feat: Identity brokering (#730)

* feat: add/ remove external idps

* feat: external idp add /remove

* fix: auth proto

* fix: handle login

* feat: loginpolicy on authrequest

* feat: idp providers on login

* feat: link external idp

* fix: check login policy on check username

* feat: add mapping fields for idp config

* feat: use user org id if existing

* feat: use user org id if existing

* feat: register external user

* feat: register external user

* feat: user linking

* feat: user linking

* feat: design external login

* feat: design external login

* fix: tests

* fix: regenerate login design

* feat: next step test linking process

* feat: next step test linking process

* feat: cascade remove external idps on user

* fix: tests

* fix: tests

* feat: external idp requsts on users

* fix: generate protos

* feat: login styles

* feat: login styles

* fix: link user

* fix: register user on specifig org

* fix: user linking

* fix: register external, linking auto

* fix: remove unnecessary request from proto

* fix: tests

* fix: new oidc package

* fix: migration version

* fix: policy permissions

* Update internal/ui/login/static/i18n/en.yaml

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/ui/login/static/i18n/en.yaml

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/ui/login/handler/renderer.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/ui/login/handler/renderer.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: pr requests

* Update internal/ui/login/handler/link_users_handler.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: pr requests

* fix: pr requests

* fix: pr requests

* fix: login name size

* fix: profile image light

* fix: colors

* fix: pr requests

* fix: remove redirect uri validator

* fix: remove redirect uri validator

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

internal/auth/repository/eventsourcing/eventstore/auth_request.go

@@ -2,6 +2,12 @@ package eventstore
 
 import (
 	"context"
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/eventstore/sdk"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	org_event "github.com/caos/zitadel/internal/org/repository/eventsourcing"
+	policy_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	"time"
 
 	"github.com/caos/logging"
@@ -11,6 +17,7 @@ import (
 	cache "github.com/caos/zitadel/internal/auth_request/repository"
 	"github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_view_model "github.com/caos/zitadel/internal/iam/repository/view/model"
 	"github.com/caos/zitadel/internal/id"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	org_view_model "github.com/caos/zitadel/internal/org/repository/view/model"
@@ -22,6 +29,8 @@ import (
 
 type AuthRequestRepo struct {
 	UserEvents   *user_event.UserEventstore
+	OrgEvents    *org_event.OrgEventstore
+	PolicyEvents *policy_event.PolicyEventstore
 	AuthRequests cache.AuthRequestCache
 	View         *view.View
 
@@ -29,6 +38,8 @@ type AuthRequestRepo struct {
 	UserViewProvider        userViewProvider
 	UserEventProvider       userEventProvider
 	OrgViewProvider         orgViewProvider
+	LoginPolicyViewProvider loginPolicyViewProvider
+	IDPProviderViewProvider idpProviderViewProvider
 
 	IdGenerator id.Generator
 
@@ -36,6 +47,8 @@ type AuthRequestRepo struct {
 	MfaInitSkippedLifeTime   time.Duration
 	MfaSoftwareCheckLifeTime time.Duration
 	MfaHardwareCheckLifeTime time.Duration
+
+	IAMID string
 }
 
 type userSessionViewProvider interface {
@@ -46,8 +59,17 @@ type userViewProvider interface {
 	UserByID(string) (*user_view_model.UserView, error)
 }
 
