feat: add saml custom attribute action and translations (#6341)

* feat: add saml custom attribute action and translations * chore: update saml dependency * fix: apply suggestions from code review Co-authored-by: Livio Spring <livio.a@gmail.com> * fix: custom attribute action with variadic parameter * docs: add customize saml response docs * docs: update docs/docs/apis/actions/customize-samlresponse.md Co-authored-by: Livio Spring <livio.a@gmail.com> * docs: update docs/docs/apis/actions/customize-samlresponse.md Co-authored-by: Livio Spring <livio.a@gmail.com> --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 16:47:32 +00:00 · 2023-08-15 17:04:45 +02:00
parent d83681a928
commit 26b28ed2af
20 changed files with 243 additions and 26 deletions
--- a/internal/api/grpc/action/action.go
+++ b/internal/api/grpc/action/action.go
@@ -19,6 +19,8 @@ func FlowTypeToDomain(flowType string) domain.FlowType {
 		return domain.FlowTypeCustomiseToken
 	case domain.FlowTypeInternalAuthentication.ID():
 		return domain.FlowTypeInternalAuthentication
+	case domain.FlowTypeCustomizeSAMLResponse.ID():
+		return domain.FlowTypeCustomizeSAMLResponse
 	default:
 		return domain.FlowTypeUnspecified
 	}
@@ -47,6 +49,8 @@ func TriggerTypeToDomain(triggerType string) domain.TriggerType {
 		return domain.TriggerTypePreAccessTokenCreation
 	case domain.TriggerTypePreUserinfoCreation.ID():
 		return domain.TriggerTypePreUserinfoCreation
+	case domain.TriggerTypePreSAMLResponseCreation.ID():
+		return domain.TriggerTypePreSAMLResponseCreation
 	default:
 		return domain.TriggerTypeUnspecified
 	}
--- a/internal/api/grpc/management/flow.go
+++ b/internal/api/grpc/management/flow.go
@@ -18,6 +18,7 @@ func (s *Server) ListFlowTypes(ctx context.Context, _ *mgmt_pb.ListFlowTypesRequ
 			action_grpc.FlowTypeToPb(domain.FlowTypeExternalAuthentication),
 			action_grpc.FlowTypeToPb(domain.FlowTypeCustomiseToken),
 			action_grpc.FlowTypeToPb(domain.FlowTypeInternalAuthentication),
+			action_grpc.FlowTypeToPb(domain.FlowTypeCustomizeSAMLResponse),
 		},
 	}, nil
 }
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -386,7 +386,7 @@ func (o *OPStorage) setUserinfo(ctx context.Context, userInfo *oidc.UserInfo, us
 	}
 	o.setUserInfoRoleClaims(userInfo, projectRoles)

-	return o.userinfoFlows(ctx, user.ResourceOwner, userGrants, userInfo)
+	return o.userinfoFlows(ctx, user, userGrants, userInfo)
 }

 func (o *OPStorage) setUserInfoProfile(ctx context.Context, userInfo *oidc.UserInfo, user *query.User) {
@@ -457,8 +457,8 @@ func (o *OPStorage) setUserInfoRoleClaims(userInfo *oidc.UserInfo, roles *projec
 	}
 }

