TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 00:57:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: use of generic oauth provider (#5345)

Browse Source 
Adds a id_attribute to the GenericOAuthProvider, which is used to map the external User. Further mapping can be done in actions by using the `rawInfo` of the new `ctx.v1.providerInfo` field.
This commit is contained in:
Livio Spring
2023-03-03 11:38:49 +01:00
committed by GitHub
parent cfe00ef0d0
commit 2efa305e10
28 changed files with 456 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
internal/query/idp_template.go
View File

@@ -54,6 +54,7 @@ type OAuthIDPTemplate struct {
TokenEndpoint string
UserEndpoint string
Scopes database.StringArray
IDAttribute string
}
type OIDCIDPTemplate struct {
@@ -196,6 +197,10 @@ var (
name: projection.OAuthScopesCol,
table: oauthIdpTemplateTable,
}
OAuthIDAttributeCol = Column{
name: projection.OAuthIDAttributeCol,
table: oauthIdpTemplateTable,
}
)
var (
@@ -505,6 +510,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
OAuthTokenEndpointCol.identifier(),
OAuthUserEndpointCol.identifier(),
OAuthScopesCol.identifier(),
OAuthIDAttributeCol.identifier(),
// oidc
OIDCIDCol.identifier(),
OIDCIssuerCol.identifier(),
@@ -564,6 +570,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
oauthTokenEndpoint := sql.NullString{}
oauthUserEndpoint := sql.NullString{}
oauthScopes := database.StringArray{}
oauthIDAttribute := sql.NullString{}
oidcID := sql.NullString{}
oidcIssuer := sql.NullString{}
@@ -627,6 +634,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
&oauthTokenEndpoint,
&oauthUserEndpoint,
&oauthScopes,
&oauthIDAttribute,
// oidc
&oidcID,
&oidcIssuer,
@@ -686,6 +694,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
TokenEndpoint: oauthTokenEndpoint.String,
UserEndpoint: oauthUserEndpoint.String,
Scopes: oauthScopes,
IDAttribute: oauthIDAttribute.String,
}
}
if oidcID.Valid {
@@ -770,6 +779,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
OAuthTokenEndpointCol.identifier(),
OAuthUserEndpointCol.identifier(),
OAuthScopesCol.identifier(),
OAuthIDAttributeCol.identifier(),
// oidc
OIDCIDCol.identifier(),
OIDCIssuerCol.identifier(),
@@ -833,6 +843,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
oauthTokenEndpoint := sql.NullString{}
oauthUserEndpoint := sql.NullString{}
oauthScopes := database.StringArray{}
oauthIDAttribute := sql.NullString{}
oidcID := sql.NullString{}
oidcIssuer := sql.NullString{}
@@ -896,6 +907,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
&oauthTokenEndpoint,
&oauthUserEndpoint,
&oauthScopes,
&oauthIDAttribute,
// oidc
&oidcID,
&oidcIssuer,
@@ -954,6 +966,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
TokenEndpoint: oauthTokenEndpoint.String,
UserEndpoint: oauthUserEndpoint.String,
Scopes: oauthScopes,
IDAttribute: oauthIDAttribute.String,
}
}
if oidcID.Valid {

