TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-02-28 20:27:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: app handling compliance (#527)

Browse Source 
* feat: check oidc compliance

* fix: add tests

* fix: add oidc config tests

* fix: add oidc config tests user agent

* fix: test oidc config compliance

* fix: test oidc config compliance

* fix: useragent implicit authmethod none

* fix: merge master

* feat: translate compliance problems

* feat: check native app for custom url

* fix: better compliance handling

* fix: better compliance handling

* feat: add odidc dev mode

* fix: remove deprecated request fro management api

* fix: oidc package version

* fix: migration

* fix: tests

* fix: remove unused functions

* fix: generate proto files

* fix: native implicit and code none compliant

* fix: create project

* Update internal/project/model/oidc_config_test.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: tests

* Update internal/project/model/oidc_config.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/project/model/oidc_config.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: tests

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
This commit is contained in:
Fabi 2020-08-10 09:34:56 +02:00 committed by GitHub
parent 64f0b191b5
commit 5699fe80d5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
27 changed files with 15925 additions and 16502 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
console/src/app/services/project.service.ts
View File

@ -547,47 +547,6 @@ export class ProjectService {
);
}
// ********* */
public async SearchProjectUserGrants(
projectId: string,
offset: number,
limit: number,
queryList?: UserGrantSearchQuery[],
): Promise<UserGrantSearchResponse> {
const req = new ProjectUserGrantSearchRequest();
req.setLimit(limit);
req.setOffset(offset);
req.setProjectId(projectId);
if (queryList) {
req.setQueriesList(queryList);
}
return await this.request(
c => c.searchProjectUserGrants,
req,
f => f,
);
}
public async CreateProjectUserGrant(
projectId: string,
userId: string,
roleKeysList: string[],
): Promise<UserGrant> {
const req = new UserGrantCreate();
req.setProjectId(projectId);
req.setRoleKeysList(roleKeysList);
req.setUserId(userId);
return await this.request(
c => c.createProjectUserGrant,
req,
f => f,
);
}
// ********* */
public async CreateOIDCApp(app: OIDCApplicationCreate.AsObject): Promise<Application> {
const req = new OIDCApplicationCreate();
req.setProjectId(app.projectId);

4
go.mod
View File

@ -16,13 +16,13 @@ require (
github.com/aws/aws-sdk-go v1.33.13 // indirect
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc
github.com/caos/logging v0.0.2
github.com/caos/oidc v0.6.4
github.com/caos/oidc v0.7.0
github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
github.com/cockroachdb/cockroach-go/v2 v2.0.4
github.com/envoyproxy/protoc-gen-validate v0.4.0
github.com/ghodss/yaml v1.0.0
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
github.com/golang/mock v1.4.3
github.com/golang/mock v1.4.4
github.com/golang/protobuf v1.4.2
github.com/google/go-cmp v0.5.1 // indirect
github.com/gorilla/csrf v1.7.0

6
go.sum
View File

@ -71,8 +71,8 @@ github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBW
github.com/caos/logging v0.0.0-20191210002624-b3260f690a6a/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0=
github.com/caos/logging v0.0.2 h1:ebg5C/HN0ludYR+WkvnFjwSExF4wvyiWPyWGcKMYsoo=
github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0=
github.com/caos/oidc v0.6.4 h1:BrtKcK004kkJqTBLP73tZat3SXozYMxqZrQ7mDpx+nY=
github.com/caos/oidc v0.6.4/go.mod h1:f3bYdAHhN9WS3VxYgy5c9wgsiJ3qNrek1r7ktgHriDs=
github.com/caos/oidc v0.7.0 h1:KmZ/sHBqBvfn2g8ExlBJEbQKGViJsKfxZsAXfMOkPZ0=
github.com/caos/oidc v0.7.0/go.mod h1:mnuSyFmv+WSuk2C/zps445xiMU9dW384/pV4WnIS8b0=
github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@ -140,6 +140,8 @@ github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
github.com/golang/mock v1.4.3 h1:GV+pQPG/EUUbkh47niozDcADz6go/dUwhVzdUQHIVRw=
github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc=
github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=

2
internal/api/grpc/management/application.go
View File

@ -17,7 +17,7 @@ func (s *Server) SearchApplications(ctx context.Context, in *management.Applicat
}
func (s *Server) ApplicationByID(ctx context.Context, in *management.ApplicationID) (*management.ApplicationView, error) {
app, err := s.project.ApplicationByID(ctx, in.Id)
app, err := s.project.ApplicationByID(ctx, in.ProjectId, in.Id)
if err != nil {
return nil, err
}

37
internal/api/grpc/management/application_converter.go
View File

@ -52,6 +52,10 @@ func oidcConfigFromModel(config *proj_model.OIDCConfig) *management.OIDCConfig {
ClientSecret: config.ClientSecretString,
AuthMethodType: oidcAuthMethodTypeFromModel(config.AuthMethodType),
PostLogoutRedirectUris: config.PostLogoutRedirectUris,
Version: oidcVersionFromModel(config.OIDCVersion),
NoneCompliant: config.Compliance.NoneCompliant,
ComplianceProblems: complianceProblemsToLocalizedMessages(config.Compliance.Problems),
DevMode: config.DevMode,
}
}
@ -64,9 +68,22 @@ func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *manage
ClientId: app.OIDCClientID,
AuthMethodType: oidcAuthMethodTypeFromModel(app.OIDCAuthMethodType),
PostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
Version: oidcVersionFromModel(app.OIDCVersion),
NoneCompliant: app.NoneCompliant,
ComplianceProblems: complianceProblemsToLocalizedMessages(app.ComplianceProblems),
DevMode: app.DevMode,
}
}
func complianceProblemsToLocalizedMessages(problems []string) []*message.LocalizedMessage {
converted := make([]*message.LocalizedMessage, len(problems))
for i, p := range problems {
converted[i] = message.NewLocalizedMessage(p)
}
return converted
}
func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.Application {
return &proj_model.Application{
ObjectRoot: models.ObjectRoot{
@ -75,12 +92,14 @@ func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.App
Name: app.Name,
Type: proj_model.AppTypeOIDC,
OIDCConfig: &proj_model.OIDCConfig{
OIDCVersion: oidcVersionToModel(app.Version),
RedirectUris: app.RedirectUris,
ResponseTypes: oidcResponseTypesToModel(app.ResponseTypes),
GrantTypes: oidcGrantTypesToModel(app.GrantTypes),
ApplicationType: oidcApplicationTypeToModel(app.ApplicationType),
AuthMethodType: oidcAuthMethodTypeToModel(app.AuthMethodType),
PostLogoutRedirectUris: app.PostLogoutRedirectUris,
DevMode: app.DevMode,
},
}
}
@ -107,6 +126,7 @@ func oidcConfigUpdateToModel(app *management.OIDCConfigUpdate) *proj_model.OIDCC
ApplicationType: oidcApplicationTypeToModel(app.ApplicationType),
AuthMethodType: oidcAuthMethodTypeToModel(app.AuthMethodType),
PostLogoutRedirectUris: app.PostLogoutRedirectUris,
DevMode: app.DevMode,
}
}
@ -284,6 +304,14 @@ func oidcApplicationTypeToModel(appType management.OIDCApplicationType) proj_mod
return proj_model.OIDCApplicationTypeWeb
}
func oidcVersionToModel(version management.OIDCVersion) proj_model.OIDCVersion {
switch version {
case management.OIDCVersion_OIDCV1_0:
return proj_model.OIDCVersionV1
}
return proj_model.OIDCVersionV1
}
func oidcApplicationTypeFromModel(appType proj_model.OIDCApplicationType) management.OIDCApplicationType {
switch appType {
case proj_model.OIDCApplicationTypeWeb:
@ -323,6 +351,15 @@ func oidcAuthMethodTypeFromModel(authType proj_model.OIDCAuthMethodType) managem
}
}
func oidcVersionFromModel(version proj_model.OIDCVersion) management.OIDCVersion {
switch version {
case proj_model.OIDCVersionV1:
return management.OIDCVersion_OIDCV1_0
default:
return management.OIDCVersion_OIDCV1_0
}
}
func appChangesToResponse(response *proj_model.ApplicationChanges, offset uint64, limit uint64) (_ *management.Changes) {
return &management.Changes{
Limit: limit,

