feat: app handling compliance (#527)

* feat: check oidc compliance

* fix: add tests

* fix: add oidc config tests

* fix: add oidc config tests user agent

* fix: test oidc config compliance

* fix: test oidc config compliance

* fix: useragent implicit authmethod none

* fix: merge master

* feat: translate compliance problems

* feat: check native app for custom url

* fix: better compliance handling

* fix: better compliance handling

* feat: add odidc dev mode

* fix: remove deprecated request fro management api

* fix: oidc package version

* fix: migration

* fix: tests

* fix: remove unused functions

* fix: generate proto files

* fix: native implicit and code none compliant

* fix: create project

* Update internal/project/model/oidc_config_test.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: tests

* Update internal/project/model/oidc_config.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/project/model/oidc_config.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: tests

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

internal/api/grpc/management/application.go

@@ -17,7 +17,7 @@ func (s *Server) SearchApplications(ctx context.Context, in *management.Applicat
 }
 
 func (s *Server) ApplicationByID(ctx context.Context, in *management.ApplicationID) (*management.ApplicationView, error) {
-	app, err := s.project.ApplicationByID(ctx, in.Id)
+	app, err := s.project.ApplicationByID(ctx, in.ProjectId, in.Id)
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/management/application_converter.go

@@ -52,6 +52,10 @@ func oidcConfigFromModel(config *proj_model.OIDCConfig) *management.OIDCConfig {
 		ClientSecret:           config.ClientSecretString,
 		AuthMethodType:         oidcAuthMethodTypeFromModel(config.AuthMethodType),
 		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
+		Version:                oidcVersionFromModel(config.OIDCVersion),
+		NoneCompliant:          config.Compliance.NoneCompliant,
+		ComplianceProblems:     complianceProblemsToLocalizedMessages(config.Compliance.Problems),
+		DevMode:                config.DevMode,
 	}
 }
 
@@ -64,9 +68,22 @@ func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *manage
 		ClientId:               app.OIDCClientID,
 		AuthMethodType:         oidcAuthMethodTypeFromModel(app.OIDCAuthMethodType),
 		PostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
+		Version:                oidcVersionFromModel(app.OIDCVersion),
+		NoneCompliant:          app.NoneCompliant,
+		ComplianceProblems:     complianceProblemsToLocalizedMessages(app.ComplianceProblems),
+		DevMode:                app.DevMode,
 	}
 }
 
+func complianceProblemsToLocalizedMessages(problems []string) []*message.LocalizedMessage {
+	converted := make([]*message.LocalizedMessage, len(problems))
+	for i, p := range problems {
+		converted[i] = message.NewLocalizedMessage(p)
+	}
+	return converted
+
+}
+
 func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.Application {
 	return &proj_model.Application{
 		ObjectRoot: models.ObjectRoot{
@@ -75,12 +92,14 @@ func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.App
 		Name: app.Name,
 		Type: proj_model.AppTypeOIDC,
 		OIDCConfig: &proj_model.OIDCConfig{
+			OIDCVersion:            oidcVersionToModel(app.Version),
 			RedirectUris:           app.RedirectUris,
 			ResponseTypes:          oidcResponseTypesToModel(app.ResponseTypes),
 			GrantTypes:             oidcGrantTypesToModel(app.GrantTypes),
 			ApplicationType:        oidcApplicationTypeToModel(app.ApplicationType),
 			AuthMethodType:         oidcAuthMethodTypeToModel(app.AuthMethodType),
 			PostLogoutRedirectUris: app.PostLogoutRedirectUris,
+			DevMode:                app.DevMode,
 		},
 	}
 }
@@ -107,6 +126,7 @@ func oidcConfigUpdateToModel(app *management.OIDCConfigUpdate) *proj_model.OIDCC
 		ApplicationType:        oidcApplicationTypeToModel(app.ApplicationType),
 		AuthMethodType:         oidcAuthMethodTypeToModel(app.AuthMethodType),
 		PostLogoutRedirectUris: app.PostLogoutRedirectUris,
+		DevMode:                app.DevMode,
 	}
 }
 
