feat: add exclusion of criteria for active idp query (#9040)

# Which Problems Are Solved To list IDPs for potential linking, we need to filter them. The GetActiveIdentityProviderResponse should therefore be extended to provide the IDPConfig or information about whether the IDP is allowed to be linked or created. # How the Problems Are Solved Add parameters to the request to exclude CreationDisallowed and/or LinkingDisallowed in the query. # Additional Changes Added integration tests for the GetGetActiveIdentityProvider endpoint. # Additional Context Closes #8981 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 21:37:32 +00:00 · 2024-12-18 17:19:05 +01:00
parent da706a8b30
commit 870e3b1b26
11 changed files with 494 additions and 32 deletions
--- a/internal/api/grpc/idp/v2/query.go
+++ b/internal/api/grpc/idp/v2/query.go
@@ -96,7 +96,7 @@ func configToPb(config *query.IDPTemplate) *idp_pb.IDPConfig {
 			IsCreationAllowed: config.IsCreationAllowed,
 			IsAutoCreation:    config.IsAutoCreation,
 			IsAutoUpdate:      config.IsAutoUpdate,
-			AutoLinking:       autoLinkingOptionToPb(config.AutoLinking),
+			AutoLinking:       AutoLinkingOptionToPb(config.AutoLinking),
 		},
 	}
 	if config.OAuthIDPTemplate != nil {
@@ -150,7 +150,7 @@ func configToPb(config *query.IDPTemplate) *idp_pb.IDPConfig {
 	return idpConfig
 }

-func autoLinkingOptionToPb(linking domain.AutoLinkingOption) idp_pb.AutoLinkingOption {
+func AutoLinkingOptionToPb(linking domain.AutoLinkingOption) idp_pb.AutoLinkingOption {
 	switch linking {
 	case domain.AutoLinkingOptionUnspecified:
 		return idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_UNSPECIFIED
--- a/internal/api/grpc/settings/v2/integration_test/settings_test.go
+++ b/internal/api/grpc/settings/v2/integration_test/settings_test.go
@@ -7,11 +7,15 @@ import (
 	"testing"
 	"time"

