feat(actions): add token customization flow and extend functionally with modules (#4337)

* fix: potential memory leak

* feat(actions): possibility to parse json
feat(actions): possibility to perform http calls

* add query call

* feat(api): list flow and trigger types
fix(api): switch flow and trigger types to dynamic objects

* fix(translations): add action translations

* use `domain.FlowType`

* localizers

* localization

* trigger types

* options on `query.Action`

* add functions for actions

* feat: management api: add list flow and trigger  (#4352)

* console changes

* cleanup

* fix: wrong localization

Co-authored-by: Max Peintner <max@caos.ch>

* id token works

* check if claims not nil

* feat(actions): metadata api

* refactor(actions): modules

* fix: allow prerelease

* fix: test

* feat(actions): deny list for http hosts

* feat(actions): deny list for http hosts

* refactor: actions

* fix: different error ids

* fix: rename statusCode to status

* Actions objects as options (#4418)

* fix: rename statusCode to status

* fix(actions): objects as options

* fix(actions): objects as options

* fix(actions): set fields

* add http client to old actions

* fix(actions): add log module

* fix(actions): add user to context where possible

* fix(actions): add user to ctx in external authorization/pre creation

* fix(actions): query correct flow in claims

* test: actions

* fix(id-generator): panic if no machine id

* tests

* maybe this?

* fix linting

* refactor: improve code

* fix: metadata and usergrant usage in actions

* fix: appendUserGrant

* fix: allowedToFail and timeout in action execution

* fix: allowed to fail in token complement flow

* docs: add action log claim

* Update defaults.yaml

* fix log claim

* remove prerelease build

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/api/grpc/action/action.go

@@ -7,30 +7,66 @@ import (
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
 	action_pb "github.com/zitadel/zitadel/pkg/grpc/action"
+	message_pb "github.com/zitadel/zitadel/pkg/grpc/message"
 )
 
-func FlowTypeToDomain(flowType action_pb.FlowType) domain.FlowType {
+// for backward compatability: old enum identifiers are mapped as well
+func FlowTypeToDomain(flowType string) domain.FlowType {
 	switch flowType {
-	case action_pb.FlowType_FLOW_TYPE_EXTERNAL_AUTHENTICATION:
+	case "FLOW_TYPE_EXTERNAL_AUTHENTICATION", domain.FlowTypeExternalAuthentication.ID():
 		return domain.FlowTypeExternalAuthentication
+	case domain.FlowTypeCustomiseToken.ID():
+		return domain.FlowTypeCustomiseToken
 	default:
 		return domain.FlowTypeUnspecified
 	}
 }
 
-func TriggerTypeToDomain(triggerType action_pb.TriggerType) domain.TriggerType {
+func FlowTypeToPb(typ domain.FlowType) *action_pb.FlowType {
+	return &action_pb.FlowType{
+		Id: typ.ID(),
+		Name: &message_pb.LocalizedMessage{
+			Key: typ.LocalizationKey(),
+		},
+	}
+}
+
+// TriggerTypeToDomain maps the pb type to domain
+// for backward compatability: old enum identifiers are mapped as well
+func TriggerTypeToDomain(triggerType string) domain.TriggerType {
 	switch triggerType {
-	case action_pb.TriggerType_TRIGGER_TYPE_POST_AUTHENTICATION:
+	case "TRIGGER_TYPE_POST_AUTHENTICATION", domain.TriggerTypePostAuthentication.ID():
 		return domain.TriggerTypePostAuthentication
-	case action_pb.TriggerType_TRIGGER_TYPE_PRE_CREATION:
+	case "TRIGGER_TYPE_PRE_CREATION", domain.TriggerTypePreCreation.ID():
 		return domain.TriggerTypePreCreation
-	case action_pb.TriggerType_TRIGGER_TYPE_POST_CREATION:
+	case "TRIGGER_TYPE_POST_CREATION", domain.TriggerTypePostCreation.ID():
 		return domain.TriggerTypePostCreation
+	case domain.TriggerTypePreAccessTokenCreation.ID():
+		return domain.TriggerTypePreAccessTokenCreation
+	case domain.TriggerTypePreUserinfoCreation.ID():
+		return domain.TriggerTypePreUserinfoCreation
 	default:
 		return domain.TriggerTypeUnspecified
 	}
 }
 
