diff --git a/internal/command/iam_policy_login.go b/internal/command/iam_policy_login.go index ccf1052823..66df4c92c1 100644 --- a/internal/command/iam_policy_login.go +++ b/internal/command/iam_policy_login.go @@ -2,6 +2,7 @@ package command import ( "context" + "github.com/caos/logging" "github.com/caos/zitadel/internal/domain" caos_errs "github.com/caos/zitadel/internal/errors" @@ -88,7 +89,16 @@ func (c *Commands) AddIDPProviderToDefaultLoginPolicy(ctx context.Context, idpPr if !idpProvider.IsValid() { return nil, caos_errs.ThrowInvalidArgument(nil, "IAM-9nf88", "Errors.IAM.LoginPolicy.IDP.Invalid") } - _, err := c.getIAMIDPConfigByID(ctx, idpProvider.IDPConfigID) + existingPolicy := NewIAMLoginPolicyWriteModel() + err := c.defaultLoginPolicyWriteModelByID(ctx, existingPolicy) + if err != nil { + return nil, err + } + if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved { + return nil, caos_errs.ThrowNotFound(nil, "IAM-GVDfe", "Errors.IAM.LoginPolicy.NotFound") + } + + _, err = c.getIAMIDPConfigByID(ctx, idpProvider.IDPConfigID) if err != nil { return nil, caos_errs.ThrowPreconditionFailed(err, "IAM-m8fsd", "Errors.IDPConfig.NotExisting") } 
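Review bot: The added `"github.com/caos/logging"` import is not referenced by any line in the shown hunks of iam_policy_login.go; Go rejects unused imports, so either a use exists outside these hunks or the file does not build as shown. If the import was meant for the write-model change in login_policy.go, it belongs in that file instead. Drop the line unless something in this file actually calls `logging`.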
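Review bot: The existence guard `existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved` is written as a deny-list, so any state value introduced later is silently treated as an existing policy; if the domain package defines an active state, `if existingPolicy.State != domain.PolicyStateActive {` is the deny-by-default form and reads as the precondition it is — confirm no other state is meant to pass. The same two-clause check is copied verbatim into three more command sites in this change; one helper, e.g. `func loginPolicyExists(state domain.PolicyState) bool`, would keep all four in step. Note too that `existingPolicy` is loaded and then discarded: the push happens after the hunk, so whether the check is bound to the policy's sequence (i.e. whether a concurrent removal between check and push is detected) cannot be judged from here and deserves a comment either way. AddIDPProviderToDefaultLoginPolicy's body continues outside the hunk.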
@@ -117,8 +127,17 @@ func (c *Commands) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Context,
 if !idpProvider.IsValid() {
 return nil, caos_errs.ThrowInvalidArgument(nil, "IAM-66m9s", "Errors.IAM.LoginPolicy.IDP.Invalid")
 }
+ existingPolicy := NewIAMLoginPolicyWriteModel()
+ err := c.defaultLoginPolicyWriteModelByID(ctx, existingPolicy)
+ if err != nil {
+ return nil, err
+ }
+ if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
+ return nil, caos_errs.ThrowNotFound(nil, "IAM-Dfg4t", "Errors.IAM.LoginPolicy.NotFound")
+ }
+
 idpModel := NewIAMIdentityProviderWriteModel(idpProvider.IDPConfigID)
- err := c.eventstore.FilterToQueryReducer(ctx, idpModel)
+ err = c.eventstore.FilterToQueryReducer(ctx, idpModel)
 if err != nil {
 return nil, err
 }
diff --git a/internal/command/iam_policy_login_test.go b/internal/command/iam_policy_login_test.go
index b36b7ae168..bbaa0806a1 100644
--- a/internal/command/iam_policy_login_test.go
+++ b/internal/command/iam_policy_login_test.go
@@ -313,11 +313,42 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) {
 err: caos_errs.IsErrorInvalidArgument,
 },
 },
+ {
+ name: "policy not existing, not found error",
+ fields: fields{
+ eventstore: eventstoreExpect(
+ t,
+ expectFilter(),
+ ),
+ },
+ args: args{
+ ctx: context.Background(),
+ provider: &domain.IDPProvider{
+ IDPConfigID: "config1",
+ },
+ },
+ res: res{
+ err: caos_errs.IsNotFound,
+ },
+ },
 {
 name: "config not existing, precondition error",
 fields: fields{
 eventstore: eventstoreExpect(
 t,
+ expectFilter(
+ eventFromEventPusher(
+ iam.NewLoginPolicyAddedEvent(context.Background(),
+ &iam.NewAggregate().Aggregate,
+ true,
+ true,
+ true,
+ true,
+ true,
+ domain.PasswordlessTypeAllowed,
+ ),
+ ),
+ ),
 expectFilter(),
 ),
 },
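Review bot: The policy-existence block inserted before `idpModel := NewIAMIdentityProviderWriteModel(...)` is the same eight lines that now appear in the IAM add command and in both org commands, differing only in the error identifier and i18n key; a shared `loginPolicyExists(state domain.PolicyState) bool` helper, or a method on the login-policy write models, would make the rule change in one place. Every remove now also performs an extra eventstore filter before the provider lookup, which is a reasonable price for the guard but deserves a one-line comment such as `// refuse to touch providers of a policy that was never created or was removed` so the query is not dropped later as redundant. RemoveIDPProviderFromDefaultLoginPolicy's body continues outside the hunk.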
@@ -336,6 +367,19 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) { fields: fields{ eventstore: eventstoreExpect( t, + expectFilter( + eventFromEventPusher( + iam.NewLoginPolicyAddedEvent(context.Background(), + &iam.NewAggregate().Aggregate, + true, + true, + true, + true, + true, + domain.PasswordlessTypeAllowed, + ), + ), + ), expectFilter( eventFromEventPusher( iam.NewIDPConfigAddedEvent(context.Background(), @@ -349,17 +393,6 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) { ), ), expectFilter( - eventFromEventPusher( - iam.NewLoginPolicyAddedEvent(context.Background(), - &iam.NewAggregate().Aggregate, - true, - true, - true, - true, - true, - domain.PasswordlessTypeAllowed, - ), - ), eventFromEventPusher( iam.NewIdentityProviderAddedEvent(context.Background(), &iam.NewAggregate().Aggregate, @@ -384,6 +417,19 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) { fields: fields{ eventstore: eventstoreExpect( t, + expectFilter( + eventFromEventPusher( + iam.NewLoginPolicyAddedEvent(context.Background(), + &iam.NewAggregate().Aggregate, + true, + true, + true, + true, + true, + domain.PasswordlessTypeAllowed, + ), + ), + ), expectFilter( eventFromEventPusher( iam.NewIDPConfigAddedEvent(context.Background(), 
@@ -478,11 +524,42 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) { err: caos_errs.IsErrorInvalidArgument, }, }, + { + name: "login policy not existing, not found error", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter(), + ), + }, + args: args{ + ctx: context.Background(), + provider: &domain.IDPProvider{ + IDPConfigID: "config1", + }, + }, + res: res{ + err: caos_errs.IsNotFound, + }, + }, { name: "provider not existing, not found error", fields: fields{ eventstore: eventstoreExpect( t, + expectFilter( + eventFromEventPusher( + iam.NewLoginPolicyAddedEvent(context.Background(), + &iam.NewAggregate().Aggregate, + true, + true, + true, + true, + true, + domain.PasswordlessTypeAllowed, + ), + ), + ), expectFilter(), ), }, @@ -513,6 +590,8 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) { domain.PasswordlessTypeAllowed, ), ), + ), + expectFilter( eventFromEventPusher( iam.NewIdentityProviderAddedEvent(context.Background(), &iam.NewAggregate().Aggregate, @@ -555,6 +634,8 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) { domain.PasswordlessTypeAllowed, ), ), + ), + expectFilter( eventFromEventPusher( iam.NewIdentityProviderAddedEvent(context.Background(), &iam.NewAggregate().Aggregate, @@ -602,6 +683,8 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) { domain.PasswordlessTypeAllowed, ), ), + ), + expectFilter( eventFromEventPusher( iam.NewIdentityProviderAddedEvent(context.Background(), &iam.NewAggregate().Aggregate, @@ -657,6 +740,8 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) { domain.PasswordlessTypeAllowed, ), ), + ), + expectFilter( eventFromEventPusher( iam.NewIdentityProviderAddedEvent(context.Background(), &iam.NewAggregate().Aggregate, diff --git a/internal/command/org_policy_login.go b/internal/command/org_policy_login.go index 9460898592..88e19d486a 100644 --- a/internal/command/org_policy_login.go 
+++ b/internal/command/org_policy_login.go
@@ -165,7 +165,14 @@ func (c *Commands) AddIDPProviderToLoginPolicy(ctx context.Context, resourceOwne
 if !idpProvider.IsValid() {
 return nil, caos_errs.ThrowInvalidArgument(nil, "Org-9nf88", "Errors.Org.LoginPolicy.IDP.")
 }
- var err error
+ existingPolicy, err := c.orgLoginPolicyWriteModelByID(ctx, resourceOwner)
+ if err != nil {
+ return nil, err
+ }
+ if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
+ return nil, caos_errs.ThrowNotFound(nil, "Org-Ffgw2", "Errors.Org.LoginPolicy.NotFound")
+ }
+
 if idpProvider.Type == domain.IdentityProviderTypeOrg {
 _, err = c.getOrgIDPConfigByID(ctx, idpProvider.IDPConfigID, resourceOwner)
 } else {
@@ -202,8 +209,16 @@ func (c *Commands) RemoveIDPProviderFromLoginPolicy(ctx context.Context, resourc
 if !idpProvider.IsValid() {
 return nil, caos_errs.ThrowInvalidArgument(nil, "Org-66m9s", "Errors.Org.LoginPolicy.IDP.Invalid")
 }
+ existingPolicy, err := c.orgLoginPolicyWriteModelByID(ctx, resourceOwner)
+ if err != nil {
+ return nil, err
+ }
+ if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
+ return nil, caos_errs.ThrowNotFound(nil, "Org-GVDfe", "Errors.Org.LoginPolicy.NotFound")
+ }
+
 idpModel := NewOrgIdentityProviderWriteModel(resourceOwner, idpProvider.IDPConfigID)
- err := c.eventstore.FilterToQueryReducer(ctx, idpModel)
+ err = c.eventstore.FilterToQueryReducer(ctx, idpModel)
 if err != nil {
 return nil, err
 }
diff --git a/internal/command/org_policy_login_test.go b/internal/command/org_policy_login_test.go
index ff4cbb4719..e5d364554e 100644
--- a/internal/command/org_policy_login_test.go
+++ b/internal/command/org_policy_login_test.go
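Review bot: The invalid-argument branch directly above the new guard still throws the truncated i18n key `"Errors.Org.LoginPolicy.IDP."`, while RemoveIDPProviderFromLoginPolicy and the IAM variant use `"Errors.Org.LoginPolicy.IDP.Invalid"`; it is a context line, but this commit is reworking exactly this precondition chain, so fix it to `return nil, caos_errs.ThrowInvalidArgument(nil, "Org-9nf88", "Errors.Org.LoginPolicy.IDP.Invalid")`. The new existence check is keyed on `resourceOwner` only, which is right for an org-scoped policy, but in the `else` branch that follows an org may attach an IAM-level IDP config; nothing visible in this hunk verifies the org is permitted to reference that system-wide config, so if such a restriction exists it is enforced elsewhere and worth a comment here. AddIDPProviderToLoginPolicy's body continues outside the hunk.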
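Review bot: The new not-found throw uses the identifier `Org-GVDfe`, whose suffix duplicates `IAM-GVDfe` used by the new throw in AddIDPProviderToDefaultLoginPolicy; if these identifiers are how a log line is traced back to its throw site, two sites sharing a suffix defeats that, so give this one a fresh random suffix. The guard itself (`State == PolicyStateUnspecified || State == PolicyStateRemoved`) is the same deny-list form as in the other three sites; `!= domain.PolicyStateActive` would be the safer default if the enum has an active value — confirm before changing. RemoveIDPProviderFromLoginPolicy's body continues outside the hunk.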
@@ -625,11 +625,45 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) { err: caos_errs.IsErrorInvalidArgument, }, }, + { + name: "policy not existing, not found error", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter(), + ), + }, + args: args{ + ctx: context.Background(), + resourceOwner: "org1", + provider: &domain.IDPProvider{ + IDPConfigID: "config1", + Name: "name", + Type: domain.IdentityProviderTypeOrg, + }, + }, + res: res{ + err: caos_errs.IsNotFound, + }, + }, { name: "config not existing, precondition error", fields: fields{ eventstore: eventstoreExpect( t, + expectFilter( + eventFromEventPusher( + org.NewLoginPolicyAddedEvent(context.Background(), + &org.NewAggregate("org1", "org1").Aggregate, + true, + true, + true, + true, + true, + domain.PasswordlessTypeAllowed, + ), + ), + ), expectFilter(), ), }, @@ -651,6 +685,19 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) { fields: fields{ eventstore: eventstoreExpect( t, + expectFilter( + eventFromEventPusher( + org.NewLoginPolicyAddedEvent(context.Background(), + &org.NewAggregate("org1", "org1").Aggregate, + true, + true, + true, + true, + true, + domain.PasswordlessTypeAllowed, + ), + ), + ), expectFilter( eventFromEventPusher( org.NewIDPConfigAddedEvent(context.Background(), @@ -664,17 +711,6 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) { ), ), expectFilter( - eventFromEventPusher( - org.NewLoginPolicyAddedEvent(context.Background(), - &org.NewAggregate("org1", "org1").Aggregate, - true, - true, - true, - true, - true, - domain.PasswordlessTypeAllowed, - ), - ), eventFromEventPusher( org.NewIdentityProviderAddedEvent(context.Background(), &org.NewAggregate("org1", "or1").Aggregate, 
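Review bot: The new "policy not existing, not found error" case only exercises the `PolicyStateUnspecified` half of the guard, since `expectFilter()` returns no events at all; the `PolicyStateRemoved` branch introduced by the same change has no test. Add a case whose first `expectFilter` returns `org.NewLoginPolicyAddedEvent(...)` followed by the org login-policy removed event (its constructor is not visible in this diff) and expects `caos_errs.IsNotFound`, and mirror it in TestCommandSide_RemoveIDPProviderLoginPolicy. The test table starts and ends outside the hunk.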
@@ -703,6 +739,19 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) { fields: fields{ eventstore: eventstoreExpect( t, + expectFilter( + eventFromEventPusher( + org.NewLoginPolicyAddedEvent(context.Background(), + &org.NewAggregate("org1", "org1").Aggregate, + true, + true, + true, + true, + true, + domain.PasswordlessTypeAllowed, + ), + ), + ), expectFilter( eventFromEventPusher( org.NewIDPConfigAddedEvent(context.Background(), @@ -823,11 +872,43 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) { err: caos_errs.IsErrorInvalidArgument, }, }, + { + name: "login policy not exist, not found error", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter(), + ), + }, + args: args{ + ctx: context.Background(), + resourceOwner: "org1", + provider: &domain.IDPProvider{ + IDPConfigID: "config1", + }, + }, + res: res{ + err: caos_errs.IsNotFound, + }, + }, { name: "provider not existing, not found error", fields: fields{ eventstore: eventstoreExpect( t, + expectFilter( + eventFromEventPusher( + org.NewLoginPolicyAddedEvent(context.Background(), + &org.NewAggregate("org1", "org1").Aggregate, + true, + true, + true, + true, + true, + domain.PasswordlessTypeAllowed, + ), + ), + ), expectFilter(), ), }, @@ -861,6 +942,8 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) { domain.PasswordlessTypeAllowed, ), ), + ), + expectFilter( eventFromEventPusher( org.NewIdentityProviderAddedEvent(context.Background(), &org.NewAggregate("org1", "org1").Aggregate, @@ -905,6 +988,8 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) { domain.PasswordlessTypeAllowed, ), ), + ), + expectFilter( eventFromEventPusher( org.NewIdentityProviderAddedEvent(context.Background(), &org.NewAggregate("org1", "org1").Aggregate, 
@@ -956,6 +1041,8 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
 domain.PasswordlessTypeAllowed,
 ),
 ),
+ ),
+ expectFilter(
 eventFromEventPusher(
 org.NewIdentityProviderAddedEvent(context.Background(),
 &org.NewAggregate("org1", "org1").Aggregate,
@@ -1015,6 +1102,8 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
 domain.PasswordlessTypeAllowed,
 ),
 ),
+ ),
+ expectFilter(
 eventFromEventPusher(
 org.NewIdentityProviderAddedEvent(context.Background(),
 &org.NewAggregate("org1", "org1").Aggregate,
diff --git a/internal/org/repository/eventsourcing/model/login_policy.go b/internal/org/repository/eventsourcing/model/login_policy.go
index a9b67ceded..1371315775 100644
--- a/internal/org/repository/eventsourcing/model/login_policy.go
+++ b/internal/org/repository/eventsourcing/model/login_policy.go
@@ -30,6 +30,9 @@ func (o *Org) appendAddIdpProviderToLoginPolicyEvent(event *es_models.Event) err
 return err
 }
 provider.ObjectRoot.CreationDate = event.CreationDate
+ if o.LoginPolicy == nil {
+ return nil
+ }
 o.LoginPolicy.IDPProviders = append(o.LoginPolicy.IDPProviders, provider)
 return nil
 }
@@ -40,6 +43,9 @@ func (o *Org) appendRemoveIdpProviderFromLoginPolicyEvent(event *es_models.Event
 if err != nil {
 return err
 }
+ if o.LoginPolicy == nil {
+ return nil
+ }
 if i, m := iam_es_model.GetIDPProvider(o.LoginPolicy.IDPProviders, provider.IDPConfigID); m != nil {
 o.LoginPolicy.IDPProviders[i] = o.LoginPolicy.IDPProviders[len(o.LoginPolicy.IDPProviders)-1]
 o.LoginPolicy.IDPProviders[len(o.LoginPolicy.IDPProviders)-1] = nil
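Review bot: Returning `nil` when `o.LoginPolicy == nil` silently drops an identity-provider-added event from the org read model, which hides exactly the inconsistency (a provider attached to a policy that does not exist) that the new command-side guard is meant to prevent; a nil-pointer panic was worse, but a silent skip should at least be explained and, if this package logs, reported with the event's sequence and aggregate ID so historical bad events remain visible in audits. Add a comment above the guard such as `// old event streams can carry provider events for an org without a login policy; skip them instead of dereferencing nil` — the reason is inferred from the commit, so confirm it. The same unexplained skip is added to appendRemoveIdpProviderFromLoginPolicyEvent in the next hunk. Both functions start outside their hunks.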