fix: allow unicode characters in org domains (#6675)

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

internal/domain/org.go

@@ -25,7 +25,8 @@ func (o *Org) IsValid() bool {
 }
 
 func (o *Org) AddIAMDomain(iamDomain string) {
-	o.Domains = append(o.Domains, &OrgDomain{Domain: NewIAMDomainName(o.Name, iamDomain), Verified: true, Primary: true})
+	orgDomain, _ := NewIAMDomainName(o.Name, iamDomain)
+	o.Domains = append(o.Domains, &OrgDomain{Domain: orgDomain, Verified: true, Primary: true})
 }
 
 type OrgState int32

internal/domain/org_domain.go

@@ -6,6 +6,7 @@ import (
 
 	http_util "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
 )
 
@@ -32,15 +33,18 @@ func (domain *OrgDomain) GenerateVerificationCode(codeGenerator crypto.Generator
 	return validationCode, nil
 }
 
-func NewIAMDomainName(orgName, iamDomain string) string {
+func NewIAMDomainName(orgName, iamDomain string) (string, error) {
 	// Reference: label domain requirements https://www.nic.ad.jp/timeline/en/20th/appendix1.html
 
 	// Replaces spaces in org name with hyphens
 	label := strings.ReplaceAll(orgName, " ", "-")
 
 	// The label must only contains alphanumeric characters and hyphens
-	// Invalid characters are replaced with and empty space
-	label = string(regexp.MustCompile(`[^a-zA-Z0-9-]`).ReplaceAll([]byte(label), []byte("")))
+	// Invalid characters are replaced with and empty space but as #6471,
+	// as these domains are not used to host ZITADEL, but only for user names,
+	// the characters shouldn't matter that much so we'll accept unicode
+	// characters, accented characters (\p{L}\p{M}), numbers and hyphens.
+	label = string(regexp.MustCompile(`[^\p{L}\p{M}0-9-]`).ReplaceAll([]byte(label), []byte("")))
 
 	// The label cannot exceed 63 characters
 	if len(label) > 63 {
@@ -64,7 +68,12 @@ func NewIAMDomainName(orgName, iamDomain string) string {
 		label = label[:len(label)-1]
 	}
 
-	return strings.ToLower(label + "." + iamDomain)
+	// Empty string should be invalid
+	if len(label) > 0 {
+		return strings.ToLower(label + "." + iamDomain), nil
+	}
+
+	return "", errors.ThrowInvalidArgument(nil, "ORG-RrfXY", "Errors.Org.Domain.EmptyString")
 }
 
 type OrgDomainValidationType int32

internal/domain/org_domain_test.go

@@ -41,10 +41,10 @@ func TestNewIAMDomainName(t *testing.T) {
 		{
 			name: "replace invalid characters [^a-zA-Z0-9-] with empty spaces",
 			args: args{
-				orgName:   "mí Örg name?",
+				orgName:   "mí >**name?",
 				iamDomain: "localhost",
 			},
-			result: "m-rg-name.localhost",
+			result: "mí-name.localhost",
 		},
 		{
 			name: "label created from org name size is not greater than 63 chars",
@@ -78,10 +78,18 @@ func TestNewIAMDomainName(t *testing.T) {
 			},
 			result: "my-super-long-organization-name-with-many-many-many-characters.localhost",
 		},
+		{
+			name: "string full with invalid characters returns empty",
+			args: args{
+				orgName:   "*¿=@^[])",
+				iamDomain: "localhost",
+			},
+			result: "",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			domain := NewIAMDomainName(tt.args.orgName, tt.args.iamDomain)
+			domain, _ := NewIAMDomainName(tt.args.orgName, tt.args.iamDomain)
 			if tt.result != domain {
 				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, domain)
 			}