104
internal/api/grpc/management/user_grant.go
View File

@ -67,107 +67,3 @@ func (s *Server) BulkRemoveUserGrant(ctx context.Context, in *management.UserGra
err := s.usergrant.BulkRemoveUserGrant(ctx, userGrantRemoveBulkToModel(in)...)
return &empty.Empty{}, err
}
func (s *Server) SearchProjectUserGrants(ctx context.Context, in *management.ProjectUserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
request := projectUserGrantSearchRequestsToModel(in)
request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
request.AppendProjectIDQuery(in.ProjectId)
response, err := s.usergrant.SearchUserGrants(ctx, request)
if err != nil {
return nil, err
}
return userGrantSearchResponseFromModel(response), nil
}
func (s *Server) ProjectUserGrantByID(ctx context.Context, request *management.ProjectUserGrantID) (*management.UserGrantView, error) {
user, err := s.usergrant.UserGrantByID(ctx, request.Id)
if err != nil {
return nil, err
}
return userGrantViewFromModel(user), nil
}
func (s *Server) CreateProjectUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) {
user, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))
if err != nil {
return nil, err
}
return usergrantFromModel(user), nil
}
func (s *Server) UpdateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantUpdate) (*management.UserGrant, error) {
user, err := s.usergrant.ChangeUserGrant(ctx, projectUserGrantUpdateToModel(in))
if err != nil {
return nil, err
}
return usergrantFromModel(user), nil
}
func (s *Server) DeactivateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantID) (*management.UserGrant, error) {
user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
if err != nil {
return nil, err
}
return usergrantFromModel(user), nil
}
func (s *Server) ReactivateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantID) (*management.UserGrant, error) {
user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
if err != nil {
return nil, err
}
return usergrantFromModel(user), nil
}
func (s *Server) SearchProjectGrantUserGrants(ctx context.Context, in *management.ProjectGrantUserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
grant, err := s.project.ProjectGrantByID(ctx, in.ProjectGrantId)
if err != nil {
return nil, err
}
request := projectGrantUserGrantSearchRequestsToModel(in)
request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
request.AppendProjectIDQuery(grant.ProjectID)
response, err := s.usergrant.SearchUserGrants(ctx, request)
if err != nil {
return nil, err
}
return userGrantSearchResponseFromModel(response), nil
}
func (s *Server) ProjectGrantUserGrantByID(ctx context.Context, request *management.ProjectGrantUserGrantID) (*management.UserGrantView, error) {
user, err := s.usergrant.UserGrantByID(ctx, request.Id)
if err != nil {
return nil, err
}
return userGrantViewFromModel(user), nil
}
func (s *Server) CreateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantCreate) (*management.UserGrant, error) {
user, err := s.usergrant.AddUserGrant(ctx, projectGrantUserGrantCreateToModel(in))
if err != nil {
return nil, err
}
return usergrantFromModel(user), nil
}
func (s *Server) UpdateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantUpdate) (*management.UserGrant, error) {
user, err := s.usergrant.ChangeUserGrant(ctx, projectGrantUserGrantUpdateToModel(in))
if err != nil {
return nil, err
}
return usergrantFromModel(user), nil
}
func (s *Server) DeactivateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantID) (*management.UserGrant, error) {
user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
if err != nil {
return nil, err
}
return usergrantFromModel(user), nil
}
func (s *Server) ReactivateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantID) (*management.UserGrant, error) {
user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
if err != nil {
return nil, err
}
return usergrantFromModel(user), nil
}

23
internal/api/grpc/management/user_grant_converter.go
View File

@ -69,29 +69,6 @@ func userGrantRemoveBulkToModel(u *management.UserGrantRemoveBulk) []string {
return ids
}
func projectUserGrantUpdateToModel(u *management.ProjectUserGrantUpdate) *grant_model.UserGrant {
return &grant_model.UserGrant{
ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
RoleKeys: u.RoleKeys,
}
}
func projectGrantUserGrantCreateToModel(u *management.ProjectGrantUserGrantCreate) *grant_model.UserGrant {
return &grant_model.UserGrant{
UserID: u.UserId,
ProjectID: u.ProjectId,
RoleKeys: u.RoleKeys,
GrantID: u.ProjectGrantId,
}
}
func projectGrantUserGrantUpdateToModel(u *management.ProjectGrantUserGrantUpdate) *grant_model.UserGrant {
return &grant_model.UserGrant{
ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
RoleKeys: u.RoleKeys,
}
}
func userGrantSearchRequestsToModel(project *management.UserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
return &grant_model.UserGrantSearchRequest{
Offset: project.Offset,

32
internal/api/oidc/client_converter.go
View File

@ -1,6 +1,7 @@
package oidc
import (
"github.com/caos/oidc/pkg/oidc"
"time"
"github.com/caos/oidc/pkg/op"
@ -27,7 +28,7 @@ func (c *Client) ApplicationType() op.ApplicationType {
return op.ApplicationType(c.OIDCApplicationType)
}
func (c *Client) GetAuthMethod() op.AuthMethod {
func (c *Client) AuthMethod() op.AuthMethod {
return authMethodToOIDC(c.OIDCAuthMethodType)
}
@ -47,6 +48,14 @@ func (c *Client) PostLogoutRedirectURIs() []string {
return c.OIDCPostLogoutRedirectUris
}
func (c *Client) ResponseTypes() []oidc.ResponseType {
return responseTypesToOIDC(c.OIDCResponseTypes)
}
func (c *Client) DevMode() bool {
return c.ApplicationView.DevMode
}
func (c *Client) AccessTokenLifetime() time.Duration {
return c.defaultAccessTokenLifetime //PLANNED: impl from real client
}
@ -71,3 +80,24 @@ func authMethodToOIDC(authType model.OIDCAuthMethodType) op.AuthMethod {
return op.AuthMethodBasic
}
}
func responseTypesToOIDC(responseTypes []model.OIDCResponseType) []oidc.ResponseType {
oidcTypes := make([]oidc.ResponseType, len(responseTypes))
for i, t := range responseTypes {
oidcTypes[i] = responseTypeToOIDC(t)
}
return oidcTypes
}
func responseTypeToOIDC(responseType model.OIDCResponseType) oidc.ResponseType {
switch responseType {
case model.OIDCResponseTypeCode:
return oidc.ResponseTypeCode
case model.OIDCResponseTypeIDTokenToken:
return oidc.ResponseTypeIDToken
case model.OIDCResponseTypeIDToken:
return oidc.ResponseTypeIDTokenOnly
default:
return oidc.ResponseTypeCode
}
}