@@ -284,6 +304,14 @@ func oidcApplicationTypeToModel(appType management.OIDCApplicationType) proj_mod
 	return proj_model.OIDCApplicationTypeWeb
 }
 
+func oidcVersionToModel(version management.OIDCVersion) proj_model.OIDCVersion {
+	switch version {
+	case management.OIDCVersion_OIDCV1_0:
+		return proj_model.OIDCVersionV1
+	}
+	return proj_model.OIDCVersionV1
+}
+
 func oidcApplicationTypeFromModel(appType proj_model.OIDCApplicationType) management.OIDCApplicationType {
 	switch appType {
 	case proj_model.OIDCApplicationTypeWeb:
@@ -323,6 +351,15 @@ func oidcAuthMethodTypeFromModel(authType proj_model.OIDCAuthMethodType) managem
 	}
 }
 
+func oidcVersionFromModel(version proj_model.OIDCVersion) management.OIDCVersion {
+	switch version {
+	case proj_model.OIDCVersionV1:
+		return management.OIDCVersion_OIDCV1_0
+	default:
+		return management.OIDCVersion_OIDCV1_0
+	}
+}
+
 func appChangesToResponse(response *proj_model.ApplicationChanges, offset uint64, limit uint64) (_ *management.Changes) {
 	return &management.Changes{
 		Limit:   limit,

internal/api/grpc/management/user_grant.go

@@ -67,107 +67,3 @@ func (s *Server) BulkRemoveUserGrant(ctx context.Context, in *management.UserGra
 	err := s.usergrant.BulkRemoveUserGrant(ctx, userGrantRemoveBulkToModel(in)...)
 	return &empty.Empty{}, err
 }
-
-func (s *Server) SearchProjectUserGrants(ctx context.Context, in *management.ProjectUserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
-	request := projectUserGrantSearchRequestsToModel(in)
-	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
-	request.AppendProjectIDQuery(in.ProjectId)
-	response, err := s.usergrant.SearchUserGrants(ctx, request)
-	if err != nil {
-		return nil, err
-	}
-	return userGrantSearchResponseFromModel(response), nil
-}
-
-func (s *Server) ProjectUserGrantByID(ctx context.Context, request *management.ProjectUserGrantID) (*management.UserGrantView, error) {
-	user, err := s.usergrant.UserGrantByID(ctx, request.Id)
-	if err != nil {
-		return nil, err
-	}
-	return userGrantViewFromModel(user), nil
-}
-
-func (s *Server) CreateProjectUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) {
-	user, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-func (s *Server) UpdateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantUpdate) (*management.UserGrant, error) {
-	user, err := s.usergrant.ChangeUserGrant(ctx, projectUserGrantUpdateToModel(in))
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) DeactivateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantID) (*management.UserGrant, error) {
-	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) ReactivateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantID) (*management.UserGrant, error) {
-	user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) SearchProjectGrantUserGrants(ctx context.Context, in *management.ProjectGrantUserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
-	grant, err := s.project.ProjectGrantByID(ctx, in.ProjectGrantId)
-	if err != nil {
-		return nil, err
-	}
-	request := projectGrantUserGrantSearchRequestsToModel(in)
-	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
-	request.AppendProjectIDQuery(grant.ProjectID)
-	response, err := s.usergrant.SearchUserGrants(ctx, request)
-	if err != nil {
-		return nil, err
-	}
-	return userGrantSearchResponseFromModel(response), nil
-}
-
-func (s *Server) ProjectGrantUserGrantByID(ctx context.Context, request *management.ProjectGrantUserGrantID) (*management.UserGrantView, error) {
-	user, err := s.usergrant.UserGrantByID(ctx, request.Id)
-	if err != nil {
-		return nil, err
-	}
-	return userGrantViewFromModel(user), nil
-}
-
-func (s *Server) CreateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantCreate) (*management.UserGrant, error) {
-	user, err := s.usergrant.AddUserGrant(ctx, projectGrantUserGrantCreateToModel(in))
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-func (s *Server) UpdateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantUpdate) (*management.UserGrant, error) {
-	user, err := s.usergrant.ChangeUserGrant(ctx, projectGrantUserGrantUpdateToModel(in))
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) DeactivateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantID) (*management.UserGrant, error) {
-	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) ReactivateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantID) (*management.UserGrant, error) {
-	user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}

