feat: ldap provider login (#5448)

Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2025-08-11 20:57:31 +00:00 · 2023-03-24 16:18:56 +01:00
parent a8bfcc166e
commit 41ff0bbc63
40 changed files with 2240 additions and 1142 deletions
--- a/internal/command/org_idp_test.go
+++ b/internal/command/org_idp_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"testing"
+	"time"

 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
@@ -17,7 +18,6 @@ import (
 	"github.com/zitadel/zitadel/internal/id"
 	id_mock "github.com/zitadel/zitadel/internal/id/mock"
 	"github.com/zitadel/zitadel/internal/repository/idp"
-	"github.com/zitadel/zitadel/internal/repository/idpconfig"
 	"github.com/zitadel/zitadel/internal/repository/org"
 )

@@ -3734,25 +3734,6 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
 				},
 			},
 		},
-		{
-			"invalid host",
-			fields{
-				eventstore:  eventstoreExpect(t),
-				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"),
-			},
-			args{
-				ctx:           context.Background(),
-				resourceOwner: "org1",
-				provider: LDAPProvider{
-					Name: "name",
-				},
-			},
-			res{
-				err: func(err error) bool {
-					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-SDVg2", ""))
-				},
-			},
-		},
 		{
 			"invalid baseDN",
 			fields{
@@ -3764,7 +3745,6 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
 				resourceOwner: "org1",
 				provider: LDAPProvider{
 					Name: "name",
-					Host: "host",
 				},
 			},
 			res{
@@ -3774,7 +3754,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
 			},
 		},
 		{
-			"invalid userObjectClass",
+			"invalid binddn",
 			fields{
 				eventstore:  eventstoreExpect(t),
 				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"),
@@ -3784,7 +3764,6 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
 				resourceOwner: "org1",
 				provider: LDAPProvider{
 					Name:   "name",
-					Host:   "host",
 					BaseDN: "baseDN",
 				},
 			},
@@ -3794,51 +3773,6 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
 				},
 			},
 		},
-		{
-			"invalid userUniqueAttribute",
-			fields{
-				eventstore:  eventstoreExpect(t),
-				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"),
-			},
-			args{
-				ctx:           context.Background(),
-				resourceOwner: "org1",
-				provider: LDAPProvider{
-					Name:            "name",
-					Host:            "host",
-					BaseDN:          "baseDN",
-					UserObjectClass: "userObjectClass",
-				},
-			},
-			res{
-				err: func(err error) bool {
-					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-AEG2w", ""))
-				},
-			},
-		},
-		{
-			"invalid admin",
-			fields{
-				eventstore:  eventstoreExpect(t),
-				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"),
-			},
-			args{
-				ctx:           context.Background(),
-				resourceOwner: "org1",
-				provider: LDAPProvider{
-					Name:                "name",
-					Host:                "host",
-					BaseDN:              "baseDN",
-					UserObjectClass:     "userObjectClass",
-					UserUniqueAttribute: "userUniqueAttribute",
-				},
-			},
-			res{
-				err: func(err error) bool {
-					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-SAD5n", ""))
-				},
-			},
-		},
 		{
 			"invalid password",
 			fields{
@@ -3849,17 +3783,108 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
 				ctx:           context.Background(),
 				resourceOwner: "org1",
 				provider: LDAPProvider{
-					Name:                "name",
-					Host:                "host",
-					BaseDN:              "baseDN",
-					UserObjectClass:     "userObjectClass",
-					UserUniqueAttribute: "userUniqueAttribute",
-					Admin:               "admin",
+					Name:   "name",
+					BindDN: "binddn",
+					BaseDN: "baseDN",
 				},
 			},
 			res{
 				err: func(err error) bool {
-					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-sdf5h", ""))
+					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-AEG2w", ""))
+				},
+			},
+		},
+		{
