fix(app): move queries to query package (#2612)

* fix: move queries to query package * fix(auth): switch project role requests to query pkg * refactor: delete unused project role code * remove repo * implement sql queries * fix(database): oidc config change type to int2 * fix(queries): implement app queries * refactor: simplify code * fix: correct app query * Update app.go * fix token check * fix mock * test: app prepares * test: oidc compliance * test: OIDCOriginAllowList * fix: converter * resolve unsupported oidc version Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 04:57:33 +00:00 · 2021-11-26 07:57:05 +01:00
parent a9035def0f
commit 3473156c7e
39 changed files with 3150 additions and 1066 deletions
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -13,7 +13,6 @@ import (

 	"github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/errors"
-	proj_model "github.com/caos/zitadel/internal/project/model"
 	"github.com/caos/zitadel/internal/query"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
 	grant_model "github.com/caos/zitadel/internal/usergrant/model"
@@ -26,15 +25,20 @@ func (o *OPStorage) CreateAuthRequest(ctx context.Context, req *oidc.AuthRequest
 	if !ok {
 		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-sd436", "no user agent id")
 	}
-	app, err := o.repo.ApplicationByClientID(ctx, req.ClientID)
+	projectID, err := o.query.ProjectIDFromOIDCClientID(ctx, req.ClientID)
 	if err != nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-AEG4d", "Errors.Internal")
 	}
-	req.Scopes, err = o.assertProjectRoleScopes(app, req.Scopes)
+	project, err := o.query.ProjectByID(ctx, projectID)
+	if err != nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-w4wIn", "Errors.Internal")
+	}
+	req.Scopes, err = o.assertProjectRoleScopes(project, req.Scopes)
 	if err != nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-Gqrfg", "Errors.Internal")
 	}
 	authRequest := CreateAuthRequestToBusiness(ctx, req, userAgentID, userID)
+	//TODO: ensure splitting of command and query side durring auth request and login refactoring
 	resp, err := o.repo.CreateAuthRequest(ctx, authRequest)
 	if err != nil {
 		return nil, err
@@ -205,8 +209,8 @@ func (o *OPStorage) GetKeySet(ctx context.Context) (_ *jose.JSONWebKeySet, err e
 	return o.repo.GetKeySet(ctx)
 }

-func (o *OPStorage) assertProjectRoleScopes(app *proj_model.ApplicationView, scopes []string) ([]string, error) {
-	if !app.ProjectRoleAssertion {
+func (o *OPStorage) assertProjectRoleScopes(project *query.Project, scopes []string) ([]string, error) {
+	if !project.ProjectRoleAssertion {
 		return scopes, nil
 	}
 	for _, scope := range scopes {
@@ -214,7 +218,7 @@ func (o *OPStorage) assertProjectRoleScopes(app *proj_model.ApplicationView, sco
 			return scopes, nil
 		}
 	}
-	projectIDQuery, err := query.NewProjectRoleProjectIDSearchQuery(app.ProjectID)
+	projectIDQuery, err := query.NewProjectRoleProjectIDSearchQuery(project.ID)
 	if err != nil {
 		return nil, errors.ThrowInternal(err, "OIDC-Cyc78", "Errors.Internal")
 	}
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -12,11 +12,10 @@ import (

