feat: Login, OP Support and Auth Queries (#177)

* fix: change oidc config * fix: change oidc config secret * begin models * begin repo * fix: implement grpc app funcs * fix: add application requests * fix: converter * fix: converter * fix: converter and generate clientid * fix: tests * feat: project grant aggregate * feat: project grant * fix: project grant check if role existing * fix: project grant requests * fix: project grant fixes * fix: project grant member model * fix: project grant member aggregate * fix: project grant member eventstore * fix: project grant member requests * feat: user model * begin repo * repo models and more * feat: user command side * lots of functions * user command side * profile requests * commit before rebase on user * save * local config with gopass and more * begin new auth command (user centric) * Update internal/user/model/user.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/address.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/address.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/email.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/email.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/email.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/mfa.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/mfa.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/password.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/password.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/password.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/phone.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/phone.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/phone.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/user.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/user.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/user.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/usergrant/repository/eventsourcing/model/user_grant.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/usergrant/repository/eventsourcing/model/user_grant.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/usergrant/repository/eventsourcing/user_grant.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/user_test.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/eventstore_mock_test.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * changes from mr review * save files into basedir * changes from mr review * changes from mr review * move to auth request * Update internal/usergrant/repository/eventsourcing/cache.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/usergrant/repository/eventsourcing/cache.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * changes requested on mr * fix generate codes * fix return if no events * password code * email verification step * more steps * lot of mfa * begin tests * more next steps * auth api * auth api (user) * auth api (user) * auth api (user) * differ requests * merge * tests * fix compilation error * mock for id generator * Update internal/user/repository/eventsourcing/model/password.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/user/repository/eventsourcing/model/user.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * requests of mr * check email * begin separation of command and query * otp * change packages * some cleanup and fixes * tests for auth request / next steps * add VerificationLifetimes to config and make it run * tests * fix code challenge validation * cleanup * fix merge * begin view * repackaging tests and configs * fix startup config for auth * add migration * add PromptSelectAccount * fix copy / paste * remove user_agent files * fixes * fix sequences in user_session * token commands * token queries and signout * fix * fix set password test * add token handler and table * handle session init * add session state * add user view test cases * change VerifyMyMfaOTP * some fixes * fix user repo in auth api * cleanup * add user session view test * fix merge * begin oidc * user agent and more * config * keys * key command and query * add login statics * key handler * start login * login handlers * lot of fixes * merge oidc * add missing exports * add missing exports * fix some bugs * authrequestid in htmls * getrequest * update auth request * fix userid check * add username to authrequest * fix user session and auth request handling * fix UserSessionsByAgentID * fix auth request tests * fix user session on UserPasswordChanged and MfaOtpRemoved * fix MfaTypesSetupPossible * handle mfa * fill username * auth request query checks new events * fix userSessionByIDs * fix tokens * fix userSessionByIDs test * add user selection * init code * user code creation date * add init user step * add verification failed types * add verification failures * verify init code * user init code handle * user init code handle * fix userSessionByIDs * update logging * user agent cookie * browserinfo from request * add DeleteAuthRequest * add static login files to binary * add login statik to build * move generate to separate file and remove statik.go files * remove static dirs from startup.yaml * generate into separate namespaces * merge master * auth request code * auth request type mapping * fix keys * improve tokens * improve register and basic styling * fix ailerons font * improve password reset * add audience to token * all oidc apps as audience * fix test nextStep * fix email texts * remove "not set" * lot of style changes * improve copy to clipboard * fix footer * add cookie handler * remove placeholders * fix compilation after merge * fix auth config * remove comments * typo * use new secrets store * change default pws to match default policy * fixes * add todo * enable login * fix db name * Auth queries (#179) * my usersession * org structure/ auth handlers * working user grant spooler * auth internal user grants * search my project orgs * remove permissions file * my zitadel permissions * my zitadel permissions * remove unused code * authz * app searches in view * token verification * fix user grant load * fix tests * fix tests * read configs * remove unused const * remove todos * env variables * app_name * working authz * search projects * global resourceowner * Update internal/api/auth/permissions.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/api/auth/permissions.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * model2 rename * at least it works * check token expiry * search my user grants * remove token table from authz Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix test * fix ports and enable console Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
2025-12-03 04:32:13 +00:00 · 2020-06-05 07:50:04 +02:00
parent 46b60a6968
commit 8a5badddf6
293 changed files with 14189 additions and 3176 deletions
--- a/internal/auth/repository/eventsourcing/view/application.go
+++ b/internal/auth/repository/eventsourcing/view/application.go
