Merge branch 'master' into new-eventstore

2025-08-12 11:27:33 +00:00 · 2020-11-19 17:20:09 +01:00
parent 4d6497f6c1 fcf81bed5f
commit 609c4d4f24
86 changed files with 294 additions and 113 deletions
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -109,8 +109,6 @@ func (repo *AuthRequestRepo) CreateAuthRequest(ctx context.Context, request *mod
 		return nil, err
 	}
 	request.Audience = appIDs
-	projectIDAud := request.GetScopeProjectIDsForAud()
-	request.Audience = append(request.Audience, projectIDAud...)
 	request.AppendAudIfNotExisting(app.ProjectID)
 	if request.LoginHint != "" {
 		err = repo.checkLoginName(ctx, request, request.LoginHint)
@@ -624,12 +622,16 @@ func (repo *AuthRequestRepo) usersForUserSelection(request *model.AuthRequest) (

 func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView, request *model.AuthRequest, user *user_model.UserView) (model.NextStep, bool, error) {
 	mfaLevel := request.MfaLevel()
-	promptRequired := (user.MfaMaxSetUp < mfaLevel) || !user.HasRequiredOrgMFALevel(request.LoginPolicy)
-	if promptRequired || !repo.mfaSkippedOrSetUp(user, request.LoginPolicy) {
+	allowedProviders, required := user.MfaTypesAllowed(mfaLevel, request.LoginPolicy)
+	promptRequired := (user.MfaMaxSetUp < mfaLevel) || (len(allowedProviders) == 0 && required)
+	if promptRequired || !repo.mfaSkippedOrSetUp(user) {
 		types := user.MfaTypesSetupPossible(mfaLevel, request.LoginPolicy)
 		if promptRequired && len(types) == 0 {
 			return nil, false, errors.ThrowPreconditionFailed(nil, "LOGIN-5Hm8s", "Errors.Login.LoginPolicy.MFA.ForceAndNotConfigured")
 		}
+		if len(types) == 0 {
+			return nil, true, nil
+		}
 		return &model.MfaPromptStep{
 			Required:     promptRequired,
 			MfaProviders: types,
@@ -639,7 +641,7 @@ func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView,
 	default:
 		fallthrough
 	case model.MFALevelNotSetUp:
-		if user.MfaMaxSetUp == model.MFALevelNotSetUp {
+		if len(allowedProviders) == 0 {
 			return nil, true, nil
 		}
 		fallthrough
@@ -658,11 +660,11 @@ func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView,
 		}
 	}
 	return &model.MfaVerificationStep{
-		MfaProviders: user.MfaTypesAllowed(mfaLevel, request.LoginPolicy),
+		MfaProviders: allowedProviders,
 	}, false, nil
 }