29
internal/management/repository/eventsourcing/eventstore/project.go
View File

@ -296,10 +296,31 @@ func (repo *ProjectRepo) ProjectChanges(ctx context.Context, id string, lastSequ
return changes, nil
}
func (repo *ProjectRepo) ApplicationByID(ctx context.Context, appID string) (*proj_model.ApplicationView, error) {
app, err := repo.View.ApplicationByID(appID)
if err != nil {
return nil, err
func (repo *ProjectRepo) ApplicationByID(ctx context.Context, projectID, appID string) (*proj_model.ApplicationView, error) {
app, viewErr := repo.View.ApplicationByID(appID)
if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
return nil, viewErr
}
if caos_errs.IsNotFound(viewErr) {
app = new(model.ApplicationView)
}
events, esErr := repo.ProjectEvents.ProjectEventsByID(ctx, projectID, app.Sequence)
if caos_errs.IsNotFound(viewErr) && len(events) == 0 {
return nil, caos_errs.ThrowNotFound(nil, "EVENT-Fshu8", "Errors.Application.NotFound")
}
if esErr != nil {
logging.Log("EVENT-SLCo9").WithError(viewErr).Debug("error retrieving new events")
return model.ApplicationViewToModel(app), nil
}
viewApp := *app
for _, event := range events {
err := app.AppendEvent(event)
if err != nil {
return model.ApplicationViewToModel(&viewApp), nil
}
}
return model.ApplicationViewToModel(app), nil
}

2
internal/management/repository/project.go
View File

@ -32,7 +32,7 @@ type ProjectRepository interface {
ProjectChanges(ctx context.Context, id string, lastSequence uint64, limit uint64, sortAscending bool) (*model.ProjectChanges, error)
BulkAddProjectRole(ctx context.Context, role []*model.ProjectRole) error
ApplicationByID(ctx context.Context, appID string) (*model.ApplicationView, error)
ApplicationByID(ctx context.Context, projectID, appID string) (*model.ApplicationView, error)
AddApplication(ctx context.Context, app *model.Application) (*model.Application, error)
ChangeApplication(ctx context.Context, app *model.Application) (*model.Application, error)
DeactivateApplication(ctx context.Context, projectID, appID string) (*model.Application, error)

4
internal/project/model/application_view.go
View File

@ -14,6 +14,7 @@ type ApplicationView struct {
State AppState
IsOIDC bool
OIDCVersion OIDCVersion
OIDCClientID string
OIDCRedirectUris []string
OIDCResponseTypes []OIDCResponseType
@ -21,6 +22,9 @@ type ApplicationView struct {
OIDCApplicationType OIDCApplicationType
OIDCAuthMethodType OIDCAuthMethodType
OIDCPostLogoutRedirectUris []string
NoneCompliant bool
ComplianceProblems []string
DevMode bool
Sequence uint64
}

175
internal/project/model/oidc_config.go
View File

@ -12,6 +12,13 @@ import (
"github.com/caos/zitadel/internal/id"
)
const (
http = "http://"
httpLocalhost = "http://localhost:"
httpLocalhost2 = "http://localhost/"
https = "https://"
)
type OIDCConfig struct {
es_models.ObjectRoot
AppID string
@ -24,8 +31,17 @@ type OIDCConfig struct {
ApplicationType OIDCApplicationType
AuthMethodType OIDCAuthMethodType
PostLogoutRedirectUris []string
OIDCVersion OIDCVersion
Compliance *Compliance
DevMode bool
}
type OIDCVersion int32
const (
OIDCVersionV1 OIDCVersion = iota
)
type OIDCResponseType int32
const (
@ -58,10 +74,15 @@ const (
OIDCAuthMethodTypeNone
)
type Compliance struct {
NoneCompliant bool
Problems []string
}
func (c *OIDCConfig) IsValid() bool {
grantTypes := c.getRequiredGrantTypes()
for _, grantType := range grantTypes {
ok := c.containsGrantType(grantType)
ok := containsOIDCGrantType(c.GrantTypes, grantType)
if !ok {
return false
}
@ -97,6 +118,113 @@ func (c *OIDCConfig) GenerateNewClientSecret(generator crypto.Generator) (string
return stringSecret, nil
}
func (c *OIDCConfig) FillCompliance() {
c.Compliance = GetOIDCCompliance(c.OIDCVersion, c.ApplicationType, c.GrantTypes, c.ResponseTypes, c.AuthMethodType, c.RedirectUris)
}
func GetOIDCCompliance(version OIDCVersion, appType OIDCApplicationType, grantTypes []OIDCGrantType, responseTypes []OIDCResponseType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
switch version {
case OIDCVersionV1:
return GetOIDCV1Compliance(appType, grantTypes, authMethod, redirectUris)
}
return nil
}
func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
compliance := &Compliance{NoneCompliant: false}
if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) && containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
CheckRedirectUrisImplicitAndCode(compliance, appType, redirectUris)
} else {
if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) {
CheckRedirectUrisImplicit(compliance, appType, redirectUris)
}
if containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
CheckRedirectUrisCode(compliance, appType, redirectUris)
}
}
switch appType {
case OIDCApplicationTypeNative:
GetOIDCV1NativeApplicationCompliance(compliance, authMethod)
case OIDCApplicationTypeUserAgent:
GetOIDCV1UserAgentApplicationCompliance(compliance, authMethod)
}
if compliance.NoneCompliant {
compliance.Problems = append([]string{"Application.OIDC.V1.NotCompliant"}, compliance.Problems...)
}
return compliance
}
func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
if authMethod != OIDCAuthMethodTypeNone {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.AuthMethodType.NotNone")
}
}
func GetOIDCV1UserAgentApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
if authMethod != OIDCAuthMethodTypeNone {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.UserAgent.AuthMethodType.NotNone")
}
}
func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
if urlsAreHttps(redirectUris) {
return
}
if urlContainsPrefix(redirectUris, http) && appType != OIDCApplicationTypeWeb {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
}
if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative")
}
}
func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
if urlsAreHttps(redirectUris) {
return
}
if containsCustom(redirectUris) {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
}
if urlContainsPrefix(redirectUris, http) {
if appType == OIDCApplicationTypeNative {
if !onlyLocalhostIsHttp(redirectUris) {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
}
return
}
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed")
}
}
func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
if urlsAreHttps(redirectUris) {
return
}
if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
}
if (urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeNative {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpLocalhostOnlyForNative")
}
if urlContainsPrefix(redirectUris, http) && !(urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeWeb {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
}
if !compliance.NoneCompliant {
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.NotAllCombinationsAreAllowed")
}
}
func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
grantTypes := make([]OIDCGrantType, 0)
implicit := false
@ -106,6 +234,7 @@ func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
grantTypes = append(grantTypes, OIDCGrantTypeAuthorizationCode)
case OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken:
if !implicit {
implicit = true
grantTypes = append(grantTypes, OIDCGrantTypeImplicit)
}
}
@ -113,11 +242,49 @@ func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
return grantTypes
}
func (c *OIDCConfig) containsGrantType(grantType OIDCGrantType) bool {
for _, t := range c.GrantTypes {
if t == grantType {
func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
for _, gt := range grantTypes {
if gt == grantType {
return true
}
}
return false
}
func urlsAreHttps(uris []string) bool {
for _, uri := range uris {
if !strings.HasPrefix(uri, https) {
return false
}
}
return true
}
func urlContainsPrefix(uris []string, prefix string) bool {
for _, uri := range uris {
if strings.HasPrefix(uri, prefix) {
return true
}
}
return false
}
func containsCustom(uris []string) bool {
for _, uri := range uris {
if !strings.HasPrefix(uri, http) && !strings.HasPrefix(uri, https) {
return true
}
}
return false
}
func onlyLocalhostIsHttp(uris []string) bool {
for _, uri := range uris {
if strings.HasPrefix(uri, http) {
if !strings.HasPrefix(uri, httpLocalhost) && !strings.HasPrefix(uri, httpLocalhost2) {
return false
}
}
}
return true
}

