feat(saml): implementation of saml for ZITADEL v2 (#3618)

2025-08-11 21:37:32 +00:00 · 2022-09-12 17:18:08 +01:00
parent 01a92ba5d9
commit 7a5f7f82cf
134 changed files with 5570 additions and 1293 deletions
--- a/internal/repository/keypair/certificate.go
+++ b/internal/repository/keypair/certificate.go
@@ -0,0 +1,61 @@
+package keypair
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/repository"
+)
+
+const (
+	AddedCertificateEventType = eventTypePrefix + "certificate.added"
+)
+
+type AddedCertificateEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Certificate *Key `json:"certificate"`
+}
+
+func (e *AddedCertificateEvent) Data() interface{} {
+	return e
+}
+
+func (e *AddedCertificateEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAddedCertificateEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	certificateCrypto *crypto.CryptoValue,
+	certificateExpiration time.Time) *AddedCertificateEvent {
+	return &AddedCertificateEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			AddedCertificateEventType,
+		),
+		Certificate: &Key{
+			Key:    certificateCrypto,
+			Expiry: certificateExpiration,
+		},
+	}
+}
+
+func AddedCertificateEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &AddedCertificateEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "KEY-4n9vs", "unable to unmarshal certificate added")
+	}
+
+	return e, nil
+}
--- a/internal/repository/keypair/eventstore.go
+++ b/internal/repository/keypair/eventstore.go
@@ -6,4 +6,5 @@ import (

 func RegisterEventMappers(es *eventstore.Eventstore) {
 	es.RegisterFilterEventMapper(AddedEventType, AddedEventMapper)
+	es.RegisterFilterEventMapper(AddedCertificateEventType, AddedCertificateEventMapper)
 }
--- a/internal/repository/project/application.go
+++ b/internal/repository/project/application.go
@@ -217,8 +217,9 @@ func ApplicationReactivatedEventMapper(event *repository.Event) (eventstore.Even
 type ApplicationRemovedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	AppID string `json:"appId,omitempty"`
-	name  string
+	AppID    string `json:"appId,omitempty"`
+	name     string
+	entityID string
 }

 func (e *ApplicationRemovedEvent) Data() interface{} {
@@ -226,7 +227,11 @@ func (e *ApplicationRemovedEvent) Data() interface{} {
 }

 func (e *ApplicationRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
-	return []*eventstore.EventUniqueConstraint{NewRemoveApplicationUniqueConstraint(e.name, e.Aggregate().ID)}
+	remove := []*eventstore.EventUniqueConstraint{NewRemoveApplicationUniqueConstraint(e.name, e.Aggregate().ID)}
+	if e.entityID != "" {
+		remove = append(remove, NewRemoveSAMLConfigEntityIDUniqueConstraint(e.entityID))
+	}
+	return remove
 }

 func NewApplicationRemovedEvent(
@@ -234,6 +239,7 @@ func NewApplicationRemovedEvent(
 	aggregate *eventstore.Aggregate,
 	appID,
 	name string,
+	entityID string,
 ) *ApplicationRemovedEvent {
 	return &ApplicationRemovedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -241,8 +247,9 @@ func NewApplicationRemovedEvent(
 			aggregate,
 			ApplicationRemovedType,
 		),
-		AppID: appID,
-		name:  name,
+		AppID:    appID,
+		name:     name,
+		entityID: entityID,
 	}
 }

--- a/internal/repository/project/eventstore.go
+++ b/internal/repository/project/eventstore.go
@@ -41,5 +41,7 @@ func RegisterEventMappers(es *eventstore.Eventstore) {
 		RegisterFilterEventMapper(APIConfigChangedType, APIConfigChangedEventMapper).
 		RegisterFilterEventMapper(APIConfigSecretChangedType, APIConfigSecretChangedEventMapper).
 		RegisterFilterEventMapper(ApplicationKeyAddedEventType, ApplicationKeyAddedEventMapper).
-		RegisterFilterEventMapper(ApplicationKeyRemovedEventType, ApplicationKeyRemovedEventMapper)
+		RegisterFilterEventMapper(ApplicationKeyRemovedEventType, ApplicationKeyRemovedEventMapper).
+		RegisterFilterEventMapper(SAMLConfigAddedType, SAMLConfigAddedEventMapper).
+		RegisterFilterEventMapper(SAMLConfigChangedType, SAMLConfigChangedEventMapper)
 }
--- a/internal/repository/project/project.go
+++ b/internal/repository/project/project.go
@@ -240,7 +240,8 @@ func ProjectReactivatedEventMapper(event *repository.Event) (eventstore.Event, e
 type ProjectRemovedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	Name string
+	Name                     string
+	entityIDUniqueContraints []*eventstore.EventUniqueConstraint
 }