51
internal/query/idp_template_test.go
View File

@@ -29,13 +29,14 @@ var (
` projections.idp_templates2.is_auto_creation,` +
` projections.idp_templates2.is_auto_update,` +
// oauth
` projections.idp_templates2_oauth.idp_id,` +
` projections.idp_templates2_oauth.client_id,` +
` projections.idp_templates2_oauth.client_secret,` +
` projections.idp_templates2_oauth.authorization_endpoint,` +
` projections.idp_templates2_oauth.token_endpoint,` +
` projections.idp_templates2_oauth.user_endpoint,` +
` projections.idp_templates2_oauth.scopes,` +
` projections.idp_templates2_oauth2.idp_id,` +
` projections.idp_templates2_oauth2.client_id,` +
` projections.idp_templates2_oauth2.client_secret,` +
` projections.idp_templates2_oauth2.authorization_endpoint,` +
` projections.idp_templates2_oauth2.token_endpoint,` +
` projections.idp_templates2_oauth2.user_endpoint,` +
` projections.idp_templates2_oauth2.scopes,` +
` projections.idp_templates2_oauth2.id_attribute,` +
// oidc
` projections.idp_templates2_oidc.idp_id,` +
` projections.idp_templates2_oidc.issuer,` +
@@ -77,7 +78,7 @@ var (
` projections.idp_templates2_ldap.avatar_url_attribute,` +
` projections.idp_templates2_ldap.profile_attribute` +
` FROM projections.idp_templates2` +
` LEFT JOIN projections.idp_templates2_oauth ON projections.idp_templates2.id = projections.idp_templates2_oauth.idp_id AND projections.idp_templates2.instance_id = projections.idp_templates2_oauth.instance_id` +
` LEFT JOIN projections.idp_templates2_oauth2 ON projections.idp_templates2.id = projections.idp_templates2_oauth2.idp_id AND projections.idp_templates2.instance_id = projections.idp_templates2_oauth2.instance_id` +
` LEFT JOIN projections.idp_templates2_oidc ON projections.idp_templates2.id = projections.idp_templates2_oidc.idp_id AND projections.idp_templates2.instance_id = projections.idp_templates2_oidc.instance_id` +
` LEFT JOIN projections.idp_templates2_jwt ON projections.idp_templates2.id = projections.idp_templates2_jwt.idp_id AND projections.idp_templates2.instance_id = projections.idp_templates2_jwt.instance_id` +
` LEFT JOIN projections.idp_templates2_google ON projections.idp_templates2.id = projections.idp_templates2_google.idp_id AND projections.idp_templates2.instance_id = projections.idp_templates2_google.instance_id` +
@@ -105,6 +106,7 @@ var (
"token_endpoint",
"user_endpoint",
"scopes",
"id_attribute",
// oidc config
"id_id",
"issuer",
@@ -160,13 +162,14 @@ var (
` projections.idp_templates2.is_auto_creation,` +
` projections.idp_templates2.is_auto_update,` +
// oauth
` projections.idp_templates2_oauth.idp_id,` +
` projections.idp_templates2_oauth.client_id,` +
` projections.idp_templates2_oauth.client_secret,` +
` projections.idp_templates2_oauth.authorization_endpoint,` +
` projections.idp_templates2_oauth.token_endpoint,` +
` projections.idp_templates2_oauth.user_endpoint,` +
` projections.idp_templates2_oauth.scopes,` +
` projections.idp_templates2_oauth2.idp_id,` +
` projections.idp_templates2_oauth2.client_id,` +
` projections.idp_templates2_oauth2.client_secret,` +
` projections.idp_templates2_oauth2.authorization_endpoint,` +
` projections.idp_templates2_oauth2.token_endpoint,` +
` projections.idp_templates2_oauth2.user_endpoint,` +
` projections.idp_templates2_oauth2.scopes,` +
` projections.idp_templates2_oauth2.id_attribute,` +
// oidc
` projections.idp_templates2_oidc.idp_id,` +
` projections.idp_templates2_oidc.issuer,` +
@@ -209,7 +212,7 @@ var (
` projections.idp_templates2_ldap.profile_attribute,` +
` COUNT(*) OVER ()` +
` FROM projections.idp_templates2` +
` LEFT JOIN projections.idp_templates2_oauth ON projections.idp_templates2.id = projections.idp_templates2_oauth.idp_id AND projections.idp_templates2.instance_id = projections.idp_templates2_oauth.instance_id` +
` LEFT JOIN projections.idp_templates2_oauth2 ON projections.idp_templates2.id = projections.idp_templates2_oauth2.idp_id AND projections.idp_templates2.instance_id = projections.idp_templates2_oauth2.instance_id` +
` LEFT JOIN projections.idp_templates2_oidc ON projections.idp_templates2.id = projections.idp_templates2_oidc.idp_id AND projections.idp_templates2.instance_id = projections.idp_templates2_oidc.instance_id` +
` LEFT JOIN projections.idp_templates2_jwt ON projections.idp_templates2.id = projections.idp_templates2_jwt.idp_id AND projections.idp_templates2.instance_id = projections.idp_templates2_jwt.instance_id` +
` LEFT JOIN projections.idp_templates2_google ON projections.idp_templates2.id = projections.idp_templates2_google.idp_id AND projections.idp_templates2.instance_id = projections.idp_templates2_google.instance_id` +
@@ -237,6 +240,7 @@ var (
"token_endpoint",
"user_endpoint",
"scopes",
"id_attribute",
// oidc config
"id_id",
"issuer",
@@ -339,6 +343,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
"token",
"user",
database.StringArray{"profile"},
"id-attribute",
// oidc
nil,
nil,
@@ -404,6 +409,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
TokenEndpoint: "token",
UserEndpoint: "user",
Scopes: []string{"profile"},
IDAttribute: "id-attribute",
},
},
},
@@ -436,6 +442,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// oidc
"idp-id",
"issuer",
@@ -531,6 +538,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// oidc
nil,
nil,
@@ -626,6 +634,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// oidc
nil,
nil,
@@ -720,6 +729,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// oidc
nil,
nil,
@@ -833,6 +843,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// oidc
nil,
nil,
@@ -957,6 +968,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// oidc
nil,
nil,
@@ -1079,6 +1091,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// oidc
nil,
nil,
@@ -1176,6 +1189,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// oidc
nil,
nil,
@@ -1239,6 +1253,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// oidc
nil,
nil,
@@ -1302,6 +1317,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
"token",
"user",
database.StringArray{"profile"},
"id-attribute",
// oidc
nil,
nil,
@@ -1365,6 +1381,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// oidc
"idp-id-oidc",
"issuer",
@@ -1428,6 +1445,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// oidc
nil,
nil,
@@ -1561,6 +1579,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
TokenEndpoint: "token",
UserEndpoint: "user",
Scopes: []string{"profile"},
IDAttribute: "id-attribute",
},
},
{

