diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 899ab5a036..25969473d2 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,15 +1,27 @@ -### Definition of Ready +# Which Problems Are Solved -- [ ] I am happy with the code -- [ ] Short description of the feature/issue is added in the pr description -- [ ] PR is linked to the corresponding user story -- [ ] Acceptance criteria are met -- [ ] All open todos and follow ups are defined in a new ticket and justified -- [ ] Deviations from the acceptance criteria and design are agreed with the PO and documented. -- [ ] No debug or dead code -- [ ] My code has no repetitions -- [ ] Critical parts are tested automatically -- [ ] Where possible E2E tests are implemented -- [ ] Documentation/examples are up-to-date -- [ ] All non-functional requirements are met -- [ ] Functionality of the acceptance criteria is checked manually on the dev system. +Replace this example text with a concise list of problems that this PR solves. +For example: +- If the property XY is not given, the system crashes with a nil pointer exception. + +# How the Problems Are Solved + +Replace this example text with a concise list of changes that this PR introduces. +For example: +- Validates if property XY is given and throws an error if not + +# Additional Changes + +Replace this example text with a concise list of additional changes that this PR introduces, that are not directly solving the initial problem but are related. +For example: +- The docs explicitly describe that the property XY is mandatory +- Adds missing translations for validations. + +# Additional Context + +Replace this example with links to related issues, discussions, discord threads, or other sources with more context. +Use the Closing #issue syntax for issues that are resolved with this PR. +- Closes #123 +- Discussion #456 +- Follow-up for PR #789 +- https://discord.com/channels/123/456 \ No newline at end of file diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index ee49ed33c9..6796658f6f 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -5,6 +5,7 @@ on: jobs: test: + timeout-minutes: 10 strategy: fail-fast: false matrix: diff --git a/.github/workflows/ready_for_review.yml b/.github/workflows/ready_for_review.yml new file mode 100644 index 0000000000..2ead263dc9 --- /dev/null +++ b/.github/workflows/ready_for_review.yml @@ -0,0 +1,31 @@ +on: + pull_request: + types: [opened] + +jobs: + comment: + runs-on: ubuntu-latest + steps: + - uses: actions/github-script@v7 + with: + script: | + const content = `### Thanks for your contribution @${{ github.event.pull_request.user.login }}! 🎉 + + Please make sure you tick the following checkboxes before marking this Pull Request (PR) as ready for review: + + - [ ] I am happy with the code + - [ ] Documentations and examples are up-to-date + - [ ] Logical behavior changes are tested automatically + - [ ] No debug or dead code + - [ ] My code has no repetitions + - [ ] The PR title adheres to the [conventional commit format](https://www.conventionalcommits.org/en/v1.0.0/) + - [ ] The example texts in the PR description are replaced. + - [ ] If there are any open TODOs or follow-ups, they are described in issues and link to this PR + - [ ] If there are deviations from a user stories acceptance criteria or design, they are agreed upon with the PO and documented. + `; + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: content + }) \ No newline at end of file diff --git a/cmd/defaults.yaml b/cmd/defaults.yaml index b8d7952be3..ae6b815037 100644 --- a/cmd/defaults.yaml +++ b/cmd/defaults.yaml @@ -14,16 +14,16 @@ Tracing: # for type 'otel' is used for standard [open telemetry](https://opentelemetry.io) # Fraction: 1.0 # Endpoint: 'otel.collector.endpoint' - # + # # type 'log' or '' disables tracing - # + # # for type 'google' # ProjectID: '' # Fraction: 1.0 Type: none # ZITADEL_TRACING_TYPE Fraction: 1.0 # ZITADEL_TRACING_FRACTION # The endpoint of the otel collector endpoint - Endpoint: '' #ZITADEL_TRACING_ENDPOINT + Endpoint: "" #ZITADEL_TRACING_ENDPOINT Telemetry: # As long as Enabled is true, ZITADEL tries to send usage data to the configured Telemetry.Endpoints. @@ -200,7 +200,7 @@ AssetStorage: # The Projections section defines the behavior for the scheduled and synchronous events projections. Projections: - # The maximum duration a transaction remains open + # The maximum duration a transaction remains open # before it spots left folding additional events # and updates the table. TransactionDuration: 500ms # ZITADEL_PROJECTIONS_TRANSACTIONDURATION @@ -264,7 +264,7 @@ Auth: # See Projections.BulkLimit SearchLimit: 1000 # ZITADEL_AUTH_SEARCHLIMIT Spooler: - # See Projections.TransationDuration + # See Projections.TransationDuration TransactionDuration: 10s #ZITADEL_AUTH_SPOOLER_TRANSACTIONDURATION # See Projections.BulkLimit BulkLimit: 100 #ZITADEL_AUTH_SPOOLER_BULKLIMIT @@ -704,6 +704,9 @@ DefaultInstance: PrivacyLink: https://zitadel.com/docs/legal/privacy-policy # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_PRIVACYLINK HelpLink: "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_HELPLINK SupportEmail: "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_SUPPORTEMAIL + DocsLink: https://zitadel.com/docs # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_DOCSLINK + CustomLink: "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_CUSTOMLINK + CustomLinkText: "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_CUSTOMLINKTEXT NotificationPolicy: PasswordChange: true # ZITADEL_DEFAULTINSTANCE_NOTIFICATIONPOLICY_PASSWORDCHANGE LabelPolicy: @@ -1432,4 +1435,4 @@ InitProjections: Enabled: true # ZITADEL_INITPROJECTIONS_ENABLED RetryFailedAfter: 100ms # ZITADEL_INITPROJECTIONS_RETRYFAILEDAFTER MaxFailureCount: 2 # ZITADEL_INITPROJECTIONS_MAXFAILURECOUNT - BulkLimit: 1000 # ZITADEL_INITPROJECTIONS_BULKLIMIT \ No newline at end of file + BulkLimit: 1000 # ZITADEL_INITPROJECTIONS_BULKLIMIT diff --git a/cmd/initialise/init.go b/cmd/initialise/init.go index 7451f73ad3..d45bacfc17 100644 --- a/cmd/initialise/init.go +++ b/cmd/initialise/init.go @@ -19,6 +19,7 @@ var ( createUserStmt string grantStmt string + settingsStmt string databaseStmt string createEventstoreStmt string createProjectionsStmt string @@ -53,7 +54,7 @@ The user provided by flags needs privileges to }, } - cmd.AddCommand(newZitadel(), newDatabase(), newUser(), newGrant()) + cmd.AddCommand(newZitadel(), newDatabase(), newUser(), newGrant(), newSettings()) return cmd } @@ -62,6 +63,7 @@ func InitAll(ctx context.Context, config *Config) { VerifyUser(config.Database.Username(), config.Database.Password()), VerifyDatabase(config.Database.DatabaseName()), VerifyGrant(config.Database.DatabaseName(), config.Database.Username()), + VerifySettings(config.Database.DatabaseName(), config.Database.Username()), ) logging.OnError(err).Fatal("unable to initialize the database") @@ -147,6 +149,11 @@ func ReadStmts(typ string) (err error) { return err } + settingsStmt, err = readStmt(typ, "11_settings") + if err != nil { + return err + } + return nil } diff --git a/cmd/initialise/sql/cockroach/11_settings.sql b/cmd/initialise/sql/cockroach/11_settings.sql new file mode 100644 index 0000000000..5fa9dd72f6 --- /dev/null +++ b/cmd/initialise/sql/cockroach/11_settings.sql @@ -0,0 +1,4 @@ +-- replace the first %[1]q with the database in double quotes +-- replace the second \%[2]q with the user in double quotes$ +-- For more information see technical advisory 10009 (https://zitadel.com/docs/support/advisory/a10009) +ALTER ROLE %[2]q IN DATABASE %[1]q SET enable_durable_locking_for_serializable = on; \ No newline at end of file diff --git a/cmd/initialise/sql/postgres/11_settings.sql b/cmd/initialise/sql/postgres/11_settings.sql new file mode 100644 index 0000000000..e69de29bb2 diff --git a/cmd/initialise/verify_settings.go b/cmd/initialise/verify_settings.go new file mode 100644 index 0000000000..75e811663f --- /dev/null +++ b/cmd/initialise/verify_settings.go @@ -0,0 +1,44 @@ +package initialise + +import ( + _ "embed" + "fmt" + + "github.com/spf13/cobra" + "github.com/spf13/viper" + "github.com/zitadel/logging" + + "github.com/zitadel/zitadel/internal/database" +) + +func newSettings() *cobra.Command { + return &cobra.Command{ + Use: "settings", + Short: "Ensures proper settings on the database", + Long: `Ensures proper settings on the database. + +Prerequisites: +- cockroachDB or postgreSQL + +Cockroach +- Sets enable_durable_locking_for_serializable to on for the zitadel user and database +`, + Run: func(cmd *cobra.Command, args []string) { + config := MustNewConfig(viper.GetViper()) + + err := initialise(config.Database, VerifySettings(config.Database.DatabaseName(), config.Database.Username())) + logging.OnError(err).Fatal("unable to set settings") + }, + } +} + +func VerifySettings(databaseName, username string) func(*database.DB) error { + return func(db *database.DB) error { + if db.Type() == "postgres" { + return nil + } + logging.WithFields("user", username, "database", databaseName).Info("verify settings") + + return exec(db, fmt.Sprintf(settingsStmt, databaseName, username), nil) + } +} diff --git a/cmd/setup/26.go b/cmd/setup/26.go new file mode 100644 index 0000000000..860198a75c --- /dev/null +++ b/cmd/setup/26.go @@ -0,0 +1,27 @@ +package setup + +import ( + "context" + _ "embed" + + "github.com/zitadel/zitadel/internal/database" + "github.com/zitadel/zitadel/internal/eventstore" +) + +var ( + //go:embed 26.sql + authUsers3 string +) + +type AuthUsers3 struct { + dbClient *database.DB +} + +func (mig *AuthUsers3) Execute(ctx context.Context, _ eventstore.Event) error { + _, err := mig.dbClient.ExecContext(ctx, authUsers3) + return err +} + +func (mig *AuthUsers3) String() string { + return "26_auth_users3" +} diff --git a/cmd/setup/26.sql b/cmd/setup/26.sql new file mode 100644 index 0000000000..fa709d667d --- /dev/null +++ b/cmd/setup/26.sql @@ -0,0 +1,16 @@ +CREATE TABLE IF NOT EXISTS auth.users3 ( + instance_id TEXT NOT NULL, + id TEXT NOT NULL, + resource_owner TEXT NOT NULL, + change_date TIMESTAMPTZ NULL, + password_set BOOL NULL, + password_change TIMESTAMPTZ NULL, + last_login TIMESTAMPTZ NULL, + init_required BOOL NULL, + mfa_init_skipped TIMESTAMPTZ NULL, + username_change_required BOOL NULL, + passwordless_init_required BOOL NULL, + password_init_required BOOL NULL, + + PRIMARY KEY (instance_id, id) +) diff --git a/cmd/setup/27.go b/cmd/setup/27.go new file mode 100644 index 0000000000..ee420ddfae --- /dev/null +++ b/cmd/setup/27.go @@ -0,0 +1,27 @@ +package setup + +import ( + "context" + _ "embed" + + "github.com/zitadel/zitadel/internal/database" + "github.com/zitadel/zitadel/internal/eventstore" +) + +var ( + //go:embed 27.sql + addSAMLNameIDFormat string +) + +type IDPTemplate6SAMLNameIDFormat struct { + dbClient *database.DB +} + +func (mig *IDPTemplate6SAMLNameIDFormat) Execute(ctx context.Context, _ eventstore.Event) error { + _, err := mig.dbClient.ExecContext(ctx, addSAMLNameIDFormat) + return err +} + +func (mig *IDPTemplate6SAMLNameIDFormat) String() string { + return "26_idp_templates6_add_saml_name_id_format" +} diff --git a/cmd/setup/27.sql b/cmd/setup/27.sql new file mode 100644 index 0000000000..0e0503b7f1 --- /dev/null +++ b/cmd/setup/27.sql @@ -0,0 +1,2 @@ +ALTER TABLE IF EXISTS projections.idp_templates6_saml ADD COLUMN IF NOT EXISTS name_id_format SMALLINT; +ALTER TABLE IF EXISTS projections.idp_templates6_saml ADD COLUMN IF NOT EXISTS transient_mapping_attribute_name TEXT; diff --git a/cmd/setup/config.go b/cmd/setup/config.go index bb96e9912b..1ba85804ab 100644 --- a/cmd/setup/config.go +++ b/cmd/setup/config.go @@ -108,6 +108,8 @@ type Steps struct { s23CorrectGlobalUniqueConstraints *CorrectGlobalUniqueConstraints s24AddActorToAuthTokens *AddActorToAuthTokens s25User11AddLowerFieldsToVerifiedEmail *User11AddLowerFieldsToVerifiedEmail + s26AuthUsers3 *AuthUsers3 + s27IDPTemplate6SAMLNameIDFormat *IDPTemplate6SAMLNameIDFormat } func MustNewSteps(v *viper.Viper) *Steps { diff --git a/cmd/setup/setup.go b/cmd/setup/setup.go index 693ec81e32..bb0111d5be 100644 --- a/cmd/setup/setup.go +++ b/cmd/setup/setup.go @@ -138,6 +138,8 @@ func Setup(config *Config, steps *Steps, masterKey string) { steps.s23CorrectGlobalUniqueConstraints = &CorrectGlobalUniqueConstraints{dbClient: esPusherDBClient} steps.s24AddActorToAuthTokens = &AddActorToAuthTokens{dbClient: queryDBClient} steps.s25User11AddLowerFieldsToVerifiedEmail = &User11AddLowerFieldsToVerifiedEmail{dbClient: esPusherDBClient} + steps.s26AuthUsers3 = &AuthUsers3{dbClient: esPusherDBClient} + steps.s27IDPTemplate6SAMLNameIDFormat = &IDPTemplate6SAMLNameIDFormat{dbClient: esPusherDBClient} err = projection.Create(ctx, projectionDBClient, eventstoreClient, config.Projections, nil, nil, nil) logging.OnError(err).Fatal("unable to start projections") @@ -175,6 +177,7 @@ func Setup(config *Config, steps *Steps, masterKey string) { steps.s22ActiveInstancesIndex, steps.s23CorrectGlobalUniqueConstraints, steps.s24AddActorToAuthTokens, + steps.s26AuthUsers3, } { mustExecuteMigration(ctx, eventstoreClient, step, "migration failed") } @@ -188,6 +191,7 @@ func Setup(config *Config, steps *Steps, masterKey string) { steps.s18AddLowerFieldsToLoginNames, steps.s21AddBlockFieldToLimits, steps.s25User11AddLowerFieldsToVerifiedEmail, + steps.s27IDPTemplate6SAMLNameIDFormat, } { mustExecuteMigration(ctx, eventstoreClient, step, "migration failed") } diff --git a/console/src/app/directives/scrollable/scrollable.directive.ts b/console/src/app/directives/scrollable/scrollable.directive.ts index 0ee83a6f8e..a8cda5fae6 100644 --- a/console/src/app/directives/scrollable/scrollable.directive.ts +++ b/console/src/app/directives/scrollable/scrollable.directive.ts @@ -1,6 +1,7 @@ import { Directive, ElementRef, EventEmitter, HostListener, Output } from '@angular/core'; @Directive({ + standalone: true, selector: '[cnslScrollable]', }) export class ScrollableDirective { @@ -15,7 +16,6 @@ export class ScrollableDirective { const top = event.target.scrollTop; const height = this.el.nativeElement.scrollHeight; const offset = this.el.nativeElement.offsetHeight; - // emit bottom event if (top > height - offset - 1) { this.scrollPosition.emit('bottom'); diff --git a/console/src/app/directives/scrollable/scrollable.module.ts b/console/src/app/directives/scrollable/scrollable.module.ts deleted file mode 100644 index 89bcbfabc1..0000000000 --- a/console/src/app/directives/scrollable/scrollable.module.ts +++ /dev/null @@ -1,11 +0,0 @@ -import { CommonModule } from '@angular/common'; -import { NgModule } from '@angular/core'; - -import { ScrollableDirective } from './scrollable.directive'; - -@NgModule({ - declarations: [ScrollableDirective], - imports: [CommonModule], - exports: [ScrollableDirective], -}) -export class ScrollableModule {} diff --git a/console/src/app/modules/changes/changes.module.ts b/console/src/app/modules/changes/changes.module.ts index 9c087e6383..c19500ffa9 100644 --- a/console/src/app/modules/changes/changes.module.ts +++ b/console/src/app/modules/changes/changes.module.ts @@ -6,7 +6,6 @@ import { MatIconModule } from '@angular/material/icon'; import { MatProgressSpinnerModule } from '@angular/material/progress-spinner'; import { MatTooltipModule } from '@angular/material/tooltip'; import { TranslateModule } from '@ngx-translate/core'; -import { ScrollableModule } from 'src/app/directives/scrollable/scrollable.module'; import { HasRolePipeModule } from 'src/app/pipes/has-role-pipe/has-role-pipe.module'; import { LocalizedDatePipeModule } from 'src/app/pipes/localized-date-pipe/localized-date-pipe.module'; import { TimestampToDatePipeModule } from 'src/app/pipes/timestamp-to-date-pipe/timestamp-to-date-pipe.module'; @@ -18,7 +17,6 @@ import { ChangesComponent } from './changes.component'; declarations: [ChangesComponent], imports: [ CommonModule, - ScrollableModule, MatProgressSpinnerModule, TranslateModule, MatIconModule, @@ -30,6 +28,6 @@ import { ChangesComponent } from './changes.component'; MatTooltipModule, AvatarModule, ], - exports: [ChangesComponent, ScrollableModule], + exports: [ChangesComponent], }) export class ChangesModule {} diff --git a/console/src/app/modules/footer/footer.component.html b/console/src/app/modules/footer/footer.component.html index fdf2924441..26d863d129 100644 --- a/console/src/app/modules/footer/footer.component.html +++ b/console/src/app/modules/footer/footer.component.html @@ -1,11 +1,11 @@
-
- +
+ {{ 'FOOTER.LINKS.TOS' | translate }} - + {{ 'FOOTER.LINKS.PP' | translate }} diff --git a/console/src/app/modules/footer/footer.component.ts b/console/src/app/modules/footer/footer.component.ts index f7d1a3a148..758917ea4b 100644 --- a/console/src/app/modules/footer/footer.component.ts +++ b/console/src/app/modules/footer/footer.component.ts @@ -8,16 +8,7 @@ import { faXTwitter } from '@fortawesome/free-brands-svg-icons'; templateUrl: './footer.component.html', styleUrls: ['./footer.component.scss'], }) -export class FooterComponent implements OnInit { - public policy?: PrivacyPolicy.AsObject; +export class FooterComponent { public faXTwitter = faXTwitter; constructor(public authService: GrpcAuthService) {} - - ngOnInit(): void { - this.authService.getMyPrivacyPolicy().then((policyResp) => { - if (policyResp.policy) { - this.policy = policyResp.policy; - } - }); - } } diff --git a/console/src/app/modules/header/header.component.html b/console/src/app/modules/header/header.component.html index c436cc4a28..a8c438ae4d 100644 --- a/console/src/app/modules/header/header.component.html +++ b/console/src/app/modules/header/header.component.html @@ -168,7 +168,11 @@ - + + {{ customLinkText }} + + + {{ 'MENU.DOCUMENTATION' | translate }} diff --git a/console/src/app/modules/header/header.component.scss b/console/src/app/modules/header/header.component.scss index 2b219cc0fa..04a9e53d2e 100644 --- a/console/src/app/modules/header/header.component.scss +++ b/console/src/app/modules/header/header.component.scss @@ -224,7 +224,8 @@ flex: 1; } - .doc-link { + .doc-link, + .custom-link { margin-right: 1rem; @media only screen and (max-width: 800px) { diff --git a/console/src/app/modules/header/header.component.ts b/console/src/app/modules/header/header.component.ts index 25463e0c52..720d40cb98 100644 --- a/console/src/app/modules/header/header.component.ts +++ b/console/src/app/modules/header/header.component.ts @@ -1,5 +1,5 @@ import { ConnectedPosition, ConnectionPositionPair } from '@angular/cdk/overlay'; -import { Component, ElementRef, EventEmitter, Input, OnDestroy, Output, ViewChild } from '@angular/core'; +import { Component, ElementRef, EventEmitter, Input, OnDestroy, OnInit, Output, ViewChild } from '@angular/core'; import { Router } from '@angular/router'; import { BehaviorSubject, Observable, of, Subject } from 'rxjs'; import { Org } from 'src/app/proto/generated/zitadel/org_pb'; @@ -8,8 +8,8 @@ import { AuthenticationService } from 'src/app/services/authentication.service'; import { BreadcrumbService, BreadcrumbType } from 'src/app/services/breadcrumb.service'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; import { ManagementService } from 'src/app/services/mgmt.service'; - import { ActionKeysType } from '../action-keys/action-keys.component'; +import { GetPrivacyPolicyResponse } from 'src/app/proto/generated/zitadel/management_pb'; @Component({ selector: 'cnsl-header', @@ -31,6 +31,9 @@ export class HeaderComponent implements OnDestroy { private destroy$: Subject = new Subject(); public BreadcrumbType: any = BreadcrumbType; public ActionKeysType: any = ActionKeysType; + public docsLink = 'https://zitadel.com/docs'; + public customLink = ''; + public customLinkText = ''; public positions: ConnectedPosition[] = [ new ConnectionPositionPair({ originX: 'start', originY: 'bottom' }, { overlayX: 'start', overlayY: 'top' }, 0, 10), @@ -47,7 +50,25 @@ export class HeaderComponent implements OnDestroy { public mgmtService: ManagementService, public breadcrumbService: BreadcrumbService, public router: Router, - ) {} + ) { + this.loadData(); + } + + public async loadData(): Promise { + const getData = (): Promise => { + return this.mgmtService.getPrivacyPolicy(); + }; + + getData() + .then((resp) => { + if (resp.policy) { + this.docsLink = resp.policy.docsLink; + this.customLink = resp.policy.customLink; + this.customLinkText = resp.policy.customLinkText; + } + }) + .catch(() => {}); + } public ngOnDestroy() { this.destroy$.next(); diff --git a/console/src/app/modules/org-context/org-context.component.html b/console/src/app/modules/org-context/org-context.component.html index dc1a0f1d64..154cb0dbd7 100644 --- a/console/src/app/modules/org-context/org-context.component.html +++ b/console/src/app/modules/org-context/org-context.component.html @@ -15,7 +15,7 @@ />
-
+
+
+ + + + {{ 'USER.PASSWORD.MAXLENGTHERROR' | translate: { value: 70 } }} ({{ password?.value?.length }}/{{ 70 }}) + +
diff --git a/console/src/app/modules/policies/privacy-policy/privacy-policy.component.html b/console/src/app/modules/policies/privacy-policy/privacy-policy.component.html index 41bfde9127..037d53389c 100644 --- a/console/src/app/modules/policies/privacy-policy/privacy-policy.component.html +++ b/console/src/app/modules/policies/privacy-policy/privacy-policy.component.html @@ -9,6 +9,7 @@ color="warn" (click)="resetDefault()" mat-stroked-button + data-e2e="reset-button" > {{ 'POLICY.RESET' | translate }} @@ -40,7 +41,23 @@ {{ 'POLICY.PRIVACY_POLICY.SUPPORTEMAIL' | translate }} - + + + + {{ 'POLICY.PRIVACY_POLICY.CUSTOMLINK' | translate }} + + + + + + {{ 'POLICY.PRIVACY_POLICY.CUSTOMLINKTEXT' | translate }} + + + + + {{ 'POLICY.PRIVACY_POLICY.DOCSLINK' | translate }} + +
@@ -53,6 +70,7 @@ color="primary" type="submit" mat-raised-button + data-e2e="save-button" > {{ 'ACTIONS.SAVE' | translate }} diff --git a/console/src/app/modules/policies/privacy-policy/privacy-policy.component.ts b/console/src/app/modules/policies/privacy-policy/privacy-policy.component.ts index 458c0b2728..53f7ab748f 100644 --- a/console/src/app/modules/policies/privacy-policy/privacy-policy.component.ts +++ b/console/src/app/modules/policies/privacy-policy/privacy-policy.component.ts @@ -61,6 +61,9 @@ export class PrivacyPolicyComponent implements OnInit, OnDestroy { privacyLink: ['', []], helpLink: ['', []], supportEmail: ['', []], + docsLink: ['', []], + customLink: ['', []], + customLinkText: ['', []], }); this.canWrite$.pipe(take(1)).subscribe((canWrite) => { @@ -107,6 +110,9 @@ export class PrivacyPolicyComponent implements OnInit, OnDestroy { privacyLink: '', helpLink: '', supportEmail: '', + docsLink: '', + customLink: '', + customLinkText: '', }); } }) @@ -117,6 +123,9 @@ export class PrivacyPolicyComponent implements OnInit, OnDestroy { privacyLink: '', helpLink: '', supportEmail: '', + docsLink: '', + customLink: '', + customLinkText: '', }); }); } @@ -129,11 +138,16 @@ export class PrivacyPolicyComponent implements OnInit, OnDestroy { req.setTosLink(this.form.get('tosLink')?.value); req.setHelpLink(this.form.get('helpLink')?.value); req.setSupportEmail(this.form.get('supportEmail')?.value); + req.setDocsLink(this.form.get('docsLink')?.value); + req.setCustomLink(this.form.get('customLink')?.value); + req.setCustomLinkText(this.form.get('customLinkText')?.value); (this.service as ManagementService) .addCustomPrivacyPolicy(req) .then(() => { this.toast.showInfo('POLICY.PRIVACY_POLICY.SAVED', true); this.loadData(); + // Reload console as links may have changed + this.reloadConsole(); }) .catch((error) => this.toast.showError(error)); } else { @@ -142,12 +156,17 @@ export class PrivacyPolicyComponent implements OnInit, OnDestroy { req.setTosLink(this.form.get('tosLink')?.value); req.setHelpLink(this.form.get('helpLink')?.value); req.setSupportEmail(this.form.get('supportEmail')?.value); + req.setDocsLink(this.form.get('docsLink')?.value); + req.setCustomLink(this.form.get('customLink')?.value); + req.setCustomLinkText(this.form.get('customLinkText')?.value); (this.service as ManagementService) .updateCustomPrivacyPolicy(req) .then(() => { this.toast.showInfo('POLICY.PRIVACY_POLICY.SAVED', true); this.loadData(); + // Reload console as links may have changed + this.reloadConsole(); }) .catch((error) => this.toast.showError(error)); } @@ -157,12 +176,17 @@ export class PrivacyPolicyComponent implements OnInit, OnDestroy { req.setTosLink(this.form.get('tosLink')?.value); req.setHelpLink(this.form.get('helpLink')?.value); req.setSupportEmail(this.form.get('supportEmail')?.value); + req.setDocsLink(this.form.get('docsLink')?.value); + req.setCustomLink(this.form.get('customLink')?.value); + req.setCustomLinkText(this.form.get('customLinkText')?.value); (this.service as AdminService) .updatePrivacyPolicy(req) .then(() => { this.toast.showInfo('POLICY.PRIVACY_POLICY.SAVED', true); this.loadData(); + // Reload console as links may have changed + this.reloadConsole(); }) .catch((error) => this.toast.showError(error)); } @@ -188,6 +212,7 @@ export class PrivacyPolicyComponent implements OnInit, OnDestroy { .then(() => { setTimeout(() => { this.loadData(); + window.location.reload(); }, 1000); }) .catch((error) => { @@ -209,4 +234,10 @@ export class PrivacyPolicyComponent implements OnInit, OnDestroy { return false; } } + + private reloadConsole(): void { + setTimeout(() => { + window.location.reload(); + }, 1000); + } } diff --git a/console/src/app/modules/provider-options/provider-options.component.scss b/console/src/app/modules/provider-options/provider-options.component.scss index 5363ea02da..a39f3d6c5f 100644 --- a/console/src/app/modules/provider-options/provider-options.component.scss +++ b/console/src/app/modules/provider-options/provider-options.component.scss @@ -1,7 +1,7 @@ .option-form { display: grid; grid-template-columns: 1fr; - max-width: 400px; + max-width: 500px; padding-bottom: 1rem; .checkbox-desc { diff --git a/console/src/app/modules/providers/provider-saml-sp/provider-saml-sp.component.html b/console/src/app/modules/providers/provider-saml-sp/provider-saml-sp.component.html index d8b5b89fdf..79bab0f3df 100644 --- a/console/src/app/modules/providers/provider-saml-sp/provider-saml-sp.component.html +++ b/console/src/app/modules/providers/provider-saml-sp/provider-saml-sp.component.html @@ -70,6 +70,28 @@
+
+ + {{ 'IDP.SAML.NAMEIDFORMAT' | translate }} + + {{ + nameIdFormat + }} + + + + +
+

{{ 'IDP.SAML.TRANSIENTMAPPINGATTRIBUTENAME_DESC' | translate }}

+
+ + + {{ 'IDP.SAML.TRANSIENTMAPPINGATTRIBUTENAME' | translate }} + + + +
+ = new BehaviorSubject(''); public justActivated$ = new BehaviorSubject(false); @@ -118,6 +125,8 @@ export class ProviderSamlSpComponent { metadataUrl: new UntypedFormControl('', []), binding: new UntypedFormControl(this.bindingValues[0], [requiredValidator]), withSignedRequest: new UntypedFormControl(true, [requiredValidator]), + nameIdFormat: new UntypedFormControl(SAMLNameIDFormat.SAML_NAME_ID_FORMAT_PERSISTENT, []), + transientMappingAttributeName: new UntypedFormControl('', []), }, atLeastOneIsFilled('metadataXml', 'metadataUrl'), ); @@ -196,8 +205,12 @@ export class ProviderSamlSpComponent { req.setWithSignedRequest(this.withSignedRequest?.value); // @ts-ignore req.setBinding(SAMLBinding[this.binding?.value]); + // @ts-ignore + req.setNameIdFormat(SAMLNameIDFormat[this.nameIDFormat?.value]); + req.setTransientMappingAttributeName(this.transientMapping?.value); req.setProviderOptions(this.options); + console.log(req); this.loading = true; this.service .updateSAMLProvider(req) @@ -229,6 +242,11 @@ export class ProviderSamlSpComponent { // @ts-ignore req.setBinding(SAMLBinding[this.binding?.value]); req.setWithSignedRequest(this.withSignedRequest?.value); + if (this.nameIDFormat) { + // @ts-ignore + req.setNameIdFormat(SAMLNameIDFormat[this.nameIDFormat.value]); + } + req.setTransientMappingAttributeName(this.transientMapping?.value); this.loading = true; this.service .addSAMLProvider(req) @@ -279,6 +297,14 @@ export class ProviderSamlSpComponent { return false; } + compareNameIDFormat(value: string, index: number) { + console.log(value, index); + if (value) { + return value === Object.keys(SAMLNameIDFormat)[index]; + } + return false; + } + private get name(): AbstractControl | null { return this.form.get('name'); } @@ -298,4 +324,12 @@ export class ProviderSamlSpComponent { private get withSignedRequest(): AbstractControl | null { return this.form.get('withSignedRequest'); } + + private get nameIDFormat(): AbstractControl | null { + return this.form.get('nameIdFormat'); + } + + private get transientMapping(): AbstractControl | null { + return this.form.get('transientMappingAttributeName'); + } } diff --git a/console/src/app/modules/providers/providers.scss b/console/src/app/modules/providers/providers.scss index ba96f6c301..85584b956a 100644 --- a/console/src/app/modules/providers/providers.scss +++ b/console/src/app/modules/providers/providers.scss @@ -50,7 +50,7 @@ .formfield { display: block; - max-width: 400px; + max-width: 500px; &.pwd { display: none; @@ -132,7 +132,7 @@ } .string-list-component-wrapper { - max-width: 400px; + max-width: 500px; } .identity-provider-content { @@ -144,7 +144,7 @@ } .identity-provider-2-col { - max-width: 400px; + max-width: 500px; display: grid; grid-template-columns: 1fr 1fr; column-gap: 1rem; @@ -160,7 +160,7 @@ .flex-line { display: flex; align-items: flex-start; - max-width: 400px; + max-width: 500px; .formfield { flex: 1; diff --git a/console/src/app/modules/settings-grid/settinglinks.ts b/console/src/app/modules/settings-grid/settinglinks.ts index 726677ea73..7f967f865d 100644 --- a/console/src/app/modules/settings-grid/settinglinks.ts +++ b/console/src/app/modules/settings-grid/settinglinks.ts @@ -36,7 +36,7 @@ export const APPEARANCE_GROUP: SettingLinks = { }; export const PRIVACY_POLICY: SettingLinks = { - i18nTitle: 'SETTINGS.LIST.PRIVACYPOLICY', + i18nTitle: 'DESCRIPTIONS.SETTINGS.PRIVACY_POLICY.TITLE', i18nDesc: 'POLICY.PRIVACY_POLICY.DESCRIPTION', iamRouterLink: ['/settings'], orgRouterLink: ['/org-settings'], diff --git a/console/src/app/modules/settings-list/settings.ts b/console/src/app/modules/settings-list/settings.ts index a945a8c7c7..2b24d84e24 100644 --- a/console/src/app/modules/settings-list/settings.ts +++ b/console/src/app/modules/settings-list/settings.ts @@ -187,7 +187,7 @@ export const LOGINTEXTS: SidenavSetting = { export const PRIVACYPOLICY: SidenavSetting = { id: 'privacypolicy', - i18nKey: 'SETTINGS.LIST.PRIVACYPOLICY', + i18nKey: 'DESCRIPTIONS.SETTINGS.PRIVACY_POLICY.TITLE', groupI18nKey: 'SETTINGS.GROUPS.OTHER', requiredRoles: { [PolicyComponentServiceType.MGMT]: ['policy.read'], diff --git a/console/src/app/modules/smtp-provider/smtp-provider.component.html b/console/src/app/modules/smtp-provider/smtp-provider.component.html index b7ae8d8c63..80d90df499 100644 --- a/console/src/app/modules/smtp-provider/smtp-provider.component.html +++ b/console/src/app/modules/smtp-provider/smtp-provider.component.html @@ -2,7 +2,7 @@ title="{{ id ? ('SMTP.DETAIL.TITLE' | translate) : ('SMTP.CREATE.STEPS.TITLE' | translate: { value: providerDefaultSetting.name }) }}" - [createSteps]="2" + [createSteps]="3" [currentCreateStep]="currentCreateStep" (closed)="close()" > @@ -133,7 +133,7 @@ class="create-button" color="primary" data-e2e="create-button" - (click)="savePolicy()" + (click)="savePolicy(stepper)" [disabled]=" firstFormGroup.invalid || secondFormGroup.invalid || (['iam.policy.write'] | hasRole | async) === false " @@ -143,6 +143,82 @@
+ +
+ {{ 'SMTP.CREATE.STEPS.NEXT_STEPS' | translate }} + +
+
+

{{ 'SMTP.CREATE.STEPS.ACTIVATE.TITLE' | translate }}

+ +
+
+ +
+
+

{{ 'SMTP.CREATE.STEPS.ACTIVATE.DESCRIPTION' | translate }}

+ + + +
+
+

{{ 'SMTP.CREATE.STEPS.DEACTIVATE.TITLE' | translate }}

+ +
+
+ +
+
+

{{ 'SMTP.CREATE.STEPS.DEACTIVATE.DESCRIPTION' | translate }}

+ + +
+ + +
+
+ + check diff --git a/console/src/app/modules/smtp-provider/smtp-provider.component.ts b/console/src/app/modules/smtp-provider/smtp-provider.component.ts index 5a60e2e1a4..439ec60339 100644 --- a/console/src/app/modules/smtp-provider/smtp-provider.component.ts +++ b/console/src/app/modules/smtp-provider/smtp-provider.component.ts @@ -31,6 +31,8 @@ import { OutlookDefaultSettings, SendgridDefaultSettings, } from './known-smtp-providers-settings'; +import { MatStepper } from '@angular/material/stepper'; +import { SMTPConfigState } from 'src/app/proto/generated/zitadel/settings_pb'; @Component({ selector: 'cnsl-smtp-provider', @@ -48,7 +50,7 @@ export class SMTPProviderComponent { public smtpLoading: boolean = false; public hasSMTPConfig: boolean = false; - + public isActive: boolean = false; public updateClientSecret: boolean = false; // stepper @@ -166,6 +168,7 @@ export class SMTPProviderComponent { .then((data) => { this.smtpLoading = false; if (data.smtpConfig) { + this.isActive = data.smtpConfig.state === SMTPConfigState.SMTP_CONFIG_ACTIVE; this.hasSMTPConfig = true; this.firstFormGroup.patchValue({ ['description']: data.smtpConfig.description, @@ -188,7 +191,7 @@ export class SMTPProviderComponent { }); } - private updateData(): Promise { + private updateData(): Promise { if (this.hasSMTPConfig) { const req = new UpdateSMTPConfigRequest(); req.setId(this.id); @@ -228,19 +231,49 @@ export class SMTPProviderComponent { } } - public savePolicy(): void { - this.updateData() + public activateSMTPConfig() { + this.service + .activateSMTPConfig(this.id) .then(() => { + this.toast.showInfo('SMTP.LIST.DIALOG.ACTIVATED', true); + this.isActive = true; + }) + .catch((error) => { + this.toast.showError(error); + }); + } + + public deactivateSMTPConfig() { + this.service + .deactivateSMTPConfig(this.id) + .then(() => { + this.toast.showInfo('SMTP.LIST.DIALOG.DEACTIVATED', true); + this.isActive = false; + }) + .catch((error) => { + this.toast.showError(error); + }); + } + + public savePolicy(stepper: MatStepper): void { + this.updateData() + .then((resp) => { + if (!this.id) { + // This is a new SMTP provider let's get the ID from the addSMTPConfig response + let createResponse = resp as AddSMTPConfigResponse.AsObject; + this.id = createResponse.id; + } + this.toast.showInfo('SETTING.SMTP.SAVED', true); setTimeout(() => { - this.close(); + stepper.next(); }, 2000); }) .catch((error: unknown) => { if (`${error}`.includes('No changes')) { this.toast.showInfo('SETTING.SMTP.NOCHANGES', true); setTimeout(() => { - this.close(); + stepper.next(); }, 2000); } else { this.toast.showError(error); diff --git a/console/src/app/modules/smtp-provider/smtp-provider.scss b/console/src/app/modules/smtp-provider/smtp-provider.scss index 06fdcefe6e..2bb7bca332 100644 --- a/console/src/app/modules/smtp-provider/smtp-provider.scss +++ b/console/src/app/modules/smtp-provider/smtp-provider.scss @@ -68,4 +68,32 @@ font-size: 14px; } } + + .title-row { + display: flex; + flex-direction: row; + justify-content: space-between; + align-items: center; + + .left { + display: flex; + flex-direction: row; + justify-content: space-between; + align-items: center; + } + + .right { + flex-shrink: 0; + } + + .title { + margin: 1.2rem 0; + } + + .next-icon { + font-size: 1.2rem; + height: 1.2rem; + width: 1.2rem; + } + } } diff --git a/console/src/app/services/authentication.service.ts b/console/src/app/services/authentication.service.ts index 314b9edb7e..3ee3024e40 100644 --- a/console/src/app/services/authentication.service.ts +++ b/console/src/app/services/authentication.service.ts @@ -35,6 +35,10 @@ export class AuthenticationService { return from(this.oauthService.loadUserProfile()); } + public getIdToken(): string { + return this.oauthService.getIdToken(); + } + public async authenticate(partialConfig?: Partial, force: boolean = false): Promise { if (partialConfig) { Object.assign(this.authConfig, partialConfig); diff --git a/console/src/app/services/grpc-auth.service.ts b/console/src/app/services/grpc-auth.service.ts index 987721180f..f6e48f694d 100644 --- a/console/src/app/services/grpc-auth.service.ts +++ b/console/src/app/services/grpc-auth.service.ts @@ -27,7 +27,6 @@ import { GetMyPhoneRequest, GetMyPhoneResponse, GetMyPrivacyPolicyRequest, - GetMyPrivacyPolicyResponse, GetMyProfileRequest, GetMyProfileResponse, GetMyUserRequest, @@ -99,11 +98,10 @@ import { ChangeQuery } from '../proto/generated/zitadel/change_pb'; import { MetadataQuery } from '../proto/generated/zitadel/metadata_pb'; import { ListQuery } from '../proto/generated/zitadel/object_pb'; import { Org, OrgFieldName, OrgQuery } from '../proto/generated/zitadel/org_pb'; -import { LabelPolicy } from '../proto/generated/zitadel/policy_pb'; +import { LabelPolicy, PrivacyPolicy } from '../proto/generated/zitadel/policy_pb'; import { Gender, MembershipQuery, User, WebAuthNVerification } from '../proto/generated/zitadel/user_pb'; import { GrpcService } from './grpc.service'; import { StorageKey, StorageLocation, StorageService } from './storage.service'; -import { ThemeService } from './theme.service'; @Injectable({ providedIn: 'root', @@ -137,11 +135,18 @@ export class GrpcAuthService { >(undefined); labelPolicyLoading$: BehaviorSubject = new BehaviorSubject(true); + public privacypolicy$!: Observable; + public privacypolicy: BehaviorSubject = new BehaviorSubject< + PrivacyPolicy.AsObject | undefined + >(undefined); + privacyPolicyLoading$: BehaviorSubject = new BehaviorSubject(true); + public zitadelPermissions: BehaviorSubject = new BehaviorSubject([]); public readonly fetchedZitadelPermissions: BehaviorSubject = new BehaviorSubject(false); public cachedOrgs: BehaviorSubject = new BehaviorSubject([]); private cachedLabelPolicies: { [orgId: string]: LabelPolicy.AsObject } = {}; + private cachedPrivacyPolicies: { [orgId: string]: PrivacyPolicy.AsObject } = {}; constructor( private readonly grpcService: GrpcService, @@ -169,6 +174,25 @@ export class GrpcAuthService { }, }); + this.privacypolicy$ = this.activeOrgChanged.pipe( + switchMap((org) => { + this.privacyPolicyLoading$.next(true); + return from(this.getMyPrivacyPolicy(org ? org.id : '')); + }), + filter((policy) => !!policy), + ); + + this.privacypolicy$.subscribe({ + next: (policy) => { + this.privacypolicy.next(policy); + this.privacyPolicyLoading$.next(false); + }, + error: (error) => { + console.error(error); + this.privacyPolicyLoading$.next(false); + }, + }); + this.user = forkJoin([ of(this.oauthService.getAccessToken()), this.oauthService.events.pipe( @@ -394,9 +418,12 @@ export class GrpcAuthService { if (queryList) { req.setQueriesList(queryList); } - // if (sortingColumn) { - // req.setSortingColumn(sortingColumn); - // } + if (sortingDirection) { + query.setAsc(sortingDirection === 'asc'); + } + if (sortingColumn) { + req.setSortingColumn(sortingColumn); + } req.setQuery(query); @@ -697,7 +724,23 @@ export class GrpcAuthService { } } - public getMyPrivacyPolicy(): Promise { - return this.grpcService.auth.getMyPrivacyPolicy(new GetMyPrivacyPolicyRequest(), null).then((resp) => resp.toObject()); + public getMyPrivacyPolicy(orgIdForCache?: string): Promise { + if (orgIdForCache && this.cachedPrivacyPolicies[orgIdForCache]) { + return Promise.resolve(this.cachedPrivacyPolicies[orgIdForCache]); + } else { + return this.grpcService.auth + .getMyPrivacyPolicy(new GetMyPrivacyPolicyRequest(), null) + .then((resp) => resp.toObject()) + .then((resp) => { + if (resp.policy) { + if (orgIdForCache) { + this.cachedPrivacyPolicies[orgIdForCache] = resp.policy; + } + return Promise.resolve(resp.policy); + } else { + return Promise.reject(); + } + }); + } } } diff --git a/console/src/app/services/grpc.service.ts b/console/src/app/services/grpc.service.ts index 8a87f95ef0..5c4c0fd510 100644 --- a/console/src/app/services/grpc.service.ts +++ b/console/src/app/services/grpc.service.ts @@ -18,6 +18,7 @@ import { I18nInterceptor } from './interceptors/i18n.interceptor'; import { OrgInterceptor } from './interceptors/org.interceptor'; import { StorageService } from './storage.service'; import { FeatureServiceClient } from '../proto/generated/zitadel/feature/v2beta/Feature_serviceServiceClientPb'; +import { GrpcAuthService } from './grpc-auth.service'; @Injectable({ providedIn: 'root', diff --git a/console/src/app/services/interceptors/auth.interceptor.ts b/console/src/app/services/interceptors/auth.interceptor.ts index d21bb5cdaa..4ccdc768c7 100644 --- a/console/src/app/services/interceptors/auth.interceptor.ts +++ b/console/src/app/services/interceptors/auth.interceptor.ts @@ -2,11 +2,13 @@ import { Injectable } from '@angular/core'; import { MatDialog } from '@angular/material/dialog'; import { Request, UnaryInterceptor, UnaryResponse } from 'grpc-web'; import { Subject } from 'rxjs'; -import { debounceTime, filter, first, take } from 'rxjs/operators'; +import { debounceTime, filter, first, map, take, tap } from 'rxjs/operators'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; import { AuthenticationService } from '../authentication.service'; import { StorageService } from '../storage.service'; +import { AuthConfig } from 'angular-oauth2-oidc'; +import { GrpcAuthService } from '../grpc-auth.service'; const authorizationKey = 'Authorization'; const bearerPrefix = 'Bearer'; @@ -44,7 +46,7 @@ export class AuthInterceptor implements UnaryIn return response; }) .catch(async (error: any) => { - if (error.code === 16) { + if (error.code === 16 || (error.code === 7 && error.message === 'mfa required (AUTHZ-Kl3p0)')) { this.triggerDialog.next(true); } return Promise.reject(error); @@ -67,7 +69,13 @@ export class AuthInterceptor implements UnaryIn .pipe(take(1)) .subscribe((resp) => { if (resp) { - this.authenticationService.authenticate(undefined, true); + const idToken = this.authenticationService.getIdToken(); + const configWithPrompt: Partial = { + customQueryParams: { + id_token_hint: idToken, + }, + }; + this.authenticationService.authenticate(configWithPrompt, true); } }); } diff --git a/console/src/assets/i18n/bg.json b/console/src/assets/i18n/bg.json index 2dd9ab1a5e..4a1131920a 100644 --- a/console/src/assets/i18n/bg.json +++ b/console/src/assets/i18n/bg.json @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "Външни връзки", - "DESCRIPTION": "Насочете вашите потребители към персонализирани външни ресурси, показани на страницата за вход. Потребителите трябва да приемат Условията за ползване и Политиката за поверителност, преди да могат да се регистрират." + "DESCRIPTION": "Насочете потребителите си към персонализирани външни ресурси, показани на страницата за вход. Потребителите трябва да приемат Общите условия и Политиката за поверителност, преди да могат да се регистрират. Променете връзката към вашата документация или задайте празен низ, за ​​да скриете бутона за документация от конзолата. Добавете персонализирана външна връзка и персонализиран текст за тази връзка в конзолата или ги оставете празни, за да скриете този бутон." }, "SMTP_PROVIDER": { "TITLE": "Настройки на SMTP", @@ -588,6 +588,7 @@ "INVALID_FORMAT": "Форматирането е невалидно.", "NOTANEMAIL": "Дадената стойност не е имейл адрес.", "MINLENGTH": "Трябва да е поне {{requiredLength}} знака дълги.", + "MAXLENGTH": "Трябва да е по-малко от {{requiredLength}} символа", "UPPERCASEMISSING": "Трябва да включва главна буква.", "LOWERCASEMISSING": "Трябва да включва малка буква.", "SYMBOLERROR": "Трябва да включва символ или препинателен знак.", @@ -873,7 +874,8 @@ "SET": "Задайте нова парола", "RESENDNOTIFICATION": "Изпратете връзка за повторно задаване на парола", "REQUIRED": "Някои задължителни полета липсват.", - "MINLENGTHERROR": "Трябва да бъде поне {{value}} знака дълги." + "MINLENGTHERROR": "Трябва да бъде поне {{value}} знака дълги.", + "MAXLENGTHERROR": "Трябва да съдържа по-малко от {{value}} знака." }, "ID": "документ за самоличност", "EMAIL": "Електронна поща", @@ -1564,6 +1566,9 @@ "POLICYLINK": "Връзка към Политика за поверителност", "HELPLINK": "Връзка към Помощ", "SUPPORTEMAIL": "Имейл за поддръжка", + "DOCSLINK": "Връзка към документи (Console)", + "CUSTOMLINK": "Персонализирана връзка (Console)", + "CUSTOMLINKTEXT": "Персонализиран текст на връзката (Console)", "SAVED": "Запазено успешно!", "RESET_TITLE": "Възстановяване на стойностите по подразбиране", "RESET_DESCRIPTION": "На път сте да възстановите връзките по подразбиране за TOS и Политика за поверителност. " @@ -2215,7 +2220,7 @@ "SMTP": { "LIST": { "TITLE": "SMTP доставчик", - "DESCRIPTION": "Това са SMTP доставчиците за вашето копие на Zitadel. Активирайте този, който искате да използвате, за да изпращате известия до вашите потребители.", + "DESCRIPTION": "Това са SMTP доставчиците за вашето копие на ZITADEL. Активирайте този, който искате да използвате, за да изпращате известия до вашите потребители.", "EMPTY": "Няма наличен SMTP доставчик", "ACTIVATED": "Активиран", "ACTIVATE": "Активирайте доставчика", @@ -2243,7 +2248,16 @@ "CURRENT_DESC_TITLE": "Това са вашите SMTP настройки", "PROVIDER_SETTINGS": "Настройки на SMTP доставчик", "SENDER_SETTINGS": "Настройки на изпращача", - "TEST_SETTINGS": "Тествайте настройките на SMTP" + "TEST_SETTINGS": "Тествайте настройките на SMTP", + "NEXT_STEPS": "Следващи стъпки", + "ACTIVATE": { + "TITLE": "Активирайте вашия SMTP доставчик", + "DESCRIPTION": "ZITADEL не може да използва този SMTP доставчик за изпращане на известия, докато не го активирате. Ако активирате този доставчик, всеки друг доставчик, който е бил активен, сега ще бъде деактивиран." + }, + "DEACTIVATE": { + "TITLE": "Деактивирайте вашия SMTP доставчик", + "DESCRIPTION": "Ако деактивирате този SMTP доставчик, ZITADEL не може да го използва за изпращане на известия, докато не го активирате отново." + } } }, "DETAIL": { diff --git a/console/src/assets/i18n/cs.json b/console/src/assets/i18n/cs.json index dbbd7ee2e9..f7b098c098 100644 --- a/console/src/assets/i18n/cs.json +++ b/console/src/assets/i18n/cs.json @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "Externí odkazy", - "DESCRIPTION": "Navede vaše uživatele k vlastním externím zdrojům zobrazeným na přihlašovací stránce. Uživatelé musí přijmout Podmínky služby a Zásady ochrany osobních údajů, než se mohou zaregistrovat." + "DESCRIPTION": "Naveďte své uživatele k vlastním externím zdrojům zobrazeným na přihlašovací stránce. Než se uživatelé mohou zaregistrovat, musí přijmout podmínky služby a zásady ochrany osobních údajů. Změňte odkaz na dokumentaci nebo nastavte prázdný řetězec, abyste skryli tlačítko dokumentace z konzoly. Přidejte vlastní externí odkaz a vlastní text pro tento odkaz v konzole nebo je nastavte na prázdné, abyste toto tlačítko skryli." }, "SMTP_PROVIDER": { "TITLE": "Nastavení SMTP", @@ -595,6 +595,7 @@ "INVALID_FORMAT": "Formát je neplatný.", "NOTANEMAIL": "Zadaná hodnota není e-mailová adresa.", "MINLENGTH": "Musí být dlouhé alespoň {{requiredLength}} znaků.", + "MAXLENGTH": "Musí být kratší než {{requiredLength}} znaků", "UPPERCASEMISSING": "Musí obsahovat velké písmeno.", "LOWERCASEMISSING": "Musí obsahovat malé písmeno.", "SYMBOLERROR": "Musí obsahovat symbol nebo interpunkční znaménko.", @@ -880,7 +881,8 @@ "SET": "Nastavit nové heslo", "RESENDNOTIFICATION": "Odeslat odkaz pro reset hesla", "REQUIRED": "Některá povinná pole nejsou vyplněna.", - "MINLENGTHERROR": "Musí být alespoň {{value}} znaků dlouhé." + "MINLENGTHERROR": "Musí být alespoň {{value}} znaků dlouhé.", + "MAXLENGTHERROR": "Musí být kratší než {{value}} znaků." }, "ID": "ID", "EMAIL": "E-mail", @@ -1571,6 +1573,9 @@ "POLICYLINK": "Odkaz na Zásady ochrany osobních údajů", "HELPLINK": "Odkaz na pomoc", "SUPPORTEMAIL": "E-mailová podpora", + "DOCSLINK": "Odkaz na Dokumenty (Console)", + "CUSTOMLINK": "Vlastní odkaz (Console)", + "CUSTOMLINKTEXT": "Text vlastního odkazu (Console)", "SAVED": "Úspěšně uloženo!", "RESET_TITLE": "Obnovit výchozí hodnoty", "RESET_DESCRIPTION": "Chystáte se obnovit výchozí odkazy pro Podmínky služby a Zásady ochrany osobních údajů. Opravdu chcete pokračovat?" @@ -2234,7 +2239,7 @@ "SMTP": { "LIST": { "TITLE": "Poskytovatel SMTP", - "DESCRIPTION": "Toto jsou poskytovatelé SMTP pro vaši instanci Zitadel. Aktivujte ten, který chcete používat k odesílání upozornění svým uživatelům.", + "DESCRIPTION": "Toto jsou poskytovatelé SMTP pro vaši instanci ZITADEL. Aktivujte ten, který chcete používat k odesílání upozornění svým uživatelům.", "EMPTY": "Není k dispozici žádný poskytovatel SMTP", "ACTIVATED": "Aktivováno", "ACTIVATE": "Aktivujte poskytovatele", @@ -2262,7 +2267,16 @@ "CURRENT_DESC_TITLE": "Toto jsou vaše nastavení SMTP", "PROVIDER_SETTINGS": "Nastavení poskytovatele SMTP", "SENDER_SETTINGS": "Nastavení odesílatele", - "TEST_SETTINGS": "Otestujte nastavení SMTP" + "TEST_SETTINGS": "Otestujte nastavení SMTP", + "NEXT_STEPS": "Další kroky", + "ACTIVATE": { + "TITLE": "Aktivujte svého poskytovatele SMTP", + "DESCRIPTION": "ZITADEL nemůže používat tohoto poskytovatele SMTP k odesílání upozornění, dokud jej neaktivujete. Pokud aktivujete tohoto poskytovatele, jakýkoli jiný aktivní poskytovatel bude nyní deaktivován." + }, + "DEACTIVATE": { + "TITLE": "Deaktivujte svého poskytovatele SMTP", + "DESCRIPTION": "Pokud deaktivujete tohoto poskytovatele SMTP, ZITADEL jej nebude moci používat k odesílání upozornění, dokud jej znovu neaktivujete." + } } }, "DETAIL": { diff --git a/console/src/assets/i18n/de.json b/console/src/assets/i18n/de.json index 97002aad5e..4c595773c4 100644 --- a/console/src/assets/i18n/de.json +++ b/console/src/assets/i18n/de.json @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "Externe Links", - "DESCRIPTION": "Leite deine Benutzer zu benutzerdefinierten externen Ressourcen, die auf der Anmeldeseite angezeigt werden. Benutzer müssen die Allgemeinen Geschäftsbedingungen und die Datenschutzrichtlinie akzeptieren, bevor sie sich anmelden können." + "DESCRIPTION": "Leiten Sie Ihre Benutzer zu benutzerdefinierten externen Ressourcen, die auf der Anmeldeseite angezeigt werden. Benutzer müssen die Nutzungsbedingungen und Datenschutzrichtlinien akzeptieren, bevor sie sich anmelden können. Ändern Sie den Link zu Ihrer Dokumentation oder legen Sie eine leere Zeichenfolge fest, um die Dokumentationsschaltfläche in der Konsole auszublenden. Fügen Sie in der Konsole einen benutzerdefinierten externen Link und einen benutzerdefinierten Text für diesen Link hinzu oder setzen Sie sie leer, um diese Schaltfläche auszublenden." }, "SMTP_PROVIDER": { "TITLE": "SMTP-Einstellungen", @@ -594,6 +594,7 @@ "INVALID_FORMAT": "Das Format is ungültig.", "NOTANEMAIL": "Der eingegebene Wert ist keine E-Mail Adresse.", "MINLENGTH": "Muss mindestens {{requiredLength}} Zeichen lang sein.", + "MAXLENGTH": "Muss weniger als {{requiredLength}} Zeichen enthalten", "UPPERCASEMISSING": "Muss einen Grossbuchstaben beinhalten.", "LOWERCASEMISSING": "Muss einen Kleinbuchstaben beinhalten.", "SYMBOLERROR": "Muss ein Symbol/Satzzeichen beinhalten.", @@ -879,7 +880,8 @@ "SET": "Passwort neu setzen", "RESENDNOTIFICATION": "Email zum Zurücksetzen senden", "REQUIRED": "Bitte prüfe, dass alle notwendigen Felder ausgefüllt sind.", - "MINLENGTHERROR": "Muss mindestens {{value}} Zeichen lang sein." + "MINLENGTHERROR": "Muss mindestens {{value}} Zeichen lang sein.", + "MAXLENGTHERROR": "Muss weniger als {{value}} Zeichen umfassen." }, "ID": "ID", "EMAIL": "E-Mail", @@ -1570,6 +1572,9 @@ "POLICYLINK": "Link zur den Datenschutzrichtlinien", "HELPLINK": "Link zur Hilfestellung", "SUPPORTEMAIL": "Support E-Mail", + "DOCSLINK": "Link zu Dokumenten (Console)", + "CUSTOMLINK": "Benutzerdefinierter Link (Console)", + "CUSTOMLINKTEXT": "Benutzerdefinierter Linktext (Console)", "SAVED": "Saved successfully!", "RESET_TITLE": "Standardwerte wiederherstellen", "RESET_DESCRIPTION": "Sie sind im Begriff die Standardlinks für die AGBs und Datenschutzrichtlinie wiederherzustellen. Wollen Sie fortfahren?" @@ -2224,7 +2229,7 @@ "SMTP": { "LIST": { "TITLE": "SMTP-Anbieter", - "DESCRIPTION": "Dies sind die SMTP-Anbieter für Ihre Zitadel-Instanz. Aktivieren Sie diejenige, die Sie zum Senden von Benachrichtigungen an Ihre Benutzer verwenden möchten.", + "DESCRIPTION": "Dies sind die SMTP-Anbieter für Ihre ZITADEL-Instanz. Aktivieren Sie diejenige, die Sie zum Senden von Benachrichtigungen an Ihre Benutzer verwenden möchten.", "EMPTY": "Kein SMTP-Anbieter verfügbar", "ACTIVATED": "Aktiviert", "ACTIVATE": "Anbieter aktivieren", @@ -2252,7 +2257,16 @@ "CURRENT_DESC_TITLE": "Dies sind Ihre SMTP-Einstellungen", "PROVIDER_SETTINGS": "SMTP-Anbietereinstellungen", "SENDER_SETTINGS": "Absendereinstellungen", - "TEST_SETTINGS": "Testen Sie die SMTP-Einstellungen" + "TEST_SETTINGS": "Testen Sie die SMTP-Einstellungen", + "NEXT_STEPS": "Nächste Schritte", + "ACTIVATE": { + "TITLE": "Aktivieren Sie Ihren SMTP-Anbieter", + "DESCRIPTION": "ZITADEL kann diesen SMTP-Anbieter nicht zum Senden von Benachrichtigungen verwenden, bis Sie ihn aktivieren. Wenn Sie diesen Anbieter aktivieren, werden alle anderen aktiven Anbieter nun deaktiviert." + }, + "DEACTIVATE": { + "TITLE": "Deaktivieren Sie Ihren SMTP-Anbieter", + "DESCRIPTION": "Wenn Sie diesen SMTP-Anbieter deaktivieren, kann ZITADEL ihn nicht zum Versenden von Benachrichtigungen verwenden, bis Sie ihn erneut aktivieren." + } } }, "DETAIL": { diff --git a/console/src/assets/i18n/en.json b/console/src/assets/i18n/en.json index 370effeb71..8a50cae2cf 100644 --- a/console/src/assets/i18n/en.json +++ b/console/src/assets/i18n/en.json @@ -54,7 +54,7 @@ }, "MACHINES": { "TITLE": "Service Users", - "DESCRIPTION": "Les utilisateurs du service s'authentifient de manière non interactive à l'aide d'un jeton de porteur JWT signé avec une clé privée. Ils peuvent également utiliser un jeton d'accès personnel.", + "DESCRIPTION": "Service Users authenticate non-interactively using a JWT bearer token signed with a private key. They can also use a personal access token.", "METADATA": "Add custom attributes to the user like the authenticating system. You can use this information in your actions." }, "SELF": { @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "External Links", - "DESCRIPTION": "Guide your users to custom external resources shown on the login page. Users need to accept the Terms of Service and Privacy Policy before they can sign up." + "DESCRIPTION": "Guide your users to custom external resources shown on the login page. Users need to accept the Terms of Service and Privacy Policy before they can sign up. Change the link to your documentation or set an empty string to hide the documentation button from the console. Add a custom external link and a custom text for that link in the console, or set them empty to hide that button." }, "SMTP_PROVIDER": { "TITLE": "SMTP Settings", @@ -595,8 +595,9 @@ "INVALID_FORMAT": "The formatting is invalid.", "NOTANEMAIL": "The given value is not an e-mail address.", "MINLENGTH": "Must be at least {{requiredLength}} characters long.", - "UPPERCASEMISSING": "Must include an uppercase character.", - "LOWERCASEMISSING": "Must include a lowercase character.", + "MAXLENGTH": "Must be less than {{requiredLength}} characters.", + "UPPERCASEMISSING": "Must include an uppercase letter.", + "LOWERCASEMISSING": "Must include a lowercase letter.", "SYMBOLERROR": "Must include a symbol or punctuation mark.", "NUMBERERROR": "Must include a digit.", "PWNOTEQUAL": "The passwords provided do not match.", @@ -880,7 +881,8 @@ "SET": "Set New Password", "RESENDNOTIFICATION": "Send Password Reset Link", "REQUIRED": "Some required fields are missing.", - "MINLENGTHERROR": "Has to be at least {{value}} characters long." + "MINLENGTHERROR": "Must be at least {{value}} characters long.", + "MAXLENGTHERROR": "Must be less than {{value}} characters." }, "ID": "ID", "EMAIL": "E-mail", @@ -1335,7 +1337,7 @@ "DOMAIN": "Domain settings", "LOGINTEXTS": "Login Interface Texts", "BRANDING": "Branding", - "PRIVACYPOLICY": "Privacy Policy", + "PRIVACYPOLICY": "External links", "OIDC": "OIDC Token lifetime and expiration", "SECRETS": "Secret Generator", "SECURITY": "Security settings", @@ -1571,6 +1573,9 @@ "POLICYLINK": "Link to Privacy Policy", "HELPLINK": "Link to Help", "SUPPORTEMAIL": "Support Email", + "DOCSLINK": "Docs Link (Console)", + "CUSTOMLINK": "Custom Link (Console)", + "CUSTOMLINKTEXT": "Custom Link Text (Console)", "SAVED": "Saved successfully!", "RESET_TITLE": "Restore Default Values", "RESET_DESCRIPTION": "You are about to restore the default Links for TOS and Privacy Policy. Do you really want to continue?" @@ -2041,7 +2046,7 @@ "DESCRIPTION": "Enter the credentials for your Apple Provider" }, "SAML": { - "TITLE": "Sign in with Saml SP", + "TITLE": "Sign in with SAML SP", "DESCRIPTION": "Enter the credentials for your SAML Provider" } }, @@ -2174,7 +2179,10 @@ "METADATAXML": "Metadata Xml", "METADATAURL": "Metadata URL", "BINDING": "Binding", - "SIGNEDREQUEST": "Signed Request" + "SIGNEDREQUEST": "Signed Request", + "NAMEIDFORMAT": "NameID Format", + "TRANSIENTMAPPINGATTRIBUTENAME": "Custom Mapping Attribute Name", + "TRANSIENTMAPPINGATTRIBUTENAME_DESC": "Alternative attribute name to map the user in case the `nameid-format` returned is `transient`, e.g. `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`" }, "TOAST": { "SAVED": "Successfully saved.", @@ -2243,7 +2251,7 @@ "SMTP": { "LIST": { "TITLE": "SMTP Provider", - "DESCRIPTION": "These are the SMTP providers for your Zitadel instance. Activate the one you want to use to send notifications to your users.", + "DESCRIPTION": "These are the SMTP providers for your ZITADEL instance. Activate the one you want to use to send notifications to your users.", "EMPTY": "No SMTP Provider available", "ACTIVATED": "Activated", "ACTIVATE": "Activate provider", @@ -2271,7 +2279,16 @@ "CURRENT_DESC_TITLE": "These are your SMTP settings", "PROVIDER_SETTINGS": "SMTP Provider Settings", "SENDER_SETTINGS": "Sender Settings", - "TEST_SETTINGS": "Test SMTP Settings" + "TEST_SETTINGS": "Test SMTP Settings", + "NEXT_STEPS": "Next Steps", + "ACTIVATE": { + "TITLE": "Activate your SMTP Provider", + "DESCRIPTION": "ZITADEL cannot use this SMTP Provider to send notifications until you activate it. If you activate this provider any other provider that was active will now be deactivated." + }, + "DEACTIVATE": { + "TITLE": "Deactivate your SMTP Provider", + "DESCRIPTION": "If you deactivate this SMTP Provider, ZITADEL cannot use it to send notifications until you activate it again." + } } }, "DETAIL": { diff --git a/console/src/assets/i18n/es.json b/console/src/assets/i18n/es.json index b134c4a1fa..d535f44252 100644 --- a/console/src/assets/i18n/es.json +++ b/console/src/assets/i18n/es.json @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "Enlaces Externos", - "DESCRIPTION": "Guía a tus usuarios hacia recursos externos personalizados mostrados en la página de inicio de sesión. Los usuarios necesitan aceptar los Términos de Servicio y la Política de Privacidad antes de que puedan registrarse." + "DESCRIPTION": "Guía a tus usuarios a recursos externos personalizados que se muestran en la página de inicio de sesión. Los usuarios deben aceptar los Términos de servicio y la Política de privacidad antes de poder registrarse. Cambia el enlace a tu documentación o introduce una cadena de texto vacía para ocultar el botón de documentación de la consola. Agrega un enlace externo personalizado y un texto personalizado para dicho enlace en la consola, o déjalos vacíos para ocultar ese botón." }, "SMTP_PROVIDER": { "TITLE": "Configuración de SMTP", @@ -595,6 +595,7 @@ "INVALID_FORMAT": "El formato no es valido.", "NOTANEMAIL": "El valor proporcionado no es una dirección de email.", "MINLENGTH": "Debe tener al menos {{requiredLength}} caracteres de longitud.", + "MAXLENGTH": "Debe tener menos de {{requiredLength}} caracteres.", "UPPERCASEMISSING": "Debe incluir un carácter en mayúscula.", "LOWERCASEMISSING": "Debe incluir un carácter en minúscula.", "SYMBOLERROR": "Debe incluir un símbolo o un signo de puntuación.", @@ -880,7 +881,8 @@ "SET": "Establecer nueva contraseña", "RESENDNOTIFICATION": "Enviar enlace para restablecer la contraseña", "REQUIRED": "Faltan algunos campos requeridos.", - "MINLENGTHERROR": "Debe tener al menos {{value}} caracteres de longitud." + "MINLENGTHERROR": "Debe tener al menos {{value}} caracteres de longitud.", + "MAXLENGTHERROR": "Debe tener menos de {{value}} caracteres" }, "ID": "ID", "EMAIL": "Email", @@ -1572,6 +1574,9 @@ "POLICYLINK": "Enlace a Política de privacidad", "HELPLINK": "Enlace de ayuda", "SUPPORTEMAIL": "Email de soporte", + "DOCSLINK": "Enlace de documentos (Console)", + "CUSTOMLINK": "Enlace personalizado (Console)", + "CUSTOMLINKTEXT": "Texto de enlace personalizado (Console)", "SAVED": "¡Se guardó con éxito!", "RESET_TITLE": "Restaurar valores por defecto", "RESET_DESCRIPTION": "Estás a punto de restaurar los enlaces por defecto para los TDS y la política de privacida. ¿Quieres continuar?" @@ -2222,7 +2227,7 @@ "SMTP": { "LIST": { "TITLE": "Proveedor SMTP", - "DESCRIPTION": "Estos son los proveedores SMTP para tu instancia de Zitadel. Activa el que quieras utilizar para enviar notificaciones a tus usuarios.", + "DESCRIPTION": "Estos son los proveedores SMTP para tu instancia de ZITADEL. Activa el que quieras utilizar para enviar notificaciones a tus usuarios.", "EMPTY": "No hay ningún proveedor SMTP disponible", "ACTIVATED": "Activado", "ACTIVATE": "Activar proveedor", @@ -2250,7 +2255,16 @@ "CURRENT_DESC_TITLE": "Estas son tus configuraciones SMTP", "PROVIDER_SETTINGS": "Configuración del proveedor SMTP", "SENDER_SETTINGS": "Configuración del remitente", - "TEST_SETTINGS": "Probar la configuración SMTP" + "TEST_SETTINGS": "Probar la configuración SMTP", + "NEXT_STEPS": "Pŕoximos pasos", + "ACTIVATE": { + "TITLE": "Activa tu proveedor SMTP", + "DESCRIPTION": "ZITADEL no puede usar este proveedor SMTP para enviar notificaciones hasta que lo actives. Si activas este proveedor cualquier otro proveedor que estuviera activado será desactivado ahora." + }, + "DEACTIVATE": { + "TITLE": "Desactiva tu proveedor SMTP", + "DESCRIPTION": "Si desactivas este proveedor SMTP, ZITADEL no puede utilizarlo para enviar notificationes hasta que lo actives otra vez." + } } }, "DETAIL": { diff --git a/console/src/assets/i18n/fr.json b/console/src/assets/i18n/fr.json index cb96599cf9..110f0589d3 100644 --- a/console/src/assets/i18n/fr.json +++ b/console/src/assets/i18n/fr.json @@ -3,78 +3,78 @@ "DESCRIPTIONS": { "METADATA_TITLE": "Métadonnées", "HOME": { - "TITLE": "Commence avec ZITADEL", + "TITLE": "Commencez avec ZITADEL", "NEXT": { - "TITLE": "Tes prochaines étapes", - "DESCRIPTION": "Complète les étapes suivantes pour sécuriser ton application.", + "TITLE": "Vos prochaines étapes", + "DESCRIPTION": "Complétez les étapes suivantes pour sécuriser votre application.", "CREATE_PROJECT": { "TITLE": "Créer un projet", - "DESCRIPTION": "Ajoute un projet et définis ses rôles et autorisations." + "DESCRIPTION": "Ajoutez un projet et définissez ses rôles et autorisations." } }, "MORE_SHORTCUTS": { "GET_STARTED": { "TITLE": "Commencer", - "DESCRIPTION": "Suis le guide de démarrage rapide étape par étape et commence à construire immédiatement." + "DESCRIPTION": "Suivez le guide de démarrage rapide étape par étape et commencez à construire immédiatement." }, "DOCS": { "TITLE": "Documentation", - "DESCRIPTION": "Explore la base de connaissances de ZITADEL pour te familiariser avec les concepts et idées clés. Apprends comment fonctionne ZITADEL et comment l'utiliser." + "DESCRIPTION": "Explorez la base de connaissances de ZITADEL pour vous familiariser avec les concepts et idées clés. Apprennez comment fonctionne ZITADEL et comment l'utiliser." }, "EXAMPLES": { "TITLE": "Exemples et Kits de Développement Logiciel", - "DESCRIPTION": "Parcours nos exemples et SDKs pour utiliser ZITADEL avec tes langages de programmation et outils préférés." + "DESCRIPTION": "Parcourez nos exemples et SDKs pour utiliser ZITADEL avec vos langages de programmation et outils préférés." } } }, "ORG": { "TITLE": "Organisation", - "DESCRIPTION": "Une organisation héberge des utilisateurs, des projets avec des applications, des fournisseurs d'identité et des paramètres comme le branding de l'entreprise. Tu veux partager des paramètres à travers plusieurs organisations ? Configure les paramètres par défaut.", - "METADATA": "Ajoute des attributs personnalisés à l'organisation comme son emplacement ou un identifiant dans un autre système. Tu peux utiliser cette information dans tes actions." + "DESCRIPTION": "Une organisation héberge des utilisateurs, des projets avec des applications, des fournisseurs d'identité et des paramètres comme le branding de l'entreprise. Voulez-vous partager des paramètres à travers plusieurs organisations ? Configurez les paramètres par défaut.", + "METADATA": "Ajoutez des attributs personnalisés à l'organisation comme son emplacement ou un identifiant dans un autre système. Vous pouvez utiliser cette information dans vos actions." }, "PROJECTS": { "TITLE": "Projets", - "DESCRIPTION": "Un projet héberge une ou plusieurs applications, que tu peux utiliser pour authentifier tes utilisateurs. Tu peux également autoriser tes utilisateurs avec des projets. Pour permettre aux utilisateurs d'autres organisations de se connecter à tes applications, accorde-leur l'accès à ton projet.

Si tu ne trouves pas un projet, contacte le propriétaire du projet ou quelqu'un avec les droits correspondants pour obtenir l'accès.", + "DESCRIPTION": "Un projet héberge une ou plusieurs applications, que vous pouvez utiliser pour authentifier vos utilisateurs. Vous pouvez également autoriser vos utilisateurs avec des projets. Pour permettre aux utilisateurs d'autres organisations de se connecter à vos applications, accordez-leur l'accès à votre projet.