869
internal/project/model/oidc_config_test.go Normal file
View File

@ -0,0 +1,869 @@
package model
import (
"reflect"
"testing"
)
func TestGetOIDCC1Compliance(t *testing.T) {
type args struct {
appType OIDCApplicationType
grantTypes []OIDCGrantType
authMethod OIDCAuthMethodType
redirectUris []string
}
type result struct {
noneCompliant bool
complianceProblems []string
}
tests := []struct {
name string
args args
result result
}{
{
name: "Native: codeflow custom redirect (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: codeflow http redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "Native: codeflow http://localhost redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "Native: codeflow http://localhost: redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "Native: codeflow https redirect (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: codeflow invalid authmethod type (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypePost,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Native.AuthMethodType.NotNone",
},
},
},
{
name: "Native: implicit custom redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
{
name: "Native: implicit http redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost",
},
},
},
{
name: "Native: implicit http://localhost redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: implicit http://localhost: redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: implicit https redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: implicit and code (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: implicit and code (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "Web: code https redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Web: code http redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Web: code custom redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative",
},
},
},
{
name: "Web: implicit https uri (compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Web: implicit http redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "Web: implicit custom redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
{
name: "Web: implicit http://localhost redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "Web: implicit http://localhost: redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "Web: implicit and code (compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Web: implicit and code (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
{
name: "UserAgent: code https redirect (compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "UserAgent: code http redirect (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "UserAgent: code http:localhost redirect (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "UserAgent: code http:localhost redirect (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "UserAgent: code custom redirect (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative",
},
},
},
{
name: "UserAgent: code authmethod type not none (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypePost,
redirectUris: []string{
"https://zitadel.chauth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.UserAgent.AuthMethodType.NotNone",
},
},
},
{
name: "UserAgent: implicit https redirect (compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "UserAgent: implicit http redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "UserAgent: implicit custom redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
{
name: "UserAgent: implicit http://localhost redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "UserAgent: implicit http://localhost: redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "UserAgent: implicit auth method not none (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypePost,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.UserAgent.AuthMethodType.NotNone",
},
},
},
{
name: "UserAgent: implicit and code (compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "UserAgent: implicit and code (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := GetOIDCV1Compliance(tt.args.appType, tt.args.grantTypes, tt.args.authMethod, tt.args.redirectUris)
if tt.result.noneCompliant != result.NoneCompliant {
t.Errorf("got wrong result nonecompliant: expected: %v, actual: %v ", tt.result.noneCompliant, result.NoneCompliant)
}
if tt.result.noneCompliant {
if len(tt.result.complianceProblems) != len(result.Problems) {
t.Errorf("got wrong result compliance problems len: expected: %v, actual: %v ", len(tt.result.complianceProblems), len(result.Problems))
}
if !reflect.DeepEqual(tt.result.complianceProblems, result.Problems) {
t.Errorf("got wrong result compliance problems: expected: %v, actual: %v ", tt.result.complianceProblems, result.Problems)
}
}
})
}
}
func TestGetRequiredGrantTypes(t *testing.T) {
type args struct {
oidcConfig OIDCConfig
}
tests := []struct {
name string
args args
result []OIDCGrantType
}{
{
name: "oidc response type code",
args: args{
oidcConfig: OIDCConfig{
ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
},
},
result: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
},
{
name: "oidc response type id_token",
args: args{
oidcConfig: OIDCConfig{
ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken},
},
},
result: []OIDCGrantType{OIDCGrantTypeImplicit},
},
{
name: "oidc response type id_token and id_token token",
args: args{
oidcConfig: OIDCConfig{
ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
},
},
result: []OIDCGrantType{OIDCGrantTypeImplicit},
},
{
name: "oidc response type code, id_token and id_token token",
args: args{
oidcConfig: OIDCConfig{
ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode, OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
},
},
result: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := tt.args.oidcConfig.getRequiredGrantTypes()
if !reflect.DeepEqual(tt.result, result) {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
}
})
}
}
func TestContainsOIDCGrantType(t *testing.T) {
type args struct {
grantTypes []OIDCGrantType
grantType OIDCGrantType
}
tests := []struct {
name string
args args
result bool
}{
{
name: "contains grant type",
args: args{
grantTypes: []OIDCGrantType{
OIDCGrantTypeAuthorizationCode,
OIDCGrantTypeImplicit,
},
grantType: OIDCGrantTypeImplicit,
},
result: true,
},
{
name: "doesnt contain grant type",
args: args{
grantTypes: []OIDCGrantType{
OIDCGrantTypeAuthorizationCode,
OIDCGrantTypeRefreshToken,
},
grantType: OIDCGrantTypeImplicit,
},
result: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := containsOIDCGrantType(tt.args.grantTypes, tt.args.grantType)
if result != tt.result {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
}
})
}
}
func TestUrlsAreHttps(t *testing.T) {
type args struct {
uris []string
}
tests := []struct {
name string
args args
result bool
}{
{
name: "only https uris",
args: args{
uris: []string{
"https://zitadel.ch",
"https://caos.ch",
},
},
result: true,
},
{
name: "http localhost uris",
args: args{
uris: []string{
"https://zitadel.com",
"http://localhost",
},
},
result: false,
},
{
name: "http not localhsot",
args: args{
uris: []string{
"https://zitadel.com",
"http://caos.ch",
},
},
result: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := urlsAreHttps(tt.args.uris)
if result != tt.result {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
}
})
}
}
func TestOnlyLocalhostIsHttp(t *testing.T) {
type args struct {
uris []string
}
tests := []struct {
name string
args args
result bool
}{
{
name: "http not localhost",
args: args{
uris: []string{
"https://zitadel.com",
"http://caos.ch",
},
},
result: false,
},
{
name: "http localhost/",
args: args{
uris: []string{
"https://zitadel.com",
"http://localhost/auth/callback",
},
},
result: true,
},
{
name: "http not localhost:",
args: args{
uris: []string{
"https://zitadel.com",
"http://localhost:9090",
},
},
result: true,
},
{
name: "http not localhost",
args: args{
uris: []string{
"https://zitadel.com",
"http://localhost:9090",
"http://zitadel.ch",
},
},
result: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := onlyLocalhostIsHttp(tt.args.uris)
if result != tt.result {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
}
})
}
}

1
internal/project/repository/eventsourcing/eventstore.go
View File

@ -534,6 +534,7 @@ func (es *ProjectEventstore) AddApplication(ctx context.Context, app *proj_model
if _, a := model.GetApplication(repoProject.Applications, app.AppID); a != nil {
converted := model.AppToModel(a)
converted.OIDCConfig.ClientSecretString = stringPw
converted.OIDCConfig.FillCompliance()
return converted, nil
}
return nil, caos_errs.ThrowInternal(nil, "EVENT-GvPct", "Errors.Internal")

