fix: prevent intent token reuse and add expiry

(cherry picked from commit b1e60e7398)
2025-08-12 04:07:31 +00:00 · 2025-04-24 08:33:08 +02:00
parent b452be9a92
commit 272424637a
47 changed files with 1061 additions and 159 deletions
--- a/internal/command/idp_intent_test.go
+++ b/internal/command/idp_intent_test.go
@@ -4,8 +4,10 @@ import (
 	"context"
 	"net/url"
 	"testing"
+	"time"

-	"github.com/crewjam/saml"
+	crewjam_saml "github.com/crewjam/saml"
+	goldap "github.com/go-ldap/ldap/v3"
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -26,6 +28,7 @@ import (
 	"github.com/zitadel/zitadel/internal/idp/providers/ldap"
 	"github.com/zitadel/zitadel/internal/idp/providers/oauth"
 	openid "github.com/zitadel/zitadel/internal/idp/providers/oidc"
+	"github.com/zitadel/zitadel/internal/idp/providers/saml"
 	rep_idp "github.com/zitadel/zitadel/internal/repository/idp"
 	"github.com/zitadel/zitadel/internal/repository/idpintent"
 	"github.com/zitadel/zitadel/internal/repository/instance"
@@ -758,7 +761,7 @@ func TestCommands_SucceedIDPIntent(t *testing.T) {
 			},
 			args{
 				ctx:        context.Background(),
-				writeModel: NewIDPIntentWriteModel("id", "ro"),
+				writeModel: NewIDPIntentWriteModel("id", "ro", 0),
 			},
 			res{
 				err: zerrors.ThrowInternal(nil, "id", "encryption failed"),
@@ -779,7 +782,7 @@ func TestCommands_SucceedIDPIntent(t *testing.T) {
 			},
 			args{
 				ctx:        context.Background(),
-				writeModel: NewIDPIntentWriteModel("id", "ro"),
+				writeModel: NewIDPIntentWriteModel("id", "ro", 0),
 				idpSession: &oauth.Session{
 					Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
 						Token: &oauth2.Token{
@@ -813,6 +816,7 @@ func TestCommands_SucceedIDPIntent(t *testing.T) {
 									Crypted:    []byte("accessToken"),
 								},
 								"idToken",
+								time.Time{},
 							)
 							return event
 						}(),
@@ -821,7 +825,7 @@ func TestCommands_SucceedIDPIntent(t *testing.T) {
 			},
 			args{
 				ctx:        context.Background(),
-				writeModel: NewIDPIntentWriteModel("id", "instance"),
+				writeModel: NewIDPIntentWriteModel("id", "instance", 0),
 				idpSession: &openid.Session{
 					Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
 						Token: &oauth2.Token{
@@ -864,7 +868,7 @@ func TestCommands_SucceedSAMLIDPIntent(t *testing.T) {
 		ctx        context.Context
 		writeModel *IDPIntentWriteModel
 		idpUser    idp.User
-		assertion  *saml.Assertion
+		session    *saml.Session
 		userID     string
 	}
 	type res struct {
@@ -889,7 +893,7 @@ func TestCommands_SucceedSAMLIDPIntent(t *testing.T) {
 			},
 			args{
 				ctx:        context.Background(),
-				writeModel: NewIDPIntentWriteModel("id", "ro"),
+				writeModel: NewIDPIntentWriteModel("id", "ro", 0),
 			},
 			res{
 				err: zerrors.ThrowInternal(nil, "id", "encryption failed"),
@@ -914,14 +918,17 @@ func TestCommands_SucceedSAMLIDPIntent(t *testing.T) {
 								KeyID:      "id",
 								Crypted:    []byte("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"id\" IssueInstant=\"0001-01-01T00:00:00Z\" Version=\"\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" NameQualifier=\"\" SPNameQualifier=\"\" Format=\"\" SPProvidedID=\"\"></Issuer></Assertion>"),
 							},
+							time.Time{},
 						),
 					),
 				),
 			},
 			args{
 				ctx:        context.Background(),
-				writeModel: NewIDPIntentWriteModel("id", "instance"),
-				assertion:  &saml.Assertion{ID: "id"},
+				writeModel: NewIDPIntentWriteModel("id", "instance", 0),
+				session: &saml.Session{
+					Assertion: &crewjam_saml.Assertion{ID: "id"},
+				},
 				idpUser: openid.NewUser(&oidc.UserInfo{
 					Subject: "id",
 					UserInfoProfile: oidc.UserInfoProfile{