Si vous ne trouvez pas un projet, contactez le propriétaire du projet ou quelqu'un avec les droits correspondants pour obtenir l'accès.", "OWNED": { "TITLE": "Projets Possédés", - "DESCRIPTION": "Ce sont les projets que tu possèdes. Tu peux gérer les paramètres de ces projets, les autorisations et les applications." + "DESCRIPTION": "Ce sont les projets que vous possédez. Vous pouvez gérer les paramètres de ces projets, les autorisations et les applications." }, "GRANTED": { - "TITLE": "Projets Accordés", - "DESCRIPTION": "Ce sont les projets que d'autres organisations t'ont accordés. Avec les projets accordés, tu peux donner à tes utilisateurs l'accès aux applications d'autres organisations." + "TITLE": "Projets Octroyés", + "DESCRIPTION": "Ce sont les projets que d'autres organisations vous ont octroyés. Avec les projets octroyés, vous pouvez donner à vos utilisateurs l'accès aux applications d'autres organisations." } }, "USERS": { "TITLE": "Utilisateurs", - "DESCRIPTION": "Un utilisateur est un humain ou une machine qui peut accéder à tes applications.", + "DESCRIPTION": "Un utilisateur est un humain ou une machine qui peut accéder à vos applications.", "HUMANS": { - "TITLE": "utilisateurs", + "TITLE": "Utilisateurs", "DESCRIPTION": "Les utilisateurs s'authentifient de manière interactive dans une session de navigateur avec une invite de connexion.", - "METADATA": "Ajoute des attributs personnalisés à l'utilisateur comme le département. Tu peux utiliser cette information dans tes actions." + "METADATA": "Ajoutez des attributs personnalisés à l'utilisateur comme le département. Vous pouvez utiliser cette information dans vos actions." }, "MACHINES": { "TITLE": "Utilisateurs des services", "DESCRIPTION": "Les utilisateurs des services s'authentifient de manière non interactive en utilisant un token porteur JWT signé avec une clé privée. Elles peuvent également utiliser un token d'accès personnel.", - "METADATA": "Ajoute des attributs personnalisés à l'utilisateur comme le système d'authentification. Tu peux utiliser cette information dans tes actions." + "METADATA": "Ajoute des attributs personnalisés à l'utilisateur comme le système d'authentification. Vous pouvez utiliser cette information dans vos actions." }, "SELF": { - "METADATA": "Ajoute des attributs personnalisés à ton utilisateur comme ton département. Tu peux utiliser cette information dans les actions de ton organisation." + "METADATA": "Ajoutez des attributs personnalisés à votre utilisateur comme votre département. Vous pouvez utiliser cette information dans les actions de votre organisation." } }, "AUTHORIZATIONS": { "TITLE": "Autorisations", - "DESCRIPTION": "Les autorisations définissent les droits d'accès d'un utilisateur à un projet. Tu peux accorder à un utilisateur l'accès à un projet et définir les rôles de l'utilisateur au sein de ce projet." + "DESCRIPTION": "Les autorisations définissent les droits d'accès d'un utilisateur à un projet. Vous pouvez octroyer à un utilisateur l'accès à un projet et définir les rôles de l'utilisateur au sein de ce projet." }, "ACTIONS": { "TITLE": "Actions", - "DESCRIPTION": "Exécute du code personnalisé sur des événements qui se produisent lorsque tes utilisateurs s'authentifient chez ZITADEL. Automatise tes processus, enrichis les métadonnées de tes utilisateurs et leurs tokens ou notifie des systèmes externes.", + "DESCRIPTION": "Exécutez du code personnalisé sur des événements qui se produisent lorsque vos utilisateurs s'authentifient chez ZITADEL. Automatisez vos processus, enrichissez les métadonnées de vos utilisateurs et leurs tokens ou notifiez des systèmes externes.", "SCRIPTS": { "TITLE": "Scripts", - "DESCRIPTION": "Écris ton code JavaScript une fois et déclenche-le dans plusieurs flux." + "DESCRIPTION": "Écrivez votre code JavaScript une fois et déclenchez-le dans plusieurs flux." }, "FLOWS": { "TITLE": "Flux", - "DESCRIPTION": "Choisis un flux d'authentification et déclenche ton action sur un événement spécifique dans ce flux." + "DESCRIPTION": "Choisissez un flux d'authentification et déclenchez votre action sur un événement spécifique dans ce flux." } }, "SETTINGS": { @@ -84,7 +84,7 @@ }, "ORG": { "TITLE": "Paramètres de l'Organisation", - "DESCRIPTION": "Personnalise les paramètres de ton organisation." + "DESCRIPTION": "Personnalisez les paramètres de votre organisation." }, "FEATURES": { "TITLE": "Paramètres des fonctionnalités", @@ -92,7 +92,7 @@ }, "IDPS": { "TITLE": "Fournisseurs d'Identité", - "DESCRIPTION": "Crée et active des fournisseurs d'identité externes. Choisis un fournisseur bien connu ou configure tout autre fournisseur compatible OIDC, OAuth ou SAML de ton choix. Tu peux même utiliser tes tokens JWT existants comme identités fédérées en configurant un fournisseur d'identité JWT.", + "DESCRIPTION": "Créez et activez des fournisseurs d'identité externes. Choisissez un fournisseur bien connu ou configurez tout autre fournisseur compatible OIDC, OAuth ou SAML de votre choix. Vous pouvez même utiliser vos tokens JWT existants comme identités fédérées en configurant un fournisseur d'identité JWT.", "NEXT": "Et maintenant ?", "SAML": { "TITLE": "Configurez votre fournisseur d'identité SAML", @@ -121,56 +121,56 @@ }, "PW_COMPLEXITY": { "TITLE": "Complexité du Mot de Passe", - "DESCRIPTION": "Assure-toi que tes utilisateurs utilisent des mots de passe forts en définissant des règles de complexité." + "DESCRIPTION": "Assurez-vous que vos utilisateurs utilisent des mots de passe forts en définissant des règles de complexité." }, "BRANDING": { "TITLE": "Branding", - "DESCRIPTION": "Personnalise l'apparence de ton formulaire de connexion. N'oublie pas d'appliquer ta configuration lorsque tu as terminé." + "DESCRIPTION": "Personnalisez l'apparence de votre formulaire de connexion. N'oubliez pas d'appliquer votre configuration lorsque vous avez terminé." }, "PRIVACY_POLICY": { "TITLE": "Liens Externes", - "DESCRIPTION": "Guide tes utilisateurs vers des ressources externes personnalisées affichées sur la page de connexion. Les utilisateurs doivent accepter les Termes de Service et la Politique de Confidentialité avant de pouvoir s'inscrire." + "DESCRIPTION": "Guidez vos utilisateurs vers des ressources externes personnalisées affichées sur la page de connexion. Les utilisateurs doivent accepter les conditions d'utilisation et la politique de confidentialité avant de pouvoir s'inscrire. Modifiez le lien vers votre documentation ou définissez une chaîne vide pour masquer le bouton de documentation de la console. Ajoutez un lien externe personnalisé et un texte personnalisé pour ce lien dans la console, ou définissez-les vides pour masquer ce bouton." }, "SMTP_PROVIDER": { "TITLE": "Paramètres SMTP", - "DESCRIPTION": "Configure ton serveur SMTP pour utiliser un domaine pour l'adresse de l'expéditeur que tes utilisateurs connaissent et en qui ils ont confiance." + "DESCRIPTION": "Configurez votre serveur SMTP pour utiliser un domaine pour l'adresse de l'expéditeur que vos utilisateurs connaissent et en qui ils ont confiance." }, "SMS_PROVIDER": { "TITLE": "Paramètres SMS", - "DESCRIPTION": "Pour débloquer toutes les fonctionnalités de ZITADEL, configure Twilio pour envoyer des messages SMS à tes utilisateurs." + "DESCRIPTION": "Pour débloquer toutes les fonctionnalités de ZITADEL, configurez Twilio pour envoyer des messages SMS à vos utilisateurs." }, "IAM_EVENTS": { "TITLE": "Événements", - "DESCRIPTION": "Cette page montre tous les changements d'état dans ton instance aussi loin que la limite de piste d'audit de tes instances. Filtre la liste par plage de temps à des fins de débogage ou filtre-la par un agrégat à des fins d'audit." + "DESCRIPTION": "Cette page montre tous les changements d'état dans votre instance aussi loin que la limite de piste d'audit de vos instances. Filtrez la liste par plage de temps à des fins de débogage ou filtrez-la par un agrégat à des fins d'audit." }, "IAM_FAILED_EVENTS": { "TITLE": "Événements Échoués", - "DESCRIPTION": "Cette page montre tous les événements échoués dans ton instance. Si ZITADEL ne se comporte pas comme tu l'attends, vérifie toujours cette liste en premier." + "DESCRIPTION": "Cette page montre tous les événements échoués dans votre instance. Si ZITADEL ne se comporte pas comme vous l'attendez, vérifiez toujours cette liste en premier." }, "IAM_VIEWS": { "TITLE": "Vues", - "DESCRIPTION": "Cette page montre toutes tes vues de base de données et quand elles ont traité leur dernier événement. Si des données te manquent, vérifie si la vue est à jour." + "DESCRIPTION": "Cette page montre toutes vos vues de base de données et quand elles ont traité leur dernier événement. Si des données vous manquent, vérifiez si la vue est à jour." }, "LANGUAGES": { "TITLE": "Langues", - "DESCRIPTION": "Restreins les langues dans lesquelles le formulaire de connexion et les messages de notification sont traduits. Si tu souhaites désactiver certaines langues, déplace-les vers la section Langues Non Autorisées. Tu peux spécifier une langue autorisée comme langue par défaut. Si la langue préférée d'un utilisateur n'est pas autorisée, la langue par défaut est utilisée." + "DESCRIPTION": "Restreignez les langues dans lesquelles le formulaire de connexion et les messages de notification sont traduits. Si vous souhaitez désactiver certaines langues, déplacez-les vers la section Langues Non Autorisées. Vous pouvez spécifier une langue autorisée comme langue par défaut. Si la langue préférée d'un utilisateur n'est pas autorisée, la langue par défaut est utilisée." }, "SECRET_GENERATORS": { "TITLE": "Générateurs de Secret", - "DESCRIPTION": "Définis la complexité et la durée de vie de tes secrets. Une complexité et une durée de vie plus élevées améliorent la sécurité, une complexité et une durée de vie plus faibles améliorent la performance de déchiffrement." + "DESCRIPTION": "Définissez la complexité et la durée de vie de vos secrets. Une complexité et une durée de vie plus élevées améliorent la sécurité, une complexité et une durée de vie plus faibles améliorent la performance de déchiffrement." }, "SECURITY": { "TITLE": "Paramètres de Sécurité", - "DESCRIPTION": "Active les fonctionnalités de ZITADEL qui peuvent avoir des impacts sur la sécurité. Tu devrais vraiment savoir ce que tu fais avant de changer ces paramètres." + "DESCRIPTION": "Activez les fonctionnalités de ZITADEL qui peuvent avoir des impacts sur la sécurité. Vous devriez vraiment savoir ce que vous faites avant de changer ces paramètres." }, "OIDC": { "TITLE": "Paramètres OpenID Connect", - "DESCRIPTION": "Configure la durée de vie de tes tokens OIDC. Utilise des durées plus courtes pour augmenter la sécurité de tes utilisateurs, utilise des durées plus longues pour augmenter leur commodité.", + "DESCRIPTION": "Configurez la durée de vie de vos tokens OIDC. Utilisez des durées plus courtes pour augmenter la sécurité de vos utilisateurs, utilisez des durées plus longues pour augmenter leur commodité.", "LABEL_HOURS": "Durée de vie maximale en heures", "LABEL_DAYS": "Durée de vie maximale en jours", "ACCESS_TOKEN": { "TITLE": "Token d'Accès", - "DESCRIPTION": "Le token d'accès est utilisé pour authentifier un utilisateur. C'est un token de courte durée qui est utilisé pour accéder aux données de l'utilisateur. Utilise une courte durée de vie pour minimiser le risque d'accès non autorisé. Les tokens d'accès peuvent être automatiquement rafraîchis en utilisant un token de rafraîchissement." + "DESCRIPTION": "Le token d'accès est utilisé pour authentifier un utilisateur. C'est un token de courte durée qui est utilisé pour accéder aux données de l'utilisateur. Utilisez une courte durée de vie pour minimiser le risque d'accès non autorisé. Les tokens d'accès peuvent être automatiquement rafraîchis en utilisant un token de rafraîchissement." }, "ID_TOKEN": { "TITLE": "Token ID", @@ -187,107 +187,107 @@ }, "MESSAGE_TEXTS": { "TITLE": "Textes des Messages", - "DESCRIPTION": "Personnalise les textes de tes emails de notification ou messages SMS. Si tu souhaites désactiver certaines langues, restreins-les dans les paramètres de langue de tes instances.", + "DESCRIPTION": "Personnalisez les textes de vos e-mails de notification ou messages SMS. Si vous souhaitez désactiver certaines langues, restreignez-les dans les paramètres de langue de vos instances.", "TYPE_DESCRIPTIONS": { - "DC": "Lorsque tu revendiques un domaine pour ton organisation, les utilisateurs qui n'utilisent pas ce domaine dans leur nom de connexion seront invités à changer leur nom de connexion pour correspondre au domaine revendiqué.", - "INIT": "Lorsqu'un utilisateur est créé, il recevra un email avec un lien pour définir son mot de passe.", - "PC": "Lorsqu'un utilisateur change son mot de passe, il recevra une notification sur le changement si tu as activé cela dans les paramètres de notification.", - "PL": "Lorsqu'un utilisateur ajoute une méthode d'authentification sans mot de passe, il doit l'activer en cliquant sur un lien dans un email.", - "PR": "Lorsqu'un utilisateur réinitialise son mot de passe, il recevra un email avec un lien pour définir un nouveau mot de passe.", - "VE": "Lorsqu'un utilisateur change son adresse email, il recevra un email avec un lien pour vérifier la nouvelle adresse.", + "DC": "Lorsque vous revendiquez un domaine pour votre organisation, les utilisateurs qui n'utilisent pas ce domaine dans leur nom de connexion seront invités à changer leur nom de connexion pour correspondre au domaine revendiqué.", + "INIT": "Lorsqu'un utilisateur est créé, il recevra un e-mail avec un lien pour définir son mot de passe.", + "PC": "Lorsqu'un utilisateur change son mot de passe, il recevra une notification sur le changement si vous avez activé cela dans les paramètres de notification.", + "PL": "Lorsqu'un utilisateur ajoute une méthode d'authentification sans mot de passe, il doit l'activer en cliquant sur un lien dans un e-mail.", + "PR": "Lorsqu'un utilisateur réinitialise son mot de passe, il recevra un e-mail avec un lien pour définir un nouveau mot de passe.", + "VE": "Lorsqu'un utilisateur change son adresse e-mail, il recevra un e-mail avec un lien pour vérifier la nouvelle adresse.", "VP": "Lorsqu'un utilisateur change son numéro de téléphone, il recevra un SMS avec un code pour vérifier le nouveau numéro.", - "VEO": "Lorsqu'un utilisateur ajoute un Mot de Passe à Usage Unique via email, il doit l'activer en entrant un code envoyé à son adresse email.", + "VEO": "Lorsqu'un utilisateur ajoute un Mot de Passe à Usage Unique via e-mail, il doit l'activer en entrant un code envoyé à son adresse e-mail.", "VSO": "Lorsqu'un utilisateur ajoute un Mot de Passe à Usage Unique via SMS, il doit l'activer en entrant un code envoyé à son numéro de téléphone." } }, "LOGIN_TEXTS": { "TITLE": "Textes de l'Interface de Connexion", - "DESCRIPTION": "Personnalise les textes de ton formulaire de connexion. Si un texte est vide, le placeholder montre la valeur par défaut. Si tu souhaites désactiver certaines langues, restreins-les dans les paramètres de langue de tes instances." + "DESCRIPTION": "Personnalisez les textes de votre formulaire de connexion. Si un texte est vide, le placeholder montre la valeur par défaut. Si vous souhaitez désactiver certaines langues, restreignez-les dans les paramètres de langue de vos instances." }, "DOMAINS": { "TITLE": "Paramètres de Domaine", - "DESCRIPTION": "Définis des restrictions sur tes domaines et configure les modèles de nom de connexion.", + "DESCRIPTION": "Définissez des restrictions sur vos domaines et configurez les modèles de nom de connexion.", "REQUIRE_VERIFICATION": { "TITLE": "Exiger que les domaines personnalisés soient vérifiés", "DESCRIPTION": "Si cela est activé, les domaines de l'organisation doivent être vérifiés avant qu'ils puissent être utilisés pour la découverte de domaine ou le suffixage de nom d'utilisateur." }, "LOGIN_NAME_PATTERN": { "TITLE": "Modèle de Nom de Connexion", - "DESCRIPTION": "Contrôle le modèle des noms de connexion de tes utilisateurs. ZITADEL sélectionne l'organisation de tes utilisateurs dès qu'ils entrent leur nom de connexion. Par conséquent, les noms de connexion doivent être uniques dans toutes les organisations. Si tu as des utilisateurs qui ont un compte dans plusieurs domaines, tu peux assurer l'unicité en suffixant tes noms de connexion avec le domaine de l'organisation." + "DESCRIPTION": "Contrôlez le modèle des noms de connexion de vos utilisateurs. ZITADEL sélectionne l'organisation de vos utilisateurs dès qu'ils entrent leur nom de connexion. Par conséquent, les noms de connexion doivent être uniques dans toutes les organisations. Si vous avez des utilisateurs qui ont un compte dans plusieurs domaines, vous pouvez assurer l'unicité en suffixant vos noms de connexion avec le domaine de l'organisation." }, "DOMAIN_VERIFICATION": { "TITLE": "Vérification de Domaine", - "DESCRIPTION": "Permet uniquement à ton organisation d'utiliser les domaines qu'elle contrôle réellement. Si activé, les domaines de l'organisation sont vérifiés périodiquement par DNS ou défi HTTP avant qu'ils puissent être utilisés. C'est une fonctionnalité de sécurité pour prévenir le détournement de domaine." + "DESCRIPTION": "Permet uniquement à votre organisation d'utiliser les domaines qu'elle contrôle réellement. Si activé, les domaines de l'organisation sont vérifiés périodiquement par DNS ou défi HTTP avant qu'ils puissent être utilisés. C'est une fonctionnalité de sécurité pour prévenir le détournement de domaine." }, "SMTP_SENDER_ADDRESS": { "TITLE": "Adresse de l'Expéditeur SMTP", - "DESCRIPTION": "Permet uniquement une adresse de l'expéditeur SMTP si elle correspond à l'un de tes domaines d'instance." + "DESCRIPTION": "Permet uniquement une adresse de l'expéditeur SMTP si elle correspond à l'un de vos domaines d'instance." } }, "LOGIN": { "LIFETIMES": { "TITLE": "Durées de Vie de Connexion", - "DESCRIPTION": "Renforce ta sécurité en réduisant certaines durées de vie maximales liées à la connexion.", + "DESCRIPTION": "Renforcez votre sécurité en réduisant certaines durées de vie maximales liées à la connexion.", "LABEL": "Durée de vie maximale en heures", "PW_CHECK": { "TITLE": "Vérification de Mot de Passe", - "DESCRIPTION": "Tes utilisateurs doivent changer leurs mots de passe pendant ces périodes." + "DESCRIPTION": "Vos utilisateurs doivent changer leurs mots de passe pendant ces périodes." }, "EXT_LOGIN_CHECK": { "TITLE": "Vérification de Connexion Externe", - "DESCRIPTION": "Tes utilisateurs sont redirigés vers leurs fournisseurs d'identité externes pendant ces périodes." + "DESCRIPTION": "Vos utilisateurs sont redirigés vers leurs fournisseurs d'identité externes pendant ces périodes." }, "MULTI_FACTOR_INIT": { "TITLE": "Vérification d'Initiation Multifacteur", - "DESCRIPTION": "Il sera demandé à tes utilisateurs de configurer un second facteur ou un Multifacteur pendant ces périodes, s'ils ne l'ont pas déjà fait. Une durée de vie de 0 désactive cette invite." + "DESCRIPTION": "Il sera demandé à vos utilisateurs de configurer un second facteur ou un Multifacteur pendant ces périodes, s'ils ne l'ont pas déjà fait. Une durée de vie de 0 désactive cette demande." }, "SECOND_FACTOR_CHECK": { "TITLE": "Vérification du Second Facteur", - "DESCRIPTION": "Tes utilisateurs doivent revalider leur second facteur pendant ces périodes." + "DESCRIPTION": "Vos utilisateurs doivent re-valider leur second facteur pendant ces périodes." }, "MULTI_FACTOR_CHECK": { "TITLE": "Vérification Multifacteur", - "DESCRIPTION": "Tes utilisateurs doivent revalider leur Multifacteur pendant ces périodes." + "DESCRIPTION": "Vos utilisateurs doivent re-valider leur Multifacteur pendant ces périodes." } }, "FORM": { - "TITLE": "Login Form", - "DESCRIPTION": "Customize the login form.", + "TITLE": "Formulaire de connexion", + "DESCRIPTION": "Personnalisez le formulaire de connexion", "USERNAME_PASSWORD_ALLOWED": { - "TITLE": "Username and Password allowed", - "DESCRIPTION": "Allow your users to log in with their username and password. If this is deactivated, your users can only log in using passwordless authentication or with an external identity provider." + "TITLE": "Nom d'utilisateur et mot de passe autorisés", + "DESCRIPTION": "Autorisez vos utilisateurs à se connecter avec leur nom d'utilisateur et mot de passe. Si désactivé, vos utilisateurs pourront uniquement se connecter avec une méthode d'authentification sans mot de passe ou avec un fournisseur d'identité externe" }, "USER_REGISTRATION_ALLOWED": { - "TITLE": "User Registration allowed", - "DESCRIPTION": "Allow anonymous users to create an account." + "TITLE": "Enregistrement de nouveaux utilisateurs autorisé", + "DESCRIPTION": "Autorisez des utilisateurs anonymes à s'enregistrer." }, "ORG_REGISTRATION_ALLOWED": { - "TITLE": "Organization Registration allowed", - "DESCRIPTION": "Allow anonymous users to create an organization." + "TITLE": "Enregistrement de nouvelles organisations autorisé", + "DESCRIPTION": "Autorisez des utilisateurs anonymes à créer une organisation." }, "EXTERNAL_LOGIN_ALLOWED": { - "TITLE": "External Login allowed", - "DESCRIPTION": "Allow your users to log in with an external identity provider instead of using the ZITADEL user to log in." + "TITLE": "Connexion externe autorisée", + "DESCRIPTION": "Autorisez vos utilisateurs à se connecter avec un fournisseur d'identité externe à la place de la connexion avec le nom d'utilisateur ZITADEL." }, "HIDE_PASSWORD_RESET": { "TITLE": "Réinitialisation du mot de passe masquée", "DESCRIPTION": "Ne permettez pas à vos utilisateurs de réinitialiser leur mot de passe." }, "DOMAIN_DISCOVERY_ALLOWED": { - "TITLE": "Domain Discovery allowed", - "DESCRIPTION": "Find your users organizations depending on their login names domain, for example their email address." + "TITLE": "Découverte du domaine autorisée", + "DESCRIPTION": "Trouvez les organisations de vos utilisateurs en fonction de leur nom de domaine de connexion, par exemple leur adresse e-mail." }, "IGNORE_UNKNOWN_USERNAMES": { - "TITLE": "Ignore unknown Usernames", - "DESCRIPTION": "If this is activated, the login form will not show an error message if the username is unknown. This helps to prevent username guessing." + "TITLE": "Ignorer les nom d'utilisateurs inconnus", + "DESCRIPTION": "Si activé, le formulaire de connexion n'affichera pas un message d'erreur si le nom d'utilisateur est inconnu. Cela permet d'éviter de deviner les noms d'utilisateurs." }, "DISABLE_EMAIL_LOGIN": { - "TITLE": "Disable Email Login", - "DESCRIPTION": "If this is activated, your users can't use their email addresses to log in. Beware that if you deactivate this, your users email addresses must be unique accross all organizations in order to log in." + "TITLE": "Désactiver la connexion par e-mail", + "DESCRIPTION": "Si activé, vos utilisateurs ne pourront pas utiliser leur adresse e-mail pour se connecter. Veuillez noter que si vous le désactivez, les adresses e-mails de vos utilisateurs devront être uniques à travers toutes les organisations afin de pouvoir se connecter." }, "DISABLE_PHONE_LOGIN": { - "TITLE": "Disable Phone Login", - "DESCRIPTION": "If this is activated, your users can't use their phone numbers to log in. Beware that if you deactivate this, your users phone numbers must be unique accross all organizations in order to log in." + "TITLE": "Désactiver la connexion par numéro de téléphone", + "DESCRIPTION": "Si activé, vos utilisateurs ne pourront pas utiliser leur numéro de téléphone pour se connecter. Veuillez noter que si vous le désactivez, les numéros de téléphone devront être uniques à travers toutes les organisations afin de pouvoir se connecter." } } } @@ -297,7 +297,7 @@ "PREVIOUS": "Précédent", "NEXT": "Suivant", "COUNT": "Résultats totaux", - "MORE": "plus" + "MORE": "Plus" }, "FOOTER": { "LINKS": { @@ -336,7 +336,7 @@ "DESCRIPTION": "Votre processus d'intégration", "MOREDESCRIPTION": "plus de raccourcis", "COMPLETED": "terminé", - "DISMISS": "fermer", + "DISMISS": "Passer", "CARD": { "TITLE": "Faites fonctionner votre ZITADEL", "DESCRIPTION": "Cette liste de contrôle vous aide à configurer votre instance et vous guide à travers les étapes les plus essentielles." @@ -345,22 +345,22 @@ "instance.policy.label.added": { "title": "Créez votre marque", "description": "Définissez la couleur et la forme de votre connexion et téléchargez votre logo et vos icônes.", - "action": "Définissez" + "action": "Configurez votre marque" }, "instance.smtp.config.added": { - "title": "Configurez paramètres SMTP", - "description": "Définissez paramètres de serveur de messagerie", - "action": "Configurez" + "title": "Configurez les paramètres SMTP", + "description": "Définissez les paramètres de serveur de messagerie", + "action": "Configurez le SMTP" }, "PROJECT_CREATED": { - "title": "Créez projet", - "description": "Ajoutez projet et définissez ses rôles et autorisations.", - "action": "Créez projet" + "title": "Créez un projet", + "description": "Ajoutez un projet et définissez ses rôles et autorisations.", + "action": "Créez un projet" }, "APPLICATION_CREATED": { - "title": "Enregistrez votre application", - "description": "Enregistrez votre application web, native, api ou saml et configurez un flux d'authentification.", - "action": "Enregistrez l'application" + "title": "Créez votre application", + "description": "Créez votre application web, native, api ou saml et configurez un flux d'authentification.", + "action": "Créez l'application" }, "AUTHENTICATION_SUCCEEDED_ON_APPLICATION": { "title": "Connectez-vous à votre application", @@ -369,18 +369,18 @@ }, "user.human.added": { "title": "Ajouter des utilisateurs", - "description": "Ajouter les utilisateurs de application", - "action": "Ajuter utilisateur" + "description": "Ajoutez les utilisateurs de l'application", + "action": "Ajoutez un utilisateur" }, "user.grant.added": { - "title": "Utilisateurs de subventions", + "title": "Octroyer des droits", "description": "Autorisez les utilisateurs à accéder à votre application et définissez leur rôle.", - "action": "Autorisez" + "action": "Accordez des droits à un utilisateur" } } }, "MENU": { - "INSTANCE": "paramètres par défaut", + "INSTANCE": "Paramètres par défaut", "DASHBOARD": "Accueil", "PERSONAL_INFO": "Informations personnelles", "DOCUMENTATION": "Documentation", @@ -392,9 +392,9 @@ "ORGANIZATION": "Organisation", "PROJECT": "Projets", "PROJECTOVERVIEW": "Vue d'ensemble", - "PROJECTGRANTS": "Subventions", + "PROJECTGRANTS": "Droits", "ROLES": "Rôles", - "GRANTEDPROJECT": "Projets accordés", + "GRANTEDPROJECT": "Projets octroyés", "HUMANUSERS": "Utilisateurs", "MACHINEUSERS": "Utilisateurs de services", "LOGOUT": "Déconnexion de tous les utilisateurs", @@ -407,19 +407,19 @@ "TOS": "Conditions de service", "OPENSHORTCUTSTOOLTIP": "Tapez ? pour afficher les raccourcis clavier", "SETTINGS": "Paramètres", - "CUSTOMERPORTAL": "Customer Portal" + "CUSTOMERPORTAL": "Portail Client" }, "QUICKSTART": { "TITLE": "Intégrer ZITADEL dans votre application", - "DESCRIPTION": "Intégrez ZITADEL dans votre application ou utilisez l'un de nos échantillons pour démarrer en quelques minutes", + "DESCRIPTION": "Intégrez ZITADEL dans votre application ou utilisez l'un de nos échantillons pour démarrer en quelques minutes.", "BTN_START": "Créer une application", "BTN_LEARNMORE": "En savoir plus", "CREATEPROJECTFORAPP": "Créer un projet {{value}}", - "SELECT_FRAMEWORK": "Select Framework", + "SELECT_FRAMEWORK": "Sélectionner un framework", "FRAMEWORK": "Framework", "FRAMEWORK_OTHER": "Autre (OIDC, SAML, API)", "ALMOSTDONE": "Vous avez presque terminé", - "REVIEWCONFIGURATION": "Review Configuration", + "REVIEWCONFIGURATION": "Aperçu de la configuration", "REVIEWCONFIGURATION_DESCRIPTION": "Nous avons créé une configuration de base pour les applications {{value}}. Vous pouvez adapter cette configuration à vos besoins après sa création.", "REDIRECTS": "Configurer les redirections", "DEVMODEWARN": "Le mode développement est activé par défaut. Vous pouvez mettre à jour les valeurs pour la production ultérieurement.", @@ -428,7 +428,7 @@ "DUPLICATEAPPRENAME": "Une application avec ce nom existe déjà. Veuillez choisir un autre nom.", "DIALOG": { "CHANGE": { - "TITLE": "Cadre de changement", + "TITLE": "Modifier le framework", "DESCRIPTION": "Choisissez l'un des frameworks disponibles pour une configuration rapide de votre application." } } @@ -441,8 +441,8 @@ "COPY": "Copier dans le presse-papiers", "COPIED": "Copié dans le presse-papiers.", "RESET": "Réinitialiser", - "RESETDEFAULT": "Réinitialiser par défaut", - "RESETTO": "Réinitialiser à", + "RESETDEFAULT": "Réinitialiser à la valeur par défaut", + "RESETTO": "Réinitialiser à : ", "RESETCURRENT": "Réinitialiser à la valeur actuelle", "SHOW": "Afficher", "HIDE": "Cacher", @@ -459,7 +459,7 @@ "CANCEL": "Annuler", "INFO": "Info", "OK": "OK", - "SELECT": "Sélectionnez", + "SELECT": "Sélectionner", "VIEW": "Afficher", "SELECTIONDELETE": "Supprimer la sélection", "DELETE": "Supprimer", @@ -474,7 +474,7 @@ "REFRESH": "Rafraîchir", "LOGIN": "Connexion", "EDIT": "Modifier", - "PIN": "Pin / Unpin", + "PIN": "Épingler / Désépingler", "CONFIGURE": "Configurer", "SEND": "Envoyer", "NEWVALUE": "Nouvelle valeur", @@ -483,18 +483,18 @@ "OF": "de", "PREVIOUS": "Précédent", "NEXT": "Suivant", - "MORE": "plus", + "MORE": "Plus", "STEP": "Étape", "UNSAVEDCHANGES": "Modifications non enregistrées", "UNSAVED": { "DIALOG": { "DESCRIPTION": "Voulez-vous vraiment annuler cette nouvelle action ? Votre action sera perdue", "CANCEL": "Annuler", - "DISCARD": "Jeter" + "DISCARD": "Abandonner" } }, "TABLE": { - "SHOWUSER": "Afficher l'utilisateur{{value}}" + "SHOWUSER": "Afficher l'utilisateur {{value}}" }, "DOWNLOAD": "Télécharger" }, @@ -508,17 +508,17 @@ "ORG_OWNER": "A le droit de contrôler l'ensemble de l'organisation", "ORG_USER_MANAGER": "A le droit de créer et de gérer les utilisateurs de l'organisation", "ORG_OWNER_VIEWER": "A le droit de passer en revue l'ensemble de l'organisation", - "ORG_USER_PERMISSION_EDITOR": "A le droit de gérer les subventions aux utilisateurs", - "ORG_PROJECT_PERMISSION_EDITOR": "A le droit de gérer les subventions aux projets", + "ORG_USER_PERMISSION_EDITOR": "A le droit d'octroyer des droits aux utilisateurs", + "ORG_PROJECT_PERMISSION_EDITOR": "A le droit d'octroyer des droits aux projets", "ORG_PROJECT_CREATOR": "A le droit de créer ses propres projets et leurs paramètres sous-jacents.", "ORG_ADMIN_IMPERSONATOR": "A l'autorisation de se faire passer pour l'administrateur et les utilisateurs finaux de l'organisation", "ORG_END_USER_IMPERSONATOR": "Est autorisé à usurper l'identité des utilisateurs finaux de l'organisation", "PROJECT_OWNER": "A le droit de gérer l'ensemble du projet", "PROJECT_OWNER_VIEWER": "A le droit de passer en revue l'ensemble du projet", "PROJECT_OWNER_GLOBAL": "A le droit d'accéder à l'ensemble du projet", - "PROJECT_OWNER_VIEWER_GLOBAL": "A le droit de réviser l'ensemble du projet", - "PROJECT_GRANT_OWNER": "A le droit de gérer la subvention du projet", - "PROJECT_GRANT_OWNER_VIEWER": "A le droit de réviser la subvention du projet" + "PROJECT_OWNER_VIEWER_GLOBAL": "A le droit de passer en revue l'ensemble du projet", + "PROJECT_GRANT_OWNER": "A le droit de gérer les autorisations du projet", + "PROJECT_GRANT_OWNER_VIEWER": "A le droit de passer en revue les autorisations du projet" }, "OVERLAYS": { "ORGSWITCHER": { @@ -537,7 +537,7 @@ "TEXT": "Attention ! Le contexte de l'organisation a changé." }, "SWITCHEDTOINSTANCE": { - "TEXT": "La vue vient de changer en instance !" + "TEXT": "La vue vient de changer en instance !" } }, "FILTER": { @@ -562,9 +562,9 @@ "SIDEWIDE": "Raccourcis pour l'ensemble du site", "SHORTCUTS": { "HOME": "Aller à Accueil", - "INSTANCE": "Vers l'aperçu des instances", + "INSTANCE": "Aller dans l'aperçu des instances", "ORG": "Aller à Organisation", - "ORGSETTINGS": "Vers les paramètres de l'organisation", + "ORGSETTINGS": "Aller dans les paramètres de l'organisation", "ORGSWITCHER": "Modifier l'organisation", "ME": "Aller à son propre profil", "PROJECTS": "Aller à Projets", @@ -581,7 +581,7 @@ "NOROWS": "Pas de données" }, "ERRORS": { - "REQUIRED": "Remplis ce champ s'il te plaît.", + "REQUIRED": "Merci de remplir ce champ.", "ATLEASTONE": "Indiquez au moins une valeur.", "TOKENINVALID": { "TITLE": "Votre jeton d'autorisation a expiré.", @@ -591,9 +591,10 @@ "TITLE": "Votre instance est bloquée.", "DESCRIPTION": "Demandez à votre administrateur d'instance ZITADEL de mettre à jour l'abonnement." }, - "INVALID_FORMAT": "Le format n'est pas valide", - "NOTANEMAIL": "La valeur donnée n'est pas une adresse e-mail", + "INVALID_FORMAT": "Le format n'est pas valide.", + "NOTANEMAIL": "La valeur donnée n'est pas une adresse e-mail.", "MINLENGTH": "Doit comporter au moins {{length}} caractères.", + "MAXLENGTH": "Doit contenir moins de {{requiredLength}} caractères.", "UPPERCASEMISSING": "Doit inclure un caractère majuscule.", "LOWERCASEMISSING": "Doit inclure un caractère minuscule.", "SYMBOLERROR": "Doit inclure un symbole ou un signe de ponctuation.", @@ -653,9 +654,9 @@ "DELETE_BTN": "Supprimer définitivement" }, "SENDEMAILDIALOG": { - "TITLE": "Envoyer une notification par e-mail", - "DESCRIPTION": "Cliquez sur le bouton ci-dessous pour envoyer une notification à l'adresse e-mail actuelle ou modifier l'adresse e-mail dans le champ.", - "NEWEMAIL": "Nouvelle adresse e-mail" + "TITLE": "Envoyer une notification pare-mail", + "DESCRIPTION": "Cliquez sur le bouton ci-dessous pour envoyer une notification à l'adressee-mail actuelle ou modifier l'adressee-mail dans le champ.", + "NEWEMAIL": "Nouvelle adressee-mail" }, "SECRETDIALOG": { "CLIENTSECRET": "Client Secret", @@ -667,12 +668,12 @@ "CHANGEDATE": "Dernière modification", "CREATIONDATE": "Créé à", "FILTER": { - "0": "Filtre pour DisplayName", + "0": "Filtre pour le nom d'utilisateur affiché", "1": "Filtre sur le nom d'utilisateur", - "2": "filtre pour DisplayName", + "2": "filtre pour le nom d'utilisateur affiché", "3": "filtre pour Username", - "4": "filtre pour Email", - "5": "filtre pour DisplayName", + "4": "filtre pour E-mail", + "5": "filtre pour le nom d'utilisateur affiché", "10": "filtre pour le nom de l'organisation", "12": "filtre pour le nom du projet" }, @@ -690,7 +691,7 @@ "U2F": "Ajouter une méthode", "U2F_DIALOG_TITLE": "Vérifier l'authentifiant", "U2F_DIALOG_DESCRIPTION": "Entrez un nom pour votre connexion sans mot de passe utilisée", - "U2F_SUCCESS": "Auth sans mot de passe créé avec succès !", + "U2F_SUCCESS": "Connexion sans mot de passe créé avec succès !", "U2F_ERROR": "Une erreur s'est produite pendant la configuration !", "U2F_NAME": "Nom de l'authentificateur", "TYPE": { @@ -711,7 +712,7 @@ "ADD_DESCRIPTION": "Sélectionnez l'une des options disponibles pour créer une méthode d'authentification sans mot de passe.", "SEND_DESCRIPTION": "Envoyez vous-même un lien d'enregistrement à votre adresse électronique.", "SEND": "Envoyer le lien d'enregistrement", - "SENT": "L'email a été délivré avec succès. Vérifiez votre boîte aux lettres électronique pour poursuivre la configuration.", + "SENT": "L'e-mail a été délivré avec succès. Vérifiez votre boîte aux lettres électronique pour poursuivre la configuration.", "QRCODE_DESCRIPTION": "Générer un code QR à scanner avec un autre appareil.", "QRCODE": "Générer un code QR", "QRCODE_SCAN": "Scannez ce code QR pour poursuivre la configuration sur votre appareil.", @@ -738,8 +739,8 @@ "U2F_ERROR": "Une erreur s'est produite pendant l'installation !", "U2F_NAME": "Nom de l'authentificateur", "OTPSMS": "OTP (One-Time Password) avec SMS", - "OTPEMAIL": "OTP (password monouso) con e-mail", - "SETUPOTPSMSDESCRIPTION": "Voulez-vous configurer ce numéro de téléphone comme deuxième facteur OTP (mot de passe à usage unique) ?", + "OTPEMAIL": "OTP (password monouso) cone-mail", + "SETUPOTPSMSDESCRIPTION": "Voulez-vous configurer ce numéro de téléphone comme deuxième facteur OTP (mot de passe à usage unique) ?", "OTPSMSSUCCESS": "OTP Factor mis en place avec succès.", "OTPSMSPHONEMUSTBEVERIFIED": "Votre téléphone doit être vérifié pour pouvoir utiliser cette méthode.", "OTPEMAILSUCCESS": "OTP Factor mis en place avec succès.", @@ -777,7 +778,7 @@ "CREATE": { "TITLE": "Créer un nouvel utilisateur", "DESCRIPTION": "Veuillez fournir les informations nécessaires.", - "NAMEANDEMAILSECTION": "Nom et e-mail", + "NAMEANDEMAILSECTION": "Nom ete-mail", "GENDERLANGSECTION": "Sexe et langue", "PHONESECTION": "Numéro de téléphone", "PASSWORDSECTION": "Mot de passe initial", @@ -803,7 +804,7 @@ "TITLE": "Profil", "EMAIL": "Courriel", "PHONE": "Numéro de téléphone", - "PHONE_HINT": "Utilisez le symbole + suivi de l'indicatif du pays de l'appelant, ou sélectionnez le pays dans la liste déroulante et saisissez enfin le numéro de téléphone", + "PHONE_HINT": "Utilisez le symbole + suivi de l'indicatif du pays de l'appelant, ou sélectionnez le pays dans la liste déroulante et saisissez enfin le numéro de téléphone.", "USERNAME": "Nom de l'utilisateur", "CHANGEUSERNAME": "modifier", "CHANGEUSERNAME_TITLE": "Modifier le nom d'utilisateur", @@ -879,7 +880,8 @@ "SET": "Définir un nouveau mot de passe", "RESENDNOTIFICATION": "Envoyer le lien de réinitialisation du mot de passe", "REQUIRED": "Certains champs obligatoires sont manquants.", - "MINLENGTHERROR": "Doit comporter au moins {{value}} caractères." + "MINLENGTHERROR": "Doit comporter au moins {{value}} caractères.", + "MAXLENGTHERROR": "Doit contenir moins de {{value}} caractères" }, "ID": "ID", "EMAIL": "E-mail", @@ -892,19 +894,19 @@ "ISINITIAL": "L'utilisateur n'est pas encore actif", "LOGINMETHODS": { "TITLE": "Informations sur le contact", - "DESCRIPTION": "Les informations fournies sont utilisées pour vous envoyer des informations importantes, comme des e-mails de réinitialisation de mot de passe.", + "DESCRIPTION": "Les informations fournies sont utilisées pour vous envoyer des informations importantes, comme dese-mails de réinitialisation de mot de passe.", "EMAIL": { "TITLE": "Courriel", - "VALID": "validé", + "VALID": "Validé", "ISVERIFIED": "Courriel vérifié", "ISVERIFIEDDESC": "Si l'e-mail est indiqué comme vérifié, aucune demande de vérification d'e-mail ne sera effectuée.", "RESEND": "Renvoyer l'e-mail de vérification", "EDITTITLE": "Modifier l'e-mail", - "EDITDESC": "Entrez le nouvel e-mail dans le champ ci-dessous." + "EDITDESC": "Entrez le nouvele-mail dans le champ ci-dessous." }, "PHONE": { "TITLE": "Téléphone", - "VALID": "validé", + "VALID": "Validé", "RESEND": "Renvoyer le message texte de vérification", "EDITTITLE": "Changer le numéro", "EDITVALUE": "Numéro de téléphone", @@ -957,7 +959,7 @@ "EDITACCOUNT": "Modifier le compte", "ADDACCOUNT": "Se connecter avec un autre compte", "RESENDINITIALEMAIL": "Renvoyer le courrier d'activation", - "RESENDEMAILNOTIFICATION": "Renvoyer la notification par e-mail", + "RESENDEMAILNOTIFICATION": "Renvoyer la notification pare-mail", "TOAST": { "CREATED": "Utilisateur créé avec succès.", "SAVED": "Profil enregistré avec succès.", @@ -971,7 +973,7 @@ "EMAILVERIFICATIONSENT": "Code de vérification de l'e-mail envoyé.", "OTPREMOVED": "OTP supprimé.", "U2FREMOVED": "Facteur supprimé.", - "PASSWORDLESSREMOVED": "Sans mot de passe supprimé.", + "PASSWORDLESSREMOVED": "Connexion sans mot de passe supprimée.", "INITIALPASSWORDSET": "Mot de passe initial défini.", "PASSWORDNOTIFICATIONSENT": "Notification de changement de mot de passe envoyée.", "PASSWORDCHANGED": "Mot de passe modifié avec succès.", @@ -989,8 +991,8 @@ "SECRETREMOVED": "Secret supprimé avec succès !" }, "MEMBERSHIPS": { - "TITLE": "Rôles du gestionnaire ZITADEL", - "DESCRIPTION": "Il s'agit de toutes les attributions des membres de l'utilisateur. Vous pouvez les modifier également sur les pages de détails de l'organisation, du projet ou de l'IAM.", + "TITLE": "Rôles du responsable ZITADEL", + "DESCRIPTION": "Il s'agit de toutes les attributions des membres de l'utilisateur. Vous pouvez également les modifier sur les pages de détails de l'organisation, du projet ou de l'IAM.", "ORGCONTEXT": "Vous voyez toutes les organisations et tous les projets qui sont liés à l'organisation actuellement sélectionnée.", "USERCONTEXT": "Vous voyez toutes les organisations et tous les projets auxquels vous êtes autorisé. Y compris les autres organisations.", "CREATIONDATE": "Date de création", @@ -1005,7 +1007,7 @@ "UNKNOWN": "Inconnu", "ORG": "Organisation", "PROJECT": "Projet", - "GRANTEDPROJECT": "Projet accordé" + "GRANTEDPROJECT": "Projet octroyé" } }, "PERSONALACCESSTOKEN": { @@ -1080,7 +1082,7 @@ }, "REMOVEACTIONSLIST": { "TITLE": "Supprimer les actions sélectionnées ?", - "DESCRIPTION": "Voulez-vous vraiment supprimer les actions sélectionnées du flux ?" + "DESCRIPTION": "Voulez-vous vraiment supprimer les actions sélectionnées du flux ?" } }, "TOAST": { @@ -1099,8 +1101,8 @@ "DESCRIPTION": "Gérez vos vues ZITADEL et les événements échoués." }, "MEMBER": { - "TITLE": "Managers", - "DESCRIPTION": "Ces gestionnaires sont autorisés à effectuer des changements dans votre instance." + "TITLE": "Responsables", + "DESCRIPTION": "Ces responsables sont autorisés à effectuer des changements dans votre instance." }, "PAGES": { "STATE": "Statut", @@ -1189,10 +1191,10 @@ } }, "TOAST": { - "MEMBERREMOVED": "Gestionnaire supprimé.", - "MEMBERSADDED": "Gestionnaires ajoutés.", - "MEMBERADDED": "Gestionnaire ajouté.", - "MEMBERCHANGED": "Manager changé.", + "MEMBERREMOVED": "Responsable supprimé.", + "MEMBERSADDED": "Responsable ajoutés.", + "MEMBERADDED": "Responsable ajouté.", + "MEMBERCHANGED": "Responsable modifié.", "ROLEREMOVED": "Rôle supprimé.", "ROLECHANGED": "Rôle modifié.", "REACTIVATED": "Réactivé", @@ -1230,20 +1232,20 @@ }, "ORGDOMAIN": { "TITLE": "Vérifier la propriété de {{value}}", - "VERIFICATION": "Nous vous proposons deux méthodes pour valider manuellement votre domaine :", + "VERIFICATION": "Nous vous proposons deux méthodes pour valider manuellement votre domaine :", "VERIFICATION_HTML": "-HTTP. Hébergez un fichier de vérification temporaire sur votre site Web", "VERIFICATION_DNS": "-DNS. Créer une entrée DNS d'enregistrement TXT", - "VERIFICATION_DNS_DESC": "Si vous gérez {{ value }} et que vous avez accès à vos enregistrements DNS, vous pouvez créer un nouvel enregistrement TXT avec les valeurs suivantes :", + "VERIFICATION_DNS_DESC": "Si vous gérez {{ value }} et que vous avez accès à vos enregistrements DNS, vous pouvez créer un nouvel enregistrement TXT avec les valeurs suivantes :", "VERIFICATION_DNS_HOST_LABEL": "Host:", - "VERIFICATION_DNS_CHALLENGE_LABEL": "Utilisez ce code pour la valeur de l'enregistrement TXT :", + "VERIFICATION_DNS_CHALLENGE_LABEL": "Utilisez ce code pour la valeur de l'enregistrement TXT :", "VERIFICATION_HTTP_DESC": "Si vous avez accès à l'hébergement de votre site Web, téléchargez simplement le fichier de vérification et téléchargez-le à l'URL fournie.", - "VERIFICATION_HTTP_URL_LABEL": "URL attendue :", - "VERIFICATION_HTTP_FILE_LABEL": "Dossier de vérification :", - "VERIFICATION_SKIP": "Vous pouvez ignorer la vérification pour le moment et continuer à créer votre organisation, mais pour pouvoir utiliser votre domaine, cette étape doit être complétée !", + "VERIFICATION_HTTP_URL_LABEL": "URL attendue :", + "VERIFICATION_HTTP_FILE_LABEL": "Dossier de vérification :", + "VERIFICATION_SKIP": "Vous pouvez ignorer la vérification pour le moment et continuer à créer votre organisation, mais pour pouvoir utiliser votre domaine, cette étape doit être complétée !", "VERIFICATION_VALIDATION_DESC": "Ne supprimez pas le code de vérification, car ZITADEL revérifiera de temps en temps la propriété de votre domaine.", "VERIFICATION_NEWTOKEN_TITLE": "Demander un nouveau jeton", "VERIFICATION_VALIDATION_ONGOING": "La méthode {{ value }} a été sélectionnée pour vérifier votre domaine. Cliquez sur le bouton pour déclencher une vérification ou réinitialiser le processus de vérification.", - "VERIFICATION_SUCCESSFUL": "Domaine vérifié avec succès !", + "VERIFICATION_SUCCESSFUL": "Domaine vérifié avec succès !", "RESETMETHOD": "Réinitialiser la méthode de vérification" }, "DOWNLOAD_FILE": "Télécharger le fichier", @@ -1277,7 +1279,7 @@ "2": "Désactivé" }, "MEMBER": { - "TITLE": "Gestionnaires de l'organisation", + "TITLE": "Responsables de l'organisation", "DESCRIPTION": "Définissez les utilisateurs qui peuvent modifier les préférences de votre organisation." }, "TOAST": { @@ -1286,9 +1288,9 @@ "REACTIVATED": "Organisation réactivée.", "DOMAINADDED": "Domaine ajouté.", "DOMAINREMOVED": "Domaine supprimé.", - "MEMBERADDED": "Gestionnaire ajouté.", - "MEMBERREMOVED": "Gestionnaire supprimé.", - "MEMBERCHANGED": "Gestionnaire modifié.", + "MEMBERADDED": "Responsable ajouté.", + "MEMBERREMOVED": "Responsable supprimé.", + "MEMBERCHANGED": "Responsable modifié.", "SETPRIMARY": "Domaine primaire défini.", "DELETED": "Organisation supprimée avec succès", "DEFAULTORGNOTFOUND": "L'organisation par défaut est introuvable", @@ -1297,11 +1299,11 @@ "DIALOG": { "DEACTIVATE": { "TITLE": "Désactiver l'organisation", - "DESCRIPTION": "Vous êtes sur le point de désactiver votre organisation. Les utilisateurs ne peuvent plus se connecter ? Voulez-vous continuer ?" + "DESCRIPTION": "Vous êtes sur le point de désactiver votre organisation. Les utilisateurs ne pourront plus se connecter. Voulez-vous continuer ?" }, "REACTIVATE": { "TITLE": "Réactiver l'organisation", - "DESCRIPTION": "Vous êtes sur le point de réactiver votre organisation. Les utilisateurs peuvent ensuite se reconnecter ? Voulez-vous continuer ?" + "DESCRIPTION": "Vous êtes sur le point de réactiver votre organisation. Les utilisateurs pourront se reconnecter. Voulez-vous continuer ?" }, "DELETE": { "TITLE": "Supprimer l'organisation", @@ -1336,7 +1338,7 @@ "BRANDING": "Image de marque", "PRIVACYPOLICY": "Politique de confidentialité", "OIDC": "Durée de vie et expiration des jetons OIDC", - "SECRETS": "Apparence secrète", + "SECRETS": "Générateur de secrets", "SECURITY": "Paramètres de sécurité", "EVENTS": "Événements", "FAILEDEVENTS": "Événements échoués", @@ -1383,7 +1385,7 @@ "SMTP": { "TITLE": "Paramètres SMTP", "DESCRIPTION": "Description", - "SENDERADDRESS": "Adresse e-mail de l'expéditeur", + "SENDERADDRESS": "Adressee-mail de l'expéditeur", "SENDERNAME": "Nom de l'expéditeur", "REPLYTOADDRESS": "Adresse Reply-to", "HOSTANDPORT": "Hôte et port", @@ -1392,8 +1394,8 @@ "SETPASSWORD": "Définir le mot de passe SMTP", "PASSWORDSET": "Le mot de passe SMTP a été défini avec succès.", "TLS": "Sécurité de la couche de transport (TLS)", - "SAVED": "Enregistré avec succès!", - "NOCHANGES": "Aucun changement!", + "SAVED": "Enregistré avec succès !", + "NOCHANGES": "Aucun changement !", "REQUIREDWARN": "Pour envoyer des notifications depuis votre domaine, vous devez entrer vos données SMTP." }, "SMS": { @@ -1432,7 +1434,7 @@ "5": "Initialisation sans mot de passe", "6": "Secret de l'application", "7": "Mot de passe à usage unique (OTP) - SMS", - "8": "Mot de passe à usage unique (OTP) - e-mail" + "8": "Mot de passe à usage unique (OTP) -e-mail" }, "ADDGENERATOR": "Configurer générateur de mot de passe", "GENERATORTYPE": "Type", @@ -1459,7 +1461,7 @@ "OIDCLEGACYINTROSPECTION": "Introspection héritée OIDC", "OIDCLEGACYINTROSPECTION_DESCRIPTION": "Nous avons récemment refondu le point d'introspection pour des raisons de performances. Cette fonctionnalité peut être utilisée pour revenir à l'implémentation héritée en cas de bogues inattendus.", "OIDCTOKENEXCHANGE": "Échange de jetons OIDC", - "OIDCTOKENEXCHANGE_DESCRIPTION": "Activez le type de subvention expérimentale urn:ietf:params:oauth:grant-type:token-exchange pour le point de terminaison de jeton OIDC. L'échange de jetons peut être utilisé pour demander des jetons avec une portée moindre ou pour usurper d'autres utilisateurs. Consultez la politique de sécurité pour autoriser l'usurpation sur une instance.", + "OIDCTOKENEXCHANGE_DESCRIPTION": "Activez le type d'octroi expérimental urn:ietf:params:oauth:grant-type:token-exchange pour le point de terminaison de jeton OIDC. L'échange de jetons peut être utilisé pour demander des jetons avec une portée moindre ou pour usurper d'autres utilisateurs. Consultez la politique de sécurité pour autoriser l'usurpation sur une instance.", "OIDCTRIGGERINTROSPECTIONPROJECTIONS": "Déclencheurs de projections d'introspection OIDC", "OIDCTRIGGERINTROSPECTIONPROJECTIONS_DESCRIPTION": "Activez les déclencheurs de projection lors d'une demande d'introspection. Cela peut agir comme un contournement s'il existe des problèmes de cohérence perceptibles dans la réponse à l'introspection, mais cela peut avoir un impact sur les performances. Nous prévoyons de supprimer les déclencheurs pour les demandes d'introspection à l'avenir.", "USERSCHEMA": "Schéma utilisateur", @@ -1498,14 +1500,14 @@ "PASSWORDCHANGE": "Changement de mot de passe" }, "PRIVATELABELING": { - "DESCRIPTION": "Donnez au login votre style personnalisé et modifiez son comportement.", + "DESCRIPTION": "Donnez à la connexion votre style personnalisé et modifiez son comportement.", "PREVIEW_DESCRIPTION": "Les modifications de la politique seront automatiquement déployées dans l'environnement de prévisualisation.", "BTN": "Sélectionner le fichier", "ACTIVATEPREVIEW": "Appliquer la configuration", - "DARK": "Mode foncé", + "DARK": "Mode sombre", "LIGHT": "Mode clair", "CHANGEVIEW": "Modifier la vue", - "ACTIVATED": "Les changements de politique sont maintenant LIVE", + "ACTIVATED": "Les changements de politique sont maintenant propagés", "THEME": "Thème", "COLORS": "Couleurs", "FONT": "Police de caractères", @@ -1516,7 +1518,7 @@ "RELEASEFONT": "Release", "USEOFLOGO": "Votre logo sera utilisé dans la connexion ainsi que dans les courriels, tandis que l'icône est utilisée pour les petits éléments de l'interface utilisateur, comme le sélecteur d'organisation dans la console.", "MAXSIZE": "La taille maximale est limitée à 524 Ko.", - "EMAILNOSVG": "Le format de fichier SVG n'est pas supporté dans les emails. Téléchargez donc votre logo en PNG ou dans un autre format pris en charge.", + "EMAILNOSVG": "Le format de fichier SVG n'est pas supporté dans les e-mails. Téléchargez donc votre logo en PNG ou dans un autre format pris en charge.", "MAXSIZEEXCEEDED": "La taille maximale de 524kB est dépassée.", "NOSVGSUPPORTED": "SVG n'est pas pris en charge", "FONTINLOGINONLY": "La police n'est actuellement affichée que dans l'interface de connexion.", @@ -1532,8 +1534,8 @@ "TITLE": "Connexion", "SECOND": "Connectez-vous avec votre compte ZITADEL.", "ERROR": "L'utilisateur n'a pas pu être trouvé !", - "PRIMARYBUTTON": "suivant", - "SECONDARYBUTTON": "enregistrez-vous" + "PRIMARYBUTTON": "Suivant", + "SECONDARYBUTTON": "Enregistrez-vous" }, "THEMEMODE": { "THEME_MODE_AUTO": "Mode automatique", @@ -1559,7 +1561,7 @@ "TITLE": "Paramètres de connexion", "DESCRIPTION": "Définir la manière dont les utilisateurs peuvent être authentifiés et configurer les fournisseurs d'identité.", "DESCRIPTIONCREATEADMIN": "Les utilisateurs peuvent choisir parmi les fournisseurs d'identité disponibles ci-dessous.", - "DESCRIPTIONCREATEMGMT": "Les utilisateurs peuvent choisir parmi les fournisseurs d'identité disponibles ci-dessous. Note", + "DESCRIPTIONCREATEMGMT": "Les utilisateurs peuvent choisir parmi les fournisseurs d'identité disponibles ci-dessous. Note : vous pouvez utiliser des fournisseurs configurés dans le système aussi bien que des fournisseurs configurés uniquement pour votre organisation.", "LIFETIME_INVALID": "Le formulaire contient des valeurs non valides.", "SAVED": "Enregistré avec succès !", "PROVIDER_ADDED": "Fournisseur d'identité activé." @@ -1570,6 +1572,9 @@ "POLICYLINK": "Lien vers la politique de confidentialité", "HELPLINK": "Lien vers l'aide", "SUPPORTEMAIL": "E-mail d'assistance", + "DOCSLINK": "Lien Docs (Console)", + "CUSTOMLINK": "Lien personnalisé (Console)", + "CUSTOMLINKTEXT": "Texte de lien personnalisé (Console)", "SAVED": "Enregistré avec succès !", "RESET_TITLE": "Restaurer les valeurs par défaut", "RESET_DESCRIPTION": "Vous êtes sur le point de restaurer les liens par défaut pour les CGS et la politique de confidentialité. Voulez-vous vraiment continuer ?" @@ -1581,13 +1586,13 @@ "NEWERVERSIONEXISTS": "Une version plus récente existe", "CURRENTDATE": "Configuration actuelle", "CHANGEDATE": "Version plus récente de", - "KEYNAME": "Écran / Interface de connexion", + "KEYNAME": "Interface / Page de connexion", "RESET_TITLE": "Restaurer les valeurs par défaut", "RESET_DESCRIPTION": "Vous êtes sur le point de restaurer toutes les valeurs par défaut. Toutes les modifications que vous avez apportées seront définitivement supprimées. Voulez-vous vraiment continuer ?", "UNSAVED_TITLE": "Continuer sans sauvegarder ?", "UNSAVED_DESCRIPTION": "Vous avez apporté des modifications sans les sauvegarder. Voulez-vous les enregistrer maintenant ?", "ACTIVE_LANGUAGE_NOT_ALLOWED": "Vous avez sélectionné une langue qui n'est pas autorisée. Vous pouvez continuer à modifier les textes. Mais si vous voulez que vos utilisateurs puissent réellement utiliser cette langue, modifiez les restrictions de vos instances.", - "LANGUAGES_NOT_ALLOWED": "Non autorisé:", + "LANGUAGES_NOT_ALLOWED": "Non autorisé :", "LANGUAGE": "Langue", "LANGUAGES": { "de": "Deutsch", @@ -1606,8 +1611,8 @@ "nl": "Nederlands" }, "KEYS": { - "emailVerificationDoneText": "Vérification de l'email effectuée", - "emailVerificationText": "Vérification de l'email", + "emailVerificationDoneText": "Vérification de l'e-mail effectuée", + "emailVerificationText": "Vérification de l'e-mail", "externalUserNotFoundText": "Utilisateur externe non trouvé", "footerText": "Pied de page", "initMfaDoneText": "Initialiser MFA terminé", @@ -1631,14 +1636,14 @@ "registrationOrgText": "Enregistrer l'organisation", "registrationUserText": "Enregistrer un utilisateur", "selectAccountText": "Sélectionner un compte", - "successLoginText": "Connexion avec succès", + "successLoginText": "Connecté avec succès", "usernameChangeDoneText": "Changement de nom d'utilisateur effectué", "usernameChangeText": "Changement de nom d'utilisateur", "verifyMfaOtpText": "Vérifier l'OTP", "verifyMfaU2fText": "Vérifier le second facteur universel", "passwordlessPromptText": "Invitation sans mot de passe", - "passwordlessRegistrationDoneText": "Enregistrement sans mot de passe Terminé", - "passwordlessRegistrationText": "Enregistrement sans mot de passe", + "passwordlessRegistrationDoneText": "Enregistrement d'une connexion sans mot de passe terminé", + "passwordlessRegistrationText": "Enregistrement d'une connexion sans mot de passe", "passwordlessText": "Sans mot de passe", "externalRegistrationUserOverviewText": "Enregistrement externe Aperçu de l'utilisateur" } @@ -1647,14 +1652,14 @@ "TYPE": "Notification", "TYPES": { "INIT": "Initialisation", - "VE": "Vérifier l'email", + "VE": "Vérifier l'e-mail", "VP": "Vérifier le téléphone", "VSO": "Vérifier SMS OTP", "VEO": "Vérifier l'OTP par courrier électronique", "PR": "Réinitialisation du mot de passe", "DC": "Réclamation de domaine", "PL": "Sans mot de passe", - "PC": "Changement de mot de passe" + "PC": "Modification du mot de passe" }, "CHIPS": { "firstname": "Prénom", @@ -1665,7 +1670,7 @@ "nickName": "Surnom", "loginnames": "Noms de connexion", "domain": "Domaine", - "lastEmail": "Dernier email", + "lastEmail": "Dernier e-mail", "lastPhone": "Dernier téléphone", "verifiedEmail": "Courriel vérifié", "verifiedPhone": "Téléphone vérifié", @@ -1684,15 +1689,15 @@ "BTN_EDIT": "Modifier", "DATA": { "DESCRIPTION": "Description", - "MINLENGTH": "longueur minimale", - "HASNUMBER": "a numéro", - "HASSYMBOL": "a un symbole", - "HASLOWERCASE": "a minuscule", - "HASUPPERCASE": "a majuscule", + "MINLENGTH": "doit comporter une longueur minimale", + "HASNUMBER": "doit comporter un numéro", + "HASSYMBOL": "doit comporter un symbole", + "HASLOWERCASE": "doit comporter une minuscule", + "HASUPPERCASE": "doit comporter une majuscule", "SHOWLOCKOUTFAILURES": "montrer les échecs de verrouillage", - "MAXPASSWORDATTEMPTS": "Mot de passe maximum tentatives", - "MAXOTPATTEMPTS": "Maximal de tentatives OTP", - "EXPIREWARNDAYS": "Expiration Avertissement après le jour", + "MAXPASSWORDATTEMPTS": "Tentatives maximales du mot de passe", + "MAXOTPATTEMPTS": "Tentatives maximales de l'OTP", + "EXPIREWARNDAYS": "Avertissement d'expiration après le jour", "MAXAGEDAYS": "Âge maximum en jours", "USERLOGINMUSTBEDOMAIN": "Le nom de connexion de l'utilisateur doit contenir le nom de domaine de l'organisation", "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Si vous activez ce paramètre, tous les noms de connexion seront suffixés avec le domaine de l'organisation. Si ce paramètre est désactivé, vous devez vous assurer que les noms d'utilisateur sont uniques pour toutes les organisations.", @@ -1767,11 +1772,11 @@ "CREATE_DESC": "Insérez le nom de votre projet.", "ROLE": "Rôle", "NOITEMS": "Aucun projet", - "ZITADELPROJECT": "Ceci appartient au projet ZITADEL. Attention", + "ZITADELPROJECT": "Ceci appartient au projet ZITADEL. Attention : si vous faites de changements, ZITADEL pourrait ne pas fonctionner correctement.", "TYPE": { "OWNED": "Projets possédés", - "OWNED_SINGULAR": "Projet propre", - "GRANTED_SINGULAR": "Projet concédé" + "OWNED_SINGULAR": "Projet possédé", + "GRANTED_SINGULAR": "Projet octroyé" }, "PRIVATELABEL": { "TITLE": "Image de marque", @@ -1827,7 +1832,7 @@ "TITLE": "Type", "0": "Type inconnu", "1": "Propriété", - "2": "Accordé" + "2": "Octroyé" }, "NAME": "Nom", "NAMEDIALOG": { @@ -1836,10 +1841,10 @@ "NAME": "Nouveau nom" }, "MEMBER": { - "TITLE": "Managers", - "TITLEDESC": "Les gestionnaires peuvent apporter des modifications à ce projet en fonction de leur rôle.", - "DESCRIPTION": "Ces gestionnaires peuvent être en mesure de modifier votre projet.", - "USERNAME": "Nom de l'utilisateur", + "TITLE": "Responsables", + "TITLEDESC": "Les responsables peuvent apporter des modifications à ce projet en fonction de leur rôle.", + "DESCRIPTION": "Ces responsables peuvent être en mesure de modifier votre projet.", + "USERNAME": "Nom d'utilisateur", "DISPLAYNAME": "Nom d'affichage", "LOGINNAME": "Nom de connexion", "EMAIL": "E-mail", @@ -1847,28 +1852,28 @@ "USERID": "ID de l'utilisateur" }, "GRANT": { - "EMPTY": "Aucune organisation subventionnée.", - "TITLE": "Subventions de projet", + "EMPTY": "Aucune organisation octroyée.", + "TITLE": "Accords de projet", "DESCRIPTION": "Autoriser une autre organisation à utiliser votre projet.", "EDITTITLE": "Rôles d'édition", "CREATE": { - "TITLE": "Créer une subvention d'organisation", + "TITLE": "Octroyer une organisation", "SEL_USERS": "Sélectionnez les utilisateurs auxquels vous souhaitez accorder l'accès", "SEL_PROJECT": "Rechercher un projet", "SEL_ROLES": "Sélectionnez les rôles que vous souhaitez ajouter à l'autorisation.", "SEL_USER": "Sélectionnez les utilisateurs", "SEL_ORG": "Rechercher une organisation", - "SEL_ORG_DESC": "Rechercher l'organisme à accorder", - "ORG_DESCRIPTION": "Vous êtes sur le point d'accorder un utilisateur pour l'organisation{{name}}.", + "SEL_ORG_DESC": "Rechercher l'organisme à octroyer", + "ORG_DESCRIPTION": "Vous êtes sur le point d'octroyer un utilisateur pour l'organisation {{name}}.", "ORG_DESCRIPTION_DESC": "Changez le contexte dans l'en-tête ci-dessus pour accorder un utilisateur pour une autre organisation.", "SEL_ORG_FORMFIELD": "Organisation", "FOR_ORG": "L'autorisation est créée pour" }, "DETAIL": { - "TITLE": "Subvention de projet", - "DESC": "Vous pouvez sélectionner les rôles qui peuvent être utilisés par l'organisation spécifiée, et élire les managers.", + "TITLE": "Octroyer un projet", + "DESC": "Vous pouvez sélectionner les rôles qui peuvent être utilisés par l'organisation spécifiée, et élire les responsables.", "MEMBERTITLE": "Responsables", - "MEMBERDESC": "Il s'agit des gestionnaires de l'organisation subventionnée. Ajoutez ici les utilisateurs qui doivent avoir accès à la modification des données du projet.", + "MEMBERDESC": "Il s'agit des responsables de l'organisation accordée. Ajoutez ici les utilisateurs qui doivent avoir accès à la modification des données du projet.", "PROJECTNAME": "Nom du projet", "GRANTEDORG": "Organisation autorisée", "RESOURCEOWNER": "Propriétaire des ressources" @@ -1881,14 +1886,14 @@ "ALL": "Tous", "SHOWDETAIL": "Afficher les détails", "USER": "Utilisateur", - "MEMBERS": "Managers", + "MEMBERS": "Responsables", "ORG": "Organisation", "PROJECTNAME": "Nom du projet", - "GRANTEDORG": "Organisation accordée", + "GRANTEDORG": "Organisation octroyée", "GRANTEDORGDOMAIN": "Domaine", "RESOURCEOWNER": "Propriétaire de la ressource", "GRANTEDORGNAME": "Nom de l'organisation", - "GRANTID": "Grant Id", + "GRANTID": "Id de l'octroi", "CREATIONDATE": "Date de création", "CHANGEDATE": "Dernière modification", "DATES": "Dates", @@ -1896,17 +1901,17 @@ "NOROLES": "Aucun rôle", "TYPE": "Type", "TOAST": { - "PROJECTGRANTUSERGRANTADDED": "Subvention de projet créée.", - "PROJECTGRANTADDED": "Accord de projet créé.", - "PROJECTGRANTCHANGED": "Subvention de projet modifiée.", - "PROJECTGRANTMEMBERADDED": "Ajout d'un gestionnaire de subvention.", - "PROJECTGRANTMEMBERCHANGED": "Directeur de subvention modifié.", - "PROJECTGRANTMEMBERREMOVED": "Gestionnaire de subvention supprimé.", - "PROJECTGRANTUPDATED": "Subvention de projet mise à jour" + "PROJECTGRANTUSERGRANTADDED": "Octroi de projet créée.", + "PROJECTGRANTADDED": "Octroi de projet créé.", + "PROJECTGRANTCHANGED": "Octroi de projet modifiée.", + "PROJECTGRANTMEMBERADDED": "Responsable d'octrois ajouté.", + "PROJECTGRANTMEMBERCHANGED": "Responsable d'octrois modifié.", + "PROJECTGRANTMEMBERREMOVED": "Responsable d'octrois supprimé.", + "PROJECTGRANTUPDATED": "Octroi de projet mise à jour" }, "DIALOG": { - "DELETE_TITLE": "Supprimer une subvention de projet", - "DELETE_DESCRIPTION": "Vous êtes sur le point de supprimer une subvention de projet. Vous êtes sûr ?" + "DELETE_TITLE": "Supprimer un octroi de projet", + "DELETE_DESCRIPTION": "Vous êtes sur le point de supprimer un accord de projet. Êtes-vous sûr ?" }, "ROLES": "Rôles du projet" }, @@ -1920,7 +1925,7 @@ "ADDNEWLINE": "Ajouter un rôle supplémentaire", "KEY": "Clé", "TITLE": "Rôles", - "DESCRIPTION": "Définissez certains rôles qui peuvent être utilisés pour créer des subventions de projet.", + "DESCRIPTION": "Définissez certains rôles qui peuvent être utilisés pour créer des accords de projet.", "NAME": "Nom", "DISPLAY_NAME": "Afficher le nom", "GROUP": "Groupe", @@ -1932,7 +1937,7 @@ "DELETE": "Supprimer un rôle", "CREATIONDATE": "Créé", "CHANGEDATE": "Dernière modification", - "SELECTGROUPTOOLTIP": "Sélectionner tous les Rôles du groupe{{group}}.", + "SELECTGROUPTOOLTIP": "Sélectionner tous les Rôles du groupe {{group}}.", "OPTIONS": "Options", "ASSERTION": "Affirmer les rôles lors de l'authentification", "ASSERTION_DESCRIPTION": "Les informations sur les rôles sont envoyées par le point de terminaison Userinfo et, selon les paramètres de votre application, sous forme de jetons ou d'autres types.", @@ -1963,10 +1968,10 @@ "EMPTY": "Aucun projet trouvé" }, "TOAST": { - "MEMBERREMOVED": "Gestionnaire supprimé.", - "MEMBERSADDED": "Gestionnaires ajoutés.", - "MEMBERADDED": "Gestionnaire ajouté.", - "MEMBERCHANGED": "Manager changé.", + "MEMBERREMOVED": "Responsable supprimé.", + "MEMBERSADDED": "Responsables ajoutés.", + "MEMBERADDED": "Responsable ajouté.", + "MEMBERCHANGED": "Responsable modifié.", "ROLESCREATED": "Rôles créés.", "ROLEREMOVED": "Rôle supprimé.", "ROLECHANGED": "Rôle modifié.", @@ -1974,7 +1979,7 @@ "DEACTIVATED": "Désactivé.", "CREATED": "Projet créé.", "UPDATED": "Projet modifié.", - "GRANTUPDATED": "Subvention modifiée.", + "GRANTUPDATED": "Octroi modifié.", "DELETED": "Projet supprimé." } }, @@ -2045,11 +2050,11 @@ "OPTIONS": { "ISAUTOCREATION": "Création automatique", "ISAUTOCREATION_DESC": "Détermine si un compte sera créé s'il n'existe pas déjà.", - "ISAUTOUPDATE": "est mise à jour automatiquement", + "ISAUTOUPDATE": "Mise à jour automatique", "ISAUTOUPDATE_DESC": "Si cette option est sélectionnée, les comptes sont mis à jour lors de la réauthentification.", - "ISCREATIONALLOWED": "la création est-elle autorisée", + "ISCREATIONALLOWED": "Création de comptes autorisée", "ISCREATIONALLOWED_DESC": "Détermine si des comptes peuvent être créés.", - "ISLINKINGALLOWED": "la liaison est-elle autorisée", + "ISLINKINGALLOWED": "Liaison de comptes autorisée", "ISLINKINGALLOWED_DESC": "Détermine si une identité peut être liée à un compte existant.", "AUTOLINKING_DESC": "Détermine si une identité sera invitée à être liée à un compte existant.", "AUTOLINKINGTYPE": { @@ -2084,8 +2089,8 @@ "NAMEHINT": "Si elle est spécifiée, elle sera affichée dans l'interface de connexion.", "OPTIONAL": "optionnel", "LDAPATTRIBUTES": "Attributs LDAP", - "UPDATEBINDPASSWORD": "mettre à jour le mot de bind password", - "UPDATECLIENTSECRET": "mise à jour du secret client", + "UPDATEBINDPASSWORD": "mettre à jour le mot de passe Bind", + "UPDATECLIENTSECRET": "mettre à jour le secret client", "ADD": "Ajouter un fournisseur d'identité", "TYPE": "Type", "OWNER": "Propriétaire", @@ -2098,8 +2103,8 @@ "AVAILABILITY": "Disponibilité", "AVAILABLE": "disponible", "AVAILABLEBUTINACTIVE": "disponible mais inactif", - "SETAVAILABLE": "défini comme disponible", - "SETUNAVAILABLE": "défini comme non disponible", + "SETAVAILABLE": "définir comme disponible", + "SETUNAVAILABLE": "définir comme non disponible", "CONFIG": "Configuration", "STATE": "Statut", "ISSUER": "Émetteur", @@ -2121,8 +2126,8 @@ "LDAPIDATTRIBUTE": "ID attribute", "AVATARURLATTRIBUTE": "Avatar Url attribute", "DISPLAYNAMEATTRIBUTE": "Displayname attribute", - "EMAILATTRIBUTEATTRIBUTE": "Email attribute", - "EMAILVERIFIEDATTRIBUTE": "Email verified attribute", + "EMAILATTRIBUTEATTRIBUTE": "E-mail attribute", + "EMAILVERIFIEDATTRIBUTE": "E-mail verified attribute", "FIRSTNAMEATTRIBUTE": "Firstname attribute", "LASTNAMEATTRIBUTE": "Lastname attribute", "NICKNAMEATTRIBUTE": "Nickname attribute", @@ -2139,10 +2144,10 @@ "DEACTIVATE": "Désactiver", "ACTIVATE": "Activer", "DELETE": "Supprimer", - "DELETE_TITLE": "Supprimer Idp", + "DELETE_TITLE": "Supprimer l'IDP", "DELETE_DESCRIPTION": "Vous êtes sur le point de supprimer un fournisseur d'identité. Les changements qui en résultent sont irrévocables. Voulez-vous vraiment le faire ?", "REMOVE_WARN_TITLE": "Supprimer le fournisseur d'identité", - "REMOVE_WARN_DESCRIPTION": "Vous êtes sur le point de supprimer un fournisseur d'identité. Cela supprimera la sélection de l'IDP disponible pour vos utilisateurs et les utilisateurs déjà enregistrés ne pourront plus se reconnecter. Êtes-vous sûr de continuer ?", + "REMOVE_WARN_DESCRIPTION": "Vous êtes sur le point de supprimer un fournisseur d'identité. Cela supprimera la sélection de l'IDP disponible pour vos utilisateurs et les utilisateurs déjà enregistrés ne pourront plus se reconnecter. Êtes-vous sûr de continuer ?", "DELETE_SELECTION_TITLE": "Supprimer Idp", "DELETE_SELECTION_DESCRIPTION": "Vous êtes sur le point de supprimer un fournisseur d'identité. Les changements qui en résultent sont irrévocables. Voulez-vous vraiment le faire ?", "EMPTY": "Aucun IDP disponible", @@ -2199,9 +2204,9 @@ }, "SECONDFACTORTYPES": { "0": "Inconnu", - "1": "One Time Password par authenticator app (TOTP)", + "1": "One Time Password via une application d'authentification (TOTP)", "2": "Empreinte digitale, clés de sécurité, Face ID et autres", - "3": "One Time Password par email (Email OTP)", + "3": "One Time Password par e-mail (E-mail OTP)", "4": "One Time Password par SMS (SMS OTP)" } }, @@ -2225,18 +2230,18 @@ "SMTP": { "LIST": { "TITLE": "Fournisseur SMTP", - "DESCRIPTION": "Ce sont les fournisseurs SMTP de votre instance Zitadel. Activez celui que vous souhaitez utiliser pour envoyer des notifications à vos utilisateurs.", + "DESCRIPTION": "Ce sont les fournisseurs SMTP de votre instance ZITADEL. Activez celui que vous souhaitez utiliser pour envoyer des notifications à vos utilisateurs.", "EMPTY": "Aucun fournisseur SMTP disponible", "ACTIVATED": "Activé", "ACTIVATE": "Activer le fournisseur", "DEACTIVATE": "Désactiver le fournisseur", - "TYPE": "Taper", + "TYPE": "Type", "DIALOG": { "ACTIVATED": "La configuration SMTP a été activée", "ACTIVATE_WARN_TITLE": "Activer la configuration SMTP", - "ACTIVATE_WARN_DESCRIPTION": "Vous êtes sur le point d'activer une configuration SMTP. Nous allons d’abord désactiver le fournisseur actif actuel, puis activer cette configuration. Es-tu sûr?", + "ACTIVATE_WARN_DESCRIPTION": "Vous êtes sur le point d'activer une configuration SMTP. Nous allons d’abord désactiver le fournisseur actif actuel, puis activer cette configuration. Etes-vous sûr?", "DEACTIVATE_WARN_TITLE": "Désactiver la configuration SMTP", - "DEACTIVATE_WARN_DESCRIPTION": "Vous êtes sur le point de désactiver une configuration SMTP. Es-tu sûr?", + "DEACTIVATE_WARN_DESCRIPTION": "Vous êtes sur le point de désactiver une configuration SMTP. Etes-vous sûr?", "DEACTIVATED": "La configuration SMTP a été désactivée", "DELETE_TITLE": "Supprimer la configuration SMTP", "DELETE_DESCRIPTION": "Vous êtes sur le point de supprimer une configuration. Confirmez cette action en tapant le nom de l'expéditeur", @@ -2253,7 +2258,16 @@ "CURRENT_DESC_TITLE": "Ce sont vos paramètres SMTP", "PROVIDER_SETTINGS": "Paramètres du fournisseur SMTP", "SENDER_SETTINGS": "Paramètres de l'expéditeur", - "TEST_SETTINGS": "Tester les paramètres SMTP" + "TEST_SETTINGS": "Tester les paramètres SMTP", + "NEXT_STEPS": "Prochaines étapes", + "ACTIVATE": { + "TITLE": "Activez votre fournisseur SMTP", + "DESCRIPTION": "ZITADEL ne peut pas utiliser ce fournisseur SMTP pour envoyer des notifications tant que vous ne l'avez pas activé. Si vous activez ce fournisseur, tout autre fournisseur qui était actif sera désormais désactivé." + }, + "DEACTIVATE": { + "TITLE": "Désactivez votre fournisseur SMTP", + "DESCRIPTION": "Si vous désactivez l'option SMTP, vous ne pourrez pas vous connecter à l'application, le dossier sera alors désactivé." + } } }, "DETAIL": { @@ -2274,9 +2288,9 @@ "TITLE": "Application", "ID": "ID", "DESCRIPTION": "Ici vous pouvez modifier les données de votre application et sa configuration.", - "CREATE": "Application OIDC", + "CREATE": "Créer une application", "CREATE_SELECT_PROJECT": "Sélectionnez d'abord votre projet", - "CREATE_NEW_PROJECT": "ou créez-en un nouveau here.", + "CREATE_NEW_PROJECT": "ou entrez le nom de votre nouveau projet", "CREATE_DESC_TITLE": "Entrez les détails de votre application étape par étape", "CREATE_DESC_SUB": "Une configuration recommandée sera automatiquement générée.", "STATE": "Statut", @@ -2327,7 +2341,7 @@ "TYPE": "Type d'application", "AUTHMETHOD": "Méthode d'authentification", "AUTHMETHODSECTION": "Méthode d'authentification", - "GRANT": "Types de subventions", + "GRANT": "Types d'octrois", "ADDITIONALORIGINS": "Origines supplémentaires", "ADDITIONALORIGINSDESC": "Si vous voulez ajouter des origines supplémentaires à votre application qui n'est pas utilisée comme une redirection, vous pouvez le faire ici.", "ORIGINS": "Origines", @@ -2338,17 +2352,17 @@ "ISSUER": "Émetteur", "CLIENTID": "Id client" }, - "CURRENT": "Current Config", + "CURRENT": "Configuration actuelle", "TOKENSECTIONTITLE": "Options AuthToken", "REDIRECTSECTIONTITLE": "Paramètres de redirection", "PROSWITCH": "Je suis un pro. Sautez cet assistant.", "NAMEANDTYPESECTION": "Nom et type", "TITLEFIRST": "Commencez par insérer un nom.", "TYPETITLE": "Quel type d'application voulez-vous créer ?", - "REDIRECTTITLE": "Indiquez les URI vers lesquels le login sera redirigé.", + "REDIRECTTITLE": "Indiquez les URIs vers lesquels le login sera redirigé.", "POSTREDIRECTTITLE": "Il s'agit de l'URI de redirection après la déconnexion.", - "REDIRECTDESCRIPTIONWEB": "Les URI de redirection doivent commencer par https.", - "REDIRECTDESCRIPTIONNATIVE": "Les URI de redirection doivent commencer par votre propre protocole, http.", + "REDIRECTDESCRIPTIONWEB": "Les URIs de redirection doivent commencer par https.", + "REDIRECTDESCRIPTIONNATIVE": "Les URIs de redirection doivent commencer par votre propre protocole, http://127.0.0.1, http://[::1] ou http://localhost.", "REDIRECTNOTVALID": "Cet URI de redirection n'est pas valide.", "COMMAORENTERSEPERATION": "séparer par ↵", "TYPEREQUIRED": "Le type est obligatoire.", @@ -2364,22 +2378,22 @@ "DEVMODEDESC": "Attention", "SKIPNATIVEAPPSUCCESSPAGE": "Sauter la page de succès de connexion", "SKIPNATIVEAPPSUCCESSPAGE_DESCRIPTION": "Sauter la page de succès après la connexion pour cette application native", - "REDIRECT": "Rediriger les URI", - "REDIRECTSECTION": "URI de redirection", + "REDIRECT": "Rediriger les URIs", + "REDIRECTSECTION": "URIs de redirection", "POSTLOGOUTREDIRECT": "URIs de post-déconnexion", "RESPONSESECTION": "Types de réponses", - "GRANTSECTION": "Types de subventions", - "GRANTTITLE": "Sélectionnez vos types de subventions. Note", + "GRANTSECTION": "Types d'octrois", + "GRANTTITLE": "Sélectionnez vos types d'octrois. Note : Implicite est uniquement disponible pour les applications basées sur le navigateur.", "APPTYPE": { "0": "Web", - "1": "Agent utilisateur", + "1": "User Agent", "2": "Natif" }, "RESPONSETYPE": "Types de réponse", "RESPONSE": { "0": "Code", - "1": "ID-Jeton", - "2": "ID-Jeton Jeton" + "1": "ID Token", + "2": "Token-ID Token" }, "REFRESHTOKEN": "Jeton de rafraîchissement", "GRANTTYPE": "Types d'octroi", @@ -2407,7 +2421,7 @@ "IDTOKENROLEASSERTION": "Rôles de l'utilisateur dans le jeton d'identification", "IDTOKENROLEASSERTION_DESCRIPTION": "Si sélectionné, les rôles demandés à l'utilisateur authentifié sont ajoutés au jeton d'identification.", "IDTOKENUSERINFOASSERTION": "Informations sur l'utilisateur dans le jeton d'identification", - "IDTOKENUSERINFOASSERTION_DESCRIPTION": "Permet aux clients de récupérer le profil, l'email, le téléphone et l'adresse à partir du jeton d'identification.", + "IDTOKENUSERINFOASSERTION_DESCRIPTION": "Permet aux clients de récupérer le profil, l'e-mail, le téléphone et l'adresse à partir du jeton d'identification.", "CLOCKSKEW": "Permet aux clients de gérer le décalage d'horloge de l'OP et du client. La durée (0-5s) sera ajoutée à la réclamation exp et soustraite de iats, auth_time et nbf.", "RECOMMENDED": "recommandé", "NOTRECOMMENDED": "non recommandé", @@ -2448,7 +2462,7 @@ "DESCRIPTION": "Applications SAML" }, "CONFIGSECTION": "Configuration SAML", - "CHOOSEMETADATASOURCE": "Fournissez votre configuration SAML à l'aide de l'une des options suivantes :", + "CHOOSEMETADATASOURCE": "Fournissez votre configuration SAML à l'aide de l'une des options suivantes :", "METADATAOPT1": "Option 1. Spécifiez l'URL où se trouve le fichier de métadonnées", "METADATAOPT2": "Option 2. Téléchargez un fichier contenant vos métadonnées XML", "METADATAOPT3": "Option 3. Créer un fichier de métadonnées minimal à la volée fournissant l'ENTITYID et l'URL ACS", @@ -2530,20 +2544,20 @@ "nl": "Nederlands" }, "MEMBER": { - "ADD": "Ajouter un manager", + "ADD": "Ajouter un responsable", "CREATIONTYPE": "Type de création", "CREATIONTYPES": { "3": "IAM", "2": "Organisation", "0": "Projet Détenu", - "1": "Projet Concédé", + "1": "Projet Octroyé", "4": "Projet" }, "EDITROLE": "Modifier les rôles", "EDITFOR": "Modifier les rôles de l'utilisateur", "DIALOG": { - "DELETE_TITLE": "Supprimer un manager", - "DELETE_DESCRIPTION": "Vous êtes sur le point de supprimer un manager. Vous êtes sûr ?" + "DELETE_TITLE": "Supprimer un responsable", + "DELETE_DESCRIPTION": "Vous êtes sur le point de supprimer un responsable. Etes-vous sûr ?" }, "SHOWDETAILS": "Cliquez pour afficher les détails." }, diff --git a/console/src/assets/i18n/it.json b/console/src/assets/i18n/it.json index ae2f2fd43d..258635148e 100644 --- a/console/src/assets/i18n/it.json +++ b/console/src/assets/i18n/it.json @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "Link Esterni", - "DESCRIPTION": "Guida i tuoi utenti verso risorse esterne personalizzate mostrate nella pagina di login. Gli utenti devono accettare i Termini di Servizio e la Politica sulla Privacy prima che possano iscriversi." + "DESCRIPTION": "Guida i tuoi utenti alle risorse esterne personalizzate mostrate nella pagina di accesso. Gli utenti devono accettare i Termini di servizio e l'Informativa sulla privacy prima di potersi registrare. Cambia il collegamento alla tua documentazione o imposta una stringa vuota per nascondere il pulsante della documentazione dalla console. Aggiungi un collegamento esterno personalizzato e un testo personalizzato per quel collegamento nella console oppure impostali vuoti per nascondere quel pulsante." }, "SMTP_PROVIDER": { "TITLE": "Impostazioni SMTP", @@ -593,6 +593,7 @@ "INVALID_FORMAT": "Il formato non è valido.", "NOTANEMAIL": "Il valore dato non è un indirizzo e-mail.", "MINLENGTH": "Deve essere lunga almeno {{requiredLength}} caratteri.", + "MAXLENGTH": "Deve contenere meno di {{requiredLength}} caratteri.", "UPPERCASEMISSING": "Deve includere un carattere maiuscolo.", "LOWERCASEMISSING": "Deve includere un carattere minuscolo.", "SYMBOLERROR": "Deve includere un simbolo o un segno di punteggiatura.", @@ -878,7 +879,8 @@ "SET": "Imposta nuova password", "RESENDNOTIFICATION": "Invia email per la reimpostazione", "REQUIRED": "Mancano alcuni campi obbligatori.", - "MINLENGTHERROR": "Deve essere lunga almeno {{valore}} caratteri." + "MINLENGTHERROR": "Deve essere lunga almeno {{valore}} caratteri.", + "MAXLENGTHERROR": "Deve contenere meno di {{value}} caratteri" }, "ID": "ID", "EMAIL": "E-mail", @@ -1570,6 +1572,9 @@ "POLICYLINK": "Link all'informativa sulla privacy", "HELPLINK": "link per l'aiuto", "SUPPORTEMAIL": "e-mail di supporto", + "DOCSLINK": "Collegamento a Documenti (Console)", + "CUSTOMLINK": "Collegamento personalizzato (Console)", + "CUSTOMLINKTEXT": "Testo del collegamento personalizzato (Console)", "SAVED": "Salvato con successo!", "RESET_TITLE": "Ripristina i valori predefiniti", "RESET_DESCRIPTION": "Stai per ripristinare i link predefiniti per i TOS e l'informativa sulla privacy. Vuoi davvero continuare?" @@ -2225,7 +2230,7 @@ "SMTP": { "LIST": { "TITLE": "Fornitore SMTP", - "DESCRIPTION": "Questi sono i provider SMTP per la tua istanza Zitadel. Attiva quello che desideri utilizzare per inviare notifiche ai tuoi utenti.", + "DESCRIPTION": "Questi sono i provider SMTP per la tua istanza ZITADEL. Attiva quello che desideri utilizzare per inviare notifiche ai tuoi utenti.", "EMPTY": "Nessun provider SMTP disponibile", "ACTIVATED": "Attivato", "ACTIVATE": "Attiva fornitore", @@ -2253,7 +2258,16 @@ "CURRENT_DESC_TITLE": "Queste sono le tue impostazioni SMTP", "PROVIDER_SETTINGS": "Impostazioni del provider SMTP", "SENDER_SETTINGS": "Impostazioni mittente", - "TEST_SETTINGS": "Testare le impostazioni SMTP" + "TEST_SETTINGS": "Testare le impostazioni SMTP", + "NEXT_STEPS": "Prossimi passi", + "ACTIVATE": { + "TITLE": "Attiva il tuo provider SMTP", + "DESCRIPTION": "ZITADEL non può utilizzare questo provider SMTP per inviare notifiche finché non lo attivi. Se attivi questo fornitore, qualsiasi altro fornitore che era attivo verrà ora disattivato." + }, + "DEACTIVATE": { + "TITLE": "Disattiva il tuo provider SMTP", + "DESCRIPTION": "Dopo aver disattivato l'archivio SMTP, la schermata non è disponibile per l'utente, il documento è nuovo e non è attivo." + } } }, "DETAIL": { diff --git a/console/src/assets/i18n/ja.json b/console/src/assets/i18n/ja.json index 65eb2615d7..30f1f8485c 100644 --- a/console/src/assets/i18n/ja.json +++ b/console/src/assets/i18n/ja.json @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "外部リンク", - "DESCRIPTION": "ログインページに表示されるカスタム外部リソースへのユーザーガイドです。