+			"invalid userbase",
+			fields{
+				eventstore:  eventstoreExpect(t),
+				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"),
+			},
+			args{
+				ctx:           context.Background(),
+				resourceOwner: "org1",
+				provider: LDAPProvider{
+					Name:         "name",
+					BindDN:       "binddn",
+					BaseDN:       "baseDN",
+					BindPassword: "password",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-SAD5n", ""))
+				},
+			},
+		},
+		{
+			"invalid servers",
+			fields{
+				eventstore:  eventstoreExpect(t),
+				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"),
+			},
+			args{
+				ctx:           context.Background(),
+				resourceOwner: "org1",
+				provider: LDAPProvider{
+					Name:         "name",
+					BindDN:       "binddn",
+					BaseDN:       "baseDN",
+					BindPassword: "password",
+					UserBase:     "user",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-SAy945n", ""))
+				},
+			},
+		},
+		{
+			"invalid userObjectClasses",
+			fields{
+				eventstore:  eventstoreExpect(t),
+				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"),
+			},
+			args{
+				ctx:           context.Background(),
+				resourceOwner: "org1",
+				provider: LDAPProvider{
+					Name:         "name",
+					Servers:      []string{"server"},
+					BindDN:       "binddn",
+					BaseDN:       "baseDN",
+					BindPassword: "password",
+					UserBase:     "user",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-S1x705n", ""))
+				},
+			},
+		},
+		{
+			"invalid userFilters",
+			fields{
+				eventstore:  eventstoreExpect(t),
+				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"),
+			},
+			args{
+				ctx:           context.Background(),
+				resourceOwner: "org1",
+				provider: LDAPProvider{
+					Name:              "name",
+					Servers:           []string{"server"},
+					BindDN:            "binddn",
+					BaseDN:            "baseDN",
+					BindPassword:      "password",
+					UserBase:          "user",
+					UserObjectClasses: []string{"object"},
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-aAx9x1n", ""))
 				},
 			},
 		},
@@ -3873,23 +3898,23 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
 							org.NewLDAPIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate,
 								"id1",
 								"name",
-								"host",
-								"",
+								[]string{"server"},
 								false,
 								"baseDN",
-								"userObjectClass",
-								"userUniqueAttribute",
-								"admin",
+								"dn",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
 									KeyID:      "id",
 									Crypted:    []byte("password"),
 								},
+								"user",
+								[]string{"object"},
+								[]string{"filter"},
+								time.Second*30,
 								idp.LDAPAttributes{},
 								idp.Options{},
 							)),
-						uniqueConstraintsFromEventConstraint(idpconfig.NewAddIDPConfigNameUniqueConstraint("name", "org1")),
 					),
 				),
 				idGenerator:  id_mock.NewIDGeneratorExpectIDs(t, "id1"),
@@ -3899,13 +3924,16 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
 				ctx:           context.Background(),
 				resourceOwner: "org1",
 				provider: LDAPProvider{
-					Name:                "name",
-					Host:                "host",
-					BaseDN:              "baseDN",
-					UserObjectClass:     "userObjectClass",
-					UserUniqueAttribute: "userUniqueAttribute",
-					Admin:               "admin",
-					Password:            "password",
+					Name:              "name",
+					Servers:           []string{"server"},
+					StartTLS:          false,
+					BaseDN:            "baseDN",
+					BindDN:            "dn",
+					BindPassword:      "password",
+					UserBase:          "user",
+					UserObjectClasses: []string{"object"},
+					UserFilters:       []string{"filter"},
+					Timeout:           time.Second * 30,
 				},
 			},
 			res: res{
@@ -3923,19 +3951,20 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
 							org.NewLDAPIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate,