16
internal/project/repository/eventsourcing/model/oidc_config.go
View File

@ -11,6 +11,7 @@ import (
type OIDCConfig struct {
es_models.ObjectRoot
Version int32 `json:"oidcVersion,omitempty"`
AppID string `json:"appId"`
ClientID string `json:"clientId,omitempty"`
ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
@ -20,6 +21,7 @@ type OIDCConfig struct {
ApplicationType int32 `json:"applicationType,omitempty"`
AuthMethodType int32 `json:"authMethodType,omitempty"`
PostLogoutRedirectUris []string `json:"postLogoutRedirectUris,omitempty"`
DevMode bool `json:"devMode,omitempty"`
}
func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
@ -40,9 +42,15 @@ func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
if c.AuthMethodType != changed.AuthMethodType {
changes["authMethodType"] = changed.AuthMethodType
}
if c.Version != changed.Version {
changes["oidcVersion"] = changed.Version
}
if !reflect.DeepEqual(c.PostLogoutRedirectUris, changed.PostLogoutRedirectUris) {
changes["postLogoutRedirectUris"] = changed.PostLogoutRedirectUris
}
if c.DevMode != changed.DevMode {
changes["devMode"] = changed.DevMode
}
return changes
}
@ -58,6 +66,7 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
return &OIDCConfig{
ObjectRoot: config.ObjectRoot,
AppID: config.AppID,
Version: int32(config.OIDCVersion),
ClientID: config.ClientID,
ClientSecret: config.ClientSecret,
RedirectUris: config.RedirectUris,
@ -66,6 +75,7 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
ApplicationType: int32(config.ApplicationType),
AuthMethodType: int32(config.AuthMethodType),
PostLogoutRedirectUris: config.PostLogoutRedirectUris,
DevMode: config.DevMode,
}
}
@ -78,9 +88,10 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
for i, rt := range config.GrantTypes {
grantTypes[i] = model.OIDCGrantType(rt)
}
return &model.OIDCConfig{
oidcConfig := &model.OIDCConfig{
ObjectRoot: config.ObjectRoot,
AppID: config.AppID,
OIDCVersion: model.OIDCVersion(config.Version),
ClientID: config.ClientID,
ClientSecret: config.ClientSecret,
RedirectUris: config.RedirectUris,
@ -89,7 +100,10 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
ApplicationType: model.OIDCApplicationType(config.ApplicationType),
AuthMethodType: model.OIDCAuthMethodType(config.AuthMethodType),
PostLogoutRedirectUris: config.PostLogoutRedirectUris,
DevMode: config.DevMode,
}
oidcConfig.FillCompliance()
return oidcConfig
}
func (p *Project) appendAddOIDCConfigEvent(event *es_models.Event) error {

2
internal/project/repository/eventsourcing/project.go
View File

@ -2,6 +2,7 @@ package eventsourcing
import (
"context"
"github.com/caos/zitadel/internal/api/authz"
"github.com/caos/zitadel/internal/crypto"
"github.com/caos/zitadel/internal/errors"
@ -46,6 +47,7 @@ func ProjectCreateAggregate(aggCreator *es_models.AggregateCreator, project *mod
}
validationQuery := es_models.NewSearchQuery().
AggregateTypeFilter(model.ProjectAggregate).
ResourceOwnerFilter(authz.GetCtxData(ctx).OrgID).
EventTypesFilter(model.ProjectAdded, model.ProjectChanged, model.ProjectRemoved)
validation := addProjectValidation(project.Name)

23
internal/project/repository/view/model/application.go
View File

@ -28,6 +28,7 @@ type ApplicationView struct {
State int32 `json:"-" gorm:"column:app_state"`
IsOIDC bool `json:"-" gorm:"column:is_oidc"`
OIDCVersion int32 `json:"oidcVersion" gorm:"column:oidc_version"`
OIDCClientID string `json:"clientId" gorm:"column:oidc_client_id"`
OIDCRedirectUris pq.StringArray `json:"redirectUris" gorm:"column:oidc_redirect_uris"`
OIDCResponseTypes pq.Int64Array `json:"responseTypes" gorm:"column:oidc_response_types"`
@ -35,6 +36,9 @@ type ApplicationView struct {
OIDCApplicationType int32 `json:"applicationType" gorm:"column:oidc_application_type"`
OIDCAuthMethodType int32 `json:"authMethodType" gorm:"column:oidc_auth_method_type"`
OIDCPostLogoutRedirectUris pq.StringArray `json:"postLogoutRedirectUris" gorm:"column:oidc_post_logout_redirect_uris"`
NoneCompliant bool `json:"-" gorm:"column:none_compliant"`
ComplianceProblems pq.StringArray `json:"-" gorm:"column:compliance_problems"`
DevMode bool `json:"devMode" gorm:"column:dev_mode"`
Sequence uint64 `json:"-" gorm:"sequence"`
}
@ -57,6 +61,7 @@ func ApplicationViewFromModel(app *model.ApplicationView) *ApplicationView {
OIDCApplicationType: int32(app.OIDCApplicationType),
OIDCAuthMethodType: int32(app.OIDCAuthMethodType),
OIDCPostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
DevMode: app.DevMode,
}
}
@ -87,6 +92,7 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
ChangeDate: app.ChangeDate,
IsOIDC: app.IsOIDC,
OIDCVersion: model.OIDCVersion(app.OIDCVersion),
OIDCClientID: app.OIDCClientID,
OIDCRedirectUris: app.OIDCRedirectUris,
OIDCResponseTypes: OIDCResponseTypesToModel(app.OIDCResponseTypes),
@ -94,6 +100,9 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
OIDCApplicationType: model.OIDCApplicationType(app.OIDCApplicationType),
OIDCAuthMethodType: model.OIDCAuthMethodType(app.OIDCAuthMethodType),
OIDCPostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
NoneCompliant: app.NoneCompliant,
ComplianceProblems: app.ComplianceProblems,
DevMode: app.DevMode,
}
}
@ -132,9 +141,17 @@ func (a *ApplicationView) AppendEvent(event *models.Event) (err error) {
case es_model.OIDCConfigAdded:
a.IsOIDC = true
err = a.SetData(event)
if err != nil {
return err
}
a.setCompliance()
case es_model.OIDCConfigChanged,
es_model.ApplicationChanged:
err = a.SetData(event)
if err != nil {
return err
}
a.setCompliance()
case es_model.ApplicationDeactivated:
a.State = int32(model.AppStateInactive)
case es_model.ApplicationReactivated:
@ -154,3 +171,9 @@ func (a *ApplicationView) SetData(event *models.Event) error {
}
return nil
}
func (a *ApplicationView) setCompliance() {
compliance := model.GetOIDCCompliance(model.OIDCVersion(a.OIDCVersion), model.OIDCApplicationType(a.OIDCApplicationType), OIDCGrantTypesToModel(a.OIDCGrantTypes), OIDCResponseTypesToModel(a.OIDCResponseTypes), model.OIDCAuthMethodType(a.OIDCAuthMethodType), a.OIDCPostLogoutRedirectUris)
a.NoneCompliant = compliance.NoneCompliant
a.ComplianceProblems = compliance.Problems
}

21
internal/static/i18n/de.yaml
View File

@ -291,3 +291,24 @@ EventTypes:
removed: ZITADEL Mitglied entfernt
key_pair:
added: Schlüsselpaar hinzugefügt
Application:
OIDC:
V1:
NotCompliant: Deine Konfiguration ist nicht konform und weicht vom OIDC 1.0 Standard ab.
NotAllCombinationsAreAllowed: Die Konfiguration ist konform, jedoch werden nicht alle möglichen Kombinationen erlaubt.
Code:
RedirectUris:
HttpOnlyForWeb: Grant Type Code erlaubt http Redirect Uris nur für den Apptype Web.
CustomOnlyForNative: Grant Type Code erlaubt custom Redirect Uris nur für den Apptype Native. (z.B appname:// )
Implicit:
RedirectUris:
CustomNotAllowed: Grant Type Implicit erlaubt keine custom Redirect Uris.
HttpNotAllowed: Grant Type Implicit erlaubt keine http Redirect Uris.
NativeShouldBeHttpLocalhost: Grant Type Implicit erlaubt beim Apptype Native http nur mit localhost (http://localhost)
HttpLocalhostOnlyForNative: Http://localhost Redirect Uri ist nur für Native Applikationen erlaubt.
Native:
AuthMethodType:
NotNone: Bei Native Applikationen sollte der AuthMethodType none sein.
UserAgent:
AuthMethodType:
NotNone: Bei einem User Agent sollte der AuthMethodType none sein.