+func TriggerTypesToPb(types []domain.TriggerType) []*action_pb.TriggerType {
+	list := make([]*action_pb.TriggerType, len(types))
+	for i, typ := range types {
+		list[i] = TriggerTypeToPb(typ)
+	}
+	return list
+}
+
+func TriggerTypeToPb(typ domain.TriggerType) *action_pb.TriggerType {
+	return &action_pb.TriggerType{
+		Id: typ.ID(),
+		Name: &message_pb.LocalizedMessage{
+			Key: typ.LocalizationKey(),
+		},
+	}
+}
+
 func FlowToPb(flow *query.Flow) *action_pb.Flow {
 	return &action_pb.Flow{
 		Type:           FlowTypeToPb(flow.Type),
@@ -47,28 +83,6 @@ func TriggerActionToPb(trigger domain.TriggerType, actions []*query.Action) *act
 	}
 }
 
-func FlowTypeToPb(flowType domain.FlowType) action_pb.FlowType {
-	switch flowType {
-	case domain.FlowTypeExternalAuthentication:
-		return action_pb.FlowType_FLOW_TYPE_EXTERNAL_AUTHENTICATION
-	default:
-		return action_pb.FlowType_FLOW_TYPE_UNSPECIFIED
-	}
-}
-
-func TriggerTypeToPb(triggerType domain.TriggerType) action_pb.TriggerType {
-	switch triggerType {
-	case domain.TriggerTypePostAuthentication:
-		return action_pb.TriggerType_TRIGGER_TYPE_POST_AUTHENTICATION
-	case domain.TriggerTypePreCreation:
-		return action_pb.TriggerType_TRIGGER_TYPE_PRE_CREATION
-	case domain.TriggerTypePostCreation:
-		return action_pb.TriggerType_TRIGGER_TYPE_POST_CREATION
-	default:
-		return action_pb.TriggerType_TRIGGER_TYPE_UNSPECIFIED
-	}
-}
-
 func TriggerActionsToPb(triggers map[domain.TriggerType][]*query.Action) []*action_pb.TriggerAction {
 	list := make([]*action_pb.TriggerAction, 0)
 	for trigger, actions := range triggers {
@@ -92,7 +106,7 @@ func ActionToPb(action *query.Action) *action_pb.Action {
 		State:         ActionStateToPb(action.State),
 		Name:          action.Name,
 		Script:        action.Script,
-		Timeout:       durationpb.New(action.Timeout),
+		Timeout:       durationpb.New(action.Timeout()),
 		AllowedToFail: action.AllowedToFail,
 	}
 }

internal/api/grpc/admin/export.go

@@ -2,12 +2,14 @@ package admin
 
 import (
 	"context"
+
+	"google.golang.org/protobuf/types/known/durationpb"
+
 	text_grpc "github.com/zitadel/zitadel/internal/api/grpc/text"
 	"github.com/zitadel/zitadel/internal/domain"
 	caos_errors "github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
-	action_pb "github.com/zitadel/zitadel/pkg/grpc/action"
 	admin_pb "github.com/zitadel/zitadel/pkg/grpc/admin"
 	app_pb "github.com/zitadel/zitadel/pkg/grpc/app"
 	idp_pb "github.com/zitadel/zitadel/pkg/grpc/idp"
@@ -17,7 +19,6 @@ import (
 	project_pb "github.com/zitadel/zitadel/pkg/grpc/project"
 	user_pb "github.com/zitadel/zitadel/pkg/grpc/user"
 	v1_pb "github.com/zitadel/zitadel/pkg/grpc/v1"
-	"google.golang.org/protobuf/types/known/durationpb"
 )
 
 func (s *Server) ExportData(ctx context.Context, req *admin_pb.ExportDataRequest) (_ *admin_pb.ExportDataResponse, err error) {
@@ -639,8 +640,8 @@ func (s *Server) getTriggerActions(ctx context.Context, org string, processedAct
 			}
 
