name: "only http protocol, app type native, only localhost",
args: args{
redirectUris: []string{"http://localhost:8080", "http://nirvana.com:8080"},
appType: OIDCApplicationTypeNative,
appType: gu.Ptr(OIDCApplicationTypeNative),
},
want: &Compliance{
NoneCompliant: true,
@@ -585,7 +576,7 @@ func TestCheckRedirectUrisCode(t *testing.T) {
name: "custom protocol, not native",
args: args{
redirectUris: []string{"custom://nirvana.com"},
appType: OIDCApplicationTypeWeb,
appType: gu.Ptr(OIDCApplicationTypeWeb),
},
want: &Compliance{
NoneCompliant: true,

13
internal/domain/application_saml.go
View File

@@ -11,9 +11,9 @@ type SAMLApp struct {
AppName string
EntityID string
Metadata []byte
MetadataURL string
LoginVersion LoginVersion
LoginBaseURI string
MetadataURL *string
LoginVersion *LoginVersion
LoginBaseURI *string
State AppState
}
@@ -31,11 +31,14 @@ func (a *SAMLApp) GetMetadata() []byte {
}
func (a *SAMLApp) GetMetadataURL() string {
return a.MetadataURL
if a.MetadataURL != nil {
return *a.MetadataURL
}
return ""
}
func (a *SAMLApp) IsValid() bool {
if a.MetadataURL == "" && a.Metadata == nil {
if (a.MetadataURL == nil || *a.MetadataURL == "") && a.Metadata == nil {
return false
}
return true

3
internal/domain/permission.go
View File

@@ -47,6 +47,9 @@ const (
PermissionProjectRoleWrite = "project.role.write"
PermissionProjectRoleRead = "project.role.read"
PermissionProjectRoleDelete = "project.role.delete"
PermissionProjectAppWrite = "project.app.write"
PermissionProjectAppDelete = "project.app.delete"
PermissionProjectAppRead = "project.app.read"
)
// ProjectPermissionCheck is used as a check for preconditions dependent on application, project, user resourceowner and usergrants.