TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-02-28 20:57:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: ensure actions execution on idp flows (#4711)

Browse Source
This commit is contained in:
Livio Spring 2022-11-18 12:49:17 +01:00 committed by GitHub
parent 2a8dfab192
commit 6d787bfd62
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 90 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

236
internal/api/ui/login/external_register_handler.go
View File

@ -2,7 +2,6 @@ package login
import ( import (
"net/http" "net/http"
"strings"
"github.com/zitadel/oidc/v2/pkg/client/rp" "github.com/zitadel/oidc/v2/pkg/client/rp"
"github.com/zitadel/oidc/v2/pkg/oidc" "github.com/zitadel/oidc/v2/pkg/oidc"
@ -121,59 +120,77 @@ func (l *Login) handleExternalUserRegister(w http.ResponseWriter, r *http.Reques
if authReq.RequestedOrgID != "" { if authReq.RequestedOrgID != "" {
resourceOwner = authReq.RequestedOrgID resourceOwner = authReq.RequestedOrgID
} }
externalUser, externalIDP := l.mapTokenToLoginHumanAndExternalIDP(tokens, idpConfig)
externalUser, err := l.customExternalUserMapping(r.Context(), externalUser, tokens, authReq, idpConfig)
if err != nil {
l.renderRegisterOption(w, r, authReq, err)
return
}
if idpConfig.AutoRegister {
l.registerExternalUser(w, r, authReq, externalUser)
return
}
orgIamPolicy, err := l.getOrgDomainPolicy(r, resourceOwner)
if err != nil {
l.renderRegisterOption(w, r, authReq, err)
return
}
labelPolicy, err := l.getLabelPolicy(r, resourceOwner)
if err != nil {
l.renderRegisterOption(w, r, authReq, err)
return
}
l.renderExternalRegisterOverview(w, r, authReq, orgIamPolicy, externalUser, externalIDP, labelPolicy.HideLoginNameSuffix, nil)
}
func (l *Login) registerExternalUser(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, externalUser *domain.ExternalUser) {
resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()
if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != resourceOwner {
resourceOwner = authReq.RequestedOrgID
}
orgIamPolicy, err := l.getOrgDomainPolicy(r, resourceOwner) orgIamPolicy, err := l.getOrgDomainPolicy(r, resourceOwner)
if err != nil { if err != nil {
l.renderRegisterOption(w, r, authReq, err) l.renderRegisterOption(w, r, authReq, err)
return return
} }
labelPolicy, err := l.getLabelPolicy(r, resourceOwner) idpConfig, err := l.authRepo.GetIDPConfigByID(r.Context(), authReq.SelectedIDPConfigID)
if err != nil { if err != nil {
l.renderRegisterOption(w, r, authReq, err) l.renderRegisterOption(w, r, authReq, err)
return return
} }
user, externalIDP := l.mapTokenToLoginHumanAndExternalIDP(orgIamPolicy, tokens, idpConfig) user, externalIDP, metadata := l.mapExternalUserToLoginUser(orgIamPolicy, externalUser, idpConfig)
user, metadata, err = l.customExternalUserToLoginUserMapping(r.Context(), user, nil, authReq, idpConfig, metadata, resourceOwner)
if err != nil { if err != nil {
l.renderRegisterOption(w, r, authReq, err) l.renderRegisterOption(w, r, authReq, err)
return return
} }
if !idpConfig.AutoRegister { err = l.authRepo.AutoRegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, nil, authReq.ID, authReq.AgentID, resourceOwner, metadata, nil)
l.renderExternalRegisterOverview(w, r, authReq, orgIamPolicy, user, externalIDP, labelPolicy.HideLoginNameSuffix, nil)
return
}
l.registerExternalUser(w, r, authReq, user, externalIDP)
}
func (l *Login) registerExternalUser(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, user *domain.Human, externalIDP *domain.UserIDPLink) {
resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()
if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != resourceOwner {
resourceOwner = authReq.RequestedOrgID
}
initCodeGenerator, err := l.query.InitEncryptionGenerator(r.Context(), domain.SecretGeneratorTypeInitCode, l.userCodeAlg)
if err != nil { if err != nil {
l.renderRegisterOption(w, r, authReq, err) l.renderRegisterOption(w, r, authReq, err)
return return
} }
emailCodeGenerator, err := l.query.InitEncryptionGenerator(r.Context(), domain.SecretGeneratorTypeVerifyEmailCode, l.userCodeAlg) // read auth request again to get current state including userID
authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID)
if err != nil { if err != nil {
l.renderRegisterOption(w, r, authReq, err) l.renderError(w, r, authReq, err)
return return
} }
phoneCodeGenerator, err := l.query.InitEncryptionGenerator(r.Context(), domain.SecretGeneratorTypeVerifyPhoneCode, l.userCodeAlg) userGrants, err := l.customGrants(r.Context(), authReq.UserID, nil, authReq, idpConfig, resourceOwner)
if err != nil { if err != nil {
l.renderRegisterOption(w, r, authReq, err) l.renderError(w, r, authReq, err)
return return
} }
_, err = l.command.RegisterHuman(setContext(r.Context(), resourceOwner), resourceOwner, user, externalIDP, nil, initCodeGenerator, emailCodeGenerator, phoneCodeGenerator) err = l.appendUserGrants(r.Context(), userGrants, resourceOwner)
if err != nil { if err != nil {
l.renderRegisterOption(w, r, authReq, err) l.renderError(w, r, authReq, err)
return return
} }
l.renderNextStep(w, r, authReq) l.renderNextStep(w, r, authReq)
} }
func (l *Login) renderExternalRegisterOverview(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, orgIAMPolicy *query.DomainPolicy, human *domain.Human, idp *domain.UserIDPLink, hideLoginNameSuffix bool, err error) { func (l *Login) renderExternalRegisterOverview(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, orgIAMPolicy *query.DomainPolicy, externalUser *domain.ExternalUser, idp *domain.UserIDPLink, hideLoginNameSuffix bool, err error) {
var errID, errMessage string var errID, errMessage string
if err != nil { if err != nil {
errID, errMessage = l.getErrorMessage(r, err) errID, errMessage = l.getErrorMessage(r, err)
@ -183,27 +200,25 @@ func (l *Login) renderExternalRegisterOverview(w http.ResponseWriter, r *http.Re
data := externalRegisterData{ data := externalRegisterData{
baseData: l.getBaseData(r, authReq, "ExternalRegistrationUserOverview.Title", "ExternalRegistrationUserOverview.Description", errID, errMessage), baseData: l.getBaseData(r, authReq, "ExternalRegistrationUserOverview.Title", "ExternalRegistrationUserOverview.Description", errID, errMessage),
externalRegisterFormData: externalRegisterFormData{ externalRegisterFormData: externalRegisterFormData{
Email: human.EmailAddress, Email: externalUser.Email,
Username: human.Username, Username: externalUser.PreferredUsername,
Firstname: human.FirstName, Firstname: externalUser.FirstName,
Lastname: human.LastName, Lastname: externalUser.LastName,
Nickname: human.NickName, Nickname: externalUser.NickName,
Language: human.PreferredLanguage.String(), Language: externalUser.PreferredLanguage.String(),
}, },
ExternalIDPID: idp.IDPConfigID, ExternalIDPID: idp.IDPConfigID,
ExternalIDPUserID: idp.ExternalUserID, ExternalIDPUserID: idp.ExternalUserID,
ExternalIDPUserDisplayName: idp.DisplayName, ExternalIDPUserDisplayName: idp.DisplayName,
ExternalEmail: human.EmailAddress, ExternalEmail: externalUser.Email,