+type loginPolicyViewProvider interface {
+	LoginPolicyByAggregateID(string) (*iam_view_model.LoginPolicyView, error)
+}
+
+type idpProviderViewProvider interface {
+	IDPProvidersByAggregateID(string) ([]*iam_view_model.IDPProviderView, error)
+}
+
 type userEventProvider interface {
 	UserEventsByID(ctx context.Context, id string, sequence uint64) ([]*es_models.Event, error)
+	BulkAddExternalIDPs(ctx context.Context, userID string, externalIDPs []*user_model.ExternalIDP) error
 }
 
 type orgViewProvider interface {
@@ -73,7 +95,7 @@ func (repo *AuthRequestRepo) CreateAuthRequest(ctx context.Context, request *mod
 	}
 	request.Audience = ids
 	if request.LoginHint != "" {
-		err = repo.checkLoginName(request, request.LoginHint)
+		err = repo.checkLoginName(ctx, request, request.LoginHint)
 		logging.LogWithFields("EVENT-aG311", "login name", request.LoginHint, "id", request.ID, "applicationID", request.ApplicationID).Debug("login hint invalid")
 	}
 	err = repo.AuthRequests.SaveAuthRequest(ctx, request)
@@ -122,13 +144,45 @@ func (repo *AuthRequestRepo) CheckLoginName(ctx context.Context, id, loginName,
 	if err != nil {
 		return err
 	}
-	err = repo.checkLoginName(request, loginName)
+	err = repo.checkLoginName(ctx, request, loginName)
 	if err != nil {
 		return err
 	}
 	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
 }
 
+func (repo *AuthRequestRepo) SelectExternalIDP(ctx context.Context, authReqID, idpConfigID, userAgentID string) error {
+	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
+	if err != nil {
+		return err
+	}
+	err = repo.checkSelectedExternalIDP(request, idpConfigID)
+	if err != nil {
+		return err
+	}
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
+func (repo *AuthRequestRepo) CheckExternalUserLogin(ctx context.Context, authReqID, userAgentID string, externalUser *model.ExternalUser) error {
+	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
+	if err != nil {
+		return err
+	}
+	err = repo.checkExternalUserLogin(request, externalUser.IDPConfigID, externalUser.ExternalUserID)
+	if errors.IsNotFound(err) {
+		return repo.setLinkingUser(ctx, request, externalUser)
+	}
+	if err != nil {
+		return err
+	}
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
+func (repo *AuthRequestRepo) setLinkingUser(ctx context.Context, request *model.AuthRequest, externalUser *model.ExternalUser) error {
+	request.LinkingUsers = append(request.LinkingUsers, externalUser)
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
 func (repo *AuthRequestRepo) SelectUser(ctx context.Context, id, userID, userAgentID string) error {
 	request, err := repo.getAuthRequest(ctx, id, userAgentID)
 	if err != nil {
@@ -164,6 +218,59 @@ func (repo *AuthRequestRepo) VerifyMfaOTP(ctx context.Context, authRequestID, us
 	return repo.UserEvents.CheckMfaOTP(ctx, userID, code, request.WithCurrentInfo(info))
 }
 