 			triggerActions = append(triggerActions, &management_pb.SetTriggerActionsRequest{
-				FlowType:    action_pb.FlowType(flowType),
-				TriggerType: action_pb.TriggerType(triggerType),
+				FlowType:    flowType.ID(),
+				TriggerType: triggerType.ID(),
 				ActionIds:   actions,
 			})
 		}
@@ -662,7 +663,7 @@ func (s *Server) getActions(ctx context.Context, org string) ([]*v1_pb.DataActio
 		return actions, nil
 	}
 	for i, action := range queriedActions.Actions {
-		timeout := durationpb.New(action.Timeout)
+		timeout := durationpb.New(action.Timeout())
 
 		actions[i] = &v1_pb.DataAction{
 			ActionId: action.ID,

internal/api/grpc/admin/import.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/zitadel/logging"
 	"github.com/zitadel/zitadel/internal/api/authz"
+	action_grpc "github.com/zitadel/zitadel/internal/api/grpc/action"
 	"github.com/zitadel/zitadel/internal/api/grpc/management"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
@@ -693,9 +694,9 @@ func (s *Server) importData(ctx context.Context, orgs []*admin_pb.DataOrg) (*adm
 
 		if org.TriggerActions != nil {
 			for _, triggerAction := range org.GetTriggerActions() {
-				_, err := s.command.SetTriggerActions(ctx, domain.FlowType(triggerAction.FlowType), domain.TriggerType(triggerAction.TriggerType), triggerAction.ActionIds, org.GetOrgId())
+				_, err := s.command.SetTriggerActions(ctx, action_grpc.FlowTypeToDomain(triggerAction.FlowType), action_grpc.TriggerTypeToDomain(triggerAction.TriggerType), triggerAction.ActionIds, org.GetOrgId())
 				if err != nil {
-					errors = append(errors, &admin_pb.ImportDataError{Type: "trigger_action", Id: triggerAction.FlowType.String() + "_" + triggerAction.TriggerType.String(), Message: err.Error()})
+					errors = append(errors, &admin_pb.ImportDataError{Type: "trigger_action", Id: triggerAction.FlowType + "_" + triggerAction.TriggerType, Message: err.Error()})
 					continue
 				}
 				successOrg.TriggerActions = append(successOrg.TriggerActions, &management_pb.SetTriggerActionsRequest{FlowType: triggerAction.FlowType, TriggerType: triggerAction.TriggerType, ActionIds: triggerAction.GetActionIds()})

internal/api/grpc/management/flow.go

@@ -6,9 +6,31 @@ import (
 	"github.com/zitadel/zitadel/internal/api/authz"
 	action_grpc "github.com/zitadel/zitadel/internal/api/grpc/action"
 	obj_grpc "github.com/zitadel/zitadel/internal/api/grpc/object"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	action_pb "github.com/zitadel/zitadel/pkg/grpc/action"
 	mgmt_pb "github.com/zitadel/zitadel/pkg/grpc/management"
 )
 
+func (s *Server) ListFlowTypes(ctx context.Context, _ *mgmt_pb.ListFlowTypesRequest) (*mgmt_pb.ListFlowTypesResponse, error) {
+	return &mgmt_pb.ListFlowTypesResponse{
+		Result: []*action_pb.FlowType{
+			action_grpc.FlowTypeToPb(domain.FlowTypeExternalAuthentication),
+			action_grpc.FlowTypeToPb(domain.FlowTypeCustomiseToken),
+		},
+	}, nil
+}
+
+func (s *Server) ListFlowTriggerTypes(ctx context.Context, req *mgmt_pb.ListFlowTriggerTypesRequest) (*mgmt_pb.ListFlowTriggerTypesResponse, error) {
+	triggerTypes := action_grpc.FlowTypeToDomain(req.Type).TriggerTypes()
+	if len(triggerTypes) == 0 {
+		return nil, errors.ThrowNotFound(nil, "MANAG-P2OBk", "Errors.NotFound")
+	}
+	return &mgmt_pb.ListFlowTriggerTypesResponse{
+		Result: action_grpc.TriggerTypesToPb(triggerTypes),
+	}, nil
+}
+
 func (s *Server) GetFlow(ctx context.Context, req *mgmt_pb.GetFlowRequest) (*mgmt_pb.GetFlowResponse, error) {
 	flow, err := s.query.GetFlow(ctx, action_grpc.FlowTypeToDomain(req.Type), authz.GetCtxData(ctx).OrgID)
 	if err != nil {