 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/http"
-	"github.com/caos/zitadel/internal/auth_request/model"
 	authreq_model "github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/errors"
-	proj_model "github.com/caos/zitadel/internal/project/model"
 	"github.com/caos/zitadel/internal/query"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
 	user_model "github.com/caos/zitadel/internal/user/model"
@@ -37,11 +36,11 @@ const (
 func (o *OPStorage) GetClientByClientID(ctx context.Context, id string) (_ op.Client, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	client, err := o.repo.ApplicationByClientID(ctx, id)
+	client, err := o.query.AppByOIDCClientID(ctx, id)
 	if err != nil {
 		return nil, err
 	}
-	if client.State != proj_model.AppStateActive {
+	if client.State != domain.AppStateActive {
 		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-sdaGg", "client is not active")
 	}
 	projectIDQuery, err := query.NewProjectRoleProjectIDSearchQuery(client.ProjectID)
@@ -125,11 +124,11 @@ func (o *OPStorage) SetUserinfoFromToken(ctx context.Context, userInfo oidc.User
 		return errors.ThrowPermissionDenied(nil, "OIDC-Dsfb2", "token is not valid or has expired")
 	}
 	if token.ApplicationID != "" {
-		app, err := o.repo.ApplicationByClientID(ctx, token.ApplicationID)
+		app, err := o.query.AppByOIDCClientID(ctx, token.ApplicationID)
 		if err != nil {
 			return err
 		}
-		if origin != "" && !http.IsOriginAllowed(app.OriginAllowList, origin) {
+		if origin != "" && !http.IsOriginAllowed(app.OIDCConfig.AllowedOrigins, origin) {
 			return errors.ThrowPermissionDenied(nil, "OIDC-da1f3", "origin is not allowed")
 		}
 	}
@@ -202,8 +201,8 @@ func (o *OPStorage) SetUserinfoFromScopes(ctx context.Context, userInfo oidc.Use
 			if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
 				roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix))
 			}
-			if strings.HasPrefix(scope, model.OrgDomainPrimaryScope) {
-				userInfo.AppendClaims(model.OrgDomainPrimaryClaim, strings.TrimPrefix(scope, model.OrgDomainPrimaryScope))
+			if strings.HasPrefix(scope, authreq_model.OrgDomainPrimaryScope) {
+				userInfo.AppendClaims(authreq_model.OrgDomainPrimaryClaim, strings.TrimPrefix(scope, authreq_model.OrgDomainPrimaryScope))
 			}
 		}
 	}
@@ -225,12 +224,12 @@ func (o *OPStorage) SetIntrospectionFromToken(ctx context.Context, introspection
 	if err != nil {
 		return errors.ThrowPermissionDenied(nil, "OIDC-Dsfb2", "token is not valid or has expired")
 	}
-	app, err := o.repo.ApplicationByClientID(ctx, clientID)
+	projectID, err := o.query.ProjectIDFromOIDCClientID(ctx, clientID)
 	if err != nil {
 		return errors.ThrowPermissionDenied(nil, "OIDC-Adfg5", "client not found")
 	}
 	for _, aud := range token.Audience {
-		if aud == clientID || aud == app.ProjectID {
+		if aud == clientID || aud == projectID {
 			err := o.SetUserinfoFromScopes(ctx, introspection, token.UserID, clientID, token.Scopes)
 			if err != nil {
 				return err
@@ -266,8 +265,8 @@ func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clie
 		}
 		if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
 			roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix))
-		} else if strings.HasPrefix(scope, model.OrgDomainPrimaryScope) {
-			claims = appendClaim(claims, model.OrgDomainPrimaryClaim, strings.TrimPrefix(scope, model.OrgDomainPrimaryScope))
+		} else if strings.HasPrefix(scope, authreq_model.OrgDomainPrimaryScope) {
+			claims = appendClaim(claims, authreq_model.OrgDomainPrimaryClaim, strings.TrimPrefix(scope, authreq_model.OrgDomainPrimaryScope))
 		}
 	}
 	if len(roles) == 0 || clientID == "" {
@@ -284,11 +283,11 @@ func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clie
 }

 func (o *OPStorage) assertRoles(ctx context.Context, userID, applicationID string, requestedRoles []string) (map[string]map[string]string, error) {
-	app, err := o.repo.ApplicationByClientID(ctx, applicationID)
+	projectID, err := o.query.ProjectIDFromOIDCClientID(ctx, applicationID)
 	if err != nil {
 		return nil, err
 	}
-	grants, err := o.repo.UserGrantsByProjectAndUserID(app.ProjectID, userID)
+	grants, err := o.repo.UserGrantsByProjectAndUserID(projectID, userID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@@ -8,24 +8,25 @@ import (
 	"github.com/caos/oidc/pkg/op"

 	authreq_model "github.com/caos/zitadel/internal/auth_request/model"
+	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/project/model"
+	"github.com/caos/zitadel/internal/query"
 )

 type Client struct {
-	*model.ApplicationView
+	app                        *query.App
 	defaultLoginURL            string
 	defaultAccessTokenLifetime time.Duration
 	defaultIdTokenLifetime     time.Duration
 	allowedScopes              []string
 }

