feat: Identity brokering (#730)

* feat: add/ remove external idps * feat: external idp add /remove * fix: auth proto * fix: handle login * feat: loginpolicy on authrequest * feat: idp providers on login * feat: link external idp * fix: check login policy on check username * feat: add mapping fields for idp config * feat: use user org id if existing * feat: use user org id if existing * feat: register external user * feat: register external user * feat: user linking * feat: user linking * feat: design external login * feat: design external login * fix: tests * fix: regenerate login design * feat: next step test linking process * feat: next step test linking process * feat: cascade remove external idps on user * fix: tests * fix: tests * feat: external idp requsts on users * fix: generate protos * feat: login styles * feat: login styles * fix: link user * fix: register user on specifig org * fix: user linking * fix: register external, linking auto * fix: remove unnecessary request from proto * fix: tests * fix: new oidc package * fix: migration version * fix: policy permissions * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/handler/renderer.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/handler/renderer.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: pr requests * Update internal/ui/login/handler/link_users_handler.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: pr requests * fix: pr requests * fix: pr requests * fix: login name size * fix: profile image light * fix: colors * fix: pr requests * fix: remove redirect uri validator * fix: remove redirect uri validator Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-11 19:17:32 +00:00 · 2020-09-18 13:26:28 +02:00
parent 1d542a0c57
commit 320ddfa46d
141 changed files with 30057 additions and 12535 deletions
--- a/internal/iam/model/idp_config.go
+++ b/internal/iam/model/idp_config.go
@@ -17,12 +17,14 @@ type IDPConfig struct {

 type OIDCIDPConfig struct {
 	es_models.ObjectRoot
-	IDPConfigID        string
-	ClientID           string
-	ClientSecret       *crypto.CryptoValue
-	ClientSecretString string
-	Issuer             string
-	Scopes             []string
+	IDPConfigID           string
+	ClientID              string
+	ClientSecret          *crypto.CryptoValue
+	ClientSecretString    string
+	Issuer                string
+	Scopes                []string
+	IDPDisplayNameMapping OIDCMappingField
+	UsernameMapping       OIDCMappingField
 }

 type IdpConfigType int32
@@ -40,6 +42,14 @@ const (
 	IDPConfigStateRemoved
 )

+type OIDCMappingField int32
+
+const (
+	OIDCMappingFieldUnspecified OIDCMappingField = iota
+	OIDCMappingFieldPreferredLoginName
+	OIDCMappingFieldEmail
+)
+
 func NewIDPConfig(iamID, idpID string) *IDPConfig {
 	return &IDPConfig{ObjectRoot: es_models.ObjectRoot{AggregateID: iamID}, IDPConfigID: idpID}
 }
--- a/internal/iam/model/idp_config_view.go
+++ b/internal/iam/model/idp_config_view.go
@@ -17,11 +17,13 @@ type IDPConfigView struct {
 	Sequence        uint64
 	IDPProviderType IDPProviderType

-	IsOIDC           bool
-	OIDCClientID     string
-	OIDCClientSecret *crypto.CryptoValue
-	OIDCIssuer       string
-	OIDCScopes       []string
+	IsOIDC                    bool
+	OIDCClientID              string
+	OIDCClientSecret          *crypto.CryptoValue
+	OIDCIssuer                string
+	OIDCScopes                []string
+	OIDCIDPDisplayNameMapping OIDCMappingField
+	OIDCUsernameMapping       OIDCMappingField
 }

 type IDPConfigSearchRequest struct {
--- a/internal/iam/repository/eventsourcing/eventstore.go
+++ b/internal/iam/repository/eventsourcing/eventstore.go
@@ -380,7 +380,10 @@ func (es *IAMEventstore) ChangeIDPOIDCConfig(ctx context.Context, config *iam_mo
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-Fms8w", "Errors.IAM.IdpIsNotOIDC")
 	}
 	if config.ClientSecretString != "" {
-		err = idp.OIDCConfig.CryptSecret(es.secretCrypto)
+		err = config.CryptSecret(es.secretCrypto)
+		if err != nil {
+			return nil, err
+		}
 	} else {
 		config.ClientSecret = nil
 	}
@@ -467,20 +470,31 @@ func (es *IAMEventstore) AddIDPProviderToLoginPolicy(ctx context.Context, provid
 	return nil, caos_errs.ThrowInternal(nil, "EVENT-Slf9s", "Errors.Internal")
 }