ExternalEmailVerified: human.IsEmailVerified, ExternalEmailVerified: externalUser.IsEmailVerified,
ShowUsername: orgIAMPolicy.UserLoginMustBeDomain, ShowUsername: orgIAMPolicy.UserLoginMustBeDomain,
OrgRegister: orgIAMPolicy.UserLoginMustBeDomain, OrgRegister: orgIAMPolicy.UserLoginMustBeDomain,
ShowUsernameSuffix: !hideLoginNameSuffix, ShowUsernameSuffix: !hideLoginNameSuffix,
} }
if human.Phone != nil { data.Phone = externalUser.Phone
data.Phone = human.PhoneNumber data.ExternalPhone = externalUser.Phone
data.ExternalPhone = human.PhoneNumber data.ExternalPhoneVerified = externalUser.IsPhoneVerified
data.ExternalPhoneVerified = human.IsPhoneVerified
}
l.renderer.RenderTemplate(w, r, translator, l.renderer.Templates[tmplExternalRegisterOverview], data, nil) l.renderer.RenderTemplate(w, r, translator, l.renderer.Templates[tmplExternalRegisterOverview], data, nil)
} }
@ -220,79 +235,12 @@ func (l *Login) handleExternalRegisterCheck(w http.ResponseWriter, r *http.Reque
if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != resourceOwner { if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != resourceOwner {
resourceOwner = authReq.RequestedOrgID resourceOwner = authReq.RequestedOrgID
} }
externalIDP, err := l.getExternalIDP(data)
if externalIDP == nil { user := l.mapExternalRegisterDataToUser(data)
l.renderRegisterOption(w, r, authReq, err) l.registerExternalUser(w, r, authReq, user)
return
}
user, err := l.mapExternalRegisterDataToUser(r, data)
if err != nil {
l.renderRegisterOption(w, r, authReq, err)
return
}
initCodeGenerator, err := l.query.InitEncryptionGenerator(r.Context(), domain.SecretGeneratorTypeInitCode, l.userCodeAlg)
if err != nil {
l.renderRegisterOption(w, r, authReq, err)
return
}
emailCodeGenerator, err := l.query.InitEncryptionGenerator(r.Context(), domain.SecretGeneratorTypeVerifyEmailCode, l.userCodeAlg)
if err != nil {
l.renderRegisterOption(w, r, authReq, err)
return
}
phoneCodeGenerator, err := l.query.InitEncryptionGenerator(r.Context(), domain.SecretGeneratorTypeVerifyPhoneCode, l.userCodeAlg)
if err != nil {
l.renderRegisterOption(w, r, authReq, err)
return
}
_, err = l.command.RegisterHuman(setContext(r.Context(), resourceOwner), resourceOwner, user, externalIDP, nil, initCodeGenerator, emailCodeGenerator, phoneCodeGenerator)
if err != nil {
l.renderRegisterOption(w, r, authReq, err)
return
}
l.renderNextStep(w, r, authReq)
} }
func (l *Login) mapTokenToLoginHumanAndExternalIDP(orgIamPolicy *query.DomainPolicy, tokens *oidc.Tokens, idpConfig *iam_model.IDPConfigView) (*domain.Human, *domain.UserIDPLink) { func (l *Login) mapTokenToLoginHumanAndExternalIDP(tokens *oidc.Tokens, idpConfig *iam_model.IDPConfigView) (*domain.ExternalUser, *domain.UserIDPLink) {
username := tokens.IDTokenClaims.GetPreferredUsername()
switch idpConfig.OIDCUsernameMapping {
case iam_model.OIDCMappingFieldEmail:
if tokens.IDTokenClaims.IsEmailVerified() && tokens.IDTokenClaims.GetEmail() != "" {
username = tokens.IDTokenClaims.GetEmail()
}
}
if username == "" {
username = tokens.IDTokenClaims.GetEmail()
}
if orgIamPolicy.UserLoginMustBeDomain {
splittedUsername := strings.Split(username, "@")
if len(splittedUsername) > 1 {
username = splittedUsername[0]
}
}
human := &domain.Human{
Username: username,
Profile: &domain.Profile{
FirstName: tokens.IDTokenClaims.GetGivenName(),
LastName: tokens.IDTokenClaims.GetFamilyName(),
PreferredLanguage: tokens.IDTokenClaims.GetLocale(),
NickName: tokens.IDTokenClaims.GetNickname(),
},