21
internal/static/i18n/en.yaml
View File

@ -291,3 +291,24 @@ EventTypes:
removed: ZITADEL member removed
key_pair:
added: Key pair added
Application:
OIDC:
V1:
NotCompliant: Your configuration is not compliant and differs from OIDC 1.0 standard.
NotAllCombinationsAreAllowed: Configuration is compliant, but not all possible combinations are allowed.
Code:
RedirectUris:
HttpOnlyForWeb: Grant type code only allowed http redirect uris for apptype web.
CustomOnlyForNative: Grant type code only allowes custom redirect uris for apptype native (e.g appname:// )
Implicit:
RedirectUris:
CustomNotAllowed: Grant type implicit doesn't allow custom redirect uris
HttpNotAllowed: Grant tpye implicit doesn't allow http redirect uris
NativeShouldBeHttpLocalhost: Grant tpye implicit only allowed http://localhost for native apptype
HttpLocalhostOnlyForNative: Http://localhost redirect uri is only allowed for native applications.
Native:
AuthMethodType:
NotNone: Native applications should have authmethodtype none.
UserAgent:
AuthMethodType:
NotNone: User agent app should have authmethodtype none.

18
migrations/cockroach/V1.4__compliance.sql Normal file
View File

@ -0,0 +1,18 @@
BEGIN;
ALTER TABLE management.applications ADD COLUMN oidc_version SMALLINT;
ALTER TABLE management.applications ADD COLUMN none_compliant BOOLEAN;
ALTER TABLE management.applications ADD COLUMN compliance_problems TEXT ARRAY;
ALTER TABLE management.applications ADD COLUMN dev_mode BOOLEAN;
ALTER TABLE auth.applications ADD COLUMN oidc_version SMALLINT;
ALTER TABLE auth.applications ADD COLUMN none_compliant BOOLEAN;
ALTER TABLE auth.applications ADD COLUMN compliance_problems TEXT ARRAY;
ALTER TABLE auth.applications ADD COLUMN dev_mode BOOLEAN;
ALTER TABLE authz.applications ADD COLUMN oidc_version SMALLINT;
ALTER TABLE authz.applications ADD COLUMN none_compliant BOOLEAN;
ALTER TABLE authz.applications ADD COLUMN compliance_problems TEXT ARRAY;
ALTER TABLE authz.applications ADD COLUMN dev_mode BOOLEAN;
COMMIT;

24
pkg/grpc/management/application.go Normal file
View File

@ -0,0 +1,24 @@
package management
import (
"github.com/caos/zitadel/internal/api/grpc/server/middleware"
)
func (a *ApplicationView) Localizers() []middleware.Localizer {
if a == nil {
return nil
}
switch configType := a.AppConfig.(type) {
case *ApplicationView_OidcConfig:
if !configType.OidcConfig.NoneCompliant {
return nil
}
localizers := make([]middleware.Localizer, len(configType.OidcConfig.ComplianceProblems))
for i, problem := range configType.OidcConfig.ComplianceProblems {
localizers[i] = problem
}
return localizers
}
return nil
}

60
pkg/grpc/management/management.pb.authoptions.go
View File

@ -553,64 +553,4 @@ var ManagementService_AuthMethods = authz.MethodMapping{
Permission: "user.grant.delete",
CheckParam: "",
},
"/caos.zitadel.management.api.v1.ManagementService/SearchProjectUserGrants": authz.Option{
Permission: "project.user.grant.read",
CheckParam: "ProjectId",
},
"/caos.zitadel.management.api.v1.ManagementService/ProjectUserGrantByID": authz.Option{
Permission: "project.user.grant.read",
CheckParam: "ProjectId",
},
"/caos.zitadel.management.api.v1.ManagementService/CreateProjectUserGrant": authz.Option{
Permission: "project.user.grant.write",
CheckParam: "ProjectId",
},
"/caos.zitadel.management.api.v1.ManagementService/UpdateProjectUserGrant": authz.Option{
Permission: "project.user.grant.write",
CheckParam: "ProjectId",
},
"/caos.zitadel.management.api.v1.ManagementService/DeactivateProjectUserGrant": authz.Option{
Permission: "project.user.grant.write",
CheckParam: "ProjectId",
},
"/caos.zitadel.management.api.v1.ManagementService/ReactivateProjectUserGrant": authz.Option{
Permission: "project.user.grant.write",
CheckParam: "ProjectId",
},
"/caos.zitadel.management.api.v1.ManagementService/SearchProjectGrantUserGrants": authz.Option{
Permission: "project.grant.user.grant.read",
CheckParam: "ProjectGrantId",
},
"/caos.zitadel.management.api.v1.ManagementService/ProjectGrantUserGrantByID": authz.Option{
Permission: "project.grant.user.grant.read",
CheckParam: "ProjectGrantId",
},
"/caos.zitadel.management.api.v1.ManagementService/CreateProjectGrantUserGrant": authz.Option{
Permission: "project.grant.user.grant.write",
CheckParam: "ProjectGrantId",
},
"/caos.zitadel.management.api.v1.ManagementService/UpdateProjectGrantUserGrant": authz.Option{
Permission: "project.grant.user.grant.write",
CheckParam: "ProjectGrantId",
},
"/caos.zitadel.management.api.v1.ManagementService/DeactivateProjectGrantUserGrant": authz.Option{
Permission: "project.grant.user.grant.write",
CheckParam: "ProjectGrantId",
},
"/caos.zitadel.management.api.v1.ManagementService/ReactivateProjectGrantUserGrant": authz.Option{
Permission: "project.grant.user.grant.write",
CheckParam: "ProjectGrantId",
},
}

