TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 03:57:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(actions): add token customization flow and extend functionally with modules (#4337)

Browse Source 
* fix: potential memory leak

* feat(actions): possibility to parse json
feat(actions): possibility to perform http calls

* add query call

* feat(api): list flow and trigger types
fix(api): switch flow and trigger types to dynamic objects

* fix(translations): add action translations

* use `domain.FlowType`

* localizers

* localization

* trigger types

* options on `query.Action`

* add functions for actions

* feat: management api: add list flow and trigger  (#4352)

* console changes

* cleanup

* fix: wrong localization

Co-authored-by: Max Peintner <max@caos.ch>

* id token works

* check if claims not nil

* feat(actions): metadata api

* refactor(actions): modules

* fix: allow prerelease

* fix: test

* feat(actions): deny list for http hosts

* feat(actions): deny list for http hosts

* refactor: actions

* fix: different error ids

* fix: rename statusCode to status

* Actions objects as options (#4418)

* fix: rename statusCode to status

* fix(actions): objects as options

* fix(actions): objects as options

* fix(actions): set fields

* add http client to old actions

* fix(actions): add log module

* fix(actions): add user to context where possible

* fix(actions): add user to ctx in external authorization/pre creation

* fix(actions): query correct flow in claims

* test: actions

* fix(id-generator): panic if no machine id

* tests

* maybe this?

* fix linting

* refactor: improve code

* fix: metadata and usergrant usage in actions

* fix: appendUserGrant

* fix: allowedToFail and timeout in action execution

* fix: allowed to fail in token complement flow

* docs: add action log claim

* Update defaults.yaml

* fix log claim

* remove prerelease build

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Silvan
2022-10-06 14:23:59 +02:00
committed by GitHub
parent bffb10a4b4
commit 43fb3fd1a6
62 changed files with 2806 additions and 636 deletions
Download Patch File Download Diff File Expand all files Collapse all files

153
internal/actions/actions.go
View File

@@ -1,112 +1,113 @@
package actions
import (
"context"
"errors"
"time"
"fmt"
"github.com/dop251/goja"
"github.com/dop251/goja_nodejs/console"
"github.com/dop251/goja_nodejs/require"
"github.com/zitadel/logging"
z_errs "github.com/zitadel/zitadel/internal/errors"
"github.com/zitadel/zitadel/internal/query"
)
var ErrHalt = errors.New("interrupt")
type Config struct {
HTTP HTTPConfig
}
type jsAction func(*Context, *API) error
var (
ErrHalt = errors.New("interrupt")
)
func Run(ctx *Context, api *API, script, name string, timeout time.Duration, allowedToFail bool) error {
if timeout <= 0 || timeout > 20 {
timeout = 20 * time.Second
}
prepareTimeout := timeout
if prepareTimeout > 5 {
prepareTimeout = 5 * time.Second
}
vm, err := prepareRun(script, prepareTimeout)
type jsAction func(fields, fields) error
func Run(ctx context.Context, ctxParam contextFields, apiParam apiFields, script, name string, opts ...Option) error {
config, err := prepareRun(ctx, ctxParam, apiParam, script, opts)
if err != nil {
return err
}
var fn jsAction
jsFn := vm.Get(name)
jsFn := config.vm.Get(name)
if jsFn == nil {
return errors.New("function not found")
}
err = vm.ExportTo(jsFn, &fn)
err = config.vm.ExportTo(jsFn, &fn)
if err != nil {
return err
}
t := setInterrupt(vm, timeout)
t := config.Start()
defer func() {
t.Stop()
}()
errCh := make(chan error)
go func() {
defer func() {
r := recover()
if r != nil && !allowedToFail {
err, ok := r.(error)
if !ok {
e, ok := r.(string)
if ok {
err = errors.New(e)
}
}
errCh <- err
return
}
}()
err = fn(ctx, api)
if err != nil && !allowedToFail {
errCh <- err
return
}
errCh <- nil
}()
return <-errCh
return executeFn(config, fn)
}
func newRuntime() *goja.Runtime {
vm := goja.New()
func prepareRun(ctx context.Context, ctxParam contextFields, apiParam apiFields, script string, opts []Option) (config *runConfig, err error) {
config = newRunConfig(ctx, opts...)
if config.timeout == 0 {
return nil, z_errs.ThrowInternal(nil, "ACTIO-uCpCx", "Errrors.Internal")
}
t := config.Prepare()
defer func() {
t.Stop()
}()
if ctxParam != nil {
ctxParam(config.ctxParam)
}
if apiParam != nil {
apiParam(config.apiParam)
}
printer := console.PrinterFunc(func(s string) {
logging.Log("ACTIONS-dfgg2").Debug(s)
})
registry := new(require.Registry)
registry.Enable(vm)
registry.RegisterNativeModule("console", console.RequireWithPrinter(printer))
console.Enable(vm)
registry.Enable(config.vm)
return vm
}
for name, loader := range config.modules {
registry.RegisterNativeModule(name, loader)
}
func prepareRun(script string, timeout time.Duration) (*goja.Runtime, error) {
vm := newRuntime()
t := setInterrupt(vm, timeout)
// overload error if function panics
defer func() {
t.Stop()
}()
errCh := make(chan error)
go func() {
defer func() {
r := recover()
if r != nil {
errCh <- r.(error)
return
}
}()
_, err := vm.RunString(script)
if err != nil {
errCh <- err
r := recover()
if r != nil {
err = r.(error)
return
}
errCh <- nil
}()
return vm, <-errCh
_, err = config.vm.RunString(script)
return config, err
}
func setInterrupt(vm *goja.Runtime, timeout time.Duration) *time.Timer {
vm.ClearInterrupt()
return time.AfterFunc(timeout, func() {
vm.Interrupt(ErrHalt)
})
func executeFn(config *runConfig, fn jsAction) (err error) {
defer func() {
r := recover()
if r != nil && !config.allowedToFail {
var ok bool
if err, ok = r.(error); ok {
return
}
e, ok := r.(string)
if ok {
err = errors.New(e)
return
}
err = fmt.Errorf("unknown error occured: %v", r)
}
}()
err = fn(config.ctxParam.fields, config.apiParam.fields)
if err != nil && !config.allowedToFail {
return err
}
return nil
}
func ActionToOptions(a *query.Action) []Option {
opts := make([]Option, 0, 1)
if a.AllowedToFail {
opts = append(opts, WithAllowedToFail())
}
return opts
}

