feat(login): use new IDP templates (#5315)

The login uses the new template based IDPs with backwards compatibility for old IDPs

internal/command/idp.go

@@ -1,6 +1,12 @@
 package command
 
-import "github.com/zitadel/zitadel/internal/repository/idp"
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command/preparation"
+	"github.com/zitadel/zitadel/internal/repository/idp"
+)
 
 type GenericOAuthProvider struct {
 	Name                  string
@@ -52,3 +58,34 @@ type LDAPProvider struct {
 	LDAPAttributes      idp.LDAPAttributes
 	IDPOptions          idp.Options
 }
+
+func ExistsIDP(ctx context.Context, filter preparation.FilterToQueryReducer, id, orgID string) (exists bool, err error) {
+	writeModel := NewOrgIDPRemoveWriteModel(orgID, id)
+	events, err := filter(ctx, writeModel.Query())
+	if err != nil {
+		return false, err
+	}
+
+	if len(events) > 0 {
+		writeModel.AppendEvents(events...)
+		if err := writeModel.Reduce(); err != nil {
+			return false, err
+		}
+		return writeModel.State.Exists(), nil
+	}
+
+	instanceWriteModel := NewInstanceIDPRemoveWriteModel(authz.GetInstance(ctx).InstanceID(), id)
+	events, err = filter(ctx, instanceWriteModel.Query())
+	if err != nil {
+		return false, err
+	}
+
+	if len(events) == 0 {
+		return false, nil
+	}
+	instanceWriteModel.AppendEvents(events...)
+	if err := instanceWriteModel.Reduce(); err != nil {
+		return false, err
+	}
+	return instanceWriteModel.State.Exists(), nil
+}

internal/command/instance_idp.go

@@ -236,6 +236,23 @@ func (c *Commands) DeleteInstanceProvider(ctx context.Context, id string) (*doma
 	return pushedEventsToObjectDetails(pushedEvents), nil
 }
 
+func ExistsInstanceIDP(ctx context.Context, filter preparation.FilterToQueryReducer, id string) (exists bool, err error) {
+	instanceWriteModel := NewInstanceIDPRemoveWriteModel(authz.GetInstance(ctx).InstanceID(), id)
+	events, err := filter(ctx, instanceWriteModel.Query())
+	if err != nil {
+		return false, err
+	}
+
+	if len(events) == 0 {
+		return false, nil
+	}
+	instanceWriteModel.AppendEvents(events...)
+	if err := instanceWriteModel.Reduce(); err != nil {
+		return false, err
+	}
+	return instanceWriteModel.State.Exists(), nil
+}
+
 func (c *Commands) prepareAddInstanceOAuthProvider(a *instance.Aggregate, writeModel *InstanceOAuthIDPWriteModel, provider GenericOAuthProvider) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		if provider.Name = strings.TrimSpace(provider.Name); provider.Name == "" {

internal/command/instance_policy_login.go

@@ -41,8 +41,8 @@ func (c *Commands) AddIDPProviderToDefaultLoginPolicy(ctx context.Context, idpPr
 		return nil, caos_errs.ThrowNotFound(nil, "INSTANCE-GVDfe", "Errors.IAM.LoginPolicy.NotFound")
 	}
 
-	_, err = c.getInstanceIDPConfigByID(ctx, idpProvider.IDPConfigID)
-	if err != nil {
+	exists, err := ExistsInstanceIDP(ctx, c.eventstore.Filter, idpProvider.IDPConfigID)
+	if err != nil || !exists {
 		return nil, caos_errs.ThrowPreconditionFailed(err, "INSTANCE-m8fsd", "Errors.IDPConfig.NotExisting")
 	}
 	idpModel := NewInstanceIdentityProviderWriteModel(ctx, idpProvider.IDPConfigID)

internal/command/org_idp.go

@@ -225,6 +225,23 @@ func (c *Commands) DeleteOrgProvider(ctx context.Context, resourceOwner, id stri
 	return pushedEventsToObjectDetails(pushedEvents), nil
 }
 
+func ExistsOrgIDP(ctx context.Context, filter preparation.FilterToQueryReducer, id, orgID string) (exists bool, err error) {
+	writeModel := NewOrgIDPRemoveWriteModel(orgID, id)
+	events, err := filter(ctx, writeModel.Query())
+	if err != nil {
+		return false, err
+	}
+
+	if len(events) == 0 {
+		return false, nil
+	}
+	writeModel.AppendEvents(events...)
+	if err := writeModel.Reduce(); err != nil {
+		return false, err
+	}
+	return writeModel.State.Exists(), nil
+}
+
 func (c *Commands) prepareAddOrgOAuthProvider(a *org.Aggregate, writeModel *OrgOAuthIDPWriteModel, provider GenericOAuthProvider) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		if provider.Name = strings.TrimSpace(provider.Name); provider.Name == "" {

internal/command/org_policy_login.go

@@ -146,12 +146,13 @@ func (c *Commands) AddIDPToLoginPolicy(ctx context.Context, resourceOwner string
 		return nil, caos_errs.ThrowNotFound(nil, "Org-Ffgw2", "Errors.Org.LoginPolicy.NotFound")
 	}
 
+	var exists bool
 	if idpProvider.Type == domain.IdentityProviderTypeOrg {
-		_, err = c.getOrgIDPConfigByID(ctx, idpProvider.IDPConfigID, resourceOwner)
+		exists, err = ExistsOrgIDP(ctx, c.eventstore.Filter, idpProvider.IDPConfigID, resourceOwner)
 	} else {
-		_, err = c.getInstanceIDPConfigByID(ctx, idpProvider.IDPConfigID)
+		exists, err = ExistsInstanceIDP(ctx, c.eventstore.Filter, idpProvider.IDPConfigID)
 	}
-	if err != nil {
+	if !exists || err != nil {
 		return nil, caos_errs.ThrowPreconditionFailed(err, "Org-3N9fs", "Errors.IDPConfig.NotExisting")
 	}
 	idpModel := NewOrgIdentityProviderWriteModel(resourceOwner, idpProvider.IDPConfigID)

internal/command/user_idp_link.go

@@ -66,14 +66,12 @@ func (c *Commands) addUserIDPLink(ctx context.Context, human *eventstore.Aggrega
 		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-6m9Kd", "Errors.User.ExternalIDP.Invalid")
 	}
 
-	_, err := c.getOrgIDPConfigByID(ctx, link.IDPConfigID, human.ResourceOwner)
-	if caos_errs.IsNotFound(err) {
-		_, err = c.getInstanceIDPConfigByID(ctx, link.IDPConfigID)
-	}
-	if err != nil {
+	exists, err := ExistsIDP(ctx, c.eventstore.Filter, link.IDPConfigID, human.ResourceOwner)
+	if !exists || err != nil {
 		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-39nfs", "Errors.IDPConfig.NotExisting")
 	}
 	return user.NewUserIDPLinkAddedEvent(ctx, human, link.IDPConfigID, link.DisplayName, link.ExternalUserID), nil
+
 }
 
 func (c *Commands) RemoveUserIDPLink(ctx context.Context, link *domain.UserIDPLink) (*domain.ObjectDetails, error) {