-func ClientFromBusiness(app *model.ApplicationView, defaultLoginURL string, defaultAccessTokenLifetime, defaultIdTokenLifetime time.Duration, allowedScopes []string) (op.Client, error) {
-	if !app.IsOIDC {
+func ClientFromBusiness(app *query.App, defaultLoginURL string, defaultAccessTokenLifetime, defaultIdTokenLifetime time.Duration, allowedScopes []string) (op.Client, error) {
+	if app.OIDCConfig == nil {
 		return nil, errors.ThrowInvalidArgument(nil, "OIDC-d5bhD", "client is not a proper oidc application")
 	}
 	return &Client{
-			ApplicationView:            app,
+			app:                        app,
 			defaultLoginURL:            defaultLoginURL,
 			defaultAccessTokenLifetime: defaultAccessTokenLifetime,
 			defaultIdTokenLifetime:     defaultIdTokenLifetime,
@@ -34,15 +35,15 @@ func ClientFromBusiness(app *model.ApplicationView, defaultLoginURL string, defa
 }

 func (c *Client) ApplicationType() op.ApplicationType {
-	return op.ApplicationType(c.OIDCApplicationType)
+	return op.ApplicationType(c.app.OIDCConfig.AppType)
 }

 func (c *Client) AuthMethod() oidc.AuthMethod {
-	return authMethodToOIDC(c.OIDCAuthMethodType)
+	return authMethodToOIDC(c.app.OIDCConfig.AuthMethodType)
 }

 func (c *Client) GetID() string {
-	return c.OIDCClientID
+	return c.app.OIDCConfig.ClientID
 }

 func (c *Client) LoginURL(id string) string {
@@ -50,28 +51,28 @@ func (c *Client) LoginURL(id string) string {
 }

 func (c *Client) RedirectURIs() []string {
-	return c.OIDCRedirectUris
+	return c.app.OIDCConfig.RedirectURIs
 }

 func (c *Client) PostLogoutRedirectURIs() []string {
-	return c.OIDCPostLogoutRedirectUris
+	return c.app.OIDCConfig.PostLogoutRedirectURIs
 }

 func (c *Client) ResponseTypes() []oidc.ResponseType {
-	return responseTypesToOIDC(c.OIDCResponseTypes)
+	return responseTypesToOIDC(c.app.OIDCConfig.ResponseTypes)
 }

 func (c *Client) GrantTypes() []oidc.GrantType {
-	return grantTypesToOIDC(c.OIDCGrantTypes)
+	return grantTypesToOIDC(c.app.OIDCConfig.GrantTypes)
 }

 func (c *Client) DevMode() bool {
-	return c.ApplicationView.DevMode
+	return c.app.OIDCConfig.IsDevMode
 }

 func (c *Client) RestrictAdditionalIdTokenScopes() func(scopes []string) []string {
 	return func(scopes []string) []string {
-		if c.IDTokenRoleAssertion {
+		if c.app.OIDCConfig.AssertIDTokenRole {
 			return scopes
 		}
 		return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
@@ -80,7 +81,7 @@ func (c *Client) RestrictAdditionalIdTokenScopes() func(scopes []string) []strin

 func (c *Client) RestrictAdditionalAccessTokenScopes() func(scopes []string) []string {
 	return func(scopes []string) []string {
-		if c.AccessTokenRoleAssertion {
+		if c.app.OIDCConfig.AssertAccessTokenRole {
 			return scopes
 		}
 		return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
@@ -96,7 +97,7 @@ func (c *Client) IDTokenLifetime() time.Duration {
 }

 func (c *Client) AccessTokenType() op.AccessTokenType {
-	return accessTokenTypeToOIDC(c.ApplicationView.AccessTokenType)
+	return accessTokenTypeToOIDC(c.app.OIDCConfig.AccessTokenType)
 }

 func (c *Client) IsScopeAllowed(scope string) bool {
@@ -124,40 +125,40 @@ func (c *Client) IsScopeAllowed(scope string) bool {
 }

 func (c *Client) ClockSkew() time.Duration {
-	return c.ApplicationView.ClockSkew
+	return c.app.OIDCConfig.ClockSkew
 }

 func (c *Client) IDTokenUserinfoClaimsAssertion() bool {
-	return c.ApplicationView.IDTokenUserinfoAssertion
+	return c.app.OIDCConfig.AssertIDTokenUserinfo
 }