 								"id1",
 								"name",
-								"host",
-								"port",
-								true,
+								[]string{"server"},
+								false,
 								"baseDN",
-								"userObjectClass",
-								"userUniqueAttribute",
-								"admin",
+								"dn",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
 									KeyID:      "id",
 									Crypted:    []byte("password"),
 								},
+								"user",
+								[]string{"object"},
+								[]string{"filter"},
+								time.Second*30,
 								idp.LDAPAttributes{
 									IDAttribute:                "id",
 									FirstNameAttribute:         "firstName",
@@ -3958,7 +3987,6 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
 									IsAutoUpdate:      true,
 								},
 							)),
-						uniqueConstraintsFromEventConstraint(idpconfig.NewAddIDPConfigNameUniqueConstraint("name", "org1")),
 					),
 				),
 				idGenerator:  id_mock.NewIDGeneratorExpectIDs(t, "id1"),
@@ -3968,15 +3996,16 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
 				ctx:           context.Background(),
 				resourceOwner: "org1",
 				provider: LDAPProvider{
-					Name:                "name",
-					Host:                "host",
-					Port:                "port",
-					TLS:                 true,
-					BaseDN:              "baseDN",
-					UserObjectClass:     "userObjectClass",
-					UserUniqueAttribute: "userUniqueAttribute",
-					Admin:               "admin",
-					Password:            "password",
+					Name:              "name",
+					Servers:           []string{"server"},
+					StartTLS:          false,
+					BaseDN:            "baseDN",
+					BindDN:            "dn",
+					BindPassword:      "password",
+					UserBase:          "user",
+					UserObjectClasses: []string{"object"},
+					UserFilters:       []string{"filter"},
+					Timeout:           time.Second * 30,
 					LDAPAttributes: idp.LDAPAttributes{
 						IDAttribute:                "id",
 						FirstNameAttribute:         "firstName",
@@ -4082,25 +4111,6 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 				},
 			},
 		},
-		{
-			"invalid host",
-			fields{
-				eventstore: eventstoreExpect(t),
-			},
-			args{
-				ctx:           context.Background(),
-				resourceOwner: "org1",
-				id:            "id1",
-				provider: LDAPProvider{
-					Name: "name",
-				},
-			},
-			res{
-				err: func(err error) bool {
-					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-Dz62d", ""))
-				},
-			},
-		},
 		{
 			"invalid baseDN",
 			fields{
@@ -4112,7 +4122,6 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 				id:            "id1",
 				provider: LDAPProvider{
 					Name: "name",
-					Host: "host",
 				},
 			},
 			res{
@@ -4122,7 +4131,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 			},
 		},
 		{
-			"invalid userObjectClass",
+			"invalid binddn",
 			fields{
 				eventstore: eventstoreExpect(t),
 			},
@@ -4132,7 +4141,6 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 				id:            "id1",
 				provider: LDAPProvider{
 					Name:   "name",
-					Host:   "host",
 					BaseDN: "baseDN",
 				},
 			},
@@ -4143,7 +4151,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 			},
 		},
 		{
-			"invalid userUniqueAttribute",
+			"invalid userbase",
 			fields{
 				eventstore: eventstoreExpect(t),
 			},
@@ -4152,33 +4160,9 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 				resourceOwner: "org1",
 				id:            "id1",
 				provider: LDAPProvider{
-					Name:            "name",
-					Host:            "host",
-					BaseDN:          "baseDN",
-					UserObjectClass: "userObjectClass",
-				},
-			},
-			res{
-				err: func(err error) bool {
-					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-ASFt6", ""))
-				},
-			},
-		},
-		{
-			"invalid admin",
-			fields{
-				eventstore: eventstoreExpect(t),
-			},
-			args{
-				ctx:           context.Background(),
-				resourceOwner: "org1",
-				id:            "id1",
-				provider: LDAPProvider{
-					Name:                "name",