ユーザーは、サインアップする前に利用規約とプライバシーポリシーを受け入れる必要があります。" + "DESCRIPTION": "ログイン ページに表示されるカスタム外部リソースにユーザーを誘導します。ユーザーはサインアップする前に、サービス利用規約とプライバシー ポリシーに同意する必要があります。ドキュメントへのリンクを変更するか、空の文字列を設定してコンソールからドキュメント ボタンを非表示にします。カスタム外部リンクとそのリンクのカスタム テキストをコンソールに追加するか、それらを空に設定してそのボタンを非表示にします。" }, "SMTP_PROVIDER": { "TITLE": "SMTP設定", @@ -595,6 +595,7 @@ "INVALID_FORMAT": "不正なフォーマットです", "NOTANEMAIL": "入力された値がメールアドレスではありません。", "MINLENGTH": "{{requiredLength}} 文字以上の文字列が必要です。", + "MAXLENGTH": "{{requiredLength}}文字以下でなければなりません.", "UPPERCASEMISSING": "大文字を含める必要があります。", "LOWERCASEMISSING": "小文字を含める必要があります。", "SYMBOLERROR": "記号を含める必要があります。", @@ -880,7 +881,8 @@ "SET": "新しいパスワードを設定する", "RESENDNOTIFICATION": "パスワードリセットのリンクを送信する", "REQUIRED": "一部の必須項目が不足しています。", - "MINLENGTHERROR": "最小で{{value}}文字の長さが必要です。" + "MINLENGTHERROR": "最小で{{value}}文字の長さが必要です。", + "MAXLENGTHERROR": "{{value}}文字以下でなければなりません" }, "ID": "id", "EMAIL": "Eメール", @@ -1566,6 +1568,10 @@ "TOSLINK": "利用規約へのリンク", "POLICYLINK": "プライバシーポリシーへのリンク", "HELPLINK": "ヘルプへのリンク", + "SUPPORTEMAIL": "サポートメール", + "DOCSLINK": "ドキュメントリンク (Console)", + "CUSTOMLINK": "カスタムリンク(Console)", + "CUSTOMLINKTEXT": "カスタム リンク テキスト (Console)", "SAVED": "正常に保存されました!", "RESET_TITLE": "デフォルト値を復元する", "RESET_DESCRIPTION": "TOSおよびプライバシーポリシーのデフォルトリンクを復元しようとしています。本当によろしいですか?" @@ -2216,7 +2222,7 @@ "SMTP": { "LIST": { "TITLE": "SMTPプロバイダー", - "DESCRIPTION": "これらは、Zitadel インスタンスの SMTP プロバイダーです。ユーザーに通知を送信するために使用するものをアクティブにします。", + "DESCRIPTION": "これらは、ZITADEL インスタンスの SMTP プロバイダーです。ユーザーに通知を送信するために使用するものをアクティブにします。", "EMPTY": "使用可能な SMTP プロバイダーがありません", "ACTIVATED": "アクティブ化された", "ACTIVATE": "プロバイダーをアクティブ化する", @@ -2244,7 +2250,16 @@ "CURRENT_DESC_TITLE": "これらは SMTP 設定です", "PROVIDER_SETTINGS": "SMTPプロバイダーの設定", "SENDER_SETTINGS": "送信者の設定", - "TEST_SETTINGS": "SMTP設定をテストする" + "TEST_SETTINGS": "SMTP設定をテストする", + "NEXT_STEPS": "次のステップ", + "ACTIVATE": { + "TITLE": "SMTP プロバイダーをアクティブ化する", + "DESCRIPTION": "ZITADEL は、アクティブ化するまで、この SMTP プロバイダーを使用して通知を送信できません。このプロバイダーをアクティブ化すると、アクティブだった他のプロバイダーは非アクティブ化されます。" + }, + "DEACTIVATE": { + "TITLE": "SMTPプロバイダーを非アクティブ化します", + "DESCRIPTION": "この SMTP プロバイダーを非アクティブ化すると、再度アクティブ化するまで、Zitadel はそれを使用して通知を送信できなくなります。" + } } }, "DETAIL": { diff --git a/console/src/assets/i18n/mk.json b/console/src/assets/i18n/mk.json index 6df94a7445..55f52bc24b 100644 --- a/console/src/assets/i18n/mk.json +++ b/console/src/assets/i18n/mk.json @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "Надворешни врски", - "DESCRIPTION": "Упатете ги вашите корисници кон прилагодени надворешни ресурси прикажани на страницата за најава. Корисниците треба да ги прифатат условите за користење и политиката за приватност пред да се регистрираат." + "DESCRIPTION": "Водете ги вашите корисници до сопствени надворешни ресурси прикажани на страницата за најавување. Корисниците треба да ги прифатат Условите за користење и Политиката за приватност пред да можат да се регистрираат. Променете ја врската до вашата документација или поставете празна низа за да го скриете копчето за документација од конзолата. Додајте приспособена надворешна врска и прилагоден текст за таа врска во конзолата или поставете ги празни за да го скриете тоа копче." }, "SMTP_PROVIDER": { "TITLE": "SMTP поставки", @@ -595,6 +595,7 @@ "INVALID_FORMAT": "Невалиден формат.", "NOTANEMAIL": "Внесената вредност не е е-пошта.", "MINLENGTH": "Мора да биде најмалку {{requiredLength}} карактери долга.", + "MAXLENGTH": "Мора да биде помалку од {{requiredLength}} карактери.", "UPPERCASEMISSING": "Мора да содржи голема буква.", "LOWERCASEMISSING": "Мора да содржи мала буква.", "SYMBOLERROR": "Мора да содржи симбол или знак за интерпункција.", @@ -880,7 +881,8 @@ "SET": "Постави нова лозинка", "RESENDNOTIFICATION": "Испрати линк за ресетирање на лозинката", "REQUIRED": "Некои задолжителни полиња не се пополнети.", - "MINLENGTHERROR": "Мора да биде најмалку {{value}} карактери долга." + "MINLENGTHERROR": "Мора да биде најмалку {{value}} карактери долга.", + "MAXLENGTHERROR": "Мора да биде помалку од {{value}} карактери" }, "ID": "ID", "EMAIL": "E-пошта", @@ -1572,6 +1574,9 @@ "POLICYLINK": "Линк кон Политиката за приватност", "HELPLINK": "Линк кон Помош", "SUPPORTEMAIL": "Е-пошта за поддршка", + "DOCSLINK": "Врска за документи (Console)", + "CUSTOMLINK": "Прилагодена врска (Console)", + "CUSTOMLINKTEXT": "Текст за приспособена врска (Console)", "SAVED": "Успешно зачувано!", "RESET_TITLE": "Врати на стандардни вредности", "RESET_DESCRIPTION": "Се подготвувате да ги вратите стандардните линкови за Условите за користење и Политиката за приватност. Дали сте сигурни дека сакате да продолжите?" @@ -2222,7 +2227,7 @@ "SMTP": { "LIST": { "TITLE": "SMTP провајдер", - "DESCRIPTION": "Ова се давателите на SMTP за вашиот пример Zitadel. Активирајте го оној што сакате да го користите за испраќање известувања до вашите корисници.", + "DESCRIPTION": "Ова се давателите на SMTP за вашиот пример ZITADEL. Активирајте го оној што сакате да го користите за испраќање известувања до вашите корисници.", "EMPTY": "Нема достапен SMTP провајдер", "ACTIVATED": "Активиран", "ACTIVATE": "Активирајте го провајдерот", @@ -2250,7 +2255,16 @@ "CURRENT_DESC_TITLE": "Ова се вашите поставки за SMTP", "PROVIDER_SETTINGS": "Поставки на провајдерот SMTP", "SENDER_SETTINGS": "Поставки на испраќачот", - "TEST_SETTINGS": "Тестирајте ги поставките за SMTP" + "TEST_SETTINGS": "Тестирајте ги поставките за SMTP", + "NEXT_STEPS": "Следните чекори", + "ACTIVATE": { + "TITLE": "Активирајте го вашиот SMTP провајдер", + "DESCRIPTION": "ZITADEL не може да го користи овој SMTP провајдер за да испраќа известувања додека не го активирате. Ако го активирате овој добавувач, секој друг провајдер што бил активен сега ќе се деактивира." + }, + "DEACTIVATE": { + "TITLE": "Деактивирајте го вашиот SMTP провајдер", + "DESCRIPTION": "Ако го деактивирате овој SMTP провајдер, ZITADEL не може да го користи за испраќање известувања додека не го активирате повторно." + } } }, "DETAIL": { diff --git a/console/src/assets/i18n/nl.json b/console/src/assets/i18n/nl.json index f31731eefc..c2526c848d 100644 --- a/console/src/assets/i18n/nl.json +++ b/console/src/assets/i18n/nl.json @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "Externe links", - "DESCRIPTION": "Leid je gebruikers naar aangepaste externe bronnen die worden getoond op de inlogpagina. Gebruikers moeten de Algemene Voorwaarden en het Privacybeleid accepteren voordat ze zich kunnen aanmelden." + "DESCRIPTION": "Leid uw gebruikers naar aangepaste externe bronnen die op de inlogpagina worden weergegeven. Gebruikers moeten de Servicevoorwaarden en het Privacybeleid accepteren voordat ze zich kunnen aanmelden. Wijzig de link naar uw documentatie of stel een lege string in om de documentatieknop voor de console te verbergen. Voeg een aangepaste externe link en een aangepaste tekst voor die link toe in de console, of stel ze leeg om die knop te verbergen." }, "SMTP_PROVIDER": { "TITLE": "SMTP-instellingen", @@ -595,6 +595,7 @@ "INVALID_FORMAT": "De opmaak is ongeldig.", "NOTANEMAIL": "De opgegeven waarde is geen e-mailadres.", "MINLENGTH": "Moet minimaal {{requiredLength}} tekens lang zijn.", + "MAXLENGTH": "Moet minder dan {{requiredLength}} tekens bevatten.", "UPPERCASEMISSING": "Moet een hoofdletter bevatten.", "LOWERCASEMISSING": "Moet een kleine letter bevatten.", "SYMBOLERROR": "Moet een symbool of leesteken bevatten.", @@ -880,7 +881,8 @@ "SET": "Stel nieuw wachtwoord in", "RESENDNOTIFICATION": "Stuur wachtwoord reset link", "REQUIRED": "Sommige verplichte velden ontbreken.", - "MINLENGTHERROR": "Moet minstens {{value}} tekens lang zijn." + "MINLENGTHERROR": "Moet minstens {{value}} tekens lang zijn.", + "MAXLENGTHERROR": "Moet minder dan {{value}} tekens bevatten" }, "ID": "ID", "EMAIL": "E-mail", @@ -1571,6 +1573,9 @@ "POLICYLINK": "Link naar Privacybeleid", "HELPLINK": "Link naar Help", "SUPPORTEMAIL": "Ondersteuning Email", + "DOCSLINK": "Documentenlink (Console)", + "CUSTOMLINK": "Aangepaste link (Console)", + "CUSTOMLINKTEXT": "Aangepaste linktekst (Console)", "SAVED": "Succesvol opgeslagen!", "RESET_TITLE": "Herstel Standaard Waarden", "RESET_DESCRIPTION": "U staat op het punt de standaard Links voor TOS en Privacybeleid te herstellen. Weet u zeker dat u wilt doorgaan?" @@ -2041,7 +2046,7 @@ "DESCRIPTION": "Voer de inloggegevens in voor uw Apple Provider" }, "SAML": { - "TITLE": "Log in met Saml SP", + "TITLE": "Log in met SAML SP", "DESCRIPTION": "Voer de inloggegevens in voor uw SAML Provider" } }, @@ -2243,7 +2248,7 @@ "SMTP": { "LIST": { "TITLE": "SMTP-provider", - "DESCRIPTION": "Dit zijn de SMTP-providers voor uw Zitadel-instantie. Activeer degene die u wilt gebruiken om meldingen naar uw gebruikers te sturen.", + "DESCRIPTION": "Dit zijn de SMTP-providers voor uw ZITADEL-instantie. Activeer degene die u wilt gebruiken om meldingen naar uw gebruikers te sturen.", "EMPTY": "Geen SMTP-provider beschikbaar", "ACTIVATED": "Geactiveerd", "ACTIVATE": "Aanbieder activeren", @@ -2271,7 +2276,16 @@ "CURRENT_DESC_TITLE": "Dit zijn uw SMTP-instellingen", "PROVIDER_SETTINGS": "SMTP-providerinstellingen", "SENDER_SETTINGS": "Afzenderinstellingen", - "TEST_SETTINGS": "SMTP-instellingen testen" + "TEST_SETTINGS": "SMTP-instellingen testen", + "NEXT_STEPS": "Volgende stappen", + "ACTIVATE": { + "TITLE": "Activeer uw SMTP-provider", + "DESCRIPTION": "ZITADEL kan deze SMTP-provider niet gebruiken om meldingen te verzenden totdat u deze activeert. Als u deze provider activeert, worden alle andere actieve providers nu gedeactiveerd." + }, + "DEACTIVATE": { + "TITLE": "Deactiveer uw SMTP-provider", + "DESCRIPTION": "Als u deze SMTP-provider deactiveert, kan ZITADEL deze niet gebruiken om meldingen te verzenden totdat u deze opnieuw activeert." + } } }, "DETAIL": { diff --git a/console/src/assets/i18n/pl.json b/console/src/assets/i18n/pl.json index 1857872e2f..65e13ce71f 100644 --- a/console/src/assets/i18n/pl.json +++ b/console/src/assets/i18n/pl.json @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "Linki zewnętrzne", - "DESCRIPTION": "Przekieruj użytkowników do niestandardowych zasobów zewnętrznych pokazanych na stronie logowania. Użytkownicy muszą zaakceptować Warunki korzystania z usługi i Politykę prywatności, zanim będą mogli się zarejestrować." + "DESCRIPTION": "Poprowadź użytkowników do niestandardowych zasobów zewnętrznych wyświetlanych na stronie logowania. Użytkownicy muszą zaakceptować Warunki świadczenia usług i Politykę prywatności, zanim będą mogli się zarejestrować. Zmień łącze do dokumentacji lub ustaw pusty ciąg, aby ukryć przycisk dokumentacji w konsoli. Dodaj niestandardowy link zewnętrzny i niestandardowy tekst dla tego łącza w konsoli lub ustaw je puste, aby ukryć ten przycisk." }, "SMTP_PROVIDER": { "TITLE": "Ustawienia SMTP", @@ -594,6 +594,7 @@ "INVALID_FORMAT": "Format jest nieprawidłowy.", "NOTANEMAIL": "Podana wartość nie jest adresem e-mail.", "MINLENGTH": "Musi mieć co najmniej {{requiredLength}} znaków.", + "MAXLENGTH": "Musi zawierać mniej niż {{requiredLength}} znaków.", "UPPERCASEMISSING": "Musi zawierać wielką literę.", "LOWERCASEMISSING": "Musi zawierać małą literę.", "SYMBOLERROR": "Musi zawierać symbol lub znak interpunkcyjny.", @@ -879,7 +880,8 @@ "SET": "Ustaw nowe hasło", "RESENDNOTIFICATION": "Wyślij link resetowania hasła", "REQUIRED": "Brakuje niektórych wymaganych pól.", - "MINLENGTHERROR": "Musi mieć co najmniej {{value}} znaków." + "MINLENGTHERROR": "Musi mieć co najmniej {{value}} znaków.", + "MAXLENGTHERROR": "Musi zawierać mniej niż {{value}} znaków" }, "ID": "ID", "EMAIL": "E-mail", @@ -1570,6 +1572,9 @@ "POLICYLINK": "Link do polityki prywatności", "HELPLINK": "Link do pomocy", "SUPPORTEMAIL": "E-mail wsparcia", + "DOCSLINK": "Link do Dokumentów (Console)", + "CUSTOMLINK": "Link niestandardowy (Console)", + "CUSTOMLINKTEXT": "Niestandardowy tekst łącza (Console)", "SAVED": "Pomyślnie zapisano!", "RESET_TITLE": "Przywróć wartości domyślne", "RESET_DESCRIPTION": "Masz zamiar przywrócić domyślne linki dla TOS i polityki prywatności. Czy na pewno chcesz kontynuować?" @@ -2225,7 +2230,7 @@ "SMTP": { "LIST": { "TITLE": "Dostawca SMTP", - "DESCRIPTION": "To są dostawcy SMTP dla Twojej instancji Zitadel. Aktywuj ten, którego chcesz używać do wysyłania powiadomień do użytkowników.", + "DESCRIPTION": "To są dostawcy SMTP dla Twojej instancji ZITADEL. Aktywuj ten, którego chcesz używać do wysyłania powiadomień do użytkowników.", "EMPTY": "Brak dostępnego dostawcy SMTP", "ACTIVATED": "Aktywowany", "ACTIVATE": "Aktywuj dostawcę", @@ -2253,7 +2258,16 @@ "CURRENT_DESC_TITLE": "To są Twoje ustawienia SMTP", "PROVIDER_SETTINGS": "Ustawienia dostawcy SMTP", "SENDER_SETTINGS": "Ustawienia nadawcy", - "TEST_SETTINGS": "Przetestuj ustawienia SMTP" + "TEST_SETTINGS": "Przetestuj ustawienia SMTP", + "NEXT_STEPS": "Następne kroki", + "ACTIVATE": { + "TITLE": "Aktywuj swojego dostawcę SMTP", + "DESCRIPTION": "ZITADEL nie może używać tego dostawcy SMTP do wysyłania powiadomień, dopóki go nie aktywujesz. Jeśli aktywujesz tego dostawcę, każdy inny aktywny dostawca zostanie teraz dezaktywowany." + }, + "DEACTIVATE": { + "TITLE": "Dezaktywuj swojego dostawcę SMTP", + "DESCRIPTION": "Jeśli dezaktywujesz tego dostawcę SMTP, ZITADEL nie będzie mógł go używać do wysyłania powiadomień, dopóki nie aktywujesz go ponownie." + } } }, "DETAIL": { diff --git a/console/src/assets/i18n/pt.json b/console/src/assets/i18n/pt.json index 929b137fc7..aee0da5a02 100644 --- a/console/src/assets/i18n/pt.json +++ b/console/src/assets/i18n/pt.json @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "Links Externos", - "DESCRIPTION": "Guie seus usuários para recursos externos personalizados mostrados na página de login. Os usuários precisam aceitar os Termos de Serviço e a Política de Privacidade antes de poderem se inscrever." + "DESCRIPTION": "Oriente seus usuários sobre recursos externos personalizados mostrados na página de login. Os usuários precisam aceitar os Termos de Serviço e a Política de Privacidade antes de se inscreverem. Altere o link para sua documentação ou defina uma string vazia para ocultar o botão de documentação do console. Adicione um link externo personalizado e um texto personalizado para esse link no console ou deixe-os vazios para ocultar esse botão." }, "SMTP_PROVIDER": { "TITLE": "Configurações de SMTP", @@ -595,6 +595,7 @@ "INVALID_FORMAT": "O formato é inválido.", "NOTANEMAIL": "O valor fornecido não é um endereço de e-mail.", "MINLENGTH": "Deve ter pelo menos {{requiredLength}} caracteres.", + "MAXLENGTH": "Deve ter menos de {{requiredLength}} caracteres.", "UPPERCASEMISSING": "Deve incluir uma letra maiúscula.", "LOWERCASEMISSING": "Deve incluir uma letra minúscula.", "SYMBOLERROR": "Deve incluir um símbolo ou caractere de pontuação.", @@ -880,7 +881,8 @@ "SET": "Definir Nova Senha", "RESENDNOTIFICATION": "Enviar Link de Redefinição de Senha", "REQUIRED": "Algumas informações obrigatórias estão faltando.", - "MINLENGTHERROR": "Deve ter pelo menos {{value}} caracteres." + "MINLENGTHERROR": "Deve ter pelo menos {{value}} caracteres.", + "MAXLENGTHERROR": "Deve ter menos de {{value}} caracteres" }, "ID": "ID", "EMAIL": "E-mail", @@ -1572,6 +1574,9 @@ "POLICYLINK": "Link para a Política de Privacidade", "HELPLINK": "Link para Ajuda", "SUPPORTEMAIL": "E-mail de suporte", + "DOCSLINK": "Link do Documentos (Console)", + "CUSTOMLINK": "Link personalizado (Console)", + "CUSTOMLINKTEXT": "Texto do link personalizado (Console)", "SAVED": "Salvo com sucesso!", "RESET_TITLE": "Restaurar valores padrão", "RESET_DESCRIPTION": "Você está prestes a restaurar os Links padrão para TOS e Política de Privacidade. Deseja realmente continuar?" @@ -2220,7 +2225,7 @@ "SMTP": { "LIST": { "TITLE": "Provedor SMTP", - "DESCRIPTION": "Estes são os provedores SMTP para sua instância Zitadel. Ative aquele que deseja usar para enviar notificações aos seus usuários.", + "DESCRIPTION": "Estes são os provedores SMTP para sua instância ZITADEL. Ative aquele que deseja usar para enviar notificações aos seus usuários.", "EMPTY": "Nenhum provedor SMTP disponível", "ACTIVATED": "Ativado", "ACTIVATE": "Ativar provedor", @@ -2248,7 +2253,16 @@ "CURRENT_DESC_TITLE": "Estas são suas configurações de SMTP", "PROVIDER_SETTINGS": "Configurações do provedor SMTP", "SENDER_SETTINGS": "Configurações do remetente", - "TEST_SETTINGS": "Testar configurações de SMTP" + "TEST_SETTINGS": "Testar configurações de SMTP", + "NEXT_STEPS": "Próximos passos", + "ACTIVATE": { + "TITLE": "Ative seu provedor SMTP", + "DESCRIPTION": "ZITADEL não pode usar este provedor SMTP para enviar notificações até que você o ative. Se você ativar este provedor, qualquer outro provedor que estava ativo será desativado." + }, + "DEACTIVATE": { + "TITLE": "Desative seu provedor SMTP", + "DESCRIPTION": "Se você desativar este provedor SMTP, a ZITADEL não poderá usá-lo para enviar notificações até que você o ative novamente." + } } }, "DETAIL": { diff --git a/console/src/assets/i18n/ru.json b/console/src/assets/i18n/ru.json index eda731d47f..294039adc9 100644 --- a/console/src/assets/i18n/ru.json +++ b/console/src/assets/i18n/ru.json @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "Внешние ссылки", - "DESCRIPTION": "Направьте ваших пользователей к пользовательским внешним ресурсам, показанным на странице входа. Пользователи должны принять Условия обслуживания и Политику конфиденциальности, прежде чем они смогут зарегистрироваться." + "DESCRIPTION": "Guide your users to custom external resources shown on the login page. Users need to accept the Terms of Service and Privacy Policy before they can sign up. Change the link to your documentation or set an empty string to hide the documentation button from the console. Add a custom external link and a custom text for that link in the console, or set them empty to hide that button." }, "SMTP_PROVIDER": { "TITLE": "Настройки SMTP", @@ -594,6 +594,7 @@ "INVALID_FORMAT": "Форматирование неверно.", "NOTANEMAIL": "Данное значение не является адресом электронной почты.", "MINLENGTH": "Должно быть не менее {{requiredLength}} символов.", + "MAXLENGTH": "Должно быть меньше {{requiredLength}} символов.", "UPPERCASEMISSING": "Должен содержать символ верхнего регистра.", "LOWERCASEMISSING": "Должен включать строчные буквы.", "SYMBOLERROR": "Должен содержать символ или знак препинания.", @@ -887,7 +888,8 @@ "RESENDNOTIFICATION": "Отправить ссылку для сброса пароля", "REQUIRED": "Отсутствуют некоторые обязательные поля.", "MINLENGTHERROR": "Должно быть не менее {{value}} символов.", - "NOTEQUAL": "Указанные пароли не совпадают." + "NOTEQUAL": "Указанные пароли не совпадают.", + "MAXLENGTHERROR": "Должно быть меньше {{value}} символов" }, "ID": "Идентификатор", "EMAIL": "Электронная почта", @@ -1626,6 +1628,9 @@ "POLICYLINK": "Ссылка на Политику конфиденциальности", "HELPLINK": "Ссылка на Помощь", "SUPPORTEMAIL": "Электронная почта поддержки", + "DOCSLINK": "Ссылка на Документы (Console)", + "CUSTOMLINK": "Пользовательская ссылка (Console)", + "CUSTOMLINKTEXT": "Пользовательский текст ссылки (Console)", "SAVED": "Успешно сохранено!", "RESET_TITLE": "Восстановить значения по умолчанию", "RESET_DESCRIPTION": "Вы собираетесь восстановить ссылки по умолчанию для Пользовательского соглашения и Политики конфиденциальности. Вы действительно хотите продолжить?" @@ -2337,7 +2342,7 @@ "SMTP": { "LIST": { "TITLE": "SMTP-провайдер", - "DESCRIPTION": "Это поставщики SMTP для вашего экземпляра Zitadel. Активируйте тот, который вы хотите использовать для отправки уведомлений вашим пользователям.", + "DESCRIPTION": "Это поставщики SMTP для вашего экземпляра ZITADEL. Активируйте тот, который вы хотите использовать для отправки уведомлений вашим пользователям.", "EMPTY": "SMTP-провайдер не доступен", "ACTIVATED": "Активировано", "ACTIVATE": "Активировать провайдера", @@ -2365,7 +2370,16 @@ "CURRENT_DESC_TITLE": "Это ваши настройки SMTP", "PROVIDER_SETTINGS": "Настройки SMTP-провайдера", "SENDER_SETTINGS": "Настройки отправителя", - "TEST_SETTINGS": "Проверка настроек SMTP" + "TEST_SETTINGS": "Проверка настроек SMTP", + "NEXT_STEPS": "Следующие шаги", + "ACTIVATE": { + "TITLE": "Активируйте своего SMTP-провайдера", + "DESCRIPTION": "ZITADEL не может использовать этого поставщика SMTP для отправки уведомлений, пока вы его не активируете. Если вы активируете этого провайдера, любой другой провайдер, который был активен, теперь будет деактивирован." + }, + "DEACTIVATE": { + "TITLE": "Деактивируйте своего SMTP-провайдера", + "DESCRIPTION": "Если вы деактивируете этого поставщика SMTP, ZITADEL не сможет использовать его для отправки уведомлений, пока вы не активируете его снова." + } } }, "DETAIL": { diff --git a/console/src/assets/i18n/zh.json b/console/src/assets/i18n/zh.json index 005a81480d..c8b2baa0a1 100644 --- a/console/src/assets/i18n/zh.json +++ b/console/src/assets/i18n/zh.json @@ -129,7 +129,7 @@ }, "PRIVACY_POLICY": { "TITLE": "外部链接", - "DESCRIPTION": "引导您的用户到登录页面上显示的自定义外部资源。用户需要在注册前接受服务条款和隐私政策。" + "DESCRIPTION": "引导您的用户访问登录页面上显示的自定义外部资源。用户需要先接受服务条款和隐私政策,然后才能注册。更改文档的链接或设置空字符串以在控制台中隐藏文档按钮。在控制台中添加自定义外部链接和该链接的自定义文本,或将它们设置为空以隐藏该按钮。" }, "SMTP_PROVIDER": { "TITLE": "SMTP设置", @@ -594,6 +594,7 @@ "INVALID_FORMAT": "格式是无效的。", "NOTANEMAIL": "给定的值不是合法电子邮件地址。", "MINLENGTH": "长度必须至少是{{requiredLength}}字符。", + "MAXLENGTH": "必须少于{{requiredLength}}个字符.", "UPPERCASEMISSING": "密码必须包含大写字符。", "LOWERCASEMISSING": "密码必须包含小写字符。", "SYMBOLERROR": "密码必须包含符号或标点符号。", @@ -879,7 +880,8 @@ "SET": "设置新密码", "RESENDNOTIFICATION": "发送重置密码链接", "REQUIRED": "缺少必填字段。", - "MINLENGTHERROR": "密码长度必须至少为 {{value}} 个字符。" + "MINLENGTHERROR": "密码长度必须至少为 {{value}} 个字符。", + "MAXLENGTHERROR": "必须少于{{value}}个字符" }, "ID": "ID", "EMAIL": "电子邮件", @@ -1569,6 +1571,9 @@ "POLICYLINK": "链接到隐私政策", "HELPLINK": "链接到帮助", "SUPPORTEMAIL": "支持邮箱", + "DOCSLINK": "文档链接(Console)", + "CUSTOMLINK": "自定义链接(Console)", + "CUSTOMLINKTEXT": "自定义链接文本(Console)", "SAVED": "保存成功!", "RESET_TITLE": "恢复默认值", "RESET_DESCRIPTION": "您即将恢复 TOS 和隐私政策的默认链接。你真的要继续吗?" @@ -2224,7 +2229,7 @@ "SMTP": { "LIST": { "TITLE": "SMTP 提供商", - "DESCRIPTION": "这些是您的 Zitadel 实例的 SMTP 提供商。激活您想要用来向用户发送通知的通知。", + "DESCRIPTION": "这些是您的 ZITADEL 实例的 SMTP 提供商。激活您想要用来向用户发送通知的通知。", "EMPTY": "没有可用的 SMTP 提供商", "ACTIVATED": "活性", "ACTIVATE": "激活提供商", @@ -2252,7 +2257,16 @@ "CURRENT_DESC_TITLE": "这些是您的 SMTP 设置", "PROVIDER_SETTINGS": "SMTP 提供商设置", "SENDER_SETTINGS": "发件人设置", - "TEST_SETTINGS": "测试 SMTP 设置" + "TEST_SETTINGS": "测试 SMTP 设置", + "NEXT_STEPS": "下一步", + "ACTIVATE": { + "TITLE": "激活您的 SMTP 提供商", + "DESCRIPTION": "在您激活此 SMTP 提供程序之前,Zitadel 无法使用它来发送通知。如果您激活此提供程序,任何其他处于活动状态的提供程序现在都将被停用。" + }, + "DEACTIVATE": { + "TITLE": "停用您的 SMTP 提供商", + "DESCRIPTION": "如果您停用此 SMTP 提供程序,Zitadel 将无法使用它发送通知,直到您再次激活它。" + } } }, "DETAIL": { diff --git a/docs/docs/apis/actionsv2/introduction.md b/docs/docs/apis/actionsv2/introduction.md index 16adaac423..e6362c1aee 100644 --- a/docs/docs/apis/actionsv2/introduction.md +++ b/docs/docs/apis/actionsv2/introduction.md @@ -86,6 +86,11 @@ And if you use a different service, for example `zitadel.session.v2.SessionServi ### Targets and Includes +:::info +Includes are limited to 3 levels, which mean that include1->include2->include3 is the maximum for now. +If you have feedback to the include logic, or a reason why 3 levels are not enough, please open [an issue on github](https://github.com/zitadel/zitadel/issues) or [start a discussion on github](https://github.com/zitadel/zitadel/discussions)/[start a topic on discord](https://zitadel.com/chat) +::: + An execution can not only contain a list of Targets, but also Includes. The Includes can be defined in the Execution directly, which means you include all defined Targets by a before set Execution. diff --git a/docs/docs/concepts/features/account-linking.md b/docs/docs/concepts/features/account-linking.md new file mode 100644 index 0000000000..43a5066763 --- /dev/null +++ b/docs/docs/concepts/features/account-linking.md @@ -0,0 +1,36 @@ +--- +title: Account linking +--- + +ZITADEL supports linking of user accounts from different external identity providers such as social logins or enterprise IdPs. +A user can authenticate from any of their accounts and still be recognized by your app and associated with the same user profile. + +In ZITADEL, users have one user account to simplify access management and provide a consistent audit trail. +A user account can have a link to multiple external identities. + +### Advantages + +- Users can login with multiple identity providers without managing separate profiles +- Already registered users can link existing profiles +- Provide backup authentication methods in case an IdP is unavailable +- Unified audit trail across multiple identities + +### How it works + +ZITADEL gives you great flexibility to configure account linking for an organization and based on the external identity provider. + +When using external identity providers (ie. social login, enterprise SSO), a user account will be created in ZITADEL. +The [external identity](../structure/users#federated-users) will be linked to the ZITADEL account. + +If login with "Username / Password" (ie. local account) is enabled and you have configured external IDPs, the user can decide if they want to login with an external IDP or the local account. + +When only one external identity provider is configured and login with "Username / Password" is disabled, then the user is immediately redirected to the external identity provider. + +In cases when a local account already exists and a user logs in with an external identity provider, you can instruct ZITADEL to link the external identity to the local account based on the username or email address. + +### Automatic account linking + +You can link accounts with the same email or username and prompt users to link them. +On an [identity provider template settings](/docs/guides/integrate/identity-providers/introduction#key-settings-on-the-templates), you must enable "Account linking allowed". + +Automatic account linking is beneficial for users who wish to associate multiple login methods with their ZITADEL account, providing flexibility and convenience in how they access your application. diff --git a/docs/docs/concepts/features/audit-trail.md b/docs/docs/concepts/features/audit-trail.md index a4c79e003e..355029a6a4 100644 --- a/docs/docs/concepts/features/audit-trail.md +++ b/docs/docs/concepts/features/audit-trail.md @@ -14,6 +14,15 @@ This form of audit log has several benefits over storing classic audit logs. You can view past data in-context of the whole system at a single point in time. Reviewing a past state of the application can be important when tracing an incident that happened months back. Moreover the eventstore provides a truly complete and clean audit log. +:::info Future Plans +There will be three major areas for future development on the audit data + +- [Metrics](https://github.com/zitadel/zitadel/issues/4458) and [standard reports](https://github.com/zitadel/zitadel/discussions/2162#discussioncomment-1153259) +- [Feedback loop](https://github.com/zitadel/zitadel/issues/5102) and threat detection +- Forensics and replay of events + +::: + ## Accessing the Audit Log ### Last changes of an object @@ -42,24 +51,6 @@ Access to the API is possible with a [Service User](/docs/guides/integrate/servi ## Using logs in external systems -You can use the [Event API](#event-api) to pull data and ingest it in an external system. +You can use the events from the audit log in external systems such as a SOC/SIEM solution. -[Actions](actions.md) can be used to write events to the stdout and [process the events as logs](../../self-hosting/manage/production#logging). -Please refer to the zitadel/actions repository for a [code sample](https://github.com/zitadel/actions/blob/main/examples/post_auth_log.js). -You can use your log processing pipeline to parse and ingest the events in your favorite analytics tool. - -It is possible to send events directly with an http request to an external tool. -We don't recommend this approach since this would create back-pressure and increase the overall processing time for requests. - -:::info Scope of Actions -At this moment Actions can be invoked on certain events, but not generally on every event. -This is not a technical limitation, but a [feature on our backlog](https://github.com/zitadel/zitadel/issues/5101). -::: - -## Future plans - -There will be three major areas for future development on the audit data - -- [Metrics](https://github.com/zitadel/zitadel/issues/4458) and [standard reports](https://github.com/zitadel/zitadel/discussions/2162#discussioncomment-1153259) -- [Feedback loop](https://github.com/zitadel/zitadel/issues/5102) and threat detection -- Forensics and replay of events +Follow our guide on how to [integrate ZITADEL with external systems for streaming events and audit logs](/docs/guides/integrate/external-audit-log). diff --git a/docs/docs/concepts/structure/applications.md b/docs/docs/concepts/structure/applications.md index 1a3343b620..183e4bc032 100644 --- a/docs/docs/concepts/structure/applications.md +++ b/docs/docs/concepts/structure/applications.md @@ -1,10 +1,28 @@ --- -title: ZITADEL Applications +title: Configure applications for your frontend and backend services and clients sidebar_label: Applications +sidebar_position: 5 --- +import AppType from "../../guides/manage/console/_application-types.mdx"; -# Applications +Applications are the entry point to your project. +[Users](users.md) either login into one of your clients and interact with them directly or use one of your APIs. +All applications share the roles and authorizations of their [project](projects.md). -Applications are the entry point to your project. Users either login into one of your clients and interact with them directly or use one of your APIs. All applications share the roles and authorizations of their project. +## Supported application types -To read more about available authentication types and how to setup applications, read this guide [here](../../guides/manage/console/applications) +ZITADEL supports the following client types: + + + +## Security considerations + +Ensure the configuration of application settings is limited to authorized users only. + +- Use [Manager roles](managers.mdx) to limit permissions for your users to make changes to your applications +- When [granting projects](granted_projects.md) to other organizations, the receiving organization can't see or change application configuration + +## References + +- [Configure Applications in the Console](../../guides/manage/console/applications) +- [ZITADEL API: Applications](/docs/category/apis/resources/mgmt/applications) diff --git a/docs/docs/concepts/structure/instance.mdx b/docs/docs/concepts/structure/instance.mdx index d6d166f466..419fa0b938 100644 --- a/docs/docs/concepts/structure/instance.mdx +++ b/docs/docs/concepts/structure/instance.mdx @@ -1,6 +1,7 @@ --- title: ZITADEL Instances sidebar_label: Instances +sidebar_position: 1 --- ## Instance Structure diff --git a/docs/docs/concepts/structure/organizations.md b/docs/docs/concepts/structure/organizations.md index c3366bab12..f84a68dd54 100644 --- a/docs/docs/concepts/structure/organizations.md +++ b/docs/docs/concepts/structure/organizations.md @@ -1,6 +1,7 @@ --- title: ZITADEL Organizations sidebar_label: Organizations +sidebar_position: 2 --- import OrgDescription from './_org_description.mdx'; diff --git a/docs/docs/concepts/structure/projects.md b/docs/docs/concepts/structure/projects.md index 179c5c62e6..f7035a1e23 100644 --- a/docs/docs/concepts/structure/projects.md +++ b/docs/docs/concepts/structure/projects.md @@ -1,10 +1,9 @@ --- -title: ZITADEL Projects +title: Organize applications, services, and roles with projects sidebar_label: Projects +sidebar_position: 4 --- -# Project - import ProjectDescription from './\_project_description.mdx'; diff --git a/docs/docs/concepts/structure/users.md b/docs/docs/concepts/structure/users.md index 5ece5af7bd..b6440f33ad 100644 --- a/docs/docs/concepts/structure/users.md +++ b/docs/docs/concepts/structure/users.md @@ -1,6 +1,7 @@ --- title: ZITADEL Users sidebar_label: Users +sidebar_position: 3 --- ## Types of users @@ -15,18 +16,36 @@ Human users typically logon with an interactive login. This means that an application redirects a user to a website ("login page") where the user can provide the credentials. ZITADEL handles the authentication and provides the application with a token that verifies the authentication process. +Read more on how to [login users with ZITADEL](/docs/guides/integrate/login/login-users). + ### Service users Service users are for machine-to-machine communication and you would use those typically to access secure backend services. For example in ZITADEL you would require an authenticated Service User to access the Management API. The main difference between human and machine users is the type of credentials that can be used for authentication: Human users typically logon via an login prompt, but Machine users require a non-interactive logon process. +Learn how to [use service users](/docs/guides/integrate/service-users/authenticate-service-users) with ZITADEL. + ### Managers Any user, human or service user, can be given a [Manager](/concepts/structure/managers) role. Given a manager role, a user is not only an end-user of ZITADEL but can also manage certain aspects of ZITADEL itself. -## Constraints +### Federated users + +Federated users are identities that are managed by a third-party identity provider. +Users can login via an external identity provider, using [identity brokering](../features/identity-brokering) ("Single-sign-on"). +Federated user [accounts are linked](../features/account-linking) to internal users to be able to assign roles and keep an audit trail. + +### External users + +In a multi-tenancy architecture, you might use [organizations](organizations) to separate user groups. +By using [external user grants](../features/external-user-grant) an organization is able to invite users from another organization. +These invited users are called external users. + +## Considerations + +### Uniqueness of users Users can only exist within one [organization](/concepts/structure/organizations). It is currently not possible to move users between organizations. @@ -34,20 +53,30 @@ It is currently not possible to move users between organizations. User accounts are uniquely identified by their `id` or `loginname` in combination of the `organization domain` (eg, `road.runner@acme.zitadel.local`). You can use the same email address for different user accounts. -## Where to store users +### How to structure user pools -Depending on your [scenario](/guides/solution-scenarios/introduction), you might want to store all users in one organization (CIAM / B2C) or create a new organization for each logical group of users, e.g. each business customer (B2B). -With a project grant, you can delegate the access management of an organization's project to another organization. -You can also create a user grant to allow single users to access projects from another organization. -This is also an alternative to cases where you might want to move users between organizations. +Consider this general recommendation as a starting point: -## Identity linking +- Create one organization ("default organization") for your own company +- Configure projects and applications in the default organization +- Structure users in organizations based on common domains that are self-managed (eg, company) +- Grant your projects to the organizations, allow Managers to give granted roles to their users -When using external identity providers (ie. social login, enterprise SSO), a user account will be created in ZITADEL. -The external identity will be linked to the ZITADEL account. +You might want to adjust this general setup based on your [scenario](/guides/solution-scenarios/introduction). -You can link multiple external accounts to a ZITADEl account. -If login with "Username / Password" (ie. local account) is enabled and you have configured external IDPs, the user can decide if she wants to login with an external IDP or the local account. -When only one external identity provider is configured and login with "Username / Password" is disabled, then the user is immediately redirected to the external identity provider. +One important consideration in the setup is that you can only have a domain once for an organization. If you have multiple teams working with the same email address, you might need to add them to one single organization that has the domain verified for the teams' domain. -More about how to manage your users read our [users guide](../../guides/manage/console/users). \ No newline at end of file +For a CIAM / B2C setup, you might want to store all users in one organization and allow that organization to use a specific set of social logins. +In a multitenancy / B2B scenario, you might have thousands of smaller teams. + +#### Hierarchy + +There is no concept of hierarchies and inheritance based on users or organizations. +This is why we recommend to structure users along the smallest unit of groups. +You can use organization metadata or your own business logic to describe a hierarchy of organizations or user groups. + +## References + +- [Manage users in the Console](../../guides/manage/console/users) +- [ZITADEL APIs: Users](/docs/category/apis/resources/mgmt/users) +- [User onboarding and registration](/docs/guides/integrate/onboarding) diff --git a/docs/docs/examples/secure-api/go.md b/docs/docs/examples/secure-api/go.md index f6a1fd7474..ab45e2a6b7 100644 --- a/docs/docs/examples/secure-api/go.md +++ b/docs/docs/examples/secure-api/go.md @@ -8,7 +8,7 @@ OAuth 2 Token Introspection. At the end of the guide you should have an API with a protected endpoint. -> This documentation references our HTTP example. There's also one for GRPC. Check them out on [GitHub](https://github.com/zitadel/zitadel-go/tree/authorization/example/api). +> This documentation references our HTTP example. There's also one for GRPC. Check them out on [GitHub](https://github.com/zitadel/zitadel-go/blob/next/example/api/http/main.go). ## Set up application and obtain keys diff --git a/docs/docs/guides/integrate/login-ui/_update_session_webauthn.mdx b/docs/docs/guides/integrate/login-ui/_update_session_webauthn.mdx index 0acbf805f9..430a31b33b 100644 --- a/docs/docs/guides/integrate/login-ui/_update_session_webauthn.mdx +++ b/docs/docs/guides/integrate/login-ui/_update_session_webauthn.mdx @@ -13,7 +13,6 @@ curl --request PATCH \ --header 'Authorization: Bearer '"$TOKEN"''\ --header 'Content-Type: application/json' \ --data '{ - "sessionToken": "yMDi6uVPJAcphbbz0LaxC07ihWkNTe7m0Xqch8SzfM5Cz3HSIQIDZ65x1f5Qal0jxz0MEyo-_zYcUg", "checks": { "webAuthN": { "credentialAssertionData": {} diff --git a/docs/docs/guides/integrate/login-ui/mfa.mdx b/docs/docs/guides/integrate/login-ui/mfa.mdx index 65ee8da475..8f6fe60e37 100644 --- a/docs/docs/guides/integrate/login-ui/mfa.mdx +++ b/docs/docs/guides/integrate/login-ui/mfa.mdx @@ -140,7 +140,6 @@ curl --request PATCH \ --header 'Accept: application/json' \ --header 'Content-Type: application/json' \ --data '{ - "sessionToken": "W3mEoesTiYOsiR1LYUCRw3vaEwXKLGDTsqOV_bkOhlah_-ZbuiLgvnzADwe_iYMusbwkMhp7VfMn8j", "checks": { "totp": { "code": "323764" @@ -270,7 +269,6 @@ curl --request PATCH \ --header 'Authorization: Bearer '"$TOKEN"'' \ --header 'Content-Type: application/json' \ --data '{ - "sessionToken": "W3mEoesTiYOsiR1LYUCRw3WaFwXKLGDRsqOV_bkOhlah_-ZpuiLgvnzADwe_iYMusbwkMhp7VfMn8g", "checks": { "otpSms": { "code": "3237642" @@ -359,7 +357,6 @@ curl --request PATCH \ --header 'Authorization: Bearer '"$TOKEN"'' \ --header 'Content-Type: application/json' \ --data '{ - "sessionToken": "W3mEoesTiYOsiR1LYUCRw3WaFwXKLGDRsqOV_bkOhlah_-ZpuiLgvnzADwe_iYMusbwkMhp7VfMn8g", "checks": { "otpEmail": { "code": "3237642" diff --git a/docs/docs/guides/integrate/login-ui/typescript-repo.mdx b/docs/docs/guides/integrate/login-ui/typescript-repo.mdx index a47090eb3b..817a99645a 100644 --- a/docs/docs/guides/integrate/login-ui/typescript-repo.mdx +++ b/docs/docs/guides/integrate/login-ui/typescript-repo.mdx @@ -76,12 +76,14 @@ The application can then request a token calling the /token endpoint of the logi - [ ] AuthRequest UI locales - Multifactor - [x] Passkeys - - [ ] TOTP + - [x] TOTP + - [x] OTP via email + - [x] OTP via SMS - Passwordless - [x] Passkeys - Security Prompts - [x] Setup Passkey as Passwordless method - - [ ] Setup TOTP as Multifactor + - [x] Setup TOTP as Multifactor - [ ] Password Change - Login - [x] Email Password @@ -89,7 +91,7 @@ The application can then request a token calling the /token endpoint of the logi - [x] IDPs - [x] Google - [ ] GitHub - - [ ] GitLab + - [x] GitLab - [ ] Azure - [ ] Apple - Register @@ -104,8 +106,12 @@ Authenticated users are directly able to self service their account. - [ ] Change user information - [ ] Password Change - [x] Setup Passkey -- [ ] Setup Multifactor TOTP -- [ ] Setup Multifactor Passkey (U2F) +- [x] Setup Multifactor + - [x] Passkeys + - [x] TOTP + - [x] OTP via email + - [x] OTP via SMS +- [x] Setup Multifactor Passkey (U2F) - [ ] Validate Account (email verification) ### Setup diff --git a/docs/docs/guides/integrate/login-ui/username-password.mdx b/docs/docs/guides/integrate/login-ui/username-password.mdx index 2f1dcf4be1..1be65bebce 100644 --- a/docs/docs/guides/integrate/login-ui/username-password.mdx +++ b/docs/docs/guides/integrate/login-ui/username-password.mdx @@ -163,7 +163,7 @@ Checkout how to handle [session validation](./session-validation). Your session already has a username check. The next step is to check the password. -To update an existing session, add the session ID to the URL and the session token you got in the previous step to the request body. +To update an existing session, add the session ID you got in the previous step to the URL. ### Request @@ -174,7 +174,6 @@ curl --request PATCH \ --header 'Authorization: Bearer '"$TOKEN"''\ --header 'Content-Type: application/json' \ --data '{ - "sessionToken": "yMDi6uVPJAcphbbz0LaxC07ihWkNTe7m0Xqch8SzfM5Cz3HSIQIDZ65x1f5Qal0jxz0MEyo-_zYcUg", "checks": { "password": { "password": "Secr3tP4ssw0rd!" diff --git a/docs/docs/guides/manage/console/_application-types.mdx b/docs/docs/guides/manage/console/_application-types.mdx new file mode 100644 index 0000000000..53bbff2753 --- /dev/null +++ b/docs/docs/guides/manage/console/_application-types.mdx @@ -0,0 +1,5 @@ +- [**Web**](#web) (Server-side web applications such as java, .net, ...) +- [**Native**](#native) (native, mobile or desktop applications) +- [**User Agent**](#user-agent) (single page applications / SPA, generally JavaScript executed in the browser) +- [**API**](#api) (OAuth Resource Server) +- [**SAML**](#saml) \ No newline at end of file diff --git a/docs/docs/guides/manage/console/applications.mdx b/docs/docs/guides/manage/console/applications.mdx index ace8d32e20..3d143c3299 100644 --- a/docs/docs/guides/manage/console/applications.mdx +++ b/docs/docs/guides/manage/console/applications.mdx @@ -7,6 +7,7 @@ import ThemedImage from "@theme/ThemedImage"; import AuthType from "../../integrate/application/_auth-type.mdx"; import ReviewConfig from "../../integrate/application/_review-config.mdx"; +import AppType from "./_application-types.mdx"; ## What is an application? @@ -36,13 +37,9 @@ To add an application to your project, click on the add button and select your a ## Application Types -At the moment ZITADEL offers four client types: +At the moment ZITADEL offers five client types: -- [**Web**](#web) (Server-side web applications such as java, .net, ...) -- [**Native**](#native) (native, mobile or desktop applications) -- [**User Agent**](#user-agent) (single page applications / SPA, generally JavaScript executed in the browser) -- [**API**](#api) (OAuth Resource Server) -- [**SAML**](#saml) + The first three options (Web, Native and User Agent) require user interaction, the fourth option (API) has no direct user-interaction. Depending on the app type, there are small differences in the possible settings. diff --git a/docs/docs/guides/manage/console/default-settings.mdx b/docs/docs/guides/manage/console/default-settings.mdx index 4a0090a7c0..810ca5d0f3 100644 --- a/docs/docs/guides/manage/console/default-settings.mdx +++ b/docs/docs/guides/manage/console/default-settings.mdx @@ -26,8 +26,7 @@ When you configure your default settings, you can set the following: - [**Branding**](#branding): Appearance of the login interface. - [**Message Texts**](#message-texts): Text and internationalization for emails - [**Login Interface Texts**](#login-interface-texts): Text and internationalization for the login interface -- [**Languages**](#languages): Select which supported langauges are shown to your users. Set the default language if no context is provided. -- [**Privacy Policy**](#privacy-policy-and-tos): Links to your own Terms of Service and Privacy Policy regulations. Link to Help Page. +- [**External Links**](#external-links): Links to your own Terms of Service and Privacy Policy regulations, Help Page, Support email, documentation link... - [**OIDC Token Lifetimes and Expiration**](#oidc-token-lifetimes-and-expiration): Token lifetime and expiration settings. - [**Secret Generator**](#secret-generator): Appearance and expiration of the generated codes and secrets used in mails for verification etc. @@ -256,9 +255,10 @@ You can either set this attribute on your whole ZITADEL instance or just on some Please refer to the [configuration guide](/docs/guides/solution-scenarios/configurations#use-email-to-login) for more information. -## Privacy Policy and TOS +## External links With this setting you are able to configure your privacy policy, terms of service, help links and help/support email address. + On register each user has to accept these policies. This policy can be also be overriden by your organizations. @@ -269,8 +269,16 @@ Example: `https://demo.com/tos-{{.Lang}}` Privacy Policy + +Also you can set the link associated to the Documentation button in the console. Set an empty text if you don't want to show a Documentation button in your console. If you need a custom button to be shown in the console you can set the button text and the link associated to the button (if the button text is button no text will be shown). + +Custom button diff --git a/docs/docs/guides/manage/console/organizations.mdx b/docs/docs/guides/manage/console/organizations.mdx index 6763a09670..077ad4023e 100644 --- a/docs/docs/guides/manage/console/organizations.mdx +++ b/docs/docs/guides/manage/console/organizations.mdx @@ -114,7 +114,7 @@ Those settings are the same as on your instance. - [**Branding**](./default-settings#branding): Appearance of the login interface. - [**Message Texts**](./default-settings#message-texts): Text and internationalization for emails - [**Login Interface Texts**](./default-settings#login-interface-texts): Text and internationalization for the login interface -- [**Privacy Policy**](./default-settings#privacy-policy-and-tos): Links to your own Terms of Service and Privacy Policy regulations. Link to Help Page. +- [**External Links**](./default-settings#external-links): Links to your own Terms of Service and Privacy Policy regulations, Help Page, Support email, documentation link... If you need custom branding on a organization (for example in a B2B scenario, where organizations are allowed to use their custom design), navigate back to the home page, choose your organization in the header above, navigate to the organization settings and set the custom design here. diff --git a/docs/docs/guides/start/quickstart.mdx b/docs/docs/guides/start/quickstart.mdx index e0805a4a0a..e76c98bd05 100644 --- a/docs/docs/guides/start/quickstart.mdx +++ b/docs/docs/guides/start/quickstart.mdx @@ -181,7 +181,7 @@ As a user of the ZITADEL Cloud Customer Portal, you now can create multiple inst ![Add Role](/img/guides/quickstart/25.png) -### 6. Add authorizations to your project +### 6. Add authorizations to your project (optional) 1. Click on “Authorizations” on the top menu. diff --git a/docs/docs/legal/policies/rate-limit-policy.md b/docs/docs/legal/policies/rate-limit-policy.md index 378bab28e4..6075b7e6ab 100644 --- a/docs/docs/legal/policies/rate-limit-policy.md +++ b/docs/docs/legal/policies/rate-limit-policy.md @@ -3,7 +3,7 @@ title: Rate Limit Policy custom_edit_url: null --- -Last updated on April 20, 2023 +Last updated on April 24, 2024 This policy is an annex to the [Terms of Service](../terms-of-service) and clarifies your obligations while using our Services, specifically how we will use rate limiting to enforce certain aspects of our [Acceptable Use Policy](acceptable-use-policy). @@ -35,10 +35,12 @@ For ZITADEL Cloud, we have a rate limiting rule for login paths (login, register Rate limits are implemented with the following rules: -| Path | Description | Rate Limiting | One Minute Banning | -|--------------------------|----------------------------------------|--------------------------------------|----------------------------------------| -| /ui/login* | Global Login, Register and Reset Limit | 10 requests per second over a minute | 15 requests per second over 3 minutes | -| All other paths | All gRPC- and REST APIs as well as the ZITADEL Customer Portal | 10 requests per second over a minute | 10 requests per second over 3 minutes | +| Path | Description | Rate Limiting | One Minute Banning | +| -------------------- | -------------------------------------------------------------- | ------------------------------------ | ------------------------------------- | +| /ui/login\* | Global Login, Register and Reset Limit | 10 requests per second over a minute | 15 requests per second over 3 minutes | +| /oauth/v2/keys | OAuth/OpenID Public Keys Endpoint | 20 requests per second over a minute | 15 requests per second over 3 minutes | +| /oauth/v2/introspect | OAuth Introspection Endpoint | 20 requests per second over a minute | 15 requests per second over 3 minutes | +| All other paths | All gRPC- and REST APIs as well as the ZITADEL Customer Portal | 10 requests per second over a minute | 10 requests per second over 3 minutes | ## Load Testing diff --git a/docs/docs/sdk-examples/introduction.mdx b/docs/docs/sdk-examples/introduction.mdx index d3f279bbba..45e2465fb8 100644 --- a/docs/docs/sdk-examples/introduction.mdx +++ b/docs/docs/sdk-examples/introduction.mdx @@ -6,7 +6,7 @@ sidebar_label: Introduction You can integrate ZITADEL quickly into your application and be up and running within minutes. To achieve your goals as fast as possible, we provide you with SDKs, Example Repositories and Guides. -The SDKs and Integration depend on the framework and language you are using. +The SDKs and integration depend on the framework and language you are using. import { Frameworks } from "../../src/components/frameworks"; @@ -14,6 +14,12 @@ import { Frameworks } from "../../src/components/frameworks"; +To further streamline your setup, simply visit the console in ZITADEL where you can select one of the languages or frameworks. This will allow you to instantly set up the configuration for that specific sample in ZITADEL, ensuring you have everything you need to get started right away. + +![Console](/img/sdk-examples/console.png) + +To begin configuring login for any of these samples, start [here](https://zitadel.com/signin). + ### OIDC Libraries OIDC is a standard for authentication and most languages and frameworks do provide a OIDC library which can be easily integrated to your application. diff --git a/docs/docs/self-hosting/manage/database/_cockroachdb.mdx b/docs/docs/self-hosting/manage/database/_cockroachdb.mdx index 2836640669..edc3f139fd 100644 --- a/docs/docs/self-hosting/manage/database/_cockroachdb.mdx +++ b/docs/docs/self-hosting/manage/database/_cockroachdb.mdx @@ -2,6 +2,8 @@ The default database of ZITADEL is [CockroachDB](https://www.cockroachlabs.com). The SQL database provides a bunch of features like horizontal scalability, data regionality and many more. +Currently versions >= 23.2 are supported. + The default configuration of the database looks like this: ```yaml diff --git a/docs/docs/support/advisory/a10009.md b/docs/docs/support/advisory/a10009.md new file mode 100644 index 0000000000..7137fdceaf --- /dev/null +++ b/docs/docs/support/advisory/a10009.md @@ -0,0 +1,27 @@ +--- +title: Technical Advisory 10009 +--- + +## Date and Version + +Version: 2.53.0 + +Date: Calendar week 23/24 2024 + +## Description + +There were rare cases where Cockroachdb got blocked during runtime of ZITADEL and returned `WRITE_TOO_OLD`-errors to ZITADEL. The root cause of the problem is described in [this github issue of the database](https://github.com/cockroachdb/cockroach/issues/77119). The workaround provided by the database is enabling the `enable_durable_locking_for_serializable`-flag as described [here](https://github.com/cockroachdb/cockroach/issues/75456#issuecomment-1936277716). + +Because enabling flags requires admin privileges the statement must be executed manually or by executing `zitadel init` command. + +## Statement + +Ensure lock distribution for `FOR UPDATE`-statements on Cockroachdb. + +## Mitigation + +Cockroachdb version >= 23.2. + +## Impact + +Adding additional raft queries to `FOR UPDATE`-statements can impact performance slightly but ensures availability of the system. diff --git a/docs/docs/support/technical_advisory.mdx b/docs/docs/support/technical_advisory.mdx index d1a865f88d..565dae3904 100644 --- a/docs/docs/support/technical_advisory.mdx +++ b/docs/docs/support/technical_advisory.mdx @@ -149,11 +149,23 @@ We understand that these advisories may include breaking changes, and we aim to New flag to prefill projections during setup instead of after start Feature description - new flag `--init-projections` introduced to `zitadel setup` commands (`setup`, `start-from-setup`, `start-from-init`) + New flag `--init-projections` introduced to `zitadel setup` commands (`setup`, `start-from-setup`, `start-from-init`) 2.44.0, 2.43.6, 2.42.12 2024-01-25 + + + A-10009 + + Ensure lock distribution for `FOR UPDATE`-statements on Cockroachdb + Feature description + + Fixes rare cases where updating projections was blocked by a `WRITE_TOO_OLD`-error when using cockroachdb. + + 2.53.0 + 2024-05-27 + ## Subscribe to our Mailing List diff --git a/docs/sidebars.js b/docs/sidebars.js index 48eda263da..d0a0ab9cf0 100644 --- a/docs/sidebars.js +++ b/docs/sidebars.js @@ -474,17 +474,29 @@ module.exports = { "This part of our documentation contains ZITADEL specific or general concepts required to understand the system or our guides.", }, items: [ - "concepts/structure/instance", - "concepts/structure/organizations", - "concepts/structure/projects", - "concepts/structure/applications", - "concepts/structure/granted_projects", - "concepts/structure/users", - "concepts/structure/managers", - "concepts/structure/policies", { - type: "autogenerated", - dirName: "concepts/features", + type: "category", + label: "Resources", + collapsed: false, + items: [ + { + type: "autogenerated", + dirName: "concepts/structure", + } + ] + + }, + { + type: "category", + label: "Features", + collapsed: false, + items: [ + { + type: "autogenerated", + dirName: "concepts/features", + } + ] + }, { type: "autogenerated", diff --git a/docs/static/img/guides/console/external_links_1.png b/docs/static/img/guides/console/external_links_1.png new file mode 100644 index 0000000000..c14f432180 Binary files /dev/null and b/docs/static/img/guides/console/external_links_1.png differ diff --git a/docs/static/img/guides/console/external_links_2.png b/docs/static/img/guides/console/external_links_2.png new file mode 100644 index 0000000000..0f7e3f1a5f Binary files /dev/null and b/docs/static/img/guides/console/external_links_2.png differ diff --git a/docs/static/img/guides/console/privacypolicy.png b/docs/static/img/guides/console/privacypolicy.png deleted file mode 100644 index 4a5c9a96eb..0000000000 Binary files a/docs/static/img/guides/console/privacypolicy.png and /dev/null differ diff --git a/docs/static/img/sdk-examples/console.png b/docs/static/img/sdk-examples/console.png new file mode 100644 index 0000000000..4dce7de502 Binary files /dev/null and b/docs/static/img/sdk-examples/console.png differ diff --git a/e2e/cypress/e2e/instance/settings/notifications.cy.ts b/e2e/cypress/e2e/instance/settings/notifications.cy.ts index 24ac3488c6..ce500fc92e 100644 --- a/e2e/cypress/e2e/instance/settings/notifications.cy.ts +++ b/e2e/cypress/e2e/instance/settings/notifications.cy.ts @@ -32,6 +32,7 @@ describe('instance notifications', () => { cy.get('[formcontrolname="replyToAddress"]').clear().type('replyto1@example.com'); cy.get('[data-e2e="create-button"]').click(); cy.shouldConfirmSuccess(); + cy.get('[data-e2e="close-button"]').click(); cy.get('tr').contains('mailgun'); cy.get('tr').contains('smtp.mailgun.org:587'); cy.get('tr').contains('sender1@example.com'); @@ -51,6 +52,7 @@ describe('instance notifications', () => { cy.get('[formcontrolname="senderName"]').clear().type('Change1'); cy.get('[data-e2e="create-button"]').click(); cy.shouldConfirmSuccess(); + cy.get('[data-e2e="close-button"]').click(); rowSelector = `tr:contains('mailgun')`; cy.get(rowSelector).contains('mailgun'); cy.get(rowSelector).contains('smtp.mailgun.org:587'); @@ -81,6 +83,7 @@ describe('instance notifications', () => { cy.get('[formcontrolname="replyToAddress"]').clear().type('replyto2@example.com'); cy.get('[data-e2e="create-button"]').click(); cy.shouldConfirmSuccess(); + cy.get('[data-e2e="close-button"]').click(); rowSelector = `tr:contains('mailjet')`; cy.get(rowSelector).contains('mailjet'); cy.get(rowSelector).contains('in-v3.mailjet.com:587'); @@ -130,6 +133,51 @@ describe('instance notifications', () => { rowSelector = `tr:contains('mailgun')`; cy.get(rowSelector).should('not.exist'); }); + it(`should add Mailgun SMTP provider settings and activate it using wizard`, () => { + let rowSelector = `a:contains('Mailgun')`; + cy.visit(smtpPath); + cy.get(rowSelector).click(); + cy.get('[formcontrolname="hostAndPort"]').should('have.value', 'smtp.mailgun.org:587'); + cy.get('[formcontrolname="user"]').clear().type('user@example.com'); + cy.get('[formcontrolname="password"]').clear().type('password'); + cy.get('[data-e2e="continue-button"]').click(); + cy.get('[formcontrolname="senderAddress"]').clear().type('sender1@example.com'); + cy.get('[formcontrolname="senderName"]').clear().type('Test1'); + cy.get('[formcontrolname="replyToAddress"]').clear().type('replyto1@example.com'); + cy.get('[data-e2e="create-button"]').click(); + cy.shouldConfirmSuccess(); + cy.get('[data-e2e="activate-button"]').click(); + cy.shouldConfirmSuccess(); + cy.get('[data-e2e="close-button"]').click(); + rowSelector = `tr:contains('smtp.mailgun.org:587')`; + cy.get(rowSelector).find('[data-e2e="active-provider"]'); + cy.get(rowSelector).contains('mailgun'); + cy.get(rowSelector).contains('smtp.mailgun.org:587'); + cy.get(rowSelector).contains('sender1@example.com'); + }); + it(`should add Mailgun SMTP provider settings and deactivate it using wizard`, () => { + let rowSelector = `tr:contains('mailgun')`; + cy.visit(smtpPath); + cy.get(rowSelector).click(); + cy.get('[data-e2e="continue-button"]').click(); + cy.get('[data-e2e="create-button"]').click(); + cy.shouldConfirmSuccess(); + cy.get('[data-e2e="deactivate-button"]').click(); + cy.shouldConfirmSuccess(); + cy.get('[data-e2e="close-button"]').click(); + rowSelector = `tr:contains('mailgun')`; + cy.get(rowSelector).find('[data-e2e="active-provider"]').should('not.exist'); + }); + it(`should delete Mailgun SMTP provider`, () => { + let rowSelector = `tr:contains('mailgun')`; + cy.visit(smtpPath); + cy.get(rowSelector).find('[data-e2e="delete-provider-button"]').click({ force: true }); + cy.get('[data-e2e="confirm-dialog-input"]').focus().type('Test1'); + cy.get('[data-e2e="confirm-dialog-button"]').click(); + cy.shouldConfirmSuccess(); + rowSelector = `tr:contains('mailgun')`; + cy.get(rowSelector).should('not.exist'); + }); }); describe('sms settings', () => { diff --git a/e2e/cypress/e2e/organization/organizations.cy.ts b/e2e/cypress/e2e/organization/organizations.cy.ts index b0e1f515e9..37e29e7f48 100644 --- a/e2e/cypress/e2e/organization/organizations.cy.ts +++ b/e2e/cypress/e2e/organization/organizations.cy.ts @@ -26,8 +26,9 @@ describe('organizations', () => { it('should delete an org', () => { cy.visit(orgsPath); cy.contains('tr', newOrg).click(); + cy.wait(3000); cy.get('[data-e2e="actions"]').click(); - cy.get('[data-e2e="delete"]', { timeout: 3000 }).should('be.visible').click(); + cy.get('[data-e2e="delete"]', { timeout: 1000 }).should('be.visible').click(); cy.get('[data-e2e="confirm-dialog-input"]').focus().clear().type(newOrg); cy.get('[data-e2e="confirm-dialog-button"]').click(); cy.shouldConfirmSuccess(); diff --git a/e2e/cypress/e2e/settings/external-links-settings.cy.ts b/e2e/cypress/e2e/settings/external-links-settings.cy.ts new file mode 100644 index 0000000000..9d8d9fcfff --- /dev/null +++ b/e2e/cypress/e2e/settings/external-links-settings.cy.ts @@ -0,0 +1,104 @@ +import { ensureExternalLinksSettingsSet } from 'support/api/external-links-settings'; +import { apiAuth } from '../../support/api/apiauth'; + +describe('instance external link settings', () => { + const externalLinkSettingsPath = `/instance?id=privacypolicy`; + + const tosLink = 'https://zitadel.com/docs/legal/terms-of-service'; + const privacyPolicyLink = 'https://zitadel.com/docs/legal/privacy-policy'; + const helpLink = ''; + const supportEmail = ''; + const customLink = ''; + const customLinkText = ''; + const docsLink = 'https://zitadel.com/docs'; + + beforeEach(`ensure they are set`, () => { + apiAuth().then((apiCallProperties) => { + ensureExternalLinksSettingsSet(apiCallProperties, tosLink, privacyPolicyLink, docsLink); + cy.visit(externalLinkSettingsPath); + }); + }); + + it(`should have default settings`, () => { + cy.get('[formcontrolname="tosLink"]').should('value', tosLink); + cy.get('[formcontrolname="privacyLink"]').should('value', privacyPolicyLink); + cy.get('[formcontrolname="helpLink"]').should('value', helpLink); + cy.get('[formcontrolname="supportEmail"]').should('value', supportEmail); + cy.get('[formcontrolname="customLink"]').should('value', customLink); + cy.get('[formcontrolname="customLinkText"]').should('value', customLinkText); + cy.get('[formcontrolname="docsLink"]').should('value', docsLink); + }); + + it(`should update external links`, () => { + cy.get('[formcontrolname="tosLink"]').clear().type('tosLink2'); + cy.get('[formcontrolname="privacyLink"]').clear().type('privacyLink2'); + cy.get('[formcontrolname="helpLink"]').clear().type('helpLink'); + cy.get('[formcontrolname="supportEmail"]').clear().type('support@example.com'); + cy.get('[formcontrolname="customLink"]').clear().type('customLink'); + cy.get('[formcontrolname="customLinkText"]').clear().type('customLinkText'); + cy.get('[formcontrolname="docsLink"]').clear().type('docsLink'); + cy.get('[data-e2e="save-button"]').click(); + cy.shouldConfirmSuccess(); + }); + + it(`should return to default values`, () => { + cy.get('[formcontrolname="tosLink"]').should('value', tosLink); + cy.get('[formcontrolname="privacyLink"]').should('value', privacyPolicyLink); + cy.get('[formcontrolname="helpLink"]').should('value', helpLink); + cy.get('[formcontrolname="supportEmail"]').should('value', supportEmail); + cy.get('[formcontrolname="customLink"]').should('value', customLink); + cy.get('[formcontrolname="customLinkText"]').should('value', customLinkText); + cy.get('[formcontrolname="docsLink"]').should('value', docsLink); + }); +}); + +describe('instance external link settings', () => { + const externalLinkSettingsPath = `/org-settings?id=privacypolicy`; + + const tosLink = 'https://zitadel.com/docs/legal/terms-of-service'; + const privacyPolicyLink = 'https://zitadel.com/docs/legal/privacy-policy'; + const helpLink = ''; + const supportEmail = ''; + const customLink = ''; + const customLinkText = ''; + const docsLink = 'https://zitadel.com/docs'; + + beforeEach(() => { + cy.context().as('ctx'); + cy.visit(externalLinkSettingsPath); + }); + + it(`should have default settings`, () => { + cy.get('[formcontrolname="tosLink"]').should('value', tosLink); + cy.get('[formcontrolname="privacyLink"]').should('value', privacyPolicyLink); + cy.get('[formcontrolname="helpLink"]').should('value', helpLink); + cy.get('[formcontrolname="supportEmail"]').should('value', supportEmail); + cy.get('[formcontrolname="customLink"]').should('value', customLink); + cy.get('[formcontrolname="customLinkText"]').should('value', customLinkText); + cy.get('[formcontrolname="docsLink"]').should('value', docsLink); + }); + + it(`should update external links`, () => { + cy.get('[formcontrolname="tosLink"]').clear().type('tosLink2'); + cy.get('[formcontrolname="privacyLink"]').clear().type('privacyLink2'); + cy.get('[formcontrolname="helpLink"]').clear().type('helpLink'); + cy.get('[formcontrolname="supportEmail"]').clear().type('support@example.com'); + cy.get('[formcontrolname="customLink"]').clear().type('customLink'); + cy.get('[formcontrolname="customLinkText"]').clear().type('customLinkText'); + cy.get('[formcontrolname="docsLink"]').clear().type('docsLink'); + cy.get('[data-e2e="save-button"]').click(); + cy.shouldConfirmSuccess(); + }); + + it(`should return to default values`, () => { + cy.get('[data-e2e="reset-button"]').click(); + cy.get('[data-e2e="confirm-dialog-button"]').click(); + cy.get('[formcontrolname="tosLink"]').should('value', tosLink); + cy.get('[formcontrolname="privacyLink"]').should('value', privacyPolicyLink); + cy.get('[formcontrolname="helpLink"]').should('value', helpLink); + cy.get('[formcontrolname="supportEmail"]').should('value', supportEmail); + cy.get('[formcontrolname="customLink"]').should('value', customLink); + cy.get('[formcontrolname="customLinkText"]').should('value', customLinkText); + cy.get('[formcontrolname="docsLink"]').should('value', docsLink); + }); +}); diff --git a/e2e/cypress/support/api/external-links-settings.ts b/e2e/cypress/support/api/external-links-settings.ts new file mode 100644 index 0000000000..eb4e30a3a2 --- /dev/null +++ b/e2e/cypress/support/api/external-links-settings.ts @@ -0,0 +1,32 @@ +import { ensureSetting } from './ensure'; +import { API } from './types'; + +export function ensureExternalLinksSettingsSet(api: API, tosLink: string, privacyPolicyLink: string, docsLink: string) { + return ensureSetting( + api, + `${api.adminBaseURL}/policies/privacy`, + (body: any) => { + const result = { + sequence: body.policy?.details?.sequence, + id: body.policy.id, + entity: null, + }; + + if ( + body.policy && + body.policy.tosLink === tosLink && + body.policy.privacyLink === privacyPolicyLink && + body.policy.docsLink === docsLink + ) { + return { ...result, entity: body.policy }; + } + return result; + }, + `${api.adminBaseURL}/policies/privacy`, + { + tosLink, + privacyLink: privacyPolicyLink, + docsLink, + }, + ); +} diff --git a/go.mod b/go.mod index cb443c0053..9d0da91cba 100644 --- a/go.mod +++ b/go.mod @@ -49,7 +49,7 @@ require ( github.com/nicksnyder/go-i18n/v2 v2.4.0 github.com/pquerna/otp v1.4.0 github.com/rakyll/statik v0.1.7 - github.com/rs/cors v1.10.1 + github.com/rs/cors v1.11.0 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 github.com/sony/sonyflake v1.2.0 github.com/spf13/cobra v1.8.0 @@ -58,20 +58,20 @@ require ( github.com/superseriousbusiness/exifremove v0.0.0-20210330092427-6acd27eac203 github.com/ttacon/libphonenumber v1.2.1 github.com/zitadel/logging v0.6.0 - github.com/zitadel/oidc/v3 v3.21.0 + github.com/zitadel/oidc/v3 v3.23.2 github.com/zitadel/passwap v0.5.0 github.com/zitadel/saml v0.1.3 github.com/zitadel/schema v1.3.0 - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.50.0 - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 - go.opentelemetry.io/otel v1.25.0 - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.25.0 - go.opentelemetry.io/otel/exporters/prometheus v0.47.0 - go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.25.0 - go.opentelemetry.io/otel/metric v1.25.0 - go.opentelemetry.io/otel/sdk v1.25.0 - go.opentelemetry.io/otel/sdk/metric v1.25.0 - go.opentelemetry.io/otel/trace v1.25.0 + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0 + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 + go.opentelemetry.io/otel v1.26.0 + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.26.0 + go.opentelemetry.io/otel/exporters/prometheus v0.48.0 + go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0 + go.opentelemetry.io/otel/metric v1.26.0 + go.opentelemetry.io/otel/sdk v1.26.0 + go.opentelemetry.io/otel/sdk/metric v1.26.0 + go.opentelemetry.io/otel/trace v1.26.0 go.uber.org/mock v0.4.0 golang.org/x/crypto v0.22.0 golang.org/x/exp v0.0.0-20240409090435-93d18d7e34b8 @@ -80,9 +80,9 @@ require ( golang.org/x/sync v0.7.0 golang.org/x/text v0.14.0 google.golang.org/api v0.172.0 - google.golang.org/genproto/googleapis/api v0.0.0-20240412170617-26222e5d3d56 + google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 google.golang.org/grpc v1.63.2 - google.golang.org/protobuf v1.33.0 + google.golang.org/protobuf v1.34.0 sigs.k8s.io/yaml v1.4.0 ) @@ -116,7 +116,7 @@ require ( go.uber.org/multierr v1.11.0 // indirect golang.org/x/time v0.5.0 // indirect google.golang.org/genproto v0.0.0-20240412170617-26222e5d3d56 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240412170617-26222e5d3d56 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect ) require ( @@ -183,8 +183,8 @@ require ( github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.19.0 github.com/prometheus/client_model v0.6.1 // indirect - github.com/prometheus/common v0.52.3 // indirect - github.com/prometheus/procfs v0.13.0 // indirect + github.com/prometheus/common v0.53.0 // indirect + github.com/prometheus/procfs v0.14.0 // indirect github.com/rs/xid v1.5.0 // indirect github.com/russellhaering/goxmldsig v1.4.0 // indirect github.com/sirupsen/logrus v1.9.3 @@ -196,7 +196,7 @@ require ( github.com/x448/float16 v0.8.4 // indirect github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.25.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 // indirect go.opentelemetry.io/proto/otlp v1.2.0 // indirect golang.org/x/sys v0.19.0 gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/go.sum b/go.sum index 85420a32f2..dd1521bb3f 100644 --- a/go.sum +++ b/go.sum @@ -618,16 +618,16 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8 github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= -github.com/prometheus/common v0.52.3 h1:5f8uj6ZwHSscOGNdIQg6OiZv/ybiK2CO2q2drVZAQSA= -github.com/prometheus/common v0.52.3/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U= +github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE= +github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.3.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= -github.com/prometheus/procfs v0.13.0 h1:GqzLlQyfsPbaEHaQkO7tbDlriv/4o5Hudv6OXHGKX7o= -github.com/prometheus/procfs v0.13.0/go.mod h1:cd4PFCR54QLnGKPaKGA6l+cfuNXtht43ZKY6tow0Y1g= +github.com/prometheus/procfs v0.14.0 h1:Lw4VdGGoKEZilJsayHf0B+9YgLGREba2C6xr+Fdfq6s= +github.com/prometheus/procfs v0.14.0/go.mod h1:XL+Iwz8k8ZabyZfMFHPiilCniixqQarAy5Mu67pHlNQ= github.com/rakyll/statik v0.1.7 h1:OF3QCZUuyPxuGEP7B4ypUa7sB/iHtqOTDYZXGM8KOdQ= github.com/rakyll/statik v0.1.7/go.mod h1:AlZONWzMtEnMs7W4e/1LURLiI49pIMmp6V9Unghqrcc= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= @@ -639,8 +639,8 @@ github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6po github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= -github.com/rs/cors v1.10.1 h1:L0uuZVXIKlI1SShY2nhFfo44TYvDPQ1w4oFkUJNfhyo= -github.com/rs/cors v1.10.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= +github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po= +github.com/rs/cors v1.11.