29
internal/query/projection/idp_login_policy_link.go
View File

@@ -81,6 +81,10 @@ func (p *idpLoginPolicyLinkProjection) reducers() []handler.AggregateReducer {
Event: org.IDPConfigRemovedEventType,
Reduce: p.reduceIDPConfigRemoved,
},
{
Event: org.IDPRemovedEventType,
Reduce: p.reduceIDPRemoved,
},
{
Event: org.OrgRemovedEventType,
Reduce: p.reduceOwnerRemoved,
@@ -106,6 +110,10 @@ func (p *idpLoginPolicyLinkProjection) reducers() []handler.AggregateReducer {
Event: instance.IDPConfigRemovedEventType,
Reduce: p.reduceIDPConfigRemoved,
},
{
Event: instance.IDPRemovedEventType,
Reduce: p.reduceIDPRemoved,
},
{
Event: instance.InstanceRemovedEventType,
Reduce: reduceInstanceRemovedHelper(IDPUserLinkInstanceIDCol),
@@ -209,6 +217,27 @@ func (p *idpLoginPolicyLinkProjection) reduceIDPConfigRemoved(event eventstore.E
), nil
}
func (p *idpLoginPolicyLinkProjection) reduceIDPRemoved(event eventstore.Event) (*handler.Statement, error) {
var idpID string
switch e := event.(type) {
case *org.IDPRemovedEvent:
idpID = e.ID
case *instance.IDPRemovedEvent:
idpID = e.ID
default:
return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-SFED3", "reduce.wrong.event.type %v", []eventstore.EventType{org.IDPRemovedEventType, instance.IDPRemovedEventType})
}
return crdb.NewDeleteStatement(event,
[]handler.Condition{
handler.NewCond(IDPLoginPolicyLinkIDPIDCol, idpID),
handler.NewCond(IDPLoginPolicyLinkResourceOwnerCol, event.Aggregate().ResourceOwner),
handler.NewCond(IDPLoginPolicyLinkInstanceIDCol, event.Aggregate().InstanceID),
},
), nil
}
func (p *idpLoginPolicyLinkProjection) reducePolicyRemoved(event eventstore.Event) (*handler.Statement, error) {
e, ok := event.(*org.LoginPolicyRemovedEvent)
if !ok {