-func (es *IAMEventstore) RemoveIDPProviderFromLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) error {
+func (es *IAMEventstore) PrepareRemoveIDPProviderFromLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) (*model.IAM, *models.Aggregate, error) {
 	if provider == nil || !provider.IsValid() {
-		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-Esi8c", "Errors.IdpProviderInvalid")
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-Esi8c", "Errors.IdpProviderInvalid")
 	}
 	iam, err := es.IAMByID(ctx, provider.AggregateID)
 	if err != nil {
-		return err
+		return nil, nil, err
 	}
 	if _, m := iam.DefaultLoginPolicy.GetIdpProvider(provider.IdpConfigID); m == nil {
-		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-29skr", "Errors.IAM.LoginPolicy.IdpProviderNotExisting")
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-29skr", "Errors.IAM.LoginPolicy.IdpProviderNotExisting")
 	}
 	repoIam := model.IAMFromModel(iam)
-	addAggregate := LoginPolicyIDPProviderRemovedAggregate(es.Eventstore.AggregateCreator(), repoIam, &model.IDPProviderID{provider.IdpConfigID})
-	err = es_sdk.Push(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	removeAgg, err := LoginPolicyIDPProviderRemovedAggregate(ctx, es.Eventstore.AggregateCreator(), repoIam, &model.IDPProviderID{provider.IdpConfigID})
+	if err != nil {
+		return nil, nil, err
+	}
+	return repoIam, removeAgg, nil
+}
+
+func (es *IAMEventstore) RemoveIDPProviderFromLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) error {
+	repoIam, removeAgg, err := es.PrepareRemoveIDPProviderFromLoginPolicy(ctx, provider)
+	if err != nil {
+		return err
+	}
+	err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoIam.AppendEvents, removeAgg)
 	if err != nil {
 		return err
 	}
--- a/internal/iam/repository/eventsourcing/iam.go
+++ b/internal/iam/repository/eventsourcing/iam.go
@@ -285,17 +285,15 @@ func LoginPolicyIDPProviderAddedAggregate(aggCreator *es_models.AggregateCreator
 	}
 }

-func LoginPolicyIDPProviderRemovedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, provider *model.IDPProviderID) func(ctx context.Context) (*es_models.Aggregate, error) {
-	return func(ctx context.Context) (*es_models.Aggregate, error) {
-		if provider == nil || existing == nil {
-			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Sml9d", "Errors.Internal")
-		}
-		agg, err := IAMAggregate(ctx, aggCreator, existing)
-		if err != nil {
-			return nil, err
-		}
-		return agg.AppendEvent(model.LoginPolicyIDPProviderRemoved, provider)
+func LoginPolicyIDPProviderRemovedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.IAM, provider *model.IDPProviderID) (*es_models.Aggregate, error) {
+	if provider == nil || existing == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Sml9d", "Errors.Internal")
 	}
+	agg, err := IAMAggregate(ctx, aggCreator, existing)
+	if err != nil {
+		return nil, err
+	}
+	return agg.AppendEvent(model.LoginPolicyIDPProviderRemoved, provider)
 }

 func checkExistingLoginPolicyValidation() func(...*es_models.Event) error {
--- a/internal/iam/repository/eventsourcing/iam_test.go
+++ b/internal/iam/repository/eventsourcing/iam_test.go
@@ -1447,7 +1447,7 @@ func TestLoginPolicyIdpProviderRemovedAggregate(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			agg, err := LoginPolicyIDPProviderRemovedAggregate(tt.args.aggCreator, tt.args.existingIAM, tt.args.newProviderID)(tt.args.ctx)
+			agg, err := LoginPolicyIDPProviderRemovedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.existingIAM, tt.args.newProviderID)