69
internal/actions/actions_test.go Normal file
View File

@@ -0,0 +1,69 @@
package actions
import (
"context"
"errors"
"testing"
"time"
"github.com/dop251/goja"
)
func TestRun(t *testing.T) {
type args struct {
timeout time.Duration
api apiFields
ctx contextFields
script string
name string
opts []Option
}
tests := []struct {
name string
args args
wantErr func(error) bool
}{
{
name: "simple script",
args: args{
api: nil,
script: `
function testFunc() {
for (i = 0; i < 10; i++) {}
}`,
name: "testFunc",
opts: []Option{},
},
wantErr: func(err error) bool { return err == nil },
},
{
name: "throw error",
args: args{
api: nil,
script: "function testFunc() {throw 'some error'}",
name: "testFunc",
opts: []Option{},
},
wantErr: func(err error) bool {
gojaErr := new(goja.Exception)
if errors.As(err, &gojaErr) {
return gojaErr.Value().String() == "some error"
}
return false
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if tt.args.timeout == 0 {
tt.args.timeout = 10 * time.Second
}
ctx, cancel := context.WithTimeout(context.Background(), tt.args.timeout)
if err := Run(ctx, tt.args.ctx, tt.args.api, tt.args.script, tt.args.name, tt.args.opts...); !tt.wantErr(err) {
t.Errorf("Run() unexpected error = (%[1]T) %[1]v", err)
}
cancel()
})
}
}

110
internal/actions/api.go
View File

@@ -1,105 +1,19 @@
package actions
import (
"github.com/zitadel/zitadel/internal/domain"
"golang.org/x/text/language"
)
type API map[string]interface{}
func (a API) set(name string, value interface{}) {
map[string]interface{}(a)[name] = value
type apiConfig struct {
FieldConfig
}
func (a *API) SetHuman(human *domain.Human) *API {
a.set("setFirstName", func(firstName string) {
human.FirstName = firstName
})
a.set("setLastName", func(lastName string) {
human.LastName = lastName
})
a.set("setNickName", func(nickName string) {
human.NickName = nickName
})
a.set("setDisplayName", func(displayName string) {
human.DisplayName = displayName
})
a.set("setPreferredLanguage", func(preferredLanguage string) {
human.PreferredLanguage = language.Make(preferredLanguage)
})
a.set("setGender", func(gender domain.Gender) {
human.Gender = gender
})
a.set("setUsername", func(username string) {
human.Username = username
})
a.set("setEmail", func(email string) {
if human.Email == nil {
human.Email = &domain.Email{}
type apiFields func(*apiConfig)
func WithAPIFields(opts ...FieldOption) apiFields {
return func(p *apiConfig) {
if p.fields == nil {
p.fields = fields{}
}
human.Email.EmailAddress = email
})
a.set("setEmailVerified", func(verified bool) {
if human.Email == nil {
return
}
human.Email.IsEmailVerified = verified
})
a.set("setPhone", func(email string) {
if human.Phone == nil {
human.Phone = &domain.Phone{}
}
human.Phone.PhoneNumber = email
})
a.set("setPhoneVerified", func(verified bool) {
if human.Phone == nil {
return
}
human.Phone.IsPhoneVerified = verified
})
return a
}
func (a *API) SetExternalUser(user *domain.ExternalUser) *API {
a.set("setFirstName", func(firstName string) {
user.FirstName = firstName
})
a.set("setLastName", func(lastName string) {
user.LastName = lastName
})
a.set("setNickName", func(nickName string) {
user.NickName = nickName
})
a.set("setDisplayName", func(displayName string) {
user.DisplayName = displayName
})
a.set("setPreferredLanguage", func(preferredLanguage string) {
user.PreferredLanguage = language.Make(preferredLanguage)
})
a.set("setPreferredUsername", func(username string) {
user.PreferredUsername = username
})
a.set("setEmail", func(email string) {
user.Email = email
})
a.set("setEmailVerified", func(verified bool) {
user.IsEmailVerified = verified
})
a.set("setPhone", func(phone string) {
user.Phone = phone
})
a.set("setPhoneVerified", func(verified bool) {
user.IsPhoneVerified = verified
})
return a
}
func (a *API) SetMetadata(metadata *[]*domain.Metadata) *API {
a.set("metadata", metadata)
return a
}
func (a *API) SetUserGrants(usergrants *[]UserGrant) *API {
a.set("userGrants", usergrants)
return a
for _, opt := range opts {
opt(&p.FieldConfig)
}
}
}