-func accessTokenTypeToOIDC(tokenType model.OIDCTokenType) op.AccessTokenType {
+func accessTokenTypeToOIDC(tokenType domain.OIDCTokenType) op.AccessTokenType {
 	switch tokenType {
-	case model.OIDCTokenTypeBearer:
+	case domain.OIDCTokenTypeBearer:
 		return op.AccessTokenTypeBearer
-	case model.OIDCTokenTypeJWT:
+	case domain.OIDCTokenTypeJWT:
 		return op.AccessTokenTypeJWT
 	default:
 		return op.AccessTokenTypeBearer
 	}
 }

-func authMethodToOIDC(authType model.OIDCAuthMethodType) oidc.AuthMethod {
+func authMethodToOIDC(authType domain.OIDCAuthMethodType) oidc.AuthMethod {
 	switch authType {
-	case model.OIDCAuthMethodTypeBasic:
+	case domain.OIDCAuthMethodTypeBasic:
 		return oidc.AuthMethodBasic
-	case model.OIDCAuthMethodTypePost:
+	case domain.OIDCAuthMethodTypePost:
 		return oidc.AuthMethodPost
-	case model.OIDCAuthMethodTypeNone:
+	case domain.OIDCAuthMethodTypeNone:
 		return oidc.AuthMethodNone
-	case model.OIDCAuthMethodTypePrivateKeyJWT:
+	case domain.OIDCAuthMethodTypePrivateKeyJWT:
 		return oidc.AuthMethodPrivateKeyJWT
 	default:
 		return oidc.AuthMethodBasic
 	}
 }

-func responseTypesToOIDC(responseTypes []model.OIDCResponseType) []oidc.ResponseType {
+func responseTypesToOIDC(responseTypes []domain.OIDCResponseType) []oidc.ResponseType {
 	oidcTypes := make([]oidc.ResponseType, len(responseTypes))
 	for i, t := range responseTypes {
 		oidcTypes[i] = responseTypeToOIDC(t)
@@ -165,20 +166,20 @@ func responseTypesToOIDC(responseTypes []model.OIDCResponseType) []oidc.Response
 	return oidcTypes
 }

-func responseTypeToOIDC(responseType model.OIDCResponseType) oidc.ResponseType {
+func responseTypeToOIDC(responseType domain.OIDCResponseType) oidc.ResponseType {
 	switch responseType {
-	case model.OIDCResponseTypeCode:
+	case domain.OIDCResponseTypeCode:
 		return oidc.ResponseTypeCode
-	case model.OIDCResponseTypeIDTokenToken:
+	case domain.OIDCResponseTypeIDTokenToken:
 		return oidc.ResponseTypeIDToken
-	case model.OIDCResponseTypeIDToken:
+	case domain.OIDCResponseTypeIDToken:
 		return oidc.ResponseTypeIDTokenOnly
 	default:
 		return oidc.ResponseTypeCode
 	}
 }

-func grantTypesToOIDC(grantTypes []model.OIDCGrantType) []oidc.GrantType {
+func grantTypesToOIDC(grantTypes []domain.OIDCGrantType) []oidc.GrantType {
 	oidcTypes := make([]oidc.GrantType, len(grantTypes))
 	for i, t := range grantTypes {
 		oidcTypes[i] = grantTypeToOIDC(t)
@@ -186,13 +187,13 @@ func grantTypesToOIDC(grantTypes []model.OIDCGrantType) []oidc.GrantType {
 	return oidcTypes
 }

-func grantTypeToOIDC(grantType model.OIDCGrantType) oidc.GrantType {
+func grantTypeToOIDC(grantType domain.OIDCGrantType) oidc.GrantType {
 	switch grantType {
-	case model.OIDCGrantTypeAuthorizationCode:
+	case domain.OIDCGrantTypeAuthorizationCode:
 		return oidc.GrantTypeCode
-	case model.OIDCGrantTypeImplicit:
+	case domain.OIDCGrantTypeImplicit:
 		return oidc.GrantTypeImplicit
-	case model.OIDCGrantTypeRefreshToken:
+	case domain.OIDCGrantTypeRefreshToken:
 		return oidc.GrantTypeRefreshToken
 	default:
 		return oidc.GrantTypeCode