 			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
 				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
--- a/internal/iam/repository/eventsourcing/model/idp_config.go
+++ b/internal/iam/repository/eventsourcing/model/idp_config.go
@@ -10,11 +10,12 @@ import (

 type IDPConfig struct {
 	es_models.ObjectRoot
-	IDPConfigID   string         `json:"idpConfigId"`
-	State         int32          `json:"-"`
-	Name          string         `json:"name,omitempty"`
-	Type          int32          `json:"idpType,omitempty"`
-	LogoSrc       []byte         `json:"logoSrc,omitempty"`
+	IDPConfigID string `json:"idpConfigId"`
+	State       int32  `json:"-"`
+	Name        string `json:"name,omitempty"`
+	Type        int32  `json:"idpType,omitempty"`
+	LogoSrc     []byte `json:"logoSrc,omitempty"`
+
 	OIDCIDPConfig *OIDCIDPConfig `json:"-"`
 }

--- a/internal/iam/repository/eventsourcing/model/oidc_idp_config.go
+++ b/internal/iam/repository/eventsourcing/model/oidc_idp_config.go
@@ -12,11 +12,13 @@ import (

 type OIDCIDPConfig struct {
 	es_models.ObjectRoot
-	IDPConfigID  string              `json:"idpConfigId"`
-	ClientID     string              `json:"clientId"`
-	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
-	Issuer       string              `json:"issuer,omitempty"`
-	Scopes       pq.StringArray      `json:"scopes,omitempty"`
+	IDPConfigID           string              `json:"idpConfigId"`
+	ClientID              string              `json:"clientId"`
+	ClientSecret          *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	Issuer                string              `json:"issuer,omitempty"`
+	Scopes                pq.StringArray      `json:"scopes,omitempty"`
+	IDPDisplayNameMapping int32               `json:"idpDisplayNameMapping,omitempty"`
+	UsernameMapping       int32               `json:"usernameMapping,omitempty"`
 }

 func (c *OIDCIDPConfig) Changes(changed *OIDCIDPConfig) map[string]interface{} {
@@ -25,7 +27,7 @@ func (c *OIDCIDPConfig) Changes(changed *OIDCIDPConfig) map[string]interface{} {
 	if c.ClientID != changed.ClientID {
 		changes["clientId"] = changed.ClientID
 	}
-	if c.ClientSecret != nil {
+	if c.ClientSecret != nil && c.ClientSecret != changed.ClientSecret {
 		changes["clientSecret"] = changed.ClientSecret
 	}
 	if c.Issuer != changed.Issuer {
@@ -34,28 +36,38 @@ func (c *OIDCIDPConfig) Changes(changed *OIDCIDPConfig) map[string]interface{} {
 	if !reflect.DeepEqual(c.Scopes, changed.Scopes) {
 		changes["scopes"] = changed.Scopes
 	}
+	if c.IDPDisplayNameMapping != changed.IDPDisplayNameMapping {
+		changes["idpDisplayNameMapping"] = changed.IDPDisplayNameMapping
+	}
+	if c.UsernameMapping != changed.UsernameMapping {
+		changes["usernameMapping"] = changed.UsernameMapping
+	}
 	return changes
 }