-					Host:                "host",
-					BaseDN:              "baseDN",
-					UserObjectClass:     "userObjectClass",
-					UserUniqueAttribute: "userUniqueAttribute",
+					Name:   "name",
+					BaseDN: "baseDN",
+					BindDN: "bindDN",
 				},
 			},
 			res{
@@ -4187,6 +4171,75 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 				},
 			},
 		},
+		{
+			"invalid servers",
+			fields{
+				eventstore: eventstoreExpect(t),
+			},
+			args{
+				ctx:           context.Background(),
+				resourceOwner: "org1",
+				id:            "id1",
+				provider: LDAPProvider{
+					Name:     "name",
+					BaseDN:   "baseDN",
+					BindDN:   "bindDN",
+					UserBase: "user",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-Sxx945n", ""))
+				},
+			},
+		},
+		{
+			"invalid userObjectClasses",
+			fields{
+				eventstore: eventstoreExpect(t),
+			},
+			args{
+				ctx:           context.Background(),
+				resourceOwner: "org1",
+				id:            "id1",
+				provider: LDAPProvider{
+					Name:     "name",
+					Servers:  []string{"server"},
+					BaseDN:   "baseDN",
+					BindDN:   "bindDN",
+					UserBase: "user",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-S1p605n", ""))
+				},
+			},
+		},
+		{
+			"invalid userFilters",
+			fields{
+				eventstore: eventstoreExpect(t),
+			},
+			args{
+				ctx:           context.Background(),
+				resourceOwner: "org1",
+				id:            "id1",
+				provider: LDAPProvider{
+					Name:              "name",
+					Servers:           []string{"server"},
+					BaseDN:            "baseDN",
+					BindDN:            "bindDN",
+					UserBase:          "user",
+					UserObjectClasses: []string{"object"},
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, caos_errors.ThrowInvalidArgument(nil, "ORG-aBx901n", ""))
+				},
+			},
+		},
 		{
 			name: "not found",
 			fields: fields{
@@ -4199,16 +4252,20 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 				resourceOwner: "org1",
 				id:            "id1",
 				provider: LDAPProvider{
-					Name:                "name",
-					Host:                "host",
-					BaseDN:              "baseDN",
-					UserObjectClass:     "userObjectClass",
-					UserUniqueAttribute: "userUniqueAttribute",
-					Admin:               "admin",
+					Name:              "name",
+					Servers:           []string{"server"},
+					BaseDN:            "baseDN",
+					BindDN:            "binddn",
+					BindPassword:      "password",
+					UserBase:          "user",
+					UserObjectClasses: []string{"object"},
+					UserFilters:       []string{"filter"},
 				},
 			},
 			res: res{
-				err: caos_errors.IsNotFound,
+				err: func(err error) bool {
+					return errors.Is(err, caos_errors.ThrowNotFound(nil, "ORG-ASF3F", ""))
+				},
 			},
 		},
 		{
@@ -4220,19 +4277,20 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 							org.NewLDAPIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate,
 								"id1",
 								"name",
-								"host",
-								"",
+								[]string{"server"},
 								false,
-								"baseDN",
-								"userObjectClass",
-								"userUniqueAttribute",
-								"admin",
+								"basedn",
+								"binddn",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
 									KeyID:      "id",
 									Crypted:    []byte("password"),
 								},
+								"user",
+								[]string{"object"},
+								[]string{"filter"},
+								time.Second*30,
 								idp.LDAPAttributes{},
 								idp.Options{},
 							)),
@@ -4244,12 +4302,14 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 				resourceOwner: "org1",
 				id:            "id1",
 				provider: LDAPProvider{
-					Name:                "name",
-					Host:                "host",
-					BaseDN:              "baseDN",
-					UserObjectClass:     "userObjectClass",
-					UserUniqueAttribute: "userUniqueAttribute",
-					Admin:               "admin",
+					Name:              "name",
+					Servers:           []string{"server"},
+					BaseDN:            "basedn",
+					BindDN:            "binddn",