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= github.com/rs/xid v1.5.0 h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc= github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= github.com/russellhaering/goxmldsig v1.4.0 h1:8UcDh/xGyQiyrW+Fq5t8f+l2DLB1+zlhYzkPUJ7Qhys= @@ -731,8 +731,8 @@ github.com/zenazn/goji v1.0.1 h1:4lbD8Mx2h7IvloP7r2C0D6ltZP6Ufip8Hn0wmSK5LR8= github.com/zenazn/goji v1.0.1/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= github.com/zitadel/logging v0.6.0 h1:t5Nnt//r+m2ZhhoTmoPX+c96pbMarqJvW1Vq6xFTank= github.com/zitadel/logging v0.6.0/go.mod h1:Y4CyAXHpl3Mig6JOszcV5Rqqsojj+3n7y2F591Mp/ow= -github.com/zitadel/oidc/v3 v3.21.0 h1:dvhPLAOCJQHxZq+1vqd2+TYu1EzwrHhnPSSh4nVamgo= -github.com/zitadel/oidc/v3 v3.21.0/go.mod h1:3uCwJc680oWoTBdzIppMZQS+VNxq+sVcwgodbreuatM= +github.com/zitadel/oidc/v3 v3.23.2 h1:vRUM6SKudr6WR/lqxue4cvCbgR+IdEJGVBklucKKXgk= +github.com/zitadel/oidc/v3 v3.23.2/go.mod h1:9snlhm3W/GNURqxtchjL1AAuClWRZ2NTkn9sLs1WYfM= github.com/zitadel/passwap v0.5.0 h1:kFMoRyo0GnxtOz7j9+r/CsRwSCjHGRaAKoUe69NwPvs= github.com/zitadel/passwap v0.5.0/go.mod h1:uqY7D3jqdTFcKsW0Q3Pcv5qDMmSHpVTzUZewUKC1KZA= github.com/zitadel/saml v0.1.3 h1:LI4DOCVyyU1qKPkzs3vrGcA5J3H4pH3+CL9zr9ShkpM= @@ -746,28 +746,28 @@ go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.50.0 h1:zvpPXY7RfYAGSdYQLjp6zxdJNSYD/+FFoCTQN9IPxBs= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.50.0/go.mod h1:BMn8NB1vsxTljvuorms2hyOs8IBuuBEq0pl7ltOfy30= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 h1:cEPbyTSEHlQR89XVlyo78gqluF8Y3oMeBkXGWzQsfXY= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0/go.mod h1:DKdbWcT4GH1D0Y3Sqt/PFXt2naRKDWtU+eE6oLdFNA8= -go.opentelemetry.io/otel v1.25.0 h1:gldB5FfhRl7OJQbUHt/8s0a7cE8fbsPAtdpRaApKy4k= -go.opentelemetry.io/otel v1.25.0/go.mod h1:Wa2ds5NOXEMkCmUou1WA7ZBfLTHWIsp034OVD7AO+Vg= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.25.0 h1:dT33yIHtmsqpixFsSQPwNeY5drM9wTcoL8h0FWF4oGM= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.25.0/go.mod h1:h95q0LBGh7hlAC08X2DhSeyIG02YQ0UyioTCVAqRPmc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.25.0 h1:vOL89uRfOCCNIjkisd0r7SEdJF3ZJFyCNY34fdZs8eU= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.25.0/go.mod h1:8GlBGcDk8KKi7n+2S4BT/CPZQYH3erLu0/k64r1MYgo= -go.opentelemetry.io/otel/exporters/prometheus v0.47.0 h1:OL6yk1Z/pEGdDnrBbxSsH+t4FY1zXfBRGd7bjwhlMLU= -go.opentelemetry.io/otel/exporters/prometheus v0.47.0/go.mod h1:xF3N4OSICZDVbbYZydz9MHFro1RjmkPUKEvar2utG+Q= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.25.0 h1:0vZZdECYzhTt9MKQZ5qQ0V+J3MFu4MQaQ3COfugF+FQ= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.25.0/go.mod h1:e7iXx3HjaSSBXfy9ykVUlupS2Vp7LBIBuT21ousM2Hk= -go.opentelemetry.io/otel/metric v1.25.0 h1:LUKbS7ArpFL/I2jJHdJcqMGxkRdxpPHE0VU/D4NuEwA= -go.opentelemetry.io/otel/metric v1.25.0/go.mod h1:rkDLUSd2lC5lq2dFNrX9LGAbINP5B7WBkC78RXCpH5s= -go.opentelemetry.io/otel/sdk v1.25.0 h1:PDryEJPC8YJZQSyLY5eqLeafHtG+X7FWnf3aXMtxbqo= -go.opentelemetry.io/otel/sdk v1.25.0/go.mod h1:oFgzCM2zdsxKzz6zwpTZYLLQsFwc+K0daArPdIhuxkw= -go.opentelemetry.io/otel/sdk/metric v1.25.0 h1:7CiHOy08LbrxMAp4vWpbiPcklunUshVpAvGBrdDRlGw= -go.opentelemetry.io/otel/sdk/metric v1.25.0/go.mod h1:LzwoKptdbBBdYfvtGCzGwk6GWMA3aUzBOwtQpR6Nz7o= -go.opentelemetry.io/otel/trace v1.25.0 h1:tqukZGLwQYRIFtSQM2u2+yfMVTgGVeqRLPUYx1Dq6RM= -go.opentelemetry.io/otel/trace v1.25.0/go.mod h1:hCCs70XM/ljO+BeQkyFnbK28SBIJ/Emuha+ccrCRT7I= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0 h1:A3SayB3rNyt+1S6qpI9mHPkeHTZbD7XILEqWnYZb2l0= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0/go.mod h1:27iA5uvhuRNmalO+iEUdVn5ZMj2qy10Mm+XRIpRmyuU= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 h1:Xs2Ncz0gNihqu9iosIZ5SkBbWo5T8JhhLJFMQL1qmLI= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0/go.mod h1:vy+2G/6NvVMpwGX/NyLqcC41fxepnuKHk16E6IZUcJc= +go.opentelemetry.io/otel v1.26.0 h1:LQwgL5s/1W7YiiRwxf03QGnWLb2HW4pLiAhaA5cZXBs= +go.opentelemetry.io/otel v1.26.0/go.mod h1:UmLkJHUAidDval2EICqBMbnAd0/m2vmpf/dAM+fvFs4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 h1:1u/AyyOqAWzy+SkPxDpahCNZParHV8Vid1RnI2clyDE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0/go.mod h1:z46paqbJ9l7c9fIPCXTqTGwhQZ5XoTIsfeFYWboizjs= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.26.0 h1:Waw9Wfpo/IXzOI8bCB7DIk+0JZcqqsyn1JFnAc+iam8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.26.0/go.mod h1:wnJIG4fOqyynOnnQF/eQb4/16VlX2EJAHhHgqIqWfAo= +go.opentelemetry.io/otel/exporters/prometheus v0.48.0 h1:sBQe3VNGUjY9IKWQC6z2lNqa5iGbDSxhs60ABwK4y0s= +go.opentelemetry.io/otel/exporters/prometheus v0.48.0/go.mod h1:DtrbMzoZWwQHyrQmCfLam5DZbnmorsGbOtTbYHycU5o= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0 h1:0W5o9SzoR15ocYHEQfvfipzcNog1lBxOLfnex91Hk6s= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0/go.mod h1:zVZ8nz+VSggWmnh6tTsJqXQ7rU4xLwRtna1M4x5jq58= +go.opentelemetry.io/otel/metric v1.26.0 h1:7S39CLuY5Jgg9CrnA9HHiEjGMF/X2VHvoXGgSllRz30= +go.opentelemetry.io/otel/metric v1.26.0/go.mod h1:SY+rHOI4cEawI9a7N1A4nIg/nTQXe1ccCNWYOJUrpX4= +go.opentelemetry.io/otel/sdk v1.26.0 h1:Y7bumHf5tAiDlRYFmGqetNcLaVUZmh4iYfmGxtmz7F8= +go.opentelemetry.io/otel/sdk v1.26.0/go.mod h1:0p8MXpqLeJ0pzcszQQN4F0S5FVjBLgypeGSngLsmirs= +go.opentelemetry.io/otel/sdk/metric v1.26.0 h1:cWSks5tfriHPdWFnl+qpX3P681aAYqlZHcAyHw5aU9Y= +go.opentelemetry.io/otel/sdk/metric v1.26.0/go.mod h1:ClMFFknnThJCksebJwz7KIyEDHO+nTB6gK8obLy8RyE= +go.opentelemetry.io/otel/trace v1.26.0 h1:1ieeAUb4y0TE26jUFrCIXKpTuVK7uJGN9/Z/2LP5sQA= +go.opentelemetry.io/otel/trace v1.26.0/go.mod h1:4iDxvGDQuUkHve82hJJ8UqrwswHYsZuWCBllGV2U2y0= go.opentelemetry.io/proto/otlp v1.2.0 h1:pVeZGk7nXDC9O2hncA6nHldxEjm6LByfA2aN8IOkz94= go.opentelemetry.io/proto/otlp v1.2.0/go.mod h1:gGpR8txAl5M03pDhMC79G6SdqNV26naRm/KDsgaHD8A= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= @@ -991,10 +991,10 @@ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEY google.golang.org/genproto v0.0.0-20210126160654-44e461bb6506/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20240412170617-26222e5d3d56 h1:LlcUFJ4BLmJVS4Kly+WCK7LQqcevmycHj88EPgyhNx8= google.golang.org/genproto v0.0.0-20240412170617-26222e5d3d56/go.mod h1:n1CaIKYMIlxFt1zJE/1kU40YpSL0drGMbl0Idum1VSs= -google.golang.org/genproto/googleapis/api v0.0.0-20240412170617-26222e5d3d56 h1:KuFzeG+qPmpT8KpJXcrKAyeHhn64dgEICWlccP9qp0U= -google.golang.org/genproto/googleapis/api v0.0.0-20240412170617-26222e5d3d56/go.mod h1:wTHjrkbcS8AoQbb/0v9bFIPItZQPAsyVfgG9YPUhjAM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240412170617-26222e5d3d56 h1:zviK8GX4VlMstrK3JkexM5UHjH1VOkRebH9y3jhSBGk= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240412170617-26222e5d3d56/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= +google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 h1:DTJM0R8LECCgFeUwApvcEJHz85HLagW8uRENYxHh1ww= +google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6/go.mod h1:10yRODfgim2/T8csjQsMPgZOMvtytXKTDRzH6HRGzRw= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 h1:DujSIu+2tC9Ht0aPNA7jgj23Iq8Ewi5sgkQ++wdvonE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= @@ -1022,8 +1022,8 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= -google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.0 h1:Qo/qEd2RZPCf2nKuorzksSknv0d3ERwp1vFG38gSmH4= +google.golang.org/protobuf v1.34.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/internal/api/grpc/action/v3alpha/execution_integration_test.go b/internal/api/grpc/action/v3alpha/execution_integration_test.go index 4ca1b97d6f..fcbdb2b576 100644 --- a/internal/api/grpc/action/v3alpha/execution_integration_test.go +++ b/internal/api/grpc/action/v3alpha/execution_integration_test.go @@ -196,6 +196,33 @@ func TestServer_SetExecution_Request_Include(t *testing.T) { executionTargetsSingleTarget(targetResp.GetId()), ) + circularExecutionService := &action.Condition{ + ConditionType: &action.Condition_Request{ + Request: &action.RequestExecution{ + Condition: &action.RequestExecution_Service{ + Service: "zitadel.session.v2beta.SessionService", + }, + }, + }, + } + Tester.SetExecution(CTX, t, + circularExecutionService, + executionTargetsSingleInclude(executionCond), + ) + circularExecutionMethod := &action.Condition{ + ConditionType: &action.Condition_Request{ + Request: &action.RequestExecution{ + Condition: &action.RequestExecution_Method{ + Method: "/zitadel.session.v2beta.SessionService/ListSessions", + }, + }, + }, + } + Tester.SetExecution(CTX, t, + circularExecutionMethod, + executionTargetsSingleInclude(circularExecutionService), + ) + tests := []struct { name string ctx context.Context @@ -203,6 +230,15 @@ func TestServer_SetExecution_Request_Include(t *testing.T) { want *action.SetExecutionResponse wantErr bool }{ + { + name: "method, circular error", + ctx: CTX, + req: &action.SetExecutionRequest{ + Condition: circularExecutionService, + Targets: executionTargetsSingleInclude(circularExecutionMethod), + }, + wantErr: true, + }, { name: "method, ok", ctx: CTX, @@ -247,30 +283,6 @@ func TestServer_SetExecution_Request_Include(t *testing.T) { }, }, }, - /* circular - { - name: "all, ok", - ctx: CTX, - req: &action.SetExecutionRequest{ - Condition: &action.Condition{ - ConditionType: &action.Condition_Request{ - Request: &action.RequestExecution{ - Condition: &action.RequestExecution_All{ - All: true, - }, - }, - }, - }, - Targets: executionTargetsSingleInclude(executionCond), - }, - want: &action.SetExecutionResponse{ - Details: &object.Details{ - ChangeDate: timestamppb.Now(), - ResourceOwner: Tester.Instance.InstanceID(), - }, - }, - }, - */ } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/internal/api/grpc/admin/export.go b/internal/api/grpc/admin/export.go index 13a11c14db..9a8f075c7c 100644 --- a/internal/api/grpc/admin/export.go +++ b/internal/api/grpc/admin/export.go @@ -534,10 +534,13 @@ func (s *Server) getPrivacyPolicy(ctx context.Context, orgID string) (_ *managem } if !queriedPrivacy.IsDefault { return &management_pb.AddCustomPrivacyPolicyRequest{ - TosLink: queriedPrivacy.TOSLink, - PrivacyLink: queriedPrivacy.PrivacyLink, - HelpLink: queriedPrivacy.HelpLink, - SupportEmail: string(queriedPrivacy.SupportEmail), + TosLink: queriedPrivacy.TOSLink, + PrivacyLink: queriedPrivacy.PrivacyLink, + HelpLink: queriedPrivacy.HelpLink, + SupportEmail: string(queriedPrivacy.SupportEmail), + DocsLink: queriedPrivacy.DocsLink, + CustomLink: queriedPrivacy.CustomLink, + CustomLinkText: queriedPrivacy.CustomLinkText, }, nil } return nil, nil diff --git a/internal/api/grpc/admin/feature.go b/internal/api/grpc/admin/feature.go index a63825171a..cac9d99f28 100644 --- a/internal/api/grpc/admin/feature.go +++ b/internal/api/grpc/admin/feature.go @@ -4,7 +4,6 @@ import ( "context" "github.com/muhlemmer/gu" - "github.com/zitadel/logging" object_pb "github.com/zitadel/zitadel/internal/api/grpc/object" diff --git a/internal/api/grpc/admin/iam_settings_converter.go b/internal/api/grpc/admin/iam_settings_converter.go index 66e0dd3653..b967faf4c5 100644 --- a/internal/api/grpc/admin/iam_settings_converter.go +++ b/internal/api/grpc/admin/iam_settings_converter.go @@ -172,6 +172,7 @@ func SMTPConfigToPb(smtp *query.SMTPConfig) *settings_pb.SMTPConfig { User: smtp.User, Details: obj_grpc.ToViewDetailsPb(smtp.Sequence, smtp.CreationDate, smtp.ChangeDate, smtp.ResourceOwner), Id: smtp.ID, + State: settings_pb.SMTPConfigState(smtp.State), } return mapped } diff --git a/internal/api/grpc/admin/idp_converter.go b/internal/api/grpc/admin/idp_converter.go index ce3884d2b5..2914f94b30 100644 --- a/internal/api/grpc/admin/idp_converter.go +++ b/internal/api/grpc/admin/idp_converter.go @@ -2,6 +2,7 @@ package admin import ( "github.com/crewjam/saml" + "github.com/muhlemmer/gu" idp_grpc "github.com/zitadel/zitadel/internal/api/grpc/idp" "github.com/zitadel/zitadel/internal/api/grpc/object" @@ -469,24 +470,36 @@ func updateAppleProviderToCommand(req *admin_pb.UpdateAppleProviderRequest) comm } func addSAMLProviderToCommand(req *admin_pb.AddSAMLProviderRequest) command.SAMLProvider { + var nameIDFormat *domain.SAMLNameIDFormat + if req.NameIdFormat != nil { + nameIDFormat = gu.Ptr(idp_grpc.SAMLNameIDFormatToDomain(req.GetNameIdFormat())) + } return command.SAMLProvider{ - Name: req.Name, - Metadata: req.GetMetadataXml(), - MetadataURL: req.GetMetadataUrl(), - Binding: bindingToCommand(req.Binding), - WithSignedRequest: req.WithSignedRequest, - IDPOptions: idp_grpc.OptionsToCommand(req.ProviderOptions), + Name: req.Name, + Metadata: req.GetMetadataXml(), + MetadataURL: req.GetMetadataUrl(), + Binding: bindingToCommand(req.Binding), + WithSignedRequest: req.WithSignedRequest, + NameIDFormat: nameIDFormat, + TransientMappingAttributeName: req.GetTransientMappingAttributeName(), + IDPOptions: idp_grpc.OptionsToCommand(req.ProviderOptions), } } func updateSAMLProviderToCommand(req *admin_pb.UpdateSAMLProviderRequest) command.SAMLProvider { + var nameIDFormat *domain.SAMLNameIDFormat + if req.NameIdFormat != nil { + nameIDFormat = gu.Ptr(idp_grpc.SAMLNameIDFormatToDomain(req.GetNameIdFormat())) + } return command.SAMLProvider{ - Name: req.Name, - Metadata: req.GetMetadataXml(), - MetadataURL: req.GetMetadataUrl(), - Binding: bindingToCommand(req.Binding), - WithSignedRequest: req.WithSignedRequest, - IDPOptions: idp_grpc.OptionsToCommand(req.ProviderOptions), + Name: req.Name, + Metadata: req.GetMetadataXml(), + MetadataURL: req.GetMetadataUrl(), + Binding: bindingToCommand(req.Binding), + WithSignedRequest: req.WithSignedRequest, + NameIDFormat: nameIDFormat, + TransientMappingAttributeName: req.GetTransientMappingAttributeName(), + IDPOptions: idp_grpc.OptionsToCommand(req.ProviderOptions), } } diff --git a/internal/api/grpc/admin/org_converter.go b/internal/api/grpc/admin/org_converter.go index 7f3066925e..62887cc34c 100644 --- a/internal/api/grpc/admin/org_converter.go +++ b/internal/api/grpc/admin/org_converter.go @@ -5,7 +5,6 @@ import ( org_grpc "github.com/zitadel/zitadel/internal/api/grpc/org" "github.com/zitadel/zitadel/internal/query" "github.com/zitadel/zitadel/pkg/grpc/admin" - "github.com/zitadel/zitadel/pkg/grpc/org" ) func listOrgRequestToModel(req *admin.ListOrgsRequest) (*query.OrgSearchQueries, error) { @@ -18,18 +17,9 @@ func listOrgRequestToModel(req *admin.ListOrgsRequest) (*query.OrgSearchQueries, SearchRequest: query.SearchRequest{ Offset: offset, Limit: limit, - SortingColumn: fieldNameToOrgColumn(req.SortingColumn), + SortingColumn: org_grpc.FieldNameToOrgColumn(req.SortingColumn), Asc: asc, }, Queries: queries, }, nil } - -func fieldNameToOrgColumn(fieldName org.OrgFieldName) query.Column { - switch fieldName { - case org.OrgFieldName_ORG_FIELD_NAME_NAME: - return query.OrgColumnName - default: - return query.Column{} - } -} diff --git a/internal/api/grpc/admin/privacy_policy_converter.go b/internal/api/grpc/admin/privacy_policy_converter.go index 910267e14e..3cb14dec15 100644 --- a/internal/api/grpc/admin/privacy_policy_converter.go +++ b/internal/api/grpc/admin/privacy_policy_converter.go @@ -7,9 +7,12 @@ import ( func UpdatePrivacyPolicyToDomain(req *admin_pb.UpdatePrivacyPolicyRequest) *domain.PrivacyPolicy { return &domain.PrivacyPolicy{ - TOSLink: req.TosLink, - PrivacyLink: req.PrivacyLink, - HelpLink: req.HelpLink, - SupportEmail: domain.EmailAddress(req.SupportEmail), + TOSLink: req.TosLink, + PrivacyLink: req.PrivacyLink, + HelpLink: req.HelpLink, + SupportEmail: domain.EmailAddress(req.SupportEmail), + DocsLink: req.DocsLink, + CustomLink: req.CustomLink, + CustomLinkText: req.CustomLinkText, } } diff --git a/internal/api/grpc/auth/user.go b/internal/api/grpc/auth/user.go index f32af2f74b..1efdbe8dd2 100644 --- a/internal/api/grpc/auth/user.go +++ b/internal/api/grpc/auth/user.go @@ -266,9 +266,10 @@ func ListMyProjectOrgsRequestToQuery(req *auth_pb.ListMyProjectOrgsRequest) (*qu } return &query.OrgSearchQueries{ SearchRequest: query.SearchRequest{ - Offset: offset, - Limit: limit, - Asc: asc, + Offset: offset, + Limit: limit, + Asc: asc, + SortingColumn: org.FieldNameToOrgColumn(req.SortingColumn), }, Queries: queries, }, nil diff --git a/internal/api/grpc/feature/v2/converter.go b/internal/api/grpc/feature/v2/converter.go index aa8b1287f4..259a6f8a42 100644 --- a/internal/api/grpc/feature/v2/converter.go +++ b/internal/api/grpc/feature/v2/converter.go @@ -16,6 +16,7 @@ func systemFeaturesToCommand(req *feature_pb.SetSystemFeaturesRequest) *command. UserSchema: req.UserSchema, Actions: req.Actions, TokenExchange: req.OidcTokenExchange, + ImprovedPerformance: improvedPerformanceListToDomain(req.ImprovedPerformance), } } @@ -28,6 +29,7 @@ func systemFeaturesToPb(f *query.SystemFeatures) *feature_pb.GetSystemFeaturesRe UserSchema: featureSourceToFlagPb(&f.UserSchema), OidcTokenExchange: featureSourceToFlagPb(&f.TokenExchange), Actions: featureSourceToFlagPb(&f.Actions), + ImprovedPerformance: featureSourceToImprovedPerformanceFlagPb(&f.ImprovedPerformance), } } @@ -39,6 +41,7 @@ func instanceFeaturesToCommand(req *feature_pb.SetInstanceFeaturesRequest) *comm UserSchema: req.UserSchema, TokenExchange: req.OidcTokenExchange, Actions: req.Actions, + ImprovedPerformance: improvedPerformanceListToDomain(req.ImprovedPerformance), } } @@ -51,6 +54,14 @@ func instanceFeaturesToPb(f *query.InstanceFeatures) *feature_pb.GetInstanceFeat UserSchema: featureSourceToFlagPb(&f.UserSchema), OidcTokenExchange: featureSourceToFlagPb(&f.TokenExchange), Actions: featureSourceToFlagPb(&f.Actions), + ImprovedPerformance: featureSourceToImprovedPerformanceFlagPb(&f.ImprovedPerformance), + } +} + +func featureSourceToImprovedPerformanceFlagPb(fs *query.FeatureSource[[]feature.ImprovedPerformanceType]) *feature_pb.ImprovedPerformanceFeatureFlag { + return &feature_pb.ImprovedPerformanceFeatureFlag{ + ExecutionPaths: improvedPerformanceTypesToPb(fs.Value), + Source: featureLevelToSourcePb(fs.Level), } } @@ -81,3 +92,48 @@ func featureLevelToSourcePb(level feature.Level) feature_pb.Source { return feature_pb.Source(level) } } + +func improvedPerformanceTypesToPb(types []feature.ImprovedPerformanceType) []feature_pb.ImprovedPerformance { + res := make([]feature_pb.ImprovedPerformance, len(types)) + + for i, typ := range types { + res[i] = improvedPerformanceTypeToPb(typ) + } + + return res +} + +func improvedPerformanceTypeToPb(typ feature.ImprovedPerformanceType) feature_pb.ImprovedPerformance { + switch typ { + case feature.ImprovedPerformanceTypeUnknown: + return feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_UNSPECIFIED + case feature.ImprovedPerformanceTypeOrgByID: + return feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID + default: + return feature_pb.ImprovedPerformance(typ) + } +} + +func improvedPerformanceListToDomain(list []feature_pb.ImprovedPerformance) []feature.ImprovedPerformanceType { + if list == nil { + return nil + } + res := make([]feature.ImprovedPerformanceType, len(list)) + + for i, typ := range list { + res[i] = improvedPerformanceToDomain(typ) + } + + return res +} + +func improvedPerformanceToDomain(typ feature_pb.ImprovedPerformance) feature.ImprovedPerformanceType { + switch typ { + case feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_UNSPECIFIED: + return feature.ImprovedPerformanceTypeUnknown + case feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID: + return feature.ImprovedPerformanceTypeOrgByID + default: + return feature.ImprovedPerformanceTypeUnknown + } +} diff --git a/internal/api/grpc/feature/v2/converter_test.go b/internal/api/grpc/feature/v2/converter_test.go index 78aea5eb15..35dbf98014 100644 --- a/internal/api/grpc/feature/v2/converter_test.go +++ b/internal/api/grpc/feature/v2/converter_test.go @@ -24,6 +24,7 @@ func Test_systemFeaturesToCommand(t *testing.T) { UserSchema: gu.Ptr(true), Actions: gu.Ptr(true), OidcTokenExchange: gu.Ptr(true), + ImprovedPerformance: nil, } want := &command.SystemFeatures{ LoginDefaultOrg: gu.Ptr(true), @@ -32,6 +33,7 @@ func Test_systemFeaturesToCommand(t *testing.T) { UserSchema: gu.Ptr(true), Actions: gu.Ptr(true), TokenExchange: gu.Ptr(true), + ImprovedPerformance: nil, } got := systemFeaturesToCommand(arg) assert.Equal(t, want, got) @@ -68,6 +70,10 @@ func Test_systemFeaturesToPb(t *testing.T) { Level: feature.LevelSystem, Value: false, }, + ImprovedPerformance: query.FeatureSource[[]feature.ImprovedPerformanceType]{ + Level: feature.LevelSystem, + Value: []feature.ImprovedPerformanceType{feature.ImprovedPerformanceTypeOrgByID}, + }, } want := &feature_pb.GetSystemFeaturesResponse{ Details: &object.Details{ @@ -99,6 +105,10 @@ func Test_systemFeaturesToPb(t *testing.T) { Enabled: true, Source: feature_pb.Source_SOURCE_SYSTEM, }, + ImprovedPerformance: &feature_pb.ImprovedPerformanceFeatureFlag{ + ExecutionPaths: []feature_pb.ImprovedPerformance{feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID}, + Source: feature_pb.Source_SOURCE_SYSTEM, + }, } got := systemFeaturesToPb(arg) assert.Equal(t, want, got) @@ -112,6 +122,7 @@ func Test_instanceFeaturesToCommand(t *testing.T) { UserSchema: gu.Ptr(true), OidcTokenExchange: gu.Ptr(true), Actions: gu.Ptr(true), + ImprovedPerformance: nil, } want := &command.InstanceFeatures{ LoginDefaultOrg: gu.Ptr(true), @@ -120,6 +131,7 @@ func Test_instanceFeaturesToCommand(t *testing.T) { UserSchema: gu.Ptr(true), TokenExchange: gu.Ptr(true), Actions: gu.Ptr(true), + ImprovedPerformance: nil, } got := instanceFeaturesToCommand(arg) assert.Equal(t, want, got) @@ -156,6 +168,10 @@ func Test_instanceFeaturesToPb(t *testing.T) { Level: feature.LevelSystem, Value: false, }, + ImprovedPerformance: query.FeatureSource[[]feature.ImprovedPerformanceType]{ + Level: feature.LevelSystem, + Value: []feature.ImprovedPerformanceType{feature.ImprovedPerformanceTypeOrgByID}, + }, } want := &feature_pb.GetInstanceFeaturesResponse{ Details: &object.Details{ @@ -187,6 +203,10 @@ func Test_instanceFeaturesToPb(t *testing.T) { Enabled: false, Source: feature_pb.Source_SOURCE_SYSTEM, }, + ImprovedPerformance: &feature_pb.ImprovedPerformanceFeatureFlag{ + ExecutionPaths: []feature_pb.ImprovedPerformance{feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID}, + Source: feature_pb.Source_SOURCE_SYSTEM, + }, } got := instanceFeaturesToPb(arg) assert.Equal(t, want, got) diff --git a/internal/api/grpc/idp/converter.go b/internal/api/grpc/idp/converter.go index 2acaf4d3d8..9b3e09a10c 100644 --- a/internal/api/grpc/idp/converter.go +++ b/internal/api/grpc/idp/converter.go @@ -2,6 +2,7 @@ package idp import ( "github.com/crewjam/saml" + "github.com/muhlemmer/gu" "google.golang.org/protobuf/types/known/durationpb" obj_grpc "github.com/zitadel/zitadel/internal/api/grpc/object" @@ -339,6 +340,21 @@ func azureADTenantTypeToCommand(tenantType idp_pb.AzureADTenantType) azuread.Ten } } +func SAMLNameIDFormatToDomain(format idp_pb.SAMLNameIDFormat) domain.SAMLNameIDFormat { + switch format { + case idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_UNSPECIFIED: + return domain.SAMLNameIDFormatUnspecified + case idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_EMAIL_ADDRESS: + return domain.SAMLNameIDFormatEmailAddress + case idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_PERSISTENT: + return domain.SAMLNameIDFormatPersistent + case idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_TRANSIENT: + return domain.SAMLNameIDFormatTransient + default: + return domain.SAMLNameIDFormatUnspecified + } +} + func ProvidersToPb(providers []*query.IDPTemplate) []*idp_pb.Provider { list := make([]*idp_pb.Provider, len(providers)) for i, provider := range providers { @@ -639,11 +655,17 @@ func appleConfigToPb(providerConfig *idp_pb.ProviderConfig, template *query.Appl } func samlConfigToPb(providerConfig *idp_pb.ProviderConfig, template *query.SAMLIDPTemplate) { + nameIDFormat := idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_PERSISTENT + if template.NameIDFormat.Valid { + nameIDFormat = nameIDToPb(template.NameIDFormat.V) + } providerConfig.Config = &idp_pb.ProviderConfig_Saml{ Saml: &idp_pb.SAMLConfig{ - MetadataXml: template.Metadata, - Binding: bindingToPb(template.Binding), - WithSignedRequest: template.WithSignedRequest, + MetadataXml: template.Metadata, + Binding: bindingToPb(template.Binding), + WithSignedRequest: template.WithSignedRequest, + NameIdFormat: nameIDFormat, + TransientMappingAttributeName: gu.Ptr(template.TransientMappingAttributeName), }, } } @@ -662,3 +684,18 @@ func bindingToPb(binding string) idp_pb.SAMLBinding { return idp_pb.SAMLBinding_SAML_BINDING_UNSPECIFIED } } + +func nameIDToPb(format domain.SAMLNameIDFormat) idp_pb.SAMLNameIDFormat { + switch format { + case domain.SAMLNameIDFormatUnspecified: + return idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_UNSPECIFIED + case domain.SAMLNameIDFormatEmailAddress: + return idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_EMAIL_ADDRESS + case domain.SAMLNameIDFormatPersistent: + return idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_PERSISTENT + case domain.SAMLNameIDFormatTransient: + return idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_TRANSIENT + default: + return idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_UNSPECIFIED + } +} diff --git a/internal/api/grpc/management/idp_converter.go b/internal/api/grpc/management/idp_converter.go index d8949a5444..48d5a85a99 100644 --- a/internal/api/grpc/management/idp_converter.go +++ b/internal/api/grpc/management/idp_converter.go @@ -4,6 +4,7 @@ import ( "context" "github.com/crewjam/saml" + "github.com/muhlemmer/gu" "github.com/zitadel/zitadel/internal/api/authz" idp_grpc "github.com/zitadel/zitadel/internal/api/grpc/idp" @@ -462,24 +463,36 @@ func updateAppleProviderToCommand(req *mgmt_pb.UpdateAppleProviderRequest) comma } func addSAMLProviderToCommand(req *mgmt_pb.AddSAMLProviderRequest) command.SAMLProvider { + var nameIDFormat *domain.SAMLNameIDFormat + if req.NameIdFormat != nil { + nameIDFormat = gu.Ptr(idp_grpc.SAMLNameIDFormatToDomain(req.GetNameIdFormat())) + } return command.SAMLProvider{ - Name: req.Name, - Metadata: req.GetMetadataXml(), - MetadataURL: req.GetMetadataUrl(), - Binding: bindingToCommand(req.Binding), - WithSignedRequest: req.WithSignedRequest, - IDPOptions: idp_grpc.OptionsToCommand(req.ProviderOptions), + Name: req.Name, + Metadata: req.GetMetadataXml(), + MetadataURL: req.GetMetadataUrl(), + Binding: bindingToCommand(req.Binding), + WithSignedRequest: req.WithSignedRequest, + NameIDFormat: nameIDFormat, + TransientMappingAttributeName: req.GetTransientMappingAttributeName(), + IDPOptions: idp_grpc.OptionsToCommand(req.ProviderOptions), } } func updateSAMLProviderToCommand(req *mgmt_pb.UpdateSAMLProviderRequest) command.SAMLProvider { + var nameIDFormat *domain.SAMLNameIDFormat + if req.NameIdFormat != nil { + nameIDFormat = gu.Ptr(idp_grpc.SAMLNameIDFormatToDomain(req.GetNameIdFormat())) + } return command.SAMLProvider{ - Name: req.Name, - Metadata: req.GetMetadataXml(), - MetadataURL: req.GetMetadataUrl(), - Binding: bindingToCommand(req.Binding), - WithSignedRequest: req.WithSignedRequest, - IDPOptions: idp_grpc.OptionsToCommand(req.ProviderOptions), + Name: req.Name, + Metadata: req.GetMetadataXml(), + MetadataURL: req.GetMetadataUrl(), + Binding: bindingToCommand(req.Binding), + WithSignedRequest: req.WithSignedRequest, + NameIDFormat: nameIDFormat, + TransientMappingAttributeName: req.GetTransientMappingAttributeName(), + IDPOptions: idp_grpc.OptionsToCommand(req.ProviderOptions), } } diff --git a/internal/api/grpc/management/policy_privacy_converter.go b/internal/api/grpc/management/policy_privacy_converter.go index 323c162142..a3c77a8637 100644 --- a/internal/api/grpc/management/policy_privacy_converter.go +++ b/internal/api/grpc/management/policy_privacy_converter.go @@ -7,18 +7,24 @@ import ( func AddPrivacyPolicyToDomain(req *mgmt_pb.AddCustomPrivacyPolicyRequest) *domain.PrivacyPolicy { return &domain.PrivacyPolicy{ - TOSLink: req.TosLink, - PrivacyLink: req.PrivacyLink, - HelpLink: req.HelpLink, - SupportEmail: domain.EmailAddress(req.SupportEmail), + TOSLink: req.TosLink, + PrivacyLink: req.PrivacyLink, + HelpLink: req.HelpLink, + SupportEmail: domain.EmailAddress(req.SupportEmail), + DocsLink: req.DocsLink, + CustomLink: req.CustomLink, + CustomLinkText: req.CustomLinkText, } } func UpdatePrivacyPolicyToDomain(req *mgmt_pb.UpdateCustomPrivacyPolicyRequest) *domain.PrivacyPolicy { return &domain.PrivacyPolicy{ - TOSLink: req.TosLink, - PrivacyLink: req.PrivacyLink, - HelpLink: req.HelpLink, - SupportEmail: domain.EmailAddress(req.SupportEmail), + TOSLink: req.TosLink, + PrivacyLink: req.PrivacyLink, + HelpLink: req.HelpLink, + SupportEmail: domain.EmailAddress(req.SupportEmail), + DocsLink: req.DocsLink, + CustomLink: req.CustomLink, + CustomLinkText: req.CustomLinkText, } } diff --git a/internal/api/grpc/oidc/v2/oidc.go b/internal/api/grpc/oidc/v2/oidc.go index 258ebd6a69..7a13c7ea99 100644 --- a/internal/api/grpc/oidc/v2/oidc.go +++ b/internal/api/grpc/oidc/v2/oidc.go @@ -112,7 +112,7 @@ func (s *Server) linkSessionToAuthRequest(ctx context.Context, authRequestID str if aar.ResponseType == domain.OIDCResponseTypeCode { callback, err = oidc.CreateCodeCallbackURL(ctx, authReq, s.op.Provider()) } else { - callback, err = oidc.CreateTokenCallbackURL(ctx, authReq, s.op.Provider()) + callback, err = s.op.CreateTokenCallbackURL(ctx, authReq) } if err != nil { return nil, err diff --git a/internal/api/grpc/org/converter.go b/internal/api/grpc/org/converter.go index d3c3cb3c11..3f0084c978 100644 --- a/internal/api/grpc/org/converter.go +++ b/internal/api/grpc/org/converter.go @@ -186,3 +186,14 @@ func DomainValidationTypeFromModel(validationType domain.OrgDomainValidationType return org_pb.DomainValidationType_DOMAIN_VALIDATION_TYPE_UNSPECIFIED } } + +func FieldNameToOrgColumn(fieldName org_pb.OrgFieldName) query.Column { + switch fieldName { + case org_pb.OrgFieldName_ORG_FIELD_NAME_NAME: + return query.OrgColumnName + case org_pb.OrgFieldName_ORG_FIELD_NAME_UNSPECIFIED: + return query.Column{} + default: + return query.Column{} + } +} diff --git a/internal/api/grpc/policy/privacy_policy.go b/internal/api/grpc/policy/privacy_policy.go index f86bc48e3f..ab87cd31d9 100644 --- a/internal/api/grpc/policy/privacy_policy.go +++ b/internal/api/grpc/policy/privacy_policy.go @@ -19,5 +19,8 @@ func ModelPrivacyPolicyToPb(policy *query.PrivacyPolicy) *policy_pb.PrivacyPolic policy.ChangeDate, policy.ResourceOwner, ), + DocsLink: policy.DocsLink, + CustomLink: policy.CustomLink, + CustomLinkText: policy.CustomLinkText, } } diff --git a/internal/api/grpc/session/v2/session.go b/internal/api/grpc/session/v2/session.go index df07602e85..7af87798e6 100644 --- a/internal/api/grpc/session/v2/session.go +++ b/internal/api/grpc/session/v2/session.go @@ -7,6 +7,7 @@ import ( "time" "github.com/muhlemmer/gu" + "golang.org/x/text/language" "google.golang.org/protobuf/types/known/structpb" "google.golang.org/protobuf/types/known/timestamppb" @@ -88,14 +89,10 @@ func (s *Server) SetSession(ctx context.Context, req *session.SetSessionRequest) return nil, err } - set, err := s.command.UpdateSession(ctx, req.GetSessionId(), req.GetSessionToken(), cmds, req.GetMetadata(), req.GetLifetime().AsDuration()) + set, err := s.command.UpdateSession(ctx, req.GetSessionId(), cmds, req.GetMetadata(), req.GetLifetime().AsDuration()) if err != nil { return nil, err } - // if there's no new token, just return the current - if set.NewToken == "" { - set.NewToken = req.GetSessionToken() - } return &session.SetSessionResponse{ Details: object.DomainToDetailsPb(set.ObjectDetails), SessionToken: set.NewToken, @@ -352,7 +349,12 @@ func (s *Server) checksToCommand(ctx context.Context, checks *session.Checks) ([ if !user.State.IsEnabled() { return nil, zerrors.ThrowPreconditionFailed(nil, "SESSION-Gj4ko", "Errors.User.NotActive") } - sessionChecks = append(sessionChecks, command.CheckUser(user.ID, user.ResourceOwner)) + + var preferredLanguage *language.Tag + if user.Human != nil && !user.Human.PreferredLanguage.IsRoot() { + preferredLanguage = &user.Human.PreferredLanguage + } + sessionChecks = append(sessionChecks, command.CheckUser(user.ID, user.ResourceOwner, preferredLanguage)) } if password := checks.GetPassword(); password != nil { sessionChecks = append(sessionChecks, command.CheckPassword(password.GetPassword())) diff --git a/internal/api/grpc/session/v2/session_integration_test.go b/internal/api/grpc/session/v2/session_integration_test.go index 6818b627e8..9423eea9ae 100644 --- a/internal/api/grpc/session/v2/session_integration_test.go +++ b/internal/api/grpc/session/v2/session_integration_test.go @@ -13,6 +13,7 @@ import ( "github.com/pquerna/otp/totp" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "github.com/zitadel/logging" "google.golang.org/grpc/metadata" "google.golang.org/protobuf/proto" "google.golang.org/protobuf/types/known/durationpb" @@ -43,26 +44,43 @@ func TestMain(m *testing.M) { Client = Tester.Client.SessionV2 CTX, _ = Tester.WithAuthorization(ctx, integration.OrgOwner), errCtx - User = Tester.CreateHumanUser(CTX) - Tester.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{ - UserId: User.GetUserId(), - VerificationCode: User.GetEmailCode(), - }) - Tester.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{ - UserId: User.GetUserId(), - VerificationCode: User.GetPhoneCode(), - }) - Tester.SetUserPassword(CTX, User.GetUserId(), integration.UserPassword, false) - Tester.RegisterUserPasskey(CTX, User.GetUserId()) - DeactivatedUser = Tester.CreateHumanUser(CTX) - Tester.Client.UserV2.DeactivateUser(CTX, &user.DeactivateUserRequest{UserId: DeactivatedUser.GetUserId()}) - LockedUser = Tester.CreateHumanUser(CTX) - Tester.Client.UserV2.LockUser(CTX, &user.LockUserRequest{UserId: LockedUser.GetUserId()}) + User = createFullUser(CTX) + DeactivatedUser = createDeactivatedUser(CTX) + LockedUser = createLockedUser(CTX) return m.Run() }()) } -func verifyCurrentSession(t testing.TB, id, token string, sequence uint64, window time.Duration, metadata map[string][]byte, userAgent *session.UserAgent, expirationWindow time.Duration, factors ...wantFactor) *session.Session { +func createFullUser(ctx context.Context) *user.AddHumanUserResponse { + userResp := Tester.CreateHumanUser(ctx) + Tester.Client.UserV2.VerifyEmail(ctx, &user.VerifyEmailRequest{ + UserId: userResp.GetUserId(), + VerificationCode: userResp.GetEmailCode(), + }) + Tester.Client.UserV2.VerifyPhone(ctx, &user.VerifyPhoneRequest{ + UserId: userResp.GetUserId(), + VerificationCode: userResp.GetPhoneCode(), + }) + Tester.SetUserPassword(ctx, userResp.GetUserId(), integration.UserPassword, false) + Tester.RegisterUserPasskey(ctx, userResp.GetUserId()) + return userResp +} + +func createDeactivatedUser(ctx context.Context) *user.AddHumanUserResponse { + userResp := Tester.CreateHumanUser(ctx) + _, err := Tester.Client.UserV2.DeactivateUser(ctx, &user.DeactivateUserRequest{UserId: userResp.GetUserId()}) + logging.OnError(err).Fatal("deactivate human user") + return userResp +} + +func createLockedUser(ctx context.Context) *user.AddHumanUserResponse { + userResp := Tester.CreateHumanUser(ctx) + _, err := Tester.Client.UserV2.LockUser(ctx, &user.LockUserRequest{UserId: userResp.GetUserId()}) + logging.OnError(err).Fatal("lock human user") + return userResp +} + +func verifyCurrentSession(t testing.TB, id, token string, sequence uint64, window time.Duration, metadata map[string][]byte, userAgent *session.UserAgent, expirationWindow time.Duration, userID string, factors ...wantFactor) *session.Session { t.Helper() require.NotEmpty(t, id) require.NotEmpty(t, token) @@ -89,7 +107,7 @@ func verifyCurrentSession(t testing.TB, id, token string, sequence uint64, windo assert.WithinRange(t, s.GetExpirationDate().AsTime(), time.Now().Add(-expirationWindow), time.Now().Add(expirationWindow)) } - verifyFactors(t, s.GetFactors(), window, factors) + verifyFactors(t, s.GetFactors(), window, userID, factors) return s } @@ -106,14 +124,14 @@ const ( wantOTPEmailFactor ) -func verifyFactors(t testing.TB, factors *session.Factors, window time.Duration, want []wantFactor) { +func verifyFactors(t testing.TB, factors *session.Factors, window time.Duration, userID string, want []wantFactor) { for _, w := range want { switch w { case wantUserFactor: uf := factors.GetUser() assert.NotNil(t, uf) assert.WithinRange(t, uf.GetVerifiedAt().AsTime(), time.Now().Add(-window), time.Now().Add(window)) - assert.Equal(t, User.GetUserId(), uf.GetId()) + assert.Equal(t, userID, uf.GetId()) case wantPasswordFactor: pf := factors.GetPassword() assert.NotNil(t, pf) @@ -318,7 +336,7 @@ func TestServer_CreateSession(t *testing.T) { require.NoError(t, err) integration.AssertDetails(t, tt.want, got) - verifyCurrentSession(t, got.GetSessionId(), got.GetSessionToken(), got.GetDetails().GetSequence(), time.Minute, tt.req.GetMetadata(), tt.wantUserAgent, tt.wantExpirationWindow, tt.wantFactors...) + verifyCurrentSession(t, got.GetSessionId(), got.GetSessionToken(), got.GetDetails().GetSequence(), time.Minute, tt.req.GetMetadata(), tt.wantUserAgent, tt.wantExpirationWindow, User.GetUserId(), tt.wantFactors...) }) } } @@ -341,15 +359,14 @@ func TestServer_CreateSession_webauthn(t *testing.T) { }, }) require.NoError(t, err) - verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0) + verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) assertionData, err := Tester.WebAuthN.CreateAssertionResponse(createResp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) require.NoError(t, err) // update the session with webauthn assertion data updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: createResp.GetSessionToken(), + SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ CredentialAssertionData: assertionData, @@ -357,7 +374,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) { }, }) require.NoError(t, err) - verifyCurrentSession(t, createResp.GetSessionId(), updateResp.GetSessionToken(), updateResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, wantUserFactor, wantWebAuthNFactorUserVerified) + verifyCurrentSession(t, createResp.GetSessionId(), updateResp.GetSessionToken(), updateResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantWebAuthNFactorUserVerified) } func TestServer_CreateSession_successfulIntent(t *testing.T) { @@ -372,12 +389,11 @@ func TestServer_CreateSession_successfulIntent(t *testing.T) { }, }) require.NoError(t, err) - verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0) + verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) intentID, token, _, _ := Tester.CreateSuccessfulOAuthIntent(t, CTX, idpID, User.GetUserId(), "id") updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: createResp.GetSessionToken(), + SessionId: createResp.GetSessionId(), Checks: &session.Checks{ IdpIntent: &session.CheckIDPIntent{ IdpIntentId: intentID, @@ -386,7 +402,7 @@ func TestServer_CreateSession_successfulIntent(t *testing.T) { }, }) require.NoError(t, err) - verifyCurrentSession(t, createResp.GetSessionId(), updateResp.GetSessionToken(), updateResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, wantUserFactor, wantIntentFactor) + verifyCurrentSession(t, createResp.GetSessionId(), updateResp.GetSessionToken(), updateResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantIntentFactor) } func TestServer_CreateSession_successfulIntent_instant(t *testing.T) { @@ -407,7 +423,7 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) { }, }) require.NoError(t, err) - verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, wantUserFactor, wantIntentFactor) + verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantIntentFactor) } func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) { @@ -423,13 +439,12 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) { }, }) require.NoError(t, err) - verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0) + verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) idpUserID := "id" intentID, token, _, _ := Tester.CreateSuccessfulOAuthIntent(t, CTX, idpID, "", idpUserID) updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: createResp.GetSessionToken(), + SessionId: createResp.GetSessionId(), Checks: &session.Checks{ IdpIntent: &session.CheckIDPIntent{ IdpIntentId: intentID, @@ -441,8 +456,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) { Tester.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId()) intentID, token, _, _ = Tester.CreateSuccessfulOAuthIntent(t, CTX, idpID, User.GetUserId(), idpUserID) updateResp, err = Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: createResp.GetSessionToken(), + SessionId: createResp.GetSessionId(), Checks: &session.Checks{ IdpIntent: &session.CheckIDPIntent{ IdpIntentId: intentID, @@ -451,7 +465,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) { }, }) require.NoError(t, err) - verifyCurrentSession(t, createResp.GetSessionId(), updateResp.GetSessionToken(), updateResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, wantUserFactor, wantIntentFactor) + verifyCurrentSession(t, createResp.GetSessionId(), updateResp.GetSessionToken(), updateResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantIntentFactor) } func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) { @@ -467,12 +481,11 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) { }, }) require.NoError(t, err) - verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0) + verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) intentID := Tester.CreateIntent(t, CTX, idpID) _, err = Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: createResp.GetSessionToken(), + SessionId: createResp.GetSessionId(), Checks: &session.Checks{ IdpIntent: &session.CheckIDPIntent{ IdpIntentId: intentID, @@ -514,17 +527,131 @@ func registerOTPEmail(ctx context.Context, t *testing.T, userID string) { require.NoError(t, err) } +func TestServer_SetSession_flow_totp(t *testing.T) { + userExisting := createFullUser(CTX) + + // create new, empty session + createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + require.NoError(t, err) + sessionToken := createResp.GetSessionToken() + verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") + + t.Run("check user", func(t *testing.T) { + resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + SessionId: createResp.GetSessionId(), + Checks: &session.Checks{ + User: &session.CheckUser{ + Search: &session.CheckUser_UserId{ + UserId: userExisting.GetUserId(), + }, + }, + }, + }) + require.NoError(t, err) + sessionToken = resp.GetSessionToken() + verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, userExisting.GetUserId(), wantUserFactor) + }) + + t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { + resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + SessionId: createResp.GetSessionId(), + Challenges: &session.RequestChallenges{ + WebAuthN: &session.RequestChallenges_WebAuthN{ + Domain: Tester.Config.ExternalDomain, + UserVerificationRequirement: session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_REQUIRED, + }, + }, + }) + require.NoError(t, err) + verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, userExisting.GetUserId()) + sessionToken = resp.GetSessionToken() + + assertionData, err := Tester.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) + require.NoError(t, err) + + resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + SessionId: createResp.GetSessionId(), + Checks: &session.Checks{ + WebAuthN: &session.CheckWebAuthN{ + CredentialAssertionData: assertionData, + }, + }, + }) + require.NoError(t, err) + sessionToken = resp.GetSessionToken() + verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, userExisting.GetUserId(), wantUserFactor, wantWebAuthNFactorUserVerified) + }) + + userAuthCtx := Tester.WithAuthorizationToken(CTX, sessionToken) + Tester.RegisterUserU2F(userAuthCtx, userExisting.GetUserId()) + totpSecret := registerTOTP(userAuthCtx, t, userExisting.GetUserId()) + registerOTPSMS(userAuthCtx, t, userExisting.GetUserId()) + registerOTPEmail(userAuthCtx, t, userExisting.GetUserId()) + + t.Run("check TOTP", func(t *testing.T) { + code, err := totp.GenerateCode(totpSecret, time.Now()) + require.NoError(t, err) + resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + SessionId: createResp.GetSessionId(), + Checks: &session.Checks{ + Totp: &session.CheckTOTP{ + Code: code, + }, + }, + }) + require.NoError(t, err) + sessionToken = resp.GetSessionToken() + verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, userExisting.GetUserId(), wantUserFactor, wantTOTPFactor) + }) + + userImport := Tester.CreateHumanUserWithTOTP(CTX, totpSecret) + createRespImport, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + require.NoError(t, err) + sessionTokenImport := createRespImport.GetSessionToken() + verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") + + t.Run("check user", func(t *testing.T) { + resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + SessionId: createRespImport.GetSessionId(), + Checks: &session.Checks{ + User: &session.CheckUser{ + Search: &session.CheckUser_UserId{ + UserId: userImport.GetUserId(), + }, + }, + }, + }) + require.NoError(t, err) + sessionTokenImport = resp.GetSessionToken() + verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, userImport.GetUserId(), wantUserFactor) + }) + t.Run("check TOTP", func(t *testing.T) { + code, err := totp.GenerateCode(totpSecret, time.Now()) + require.NoError(t, err) + resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + SessionId: createRespImport.GetSessionId(), + Checks: &session.Checks{ + Totp: &session.CheckTOTP{ + Code: code, + }, + }, + }) + require.NoError(t, err) + sessionTokenImport = resp.GetSessionToken() + verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, userImport.GetUserId(), wantUserFactor, wantTOTPFactor) + }) +} + func TestServer_SetSession_flow(t *testing.T) { // create new, empty session createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionToken := createResp.GetSessionToken() - verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0) + verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) t.Run("check user", func(t *testing.T) { resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: sessionToken, + SessionId: createResp.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -535,13 +662,12 @@ func TestServer_SetSession_flow(t *testing.T) { }) require.NoError(t, err) sessionToken = resp.GetSessionToken() - verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, wantUserFactor) + verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor) }) t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: sessionToken, + SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ Domain: Tester.Config.ExternalDomain, @@ -550,15 +676,14 @@ func TestServer_SetSession_flow(t *testing.T) { }, }) require.NoError(t, err) - verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0) + verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) sessionToken = resp.GetSessionToken() assertionData, err := Tester.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) require.NoError(t, err) resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: sessionToken, + SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ CredentialAssertionData: assertionData, @@ -567,7 +692,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) require.NoError(t, err) sessionToken = resp.GetSessionToken() - verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, wantUserFactor, wantWebAuthNFactorUserVerified) + verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantWebAuthNFactorUserVerified) }) userAuthCtx := Tester.WithAuthorizationToken(CTX, sessionToken) @@ -584,8 +709,7 @@ func TestServer_SetSession_flow(t *testing.T) { } { t.Run(userVerificationRequirement.String(), func(t *testing.T) { resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: sessionToken, + SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ Domain: Tester.Config.ExternalDomain, @@ -594,15 +718,14 @@ func TestServer_SetSession_flow(t *testing.T) { }, }) require.NoError(t, err) - verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0) + verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) sessionToken = resp.GetSessionToken() assertionData, err := Tester.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false) require.NoError(t, err) resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: sessionToken, + SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ CredentialAssertionData: assertionData, @@ -611,7 +734,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) require.NoError(t, err) sessionToken = resp.GetSessionToken() - verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, wantUserFactor, wantWebAuthNFactor) + verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantWebAuthNFactor) }) } }) @@ -620,8 +743,7 @@ func TestServer_SetSession_flow(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: sessionToken, + SessionId: createResp.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ Code: code, @@ -630,27 +752,25 @@ func TestServer_SetSession_flow(t *testing.T) { }) require.NoError(t, err) sessionToken = resp.GetSessionToken() - verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, wantUserFactor, wantWebAuthNFactor, wantTOTPFactor) + verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantWebAuthNFactor, wantTOTPFactor) }) t.Run("check OTP SMS", func(t *testing.T) { resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: sessionToken, + SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true}, }, }) require.NoError(t, err) - verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0) + verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) sessionToken = resp.GetSessionToken() otp := resp.GetChallenges().GetOtpSms() require.NotEmpty(t, otp) resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: sessionToken, + SessionId: createResp.GetSessionId(), Checks: &session.Checks{ OtpSms: &session.CheckOTP{ Code: otp, @@ -659,13 +779,12 @@ func TestServer_SetSession_flow(t *testing.T) { }) require.NoError(t, err) sessionToken = resp.GetSessionToken() - verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, wantUserFactor, wantWebAuthNFactor, wantOTPSMSFactor) + verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantWebAuthNFactor, wantOTPSMSFactor) }) t.Run("check OTP Email", func(t *testing.T) { resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: sessionToken, + SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ OtpEmail: &session.RequestChallenges_OTPEmail{ DeliveryType: &session.RequestChallenges_OTPEmail_ReturnCode_{}, @@ -673,15 +792,14 @@ func TestServer_SetSession_flow(t *testing.T) { }, }) require.NoError(t, err) - verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0) + verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) sessionToken = resp.GetSessionToken() otp := resp.GetChallenges().GetOtpEmail() require.NotEmpty(t, otp) resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: sessionToken, + SessionId: createResp.GetSessionId(), Checks: &session.Checks{ OtpEmail: &session.CheckOTP{ Code: otp, @@ -690,7 +808,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) require.NoError(t, err) sessionToken = resp.GetSessionToken() - verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, wantUserFactor, wantWebAuthNFactor, wantOTPEmailFactor) + verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantWebAuthNFactor, wantOTPEmailFactor) }) } @@ -701,19 +819,17 @@ func TestServer_SetSession_expired(t *testing.T) { require.NoError(t, err) // test session token works - sessionResp, err := Tester.Client.SessionV2.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: createResp.GetSessionToken(), - Lifetime: durationpb.New(20 * time.Second), + _, err = Tester.Client.SessionV2.SetSession(CTX, &session.SetSessionRequest{ + SessionId: createResp.GetSessionId(), + Lifetime: durationpb.New(20 * time.Second), }) require.NoError(t, err) // ensure session expires and does not work anymore time.Sleep(20 * time.Second) _, err = Tester.Client.SessionV2.SetSession(CTX, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: sessionResp.GetSessionToken(), - Lifetime: durationpb.New(20 * time.Second), + SessionId: createResp.GetSessionId(), + Lifetime: durationpb.New(20 * time.Second), }) require.Error(t, err) } diff --git a/internal/api/grpc/settings/v2/settings_converter.go b/internal/api/grpc/settings/v2/settings_converter.go index f00bbf0f9d..78c440012a 100644 --- a/internal/api/grpc/settings/v2/settings_converter.go +++ b/internal/api/grpc/settings/v2/settings_converter.go @@ -154,6 +154,9 @@ func legalAndSupportSettingsToPb(current *query.PrivacyPolicy) *settings.LegalAn HelpLink: current.HelpLink, SupportEmail: string(current.SupportEmail), ResourceOwnerType: isDefaultToResourceOwnerTypePb(current.IsDefault), + DocsLink: current.DocsLink, + CustomLink: current.CustomLink, + CustomLinkText: current.CustomLinkText, } } diff --git a/internal/api/grpc/settings/v2/settings_converter_test.go b/internal/api/grpc/settings/v2/settings_converter_test.go index d1cde07b87..078483042a 100644 --- a/internal/api/grpc/settings/v2/settings_converter_test.go +++ b/internal/api/grpc/settings/v2/settings_converter_test.go @@ -316,17 +316,23 @@ func Test_domainSettingsToPb(t *testing.T) { func Test_legalSettingsToPb(t *testing.T) { arg := &query.PrivacyPolicy{ - TOSLink: "http://example.com/tos", - PrivacyLink: "http://example.com/pricacy", - HelpLink: "http://example.com/help", - SupportEmail: "support@zitadel.com", - IsDefault: true, + TOSLink: "http://example.com/tos", + PrivacyLink: "http://example.com/pricacy", + HelpLink: "http://example.com/help", + SupportEmail: "support@zitadel.com", + IsDefault: true, + DocsLink: "http://example.com/docs", + CustomLink: "http://example.com/custom", + CustomLinkText: "Custom", } want := &settings.LegalAndSupportSettings{ TosLink: "http://example.com/tos", PrivacyPolicyLink: "http://example.com/pricacy", HelpLink: "http://example.com/help", SupportEmail: "support@zitadel.com", + DocsLink: "http://example.com/docs", + CustomLink: "http://example.com/custom", + CustomLinkText: "Custom", ResourceOwnerType: settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE, } got := legalAndSupportSettingsToPb(arg) diff --git a/internal/api/grpc/user/v2/user.go b/internal/api/grpc/user/v2/user.go index 6ff420a44b..dc91fe3eff 100644 --- a/internal/api/grpc/user/v2/user.go +++ b/internal/api/grpc/user/v2/user.go @@ -95,6 +95,7 @@ func AddUserRequestToAddHuman(req *user.AddHumanUserRequest) (*command.AddHuman, Register: false, Metadata: metadata, Links: links, + TOTPSecret: req.GetTotpSecret(), }, nil } diff --git a/internal/api/grpc/user/v2/user_integration_test.go b/internal/api/grpc/user/v2/user_integration_test.go index 132ed0b30f..824029724e 100644 --- a/internal/api/grpc/user/v2/user_integration_test.go +++ b/internal/api/grpc/user/v2/user_integration_test.go @@ -449,6 +449,52 @@ func TestServer_AddHumanUser(t *testing.T) { }, }, }, + { + name: "with totp", + args: args{ + CTX, + &user.AddHumanUserRequest{ + Organization: &object.Organization{ + Org: &object.Organization_OrgId{ + OrgId: Tester.Organisation.ID, + }, + }, + Profile: &user.SetHumanProfile{ + GivenName: "Donald", + FamilyName: "Duck", + NickName: gu.Ptr("Dukkie"), + DisplayName: gu.Ptr("Donald Duck"), + PreferredLanguage: gu.Ptr("en"), + Gender: user.Gender_GENDER_DIVERSE.Enum(), + }, + Email: &user.SetHumanEmail{ + Email: "livio@zitadel.com", + Verification: &user.SetHumanEmail_IsVerified{ + IsVerified: true, + }, + }, + Metadata: []*user.SetMetadataEntry{ + { + Key: "somekey", + Value: []byte("somevalue"), + }, + }, + PasswordType: &user.AddHumanUserRequest_Password{ + Password: &user.Password{ + Password: "DifficultPW666!", + ChangeRequired: false, + }, + }, + TotpSecret: gu.Ptr("secret"), + }, + }, + want: &user.AddHumanUserResponse{ + Details: &object.Details{ + ChangeDate: timestamppb.Now(), + ResourceOwner: Tester.Organisation.ID, + }, + }, + }, { name: "password not complexity conform", args: args{ @@ -1837,7 +1883,7 @@ func TestServer_StartIdentityProviderIntent(t *testing.T) { orgResp := Tester.CreateOrganization(IamCTX, fmt.Sprintf("NotDefaultOrg%d", time.Now().UnixNano()), fmt.Sprintf("%d@mouse.com", time.Now().UnixNano())) notDefaultOrgIdpID := Tester.AddOrgGenericOAuthProvider(t, CTX, orgResp.OrganizationId) samlIdpID := Tester.AddSAMLProvider(t, CTX) - samlRedirectIdpID := Tester.AddSAMLRedirectProvider(t, CTX) + samlRedirectIdpID := Tester.AddSAMLRedirectProvider(t, CTX, "") samlPostIdpID := Tester.AddSAMLPostProvider(t, CTX) type args struct { ctx context.Context diff --git a/internal/api/idp/idp.go b/internal/api/idp/idp.go index 6a2cb6e32e..0209e0337d 100644 --- a/internal/api/idp/idp.go +++ b/internal/api/idp/idp.go @@ -229,11 +229,6 @@ func (h *Handler) handleACS(w http.ResponseWriter, r *http.Request) { http.Error(w, err.Error(), http.StatusBadRequest) return } - sp, err := samlProvider.GetSP() - if err != nil { - http.Error(w, err.Error(), http.StatusBadRequest) - return - } intent, err := h.commands.GetActiveIntent(ctx, data.RelayState) if err != nil { @@ -245,10 +240,10 @@ func (h *Handler) handleACS(w http.ResponseWriter, r *http.Request) { return } - session := saml2.Session{ - ServiceProvider: sp, - RequestID: intent.RequestID, - Request: r, + session, err := saml2.NewSession(samlProvider, intent.RequestID, r) + if err != nil { + http.Error(w, err.Error(), http.StatusBadRequest) + return } idpUser, err := session.FetchUser(r.Context()) diff --git a/internal/api/idp/idp_integration_test.go b/internal/api/idp/idp_integration_test.go index 1ade5d7f3e..8fdc24539c 100644 --- a/internal/api/idp/idp_integration_test.go +++ b/internal/api/idp/idp_integration_test.go @@ -52,7 +52,7 @@ func TestMain(m *testing.M) { } func TestServer_SAMLCertificate(t *testing.T) { - samlRedirectIdpID := Tester.AddSAMLRedirectProvider(t, CTX) + samlRedirectIdpID := Tester.AddSAMLRedirectProvider(t, CTX, "") oauthIdpID := Tester.AddGenericOAuthProvider(t, CTX) type args struct { @@ -109,7 +109,7 @@ func TestServer_SAMLCertificate(t *testing.T) { } func TestServer_SAMLMetadata(t *testing.T) { - samlRedirectIdpID := Tester.AddSAMLRedirectProvider(t, CTX) + samlRedirectIdpID := Tester.AddSAMLRedirectProvider(t, CTX, "") oauthIdpID := Tester.AddGenericOAuthProvider(t, CTX) type args struct { @@ -167,7 +167,7 @@ func TestServer_SAMLMetadata(t *testing.T) { func TestServer_SAMLACS(t *testing.T) { userHuman := Tester.CreateHumanUser(CTX) - samlRedirectIdpID := Tester.AddSAMLRedirectProvider(t, CTX) + samlRedirectIdpID := Tester.AddSAMLRedirectProvider(t, CTX, "urn:oid:0.9.2342.19200300.100.1.1") // the username is set in urn:oid:0.9.2342.19200300.100.1.1 externalUserID := "test1" linkedExternalUserID := "test2" Tester.CreateUserIDPlink(CTX, userHuman.UserId, linkedExternalUserID, samlRedirectIdpID, linkedExternalUserID) @@ -180,13 +180,15 @@ func TestServer_SAMLACS(t *testing.T) { assert.NoError(t, err) type args struct { - ctx context.Context - successURL string - failureURL string - idpID string - username string - intentID string - response string + ctx context.Context + successURL string + failureURL string + idpID string + username string + nameID string + nameIDFormat string + intentID string + response string } type want struct { successful bool @@ -201,12 +203,14 @@ func TestServer_SAMLACS(t *testing.T) { { name: "intent invalid", args: args{ - ctx: CTX, - successURL: "https://example.com/success", - failureURL: "https://example.com/failure", - idpID: samlRedirectIdpID, - username: externalUserID, - intentID: "notexisting", + ctx: CTX, + successURL: "https://example.com/success", + failureURL: "https://example.com/failure", + idpID: samlRedirectIdpID, + username: externalUserID, + nameID: externalUserID, + nameIDFormat: string(saml.PersistentNameIDFormat), + intentID: "notexisting", }, want: want{ successful: false, @@ -217,12 +221,14 @@ func TestServer_SAMLACS(t *testing.T) { { name: "response invalid", args: args{ - ctx: CTX, - successURL: "https://example.com/success", - failureURL: "https://example.com/failure", - idpID: samlRedirectIdpID, - username: externalUserID, - response: "invalid", + ctx: CTX, + successURL: "https://example.com/success", + failureURL: "https://example.com/failure", + idpID: samlRedirectIdpID, + username: externalUserID, + nameID: externalUserID, + nameIDFormat: string(saml.PersistentNameIDFormat), + response: "invalid", }, want: want{ successful: false, @@ -232,11 +238,13 @@ func TestServer_SAMLACS(t *testing.T) { { name: "saml flow redirect, ok", args: args{ - ctx: CTX, - successURL: "https://example.com/success", - failureURL: "https://example.com/failure", - idpID: samlRedirectIdpID, - username: externalUserID, + ctx: CTX, + successURL: "https://example.com/success", + failureURL: "https://example.com/failure", + idpID: samlRedirectIdpID, + username: externalUserID, + nameID: externalUserID, + nameIDFormat: string(saml.PersistentNameIDFormat), }, want: want{ successful: true, @@ -246,11 +254,45 @@ func TestServer_SAMLACS(t *testing.T) { { name: "saml flow redirect with link, ok", args: args{ - ctx: CTX, - successURL: "https://example.com/success", - failureURL: "https://example.com/failure", - idpID: samlRedirectIdpID, - username: linkedExternalUserID, + ctx: CTX, + successURL: "https://example.com/success", + failureURL: "https://example.com/failure", + idpID: samlRedirectIdpID, + username: linkedExternalUserID, + nameID: linkedExternalUserID, + nameIDFormat: string(saml.PersistentNameIDFormat), + }, + want: want{ + successful: true, + user: userHuman.UserId, + }, + }, + { + name: "saml flow redirect (transient), ok", + args: args{ + ctx: CTX, + successURL: "https://example.com/success", + failureURL: "https://example.com/failure", + idpID: samlRedirectIdpID, + username: externalUserID, + nameID: "genericID", + nameIDFormat: string(saml.TransientNameIDFormat), + }, + want: want{ + successful: true, + user: "", + }, + }, + { + name: "saml flow redirect with link (transient), ok", + args: args{ + ctx: CTX, + successURL: "https://example.com/success", + failureURL: "https://example.com/failure", + idpID: samlRedirectIdpID, + username: linkedExternalUserID, + nameID: "genericID", + nameIDFormat: string(saml.TransientNameIDFormat), }, want: want{ successful: true, @@ -287,7 +329,7 @@ func TestServer_SAMLACS(t *testing.T) { relayState = tt.args.intentID } callbackURL := http_util.BuildOrigin(Tester.Host(), Tester.Server.Config.ExternalSecure) + "/idps/" + tt.args.idpID + "/saml/acs" - response := createResponse(t, idp, samlRequest, tt.args.username) + response := createResponse(t, idp, samlRequest, tt.args.nameID, tt.args.nameIDFormat, tt.args.username) //test purposes, use defined response if tt.args.response != "" { response = tt.args.response @@ -432,14 +474,16 @@ func getIDP(zitadelBaseURL string, idpIDs []string, user1, user2 string) (*saml. return &idpServer.IDP, nil } -func createResponse(t *testing.T, idp *saml.IdentityProvider, req *http.Request, username string) string { +func createResponse(t *testing.T, idp *saml.IdentityProvider, req *http.Request, nameID, nameIDFormat, username string) string { authnReq, err := saml.NewIdpAuthnRequest(idp, req) assert.NoError(t, authnReq.Validate()) err = idp.AssertionMaker.MakeAssertion(authnReq, &saml.Session{ - CreateTime: time.Now().UTC(), - Index: "", - NameID: username, + CreateTime: time.Now().UTC(), + Index: "", + NameID: nameID, + NameIDFormat: nameIDFormat, + UserName: username, }) assert.NoError(t, err) err = authnReq.MakeResponse() diff --git a/internal/api/oidc/access_token.go b/internal/api/oidc/access_token.go index fce600b62b..4ac1646edf 100644 --- a/internal/api/oidc/access_token.go +++ b/internal/api/oidc/access_token.go @@ -6,8 +6,10 @@ import ( "strings" "time" + "github.com/muhlemmer/gu" "github.com/zitadel/oidc/v3/pkg/oidc" "github.com/zitadel/oidc/v3/pkg/op" + "golang.org/x/text/language" "github.com/zitadel/zitadel/internal/api/authz" "github.com/zitadel/zitadel/internal/command" @@ -19,19 +21,20 @@ import ( ) type accessToken struct { - tokenID string - userID string - resourceOwner string - subject string - clientID string - audience []string - scope []string - authMethods []domain.UserAuthMethodType - authTime time.Time - tokenCreation time.Time - tokenExpiration time.Time - isPAT bool - actor *domain.TokenActor + tokenID string + userID string + resourceOwner string + subject string + preferredLanguage *language.Tag + clientID string + audience []string + scope []string + authMethods []domain.UserAuthMethodType + authTime time.Time + tokenCreation time.Time + tokenExpiration time.Time + isPAT bool + actor *domain.TokenActor } var ErrInvalidTokenFormat = errors.New("invalid token format") @@ -73,35 +76,41 @@ func (s *Server) verifyAccessToken(ctx context.Context, tkn string) (_ *accessTo } func accessTokenV1(tokenID, subject string, token *model.TokenView) *accessToken { + var preferredLanguage *language.Tag + if token.PreferredLanguage != "" { + preferredLanguage = gu.Ptr(language.Make(token.PreferredLanguage)) + } return &accessToken{ - tokenID: tokenID, - userID: token.UserID, - resourceOwner: token.ResourceOwner, - subject: subject, - clientID: token.ApplicationID, - audience: token.Audience, - scope: token.Scopes, - tokenCreation: token.CreationDate, - tokenExpiration: token.Expiration, - isPAT: token.IsPAT, - actor: token.Actor, + tokenID: tokenID, + userID: token.UserID, + resourceOwner: token.ResourceOwner, + subject: subject, + preferredLanguage: preferredLanguage, + clientID: token.ApplicationID, + audience: token.Audience, + scope: token.Scopes, + tokenCreation: token.CreationDate, + tokenExpiration: token.Expiration, + isPAT: token.IsPAT, + actor: token.Actor, } } func accessTokenV2(tokenID, subject string, token *query.OIDCSessionAccessTokenReadModel) *accessToken { return &accessToken{ - tokenID: tokenID, - userID: token.UserID, - resourceOwner: token.ResourceOwner, - subject: subject, - clientID: token.ClientID, - audience: token.Audience, - scope: token.Scope, - authMethods: token.AuthMethods, - authTime: token.AuthTime, - tokenCreation: token.AccessTokenCreation, - tokenExpiration: token.AccessTokenExpiration, - actor: token.Actor, + tokenID: tokenID, + userID: token.UserID, + resourceOwner: token.ResourceOwner, + subject: subject, + preferredLanguage: token.PreferredLanguage, + clientID: token.ClientID, + audience: token.Audience, + scope: token.Scope, + authMethods: token.AuthMethods, + authTime: token.AuthTime, + tokenCreation: token.AccessTokenCreation, + tokenExpiration: token.AccessTokenExpiration, + actor: token.Actor, } } diff --git a/internal/api/oidc/amr.go b/internal/api/oidc/amr.go index 4f773f1759..83856af99b 100644 --- a/internal/api/oidc/amr.go +++ b/internal/api/oidc/amr.go @@ -1,6 +1,10 @@ package oidc -import "github.com/zitadel/zitadel/internal/domain" +import ( + "slices" + + "github.com/zitadel/zitadel/internal/domain" +) const ( // Password states that the users password has been verified @@ -87,5 +91,5 @@ func AMRToAuthMethodTypes(amr []string) []domain.UserAuthMethodType { authMethods = append(authMethods, domain.UserAuthMethodTypeU2F) } } - return authMethods + return slices.Compact(authMethods) // remove duplicate entries } diff --git a/internal/api/oidc/auth_request.go b/internal/api/oidc/auth_request.go index 7cb7ca7af0..1abe59dc88 100644 --- a/internal/api/oidc/auth_request.go +++ b/internal/api/oidc/auth_request.go @@ -3,6 +3,9 @@ package oidc import ( "context" "encoding/base64" + "fmt" + "net/http" + "slices" "strings" "time" @@ -10,7 +13,6 @@ import ( "github.com/zitadel/oidc/v3/pkg/oidc" "github.com/zitadel/oidc/v3/pkg/op" - "github.com/zitadel/zitadel/internal/activity" "github.com/zitadel/zitadel/internal/api/authz" http_utils "github.com/zitadel/zitadel/internal/api/http" "github.com/zitadel/zitadel/internal/api/http/middleware" @@ -64,18 +66,19 @@ func (o *OPStorage) createAuthRequestLoginClient(ctx context.Context, req *oidc. return nil, err } authRequest := &command.AuthRequest{ - LoginClient: loginClient, - ClientID: req.ClientID, - RedirectURI: req.RedirectURI, - State: req.State, - Nonce: req.Nonce, - Scope: scope, - Audience: audience, - ResponseType: ResponseTypeToBusiness(req.ResponseType), - CodeChallenge: CodeChallengeToBusiness(req.CodeChallenge, req.CodeChallengeMethod), - Prompt: PromptToBusiness(req.Prompt), - UILocales: UILocalesToBusiness(req.UILocales), - MaxAge: MaxAgeToBusiness(req.MaxAge), + LoginClient: loginClient, + ClientID: req.ClientID, + RedirectURI: req.RedirectURI, + State: req.State, + Nonce: req.Nonce, + Scope: scope, + Audience: audience, + NeedRefreshToken: slices.Contains(scope, oidc.ScopeOfflineAccess), + ResponseType: ResponseTypeToBusiness(req.ResponseType), + CodeChallenge: CodeChallengeToBusiness(req.CodeChallenge, req.CodeChallengeMethod), + Prompt: PromptToBusiness(req.Prompt), + UILocales: UILocalesToBusiness(req.UILocales), + MaxAge: MaxAgeToBusiness(req.MaxAge), } if req.LoginHint != "" { authRequest.LoginHint = &req.LoginHint @@ -149,28 +152,7 @@ func (o *OPStorage) AuthRequestByID(ctx context.Context, id string) (_ op.AuthRe } func (o *OPStorage) AuthRequestByCode(ctx context.Context, code string) (_ op.AuthRequest, err error) { - ctx, span := tracing.NewSpan(ctx) - defer func() { - err = oidcError(err) - span.EndWithError(err) - }() - - plainCode, err := o.decryptGrant(code) - if err != nil { - return nil, zerrors.ThrowInvalidArgument(err, "OIDC-ahLi2", "Errors.User.Code.Invalid") - } - if strings.HasPrefix(plainCode, command.IDPrefixV2) { - authReq, err := o.command.ExchangeAuthCode(ctx, plainCode) - if err != nil { - return nil, err - } - return &AuthRequestV2{authReq}, nil - } - resp, err := o.repo.AuthRequestByCode(ctx, code) - if err != nil { - return nil, err - } - return AuthRequestFromBusiness(resp) + panic(o.panicErr("AuthRequestByCode")) } // decryptGrant decrypts a code or refresh_token @@ -201,136 +183,23 @@ func (o *OPStorage) SaveAuthCode(ctx context.Context, id, code string) (err erro } func (o *OPStorage) DeleteAuthRequest(ctx context.Context, id string) (err error) { - ctx, span := tracing.NewSpan(ctx) - defer func() { - err = oidcError(err) - span.EndWithError(err) - }() - - return o.repo.DeleteAuthRequest(ctx, id) + panic(o.panicErr("DeleteAuthRequest")) } -func (o *OPStorage) CreateAccessToken(ctx context.Context, req op.TokenRequest) (_ string, _ time.Time, err error) { - ctx, span := tracing.NewSpan(ctx) - defer func() { - err = oidcError(err) - span.EndWithError(err) - }() - if authReq, ok := req.(*AuthRequestV2); ok { - activity.Trigger(ctx, "", authReq.CurrentAuthRequest.UserID, activity.OIDCAccessToken, o.eventstore.FilterToQueryReducer) - return o.command.AddOIDCSessionAccessToken(setContextUserSystem(ctx), authReq.GetID()) - } - - userAgentID, applicationID, userOrgID, authTime, amr, reason, actor := getInfoFromRequest(req) - accessTokenLifetime, _, _, _, err := o.getOIDCSettings(ctx) - if err != nil { - return "", time.Time{}, err - } - - resp, err := o.command.AddUserToken(setContextUserSystem(ctx), userOrgID, userAgentID, applicationID, req.GetSubject(), req.GetAudience(), req.GetScopes(), amr, accessTokenLifetime, authTime, reason, actor) - if err != nil { - return "", time.Time{}, err - } - - // trigger activity log for authentication for user - activity.Trigger(ctx, userOrgID, req.GetSubject(), activity.OIDCAccessToken, o.eventstore.FilterToQueryReducer) - return resp.TokenID, resp.Expiration, nil +func (o *OPStorage) CreateAccessToken(ctx context.Context, req op.TokenRequest) (string, time.Time, error) { + panic(o.panicErr("CreateAccessToken")) } -func (o *OPStorage) CreateAccessAndRefreshTokens(ctx context.Context, req op.TokenRequest, refreshToken string) (_, _ string, _ time.Time, err error) { - ctx, span := tracing.NewSpan(ctx) - defer func() { - err = oidcError(err) - span.EndWithError(err) - }() - - // handle V2 request directly - switch tokenReq := req.(type) { - case *AuthRequestV2: - // trigger activity log for authentication for user - activity.Trigger(ctx, "", tokenReq.GetSubject(), activity.OIDCRefreshToken, o.eventstore.FilterToQueryReducer) - return o.command.AddOIDCSessionRefreshAndAccessToken(setContextUserSystem(ctx), tokenReq.GetID()) - case *RefreshTokenRequestV2: - // trigger activity log for authentication for user - activity.Trigger(ctx, "", tokenReq.GetSubject(), activity.OIDCRefreshToken, o.eventstore.FilterToQueryReducer) - return o.command.ExchangeOIDCSessionRefreshAndAccessToken(setContextUserSystem(ctx), tokenReq.OIDCSessionWriteModel.AggregateID, refreshToken, tokenReq.RequestedScopes) - } - - userAgentID, applicationID, userOrgID, authTime, authMethodsReferences, reason, actor := getInfoFromRequest(req) - scopes, err := o.assertProjectRoleScopes(ctx, applicationID, req.GetScopes()) - if err != nil { - return "", "", time.Time{}, zerrors.ThrowPreconditionFailed(err, "OIDC-Df2fq", "Errors.Internal") - } - if request, ok := req.(op.RefreshTokenRequest); ok { - request.SetCurrentScopes(scopes) - } - - accessTokenLifetime, _, refreshTokenIdleExpiration, refreshTokenExpiration, err := o.getOIDCSettings(ctx) - if err != nil { - return "", "", time.Time{}, err - } - - resp, token, err := o.command.AddAccessAndRefreshToken(setContextUserSystem(ctx), userOrgID, userAgentID, applicationID, req.GetSubject(), - refreshToken, req.GetAudience(), scopes, authMethodsReferences, accessTokenLifetime, - refreshTokenIdleExpiration, refreshTokenExpiration, authTime, reason, actor) //PLANNED: lifetime from client - if err != nil { - if zerrors.IsErrorInvalidArgument(err) { - err = oidc.ErrInvalidGrant().WithParent(err) - } - return "", "", time.Time{}, err - } - - // trigger activity log for authentication for user - activity.Trigger(ctx, userOrgID, req.GetSubject(), activity.OIDCRefreshToken, o.eventstore.FilterToQueryReducer) - return resp.TokenID, token, resp.Expiration, nil +func (o *OPStorage) CreateAccessAndRefreshTokens(context.Context, op.TokenRequest, string) (string, string, time.Time, error) { + panic(o.panicErr("CreateAccessAndRefreshTokens")) } -func getInfoFromRequest(req op.TokenRequest) (agentID string, clientID string, userOrgID string, authTime time.Time, amr []string, reason domain.TokenReason, actor *domain.TokenActor) { - switch r := req.(type) { - case *AuthRequest: - return r.AgentID, r.ApplicationID, r.UserOrgID, r.AuthTime, r.GetAMR(), domain.TokenReasonAuthRequest, nil - case *RefreshTokenRequest: - return r.UserAgentID, r.ClientID, "", r.AuthTime, r.AuthMethodsReferences, domain.TokenReasonRefresh, r.Actor - case op.IDTokenRequest: - return "", r.GetClientID(), "", r.GetAuthTime(), r.GetAMR(), domain.TokenReasonAuthRequest, nil - case *oidc.JWTTokenRequest: - return "", "", "", r.GetAuthTime(), nil, domain.TokenReasonJWTProfile, nil - case *clientCredentialsRequest: - return "", "", "", time.Time{}, nil, domain.TokenReasonClientCredentials, nil - default: - return "", "", "", time.Time{}, nil, domain.TokenReasonAuthRequest, nil - } +func (*OPStorage) panicErr(method string) error { + return fmt.Errorf("OPStorage.%s should not be called anymore. This is a bug. Please report https://github.com/zitadel/zitadel/issues", method) } func (o *OPStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (_ op.RefreshTokenRequest, err error) { - ctx, span := tracing.NewSpan(ctx) - defer func() { - err = oidcError(err) - span.EndWithError(err) - }() - - plainToken, err := o.decryptGrant(refreshToken) - if err != nil { - return nil, op.ErrInvalidRefreshToken - } - if strings.HasPrefix(plainToken, command.IDPrefixV2) { - oidcSession, err := o.command.OIDCSessionByRefreshToken(ctx, plainToken) - if err != nil { - return nil, err - } - // trigger activity log for authentication for user - activity.Trigger(ctx, "", oidcSession.UserID, activity.OIDCRefreshToken, o.eventstore.FilterToQueryReducer) - return &RefreshTokenRequestV2{OIDCSessionWriteModel: oidcSession}, nil - } - - tokenView, err := o.repo.RefreshTokenByToken(ctx, refreshToken) - if err != nil { - return nil, err - } - - // trigger activity log for use of refresh token for user - activity.Trigger(ctx, tokenView.ResourceOwner, tokenView.UserID, activity.OIDCRefreshToken, o.eventstore.FilterToQueryReducer) - return RefreshTokenRequestFromBusiness(tokenView), nil + panic("TokenRequestByRefreshToken should not be called anymore. This is a bug. Please report https://github.com/zitadel/zitadel/issues") } func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID string) (err error) { @@ -368,18 +237,19 @@ func (o *OPStorage) TerminateSessionFromRequest(ctx context.Context, endSessionR }() // check for the login client header - // and if not provided, terminate the session using the V1 method headers, _ := http_utils.HeadersFromCtx(ctx) - if loginClient := headers.Get(LoginClientHeader); loginClient == "" { - return endSessionRequest.RedirectURI, o.TerminateSession(ctx, endSessionRequest.UserID, endSessionRequest.ClientID) - } - - // in case there are not id_token_hint, redirect to the UI and let it decide which session to terminate - if endSessionRequest.IDTokenHintClaims == nil { + // in case there is no id_token_hint, redirect to the UI and let it decide which session to terminate + if headers.Get(LoginClientHeader) != "" && endSessionRequest.IDTokenHintClaims == nil { return o.defaultLogoutURLV2 + endSessionRequest.RedirectURI, nil } - // terminate the session of the id_token_hint + // If there is no login client header and no id_token_hint or the id_token_hint does not have a session ID, + // do a v1 Terminate session. + if endSessionRequest.IDTokenHintClaims == nil || endSessionRequest.IDTokenHintClaims.SessionID == "" { + return endSessionRequest.RedirectURI, o.TerminateSession(ctx, endSessionRequest.UserID, endSessionRequest.ClientID) + } + + // terminate the v2 session of the id_token_hint _, err = o.command.TerminateSessionWithoutTokenCheck(ctx, endSessionRequest.IDTokenHintClaims.SessionID) if err != nil { return "", err @@ -543,18 +413,6 @@ func setContextUserSystem(ctx context.Context) context.Context { return authz.SetCtxData(ctx, data) } -func (o *OPStorage) getOIDCSettings(ctx context.Context) (accessTokenLifetime, idTokenLifetime, refreshTokenIdleExpiration, refreshTokenExpiration time.Duration, _ error) { - oidcSettings, err := o.query.OIDCSettingsByAggID(ctx, authz.GetInstance(ctx).InstanceID()) - if err != nil && !zerrors.IsNotFound(err) { - return time.Duration(0), time.Duration(0), time.Duration(0), time.Duration(0), err - } - - if oidcSettings != nil { - return oidcSettings.AccessTokenLifetime, oidcSettings.IdTokenLifetime, oidcSettings.RefreshTokenIdleExpiration, oidcSettings.RefreshTokenExpiration, nil - } - return o.defaultAccessTokenLifetime, o.defaultIdTokenLifetime, o.defaultRefreshTokenIdleExpiration, o.defaultRefreshTokenExpiration, nil -} - func CreateErrorCallbackURL(authReq op.AuthRequest, reason, description, uri string, authorizer op.Authorizer) (string, error) { e := struct { Error string `schema:"error"` @@ -593,19 +451,137 @@ func CreateCodeCallbackURL(ctx context.Context, authReq op.AuthRequest, authoriz return callback, err } -func CreateTokenCallbackURL(ctx context.Context, req op.AuthRequest, authorizer op.Authorizer) (string, error) { - client, err := authorizer.Storage().GetClientByClientID(ctx, req.GetClientID()) +func (s *Server) CreateTokenCallbackURL(ctx context.Context, req op.AuthRequest) (string, error) { + provider := s.Provider() + opClient, err := provider.Storage().GetClientByClientID(ctx, req.GetClientID()) if err != nil { return "", err } - createAccessToken := req.GetResponseType() != oidc.ResponseTypeIDTokenOnly - resp, err := op.CreateTokenResponse(ctx, req, client, authorizer, createAccessToken, "", "") + client, ok := opClient.