 func OIDCIDPConfigFromModel(config *model.OIDCIDPConfig) *OIDCIDPConfig {
 	return &OIDCIDPConfig{
-		ObjectRoot:   config.ObjectRoot,
-		IDPConfigID:  config.IDPConfigID,
-		ClientID:     config.ClientID,
-		ClientSecret: config.ClientSecret,
-		Issuer:       config.Issuer,
-		Scopes:       config.Scopes,
+		ObjectRoot:            config.ObjectRoot,
+		IDPConfigID:           config.IDPConfigID,
+		ClientID:              config.ClientID,
+		ClientSecret:          config.ClientSecret,
+		Issuer:                config.Issuer,
+		Scopes:                config.Scopes,
+		IDPDisplayNameMapping: int32(config.IDPDisplayNameMapping),
+		UsernameMapping:       int32(config.UsernameMapping),
 	}
 }

 func OIDCIDPConfigToModel(config *OIDCIDPConfig) *model.OIDCIDPConfig {
 	return &model.OIDCIDPConfig{
-		ObjectRoot:   config.ObjectRoot,
-		IDPConfigID:  config.IDPConfigID,
-		ClientID:     config.ClientID,
-		ClientSecret: config.ClientSecret,
-		Issuer:       config.Issuer,
-		Scopes:       config.Scopes,
+		ObjectRoot:            config.ObjectRoot,
+		IDPConfigID:           config.IDPConfigID,
+		ClientID:              config.ClientID,
+		ClientSecret:          config.ClientSecret,
+		Issuer:                config.Issuer,
+		Scopes:                config.Scopes,
+		IDPDisplayNameMapping: model.OIDCMappingField(config.IDPDisplayNameMapping),
+		UsernameMapping:       model.OIDCMappingField(config.UsernameMapping),
 	}
 }

--- a/internal/iam/repository/view/idp_provider_view.go
+++ b/internal/iam/repository/view/idp_provider_view.go
@@ -22,7 +22,7 @@ func GetIDPProviderByAggregateIDAndConfigID(db *gorm.DB, table, aggregateID, idp
 }

 func IDPProvidersByIdpConfigID(db *gorm.DB, table string, idpConfigID string) ([]*model.IDPProviderView, error) {
-	members := make([]*model.IDPProviderView, 0)
+	providers := make([]*model.IDPProviderView, 0)
 	queries := []*iam_model.IDPProviderSearchQuery{
 		{
 			Key:    iam_model.IDPProviderSearchKeyIdpConfigID,
@@ -31,11 +31,28 @@ func IDPProvidersByIdpConfigID(db *gorm.DB, table string, idpConfigID string) ([
 		},
 	}
 	query := repository.PrepareSearchQuery(table, model.IDPProviderSearchRequest{Queries: queries})
-	_, err := query(db, &members)
+	_, err := query(db, &providers)
 	if err != nil {
 		return nil, err
 	}
-	return members, nil
+	return providers, nil
+}
+
+func IDPProvidersByAggregateID(db *gorm.DB, table string, aggregateID string) ([]*model.IDPProviderView, error) {
+	providers := make([]*model.IDPProviderView, 0)
+	queries := []*iam_model.IDPProviderSearchQuery{
+		{
+			Key:    iam_model.IDPProviderSearchKeyAggregateID,
+			Value:  aggregateID,
+			Method: global_model.SearchMethodEquals,
+		},
+	}
+	query := repository.PrepareSearchQuery(table, model.IDPProviderSearchRequest{Queries: queries})
+	_, err := query(db, &providers)
+	if err != nil {
+		return nil, err
+	}
+	return providers, nil
 }

 func SearchIDPProviders(db *gorm.DB, table string, req *iam_model.IDPProviderSearchRequest) ([]*model.IDPProviderView, uint64, error) {
--- a/internal/iam/repository/view/idp_view.go
+++ b/internal/iam/repository/view/idp_view.go
@@ -20,6 +20,23 @@ func IDPByID(db *gorm.DB, table, idpID string) (*model.IDPConfigView, error) {
 	return idp, err
 }

