feat: app handling compliance (#527)

* feat: check oidc compliance * fix: add tests * fix: add oidc config tests * fix: add oidc config tests user agent * fix: test oidc config compliance * fix: test oidc config compliance * fix: useragent implicit authmethod none * fix: merge master * feat: translate compliance problems * feat: check native app for custom url * fix: better compliance handling * fix: better compliance handling * feat: add odidc dev mode * fix: remove deprecated request fro management api * fix: oidc package version * fix: migration * fix: tests * fix: remove unused functions * fix: generate proto files * fix: native implicit and code none compliant * fix: create project * Update internal/project/model/oidc_config_test.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: tests * Update internal/project/model/oidc_config.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/project/model/oidc_config.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: tests Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 01:47:33 +00:00 · 2020-08-10 09:34:56 +02:00
parent 64f0b191b5
commit 5699fe80d5
27 changed files with 15925 additions and 16502 deletions
--- a/internal/project/repository/eventsourcing/eventstore.go
+++ b/internal/project/repository/eventsourcing/eventstore.go
@@ -534,6 +534,7 @@ func (es *ProjectEventstore) AddApplication(ctx context.Context, app *proj_model
 	if _, a := model.GetApplication(repoProject.Applications, app.AppID); a != nil {
 		converted := model.AppToModel(a)
 		converted.OIDCConfig.ClientSecretString = stringPw
+		converted.OIDCConfig.FillCompliance()
 		return converted, nil
 	}
 	return nil, caos_errs.ThrowInternal(nil, "EVENT-GvPct", "Errors.Internal")
--- a/internal/project/repository/eventsourcing/model/oidc_config.go
+++ b/internal/project/repository/eventsourcing/model/oidc_config.go
@@ -11,6 +11,7 @@ import (

 type OIDCConfig struct {
 	es_models.ObjectRoot
+	Version                int32               `json:"oidcVersion,omitempty"`
 	AppID                  string              `json:"appId"`
 	ClientID               string              `json:"clientId,omitempty"`
 	ClientSecret           *crypto.CryptoValue `json:"clientSecret,omitempty"`
@@ -20,6 +21,7 @@ type OIDCConfig struct {
 	ApplicationType        int32               `json:"applicationType,omitempty"`
 	AuthMethodType         int32               `json:"authMethodType,omitempty"`
 	PostLogoutRedirectUris []string            `json:"postLogoutRedirectUris,omitempty"`
+	DevMode                bool                `json:"devMode,omitempty"`
 }

 func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
@@ -40,9 +42,15 @@ func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
 	if c.AuthMethodType != changed.AuthMethodType {
 		changes["authMethodType"] = changed.AuthMethodType
 	}
+	if c.Version != changed.Version {
+		changes["oidcVersion"] = changed.Version
+	}
 	if !reflect.DeepEqual(c.PostLogoutRedirectUris, changed.PostLogoutRedirectUris) {
 		changes["postLogoutRedirectUris"] = changed.PostLogoutRedirectUris
 	}
+	if c.DevMode != changed.DevMode {
+		changes["devMode"] = changed.DevMode
+	}
 	return changes
 }

@@ -58,6 +66,7 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
 	return &OIDCConfig{
 		ObjectRoot:             config.ObjectRoot,
 		AppID:                  config.AppID,
+		Version:                int32(config.OIDCVersion),
 		ClientID:               config.ClientID,
 		ClientSecret:           config.ClientSecret,
 		RedirectUris:           config.RedirectUris,
@@ -66,6 +75,7 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
 		ApplicationType:        int32(config.ApplicationType),
 		AuthMethodType:         int32(config.AuthMethodType),
 		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
+		DevMode:                config.DevMode,
 	}
 }

@@ -78,9 +88,10 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
 	for i, rt := range config.GrantTypes {
 		grantTypes[i] = model.OIDCGrantType(rt)
 	}
-	return &model.OIDCConfig{
+	oidcConfig := &model.OIDCConfig{
 		ObjectRoot:             config.ObjectRoot,
 		AppID:                  config.AppID,
+		OIDCVersion:            model.OIDCVersion(config.Version),
 		ClientID:               config.ClientID,
 		ClientSecret:           config.ClientSecret,
 		RedirectUris:           config.RedirectUris,
@@ -89,7 +100,10 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
 		ApplicationType:        model.OIDCApplicationType(config.ApplicationType),
 		AuthMethodType:         model.OIDCAuthMethodType(config.AuthMethodType),
 		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
+		DevMode:                config.DevMode,
 	}
+	oidcConfig.FillCompliance()
+	return oidcConfig
 }

 func (p *Project) appendAddOIDCConfigEvent(event *es_models.Event) error {
--- a/internal/project/repository/eventsourcing/project.go
+++ b/internal/project/repository/eventsourcing/project.go
@@ -2,6 +2,7 @@ package eventsourcing

 import (
 	"context"
+	"github.com/caos/zitadel/internal/api/authz"