86
internal/actions/config.go Normal file
View File

@@ -0,0 +1,86 @@
package actions
import (
"context"
"time"
"github.com/dop251/goja"
"github.com/dop251/goja_nodejs/require"
"github.com/zitadel/logging"
)
const (
maxPrepareTimeout = 5 * time.Second
)
type Option func(*runConfig)
func WithAllowedToFail() Option {
return func(c *runConfig) {
c.allowedToFail = true
}
}
type runConfig struct {
allowedToFail bool
timeout,
prepareTimeout time.Duration
modules map[string]require.ModuleLoader
vm *goja.Runtime
ctxParam *ctxConfig
apiParam *apiConfig
}
func newRunConfig(ctx context.Context, opts ...Option) *runConfig {
deadline, ok := ctx.Deadline()
if !ok {
logging.Warn("no timeout set on action run")
}
vm := goja.New()
vm.SetFieldNameMapper(goja.UncapFieldNameMapper())
config := &runConfig{
timeout: time.Until(deadline),
prepareTimeout: maxPrepareTimeout,
modules: map[string]require.ModuleLoader{},
vm: vm,
ctxParam: &ctxConfig{
FieldConfig: FieldConfig{
Runtime: vm,
fields: fields{},
},
},
apiParam: &apiConfig{
FieldConfig: FieldConfig{
Runtime: vm,
fields: fields{},
},
},
}
for _, opt := range opts {
opt(config)
}
if config.prepareTimeout > config.timeout {
config.prepareTimeout = config.timeout
}
return config
}
func (c *runConfig) Start() *time.Timer {
c.vm.ClearInterrupt()
return time.AfterFunc(c.timeout, func() {
c.vm.Interrupt(ErrHalt)
})
}
func (c *runConfig) Prepare() *time.Timer {
c.vm.ClearInterrupt()
return time.AfterFunc(c.prepareTimeout, func() {
c.vm.Interrupt(ErrHalt)
})
}

43
internal/actions/context.go
View File

@@ -1,36 +1,19 @@
package actions
import (
"encoding/json"
"github.com/zitadel/oidc/v2/pkg/oidc"
)
type Context map[string]interface{}
func (c Context) set(name string, value interface{}) {
map[string]interface{}(c)[name] = value
type ctxConfig struct {
FieldConfig
}
func (c *Context) SetToken(t *oidc.Tokens) *Context {
if t == nil {
return c
type contextFields func(*ctxConfig)
func SetContextFields(opts ...FieldOption) contextFields {
return func(p *ctxConfig) {
if p.fields == nil {
p.fields = fields{}
}
for _, opt := range opts {
opt(&p.FieldConfig)
}
}
if t.Token != nil && t.Token.AccessToken != "" {
c.set("accessToken", t.AccessToken)
}
if t.IDToken != "" {
c.set("idToken", t.IDToken)
}
if t.IDTokenClaims != nil {
c.set("getClaim", func(claim string) interface{} { return t.IDTokenClaims.GetClaim(claim) })
c.set("claimsJSON", func() (string, error) {
c, err := json.Marshal(t.IDTokenClaims)
if err != nil {
return "", err
}
return string(c), nil
})
}
return c
}

71
internal/actions/fields.go Normal file
View File

@@ -0,0 +1,71 @@
package actions
import (
"github.com/dop251/goja"
"github.com/zitadel/logging"
)
type fields map[string]interface{}
type FieldOption func(*FieldConfig)
type FieldConfig struct {
fields
Runtime *goja.Runtime
}
func SetFields(name string, values ...interface{}) FieldOption {
return func(p *FieldConfig) {
if len(values) == 0 {
return
}
for _, value := range values {
val, ok := value.(FieldOption)
// is the lowest field and can be set without further checks
if !ok {
// {
// "value": "some value"
// }
p.set(name, value)
continue
}
var field fields
if f, ok := p.fields[name]; ok {
// check if the found field is an object
if field, ok = f.(fields); !ok {
// panic because overwriting fields is not allowed
logging.WithFields("sub", name).Warn("sub is not an object")
panic("unable to prepare parameter")
}
} else {
// field does not exist so far.
// sub object for field can be created
field = fields{}
p.fields[name] = field
}
fieldParam := FieldConfig{
Runtime: p.Runtime,
fields: field,
}
val(&fieldParam)
}
}
}
func (f *FieldConfig) set(name string, value interface{}) {
if _, ok := f.fields[name]; ok {
logging.WithFields("name", name).Error("tried to overwrite field")
panic("tried to overwrite field")
}
v, ok := value.(func(*FieldConfig) interface{})
if ok {
f.fields[name] = v(f)
return
}
f.fields[name] = value
}