+					UserObjectClasses: []string{"object"},
+					UserFilters:       []string{"filter"},
+					UserBase:          "user",
+					Timeout:           time.Second * 30,
 				},
 			},
 			res: res{
@@ -4265,19 +4325,20 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 							org.NewLDAPIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate,
 								"id1",
 								"name",
-								"host",
-								"port",
+								[]string{"server"},
 								false,
-								"baseDN",
-								"userObjectClass",
-								"userUniqueAttribute",
-								"admin",
+								"basedn",
+								"binddn",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
 									KeyID:      "id",
 									Crypted:    []byte("password"),
 								},
+								"user",
+								[]string{"object"},
+								[]string{"filter"},
+								time.Second*30,
 								idp.LDAPAttributes{},
 								idp.Options{},
 							)),
@@ -4288,22 +4349,22 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 								t := true
 								event, _ := org.NewLDAPIDPChangedEvent(context.Background(), &org.NewAggregate("org1").Aggregate,
 									"id1",
-									"name",
 									[]idp.LDAPIDPChanges{
 										idp.ChangeLDAPName("new name"),
-										idp.ChangeLDAPHost("new host"),
-										idp.ChangeLDAPPort("new port"),
-										idp.ChangeLDAPTLS(true),
-										idp.ChangeLDAPBaseDN("new baseDN"),
-										idp.ChangeLDAPUserObjectClass("new userObjectClass"),
-										idp.ChangeLDAPUserUniqueAttribute("new userUniqueAttribute"),
-										idp.ChangeLDAPAdmin("new admin"),
-										idp.ChangeLDAPPassword(&crypto.CryptoValue{
+										idp.ChangeLDAPServers([]string{"new server"}),
+										idp.ChangeLDAPStartTLS(true),
+										idp.ChangeLDAPBaseDN("new basedn"),
+										idp.ChangeLDAPBindDN("new binddn"),
+										idp.ChangeLDAPBindPassword(&crypto.CryptoValue{
 											CryptoType: crypto.TypeEncryption,
 											Algorithm:  "enc",
 											KeyID:      "id",
 											Crypted:    []byte("new password"),
 										}),
+										idp.ChangeLDAPUserBase("new user"),
+										idp.ChangeLDAPUserObjectClasses([]string{"new object"}),
+										idp.ChangeLDAPUserFilters([]string{"new filter"}),
+										idp.ChangeLDAPTimeout(time.Second * 20),
 										idp.ChangeLDAPAttributes(idp.LDAPAttributeChanges{
 											IDAttribute:                stringPointer("new id"),
 											FirstNameAttribute:         stringPointer("new firstName"),
@@ -4330,8 +4391,6 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 								return event
 							}(),
 						),
-						uniqueConstraintsFromEventConstraint(idpconfig.NewRemoveIDPConfigNameUniqueConstraint("name", "org1")),
-						uniqueConstraintsFromEventConstraint(idpconfig.NewAddIDPConfigNameUniqueConstraint("new name", "org1")),
 					),
 				),
 				secretCrypto: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
@@ -4341,15 +4400,16 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
 				resourceOwner: "org1",
 				id:            "id1",
 				provider: LDAPProvider{
-					Name:                "new name",
-					Host:                "new host",
-					Port:                "new port",
-					TLS:                 true,
-					BaseDN:              "new baseDN",
-					UserObjectClass:     "new userObjectClass",
-					UserUniqueAttribute: "new userUniqueAttribute",
-					Admin:               "new admin",
-					Password:            "new password",
+					Name:              "new name",
+					Servers:           []string{"new server"},
+					StartTLS:          true,
+					BaseDN:            "new basedn",
+					BindDN:            "new binddn",
+					BindPassword:      "new password",
+					UserBase:          "new user",
+					UserObjectClasses: []string{"new object"},
+					UserFilters:       []string{"new filter"},
+					Timeout:           time.Second * 20,
 					LDAPAttributes: idp.LDAPAttributes{
 						IDAttribute:                "new id",
 						FirstNameAttribute:         "new firstName",