 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
@@ -46,6 +47,7 @@ func ProjectCreateAggregate(aggCreator *es_models.AggregateCreator, project *mod
 		}
 		validationQuery := es_models.NewSearchQuery().
 			AggregateTypeFilter(model.ProjectAggregate).
+			ResourceOwnerFilter(authz.GetCtxData(ctx).OrgID).
 			EventTypesFilter(model.ProjectAdded, model.ProjectChanged, model.ProjectRemoved)

 		validation := addProjectValidation(project.Name)
--- a/internal/project/repository/view/model/application.go
+++ b/internal/project/repository/view/model/application.go
@@ -28,6 +28,7 @@ type ApplicationView struct {
 	State        int32     `json:"-" gorm:"column:app_state"`

 	IsOIDC                     bool           `json:"-" gorm:"column:is_oidc"`
+	OIDCVersion                int32          `json:"oidcVersion" gorm:"column:oidc_version"`
 	OIDCClientID               string         `json:"clientId" gorm:"column:oidc_client_id"`
 	OIDCRedirectUris           pq.StringArray `json:"redirectUris" gorm:"column:oidc_redirect_uris"`
 	OIDCResponseTypes          pq.Int64Array  `json:"responseTypes" gorm:"column:oidc_response_types"`
@@ -35,6 +36,9 @@ type ApplicationView struct {
 	OIDCApplicationType        int32          `json:"applicationType" gorm:"column:oidc_application_type"`
 	OIDCAuthMethodType         int32          `json:"authMethodType" gorm:"column:oidc_auth_method_type"`
 	OIDCPostLogoutRedirectUris pq.StringArray `json:"postLogoutRedirectUris" gorm:"column:oidc_post_logout_redirect_uris"`
+	NoneCompliant              bool           `json:"-" gorm:"column:none_compliant"`
+	ComplianceProblems         pq.StringArray `json:"-" gorm:"column:compliance_problems"`
+	DevMode                    bool           `json:"devMode" gorm:"column:dev_mode"`

 	Sequence uint64 `json:"-" gorm:"sequence"`
 }
@@ -57,6 +61,7 @@ func ApplicationViewFromModel(app *model.ApplicationView) *ApplicationView {
 		OIDCApplicationType:        int32(app.OIDCApplicationType),
 		OIDCAuthMethodType:         int32(app.OIDCAuthMethodType),
 		OIDCPostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
+		DevMode:                    app.DevMode,
 	}
 }

@@ -87,6 +92,7 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
 		ChangeDate:   app.ChangeDate,

 		IsOIDC:                     app.IsOIDC,
+		OIDCVersion:                model.OIDCVersion(app.OIDCVersion),
 		OIDCClientID:               app.OIDCClientID,
 		OIDCRedirectUris:           app.OIDCRedirectUris,
 		OIDCResponseTypes:          OIDCResponseTypesToModel(app.OIDCResponseTypes),
@@ -94,6 +100,9 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
 		OIDCApplicationType:        model.OIDCApplicationType(app.OIDCApplicationType),
 		OIDCAuthMethodType:         model.OIDCAuthMethodType(app.OIDCAuthMethodType),
 		OIDCPostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
+		NoneCompliant:              app.NoneCompliant,
+		ComplianceProblems:         app.ComplianceProblems,
+		DevMode:                    app.DevMode,
 	}
 }

@@ -132,9 +141,17 @@ func (a *ApplicationView) AppendEvent(event *models.Event) (err error) {
 	case es_model.OIDCConfigAdded:
 		a.IsOIDC = true
 		err = a.SetData(event)
+		if err != nil {
+			return err
+		}
+		a.setCompliance()
 	case es_model.OIDCConfigChanged,
 		es_model.ApplicationChanged:
 		err = a.SetData(event)
+		if err != nil {
+			return err
+		}
+		a.setCompliance()
 	case es_model.ApplicationDeactivated:
 		a.State = int32(model.AppStateInactive)
 	case es_model.ApplicationReactivated:
@@ -154,3 +171,9 @@ func (a *ApplicationView) SetData(event *models.Event) error {
 	}
 	return nil
 }
+
+func (a *ApplicationView) setCompliance() {
+	compliance := model.GetOIDCCompliance(model.OIDCVersion(a.OIDCVersion), model.OIDCApplicationType(a.OIDCApplicationType), OIDCGrantTypesToModel(a.OIDCGrantTypes), OIDCResponseTypesToModel(a.OIDCResponseTypes), model.OIDCAuthMethodType(a.OIDCAuthMethodType), a.OIDCPostLogoutRedirectUris)
+	a.NoneCompliant = compliance.NoneCompliant
+	a.ComplianceProblems = compliance.Problems
+}