-func (repo *AuthRequestRepo) mfaSkippedOrSetUp(user *user_model.UserView, policy *iam_model.LoginPolicyView) bool {
+func (repo *AuthRequestRepo) mfaSkippedOrSetUp(user *user_model.UserView) bool {
 	if user.MfaMaxSetUp > model.MFALevelNotSetUp {
 		return true
 	}
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
@@ -909,6 +909,25 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
 			false,
 			errors.IsPreconditionFailed,
 		},
+		{
+			"not set up, no mfas configured, no prompt and true",
+			fields{
+				MfaInitSkippedLifeTime: 30 * 24 * time.Hour,
+			},
+			args{
+				request: &model.AuthRequest{
+					LoginPolicy: &iam_model.LoginPolicyView{},
+				},
+				user: &user_model.UserView{
+					HumanView: &user_model.HumanView{
+						MfaMaxSetUp: model.MFALevelNotSetUp,
+					},
+				},
+			},
+			nil,
+			true,
+			nil,
+		},
 		{
 			"not set up, prompt and false",
 			fields{
@@ -988,7 +1007,9 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
 			},
 			args{
 				request: &model.AuthRequest{
-					LoginPolicy: &iam_model.LoginPolicyView{},
+					LoginPolicy: &iam_model.LoginPolicyView{
+						SecondFactors: []iam_model.SecondFactorType{iam_model.SecondFactorTypeOTP},
+					},
 				},
 				user: &user_model.UserView{
 					HumanView: &user_model.HumanView{
@@ -1054,8 +1075,7 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
 		MfaInitSkippedLifeTime time.Duration
 	}
 	type args struct {
-		user   *user_model.UserView
-		policy *iam_model.LoginPolicyView
+		user *user_model.UserView
 	}
 	tests := []struct {
 		name   string
@@ -1072,9 +1092,6 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
 						MfaMaxSetUp: model.MFALevelSecondFactor,
 					},
 				},
-				&iam_model.LoginPolicyView{
-					SecondFactors: []iam_model.SecondFactorType{iam_model.SecondFactorTypeOTP},
-				},
 			},
 			true,
 		},
@@ -1090,9 +1107,6 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
 						MfaInitSkipped: time.Now().UTC().Add(-10 * time.Hour),
 					},
 				},
-				&iam_model.LoginPolicyView{
-					SecondFactors: []iam_model.SecondFactorType{iam_model.SecondFactorTypeOTP},
-				},
 			},
 			true,
 		},
@@ -1108,9 +1122,6 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
 						MfaInitSkipped: time.Now().UTC().Add(-40 * 24 * time.Hour),
 					},
 				},
-				&iam_model.LoginPolicyView{
-					SecondFactors: []iam_model.SecondFactorType{iam_model.SecondFactorTypeOTP},
-				},
 			},
 			false,
 		},
@@ -1120,7 +1131,7 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
 			repo := &AuthRequestRepo{
 				MfaInitSkippedLifeTime: tt.fields.MfaInitSkippedLifeTime,
 			}
-			if got := repo.mfaSkippedOrSetUp(tt.args.user, tt.args.policy); got != tt.want {
+			if got := repo.mfaSkippedOrSetUp(tt.args.user); got != tt.want {
 				t.Errorf("mfaSkippedOrSetUp() = %v, want %v", got, tt.want)
 			}
 		})
--- a/internal/auth/repository/eventsourcing/eventstore/token.go
+++ b/internal/auth/repository/eventsourcing/eventstore/token.go
@@ -3,11 +3,13 @@ package eventstore
 import (
 	"context"
 	"github.com/caos/logging"
+	auth_req_model "github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/models"
 	usr_model "github.com/caos/zitadel/internal/user/model"
 	user_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/user/repository/view/model"
+	"strings"
 	"time"

 	"github.com/caos/zitadel/internal/auth/repository/eventsourcing/view"
@@ -18,19 +20,26 @@ type TokenRepo struct {
 	View       *view.View
 }

-func (repo *TokenRepo) CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error) {
+func (repo *TokenRepo) CreateToken(ctx context.Context, agentID, clientID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error) {
 	preferredLanguage := ""
 	user, _ := repo.View.UserByID(userID)
 	if user != nil {
 		preferredLanguage = user.PreferredLanguage
 	}
+
+	for _, scope := range scopes {
+		if strings.HasPrefix(scope, auth_req_model.ProjectIDScope) && strings.HasSuffix(scope, auth_req_model.AudSuffix) {
+			audience = append(audience, strings.TrimSuffix(strings.TrimPrefix(scope, auth_req_model.ProjectIDScope), auth_req_model.AudSuffix))
+		}
+	}
+
 	now := time.Now().UTC()
 	token := &usr_model.Token{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: userID,
 		},
 		UserAgentID:       agentID,
-		ApplicationID:     applicationID,
+		ApplicationID:     clientID,
 		Audience:          audience,
 		Scopes:            scopes,
 		Expiration:        now.Add(lifetime),
@@ -82,3 +91,12 @@ func (repo *TokenRepo) TokenByID(ctx context.Context, userID, tokenID string) (*
 	}
 	return model.TokenViewToModel(token), nil
 }
+
+func AppendAudIfNotExisting(aud string, existingAud []string) []string {
+	for _, a := range existingAud {
+		if a == aud {
+			return existingAud
+		}
+	}
+	return append(existingAud, aud)
+}