feat: enable iframe use (#4766)

* feat: enable iframe use * cleanup * fix mocks * fix linting * docs: add iframe usage to solution scenarios configurations * improve api * feat(console): security policy * description * remove unnecessary line * disable input button and urls when not enabled * add image to docs Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
2025-08-12 04:57:33 +00:00 · 2022-12-14 07:17:36 +01:00
parent 33e973f015
commit 632639ae7f
40 changed files with 1151 additions and 45 deletions
--- a/internal/command/instance_policy_security.go
+++ b/internal/command/instance_policy_security.go
@@ -0,0 +1,59 @@
+package command
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command/preparation"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+)
+
+func (c *Commands) SetSecurityPolicy(ctx context.Context, enabled bool, allowedOrigins []string) (*domain.ObjectDetails, error) {
+	instanceAgg := instance.NewAggregate(authz.GetInstance(ctx).InstanceID())
+	validation := c.prepareSetSecurityPolicy(instanceAgg, enabled, allowedOrigins)
+	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validation)
+	if err != nil {
+		return nil, err
+	}
+	events, err := c.eventstore.Push(ctx, cmds...)
+	if err != nil {
+		return nil, err
+	}
+	return &domain.ObjectDetails{
+		Sequence:      events[len(events)-1].Sequence(),
+		EventDate:     events[len(events)-1].CreationDate(),
+		ResourceOwner: events[len(events)-1].Aggregate().InstanceID,
+	}, nil
+}
+
+func (c *Commands) prepareSetSecurityPolicy(a *instance.Aggregate, enabled bool, allowedOrigins []string) preparation.Validation {
+	return func() (preparation.CreateCommands, error) {
+		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
+			writeModel, err := c.getSecurityPolicyWriteModel(ctx, filter)
+			if err != nil {
+				return nil, err
+			}
+			cmd, err := writeModel.NewSetEvent(ctx, &a.Aggregate, enabled, allowedOrigins)
+			if err != nil {
+				return nil, err
+			}
+			return []eventstore.Command{cmd}, nil
+		}, nil
+	}
+}
+
+func (c *Commands) getSecurityPolicyWriteModel(ctx context.Context, filter preparation.FilterToQueryReducer) (_ *InstanceSecurityPolicyWriteModel, err error) {
+	writeModel := NewInstanceSecurityPolicyWriteModel(ctx)
+	events, err := filter(ctx, writeModel.Query())
+	if err != nil {
+		return nil, err
+	}
+	if len(events) == 0 {
+		return writeModel, nil
+	}
+	writeModel.AppendEvents(events...)
+	err = writeModel.Reduce()
+	return writeModel, err
+}
--- a/internal/command/instance_policy_security_model.go
+++ b/internal/command/instance_policy_security_model.go
@@ -0,0 +1,73 @@
+package command
+
+import (
+	"context"
+	"reflect"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+)
+
+type InstanceSecurityPolicyWriteModel struct {
+	eventstore.WriteModel
+
+	Enabled        bool
+	AllowedOrigins []string
+}
+
+func NewInstanceSecurityPolicyWriteModel(ctx context.Context) *InstanceSecurityPolicyWriteModel {
+	return &InstanceSecurityPolicyWriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   authz.GetInstance(ctx).InstanceID(),
+			ResourceOwner: authz.GetInstance(ctx).InstanceID(),
+		},
+	}
+}
+
+func (wm *InstanceSecurityPolicyWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		if e, ok := event.(*instance.SecurityPolicySetEvent); ok {
+			if e.Enabled != nil {
+				wm.Enabled = *e.Enabled
+			}
+			if e.AllowedOrigins != nil {
+				wm.AllowedOrigins = *e.AllowedOrigins
+			}
+		}
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *InstanceSecurityPolicyWriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		ResourceOwner(wm.ResourceOwner).
+		AddQuery().
+		AggregateTypes(instance.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		EventTypes(
+			instance.SecurityPolicySetEventType).
+		Builder()
+}
+
+func (wm *InstanceSecurityPolicyWriteModel) NewSetEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	enabled bool,
+	allowedOrigins []string,
+) (*instance.SecurityPolicySetEvent, error) {
+	changes := make([]instance.SecurityPolicyChanges, 0, 2)
+	var err error
+
+	if wm.Enabled != enabled {
+		changes = append(changes, instance.ChangeSecurityPolicyEnabled(enabled))
+	}
+	if enabled && !reflect.DeepEqual(wm.AllowedOrigins, allowedOrigins) {
+		changes = append(changes, instance.ChangeSecurityPolicyAllowedOrigins(allowedOrigins))
+	}
+	changeEvent, err := instance.NewSecurityPolicySetEvent(ctx, aggregate, changes)
+	if err != nil {
+		return nil, err
+	}
+	return changeEvent, nil
+}
--- a/internal/command/main_test.go
+++ b/internal/command/main_test.go
@@ -244,3 +244,7 @@ func (m *mockInstance) RequestedDomain() string {
 func (m *mockInstance) RequestedHost() string {
 	return "zitadel.cloud:443"
 }
+
+func (m *mockInstance) SecurityPolicyAllowedOrigins() []string {
+	return nil
+}