internal/api/grpc/management/user_grant_converter.go

@@ -69,29 +69,6 @@ func userGrantRemoveBulkToModel(u *management.UserGrantRemoveBulk) []string {
 	return ids
 }
 
-func projectUserGrantUpdateToModel(u *management.ProjectUserGrantUpdate) *grant_model.UserGrant {
-	return &grant_model.UserGrant{
-		ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
-		RoleKeys:   u.RoleKeys,
-	}
-}
-
-func projectGrantUserGrantCreateToModel(u *management.ProjectGrantUserGrantCreate) *grant_model.UserGrant {
-	return &grant_model.UserGrant{
-		UserID:    u.UserId,
-		ProjectID: u.ProjectId,
-		RoleKeys:  u.RoleKeys,
-		GrantID:   u.ProjectGrantId,
-	}
-}
-
-func projectGrantUserGrantUpdateToModel(u *management.ProjectGrantUserGrantUpdate) *grant_model.UserGrant {
-	return &grant_model.UserGrant{
-		ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
-		RoleKeys:   u.RoleKeys,
-	}
-}
-
 func userGrantSearchRequestsToModel(project *management.UserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
 	return &grant_model.UserGrantSearchRequest{
 		Offset:  project.Offset,

internal/api/oidc/client_converter.go

@@ -1,6 +1,7 @@
 package oidc
 
 import (
+	"github.com/caos/oidc/pkg/oidc"
 	"time"
 
 	"github.com/caos/oidc/pkg/op"
@@ -27,7 +28,7 @@ func (c *Client) ApplicationType() op.ApplicationType {
 	return op.ApplicationType(c.OIDCApplicationType)
 }
 
-func (c *Client) GetAuthMethod() op.AuthMethod {
+func (c *Client) AuthMethod() op.AuthMethod {
 	return authMethodToOIDC(c.OIDCAuthMethodType)
 }
 
@@ -47,6 +48,14 @@ func (c *Client) PostLogoutRedirectURIs() []string {
 	return c.OIDCPostLogoutRedirectUris
 }
 
+func (c *Client) ResponseTypes() []oidc.ResponseType {
+	return responseTypesToOIDC(c.OIDCResponseTypes)
+}
+
+func (c *Client) DevMode() bool {
+	return c.ApplicationView.DevMode
+}
+
 func (c *Client) AccessTokenLifetime() time.Duration {
 	return c.defaultAccessTokenLifetime //PLANNED: impl from real client
 }
@@ -71,3 +80,24 @@ func authMethodToOIDC(authType model.OIDCAuthMethodType) op.AuthMethod {
 		return op.AuthMethodBasic
 	}
 }
+
+func responseTypesToOIDC(responseTypes []model.OIDCResponseType) []oidc.ResponseType {
+	oidcTypes := make([]oidc.ResponseType, len(responseTypes))
+	for i, t := range responseTypes {
+		oidcTypes[i] = responseTypeToOIDC(t)
+	}
+	return oidcTypes
+}
+
+func responseTypeToOIDC(responseType model.OIDCResponseType) oidc.ResponseType {
+	switch responseType {
+	case model.OIDCResponseTypeCode:
+		return oidc.ResponseTypeCode
+	case model.OIDCResponseTypeIDTokenToken:
+		return oidc.ResponseTypeIDToken
+	case model.OIDCResponseTypeIDToken:
+		return oidc.ResponseTypeIDTokenOnly
+	default:
+		return oidc.ResponseTypeCode
+	}
+}