@@ -0,0 +1,105 @@
+package view
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/errors"
+	global_model "github.com/caos/zitadel/internal/model"
+	proj_model "github.com/caos/zitadel/internal/project/model"
+	"github.com/caos/zitadel/internal/project/repository/view"
+	"github.com/caos/zitadel/internal/project/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view"
+)
+
+const (
+	applicationTable = "auth.applications"
+)
+
+func (v *View) ApplicationByID(appID string) (*model.ApplicationView, error) {
+	return view.ApplicationByID(v.Db, applicationTable, appID)
+}
+
+func (v *View) SearchApplications(request *proj_model.ApplicationSearchRequest) ([]*model.ApplicationView, int, error) {
+	return view.SearchApplications(v.Db, applicationTable, request)
+}
+
+func (v *View) PutApplication(project *model.ApplicationView) error {
+	err := view.PutApplication(v.Db, applicationTable, project)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedApplicationSequence(project.Sequence)
+}
+
+func (v *View) DeleteApplication(appID string, eventSequence uint64) error {
+	err := view.DeleteApplication(v.Db, applicationTable, appID)
+	if err != nil {
+		return nil
+	}
+	return v.ProcessedApplicationSequence(eventSequence)
+}
+
+func (v *View) GetLatestApplicationSequence() (uint64, error) {
+	return v.latestSequence(applicationTable)
+}
+
+func (v *View) ProcessedApplicationSequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(applicationTable, eventSequence)
+}
+
+func (v *View) GetLatestApplicationFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(applicationTable, sequence)
+}
+
+func (v *View) ProcessedApplicationFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}
+
+func (v *View) ApplicationByClientID(_ context.Context, clientID string) (*model.ApplicationView, error) {
+	req := &proj_model.ApplicationSearchRequest{
+		Limit: 1,
+		Queries: []*proj_model.ApplicationSearchQuery{
+			{
+				Key:    proj_model.APPLICATIONSEARCHKEY_OIDC_CLIENT_ID,
+				Method: global_model.SEARCHMETHOD_EQUALS,
+				Value:  clientID,
+			},
+		},
+	}
+	apps, count, err := view.SearchApplications(v.Db, applicationTable, req)
+	if err != nil {
+		return nil, errors.ThrowPreconditionFailed(err, "VIEW-sd6JQ", "cannot find client")
+	}
+	if count != 1 {
+		return nil, errors.ThrowPreconditionFailed(nil, "VIEW-dfw3as", "cannot find client")
+	}
+	return apps[0], nil
+}
+
+func (v *View) AppIDsFromProjectByClientID(ctx context.Context, clientID string) ([]string, error) {
+	app, err := v.ApplicationByClientID(ctx, clientID)
+	if err != nil {
+		return nil, err
+	}
+	req := &proj_model.ApplicationSearchRequest{
+		Queries: []*proj_model.ApplicationSearchQuery{
+			{
+				Key:    proj_model.APPLICATIONSEARCHKEY_PROJECT_ID,
+				Method: global_model.SEARCHMETHOD_EQUALS,
+				Value:  app.ProjectID,
+			},
+		},
+	}
+	apps, _, err := view.SearchApplications(v.Db, applicationTable, req)
+	if err != nil {
+		return nil, errors.ThrowPreconditionFailed(err, "VIEW-Gd24q", "cannot find applications")
+	}
+	ids := make([]string, 0, len(apps))
+	for _, app := range apps {
+		if !app.IsOIDC {
+			continue
+		}
+		ids = append(ids, app.OIDCClientID)
+	}
+	return ids, nil
+}
--- a/internal/auth/repository/eventsourcing/view/key.go
+++ b/internal/auth/repository/eventsourcing/view/key.go
@@ -0,0 +1,72 @@
+package view
+
+import (
+	key_model "github.com/caos/zitadel/internal/key/model"
+	"github.com/caos/zitadel/internal/key/repository/view"
+	"github.com/caos/zitadel/internal/key/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view"
+)
+
+const (
+	keyTable = "auth.keys"
+)
+
+func (v *View) KeyByIDAndType(keyID string, private bool) (*model.KeyView, error) {
+	return view.KeyByIDAndType(v.Db, keyTable, keyID, private)
+}
+
+func (v *View) GetSigningKey() (*key_model.SigningKey, error) {
+	key, err := view.GetSigningKey(v.Db, keyTable)
+	if err != nil {
+		return nil, err
+	}
+	return key_model.SigningKeyFromKeyView(model.KeyViewToModel(key), v.keyAlgorithm)
+}
+
+func (v *View) GetActiveKeySet() ([]*key_model.PublicKey, error) {
+	keys, err := view.GetActivePublicKeys(v.Db, keyTable)
+	if err != nil {
+		return nil, err
+	}
+	return key_model.PublicKeysFromKeyView(model.KeyViewsToModel(keys), v.keyAlgorithm)
+}
+
+func (v *View) PutKeys(privateKey, publicKey *model.KeyView, eventSequence uint64) error {
+	err := view.PutKeys(v.Db, keyTable, privateKey, publicKey)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedKeySequence(eventSequence)
+}
+
+func (v *View) DeleteKey(keyID string, private bool, eventSequence uint64) error {
+	err := view.DeleteKey(v.Db, keyTable, keyID, private)
+	if err != nil {
+		return nil
+	}
+	return v.ProcessedKeySequence(eventSequence)
+}
+
+func (v *View) DeleteKeyPair(keyID string, eventSequence uint64) error {
+	err := view.DeleteKeyPair(v.Db, keyTable, keyID)
+	if err != nil {
+		return nil
+	}
+	return v.ProcessedKeySequence(eventSequence)
+}
+
+func (v *View) GetLatestKeySequence() (uint64, error) {
+	return v.latestSequence(keyTable)
+}
+
+func (v *View) ProcessedKeySequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(keyTable, eventSequence)
+}
+
+func (v *View) GetLatestKeyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(keyTable, sequence)
+}
+
+func (v *View) ProcessedKeyFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}
--- a/internal/auth/repository/eventsourcing/view/org.go
+++ b/internal/auth/repository/eventsourcing/view/org.go
@@ -0,0 +1,43 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/org/model"
+	org_view "github.com/caos/zitadel/internal/org/repository/view"
+	"github.com/caos/zitadel/internal/view"
+)
+
+const (
+	orgTable = "auth.orgs"
+)
+
+func (v *View) OrgByID(orgID string) (*org_view.OrgView, error) {
+	return org_view.OrgByID(v.Db, orgTable, orgID)
+}
+
+func (v *View) SearchOrgs(req *model.OrgSearchRequest) ([]*org_view.OrgView, int, error) {
+	return org_view.SearchOrgs(v.Db, orgTable, req)
+}
+
+func (v *View) PutOrg(org *org_view.OrgView) error {
+	err := org_view.PutOrg(v.Db, orgTable, org)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedOrgSequence(org.Sequence)
+}
+
+func (v *View) GetLatestOrgFailedEvent(sequence uint64) (*view.FailedEvent, error) {
+	return v.latestFailedEvent(orgTable, sequence)
+}
+
+func (v *View) ProcessedOrgFailedEvent(failedEvent *view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}
+
+func (v *View) GetLatestOrgSequence() (uint64, error) {
+	return v.latestSequence(orgTable)
+}
+
+func (v *View) ProcessedOrgSequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(orgTable, eventSequence)
+}
--- a/internal/auth/repository/eventsourcing/view/token.go
+++ b/internal/auth/repository/eventsourcing/view/token.go
@@ -20,17 +20,23 @@ func (v *View) IsTokenValid(tokenID string) (bool, error) {
 	return view.IsTokenValid(v.Db, tokenTable, tokenID)
 }