+func GetIDPConfigsByAggregateID(db *gorm.DB, table string, aggregateID string) ([]*model.IDPConfigView, error) {
+	idps := make([]*model.IDPConfigView, 0)
+	queries := []*iam_model.IDPConfigSearchQuery{
+		{
+			Key:    iam_model.IDPConfigSearchKeyAggregateID,
+			Value:  aggregateID,
+			Method: global_model.SearchMethodEquals,
+		},
+	}
+	query := repository.PrepareSearchQuery(table, model.IDPConfigSearchRequest{Queries: queries})
+	_, err := query(db, &idps)
+	if err != nil {
+		return nil, err
+	}
+	return idps, nil
+}
+
 func SearchIDPs(db *gorm.DB, table string, req *iam_model.IDPConfigSearchRequest) ([]*model.IDPConfigView, uint64, error) {
 	idps := make([]*model.IDPConfigView, 0)
 	query := repository.PrepareSearchQuery(table, model.IDPConfigSearchRequest{Limit: req.Limit, Offset: req.Offset, Queries: req.Queries})
--- a/internal/iam/repository/view/model/idp_config.go
+++ b/internal/iam/repository/view/model/idp_config.go
@@ -32,55 +32,61 @@ type IDPConfigView struct {
 	IDPState        int32     `json:"-" gorm:"column:idp_state"`
 	IDPProviderType int32     `json:"-" gorm:"column:idp_provider_type"`

-	IsOIDC           bool                `json:"-" gorm:"column:is_oidc"`
-	OIDCClientID     string              `json:"clientId" gorm:"column:oidc_client_id"`
-	OIDCClientSecret *crypto.CryptoValue `json:"clientSecret" gorm:"column:oidc_client_secret"`
-	OIDCIssuer       string              `json:"issuer" gorm:"column:oidc_issuer"`
-	OIDCScopes       pq.StringArray      `json:"scopes" gorm:"column:oidc_scopes"`
+	IsOIDC                    bool                `json:"-" gorm:"column:is_oidc"`
+	OIDCClientID              string              `json:"clientId" gorm:"column:oidc_client_id"`
+	OIDCClientSecret          *crypto.CryptoValue `json:"clientSecret" gorm:"column:oidc_client_secret"`
+	OIDCIssuer                string              `json:"issuer" gorm:"column:oidc_issuer"`
+	OIDCScopes                pq.StringArray      `json:"scopes" gorm:"column:oidc_scopes"`
+	OIDCIDPDisplayNameMapping int32               `json:"idpDisplayNameMapping" gorm:"column:oidc_idp_display_name_mapping"`
+	OIDCUsernameMapping       int32               `json:"usernameMapping" gorm:"column:oidc_idp_username_mapping"`

 	Sequence uint64 `json:"-" gorm:"column:sequence"`
 }

 func IDPConfigViewFromModel(idp *model.IDPConfigView) *IDPConfigView {
 	return &IDPConfigView{
-		IDPConfigID:      idp.IDPConfigID,
-		AggregateID:      idp.AggregateID,
-		Name:             idp.Name,
-		LogoSrc:          idp.LogoSrc,
-		Sequence:         idp.Sequence,
-		CreationDate:     idp.CreationDate,
-		ChangeDate:       idp.ChangeDate,
-		IDPProviderType:  int32(idp.IDPProviderType),
-		IsOIDC:           idp.IsOIDC,
-		OIDCClientID:     idp.OIDCClientID,
-		OIDCClientSecret: idp.OIDCClientSecret,
-		OIDCIssuer:       idp.OIDCIssuer,
-		OIDCScopes:       idp.OIDCScopes,
+		IDPConfigID:               idp.IDPConfigID,
+		AggregateID:               idp.AggregateID,
+		Name:                      idp.Name,
+		LogoSrc:                   idp.LogoSrc,
+		Sequence:                  idp.Sequence,
+		CreationDate:              idp.CreationDate,
+		ChangeDate:                idp.ChangeDate,
+		IDPProviderType:           int32(idp.IDPProviderType),
+		IsOIDC:                    idp.IsOIDC,
+		OIDCClientID:              idp.OIDCClientID,
+		OIDCClientSecret:          idp.OIDCClientSecret,
+		OIDCIssuer:                idp.OIDCIssuer,
+		OIDCScopes:                idp.OIDCScopes,
+		OIDCIDPDisplayNameMapping: int32(idp.OIDCIDPDisplayNameMapping),
+		OIDCUsernameMapping:       int32(idp.OIDCUsernameMapping),
 	}
 }