-func (o *OPStorage) userinfoFlows(ctx context.Context, resourceOwner string, userGrants *query.UserGrants, userInfo *oidc.UserInfo) error {
-	queriedActions, err := o.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeCustomiseToken, domain.TriggerTypePreUserinfoCreation, resourceOwner, false)
+func (o *OPStorage) userinfoFlows(ctx context.Context, user *query.User, userGrants *query.UserGrants, userInfo *oidc.UserInfo) error {
+	queriedActions, err := o.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeCustomiseToken, domain.TriggerTypePreUserinfoCreation, user.ResourceOwner, false)
 	if err != nil {
 		return err
 	}
@@ -468,17 +468,13 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, resourceOwner string, use
 			actions.SetFields("claims", userinfoClaims(userInfo)),
 			actions.SetFields("getUser", func(c *actions.FieldConfig) interface{} {
 				return func(call goja.FunctionCall) goja.Value {
-					user, err := o.query.GetUserByID(ctx, true, userInfo.Subject, false)
-					if err != nil {
-						panic(err)
-					}
 					return object.UserFromQuery(c, user)
 				}
 			}),
 			actions.SetFields("user",
 				actions.SetFields("getMetadata", func(c *actions.FieldConfig) interface{} {
 					return func(goja.FunctionCall) goja.Value {
-						resourceOwnerQuery, err := query.NewUserMetadataResourceOwnerSearchQuery(resourceOwner)
+						resourceOwnerQuery, err := query.NewUserMetadataResourceOwnerSearchQuery(user.ResourceOwner)
 						if err != nil {
 							logging.WithError(err).Debug("unable to create search query")
 							panic(err)
@@ -552,7 +548,7 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, resourceOwner string, use
 							Key:   key,
 							Value: value,
 						}
-						if _, err = o.command.SetUserMetadata(ctx, metadata, userInfo.Subject, resourceOwner); err != nil {
+						if _, err = o.command.SetUserMetadata(ctx, metadata, userInfo.Subject, user.ResourceOwner); err != nil {
 							logging.WithError(err).Info("unable to set md in action")
 							panic(err)
 						}
@@ -665,10 +661,6 @@ func (o *OPStorage) privateClaimsFlows(ctx context.Context, userID string, userG
 			}),
 			actions.SetFields("getUser", func(c *actions.FieldConfig) interface{} {
 				return func(call goja.FunctionCall) goja.Value {
-					user, err := o.query.GetUserByID(ctx, true, userID, false)
-					if err != nil {
-						panic(err)
-					}
 					return object.UserFromQuery(c, user)
 				}
 			}),
@@ -807,7 +799,7 @@ func (o *OPStorage) assertRoles(ctx context.Context, userID, applicationID strin
 		}
 		return grants, roles, nil
 	}
-	// now specific roles were requested, so convert any grants into roles
+	// no specific roles were requested, so convert any grants into roles
 	for _, grant := range grants.UserGrants {
 		for _, role := range grant.Roles {
 			roles.Add(grant.ProjectID, role, grant.ResourceOwner, grant.OrgPrimaryDomain, grant.ProjectID == projectID)
--- a/internal/api/saml/storage.go
+++ b/internal/api/saml/storage.go
@@ -2,14 +2,19 @@ package saml

 import (
 	"context"
+	"encoding/json"
 	"time"

+	"github.com/dop251/goja"
+	"github.com/zitadel/logging"
 	"github.com/zitadel/saml/pkg/provider"
 	"github.com/zitadel/saml/pkg/provider/key"
 	"github.com/zitadel/saml/pkg/provider/models"
 	"github.com/zitadel/saml/pkg/provider/serviceprovider"
 	"github.com/zitadel/saml/pkg/provider/xml/samlp"

+	"github.com/zitadel/zitadel/internal/actions"
+	"github.com/zitadel/zitadel/internal/actions/object"
 	"github.com/zitadel/zitadel/internal/api/http/middleware"
 	"github.com/zitadel/zitadel/internal/auth/repository"
 	"github.com/zitadel/zitadel/internal/command"
@@ -124,7 +129,7 @@ func (p *Storage) AuthRequestByID(ctx context.Context, id string) (_ models.Auth
 	return AuthRequestFromBusiness(resp)
 }

-func (p *Storage) SetUserinfoWithUserID(ctx context.Context, userinfo models.AttributeSetter, userID string, attributes []int) (err error) {
+func (p *Storage) SetUserinfoWithUserID(ctx context.Context, applicationID string, userinfo models.AttributeSetter, userID string, attributes []int) (err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 	user, err := p.query.GetUserByID(ctx, true, userID, false)
@@ -132,7 +137,17 @@ func (p *Storage) SetUserinfoWithUserID(ctx context.Context, userinfo models.Att
 		return err
 	}

