TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 11:27:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: idps (#777)

Browse Source 
* fix: update client secret, skip passwordsteps only if login not if linking

* fix: global policy for register

* fix: scope handling

* fix: back after error

* fix: change org id scope to primary domain

* fix: check if primarydomain empty

* fix: local sh

* fix: disable buttons on org login policy
This commit is contained in:
Fabi
2020-09-28 09:29:41 +02:00
committed by GitHub
parent 3e1204524e
commit 83b0ac1fdb
17 changed files with 196 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
internal/auth/repository/eventsourcing/eventstore/auth_request.go
View File

@@ -74,6 +74,7 @@ type userEventProvider interface {
type orgViewProvider interface {
OrgByID(string) (*org_view_model.OrgView, error)
OrgByPrimaryDomain(string) (*org_view_model.OrgView, error)
}
func (repo *AuthRequestRepo) Health(ctx context.Context) error {
@@ -231,6 +232,16 @@ func (repo *AuthRequestRepo) LinkExternalUsers(ctx context.Context, authReqID, u
return repo.AuthRequests.UpdateAuthRequest(ctx, request)
}
func (repo *AuthRequestRepo) ResetLinkingUsers(ctx context.Context, authReqID, userAgentID string) error {
request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
if err != nil {
return err
}
request.LinkingUsers = nil
request.SelectedIDPConfigID = ""
return repo.AuthRequests.UpdateAuthRequest(ctx, request)
}
func (repo *AuthRequestRepo) AutoRegisterExternalUser(ctx context.Context, registerUser *user_model.User, externalIDP *user_model.ExternalIDP, orgMember *org_model.OrgMember, authReqID, userAgentID, resourceOwner string) error {
request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
if err != nil {
@@ -317,7 +328,14 @@ func (repo *AuthRequestRepo) getLoginPolicyAndIDPProviders(ctx context.Context,
func (repo *AuthRequestRepo) fillLoginPolicy(ctx context.Context, request *model.AuthRequest) error {
orgID := request.UserOrgID
if orgID == "" {
orgID = request.GetScopeOrgID()
primaryDomain := request.GetScopeOrgPrimaryDomain()
if primaryDomain != "" {
org, err := repo.GetOrgByPrimaryDomain(primaryDomain)
if err != nil {
return err
}
orgID = org.ID
}
}
if orgID == "" {
orgID = repo.IAMID
@@ -335,7 +353,16 @@ func (repo *AuthRequestRepo) fillLoginPolicy(ctx context.Context, request *model
}
func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *model.AuthRequest, loginName string) (err error) {
orgID := request.GetScopeOrgID()
primaryDomain := request.GetScopeOrgPrimaryDomain()
orgID := ""
if primaryDomain != "" {
org, err := repo.GetOrgByPrimaryDomain(primaryDomain)
if err != nil {
return err
}
orgID = org.ID
}
user := new(user_view_model.UserView)
if orgID != "" {
user, err = repo.View.UserByLoginNameAndResourceOwner(loginName, orgID)
@@ -356,6 +383,14 @@ func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *model.
return nil
}
func (repo AuthRequestRepo) GetOrgByPrimaryDomain(primaryDomain string) (*org_model.OrgView, error) {
org, err := repo.OrgViewProvider.OrgByPrimaryDomain(primaryDomain)
if err != nil {
return nil, err
}
return org_view_model.OrgToModel(org), nil
}
func (repo AuthRequestRepo) checkLoginPolicyWithResourceOwner(ctx context.Context, request *model.AuthRequest, user *user_view_model.UserView) error {
loginPolicy, idpProviders, err := repo.getLoginPolicyAndIDPProviders(ctx, user.ResourceOwner)
if err != nil {
@@ -386,10 +421,15 @@ func (repo *AuthRequestRepo) checkSelectedExternalIDP(request *model.AuthRequest
}
func (repo *AuthRequestRepo) checkExternalUserLogin(request *model.AuthRequest, idpConfigID, externalUserID string) (err error) {
orgID := request.GetScopeOrgID()
primaryDomain := request.GetScopeOrgPrimaryDomain()
externalIDP := new(user_view_model.ExternalIDPView)
if orgID != "" {
externalIDP, err = repo.View.ExternalIDPByExternalUserIDAndIDPConfigIDAndResourceOwner(externalUserID, idpConfigID, orgID)
org := new(org_model.OrgView)
if primaryDomain != "" {
org, err = repo.GetOrgByPrimaryDomain(primaryDomain)
if err != nil {
return err
}
externalIDP, err = repo.View.ExternalIDPByExternalUserIDAndIDPConfigIDAndResourceOwner(externalUserID, idpConfigID, org.ID)
} else {
externalIDP, err = repo.View.ExternalIDPByExternalUserIDAndIDPConfigID(externalUserID, idpConfigID)
}
@@ -435,7 +475,7 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthR
return nil, err
}
if request.SelectedIDPConfigID == "" {
if request.SelectedIDPConfigID == "" || (request.SelectedIDPConfigID != "" && request.LinkingUsers != nil && len(request.LinkingUsers) > 0) {
if user.InitRequired {
return append(steps, &model.InitUserStep{PasswordSet: user.PasswordSet}), nil
}