+	"github.com/brianvoe/gofakeit/v6"
+	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/pkg/grpc/idp"
+	idp_pb "github.com/zitadel/zitadel/pkg/grpc/idp/v2"
 	object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2"
 	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
 )
@@ -178,3 +182,281 @@ func TestServer_SetSecuritySettings(t *testing.T) {
 		})
 	}
 }
+
+func idpResponse(id, name string, linking, creation, autoCreation, autoUpdate bool, autoLinking idp_pb.AutoLinkingOption) *settings.IdentityProvider {
+	return &settings.IdentityProvider{
+		Id:   id,
+		Name: name,
+		Type: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_OAUTH,
+		Options: &idp_pb.Options{
+			IsLinkingAllowed:  linking,
+			IsCreationAllowed: creation,
+			IsAutoCreation:    autoCreation,
+			IsAutoUpdate:      autoUpdate,
+			AutoLinking:       autoLinking,
+		},
+	}
+}
+
+func TestServer_GetActiveIdentityProviders(t *testing.T) {
+	instance := integration.NewInstance(CTX)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	instance.AddGenericOAuthProvider(isolatedIAMOwnerCTX, gofakeit.AppName()) // inactive
+	idpActiveName := gofakeit.AppName()
+	idpActiveResp := instance.AddGenericOAuthProvider(isolatedIAMOwnerCTX, idpActiveName)
+	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpActiveResp.GetId())
+	idpActiveResponse := idpResponse(idpActiveResp.GetId(), idpActiveName, true, true, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	idpLinkingDisallowedName := gofakeit.AppName()
+	idpLinkingDisallowedResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpLinkingDisallowedName, false, true, true, idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpLinkingDisallowedResp.GetId())
+	idpLinkingDisallowedResponse := idpResponse(idpLinkingDisallowedResp.GetId(), idpLinkingDisallowedName, false, true, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	idpCreationDisallowedName := gofakeit.AppName()
+	idpCreationDisallowedResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpCreationDisallowedName, true, false, true, idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpCreationDisallowedResp.GetId())
+	idpCreationDisallowedResponse := idpResponse(idpCreationDisallowedResp.GetId(), idpCreationDisallowedName, true, false, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	idpNoAutoCreationName := gofakeit.AppName()
+	idpNoAutoCreationResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpNoAutoCreationName, true, true, false, idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpNoAutoCreationResp.GetId())
+	idpNoAutoCreationResponse := idpResponse(idpNoAutoCreationResp.GetId(), idpNoAutoCreationName, true, true, false, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	idpNoAutoLinkingName := gofakeit.AppName()
+	idpNoAutoLinkingResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpNoAutoLinkingName, true, true, true, idp.AutoLinkingOption_AUTO_LINKING_OPTION_UNSPECIFIED)
+	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpNoAutoLinkingResp.GetId())
+	idpNoAutoLinkingResponse := idpResponse(idpNoAutoLinkingResp.GetId(), idpNoAutoLinkingName, true, true, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_UNSPECIFIED)
+
+	type args struct {
+		ctx context.Context
+		req *settings.GetActiveIdentityProvidersRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *settings.GetActiveIdentityProvidersResponse
+		wantErr bool
+	}{
+		{
+			name: "permission error",
+			args: args{
+				ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
+				req: &settings.GetActiveIdentityProvidersRequest{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "success, all",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 5,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpActiveResponse,
+					idpLinkingDisallowedResponse,
+					idpCreationDisallowedResponse,
+					idpNoAutoCreationResponse,
+					idpNoAutoLinkingResponse,
+				},
+			},
+		},
+		{
+			name: "success, exclude linking disallowed",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					LinkingAllowed: gu.Ptr(true),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 4,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpActiveResponse,
+					idpCreationDisallowedResponse,
+					idpNoAutoCreationResponse,
+					idpNoAutoLinkingResponse,
+				},
+			},
+		},
+		{
+			name: "success, only linking disallowed",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					LinkingAllowed: gu.Ptr(false),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 1,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpLinkingDisallowedResponse,
+				},
+			},
+		},
+		{
+			name: "success, exclude creation disallowed",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					CreationAllowed: gu.Ptr(true),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 4,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpActiveResponse,
+					idpLinkingDisallowedResponse,
+					idpNoAutoCreationResponse,
+					idpNoAutoLinkingResponse,
+				},
+			},
+		},
+		{
+			name: "success, only creation disallowed",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					CreationAllowed: gu.Ptr(false),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 1,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpCreationDisallowedResponse,
+				},
+			},
+		},
+		{
+			name: "success, auto creation",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					AutoCreation: gu.Ptr(true),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 4,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpActiveResponse,
+					idpLinkingDisallowedResponse,
+					idpCreationDisallowedResponse,
+					idpNoAutoLinkingResponse,
+				},
+			},
+		},
+		{
+			name: "success, no auto creation",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					AutoCreation: gu.Ptr(false),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 1,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpNoAutoCreationResponse,
+				},
+			},
+		},
+		{
+			name: "success, auto linking",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					AutoLinking: gu.Ptr(true),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 4,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpActiveResponse,
+					idpLinkingDisallowedResponse,
+					idpCreationDisallowedResponse,
+					idpNoAutoCreationResponse,
+				},
+			},
+		},
+		{
+			name: "success, no auto linking",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					AutoLinking: gu.Ptr(false),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 1,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpNoAutoLinkingResponse,
+				},
+			},
+		},
+		{
+			name: "success, exclude all",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					LinkingAllowed:  gu.Ptr(true),
+					CreationAllowed: gu.Ptr(true),
+					AutoCreation:    gu.Ptr(true),
+					AutoLinking:     gu.Ptr(true),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 1,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpActiveResponse,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
+			assert.EventuallyWithT(t, func(ct *assert.CollectT) {
+				got, err := instance.Client.SettingsV2.GetActiveIdentityProviders(tt.args.ctx, tt.args.req)
+				if tt.wantErr {
+					assert.Error(ct, err)
+					return
+				}
+				if !assert.NoError(ct, err) {
+					return
+				}
+				for i, result := range tt.want.GetIdentityProviders() {
+					assert.EqualExportedValues(ct, result, got.GetIdentityProviders()[i])
+				}
+				integration.AssertListDetails(ct, tt.want, got)
+			}, retryDuration, tick)
+		})
+	}
+}
--- a/internal/api/grpc/settings/v2/settings.go
+++ b/internal/api/grpc/settings/v2/settings.go
@@ -120,7 +120,12 @@ func (s *Server) GetLockoutSettings(ctx context.Context, req *settings.GetLockou
 }

 func (s *Server) GetActiveIdentityProviders(ctx context.Context, req *settings.GetActiveIdentityProvidersRequest) (*settings.GetActiveIdentityProvidersResponse, error) {
-	links, err := s.query.IDPLoginPolicyLinks(ctx, object.ResourceOwnerFromReq(ctx, req.GetCtx()), &query.IDPLoginPolicyLinksSearchQuery{}, false)
+	queries, err := activeIdentityProvidersToQuery(req)
+	if err != nil {
+		return nil, err
+	}
+
+	links, err := s.query.IDPLoginPolicyLinks(ctx, object.ResourceOwnerFromReq(ctx, req.GetCtx()), &query.IDPLoginPolicyLinksSearchQuery{Queries: queries}, false)
 	if err != nil {
 		return nil, err
 	}
@@ -131,6 +136,43 @@ func (s *Server) GetActiveIdentityProviders(ctx context.Context, req *settings.G
 	}, nil
 }