(*Client) + if !ok { + return "", zerrors.ThrowInternal(nil, "OIDC-waeN6", "Error.Internal") + } + + session, state, err := s.command.CreateOIDCSessionFromAuthRequest( + setContextUserSystem(ctx), + req.GetID(), + implicitFlowComplianceChecker(), + slices.Contains(client.GrantTypes(), oidc.GrantTypeRefreshToken), + ) if err != nil { return "", err } - callback, err := op.AuthResponseURL(req.GetRedirectURI(), req.GetResponseType(), req.GetResponseMode(), resp, authorizer.Encoder()) + resp, err := s.accessTokenResponseFromSession(ctx, client, session, state, client.client.ProjectID, client.client.ProjectRoleAssertion) + if err != nil { + return "", err + } + callback, err := op.AuthResponseURL(req.GetRedirectURI(), req.GetResponseType(), req.GetResponseMode(), resp, provider.Encoder()) if err != nil { return "", err } return callback, err } + +func implicitFlowComplianceChecker() command.AuthRequestComplianceChecker { + return func(_ context.Context, authReq *command.AuthRequestWriteModel) error { + if err := authReq.CheckAuthenticated(); err != nil { + return err + } + return nil + } +} + +func (s *Server) authorizeCallbackHandler(w http.ResponseWriter, r *http.Request) { + authorizer := s.Provider() + authReq, err := func(ctx context.Context) (authReq *AuthRequest, err error) { + ctx, span := tracing.NewSpan(ctx) + r = r.WithContext(ctx) + defer func() { span.EndWithError(err) }() + + id, err := op.ParseAuthorizeCallbackRequest(r) + if err != nil { + return nil, err + } + authReq, err = s.getAuthRequestV1ByID(ctx, id) + if err != nil { + return nil, err + } + if !authReq.Done() { + return authReq, oidc.ErrInteractionRequired().WithDescription("Unfortunately, the user may be not logged in and/or additional interaction is required.") + } + return authReq, s.authResponse(authReq, authorizer, w, r) + }(r.Context()) + if err != nil { + op.AuthRequestError(w, r, authReq, err, authorizer) + } +} + +func (s *Server) authResponse(authReq *AuthRequest, authorizer op.Authorizer, w http.ResponseWriter, r *http.Request) (err error) { + ctx, span := tracing.NewSpan(r.Context()) + r = r.WithContext(ctx) + defer func() { span.EndWithError(err) }() + + client, err := authorizer.Storage().GetClientByClientID(ctx, authReq.GetClientID()) + if err != nil { + op.AuthRequestError(w, r, authReq, err, authorizer) + return err + } + if authReq.GetResponseType() == oidc.ResponseTypeCode { + op.AuthResponseCode(w, r, authReq, authorizer) + return nil + } + return s.authResponseToken(authReq, authorizer, client, w, r) +} + +func (s *Server) authResponseToken(authReq *AuthRequest, authorizer op.Authorizer, opClient op.Client, w http.ResponseWriter, r *http.Request) (err error) { + ctx, span := tracing.NewSpan(r.Context()) + r = r.WithContext(ctx) + defer func() { span.EndWithError(err) }() + + client, ok := opClient.(*Client) + if !ok { + return zerrors.ThrowInternal(nil, "OIDC-waeN6", "Error.Internal") + } + + scope := authReq.GetScopes() + session, err := s.command.CreateOIDCSession(ctx, + authReq.UserID, + authReq.UserOrgID, + client.client.ClientID, + scope, + authReq.Audience, + authReq.AuthMethods(), + authReq.AuthTime, + authReq.GetNonce(), + authReq.PreferredLanguage, + authReq.BrowserInfo.ToUserAgent(), + domain.TokenReasonAuthRequest, + nil, + slices.Contains(scope, oidc.ScopeOfflineAccess), + ) + if err != nil { + op.AuthRequestError(w, r, authReq, err, authorizer) + return err + } + resp, err := s.accessTokenResponseFromSession(ctx, client, session, authReq.GetState(), client.client.ProjectID, client.client.ProjectRoleAssertion) + if err != nil { + op.AuthRequestError(w, r, authReq, err, authorizer) + return err + } + + if authReq.GetResponseMode() == oidc.ResponseModeFormPost { + if err = op.AuthResponseFormPost(w, authReq.GetRedirectURI(), resp, authorizer.Encoder()); err != nil { + op.AuthRequestError(w, r, authReq, err, authorizer) + return err + } + return nil + } + + callback, err := op.AuthResponseURL(authReq.GetRedirectURI(), authReq.GetResponseType(), authReq.GetResponseMode(), resp, authorizer.Encoder()) + if err != nil { + op.AuthRequestError(w, r, authReq, err, authorizer) + return err + } + http.Redirect(w, r, callback, http.StatusFound) + return nil +} diff --git a/internal/api/oidc/auth_request_converter.go b/internal/api/oidc/auth_request_converter.go index 76cbc655dc..9a1aee2aa4 100644 --- a/internal/api/oidc/auth_request_converter.go +++ b/internal/api/oidc/auth_request_converter.go @@ -94,7 +94,7 @@ func (a *AuthRequest) oidc() *domain.AuthRequestOIDC { return a.Request.(*domain.AuthRequestOIDC) } -func AuthRequestFromBusiness(authReq *domain.AuthRequest) (_ op.AuthRequest, err error) { +func AuthRequestFromBusiness(authReq *domain.AuthRequest) (_ *AuthRequest, err error) { if _, ok := authReq.Request.(*domain.AuthRequestOIDC); !ok { return nil, zerrors.ThrowInvalidArgument(nil, "OIDC-Haz7A", "auth request is not of type oidc") } diff --git a/internal/api/oidc/client.go b/internal/api/oidc/client.go index a80d4ad95e..8dc7c58ad5 100644 --- a/internal/api/oidc/client.go +++ b/internal/api/oidc/client.go @@ -5,6 +5,7 @@ import ( "encoding/base64" "encoding/json" "fmt" + "slices" "strings" "time" @@ -69,7 +70,7 @@ func (o *OPStorage) GetKeyByIDAndIssuer(ctx context.Context, keyID, issuer strin err = oidcError(err) span.EndWithError(err) }() - publicKeyData, err := o.query.GetAuthNKeyPublicKeyByIDAndIdentifier(ctx, keyID, issuer, false) + publicKeyData, err := o.query.GetAuthNKeyPublicKeyByIDAndIdentifier(ctx, keyID, issuer) if err != nil { return nil, err } @@ -1040,3 +1041,26 @@ func (s *Server) verifyClientSecret(ctx context.Context, client *query.OIDCClien s.command.OIDCSecretCheckSucceeded(ctx, client.AppID, client.ProjectID, client.Settings.ResourceOwner, updated) return nil } + +func (s *Server) checkOrgScopes(ctx context.Context, user *query.User, scopes []string) ([]string, error) { + if slices.ContainsFunc(scopes, func(scope string) bool { + return strings.HasPrefix(scope, domain.OrgDomainPrimaryScope) + }) { + org, err := s.query.OrgByID(ctx, false, user.ResourceOwner) + if err != nil { + return nil, err + } + scopes = slices.DeleteFunc(scopes, func(scope string) bool { + if domain, ok := strings.CutPrefix(scope, domain.OrgDomainPrimaryScope); ok { + return domain != org.Domain + } + return false + }) + } + return slices.DeleteFunc(scopes, func(scope string) bool { + if orgID, ok := strings.CutPrefix(scope, domain.OrgIDScope); ok { + return orgID != user.ResourceOwner + } + return false + }), nil +} diff --git a/internal/api/oidc/client_converter.go b/internal/api/oidc/client_converter.go index 74d983c811..f5e53312d0 100644 --- a/internal/api/oidc/client_converter.go +++ b/internal/api/oidc/client_converter.go @@ -104,28 +104,7 @@ func (c *Client) AccessTokenType() op.AccessTokenType { } func (c *Client) IsScopeAllowed(scope string) bool { - if strings.HasPrefix(scope, domain.OrgDomainPrimaryScope) { - return true - } - if strings.HasPrefix(scope, domain.OrgIDScope) { - return true - } - if strings.HasPrefix(scope, domain.ProjectIDScope) { - return true - } - if strings.HasPrefix(scope, domain.SelectIDPScope) { - return true - } - if scope == ScopeUserMetaData { - return true - } - if scope == ScopeResourceOwner { - return true - } - if scope == ScopeProjectsRoles { - return true - } - return slices.Contains(c.allowedScopes, scope) + return isScopeAllowed(scope, c.allowedScopes...) } func (c *Client) ClockSkew() time.Duration { @@ -249,3 +228,28 @@ func clientIDFromCredentials(cc *op.ClientCredentials) (clientID string, asserti } return cc.ClientID, false, nil } + +func isScopeAllowed(scope string, allowedScopes ...string) bool { + if strings.HasPrefix(scope, domain.OrgDomainPrimaryScope) { + return true + } + if strings.HasPrefix(scope, domain.OrgIDScope) { + return true + } + if strings.HasPrefix(scope, domain.ProjectIDScope) { + return true + } + if strings.HasPrefix(scope, domain.SelectIDPScope) { + return true + } + if scope == ScopeUserMetaData { + return true + } + if scope == ScopeResourceOwner { + return true + } + if scope == ScopeProjectsRoles { + return true + } + return slices.Contains(allowedScopes, scope) +} diff --git a/internal/api/oidc/client_credentials.go b/internal/api/oidc/client_credentials.go index a62fa54a2b..b2821bcb70 100644 --- a/internal/api/oidc/client_credentials.go +++ b/internal/api/oidc/client_credentials.go @@ -2,6 +2,7 @@ package oidc import ( "context" + "strings" "time" "github.com/zitadel/oidc/v3/pkg/oidc" @@ -136,9 +137,8 @@ func (c *clientCredentialsClient) RestrictAdditionalAccessTokenScopes() func(sco } } -// IsScopeAllowed returns null false as the check is executed during the auth request validation func (c *clientCredentialsClient) IsScopeAllowed(scope string) bool { - return false + return isScopeAllowed(scope) || strings.HasPrefix(scope, ScopeProjectRolePrefix) } // IDTokenUserinfoClaimsAssertion returns null false as no id_token is issued diff --git a/internal/api/oidc/client_integration_test.go b/internal/api/oidc/client_integration_test.go index 2ad88cf096..58fdebef07 100644 --- a/internal/api/oidc/client_integration_test.go +++ b/internal/api/oidc/client_integration_test.go @@ -7,7 +7,6 @@ import ( "testing" "time" - "github.com/brianvoe/gofakeit/v6" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/zitadel/oidc/v3/pkg/client" @@ -22,7 +21,6 @@ import ( "github.com/zitadel/zitadel/pkg/grpc/authn" "github.com/zitadel/zitadel/pkg/grpc/management" oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2beta" - "github.com/zitadel/zitadel/pkg/grpc/user" ) func TestServer_Introspect(t *testing.T) { @@ -346,73 +344,3 @@ func createInvalidKeyData(t testing.TB, client *management.AddOIDCAppResponse) [ require.NoError(t, err) return data } - -func TestServer_CreateAccessToken_ClientCredentials(t *testing.T) { - _, clientID, clientSecret, err := Tester.CreateOIDCCredentialsClient(CTX) - require.NoError(t, err) - - type clientDetails struct { - clientID string - clientSecret string - keyData []byte - } - tests := []struct { - name string - clientID string - clientSecret string - wantErr bool - }{ - { - name: "missing client ID error", - clientID: "", - clientSecret: clientSecret, - wantErr: true, - }, - { - name: "client not found error", - clientID: "foo", - clientSecret: clientSecret, - wantErr: true, - }, - { - name: "machine user without secret error", - clientID: func() string { - name := gofakeit.Username() - _, err := Tester.Client.Mgmt.AddMachineUser(CTX, &management.AddMachineUserRequest{ - Name: name, - UserName: name, - AccessTokenType: user.AccessTokenType_ACCESS_TOKEN_TYPE_JWT, - }) - require.NoError(t, err) - return name - }(), - clientSecret: clientSecret, - wantErr: true, - }, - { - name: "wrong secret error", - clientID: clientID, - clientSecret: "bar", - wantErr: true, - }, - { - name: "success", - clientID: clientID, - clientSecret: clientSecret, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - provider, err := rp.NewRelyingPartyOIDC(CTX, Tester.OIDCIssuer(), tt.clientID, tt.clientSecret, redirectURI, []string{oidc.ScopeOpenID}) - require.NoError(t, err) - tokens, err := rp.ClientCredentials(CTX, provider, nil) - if tt.wantErr { - require.Error(t, err) - return - } - require.NoError(t, err) - assert.NotNil(t, tokens) - assert.NotEmpty(t, tokens.AccessToken) - }) - } -} diff --git a/internal/api/oidc/device_auth.go b/internal/api/oidc/device_auth.go index 45f6453556..0fe5a7d8c7 100644 --- a/internal/api/oidc/device_auth.go +++ b/internal/api/oidc/device_auth.go @@ -2,14 +2,14 @@ package oidc import ( "context" + "slices" "time" "github.com/zitadel/logging" + "github.com/zitadel/oidc/v3/pkg/oidc" "github.com/zitadel/oidc/v3/pkg/op" "github.com/zitadel/zitadel/internal/api/ui/login" - "github.com/zitadel/zitadel/internal/domain" - "github.com/zitadel/zitadel/internal/query" "github.com/zitadel/zitadel/internal/telemetry/tracing" ) @@ -80,7 +80,7 @@ func (o *OPStorage) StoreDeviceAuthorization(ctx context.Context, clientID, devi if err != nil { return err } - details, err := o.command.AddDeviceAuth(ctx, clientID, deviceCode, userCode, expires, scope, audience) + details, err := o.command.AddDeviceAuth(ctx, clientID, deviceCode, userCode, expires, scope, audience, slices.Contains(scope, oidc.ScopeOfflineAccess)) if err == nil { logger.SetFields("details", details).Debug(logMsg) } @@ -88,50 +88,6 @@ func (o *OPStorage) StoreDeviceAuthorization(ctx context.Context, clientID, devi return err } -func newDeviceAuthorizationState(d *query.DeviceAuth) *op.DeviceAuthorizationState { - return &op.DeviceAuthorizationState{ - ClientID: d.ClientID, - Scopes: d.Scopes, - Audience: d.Audience, - Expires: d.Expires, - Done: d.State.Done(), - Denied: d.State.Denied(), - Subject: d.Subject, - AMR: AuthMethodTypesToAMR(d.UserAuthMethods), - AuthTime: d.AuthTime, - } -} - -// GetDeviceAuthorizatonState retrieves the current state of the Device Authorization process. -// It implements the [op.DeviceAuthorizationStorage] interface and is used by devices that -// are polling until they successfully receive a token or we indicate a denied or expired state. -// As generated user codes are of low entropy, this implementation also takes care or -// device authorization request cleanup, when it has been Approved, Denied or Expired. -func (o *OPStorage) GetDeviceAuthorizatonState(ctx context.Context, clientID, deviceCode string) (state *op.DeviceAuthorizationState, err error) { - ctx, span := tracing.NewSpan(ctx) - defer func() { - err = oidcError(err) - span.EndWithError(err) - }() - - deviceAuth, err := o.query.DeviceAuthByDeviceCode(ctx, deviceCode) - if err != nil { - return nil, err - } - logging.WithFields( - "device_code", deviceCode, - "expires", deviceAuth.Expires, "scopes", deviceAuth.Scopes, - "subject", deviceAuth.Subject, "state", deviceAuth.State, - ).Debug("device authorization state") - - // Cancel the request if it is expired, only if it wasn't Done meanwhile - if !deviceAuth.State.Done() && deviceAuth.Expires.Before(time.Now()) { - _, err = o.command.CancelDeviceAuth(ctx, deviceAuth.DeviceCode, domain.DeviceAuthCanceledExpired) - if err != nil { - return nil, err - } - deviceAuth.State = domain.DeviceAuthStateExpired - } - - return newDeviceAuthorizationState(deviceAuth), nil +func (o *OPStorage) GetDeviceAuthorizatonState(ctx context.Context, _, deviceCode string) (state *op.DeviceAuthorizationState, err error) { + return nil, nil } diff --git a/internal/api/oidc/oidc_integration_test.go b/internal/api/oidc/oidc_integration_test.go index 09e76391bd..c7a101afd3 100644 --- a/internal/api/oidc/oidc_integration_test.go +++ b/internal/api/oidc/oidc_integration_test.go @@ -18,6 +18,7 @@ import ( "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/integration" "github.com/zitadel/zitadel/pkg/grpc/auth" + mgmt "github.com/zitadel/zitadel/pkg/grpc/management" oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2beta" session "github.com/zitadel/zitadel/pkg/grpc/session/v2beta" user "github.com/zitadel/zitadel/pkg/grpc/user/v2beta" @@ -26,6 +27,7 @@ import ( var ( CTX context.Context CTXLOGIN context.Context + CTXIAM context.Context Tester *integration.Tester User *user.AddHumanUserResponse ) @@ -50,6 +52,7 @@ func TestMain(m *testing.M) { Tester.SetUserPassword(CTX, User.GetUserId(), integration.UserPassword, false) Tester.RegisterUserPasskey(CTX, User.GetUserId()) CTXLOGIN = Tester.WithAuthorization(ctx, integration.Login) + CTXIAM = Tester.WithAuthorization(ctx, integration.IAMOwner) return m.Run() }()) } @@ -117,10 +120,13 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) { require.Nil(t, myUserResp) } -func Test_ZITADEL_API_missing_mfa(t *testing.T) { +func Test_ZITADEL_API_missing_mfa_2fa_setup(t *testing.T) { clientID, _ := createClient(t) + userResp := Tester.CreateHumanUser(CTX) + Tester.SetUserPassword(CTX, userResp.GetUserId(), integration.UserPassword, false) + Tester.RegisterUserU2F(CTX, userResp.GetUserId()) authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope) - sessionID, sessionToken, startTime, changeTime := Tester.CreatePasswordSession(t, CTX, User.GetUserId(), integration.UserPassword) + sessionID, sessionToken, startTime, changeTime := Tester.CreatePasswordSession(t, CTXLOGIN, userResp.GetUserId(), integration.UserPassword) linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{ AuthRequestId: authRequestID, CallbackKind: &oidc_pb.CreateCallbackRequest_Session{ @@ -136,7 +142,7 @@ func Test_ZITADEL_API_missing_mfa(t *testing.T) { code := assertCodeResponse(t, linkResp.GetCallbackUrl()) tokens, err := exchangeTokens(t, clientID, code, redirectURI) require.NoError(t, err) - assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPassword, startTime, changeTime) + assertIDTokenClaims(t, tokens.IDTokenClaims, userResp.GetUserId(), armPassword, startTime, changeTime) ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken)) @@ -145,6 +151,62 @@ func Test_ZITADEL_API_missing_mfa(t *testing.T) { require.Nil(t, myUserResp) } +func Test_ZITADEL_API_missing_mfa_policy(t *testing.T) { + clientID, _ := createClient(t) + org := Tester.CreateOrganization(CTXIAM, fmt.Sprintf("ZITADEL_API_MISSING_MFA_%d", time.Now().UnixNano()), fmt.Sprintf("%d@mouse.com", time.Now().UnixNano())) + userID := org.CreatedAdmins[0].GetUserId() + Tester.SetUserPassword(CTXIAM, userID, integration.UserPassword, false) + authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope) + sessionID, sessionToken, startTime, changeTime := Tester.CreatePasswordSession(t, CTXLOGIN, userID, integration.UserPassword) + linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{ + AuthRequestId: authRequestID, + CallbackKind: &oidc_pb.CreateCallbackRequest_Session{ + Session: &oidc_pb.Session{ + SessionId: sessionID, + SessionToken: sessionToken, + }, + }, + }) + require.NoError(t, err) + + // code exchange + code := assertCodeResponse(t, linkResp.GetCallbackUrl()) + tokens, err := exchangeTokens(t, clientID, code, redirectURI) + require.NoError(t, err) + assertIDTokenClaims(t, tokens.IDTokenClaims, userID, armPassword, startTime, changeTime) + + ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken)) + + // pre check if request would succeed + myUserResp, err := Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{}) + require.NoError(t, err) + require.Equal(t, userID, myUserResp.GetUser().GetId()) + + // require MFA + ctxOrg := metadata.AppendToOutgoingContext(CTXIAM, "x-zitadel-orgid", org.GetOrganizationId()) + _, err = Tester.Client.Mgmt.AddCustomLoginPolicy(ctxOrg, &mgmt.AddCustomLoginPolicyRequest{ + ForceMfa: true, + }) + require.NoError(t, err) + + // make sure policy is projected + retryDuration := 5 * time.Second + if ctxDeadline, ok := CTX.Deadline(); ok { + retryDuration = time.Until(ctxDeadline) + } + require.EventuallyWithT(t, func(ttt *assert.CollectT) { + got, getErr := Tester.Client.Mgmt.GetLoginPolicy(ctxOrg, &mgmt.GetLoginPolicyRequest{}) + assert.NoError(ttt, getErr) + assert.False(ttt, got.GetPolicy().IsDefault) + + }, retryDuration, time.Millisecond*100, "timeout waiting for login policy") + + // now it must fail + myUserResp, err = Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{}) + require.Error(t, err) + require.Nil(t, myUserResp) +} + func Test_ZITADEL_API_success(t *testing.T) { clientID, _ := createClient(t) authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope) diff --git a/internal/api/oidc/op.go b/internal/api/oidc/op.go index 3daa7e61ff..24e201e620 100644 --- a/internal/api/oidc/op.go +++ b/internal/api/oidc/op.go @@ -140,10 +140,13 @@ func NewServer( fallbackLogger: fallbackLogger, hasher: hasher, signingKeyAlgorithm: config.SigningKeyAlgorithm, + encAlg: encryptionAlg, + opCrypto: op.NewAESCrypto(opConfig.CryptoKey), assetAPIPrefix: assets.AssetAPI(externalSecure), } metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount} server.Handler = op.RegisterLegacyServer(server, + server.authorizeCallbackHandler, op.WithFallbackLogger(fallbackLogger), op.WithHTTPMiddleware( middleware.MetricsHandler(metricTypes), diff --git a/internal/api/oidc/server.go b/internal/api/oidc/server.go index e164740539..f461996ef2 100644 --- a/internal/api/oidc/server.go +++ b/internal/api/oidc/server.go @@ -37,7 +37,10 @@ type Server struct { fallbackLogger *slog.Logger hasher *crypto.Hasher signingKeyAlgorithm string - assetAPIPrefix func(ctx context.Context) string + encAlg crypto.EncryptionAlgorithm + opCrypto op.Crypto + + assetAPIPrefix func(ctx context.Context) string } func endpoints(endpointConfig *EndpointConfig) op.Endpoints { @@ -153,41 +156,6 @@ func (s *Server) DeviceAuthorization(ctx context.Context, r *op.ClientRequest[oi return s.LegacyServer.DeviceAuthorization(ctx, r) } -func (s *Server) CodeExchange(ctx context.Context, r *op.ClientRequest[oidc.AccessTokenRequest]) (_ *op.Response, err error) { - ctx, span := tracing.NewSpan(ctx) - defer func() { span.EndWithError(err) }() - - return s.LegacyServer.CodeExchange(ctx, r) -} - -func (s *Server) RefreshToken(ctx context.Context, r *op.ClientRequest[oidc.RefreshTokenRequest]) (_ *op.Response, err error) { - ctx, span := tracing.NewSpan(ctx) - defer func() { span.EndWithError(err) }() - - return s.LegacyServer.RefreshToken(ctx, r) -} - -func (s *Server) JWTProfile(ctx context.Context, r *op.Request[oidc.JWTProfileGrantRequest]) (_ *op.Response, err error) { - ctx, span := tracing.NewSpan(ctx) - defer func() { span.EndWithError(err) }() - - return s.LegacyServer.JWTProfile(ctx, r) -} - -func (s *Server) ClientCredentialsExchange(ctx context.Context, r *op.ClientRequest[oidc.ClientCredentialsRequest]) (_ *op.Response, err error) { - ctx, span := tracing.NewSpan(ctx) - defer func() { span.EndWithError(err) }() - - return s.LegacyServer.ClientCredentialsExchange(ctx, r) -} - -func (s *Server) DeviceToken(ctx context.Context, r *op.ClientRequest[oidc.DeviceAccessTokenRequest]) (_ *op.Response, err error) { - ctx, span := tracing.NewSpan(ctx) - defer func() { span.EndWithError(err) }() - - return s.LegacyServer.DeviceToken(ctx, r) -} - func (s *Server) Revocation(ctx context.Context, r *op.ClientRequest[oidc.RevocationRequest]) (_ *op.Response, err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() @@ -232,3 +200,10 @@ func (s *Server) createDiscoveryConfig(ctx context.Context, supportedUILocales o RequestParameterSupported: s.Provider().RequestObjectSupported(), } } + +func response(resp any, err error) (*op.Response, error) { + if err != nil { + return nil, err + } + return op.NewResponse(resp), nil +} diff --git a/internal/api/oidc/token.go b/internal/api/oidc/token.go new file mode 100644 index 0000000000..c45eb98acb --- /dev/null +++ b/internal/api/oidc/token.go @@ -0,0 +1,198 @@ +package oidc + +import ( + "context" + "encoding/base64" + "slices" + "sync" + "time" + + "github.com/go-jose/go-jose/v4" + "github.com/zitadel/oidc/v3/pkg/crypto" + "github.com/zitadel/oidc/v3/pkg/oidc" + "github.com/zitadel/oidc/v3/pkg/op" + + "github.com/zitadel/zitadel/internal/command" + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/telemetry/tracing" +) + +/* +For each grant-type, tokens creation follows the same rough logical steps: + +1. Information gathering: who is requesting the token, what do we put in the claims? +2. Decision making: is the request authorized? (valid exchange code, auth request completed, valid token etc...) +3. Build an OIDC session in storage: inform the eventstore we are creating tokens. +4. Use the OIDC session to encrypt and / or sign the requested tokens + +In some cases step 1 till 3 are completely implemented in the command package, +for example the v2 code exchange and refresh token. +*/ + +func (s *Server) accessTokenResponseFromSession(ctx context.Context, client op.Client, session *command.OIDCSession, state, projectID string, projectRoleAssertion bool) (_ *oidc.AccessTokenResponse, err error) { + getUserInfo := s.getUserInfoOnce(session.UserID, projectID, projectRoleAssertion, session.Scope) + getSigner := s.getSignerOnce() + + resp := &oidc.AccessTokenResponse{ + TokenType: oidc.BearerToken, + RefreshToken: session.RefreshToken, + ExpiresIn: timeToOIDCExpiresIn(session.Expiration), + State: state, + } + + // If the session does not have a token ID, it is an implicit ID-Token only response. + if session.TokenID != "" { + if client.AccessTokenType() == op.AccessTokenTypeJWT { + resp.AccessToken, err = s.createJWT(ctx, client, session, getUserInfo, getSigner) + } else { + resp.AccessToken, err = op.CreateBearerToken(session.TokenID, session.UserID, s.opCrypto) + } + if err != nil { + return nil, err + } + } + + if slices.Contains(session.Scope, oidc.ScopeOpenID) { + resp.IDToken, _, err = s.createIDToken(ctx, client, getUserInfo, getSigner, session.SessionID, resp.AccessToken, session.Audience, session.AuthMethods, session.AuthTime, session.Nonce, session.Actor) + } + return resp, err +} + +// signerFunc is a getter function that allows add-hoc retrieval of the instance's signer. +type signerFunc func(ctx context.Context) (jose.Signer, jose.SignatureAlgorithm, error) + +// getSignerOnce returns a function which retrieves the instance's signer from the database once. +// Repeated calls of the returned function return the same results. +func (s *Server) getSignerOnce() signerFunc { + var ( + once sync.Once + signer jose.Signer + signAlg jose.SignatureAlgorithm + err error + ) + return func(ctx context.Context) (jose.Signer, jose.SignatureAlgorithm, error) { + once.Do(func() { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + var signingKey op.SigningKey + signingKey, err = s.Provider().Storage().SigningKey(ctx) + if err != nil { + return + } + signAlg = signingKey.SignatureAlgorithm() + + signer, err = op.SignerFromKey(signingKey) + if err != nil { + return + } + }) + return signer, signAlg, err + } +} + +// userInfoFunc is a getter function that allows add-hoc retrieval of a user. +type userInfoFunc func(ctx context.Context) (*oidc.UserInfo, error) + +// getUserInfoOnce returns a function which retrieves userinfo from the database once. +// Repeated calls of the returned function return the same results. +func (s *Server) getUserInfoOnce(userID, projectID string, projectRoleAssertion bool, scope []string) userInfoFunc { + var ( + once sync.Once + userInfo *oidc.UserInfo + err error + ) + return func(ctx context.Context) (*oidc.UserInfo, error) { + once.Do(func() { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + userInfo, err = s.userInfo(ctx, userID, scope, projectID, projectRoleAssertion, false) + }) + return userInfo, err + } +} + +func (*Server) createIDToken(ctx context.Context, client op.Client, getUserInfo userInfoFunc, getSigningKey signerFunc, sessionID, accessToken string, audience []string, authMethods []domain.UserAuthMethodType, authTime time.Time, nonce string, actor *domain.TokenActor) (idToken string, exp uint64, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + userInfo, err := getUserInfo(ctx) + if err != nil { + return "", 0, err + } + + signer, signAlg, err := getSigningKey(ctx) + if err != nil { + return "", 0, err + } + + expTime := time.Now().Add(client.IDTokenLifetime()).Add(client.ClockSkew()) + claims := oidc.NewIDTokenClaims( + op.IssuerFromContext(ctx), + "", + audience, + expTime, + authTime, + nonce, + "", + AuthMethodTypesToAMR(authMethods), + client.GetID(), + client.ClockSkew(), + ) + claims.SessionID = sessionID + claims.Actor = actorDomainToClaims(actor) + claims.SetUserInfo(userInfo) + if accessToken != "" { + claims.AccessTokenHash, err = oidc.ClaimHash(accessToken, signAlg) + if err != nil { + return "", 0, err + } + } + idToken, err = crypto.Sign(claims, signer) + return idToken, timeToOIDCExpiresIn(expTime), err +} + +func timeToOIDCExpiresIn(exp time.Time) uint64 { + return uint64(time.Until(exp) / time.Second) +} + +func (*Server) createJWT(ctx context.Context, client op.Client, session *command.OIDCSession, getUserInfo userInfoFunc, getSigner signerFunc) (_ string, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + userInfo, err := getUserInfo(ctx) + if err != nil { + return "", err + } + signer, _, err := getSigner(ctx) + if err != nil { + return "", err + } + + expTime := session.Expiration.Add(client.ClockSkew()) + claims := oidc.NewAccessTokenClaims( + op.IssuerFromContext(ctx), + userInfo.Subject, + session.Audience, + expTime, + session.TokenID, + client.GetID(), + client.ClockSkew(), + ) + claims.Actor = actorDomainToClaims(session.Actor) + claims.Claims = userInfo.Claims + + return crypto.Sign(claims, signer) +} + +// decryptCode decrypts a code or refresh_token +func (s *Server) decryptCode(ctx context.Context, code string) (_ string, err error) { + _, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + decoded, err := base64.RawURLEncoding.DecodeString(code) + if err != nil { + return "", err + } + return s.encAlg.DecryptString(decoded, s.encAlg.EncryptionKeyID()) +} diff --git a/internal/api/oidc/token_client_credentials.go b/internal/api/oidc/token_client_credentials.go new file mode 100644 index 0000000000..e0cb29770b --- /dev/null +++ b/internal/api/oidc/token_client_credentials.go @@ -0,0 +1,51 @@ +package oidc + +import ( + "context" + "time" + + "github.com/zitadel/oidc/v3/pkg/oidc" + "github.com/zitadel/oidc/v3/pkg/op" + + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/telemetry/tracing" + "github.com/zitadel/zitadel/internal/zerrors" +) + +func (s *Server) ClientCredentialsExchange(ctx context.Context, r *op.ClientRequest[oidc.ClientCredentialsRequest]) (_ *op.Response, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { + span.EndWithError(err) + err = oidcError(err) + }() + client, ok := r.Client.(*clientCredentialsClient) + if !ok { + return nil, zerrors.ThrowInternal(nil, "OIDC-ga0EP", "Error.Internal") + } + scope, err := op.ValidateAuthReqScopes(client, r.Data.Scope) + if err != nil { + return nil, err + } + scope, err = s.checkOrgScopes(ctx, client.user, scope) + if err != nil { + return nil, err + } + + session, err := s.command.CreateOIDCSession(ctx, + client.user.ID, + client.user.ResourceOwner, + "", + scope, + domain.AddAudScopeToAudience(ctx, nil, r.Data.Scope), + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + time.Now(), + "", + nil, + nil, + domain.TokenReasonClientCredentials, + nil, + false, + ) + + return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false)) +} diff --git a/internal/api/oidc/token_client_credentials_integration_test.go b/internal/api/oidc/token_client_credentials_integration_test.go new file mode 100644 index 0000000000..3517438596 --- /dev/null +++ b/internal/api/oidc/token_client_credentials_integration_test.go @@ -0,0 +1,143 @@ +//go:build integration + +package oidc_test + +import ( + "testing" + + "github.com/brianvoe/gofakeit/v6" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "github.com/zitadel/oidc/v3/pkg/client/rp" + "github.com/zitadel/oidc/v3/pkg/oidc" + + oidc_api "github.com/zitadel/zitadel/internal/api/oidc" + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/pkg/grpc/management" + "github.com/zitadel/zitadel/pkg/grpc/user" +) + +func TestServer_ClientCredentialsExchange(t *testing.T) { + userID, clientID, clientSecret, err := Tester.CreateOIDCCredentialsClient(CTX) + require.NoError(t, err) + + type claims struct { + resourceOwnerID any + resourceOwnerName any + resourceOwnerPrimaryDomain any + orgDomain any + } + tests := []struct { + name string + clientID string + clientSecret string + scope []string + wantClaims claims + wantErr bool + }{ + { + name: "missing client ID error", + clientID: "", + clientSecret: clientSecret, + scope: []string{oidc.ScopeOpenID}, + wantErr: true, + }, + { + name: "client not found error", + clientID: "foo", + clientSecret: clientSecret, + scope: []string{oidc.ScopeOpenID}, + wantErr: true, + }, + { + name: "machine user without secret error", + clientID: func() string { + name := gofakeit.Username() + _, err := Tester.Client.Mgmt.AddMachineUser(CTX, &management.AddMachineUserRequest{ + Name: name, + UserName: name, + AccessTokenType: user.AccessTokenType_ACCESS_TOKEN_TYPE_JWT, + }) + require.NoError(t, err) + return name + }(), + clientSecret: clientSecret, + scope: []string{oidc.ScopeOpenID}, + wantErr: true, + }, + { + name: "wrong secret error", + clientID: clientID, + clientSecret: "bar", + scope: []string{oidc.ScopeOpenID}, + wantErr: true, + }, + { + name: "success", + clientID: clientID, + clientSecret: clientSecret, + scope: []string{oidc.ScopeOpenID}, + }, + { + name: "org id and domain scope", + clientID: clientID, + clientSecret: clientSecret, + scope: []string{ + oidc.ScopeOpenID, + domain.OrgIDScope + Tester.Organisation.ID, + domain.OrgDomainPrimaryScope + Tester.Organisation.Domain, + }, + wantClaims: claims{ + resourceOwnerID: Tester.Organisation.ID, + resourceOwnerName: Tester.Organisation.Name, + resourceOwnerPrimaryDomain: Tester.Organisation.Domain, + orgDomain: Tester.Organisation.Domain, + }, + }, + { + name: "invalid org domain filtered", + clientID: clientID, + clientSecret: clientSecret, + scope: []string{ + oidc.ScopeOpenID, + domain.OrgDomainPrimaryScope + Tester.Organisation.Domain, + domain.OrgDomainPrimaryScope + "foo"}, + wantClaims: claims{ + orgDomain: Tester.Organisation.Domain, + }, + }, + { + name: "invalid org id filtered", + clientID: clientID, + clientSecret: clientSecret, + scope: []string{oidc.ScopeOpenID, + domain.OrgIDScope + Tester.Organisation.ID, + domain.OrgIDScope + "foo", + }, + wantClaims: claims{ + resourceOwnerID: Tester.Organisation.ID, + resourceOwnerName: Tester.Organisation.Name, + resourceOwnerPrimaryDomain: Tester.Organisation.Domain, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + provider, err := rp.NewRelyingPartyOIDC(CTX, Tester.OIDCIssuer(), tt.clientID, tt.clientSecret, redirectURI, tt.scope) + require.NoError(t, err) + tokens, err := rp.ClientCredentials(CTX, provider, nil) + if tt.wantErr { + require.Error(t, err) + return + } + require.NoError(t, err) + require.NotNil(t, tokens) + userinfo, err := rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, oidc.BearerToken, userID, provider) + require.NoError(t, err) + assert.Equal(t, tt.wantClaims.resourceOwnerID, userinfo.Claims[oidc_api.ClaimResourceOwnerID]) + assert.Equal(t, tt.wantClaims.resourceOwnerName, userinfo.Claims[oidc_api.ClaimResourceOwnerName]) + assert.Equal(t, tt.wantClaims.resourceOwnerPrimaryDomain, userinfo.Claims[oidc_api.ClaimResourceOwnerPrimaryDomain]) + assert.Equal(t, tt.wantClaims.orgDomain, userinfo.Claims[domain.OrgDomainPrimaryClaim]) + }) + } +} diff --git a/internal/api/oidc/token_code.go b/internal/api/oidc/token_code.go new file mode 100644 index 0000000000..85aa847579 --- /dev/null +++ b/internal/api/oidc/token_code.go @@ -0,0 +1,135 @@ +package oidc + +import ( + "context" + "slices" + "strings" + + "github.com/zitadel/oidc/v3/pkg/oidc" + "github.com/zitadel/oidc/v3/pkg/op" + + "github.com/zitadel/zitadel/internal/api/http/middleware" + "github.com/zitadel/zitadel/internal/command" + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/telemetry/tracing" + "github.com/zitadel/zitadel/internal/zerrors" +) + +func (s *Server) CodeExchange(ctx context.Context, r *op.ClientRequest[oidc.AccessTokenRequest]) (_ *op.Response, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { + span.EndWithError(err) + err = oidcError(err) + }() + + client, ok := r.Client.(*Client) + if !ok { + return nil, zerrors.ThrowInternal(nil, "OIDC-Ae2ph", "Error.Internal") + } + + plainCode, err := s.decryptCode(ctx, r.Data.Code) + if err != nil { + return nil, zerrors.ThrowInvalidArgument(err, "OIDC-ahLi2", "Errors.User.Code.Invalid") + } + + var ( + session *command.OIDCSession + state string + ) + if strings.HasPrefix(plainCode, command.IDPrefixV2) { + session, state, err = s.command.CreateOIDCSessionFromAuthRequest( + setContextUserSystem(ctx), + plainCode, + codeExchangeComplianceChecker(client, r.Data), + slices.Contains(client.GrantTypes(), oidc.GrantTypeRefreshToken), + ) + } else { + session, state, err = s.codeExchangeV1(ctx, client, r.Data, r.Data.Code) + } + if err != nil { + return nil, err + } + return response(s.accessTokenResponseFromSession(ctx, client, session, state, client.client.ProjectID, client.client.ProjectRoleAssertion)) +} + +// codeExchangeV1 creates a v2 token from a v1 auth request. +func (s *Server) codeExchangeV1(ctx context.Context, client *Client, req *oidc.AccessTokenRequest, code string) (session *command.OIDCSession, state string, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + authReq, err := s.getAuthRequestV1ByCode(ctx, code) + if err != nil { + return nil, "", err + } + + if challenge := authReq.GetCodeChallenge(); challenge != nil || client.AuthMethod() == oidc.AuthMethodNone { + if err = op.AuthorizeCodeChallenge(req.CodeVerifier, challenge); err != nil { + return nil, "", err + } + } + if req.RedirectURI != authReq.GetRedirectURI() { + return nil, "", oidc.ErrInvalidGrant().WithDescription("redirect_uri does not correspond") + } + + scope := authReq.GetScopes() + session, err = s.command.CreateOIDCSession(ctx, + authReq.UserID, + authReq.UserOrgID, + client.client.ClientID, + scope, + authReq.Audience, + authReq.AuthMethods(), + authReq.AuthTime, + authReq.GetNonce(), + authReq.PreferredLanguage, + authReq.BrowserInfo.ToUserAgent(), + domain.TokenReasonAuthRequest, + nil, + slices.Contains(scope, oidc.ScopeOfflineAccess), + ) + if err != nil { + return nil, "", err + } + return session, authReq.TransferState, s.repo.DeleteAuthRequest(ctx, authReq.ID) +} + +// getAuthRequestV1ByCode finds the v1 auth request by code. +// code needs to be the encrypted version of the ID, +// this is required by the underlying repo. +func (s *Server) getAuthRequestV1ByCode(ctx context.Context, code string) (*AuthRequest, error) { + authReq, err := s.repo.AuthRequestByCode(ctx, code) + if err != nil { + return nil, err + } + return AuthRequestFromBusiness(authReq) +} + +func (s *Server) getAuthRequestV1ByID(ctx context.Context, id string) (*AuthRequest, error) { + userAgentID, ok := middleware.UserAgentIDFromCtx(ctx) + if !ok { + return nil, zerrors.ThrowPreconditionFailed(nil, "OIDC-TiTu7", "no user agent id") + } + resp, err := s.repo.AuthRequestByIDCheckLoggedIn(ctx, id, userAgentID) + if err != nil { + return nil, err + } + return AuthRequestFromBusiness(resp) +} + +func codeExchangeComplianceChecker(client *Client, req *oidc.AccessTokenRequest) command.AuthRequestComplianceChecker { + return func(ctx context.Context, authReq *command.AuthRequestWriteModel) error { + if authReq.CodeChallenge != nil || client.AuthMethod() == oidc.AuthMethodNone { + err := op.AuthorizeCodeChallenge(req.CodeVerifier, CodeChallengeToOIDC(authReq.CodeChallenge)) + if err != nil { + return err + } + } + if req.RedirectURI != authReq.RedirectURI { + return oidc.ErrInvalidGrant().WithDescription("redirect_uri does not correspond") + } + if err := authReq.CheckAuthenticated(); err != nil { + return err + } + return nil + } +} diff --git a/internal/api/oidc/token_device.go b/internal/api/oidc/token_device.go new file mode 100644 index 0000000000..c70fa9c1e9 --- /dev/null +++ b/internal/api/oidc/token_device.go @@ -0,0 +1,46 @@ +package oidc + +import ( + "context" + "errors" + + "github.com/zitadel/oidc/v3/pkg/oidc" + "github.com/zitadel/oidc/v3/pkg/op" + + "github.com/zitadel/zitadel/internal/command" + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/telemetry/tracing" + "github.com/zitadel/zitadel/internal/zerrors" +) + +func (s *Server) DeviceToken(ctx context.Context, r *op.ClientRequest[oidc.DeviceAccessTokenRequest]) (_ *op.Response, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { + span.EndWithError(err) + err = oidcError(err) + }() + + client, ok := r.Client.(*Client) + if !ok { + return nil, zerrors.ThrowInternal(nil, "OIDC-Ae2ph", "Error.Internal") + } + session, err := s.command.CreateOIDCSessionFromDeviceAuth(ctx, r.Data.DeviceCode) + if err == nil { + return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion)) + } + if errors.Is(err, context.DeadlineExceeded) { + return nil, oidc.ErrSlowDown().WithParent(err) + } + + var target command.DeviceAuthStateError + if errors.As(err, &target) { + state := domain.DeviceAuthState(target) + if state == domain.DeviceAuthStateInitiated { + return nil, oidc.ErrAuthorizationPending() + } + if state == domain.DeviceAuthStateExpired { + return nil, oidc.ErrExpiredDeviceCode() + } + } + return nil, oidc.ErrAccessDenied().WithParent(err) +} diff --git a/internal/api/oidc/token_exchange.go b/internal/api/oidc/token_exchange.go index e9c6ed27d4..31b1a37db3 100644 --- a/internal/api/oidc/token_exchange.go +++ b/internal/api/oidc/token_exchange.go @@ -5,9 +5,9 @@ import ( "slices" "time" - "github.com/zitadel/oidc/v3/pkg/crypto" "github.com/zitadel/oidc/v3/pkg/oidc" "github.com/zitadel/oidc/v3/pkg/op" + "golang.org/x/text/language" "github.com/zitadel/zitadel/internal/api/authz" "github.com/zitadel/zitadel/internal/domain" @@ -134,13 +134,16 @@ func (s *Server) verifyExchangeToken(ctx context.Context, client *Client, token return idTokenClaimsToExchangeToken(claims, resourceOwner), nil case oidc.JWTTokenType: - resourceOwner := new(string) - verifier := op.NewJWTProfileVerifierKeySet(keySetMap(client.client.PublicKeys), op.IssuerFromContext(ctx), time.Hour, client.client.ClockSkew, s.jwtProfileUserCheck(ctx, resourceOwner)) + var ( + resourceOwner string + preferredLanguage *language.Tag + ) + verifier := op.NewJWTProfileVerifierKeySet(keySetMap(client.client.PublicKeys), op.IssuerFromContext(ctx), time.Hour, client.client.ClockSkew, s.jwtProfileUserCheck(ctx, &resourceOwner, &preferredLanguage)) jwt, err := op.VerifyJWTAssertion(ctx, token, verifier) if err != nil { return nil, zerrors.ThrowPermissionDenied(err, "OIDC-eiS6o", "Errors.TokenExchange.Token.Invalid") } - return jwtToExchangeToken(jwt, *resourceOwner), nil + return jwtToExchangeToken(jwt, resourceOwner, preferredLanguage), nil case UserIDTokenType: user, err := s.query.GetUserByID(ctx, false, token) @@ -156,13 +159,18 @@ func (s *Server) verifyExchangeToken(ctx context.Context, client *Client, token } } -func (s *Server) jwtProfileUserCheck(ctx context.Context, resourceOwner *string) op.JWTProfileVerifierOption { +// jwtProfileUserCheck finds the user by subject (user ID) and sets the resourceOwner through the pointer. +// preferred Language is set only if it was defined for a Human user, else the pointed pointer remains nil. +func (s *Server) jwtProfileUserCheck(ctx context.Context, resourceOwner *string, preferredLanguage **language.Tag) op.JWTProfileVerifierOption { return op.SubjectCheck(func(request *oidc.JWTTokenRequest) error { user, err := s.query.GetUserByID(ctx, false, request.Subject) if err != nil { return zerrors.ThrowPermissionDenied(err, "OIDC-Nee6r", "Errors.TokenExchange.Token.Invalid") } *resourceOwner = user.ResourceOwner + if user.Human != nil && !user.Human.PreferredLanguage.IsRoot() { + *preferredLanguage = &user.Human.PreferredLanguage + } return nil }) } @@ -210,21 +218,8 @@ func validateTokenExchangeAudience(requestedAudience, subjectAudience, actorAudi // Both tokens may point to the same object (subjectToken) in case of a regular Token Exchange. // When the subject and actor Tokens point to different objects, the new tokens will be for impersonation / delegation. func (s *Server) createExchangeTokens(ctx context.Context, tokenType oidc.TokenType, client *Client, subjectToken, actorToken *exchangeToken, audience, scopes []string) (_ *oidc.TokenExchangeResponse, err error) { - var ( - userInfo *oidc.UserInfo - signingKey op.SigningKey - ) - if slices.Contains(scopes, oidc.ScopeOpenID) || tokenType == oidc.JWTTokenType || tokenType == oidc.IDTokenType { - projectID := client.client.ProjectID - userInfo, err = s.userInfo(ctx, subjectToken.userID, scopes, projectID, client.client.ProjectRoleAssertion, false) - if err != nil { - return nil, err - } - signingKey, err = s.Provider().Storage().SigningKey(ctx) - if err != nil { - return nil, err - } - } + getUserInfo := s.getUserInfoOnce(subjectToken.userID, client.client.ProjectID, client.client.ProjectRoleAssertion, scopes) + getSigner := s.getSignerOnce() resp := &oidc.TokenExchangeResponse{ Scopes: scopes, @@ -237,21 +232,23 @@ func (s *Server) createExchangeTokens(ctx context.Context, tokenType oidc.TokenT actor = actorToken.nestedActor() } + var sessionID string switch tokenType { case oidc.AccessTokenType, "": - resp.AccessToken, resp.RefreshToken, resp.ExpiresIn, err = s.createExchangeAccessToken(ctx, client, subjectToken.resourceOwner, subjectToken.userID, audience, scopes, actorToken.authMethods, actorToken.authTime, reason, actor) + resp.AccessToken, resp.RefreshToken, sessionID, resp.ExpiresIn, err = s.createExchangeAccessToken(ctx, client, subjectToken.userID, subjectToken.resourceOwner, audience, scopes, actorToken.authMethods, actorToken.authTime, subjectToken.preferredLanguage, reason, actor) resp.TokenType = oidc.BearerToken resp.IssuedTokenType = oidc.AccessTokenType case oidc.JWTTokenType: - resp.AccessToken, resp.RefreshToken, resp.ExpiresIn, err = s.createExchangeJWT(ctx, signingKey, client, subjectToken.resourceOwner, subjectToken.userID, audience, scopes, actorToken.authMethods, actorToken.authTime, reason, actor, userInfo.Claims) + resp.AccessToken, resp.RefreshToken, resp.ExpiresIn, err = s.createExchangeJWT(ctx, client, getUserInfo, getSigner, subjectToken.userID, subjectToken.resourceOwner, audience, scopes, actorToken.authMethods, actorToken.authTime, subjectToken.preferredLanguage, reason, actor) resp.TokenType = oidc.BearerToken resp.IssuedTokenType = oidc.JWTTokenType case oidc.IDTokenType: - resp.AccessToken, resp.ExpiresIn, err = s.createExchangeIDToken(ctx, signingKey, client, subjectToken.userID, "", audience, userInfo, actorToken.authMethods, actorToken.authTime, reason, actor) + resp.AccessToken, resp.ExpiresIn, err = s.createIDToken(ctx, client, getUserInfo, getSigner, "", resp.AccessToken, audience, actorToken.authMethods, actorToken.authTime, "", actor) resp.TokenType = TokenTypeNA resp.IssuedTokenType = oidc.IDTokenType + case oidc.RefreshTokenType, UserIDTokenType: fallthrough default: @@ -262,7 +259,7 @@ func (s *Server) createExchangeTokens(ctx context.Context, tokenType oidc.TokenT } if slices.Contains(scopes, oidc.ScopeOpenID) && tokenType != oidc.IDTokenType { - resp.IDToken, _, err = s.createExchangeIDToken(ctx, signingKey, client, subjectToken.userID, resp.AccessToken, audience, userInfo, actorToken.authMethods, actorToken.authTime, reason, actor) + resp.IDToken, _, err = s.createIDToken(ctx, client, getUserInfo, getSigner, sessionID, resp.AccessToken, audience, actorToken.authMethods, actorToken.authTime, "", actor) if err != nil { return nil, err } @@ -271,77 +268,83 @@ func (s *Server) createExchangeTokens(ctx context.Context, tokenType oidc.TokenT return resp, nil } -func (s *Server) createExchangeAccessToken(ctx context.Context, client *Client, resourceOwner, userID string, audience, scopes []string, authMethods []domain.UserAuthMethodType, authTime time.Time, reason domain.TokenReason, actor *domain.TokenActor) (accessToken string, refreshToken string, exp uint64, err error) { - tokenInfo, refreshToken, err := s.createAccessTokenCommands(ctx, client, resourceOwner, userID, audience, scopes, authMethods, authTime, reason, actor) - if err != nil { - return "", "", 0, err - } - accessToken, err = op.CreateBearerToken(tokenInfo.TokenID, userID, s.Provider().Crypto()) - if err != nil { - return "", "", 0, err - } - return accessToken, refreshToken, timeToOIDCExpiresIn(tokenInfo.Expiration), nil -} +func (s *Server) createExchangeAccessToken( + ctx context.Context, + client *Client, + userID, + resourceOwner string, + audience, + scope []string, + authMethods []domain.UserAuthMethodType, + authTime time.Time, + preferredLanguage *language.Tag, + reason domain.TokenReason, + actor *domain.TokenActor, +) (accessToken, refreshToken, sessionID string, exp uint64, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() -func (s *Server) createExchangeJWT(ctx context.Context, signingKey op.SigningKey, client *Client, resourceOwner, userID string, audience, scopes []string, authMethods []domain.UserAuthMethodType, authTime time.Time, reason domain.TokenReason, actor *domain.TokenActor, privateClaims map[string]any) (accessToken string, refreshToken string, exp uint64, err error) { - tokenInfo, refreshToken, err := s.createAccessTokenCommands(ctx, client, resourceOwner, userID, audience, scopes, authMethods, authTime, reason, actor) - if err != nil { - return "", "", 0, err - } - - expTime := tokenInfo.Expiration.Add(client.ClockSkew()) - claims := oidc.NewAccessTokenClaims(op.IssuerFromContext(ctx), userID, tokenInfo.Audience, expTime, tokenInfo.TokenID, client.GetID(), client.ClockSkew()) - claims.Actor = actorDomainToClaims(tokenInfo.Actor) - claims.Claims = privateClaims - - signer, err := op.SignerFromKey(signingKey) - if err != nil { - return "", "", 0, err - } - - accessToken, err = crypto.Sign(claims, signer) - if err != nil { - return "", "", 0, nil - } - return accessToken, refreshToken, timeToOIDCExpiresIn(expTime), nil -} - -func (s *Server) createExchangeIDToken(ctx context.Context, signingKey op.SigningKey, client *Client, userID, accessToken string, audience []string, userInfo *oidc.UserInfo, authMethods []domain.UserAuthMethodType, authTime time.Time, reason domain.TokenReason, actor *domain.TokenActor) (idToken string, exp uint64, err error) { - expTime := time.Now().Add(client.IDTokenLifetime()).Add(client.ClockSkew()) - claims := oidc.NewIDTokenClaims(op.IssuerFromContext(ctx), userID, audience, expTime, authTime, "", "", AuthMethodTypesToAMR(authMethods), client.GetID(), client.ClockSkew()) - claims.Actor = actorDomainToClaims(actor) - claims.SetUserInfo(userInfo) - if accessToken != "" { - claims.AccessTokenHash, err = oidc.ClaimHash(accessToken, signingKey.SignatureAlgorithm()) - if err != nil { - return "", 0, err - } - } - signer, err := op.SignerFromKey(signingKey) - if err != nil { - return "", 0, err - } - idToken, err = crypto.Sign(claims, signer) - return idToken, timeToOIDCExpiresIn(expTime), err -} - -func timeToOIDCExpiresIn(exp time.Time) uint64 { - return uint64(time.Until(exp) / time.Second) -} - -func (s *Server) createAccessTokenCommands(ctx context.Context, client *Client, resourceOwner, userID string, audience, scopes []string, authMethods []domain.UserAuthMethodType, authTime time.Time, reason domain.TokenReason, actor *domain.TokenActor) (tokenInfo *domain.Token, refreshToken string, err error) { - settings := client.client.Settings - if slices.Contains(scopes, oidc.ScopeOfflineAccess) { - return s.command.AddAccessAndRefreshToken( - ctx, resourceOwner, "", client.GetID(), userID, "", audience, scopes, AuthMethodTypesToAMR(authMethods), - settings.AccessTokenLifetime, settings.RefreshTokenIdleExpiration, settings.RefreshTokenExpiration, - authTime, reason, actor, - ) - } - tokenInfo, err = s.command.AddUserToken( - ctx, resourceOwner, "", client.GetID(), userID, audience, scopes, AuthMethodTypesToAMR(authMethods), - settings.AccessTokenLifetime, - authTime, reason, actor, + session, err := s.command.CreateOIDCSession(ctx, + userID, + resourceOwner, + client.client.ClientID, + scope, + audience, + authMethods, + authTime, + "", + preferredLanguage, + nil, + reason, + actor, + slices.Contains(scope, oidc.ScopeOfflineAccess), ) - return tokenInfo, "", err + if err != nil { + return "", "", "", 0, err + } + accessToken, err = op.CreateBearerToken(session.TokenID, userID, s.opCrypto) + if err != nil { + return "", "", "", 0, err + } + return accessToken, session.RefreshToken, session.SessionID, timeToOIDCExpiresIn(session.Expiration), nil +} + +func (s *Server) createExchangeJWT( + ctx context.Context, + client *Client, + getUserInfo userInfoFunc, + getSigner signerFunc, + userID, + resourceOwner string, + audience, + scope []string, + authMethods []domain.UserAuthMethodType, + authTime time.Time, + preferredLanguage *language.Tag, + reason domain.TokenReason, + actor *domain.TokenActor, +) (accessToken string, refreshToken string, exp uint64, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + session, err := s.command.CreateOIDCSession(ctx, + userID, + resourceOwner, + client.client.ClientID, + scope, + audience, + authMethods, + authTime, + "", + preferredLanguage, + nil, + reason, + actor, + slices.Contains(scope, oidc.ScopeOfflineAccess), + ) + accessToken, err = s.createJWT(ctx, client, session, getUserInfo, getSigner) + if err != nil { + return "", "", 0, err + } + return accessToken, session.RefreshToken, timeToOIDCExpiresIn(session.Expiration), nil } diff --git a/internal/api/oidc/token_exchange_converter.go b/internal/api/oidc/token_exchange_converter.go index 98bddc1bbd..4c37bc93a4 100644 --- a/internal/api/oidc/token_exchange_converter.go +++ b/internal/api/oidc/token_exchange_converter.go @@ -4,21 +4,23 @@ import ( "time" "github.com/zitadel/oidc/v3/pkg/oidc" + "golang.org/x/text/language" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/query" ) type exchangeToken struct { - tokenType oidc.TokenType - userID string - issuer string - resourceOwner string - authTime time.Time - authMethods []domain.UserAuthMethodType - actor *domain.TokenActor - audience []string - scopes []string + tokenType oidc.TokenType + userID string + issuer string + resourceOwner string + authTime time.Time + authMethods []domain.UserAuthMethodType + actor *domain.TokenActor + audience []string + scopes []string + preferredLanguage *language.Tag } func (et *exchangeToken) nestedActor() *domain.TokenActor { @@ -31,27 +33,33 @@ func (et *exchangeToken) nestedActor() *domain.TokenActor { func accessToExchangeToken(token *accessToken, issuer string) *exchangeToken { return &exchangeToken{ - tokenType: oidc.AccessTokenType, - userID: token.userID, - issuer: issuer, - resourceOwner: token.resourceOwner, - authMethods: token.authMethods, - actor: token.actor, - audience: token.audience, - scopes: token.scope, + tokenType: oidc.AccessTokenType, + userID: token.userID, + issuer: issuer, + resourceOwner: token.resourceOwner, + authMethods: token.authMethods, + actor: token.actor, + audience: token.audience, + scopes: token.scope, + preferredLanguage: token.preferredLanguage, } } func idTokenClaimsToExchangeToken(claims *oidc.IDTokenClaims, resourceOwner string) *exchangeToken { + var preferredLanguage *language.Tag + if tag := claims.Locale.Tag(); !tag.IsRoot() { + preferredLanguage = &tag + } return &exchangeToken{ - tokenType: oidc.IDTokenType, - userID: claims.Subject, - issuer: claims.Issuer, - resourceOwner: resourceOwner, - authTime: claims.GetAuthTime(), - authMethods: AMRToAuthMethodTypes(claims.AuthenticationMethodsReferences), - actor: actorClaimsToDomain(claims.Actor), - audience: claims.Audience, + tokenType: oidc.IDTokenType, + userID: claims.Subject, + issuer: claims.Issuer, + resourceOwner: resourceOwner, + authTime: claims.GetAuthTime(), + authMethods: AMRToAuthMethodTypes(claims.AuthenticationMethodsReferences), + actor: actorClaimsToDomain(claims.Actor), + audience: claims.Audience, + preferredLanguage: preferredLanguage, } } @@ -77,7 +85,7 @@ func actorDomainToClaims(actor *domain.TokenActor) *oidc.ActorClaims { } } -func jwtToExchangeToken(jwt *oidc.JWTTokenRequest, resourceOwner string) *exchangeToken { +func jwtToExchangeToken(jwt *oidc.JWTTokenRequest, resourceOwner string, preferredLanguage *language.Tag) *exchangeToken { return &exchangeToken{ tokenType: oidc.JWTTokenType, userID: jwt.Subject, @@ -86,6 +94,7 @@ func jwtToExchangeToken(jwt *oidc.JWTTokenRequest, resourceOwner string) *exchan scopes: jwt.Scopes, authTime: jwt.IssuedAt.AsTime(), // audience omitted as we don't thrust audiences not signed by us + preferredLanguage: preferredLanguage, } } diff --git a/internal/api/oidc/token_exchange_integration_test.go b/internal/api/oidc/token_exchange_integration_test.go index e1fb8fad07..2636b85d86 100644 --- a/internal/api/oidc/token_exchange_integration_test.go +++ b/internal/api/oidc/token_exchange_integration_test.go @@ -587,5 +587,5 @@ func TestImpersonation_API_Call(t *testing.T) { _, err = Tester.Client.Admin.GetAllowedLanguages(impersonatedCTX, &admin.GetAllowedLanguagesRequest{}) status := status.Convert(err) assert.Equal(t, codes.PermissionDenied, status.Code()) - assert.Equal(t, "Errors.TokenExchange.Token.NotForAPI (APP-wai8O)", status.Message()) + assert.Equal(t, "Errors.TokenExchange.Token.NotForAPI (APP-Shi0J)", status.Message()) } diff --git a/internal/api/oidc/token_jwt_profile.go b/internal/api/oidc/token_jwt_profile.go new file mode 100644 index 0000000000..b23a24f77f --- /dev/null +++ b/internal/api/oidc/token_jwt_profile.go @@ -0,0 +1,99 @@ +package oidc + +import ( + "context" + "time" + + "github.com/go-jose/go-jose/v4" + "github.com/zitadel/oidc/v3/pkg/oidc" + "github.com/zitadel/oidc/v3/pkg/op" + + "github.com/zitadel/zitadel/internal/crypto" + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/query" + "github.com/zitadel/zitadel/internal/telemetry/tracing" +) + +func (s *Server) JWTProfile(ctx context.Context, r *op.Request[oidc.JWTProfileGrantRequest]) (_ *op.Response, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { + span.EndWithError(err) + err = oidcError(err) + }() + + user, jwtReq, err := s.verifyJWTProfile(ctx, r.Data) + if err != nil { + return nil, err + } + + client := &clientCredentialsClient{ + id: jwtReq.Subject, + user: user, + } + scope, err := op.ValidateAuthReqScopes(client, r.Data.Scope) + if err != nil { + return nil, err + } + scope, err = s.checkOrgScopes(ctx, client.user, scope) + if err != nil { + return nil, err + } + + session, err := s.command.CreateOIDCSession(ctx, + user.ID, + user.ResourceOwner, + "", + scope, + domain.AddAudScopeToAudience(ctx, nil, r.Data.Scope), + []domain.UserAuthMethodType{domain.UserAuthMethodTypePrivateKey}, + time.Now(), + "", + nil, + nil, + domain.TokenReasonJWTProfile, + nil, + false, + ) + return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false)) +} + +func (s *Server) verifyJWTProfile(ctx context.Context, req *oidc.JWTProfileGrantRequest) (user *query.User, tokenRequest *oidc.JWTTokenRequest, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + checkSubject := func(jwt *oidc.JWTTokenRequest) (err error) { + user, err = s.query.GetUserByID(ctx, true, jwt.Subject) + return err + } + verifier := op.NewJWTProfileVerifier( + &jwtProfileKeyStorage{query: s.query}, + op.IssuerFromContext(ctx), + time.Hour, time.Second, + op.SubjectCheck(checkSubject), + ) + tokenRequest, err = op.VerifyJWTAssertion(ctx, req.Assertion, verifier) + if err != nil { + return nil, nil, err + } + return user, tokenRequest, nil +} + +type jwtProfileKeyStorage struct { + query *query.Queries +} + +func (s *jwtProfileKeyStorage) GetKeyByIDAndClientID(ctx context.Context, keyID, userID string) (*jose.JSONWebKey, error) { + publicKeyData, err := s.query.GetAuthNKeyPublicKeyByIDAndIdentifier(ctx, keyID, userID) + if err != nil { + return nil, err + } + publicKey, err := crypto.BytesToPublicKey(publicKeyData) + if err != nil { + return nil, err + } + return &jose.JSONWebKey{ + KeyID: keyID, + Use: "sig", + Key: publicKey, + }, nil +} diff --git a/internal/api/oidc/token_jwt_profile_integration_test.go b/internal/api/oidc/token_jwt_profile_integration_test.go new file mode 100644 index 0000000000..b80ea09bcd --- /dev/null +++ b/internal/api/oidc/token_jwt_profile_integration_test.go @@ -0,0 +1,103 @@ +//go:build integration + +package oidc_test + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "github.com/zitadel/oidc/v3/pkg/client/profile" + "github.com/zitadel/oidc/v3/pkg/client/rp" + "github.com/zitadel/oidc/v3/pkg/oidc" + + oidc_api "github.com/zitadel/zitadel/internal/api/oidc" + "github.com/zitadel/zitadel/internal/domain" +) + +func TestServer_JWTProfile(t *testing.T) { + userID, keyData, err := Tester.CreateOIDCJWTProfileClient(CTX) + require.NoError(t, err) + + type claims struct { + resourceOwnerID any + resourceOwnerName any + resourceOwnerPrimaryDomain any + orgDomain any + } + tests := []struct { + name string + keyData []byte + scope []string + wantClaims claims + wantErr bool + }{ + { + name: "success", + keyData: keyData, + scope: []string{oidc.ScopeOpenID}, + }, + { + name: "org id and domain scope", + keyData: keyData, + scope: []string{ + oidc.ScopeOpenID, + domain.OrgIDScope + Tester.Organisation.ID, + domain.OrgDomainPrimaryScope + Tester.Organisation.Domain, + }, + wantClaims: claims{ + resourceOwnerID: Tester.Organisation.ID, + resourceOwnerName: Tester.Organisation.Name, + resourceOwnerPrimaryDomain: Tester.Organisation.Domain, + orgDomain: Tester.Organisation.Domain, + }, + }, + { + name: "invalid org domain filtered", + keyData: keyData, + scope: []string{ + oidc.ScopeOpenID, + domain.OrgDomainPrimaryScope + Tester.Organisation.Domain, + domain.OrgDomainPrimaryScope + "foo"}, + wantClaims: claims{ + orgDomain: Tester.Organisation.Domain, + }, + }, + { + name: "invalid org id filtered", + keyData: keyData, + scope: []string{oidc.ScopeOpenID, + domain.OrgIDScope + Tester.Organisation.ID, + domain.OrgIDScope + "foo", + }, + wantClaims: claims{ + resourceOwnerID: Tester.Organisation.ID, + resourceOwnerName: Tester.Organisation.Name, + resourceOwnerPrimaryDomain: Tester.Organisation.Domain, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tokenSource, err := profile.NewJWTProfileTokenSourceFromKeyFileData(CTX, Tester.OIDCIssuer(), tt.keyData, tt.scope) + require.NoError(t, err) + + tokens, err := tokenSource.TokenCtx(CTX) + if tt.wantErr { + require.Error(t, err) + return + } + require.NoError(t, err) + require.NotNil(t, tokens) + + provider, err := rp.NewRelyingPartyOIDC(CTX, Tester.OIDCIssuer(), "", "", redirectURI, tt.scope) + require.NoError(t, err) + userinfo, err := rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, oidc.BearerToken, userID, provider) + require.NoError(t, err) + assert.Equal(t, tt.wantClaims.resourceOwnerID, userinfo.Claims[oidc_api.ClaimResourceOwnerID]) + assert.Equal(t, tt.wantClaims.resourceOwnerName, userinfo.Claims[oidc_api.ClaimResourceOwnerName]) + assert.Equal(t, tt.wantClaims.resourceOwnerPrimaryDomain, userinfo.Claims[oidc_api.ClaimResourceOwnerPrimaryDomain]) + assert.Equal(t, tt.wantClaims.orgDomain, userinfo.Claims[domain.OrgDomainPrimaryClaim]) + }) + } +} diff --git a/internal/api/oidc/token_refresh.go b/internal/api/oidc/token_refresh.go new file mode 100644 index 0000000000..66a8b8a263 --- /dev/null +++ b/internal/api/oidc/token_refresh.go @@ -0,0 +1,101 @@ +package oidc + +import ( + "context" + "errors" + "slices" + + "github.com/zitadel/oidc/v3/pkg/oidc" + "github.com/zitadel/oidc/v3/pkg/op" + + "github.com/zitadel/zitadel/internal/command" + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/telemetry/tracing" + "github.com/zitadel/zitadel/internal/zerrors" +) + +func (s *Server) RefreshToken(ctx context.Context, r *op.ClientRequest[oidc.RefreshTokenRequest]) (_ *op.Response, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { + span.EndWithError(err) + err = oidcError(err) + }() + + client, ok := r.Client.(*Client) + if !ok { + return nil, zerrors.ThrowInternal(nil, "OIDC-ga0EP", "Error.Internal") + } + + session, err := s.command.ExchangeOIDCSessionRefreshAndAccessToken(ctx, r.Data.RefreshToken, r.Data.Scopes, refreshTokenComplianceChecker()) + if err == nil { + return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion)) + } else if errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "OIDCS-JOI23", "Errors.OIDCSession.RefreshTokenInvalid")) { + // We try again for v1 tokens when we encountered specific parsing error + return s.refreshTokenV1(ctx, client, r) + } + return nil, err +} + +// refreshTokenV1 verifies a v1 refresh token. +// When valid a v2 OIDC session is created and v2 tokens are returned. +// This "upgrades" existing v1 sessions to v2 session without requiring users to re-login. +// +// This function can be removed when we retire the v1 token repo. +func (s *Server) refreshTokenV1(ctx context.Context, client *Client, r *op.ClientRequest[oidc.RefreshTokenRequest]) (_ *op.Response, err error) { + refreshToken, err := s.repo.RefreshTokenByToken(ctx, r.Data.RefreshToken) + if err != nil { + return nil, err + } + scope, err := validateRefreshTokenScopes(refreshToken.Scopes, r.Data.Scopes) + if err != nil { + return nil, err + } + session, err := s.command.CreateOIDCSession(ctx, + refreshToken.UserID, + refreshToken.ResourceOwner, + refreshToken.ClientID, + scope, + refreshToken.Audience, + AMRToAuthMethodTypes(refreshToken.AuthMethodsReferences), + refreshToken.AuthTime, + "", + nil, // Preferred language not in refresh token view + &domain.UserAgent{ + FingerprintID: &refreshToken.UserAgentID, + Description: &refreshToken.UserAgentID, + }, + domain.TokenReasonRefresh, + refreshToken.Actor, + true, + ) + if err != nil { + return nil, err + } + + // make sure the v1 refresh token can't be reused. + _, err = s.command.RevokeRefreshToken(ctx, refreshToken.UserID, refreshToken.ResourceOwner, refreshToken.ID) + if err != nil { + return nil, err + } + + return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion)) +} + +// refreshTokenComplianceChecker validates that the requested scope is a subset of the original auth request scope. +func refreshTokenComplianceChecker() command.RefreshTokenComplianceChecker { + return func(_ context.Context, model *command.OIDCSessionWriteModel, requestedScope []string) ([]string, error) { + return validateRefreshTokenScopes(model.Scope, requestedScope) + } +} + +func validateRefreshTokenScopes(currentScope, requestedScope []string) ([]string, error) { + if len(requestedScope) == 0 { + return currentScope, nil + } + for _, s := range requestedScope { + if !slices.Contains(currentScope, s) { + return nil, oidc.ErrInvalidScope() + } + } + return requestedScope, nil +} diff --git a/internal/api/oidc/userinfo.go b/internal/api/oidc/userinfo.go index 6d01e6bf9c..c21b746c49 100644 --- a/internal/api/oidc/userinfo.go +++ b/internal/api/oidc/userinfo.go @@ -20,6 +20,7 @@ import ( "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/query" "github.com/zitadel/zitadel/internal/telemetry/tracing" + "github.com/zitadel/zitadel/internal/zerrors" ) func (s *Server) UserInfo(ctx context.Context, r *op.Request[oidc.UserInfoRequest]) (_ *op.Response, err error) { @@ -48,7 +49,8 @@ func (s *Server) UserInfo(ctx context.Context, r *op.Request[oidc.UserInfoReques ) if token.clientID != "" { projectID, assertion, err = s.query.GetOIDCUserinfoClientByID(ctx, token.clientID) - if err != nil { + // token.clientID might contain a username (e.g. client credentials) -> ignore the not found + if err != nil && !zerrors.IsNotFound(err) { return nil, err } } diff --git a/internal/api/ui/login/device_auth.go b/internal/api/ui/login/device_auth.go index afaf639ca9..0d5349903e 100644 --- a/internal/api/ui/login/device_auth.go +++ b/internal/api/ui/login/device_auth.go @@ -111,6 +111,7 @@ func (l *Login) handleDeviceAuthUserCode(w http.ResponseWriter, r *http.Request) } authRequest, err := l.authRepo.CreateAuthRequest(ctx, &domain.AuthRequest{ CreationDate: time.Now(), + BrowserInfo: domain.BrowserInfoFromRequest(r), AgentID: userAgentID, ApplicationID: deviceAuthReq.ClientID, InstanceID: authz.GetInstance(ctx).InstanceID(), @@ -161,7 +162,7 @@ func (l *Login) handleDeviceAuthAction(w http.ResponseWriter, r *http.Request) { action := mux.Vars(r)["action"] switch action { case deviceAuthAllowed: - _, err = l.command.ApproveDeviceAuth(r.Context(), authDev.DeviceCode, authReq.UserID, authReq.UserAuthMethodTypes(), authReq.AuthTime) + _, err = l.command.ApproveDeviceAuth(r.Context(), authDev.DeviceCode, authReq.UserID, authReq.UserOrgID, authReq.UserAuthMethodTypes(), authReq.AuthTime, authReq.PreferredLanguage, authReq.BrowserInfo.ToUserAgent()) case deviceAuthDenied: _, err = l.command.CancelDeviceAuth(r.Context(), authDev.DeviceCode, domain.DeviceAuthCanceledDenied) default: diff --git a/internal/api/ui/login/external_provider_handler.go b/internal/api/ui/login/external_provider_handler.go index 2622c2242e..ab0d98b997 100644 --- a/internal/api/ui/login/external_provider_handler.go +++ b/internal/api/ui/login/external_provider_handler.go @@ -319,12 +319,11 @@ func (l *Login) handleExternalLoginCallback(w http.ResponseWriter, r *http.Reque l.externalAuthFailed(w, r, authReq, nil, nil, err) return } - sp, err := provider.(*saml.Provider).GetSP() + session, err = saml.NewSession(provider.