-	setUserinfo(user, userinfo, attributes)
+	userGrants, err := p.getGrants(ctx, userID, applicationID)
+	if err != nil {
+		return err
+	}
+
+	customAttributes, err := p.getCustomAttributes(ctx, user, userGrants)
+	if err != nil {
+		return err
+	}
+
+	setUserinfo(user, userinfo, attributes, customAttributes)
 	return nil
 }

@@ -149,11 +164,14 @@ func (p *Storage) SetUserinfoWithLoginName(ctx context.Context, userinfo models.
 		return err
 	}

-	setUserinfo(user, userinfo, attributes)
+	setUserinfo(user, userinfo, attributes, map[string]*customAttribute{})
 	return nil
 }

-func setUserinfo(user *query.User, userinfo models.AttributeSetter, attributes []int) {
+func setUserinfo(user *query.User, userinfo models.AttributeSetter, attributes []int, customAttributes map[string]*customAttribute) {
+	for name, attr := range customAttributes {
+		userinfo.SetCustomAttribute(name, "", attr.nameFormat, attr.attributeValue)
+	}
 	if len(attributes) == 0 {
 		userinfo.SetUsername(user.PreferredLoginName)
 		userinfo.SetUserID(user.ID)
@@ -191,3 +209,139 @@ func setUserinfo(user *query.User, userinfo models.AttributeSetter, attributes [
 		}
 	}
 }
+
+func (p *Storage) getCustomAttributes(ctx context.Context, user *query.User, userGrants *query.UserGrants) (map[string]*customAttribute, error) {
+	customAttributes := make(map[string]*customAttribute, 0)
+	queriedActions, err := p.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeCustomizeSAMLResponse, domain.TriggerTypePreSAMLResponseCreation, user.ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+	ctxFields := actions.SetContextFields(
+		actions.SetFields("v1",
+			actions.SetFields("getUser", func(c *actions.FieldConfig) interface{} {
+				return func(call goja.FunctionCall) goja.Value {
+					return object.UserFromQuery(c, user)
+				}
+			}),
+			actions.SetFields("user",
+				actions.SetFields("getMetadata", func(c *actions.FieldConfig) interface{} {
+					return func(goja.FunctionCall) goja.Value {
+						resourceOwnerQuery, err := query.NewUserMetadataResourceOwnerSearchQuery(user.ResourceOwner)
+						if err != nil {
+							logging.WithError(err).Debug("unable to create search query")
+							panic(err)
+						}
+						metadata, err := p.query.SearchUserMetadata(
+							ctx,
+							true,
+							user.ID,
+							&query.UserMetadataSearchQueries{Queries: []query.SearchQuery{resourceOwnerQuery}},
+							false,
+						)
+						if err != nil {
+							logging.WithError(err).Info("unable to get md in action")
+							panic(err)
+						}
+						return object.UserMetadataListFromQuery(c, metadata)
+					}
+				}),
+				actions.SetFields("grants", func(c *actions.FieldConfig) interface{} {
+					return object.UserGrantsFromQuery(c, userGrants)
+				}),
+			),
+		),
+	)
+
+	for _, action := range queriedActions {
