feat: enable iframe use (#4766)

* feat: enable iframe use * cleanup * fix mocks * fix linting * docs: add iframe usage to solution scenarios configurations * improve api * feat(console): security policy * description * remove unnecessary line * disable input button and urls when not enabled * add image to docs Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
2025-08-11 19:07:30 +00:00 · 2022-12-14 07:17:36 +01:00
parent 33e973f015
commit 632639ae7f
40 changed files with 1151 additions and 45 deletions
--- a/internal/query/instance.go
+++ b/internal/query/instance.go
@@ -11,6 +11,7 @@ import (
 	"golang.org/x/text/language"

 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/query/projection"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
@@ -81,6 +82,12 @@ type Instance struct {
 	DefaultLang  language.Tag
 	Domains      []*InstanceDomain
 	host         string
+	csp          csp
+}
+
+type csp struct {
+	enabled        bool
+	allowedOrigins database.StringArray
 }

 type Instances struct {
@@ -120,6 +127,13 @@ func (i *Instance) DefaultOrganisationID() string {
 	return i.DefaultOrgID
 }

+func (i *Instance) SecurityPolicyAllowedOrigins() []string {
+	if !i.csp.enabled {
+		return nil
+	}
+	return i.csp.allowedOrigins
+}
+
 type InstanceSearchQueries struct {
 	SearchRequest
 	Queries []SearchQuery
@@ -189,7 +203,7 @@ func (q *Queries) InstanceByHost(ctx context.Context, host string) (_ authz.Inst
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	stmt, scan := prepareInstanceDomainQuery(host)
+	stmt, scan := prepareAuthzInstanceQuery(host)
 	host = strings.Split(host, ":")[0] //remove possible port
 	query, args, err := stmt.Where(sq.Eq{
 		InstanceDomainDomainCol.identifier(): host,
@@ -436,3 +450,92 @@ func prepareInstanceDomainQuery(host string) (sq.SelectBuilder, func(*sql.Rows)
 			return instance, nil
 		}
 }
+
+func prepareAuthzInstanceQuery(host string) (sq.SelectBuilder, func(*sql.Rows) (*Instance, error)) {
+	return sq.Select(
+			InstanceColumnID.identifier(),
+			InstanceColumnCreationDate.identifier(),
+			InstanceColumnChangeDate.identifier(),
+			InstanceColumnSequence.identifier(),
+			InstanceColumnName.identifier(),
+			InstanceColumnDefaultOrgID.identifier(),
+			InstanceColumnProjectID.identifier(),
+			InstanceColumnConsoleID.identifier(),
+			InstanceColumnConsoleAppID.identifier(),
+			InstanceColumnDefaultLanguage.identifier(),
+			InstanceDomainDomainCol.identifier(),
+			InstanceDomainIsPrimaryCol.identifier(),
+			InstanceDomainIsGeneratedCol.identifier(),
+			InstanceDomainCreationDateCol.identifier(),
+			InstanceDomainChangeDateCol.identifier(),
+			InstanceDomainSequenceCol.identifier(),
+			SecurityPolicyColumnEnabled.identifier(),
+			SecurityPolicyColumnAllowedOrigins.identifier(),
+		).
+			From(instanceTable.identifier()).
+			LeftJoin(join(InstanceDomainInstanceIDCol, InstanceColumnID)).
+			LeftJoin(join(SecurityPolicyColumnInstanceID, InstanceColumnID)).
+			PlaceholderFormat(sq.Dollar),
+		func(rows *sql.Rows) (*Instance, error) {
+			instance := &Instance{
+				host:    host,
+				Domains: make([]*InstanceDomain, 0),
+			}
+			lang := ""
+			for rows.Next() {
+				var (
+					domain                sql.NullString
+					isPrimary             sql.NullBool
+					isGenerated           sql.NullBool
+					changeDate            sql.NullTime
+					creationDate          sql.NullTime
+					sequence              sql.NullInt64
+					securityPolicyEnabled sql.NullBool
+				)
+				err := rows.Scan(
+					&instance.ID,
+					&instance.CreationDate,
+					&instance.ChangeDate,
+					&instance.Sequence,
+					&instance.Name,
+					&instance.DefaultOrgID,
+					&instance.IAMProjectID,
+					&instance.ConsoleID,
+					&instance.ConsoleAppID,
+					&lang,
+					&domain,
+					&isPrimary,
+					&isGenerated,
+					&changeDate,
+					&creationDate,
+					&sequence,
+					&securityPolicyEnabled,
+					&instance.csp.allowedOrigins,
+				)
+				if err != nil {
+					return nil, errors.ThrowInternal(err, "QUERY-d3fas", "Errors.Internal")
+				}
+				if !domain.Valid {
+					continue
+				}
+				instance.Domains = append(instance.Domains, &InstanceDomain{
+					CreationDate: creationDate.Time,
+					ChangeDate:   changeDate.Time,
+					Sequence:     uint64(sequence.Int64),
+					Domain:       domain.String,
+					IsPrimary:    isPrimary.Bool,
+					IsGenerated:  isGenerated.Bool,
+					InstanceID:   instance.ID,
+				})
+				instance.csp.enabled = securityPolicyEnabled.Bool
+			}
+			if instance.ID == "" {
+				return nil, errors.ThrowNotFound(nil, "QUERY-n0wng", "Errors.IAM.NotFound")
+			}
+			instance.DefaultLang = language.Make(lang)
+			if err := rows.Close(); err != nil {
+				return nil, errors.ThrowInternal(err, "QUERY-Dfbe2", "Errors.Query.CloseRows")
+			}
+			return instance, nil
+		}
+}