feat: primary domain (#936)

* fix: primary domain

* fix: remove comment

* fix: oidc version
This commit is contained in:
Fabi 2020-11-03 10:50:03 +01:00 committed by GitHub
parent b79661d66e
commit 51417be35d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 345 additions and 640 deletions

go.mod

@ -16,7 +16,7 @@ require (
github.com/aws/aws-sdk-go v1.35.11 // indirect github.com/aws/aws-sdk-go v1.35.11 // indirect
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc
github.com/caos/logging v0.0.2 github.com/caos/logging v0.0.2
github.com/caos/oidc v0.12.3 github.com/caos/oidc v0.12.4
github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
github.com/cockroachdb/cockroach-go/v2 v2.0.8 github.com/cockroachdb/cockroach-go/v2 v2.0.8
github.com/envoyproxy/protoc-gen-validate v0.4.1 github.com/envoyproxy/protoc-gen-validate v0.4.1


@ -2,6 +2,7 @@ package oidc
import ( import (
"context" "context"
"github.com/caos/zitadel/internal/auth_request/model"
"strings" "strings"
"golang.org/x/text/language" "golang.org/x/text/language"
@ -153,6 +154,9 @@ func (o *OPStorage) GetUserinfoFromScopes(ctx context.Context, userID, applicati
if strings.HasPrefix(scope, ScopeProjectRolePrefix) { if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix)) roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix))
} }
if strings.HasPrefix(scope, model.OrgDomainPrimaryScope) {
userInfo.AppendClaims(model.OrgDomainPrimaryScope, strings.TrimPrefix(scope, model.OrgDomainPrimaryScope))
}
} }
} }
@ -170,17 +174,19 @@ func (o *OPStorage) GetUserinfoFromScopes(ctx context.Context, userID, applicati
return userInfo, nil return userInfo, nil
} }
func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, applicationID string, scopes []string) (claims map[string]interface{}, err error) { func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (claims map[string]interface{}, err error) {
roles := make([]string, 0) roles := make([]string, 0)
for _, scope := range scopes { for _, scope := range scopes {
if strings.HasPrefix(scope, ScopeProjectRolePrefix) { if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix)) roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix))
} else if strings.HasPrefix(scope, model.OrgDomainPrimaryScope) {
claims = map[string]interface{}{model.OrgDomainPrimaryScope: strings.TrimPrefix(scope, model.OrgDomainPrimaryScope)}
} }
} }
if len(roles) == 0 || applicationID == "" { if len(roles) == 0 || clientID == "" {
return nil, nil return claims, nil
} }
projectRoles, err := o.assertRoles(ctx, userID, applicationID, roles) projectRoles, err := o.assertRoles(ctx, userID, clientID, roles)
if err != nil { if err != nil {
return nil, err return nil, err
} }
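Review bot: The value written under the `model.OrgDomainPrimaryScope` claim in both GetUserinfoFromScopes (the AppendClaims call in the second hunk) and GetPrivateClaimsFromScopes (the map literal in the third hunk) is the raw suffix of a client-supplied scope string, and nothing in these hunks checks it against the organisation the user actually belongs to. If the scope value is validated earlier when the auth request is resolved (not visible here), a comment at the AppendClaims line would make that contract explicit, e.g. `// scope value was validated against the user's org when the auth request was resolved; expose the domain as a claim`. In GetPrivateClaimsFromScopes the map literal replaces any earlier assignment, so only the last matching scope survives, and since the function body continues past the hunk, the claim put into `claims` here should be carried into the map returned after the assertRoles call rather than overwritten by the roles map.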


@ -1,6 +1,8 @@
package oidc package oidc
import ( import (
authreq_model "github.com/caos/zitadel/internal/auth_request/model"
"strings"
"time" "time"
"github.com/caos/oidc/pkg/oidc" "github.com/caos/oidc/pkg/oidc"
@ -63,16 +65,22 @@ func (c *Client) DevMode() bool {
return c.ApplicationView.DevMode return c.ApplicationView.DevMode
} }
func (c *Client) AllowedScopes() []string { func (c *Client) RestrictAdditionalIdTokenScopes() func(scopes []string) []string {
return c.allowedScopes return func(scopes []string) []string {
if c.IDTokenRoleAssertion {
return scopes
}
return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
}
} }
func (c *Client) AssertAdditionalIdTokenScopes() bool { func (c *Client) RestrictAdditionalAccessTokenScopes() func(scopes []string) []string {
return c.IDTokenRoleAssertion return func(scopes []string) []string {
} if c.AccessTokenRoleAssertion {
return scopes
func (c *Client) AssertAdditionalAccessTokenScopes() bool { }
return c.AccessTokenRoleAssertion return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
}
} }
func (c *Client) AccessTokenLifetime() time.Duration { func (c *Client) AccessTokenLifetime() time.Duration {
@ -87,6 +95,18 @@ func (c *Client) AccessTokenType() op.AccessTokenType {
return accessTokenTypeToOIDC(c.ApplicationView.AccessTokenType) return accessTokenTypeToOIDC(c.ApplicationView.AccessTokenType)
} }
func (c *Client) IsScopeAllowed(scope string) bool {
if strings.HasPrefix(scope, authreq_model.OrgDomainPrimaryScope) {
return true
}
for _, allowedScope := range c.allowedScopes {
if scope == allowedScope {
return true
}
}
return false
}
func accessTokenTypeToOIDC(tokenType model.OIDCTokenType) op.AccessTokenType { func accessTokenTypeToOIDC(tokenType model.OIDCTokenType) op.AccessTokenType {
switch tokenType { switch tokenType {
case model.OIDCTokenTypeBearer: case model.OIDCTokenTypeBearer:
@ -131,3 +151,20 @@ func responseTypeToOIDC(responseType model.OIDCResponseType) oidc.ResponseType {
return oidc.ResponseTypeCode return oidc.ResponseTypeCode
} }
} }
func removeScopeWithPrefix(scopes []string, scopePrefix ...string) []string {
newScopeList := make([]string, 0)
for _, scope := range scopes {
hasPrefix := false
for _, prefix := range scopePrefix {
if strings.HasPrefix(scope, prefix) {
hasPrefix = true
continue
}
}
if !hasPrefix {
newScopeList = append(newScopeList, scope)
}
}
return newScopeList
}
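Review bot: In removeScopeWithPrefix the `continue` after `hasPrefix = true` only advances the inner loop over prefixes, so the remaining prefixes are still tested although the result is already decided; `break` states the intent and behaves the same, and `newScopeList := make([]string, 0, len(scopes))` avoids regrowth. IsScopeAllowed returns true for any scope carrying the `authreq_model.OrgDomainPrimaryScope` prefix regardless of its suffix, so the domain value passes this check unvalidated; if the suffix is checked when the auth request is resolved, a one-line comment such as `// org domain scope is dynamic; its value is validated when the auth request is resolved` would document that here. Note also that the two Restrict* closures strip only ScopeProjectRolePrefix, so the org-domain scope always survives into both token scope lists, which looks intended but is worth a comment.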