+		actionCtx, cancel := context.WithTimeout(ctx, action.Timeout())
+
+		apiFields := actions.WithAPIFields(
+			actions.SetFields("v1",
+				actions.SetFields("attributes",
+					actions.SetFields("setCustomAttribute", func(name string, nameFormat string, attributeValue ...string) {
+						if _, ok := customAttributes[name]; !ok {
+							customAttributes = appendCustomAttribute(customAttributes, name, nameFormat, attributeValue)
+							return
+						}
+					}),
+				),
+				actions.SetFields("user",
+					actions.SetFields("setMetadata", func(call goja.FunctionCall) {
+						if len(call.Arguments) != 2 {
+							panic("exactly 2 (key, value) arguments expected")
+						}
+						key := call.Arguments[0].Export().(string)
+						val := call.Arguments[1].Export()
+
+						value, err := json.Marshal(val)
+						if err != nil {
+							logging.WithError(err).Debug("unable to marshal")
+							panic(err)
+						}
+
+						metadata := &domain.Metadata{
+							Key:   key,
+							Value: value,
+						}
+						if _, err = p.command.SetUserMetadata(ctx, metadata, user.ID, user.ResourceOwner); err != nil {
+							logging.WithError(err).Info("unable to set md in action")
+							panic(err)
+						}
+					}),
+				),
+			),
+		)
+
+		err = actions.Run(
+			actionCtx,
+			ctxFields,
+			apiFields,
+			action.Script,
+			action.Name,
+			append(actions.ActionToOptions(action), actions.WithHTTP(actionCtx))...,
+		)
+		cancel()
+		if err != nil {
+			return nil, err
+		}
+	}
+	return customAttributes, nil
+}
+
+func (p *Storage) getGrants(ctx context.Context, userID, applicationID string) (*query.UserGrants, error) {
+	projectID, err := p.query.ProjectIDFromClientID(ctx, applicationID, false)
+	if err != nil {
+		return nil, err
+	}
+
+	projectQuery, err := query.NewUserGrantProjectIDSearchQuery(projectID)
+	if err != nil {
+		return nil, err
+	}
+	userIDQuery, err := query.NewUserGrantUserIDSearchQuery(userID)
+	if err != nil {
+		return nil, err
+	}
+	return p.query.UserGrants(ctx, &query.UserGrantsQueries{
+		Queries: []query.SearchQuery{
+			projectQuery,
+			userIDQuery,
+		},
+	}, true, false)
+}
+
+type customAttribute struct {
+	nameFormat     string
+	attributeValue []string
+}
+
+func appendCustomAttribute(customAttributes map[string]*customAttribute, name string, nameFormat string, attributeValue []string) map[string]*customAttribute {
+	if customAttributes == nil {
+		customAttributes = make(map[string]*customAttribute)
+	}
+	customAttributes[name] = &customAttribute{
+		nameFormat:     nameFormat,
+		attributeValue: attributeValue,
+	}
+	return customAttributes
+}
--- a/internal/domain/flow.go
+++ b/internal/domain/flow.go
@@ -21,6 +21,7 @@ const (
 	FlowTypeExternalAuthentication
 	FlowTypeCustomiseToken
 	FlowTypeInternalAuthentication
+	FlowTypeCustomizeSAMLResponse
 	flowTypeCount
 )