 func (e *ProjectRemovedEvent) Data() interface{} {
@@ -248,13 +249,20 @@ func (e *ProjectRemovedEvent) Data() interface{} {
 }

 func (e *ProjectRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
-	return []*eventstore.EventUniqueConstraint{NewRemoveProjectNameUniqueConstraint(e.Name, e.Aggregate().ResourceOwner)}
+	constraints := []*eventstore.EventUniqueConstraint{NewRemoveProjectNameUniqueConstraint(e.Name, e.Aggregate().ResourceOwner)}
+	if e.entityIDUniqueContraints != nil {
+		for _, constraint := range e.entityIDUniqueContraints {
+			constraints = append(constraints, constraint)
+		}
+	}
+	return constraints
 }

 func NewProjectRemovedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
 	name string,
+	entityIDUniqueContraints []*eventstore.EventUniqueConstraint,
 ) *ProjectRemovedEvent {
 	return &ProjectRemovedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -262,7 +270,8 @@ func NewProjectRemovedEvent(
 			aggregate,
 			ProjectRemovedType,
 		),
-		Name: name,
+		Name:                     name,
+		entityIDUniqueContraints: entityIDUniqueContraints,
 	}
 }

--- a/internal/repository/project/saml_config.go
+++ b/internal/repository/project/saml_config.go
@@ -0,0 +1,163 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueEntityIDType    = "entity_ids"
+	SAMLConfigAddedType   = applicationEventTypePrefix + "config.saml.added"
+	SAMLConfigChangedType = applicationEventTypePrefix + "config.saml.changed"
+)
+
+type SAMLConfigAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID       string `json:"appId"`
+	EntityID    string `json:"entityId"`
+	Metadata    []byte `json:"metadata,omitempty"`
+	MetadataURL string `json:"metadata_url,omitempty"`
+}
+
+func (e *SAMLConfigAddedEvent) Data() interface{} {
+	return e
+}
+
+func NewAddSAMLConfigEntityIDUniqueConstraint(entityID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueEntityIDType,
+		entityID,
+		"Errors.Project.App.SAMLEntityIDAlreadyExists")
+}
+
+func NewRemoveSAMLConfigEntityIDUniqueConstraint(entityID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueEntityIDType,
+		entityID)
+}
+
+func (e *SAMLConfigAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddSAMLConfigEntityIDUniqueConstraint(e.EntityID)}
+}
+
+func NewSAMLConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	entityID string,
+	metadata []byte,
+	metadataURL string,
+) *SAMLConfigAddedEvent {
+	return &SAMLConfigAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SAMLConfigAddedType,
+		),
+		AppID:       appID,
+		EntityID:    entityID,
+		Metadata:    metadata,
+		MetadataURL: metadataURL,
+	}
+}
+
+func SAMLConfigAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &SAMLConfigAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "SAML-BDd15", "unable to unmarshal saml config")
+	}
+
+	return e, nil
+}
+
+type SAMLConfigChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID       string  `json:"appId"`
+	EntityID    string  `json:"entityId"`
+	Metadata    []byte  `json:"metadata,omitempty"`
+	MetadataURL *string `json:"metadata_url,omitempty"`
+	oldEntityID string
+}
+
+func (e *SAMLConfigChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SAMLConfigChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	if e.EntityID != "" {
+		return []*eventstore.EventUniqueConstraint{
+			NewRemoveSAMLConfigEntityIDUniqueConstraint(e.oldEntityID),
+			NewAddSAMLConfigEntityIDUniqueConstraint(e.EntityID),
+		}
+	}
+	return nil
+}
+
+func NewSAMLConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	oldEntityID string,
+	changes []SAMLConfigChanges,
+) (*SAMLConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "SAML-i8idç", "Errors.NoChangesFound")
+	}
+
+	changeEvent := &SAMLConfigChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SAMLConfigChangedType,
+		),
+		AppID:       appID,
+		oldEntityID: oldEntityID,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type SAMLConfigChanges func(event *SAMLConfigChangedEvent)
+
+func ChangeMetadata(metadata []byte) func(event *SAMLConfigChangedEvent) {
+	return func(e *SAMLConfigChangedEvent) {
+		e.Metadata = metadata
+	}
+}
+
+func ChangeMetadataURL(metadataURL string) func(event *SAMLConfigChangedEvent) {
+	return func(e *SAMLConfigChangedEvent) {
+		e.MetadataURL = &metadataURL
+	}
+}
+
+func ChangeEntityID(entityID string) func(event *SAMLConfigChangedEvent) {
+	return func(e *SAMLConfigChangedEvent) {
+		e.EntityID = entityID
+	}
+}
+
+func SAMLConfigChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &SAMLConfigChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "SAML-BFd15", "unable to unmarshal saml config")
+	}
+
+	return e, nil
+}