(*saml.Provider), authReq.SAMLRequestID, r) if err != nil { l.externalAuthFailed(w, r, authReq, nil, nil, err) return } - session = &saml.Session{ServiceProvider: sp, RequestID: authReq.SAMLRequestID, Request: r} case domain.IDPTypeJWT, domain.IDPTypeLDAP, domain.IDPTypeUnspecified: @@ -1029,13 +1028,19 @@ func (l *Login) samlProvider(ctx context.Context, identityProvider *query.IDPTem if err != nil { return nil, err } - opts := make([]saml.ProviderOpts, 0, 2) + opts := make([]saml.ProviderOpts, 0, 6) if identityProvider.SAMLIDPTemplate.WithSignedRequest { opts = append(opts, saml.WithSignedRequest()) } if identityProvider.SAMLIDPTemplate.Binding != "" { opts = append(opts, saml.WithBinding(identityProvider.SAMLIDPTemplate.Binding)) } + if identityProvider.SAMLIDPTemplate.NameIDFormat.Valid { + opts = append(opts, saml.WithNameIDFormat(identityProvider.SAMLIDPTemplate.NameIDFormat.V)) + } + if identityProvider.SAMLIDPTemplate.TransientMappingAttributeName != "" { + opts = append(opts, saml.WithTransientMappingAttributeName(identityProvider.SAMLIDPTemplate.TransientMappingAttributeName)) + } opts = append(opts, saml.WithEntityID(http_utils.BuildOrigin(authz.GetInstance(ctx).RequestedHost(), l.externalSecure)+"/idps/"+identityProvider.ID+"/saml/metadata"), saml.WithCustomRequestTracker( diff --git a/internal/api/ui/login/static/i18n/bg.yaml b/internal/api/ui/login/static/i18n/bg.yaml index 12f5e57bd6..61ef709f69 100644 --- a/internal/api/ui/login/static/i18n/bg.yaml +++ b/internal/api/ui/login/static/i18n/bg.yaml @@ -27,19 +27,22 @@ SelectAccount: SessionState0: активен SessionState1: Не сте в профила си MustBeMemberOfOrg: 'Потребителят трябва да е член на {{.OrgName}} организация.' + Password: Title: Парола - Description: Въведете вашите данни за вход. + Description: Въведете данните си за вход. PasswordLabel: Парола - MinLength: Минимална дължина - HasUppercase: Главна буква - HasLowercase: Малка буква - HasNumber: Номер - HasSymbol: Символ - Confirmation: Съвпадение за потвърждение - ResetLinkText: нулиране на парола - BackButtonText: обратно - NextButtonText: следващия + MinLength: Трябва да е поне + MinLengthp2: символа дълга. + MaxLength: Трябва да е по-малко от 70 символа. + HasUppercase: Трябва да включва главна буква. + HasLowercase: Трябва да включва малка буква. + HasNumber: Трябва да включва число. + HasSymbol: Трябва да включва символ. + Confirmation: Потвърждението на паролата съвпада. + ResetLinkText: Нулиране на паролата + BackButtonText: Назад + NextButtonText: Напред UsernameChange: Title: Промяна на потребителското име Description: Задайте новото си потребителско име diff --git a/internal/api/ui/login/static/i18n/cs.yaml b/internal/api/ui/login/static/i18n/cs.yaml index 3b97b14bf2..52e88e526b 100644 --- a/internal/api/ui/login/static/i18n/cs.yaml +++ b/internal/api/ui/login/static/i18n/cs.yaml @@ -32,12 +32,14 @@ Password: Title: Heslo Description: Zadejte své přihlašovací údaje. PasswordLabel: Heslo - MinLength: Minimální délka - HasUppercase: Velké písmeno - HasLowercase: Malé písmeno - HasNumber: Číslo - HasSymbol: Symbol - Confirmation: Potvrzení shody + MinLength: Musí být alespoň + MinLengthp2: znaků dlouhé. + MaxLength: Musí být kratší než 70 znaků. + HasUppercase: Musí obsahovat velké písmeno. + HasLowercase: Musí obsahovat malé písmeno. + HasNumber: Musí obsahovat číslo. + HasSymbol: Musí obsahovat symbol. + Confirmation: Potvrzení hesla odpovídá. ResetLinkText: Obnovit heslo BackButtonText: Zpět NextButtonText: Další diff --git a/internal/api/ui/login/static/i18n/de.yaml b/internal/api/ui/login/static/i18n/de.yaml index d258f09aa6..4022abfa74 100644 --- a/internal/api/ui/login/static/i18n/de.yaml +++ b/internal/api/ui/login/static/i18n/de.yaml @@ -29,15 +29,17 @@ SelectAccount: MustBeMemberOfOrg: Der Benutzer muss der Organisation {{.OrgName}} angehören. Password: - Title: Willkommen zurück! - Description: Gib deine Benutzerdaten ein. + Title: Passwort + Description: Geben Sie Ihre Anmeldedaten ein. PasswordLabel: Passwort - MinLength: Mindestlänge - HasUppercase: Großbuchstaben - HasLowercase: Kleinbuchstaben - HasNumber: Nummer - HasSymbol: Symbol - Confirmation: Wiederholung stimmt überein + MinLength: Muss mindestens + MinLengthp2: Zeichen lang sein. + MaxLength: Muss weniger als 70 Zeichen lang sein. + HasUppercase: Muss einen Großbuchstaben enthalten. + HasLowercase: Muss einen Kleinbuchstaben enthalten. + HasNumber: Muss eine Zahl enthalten. + HasSymbol: Muss ein Symbol enthalten. + Confirmation: Passwortbestätigung stimmt überein. ResetLinkText: Passwort zurücksetzen BackButtonText: Zurück NextButtonText: Weiter diff --git a/internal/api/ui/login/static/i18n/en.yaml b/internal/api/ui/login/static/i18n/en.yaml index 338107060d..b3f6cd4793 100644 --- a/internal/api/ui/login/static/i18n/en.yaml +++ b/internal/api/ui/login/static/i18n/en.yaml @@ -32,12 +32,14 @@ Password: Title: Password Description: Enter your login data. PasswordLabel: Password - MinLength: Minimum length - HasUppercase: Uppercase letter - HasLowercase: Lowercase letter - HasNumber: Number - HasSymbol: Symbol - Confirmation: Confirmation match + MinLength: Must be at least + MinLengthp2: characters long. + MaxLength: Must be less than 70 characters long. + HasUppercase: Must include an uppercase letter. + HasLowercase: Must include a lowercase letter. + HasNumber: Must include a number. + HasSymbol: Must include a symbol. + Confirmation: Password confirmation matched. ResetLinkText: Reset Password BackButtonText: Back NextButtonText: Next diff --git a/internal/api/ui/login/static/i18n/es.yaml b/internal/api/ui/login/static/i18n/es.yaml index ef091f2910..29336ab5a2 100644 --- a/internal/api/ui/login/static/i18n/es.yaml +++ b/internal/api/ui/login/static/i18n/es.yaml @@ -30,17 +30,19 @@ SelectAccount: Password: Title: Contraseña - Description: Introduce tus datos de inicio de sesión. + Description: Introduce tus datos de acceso. PasswordLabel: Contraseña - MinLength: Longitud mínima - HasUppercase: Una letra mayúscula - HasLowercase: Una letra minúscula - HasNumber: Número - HasSymbol: Símbolo - Confirmation: Las contraseñas coinciden - ResetLinkText: restablecer contraseña - BackButtonText: atrás - NextButtonText: siguiente + MinLength: Debe tener al menos + MinLengthp2: caracteres de longitud. + MaxLength: Debe tener menos de 70 caracteres de longitud. + HasUppercase: Debe incluir una letra mayúscula. + HasLowercase: Debe incluir una letra minúscula. + HasNumber: Debe incluir un número. + HasSymbol: Debe incluir un símbolo. + Confirmation: La confirmación de la contraseña coincide. + ResetLinkText: Restablecer contraseña + BackButtonText: Atrás + NextButtonText: Siguiente UsernameChange: Title: Cambiar nombre de usuario diff --git a/internal/api/ui/login/static/i18n/fr.yaml b/internal/api/ui/login/static/i18n/fr.yaml index de5d1ca495..69cd70518a 100644 --- a/internal/api/ui/login/static/i18n/fr.yaml +++ b/internal/api/ui/login/static/i18n/fr.yaml @@ -4,68 +4,70 @@ Login: TitleLinking: Login pour la liaison des utilisateurs DescriptionLinking: Entrez vos données de connexion pour lier votre utilisateur externe avec un utilisateur ZITADEL. LoginNameLabel: Identifiant - UsernamePlaceHolder: nom d'utilisateur - LoginnamePlaceHolder: nom d'utilisateur@domaine + UsernamePlaceHolder: Nom d'utilisateur + LoginnamePlaceHolder: Nom d'utilisateur ExternalUserDescription: Se connecter avec un utilisateur externe. - MustBeMemberOfOrg: L'utilisateur doit être membre de l'organisation {{.OrgName}} . - RegisterButtonText: s'inscrire - NextButtonText: suivant + MustBeMemberOfOrg: L'utilisateur doit être membre de l'organisation {{.OrgName}}. + RegisterButtonText: S'inscrire + NextButtonText: Suivant LDAP: Title: Connexion Description: Entrez vos données de connexion. LoginNameLabel: Identifiant PasswordLabel: Mot de passe - NextButtonText: suivant + NextButtonText: Suivant SelectAccount: Title: Sélectionner un compte - Description: Utilisez votre compte ZITADEL + Description: Utilisez votre compte ZITADEL. TitleLinking: Sélectionnez le compte pour le lien avec l'utilisateur DescriptionLinking: Sélectionnez votre compte pour établir un lien avec votre utilisateur externe. OtherUser: Autre utilisateur - SessionState0: actif + SessionState0: Actif SessionState1: Déconnecté MustBeMemberOfOrg: L'utilisateur doit être membre de l'organisation {{.OrgName}}. Password: Title: Mot de passe - Description: Entrez vos données de connexion. + Description: Entrez vos identifiants. PasswordLabel: Mot de passe - MinLength: Longueur minimale - HasUppercase: Lettre majuscule - HasLowercase: Lettre minuscule - HasNumber: Numéro - HasSymbol: Symbole - Confirmation: Correspondance de confirmation - ResetLinkText: réinitialiser le mot de passe - BackButtonText: retour - NextButtonText: suivant + MinLength: Doit contenir au moins + MinLengthp2: caractères. + MaxLength: Doit contenir moins de 70 caractères. + HasUppercase: Doit inclure une lettre majuscule. + HasLowercase: Doit inclure une lettre minuscule. + HasNumber: Doit inclure un chiffre. + HasSymbol: Doit inclure un symbole. + Confirmation: La confirmation du mot de passe correspond. + ResetLinkText: Réinitialiser le mot de passe + BackButtonText: Retour + NextButtonText: Suivant UsernameChange: Title: Modifier le nom d'utilisateur - Description: Définissez votre nouveau nom d'utilisateur + Description: Définissez votre nouveau nom d'utilisateur. UsernameLabel: Nom d'utilisateur - CancelButtonText: annuler - NextButtonText: suivant + CancelButtonText: Annuler + NextButtonText: Suivant UsernameChangeDone: Title: Nom d'utilisateur modifié - Description: Votre nom d'utilisateur a été changé avec succès. - NextButtonText: suivant + Description: Votre nom d'utilisateur a bien été modifié. + NextButtonText: Suivant InitPassword: Title: Définir un mot de passe - Description: Vous avez reçu un code, que vous devez saisir dans le formulaire ci-dessous, pour définir votre nouveau mot de passe. + Description: Vous avez reçu un code, que vous devez saisir dans le formulaire ci-dessous pour définir votre nouveau mot de passe. CodeLabel: Code NewPasswordLabel: Nouveau mot de passe NewPasswordConfirmLabel: Confirmer le mot de passe - ResendButtonText: renvoyer le code - NextButtonText: suivant + ResendButtonText: Renvoyer le code + NextButtonText: Suivant InitPasswordDone: Title: Mot de passe défini - Description: Mot de passe défini avec succès + Description: Mot de passe défini avec succès. NextButtonText: Suivant CancelButtonText: Annuler @@ -76,17 +78,17 @@ InitUser: NewPasswordLabel: Nouveau mot de passe NewPasswordConfirm: Confirmer le mot de passe NextButtonText: Suivant - ResendButtonText: renvoyer le code + ResendButtonText: Renvoyer le code InitUserDone: - Title: User Utilisateur activé - Description: Email vérifié et mot de passe défini avec succès + Title: Utilisateur activé + Description: Email vérifié et mot de passe défini avec succès. NextButtonText: Suivant - CancelButtonText: annuler + CancelButtonText: Annuler InitMFAPrompt: - Title: Configuration à 2 facteurs - Description: L'authentification à deux facteurs vous offre une sécurité supplémentaire pour votre compte d'utilisateur. Vous êtes ainsi assuré d'être le seul à avoir accès à votre compte. + Title: Configuration authentification à 2 facteurs + Description: L'authentification authentification à 2 facteurs vous offre une sécurité supplémentaire pour votre compte d'utilisateur. Vous êtes ainsi assuré d'être le seul à avoir accès à votre compte. Provider0: Application d'authentification (par exemple, Google/Microsoft Authenticator, Authy) Provider1: Dépend de l'appareil (par ex. FaceID, Windows Hello, empreinte digitale) Provider3: OTP SMS @@ -95,15 +97,15 @@ InitMFAPrompt: SkipButtonText: Passer InitMFAOTP: - Title: Vérification à deux facteurs - Description: Créez votre 2-facteurs. Téléchargez une application d'authentification si vous n'en avez pas déjà une. + Title: Vérification authentification à 2 facteurs + Description: Créez votre authentification à 2 facteurs. Téléchargez une application d'authentification si vous n'en avez pas déjà une. OTPDescription: Scannez le code avec votre application d'authentification (par exemple Google Authenticator) ou copiez le secret et insérez le code généré ci-dessous. SecretLabel: Secret CodeLabel: Code NextButtonText: Suivant CancelButtonText: Annuler -InitMFASMS: +InitMFAOTPSMS: Title: Vérification à deux facteurs DescriptionPhone: Créez votre 2-facteurs. Entrez votre numéro de téléphone pour le vérifier. DescriptionCode: Créez votre 2-facteurs. Entrez le code reçu pour vérifier votre numéro de téléphone. @@ -118,12 +120,12 @@ InitMFAU2F: Description: Une clé de sécurité est une méthode de vérification qui peut être intégrée à votre téléphone, utiliser Bluetooth ou se brancher directement sur le port USB de votre ordinateur. TokenNameLabel: Nom de la clé de sécurité / de l'appareil NotSupported: WebAuthN n'est pas pris en charge par votre navigateur. Veuillez vous assurer qu'il est à jour ou utiliser un autre navigateur (par exemple Chrome, Safari, Firefox). - RegisterTokenButtonText: Enregistrez 2-facteurs + RegisterTokenButtonText: Enregistrez l'authentification à 2 facteurs ErrorRetry: Réessayez, créez un nouveau défi ou choisissez une autre méthode. InitMFADone: Title: Clé de sécurité ajoutée - Description: Génial! Vous venez de configurer avec succès votre facteur 2 et de rendre votre compte beaucoup plus sûr. Le facteur doit être saisi à chaque connexion. + Description: Génial! Vous venez de configurer avec succès votre authentification à 2 facteurs et de rendre votre compte beaucoup plus sûr. Le code doit être saisi à chaque connexion. NextButtonText: Suivant CancelButtonText: Annuler @@ -132,58 +134,58 @@ MFAProvider: Provider1: Dépend de l'appareil (par ex. FaceID, Windows Hello, empreinte digitale) Provider3: OTP SMS Provider4: OTP e-mail - ChooseOther: ou choisissez une autre option + ChooseOther: Ou choisissez une autre option VerifyMFAOTP: - Title: Vérifier 2-Facteurs - Description: Vérifiez votre second facteur + Title: Vérifier authentification à 2 facteurs + Description: Vérifiez votre authentification à 2 facteurs CodeLabel: Code NextButtonText: Suivant VerifyOTP: - Title: Vérifier 2-Facteurs - Description: Vérifiez votre second facteur + Title: Vérifier authentification à 2 facteurs + Description: Vérifiez votre authentification à 2 facteurs CodeLabel: Code ResendButtonText: Renvoyer le code NextButtonText: Suivant VerifyMFAU2F: - Title: Vérifier 2-Facteurs - Description: Vérifiez votre facteur 2 avec l'appareil enregistré (par exemple FaceID, Windows Hello, empreinte digitale). + Title: Vérifier authentification à 2 facteurs + Description: Vérifiez votre authentification à 2 facteurs avec l'appareil enregistré (par exemple FaceID, Windows Hello, empreinte digitale). NotSupported: WebAuthN n'est pas pris en charge par votre navigateur. Assurez-vous que vous utilisez la dernière version ou changez votre navigateur pour un navigateur pris en charge (Chrome, Safari, Firefox). - ErrorRetry: Réessayer, créer une nouvelle demande ou choisir une autre méthode. - ValidateTokenButtonText: Vérifier 2-Facteurs + ErrorRetry: Réessayez, créez une nouvelle demande ou choisissez une autre méthode. + ValidateTokenButtonText: Vérifier l'authentification à 2 facteurs Passwordless: Title: Connexion sans mot de passe Description: Connectez-vous avec les méthodes d'authentification fournies par votre appareil, comme FaceID, Windows Hello ou les empreintes digitales. NotSupported: WebAuthN n'est pas pris en charge par votre navigateur. Veuillez vous assurer qu'il est à jour ou utiliser un autre navigateur (par exemple Chrome, Safari, Firefox). ErrorRetry: Réessayez, créez un nouveau défi ou choisissez une autre méthode. - LoginWithPwButtonText: Connectez-vous avec le mot de passe + LoginWithPwButtonText: Connexion avec mot de passe ValidateTokenButtonText: Connexion sans mot de passe PasswordlessPrompt: - Title: Configuration sans mot de passe - Description: Souhaitez-vous configurer une connexion sans mot de passe? Méthodes d'authentification de votre appareil comme FaceID, Windows Hello ou Fingerprint. + Title: Configuration connexion sans mot de passe + Description: Souhaitez-vous configurer une connexion sans mot de passe ? (Méthodes d'authentification de votre appareil comme FaceID, Windows Hello ou empreintes digitales) DescriptionInit: Vous devez configurer la connexion sans mot de passe. Utilisez le lien qui vous a été donné pour enregistrer votre appareil. - PasswordlessButtonText: Aller sans mot de passe - NextButtonText: suivant + PasswordlessButtonText: Configurer la connexion sans mot de passe + NextButtonText: Suivant SkipButtonText: Passer PasswordlessRegistration: - Title: Configuration sans mot de passe - Description: Ajoutez votre authentification en fournissant un nom (par exemple MyMobilePhone, MacBook, etc.) et cliquez ensuite sur le bouton "Register passwordless" ci-dessous. + Title: Configuration connexion sans mot de passe + Description: Ajoutez votre authentification en fournissant un nom (par exemple MyMobilePhone, MacBook, etc.) et cliquez ensuite sur le bouton "Enregistrer la connexion sans mot de passe" ci-dessous. TokenNameLabel: Nom de l'appareil NotSupported: WebAuthN n'est pas pris en charge par votre navigateur. Veuillez vous assurer qu'il est à jour ou utiliser un autre navigateur (par exemple Chrome, Safari, Firefox). - RegisterTokenButtonText: Enregistrement sans mot de passe - ErrorRetry: Réessayer, créer un nouveau défi ou choisir une autre méthode. + RegisterTokenButtonText: Enregistrer la connexion sans mot de passe + ErrorRetry: Réessayez, créez un nouveau défi ou choisissez une autre méthode. PasswordlessRegistrationDone: - Title: Configuration sans mot de passe - Description: Le dispositif sans mot de passe a été ajouté avec succès. + Title: Configuration connexion sans mot de passe + Description: Le dispositif de connexion sans mot de passe a été ajouté avec succès. DescriptionClose: Vous pouvez maintenant fermer cette fenêtre. - NextButtonText: suivant - CancelButtonText: annuler + NextButtonText: Suivant + CancelButtonText: Annuler PasswordChange: Title: Changer le mot de passe @@ -191,46 +193,46 @@ PasswordChange: OldPasswordLabel: Ancien mot de passe NewPasswordLabel: Nouveau mot de passe NewPasswordConfirmLabel: Confirmation du mot de passe - CancelButtonText: annuler - NextButtonText: suivant + CancelButtonText: Annuler + NextButtonText: Suivant Footer: Bas de page PasswordChangeDone: Title: Changer le mot de passe Description: Votre mot de passe a été modifié avec succès. - NextButtonText: suivant + NextButtonText: Suivant PasswordResetDone: Title: Lien de réinitialisation du mot de passe envoyé Description: Vérifiez votre e-mail pour réinitialiser votre mot de passe. - NextButtonText: suivant + NextButtonText: Suivant EmailVerification: - Title: Vérification de l'email + Title: Vérification de l'e-mail Description: Nous vous avons envoyé un e-mail pour vérifier votre adresse. Veuillez saisir le code dans le formulaire ci-dessous. CodeLabel: Code - NextButtonText: suivant - ResendButtonText: renvoyer le code + NextButtonText: Suivant + ResendButtonText: Renvoyer le code EmailVerificationDone: - Title: E-Mail Verification + Title: E-mail Verification Description: Votre adresse électronique a été vérifiée avec succès. - NextButtonText: suivant - CancelButtonText: annuler - LoginButtonText: connexion + NextButtonText: Suivant + CancelButtonText: Annuler + LoginButtonText: Connexion RegisterOption: Title: Options d'enregistrement - Description: Choisissez comment vous souhaitez vous enregistrer + Description: Choisissez comment vous souhaitez vous enregistrer. RegisterUsernamePasswordButtonText: Avec nom d'utilisateur et mot de passe - ExternalLoginDescription: ou s'enregistrer avec un utilisateur externe - LoginButtonText: connexion + ExternalLoginDescription: Ou s'enregistrer avec un utilisateur externe + LoginButtonText: Connexion RegistrationUser: Title: Inscription Description: Entrez vos données d'utilisateur. Votre adresse e-mail sera utilisée comme nom de connexion. DescriptionOrgRegister: Entrez vos données d'utilisateur. - EmailLabel: E-Mail + EmailLabel: Email UsernameLabel: Identifiant FirstnameLabel: Prénom LastnameLabel: Nom de famille @@ -252,22 +254,22 @@ RegistrationUser: GenderLabel: Genre Female: Femme Male: Homme - Diverse: divers / X + Diverse: Divers / X PasswordLabel: Mot de passe PasswordConfirmLabel: Confirmation du mot de passe TosAndPrivacyLabel: Termes et conditions TosConfirm: J'accepte les TosLinkText: TOS PrivacyConfirm: J'accepte les - PrivacyLinkText: politique de confidentialité - ExternalLogin: ou m'inscrire avec un utilisateur externe - BackButtonText: connexion - NextButtonText: suivant + PrivacyLinkText: Politique de confidentialité + ExternalLogin: Ou m'inscrire avec un utilisateur externe + BackButtonText: Connexion + NextButtonText: Suivant ExternalRegistrationUserOverview: Title: Enregistrement des utilisateurs externes - Description: Nous avons pris vos coordonnées d'utilisateur auprès du fournisseur sélectionné. Vous pouvez maintenant les modifier ou les compléter. - EmailLabel: E-Mail + Description: Nous avons récupéré vos coordonnées d'utilisateur auprès du fournisseur sélectionné. Vous pouvez maintenant les modifier ou les compléter. + EmailLabel: E-mail UsernameLabel: Identifiant FirstnameLabel: Prénom LastnameLabel: Nom de famille @@ -292,16 +294,16 @@ ExternalRegistrationUserOverview: TosConfirm: J'accepte les TosLinkText: TOS PrivacyConfirm: J'accepte les - PrivacyLinkText: politique de confidentialité - ExternalLogin: ou m'inscrire avec un utilisateur externe - BackButtonText: retour - NextButtonText: enregistrer + PrivacyLinkText: Politique de confidentialité + ExternalLogin: Ou m'inscrire avec un utilisateur externe + BackButtonText: Retour + NextButtonText: Enregistrer RegistrationOrg: Title: Enregistrement de l'organisation Description: Entrez le nom de votre organisation et vos données d'utilisateur. OrgNameLabel: Nom de l'organisation - EmailLabel: E-Mail + EmailLabel: E-mail UsernameLabel: Nom d'utilisateur FirstnameLabel: Prénom LastnameLabel: Nom de famille @@ -311,42 +313,42 @@ RegistrationOrg: TosConfirm: J'accepte les TosLinkText: TOS PrivacyConfirm: J'accepte les - PrivacyLinkText: politique de confidentialité + PrivacyLinkText: Politique de confidentialité SaveButtonText: Créer une organisation LoginSuccess: Title: Connexion réussie AutoRedirectDescription: Vous serez automatiquement redirigé vers votre application. Si ce n'est pas le cas, cliquez sur le bouton ci-dessous. Vous pouvez ensuite fermer la fenêtre. RedirectedDescription: Vous pouvez maintenant fermer cette fenêtre. - NextButtonText: suivant + NextButtonText: Suivant LogoutDone: Title: Déconnecté Description: Vous vous êtes déconnecté avec succès. - LoginButtonText: connexion + LoginButtonText: Connexion LinkingUserPrompt: Title: Utilisateur existant trouvé - Description: "Souhaitez-vous associer votre compte existant:" + Description: "Souhaitez-vous associer votre compte existant :" LinkButtonText: Lier OtherButtonText: Autres options LinkingUsersDone: - Title: Userlinking + Title: Lier utilisateur Description: Le lien avec l'utilisateur est terminé. - CancelButtonText: annuler - NextButtonText: suivant + CancelButtonText: Annuler + NextButtonText: Suivant ExternalNotFound: Title: Utilisateur externe introuvable - Description: Utilisateur externe non trouvé. Voulez-vous lier votre utilisateur ou enregistrer automatiquement un nouvel utilisateur. + Description: Utilisateur externe non trouvé. Voulez-vous lier votre utilisateur ou enregistrer automatiquement un nouvel utilisateur ? LinkButtonText: Lier - AutoRegisterButtonText: enregistrer + AutoRegisterButtonText: Enregistrer TosAndPrivacyLabel: Termes et conditions TosConfirm: J'accepte les TosLinkText: TOS PrivacyConfirm: J'accepte les - PrivacyLinkText: politique de confidentialité + PrivacyLinkText: Politique de confidentialité German: Deutsch English: English Italian: Italiano @@ -367,14 +369,14 @@ DeviceAuth: UserCode: Label: Code d'utilisateur Description: Saisissez le code utilisateur présenté sur l'appareil. - ButtonNext: suivant + ButtonNext: Suivant Action: Description: Accordez l'accès à l'appareil. GrantDevice: vous êtes sur le point d'accorder un appareil AccessToScopes: accès aux périmètres suivants Button: - Allow: permettre - Deny: refuser + Allow: Autoriser + Deny: Refuser Done: Description: Fait. Approved: Autorisation de l'appareil approuvée. Vous pouvez maintenant retourner à l'appareil. @@ -392,7 +394,7 @@ SignIn: Connexion avec {{.Provider}} Errors: Internal: Une erreur interne s'est produite AuthRequest: - NotFound: Impossible de trouver l'authrequest + NotFound: Impossible de trouver la requête d'authentification UserAgentNotCorresponding: L'agent utilisateur ne correspond pas UserAgentNotFound: L'ID de l'agent utilisateur n'a pas été trouvé TokenNotFound: Token non trouvé @@ -404,7 +406,7 @@ Errors: Inactive: L'utilisateur est inactif NotFoundOnOrg: L'utilisateur n'a pas été trouvé dans l'organisation choisie NotAllowedOrg: L'utilisateur n'est pas membre de l'organisation requise - NotMatchingUserID: L'utilisateur et l'utilisateur dans l'authrequest ne correspondent pas. + NotMatchingUserID: L'utilisateur et l'utilisateur dans la requête d'authentification ne correspondent pas. UserIDMissing: UserID est vide Invalid: Données utilisateur non valides DomainNotAllowedAsUsername: Le domaine est déjà réservé et ne peut pas être utilisé. @@ -418,7 +420,7 @@ Errors: IDMissing: Profil ID manquant Email: NotFound: Email non trouvé - Invalid: L'email n'est pas valide + Invalid: L'e-mail n'est pas valide AlreadyVerified: L'adresse électronique est déjà vérifiée NotChanged: L'adresse électronique n'a pas changé Empty: Email est vide @@ -445,7 +447,7 @@ Errors: UsernameOrPassword: Invalid: Le nom d'utilisateur ou le mot de passe n'est pas valide PasswordComplexityPolicy: - NotFound: Politique de mot de passe non trouvée + NotFound: Politique des mots de passe non trouvée MinLength: Le mot de passe est trop court HasLower: Le mot de passe doit contenir une lettre minuscule HasUpper: Le mot de passe doit contenir une lettre majuscule diff --git a/internal/api/ui/login/static/i18n/it.yaml b/internal/api/ui/login/static/i18n/it.yaml index 24e9733943..8b969e6c6f 100644 --- a/internal/api/ui/login/static/i18n/it.yaml +++ b/internal/api/ui/login/static/i18n/it.yaml @@ -32,14 +32,16 @@ Password: Title: Password Description: Inserisci i tuoi dati di accesso. PasswordLabel: Password - MinLength: Lunghezza minima - HasUppercase: Lettera maiuscola - HasLowercase: Lettera minuscola - HasNumber: Numero - HasSymbol: Simbolo - Confirmation: Conferma password - ResetLinkText: Password dimenticata? - BackButtonText: indietro + MinLength: Deve contenere almeno + MinLengthp2: caratteri. + MaxLength: Deve contenere meno di 70 caratteri. + HasUppercase: Deve includere una lettera maiuscola. + HasLowercase: Deve includere una lettera minuscola. + HasNumber: Deve includere un numero. + HasSymbol: Deve includere un simbolo. + Confirmation: La conferma della password corrisponde. + ResetLinkText: Reimposta password + BackButtonText: Indietro NextButtonText: Avanti UsernameChange: diff --git a/internal/api/ui/login/static/i18n/ja.yaml b/internal/api/ui/login/static/i18n/ja.yaml index e4ca75bad7..da55ccb523 100644 --- a/internal/api/ui/login/static/i18n/ja.yaml +++ b/internal/api/ui/login/static/i18n/ja.yaml @@ -22,16 +22,18 @@ SelectAccount: MustBeMemberOfOrg: ユーザーは組織 {{.OrgName}} のメンバーである必要があります。 Password: - Title: パスワードの入力 - Description: ログインデータを入力します。 + Title: パスワード + Description: ログインデータを入力してください。 PasswordLabel: パスワード - MinLength: 文字列の長さ - HasUppercase: 大文字 - HasLowercase: 小文字 - HasNumber: 数字 - HasSymbol: シンボル - Confirmation: パスワードの確認 - ResetLinkText: パスワードを再設定する + MinLength: 少なくとも + MinLengthp2: 文字でなければなりません。 + MaxLength: 70文字以下でなければなりません。 + HasUppercase: 大文字を含む必要があります。 + HasLowercase: 小文字を含む必要があります。 + HasNumber: 数字を含む必要があります。 + HasSymbol: 記号を含む必要があります。 + Confirmation: パスワードの確認が一致しました。 + ResetLinkText: パスワードをリセット BackButtonText: 戻る NextButtonText: 次へ diff --git a/internal/api/ui/login/static/i18n/mk.yaml b/internal/api/ui/login/static/i18n/mk.yaml index dafc520d56..c05af2b691 100644 --- a/internal/api/ui/login/static/i18n/mk.yaml +++ b/internal/api/ui/login/static/i18n/mk.yaml @@ -32,15 +32,17 @@ Password: Title: Лозинка Description: Внесете ги вашите податоци за најава. PasswordLabel: Лозинка - MinLength: Минимална должина - HasUppercase: Голема буква - HasLowercase: Мала буква - HasNumber: Број - HasSymbol: Симбол - Confirmation: Потврда на лозинка - ResetLinkText: ресетирај лозинка - BackButtonText: назад - NextButtonText: следно + MinLength: Мора да биде најмалку + MinLengthp2: карактери долго. + MaxLength: Мора да биде помалку од 70 карактери. + HasUppercase: Мора да вклучи голема буква. + HasLowercase: Мора да вклучи мала буква. + HasNumber: Мора да вклучи број. + HasSymbol: Мора да вклучи симбол. + Confirmation: Потврдата за лозинката се совпаѓа. + ResetLinkText: Ресетирај лозинка + BackButtonText: Назад + NextButtonText: Напред UsernameChange: Title: Промена на корисничко име diff --git a/internal/api/ui/login/static/i18n/nl.yaml b/internal/api/ui/login/static/i18n/nl.yaml index 68d8ffa4a1..5b76ee4179 100644 --- a/internal/api/ui/login/static/i18n/nl.yaml +++ b/internal/api/ui/login/static/i18n/nl.yaml @@ -32,13 +32,15 @@ Password: Title: Wachtwoord Description: Voer uw inloggegevens in. PasswordLabel: Wachtwoord - MinLength: Minimum lengte - HasUppercase: Hoofdletter - HasLowercase: Kleine letter - HasNumber: Nummer - HasSymbol: Symbool - Confirmation: Bevestiging komt overeen - ResetLinkText: Reset Wachtwoord + MinLength: Moet minstens + MinLengthp2: tekens lang zijn. + MaxLength: Moet minder dan 70 tekens lang zijn. + HasUppercase: Moet een hoofdletter bevatten. + HasLowercase: Moet een kleine letter bevatten. + HasNumber: Moet een nummer bevatten. + HasSymbol: Moet een symbool bevatten. + Confirmation: Wachtwoordbevestiging komt overeen. + ResetLinkText: Wachtwoord resetten BackButtonText: Terug NextButtonText: Volgende diff --git a/internal/api/ui/login/static/i18n/pl.yaml b/internal/api/ui/login/static/i18n/pl.yaml index e23ce3fa71..3f9def93a2 100644 --- a/internal/api/ui/login/static/i18n/pl.yaml +++ b/internal/api/ui/login/static/i18n/pl.yaml @@ -32,15 +32,17 @@ Password: Title: Hasło Description: Wprowadź swoje dane logowania. PasswordLabel: Hasło - MinLength: Minimalna długość - HasUppercase: Duża litera - HasLowercase: Mała litera - HasNumber: Liczba - HasSymbol: Symbol - Confirmation: Potwierdzenie zgodności - ResetLinkText: zresetuj hasło - BackButtonText: wróć - NextButtonText: dalej + MinLength: Musi zawierać co najmniej + MinLengthp2: znaków. + MaxLength: Musi zawierać mniej niż 70 znaków. + HasUppercase: Musi zawierać dużą literę. + HasLowercase: Musi zawierać małą literę. + HasNumber: Musi zawierać numer. + HasSymbol: Musi zawierać symbol. + Confirmation: Potwierdzenie hasła pasuje. + ResetLinkText: Zresetuj hasło + BackButtonText: Wstecz + NextButtonText: Dalej UsernameChange: Title: Zmiana nazwy użytkownika diff --git a/internal/api/ui/login/static/i18n/pt.yaml b/internal/api/ui/login/static/i18n/pt.yaml index 19d00c72f4..99aff3a8c3 100644 --- a/internal/api/ui/login/static/i18n/pt.yaml +++ b/internal/api/ui/login/static/i18n/pt.yaml @@ -32,15 +32,17 @@ Password: Title: Senha Description: Insira seus dados de login. PasswordLabel: Senha - MinLength: Comprimento mínimo - HasUppercase: Letra maiúscula - HasLowercase: Letra minúscula - HasNumber: Número - HasSymbol: Símbolo - Confirmation: Confirmação corresponde - ResetLinkText: redefinir senha - BackButtonText: voltar - NextButtonText: próximo + MinLength: Deve ter pelo menos + MinLengthp2: caracteres. + MaxLength: Deve ter menos de 70 caracteres. + HasUppercase: Deve incluir uma letra maiúscula. + HasLowercase: Deve incluir uma letra minúscula. + HasNumber: Deve incluir um número. + HasSymbol: Deve incluir um símbolo. + Confirmation: A confirmação da senha corresponde. + ResetLinkText: Redefinir senha + BackButtonText: Voltar + NextButtonText: Próximo UsernameChange: Title: Alterar nome de usuário diff --git a/internal/api/ui/login/static/i18n/ru.yaml b/internal/api/ui/login/static/i18n/ru.yaml index fb88312486..cd756cbdd8 100644 --- a/internal/api/ui/login/static/i18n/ru.yaml +++ b/internal/api/ui/login/static/i18n/ru.yaml @@ -29,17 +29,19 @@ SelectAccount: Password: Title: Пароль - Description: Введите ваши данные. + Description: Введите свои данные для входа. PasswordLabel: Пароль - MinLength: Минимальная длина - HasUppercase: Заглавная буква - HasLowercase: Строчная буква - HasNumber: Цифра - HasSymbol: Символ - Confirmation: Подтверждение пароля - ResetLinkText: сброс пароля - BackButtonText: назад - NextButtonText: далее + MinLength: Должно быть не менее + MinLengthp2: символов. + MaxLength: Должно быть меньше 70 символов. + HasUppercase: Должно содержать заглавную букву. + HasLowercase: Должно содержать строчную букву. + HasNumber: Должно содержать число. + HasSymbol: Должно содержать символ. + Confirmation: Подтверждение пароля совпадает. + ResetLinkText: Сбросить пароль + BackButtonText: Назад + NextButtonText: Вперед UsernameChange: Title: Изменение логина diff --git a/internal/api/ui/login/static/i18n/zh.yaml b/internal/api/ui/login/static/i18n/zh.yaml index bf31d270bb..85230efe0f 100644 --- a/internal/api/ui/login/static/i18n/zh.yaml +++ b/internal/api/ui/login/static/i18n/zh.yaml @@ -32,15 +32,17 @@ Password: Title: 密码 Description: 输入您的登录数据。 PasswordLabel: 密码 - MinLength: 密码 - HasUppercase: 大写字母 - HasLowercase: 小写字母 - HasNumber: 数字 - HasSymbol: 符号 - Confirmation: 确认匹配 - ResetLinkText: 重设密码 - BackButtonText: 后退 - NextButtonText: 继续 + MinLength: 必须至少有 + MinLengthp2: 个字符。 + MaxLength: 必须少于70个字符。 + HasUppercase: 必须包含一个大写字母。 + HasLowercase: 必须包含一个小写字母。 + HasNumber: 必须包含一个数字。 + HasSymbol: 必须包含一个符号。 + Confirmation: 密码确认匹配。 + ResetLinkText: 重置密码 + BackButtonText: 返回 + NextButtonText: 下一步 UsernameChange: Title: 更改用户名 diff --git a/internal/api/ui/login/static/resources/scripts/password_policy_check.js b/internal/api/ui/login/static/resources/scripts/password_policy_check.js index ce5936b32b..4a9712f815 100644 --- a/internal/api/ui/login/static/resources/scripts/password_policy_check.js +++ b/internal/api/ui/login/static/resources/scripts/password_policy_check.js @@ -15,6 +15,14 @@ function ComplexityPolicyCheck(passwordElement, passwordConfirmationElement) { invalid++; } + const maxLengthElem = document.getElementById("maxlength"); + if (passwordElement.value.length <= 70) { + ValidPolicyFlipped(maxLengthElem); + } else { + InvalidPolicyFlipped(maxLengthElem); + invalid++; + } + const upper = document.getElementById("uppercase"); if (upperRegex !== "") { if (RegExp(upperRegex).test(passwordElement.value)) { @@ -84,6 +92,14 @@ function ValidPolicy(element) { element.getElementsByTagName("i")[0].classList.add("lgn-valid"); } +function ValidPolicyFlipped(element) { + element.classList.add("valid"); + element.getElementsByTagName("i")[0].classList.remove("lgn-warn"); + element.getElementsByTagName("i")[0].classList.remove("lgn-icon-times-solid"); + element.getElementsByTagName("i")[0].classList.add("lgn-valid"); + element.getElementsByTagName("i")[0].classList.add("lgn-icon-check-solid"); +} + function InvalidPolicy(element) { element.classList.add("invalid"); element.getElementsByTagName("i")[0].classList.remove("lgn-valid"); @@ -91,3 +107,11 @@ function InvalidPolicy(element) { element.getElementsByTagName("i")[0].classList.add("lgn-warn"); element.getElementsByTagName("i")[0].classList.add("lgn-icon-times-solid"); } + +function InvalidPolicyFlipped(element) { + element.classList.remove("valid"); + element.getElementsByTagName("i")[0].classList.remove("lgn-icon-check-solid"); + element.getElementsByTagName("i")[0].classList.remove("lgn-valid"); + element.getElementsByTagName("i")[0].classList.add("lgn-icon-times-solid"); + element.getElementsByTagName("i")[0].classList.add("lgn-warn"); +} diff --git a/internal/api/ui/login/static/templates/password_complexity_policy.html b/internal/api/ui/login/static/templates/password_complexity_policy.html index f8f5d34765..19a4c9ce96 100644 --- a/internal/api/ui/login/static/templates/password_complexity_policy.html +++ b/internal/api/ui/login/static/templates/password_complexity_policy.html @@ -1,6 +1,7 @@ {{define "password-complexity-policy-description"}}
    -
  • {{t "Password.MinLength"}} {{.MinLength}}
    • +
  • {{t "Password.MinLength"}} {{.MinLength}} {{t "Password.MinLengthp2"}}
    • +
  • {{t "Password.MaxLength"}}
    • {{if .HasUppercase }}
  • {{t "Password.HasUppercase"}}
    • {{end}} diff --git a/internal/auth/repository/eventsourcing/eventstore/auth_request.go b/internal/auth/repository/eventsourcing/eventstore/auth_request.go index 129369a71f..a5105d1f5b 100644 --- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go +++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go @@ -2,10 +2,13 @@ package eventstore import ( "context" + "slices" "strings" "time" + "github.com/muhlemmer/gu" "github.com/zitadel/logging" + "golang.org/x/text/language" "github.com/zitadel/zitadel/internal/api/authz" "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/view" @@ -267,6 +270,7 @@ func (repo *AuthRequestRepo) CheckExternalUserLogin(ctx context.Context, authReq return err } + request.IDPLoginChecked = true err = repo.Command.UserIDPLoginChecked(ctx, request.UserOrgID, request.UserID, request.WithCurrentInfo(info)) if err != nil { return err @@ -514,6 +518,7 @@ func (repo *AuthRequestRepo) LinkExternalUsers(ctx context.Context, authReqID, u return err } request.LinkingUsers = nil + request.IDPLoginChecked = true return repo.AuthRequests.UpdateAuthRequest(ctx, request) } @@ -558,6 +563,7 @@ func (repo *AuthRequestRepo) AutoRegisterExternalUser(ctx context.Context, regis request.SetUserInfo(human.ID, human.Username, human.Username, human.DisplayName, "", resourceOwner) request.SelectedIDPConfigID = externalIDP.IDPConfigID request.LinkingUsers = nil + request.IDPLoginChecked = true err = repo.Command.UserIDPLoginChecked(ctx, request.UserOrgID, request.UserID, request.WithCurrentInfo(info)) if err != nil { return err @@ -1016,21 +1022,20 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *domain.Auth } request.DisplayName = userSession.DisplayName request.AvatarKey = userSession.AvatarKey + if user.HumanView != nil && user.HumanView.PreferredLanguage != "" { + request.PreferredLanguage = gu.Ptr(language.Make(user.HumanView.PreferredLanguage)) + } isInternalLogin := request.SelectedIDPConfigID == "" && userSession.SelectedIDPConfigID == "" idps, err := checkExternalIDPsOfUser(ctx, repo.IDPUserLinksProvider, user.ID) if err != nil { return nil, err } - if (!isInternalLogin || len(idps.Links) > 0) && len(request.LinkingUsers) == 0 && !checkVerificationTimeMaxAge(userSession.ExternalLoginVerification, request.LoginPolicy.ExternalLoginCheckLifetime, request) { - selectedIDPConfigID := request.SelectedIDPConfigID - if selectedIDPConfigID == "" { - selectedIDPConfigID = userSession.SelectedIDPConfigID + if (!isInternalLogin || len(idps.Links) > 0) && len(request.LinkingUsers) == 0 { + step := repo.idpChecked(request, idps.Links, userSession) + if step != nil { + return append(steps, step), nil } - if selectedIDPConfigID == "" { - selectedIDPConfigID = idps.Links[0].IDPID - } - return append(steps, &domain.ExternalLoginStep{SelectedIDPConfigID: selectedIDPConfigID}), nil } if isInternalLogin || (!isInternalLogin && len(request.LinkingUsers) > 0) { step := repo.firstFactorChecked(request, user, userSession) @@ -1108,19 +1113,24 @@ func (repo *AuthRequestRepo) nextStepsUser(ctx context.Context, request *domain. if len(request.Prompt) > 0 && !domain.IsPrompt(request.Prompt, domain.PromptSelectAccount) { return append(steps, new(domain.LoginStep)), nil } else { - // if no user was specified, no prompt or select_account was provided, + // if no user was specified, either select_account or no prompt was provided, // then check the active user sessions (of the user agent) users, err := repo.usersForUserSelection(ctx, request) if err != nil { return nil, err } - if domain.IsPrompt(request.Prompt, domain.PromptSelectAccount) { + // in case select_account was specified ignore it if there aren't any user sessions + if domain.IsPrompt(request.Prompt, domain.PromptSelectAccount) && len(users) > 0 { steps = append(steps, &domain.SelectUserStep{Users: users}) } + // If we get here, either no sessions were found for select_account + // or no prompt was provided. + // In either case if there was a specific idp is selected (scope), directly redirect if request.SelectedIDPConfigID != "" { steps = append(steps, &domain.RedirectToExternalIDPStep{}) } - if len(request.Prompt) == 0 && len(users) == 0 { + // or there aren't any sessions to use, present the login page (https://github.com/zitadel/zitadel/issues/7213) + if len(users) == 0 { steps = append(steps, new(domain.LoginStep)) } // if no prompt was provided, but there are multiple user sessions, then the user must decide which to use @@ -1185,6 +1195,7 @@ func (repo *AuthRequestRepo) firstFactorChecked(request *domain.AuthRequest, use var step domain.NextStep if request.LoginPolicy.PasswordlessType != domain.PasswordlessTypeNotAllowed && user.IsPasswordlessReady() { if checkVerificationTimeMaxAge(userSession.PasswordlessVerification, request.LoginPolicy.MultiFactorCheckLifetime, request) { + request.MFAsVerified = append(request.MFAsVerified, domain.MFATypeU2FUserVerification) request.AuthTime = userSession.PasswordlessVerification return nil } @@ -1212,8 +1223,27 @@ func (repo *AuthRequestRepo) firstFactorChecked(request *domain.AuthRequest, use return &domain.PasswordStep{} } +func (repo *AuthRequestRepo) idpChecked(request *domain.AuthRequest, idps []*query.IDPUserLink, userSession *user_model.UserSessionView) domain.NextStep { + if checkVerificationTimeMaxAge(userSession.ExternalLoginVerification, request.LoginPolicy.ExternalLoginCheckLifetime, request) { + request.IDPLoginChecked = true + request.AuthTime = userSession.ExternalLoginVerification + return nil + } + selectedIDPConfigID := request.SelectedIDPConfigID + if selectedIDPConfigID == "" { + selectedIDPConfigID = userSession.SelectedIDPConfigID + } + if selectedIDPConfigID == "" && len(idps) > 0 { + selectedIDPConfigID = idps[0].IDPID + } + return &domain.ExternalLoginStep{SelectedIDPConfigID: selectedIDPConfigID} +} + func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView, request *domain.AuthRequest, user *user_model.UserView, isInternalAuthentication bool) (domain.NextStep, bool, error) { mfaLevel := request.MFALevel() + if slices.Contains(request.MFAsVerified, domain.MFATypeU2FUserVerification) { + return nil, true, nil + } allowedProviders, required := user.MFATypesAllowed(mfaLevel, request.LoginPolicy, isInternalAuthentication) promptRequired := (user.MFAMaxSetUp < mfaLevel) || (len(allowedProviders) == 0 && required) if promptRequired || !repo.mfaSkippedOrSetUp(user, request) { @@ -1286,12 +1316,15 @@ func privacyPolicyToDomain(p *query.PrivacyPolicy) *domain.PrivacyPolicy { CreationDate: p.CreationDate, ChangeDate: p.ChangeDate, }, - State: p.State, - Default: p.IsDefault, - TOSLink: p.TOSLink, - PrivacyLink: p.PrivacyLink, - HelpLink: p.HelpLink, - SupportEmail: p.SupportEmail, + State: p.State, + Default: p.IsDefault, + TOSLink: p.TOSLink, + PrivacyLink: p.PrivacyLink, + HelpLink: p.HelpLink, + SupportEmail: p.SupportEmail, + DocsLink: p.DocsLink, + CustomLink: p.CustomLink, + CustomLinkText: p.CustomLinkText, } } @@ -1504,12 +1537,12 @@ func userSessionByIDs(ctx context.Context, provider userSessionViewProvider, eve user_repo.HumanPasswordlessTokenCheckFailedType, user_repo.HumanU2FTokenCheckSucceededType, user_repo.HumanU2FTokenCheckFailedType: - eventData, err := user_view_model.UserSessionFromEvent(event) + userAgentID, err := user_view_model.UserAgentIDFromEvent(event) if err != nil { logging.WithFields("traceID", tracing.TraceIDFromCtx(ctx)).WithError(err).Debug("error getting event data") return user_view_model.UserSessionToModel(session), nil } - if eventData.UserAgentID != agentID { + if userAgentID != agentID { continue } case user_repo.UserRemovedType: diff --git a/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go b/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go index d5dcf0257d..35ce216877 100644 --- a/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go +++ b/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go @@ -2,6 +2,7 @@ package eventstore import ( "context" + "database/sql" "encoding/json" "testing" "time" @@ -75,11 +76,11 @@ type mockUser struct { func (m *mockViewUserSession) UserSessionByIDs(string, string, string) (*user_view_model.UserSessionView, error) { return &user_view_model.UserSessionView{ - ExternalLoginVerification: m.ExternalLoginVerification, - PasswordlessVerification: m.PasswordlessVerification, - PasswordVerification: m.PasswordVerification, - SecondFactorVerification: m.SecondFactorVerification, - MultiFactorVerification: m.MultiFactorVerification, + ExternalLoginVerification: sql.NullTime{Time: m.ExternalLoginVerification}, + PasswordlessVerification: sql.NullTime{Time: m.PasswordlessVerification}, + PasswordVerification: sql.NullTime{Time: m.PasswordVerification}, + SecondFactorVerification: sql.NullTime{Time: m.SecondFactorVerification}, + MultiFactorVerification: sql.NullTime{Time: m.MultiFactorVerification}, }, nil } @@ -88,9 +89,9 @@ func (m *mockViewUserSession) UserSessionsByAgentID(string, string) ([]*user_vie for i, user := range m.Users { sessions[i] = &user_view_model.UserSessionView{ ResourceOwner: user.ResourceOwner, - State: int32(user.SessionState), + State: sql.Null[domain.UserSessionState]{V: user.SessionState}, UserID: user.UserID, - LoginName: user.LoginName, + LoginName: sql.NullString{String: user.LoginName}, } } return sessions, nil @@ -466,7 +467,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) { nil, }, { - "user not set, prompt select account, no active session, select account step", + "user not set, prompt select account, no active session, login step", fields{ userSessionViewProvider: &mockViewUserSession{ Users: nil, @@ -475,9 +476,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) { }, args{&domain.AuthRequest{Prompt: []domain.Prompt{domain.PromptSelectAccount}}, false}, []domain.NextStep{ - &domain.SelectUserStep{ - Users: []domain.UserSelection{}, - }}, + &domain.LoginStep{}}, nil, }, { @@ -1683,11 +1682,12 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { isInternal bool } tests := []struct { - name string - args args - want domain.NextStep - wantChecked bool - errFunc func(err error) bool + name string + args args + want domain.NextStep + wantChecked bool + errFunc func(err error) bool + wantMFAVerified []domain.MFAType }{ //{ // "required, prompt and false", //TODO: enable when LevelsOfAssurance is checked @@ -1719,6 +1719,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { nil, false, zerrors.IsPreconditionFailed, + nil, }, { "not set up, no mfas configured, no prompt and true", @@ -1738,6 +1739,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { nil, true, nil, + nil, }, { "not set up, prompt and false", @@ -1762,6 +1764,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { }, false, nil, + nil, }, { "not set up, forced by org, true", @@ -1788,6 +1791,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { }, false, nil, + nil, }, { "not set up and skipped, true", @@ -1808,6 +1812,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { nil, true, nil, + nil, }, { "checked second factor, true", @@ -1830,6 +1835,38 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { nil, true, nil, + []domain.MFAType{domain.MFATypeTOTP}, + }, + { + "checked passwordless, true", + args{ + request: &domain.AuthRequest{ + LoginPolicy: &domain.LoginPolicy{ + SecondFactors: []domain.SecondFactorType{domain.SecondFactorTypeTOTP}, + SecondFactorCheckLifetime: 18 * time.Hour, + MultiFactors: []domain.MultiFactorType{domain.MultiFactorTypeU2FWithPIN}, + MultiFactorCheckLifetime: 18 * time.Hour, + }, + MFAsVerified: []domain.MFAType{domain.MFATypeU2FUserVerification}, + }, + user: &user_model.UserView{ + HumanView: &user_model.HumanView{ + MFAMaxSetUp: domain.MFALevelMultiFactor, + PasswordlessTokens: []*user_model.WebAuthNView{ + { + TokenID: "tokenID", + State: user_model.MFAStateReady, + }, + }, + }, + }, + userSession: &user_model.UserSessionView{PasswordlessVerification: testNow.Add(-5 * time.Hour)}, + isInternal: true, + }, + nil, + true, + nil, + []domain.MFAType{domain.MFATypeU2FUserVerification}, }, { "not checked, check and false", @@ -1855,6 +1892,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { }, false, nil, + nil, }, { "external not checked or forced but set up, want step", @@ -1879,6 +1917,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { }, false, nil, + nil, }, { "external not forced but checked", @@ -1901,6 +1940,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { nil, true, nil, + []domain.MFAType{domain.MFATypeTOTP}, }, { "external not checked but required, want step", @@ -1928,6 +1968,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { }, false, nil, + nil, }, { "external not checked but local required", @@ -1951,6 +1992,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { nil, true, nil, + nil, }, } for _, tt := range tests { @@ -1965,6 +2007,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) { t.Errorf("mfaChecked() checked = %v, want %v", ok, tt.wantChecked) } assert.Equal(t, tt.want, got) + assert.ElementsMatch(t, tt.args.request.MFAsVerified, tt.wantMFAVerified) }) } } diff --git a/internal/auth/repository/eventsourcing/eventstore/user.go b/internal/auth/repository/eventsourcing/eventstore/user.go index 83f09be6ae..cfa573e7e3 100644 --- a/internal/auth/repository/eventsourcing/eventstore/user.go +++ b/internal/auth/repository/eventsourcing/eventstore/user.go @@ -32,7 +32,7 @@ func (repo *UserRepo) UserSessionUserIDsByAgentID(ctx context.Context, agentID s } userIDs := make([]string, 0, len(userSessions)) for _, session := range userSessions { - if session.State == int32(domain.UserSessionStateActive) { + if session.State.V == domain.UserSessionStateActive { userIDs = append(userIDs, session.UserID) } } diff --git a/internal/auth/repository/eventsourcing/handler/refresh_token.go b/internal/auth/repository/eventsourcing/handler/refresh_token.go index 4dac7eab6f..c63f581237 100644 --- a/internal/auth/repository/eventsourcing/handler/refresh_token.go +++ b/internal/auth/repository/eventsourcing/handler/refresh_token.go @@ -3,8 +3,6 @@ package handler import ( "context" - "github.com/zitadel/logging" - auth_view "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/view" "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/eventstore/handler/v2" @@ -98,50 +96,84 @@ func (t *RefreshToken) Reducers() []handler.AggregateReducer { } func (t *RefreshToken) Reduce(event eventstore.Event) (_ *handler.Statement, err error) { - return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error { - switch event.Type() { - case user.HumanRefreshTokenAddedType: - token := new(view_model.RefreshTokenView) - err := token.AppendEvent(event) - if err != nil { - return err - } - - return t.view.PutRefreshToken(token) - case user.HumanRefreshTokenRenewedType: - e := new(user.HumanRefreshTokenRenewedEvent) - if err := event.Unmarshal(e); err != nil { - logging.WithError(err).Error("could not unmarshal event data") - return zerrors.ThrowInternal(nil, "MODEL-BHn75", "could not unmarshal data") - } - token, err := t.view.RefreshTokenByID(e.TokenID, event.Aggregate().InstanceID) - if err != nil { - return err - } - err = token.AppendEvent(event) - if err != nil { - return err - } - return t.view.PutRefreshToken(token) - case user.HumanRefreshTokenRemovedType: - e := new(user.HumanRefreshTokenRemovedEvent) - if err := event.Unmarshal(e); err != nil { - logging.WithError(err).Error("could not unmarshal event data") - return zerrors.ThrowInternal(nil, "MODEL-Bz653", "could not unmarshal data") - } - return t.view.DeleteRefreshToken(e.TokenID, event.Aggregate().InstanceID) - case user.UserLockedType, - user.UserDeactivatedType, - user.UserRemovedType: - - return t.view.DeleteUserRefreshTokens(event.Aggregate().ID, event.Aggregate().InstanceID) - case instance.InstanceRemovedEventType: - - return t.view.DeleteInstanceRefreshTokens(event.Aggregate().InstanceID) - case org.OrgRemovedEventType: - return t.view.DeleteOrgRefreshTokens(event) - default: - return nil + // in case anything needs to be change here check if appendEvent function needs the change as well + switch event.Type() { + case user.HumanRefreshTokenAddedType: + e, ok := event.(*user.HumanRefreshTokenAddedEvent) + if !ok { + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-IoF6j", "reduce.wrong.event.type %s", user.HumanRefreshTokenAddedType) } - }), nil + columns := []handler.Column{ + handler.NewCol(view_model.RefreshTokenKeyClientID, e.ClientID), + handler.NewCol(view_model.RefreshTokenKeyUserAgentID, e.UserAgentID), + handler.NewCol(view_model.RefreshTokenKeyUserID, e.Aggregate().ID), + handler.NewCol(view_model.RefreshTokenKeyInstanceID, e.Aggregate().InstanceID), + handler.NewCol(view_model.RefreshTokenKeyTokenID, e.TokenID), + handler.NewCol(view_model.RefreshTokenKeyResourceOwner, e.Aggregate().ResourceOwner), + handler.NewCol(view_model.RefreshTokenKeyCreationDate, event.CreatedAt()), + handler.NewCol(view_model.RefreshTokenKeyChangeDate, event.CreatedAt()), + handler.NewCol(view_model.RefreshTokenKeySequence, event.Sequence()), + handler.NewCol(view_model.RefreshTokenKeyAMR, e.AuthMethodsReferences), + handler.NewCol(view_model.RefreshTokenKeyAuthTime, e.AuthTime), + handler.NewCol(view_model.RefreshTokenKeyAudience, e.Audience), + handler.NewCol(view_model.RefreshTokenKeyExpiration, event.CreatedAt().Add(e.Expiration)), + handler.NewCol(view_model.RefreshTokenKeyIdleExpiration, event.CreatedAt().Add(e.IdleExpiration)), + handler.NewCol(view_model.RefreshTokenKeyScopes, e.Scopes), + handler.NewCol(view_model.RefreshTokenKeyToken, e.TokenID), + handler.NewCol(view_model.RefreshTokenKeyActor, view_model.TokenActor{TokenActor: e.Actor}), + } + return handler.NewUpsertStatement(event, columns[0:3], columns), nil + case user.HumanRefreshTokenRenewedType: + e, ok := event.(*user.HumanRefreshTokenRenewedEvent) + if !ok { + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-AG43hq", "reduce.wrong.event.type %s", user.HumanRefreshTokenRenewedType) + } + return handler.NewUpdateStatement(event, + []handler.Column{ + handler.NewCol(view_model.RefreshTokenKeyIdleExpiration, event.CreatedAt().Add(e.IdleExpiration)), + handler.NewCol(view_model.RefreshTokenKeyToken, e.RefreshToken), + handler.NewCol(view_model.RefreshTokenKeyChangeDate, e.CreatedAt()), + handler.NewCol(view_model.RefreshTokenKeySequence, event.Sequence()), + }, + []handler.Condition{ + handler.NewCond(view_model.RefreshTokenKeyTokenID, e.TokenID), + handler.NewCond(view_model.RefreshTokenKeyInstanceID, e.Aggregate().InstanceID), + }, + ), nil + case user.HumanRefreshTokenRemovedType: + e, ok := event.(*user.HumanRefreshTokenRemovedEvent) + if !ok { + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-SFF3t", "reduce.wrong.event.type %s", user.HumanRefreshTokenRemovedType) + } + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.RefreshTokenKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.RefreshTokenKeyTokenID, e.TokenID), + }, + ), nil + case user.UserLockedType, + user.UserDeactivatedType, + user.UserRemovedType: + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.RefreshTokenKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.RefreshTokenKeyUserID, event.Aggregate().ID), + }, + ), nil + case instance.InstanceRemovedEventType: + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.RefreshTokenKeyInstanceID, event.Aggregate().InstanceID), + }, + ), nil + case org.OrgRemovedEventType: + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.RefreshTokenKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.RefreshTokenKeyResourceOwner, event.Aggregate().ResourceOwner), + }, + ), nil + default: + return handler.NewNoOpStatement(event), nil + } } diff --git a/internal/auth/repository/eventsourcing/handler/token.go b/internal/auth/repository/eventsourcing/handler/token.go index 4b0a7194de..d915037cb7 100644 --- a/internal/auth/repository/eventsourcing/handler/token.go +++ b/internal/auth/repository/eventsourcing/handler/token.go @@ -3,6 +3,7 @@ package handler import ( "context" + "github.com/muhlemmer/gu" "github.com/zitadel/logging" auth_view "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/view" @@ -150,129 +151,189 @@ func (t *Token) Reducers() []handler.AggregateReducer { } func (t *Token) Reduce(event eventstore.Event) (_ *handler.Statement, err error) { //nolint:gocognit - return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error { - switch event.Type() { - case user.UserTokenAddedType, - user.PersonalAccessTokenAddedType: - token := new(view_model.TokenView) - err := token.AppendEvent(event) - if err != nil { - return err - } - return t.view.PutToken(token) - case user.UserV1ProfileChangedType, - user.HumanProfileChangedType: - user := new(view_model.UserView) - err := user.AppendEvent(event) - if err != nil { - return err - } - tokens, err := t.view.TokensByUserID(event.Aggregate().ID, event.Aggregate().InstanceID) - if err != nil { - return err - } - for _, token := range tokens { - token.PreferredLanguage = user.PreferredLanguage - } - return t.view.PutTokens(tokens) - case user.UserV1SignedOutType, - user.HumanSignedOutType: - id, err := agentIDFromSession(event) - if err != nil { - return err - } - - return t.view.DeleteSessionTokens(id, event) - case user.UserLockedType, - user.UserDeactivatedType, - user.UserRemovedType: - - return t.view.DeleteUserTokens(event) - case user.UserTokenRemovedType, - user.PersonalAccessTokenRemovedType: - id, err := tokenIDFromRemovedEvent(event) - if err != nil { - return err - } - - return t.view.DeleteToken(id, event.Aggregate().InstanceID) - case user.HumanRefreshTokenRemovedType: - id, err := refreshTokenIDFromRemovedEvent(event) - if err != nil { - return err - } - - return t.view.DeleteTokensFromRefreshToken(id, event.Aggregate().InstanceID) - case project.ApplicationDeactivatedType, - project.ApplicationRemovedType: - application, err := applicationFromSession(event) - if err != nil { - return err - } - - return t.view.DeleteApplicationTokens(event, application.AppID) - case project.ProjectDeactivatedType, - project.ProjectRemovedType: - project, err := t.getProjectByID(context.Background(), event.Aggregate().ID, event.Aggregate().InstanceID) - if err != nil { - return err - } - applicationIDs := make([]string, 0, len(project.Applications)) - for _, app := range project.Applications { - if app.OIDCConfig != nil && app.OIDCConfig.ClientID != "" { - applicationIDs = append(applicationIDs, app.OIDCConfig.ClientID) - } - } - - return t.view.DeleteApplicationTokens(event, applicationIDs...) - case instance.InstanceRemovedEventType: - return t.view.DeleteInstanceTokens(event) - case org.OrgRemovedEventType: - // deletes all tokens including PATs, which is expected for now - // if there is an undo of the org deletion in the future, - // we will need to have a look on how to handle the deleted PATs - return t.view.DeleteOrgTokens(event) - default: - return nil + // in case anything needs to be change here check if appendEvent function needs the change as well + switch event.Type() { + case user.UserTokenAddedType: + e, ok := event.(*user.UserTokenAddedEvent) + if !ok { + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-W4tnq", "reduce.wrong.event.type %s", user.UserTokenAddedType) } - }), nil + return handler.NewCreateStatement(event, + []handler.Column{ + handler.NewCol(view_model.TokenKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCol(view_model.TokenKeyUserID, event.Aggregate().ID), + handler.NewCol(view_model.TokenKeyResourceOwner, event.Aggregate().ResourceOwner), + handler.NewCol(view_model.TokenKeyID, e.TokenID), + handler.NewCol(view_model.TokenKeyCreationDate, event.CreatedAt()), + handler.NewCol(view_model.TokenKeyChangeDate, event.CreatedAt()), + handler.NewCol(view_model.TokenKeySequence, event.Sequence()), + handler.NewCol(view_model.TokenKeyApplicationID, e.ApplicationID), + handler.NewCol(view_model.TokenKeyUserAgentID, e.UserAgentID), + handler.NewCol(view_model.TokenKeyAudience, e.Audience), + handler.NewCol(view_model.TokenKeyScopes, e.Scopes), + handler.NewCol(view_model.TokenKeyExpiration, e.Expiration), + handler.NewCol(view_model.TokenKeyPreferredLanguage, e.PreferredLanguage), + handler.NewCol(view_model.TokenKeyRefreshTokenID, e.RefreshTokenID), + handler.NewCol(view_model.TokenKeyActor, view_model.TokenActor{TokenActor: e.Actor}), + handler.NewCol(view_model.TokenKeyIsPat, false), + }, + ), nil + case user.PersonalAccessTokenAddedType: + e, ok := event.(*user.PersonalAccessTokenAddedEvent) + if !ok { + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-zF3rb", "reduce.wrong.event.type %s", user.PersonalAccessTokenAddedType) + } + return handler.NewCreateStatement(event, + []handler.Column{ + handler.NewCol(view_model.TokenKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCol(view_model.TokenKeyUserID, event.Aggregate().ID), + handler.NewCol(view_model.TokenKeyResourceOwner, event.Aggregate().ResourceOwner), + handler.NewCol(view_model.TokenKeyID, e.TokenID), + handler.NewCol(view_model.TokenKeyCreationDate, event.CreatedAt()), + handler.NewCol(view_model.TokenKeyChangeDate, event.CreatedAt()), + handler.NewCol(view_model.TokenKeySequence, event.Sequence()), + handler.NewCol(view_model.TokenKeyScopes, e.Scopes), + handler.NewCol(view_model.TokenKeyExpiration, e.Expiration), + handler.NewCol(view_model.TokenKeyIsPat, true), + }, + ), nil + case user.UserV1ProfileChangedType, + user.HumanProfileChangedType: + e, ok := event.(*user.HumanProfileChangedEvent) + if !ok { + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-ASF2t", "reduce.wrong.event.type %s", user.HumanProfileChangedType) + } + if e.PreferredLanguage == nil { + return handler.NewNoOpStatement(event), nil + } + return handler.NewUpdateStatement(event, + []handler.Column{ + handler.NewCol(view_model.TokenKeyPreferredLanguage, gu.Value(e.PreferredLanguage).String()), + handler.NewCol(view_model.TokenKeyChangeDate, event.CreatedAt()), + handler.NewCol(view_model.TokenKeySequence, event.Sequence()), + }, + []handler.Condition{ + handler.NewCond(view_model.TokenKeyInstanceID, e.Aggregate().InstanceID), + handler.NewCond(view_model.TokenKeyUserID, e.Aggregate().ID), + }, + ), nil + case user.UserV1SignedOutType, + user.HumanSignedOutType: + e, ok := event.(*user.HumanSignedOutEvent) + if !ok { + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-Wtn2q", "reduce.wrong.event.type %s", user.HumanSignedOutType) + } + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.TokenKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.TokenKeyUserID, event.Aggregate().ID), + handler.NewCond(view_model.TokenKeyUserAgentID, e.UserAgentID), + }, + ), nil + case user.UserLockedType, + user.UserDeactivatedType, + user.UserRemovedType: + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.TokenKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.TokenKeyUserID, event.Aggregate().ID), + }, + ), nil + case user.UserTokenRemovedType, + user.PersonalAccessTokenRemovedType: + var tokenID string + switch e := event.(type) { + case *user.UserTokenRemovedEvent: + tokenID = e.TokenID + case *user.PersonalAccessTokenRemovedEvent: + tokenID = e.TokenID + default: + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-SF3ga", "reduce.wrong.event.type %s", user.UserTokenRemovedType) + } + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.TokenKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.TokenKeyID, tokenID), + }, + ), nil + case user.HumanRefreshTokenRemovedType: + e, ok := event.(*user.HumanRefreshTokenRemovedEvent) + if !ok { + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-Sfe11", "reduce.wrong.event.type %s", user.HumanRefreshTokenRemovedType) + } + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.TokenKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.TokenKeyRefreshTokenID, e.TokenID), + }, + ), nil + case project.ApplicationDeactivatedType, + project.ApplicationRemovedType: + var applicationID string + switch e := event.(type) { + case *project.ApplicationDeactivatedEvent: + applicationID = e.AppID + case *project.ApplicationRemovedEvent: + applicationID = e.AppID + default: + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-SF3fq", "reduce.wrong.event.type %v", []eventstore.EventType{project.ApplicationDeactivatedType, project.ApplicationRemovedType}) + } + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.TokenKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.TokenKeyApplicationID, applicationID), + }, + ), nil + case project.ProjectDeactivatedType, + project.ProjectRemovedType: + project, err := t.getProjectByID(context.Background(), event.Aggregate().ID, event.Aggregate().InstanceID) + if err != nil { + return nil, err + } + applicationIDs := make([]string, 0, len(project.Applications)) + for _, app := range project.Applications { + if app.OIDCConfig != nil && app.OIDCConfig.ClientID != "" { + applicationIDs = append(applicationIDs, app.OIDCConfig.ClientID) + } + } + if len(applicationIDs) == 0 { + return handler.NewNoOpStatement(event), nil + } + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.TokenKeyInstanceID, event.Aggregate().InstanceID), + handler.NewOneOfTextCond(view_model.TokenKeyApplicationID, applicationIDs), + }, + ), nil + case instance.InstanceRemovedEventType: + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.TokenKeyInstanceID, event.Aggregate().InstanceID), + }, + ), nil + case org.OrgRemovedEventType: + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.TokenKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.TokenKeyResourceOwner, event.Aggregate().ResourceOwner), + }, + ), nil + default: + return handler.NewNoOpStatement(event), nil + } +} + +type userAgentIDPayload struct { + ID string `json:"userAgentID"` } func agentIDFromSession(event eventstore.Event) (string, error) { - session := make(map[string]interface{}) - if err := event.Unmarshal(&session); err != nil { + payload := new(userAgentIDPayload) + if err := event.Unmarshal(payload); err != nil { logging.WithError(err).Error("could not unmarshal event data") return "", zerrors.ThrowInternal(nil, "MODEL-sd325", "could not unmarshal data") } - agentID, _ := session["userAgentID"].(string) - return agentID, nil -} - -func applicationFromSession(event eventstore.Event) (*project_es_model.Application, error) { - application := new(project_es_model.Application) - if err := event.Unmarshal(application); err != nil { - logging.WithError(err).Error("could not unmarshal event data") - return nil, zerrors.ThrowInternal(nil, "MODEL-Hrw1q", "could not unmarshal data") - } - return application, nil -} - -func tokenIDFromRemovedEvent(event eventstore.Event) (string, error) { - removed := make(map[string]interface{}) - if err := event.Unmarshal(&removed); err != nil { - logging.WithError(err).Error("could not unmarshal event data") - return "", zerrors.ThrowInternal(nil, "MODEL-Sff32", "could not unmarshal data") - } - return removed["tokenId"].(string), nil -} - -func refreshTokenIDFromRemovedEvent(event eventstore.Event) (string, error) { - removed := make(map[string]interface{}) - if err := event.Unmarshal(&removed); err != nil { - logging.WithError(err).Error("could not unmarshal event data") - return "", zerrors.ThrowInternal(nil, "MODEL-Dfb3w", "could not unmarshal data") - } - return removed["tokenId"].(string), nil + return payload.ID, nil } func (t *Token) getProjectByID(ctx context.Context, projID, instanceID string) (*proj_model.Project, error) { diff --git a/internal/auth/repository/eventsourcing/handler/user.go b/internal/auth/repository/eventsourcing/handler/user.go index c93dc06477..2333d5242e 100644 --- a/internal/auth/repository/eventsourcing/handler/user.go +++ b/internal/auth/repository/eventsourcing/handler/user.go @@ -4,25 +4,20 @@ import ( "context" "time" - "github.com/zitadel/zitadel/internal/api/authz" auth_view "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/view" + "github.com/zitadel/zitadel/internal/crypto" "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/eventstore/handler/v2" - es_models "github.com/zitadel/zitadel/internal/eventstore/v1/models" - org_model "github.com/zitadel/zitadel/internal/org/model" - org_es_model "github.com/zitadel/zitadel/internal/org/repository/eventsourcing/model" - org_view "github.com/zitadel/zitadel/internal/org/repository/view" query2 "github.com/zitadel/zitadel/internal/query" "github.com/zitadel/zitadel/internal/repository/instance" "github.com/zitadel/zitadel/internal/repository/org" user_repo "github.com/zitadel/zitadel/internal/repository/user" - usr_view "github.com/zitadel/zitadel/internal/user/repository/view" view_model "github.com/zitadel/zitadel/internal/user/repository/view/model" "github.com/zitadel/zitadel/internal/zerrors" ) const ( - userTable = "auth.users2" + userTable = "auth.users3" ) type User struct { @@ -58,26 +53,14 @@ func (u *User) Reducers() []handler.AggregateReducer { { Aggregate: user_repo.AggregateType, EventReducers: []handler.EventReducer{ - { - Event: user_repo.HumanOTPSMSAddedType, - Reduce: u.ProcessUser, - }, { Event: user_repo.HumanOTPSMSRemovedType, Reduce: u.ProcessUser, }, - { - Event: user_repo.HumanOTPEmailAddedType, - Reduce: u.ProcessUser, - }, { Event: user_repo.HumanOTPEmailRemovedType, Reduce: u.ProcessUser, }, - { - Event: user_repo.MachineAddedEventType, - Reduce: u.ProcessUser, - }, { Event: user_repo.HumanAddedType, Reduce: u.ProcessUser, @@ -94,62 +77,14 @@ func (u *User) Reducers() []handler.AggregateReducer { Event: user_repo.HumanRegisteredType, Reduce: u.ProcessUser, }, - { - Event: user_repo.UserV1ProfileChangedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.UserV1EmailChangedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.UserV1EmailVerifiedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.UserV1PhoneChangedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.UserV1PhoneVerifiedType, - Reduce: u.ProcessUser, - }, { Event: user_repo.UserV1PhoneRemovedType, Reduce: u.ProcessUser, }, - { - Event: user_repo.UserV1AddressChangedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.UserDeactivatedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.UserReactivatedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.UserLockedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.UserUnlockedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.UserV1MFAOTPAddedType, - Reduce: u.ProcessUser, - }, { Event: user_repo.UserV1MFAOTPVerifiedType, Reduce: u.ProcessUser, }, - { - Event: user_repo.UserV1MFAOTPRemovedType, - Reduce: u.ProcessUser, - }, { Event: user_repo.UserV1MFAInitSkippedType, Reduce: u.ProcessUser, @@ -158,86 +93,22 @@ func (u *User) Reducers() []handler.AggregateReducer { Event: user_repo.UserV1PasswordChangedType, Reduce: u.ProcessUser, }, - { - Event: user_repo.HumanProfileChangedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.HumanEmailChangedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.HumanEmailVerifiedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.HumanAvatarAddedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.HumanAvatarRemovedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.HumanPhoneChangedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.HumanPhoneVerifiedType, - Reduce: u.ProcessUser, - }, { Event: user_repo.HumanPhoneRemovedType, Reduce: u.ProcessUser, }, - { - Event: user_repo.HumanAddressChangedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.HumanMFAOTPAddedType, - Reduce: u.ProcessUser, - }, { Event: user_repo.HumanMFAOTPVerifiedType, Reduce: u.ProcessUser, }, - { - Event: user_repo.HumanMFAOTPRemovedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.HumanU2FTokenAddedType, - Reduce: u.ProcessUser, - }, { Event: user_repo.HumanU2FTokenVerifiedType, Reduce: u.ProcessUser, }, - { - Event: user_repo.HumanU2FTokenRemovedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.HumanPasswordlessTokenAddedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.HumanPasswordlessTokenVerifiedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.HumanPasswordlessTokenRemovedType, - Reduce: u.ProcessUser, - }, { Event: user_repo.HumanMFAInitSkippedType, Reduce: u.ProcessUser, }, - { - Event: user_repo.MachineChangedEventType, - Reduce: u.ProcessUser, - }, { Event: user_repo.HumanPasswordChangedType, Reduce: u.ProcessUser, @@ -266,14 +137,6 @@ func (u *User) Reducers() []handler.AggregateReducer { Event: user_repo.HumanPasswordlessInitCodeRequestedType, Reduce: u.ProcessUser, }, - { - Event: user_repo.UserDomainClaimedType, - Reduce: u.ProcessUser, - }, - { - Event: user_repo.UserUserNameChangedType, - Reduce: u.ProcessUser, - }, { Event: user_repo.UserRemovedType, Reduce: u.ProcessUser, @@ -283,30 +146,6 @@ func (u *User) Reducers() []handler.AggregateReducer { { Aggregate: org.AggregateType, EventReducers: []handler.EventReducer{ - { - Event: org.OrgDomainVerifiedEventType, - Reduce: u.ProcessOrg, - }, - { - Event: org.OrgDomainRemovedEventType, - Reduce: u.ProcessOrg, - }, - { - Event: org.DomainPolicyAddedEventType, - Reduce: u.ProcessOrg, - }, - { - Event: org.DomainPolicyChangedEventType, - Reduce: u.ProcessOrg, - }, - { - Event: org.DomainPolicyRemovedEventType, - Reduce: u.ProcessOrg, - }, - { - Event: org.OrgDomainPrimarySetEventType, - Reduce: u.ProcessOrg, - }, { Event: org.OrgRemovedEventType, Reduce: u.ProcessOrg, @@ -327,141 +166,124 @@ func (u *User) Reducers() []handler.AggregateReducer { //nolint:gocognit func (u *User) ProcessUser(event eventstore.Event) (_ *handler.Statement, err error) { - return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error { - user := new(view_model.UserView) - switch event.Type() { - case user_repo.UserV1AddedType, - user_repo.MachineAddedEventType, - user_repo.HumanAddedType, - user_repo.UserV1RegisteredType, - user_repo.HumanRegisteredType: - err = user.AppendEvent(event) - if err != nil { - return err - } - err = u.fillLoginNames(user) - case user_repo.UserV1ProfileChangedType, - user_repo.UserV1EmailChangedType, - user_repo.UserV1EmailVerifiedType, - user_repo.UserV1PhoneChangedType, - user_repo.UserV1PhoneVerifiedType, - user_repo.UserV1PhoneRemovedType, - user_repo.UserV1AddressChangedType, - user_repo.UserDeactivatedType, - user_repo.UserReactivatedType, - user_repo.UserLockedType, - user_repo.UserUnlockedType, - user_repo.UserV1MFAOTPAddedType, - user_repo.UserV1MFAOTPVerifiedType, - user_repo.UserV1MFAOTPRemovedType, - user_repo.UserV1MFAInitSkippedType, - user_repo.UserV1PasswordChangedType, - user_repo.HumanProfileChangedType, - user_repo.HumanEmailChangedType, - user_repo.HumanEmailVerifiedType, - user_repo.HumanAvatarAddedType, - user_repo.HumanAvatarRemovedType, - user_repo.HumanPhoneChangedType, - user_repo.HumanPhoneVerifiedType, - user_repo.HumanPhoneRemovedType, - user_repo.HumanAddressChangedType, - user_repo.HumanMFAOTPAddedType, - user_repo.HumanMFAOTPVerifiedType, - user_repo.HumanMFAOTPRemovedType, - user_repo.HumanOTPSMSAddedType, - user_repo.HumanOTPSMSRemovedType, - user_repo.HumanOTPEmailAddedType, - user_repo.HumanOTPEmailRemovedType, - user_repo.HumanU2FTokenAddedType, - user_repo.HumanU2FTokenVerifiedType, - user_repo.HumanU2FTokenRemovedType, - user_repo.HumanPasswordlessTokenAddedType, - user_repo.HumanPasswordlessTokenVerifiedType, - user_repo.HumanPasswordlessTokenRemovedType, - user_repo.HumanMFAInitSkippedType, - user_repo.MachineChangedEventType, - user_repo.HumanPasswordChangedType, - user_repo.HumanInitialCodeAddedType, - user_repo.UserV1InitialCodeAddedType, - user_repo.UserV1InitializedCheckSucceededType, - user_repo.HumanInitializedCheckSucceededType, - user_repo.HumanPasswordlessInitCodeAddedType, - user_repo.HumanPasswordlessInitCodeRequestedType: - user, err = u.view.UserByID(event.Aggregate().ID, event.Aggregate().InstanceID) - if err != nil { - if !zerrors.IsNotFound(err) { - return err - } - user, err = u.userFromEventstore(event.Aggregate(), user.EventTypes()) - if err != nil { - return err - } - } - err = user.AppendEvent(event) - case user_repo.UserDomainClaimedType, - user_repo.UserUserNameChangedType: - user, err = u.view.UserByID(event.Aggregate().ID, event.Aggregate().InstanceID) - if err != nil { - if !zerrors.IsNotFound(err) { - return err - } - user, err = u.userFromEventstore(event.Aggregate(), user.EventTypes()) - if err != nil { - return err - } - } - err = user.AppendEvent(event) - if err != nil { - return err - } - err = u.fillLoginNames(user) - case user_repo.UserRemovedType: - return u.view.DeleteUser(event.Aggregate().ID, event.Aggregate().InstanceID, event) - default: - return nil + // in case anything needs to be change here check if appendEvent function needs the change as well + switch event.Type() { + case user_repo.UserV1AddedType, + user_repo.HumanAddedType: + e, ok := event.(*user_repo.HumanAddedEvent) + if !ok { + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-SDAGF", "reduce.wrong.event.type %s", user_repo.HumanAddedType) } - if err != nil { - return err + return u.setPasswordData(event, e.Secret, e.EncodedHash), nil + case user_repo.UserV1RegisteredType, + user_repo.HumanRegisteredType: + e, ok := event.(*user_repo.HumanRegisteredEvent) + if !ok { + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-AS1hz", "reduce.wrong.event.type %s", user_repo.HumanRegisteredType) } - return u.view.PutUser(user, event) - }), nil + return u.setPasswordData(event, e.Secret, e.EncodedHash), nil + case user_repo.UserV1PasswordChangedType, + user_repo.HumanPasswordChangedType: + e, ok := event.