@@ -952,14 +959,17 @@ func TestCommands_SucceedSAMLIDPIntent(t *testing.T) {
 								KeyID:      "id",
 								Crypted:    []byte("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"id\" IssueInstant=\"0001-01-01T00:00:00Z\" Version=\"\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" NameQualifier=\"\" SPNameQualifier=\"\" Format=\"\" SPProvidedID=\"\"></Issuer></Assertion>"),
 							},
+							time.Time{},
 						),
 					),
 				),
 			},
 			args{
 				ctx:        context.Background(),
-				writeModel: NewIDPIntentWriteModel("id", "instance"),
-				assertion:  &saml.Assertion{ID: "id"},
+				writeModel: NewIDPIntentWriteModel("id", "instance", 0),
+				session: &saml.Session{
+					Assertion: &crewjam_saml.Assertion{ID: "id"},
+				},
 				idpUser: openid.NewUser(&oidc.UserInfo{
 					Subject: "id",
 					UserInfoProfile: oidc.UserInfoProfile{
@@ -979,7 +989,7 @@ func TestCommands_SucceedSAMLIDPIntent(t *testing.T) {
 				eventstore:          tt.fields.eventstore(t),
 				idpConfigEncryption: tt.fields.idpConfigEncryption,
 			}
-			got, err := c.SucceedSAMLIDPIntent(tt.args.ctx, tt.args.writeModel, tt.args.idpUser, tt.args.userID, tt.args.assertion)
+			got, err := c.SucceedSAMLIDPIntent(tt.args.ctx, tt.args.writeModel, tt.args.idpUser, tt.args.userID, tt.args.session)
 			require.ErrorIs(t, err, tt.res.err)
 			assert.Equal(t, tt.res.token, got)
 		})
@@ -1019,7 +1029,7 @@ func TestCommands_RequestSAMLIDPIntent(t *testing.T) {
 			},
 			args{
 				ctx:        context.Background(),
-				writeModel: NewIDPIntentWriteModel("id", "instance"),
+				writeModel: NewIDPIntentWriteModel("id", "instance", 0),
 				request:    "request",
 			},
 			res{},
@@ -1047,7 +1057,7 @@ func TestCommands_SucceedLDAPIDPIntent(t *testing.T) {
 		writeModel *IDPIntentWriteModel
 		idpUser    idp.User
 		userID     string
-		attributes map[string][]string
+		session    *ldap.Session
 	}
 	type res struct {
 		token string
@@ -1071,7 +1081,7 @@ func TestCommands_SucceedLDAPIDPIntent(t *testing.T) {
 			},
 			args{
 				ctx:        context.Background(),
-				writeModel: NewIDPIntentWriteModel("id", "instance"),
+				writeModel: NewIDPIntentWriteModel("id", "instance", 0),
 			},
 			res{
 				err: zerrors.ThrowInternal(nil, "id", "encryption failed"),
@@ -1091,14 +1101,24 @@ func TestCommands_SucceedLDAPIDPIntent(t *testing.T) {
 							"username",
 							"",
 							map[string][]string{"id": {"id"}},
+							time.Time{},
 						),
 					),
 				),
 			},
 			args{
 				ctx:        context.Background(),
-				writeModel: NewIDPIntentWriteModel("id", "instance"),
-				attributes: map[string][]string{"id": {"id"}},
+				writeModel: NewIDPIntentWriteModel("id", "instance", 0),
+				session: &ldap.Session{
+					Entry: &goldap.Entry{
+						Attributes: []*goldap.EntryAttribute{
+							{
+								Name:   "id",
+								Values: []string{"id"},
+							},
+						},
+					},
+				},
 				idpUser: ldap.NewUser(
 					"id",
 					"",
@@ -1126,7 +1146,7 @@ func TestCommands_SucceedLDAPIDPIntent(t *testing.T) {
 				eventstore:          tt.fields.eventstore(t),
 				idpConfigEncryption: tt.fields.idpConfigEncryption,
 			}
-			got, err := c.SucceedLDAPIDPIntent(tt.args.ctx, tt.args.writeModel, tt.args.idpUser, tt.args.userID, tt.args.attributes)
+			got, err := c.SucceedLDAPIDPIntent(tt.args.ctx, tt.args.writeModel, tt.args.idpUser, tt.args.userID, tt.args.session)
 			require.ErrorIs(t, err, tt.res.err)
 			assert.Equal(t, tt.res.token, got)
 		})
@@ -1166,7 +1186,7 @@ func TestCommands_FailIDPIntent(t *testing.T) {
 			},
 			args{
 				ctx:        context.Background(),
-				writeModel: NewIDPIntentWriteModel("id", "instance"),
+				writeModel: NewIDPIntentWriteModel("id", "instance", 0),
 				reason:     "reason",
 			},
 			res{