@@ -56,6 +57,10 @@ func (s FlowType) TriggerTypes() []TriggerType {
 			TriggerTypePreCreation,
 			TriggerTypePostCreation,
 		}
+	case FlowTypeCustomizeSAMLResponse:
+		return []TriggerType{
+			TriggerTypePreSAMLResponseCreation,
+		}
 	default:
 		return nil
 	}
@@ -80,6 +85,8 @@ func (s FlowType) LocalizationKey() string {
 		return "Action.Flow.Type.CustomiseToken"
 	case FlowTypeInternalAuthentication:
 		return "Action.Flow.Type.InternalAuthentication"
+	case FlowTypeCustomizeSAMLResponse:
+		return "Action.Flow.Type.CustomizeSAMLResponse"
 	default:
 		return "Action.Flow.Type.Unspecified"
 	}
@@ -94,6 +101,7 @@ const (
 	TriggerTypePostCreation
 	TriggerTypePreUserinfoCreation
 	TriggerTypePreAccessTokenCreation
+	TriggerTypePreSAMLResponseCreation
 	triggerTypeCount
 )

@@ -124,6 +132,8 @@ func (s TriggerType) LocalizationKey() string {
 		return "Action.TriggerType.PreUserinfoCreation"
 	case TriggerTypePreAccessTokenCreation:
 		return "Action.TriggerType.PreAccessTokenCreation"
+	case TriggerTypePreSAMLResponseCreation:
+		return "Action.TriggerType.PreSAMLResponseCreation"
 	default:
 		return "Action.TriggerType.Unspecified"
 	}
--- a/internal/static/i18n/bg.yaml
+++ b/internal/static/i18n/bg.yaml
@@ -1266,6 +1266,7 @@ Action:
      ExternalAuthentication: Външно удостоверяване
      CustomiseToken: Токен за допълнение
      InternalAuthentication: Вътрешно удостоверяване
+      CustomizeSAMLResponse: Допълнение на SAMLResponse
  TriggerType:
    Unspecified: Неуточнено
    PostAuthentication: Публикуване на автентификация
@@ -1273,3 +1274,4 @@ Action:
    PostCreation: Създаване на публикации
    PreUserinfoCreation: Предварително създаване на потребителска информация
    PreAccessTokenCreation: Създаване на маркер за предварителен достъп
+    PreSAMLResponseCreation: Предварително създаване на SAMLResponse
--- a/internal/static/i18n/de.yaml
+++ b/internal/static/i18n/de.yaml
@@ -1216,6 +1216,7 @@ Action:
      ExternalAuthentication:  Externe Authentifizierung
      CustomiseToken: Token ergänzen
      InternalAuthentication:  Interne Authentifizierung
+      CustomizeSAMLResponse: SAMLResponse ergänzen
  TriggerType:
    Unspecified: Unspezifiziert
    PostAuthentication: Nach Authentifizierung
@@ -1223,3 +1224,4 @@ Action:
    PostCreation: Nach Erstellung
    PreUserinfoCreation: Vor Userinfo Erstellung
    PreAccessTokenCreation: Vor Access Token Erstellung
+    PreSAMLResponseCreation: Vor SAMLResponse Erstellung
--- a/internal/static/i18n/en.yaml
+++ b/internal/static/i18n/en.yaml
@@ -1216,6 +1216,7 @@ Action:
      ExternalAuthentication: External Authentication
      CustomiseToken: Complement Token
      InternalAuthentication: Internal Authentication
+      CustomizeSAMLResponse: Complement SAMLResponse
  TriggerType:
    Unspecified: Unspecified
    PostAuthentication: Post Authentication
@@ -1223,3 +1224,4 @@ Action:
    PostCreation: Post Creation
    PreUserinfoCreation: Pre Userinfo creation
    PreAccessTokenCreation: Pre access token creation
+    PreSAMLResponseCreation: Pre SAMLResponse creation
--- a/internal/static/i18n/es.yaml
+++ b/internal/static/i18n/es.yaml
@@ -1216,6 +1216,7 @@ Action:
      ExternalAuthentication: Autenticación externa
      CustomiseToken: Token complementario
      InternalAuthentication: Autenticación interna
+      CustomizeSAMLResponse: SAMLResponse complementario
  TriggerType:
    Unspecified: No especificado
    PostAuthentication: Post Autenticación
@@ -1223,3 +1224,4 @@ Action:
    PostCreation: Post Creación
    PreUserinfoCreation: Pre creación de Userinfo
    PreAccessTokenCreation: Pre creación de token de acceso
+    PreSAMLResponseCreation: Creación previa de SAMLResponse
--- a/internal/static/i18n/fr.yaml
+++ b/internal/static/i18n/fr.yaml
@@ -1045,6 +1045,7 @@ Action:
      ExternalAuthentication: Authentification externe
      CustomiseToken: Compléter Token