186
internal/actions/fields_test.go Normal file
View File

@@ -0,0 +1,186 @@
package actions
import (
"fmt"
"testing"
"github.com/dop251/goja"
)
func TestSetFields(t *testing.T) {
primitveFn := func(a string) { fmt.Println(a) }
complexFn := func(*FieldConfig) interface{} {
return primitveFn
}
tests := []struct {
name string
setFields FieldOption
want fields
shouldPanic bool
}{
{
name: "field is simple value",
setFields: SetFields("value", 5),
want: fields{
"value": 5,
},
},
{
name: "field is method",
setFields: SetFields("value", primitveFn),
want: fields{
"value": primitveFn,
},
},
{
name: "field is complex method",
setFields: SetFields("value", complexFn),
want: fields{
"value": primitveFn,
},
},
{
name: "field without value",
setFields: SetFields("value"),
want: fields{},
},
{
name: "field with empty value",
setFields: SetFields("value", ""),
want: fields{
"value": "",
},
},
{
name: "nested simple value",
setFields: SetFields(
"field",
SetFields("sub", 5),
),
want: fields{
"field": fields{
"sub": 5,
},
},
},
{
name: "nested multiple fields",
setFields: SetFields(
"field",
SetFields("sub1", 5),
SetFields("sub2", "asdf"),
SetFields("sub3", primitveFn),
),
want: fields{
"field": fields{
"sub1": 5,
"sub2": "asdf",
"sub3": primitveFn,
},
},
},
{
name: "try to overwrite field primitives",
setFields: SetFields(
"field",
SetFields("sub", 5),
SetFields("sub", primitveFn),
),
shouldPanic: true,
},
{
name: "try to overwrite primitives with fields",
setFields: SetFields(
"field",
SetFields("sub", 5),
SetFields("sub", SetFields("please", "panic")),
),
shouldPanic: true,
},
{
name: "try to overwrite fields with primitive",
setFields: SetFields(
"field",
SetFields("sub", SetFields("please", "panic")),
SetFields("sub", 5),
),
shouldPanic: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
panicked := false
if tt.shouldPanic {
defer func() {
if panicked != tt.shouldPanic {
t.Errorf("wanted panic: %v got %v", tt.shouldPanic, panicked)
}
}()
defer func() {
recover()
panicked = true
}()
}
config := &FieldConfig{
Runtime: goja.New(),
fields: fields{},
}
tt.setFields(config)
if !tt.shouldPanic && fmt.Sprint(config.fields) != fmt.Sprint(tt.want) {
t.Errorf("SetFields() = %v, want %v", fmt.Sprint(config.fields), fmt.Sprint(tt.want))
}
})
}
}
func TestSetFieldsExecuteMethods(t *testing.T) {
primitveFn := func(a string) { fmt.Println(a) }
complexFn := func(*FieldConfig) interface{} {
return primitveFn
}
tests := []struct {
name string
setFields FieldOption
want fields
shouldPanic bool
}{
{
name: "field is method",
setFields: SetFields("value", primitveFn),
want: fields{
"value": primitveFn,
},
},
{
name: "field is complex method",
setFields: SetFields("value", complexFn),
want: fields{
"value": primitveFn,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
panicked := false
if tt.shouldPanic {
defer func() {
if panicked != tt.shouldPanic {
t.Errorf("wanted panic: %v got %v", tt.shouldPanic, panicked)
}
}()
defer func() {
recover()
panicked = true
}()
}
config := &FieldConfig{
Runtime: goja.New(),
fields: fields{},
}
tt.setFields(config)
if !tt.shouldPanic && fmt.Sprint(config.fields) != fmt.Sprint(tt.want) {
t.Errorf("SetFields() = %v, want %v", fmt.Sprint(config.fields), fmt.Sprint(tt.want))
}
})
}
}

196
internal/actions/http_module.go Normal file
View File

@@ -0,0 +1,196 @@
package actions
import (
"bytes"
"context"
"encoding/json"
"io"
"net/http"
"net/url"
"strings"
"time"
"github.com/dop251/goja"
"github.com/zitadel/logging"
z_errs "github.com/zitadel/zitadel/internal/errors"
)
func WithHTTP(ctx context.Context) Option {
return func(c *runConfig) {
c.modules["zitadel/http"] = func(runtime *goja.Runtime, module *goja.Object) {
requireHTTP(ctx, &http.Client{Transport: new(transport)}, runtime, module)
}
}
}
type HTTP struct {
runtime *goja.Runtime
client *http.Client
}
func requireHTTP(ctx context.Context, client *http.Client, runtime *goja.Runtime, module *goja.Object) {
c := &HTTP{
client: client,
runtime: runtime,
}
o := module.Get("exports").(*goja.Object)
logging.OnError(o.Set("fetch", c.fetch(ctx))).Warn("unable to set module")
}
type fetchConfig struct {
Method string
Headers http.Header
Body io.Reader
}
var defaultFetchConfig = fetchConfig{
Method: http.MethodGet,
Headers: http.Header{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
},
}
func (c *HTTP) fetchConfigFromArg(arg *goja.Object, config *fetchConfig) (err error) {
for _, key := range arg.Keys() {
switch key {
case "headers":
config.Headers = parseHeaders(arg.Get(key).ToObject(c.runtime))
case "method":
config.Method = arg.Get(key).String()
case "body":
body, err := arg.Get(key).ToObject(c.runtime).MarshalJSON()
if err != nil {
return err
}
config.Body = bytes.NewReader(body)
default:
return z_errs.ThrowInvalidArgument(nil, "ACTIO-OfUeA", "key is invalid")
}
}
return nil
}
type response struct {
Body string
Status int
Headers map[string][]string
runtime *goja.Runtime
}
func (r *response) Json() goja.Value {
var val interface{}
if err := json.Unmarshal([]byte(r.Body), &val); err != nil {
panic(err)
}
return r.runtime.ToValue(val)
}
func (r *response) Text() goja.Value {
return r.runtime.ToValue(r.Body)
}
func (c *HTTP) fetch(ctx context.Context) func(call goja.FunctionCall) goja.Value {
return func(call goja.FunctionCall) goja.Value {
req := c.buildHTTPRequest(ctx, call.Arguments)
if deadline, ok := ctx.Deadline(); ok {
c.client.Timeout = time.Until(deadline)
}
res, err := c.client.Do(req)
if err != nil {
logging.WithError(err).Debug("call failed")
panic(err)
}
defer res.Body.Close()
body, err := io.ReadAll(res.Body)
if err != nil {
logging.WithError(err).Warn("unable to parse body")
panic("unable to read response body")
}
return c.runtime.ToValue(&response{Status: res.StatusCode, Body: string(body), runtime: c.runtime})
}
}
// the first argument has to be a string and is required
// the second agrument is optional and an object with the following fields possible:
// - `Headers`: map with string key and value of type string or string array
// - `Body`: json body of the request
// - `Method`: http method type
func (c *HTTP) buildHTTPRequest(ctx context.Context, args []goja.Value) (req *http.Request) {
if len(args) > 2 {
logging.WithFields("count", len(args)).Debug("more than 2 args provided")
panic("too many args")
}
if len(args) == 0 {
panic("no url provided")
}
config := defaultFetchConfig
var err error
if len(args) == 2 {
if err = c.fetchConfigFromArg(args[1].ToObject(c.runtime), &config); err != nil {
panic(err)
}
}
req, err = http.NewRequestWithContext(ctx, config.Method, args[0].Export().(string), config.Body)
if err != nil {
panic(err)
}
req.Header = config.Headers
return req
}
func parseHeaders(headers *goja.Object) http.Header {
h := make(http.Header, len(headers.Keys()))
for _, k := range headers.Keys() {
header := headers.Get(k).Export()
var values []string
switch headerValue := header.(type) {
case string:
values = strings.Split(headerValue, ",")
case []any:
for _, v := range headerValue {
values = append(values, v.(string))
}
}
for _, v := range values {
h.Add(k, strings.TrimSpace(v))
}
}
return h
}
type transport struct{}
func (*transport) RoundTrip(req *http.Request) (*http.Response, error) {
if httpConfig == nil {
return http.DefaultTransport.RoundTrip(req)
}
if isHostBlocked(httpConfig.DenyList, req.URL) {
return nil, z_errs.ThrowInvalidArgument(nil, "ACTIO-N72d0", "host is denied")
}
return http.DefaultTransport.RoundTrip(req)
}
func isHostBlocked(denyList []AddressChecker, address *url.URL) bool {
for _, blocked := range denyList {
if blocked.Matches(address.Hostname()) {
return true
}
}
return false
}
type AddressChecker interface {
Matches(string) bool
}