-func IdpConfigViewToModel(idp *IDPConfigView) *model.IDPConfigView {
+func IDPConfigViewToModel(idp *IDPConfigView) *model.IDPConfigView {
 	return &model.IDPConfigView{
-		IDPConfigID:      idp.IDPConfigID,
-		AggregateID:      idp.AggregateID,
-		Name:             idp.Name,
-		LogoSrc:          idp.LogoSrc,
-		Sequence:         idp.Sequence,
-		CreationDate:     idp.CreationDate,
-		ChangeDate:       idp.ChangeDate,
-		IDPProviderType:  model.IDPProviderType(idp.IDPProviderType),
-		IsOIDC:           idp.IsOIDC,
-		OIDCClientID:     idp.OIDCClientID,
-		OIDCClientSecret: idp.OIDCClientSecret,
-		OIDCIssuer:       idp.OIDCIssuer,
-		OIDCScopes:       idp.OIDCScopes,
+		IDPConfigID:               idp.IDPConfigID,
+		AggregateID:               idp.AggregateID,
+		Name:                      idp.Name,
+		LogoSrc:                   idp.LogoSrc,
+		Sequence:                  idp.Sequence,
+		CreationDate:              idp.CreationDate,
+		ChangeDate:                idp.ChangeDate,
+		IDPProviderType:           model.IDPProviderType(idp.IDPProviderType),
+		IsOIDC:                    idp.IsOIDC,
+		OIDCClientID:              idp.OIDCClientID,
+		OIDCClientSecret:          idp.OIDCClientSecret,
+		OIDCIssuer:                idp.OIDCIssuer,
+		OIDCScopes:                idp.OIDCScopes,
+		OIDCIDPDisplayNameMapping: model.OIDCMappingField(idp.OIDCIDPDisplayNameMapping),
+		OIDCUsernameMapping:       model.OIDCMappingField(idp.OIDCUsernameMapping),
 	}
 }

 func IdpConfigViewsToModel(idps []*IDPConfigView) []*model.IDPConfigView {
 	result := make([]*model.IDPConfigView, len(idps))
 	for i, idp := range idps {
-		result[i] = IdpConfigViewToModel(idp)
+		result[i] = IDPConfigViewToModel(idp)
 	}
 	return result
 }
--- a/internal/iam/repository/view/model/idp_provider.go
+++ b/internal/iam/repository/view/model/idp_provider.go
@@ -39,6 +39,7 @@ func IDPProviderViewFromModel(policy *model.IDPProviderView) *IDPProviderView {
 		CreationDate:    policy.CreationDate,
 		ChangeDate:      policy.ChangeDate,
 		Name:            policy.Name,
+		IDPConfigID:     policy.IDPConfigID,
 		IDPConfigType:   int32(policy.IDPConfigType),
 		IDPProviderType: int32(policy.IDPProviderType),
 	}
@@ -51,6 +52,7 @@ func IDPProviderViewToModel(policy *IDPProviderView) *model.IDPProviderView {
 		CreationDate:    policy.CreationDate,
 		ChangeDate:      policy.ChangeDate,
 		Name:            policy.Name,
+		IDPConfigID:     policy.IDPConfigID,
 		IDPConfigType:   model.IdpConfigType(policy.IDPConfigType),
 		IDPProviderType: model.IDPProviderType(policy.IDPProviderType),
 	}