60
internal/query/projection/idp_login_policy_link_test.go
View File

@@ -331,6 +331,66 @@ func TestIDPLoginPolicyLinkProjection_reduces(t *testing.T) {
},
},
},
{
name: "org IDPRemovedEvent",
args: args{
event: getEvent(testEvent(
repository.EventType(org.IDPRemovedEventType),
org.AggregateType,
[]byte(`{
"id": "id"
}`),
), org.IDPRemovedEventMapper),
},
reduce: (&idpLoginPolicyLinkProjection{}).reduceIDPRemoved,
want: wantReduce{
aggregateType: org.AggregateType,
sequence: 15,
previousSequence: 10,
executer: &testExecuter{
executions: []execution{
{
expectedStmt: "DELETE FROM projections.idp_login_policy_links4 WHERE (idp_id = $1) AND (resource_owner = $2) AND (instance_id = $3)",
expectedArgs: []interface{}{
"id",
"ro-id",
"instance-id",
},
},
},
},
},
},
{
name: "iam IDPRemovedEvent",
args: args{
event: getEvent(testEvent(
repository.EventType(instance.IDPRemovedEventType),
instance.AggregateType,
[]byte(`{
"id": "id"
}`),
), instance.IDPRemovedEventMapper),
},
reduce: (&idpLoginPolicyLinkProjection{}).reduceIDPRemoved,
want: wantReduce{
aggregateType: instance.AggregateType,
sequence: 15,
previousSequence: 10,
executer: &testExecuter{
executions: []execution{
{
expectedStmt: "DELETE FROM projections.idp_login_policy_links4 WHERE (idp_id = $1) AND (resource_owner = $2) AND (instance_id = $3)",
expectedArgs: []interface{}{
"id",
"ro-id",
"instance-id",
},
},
},
},
},
},
{
name: "org.reduceOwnerRemoved",
reduce: (&idpLoginPolicyLinkProjection{}).reduceOwnerRemoved,

8
internal/query/projection/idp_template.go
View File

@@ -24,7 +24,7 @@ const (
IDPTemplateGoogleTable = IDPTemplateTable + "_" + IDPTemplateGoogleSuffix
IDPTemplateLDAPTable = IDPTemplateTable + "_" + IDPTemplateLDAPSuffix
IDPTemplateOAuthSuffix = "oauth"
IDPTemplateOAuthSuffix = "oauth2"
IDPTemplateOIDCSuffix = "oidc"
IDPTemplateJWTSuffix = "jwt"
IDPTemplateGoogleSuffix = "google"
@@ -54,6 +54,7 @@ const (
OAuthTokenEndpointCol = "token_endpoint"
OAuthUserEndpointCol = "user_endpoint"
OAuthScopesCol = "scopes"
OAuthIDAttributeCol = "id_attribute"
OIDCIDCol = "idp_id"
OIDCInstanceIDCol = "instance_id"
@@ -139,6 +140,7 @@ func newIDPTemplateProjection(ctx context.Context, config crdb.StatementHandlerC
crdb.NewColumn(OAuthTokenEndpointCol, crdb.ColumnTypeText),
crdb.NewColumn(OAuthUserEndpointCol, crdb.ColumnTypeText),
crdb.NewColumn(OAuthScopesCol, crdb.ColumnTypeTextArray, crdb.Nullable()),
crdb.NewColumn(OAuthIDAttributeCol, crdb.ColumnTypeText),
},
crdb.NewPrimaryKey(OAuthInstanceIDCol, OAuthIDCol),
IDPTemplateOAuthSuffix,
@@ -417,6 +419,7 @@ func (p *idpTemplateProjection) reduceOAuthIDPAdded(event eventstore.Event) (*ha
handler.NewCol(OAuthTokenEndpointCol, idpEvent.TokenEndpoint),
handler.NewCol(OAuthUserEndpointCol, idpEvent.UserEndpoint),
handler.NewCol(OAuthScopesCol, database.StringArray(idpEvent.Scopes)),
handler.NewCol(OAuthIDAttributeCol, idpEvent.IDAttribute),
},
crdb.WithTableSuffix(IDPTemplateOAuthSuffix),
),
@@ -1176,6 +1179,9 @@ func reduceOAuthIDPChangedColumns(idpEvent idp.OAuthIDPChangedEvent) []handler.C
if idpEvent.Scopes != nil {
oauthCols = append(oauthCols, handler.NewCol(OAuthScopesCol, database.StringArray(idpEvent.Scopes)))
}
if idpEvent.IDAttribute != nil {
oauthCols = append(oauthCols, handler.NewCol(OAuthIDAttributeCol, *idpEvent.IDAttribute))
}
return oauthCols
}