23010
pkg/grpc/management/management.pb.go
View File

File diff suppressed because it is too large Load Diff

7437
pkg/grpc/management/management.pb.gw.go
View File

File diff suppressed because it is too large Load Diff

240
pkg/grpc/management/mock/management.proto.mock.go
View File

@ -477,46 +477,6 @@ func (mr *MockManagementServiceClientMockRecorder) CreateProjectGrant(arg0, arg1
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateProjectGrant), varargs...)
}
// CreateProjectGrantUserGrant mocks base method
func (m *MockManagementServiceClient) CreateProjectGrantUserGrant(arg0 context.Context, arg1 *management.ProjectGrantUserGrantCreate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "CreateProjectGrantUserGrant", varargs...)
ret0, _ := ret[0].(*management.UserGrant)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// CreateProjectGrantUserGrant indicates an expected call of CreateProjectGrantUserGrant
func (mr *MockManagementServiceClientMockRecorder) CreateProjectGrantUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProjectGrantUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateProjectGrantUserGrant), varargs...)
}
// CreateProjectUserGrant mocks base method
func (m *MockManagementServiceClient) CreateProjectUserGrant(arg0 context.Context, arg1 *management.UserGrantCreate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "CreateProjectUserGrant", varargs...)
ret0, _ := ret[0].(*management.UserGrant)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// CreateProjectUserGrant indicates an expected call of CreateProjectUserGrant
func (mr *MockManagementServiceClientMockRecorder) CreateProjectUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProjectUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateProjectUserGrant), varargs...)
}
// CreateUser mocks base method
func (m *MockManagementServiceClient) CreateUser(arg0 context.Context, arg1 *management.CreateUserRequest, arg2 ...grpc.CallOption) (*management.User, error) {
m.ctrl.T.Helper()
@ -637,46 +597,6 @@ func (mr *MockManagementServiceClientMockRecorder) DeactivateProjectGrant(arg0,
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateProjectGrant), varargs...)
}
// DeactivateProjectGrantUserGrant mocks base method
func (m *MockManagementServiceClient) DeactivateProjectGrantUserGrant(arg0 context.Context, arg1 *management.ProjectGrantUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "DeactivateProjectGrantUserGrant", varargs...)
ret0, _ := ret[0].(*management.UserGrant)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// DeactivateProjectGrantUserGrant indicates an expected call of DeactivateProjectGrantUserGrant
func (mr *MockManagementServiceClientMockRecorder) DeactivateProjectGrantUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateProjectGrantUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateProjectGrantUserGrant), varargs...)
}
// DeactivateProjectUserGrant mocks base method
func (m *MockManagementServiceClient) DeactivateProjectUserGrant(arg0 context.Context, arg1 *management.ProjectUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "DeactivateProjectUserGrant", varargs...)
ret0, _ := ret[0].(*management.UserGrant)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// DeactivateProjectUserGrant indicates an expected call of DeactivateProjectUserGrant
func (mr *MockManagementServiceClientMockRecorder) DeactivateProjectUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateProjectUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateProjectUserGrant), varargs...)
}
// DeactivateUser mocks base method
func (m *MockManagementServiceClient) DeactivateUser(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.User, error) {
m.ctrl.T.Helper()
@ -1357,46 +1277,6 @@ func (mr *MockManagementServiceClientMockRecorder) ProjectGrantByID(arg0, arg1 i
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProjectGrantByID", reflect.TypeOf((*MockManagementServiceClient)(nil).ProjectGrantByID), varargs...)
}
// ProjectGrantUserGrantByID mocks base method
func (m *MockManagementServiceClient) ProjectGrantUserGrantByID(arg0 context.Context, arg1 *management.ProjectGrantUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrantView, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "ProjectGrantUserGrantByID", varargs...)
ret0, _ := ret[0].(*management.UserGrantView)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// ProjectGrantUserGrantByID indicates an expected call of ProjectGrantUserGrantByID
func (mr *MockManagementServiceClientMockRecorder) ProjectGrantUserGrantByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProjectGrantUserGrantByID", reflect.TypeOf((*MockManagementServiceClient)(nil).ProjectGrantUserGrantByID), varargs...)
}
// ProjectUserGrantByID mocks base method
func (m *MockManagementServiceClient) ProjectUserGrantByID(arg0 context.Context, arg1 *management.ProjectUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrantView, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "ProjectUserGrantByID", varargs...)
ret0, _ := ret[0].(*management.UserGrantView)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// ProjectUserGrantByID indicates an expected call of ProjectUserGrantByID
func (mr *MockManagementServiceClientMockRecorder) ProjectUserGrantByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProjectUserGrantByID", reflect.TypeOf((*MockManagementServiceClient)(nil).ProjectUserGrantByID), varargs...)
}
// ReactivateApplication mocks base method
func (m *MockManagementServiceClient) ReactivateApplication(arg0 context.Context, arg1 *management.ApplicationID, arg2 ...grpc.CallOption) (*management.Application, error) {
m.ctrl.T.Helper()
@ -1477,46 +1357,6 @@ func (mr *MockManagementServiceClientMockRecorder) ReactivateProjectGrant(arg0,
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateProjectGrant), varargs...)
}
// ReactivateProjectGrantUserGrant mocks base method
func (m *MockManagementServiceClient) ReactivateProjectGrantUserGrant(arg0 context.Context, arg1 *management.ProjectGrantUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "ReactivateProjectGrantUserGrant", varargs...)
ret0, _ := ret[0].(*management.UserGrant)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// ReactivateProjectGrantUserGrant indicates an expected call of ReactivateProjectGrantUserGrant
func (mr *MockManagementServiceClientMockRecorder) ReactivateProjectGrantUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateProjectGrantUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateProjectGrantUserGrant), varargs...)
}
// ReactivateProjectUserGrant mocks base method
func (m *MockManagementServiceClient) ReactivateProjectUserGrant(arg0 context.Context, arg1 *management.ProjectUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "ReactivateProjectUserGrant", varargs...)
ret0, _ := ret[0].(*management.UserGrant)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// ReactivateProjectUserGrant indicates an expected call of ReactivateProjectUserGrant
func (mr *MockManagementServiceClientMockRecorder) ReactivateProjectUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateProjectUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateProjectUserGrant), varargs...)
}
// ReactivateUser mocks base method
func (m *MockManagementServiceClient) ReactivateUser(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.User, error) {
m.ctrl.T.Helper()
@ -1937,26 +1777,6 @@ func (mr *MockManagementServiceClientMockRecorder) SearchProjectGrantMembers(arg
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectGrantMembers", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectGrantMembers), varargs...)
}
// SearchProjectGrantUserGrants mocks base method
func (m *MockManagementServiceClient) SearchProjectGrantUserGrants(arg0 context.Context, arg1 *management.ProjectGrantUserGrantSearchRequest, arg2 ...grpc.CallOption) (*management.UserGrantSearchResponse, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "SearchProjectGrantUserGrants", varargs...)
ret0, _ := ret[0].(*management.UserGrantSearchResponse)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// SearchProjectGrantUserGrants indicates an expected call of SearchProjectGrantUserGrants
func (mr *MockManagementServiceClientMockRecorder) SearchProjectGrantUserGrants(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectGrantUserGrants", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectGrantUserGrants), varargs...)
}
// SearchProjectGrants mocks base method
func (m *MockManagementServiceClient) SearchProjectGrants(arg0 context.Context, arg1 *management.ProjectGrantSearchRequest, arg2 ...grpc.CallOption) (*management.ProjectGrantSearchResponse, error) {
m.ctrl.T.Helper()
@ -2017,26 +1837,6 @@ func (mr *MockManagementServiceClientMockRecorder) SearchProjectRoles(arg0, arg1
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectRoles", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectRoles), varargs...)
}
// SearchProjectUserGrants mocks base method
func (m *MockManagementServiceClient) SearchProjectUserGrants(arg0 context.Context, arg1 *management.ProjectUserGrantSearchRequest, arg2 ...grpc.CallOption) (*management.UserGrantSearchResponse, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "SearchProjectUserGrants", varargs...)
ret0, _ := ret[0].(*management.UserGrantSearchResponse)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// SearchProjectUserGrants indicates an expected call of SearchProjectUserGrants
func (mr *MockManagementServiceClientMockRecorder) SearchProjectUserGrants(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectUserGrants", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectUserGrants), varargs...)
}
// SearchProjects mocks base method
func (m *MockManagementServiceClient) SearchProjects(arg0 context.Context, arg1 *management.ProjectSearchRequest, arg2 ...grpc.CallOption) (*management.ProjectSearchResponse, error) {
m.ctrl.T.Helper()
@ -2337,46 +2137,6 @@ func (mr *MockManagementServiceClientMockRecorder) UpdateProjectGrant(arg0, arg1
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateProjectGrant), varargs...)
}
// UpdateProjectGrantUserGrant mocks base method
func (m *MockManagementServiceClient) UpdateProjectGrantUserGrant(arg0 context.Context, arg1 *management.ProjectGrantUserGrantUpdate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "UpdateProjectGrantUserGrant", varargs...)
ret0, _ := ret[0].(*management.UserGrant)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// UpdateProjectGrantUserGrant indicates an expected call of UpdateProjectGrantUserGrant
func (mr *MockManagementServiceClientMockRecorder) UpdateProjectGrantUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateProjectGrantUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateProjectGrantUserGrant), varargs...)
}
// UpdateProjectUserGrant mocks base method
func (m *MockManagementServiceClient) UpdateProjectUserGrant(arg0 context.Context, arg1 *management.ProjectUserGrantUpdate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "UpdateProjectUserGrant", varargs...)
ret0, _ := ret[0].(*management.UserGrant)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// UpdateProjectUserGrant indicates an expected call of UpdateProjectUserGrant
func (mr *MockManagementServiceClientMockRecorder) UpdateProjectUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateProjectUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateProjectUserGrant), varargs...)
}
// UpdateUserAddress mocks base method
func (m *MockManagementServiceClient) UpdateUserAddress(arg0 context.Context, arg1 *management.UpdateUserAddressRequest, arg2 ...grpc.CallOption) (*management.UserAddress, error) {
m.ctrl.T.Helper()