+func (repo *AuthRequestRepo) LinkExternalUsers(ctx context.Context, authReqID, userAgentID string) error {
+	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
+	if err != nil {
+		return err
+	}
+	err = linkExternalIDPs(ctx, repo.UserEventProvider, request)
+	if err != nil {
+		return err
+	}
+	request.LinkingUsers = nil
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
+func (repo *AuthRequestRepo) AutoRegisterExternalUser(ctx context.Context, registerUser *user_model.User, externalIDP *user_model.ExternalIDP, orgMember *org_model.OrgMember, authReqID, userAgentID, resourceOwner string) error {
+	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
+	if err != nil {
+		return err
+	}
+	policyResourceOwner := authz.GetCtxData(ctx).OrgID
+	if resourceOwner != "" {
+		policyResourceOwner = resourceOwner
+	}
+	pwPolicy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, policyResourceOwner)
+	if err != nil {
+		return err
+	}
+	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, policyResourceOwner)
+	if err != nil {
+		return err
+	}
+	user, aggregates, err := repo.UserEvents.PrepareRegisterUser(ctx, registerUser, externalIDP, pwPolicy, orgPolicy, resourceOwner)
+	if err != nil {
+		return err
+	}
+	if orgMember != nil {
+		orgMember.UserID = user.AggregateID
+		_, memberAggregate, err := repo.OrgEvents.PrepareAddOrgMember(ctx, orgMember, policyResourceOwner)
+		if err != nil {
+			return err
+		}
+		aggregates = append(aggregates, memberAggregate)
+	}
+
+	err = sdk.PushAggregates(ctx, repo.UserEvents.PushAggregates, user.AppendEvents, aggregates...)
+	if err != nil {
+		return err
+	}
+	request.UserID = user.AggregateID
+	request.SelectedIDPConfigID = externalIDP.IDPConfigID
+	request.LinkingUsers = nil
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
 func (repo *AuthRequestRepo) getAuthRequestNextSteps(ctx context.Context, id, userAgentID string, checkLoggedIn bool) (*model.AuthRequest, error) {
 	request, err := repo.getAuthRequest(ctx, id, userAgentID)
 	if err != nil {
@@ -185,18 +292,114 @@ func (repo *AuthRequestRepo) getAuthRequest(ctx context.Context, id, userAgentID
 	if request.AgentID != userAgentID {
 		return nil, errors.ThrowPermissionDenied(nil, "EVENT-adk13", "Errors.AuthRequest.UserAgentNotCorresponding")
 	}
+	err = repo.fillLoginPolicy(ctx, request)
+	if err != nil {
+		return nil, err
+	}
 	return request, nil
 }
 
-func (repo *AuthRequestRepo) checkLoginName(request *model.AuthRequest, loginName string) error {
-	user, err := repo.View.UserByLoginName(loginName)
+func (repo *AuthRequestRepo) getLoginPolicyAndIDPProviders(ctx context.Context, orgID string) (*iam_model.LoginPolicyView, []*iam_model.IDPProviderView, error) {
+	policy, err := repo.getLoginPolicy(ctx, orgID)
+	if err != nil {
+		return nil, nil, err
+	}
+	if !policy.AllowExternalIDP {
+		return policy, nil, nil
+	}
+	idpProviders, err := getLoginPolicyIDPProviders(repo.IDPProviderViewProvider, repo.IAMID, orgID, policy.Default)
+	if err != nil {
+		return nil, nil, err
+	}
+	return policy, idpProviders, nil
+}
+
+func (repo *AuthRequestRepo) fillLoginPolicy(ctx context.Context, request *model.AuthRequest) error {
+	orgID := request.UserOrgID
+	if orgID == "" {
+		orgID = request.GetScopeOrgID()
+	}
+	if orgID == "" {
+		orgID = repo.IAMID
+	}
+
+	policy, idpProviders, err := repo.getLoginPolicyAndIDPProviders(ctx, orgID)
 	if err != nil {
 		return err
 	}
+	request.LoginPolicy = policy
+	if idpProviders != nil {
+		request.AllowedExternalIDPs = idpProviders
+	}
+	return nil
+}
+
+func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *model.AuthRequest, loginName string) (err error) {
+	orgID := request.GetScopeOrgID()
+	user := new(user_view_model.UserView)
+	if orgID != "" {
+		user, err = repo.View.UserByLoginNameAndResourceOwner(loginName, orgID)
+	} else {
+		user, err = repo.View.UserByLoginName(loginName)
+		if err == nil {
+			err = repo.checkLoginPolicyWithResourceOwner(ctx, request, user)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	if err != nil {
+		return err
+	}
+
 	request.SetUserInfo(user.ID, loginName, "", user.ResourceOwner)
 	return nil
 }
 
