fix: allow start and retrieve IdP intents with IdPs from other organizations (#7871)
* fix: correct resourceowner of intent to instance * fix: correct resourceowner of intent to instance * fix: correct resourceowner of intent to instance * fix: correct resourceowner of intent to instance * fix: correct resourceowner of intent to instance * docs: expand the login example with org specific parameters * fix: existence of idp is not checked through resourceowner * fix: existence of idp is not checked through resourceowner * fix: existence of idp is not checked through resourceowner --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
@@ -370,7 +370,7 @@ func (s *Server) StartIdentityProviderIntent(ctx context.Context, req *user.Star
|
||||
}
|
||||
|
||||
func (s *Server) startIDPIntent(ctx context.Context, idpID string, urls *user.RedirectURLs) (*user.StartIdentityProviderIntentResponse, error) {
|
||||
intentWriteModel, details, err := s.command.CreateIntent(ctx, idpID, urls.GetSuccessUrl(), urls.GetFailureUrl(), authz.GetCtxData(ctx).OrgID)
|
||||
intentWriteModel, details, err := s.command.CreateIntent(ctx, idpID, urls.GetSuccessUrl(), urls.GetFailureUrl(), authz.GetInstance(ctx).InstanceID())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -394,7 +394,7 @@ func (s *Server) startIDPIntent(ctx context.Context, idpID string, urls *user.Re
|
||||
}
|
||||
|
||||
func (s *Server) startLDAPIntent(ctx context.Context, idpID string, ldapCredentials *user.LDAPCredentials) (*user.StartIdentityProviderIntentResponse, error) {
|
||||
intentWriteModel, details, err := s.command.CreateIntent(ctx, idpID, "", "", authz.GetCtxData(ctx).OrgID)
|
||||
intentWriteModel, details, err := s.command.CreateIntent(ctx, idpID, "", "", authz.GetInstance(ctx).InstanceID())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -473,7 +473,7 @@ func (s *Server) ldapLogin(ctx context.Context, idpID, username, password string
|
||||
}
|
||||
|
||||
func (s *Server) RetrieveIdentityProviderIntent(ctx context.Context, req *user.RetrieveIdentityProviderIntentRequest) (_ *user.RetrieveIdentityProviderIntentResponse, err error) {
|
||||
intent, err := s.command.GetIntentWriteModel(ctx, req.GetIdpIntentId(), authz.GetCtxData(ctx).OrgID)
|
||||
intent, err := s.command.GetIntentWriteModel(ctx, req.GetIdpIntentId(), "")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -481,7 +481,7 @@ func (s *Server) RetrieveIdentityProviderIntent(ctx context.Context, req *user.R
|
||||
return nil, err
|
||||
}
|
||||
if intent.State != domain.IDPIntentStateSucceeded {
|
||||
return nil, zerrors.ThrowPreconditionFailed(nil, "IDP-Hk38e", "Errors.Intent.NotSucceeded")
|
||||
return nil, zerrors.ThrowPreconditionFailed(nil, "IDP-nme4gszsvx", "Errors.Intent.NotSucceeded")
|
||||
}
|
||||
return idpIntentToIDPIntentPb(intent, s.idpAlg)
|
||||
}
|
||||
|
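Review bot: The empty resource owner passed to `GetIntentWriteModel` in RetrieveIdentityProviderIntent is opaque and removes the caller's org as a scoping key, so the only thing that still binds a caller to an intent is the token check that follows — that check sits in the `if err != nil` whose opening line is outside the hunk, so it should be confirmed that it is still performed before the `State != domain.IDPIntentStateSucceeded` test. A why-comment on the call would make the trust boundary explicit, e.g. `// intents are owned by the instance, not an org; the caller is authorized by the intent token check below`. Since startIDPIntent and startLDAPIntent now pass `authz.GetInstance(ctx).InstanceID()` to CreateIntent instead of the org, it is worth verifying that the IdP existence lookup inside CreateIntent is keyed by instance only (the description says the existence check is no longer done through the resource owner), otherwise org-level IdPs would still be rejected at start. RetrieveIdentityProviderIntent's body continues past the hunk.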
@@ -54,7 +54,7 @@ func TestMain(m *testing.M) {
|
||||
}
|
||||
|
||||
func TestServer_AddHumanUser(t *testing.T) {
|
||||
idpID := Tester.AddGenericOAuthProvider(t)
|
||||
idpID := Tester.AddGenericOAuthProvider(t, CTX)
|
||||
type args struct {
|
||||
ctx context.Context
|
||||
req *user.AddHumanUserRequest
|
||||
@@ -1752,7 +1752,7 @@ func TestServer_DeleteUser(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestServer_AddIDPLink(t *testing.T) {
|
||||
idpID := Tester.AddGenericOAuthProvider(t)
|
||||
idpID := Tester.AddGenericOAuthProvider(t, CTX)
|
||||
type args struct {
|
||||
ctx context.Context
|
||||
req *user.AddIDPLinkRequest
|
||||
@@ -1832,10 +1832,13 @@ func TestServer_AddIDPLink(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestServer_StartIdentityProviderIntent(t *testing.T) {
|
||||
idpID := Tester.AddGenericOAuthProvider(t)
|
||||
samlIdpID := Tester.AddSAMLProvider(t)
|
||||
samlRedirectIdpID := Tester.AddSAMLRedirectProvider(t)
|
||||
samlPostIdpID := Tester.AddSAMLPostProvider(t)
|
||||
idpID := Tester.AddGenericOAuthProvider(t, CTX)
|
||||
orgIdpID := Tester.AddOrgGenericOAuthProvider(t, CTX, Tester.Organisation.ID)
|
||||
orgResp := Tester.CreateOrganization(IamCTX, fmt.Sprintf("NotDefaultOrg%d", time.Now().UnixNano()), fmt.Sprintf("%d@mouse.com", time.Now().UnixNano()))
|
||||
notDefaultOrgIdpID := Tester.AddOrgGenericOAuthProvider(t, CTX, orgResp.OrganizationId)
|
||||
samlIdpID := Tester.AddSAMLProvider(t, CTX)
|
||||
samlRedirectIdpID := Tester.AddSAMLRedirectProvider(t, CTX)
|
||||
samlPostIdpID := Tester.AddSAMLPostProvider(t, CTX)
|
||||
type args struct {
|
||||
ctx context.Context
|
||||
req *user.StartIdentityProviderIntentRequest
|
||||
@@ -1880,7 +1883,100 @@ func TestServer_StartIdentityProviderIntent(t *testing.T) {
|
||||
want: want{
|
||||
details: &object.Details{
|
||||
ChangeDate: timestamppb.Now(),
|
||||
ResourceOwner: Tester.Organisation.ID,
|
||||
ResourceOwner: Tester.Instance.InstanceID(),
|
||||
},
|
||||
url: "https://example.com/oauth/v2/authorize",
|
||||
parametersEqual: map[string]string{
|
||||
"client_id": "clientID",
|
||||
"prompt": "select_account",
|
||||
"redirect_uri": "http://" + Tester.Config.ExternalDomain + ":8080/idps/callback",
|
||||
"response_type": "code",
|
||||
"scope": "openid profile email",
|
||||
},
|
||||
parametersExisting: []string{"state"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "next step oauth auth url, default org",
|
||||
args: args{
|
||||
CTX,
|
||||
&user.StartIdentityProviderIntentRequest{
|
||||
IdpId: orgIdpID,
|
||||
Content: &user.StartIdentityProviderIntentRequest_Urls{
|
||||
Urls: &user.RedirectURLs{
|
||||
SuccessUrl: "https://example.com/success",
|
||||
FailureUrl: "https://example.com/failure",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
want: want{
|
||||
details: &object.Details{
|
||||
ChangeDate: timestamppb.Now(),
|
||||
ResourceOwner: Tester.Instance.InstanceID(),
|
||||
},
|
||||
url: "https://example.com/oauth/v2/authorize",
|
||||
parametersEqual: map[string]string{
|
||||
"client_id": "clientID",
|
||||
"prompt": "select_account",
|
||||
"redirect_uri": "http://" + Tester.Config.ExternalDomain + ":8080/idps/callback",
|
||||
"response_type": "code",
|
||||
"scope": "openid profile email",
|
||||
},
|
||||
parametersExisting: []string{"state"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "next step oauth auth url, default org",
|
||||
args: args{
|
||||
CTX,
|
||||
&user.StartIdentityProviderIntentRequest{
|
||||
IdpId: notDefaultOrgIdpID,
|
||||
Content: &user.StartIdentityProviderIntentRequest_Urls{
|
||||
Urls: &user.RedirectURLs{
|
||||
SuccessUrl: "https://example.com/success",
|
||||
FailureUrl: "https://example.com/failure",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
want: want{
|
||||
details: &object.Details{
|
||||
ChangeDate: timestamppb.Now(),
|
||||
ResourceOwner: Tester.Instance.InstanceID(),
|
||||
},
|
||||
url: "https://example.com/oauth/v2/authorize",
|
||||
parametersEqual: map[string]string{
|
||||
"client_id": "clientID",
|
||||
"prompt": "select_account",
|
||||
"redirect_uri": "http://" + Tester.Config.ExternalDomain + ":8080/idps/callback",
|
||||
"response_type": "code",
|
||||
"scope": "openid profile email",
|
||||
},
|
||||
parametersExisting: []string{"state"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "next step oauth auth url org",
|
||||
args: args{
|
||||
CTX,
|
||||
&user.StartIdentityProviderIntentRequest{
|
||||
IdpId: orgIdpID,
|
||||
Content: &user.StartIdentityProviderIntentRequest_Urls{
|
||||
Urls: &user.RedirectURLs{
|
||||
SuccessUrl: "https://example.com/success",
|
||||
FailureUrl: "https://example.com/failure",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
want: want{
|
||||
details: &object.Details{
|
||||
ChangeDate: timestamppb.Now(),
|
||||
ResourceOwner: Tester.Instance.InstanceID(),
|
||||
},
|
||||
url: "https://example.com/oauth/v2/authorize",
|
||||
parametersEqual: map[string]string{
|
||||
@@ -1911,7 +2007,7 @@ func TestServer_StartIdentityProviderIntent(t *testing.T) {
|
||||
want: want{
|
||||
details: &object.Details{
|
||||
ChangeDate: timestamppb.Now(),
|
||||
ResourceOwner: Tester.Organisation.ID,
|
||||
ResourceOwner: Tester.Instance.InstanceID(),
|
||||
},
|
||||
url: "http://" + Tester.Config.ExternalDomain + ":8000/sso",
|
||||
parametersExisting: []string{"RelayState", "SAMLRequest"},
|
||||
@@ -1935,7 +2031,7 @@ func TestServer_StartIdentityProviderIntent(t *testing.T) {
|
||||
want: want{
|
||||
details: &object.Details{
|
||||
ChangeDate: timestamppb.Now(),
|
||||
ResourceOwner: Tester.Organisation.ID,
|
||||
ResourceOwner: Tester.Instance.InstanceID(),
|
||||
},
|
||||
url: "http://" + Tester.Config.ExternalDomain + ":8000/sso",
|
||||
parametersExisting: []string{"RelayState", "SAMLRequest"},
|
||||
@@ -1959,7 +2055,7 @@ func TestServer_StartIdentityProviderIntent(t *testing.T) {
|
||||
want: want{
|
||||
details: &object.Details{
|
||||
ChangeDate: timestamppb.Now(),
|
||||
ResourceOwner: Tester.Organisation.ID,
|
||||
ResourceOwner: Tester.Instance.InstanceID(),
|
||||
},
|
||||
postForm: true,
|
||||
},
|
||||
@@ -1999,13 +2095,13 @@ func TestServer_StartIdentityProviderIntent(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
|
||||
idpID := Tester.AddGenericOAuthProvider(t)
|
||||
intentID := Tester.CreateIntent(t, idpID)
|
||||
successfulID, token, changeDate, sequence := Tester.CreateSuccessfulOAuthIntent(t, idpID, "", "id")
|
||||
successfulWithUserID, WithUsertoken, WithUserchangeDate, WithUsersequence := Tester.CreateSuccessfulOAuthIntent(t, idpID, "user", "id")
|
||||
ldapSuccessfulID, ldapToken, ldapChangeDate, ldapSequence := Tester.CreateSuccessfulLDAPIntent(t, idpID, "", "id")
|
||||
ldapSuccessfulWithUserID, ldapWithUserToken, ldapWithUserChangeDate, ldapWithUserSequence := Tester.CreateSuccessfulLDAPIntent(t, idpID, "user", "id")
|
||||
samlSuccessfulID, samlToken, samlChangeDate, samlSequence := Tester.CreateSuccessfulSAMLIntent(t, idpID, "", "id")
|
||||
idpID := Tester.AddGenericOAuthProvider(t, CTX)
|
||||
intentID := Tester.CreateIntent(t, CTX, idpID)
|
||||
successfulID, token, changeDate, sequence := Tester.CreateSuccessfulOAuthIntent(t, CTX, idpID, "", "id")
|
||||
successfulWithUserID, withUsertoken, withUserchangeDate, withUsersequence := Tester.CreateSuccessfulOAuthIntent(t, CTX, idpID, "user", "id")
|
||||
ldapSuccessfulID, ldapToken, ldapChangeDate, ldapSequence := Tester.CreateSuccessfulLDAPIntent(t, CTX, idpID, "", "id")
|
||||
ldapSuccessfulWithUserID, ldapWithUserToken, ldapWithUserChangeDate, ldapWithUserSequence := Tester.CreateSuccessfulLDAPIntent(t, CTX, idpID, "user", "id")
|
||||
samlSuccessfulID, samlToken, samlChangeDate, samlSequence := Tester.CreateSuccessfulSAMLIntent(t, CTX, idpID, "", "id")
|
||||
type args struct {
|
||||
ctx context.Context
|
||||
req *user.RetrieveIdentityProviderIntentRequest
|
||||
@@ -2050,7 +2146,7 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
|
||||
want: &user.RetrieveIdentityProviderIntentResponse{
|
||||
Details: &object.Details{
|
||||
ChangeDate: timestamppb.New(changeDate),
|
||||
ResourceOwner: Tester.Organisation.ID,
|
||||
ResourceOwner: Tester.Instance.InstanceID(),
|
||||
Sequence: sequence,
|
||||
},
|
||||
IdpInformation: &user.IDPInformation{
|
||||
@@ -2081,14 +2177,14 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
|
||||
CTX,
|
||||
&user.RetrieveIdentityProviderIntentRequest{
|
||||
IdpIntentId: successfulWithUserID,
|
||||
IdpIntentToken: WithUsertoken,
|
||||
IdpIntentToken: withUsertoken,
|
||||
},
|
||||
},
|
||||
want: &user.RetrieveIdentityProviderIntentResponse{
|
||||
Details: &object.Details{
|
||||
ChangeDate: timestamppb.New(WithUserchangeDate),
|
||||
ResourceOwner: Tester.Organisation.ID,
|
||||
Sequence: WithUsersequence,
|
||||
ChangeDate: timestamppb.New(withUserchangeDate),
|
||||
ResourceOwner: Tester.Instance.InstanceID(),
|
||||
Sequence: withUsersequence,
|
||||
},
|
||||
UserId: "user",
|
||||
IdpInformation: &user.IDPInformation{
|
||||
@@ -2125,7 +2221,7 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
|
||||
want: &user.RetrieveIdentityProviderIntentResponse{
|
||||
Details: &object.Details{
|
||||
ChangeDate: timestamppb.New(ldapChangeDate),
|
||||
ResourceOwner: Tester.Organisation.ID,
|
||||
ResourceOwner: Tester.Instance.InstanceID(),
|
||||
Sequence: ldapSequence,
|
||||
},
|
||||
IdpInformation: &user.IDPInformation{
|
||||
@@ -2170,7 +2266,7 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
|
||||
want: &user.RetrieveIdentityProviderIntentResponse{
|
||||
Details: &object.Details{
|
||||
ChangeDate: timestamppb.New(ldapWithUserChangeDate),
|
||||
ResourceOwner: Tester.Organisation.ID,
|
||||
ResourceOwner: Tester.Instance.InstanceID(),
|
||||
Sequence: ldapWithUserSequence,
|
||||
},
|
||||
UserId: "user",
|
||||
@@ -2216,7 +2312,7 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
|
||||
want: &user.RetrieveIdentityProviderIntentResponse{
|
||||
Details: &object.Details{
|
||||
ChangeDate: timestamppb.New(samlChangeDate),
|
||||
ResourceOwner: Tester.Organisation.ID,
|
||||
ResourceOwner: Tester.Instance.InstanceID(),
|
||||
Sequence: samlSequence,
|
||||
},
|
||||
IdpInformation: &user.IDPInformation{
|
||||
|
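Review bot: The third added case, `name: "next step oauth auth url, default org"` with `IdpId: notDefaultOrgIdpID`, reuses the name of the case before it, so a failure of either is indistinguishable in `go test` output; rename it to `name: "next step oauth auth url, not default org"`. The new cases assert only the success path for IdPs from the default and a non-default org; if org-scoped IdPs are meant to be usable across orgs but not across instances, a negative case with an IdP ID that does not exist in the instance would pin that boundary — it may already be covered by table entries outside the hunk. The test table continues past the hunk.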