222
pkg/grpc/management/proto/management.proto
View File

@ -1247,184 +1247,6 @@ service ManagementService {
permission: "user.grant.delete"
};
}
// search user grants based on a project
// This request is required that the user authorizations of zitadel can be differentiated
rpc SearchProjectUserGrants(ProjectUserGrantSearchRequest) returns (UserGrantSearchResponse) {
option deprecated = true;
option (google.api.http) = {
post: "/projects/{project_id}/users/grants/_search"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.user.grant.read"
check_field_name: "ProjectId"
};
}
// get user grant based on a project
// This request is required that the user authorizations of zitadel can be differentiated
rpc ProjectUserGrantByID(ProjectUserGrantID) returns (UserGrantView) {
option deprecated = true;
option (google.api.http) = {
get: "/projects/{project_id}/users/{user_id}/grants/{id}"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.user.grant.read"
check_field_name: "ProjectId"
};
}
// create user grant based on a project
// This request is required that the user authorizations of zitadel can be differentiated
rpc CreateProjectUserGrant(UserGrantCreate) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = {
post: "/projects/{project_id}/users/{user_id}/grants"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.user.grant.write"
check_field_name: "ProjectId"
};
}
// update user grant based on a project
// This request is required that the user authorizations of zitadel can be differentiated
rpc UpdateProjectUserGrant(ProjectUserGrantUpdate) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = {
put: "/projects/{project_id}/users/{user_id}/grants/{id}"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.user.grant.write"
check_field_name: "ProjectId"
};
}
// deactivate user grant based on a project
// This request is required that the user authorizations of zitadel can be differentiated
rpc DeactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = {
put: "/projects/{project_id}/users/{user_id}/grants/{id}/_deactivate"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.user.grant.write"
check_field_name: "ProjectId"
};
}
// reactivate user grant based on a project
// This request is required that the user authorizations of zitadel can be differentiated
rpc ReactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = {
put: "/projects/{project_id}/users/{user_id}/grants/{id}/_reactivate"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.user.grant.write"
check_field_name: "ProjectId"
};
}
// search user grants based on a projectgrant
// This request is required that the user authorizations of zitadel can be differentiated
rpc SearchProjectGrantUserGrants(ProjectGrantUserGrantSearchRequest) returns (UserGrantSearchResponse) {
option deprecated = true;
option (google.api.http) = {
post: "/projectgrants/{project_grant_id}/users/grants/_search"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.grant.user.grant.read"
check_field_name: "ProjectGrantId"
};
}
// get user grant based on a projectgrant
// This request is required that the user authorizations of zitadel can be differentiated
rpc ProjectGrantUserGrantByID(ProjectGrantUserGrantID) returns (UserGrantView) {
option deprecated = true;
option (google.api.http) = {
get: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.grant.user.grant.read"
check_field_name: "ProjectGrantId"
};
}
// create user grant based on a projectgrant
// This request is required that the user authorizations of zitadel can be differentiated
rpc CreateProjectGrantUserGrant(ProjectGrantUserGrantCreate) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = {
post: "/projectgrants/{project_grant_id}/users/{user_id}/grants"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.grant.user.grant.write"
check_field_name: "ProjectGrantId"
};
}
// update user grant based on a projectgrant
// This request is required that the user authorizations of zitadel can be differentiated
rpc UpdateProjectGrantUserGrant(ProjectGrantUserGrantUpdate) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = {
put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.grant.user.grant.write"
check_field_name: "ProjectGrantId"
};
}
// deactivate user grant based on a projectgrant
// This request is required that the user authorizations of zitadel can be differentiated
rpc DeactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = {
put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_deactivate"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.grant.user.grant.write"
check_field_name: "ProjectGrantId"
};
}
// reactivate user grant based on a projectgrant
// This request is required that the user authorizations of zitadel can be differentiated
rpc ReactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = {
put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_reactivate"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.grant.user.grant.write"
check_field_name: "ProjectGrantId"
};
}
}
message ZitadelDocs {
@ -2335,6 +2157,10 @@ message OIDCConfig {
string client_secret = 6;
OIDCAuthMethodType auth_method_type = 7;
repeated string post_logout_redirect_uris = 8;
OIDCVersion version = 9;
bool none_compliant = 10;
repeated caos.zitadel.api.v1.LocalizedMessage compliance_problems = 11;
bool dev_mode = 12;
}
message OIDCApplicationCreate {
@ -2346,6 +2172,12 @@ message OIDCApplicationCreate {
OIDCApplicationType application_type = 6;
OIDCAuthMethodType auth_method_type = 7;
repeated string post_logout_redirect_uris = 8;
OIDCVersion version = 9;
bool dev_mode = 10;
}
enum OIDCVersion {
OIDCV1_0 = 0;
}
message OIDCConfigUpdate {
@ -2357,6 +2189,7 @@ message OIDCConfigUpdate {
OIDCApplicationType application_type = 6;
OIDCAuthMethodType auth_method_type = 7;
repeated string post_logout_redirect_uris = 8;
bool dev_mode = 9;
}
enum OIDCResponseType {
@ -2630,39 +2463,6 @@ message UserGrantID {
string id = 2;
}
message ProjectUserGrantID {
string project_id = 1;
string user_id = 2;
string id = 3;
}
message ProjectUserGrantUpdate {
string project_id = 1;
string user_id = 2;
string id = 3;
repeated string role_keys = 4;
}
message ProjectGrantUserGrantID {
string project_grant_id = 1;
string user_id = 2;
string id = 3;
}
message ProjectGrantUserGrantCreate {
string user_id = 1;
string project_grant_id = 2;
string project_id = 3 [(validate.rules).string.min_len = 1];
repeated string role_keys = 4;
}
message ProjectGrantUserGrantUpdate {
string project_grant_id = 1;
string user_id = 2;
string id = 3;
repeated string role_keys = 4;
}
enum UserGrantState {
USERGRANTSTATE_UNSPECIFIED = 0;
USERGRANTSTATE_ACTIVE = 1;

4
pkg/grpc/message/message.go
View File

@ -11,3 +11,7 @@ func (m *LocalizedMessage) SetLocalizedMessage(message string) {
func NewLocalizedEventType(key string) *LocalizedMessage {
return &LocalizedMessage{Key: "EventTypes." + key}
}
func NewLocalizedMessage(key string) *LocalizedMessage {
return &LocalizedMessage{Key: key}
}