+func (repo AuthRequestRepo) checkLoginPolicyWithResourceOwner(ctx context.Context, request *model.AuthRequest, user *user_view_model.UserView) error {
+	loginPolicy, idpProviders, err := repo.getLoginPolicyAndIDPProviders(ctx, user.ResourceOwner)
+	if err != nil {
+		return err
+	}
+	if len(request.LinkingUsers) != 0 && !loginPolicy.AllowExternalIDP {
+		return errors.ThrowInvalidArgument(nil, "LOGIN-s9sio", "Errors.User.NotAllowedToLink")
+	}
+	if len(request.LinkingUsers) != 0 {
+		exists := linkingIDPConfigExistingInAllowedIDPs(request.LinkingUsers, idpProviders)
+		if !exists {
+			return errors.ThrowInvalidArgument(nil, "LOGIN-Dj89o", "Errors.User.NotAllowedToLink")
+		}
+	}
+	request.LoginPolicy = loginPolicy
+	request.AllowedExternalIDPs = idpProviders
+	return nil
+}
+
+func (repo *AuthRequestRepo) checkSelectedExternalIDP(request *model.AuthRequest, idpConfigID string) error {
+	for _, externalIDP := range request.AllowedExternalIDPs {
+		if externalIDP.IDPConfigID == idpConfigID {
+			request.SelectedIDPConfigID = idpConfigID
+			return nil
+		}
+	}
+	return errors.ThrowNotFound(nil, "LOGIN-Nsm8r", "Errors.User.ExternalIDP.NotAllowed")
+}
+
+func (repo *AuthRequestRepo) checkExternalUserLogin(request *model.AuthRequest, idpConfigID, externalUserID string) (err error) {
+	orgID := request.GetScopeOrgID()
+	externalIDP := new(user_view_model.ExternalIDPView)
+	if orgID != "" {
+		externalIDP, err = repo.View.ExternalIDPByExternalUserIDAndIDPConfigIDAndResourceOwner(externalUserID, idpConfigID, orgID)
+	} else {
+		externalIDP, err = repo.View.ExternalIDPByExternalUserIDAndIDPConfigID(externalUserID, idpConfigID)
+	}
+	if err != nil {
+		return err
+	}
+	request.SetUserInfo(externalIDP.UserID, "", "", externalIDP.ResourceOwner)
+	return nil
+}
+
 func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthRequest, checkLoggedIn bool) ([]model.NextStep, error) {
 	if request == nil {
 		return nil, errors.ThrowInvalidArgument(nil, "EVENT-ds27a", "Errors.Internal")
@@ -206,7 +409,11 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthR
 		return append(steps, &model.RedirectToCallbackStep{}), nil
 	}
 	if request.UserID == "" {
-		steps = append(steps, &model.LoginStep{})
+		if request.LinkingUsers != nil && len(request.LinkingUsers) > 0 {
+			steps = append(steps, new(model.ExternalNotFoundOptionStep))
+			return steps, nil
+		}
+		steps = append(steps, new(model.LoginStep))
 		if request.Prompt == model.PromptSelectAccount || request.Prompt == model.PromptUnspecified {
 			users, err := repo.usersForUserSelection(request)
 			if err != nil {
@@ -222,23 +429,26 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthR
 	if err != nil {
 		return nil, err
 	}
+	request.LoginName = user.PreferredLoginName
 	userSession, err := userSessionByIDs(ctx, repo.UserSessionViewProvider, repo.UserEventProvider, request.AgentID, user)
 	if err != nil {
 		return nil, err
 	}
 
-	if user.InitRequired {
-		return append(steps, &model.InitUserStep{PasswordSet: user.PasswordSet}), nil
-	}
-	if !user.PasswordSet {
-		return append(steps, &model.InitPasswordStep{}), nil
-	}
+	if request.SelectedIDPConfigID == "" {
+		if user.InitRequired {
+			return append(steps, &model.InitUserStep{PasswordSet: user.PasswordSet}), nil
+		}
+		if !user.PasswordSet {
+			return append(steps, &model.InitPasswordStep{}), nil
+		}
 