98
internal/actions/http_module_config.go Normal file
View File

@@ -0,0 +1,98 @@
package actions
import (
"net"
"reflect"
"github.com/mitchellh/mapstructure"
z_errs "github.com/zitadel/zitadel/internal/errors"
)
func SetHTTPConfig(config *HTTPConfig) {
httpConfig = config
}
var httpConfig *HTTPConfig
type HTTPConfig struct {
DenyList []AddressChecker
}
func HTTPConfigDecodeHook(from, to reflect.Value) (interface{}, error) {
if to.Type() != reflect.TypeOf(HTTPConfig{}) {
return from.Interface(), nil
}
config := struct {
DenyList []string
}{}
decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
DecodeHook: mapstructure.StringToTimeDurationHookFunc(),
WeaklyTypedInput: true,
Result: &config,
})
if err != nil {
return nil, err
}
if err = decoder.Decode(from.Interface()); err != nil {
return nil, err
}
c := HTTPConfig{
DenyList: make([]AddressChecker, len(config.DenyList)),
}
for i, entry := range config.DenyList {
if c.DenyList[i], err = parseDenyListEntry(entry); err != nil {
return nil, err
}
}
return c, nil
}
func parseDenyListEntry(entry string) (AddressChecker, error) {
if checker, err := NewIPChecker(entry); err == nil {
return checker, nil
}
return &DomainChecker{Domain: entry}, nil
}
func NewIPChecker(i string) (AddressChecker, error) {
_, network, err := net.ParseCIDR(i)
if err == nil {
return &IPChecker{Net: network}, nil
}
if ip := net.ParseIP(i); ip != nil {
return &IPChecker{IP: ip}, nil
}
return nil, z_errs.ThrowInvalidArgument(nil, "ACTIO-ddJ7h", "invalid ip")
}
type IPChecker struct {
Net *net.IPNet
IP net.IP
}
func (c *IPChecker) Matches(address string) bool {
ip := net.ParseIP(address)
if ip == nil {
return false
}
if c.IP != nil {
return c.IP.Equal(ip)
}
return c.Net.Contains(ip)
}
type DomainChecker struct {
Domain string
}
func (c *DomainChecker) Matches(domain string) bool {
//TODO: allow wild cards
return c.Domain == domain
}