-func (v *View) CreateToken(agentID, applicationID, userID string, lifetime time.Duration) (*model.Token, error) {
+func (v *View) CreateToken(agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*model.Token, error) {
+	id, err := v.idGenerator.Next()
+	if err != nil {
+		return nil, err
+	}
 	now := time.Now().UTC()
 	token := &model.Token{
+		ID:            id,
 		CreationDate:  now,
 		UserID:        userID,
 		ApplicationID: applicationID,
 		UserAgentID:   agentID,
+		Scopes:        scopes,
+		Audience:      audience,
 		Expiration:    now.Add(lifetime),
 	}
-	err := view.PutToken(v.Db, tokenTable, token)
-	if err != nil {
+	if err := view.PutToken(v.Db, tokenTable, token); err != nil {
 		return nil, err
 	}
 	return token, nil
--- a/internal/auth/repository/eventsourcing/view/user_grant.go
+++ b/internal/auth/repository/eventsourcing/view/user_grant.go
@@ -0,0 +1,64 @@
+package view
+
+import (
+	grant_model "github.com/caos/zitadel/internal/usergrant/model"
+	"github.com/caos/zitadel/internal/usergrant/repository/view"
+	"github.com/caos/zitadel/internal/usergrant/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view"
+)
+
+const (
+	userGrantTable = "auth.user_grants"
+)
+
+func (v *View) UserGrantByID(grantID string) (*model.UserGrantView, error) {
+	return view.UserGrantByID(v.Db, userGrantTable, grantID)
+}
+
+func (v *View) UserGrantByIDs(resourceOwnerID, projectID, userID string) (*model.UserGrantView, error) {
+	return view.UserGrantByIDs(v.Db, userGrantTable, resourceOwnerID, projectID, userID)
+}
+
+func (v *View) UserGrantsByUserID(userID string) ([]*model.UserGrantView, error) {
+	return view.UserGrantsByUserID(v.Db, userGrantTable, userID)
+}
+
+func (v *View) UserGrantsByProjectID(projectID string) ([]*model.UserGrantView, error) {
+	return view.UserGrantsByProjectID(v.Db, userGrantTable, projectID)
+}
+
+func (v *View) SearchUserGrants(request *grant_model.UserGrantSearchRequest) ([]*model.UserGrantView, int, error) {
+	return view.SearchUserGrants(v.Db, userGrantTable, request)
+}
+
+func (v *View) PutUserGrant(grant *model.UserGrantView, sequence uint64) error {
+	err := view.PutUserGrant(v.Db, userGrantTable, grant)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedUserGrantSequence(sequence)
+}
+
+func (v *View) DeleteUserGrant(grantID string, eventSequence uint64) error {
+	err := view.DeleteUserGrant(v.Db, userGrantTable, grantID)
+	if err != nil {
+		return nil
+	}
+	return v.ProcessedUserGrantSequence(eventSequence)
+}
+
+func (v *View) GetLatestUserGrantSequence() (uint64, error) {
+	return v.latestSequence(userGrantTable)
+}
+
+func (v *View) ProcessedUserGrantSequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(userGrantTable, eventSequence)
+}
+
+func (v *View) GetLatestUserGrantFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(userGrantTable, sequence)
+}
+
+func (v *View) ProcessedUserGrantFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}
--- a/internal/auth/repository/eventsourcing/view/user_session.go
+++ b/internal/auth/repository/eventsourcing/view/user_session.go
@@ -10,14 +10,14 @@ const (
 	userSessionTable = "auth.user_sessions"
 )