14
internal/query/projection/idp_template_test.go
View File

@@ -154,6 +154,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
"tokenEndpoint": "token",
"userEndpoint": "user",
"scopes": ["profile"],
"idAttribute": "id-attribute",
"isCreationAllowed": true,
"isLinkingAllowed": true,
"isAutoCreation": true,
@@ -188,7 +189,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
},
},
{
expectedStmt: "INSERT INTO projections.idp_templates2_oauth (idp_id, instance_id, client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
expectedStmt: "INSERT INTO projections.idp_templates2_oauth2 (idp_id, instance_id, client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
expectedArgs: []interface{}{
"idp-id",
"instance-id",
@@ -198,6 +199,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
"token",
"user",
database.StringArray{"profile"},
"id-attribute",
},
},
},
@@ -223,6 +225,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
"tokenEndpoint": "token",
"userEndpoint": "user",
"scopes": ["profile"],
"idAttribute": "id-attribute",
"isCreationAllowed": true,
"isLinkingAllowed": true,
"isAutoCreation": true,
@@ -257,7 +260,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
},
},
{
expectedStmt: "INSERT INTO projections.idp_templates2_oauth (idp_id, instance_id, client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
expectedStmt: "INSERT INTO projections.idp_templates2_oauth2 (idp_id, instance_id, client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
expectedArgs: []interface{}{
"idp-id",
"instance-id",
@@ -267,6 +270,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
"token",
"user",
database.StringArray{"profile"},
"id-attribute",
},
},
},
@@ -304,7 +308,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
},
},
{
expectedStmt: "UPDATE projections.idp_templates2_oauth SET client_id = $1 WHERE (idp_id = $2) AND (instance_id = $3)",
expectedStmt: "UPDATE projections.idp_templates2_oauth2 SET client_id = $1 WHERE (idp_id = $2) AND (instance_id = $3)",
expectedArgs: []interface{}{
"id",
"idp-id",
@@ -334,6 +338,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
"tokenEndpoint": "token",
"userEndpoint": "user",
"scopes": ["profile"],
"idAttribute": "id-attribute",
"isCreationAllowed": true,
"isLinkingAllowed": true,
"isAutoCreation": true,
@@ -363,7 +368,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
},
},
{
expectedStmt: "UPDATE projections.idp_templates2_oauth SET (client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes) = ($1, $2, $3, $4, $5, $6) WHERE (idp_id = $7) AND (instance_id = $8)",
expectedStmt: "UPDATE projections.idp_templates2_oauth2 SET (client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute) = ($1, $2, $3, $4, $5, $6, $7) WHERE (idp_id = $8) AND (instance_id = $9)",
expectedArgs: []interface{}{
"client_id",
anyArg{},
@@ -371,6 +376,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
"token",
"user",
database.StringArray{"profile"},
"id-attribute",
"idp-id",
"instance-id",
},