38
internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
View File

@@ -139,12 +139,22 @@ func (m *mockViewOrg) OrgByID(string) (*org_view_model.OrgView, error) {
}, nil
}
func (m *mockViewOrg) OrgByPrimaryDomain(string) (*org_view_model.OrgView, error) {
return &org_view_model.OrgView{
State: int32(m.State),
}, nil
}
type mockViewErrOrg struct{}
func (m *mockViewErrOrg) OrgByID(string) (*org_view_model.OrgView, error) {
return nil, errors.ThrowInternal(nil, "id", "internal error")
}
func (m *mockViewErrOrg) OrgByPrimaryDomain(string) (*org_view_model.OrgView, error) {
return nil, errors.ThrowInternal(nil, "id", "internal error")
}
func TestAuthRequestRepo_nextSteps(t *testing.T) {
type fields struct {
UserEvents *user_event.UserEventstore
@@ -582,7 +592,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
nil,
},
{
"linking users, link users step",
"linking users, password step",
fields{
userSessionViewProvider: &mockViewUserSession{
MfaSoftwareVerification: time.Now().UTC().Add(-5 * time.Minute),
@@ -596,6 +606,32 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
MfaSoftwareCheckLifeTime: 18 * time.Hour,
},
args{
&model.AuthRequest{
UserID: "UserID",
SelectedIDPConfigID: "IDPConfigID",
LinkingUsers: []*model.ExternalUser{{IDPConfigID: "IDPConfigID", ExternalUserID: "UserID", DisplayName: "DisplayName"}},
}, false},
[]model.NextStep{&model.PasswordStep{}},
nil,
},
{
"linking users, linking step",
fields{
userSessionViewProvider: &mockViewUserSession{
PasswordVerification: time.Now().UTC().Add(-5 * time.Minute),
MfaSoftwareVerification: time.Now().UTC().Add(-5 * time.Minute),
},
userViewProvider: &mockViewUser{
PasswordSet: true,
IsEmailVerified: true,
MfaMaxSetUp: int32(model.MfaLevelSoftware),
},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
MfaSoftwareCheckLifeTime: 18 * time.Hour,
PasswordCheckLifeTime: 10 * 24 * time.Hour,
},
args{
&model.AuthRequest{
UserID: "UserID",

11
internal/auth/repository/eventsourcing/handler/org.go
View File

@@ -46,6 +46,17 @@ func (o *Org) Reduce(event *es_models.Event) (err error) {
return err
}
err = org.AppendEvent(event)
case model.OrgDomainPrimarySet:
domain := new(org_model.OrgDomainView)
err = domain.SetData(event)
if err != nil {
return err
}
org, err = o.view.OrgByID(event.AggregateID)
if err != nil {
return err
}
org.Domain = domain.Domain
default:
return o.view.ProcessedOrgSequence(event.Sequence)
}

4
internal/auth/repository/eventsourcing/view/org.go
View File

@@ -15,6 +15,10 @@ func (v *View) OrgByID(orgID string) (*org_model.OrgView, error) {
return org_view.OrgByID(v.Db, orgTable, orgID)
}
func (v *View) OrgByPrimaryDomain(primaryDomain string) (*org_model.OrgView, error) {
return org_view.OrgByPrimaryDomain(v.Db, orgTable, primaryDomain)
}
func (v *View) SearchOrgs(req *model.OrgSearchRequest) ([]*org_model.OrgView, uint64, error) {
return org_view.SearchOrgs(v.Db, orgTable, req)
}