      InternalAuthentication: Authentification interne
+      CustomizeSAMLResponse: Compléter SAMLResponse
  TriggerType:
    Unspecified: Non spécifié
    PostAuthentication: Authentification postérieure
@@ -1052,3 +1053,4 @@ Action:
    PostCreation: Post-création
    PreUserinfoCreation: Pré Userinfo création
    PreAccessTokenCreation: Pré access token création
+    PreSAMLResponseCreation: Création préalable de la réponse SAMLResponse
--- a/internal/static/i18n/it.yaml
+++ b/internal/static/i18n/it.yaml
@@ -1045,6 +1045,7 @@ Action:
      ExternalAuthentication: Autenticazione esterna
      CustomiseToken: Completare Token
      InternalAuthentication: Autenticazione interna
+      CustomizeSAMLResponse: Completare SAMLResponse
  TriggerType:
    Unspecified: Non specificato
    PostAuthentication: Post-autenticazione
@@ -1052,3 +1053,4 @@ Action:
    PostCreation: Creazione successiva
    PreUserinfoCreation: Pre userinfo creazione
    PreAccessTokenCreation: Pre access token creazione
+    PreSAMLResponseCreation: Pre SAMLResponse creazione
--- a/internal/static/i18n/ja.yaml
+++ b/internal/static/i18n/ja.yaml
@@ -1205,6 +1205,7 @@ Action:
      ExternalAuthentication: 外部認証
      CustomiseToken: トークンを補完
      InternalAuthentication: 内部認証
+      CustomizeSAMLResponse: SAMLResponse の補完
  TriggerType:
    Unspecified: 未定義
    PostAuthentication: 認証後
@@ -1212,3 +1213,4 @@ Action:
    PostCreation: 作成後
    PreUserinfoCreation: ユーザー情報作成前
    PreAccessTokenCreation: アクセストークン作成前
+    PreSAMLResponseCreation: SAMLResponse の作成前
--- a/internal/static/i18n/mk.yaml
+++ b/internal/static/i18n/mk.yaml
@@ -1215,6 +1215,7 @@ Action:
      ExternalAuthentication: Надворешна автентикација
      CustomiseToken: Комплемент на токенот
      InternalAuthentication: Внатрешна автентикација
+      CustomizeSAMLResponse: Дополнете го SAMLResponse
  TriggerType:
    Unspecified: Неодредено
    PostAuthentication: По автентикација
@@ -1222,3 +1223,4 @@ Action:
    PostCreation: По креирање
    PreUserinfoCreation: Пред креирање на кориснички информации
    PreAccessTokenCreation: Пред креирање на токен за пристап
+    PreSAMLResponseCreation: Пред создавање на SAMLResponse
--- a/internal/static/i18n/pl.yaml
+++ b/internal/static/i18n/pl.yaml
@@ -1216,6 +1216,7 @@ Action:
      ExternalAuthentication: Autentykacja zewnętrzna
      CustomiseToken: Uzupełnienie tokenu
      InternalAuthentication: Autentykacja wewnętrzna
+      CustomizeSAMLResponse: Uzupełnienie SAMLResponse
  TriggerType:
    Unspecified: Nieokreślony
    PostAuthentication: Po autentykacji
@@ -1223,3 +1224,4 @@ Action:
    PostCreation: Po utworzeniu
    PreUserinfoCreation: Przed tworzeniem informacji o użytkowniku
    PreAccessTokenCreation: Przed tworzeniem tokenu dostępu
+    PreSAMLResponseCreation: Wstępne tworzenie odpowiedzi SAMLResponse
--- a/internal/static/i18n/pt.yaml
+++ b/internal/static/i18n/pt.yaml
@@ -1211,6 +1211,7 @@ Action:
      ExternalAuthentication: Autenticação externa
      CustomiseToken: Complementar Token
      InternalAuthentication: Autenticação interna
+      CustomizeSAMLResponse: Complementar SAMLResponse
  TriggerType:
    Unspecified: Não especificado
    PostAuthentication: Pós-autenticação
@@ -1218,3 +1219,4 @@ Action:
    PostCreation: Póscriação
    PreUserinfoCreation: Pré-criação de informações do usuário
    PreAccessTokenCreation: Pré-criação de access token
+    PreSAMLResponseCreation: Pré-criação de SAMLResponse
--- a/internal/static/i18n/zh.yaml
+++ b/internal/static/i18n/zh.yaml
@@ -1045,6 +1045,7 @@ Action:
      ExternalAuthentication: 外部认证
      CustomiseToken: 自定义令牌
      InternalAuthentication: 内部认证
+      CustomizeSAMLResponse: 补充 SAMLResponse
  TriggerType:
    Unspecified: 未指定的
    PostAuthentication: 后期认证
@@ -1052,3 +1053,4 @@ Action:
    PostCreation: 创建后
    PreUserinfoCreation: 用户信息创建前
    PreAccessTokenCreation: access 令牌创建前
+    PreSAMLResponseCreation: 创建 SAMLResponse 前