-func (v *View) UserSessionByID(sessionID string) (*model.UserSessionView, error) {
-	return view.UserSessionByID(v.Db, userSessionTable, sessionID)
-}
-
 func (v *View) UserSessionByIDs(agentID, userID string) (*model.UserSessionView, error) {
 	return view.UserSessionByIDs(v.Db, userSessionTable, agentID, userID)
 }

+func (v *View) UserSessionsByUserID(userID string) ([]*model.UserSessionView, error) {
+	return view.UserSessionsByUserID(v.Db, userSessionTable, userID)
+}
+
 func (v *View) UserSessionsByAgentID(agentID string) ([]*model.UserSessionView, error) {
 	return view.UserSessionsByAgentID(v.Db, userSessionTable, agentID)
 }
--- a/internal/auth/repository/eventsourcing/view/view.go
+++ b/internal/auth/repository/eventsourcing/view/view.go
@@ -4,19 +4,26 @@ import (
 	"database/sql"

 	"github.com/jinzhu/gorm"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/id"
 )

 type View struct {
-	Db *gorm.DB
+	Db           *gorm.DB
+	keyAlgorithm crypto.EncryptionAlgorithm
+	idGenerator  id.Generator
 }

-func StartView(sqlClient *sql.DB) (*View, error) {
+func StartView(sqlClient *sql.DB, keyAlgorithm crypto.EncryptionAlgorithm, idGenerator id.Generator) (*View, error) {
 	gorm, err := gorm.Open("postgres", sqlClient)
 	if err != nil {
 		return nil, err
 	}
 	return &View{
-		Db: gorm,
+		Db:           gorm,
+		keyAlgorithm: keyAlgorithm,
+		idGenerator:  idGenerator,
 	}, nil
 }