433
internal/actions/http_module_test.go Normal file
View File

@@ -0,0 +1,433 @@
package actions
import (
"bytes"
"context"
"io"
"net/http"
"net/url"
"reflect"
"testing"
"github.com/dop251/goja"
"github.com/zitadel/zitadel/internal/errors"
)
func Test_isHostBlocked(t *testing.T) {
var denyList = []AddressChecker{
mustNewIPChecker(t, "192.168.5.0/24"),
mustNewIPChecker(t, "127.0.0.1"),
&DomainChecker{Domain: "test.com"},
}
type args struct {
address *url.URL
}
tests := []struct {
name string
args args
want bool
}{
{
name: "in range",
args: args{
address: mustNewURL(t, "https://192.168.5.4/hodor"),
},
want: true,
},
{
name: "exact ip",
args: args{
address: mustNewURL(t, "http://127.0.0.1:8080/hodor"),
},
want: true,
},
{
name: "address match",
args: args{
address: mustNewURL(t, "https://test.com:42/hodor"),
},
want: true,
},
{
name: "address not match",
args: args{
address: mustNewURL(t, "https://test2.com/hodor"),
},
want: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := isHostBlocked(denyList, tt.args.address); got != tt.want {
t.Errorf("isHostBlocked() = %v, want %v", got, tt.want)
}
})
}
}
func mustNewIPChecker(t *testing.T, ip string) AddressChecker {
t.Helper()
checker, err := NewIPChecker(ip)
if err != nil {
t.Errorf("unable to parse cidr of %q because: %v", ip, err)
t.FailNow()
}
return checker
}
func mustNewURL(t *testing.T, raw string) *url.URL {
u, err := url.Parse(raw)
if err != nil {
t.Errorf("unable to parse address of %q because: %v", raw, err)
t.FailNow()
}
return u
}
func TestHTTP_fetchConfigFromArg(t *testing.T) {
runtime := goja.New()
runtime.SetFieldNameMapper(goja.UncapFieldNameMapper())
type args struct {
arg *goja.Object
}
tests := []struct {
name string
args args
wantConfig fetchConfig
wantErr func(error) bool
}{
{
name: "no fetch option provided",
args: args{
arg: runtime.ToValue(
struct{}{},
).ToObject(runtime),
},
wantConfig: fetchConfig{},
wantErr: func(err error) bool {
return err == nil
},
},
{
name: "header set as string",
args: args{
arg: runtime.ToValue(
&struct {
Headers map[string]string
}{
Headers: map[string]string{
"Authorization": "Bearer token",
},
},
).ToObject(runtime),
},
wantConfig: fetchConfig{
Headers: http.Header{
"Authorization": {"Bearer token"},
},
},
wantErr: func(err error) bool {
return err == nil
},
},
{
name: "header set as list",
args: args{
arg: runtime.ToValue(
&struct {
Headers map[string][]any
}{
Headers: map[string][]any{
"Authorization": {"Bearer token"},
},
},
).ToObject(runtime),
},
wantConfig: fetchConfig{
Headers: http.Header{
"Authorization": {"Bearer token"},
},
},
wantErr: func(err error) bool {
return err == nil
},
},
{
name: "method set",
args: args{
arg: runtime.ToValue(
&struct {
Method string
}{
Method: http.MethodPost,
},
).ToObject(runtime),
},
wantConfig: fetchConfig{
Method: http.MethodPost,
},
wantErr: func(err error) bool {
return err == nil
},
},
{
name: "body set",
args: args{
arg: runtime.ToValue(
&struct {
Body struct{ Id string }
}{
Body: struct{ Id string }{
Id: "asdf123",
},
},
).ToObject(runtime),
},
wantConfig: fetchConfig{
Body: bytes.NewReader([]byte(`{"id":"asdf123"}`)),
},
wantErr: func(err error) bool {
return err == nil
},
},
{
name: "invalid header",
args: args{
arg: runtime.ToValue(
&struct {
NotExists struct{}
}{
NotExists: struct{}{},
},
).ToObject(runtime),
},
wantConfig: fetchConfig{},
wantErr: func(err error) bool {
return errors.IsErrorInvalidArgument(err)
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &HTTP{
runtime: runtime,
client: http.DefaultClient,
}
gotConfig := new(fetchConfig)
err := c.fetchConfigFromArg(tt.args.arg, gotConfig)
if !tt.wantErr(err) {
t.Errorf("HTTP.fetchConfigFromArg() error = %v", err)
return
}
if !reflect.DeepEqual(gotConfig.Headers, tt.wantConfig.Headers) {
t.Errorf("config.Headers got = %#v, want %#v", gotConfig.Headers, tt.wantConfig.Headers)
}
if gotConfig.Method != tt.wantConfig.Method {
t.Errorf("config.Method got = %#v, want %#v", gotConfig.Method, tt.wantConfig.Method)
}
if tt.wantConfig.Body == nil {
if gotConfig.Body != nil {
t.Errorf("didn't expect a body")
}
return
}
gotBody, _ := io.ReadAll(gotConfig.Body)
wantBody, _ := io.ReadAll(tt.wantConfig.Body)
if !reflect.DeepEqual(gotBody, wantBody) {
t.Errorf("config.Body got = %s, want %s", gotBody, wantBody)
}
})
}
}
func TestHTTP_buildHTTPRequest(t *testing.T) {
runtime := goja.New()
runtime.SetFieldNameMapper(goja.UncapFieldNameMapper())
type args struct {
args []goja.Value
}
tests := []struct {
name string
args args
wantReq *http.Request
shouldPanic bool
}{
{
name: "only url",
args: args{
args: []goja.Value{
runtime.ToValue("http://my-url.ch"),
},
},
wantReq: &http.Request{
Method: http.MethodGet,
URL: mustNewURL(t, "http://my-url.ch"),
Header: defaultFetchConfig.Headers,
Body: nil,
},
},
{
name: "no params",
args: args{
args: []goja.Value{
runtime.ToValue("http://my-url.ch"),
runtime.ToValue(&struct{}{}),
},
},
wantReq: &http.Request{
Method: http.MethodGet,
URL: mustNewURL(t, "http://my-url.ch"),
Header: defaultFetchConfig.Headers,
Body: nil,
},
},
{
name: "overwrite headers",
args: args{
args: []goja.Value{
runtime.ToValue("http://my-url.ch"),
runtime.ToValue(struct {
Headers map[string][]interface{}
}{
Headers: map[string][]interface{}{"Authorization": {"some token"}},
}),
},
},
wantReq: &http.Request{
Method: http.MethodGet,
URL: mustNewURL(t, "http://my-url.ch"),
Header: http.Header{
"Authorization": []string{"some token"},
},
Body: nil,
},
},
{
name: "post with body",
args: args{
args: []goja.Value{
runtime.ToValue("http://my-url.ch"),
runtime.ToValue(struct {
Body struct{ MyData string }
}{
Body: struct{ MyData string }{MyData: "hello world"},
}),
},
},
wantReq: &http.Request{
Method: http.MethodGet,
URL: mustNewURL(t, "http://my-url.ch"),
Header: defaultFetchConfig.Headers,
Body: io.NopCloser(bytes.NewReader([]byte(`{"myData":"hello world"}`))),
},
},
{
name: "too many args",
args: args{
args: []goja.Value{
runtime.ToValue("http://my-url.ch"),
runtime.ToValue("http://my-url.ch"),
runtime.ToValue("http://my-url.ch"),
},
},
wantReq: nil,
shouldPanic: true,
},
{
name: "no args",
args: args{
args: []goja.Value{},
},
wantReq: nil,
shouldPanic: true,
},
{
name: "invalid config",
args: args{
args: []goja.Value{
runtime.ToValue("http://my-url.ch"),
runtime.ToValue(struct {
Invalid bool
}{
Invalid: true,
}),
},
},
wantReq: nil,
shouldPanic: true,
},
{
name: "invalid method",
args: args{
args: []goja.Value{
runtime.ToValue("http://my-url.ch"),
runtime.ToValue(struct {
Method string
}{
Method: " asdf asdf",
}),
},
},
wantReq: nil,
shouldPanic: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
panicked := false
if tt.shouldPanic {
defer func() {
if panicked != tt.shouldPanic {
t.Errorf("wanted panic: %v got %v", tt.shouldPanic, panicked)
}
}()
defer func() {
recover()
panicked = true
}()
}
c := &HTTP{
runtime: runtime,
}
gotReq := c.buildHTTPRequest(context.Background(), tt.args.args)
if tt.shouldPanic {
return
}
if gotReq.URL.String() != tt.wantReq.URL.String() {
t.Errorf("url = %s, want %s", gotReq.URL, tt.wantReq.URL)
}
if !reflect.DeepEqual(gotReq.Header, tt.wantReq.Header) {
t.Errorf("headers = %v, want %v", gotReq.Header, tt.wantReq.Header)
}
if gotReq.Method != tt.wantReq.Method {
t.Errorf("method = %s, want %s", gotReq.Method, tt.wantReq.Method)
}
if tt.wantReq.Body == nil {
if gotReq.Body != nil {
t.Errorf("didn't expect a body")
}
return
}
gotBody, _ := io.ReadAll(gotReq.Body)
wantBody, _ := io.ReadAll(tt.wantReq.Body)
if !reflect.DeepEqual(gotBody, wantBody) {
t.Errorf("config.Body got = %s, want %s", gotBody, wantBody)
}
})
}
}