+func activeIdentityProvidersToQuery(req *settings.GetActiveIdentityProvidersRequest) (_ []query.SearchQuery, err error) {
+	q := make([]query.SearchQuery, 0, 4)
+	if req.CreationAllowed != nil {
+		creationQuery, err := query.NewIDPTemplateIsCreationAllowedSearchQuery(*req.CreationAllowed)
+		if err != nil {
+			return nil, err
+		}
+		q = append(q, creationQuery)
+	}
+	if req.LinkingAllowed != nil {
+		creationQuery, err := query.NewIDPTemplateIsLinkingAllowedSearchQuery(*req.LinkingAllowed)
+		if err != nil {
+			return nil, err
+		}
+		q = append(q, creationQuery)
+	}
+	if req.AutoCreation != nil {
+		creationQuery, err := query.NewIDPTemplateIsAutoCreationSearchQuery(*req.AutoCreation)
+		if err != nil {
+			return nil, err
+		}
+		q = append(q, creationQuery)
+	}
+	if req.AutoLinking != nil {
+		compare := query.NumberEquals
+		if *req.AutoLinking {
+			compare = query.NumberNotEquals
+		}
+		creationQuery, err := query.NewIDPTemplateAutoLinkingSearchQuery(0, compare)
+		if err != nil {
+			return nil, err
+		}
+		q = append(q, creationQuery)
+	}
+	return q, nil
+}
+
 func (s *Server) GetGeneralSettings(ctx context.Context, _ *settings.GetGeneralSettingsRequest) (*settings.GetGeneralSettingsResponse, error) {
 	instance := authz.GetInstance(ctx)
 	return &settings.GetGeneralSettingsResponse{
--- a/internal/api/grpc/settings/v2/settings_converter.go
+++ b/internal/api/grpc/settings/v2/settings_converter.go
@@ -5,9 +5,11 @@ import (

 	"google.golang.org/protobuf/types/known/durationpb"

+	idp_api "github.com/zitadel/zitadel/internal/api/grpc/idp/v2"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
+	idp_pb "github.com/zitadel/zitadel/pkg/grpc/idp/v2"
 	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
 )

@@ -189,6 +191,13 @@ func identityProviderToPb(idp *query.IDPLoginPolicyLink) *settings.IdentityProvi
 		Id:   idp.IDPID,
 		Name: domain.IDPName(idp.IDPName, idp.IDPType),
 		Type: idpTypeToPb(idp.IDPType),
+		Options: &idp_pb.Options{
+			IsLinkingAllowed:  idp.IsLinkingAllowed,
+			IsCreationAllowed: idp.IsCreationAllowed,
+			IsAutoCreation:    idp.IsAutoCreation,
+			IsAutoUpdate:      idp.IsAutoUpdate,
+			AutoLinking:       idp_api.AutoLinkingOptionToPb(idp.AutoLinking),
+		},
 	}
 }

--- a/internal/api/grpc/settings/v2/settings_converter_test.go
+++ b/internal/api/grpc/settings/v2/settings_converter_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/pkg/grpc/idp/v2"
 	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
 )

@@ -382,14 +383,24 @@ func Test_lockoutSettingsToPb(t *testing.T) {
 func Test_identityProvidersToPb(t *testing.T) {
 	arg := []*query.IDPLoginPolicyLink{
 		{
-			IDPID:   "1",
-			IDPName: "foo",
-			IDPType: domain.IDPTypeOIDC,
+			IDPID:             "1",
+			IDPName:           "foo",
+			IDPType:           domain.IDPTypeOIDC,
+			IsCreationAllowed: true,
+			IsLinkingAllowed:  true,
+			IsAutoCreation:    true,
+			IsAutoUpdate:      true,
+			AutoLinking:       domain.AutoLinkingOptionUsername,
 		},
 		{
-			IDPID:   "2",
-			IDPName: "bar",
-			IDPType: domain.IDPTypeGitHub,
+			IDPID:             "2",
+			IDPName:           "bar",
+			IDPType:           domain.IDPTypeGitHub,
+			IsCreationAllowed: true,
+			IsLinkingAllowed:  true,
+			IsAutoCreation:    true,
+			IsAutoUpdate:      true,
+			AutoLinking:       domain.AutoLinkingOptionEmail,
 		},
 	}
 	want := []*settings.IdentityProvider{
@@ -397,11 +408,25 @@ func Test_identityProvidersToPb(t *testing.T) {
 			Id:   "1",
 			Name: "foo",
 			Type: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_OIDC,
+			Options: &idp.Options{
+				IsCreationAllowed: true,
+				IsLinkingAllowed:  true,
+				IsAutoCreation:    true,
+				IsAutoUpdate:      true,
+				AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME,
+			},
 		},
 		{
 			Id:   "2",
 			Name: "bar",
 			Type: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_GITHUB,
+			Options: &idp.Options{
+				IsCreationAllowed: true,
+				IsLinkingAllowed:  true,
+				IsAutoCreation:    true,
+				IsAutoUpdate:      true,
+				AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_EMAIL,
+			},
 		},
 	}
 	got := identityProvidersToPb(arg)