Email: &domain.Email{
EmailAddress: tokens.IDTokenClaims.GetEmail(),
IsEmailVerified: tokens.IDTokenClaims.IsEmailVerified(),
},
}
if tokens.IDTokenClaims.GetPhoneNumber() != "" {
human.Phone = &domain.Phone{
PhoneNumber: tokens.IDTokenClaims.GetPhoneNumber(),
IsPhoneVerified: tokens.IDTokenClaims.IsPhoneNumberVerified(),
}
}
displayName := tokens.IDTokenClaims.GetPreferredUsername() displayName := tokens.IDTokenClaims.GetPreferredUsername()
switch idpConfig.OIDCIDPDisplayNameMapping { switch idpConfig.OIDCIDPDisplayNameMapping {
case iam_model.OIDCMappingFieldEmail: case iam_model.OIDCMappingFieldEmail:
@ -304,50 +252,46 @@ func (l *Login) mapTokenToLoginHumanAndExternalIDP(orgIamPolicy *query.DomainPol
displayName = tokens.IDTokenClaims.GetEmail() displayName = tokens.IDTokenClaims.GetEmail()
} }
externalUser := &domain.ExternalUser{
IDPConfigID: idpConfig.IDPConfigID,
ExternalUserID: tokens.IDTokenClaims.GetSubject(),
PreferredUsername: tokens.IDTokenClaims.GetPreferredUsername(),
DisplayName: displayName,
FirstName: tokens.IDTokenClaims.GetGivenName(),
LastName: tokens.IDTokenClaims.GetFamilyName(),
NickName: tokens.IDTokenClaims.GetNickname(),
Email: tokens.IDTokenClaims.GetEmail(),
IsEmailVerified: tokens.IDTokenClaims.IsEmailVerified(),
}
if tokens.IDTokenClaims.GetPhoneNumber() != "" {
externalUser.Phone = tokens.IDTokenClaims.GetPhoneNumber()
externalUser.IsPhoneVerified = tokens.IDTokenClaims.IsPhoneNumberVerified()
}
externalIDP := &domain.UserIDPLink{ externalIDP := &domain.UserIDPLink{
IDPConfigID: idpConfig.IDPConfigID, IDPConfigID: idpConfig.IDPConfigID,
ExternalUserID: tokens.IDTokenClaims.GetSubject(), ExternalUserID: tokens.IDTokenClaims.GetSubject(),
DisplayName: displayName, DisplayName: displayName,
} }
return human, externalIDP return externalUser, externalIDP
} }
func (l *Login) mapExternalRegisterDataToUser(r *http.Request, data *externalRegisterFormData) (*domain.Human, error) { func (l *Login) mapExternalRegisterDataToUser(data *externalRegisterFormData) *domain.ExternalUser {
human := &domain.Human{ isEmailVerified := data.ExternalEmailVerified && data.Email == data.ExternalEmail
Username: data.Username, isPhoneVerified := data.ExternalPhoneVerified && data.Phone == data.ExternalPhone
Profile: &domain.Profile{ return &domain.ExternalUser{
FirstName: data.Firstname, IDPConfigID: data.ExternalIDPConfigID,
LastName: data.Lastname, ExternalUserID: data.ExternalIDPExtUserID,
PreferredLanguage: language.Make(data.Language), PreferredUsername: data.Username,
NickName: data.Nickname, DisplayName: data.Email,
}, FirstName: data.Firstname,
Email: &domain.Email{ LastName: data.Lastname,
EmailAddress: data.Email, NickName: data.Nickname,
}, PreferredLanguage: language.Make(data.Language),
Email: data.Email,
IsEmailVerified: isEmailVerified,
Phone: data.Phone,
IsPhoneVerified: isPhoneVerified,
} }
if data.ExternalEmail != data.Email {
human.IsEmailVerified = false
} else {
human.IsEmailVerified = data.ExternalEmailVerified
}
if data.ExternalPhone == "" {
return human, nil
}
human.Phone = &domain.Phone{
PhoneNumber: data.Phone,
}
if data.ExternalPhone != data.Phone {
human.IsPhoneVerified = false
} else {
human.IsPhoneVerified = data.ExternalPhoneVerified
}
return human, nil
}
func (l *Login) getExternalIDP(data *externalRegisterFormData) (*domain.UserIDPLink, error) {
return &domain.UserIDPLink{
IDPConfigID: data.ExternalIDPConfigID,
ExternalUserID: data.ExternalIDPExtUserID,
DisplayName: data.ExternalIDPDisplayName,
}, nil
} }