30
internal/actions/log_module.go Normal file
View File

@@ -0,0 +1,30 @@
package actions
import (
"github.com/zitadel/logging"
"github.com/dop251/goja"
"github.com/dop251/goja_nodejs/console"
)
var ServerLog *logrus
type logrus struct{}
func (*logrus) Log(s string) {
logging.WithFields("message", s).Info("log from action")
}
func (*logrus) Warn(s string) {
logging.WithFields("message", s).Info("warn from action")
}
func (*logrus) Error(s string) {
logging.WithFields("message", s).Info("error from action")
}
func WithLogger(logger console.Printer) Option {
return func(c *runConfig) {
c.modules["zitadel/log"] = func(runtime *goja.Runtime, module *goja.Object) {
console.RequireWithPrinter(logger)(runtime, module)
}
}
}

56
internal/actions/object/metadata.go Normal file
View File

@@ -0,0 +1,56 @@
package object
import (
"encoding/json"
"time"
"github.com/dop251/goja"
"github.com/zitadel/logging"
"github.com/zitadel/zitadel/internal/actions"
"github.com/zitadel/zitadel/internal/query"
)
func UserMetadataListFromQuery(c *actions.FieldConfig, metadata *query.UserMetadataList) goja.Value {
result := &userMetadataList{
Count: metadata.Count,
Sequence: metadata.Sequence,
Timestamp: metadata.Timestamp,
Metadata: make([]*userMetadata, len(metadata.Metadata)),
}
for i, md := range metadata.Metadata {
var value interface{}
err := json.Unmarshal(md.Value, &value)
if err != nil {
logging.WithError(err).Debug("unable to unmarshal into map")
panic(err)
}
result.Metadata[i] = &userMetadata{
CreationDate: md.CreationDate,
ChangeDate: md.ChangeDate,
ResourceOwner: md.ResourceOwner,
Sequence: md.Sequence,
Key: md.Key,
Value: c.Runtime.ToValue(value),
}
}
return c.Runtime.ToValue(result)
}
type userMetadataList struct {
Count uint64
Sequence uint64
Timestamp time.Time
Metadata []*userMetadata
}
type userMetadata struct {
CreationDate time.Time
ChangeDate time.Time
ResourceOwner string
Sequence uint64
Key string
Value goja.Value
}