-	if !checkVerificationTime(userSession.PasswordVerification, repo.PasswordCheckLifeTime) {
-		return append(steps, &model.PasswordStep{}), nil
+		if !checkVerificationTime(userSession.PasswordVerification, repo.PasswordCheckLifeTime) {
+			return append(steps, &model.PasswordStep{}), nil
+		}
+		request.PasswordVerified = true
+		request.AuthTime = userSession.PasswordVerification
 	}
-	request.PasswordVerified = true
-	request.AuthTime = userSession.PasswordVerification
 
 	if step, ok := repo.mfaChecked(userSession, request, user); !ok {
 		return append(steps, step), nil
@@ -258,6 +468,10 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthR
 		return steps, nil
 	}
 
+	if request.LinkingUsers != nil && len(request.LinkingUsers) != 0 {
+		return append(steps, &model.LinkUsersStep{}), nil
+
+	}
 	//PLANNED: consent step
 	return append(steps, &model.RedirectToCallbackStep{}), nil
 }
@@ -322,6 +536,36 @@ func (repo *AuthRequestRepo) mfaSkippedOrSetUp(user *user_model.UserView) bool {
 	return checkVerificationTime(user.MfaInitSkipped, repo.MfaInitSkippedLifeTime)
 }
 
+func (repo *AuthRequestRepo) getLoginPolicy(ctx context.Context, orgID string) (*iam_model.LoginPolicyView, error) {
+	policy, err := repo.View.LoginPolicyByAggregateID(orgID)
+	if errors.IsNotFound(err) {
+		policy, err = repo.View.LoginPolicyByAggregateID(repo.IAMID)
+		if err != nil {
+			return nil, err
+		}
+		policy.Default = true
+	}
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.LoginPolicyViewToModel(policy), err
+}
+
+func getLoginPolicyIDPProviders(provider idpProviderViewProvider, iamID, orgID string, defaultPolicy bool) ([]*iam_model.IDPProviderView, error) {
+	if defaultPolicy {
+		idpProviders, err := provider.IDPProvidersByAggregateID(iamID)
+		if err != nil {
+			return nil, err
+		}
+		return iam_es_model.IDPProviderViewsToModel(idpProviders), nil
+	}
+	idpProviders, err := provider.IDPProvidersByAggregateID(orgID)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.IDPProviderViewsToModel(idpProviders), nil
+}
+
 func checkVerificationTime(verificationTime time.Time, lifetime time.Duration) bool {
 	return verificationTime.Add(lifetime).After(time.Now().UTC())
 }
@@ -422,3 +666,37 @@ func userByID(ctx context.Context, viewProvider userViewProvider, eventProvider
 	}
 	return user_view_model.UserToModel(&userCopy), nil
 }
+
+func linkExternalIDPs(ctx context.Context, userEventProvider userEventProvider, request *model.AuthRequest) error {
+	externalIDPs := make([]*user_model.ExternalIDP, len(request.LinkingUsers))
+	for i, linkingUser := range request.LinkingUsers {
+		externalIDP := &user_model.ExternalIDP{
+			ObjectRoot:  es_models.ObjectRoot{AggregateID: request.UserID},
+			IDPConfigID: linkingUser.IDPConfigID,
+			UserID:      linkingUser.ExternalUserID,
+			DisplayName: linkingUser.DisplayName,
+		}
+		externalIDPs[i] = externalIDP
+	}
+	data := authz.CtxData{
+		UserID: "LOGIN",
+		OrgID:  request.UserOrgID,
+	}
+	return userEventProvider.BulkAddExternalIDPs(authz.SetCtxData(ctx, data), request.UserID, externalIDPs)
+}
+
+func linkingIDPConfigExistingInAllowedIDPs(linkingUsers []*model.ExternalUser, idpProviders []*iam_model.IDPProviderView) bool {
+	for _, linkingUser := range linkingUsers {
+		exists := false
+		for _, idp := range idpProviders {
+			if idp.IDPConfigID == linkingUser.IDPConfigID {
+				exists = true
+				continue
+			}
+		}
+		if !exists {
+			return false
+		}
+	}
+	return true
+}