fix: check login policy state for idp policy mgmt (#2384)

Livio Amstutz 2021-09-17 13:45:14 +02:00 committed by GitHub
parent d090f12672
commit 8883d74e3d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 240 additions and 26 deletions


@ -2,6 +2,7 @@ package command
import (
"context"
"github.com/caos/logging"
"github.com/caos/zitadel/internal/domain"
caos_errs "github.com/caos/zitadel/internal/errors"
@ -88,7 +89,16 @@ func (c *Commands) AddIDPProviderToDefaultLoginPolicy(ctx context.Context, idpPr
if !idpProvider.IsValid() {
return nil, caos_errs.ThrowInvalidArgument(nil, "IAM-9nf88", "Errors.IAM.LoginPolicy.IDP.Invalid")
}
_, err := c.getIAMIDPConfigByID(ctx, idpProvider.IDPConfigID)
existingPolicy := NewIAMLoginPolicyWriteModel()
err := c.defaultLoginPolicyWriteModelByID(ctx, existingPolicy)
if err != nil {
return nil, err
}
if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
return nil, caos_errs.ThrowNotFound(nil, "IAM-GVDfe", "Errors.IAM.LoginPolicy.NotFound")
}
_, err = c.getIAMIDPConfigByID(ctx, idpProvider.IDPConfigID)
if err != nil {
return nil, caos_errs.ThrowPreconditionFailed(err, "IAM-m8fsd", "Errors.IDPConfig.NotExisting")
}
@ -117,8 +127,17 @@ func (c *Commands) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Context,
if !idpProvider.IsValid() {
return nil, caos_errs.ThrowInvalidArgument(nil, "IAM-66m9s", "Errors.IAM.LoginPolicy.IDP.Invalid")
}
existingPolicy := NewIAMLoginPolicyWriteModel()
err := c.defaultLoginPolicyWriteModelByID(ctx, existingPolicy)
if err != nil {
return nil, err
}
if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
return nil, caos_errs.ThrowNotFound(nil, "IAM-Dfg4t", "Errors.IAM.LoginPolicy.NotFound")
}
idpModel := NewIAMIdentityProviderWriteModel(idpProvider.IDPConfigID)
err := c.eventstore.FilterToQueryReducer(ctx, idpModel)
err = c.eventstore.FilterToQueryReducer(ctx, idpModel)
if err != nil {
return nil, err
}
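Review bot: The existence guard `existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved` is spelled out by hand at L29 and again at L45, and the org command file in this commit repeats it twice more, so four copies of the same predicate can drift independently. If the domain package does not already provide one, a single predicate such as `func (s PolicyState) Exists() bool { return s != PolicyStateUnspecified && s != PolicyStateRemoved }` would reduce each guard to `if !existingPolicy.State.Exists() {` and make the "not found" semantics reviewable in one place. The ordering of the new check (policy first, then IDP config / provider lookup) is the right one, since it keeps a missing policy from being reported as a missing config. Both enclosing functions start before and continue past their hunks.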


@ -313,11 +313,42 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) {
err: caos_errs.IsErrorInvalidArgument,
},
},
{
name: "policy not existing, not found error",
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(),
),
},
args: args{
ctx: context.Background(),
provider: &domain.IDPProvider{
IDPConfigID: "config1",
},
},
res: res{
err: caos_errs.IsNotFound,
},
},
{
name: "config not existing, precondition error",
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(
eventFromEventPusher(
iam.NewLoginPolicyAddedEvent(context.Background(),
&iam.NewAggregate().Aggregate,
true,
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(),
),
},
@ -336,6 +367,19 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) {
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(
eventFromEventPusher(
iam.NewLoginPolicyAddedEvent(context.Background(),
&iam.NewAggregate().Aggregate,
true,
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(
eventFromEventPusher(
iam.NewIDPConfigAddedEvent(context.Background(),
@ -349,17 +393,6 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) {
),
),
expectFilter(
eventFromEventPusher(
iam.NewLoginPolicyAddedEvent(context.Background(),
&iam.NewAggregate().Aggregate,
true,
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
eventFromEventPusher(
iam.NewIdentityProviderAddedEvent(context.Background(),
&iam.NewAggregate().Aggregate,
@ -384,6 +417,19 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) {
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(
eventFromEventPusher(
iam.NewLoginPolicyAddedEvent(context.Background(),
&iam.NewAggregate().Aggregate,
true,
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(
eventFromEventPusher(
iam.NewIDPConfigAddedEvent(context.Background(),
@ -478,11 +524,42 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
err: caos_errs.IsErrorInvalidArgument,
},
},
{
name: "login policy not existing, not found error",
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(),
),
},
args: args{
ctx: context.Background(),
provider: &domain.IDPProvider{
IDPConfigID: "config1",
},
},
res: res{
err: caos_errs.IsNotFound,
},
},
{
name: "provider not existing, not found error",
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(
eventFromEventPusher(
iam.NewLoginPolicyAddedEvent(context.Background(),
&iam.NewAggregate().Aggregate,
true,
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(),
),
},
@ -513,6 +590,8 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(
eventFromEventPusher(
iam.NewIdentityProviderAddedEvent(context.Background(),
&iam.NewAggregate().Aggregate,
@ -555,6 +634,8 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(
eventFromEventPusher(
iam.NewIdentityProviderAddedEvent(context.Background(),
&iam.NewAggregate().Aggregate,
@ -602,6 +683,8 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(
eventFromEventPusher(
iam.NewIdentityProviderAddedEvent(context.Background(),
&iam.NewAggregate().Aggregate,
@ -657,6 +740,8 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(
eventFromEventPusher(
iam.NewIdentityProviderAddedEvent(context.Background(),
&iam.NewAggregate().Aggregate,
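Review bot: The new "not found" cases at L61-L78 and L162-L179 drive the guard only through its PolicyStateUnspecified branch (an empty `expectFilter()`), while the command also rejects PolicyStateRemoved; the org test file in this commit has the same gap. If a removed event exists for the default login policy, a case replaying a policy-added event followed by a policy-removed event would pin that branch; if the default policy cannot be removed, the Removed comparison in the command is presumably unreachable and that could be recorded in a comment there instead. The remaining hunks only extend existing fixtures with the now-required policy-added filter and need no further review.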


@ -165,7 +165,14 @@ func (c *Commands) AddIDPProviderToLoginPolicy(ctx context.Context, resourceOwne
if !idpProvider.IsValid() {
return nil, caos_errs.ThrowInvalidArgument(nil, "Org-9nf88", "Errors.Org.LoginPolicy.IDP.")
}
var err error
existingPolicy, err := c.orgLoginPolicyWriteModelByID(ctx, resourceOwner)
if err != nil {
return nil, err
}
if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
return nil, caos_errs.ThrowNotFound(nil, "Org-Ffgw2", "Errors.Org.LoginPolicy.NotFound")
}
if idpProvider.Type == domain.IdentityProviderTypeOrg {
_, err = c.getOrgIDPConfigByID(ctx, idpProvider.IDPConfigID, resourceOwner)
} else {
@ -202,8 +209,16 @@ func (c *Commands) RemoveIDPProviderFromLoginPolicy(ctx context.Context, resourc
if !idpProvider.IsValid() {
return nil, caos_errs.ThrowInvalidArgument(nil, "Org-66m9s", "Errors.Org.LoginPolicy.IDP.Invalid")
}
existingPolicy, err := c.orgLoginPolicyWriteModelByID(ctx, resourceOwner)
if err != nil {
return nil, err
}
if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
return nil, caos_errs.ThrowNotFound(nil, "Org-GVDfe", "Errors.Org.LoginPolicy.NotFound")
}
idpModel := NewOrgIdentityProviderWriteModel(resourceOwner, idpProvider.IDPConfigID)
err := c.eventstore.FilterToQueryReducer(ctx, idpModel)
err = c.eventstore.FilterToQueryReducer(ctx, idpModel)
if err != nil {
return nil, err
}
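Review bot: The kept `var err error` at L244 is redundant once the added `existingPolicy, err := c.orgLoginPolicyWriteModelByID(ctx, resourceOwner)` follows it, because `:=` in the same scope simply reuses the declared `err`; dropping L244 lets the short declaration introduce `err` and the later `_, err = c.getOrgIDPConfigByID(...)` branches still assign to it. While in this hunk, the unchanged error message at L242, `"Errors.Org.LoginPolicy.IDP."`, looks truncated next to `"Errors.Org.LoginPolicy.IDP.Invalid"` at L257 and presumably should be the same key, though I cannot see the i18n files from here. Both AddIDPProviderToLoginPolicy and RemoveIDPProviderFromLoginPolicy start before and continue past their hunks.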


@ -625,11 +625,45 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) {
err: caos_errs.IsErrorInvalidArgument,
},
},
{
name: "policy not existing, not found error",
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(),
),
},
args: args{
ctx: context.Background(),
resourceOwner: "org1",
provider: &domain.IDPProvider{
IDPConfigID: "config1",
Name: "name",
Type: domain.IdentityProviderTypeOrg,
},
},
res: res{
err: caos_errs.IsNotFound,
},
},
{
name: "config not existing, precondition error",
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
true,
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(),
),
},
@ -651,6 +685,19 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) {
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
true,
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(
eventFromEventPusher(
org.NewIDPConfigAddedEvent(context.Background(),
@ -664,17 +711,6 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) {
),
),
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
true,
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
eventFromEventPusher(
org.NewIdentityProviderAddedEvent(context.Background(),
&org.NewAggregate("org1", "or1").Aggregate,
@ -703,6 +739,19 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) {
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
true,
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(
eventFromEventPusher(
org.NewIDPConfigAddedEvent(context.Background(),
@ -823,11 +872,43 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
err: caos_errs.IsErrorInvalidArgument,
},
},
{
name: "login policy not exist, not found error",
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(),
),
},
args: args{
ctx: context.Background(),
resourceOwner: "org1",
provider: &domain.IDPProvider{
IDPConfigID: "config1",
},
},
res: res{
err: caos_errs.IsNotFound,
},
},
{
name: "provider not existing, not found error",
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
true,
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(),
),
},
@ -861,6 +942,8 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(
eventFromEventPusher(
org.NewIdentityProviderAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
@ -905,6 +988,8 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(
eventFromEventPusher(
org.NewIdentityProviderAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
@ -956,6 +1041,8 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(
eventFromEventPusher(
org.NewIdentityProviderAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
@ -1015,6 +1102,8 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
domain.PasswordlessTypeAllowed,
),
),
),
expectFilter(
eventFromEventPusher(
org.NewIdentityProviderAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
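Review bot: The unchanged fixture line at L358 builds its aggregate with `&org.NewAggregate("org1", "or1").Aggregate` while every sibling fixture in this file uses `"org1", "org1"`; the test presumably still passes because the second argument does not affect the filter expectation, but it is worth aligning with the others while this table is being edited so a later assertion on the resource owner does not trip on it. The new cases themselves, like those in the IAM test file, only exercise the PolicyStateUnspecified branch of the added guard.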


@ -30,6 +30,9 @@ func (o *Org) appendAddIdpProviderToLoginPolicyEvent(event *es_models.Event) err
return err
}
provider.ObjectRoot.CreationDate = event.CreationDate
if o.LoginPolicy == nil {
return nil
}
o.LoginPolicy.IDPProviders = append(o.LoginPolicy.IDPProviders, provider)
return nil
}
@ -40,6 +43,9 @@ func (o *Org) appendRemoveIdpProviderFromLoginPolicyEvent(event *es_models.Event
if err != nil {
return err
}
if o.LoginPolicy == nil {
return nil
}
if i, m := iam_es_model.GetIDPProvider(o.LoginPolicy.IDPProviders, provider.IDPConfigID); m != nil {
o.LoginPolicy.IDPProviders[i] = o.LoginPolicy.IDPProviders[len(o.LoginPolicy.IDPProviders)-1]
o.LoginPolicy.IDPProviders[len(o.LoginPolicy.IDPProviders)-1] = nil
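Review bot: The two added `if o.LoginPolicy == nil { return nil }` guards (L466-L468 and L476-L478) silently drop an IDP-provider event that arrives without a preceding login-policy event, and nothing in the hunk says whether that stream shape is expected or a sign of a corrupted projection; a one-line comment would make the intent reviewable, e.g. `// a provider event without a preceding login policy event is skipped rather than failing the whole replay`. If such streams are not expected in practice, logging the event ID at debug level before returning would keep the best-effort behaviour while leaving a trace for investigation. Both appendAddIdpProviderToLoginPolicyEvent and appendRemoveIdpProviderFromLoginPolicyEvent start before their hunks, and the second continues past it.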