TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-10-23 20:41:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

some cleanup

Browse Source
This commit is contained in:
Tim Möhlmann
2023-11-13 19:20:01 +02:00
parent 477d565ffb
commit 3294ba4c4b
10 changed files with 47 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
internal/api/oidc/client.go
View File

@@ -27,7 +27,6 @@ import (
)
const (
// TODO: remove declarations: (moved to domain package)
ScopeProjectRolePrefix = "urn:zitadel:iam:org:project:role:"
ScopeProjectsRoles = "urn:zitadel:iam:org:projects:roles"
ClaimProjectRoles = "urn:zitadel:iam:org:project:roles"
@@ -180,6 +179,21 @@ func (o *OPStorage) SetIntrospectionFromToken(ctx context.Context, introspection
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
if strings.HasPrefix(tokenID, command.IDPrefixV2) {
token, err := o.query.ActiveAccessTokenByToken(ctx, tokenID)
if err != nil {
return err
}
projectID, err := o.query.ProjectIDFromClientID(ctx, clientID)
if err != nil {
return errors.ThrowPermissionDenied(nil, "OIDC-Adfg5", "client not found")
}
return o.introspect(ctx, introspection,
tokenID, token.UserID, token.ClientID, clientID, projectID,
token.Audience, token.Scope,
token.AccessTokenCreation, token.AccessTokenExpiration)
}
token, err := o.repo.TokenByIDs(ctx, subject, tokenID)
if err != nil {
return errors.ThrowPermissionDenied(nil, "OIDC-Dsfb2", "token is not valid or has expired")
@@ -370,7 +384,7 @@ func (o *OPStorage) setUserinfo(ctx context.Context, userInfo *oidc.UserInfo, us
if err != nil {
return err
}
setUserInfoRoleClaims(userInfo, projectRoles)
o.setUserInfoRoleClaims(userInfo, projectRoles)
return o.userinfoFlows(ctx, user, userGrants, userInfo)
}
@@ -432,7 +446,7 @@ func (o *OPStorage) setUserInfoResourceOwner(ctx context.Context, userInfo *oidc
return nil
}
func setUserInfoRoleClaims(userInfo *oidc.UserInfo, roles *projectsRoles) {
func (o *OPStorage) setUserInfoRoleClaims(userInfo *oidc.UserInfo, roles *projectsRoles) {
if roles != nil && len(roles.projects) > 0 {
if roles, ok := roles.projects[roles.requestProjectID]; ok {
userInfo.AppendClaims(ClaimProjectRoles, roles)

2
internal/api/oidc/introspect.go
View File

@@ -186,7 +186,7 @@ func (s *Server) introspectionToken(ctx context.Context, accessToken string, rc
}
tokenID, subject = split[0], split[1]
} else {
verifier := op.NewAccessTokenVerifier(op.IssuerFromContext(ctx), s.storage.keySet)
verifier := op.NewAccessTokenVerifier(op.IssuerFromContext(ctx), s.keySet)
claims, err := op.VerifyAccessToken[*oidc.AccessTokenClaims](ctx, accessToken, verifier)
if err != nil {
return nil, err

8
internal/api/oidc/op.go
View File

@@ -68,7 +68,6 @@ type OPStorage struct {
command *command.Commands
query *query.Queries
eventstore *eventstore.Eventstore
keySet *keySetCache
defaultLoginURL string
defaultLoginURLV2 string
defaultLogoutURLV2 string
@@ -123,6 +122,8 @@ func NewServer(
storage: storage,
LegacyServer: op.NewLegacyServer(provider, endpoints(config.CustomEndpoints)),
query: query,
command: command,
keySet: newKeySet(context.TODO(), time.Hour, query.GetActivePublicKeyByID),
fallbackLogger: fallbackLogger,
hashAlg: crypto.NewBCrypt(10), // as we are only verifying in oidc, the cost is already part of the hash string and the config here is irrelevant.
signingKeyAlgorithm: config.SigningKeyAlgorithm,
@@ -179,13 +180,12 @@ func createOPConfig(config Config, defaultLogoutRedirectURI string, cryptoKey []
return opConfig, nil
}
func newStorage(config Config, command *command.Commands, queries *query.Queries, repo repository.Repository, encAlg crypto.EncryptionAlgorithm, es *eventstore.Eventstore, db *database.DB, externalSecure bool) *OPStorage {
func newStorage(config Config, command *command.Commands, query *query.Queries, repo repository.Repository, encAlg crypto.EncryptionAlgorithm, es *eventstore.Eventstore, db *database.DB, externalSecure bool) *OPStorage {
return &OPStorage{
repo: repo,
command: command,
query: queries,
query: query,
eventstore: es,
keySet: newKeySet(context.TODO(), time.Hour, queries.GetActivePublicKeyByID),
defaultLoginURL: fmt.Sprintf("%s%s?%s=", login.HandlerPrefix, login.EndpointLogin, login.QueryAuthRequestID),
defaultLoginURLV2: config.DefaultLoginURLV2,
defaultLogoutURLV2: config.DefaultLogoutURLV2,

2
internal/api/oidc/server.go
View File

@@ -9,6 +9,7 @@ import (
"github.com/zitadel/logging"
"github.com/zitadel/oidc/v3/pkg/oidc"
"github.com/zitadel/oidc/v3/pkg/op"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/query"
@@ -22,6 +23,7 @@ type Server struct {
query *query.Queries
command *command.Commands
keySet *keySetCache
fallbackLogger *slog.Logger
hashAlg crypto.HashAlgorithm

11
internal/api/oidc/userinfo.go
View File

@@ -248,6 +248,17 @@ func setUserInfoOrgClaims(user *query.OIDCUserInfo, out *oidc.UserInfo) {
}
}
func setUserInfoRoleClaims(userInfo *oidc.UserInfo, roles *projectsRoles) {
if roles != nil && len(roles.projects) > 0 {
if roles, ok := roles.projects[roles.requestProjectID]; ok {
userInfo.AppendClaims(ClaimProjectRoles, roles)
}
for projectID, roles := range roles.projects {
userInfo.AppendClaims(fmt.Sprintf(ClaimProjectRolesFormat, projectID), roles)
}
}
}
func (s *Server) userinfoFlows(ctx context.Context, user *query.OIDCUserInfo, userGrants *query.UserGrants, userInfo *oidc.UserInfo) error {
queriedActions, err := s.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeCustomiseToken, domain.TriggerTypePreUserinfoCreation, user.User.ResourceOwner, false)
if err != nil {