165
internal/actions/object/user.go Normal file
View File

@@ -0,0 +1,165 @@
package object
import (
"time"
"github.com/dop251/goja"
"github.com/zitadel/zitadel/internal/actions"
"github.com/zitadel/zitadel/internal/database"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
)
func UserFromExternalUser(c *actions.FieldConfig, user *domain.ExternalUser) goja.Value {
return c.Runtime.ToValue(&externalUser{
ExternalId: user.ExternalUserID,
ExternalIdpId: user.ExternalUserID,
Human: human{
FirstName: user.FirstName,
LastName: user.LastName,
NickName: user.NickName,
DisplayName: user.DisplayName,
PreferredLanguage: user.PreferredLanguage.String(),
Email: user.Email,
IsEmailVerified: user.IsEmailVerified,
Phone: user.Phone,
IsPhoneVerified: user.IsPhoneVerified,
},
})
}
func UserFromHuman(c *actions.FieldConfig, user *domain.Human) goja.Value {
u := &humanUser{
Id: user.AggregateID,
CreationDate: user.CreationDate,
ChangeDate: user.ChangeDate,
ResourceOwner: user.ResourceOwner,
Sequence: user.Sequence,
State: user.State,
Username: user.Username,
LoginNames: user.LoginNames,
PreferredLoginName: user.PreferredLoginName,
}
if user.Profile != nil {
u.Human.FirstName = user.Profile.FirstName
u.Human.LastName = user.Profile.LastName
u.Human.NickName = user.Profile.NickName
u.Human.DisplayName = user.Profile.DisplayName
u.Human.PreferredLanguage = user.Profile.PreferredLanguage.String()
}
if user.Email != nil {
u.Human.Email = user.Email.EmailAddress
u.Human.IsEmailVerified = user.Email.IsEmailVerified
}
if user.Phone != nil {
u.Human.Phone = user.Phone.PhoneNumber
u.Human.IsPhoneVerified = user.Phone.IsPhoneVerified
}
return c.Runtime.ToValue(u)
}
func UserFromQuery(c *actions.FieldConfig, user *query.User) goja.Value {
if user.Human != nil {
return humanFromQuery(c, user)
}
return machineFromQuery(c, user)
}
func humanFromQuery(c *actions.FieldConfig, user *query.User) goja.Value {
return c.Runtime.ToValue(&humanUser{
Id: user.ID,
CreationDate: user.CreationDate,
ChangeDate: user.ChangeDate,
ResourceOwner: user.ResourceOwner,
Sequence: user.Sequence,
State: user.State,
Username: user.Username,
LoginNames: user.LoginNames,
PreferredLoginName: user.PreferredLoginName,
Human: human{
FirstName: user.Human.FirstName,
LastName: user.Human.LastName,
NickName: user.Human.NickName,
DisplayName: user.Human.DisplayName,
AvatarKey: user.Human.AvatarKey,
PreferredLanguage: user.Human.PreferredLanguage.String(),
Gender: user.Human.Gender,
Email: user.Human.Email,
IsEmailVerified: user.Human.IsEmailVerified,
Phone: user.Human.Phone,
IsPhoneVerified: user.Human.IsPhoneVerified,
},
})
}
func machineFromQuery(c *actions.FieldConfig, user *query.User) goja.Value {
return c.Runtime.ToValue(&machineUser{
Id: user.ID,
CreationDate: user.CreationDate,
ChangeDate: user.ChangeDate,
ResourceOwner: user.ResourceOwner,
Sequence: user.Sequence,
State: user.State,
Username: user.Username,
LoginNames: user.LoginNames,
PreferredLoginName: user.PreferredLoginName,
Machine: machine{
Name: user.Machine.Name,
Description: user.Machine.Description,
},
})
}
type externalUser struct {
ExternalId string
ExternalIdpId string
Human human
}
type humanUser struct {
Id string
CreationDate time.Time
ChangeDate time.Time
ResourceOwner string
Sequence uint64
State domain.UserState
Username string
LoginNames database.StringArray
PreferredLoginName string
Human human
}
type human struct {
FirstName string
LastName string
NickName string
DisplayName string
AvatarKey string
PreferredLanguage string
Gender domain.Gender
Email string
IsEmailVerified bool
Phone string
IsPhoneVerified bool
}
type machineUser struct {
Id string
CreationDate time.Time
ChangeDate time.Time
ResourceOwner string
Sequence uint64
State domain.UserState
Username string
LoginNames database.StringArray
PreferredLoginName string
Machine machine
}
type machine struct {
Name string
Description string
}

48
internal/actions/provided.go
View File

@@ -1,55 +1,7 @@
package actions
import (
"errors"
"github.com/dop251/goja"
)
type UserGrant struct {
ProjectID string
ProjectGrantID string
Roles []string
}
func appendUserGrant(list *[]UserGrant) func(goja.FunctionCall) goja.Value {
return func(call goja.FunctionCall) goja.Value {
userGrantMap := call.Argument(0).Export()
userGrant, _ := userGrantFromMap(userGrantMap)
*list = append(*list, userGrant)
return nil
}
}
func userGrantFromMap(grantMap interface{}) (UserGrant, error) {
m, ok := grantMap.(map[string]interface{})
if !ok {
return UserGrant{}, errors.New("invalid")
}
projectID, ok := m["projectID"].(string)
if !ok {
return UserGrant{}, errors.New("invalid")
}
var projectGrantID string
if id, ok := m["projectGrantID"]; ok {
projectGrantID, ok = id.(string)
if !ok {
return UserGrant{}, errors.New("invalid")
}
}
var roles []string
if r := m["roles"]; r != nil {
rs, ok := r.([]interface{})
if !ok {
return UserGrant{}, errors.New("invalid")
}
for _, role := range rs {
roles = append(roles, role.(string))
}
}
return UserGrant{
ProjectID: projectID,
ProjectGrantID: projectGrantID,
Roles: roles,
}, nil
}