(*user_repo.HumanPasswordChangedEvent) + if !ok { + return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-Gd31w", "reduce.wrong.event.type %s", user_repo.HumanPasswordChangedType) + } + return u.setPasswordData(event, e.Secret, e.EncodedHash), nil + case user_repo.UserV1PhoneRemovedType, + user_repo.HumanPhoneRemovedType, + user_repo.UserV1MFAOTPVerifiedType, + user_repo.HumanMFAOTPVerifiedType, + user_repo.HumanOTPSMSRemovedType, + user_repo.HumanOTPEmailRemovedType, + user_repo.HumanU2FTokenVerifiedType: + return handler.NewUpdateStatement(event, + []handler.Column{ + handler.NewCol(view_model.UserKeyMFAInitSkipped, time.Time{}), + handler.NewCol(view_model.UserKeyChangeDate, event.CreatedAt()), + }, + []handler.Condition{ + handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserKeyUserID, event.Aggregate().ID), + }), nil + case user_repo.UserV1MFAInitSkippedType, + user_repo.HumanMFAInitSkippedType: + return handler.NewUpdateStatement(event, + []handler.Column{ + handler.NewCol(view_model.UserKeyMFAInitSkipped, event.CreatedAt()), + handler.NewCol(view_model.UserKeyChangeDate, event.CreatedAt()), + }, + []handler.Condition{ + handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserKeyUserID, event.Aggregate().ID), + }), nil + case user_repo.UserV1InitialCodeAddedType, + user_repo.HumanInitialCodeAddedType: + return handler.NewUpdateStatement(event, + []handler.Column{ + handler.NewCol(view_model.UserKeyInitRequired, true), + handler.NewCol(view_model.UserKeyChangeDate, event.CreatedAt()), + }, + []handler.Condition{ + handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserKeyUserID, event.Aggregate().ID), + }), nil + case user_repo.UserV1InitializedCheckSucceededType, + user_repo.HumanInitializedCheckSucceededType: + return handler.NewUpdateStatement(event, + []handler.Column{ + handler.NewCol(view_model.UserKeyInitRequired, false), + handler.NewCol(view_model.UserKeyChangeDate, event.CreatedAt()), + }, + []handler.Condition{ + handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserKeyUserID, event.Aggregate().ID), + }), nil + case user_repo.HumanPasswordlessInitCodeAddedType, + user_repo.HumanPasswordlessInitCodeRequestedType: + return handler.NewUpdateStatement(event, + []handler.Column{ + handler.NewCol(view_model.UserKeyPasswordlessInitRequired, true), + handler.NewCol(view_model.UserKeyPasswordInitRequired, false), + handler.NewCol(view_model.UserKeyChangeDate, event.CreatedAt()), + }, + []handler.Condition{ + handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserKeyUserID, event.Aggregate().ID), + handler.NewCond(view_model.UserKeyPasswordSet, false), + }), nil + case user_repo.UserRemovedType: + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserKeyUserID, event.Aggregate().ID), + }), nil + default: + return handler.NewNoOpStatement(event), nil + } } -func (u *User) fillLoginNames(user *view_model.UserView) (err error) { - userLoginMustBeDomain, primaryDomain, domains, err := u.loginNameInformation(context.Background(), user.ResourceOwner, user.InstanceID) - if err != nil { - return err +func (u *User) setPasswordData(event eventstore.Event, secret *crypto.CryptoValue, hash string) *handler.Statement { + set := secret != nil || hash != "" + columns := []handler.Column{ + handler.NewCol(view_model.UserKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCol(view_model.UserKeyUserID, event.Aggregate().ID), + handler.NewCol(view_model.UserKeyResourceOwner, event.Aggregate().ResourceOwner), + handler.NewCol(view_model.UserKeyChangeDate, event.CreatedAt()), + handler.NewCol(view_model.UserKeyPasswordSet, set), + handler.NewCol(view_model.UserKeyPasswordInitRequired, !set), + handler.NewCol(view_model.UserKeyPasswordChange, event.CreatedAt()), } - user.SetLoginNames(userLoginMustBeDomain, domains) - user.PreferredLoginName = user.GenerateLoginName(primaryDomain, userLoginMustBeDomain) - return nil + return handler.NewUpsertStatement(event, columns[0:2], columns) } func (u *User) ProcessOrg(event eventstore.Event) (_ *handler.Statement, err error) { - return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error { - switch event.Type() { - case org.OrgDomainVerifiedEventType, - org.OrgDomainRemovedEventType, - org.DomainPolicyAddedEventType, - org.DomainPolicyChangedEventType, - org.DomainPolicyRemovedEventType: - return u.fillLoginNamesOnOrgUsers(event) - case org.OrgDomainPrimarySetEventType: - return u.fillPreferredLoginNamesOnOrgUsers(event) - case org.OrgRemovedEventType: - return u.view.UpdateOrgOwnerRemovedUsers(event) - default: - return nil - } - }), nil -} - -func (u *User) ProcessInstance(event eventstore.Event) (_ *handler.Statement, err error) { + // in case anything needs to be change here check if appendEvent function needs the change as well switch event.Type() { - case instance.InstanceRemovedEventType: - return handler.NewStatement(event, - func(ex handler.Executer, projectionName string) error { - return u.view.DeleteInstanceUsers(event) + case org.OrgRemovedEventType: + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserKeyResourceOwner, event.Aggregate().ID), }, ), nil default: @@ -469,97 +291,16 @@ func (u *User) ProcessInstance(event eventstore.Event) (_ *handler.Statement, er } } -func (u *User) fillLoginNamesOnOrgUsers(event eventstore.Event) error { - userLoginMustBeDomain, _, domains, err := u.loginNameInformation(context.Background(), event.Aggregate().ResourceOwner, event.Aggregate().InstanceID) - if err != nil { - return err +func (u *User) ProcessInstance(event eventstore.Event) (_ *handler.Statement, err error) { + // in case anything needs to be change here check if appendEvent function needs the change as well + switch event.Type() { + case instance.InstanceRemovedEventType: + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID), + }, + ), nil + default: + return handler.NewNoOpStatement(event), nil } - users, err := u.view.UsersByOrgID(event.Aggregate().ID, event.Aggregate().InstanceID) - if err != nil { - return err - } - for _, user := range users { - user.SetLoginNames(userLoginMustBeDomain, domains) - } - return u.view.PutUsers(users, event) -} - -func (u *User) fillPreferredLoginNamesOnOrgUsers(event eventstore.Event) error { - userLoginMustBeDomain, primaryDomain, _, err := u.loginNameInformation(context.Background(), event.Aggregate().ResourceOwner, event.Aggregate().InstanceID) - if err != nil { - return err - } - if !userLoginMustBeDomain { - return nil - } - users, err := u.view.UsersByOrgID(event.Aggregate().ID, event.Aggregate().InstanceID) - if err != nil { - return err - } - for _, user := range users { - user.PreferredLoginName = user.GenerateLoginName(primaryDomain, userLoginMustBeDomain) - } - return u.view.PutUsers(users, event) -} - -func (u *User) getOrgByID(ctx context.Context, orgID, instanceID string) (*org_model.Org, error) { - query, err := org_view.OrgByIDQuery(orgID, instanceID, 0) - if err != nil { - return nil, err - } - - esOrg := &org_es_model.Org{ - ObjectRoot: es_models.ObjectRoot{ - AggregateID: orgID, - }, - } - events, err := u.es.Filter(ctx, query) - if err != nil { - return nil, err - } - if err = esOrg.AppendEvents(events...); err != nil { - return nil, err - } - if esOrg.Sequence == 0 { - return nil, zerrors.ThrowNotFound(nil, "EVENT-3m9vs", "Errors.Org.NotFound") - } - - return org_es_model.OrgToModel(esOrg), nil -} - -func (u *User) loginNameInformation(ctx context.Context, orgID string, instanceID string) (userLoginMustBeDomain bool, primaryDomain string, domains []*org_model.OrgDomain, err error) { - org, err := u.getOrgByID(ctx, orgID, instanceID) - if err != nil { - return false, "", nil, err - } - primaryDomain, err = org.GetPrimaryDomain() - if err != nil { - return false, "", nil, err - } - if org.DomainPolicy != nil { - return org.DomainPolicy.UserLoginMustBeDomain, primaryDomain, org.Domains, nil - } - policy, err := u.queries.DefaultDomainPolicy(authz.WithInstanceID(ctx, org.InstanceID)) - if err != nil { - return false, "", nil, err - } - return policy.UserLoginMustBeDomain, primaryDomain, org.Domains, nil -} - -func (u *User) userFromEventstore(agg *eventstore.Aggregate, eventTypes []eventstore.EventType) (*view_model.UserView, error) { - query, err := usr_view.UserByIDQuery(agg.ID, agg.InstanceID, time.Time{}, eventTypes) - if err != nil { - return nil, err - } - events, err := u.es.Filter(context.Background(), query) - if err != nil { - return nil, err - } - user := &view_model.UserView{} - for _, e := range events { - if err = user.AppendEvent(e); err != nil { - return nil, err - } - } - return user, nil } diff --git a/internal/auth/repository/eventsourcing/handler/user_session.go b/internal/auth/repository/eventsourcing/handler/user_session.go index fc22856846..3147b336f3 100644 --- a/internal/auth/repository/eventsourcing/handler/user_session.go +++ b/internal/auth/repository/eventsourcing/handler/user_session.go @@ -12,8 +12,8 @@ import ( "github.com/zitadel/zitadel/internal/repository/instance" "github.com/zitadel/zitadel/internal/repository/org" "github.com/zitadel/zitadel/internal/repository/user" + es_model "github.com/zitadel/zitadel/internal/user/repository/eventsourcing/model" view_model "github.com/zitadel/zitadel/internal/user/repository/view/model" - "github.com/zitadel/zitadel/internal/zerrors" ) const ( @@ -187,64 +187,163 @@ func (s *UserSession) Reducers() []handler.AggregateReducer { } } +func sessionColumns(event eventstore.Event, columns ...handler.Column) ([]handler.Column, error) { + userAgent, err := agentIDFromSession(event) + if err != nil { + return nil, err + } + return append([]handler.Column{ + handler.NewCol(view_model.UserSessionKeyUserAgentID, userAgent), + handler.NewCol(view_model.UserSessionKeyUserID, event.Aggregate().ID), + handler.NewCol(view_model.UserSessionKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCol(view_model.UserSessionKeyCreationDate, handler.OnlySetValueOnInsert(userSessionTable, event.CreatedAt())), + handler.NewCol(view_model.UserSessionKeyChangeDate, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeyResourceOwner, event.Aggregate().ResourceOwner), + handler.NewCol(view_model.UserSessionKeySequence, event.Sequence()), + }, columns...), nil +} + func (u *UserSession) Reduce(event eventstore.Event) (_ *handler.Statement, err error) { + // in case anything needs to be change here check if appendEvent function needs the change as well switch event.Type() { case user.UserV1PasswordCheckSucceededType, - user.UserV1PasswordCheckFailedType, - user.UserV1MFAOTPCheckSucceededType, - user.UserV1MFAOTPCheckFailedType, - user.UserV1SignedOutType, - user.HumanPasswordCheckSucceededType, - user.HumanPasswordCheckFailedType, - user.UserIDPLoginCheckSucceededType, - user.HumanMFAOTPCheckSucceededType, + user.HumanPasswordCheckSucceededType: + columns, err := sessionColumns(event, + handler.NewCol(view_model.UserSessionKeyPasswordVerification, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeyState, domain.UserSessionStateActive), + ) + if err != nil { + return nil, err + } + return handler.NewUpsertStatement(event, columns[0:3], columns), nil + case user.UserV1PasswordCheckFailedType, + user.HumanPasswordCheckFailedType: + columns, err := sessionColumns(event, + handler.NewCol(view_model.UserSessionKeyPasswordVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyState, domain.UserSessionStateActive), + ) + if err != nil { + return nil, err + } + return handler.NewUpsertStatement(event, columns[0:3], columns), nil + case user.UserV1MFAOTPCheckSucceededType, + user.HumanMFAOTPCheckSucceededType: + columns, err := sessionColumns(event, + handler.NewCol(view_model.UserSessionKeySecondFactorVerification, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeySecondFactorVerificationType, domain.MFATypeTOTP), + handler.NewCol(view_model.UserSessionKeyState, domain.UserSessionStateActive), + ) + if err != nil { + return nil, err + } + return handler.NewUpsertStatement(event, columns[0:3], columns), nil + case user.UserV1MFAOTPCheckFailedType, user.HumanMFAOTPCheckFailedType, - user.HumanU2FTokenCheckSucceededType, - user.HumanU2FTokenCheckFailedType, - user.HumanPasswordlessTokenCheckSucceededType, - user.HumanPasswordlessTokenCheckFailedType, + user.HumanU2FTokenCheckFailedType: + columns, err := sessionColumns(event, + handler.NewCol(view_model.UserSessionKeySecondFactorVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyState, domain.UserSessionStateActive), + ) + if err != nil { + return nil, err + } + return handler.NewUpsertStatement(event, columns[0:3], columns), nil + case user.UserV1SignedOutType, user.HumanSignedOutType: - return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error { - var session *view_model.UserSessionView - eventData, err := view_model.UserSessionFromEvent(event) - if err != nil { - return err - } - session, err = u.view.UserSessionByIDs(eventData.UserAgentID, event.Aggregate().ID, event.Aggregate().InstanceID) - if err != nil { - if !zerrors.IsNotFound(err) { - return err - } - session = &view_model.UserSessionView{ - CreationDate: event.CreatedAt(), - ResourceOwner: event.Aggregate().ResourceOwner, - UserAgentID: eventData.UserAgentID, - UserID: event.Aggregate().ID, - State: int32(domain.UserSessionStateActive), - InstanceID: event.Aggregate().InstanceID, - } - } - return u.updateSession(session, event) - }), nil + columns, err := sessionColumns(event, + handler.NewCol(view_model.UserSessionKeyPasswordlessVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyPasswordVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeySecondFactorVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeySecondFactorVerificationType, domain.MFALevelNotSetUp), + handler.NewCol(view_model.UserSessionKeyMultiFactorVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyMultiFactorVerificationType, domain.MFALevelNotSetUp), + handler.NewCol(view_model.UserSessionKeyExternalLoginVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyState, domain.UserSessionStateTerminated), + ) + if err != nil { + return nil, err + } + return handler.NewUpsertStatement(event, columns[0:3], columns), nil + case user.UserIDPLoginCheckSucceededType: + data := new(es_model.AuthRequest) + err := data.SetData(event) + if err != nil { + return nil, err + } + columns, err := sessionColumns(event, + handler.NewCol(view_model.UserSessionKeyExternalLoginVerification, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeySelectedIDPConfigID, data.SelectedIDPConfigID), + handler.NewCol(view_model.UserSessionKeyState, domain.UserSessionStateActive), + ) + if err != nil { + return nil, err + } + return handler.NewUpsertStatement(event, columns[0:3], columns), nil + case user.HumanU2FTokenCheckSucceededType: + data := new(es_model.AuthRequest) + err := data.SetData(event) + if err != nil { + return nil, err + } + columns, err := sessionColumns(event, + handler.NewCol(view_model.UserSessionKeySecondFactorVerification, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeySecondFactorVerificationType, domain.MFATypeU2F), + handler.NewCol(view_model.UserSessionKeyState, domain.UserSessionStateActive), + ) + if err != nil { + return nil, err + } + return handler.NewUpsertStatement(event, columns[0:3], columns), nil + case user.HumanPasswordlessTokenCheckSucceededType: + data := new(es_model.AuthRequest) + err := data.SetData(event) + if err != nil { + return nil, err + } + columns, err := sessionColumns(event, + handler.NewCol(view_model.UserSessionKeyPasswordlessVerification, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeyMultiFactorVerification, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeyMultiFactorVerificationType, domain.MFATypeU2FUserVerification), + handler.NewCol(view_model.UserSessionKeyState, domain.UserSessionStateActive), + ) + if err != nil { + return nil, err + } + return handler.NewUpsertStatement(event, columns[0:3], columns), nil + case user.HumanPasswordlessTokenCheckFailedType: + data := new(es_model.AuthRequest) + err := data.SetData(event) + if err != nil { + return nil, err + } + columns, err := sessionColumns(event, + handler.NewCol(view_model.UserSessionKeyPasswordlessVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyMultiFactorVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyState, domain.UserSessionStateActive), + ) + if err != nil { + return nil, err + } + return handler.NewUpsertStatement(event, columns[0:3], columns), nil case user.UserLockedType, user.UserDeactivatedType: return handler.NewUpdateStatement(event, []handler.Column{ - handler.NewCol("passwordless_verification", time.Time{}), - handler.NewCol("password_verification", time.Time{}), - handler.NewCol("second_factor_verification", time.Time{}), - handler.NewCol("second_factor_verification_type", domain.MFALevelNotSetUp), - handler.NewCol("multi_factor_verification", time.Time{}), - handler.NewCol("multi_factor_verification_type", domain.MFALevelNotSetUp), - handler.NewCol("external_login_verification", time.Time{}), - handler.NewCol("state", domain.UserSessionStateTerminated), - handler.NewCol("change_date", event.CreatedAt()), - handler.NewCol("sequence", event.Sequence()), + handler.NewCol(view_model.UserSessionKeyPasswordlessVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyPasswordVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeySecondFactorVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeySecondFactorVerificationType, domain.MFALevelNotSetUp), + handler.NewCol(view_model.UserSessionKeyMultiFactorVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyMultiFactorVerificationType, domain.MFALevelNotSetUp), + handler.NewCol(view_model.UserSessionKeyExternalLoginVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyState, domain.UserSessionStateTerminated), + handler.NewCol(view_model.UserSessionKeyChangeDate, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeySequence, event.Sequence()), }, []handler.Condition{ - handler.NewCond("instance_id", event.Aggregate().InstanceID), - handler.NewCond("user_id", event.Aggregate().ID), - handler.Not(handler.NewCond("state", domain.UserSessionStateTerminated)), + handler.NewCond(view_model.UserSessionKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserSessionKeyUserID, event.Aggregate().ID), + handler.Not(handler.NewCond(view_model.UserSessionKeyState, domain.UserSessionStateTerminated)), }, ), nil case user.UserV1PasswordChangedType, @@ -256,26 +355,26 @@ func (u *UserSession) Reduce(event eventstore.Event) (_ *handler.Statement, err return handler.NewMultiStatement(event, handler.AddUpdateStatement( []handler.Column{ - handler.NewCol("password_verification", event.CreatedAt()), - handler.NewCol("change_date", event.CreatedAt()), - handler.NewCol("sequence", event.Sequence()), + handler.NewCol(view_model.UserSessionKeyPasswordVerification, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeyChangeDate, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeySequence, event.Sequence()), }, []handler.Condition{ - handler.NewCond("instance_id", event.Aggregate().InstanceID), - handler.NewCond("user_id", event.Aggregate().ID), - handler.NewCond("user_agent_id", userAgent), + handler.NewCond(view_model.UserSessionKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserSessionKeyUserID, event.Aggregate().ID), + handler.NewCond(view_model.UserSessionKeyUserAgentID, userAgent), }), handler.AddUpdateStatement( []handler.Column{ - handler.NewCol("password_verification", time.Time{}), - handler.NewCol("change_date", event.CreatedAt()), - handler.NewCol("sequence", event.Sequence()), + handler.NewCol(view_model.UserSessionKeyPasswordVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyChangeDate, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeySequence, event.Sequence()), }, []handler.Condition{ - handler.NewCond("instance_id", event.Aggregate().InstanceID), - handler.NewCond("user_id", event.Aggregate().ID), - handler.Not(handler.NewCond("user_agent_id", userAgent)), - handler.Not(handler.NewCond("state", domain.UserSessionStateTerminated)), + handler.NewCond(view_model.UserSessionKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserSessionKeyUserID, event.Aggregate().ID), + handler.Not(handler.NewCond(view_model.UserSessionKeyUserAgentID, userAgent)), + handler.Not(handler.NewCond(view_model.UserSessionKeyState, domain.UserSessionStateTerminated)), }), ), nil case user.UserV1MFAOTPRemovedType, @@ -283,84 +382,77 @@ func (u *UserSession) Reduce(event eventstore.Event) (_ *handler.Statement, err user.HumanU2FTokenRemovedType: return handler.NewUpdateStatement(event, []handler.Column{ - handler.NewCol("second_factor_verification", time.Time{}), - handler.NewCol("change_date", event.CreatedAt()), - handler.NewCol("sequence", event.Sequence()), + handler.NewCol(view_model.UserSessionKeySecondFactorVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyChangeDate, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeySequence, event.Sequence()), }, []handler.Condition{ - handler.NewCond("instance_id", event.Aggregate().InstanceID), - handler.NewCond("user_id", event.Aggregate().ID), - handler.Not(handler.NewCond("state", domain.UserSessionStateTerminated)), + handler.NewCond(view_model.UserSessionKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserSessionKeyUserID, event.Aggregate().ID), + handler.Not(handler.NewCond(view_model.UserSessionKeyState, domain.UserSessionStateTerminated)), }, ), nil case user.UserIDPLinkRemovedType, user.UserIDPLinkCascadeRemovedType: return handler.NewUpdateStatement(event, []handler.Column{ - handler.NewCol("external_login_verification", time.Time{}), - handler.NewCol("selected_idp_config_id", ""), - handler.NewCol("change_date", event.CreatedAt()), - handler.NewCol("sequence", event.Sequence()), + handler.NewCol(view_model.UserSessionKeyExternalLoginVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeySelectedIDPConfigID, ""), + handler.NewCol(view_model.UserSessionKeyChangeDate, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeySequence, event.Sequence()), }, []handler.Condition{ - handler.NewCond("instance_id", event.Aggregate().InstanceID), - handler.NewCond("user_id", event.Aggregate().ID), - handler.Not(handler.NewCond("selected_idp_config_id", "")), + handler.NewCond(view_model.UserSessionKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserSessionKeyUserID, event.Aggregate().ID), + handler.Not(handler.NewCond(view_model.UserSessionKeySelectedIDPConfigID, "")), }, ), nil case user.HumanPasswordlessTokenRemovedType: return handler.NewUpdateStatement(event, []handler.Column{ - handler.NewCol("passwordless_verification", time.Time{}), - handler.NewCol("multi_factor_verification", time.Time{}), - handler.NewCol("change_date", event.CreatedAt()), - handler.NewCol("sequence", event.Sequence()), + handler.NewCol(view_model.UserSessionKeyPasswordlessVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyMultiFactorVerification, time.Time{}), + handler.NewCol(view_model.UserSessionKeyChangeDate, event.CreatedAt()), + handler.NewCol(view_model.UserSessionKeySequence, event.Sequence()), }, []handler.Condition{ - handler.NewCond("instance_id", event.Aggregate().InstanceID), - handler.NewCond("user_id", event.Aggregate().ID), - handler.Not(handler.NewCond("state", domain.UserSessionStateTerminated)), + handler.NewCond(view_model.UserSessionKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserSessionKeyUserID, event.Aggregate().ID), + handler.Not(handler.NewCond(view_model.UserSessionKeyState, domain.UserSessionStateTerminated)), }, ), nil case user.UserRemovedType: - return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error { - return u.view.DeleteUserSessions(event.Aggregate().ID, event.Aggregate().InstanceID) - }), nil + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.UserSessionKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserSessionKeyUserID, event.Aggregate().ID), + }, + ), nil case user.HumanRegisteredType: - return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error { - eventData, err := view_model.UserSessionFromEvent(event) - if err != nil { - return err - } - session := &view_model.UserSessionView{ - CreationDate: event.CreatedAt(), - ResourceOwner: event.Aggregate().ResourceOwner, - UserAgentID: eventData.UserAgentID, - UserID: event.Aggregate().ID, - State: int32(domain.UserSessionStateActive), - InstanceID: event.Aggregate().InstanceID, - PasswordVerification: event.CreatedAt(), - } - return u.updateSession(session, event) - }), nil + columns, err := sessionColumns(event, + handler.NewCol(view_model.UserSessionKeyState, domain.UserSessionStateActive), + handler.NewCol(view_model.UserSessionKeyPasswordVerification, event.CreatedAt()), + ) + if err != nil { + return nil, err + } + return handler.NewCreateStatement(event, + columns, + ), nil case instance.InstanceRemovedEventType: - return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error { - return u.view.DeleteInstanceUserSessions(event.Aggregate().InstanceID) - }), nil + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.UserSessionKeyInstanceID, event.Aggregate().InstanceID), + }, + ), nil case org.OrgRemovedEventType: - return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error { - return u.view.DeleteOrgUserSessions(event) - }), nil + return handler.NewDeleteStatement(event, + []handler.Condition{ + handler.NewCond(view_model.UserSessionKeyInstanceID, event.Aggregate().InstanceID), + handler.NewCond(view_model.UserSessionKeyResourceOwner, event.Aggregate().ResourceOwner), + }, + ), nil default: - return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error { - return nil - }), nil + return handler.NewNoOpStatement(event), nil } } - -func (u *UserSession) updateSession(session *view_model.UserSessionView, event eventstore.Event) error { - if err := session.AppendEvent(event); err != nil { - return err - } - return u.view.PutUserSession(session) -} diff --git a/internal/auth/repository/eventsourcing/view/refresh_token.go b/internal/auth/repository/eventsourcing/view/refresh_token.go index b45f769cb7..ce268ba139 100644 --- a/internal/auth/repository/eventsourcing/view/refresh_token.go +++ b/internal/auth/repository/eventsourcing/view/refresh_token.go @@ -4,13 +4,10 @@ import ( "context" "github.com/zitadel/zitadel/internal/api/authz" - "github.com/zitadel/zitadel/internal/eventstore" - "github.com/zitadel/zitadel/internal/eventstore/v1/models" "github.com/zitadel/zitadel/internal/query" user_model "github.com/zitadel/zitadel/internal/user/model" usr_view "github.com/zitadel/zitadel/internal/user/repository/view" "github.com/zitadel/zitadel/internal/user/repository/view/model" - "github.com/zitadel/zitadel/internal/zerrors" ) const ( @@ -29,54 +26,6 @@ func (v *View) SearchRefreshTokens(request *user_model.RefreshTokenSearchRequest return usr_view.SearchRefreshTokens(v.Db, refreshTokenTable, request) } -func (v *View) PutRefreshToken(token *model.RefreshTokenView) error { - return usr_view.PutRefreshToken(v.Db, refreshTokenTable, token) -} - -func (v *View) PutRefreshTokens(token []*model.RefreshTokenView) error { - return usr_view.PutRefreshTokens(v.Db, refreshTokenTable, token...) -} - -func (v *View) DeleteRefreshToken(tokenID, instanceID string) error { - err := usr_view.DeleteRefreshToken(v.Db, refreshTokenTable, tokenID, instanceID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteUserRefreshTokens(userID, instanceID string) error { - err := usr_view.DeleteUserRefreshTokens(v.Db, refreshTokenTable, userID, instanceID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteApplicationRefreshTokens(event *models.Event, ids ...string) error { - err := usr_view.DeleteApplicationTokens(v.Db, refreshTokenTable, event.InstanceID, ids) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteInstanceRefreshTokens(instanceID string) error { - err := usr_view.DeleteInstanceRefreshTokens(v.Db, refreshTokenTable, instanceID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteOrgRefreshTokens(event eventstore.Event) error { - err := usr_view.DeleteOrgRefreshTokens(v.Db, refreshTokenTable, event.Aggregate().InstanceID, event.Aggregate().ResourceOwner) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - func (v *View) GetLatestRefreshTokenSequence(ctx context.Context) (_ *query.CurrentState, err error) { q := &query.CurrentStateSearchQueries{ Queries: make([]query.SearchQuery, 2), diff --git a/internal/auth/repository/eventsourcing/view/token.go b/internal/auth/repository/eventsourcing/view/token.go index 0fe1d6d187..92713dc28c 100644 --- a/internal/auth/repository/eventsourcing/view/token.go +++ b/internal/auth/repository/eventsourcing/view/token.go @@ -3,12 +3,10 @@ package view import ( "context" - "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/query" "github.com/zitadel/zitadel/internal/telemetry/tracing" usr_view "github.com/zitadel/zitadel/internal/user/repository/view" "github.com/zitadel/zitadel/internal/user/repository/view/model" - "github.com/zitadel/zitadel/internal/zerrors" ) const ( @@ -23,70 +21,6 @@ func (v *View) TokensByUserID(userID, instanceID string) ([]*model.TokenView, er return usr_view.TokensByUserID(v.Db, tokenTable, userID, instanceID) } -func (v *View) PutToken(token *model.TokenView) error { - return usr_view.PutToken(v.Db, tokenTable, token) -} - -func (v *View) PutTokens(token []*model.TokenView) error { - return usr_view.PutTokens(v.Db, tokenTable, token...) -} - -func (v *View) DeleteToken(tokenID, instanceID string) error { - err := usr_view.DeleteToken(v.Db, tokenTable, tokenID, instanceID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteSessionTokens(agentID string, event eventstore.Event) error { - err := usr_view.DeleteSessionTokens(v.Db, tokenTable, agentID, event.Aggregate().ID, event.Aggregate().InstanceID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteUserTokens(event eventstore.Event) error { - err := usr_view.DeleteUserTokens(v.Db, tokenTable, event.Aggregate().ID, event.Aggregate().InstanceID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteApplicationTokens(event eventstore.Event, ids ...string) error { - err := usr_view.DeleteApplicationTokens(v.Db, tokenTable, event.Aggregate().InstanceID, ids) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteTokensFromRefreshToken(refreshTokenID, instanceID string) error { - err := usr_view.DeleteTokensFromRefreshToken(v.Db, tokenTable, refreshTokenID, instanceID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteInstanceTokens(event eventstore.Event) error { - err := usr_view.DeleteInstanceTokens(v.Db, tokenTable, event.Aggregate().InstanceID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteOrgTokens(event eventstore.Event) error { - err := usr_view.DeleteOrgTokens(v.Db, tokenTable, event.Aggregate().InstanceID, event.Aggregate().ResourceOwner) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - func (v *View) GetLatestTokenSequence(ctx context.Context, instanceID string) (_ *query.CurrentState, err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() diff --git a/internal/auth/repository/eventsourcing/view/user.go b/internal/auth/repository/eventsourcing/view/user.go index 3c1c3ddcc1..e75846471d 100644 --- a/internal/auth/repository/eventsourcing/view/user.go +++ b/internal/auth/repository/eventsourcing/view/user.go @@ -5,7 +5,6 @@ import ( "github.com/zitadel/logging" - "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/query" usr_model "github.com/zitadel/zitadel/internal/user/model" "github.com/zitadel/zitadel/internal/user/repository/view" @@ -14,7 +13,7 @@ import ( ) const ( - userTable = "auth.users2" + userTable = "auth.users3" ) func (v *View) UserByID(userID, instanceID string) (*model.UserView, error) { @@ -142,42 +141,6 @@ func (v *View) userByID(ctx context.Context, instanceID string, queries ...query return user, nil } -func (v *View) UsersByOrgID(orgID, instanceID string) ([]*model.UserView, error) { - return view.UsersByOrgID(v.Db, userTable, orgID, instanceID) -} - -func (v *View) PutUser(user *model.UserView, event eventstore.Event) error { - return view.PutUser(v.Db, userTable, user) -} - -func (v *View) PutUsers(users []*model.UserView, event eventstore.Event) error { - return view.PutUsers(v.Db, userTable, users...) -} - -func (v *View) DeleteUser(userID, instanceID string, event eventstore.Event) error { - err := view.DeleteUser(v.Db, userTable, userID, instanceID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteInstanceUsers(event eventstore.Event) error { - err := view.DeleteInstanceUsers(v.Db, userTable, event.Aggregate().InstanceID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) UpdateOrgOwnerRemovedUsers(event eventstore.Event) error { - err := view.UpdateOrgOwnerRemovedUsers(v.Db, userTable, event.Aggregate().InstanceID, event.Aggregate().ID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - func (v *View) GetLatestUserSequence(ctx context.Context, instanceID string) (_ *query.CurrentState, err error) { q := &query.CurrentStateSearchQueries{ Queries: make([]query.SearchQuery, 2), diff --git a/internal/auth/repository/eventsourcing/view/user_session.go b/internal/auth/repository/eventsourcing/view/user_session.go index 59d2a967ab..893e5872ac 100644 --- a/internal/auth/repository/eventsourcing/view/user_session.go +++ b/internal/auth/repository/eventsourcing/view/user_session.go @@ -3,11 +3,9 @@ package view import ( "context" - "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/query" "github.com/zitadel/zitadel/internal/user/repository/view" "github.com/zitadel/zitadel/internal/user/repository/view/model" - "github.com/zitadel/zitadel/internal/zerrors" ) const ( @@ -22,34 +20,6 @@ func (v *View) UserSessionsByAgentID(agentID, instanceID string) ([]*model.UserS return view.UserSessionsByAgentID(v.client, agentID, instanceID) } -func (v *View) PutUserSession(userSession *model.UserSessionView) error { - return view.PutUserSession(v.Db, userSessionTable, userSession) -} - -func (v *View) DeleteUserSessions(userID, instanceID string) error { - err := view.DeleteUserSessions(v.Db, userSessionTable, userID, instanceID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteInstanceUserSessions(instanceID string) error { - err := view.DeleteInstanceUserSessions(v.Db, userSessionTable, instanceID) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - -func (v *View) DeleteOrgUserSessions(event eventstore.Event) error { - err := view.DeleteOrgUserSessions(v.Db, userSessionTable, event.Aggregate().InstanceID, event.Aggregate().ResourceOwner) - if err != nil && !zerrors.IsNotFound(err) { - return err - } - return nil -} - func (v *View) GetLatestUserSessionSequence(ctx context.Context, instanceID string) (_ *query.CurrentState, err error) { q := &query.CurrentStateSearchQueries{ Queries: make([]query.SearchQuery, 2), diff --git a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go index 097a922653..603146f511 100644 --- a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go +++ b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go @@ -8,6 +8,7 @@ import ( "time" "github.com/go-jose/go-jose/v4" + "github.com/muhlemmer/gu" "github.com/zitadel/logging" "github.com/zitadel/oidc/v3/pkg/oidc" "github.com/zitadel/oidc/v3/pkg/op" @@ -96,8 +97,7 @@ func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenStrin return "", "", "", "", "", zerrors.ThrowUnauthenticated(nil, "APP-Reb32", "invalid token") } if strings.HasPrefix(tokenID, command.IDPrefixV2) { - userID, clientID, resourceOwner, err = repo.verifyAccessTokenV2(ctx, tokenID, verifierClientID, projectID) - return + return repo.verifyAccessTokenV2(ctx, tokenID, verifierClientID, projectID) } if sessionID, ok := strings.CutPrefix(tokenID, authz.SessionTokenPrefix); ok { userID, clientID, resourceOwner, err = repo.verifySessionToken(ctx, sessionID, tokenString) @@ -106,7 +106,7 @@ func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenStrin return repo.verifyAccessTokenV1(ctx, tokenID, subject, verifierClientID, projectID) } -func (repo *TokenVerifierRepo) verifyAccessTokenV1(ctx context.Context, tokenID, subject, verifierClientID, projectID string) (userID string, agentID string, clientID, prefLang, resourceOwner string, err error) { +func (repo *TokenVerifierRepo) verifyAccessTokenV1(ctx context.Context, tokenID, subject, verifierClientID, projectID string) (userID, agentID, clientID, prefLang, resourceOwner string, err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() @@ -131,24 +131,27 @@ func (repo *TokenVerifierRepo) verifyAccessTokenV1(ctx context.Context, tokenID, return token.UserID, token.UserAgentID, token.ApplicationID, token.PreferredLanguage, token.ResourceOwner, nil } -func (repo *TokenVerifierRepo) verifyAccessTokenV2(ctx context.Context, token, verifierClientID, projectID string) (userID, clientID, resourceOwner string, err error) { +func (repo *TokenVerifierRepo) verifyAccessTokenV2(ctx context.Context, token, verifierClientID, projectID string) (userID, agentID, clientID, prefLang, resourceOwner string, err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() activeToken, err := repo.Query.ActiveAccessTokenByToken(ctx, token) if err != nil { - return "", "", "", err + return "", "", "", "", "", err } if activeToken.Actor != nil { - return "", "", "", zerrors.ThrowPermissionDenied(nil, "APP-Shi0J", "Errors.TokenExchange.Token.NotForAPI") + return "", "", "", "", "", zerrors.ThrowPermissionDenied(nil, "APP-Shi0J", "Errors.TokenExchange.Token.NotForAPI") } if err = verifyAudience(activeToken.Audience, verifierClientID, projectID); err != nil { - return "", "", "", err + return "", "", "", "", "", err } if err = repo.checkAuthentication(ctx, activeToken.AuthMethods, activeToken.UserID); err != nil { - return "", "", "", err + return "", "", "", "", "", err } - return activeToken.UserID, activeToken.ClientID, activeToken.ResourceOwner, nil + prefLang = gu.Value(activeToken.PreferredLanguage).String() + agentID = gu.Value(gu.Value(activeToken.UserAgent).FingerprintID) + + return activeToken.UserID, agentID, activeToken.ClientID, prefLang, activeToken.ResourceOwner, nil } func (repo *TokenVerifierRepo) verifySessionToken(ctx context.Context, sessionID, token string) (userID, clientID, resourceOwner string, err error) { @@ -169,7 +172,7 @@ func (repo *TokenVerifierRepo) verifySessionToken(ctx context.Context, sessionID } // checkAuthentication ensures the session or token was authenticated (at least a single [domain.UserAuthMethodType]). -// It will also check if there was a multi factor authentication, if either MFA is forced by the login policy or if the user has set up any +// It will also check if there was a multi factor authentication, if either MFA is forced by the login policy or if the user has set up any second factor func (repo *TokenVerifierRepo) checkAuthentication(ctx context.Context, authMethods []domain.UserAuthMethodType, userID string) error { if len(authMethods) == 0 { return zerrors.ThrowPermissionDenied(nil, "AUTHZ-Kl3p0", "authentication required") @@ -177,11 +180,18 @@ func (repo *TokenVerifierRepo) checkAuthentication(ctx context.Context, authMeth if domain.HasMFA(authMethods) { return nil } - availableAuthMethods, forceMFA, forceMFALocalOnly, err := repo.Query.ListUserAuthMethodTypesRequired(setCallerCtx(ctx, userID), userID) + requirements, err := repo.Query.ListUserAuthMethodTypesRequired(setCallerCtx(ctx, userID), userID) if err != nil { return err } - if domain.RequiresMFA(forceMFA, forceMFALocalOnly, hasIDPAuthentication(authMethods)) || domain.HasMFA(availableAuthMethods) { + if requirements.UserType == domain.UserTypeMachine { + return nil + } + if domain.RequiresMFA( + requirements.ForceMFA, + requirements.ForceMFALocalOnly, + !hasIDPAuthentication(authMethods)) || + domain.Has2FA(requirements.AuthMethods) { return zerrors.ThrowPermissionDenied(nil, "AUTHZ-Kl3p0", "mfa required") } return nil diff --git a/internal/command/action_v2_execution.go b/internal/command/action_v2_execution.go index 422e053daf..7fb08a4a32 100644 --- a/internal/command/action_v2_execution.go +++ b/internal/command/action_v2_execution.go @@ -216,7 +216,9 @@ func (e *SetExecution) Existing(c *Commands, ctx context.Context, resourceOwner if len(includes) > 0 && !c.existsExecutionsByIDs(ctx, includes, resourceOwner) { return zerrors.ThrowNotFound(nil, "COMMAND-slgj0l4cdz", "Errors.Execution.IncludeNotFound") } - return nil + get, set := createIncludeCacheFunctions() + // maxLevels could be configurable, but set as 3 for now + return checkForIncludeCircular(ctx, e.AggregateID, resourceOwner, includes, c.getExecutionIncludes(get, set), 3) } func (c *Commands) setExecution(ctx context.Context, set *SetExecution, resourceOwner string) (_ *domain.ObjectDetails, err error) { @@ -309,3 +311,75 @@ func (c *Commands) getExecutionWriteModelByID(ctx context.Context, id string, re } return wm, nil } + +func createIncludeCacheFunctions() (func(s string) ([]string, bool), func(s string, strings []string)) { + tempCache := make(map[string][]string) + return func(s string) ([]string, bool) { + include, ok := tempCache[s] + return include, ok + }, func(s string, strings []string) { + tempCache[s] = strings + } +} + +type includeCacheFunc func(ctx context.Context, id string, resourceOwner string) ([]string, error) + +func checkForIncludeCircular(ctx context.Context, id string, resourceOwner string, includes []string, cache includeCacheFunc, maxLevels int) error { + if len(includes) == 0 { + return nil + } + level := 0 + for _, include := range includes { + if id == include { + return zerrors.ThrowPreconditionFailed(nil, "COMMAND-mo1cmjp5k7", "Errors.Execution.CircularInclude") + } + if err := checkForIncludeCircularRecur(ctx, []string{id}, resourceOwner, include, cache, maxLevels, level); err != nil { + return err + } + } + return nil +} + +func (c *Commands) getExecutionIncludes( + getCache func(string) ([]string, bool), + setCache func(string, []string), +) includeCacheFunc { + return func(ctx context.Context, id string, resourceOwner string) ([]string, error) { + included, ok := getCache(id) + if !ok { + included, err := c.getExecutionWriteModelByID(ctx, id, resourceOwner) + if err != nil { + return nil, err + } + includes := included.IncludeList() + setCache(id, includes) + return includes, nil + } + return included, nil + } +} + +func checkForIncludeCircularRecur(ctx context.Context, ids []string, resourceOwner string, include string, cache includeCacheFunc, maxLevels, level int) error { + included, err := cache(ctx, include, resourceOwner) + if err != nil { + return err + } + currentLevel := level + 1 + if currentLevel >= maxLevels { + return zerrors.ThrowPreconditionFailed(nil, "COMMAND-gbhd3g57oo", "Errors.Execution.MaxLevelsInclude") + } + for _, includedInclude := range included { + if include == includedInclude { + return zerrors.ThrowPreconditionFailed(nil, "COMMAND-iuch02i656", "Errors.Execution.CircularInclude") + } + for _, id := range ids { + if includedInclude == id { + return zerrors.ThrowPreconditionFailed(nil, "COMMAND-819opvhgjv", "Errors.Execution.CircularInclude") + } + } + if err := checkForIncludeCircularRecur(ctx, append(ids, include), resourceOwner, includedInclude, cache, maxLevels, currentLevel); err != nil { + return err + } + } + return nil +} diff --git a/internal/command/action_v2_execution_model.go b/internal/command/action_v2_execution_model.go index c53992856e..30cab0f56e 100644 --- a/internal/command/action_v2_execution_model.go +++ b/internal/command/action_v2_execution_model.go @@ -3,6 +3,7 @@ package command import ( "slices" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/repository/execution" ) @@ -15,6 +16,16 @@ type ExecutionWriteModel struct { ExecutionTargets []*execution.Target } +func (e *ExecutionWriteModel) IncludeList() []string { + includes := make([]string, 0) + for i := range e.ExecutionTargets { + if e.ExecutionTargets[i].Type == domain.ExecutionTargetTypeInclude { + includes = append(includes, e.ExecutionTargets[i].Target) + } + } + return includes +} + func (e *ExecutionWriteModel) Exists() bool { return len(e.ExecutionTargets) > 0 || len(e.Includes) > 0 || len(e.Targets) > 0 } diff --git a/internal/command/action_v2_execution_test.go b/internal/command/action_v2_execution_test.go index c8f91f49b2..5a9c0ecb1d 100644 --- a/internal/command/action_v2_execution_test.go +++ b/internal/command/action_v2_execution_test.go @@ -348,6 +348,16 @@ func TestCommands_SetExecutionRequest(t *testing.T) { "push ok, method include", fields{ eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + execution.NewSetEventV2(context.Background(), + execution.NewAggregate("request/include", "instance"), + []*execution.Target{ + {Type: domain.ExecutionTargetTypeTarget, Target: "target"}, + }, + ), + ), + ), expectFilter( eventFromEventPusher( execution.NewSetEventV2(context.Background(), @@ -419,6 +429,16 @@ func TestCommands_SetExecutionRequest(t *testing.T) { "push ok, service include", fields{ eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + execution.NewSetEventV2(context.Background(), + execution.NewAggregate("request/include", "instance"), + []*execution.Target{ + {Type: domain.ExecutionTargetTypeTarget, Target: "target"}, + }, + ), + ), + ), expectFilter( eventFromEventPusher( execution.NewSetEventV2(context.Background(), @@ -489,6 +509,16 @@ func TestCommands_SetExecutionRequest(t *testing.T) { "push ok, all include", fields{ eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + execution.NewSetEventV2(context.Background(), + execution.NewAggregate("request/include", "instance"), + []*execution.Target{ + {Type: domain.ExecutionTargetTypeTarget, Target: "target"}, + }, + ), + ), + ), expectFilter( eventFromEventPusher( execution.NewSetEventV2(context.Background(), @@ -2373,3 +2403,470 @@ func TestCommands_DeleteExecutionFunction(t *testing.T) { }) } } + +func mockExecutionIncludesCache(cache map[string][]string) includeCacheFunc { + return func(ctx context.Context, id string, resourceOwner string) ([]string, error) { + included, ok := cache[id] + if !ok { + return nil, zerrors.ThrowPreconditionFailed(nil, "", "cache failed") + } + return included, nil + } +} + +func TestCommands_checkForIncludeCircular(t *testing.T) { + type args struct { + ctx context.Context + id string + resourceOwner string + includes []string + cache map[string][]string + } + type res struct { + err func(error) bool + } + tests := []struct { + name string + args args + res res + }{ + { + "not found, error", + args{ + ctx: context.Background(), + id: "id", + resourceOwner: "", + includes: []string{"notexistent"}, + cache: map[string][]string{}, + }, + res{ + err: zerrors.IsPreconditionFailed, + }, + }, + { + "single, ok", + args{ + ctx: context.Background(), + id: "id1", + resourceOwner: "", + includes: []string{"id2"}, + cache: map[string][]string{ + "id2": {}, + }, + }, + res{}, + }, + { + "single, circular", + args{ + ctx: context.Background(), + id: "id1", + resourceOwner: "", + includes: []string{"id1"}, + cache: map[string][]string{}, + }, + res{ + err: zerrors.IsPreconditionFailed, + }, + }, + { + "multi 3, ok", + args{ + ctx: context.Background(), + id: "id1", + resourceOwner: "", + includes: []string{"id2"}, + cache: map[string][]string{ + "id2": {"id3"}, + "id3": {}, + }, + }, + res{}, + }, + { + "multi 3, circular", + args{ + ctx: context.Background(), + id: "id1", + resourceOwner: "", + includes: []string{"id2"}, + cache: map[string][]string{ + "id2": {"id3"}, + "id3": {"id1"}, + }, + }, + res{ + err: zerrors.IsPreconditionFailed, + }, + }, + { + "multi 5, ok", + args{ + ctx: context.Background(), + id: "id1", + resourceOwner: "", + includes: []string{"id11", "id12"}, + cache: map[string][]string{ + "id11": {"id21", "id23"}, + "id12": {"id22"}, + "id21": {}, + "id22": {}, + "id23": {}, + }, + }, + res{}, + }, + { + "multi 5, circular", + args{ + ctx: context.Background(), + id: "id1", + resourceOwner: "", + includes: []string{"id11", "id12"}, + cache: map[string][]string{ + "id11": {"id21", "id23"}, + "id12": {"id22"}, + "id21": {}, + "id22": {}, + "id23": {"id1"}, + }, + }, + res{ + err: zerrors.IsPreconditionFailed, + }, + }, + { + "multi 5, circular", + args{ + ctx: context.Background(), + id: "id1", + resourceOwner: "", + includes: []string{"id11", "id12"}, + cache: map[string][]string{ + "id11": {"id21", "id23"}, + "id12": {"id22"}, + "id21": {}, + "id22": {}, + "id23": {"id11"}, + }, + }, + res{ + err: zerrors.IsPreconditionFailed, + }, + }, + { + "multi 5, circular", + args{ + ctx: context.Background(), + id: "id1", + resourceOwner: "", + includes: []string{"id11", "id12"}, + cache: map[string][]string{ + "id11": {"id21", "id23"}, + "id12": {"id22"}, + "id21": {"id11"}, + "id22": {}, + "id23": {}, + }, + }, + res{ + err: zerrors.IsPreconditionFailed, + }, + }, + { + "multi 5, circular", + args{ + ctx: context.Background(), + id: "id1", + resourceOwner: "", + includes: []string{"id11", "id12"}, + cache: map[string][]string{ + "id11": {"id21", "id23"}, + "id12": {"id22"}, + "id21": {}, + "id22": {"id12"}, + "id23": {}, + }, + }, + res{ + err: zerrors.IsPreconditionFailed, + }, + }, + { + "multi 3, maxlevel", + args{ + ctx: context.Background(), + id: "id1", + resourceOwner: "", + includes: []string{"id2"}, + cache: map[string][]string{ + "id2": {"id3"}, + "id3": {}, + }, + }, + res{}, + }, + { + "multi 4, over maxlevel", + args{ + ctx: context.Background(), + id: "id1", + resourceOwner: "", + includes: []string{"id2"}, + cache: map[string][]string{ + "id2": {"id3"}, + "id3": {"id4"}, + "id4": {}, + }, + }, + res{ + err: zerrors.IsPreconditionFailed, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + f := mockExecutionIncludesCache(tt.args.cache) + err := checkForIncludeCircular(tt.args.ctx, tt.args.id, tt.args.resourceOwner, tt.args.includes, f, 3) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + }) + } +} + +func mockExecutionIncludesCacheFuncs(cache map[string][]string) (func(string) ([]string, bool), func(string, []string)) { + return func(s string) ([]string, bool) { + includes, ok := cache[s] + return includes, ok + }, func(s string, strings []string) { + cache[s] = strings + } +} + +func TestCommands_getExecutionIncludes(t *testing.T) { + type fields struct { + eventstore func(t *testing.T) *eventstore.Eventstore + } + type args struct { + ctx context.Context + cache map[string][]string + id string + resourceOwner string + } + type res struct { + includes []string + cache map[string][]string + err func(error) bool + } + tests := []struct { + name string + fields fields + args args + res res + }{ + { + "new empty, ok", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + execution.NewSetEventV2(context.Background(), + execution.NewAggregate("request/include", "instance"), + []*execution.Target{ + {Type: domain.ExecutionTargetTypeTarget, Target: "target"}, + }, + ), + ), + ), + ), + }, + args{ + ctx: context.Background(), + cache: map[string][]string{}, + id: "id", + resourceOwner: "instance", + }, + res{ + includes: []string{}, + cache: map[string][]string{"id": {}}, + }, + }, + { + "new includes, ok", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + execution.NewSetEventV2(context.Background(), + execution.NewAggregate("request/include", "instance"), + []*execution.Target{ + {Type: domain.ExecutionTargetTypeInclude, Target: "include"}, + }, + ), + ), + ), + ), + }, + args{ + ctx: context.Background(), + cache: map[string][]string{}, + id: "id", + resourceOwner: "instance", + }, + res{ + includes: []string{"include"}, + cache: map[string][]string{"id": {"include"}}, + }, + }, + { + "found, ok", + fields{ + eventstore: expectEventstore(), + }, + args{ + ctx: context.Background(), + cache: map[string][]string{"id": nil}, + id: "id", + resourceOwner: "instance", + }, + res{ + includes: nil, + cache: map[string][]string{"id": nil}, + }, + }, + { + "found includes, ok", + fields{ + eventstore: expectEventstore(), + }, + args{ + ctx: context.Background(), + cache: map[string][]string{"id": {"include1", "include2", "include3"}}, + id: "id", + resourceOwner: "instance", + }, + res{ + includes: []string{"include1", "include2", "include3"}, + cache: map[string][]string{"id": {"include1", "include2", "include3"}}, + }, + }, + { + "found multiple, ok", + fields{ + eventstore: expectEventstore(), + }, + args{ + ctx: context.Background(), + cache: map[string][]string{ + "id1": {"include1", "include2", "include3"}, + "id2": {"include1", "include2", "include3"}, + "id3": {"include1", "include2", "include3"}, + }, + id: "id2", + resourceOwner: "instance", + }, + res{ + includes: []string{"include1", "include2", "include3"}, + cache: map[string][]string{ + "id1": {"include1", "include2", "include3"}, + "id2": {"include1", "include2", "include3"}, + "id3": {"include1", "include2", "include3"}, + }, + }, + }, + { + "new multiple, ok", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + execution.NewSetEventV2(context.Background(), + execution.NewAggregate("request/include", "instance"), + []*execution.Target{ + {Type: domain.ExecutionTargetTypeTarget, Target: "target"}, + }, + ), + ), + ), + ), + }, + args{ + ctx: context.Background(), + cache: map[string][]string{ + "id1": {"include1", "include2", "include3"}, + "id2": {"include1", "include2", "include3"}, + "id3": {"include1", "include2", "include3"}, + }, + id: "id", + resourceOwner: "instance", + }, + res{ + includes: []string{}, + cache: map[string][]string{ + "id1": {"include1", "include2", "include3"}, + "id2": {"include1", "include2", "include3"}, + "id3": {"include1", "include2", "include3"}, + "id": {}, + }, + }, + }, + { + "new multiple includes, ok", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + execution.NewSetEventV2(context.Background(), + execution.NewAggregate("request/include", "instance"), + []*execution.Target{ + {Type: domain.ExecutionTargetTypeInclude, Target: "include"}, + }, + ), + ), + ), + ), + }, + args{ + ctx: context.Background(), + cache: map[string][]string{ + "id1": {"include1", "include2", "include3"}, + "id2": {"include1", "include2", "include3"}, + "id3": {"include1", "include2", "include3"}, + }, + id: "id", + resourceOwner: "instance", + }, + res{ + includes: []string{"include"}, + cache: map[string][]string{ + "id1": {"include1", "include2", "include3"}, + "id2": {"include1", "include2", "include3"}, + "id3": {"include1", "include2", "include3"}, + "id": {"include"}, + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + c := &Commands{ + eventstore: tt.fields.eventstore(t), + } + includes, err := c.getExecutionIncludes(mockExecutionIncludesCacheFuncs(tt.args.cache))(tt.args.ctx, tt.args.id, tt.args.resourceOwner) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + if tt.res.err == nil { + assert.Equal(t, tt.res.cache, tt.args.cache) + assert.Equal(t, tt.res.includes, includes) + } + }) + } +} diff --git a/internal/command/auth_request.go b/internal/command/auth_request.go index 1a24e75b5c..2acf08bf4f 100644 --- a/internal/command/auth_request.go +++ b/internal/command/auth_request.go @@ -12,21 +12,22 @@ import ( ) type AuthRequest struct { - ID string - LoginClient string - ClientID string - RedirectURI string - State string - Nonce string - Scope []string - Audience []string - ResponseType domain.OIDCResponseType - CodeChallenge *domain.OIDCCodeChallenge - Prompt []domain.Prompt - UILocales []string - MaxAge *time.Duration - LoginHint *string - HintUserID *string + ID string + LoginClient string + ClientID string + RedirectURI string + State string + Nonce string + Scope []string + Audience []string + ResponseType domain.OIDCResponseType + CodeChallenge *domain.OIDCCodeChallenge + Prompt []domain.Prompt + UILocales []string + MaxAge *time.Duration + LoginHint *string + HintUserID *string + NeedRefreshToken bool } type CurrentAuthRequest struct { @@ -69,6 +70,7 @@ func (c *Commands) AddAuthRequest(ctx context.Context, authRequest *AuthRequest) authRequest.MaxAge, authRequest.LoginHint, authRequest.HintUserID, + authRequest.NeedRefreshToken, )) if err != nil { return nil, err @@ -148,25 +150,6 @@ func (c *Commands) AddAuthRequestCode(ctx context.Context, authRequestID, code s &authrequest.NewAggregate(writeModel.AggregateID, authz.GetInstance(ctx).InstanceID()).Aggregate)) } -func (c *Commands) ExchangeAuthCode(ctx context.Context, code string) (authRequest *CurrentAuthRequest, err error) { - if code == "" { - return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sf3g2", "Errors.AuthRequest.InvalidCode") - } - writeModel, err := c.getAuthRequestWriteModel(ctx, code) - if err != nil { - return nil, err - } - if writeModel.AuthRequestState != domain.AuthRequestStateCodeAdded { - return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-SFwd2", "Errors.AuthRequest.NoCode") - } - err = c.pushAppendAndReduce(ctx, writeModel, authrequest.NewCodeExchangedEvent(ctx, - &authrequest.NewAggregate(writeModel.AggregateID, authz.GetInstance(ctx).InstanceID()).Aggregate)) - if err != nil { - return nil, err - } - return authRequestWriteModelToCurrentAuthRequest(writeModel), nil -} - func authRequestWriteModelToCurrentAuthRequest(writeModel *AuthRequestWriteModel) (_ *CurrentAuthRequest) { return &CurrentAuthRequest{ AuthRequest: &AuthRequest{ diff --git a/internal/command/auth_request_model.go b/internal/command/auth_request_model.go index 235477f627..6390eb7235 100644 --- a/internal/command/auth_request_model.go +++ b/internal/command/auth_request_model.go @@ -34,6 +34,7 @@ type AuthRequestWriteModel struct { AuthTime time.Time AuthMethods []domain.UserAuthMethodType AuthRequestState domain.AuthRequestState + NeedRefreshToken bool } func NewAuthRequestWriteModel(ctx context.Context, id string) *AuthRequestWriteModel { @@ -64,6 +65,7 @@ func (m *AuthRequestWriteModel) Reduce() error { m.LoginHint = e.LoginHint m.HintUserID = e.HintUserID m.AuthRequestState = domain.AuthRequestStateAdded + m.NeedRefreshToken = e.NeedRefreshToken case *authrequest.SessionLinkedEvent: m.SessionID = e.SessionID m.UserID = e.UserID diff --git a/internal/command/auth_request_test.go b/internal/command/auth_request_test.go index a70a592bb0..92b90e3e24 100644 --- a/internal/command/auth_request_test.go +++ b/internal/command/auth_request_test.go @@ -10,6 +10,7 @@ import ( "github.com/muhlemmer/gu" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "golang.org/x/text/language" "github.com/zitadel/zitadel/internal/api/authz" "github.com/zitadel/zitadel/internal/domain" @@ -59,6 +60,7 @@ func TestCommands_AddAuthRequest(t *testing.T) { nil, nil, nil, + false, ), ), ), @@ -96,6 +98,7 @@ func TestCommands_AddAuthRequest(t *testing.T) { gu.Ptr(time.Duration(0)), gu.Ptr("loginHint"), gu.Ptr("hintUserID"), + false, ), ), ), @@ -223,6 +226,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { nil, nil, nil, + true, ), ), eventFromEventPusher( @@ -263,6 +267,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { nil, nil, nil, + true, ), ), ), @@ -301,6 +306,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { nil, nil, nil, + true, ), ), ), @@ -338,6 +344,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { nil, nil, nil, + true, ), ), ), @@ -354,7 +361,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { )), eventFromEventPusher( session.NewUserCheckedEvent(mockCtx, &session.NewAggregate("sessionID", "instance1").Aggregate, - "userID", "org1", testNow.Add(-5*time.Minute)), + "userID", "org1", testNow.Add(-5*time.Minute), &language.Afrikaans), ), eventFromEventPusher( session.NewPasswordCheckedEvent(mockCtx, &session.NewAggregate("sessionID", "instance1").Aggregate, @@ -398,6 +405,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { nil, nil, nil, + true, ), ), ), @@ -447,6 +455,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { nil, nil, nil, + true, ), ), ), @@ -463,7 +472,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { )), eventFromEventPusher( session.NewUserCheckedEvent(mockCtx, &session.NewAggregate("sessionID", "instance1").Aggregate, - "userID", "org1", testNow), + "userID", "org1", testNow, &language.Afrikaans), ), eventFromEventPusher( session.NewPasswordCheckedEvent(mockCtx, &session.NewAggregate("sessionID", "instance1").Aggregate, @@ -532,6 +541,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { nil, nil, nil, + true, ), ), ), @@ -548,7 +558,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { )), eventFromEventPusher( session.NewUserCheckedEvent(mockCtx, &session.NewAggregate("sessionID", "instance1").Aggregate, - "userID", "org1", testNow), + "userID", "org1", testNow, &language.Afrikaans), ), eventFromEventPusher( session.NewPasswordCheckedEvent(mockCtx, &session.NewAggregate("sessionID", "instance1").Aggregate, @@ -674,6 +684,7 @@ func TestCommands_FailAuthRequest(t *testing.T) { nil, nil, nil, + true, ), ), ), @@ -771,6 +782,7 @@ func TestCommands_AddAuthRequestCode(t *testing.T) { gu.Ptr(time.Duration(0)), gu.Ptr("loginHint"), gu.Ptr("hintUserID"), + true, ), ), ), @@ -807,6 +819,7 @@ func TestCommands_AddAuthRequestCode(t *testing.T) { gu.Ptr(time.Duration(0)), gu.Ptr("loginHint"), gu.Ptr("hintUserID"), + true, ), ), eventFromEventPusher( @@ -841,166 +854,3 @@ func TestCommands_AddAuthRequestCode(t *testing.T) { }) } } - -func TestCommands_ExchangeAuthCode(t *testing.T) { - mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient") - type fields struct { - eventstore *eventstore.Eventstore - } - type args struct { - ctx context.Context - code string - } - type res struct { - authRequest *CurrentAuthRequest - err error - } - tests := []struct { - name string - fields fields - args args - res res - }{ - { - "empty code error", - fields{ - eventstore: eventstoreExpect(t), - }, - args{ - ctx: mockCtx, - code: "", - }, - res{ - err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sf3g2", "Errors.AuthRequest.InvalidCode"), - }, - }, - { - "no code added error", - fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusher( - authrequest.NewAddedEvent(mockCtx, &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, - "loginClient", - "clientID", - "redirectURI", - "state", - "nonce", - []string{"openid"}, - []string{"audience"}, - domain.OIDCResponseTypeCode, - &domain.OIDCCodeChallenge{ - Challenge: "challenge", - Method: domain.CodeChallengeMethodS256, - }, - []domain.Prompt{domain.PromptNone}, - []string{"en", "de"}, - gu.Ptr(time.Duration(0)), - gu.Ptr("loginHint"), - gu.Ptr("hintUserID"), - ), - ), - ), - ), - }, - args{ - ctx: mockCtx, - code: "V2_authRequestID", - }, - res{ - err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-SFwd2", "Errors.AuthRequest.NoCode"), - }, - }, - { - "code exchanged", - fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusher( - authrequest.NewAddedEvent(mockCtx, &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, - "loginClient", - "clientID", - "redirectURI", - "state", - "nonce", - []string{"openid"}, - []string{"audience"}, - domain.OIDCResponseTypeCode, - &domain.OIDCCodeChallenge{ - Challenge: "challenge", - Method: domain.CodeChallengeMethodS256, - }, - []domain.Prompt{domain.PromptNone}, - []string{"en", "de"}, - gu.Ptr(time.Duration(0)), - gu.Ptr("loginHint"), - gu.Ptr("hintUserID"), - ), - ), - eventFromEventPusher( - authrequest.NewSessionLinkedEvent(mockCtx, &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, - "sessionID", - "userID", - testNow, - []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, - ), - ), - eventFromEventPusher( - authrequest.NewCodeAddedEvent(mockCtx, &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), - ), - ), - expectPush( - authrequest.NewCodeExchangedEvent(mockCtx, &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), - ), - ), - }, - args{ - ctx: mockCtx, - code: "V2_authRequestID", - }, - res{ - authRequest: &CurrentAuthRequest{ - AuthRequest: &AuthRequest{ - ID: "V2_authRequestID", - LoginClient: "loginClient", - ClientID: "clientID", - RedirectURI: "redirectURI", - State: "state", - Nonce: "nonce", - Scope: []string{"openid"}, - Audience: []string{"audience"}, - ResponseType: domain.OIDCResponseTypeCode, - CodeChallenge: &domain.OIDCCodeChallenge{ - Challenge: "challenge", - Method: domain.CodeChallengeMethodS256, - }, - Prompt: []domain.Prompt{domain.PromptNone}, - UILocales: []string{"en", "de"}, - MaxAge: gu.Ptr(time.Duration(0)), - LoginHint: gu.Ptr("loginHint"), - HintUserID: gu.Ptr("hintUserID"), - }, - SessionID: "sessionID", - UserID: "userID", - AuthMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - c := &Commands{ - eventstore: tt.fields.eventstore, - } - got, err := c.ExchangeAuthCode(tt.args.ctx, tt.args.code) - assert.ErrorIs(t, tt.res.err, err) - - if err == nil { - // equal on time won't work -> test separately and clear it before comparing the rest - assert.WithinRange(t, got.AuthTime, testNow, testNow) - got.AuthTime = time.Time{} - } - assert.Equal(t, tt.res.authRequest, got) - }) - } -} diff --git a/internal/command/command.go b/internal/command/command.go index 8d77be765e..d8e6cfb7cf 100644 --- a/internal/command/command.go +++ b/internal/command/command.go @@ -82,6 +82,8 @@ type Commands struct { ActionFunctionExisting func(function string) bool EventExisting func(event string) bool EventGroupExisting func(group string) bool + + GenerateDomain func(instanceName, domain string) (string, error) } func StartCommands( @@ -168,6 +170,7 @@ func StartCommands( Issuer: defaults.Multifactors.OTP.Issuer, }, }, + GenerateDomain: domain.NewGeneratedInstanceDomain, } if defaultSecretGenerators != nil && defaultSecretGenerators.ClientSecret != nil { diff --git a/internal/command/device_auth.go b/internal/command/device_auth.go index fe8b131071..67e42b7637 100644 --- a/internal/command/device_auth.go +++ b/internal/command/device_auth.go @@ -2,16 +2,20 @@ package command import ( "context" + "fmt" "time" + "golang.org/x/text/language" + "github.com/zitadel/zitadel/internal/api/authz" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/repository/deviceauth" + "github.com/zitadel/zitadel/internal/telemetry/tracing" "github.com/zitadel/zitadel/internal/zerrors" ) -func (c *Commands) AddDeviceAuth(ctx context.Context, clientID, deviceCode, userCode string, expires time.Time, scopes, audience []string) (*domain.ObjectDetails, error) { +func (c *Commands) AddDeviceAuth(ctx context.Context, clientID, deviceCode, userCode string, expires time.Time, scopes, audience []string, needRefreshToken bool) (*domain.ObjectDetails, error) { aggr := deviceauth.NewAggregate(deviceCode, authz.GetInstance(ctx).InstanceID()) model := NewDeviceAuthWriteModel(deviceCode, aggr.ResourceOwner) @@ -24,6 +28,7 @@ func (c *Commands) AddDeviceAuth(ctx context.Context, clientID, deviceCode, user expires, scopes, audience, + needRefreshToken, )) if err != nil { return nil, err @@ -36,7 +41,16 @@ func (c *Commands) AddDeviceAuth(ctx context.Context, clientID, deviceCode, user return writeModelToObjectDetails(&model.WriteModel), nil } -func (c *Commands) ApproveDeviceAuth(ctx context.Context, deviceCode, subject string, authMethods []domain.UserAuthMethodType, authTime time.Time) (*domain.ObjectDetails, error) { +func (c *Commands) ApproveDeviceAuth( + ctx context.Context, + deviceCode, + userID, + userOrgID string, + authMethods []domain.UserAuthMethodType, + authTime time.Time, + preferredLanguage *language.Tag, + userAgent *domain.UserAgent, +) (*domain.ObjectDetails, error) { model, err := c.getDeviceAuthWriteModelByDeviceCode(ctx, deviceCode) if err != nil { return nil, err @@ -44,9 +58,7 @@ func (c *Commands) ApproveDeviceAuth(ctx context.Context, deviceCode, subject st if !model.State.Exists() { return nil, zerrors.ThrowNotFound(nil, "COMMAND-Hief9", "Errors.DeviceAuth.NotFound") } - aggr := deviceauth.NewAggregate(model.AggregateID, model.InstanceID) - - pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewApprovedEvent(ctx, aggr, subject, authMethods, authTime)) + pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewApprovedEvent(ctx, model.aggregate, userID, userOrgID, authMethods, authTime, preferredLanguage, userAgent)) if err != nil { return nil, err } @@ -66,9 +78,7 @@ func (c *Commands) CancelDeviceAuth(ctx context.Context, id string, reason domai if !model.State.Exists() { return nil, zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound") } - aggr := deviceauth.NewAggregate(model.AggregateID, model.InstanceID) - - pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewCanceledEvent(ctx, aggr, reason)) + pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewCanceledEvent(ctx, model.aggregate, reason)) if err != nil { return nil, err } @@ -81,10 +91,89 @@ func (c *Commands) CancelDeviceAuth(ctx context.Context, id string, reason domai } func (c *Commands) getDeviceAuthWriteModelByDeviceCode(ctx context.Context, deviceCode string) (*DeviceAuthWriteModel, error) { - model := &DeviceAuthWriteModel{WriteModel: eventstore.WriteModel{AggregateID: deviceCode}} + model := &DeviceAuthWriteModel{ + WriteModel: eventstore.WriteModel{AggregateID: deviceCode}, + } err := c.eventstore.FilterToQueryReducer(ctx, model) if err != nil { return nil, err } + model.aggregate = deviceauth.NewAggregate(model.AggregateID, model.InstanceID) return model, nil } + +type DeviceAuthStateError domain.DeviceAuthState + +func (e DeviceAuthStateError) Error() string { + return fmt.Sprintf("device auth state not approved: %s", domain.DeviceAuthState(e).String()) +} + +// CreateOIDCSessionFromDeviceAuth creates a new OIDC session if the device authorization +// flow is completed (user logged in). +// A [DeviceAuthStateError] is returned if the device authorization was not approved, +// containing a [domain.DeviceAuthState] which can be used to inform the client about the state. +// +// As devices can poll at various intervals, an explicit state takes precedence over expiry. +// This is to prevent cases where users might approve or deny the authorization on time, but the next poll +// happens after expiry. +func (c *Commands) CreateOIDCSessionFromDeviceAuth(ctx context.Context, deviceCode string) (_ *OIDCSession, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + deviceAuthModel, err := c.getDeviceAuthWriteModelByDeviceCode(ctx, deviceCode) + if err != nil { + return nil, err + } + + switch deviceAuthModel.State { + case domain.DeviceAuthStateApproved: + break + case domain.DeviceAuthStateUndefined: + return nil, zerrors.ThrowNotFound(nil, "COMMAND-ua1Vo", "Errors.DeviceAuth.NotFound") + + case domain.DeviceAuthStateInitiated: + if deviceAuthModel.Expires.Before(time.Now()) { + c.asyncPush(ctx, deviceauth.NewCanceledEvent(ctx, deviceAuthModel.aggregate, domain.DeviceAuthCanceledExpired)) + return nil, DeviceAuthStateError(domain.DeviceAuthStateExpired) + } + fallthrough + case domain.DeviceAuthStateDenied, domain.DeviceAuthStateExpired, domain.DeviceAuthStateDone: + fallthrough + default: + return nil, DeviceAuthStateError(deviceAuthModel.State) + } + + cmd, err := c.newOIDCSessionAddEvents(ctx, deviceAuthModel.UserOrgID) + if err != nil { + return nil, err + } + + cmd.AddSession(ctx, + deviceAuthModel.UserID, + deviceAuthModel.UserOrgID, + "", + deviceAuthModel.ClientID, + deviceAuthModel.Audience, + deviceAuthModel.Scopes, + deviceAuthModel.UserAuthMethods, + deviceAuthModel.AuthTime, + "", + deviceAuthModel.PreferredLanguage, + deviceAuthModel.UserAgent, + ) + if err = cmd.AddAccessToken(ctx, deviceAuthModel.Scopes, deviceAuthModel.UserID, deviceAuthModel.UserOrgID, domain.TokenReasonAuthRequest, nil); err != nil { + return nil, err + } + + if deviceAuthModel.NeedRefreshToken { + if err = cmd.AddRefreshToken(ctx, deviceAuthModel.UserID); err != nil { + return nil, err + } + } + cmd.DeviceAuthRequestDone(ctx, deviceAuthModel.aggregate) + return cmd.PushEvents(ctx) +} + +func (cmd *OIDCSessionEvents) DeviceAuthRequestDone(ctx context.Context, deviceAuthAggregate *eventstore.Aggregate) { + cmd.events = append(cmd.events, deviceauth.NewDoneEvent(ctx, deviceAuthAggregate)) +} diff --git a/internal/command/device_auth_model.go b/internal/command/device_auth_model.go index 69a457c514..a97b8b8529 100644 --- a/internal/command/device_auth_model.go +++ b/internal/command/device_auth_model.go @@ -3,6 +3,8 @@ package command import ( "time" + "golang.org/x/text/language" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/repository/deviceauth" @@ -10,16 +12,22 @@ import ( type DeviceAuthWriteModel struct { eventstore.WriteModel + aggregate *eventstore.Aggregate - ClientID string - DeviceCode string - UserCode string - Expires time.Time - Scopes []string - State domain.DeviceAuthState - Subject string - UserAuthMethods []domain.UserAuthMethodType - AuthTime time.Time + ClientID string + DeviceCode string + UserCode string + Expires time.Time + Scopes []string + Audience []string + State domain.DeviceAuthState + UserID string + UserOrgID string + UserAuthMethods []domain.UserAuthMethodType + AuthTime time.Time + PreferredLanguage *language.Tag + UserAgent *domain.UserAgent + NeedRefreshToken bool } func NewDeviceAuthWriteModel(deviceCode, resourceOwner string) *DeviceAuthWriteModel { @@ -28,6 +36,7 @@ func NewDeviceAuthWriteModel(deviceCode, resourceOwner string) *DeviceAuthWriteM AggregateID: deviceCode, ResourceOwner: resourceOwner, }, + aggregate: deviceauth.NewAggregate(deviceCode, resourceOwner), } } @@ -40,14 +49,21 @@ func (m *DeviceAuthWriteModel) Reduce() error { m.UserCode = e.UserCode m.Expires = e.Expires m.Scopes = e.Scopes + m.Audience = e.Audience m.State = e.State + m.NeedRefreshToken = e.NeedRefreshToken case *deviceauth.ApprovedEvent: m.State = domain.DeviceAuthStateApproved - m.Subject = e.Subject + m.UserID = e.UserID + m.UserOrgID = e.UserOrgID m.UserAuthMethods = e.UserAuthMethods m.AuthTime = e.AuthTime + m.PreferredLanguage = e.PreferredLanguage + m.UserAgent = e.UserAgent case *deviceauth.CanceledEvent: m.State = e.Reason.State() + case *deviceauth.DoneEvent: + m.State = domain.DeviceAuthStateDone } } diff --git a/internal/command/device_auth_test.go b/internal/command/device_auth_test.go index a6f3ff9389..3191e8dce9 100644 --- a/internal/command/device_auth_test.go +++ b/internal/command/device_auth_test.go @@ -3,16 +3,27 @@ package command import ( "context" "errors" + "io" + "net" + "net/http" "testing" "time" + "github.com/muhlemmer/gu" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "go.uber.org/mock/gomock" + "golang.org/x/text/language" "github.com/zitadel/zitadel/internal/api/authz" + "github.com/zitadel/zitadel/internal/crypto" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" + "github.com/zitadel/zitadel/internal/id" + "github.com/zitadel/zitadel/internal/id/mock" "github.com/zitadel/zitadel/internal/repository/deviceauth" + "github.com/zitadel/zitadel/internal/repository/oidcsession" + "github.com/zitadel/zitadel/internal/repository/user" "github.com/zitadel/zitadel/internal/zerrors" ) @@ -25,16 +36,17 @@ func TestCommands_AddDeviceAuth(t *testing.T) { require.Len(t, unique, 2) type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore } type args struct { - ctx context.Context - clientID string - deviceCode string - userCode string - expires time.Time - scopes []string - audience []string + ctx context.Context + clientID string + deviceCode string + userCode string + expires time.Time + scopes []string + audience []string + needRefreshToken bool } tests := []struct { name string @@ -46,24 +58,25 @@ func TestCommands_AddDeviceAuth(t *testing.T) { { name: "success", fields: fields{ - eventstore: eventstoreExpect(t, expectPush( + eventstore: expectEventstore(expectPush( deviceauth.NewAddedEvent( ctx, deviceauth.NewAggregate("123", "instance1"), "client_id", "123", "456", now, []string{"a", "b", "c"}, - []string{"projectID", "clientID"}, + []string{"projectID", "clientID"}, true, ), )), }, args: args{ - ctx: authz.WithInstanceID(context.Background(), "instance1"), - clientID: "client_id", - deviceCode: "123", - userCode: "456", - expires: now, - scopes: []string{"a", "b", "c"}, - audience: []string{"projectID", "clientID"}, + ctx: authz.WithInstanceID(context.Background(), "instance1"), + clientID: "client_id", + deviceCode: "123", + userCode: "456", + expires: now, + scopes: []string{"a", "b", "c"}, + audience: []string{"projectID", "clientID"}, + needRefreshToken: true, }, wantDetails: &domain.ObjectDetails{ ResourceOwner: "instance1", @@ -72,24 +85,25 @@ func TestCommands_AddDeviceAuth(t *testing.T) { { name: "push error", fields: fields{ - eventstore: eventstoreExpect(t, expectPushFailed(pushErr, + eventstore: expectEventstore(expectPushFailed(pushErr, deviceauth.NewAddedEvent( ctx, deviceauth.NewAggregate("123", "instance1"), "client_id", "123", "456", now, []string{"a", "b", "c"}, - []string{"projectID", "clientID"}, + []string{"projectID", "clientID"}, false, )), ), }, args: args{ - ctx: authz.WithInstanceID(context.Background(), "instance1"), - clientID: "client_id", - deviceCode: "123", - userCode: "456", - expires: now, - scopes: []string{"a", "b", "c"}, - audience: []string{"projectID", "clientID"}, + ctx: authz.WithInstanceID(context.Background(), "instance1"), + clientID: "client_id", + deviceCode: "123", + userCode: "456", + expires: now, + scopes: []string{"a", "b", "c"}, + audience: []string{"projectID", "clientID"}, + needRefreshToken: false, }, wantErr: pushErr, }, @@ -97,9 +111,9 @@ func TestCommands_AddDeviceAuth(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), } - gotDetails, err := c.AddDeviceAuth(tt.args.ctx, tt.args.clientID, tt.args.deviceCode, tt.args.userCode, tt.args.expires, tt.args.scopes, tt.args.audience) + gotDetails, err := c.AddDeviceAuth(tt.args.ctx, tt.args.clientID, tt.args.deviceCode, tt.args.userCode, tt.args.expires, tt.args.scopes, tt.args.audience, tt.args.needRefreshToken) require.ErrorIs(t, err, tt.wantErr) assert.Equal(t, tt.wantDetails, gotDetails) }) @@ -115,11 +129,14 @@ func TestCommands_ApproveDeviceAuth(t *testing.T) { eventstore *eventstore.Eventstore } type args struct { - ctx context.Context - id string - subject string - authMethods []domain.UserAuthMethodType - authTime time.Time + ctx context.Context + id string + userID string + userOrgID string + authMethods []domain.UserAuthMethodType + authTime time.Time + preferredLanguage *language.Tag + userAgent *domain.UserAgent } tests := []struct { name string @@ -136,9 +153,14 @@ func TestCommands_ApproveDeviceAuth(t *testing.T) { ), }, args: args{ - ctx, "123", "subj", + ctx, "123", "subj", "orgID", []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, - time.Unix(123, 456), + time.Unix(123, 456), &language.Afrikaans, &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, }, wantErr: zerrors.ThrowNotFound(nil, "COMMAND-Hief9", "Errors.DeviceAuth.NotFound"), }, @@ -153,22 +175,32 @@ func TestCommands_ApproveDeviceAuth(t *testing.T) { deviceauth.NewAggregate("123", "instance1"), "client_id", "123", "456", now, []string{"a", "b", "c"}, - []string{"projectID", "clientID"}, + []string{"projectID", "clientID"}, true, ), )), expectPushFailed(pushErr, deviceauth.NewApprovedEvent( - ctx, deviceauth.NewAggregate("123", "instance1"), "subj", + ctx, deviceauth.NewAggregate("123", "instance1"), "subj", "orgID", []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, - time.Unix(123, 456), + time.Unix(123, 456), &language.Afrikaans, &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, ), ), ), }, args: args{ - ctx, "123", "subj", + ctx, "123", "subj", "orgID", []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, - time.Unix(123, 456), + time.Unix(123, 456), &language.Afrikaans, &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, }, wantErr: pushErr, }, @@ -183,22 +215,32 @@ func TestCommands_ApproveDeviceAuth(t *testing.T) { deviceauth.NewAggregate("123", "instance1"), "client_id", "123", "456", now, []string{"a", "b", "c"}, - []string{"projectID", "clientID"}, + []string{"projectID", "clientID"}, true, ), )), expectPush( deviceauth.NewApprovedEvent( - ctx, deviceauth.NewAggregate("123", "instance1"), "subj", + ctx, deviceauth.NewAggregate("123", "instance1"), "subj", "orgID", []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, - time.Unix(123, 456), + time.Unix(123, 456), &language.Afrikaans, &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, ), ), ), }, args: args{ - ctx, "123", "subj", + ctx, "123", "subj", "orgID", []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, - time.Unix(123, 456), + time.Unix(123, 456), &language.Afrikaans, &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, }, wantDetails: &domain.ObjectDetails{ ResourceOwner: "instance1", @@ -210,7 +252,7 @@ func TestCommands_ApproveDeviceAuth(t *testing.T) { c := &Commands{ eventstore: tt.fields.eventstore, } - gotDetails, err := c.ApproveDeviceAuth(tt.args.ctx, tt.args.id, tt.args.subject, tt.args.authMethods, tt.args.authTime) + gotDetails, err := c.ApproveDeviceAuth(tt.args.ctx, tt.args.id, tt.args.userID, tt.args.userOrgID, tt.args.authMethods, tt.args.authTime, tt.args.preferredLanguage, tt.args.userAgent) require.ErrorIs(t, err, tt.wantErr) assert.Equal(t, gotDetails, tt.wantDetails) }) @@ -258,7 +300,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { deviceauth.NewAggregate("123", "instance1"), "client_id", "123", "456", now, []string{"a", "b", "c"}, - []string{"projectID", "clientID"}, + []string{"projectID", "clientID"}, true, ), )), expectPushFailed(pushErr, @@ -283,7 +325,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { deviceauth.NewAggregate("123", "instance1"), "client_id", "123", "456", now, []string{"a", "b", "c"}, - []string{"projectID", "clientID"}, + []string{"projectID", "clientID"}, true, ), )), expectPush( @@ -310,7 +352,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { deviceauth.NewAggregate("123", "instance1"), "client_id", "123", "456", now, []string{"a", "b", "c"}, - []string{"projectID", "clientID"}, + []string{"projectID", "clientID"}, true, ), )), expectPush( @@ -338,3 +380,392 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { }) } } + +func TestCommands_CreateOIDCSessionFromDeviceAuth(t *testing.T) { + ctx := authz.WithInstanceID(context.Background(), "instance1") + + type fields struct { + eventstore func(*testing.T) *eventstore.Eventstore + idGenerator id.Generator + defaultAccessTokenLifetime time.Duration + defaultRefreshTokenLifetime time.Duration + defaultRefreshTokenIdleLifetime time.Duration + keyAlgorithm crypto.EncryptionAlgorithm + } + type args struct { + ctx context.Context + deviceCode string + } + tests := []struct { + name string + fields fields + args args + want *OIDCSession + wantErr error + }{ + { + name: "device auth filter error", + fields: fields{ + eventstore: expectEventstore( + expectFilterError(io.ErrClosedPipe), + ), + }, + args: args{ + ctx, + "device1", + }, + wantErr: io.ErrClosedPipe, + }, + { + name: "not yet approved", + fields: fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewAddedEvent( + ctx, + deviceauth.NewAggregate("123", "instance1"), + "clientID", "123", "456", time.Now().Add(time.Minute), + []string{"openid", "offline_access"}, + []string{"audience"}, false, + ), + ), + ), + ), + }, + args: args{ + ctx, + "123", + }, + wantErr: DeviceAuthStateError(domain.DeviceAuthStateInitiated), + }, + { + name: "not found", + fields: fields{ + eventstore: expectEventstore( + expectFilter(), + ), + }, + args: args{ + ctx, + "123", + }, + wantErr: zerrors.ThrowNotFound(nil, "COMMAND-ua1Vo", "Errors.DeviceAuth.NotFound"), + }, + { + name: "expired", + fields: fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewAddedEvent( + ctx, + deviceauth.NewAggregate("123", "instance1"), + "clientID", "123", "456", time.Now().Add(-time.Minute), + []string{"openid", "offline_access"}, + []string{"audience"}, false, + ), + ), + ), + expectPushSlow(time.Second, deviceauth.NewCanceledEvent(ctx, + deviceauth.NewAggregate("123", "instance1"), + domain.DeviceAuthCanceledExpired, + )), + ), + }, + args: args{ + ctx, + "123", + }, + wantErr: DeviceAuthStateError(domain.DeviceAuthStateExpired), + }, + { + name: "already expired", + fields: fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewAddedEvent( + ctx, + deviceauth.NewAggregate("123", "instance1"), + "clientID", "123", "456", time.Now().Add(-time.Minute), + []string{"openid", "offline_access"}, + []string{"audience"}, false, + ), + ), + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewCanceledEvent(ctx, + deviceauth.NewAggregate("123", "instance1"), + domain.DeviceAuthCanceledExpired, + ), + ), + ), + ), + }, + args: args{ + ctx, + "123", + }, + wantErr: DeviceAuthStateError(domain.DeviceAuthStateExpired), + }, + { + name: "denied", + fields: fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewAddedEvent( + ctx, + deviceauth.NewAggregate("123", "instance1"), + "clientID", "123", "456", time.Now().Add(-time.Minute), + []string{"openid", "offline_access"}, + []string{"audience"}, false, + ), + ), + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewCanceledEvent(ctx, + deviceauth.NewAggregate("123", "instance1"), + domain.DeviceAuthCanceledDenied, + ), + ), + ), + ), + }, + args: args{ + ctx, + "123", + }, + wantErr: DeviceAuthStateError(domain.DeviceAuthStateDenied), + }, + { + name: "already done", + fields: fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewAddedEvent( + ctx, + deviceauth.NewAggregate("123", "instance1"), + "clientID", "123", "456", time.Now().Add(-time.Minute), + []string{"openid", "offline_access"}, + []string{"audience"}, false, + ), + ), + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewCanceledEvent(ctx, + deviceauth.NewAggregate("123", "instance1"), + domain.DeviceAuthCanceledDenied, + ), + ), + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewDoneEvent(ctx, + deviceauth.NewAggregate("123", "instance1"), + ), + ), + ), + ), + }, + args: args{ + ctx, + "123", + }, + wantErr: DeviceAuthStateError(domain.DeviceAuthStateDone), + }, + { + name: "approved, success", + fields: fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewAddedEvent( + ctx, + deviceauth.NewAggregate("123", "instance1"), + "clientID", "123", "456", time.Now().Add(-time.Minute), + []string{"openid", "offline_access"}, + []string{"audience"}, false, + ), + ), + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewApprovedEvent(ctx, + deviceauth.NewAggregate("123", "instance1"), + "userID", "org1", + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + testNow, &language.Afrikaans, &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + ), + ), + ), + expectFilter(), // token lifetime + expectPush( + oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "userID", "org1", "", "clientID", []string{"audience"}, []string{"openid", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "", &language.Afrikaans, &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + ), + oidcsession.NewAccessTokenAddedEvent(context.Background(), + &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "at_accessTokenID", []string{"openid", "offline_access"}, time.Hour, domain.TokenReasonAuthRequest, nil, + ), + user.NewUserTokenV2AddedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate, "at_accessTokenID"), + deviceauth.NewDoneEvent(ctx, + deviceauth.NewAggregate("123", "instance1"), + ), + ), + ), + idGenerator: mock.NewIDGeneratorExpectIDs(t, "oidcSessionID", "accessTokenID"), + defaultAccessTokenLifetime: time.Hour, + defaultRefreshTokenLifetime: 7 * 24 * time.Hour, + defaultRefreshTokenIdleLifetime: 24 * time.Hour, + keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), + }, + args: args{ + ctx, + "123", + }, + want: &OIDCSession{ + TokenID: "V2_oidcSessionID-at_accessTokenID", + ClientID: "clientID", + UserID: "userID", + Audience: []string{"audience"}, + Expiration: time.Time{}.Add(time.Hour), + Scope: []string{"openid", "offline_access"}, + AuthMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + AuthTime: testNow, + PreferredLanguage: &language.Afrikaans, + UserAgent: &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + Reason: domain.TokenReasonAuthRequest, + }, + }, + { + name: "approved, with refresh token", + fields: fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewAddedEvent( + ctx, + deviceauth.NewAggregate("123", "instance1"), + "clientID", "123", "456", time.Now().Add(-time.Minute), + []string{"openid", "offline_access"}, + []string{"audience"}, true, + ), + ), + eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewApprovedEvent(ctx, + deviceauth.NewAggregate("123", "instance1"), + "userID", "org1", + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + testNow, &language.Afrikaans, &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + ), + ), + ), + expectFilter(), // token lifetime + expectPush( + oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "userID", "org1", "", "clientID", []string{"audience"}, []string{"openid", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "", &language.Afrikaans, &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + ), + oidcsession.NewAccessTokenAddedEvent(context.Background(), + &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "at_accessTokenID", []string{"openid", "offline_access"}, time.Hour, domain.TokenReasonAuthRequest, nil, + ), + user.NewUserTokenV2AddedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate, "at_accessTokenID"), + oidcsession.NewRefreshTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "rt_refreshTokenID", 7*24*time.Hour, 24*time.Hour, + ), + deviceauth.NewDoneEvent(ctx, + deviceauth.NewAggregate("123", "instance1"), + ), + ), + ), + idGenerator: mock.NewIDGeneratorExpectIDs(t, "oidcSessionID", "accessTokenID", "refreshTokenID"), + defaultAccessTokenLifetime: time.Hour, + defaultRefreshTokenLifetime: 7 * 24 * time.Hour, + defaultRefreshTokenIdleLifetime: 24 * time.Hour, + keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), + }, + args: args{ + ctx, + "123", + }, + want: &OIDCSession{ + TokenID: "V2_oidcSessionID-at_accessTokenID", + ClientID: "clientID", + UserID: "userID", + Audience: []string{"audience"}, + Expiration: time.Time{}.Add(time.Hour), + Scope: []string{"openid", "offline_access"}, + AuthMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + AuthTime: testNow, + PreferredLanguage: &language.Afrikaans, + UserAgent: &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + Reason: domain.TokenReasonAuthRequest, + RefreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID-rt_refreshTokenID:userID + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + c := &Commands{ + eventstore: tt.fields.eventstore(t), + idGenerator: tt.fields.idGenerator, + defaultAccessTokenLifetime: tt.fields.defaultAccessTokenLifetime, + defaultRefreshTokenLifetime: tt.fields.defaultRefreshTokenLifetime, + defaultRefreshTokenIdleLifetime: tt.fields.defaultRefreshTokenIdleLifetime, + keyAlgorithm: tt.fields.keyAlgorithm, + } + got, err := c.CreateOIDCSessionFromDeviceAuth(tt.args.ctx, tt.args.deviceCode) + c.jobs.Wait() + + require.ErrorIs(t, err, tt.wantErr) + + if got != nil { + assert.WithinRange(t, got.AuthTime, tt.want.AuthTime.Add(-time.Second), tt.want.AuthTime.Add(time.Second)) + got.AuthTime = time.Time{} + tt.want.AuthTime = time.Time{} + } + assert.Equal(t, tt.want, got) + }) + } +} diff --git a/internal/command/idp.go b/internal/command/idp.go index a8b041c335..229d19b6e1 100644 --- a/internal/command/idp.go +++ b/internal/command/idp.go @@ -5,6 +5,7 @@ import ( "time" "github.com/zitadel/zitadel/internal/command/preparation" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/repository/idp" "github.com/zitadel/zitadel/internal/zerrors" ) @@ -110,12 +111,14 @@ type LDAPProvider struct { } type SAMLProvider struct { - Name string - Metadata []byte - MetadataURL string - Binding string - WithSignedRequest bool - IDPOptions idp.Options + Name string + Metadata []byte + MetadataURL string + Binding string + WithSignedRequest bool + NameIDFormat *domain.SAMLNameIDFormat + TransientMappingAttributeName string + IDPOptions idp.Options } type AppleProvider struct { diff --git a/internal/command/idp_intent_test.go b/internal/command/idp_intent_test.go index 8bdbcb4716..efcc9e0ddc 100644 --- a/internal/command/idp_intent_test.go +++ b/internal/command/idp_intent_test.go @@ -6,6 +6,7 @@ import ( "testing" "github.com/crewjam/saml" + "github.com/muhlemmer/gu" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/zitadel/oidc/v3/pkg/oidc" @@ -631,6 +632,8 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) { []byte("certificate"), "", false, + gu.Ptr(domain.SAMLNameIDFormatUnspecified), + "", rep_idp.Options{}, )), ), @@ -649,6 +652,8 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) { }, []byte("-----BEGIN CERTIFICATE-----\nMIIC2zCCAcOgAwIBAgIIAy/jm1gAAdEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE\nChMHWklUQURFTDAeFw0yMzA4MzAwNzExMTVaFw0yNDA4MjkwNzExMTVaMBIxEDAO\nBgNVBAoTB1pJVEFERUwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE\nd3TztGgSb3LBVZn8f60NbFCyZW+F9HPiMCr9F9T45Zc0fgmMwxId0WzRD5Y/3yc1\ndHJzt+Bsxvw12aUHbIPiothqk3lINoFzl2H/cSfIW3nehKyNOUqdBQ8B4mvaqH81\njTjoJ/JTJAwzglHk6JAWjhOyx9aep1yBqYa3QASeTaW9sxkpB0Co1L2UPNhuMwZq\n8RA9NkTfmYVcVBeNqihler5MhruFtqrv+J0ftwc1stw8uCN89ADyr4Ni+e+FeWar\nQs9Bkfc6KLF/5IXa9HCsHNPaaoYPY6I6RSaG4/DKoSKIEe1/GSVG1FTpZ8trUZxv\nU+xXS6gEalXcrJsiX8aXAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE\nDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCx\n/dRNIj0N/16zJhZR/ahkc2AkvDXYxyr4JRT5wK9GQDNl/oaX3debRuSi/tfaXFIX\naJA6PxM4J49ZaiEpLrKfxMz5kAhjKchCBEMcH3mGt+iNZH7EOyTvHjpGrP2OZrsh\nO17yrvN3HuQxIU6roJlqtZz2iAADsoPtwOO4D7hupm9XTMkSnAmlMWOo/q46Jz89\n1sMxB+dXmH/zV0wgwh0omZfLV0u89mvdq269VhcjNBpBYSnN1ccqYWd5iwziob3I\nvaavGHGfkbvRUn/tKftYuTK30q03R+e9YbmlWZ0v695owh2e/apCzowQsCKfSVC8\nOxVyt5XkHq1tWwVyBmFp\n-----END CERTIFICATE-----\n"), "", false, + gu.Ptr(domain.SAMLNameIDFormatUnspecified), + "", rep_idp.Options{}, )), ), diff --git a/internal/command/idp_model.go b/internal/command/idp_model.go index 12bccd39f7..fa38b4a075 100644 --- a/internal/command/idp_model.go +++ b/internal/command/idp_model.go @@ -1726,13 +1726,15 @@ func (wm *AppleIDPWriteModel) GetProviderOptions() idp.Options { type SAMLIDPWriteModel struct { eventstore.WriteModel - Name string - ID string - Metadata []byte - Key *crypto.CryptoValue - Certificate []byte - Binding string - WithSignedRequest bool + Name string + ID string + Metadata []byte + Key *crypto.CryptoValue + Certificate []byte + Binding string + WithSignedRequest bool + NameIDFormat *domain.SAMLNameIDFormat + TransientMappingAttributeName string idp.Options State domain.IDPState @@ -1759,6 +1761,8 @@ func (wm *SAMLIDPWriteModel) reduceAddedEvent(e *idp.SAMLIDPAddedEvent) { wm.Certificate = e.Certificate wm.Binding = e.Binding wm.WithSignedRequest = e.WithSignedRequest + wm.NameIDFormat = e.NameIDFormat + wm.TransientMappingAttributeName = e.TransientMappingAttributeName wm.Options = e.Options wm.State = domain.IDPStateActive } @@ -1782,6 +1786,12 @@ func (wm *SAMLIDPWriteModel) reduceChangedEvent(e *idp.SAMLIDPChangedEvent) { if e.WithSignedRequest != nil { wm.WithSignedRequest = *e.WithSignedRequest } + if e.NameIDFormat != nil { + wm.NameIDFormat = e.NameIDFormat + } + if e.TransientMappingAttributeName != nil { + wm.TransientMappingAttributeName = *e.TransientMappingAttributeName + } wm.Options.ReduceChanges(e.OptionChanges) } @@ -1793,6 +1803,8 @@ func (wm *SAMLIDPWriteModel) NewChanges( secretCrypto crypto.EncryptionAlgorithm, binding string, withSignedRequest bool, + nameIDFormat *domain.SAMLNameIDFormat, + transientMappingAttributeName string, options idp.Options, ) ([]idp.SAMLIDPChanges, error) { changes := make([]idp.SAMLIDPChanges, 0) @@ -1818,6 +1830,12 @@ func (wm *SAMLIDPWriteModel) NewChanges( if wm.WithSignedRequest != withSignedRequest { changes = append(changes, idp.ChangeSAMLWithSignedRequest(withSignedRequest)) } + if wm.NameIDFormat != nameIDFormat { + changes = append(changes, idp.ChangeSAMLNameIDFormat(nameIDFormat)) + } + if wm.TransientMappingAttributeName != transientMappingAttributeName { + changes = append(changes, idp.ChangeSAMLTransientMappingAttributeName(transientMappingAttributeName)) + } opts := wm.Options.Changes(options) if !opts.IsZero() { changes = append(changes, idp.ChangeSAMLOptions(opts)) @@ -1850,6 +1868,12 @@ func (wm *SAMLIDPWriteModel) ToProvider(callbackURL string, idpAlg crypto.Encryp if wm.Binding != "" { opts = append(opts, saml2.WithBinding(wm.Binding)) } + if wm.NameIDFormat != nil { + opts = append(opts, saml2.WithNameIDFormat(*wm.NameIDFormat)) + } + if wm.TransientMappingAttributeName != "" { + opts = append(opts, saml2.WithTransientMappingAttributeName(wm.TransientMappingAttributeName)) + } opts = append(opts, saml2.WithCustomRequestTracker( requesttracker.New( addRequest, diff --git a/internal/command/instance.go b/internal/command/instance.go index a31c00aadf..b5fb700459 100644 --- a/internal/command/instance.go +++ b/internal/command/instance.go @@ -81,10 +81,13 @@ type InstanceSetup struct { PasswordChange bool } PrivacyPolicy struct { - TOSLink string - PrivacyLink string - HelpLink string - SupportEmail domain.EmailAddress + TOSLink string + PrivacyLink string + HelpLink string + SupportEmail domain.EmailAddress + DocsLink string + CustomLink string + CustomLinkText string } LabelPolicy struct { PrimaryColor string @@ -139,6 +142,8 @@ type SecretGenerators struct { } type ZitadelConfig struct { + instanceID string + orgID string projectID string mgmtAppID string adminAppID string @@ -149,6 +154,16 @@ type ZitadelConfig struct { } func (s *InstanceSetup) generateIDs(idGenerator id.Generator) (err error) { + s.zitadel.instanceID, err = idGenerator.Next() + if err != nil { + return err + } + + s.zitadel.orgID, err = idGenerator.Next() + if err != nil { + return err + } + s.zitadel.projectID, err = idGenerator.Next() if err != nil { return err @@ -182,36 +197,88 @@ func (s *InstanceSetup) generateIDs(idGenerator id.Generator) (err error) { } func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (string, string, *MachineKey, *domain.ObjectDetails, error) { - instanceID, err := c.idGenerator.Next() + if err := setup.generateIDs(c.idGenerator); err != nil { + return "", "", nil, nil, err + } + ctx = contextWithInstanceSetupInfo(ctx, setup.zitadel.instanceID, setup.zitadel.projectID, setup.zitadel.consoleAppID, c.externalDomain) + + validations, pat, machineKey, err := setUpInstance(ctx, c, setup) if err != nil { return "", "", nil, nil, err } - ctx = authz.SetCtxData(authz.WithRequestedDomain(authz.WithInstanceID(ctx, instanceID), c.externalDomain), authz.CtxData{OrgID: instanceID, ResourceOwner: instanceID}) - - orgID, err := c.idGenerator.Next() + //nolint:staticcheck + cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validations...) if err != nil { return "", "", nil, nil, err } - userID, err := c.idGenerator.Next() + events, err := c.eventstore.Push(ctx, cmds...) if err != nil { return "", "", nil, nil, err } - if err = setup.generateIDs(c.idGenerator); err != nil { - return "", "", nil, nil, err + var token string + if pat != nil { + token = pat.Token } - ctx = authz.WithConsole(ctx, setup.zitadel.projectID, setup.zitadel.consoleAppID) - instanceAgg := instance.NewAggregate(instanceID) - orgAgg := org.NewAggregate(orgID) - userAgg := user.NewAggregate(userID, orgID) - projectAgg := project.NewAggregate(setup.zitadel.projectID, orgID) - limitsAgg := limits.NewAggregate(setup.zitadel.limitsID, instanceID) - restrictionsAgg := restrictions.NewAggregate(setup.zitadel.restrictionsID, instanceID, instanceID) + return setup.zitadel.instanceID, token, machineKey, &domain.ObjectDetails{ + Sequence: events[len(events)-1].Sequence(), + EventDate: events[len(events)-1].CreatedAt(), + ResourceOwner: setup.zitadel.orgID, + }, nil +} - validations := []preparation.Validation{ +func contextWithInstanceSetupInfo(ctx context.Context, instanceID, projectID, consoleAppID, externalDomain string) context.Context { + return authz.WithConsole( + authz.SetCtxData( + authz.WithRequestedDomain( + authz.WithInstanceID( + ctx, + instanceID), + externalDomain, + ), + authz.CtxData{ResourceOwner: instanceID}, + ), + projectID, + consoleAppID, + ) +} + +func setUpInstance(ctx context.Context, c *Commands, setup *InstanceSetup) (validations []preparation.Validation, pat *PersonalAccessToken, machineKey *MachineKey, err error) { + instanceAgg := instance.NewAggregate(setup.zitadel.instanceID) + + validations = setupInstanceElements(instanceAgg, setup) + + // default organization on setup'd instance + pat, machineKey, err = setupDefaultOrg(ctx, c, &validations, instanceAgg, setup.Org.Name, setup.Org.Machine, setup.Org.Human, setup.zitadel) + if err != nil { + return nil, nil, nil, err + } + + // domains + if err := setupGeneratedDomain(ctx, c, &validations, instanceAgg, setup.InstanceName); err != nil { + return nil, nil, nil, err + } + setupCustomDomain(c, &validations, instanceAgg, setup.CustomDomain) + + // optional setting if set + setupMessageTexts(&validations, setup.MessageTexts, instanceAgg) + if err := setupQuotas(c, &validations, setup.Quotas, setup.zitadel.instanceID); err != nil { + return nil, nil, nil, err + } + setupSMTPSettings(c, &validations, setup.SMTPConfiguration, instanceAgg) + setupOIDCSettings(c, &validations, setup.OIDCSettings, instanceAgg) + setupFeatures(&validations, setup.Features, setup.zitadel.instanceID) + setupLimits(c, &validations, limits.NewAggregate(setup.zitadel.limitsID, setup.zitadel.instanceID), setup.Limits) + setupRestrictions(c, &validations, restrictions.NewAggregate(setup.zitadel.restrictionsID, setup.zitadel.instanceID, setup.zitadel.instanceID), setup.Restrictions) + + return validations, pat, machineKey, nil +} + +func setupInstanceElements(instanceAgg *instance.Aggregate, setup *InstanceSetup) []preparation.Validation { + return []preparation.Validation{ prepareAddInstance(instanceAgg, setup.InstanceName, setup.DefaultLanguage), prepareAddSecretGeneratorConfig(instanceAgg, domain.SecretGeneratorTypeAppSecret, setup.SecretGenerators.ClientSecret), prepareAddSecretGeneratorConfig(instanceAgg, domain.SecretGeneratorTypeInitCode, setup.SecretGenerators.InitializeUserCode), @@ -270,7 +337,7 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (str */ prepareAddMultiFactorToDefaultLoginPolicy(instanceAgg, domain.MultiFactorTypeU2FWithPIN), - prepareAddDefaultPrivacyPolicy(instanceAgg, setup.PrivacyPolicy.TOSLink, setup.PrivacyPolicy.PrivacyLink, setup.PrivacyPolicy.HelpLink, setup.PrivacyPolicy.SupportEmail), + prepareAddDefaultPrivacyPolicy(instanceAgg, setup.PrivacyPolicy.TOSLink, setup.PrivacyPolicy.PrivacyLink, setup.PrivacyPolicy.HelpLink, setup.PrivacyPolicy.SupportEmail, setup.PrivacyPolicy.DocsLink, setup.PrivacyPolicy.CustomLink, setup.PrivacyPolicy.CustomLinkText), prepareAddDefaultNotificationPolicy(instanceAgg, setup.NotificationPolicy.PasswordChange), prepareAddDefaultLockoutPolicy(instanceAgg, setup.LockoutPolicy.MaxPasswordAttempts, setup.LockoutPolicy.MaxOTPAttempts, setup.LockoutPolicy.ShouldShowLockoutFailure), @@ -289,54 +356,8 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (str setup.LabelPolicy.DisableWatermark, setup.LabelPolicy.ThemeMode, ), - prepareActivateDefaultLabelPolicy(instanceAgg), - prepareAddDefaultEmailTemplate(instanceAgg, setup.EmailTemplate), } - if err := setupQuotas(c, &validations, setup.Quotas, instanceID); err != nil { - return "", "", nil, nil, err - } - setupMessageTexts(&validations, setup.MessageTexts, instanceAgg) - validations = append(validations, - AddOrgCommand(ctx, orgAgg, setup.Org.Name), - c.prepareSetDefaultOrg(instanceAgg, orgAgg.ID), - ) - pat, machineKey, err := setupAdmin(c, &validations, setup.Org.Machine, setup.Org.Human, orgID, userID, userAgg) - if err != nil { - return "", "", nil, nil, err - } - setupMinimalInterfaces(c, &validations, instanceAgg, projectAgg, orgAgg, userID, setup.zitadel) - if err := setupGeneratedDomain(ctx, c, &validations, instanceAgg, setup.InstanceName); err != nil { - return "", "", nil, nil, err - } - setupCustomDomain(c, &validations, instanceAgg, setup.CustomDomain) - setupSMTPSettings(c, &validations, setup.SMTPConfiguration, instanceAgg) - setupOIDCSettings(c, &validations, setup.OIDCSettings, instanceAgg) - setupFeatures(&validations, setup.Features, instanceID) - setupLimits(c, &validations, limitsAgg, setup.Limits) - setupRestrictions(c, &validations, restrictionsAgg, setup.Restrictions) - - //nolint:staticcheck - cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validations...) - if err != nil { - return "", "", nil, nil, err - } - - events, err := c.eventstore.Push(ctx, cmds...) - if err != nil { - return "", "", nil, nil, err - } - - var token string - if pat != nil { - token = pat.Token - } - - return instanceID, token, machineKey, &domain.ObjectDetails{ - Sequence: events[len(events)-1].Sequence(), - EventDate: events[len(events)-1].CreatedAt(), - ResourceOwner: orgID, - }, nil } func setupLimits(commands *Commands, validations *[]preparation.Validation, limitsAgg *limits.Aggregate, setLimits *SetLimits) { @@ -366,7 +387,9 @@ func setupQuotas(commands *Commands, validations *[]preparation.Validation, setQ } func setupFeatures(validations *[]preparation.Validation, features *InstanceFeatures, instanceID string) { - *validations = append(*validations, prepareSetFeatures(instanceID, features)) + if features != nil { + *validations = append(*validations, prepareSetFeatures(instanceID, features)) + } } func setupOIDCSettings(commands *Commands, validations *[]preparation.Validation, oidcSettings *OIDCSettings, instanceAgg *instance.Aggregate) { @@ -422,7 +445,9 @@ func setupGeneratedDomain(ctx context.Context, commands *Commands, validations * return nil } -func setupMinimalInterfaces(commands *Commands, validations *[]preparation.Validation, instanceAgg *instance.Aggregate, projectAgg *project.Aggregate, orgAgg *org.Aggregate, userID string, ids ZitadelConfig) { +func setupMinimalInterfaces(commands *Commands, validations *[]preparation.Validation, instanceAgg *instance.Aggregate, orgAgg *org.Aggregate, projectOwner string, ids ZitadelConfig) { + projectAgg := project.NewAggregate(ids.projectID, orgAgg.ID) + cnsl := &addOIDCApp{ AddApp: AddApp{ Aggregate: *projectAgg, @@ -443,10 +468,9 @@ func setupMinimalInterfaces(commands *Commands, validations *[]preparation.Valid IDTokenUserinfoAssertion: false, ClockSkew: 0, } + *validations = append(*validations, - commands.AddOrgMemberCommand(orgAgg, userID, domain.RoleOrgOwner), - commands.AddInstanceMemberCommand(instanceAgg, userID, domain.RoleIAMOwner), - AddProjectCommand(projectAgg, zitadelProjectName, userID, false, false, false, domain.PrivateLabelingSettingUnspecified), + AddProjectCommand(projectAgg, zitadelProjectName, projectOwner, false, false, false, domain.PrivateLabelingSettingUnspecified), SetIAMProject(instanceAgg, projectAgg.ID), commands.AddAPIAppCommand( @@ -487,37 +511,103 @@ func setupMinimalInterfaces(commands *Commands, validations *[]preparation.Valid ) } -func setupAdmin(commands *Commands, validations *[]preparation.Validation, machine *AddMachine, human *AddHuman, orgID, userID string, userAgg *user.Aggregate) (pat *PersonalAccessToken, machineKey *MachineKey, err error) { - // only a human or a machine user should be created as owner +func setupDefaultOrg(ctx context.Context, + commands *Commands, + validations *[]preparation.Validation, + instanceAgg *instance.Aggregate, + name string, + machine *AddMachine, + human *AddHuman, + ids ZitadelConfig, +) (pat *PersonalAccessToken, machineKey *MachineKey, err error) { + orgAgg := org.NewAggregate(ids.orgID) + + *validations = append( + *validations, + AddOrgCommand(ctx, orgAgg, name), + commands.prepareSetDefaultOrg(instanceAgg, ids.orgID), + ) + + projectOwner, pat, machineKey, err := setupAdmins(commands, validations, instanceAgg, orgAgg, machine, human) + if err != nil { + return nil, nil, err + } + setupMinimalInterfaces(commands, validations, instanceAgg, orgAgg, projectOwner, ids) + return pat, machineKey, nil +} + +func setupAdmins(commands *Commands, + validations *[]preparation.Validation, + instanceAgg *instance.Aggregate, + orgAgg *org.Aggregate, + machine *AddMachine, + human *AddHuman, +) (owner string, pat *PersonalAccessToken, machineKey *MachineKey, err error) { + if human == nil && machine == nil { + return "", nil, nil, zerrors.ThrowInvalidArgument(nil, "INSTANCE-z1yi2q2ot7", "Error.Instance.NoAdmin") + } + if machine != nil && machine.Machine != nil && !machine.Machine.IsZero() { - *validations = append(*validations, - AddMachineCommand(userAgg, machine.Machine), - ) - if machine.Pat != nil { - pat = NewPersonalAccessToken(orgID, userID, machine.Pat.ExpirationDate, machine.Pat.Scopes, domain.UserTypeMachine) - pat.TokenID, err = commands.idGenerator.Next() - if err != nil { - return nil, nil, err - } - *validations = append(*validations, prepareAddPersonalAccessToken(pat, commands.keyAlgorithm)) + machineUserID, err := commands.idGenerator.Next() + if err != nil { + return "", nil, nil, err } - if machine.MachineKey != nil { - machineKey = NewMachineKey(orgID, userID, machine.MachineKey.ExpirationDate, machine.MachineKey.Type) - machineKey.KeyID, err = commands.idGenerator.Next() - if err != nil { - return nil, nil, err - } - *validations = append(*validations, prepareAddUserMachineKey(machineKey, commands.machineKeySize)) + owner = machineUserID + + pat, machineKey, err = setupMachineAdmin(commands, validations, machine, orgAgg.ID, machineUserID) + if err != nil { + return "", nil, nil, err } - } else if human != nil { - human.ID = userID + + setupAdminMembers(commands, validations, instanceAgg, orgAgg, machineUserID) + } + if human != nil { + humanUserID, err := commands.idGenerator.Next() + if err != nil { + return "", nil, nil, err + } + owner = humanUserID + human.ID = humanUserID + *validations = append(*validations, - commands.AddHumanCommand(human, orgID, commands.userPasswordHasher, commands.userEncryption, true), + commands.AddHumanCommand(human, orgAgg.ID, commands.userPasswordHasher, commands.userEncryption, true), ) + + setupAdminMembers(commands, validations, instanceAgg, orgAgg, humanUserID) + } + return owner, pat, machineKey, nil +} + +func setupMachineAdmin(commands *Commands, validations *[]preparation.Validation, machine *AddMachine, orgID, userID string) (pat *PersonalAccessToken, machineKey *MachineKey, err error) { + *validations = append(*validations, + AddMachineCommand(user.NewAggregate(userID, orgID), machine.Machine), + ) + if machine.Pat != nil { + pat = NewPersonalAccessToken(orgID, userID, machine.Pat.ExpirationDate, machine.Pat.Scopes, domain.UserTypeMachine) + pat.TokenID, err = commands.idGenerator.Next() + if err != nil { + return nil, nil, err + } + *validations = append(*validations, prepareAddPersonalAccessToken(pat, commands.keyAlgorithm)) + } + if machine.MachineKey != nil { + machineKey = NewMachineKey(orgID, userID, machine.MachineKey.ExpirationDate, machine.MachineKey.Type) + machineKey.KeyID, err = commands.idGenerator.Next() + if err != nil { + return nil, nil, err + } + *validations = append(*validations, prepareAddUserMachineKey(machineKey, commands.machineKeySize)) } return pat, machineKey, nil } +func setupAdminMembers(commands *Commands, validations *[]preparation.Validation, instanceAgg *instance.Aggregate, orgAgg *org.Aggregate, userID string) { + *validations = append(*validations, + commands.AddOrgMemberCommand(orgAgg, userID, domain.RoleOrgOwner), + commands.AddInstanceMemberCommand(instanceAgg, userID, domain.RoleIAMOwner), + ) +} + func setupMessageTexts(validations *[]preparation.Validation, setupMessageTexts []*domain.CustomMessageText, instanceAgg *instance.Aggregate) { for _, msg := range setupMessageTexts { *validations = append(*validations, prepareSetInstanceCustomMessageTexts(instanceAgg, msg)) diff --git a/internal/command/instance_converter.go b/internal/command/instance_converter.go index 1ed1cc123a..e4e4d2ac4b 100644 --- a/internal/command/instance_converter.go +++ b/internal/command/instance_converter.go @@ -116,11 +116,14 @@ func writeModelToLockoutPolicy(wm *LockoutPolicyWriteModel) *domain.LockoutPolic func writeModelToPrivacyPolicy(wm *PrivacyPolicyWriteModel) *domain.PrivacyPolicy { return &domain.PrivacyPolicy{ - ObjectRoot: writeModelToObjectRoot(wm.WriteModel), - TOSLink: wm.TOSLink, - PrivacyLink: wm.PrivacyLink, - HelpLink: wm.HelpLink, - SupportEmail: wm.SupportEmail, + ObjectRoot: writeModelToObjectRoot(wm.WriteModel), + TOSLink: wm.TOSLink, + PrivacyLink: wm.PrivacyLink, + HelpLink: wm.HelpLink, + SupportEmail: wm.SupportEmail, + DocsLink: wm.DocsLink, + CustomLink: wm.CustomLink, + CustomLinkText: wm.CustomLinkText, } } diff --git a/internal/command/instance_domain.go b/internal/command/instance_domain.go index d5f6808cfb..43e1aebbf8 100644 --- a/internal/command/instance_domain.go +++ b/internal/command/instance_domain.go @@ -74,7 +74,7 @@ func (c *Commands) RemoveInstanceDomain(ctx context.Context, instanceDomain stri } func (c *Commands) addGeneratedInstanceDomain(ctx context.Context, a *instance.Aggregate, instanceName string) ([]preparation.Validation, error) { - domain, err := domain.NewGeneratedInstanceDomain(instanceName, authz.GetInstance(ctx).RequestedDomain()) + domain, err := c.GenerateDomain(instanceName, authz.GetInstance(ctx).RequestedDomain()) if err != nil { return nil, err } diff --git a/internal/command/instance_features.go b/internal/command/instance_features.go index 35ef57da37..3acc789d1b 100644 --- a/internal/command/instance_features.go +++ b/internal/command/instance_features.go @@ -7,6 +7,7 @@ import ( "github.com/zitadel/zitadel/internal/command/preparation" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" + "github.com/zitadel/zitadel/internal/feature" "github.com/zitadel/zitadel/internal/repository/feature/feature_v2" "github.com/zitadel/zitadel/internal/zerrors" ) @@ -18,6 +19,7 @@ type InstanceFeatures struct { UserSchema *bool TokenExchange *bool Actions *bool + ImprovedPerformance []feature.ImprovedPerformanceType } func (m *InstanceFeatures) isEmpty() bool { @@ -26,7 +28,9 @@ func (m *InstanceFeatures) isEmpty() bool { m.LegacyIntrospection == nil && m.UserSchema == nil && m.TokenExchange == nil && - m.Actions == nil + m.Actions == nil && + // nil check to allow unset improvements + m.ImprovedPerformance == nil } func (c *Commands) SetInstanceFeatures(ctx context.Context, f *InstanceFeatures) (*domain.ObjectDetails, error) { @@ -37,11 +41,11 @@ func (c *Commands) SetInstanceFeatures(ctx context.Context, f *InstanceFeatures) if err := c.eventstore.FilterToQueryReducer(ctx, wm); err != nil { return nil, err } - cmds := wm.setCommands(ctx, f) - if len(cmds) == 0 { + commands := wm.setCommands(ctx, f) + if len(commands) == 0 { return writeModelToObjectDetails(wm.WriteModel), nil } - events, err := c.eventstore.Push(ctx, cmds...) + events, err := c.eventstore.Push(ctx, commands...) if err != nil { return nil, err } diff --git a/internal/command/instance_features_model.go b/internal/command/instance_features_model.go index 55ce5ea3da..bfd606e672 100644 --- a/internal/command/instance_features_model.go +++ b/internal/command/instance_features_model.go @@ -30,14 +30,23 @@ func (m *InstanceFeaturesWriteModel) Reduce() (err error) { case *feature_v2.ResetEvent: m.reduceReset() case *feature_v1.SetEvent[feature_v1.Boolean]: - err = m.reduceBoolFeature( - feature_v1.DefaultLoginInstanceEventToV2(e), + reduceInstanceFeature( + &m.InstanceFeatures, + feature.KeyLoginDefaultOrg, + feature_v1.DefaultLoginInstanceEventToV2(e).Value, ) case *feature_v2.SetEvent[bool]: - err = m.reduceBoolFeature(e) - } - if err != nil { - return err + _, key, err := e.FeatureInfo() + if err != nil { + return err + } + reduceInstanceFeature(&m.InstanceFeatures, key, e.Value) + case *feature_v2.SetEvent[[]feature.ImprovedPerformanceType]: + _, key, err := e.FeatureInfo() + if err != nil { + return err + } + reduceInstanceFeature(&m.InstanceFeatures, key, e.Value) } } return m.WriteModel.Reduce() @@ -57,41 +66,41 @@ func (m *InstanceFeaturesWriteModel) Query() *eventstore.SearchQueryBuilder { feature_v2.InstanceUserSchemaEventType, feature_v2.InstanceTokenExchangeEventType, feature_v2.InstanceActionsEventType, + feature_v2.InstanceImprovedPerformanceEventType, ). Builder().ResourceOwner(m.ResourceOwner) } func (m *InstanceFeaturesWriteModel) reduceReset() { - m.LoginDefaultOrg = nil - m.TriggerIntrospectionProjections = nil - m.LegacyIntrospection = nil - m.UserSchema = nil - m.TokenExchange = nil - m.Actions = nil + m.InstanceFeatures = InstanceFeatures{} } -func (m *InstanceFeaturesWriteModel) reduceBoolFeature(event *feature_v2.SetEvent[bool]) error { - _, key, err := event.FeatureInfo() - if err != nil { - return err - } +func reduceInstanceFeature(features *InstanceFeatures, key feature.Key, value any) { switch key { case feature.KeyUnspecified: - return nil + return case feature.KeyLoginDefaultOrg: - m.LoginDefaultOrg = &event.Value + v := value.(bool) + features.LoginDefaultOrg = &v case feature.KeyTriggerIntrospectionProjections: - m.TriggerIntrospectionProjections = &event.Value + v := value.(bool) + features.TriggerIntrospectionProjections = &v case feature.KeyLegacyIntrospection: - m.LegacyIntrospection = &event.Value + v := value.(bool) + features.LegacyIntrospection = &v case feature.KeyTokenExchange: - m.TokenExchange = &event.Value + v := value.(bool) + features.TokenExchange = &v case feature.KeyUserSchema: - m.UserSchema = &event.Value + v := value.(bool) + features.UserSchema = &v case feature.KeyActions: - m.Actions = &event.Value + v := value.(bool) + features.Actions = &v + case feature.KeyImprovedPerformance: + v := value.([]feature.ImprovedPerformanceType) + features.ImprovedPerformance = v } - return nil } func (wm *InstanceFeaturesWriteModel) setCommands(ctx context.Context, f *InstanceFeatures) []eventstore.Command { @@ -103,5 +112,6 @@ func (wm *InstanceFeaturesWriteModel) setCommands(ctx context.Context, f *Instan cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.TokenExchange, f.TokenExchange, feature_v2.InstanceTokenExchangeEventType) cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.UserSchema, f.UserSchema, feature_v2.InstanceUserSchemaEventType) cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.Actions, f.Actions, feature_v2.InstanceActionsEventType) + cmds = appendFeatureSliceUpdate(ctx, cmds, aggregate, wm.ImprovedPerformance, f.ImprovedPerformance, feature_v2.InstanceImprovedPerformanceEventType) return cmds } diff --git a/internal/command/instance_idp.go b/internal/command/instance_idp.go index ed8d458e18..539136a08d 100644 --- a/internal/command/instance_idp.go +++ b/internal/command/instance_idp.go @@ -1763,6 +1763,8 @@ func (c *Commands) prepareAddInstanceSAMLProvider(a *instance.Aggregate, writeMo cert, provider.Binding, provider.WithSignedRequest, + provider.NameIDFormat, + provider.TransientMappingAttributeName, provider.IDPOptions, ), }, nil @@ -1811,6 +1813,8 @@ func (c *Commands) prepareUpdateInstanceSAMLProvider(a *instance.Aggregate, writ c.idpConfigEncryption, provider.Binding, provider.WithSignedRequest, + provider.NameIDFormat, + provider.TransientMappingAttributeName, provider.IDPOptions, ) if err != nil || event == nil { @@ -1854,6 +1858,8 @@ func (c *Commands) prepareRegenerateInstanceSAMLProviderCertificate(a *instance. c.idpConfigEncryption, writeModel.Binding, writeModel.WithSignedRequest, + writeModel.NameIDFormat, + writeModel.TransientMappingAttributeName, writeModel.Options, ) if err != nil || event == nil { diff --git a/internal/command/instance_idp_model.go b/internal/command/instance_idp_model.go index 6759442553..5c895b1fc7 100644 --- a/internal/command/instance_idp_model.go +++ b/internal/command/instance_idp_model.go @@ -5,6 +5,7 @@ import ( "time" "github.com/zitadel/zitadel/internal/crypto" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/repository/idp" "github.com/zitadel/zitadel/internal/repository/instance" @@ -915,6 +916,8 @@ func (wm *InstanceSAMLIDPWriteModel) NewChangedEvent( secretCrypto crypto.EncryptionAlgorithm, binding string, withSignedRequest bool, + nameIDFormat *domain.SAMLNameIDFormat, + transientMappingAttributeName string, options idp.Options, ) (*instance.SAMLIDPChangedEvent, error) { changes, err := wm.SAMLIDPWriteModel.NewChanges( @@ -925,6 +928,8 @@ func (wm *InstanceSAMLIDPWriteModel) NewChangedEvent( secretCrypto, binding, withSignedRequest, + nameIDFormat, + transientMappingAttributeName, options, ) if err != nil || len(changes) == 0 { diff --git a/internal/command/instance_idp_test.go b/internal/command/instance_idp_test.go index 3ff14610dc..0f7998a632 100644 --- a/internal/command/instance_idp_test.go +++ b/internal/command/instance_idp_test.go @@ -6,6 +6,7 @@ import ( "testing" "time" + "github.com/muhlemmer/gu" "github.com/stretchr/testify/assert" openid "github.com/zitadel/oidc/v3/pkg/oidc" "go.uber.org/mock/gomock" @@ -23,7 +24,7 @@ import ( func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -45,7 +46,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -61,7 +62,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -79,7 +80,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -98,7 +99,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { { "invalid auth endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -118,7 +119,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { { "invalid token endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -139,7 +140,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { { "invalid user endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -161,7 +162,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { { "invalid id attribute", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -184,7 +185,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewOAuthIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -229,7 +230,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewOAuthIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -287,7 +288,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -308,7 +309,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) { func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -329,7 +330,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -344,7 +345,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -360,7 +361,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -378,7 +379,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { { "invalid auth endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -397,7 +398,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { { "invalid token endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -417,7 +418,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { { "invalid user endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -438,7 +439,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { { "invalid id attribute", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -460,7 +461,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -483,7 +484,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewOAuthIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -525,7 +526,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewOAuthIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -607,7 +608,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateInstanceGenericOAuthProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -626,7 +627,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) { func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -648,7 +649,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -664,7 +665,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) { { "invalid issuer", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -682,7 +683,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -701,7 +702,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -721,7 +722,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewOIDCIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -761,7 +762,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewOIDCIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -815,7 +816,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -836,7 +837,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) { func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -857,7 +858,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -872,7 +873,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -888,7 +889,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) { { "invalid issuer", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -906,7 +907,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -925,7 +926,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -945,7 +946,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewOIDCIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -982,7 +983,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewOIDCIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -1058,7 +1059,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateInstanceGenericOIDCProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -1077,7 +1078,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) { func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -1099,7 +1100,7 @@ func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -1114,7 +1115,7 @@ func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) { { "invalid client id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -1131,7 +1132,7 @@ func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) { { "invalid client secret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -1149,7 +1150,7 @@ func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -1169,7 +1170,7 @@ func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) { { name: "migrate ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewOIDCIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -1227,7 +1228,7 @@ func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) { { name: "migrate ok full", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewOIDCIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -1300,7 +1301,7 @@ func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.MigrateInstanceGenericOIDCToAzureADProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -1319,7 +1320,7 @@ func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) { func TestCommandSide_MigrateInstanceOIDCToGoogleIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -1340,7 +1341,7 @@ func TestCommandSide_MigrateInstanceOIDCToGoogleIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -1355,7 +1356,7 @@ func TestCommandSide_MigrateInstanceOIDCToGoogleIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -1372,7 +1373,7 @@ func TestCommandSide_MigrateInstanceOIDCToGoogleIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -1391,7 +1392,7 @@ func TestCommandSide_MigrateInstanceOIDCToGoogleIDP(t *testing.T) { { name: "migrate ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewOIDCIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -1443,7 +1444,7 @@ func TestCommandSide_MigrateInstanceOIDCToGoogleIDP(t *testing.T) { { name: "migrate ok full", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewOIDCIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -1508,7 +1509,7 @@ func TestCommandSide_MigrateInstanceOIDCToGoogleIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.MigrateInstanceGenericOIDCToGoogleProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -1527,7 +1528,7 @@ func TestCommandSide_MigrateInstanceOIDCToGoogleIDP(t *testing.T) { func TestCommandSide_AddInstanceAzureADIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -1549,7 +1550,7 @@ func TestCommandSide_AddInstanceAzureADIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -1565,7 +1566,7 @@ func TestCommandSide_AddInstanceAzureADIDP(t *testing.T) { { "invalid client id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -1583,7 +1584,7 @@ func TestCommandSide_AddInstanceAzureADIDP(t *testing.T) { { "invalid client secret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -1602,7 +1603,7 @@ func TestCommandSide_AddInstanceAzureADIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewAzureADIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -1641,7 +1642,7 @@ func TestCommandSide_AddInstanceAzureADIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewAzureADIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -1695,7 +1696,7 @@ func TestCommandSide_AddInstanceAzureADIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -1716,7 +1717,7 @@ func TestCommandSide_AddInstanceAzureADIDP(t *testing.T) { func TestCommandSide_UpdateInstanceAzureADIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -1737,7 +1738,7 @@ func TestCommandSide_UpdateInstanceAzureADIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -1752,7 +1753,7 @@ func TestCommandSide_UpdateInstanceAzureADIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -1768,7 +1769,7 @@ func TestCommandSide_UpdateInstanceAzureADIDP(t *testing.T) { { "invalid client id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -1786,7 +1787,7 @@ func TestCommandSide_UpdateInstanceAzureADIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -1805,7 +1806,7 @@ func TestCommandSide_UpdateInstanceAzureADIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewAzureADIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -1841,7 +1842,7 @@ func TestCommandSide_UpdateInstanceAzureADIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewAzureADIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -1917,7 +1918,7 @@ func TestCommandSide_UpdateInstanceAzureADIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateInstanceAzureADProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -1936,7 +1937,7 @@ func TestCommandSide_UpdateInstanceAzureADIDP(t *testing.T) { func TestCommandSide_AddInstanceGitHubIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -1958,7 +1959,7 @@ func TestCommandSide_AddInstanceGitHubIDP(t *testing.T) { { "invalid client id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -1974,7 +1975,7 @@ func TestCommandSide_AddInstanceGitHubIDP(t *testing.T) { { "invalid client secret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -1992,7 +1993,7 @@ func TestCommandSide_AddInstanceGitHubIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewGitHubIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -2028,7 +2029,7 @@ func TestCommandSide_AddInstanceGitHubIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewGitHubIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -2078,7 +2079,7 @@ func TestCommandSide_AddInstanceGitHubIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -2099,7 +2100,7 @@ func TestCommandSide_AddInstanceGitHubIDP(t *testing.T) { func TestCommandSide_UpdateInstanceGitHubIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -2120,7 +2121,7 @@ func TestCommandSide_UpdateInstanceGitHubIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -2135,7 +2136,7 @@ func TestCommandSide_UpdateInstanceGitHubIDP(t *testing.T) { { "invalid client id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -2151,7 +2152,7 @@ func TestCommandSide_UpdateInstanceGitHubIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -2169,7 +2170,7 @@ func TestCommandSide_UpdateInstanceGitHubIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewGitHubIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -2202,7 +2203,7 @@ func TestCommandSide_UpdateInstanceGitHubIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewGitHubIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -2272,7 +2273,7 @@ func TestCommandSide_UpdateInstanceGitHubIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateInstanceGitHubProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -2291,7 +2292,7 @@ func TestCommandSide_UpdateInstanceGitHubIDP(t *testing.T) { func TestCommandSide_AddInstanceGitHubEnterpriseIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -2313,7 +2314,7 @@ func TestCommandSide_AddInstanceGitHubEnterpriseIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2329,7 +2330,7 @@ func TestCommandSide_AddInstanceGitHubEnterpriseIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2347,7 +2348,7 @@ func TestCommandSide_AddInstanceGitHubEnterpriseIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2366,7 +2367,7 @@ func TestCommandSide_AddInstanceGitHubEnterpriseIDP(t *testing.T) { { "invalid auth endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2386,7 +2387,7 @@ func TestCommandSide_AddInstanceGitHubEnterpriseIDP(t *testing.T) { { "invalid token endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2407,7 +2408,7 @@ func TestCommandSide_AddInstanceGitHubEnterpriseIDP(t *testing.T) { { "invalid user endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2429,7 +2430,7 @@ func TestCommandSide_AddInstanceGitHubEnterpriseIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewGitHubEnterpriseIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -2472,7 +2473,7 @@ func TestCommandSide_AddInstanceGitHubEnterpriseIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewGitHubEnterpriseIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -2528,7 +2529,7 @@ func TestCommandSide_AddInstanceGitHubEnterpriseIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -2549,7 +2550,7 @@ func TestCommandSide_AddInstanceGitHubEnterpriseIDP(t *testing.T) { func TestCommandSide_UpdateInstanceGitHubEnterpriseIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -2570,7 +2571,7 @@ func TestCommandSide_UpdateInstanceGitHubEnterpriseIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -2585,7 +2586,7 @@ func TestCommandSide_UpdateInstanceGitHubEnterpriseIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -2601,7 +2602,7 @@ func TestCommandSide_UpdateInstanceGitHubEnterpriseIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -2619,7 +2620,7 @@ func TestCommandSide_UpdateInstanceGitHubEnterpriseIDP(t *testing.T) { { "invalid auth endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -2638,7 +2639,7 @@ func TestCommandSide_UpdateInstanceGitHubEnterpriseIDP(t *testing.T) { { "invalid token endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -2658,7 +2659,7 @@ func TestCommandSide_UpdateInstanceGitHubEnterpriseIDP(t *testing.T) { { "invalid user endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -2679,7 +2680,7 @@ func TestCommandSide_UpdateInstanceGitHubEnterpriseIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -2701,7 +2702,7 @@ func TestCommandSide_UpdateInstanceGitHubEnterpriseIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewGitHubEnterpriseIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -2741,7 +2742,7 @@ func TestCommandSide_UpdateInstanceGitHubEnterpriseIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewGitHubEnterpriseIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -2820,7 +2821,7 @@ func TestCommandSide_UpdateInstanceGitHubEnterpriseIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateInstanceGitHubEnterpriseProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -2839,7 +2840,7 @@ func TestCommandSide_UpdateInstanceGitHubEnterpriseIDP(t *testing.T) { func TestCommandSide_AddInstanceGitLabIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -2861,7 +2862,7 @@ func TestCommandSide_AddInstanceGitLabIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2877,7 +2878,7 @@ func TestCommandSide_AddInstanceGitLabIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2895,7 +2896,7 @@ func TestCommandSide_AddInstanceGitLabIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewGitLabIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -2931,7 +2932,7 @@ func TestCommandSide_AddInstanceGitLabIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewGitLabIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -2980,7 +2981,7 @@ func TestCommandSide_AddInstanceGitLabIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -3001,7 +3002,7 @@ func TestCommandSide_AddInstanceGitLabIDP(t *testing.T) { func TestCommandSide_UpdateInstanceGitLabIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -3022,7 +3023,7 @@ func TestCommandSide_UpdateInstanceGitLabIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -3037,7 +3038,7 @@ func TestCommandSide_UpdateInstanceGitLabIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -3053,7 +3054,7 @@ func TestCommandSide_UpdateInstanceGitLabIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -3071,7 +3072,7 @@ func TestCommandSide_UpdateInstanceGitLabIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewGitLabIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -3104,7 +3105,7 @@ func TestCommandSide_UpdateInstanceGitLabIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewGitLabIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -3172,7 +3173,7 @@ func TestCommandSide_UpdateInstanceGitLabIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateInstanceGitLabProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -3191,7 +3192,7 @@ func TestCommandSide_UpdateInstanceGitLabIDP(t *testing.T) { func TestCommandSide_AddInstanceGitLabSelfHostedIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -3213,7 +3214,7 @@ func TestCommandSide_AddInstanceGitLabSelfHostedIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -3229,7 +3230,7 @@ func TestCommandSide_AddInstanceGitLabSelfHostedIDP(t *testing.T) { { "invalid issuer", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -3247,7 +3248,7 @@ func TestCommandSide_AddInstanceGitLabSelfHostedIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -3266,7 +3267,7 @@ func TestCommandSide_AddInstanceGitLabSelfHostedIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -3286,7 +3287,7 @@ func TestCommandSide_AddInstanceGitLabSelfHostedIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewGitLabSelfHostedIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -3325,7 +3326,7 @@ func TestCommandSide_AddInstanceGitLabSelfHostedIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewGitLabSelfHostedIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -3377,7 +3378,7 @@ func TestCommandSide_AddInstanceGitLabSelfHostedIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -3398,7 +3399,7 @@ func TestCommandSide_AddInstanceGitLabSelfHostedIDP(t *testing.T) { func TestCommandSide_UpdateInstanceGitLabSelfHostedIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -3419,7 +3420,7 @@ func TestCommandSide_UpdateInstanceGitLabSelfHostedIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -3434,7 +3435,7 @@ func TestCommandSide_UpdateInstanceGitLabSelfHostedIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -3450,7 +3451,7 @@ func TestCommandSide_UpdateInstanceGitLabSelfHostedIDP(t *testing.T) { { "invalid issuer", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -3468,7 +3469,7 @@ func TestCommandSide_UpdateInstanceGitLabSelfHostedIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -3487,7 +3488,7 @@ func TestCommandSide_UpdateInstanceGitLabSelfHostedIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -3507,7 +3508,7 @@ func TestCommandSide_UpdateInstanceGitLabSelfHostedIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewGitLabSelfHostedIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -3543,7 +3544,7 @@ func TestCommandSide_UpdateInstanceGitLabSelfHostedIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewGitLabSelfHostedIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -3616,7 +3617,7 @@ func TestCommandSide_UpdateInstanceGitLabSelfHostedIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateInstanceGitLabSelfHostedProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -3635,7 +3636,7 @@ func TestCommandSide_UpdateInstanceGitLabSelfHostedIDP(t *testing.T) { func TestCommandSide_AddInstanceGoogleIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -3657,7 +3658,7 @@ func TestCommandSide_AddInstanceGoogleIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -3673,7 +3674,7 @@ func TestCommandSide_AddInstanceGoogleIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -3691,7 +3692,7 @@ func TestCommandSide_AddInstanceGoogleIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewGoogleIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -3727,7 +3728,7 @@ func TestCommandSide_AddInstanceGoogleIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewGoogleIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -3776,7 +3777,7 @@ func TestCommandSide_AddInstanceGoogleIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -3797,7 +3798,7 @@ func TestCommandSide_AddInstanceGoogleIDP(t *testing.T) { func TestCommandSide_UpdateInstanceGoogleIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -3818,7 +3819,7 @@ func TestCommandSide_UpdateInstanceGoogleIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -3833,7 +3834,7 @@ func TestCommandSide_UpdateInstanceGoogleIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -3849,7 +3850,7 @@ func TestCommandSide_UpdateInstanceGoogleIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -3867,7 +3868,7 @@ func TestCommandSide_UpdateInstanceGoogleIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewGoogleIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -3900,7 +3901,7 @@ func TestCommandSide_UpdateInstanceGoogleIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewGoogleIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -3968,7 +3969,7 @@ func TestCommandSide_UpdateInstanceGoogleIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateInstanceGoogleProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -3987,7 +3988,7 @@ func TestCommandSide_UpdateInstanceGoogleIDP(t *testing.T) { func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -4009,7 +4010,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4025,7 +4026,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { { "invalid baseDN", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4043,7 +4044,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { { "invalid bindDN", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4062,7 +4063,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { { "invalid bindPassword", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4082,7 +4083,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { { "invalid userBase", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4103,7 +4104,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { { "invalid servers", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4125,7 +4126,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { { "invalid userObjectClasses", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4148,7 +4149,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { { "invalid userFilters", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4172,7 +4173,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewLDAPIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -4223,7 +4224,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewLDAPIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -4315,7 +4316,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -4336,7 +4337,7 @@ func TestCommandSide_AddInstanceLDAPIDP(t *testing.T) { func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -4357,7 +4358,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -4372,7 +4373,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -4388,7 +4389,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { { "invalid baseDN", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -4406,7 +4407,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { { "invalid bindDN", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -4425,7 +4426,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { { "invalid userbase", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -4445,7 +4446,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { { "invalid servers", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -4466,7 +4467,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { { "invalid userObjectClasses", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -4488,7 +4489,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { { "invalid userFilters", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -4511,7 +4512,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -4538,7 +4539,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewLDAPIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -4586,7 +4587,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewLDAPIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -4705,7 +4706,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateInstanceLDAPProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -4724,7 +4725,7 @@ func TestCommandSide_UpdateInstanceLDAPIDP(t *testing.T) { func TestCommandSide_AddInstanceAppleIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -4746,7 +4747,7 @@ func TestCommandSide_AddInstanceAppleIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4762,7 +4763,7 @@ func TestCommandSide_AddInstanceAppleIDP(t *testing.T) { { "invalid teamID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4780,7 +4781,7 @@ func TestCommandSide_AddInstanceAppleIDP(t *testing.T) { { "invalid keyID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4799,7 +4800,7 @@ func TestCommandSide_AddInstanceAppleIDP(t *testing.T) { { "invalid privateKey", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4819,7 +4820,7 @@ func TestCommandSide_AddInstanceAppleIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewAppleIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -4859,7 +4860,7 @@ func TestCommandSide_AddInstanceAppleIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewAppleIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -4912,7 +4913,7 @@ func TestCommandSide_AddInstanceAppleIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -4933,7 +4934,7 @@ func TestCommandSide_AddInstanceAppleIDP(t *testing.T) { func TestCommandSide_UpdateInstanceAppleIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -4954,7 +4955,7 @@ func TestCommandSide_UpdateInstanceAppleIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -4969,7 +4970,7 @@ func TestCommandSide_UpdateInstanceAppleIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -4985,7 +4986,7 @@ func TestCommandSide_UpdateInstanceAppleIDP(t *testing.T) { { "invalid teamID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -5003,7 +5004,7 @@ func TestCommandSide_UpdateInstanceAppleIDP(t *testing.T) { { "invalid keyID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -5022,7 +5023,7 @@ func TestCommandSide_UpdateInstanceAppleIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -5042,7 +5043,7 @@ func TestCommandSide_UpdateInstanceAppleIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewAppleIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -5079,7 +5080,7 @@ func TestCommandSide_UpdateInstanceAppleIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewAppleIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -5153,7 +5154,7 @@ func TestCommandSide_UpdateInstanceAppleIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateInstanceAppleProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -5172,7 +5173,7 @@ func TestCommandSide_UpdateInstanceAppleIDP(t *testing.T) { func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm certificateAndKeyGenerator func(id string) ([]byte, []byte, error) @@ -5195,7 +5196,7 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -5211,7 +5212,7 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) { { "invalid metadata", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -5229,7 +5230,7 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewSAMLIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -5245,6 +5246,8 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) { []byte("certificate"), "", false, + nil, + "", idp.Options{}, ), ), @@ -5268,7 +5271,7 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( instance.NewSAMLIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -5284,6 +5287,8 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) { []byte("certificate"), "binding", true, + gu.Ptr(domain.SAMLNameIDFormatTransient), + "customAttribute", idp.Options{ IsCreationAllowed: true, IsLinkingAllowed: true, @@ -5300,10 +5305,12 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) { args: args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), provider: SAMLProvider{ - Name: "name", - Metadata: []byte("metadata"), - Binding: "binding", - WithSignedRequest: true, + Name: "name", + Metadata: []byte("metadata"), + Binding: "binding", + WithSignedRequest: true, + NameIDFormat: gu.Ptr(domain.SAMLNameIDFormatTransient), + TransientMappingAttributeName: "customAttribute", IDPOptions: idp.Options{ IsCreationAllowed: true, IsLinkingAllowed: true, @@ -5321,7 +5328,7 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, samlCertificateAndKeyGenerator: tt.fields.certificateAndKeyGenerator, @@ -5343,7 +5350,7 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) { func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -5364,7 +5371,7 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -5379,7 +5386,7 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -5395,7 +5402,7 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { { "invalid metadata", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -5413,7 +5420,7 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -5432,7 +5439,7 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewSAMLIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -5448,6 +5455,8 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { []byte("certificate"), "", false, + nil, + "", idp.Options{}, )), ), @@ -5468,7 +5477,7 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewSAMLIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -5484,6 +5493,8 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { []byte("certificate"), "binding", false, + gu.Ptr(domain.SAMLNameIDFormatUnspecified), + "", idp.Options{}, )), ), @@ -5497,6 +5508,8 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { idp.ChangeSAMLMetadata([]byte("new metadata")), idp.ChangeSAMLBinding("new binding"), idp.ChangeSAMLWithSignedRequest(true), + idp.ChangeSAMLNameIDFormat(gu.Ptr(domain.SAMLNameIDFormatTransient)), + idp.ChangeSAMLTransientMappingAttributeName("customAttribute"), idp.ChangeSAMLOptions(idp.OptionChanges{ IsCreationAllowed: &t, IsLinkingAllowed: &t, @@ -5515,10 +5528,12 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { ctx: authz.WithInstanceID(context.Background(), "instance1"), id: "id1", provider: SAMLProvider{ - Name: "new name", - Metadata: []byte("new metadata"), - Binding: "new binding", - WithSignedRequest: true, + Name: "new name", + Metadata: []byte("new metadata"), + Binding: "new binding", + WithSignedRequest: true, + NameIDFormat: gu.Ptr(domain.SAMLNameIDFormatTransient), + TransientMappingAttributeName: "customAttribute", IDPOptions: idp.Options{ IsCreationAllowed: true, IsLinkingAllowed: true, @@ -5535,7 +5550,7 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateInstanceSAMLProvider(tt.args.ctx, tt.args.id, tt.args.provider) @@ -5554,7 +5569,7 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) { func TestCommandSide_RegenerateInstanceSAMLProviderCertificate(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm certificateAndKeyGenerator func(id string) ([]byte, []byte, error) } @@ -5575,7 +5590,7 @@ func TestCommandSide_RegenerateInstanceSAMLProviderCertificate(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: authz.WithInstanceID(context.Background(), "instance1"), @@ -5589,7 +5604,7 @@ func TestCommandSide_RegenerateInstanceSAMLProviderCertificate(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -5604,7 +5619,7 @@ func TestCommandSide_RegenerateInstanceSAMLProviderCertificate(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( instance.NewSAMLIDPAddedEvent(context.Background(), &instance.NewAggregate("instance1").Aggregate, @@ -5620,6 +5635,8 @@ func TestCommandSide_RegenerateInstanceSAMLProviderCertificate(t *testing.T) { []byte("certificate"), "binding", false, + gu.Ptr(domain.SAMLNameIDFormatUnspecified), + "", idp.Options{}, )), ), @@ -5658,7 +5675,7 @@ func TestCommandSide_RegenerateInstanceSAMLProviderCertificate(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, samlCertificateAndKeyGenerator: tt.fields.certificateAndKeyGenerator, } diff --git a/internal/command/instance_policy_label.go b/internal/command/instance_policy_label.go index 8392a7d564..3d047f65bc 100644 --- a/internal/command/instance_policy_label.go +++ b/internal/command/instance_policy_label.go @@ -12,38 +12,6 @@ import ( "github.com/zitadel/zitadel/internal/zerrors" ) -func (c *Commands) AddDefaultLabelPolicy( - ctx context.Context, - primaryColor, backgroundColor, warnColor, fontColor, primaryColorDark, backgroundColorDark, warnColorDark, fontColorDark string, - hideLoginNameSuffix, errorMsgPopup, disableWatermark bool, themeMode domain.LabelPolicyThemeMode, -) (*domain.ObjectDetails, error) { - instanceAgg := instance.NewAggregate(authz.GetInstance(ctx).InstanceID()) - cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, - prepareAddDefaultLabelPolicy( - instanceAgg, - primaryColor, - backgroundColor, - warnColor, - fontColor, - primaryColorDark, - backgroundColorDark, - warnColorDark, - fontColorDark, - hideLoginNameSuffix, - errorMsgPopup, - disableWatermark, - themeMode, - )) - if err != nil { - return nil, err - } - pushedEvents, err := c.eventstore.Push(ctx, cmds...) - if err != nil { - return nil, err - } - return pushedEventsToObjectDetails(pushedEvents), nil -} - func (c *Commands) ChangeDefaultLabelPolicy(ctx context.Context, policy *domain.LabelPolicy) (*domain.LabelPolicy, error) { if err := policy.IsValid(); err != nil { return nil, err @@ -373,6 +341,8 @@ func (c *Commands) getDefaultLabelPolicy(ctx context.Context) (*domain.LabelPoli return policy, nil } +// prepareAddDefaultLabelPolicy adds a default label policy, if none exists prior, and activates it directly +// this functions is only used on instance setup so the policy can be activated directly func prepareAddDefaultLabelPolicy( a *instance.Aggregate, primaryColor, @@ -417,6 +387,7 @@ func prepareAddDefaultLabelPolicy( disableWatermark, themeMode, ), + instance.NewLabelPolicyActivatedEvent(ctx, &a.Aggregate), }, nil }, nil } diff --git a/internal/command/instance_policy_label_test.go b/internal/command/instance_policy_label_test.go index ca508d414b..3720fba094 100644 --- a/internal/command/instance_policy_label_test.go +++ b/internal/command/instance_policy_label_test.go @@ -19,160 +19,6 @@ import ( "github.com/zitadel/zitadel/internal/zerrors" ) -func TestCommandSide_AddDefaultLabelPolicy(t *testing.T) { - type fields struct { - eventstore *eventstore.Eventstore - } - type args struct { - ctx context.Context - primaryColor string - backgroundColor string - warnColor string - fontColor string - primaryColorDark string - backgroundColorDark string - warnColorDark string - fontColorDark string - hideLoginNameSuffix bool - errorMsgPopup bool - disableWatermark bool - themeMode domain.LabelPolicyThemeMode - } - type res struct { - want *domain.ObjectDetails - err func(error) bool - } - tests := []struct { - name string - fields fields - args args - res res - }{ - { - name: "labelpolicy already existing, already exists error", - fields: fields{ - eventstore: eventstoreExpect( - t, - expectFilter( - eventFromEventPusher( - instance.NewLabelPolicyAddedEvent(context.Background(), - &instance.NewAggregate("INSTANCE").Aggregate, - "#ffffff", - "#ffffff", - "#ffffff", - "#ffffff", - "#ffffff", - "#ffffff", - "#ffffff", - "#ffffff", - true, - true, - true, - domain.LabelPolicyThemeAuto, - ), - ), - ), - ), - }, - args: args{ - ctx: context.Background(), - primaryColor: "#ffffff", - backgroundColor: "#ffffff", - warnColor: "#ffffff", - fontColor: "#ffffff", - primaryColorDark: "#ffffff", - backgroundColorDark: "#ffffff", - warnColorDark: "#ffffff", - fontColorDark: "#ffffff", - hideLoginNameSuffix: true, - errorMsgPopup: true, - disableWatermark: true, - themeMode: domain.LabelPolicyThemeAuto, - }, - res: res{ - err: zerrors.IsErrorAlreadyExists, - }, - }, - { - name: "add policy,ok", - fields: fields{ - eventstore: eventstoreExpect( - t, - expectFilter(), - expectPush( - instance.NewLabelPolicyAddedEvent(context.Background(), - &instance.NewAggregate("INSTANCE").Aggregate, - "#ffffff", - "#ffffff", - "#ffffff", - "#ffffff", - "#ffffff", - "#ffffff", - "#ffffff", - "#ffffff", - true, - true, - true, - domain.LabelPolicyThemeDark, - ), - ), - ), - }, - args: args{ - ctx: authz.WithInstanceID(context.Background(), "INSTANCE"), - primaryColor: "#ffffff", - backgroundColor: "#ffffff", - warnColor: "#ffffff", - fontColor: "#ffffff", - primaryColorDark: "#ffffff", - backgroundColorDark: "#ffffff", - warnColorDark: "#ffffff", - fontColorDark: "#ffffff", - hideLoginNameSuffix: true, - errorMsgPopup: true, - disableWatermark: true, - themeMode: domain.LabelPolicyThemeDark, - }, - res: res{ - want: &domain.ObjectDetails{ - ResourceOwner: "INSTANCE", - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - r := &Commands{ - eventstore: tt.fields.eventstore, - } - got, err := r.AddDefaultLabelPolicy( - tt.args.ctx, - tt.args.primaryColor, - tt.args.backgroundColor, - tt.args.warnColor, - tt.args.fontColor, - tt.args.primaryColorDark, - tt.args.backgroundColorDark, - tt.args.warnColorDark, - tt.args.fontColorDark, - tt.args.hideLoginNameSuffix, - tt.args.errorMsgPopup, - tt.args.disableWatermark, - tt.args.themeMode, - ) - if tt.res.err == nil { - assert.NoError(t, err) - } - if tt.res.err != nil && !tt.res.err(err) { - t.Errorf("got wrong err: %v ", err) - } - if tt.res.err == nil { - assert.Equal(t, tt.res.want, got) - } - }) - } -} - func TestCommandSide_ChangeDefaultLabelPolicy(t *testing.T) { type fields struct { eventstore *eventstore.Eventstore diff --git a/internal/command/instance_policy_privacy.go b/internal/command/instance_policy_privacy.go index f239bad144..8ef8be4216 100644 --- a/internal/command/instance_policy_privacy.go +++ b/internal/command/instance_policy_privacy.go @@ -12,17 +12,37 @@ import ( "github.com/zitadel/zitadel/internal/zerrors" ) -func (c *Commands) AddDefaultPrivacyPolicy(ctx context.Context, tosLink, privacyLink, helpLink string, supportEmail domain.EmailAddress) (*domain.ObjectDetails, error) { +func (c *Commands) AddDefaultPrivacyPolicy(ctx context.Context, tosLink, privacyLink, helpLink string, supportEmail domain.EmailAddress, docsLink, customLink, customLinkText string) (*domain.ObjectDetails, error) { instanceAgg := instance.NewAggregate(authz.GetInstance(ctx).InstanceID()) - cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, prepareAddDefaultPrivacyPolicy(instanceAgg, tosLink, privacyLink, helpLink, supportEmail)) + + if supportEmail != "" { + if err := supportEmail.Validate(); err != nil { + return nil, err + } + supportEmail = supportEmail.Normalize() + } + + writeModel := NewInstancePrivacyPolicyWriteModel(ctx) + err := c.eventstore.FilterToQueryReducer(ctx, writeModel) if err != nil { return nil, err } - pushedEvents, err := c.eventstore.Push(ctx, cmds...) + if writeModel.State.Exists() { + return nil, zerrors.ThrowAlreadyExists(nil, "INSTANCE-M00rJ", "Errors.Instance.PrivacyPolicy.AlreadyExists") + } + + event := instance.NewPrivacyPolicyAddedEvent(ctx, &instanceAgg.Aggregate, tosLink, privacyLink, helpLink, supportEmail, docsLink, customLink, customLinkText) + + pushedEvents, err := c.eventstore.Push(ctx, event) if err != nil { return nil, err } - return pushedEventsToObjectDetails(pushedEvents), nil + err = AppendAndReduce(writeModel, pushedEvents...) + if err != nil { + return nil, err + } + + return writeModelToObjectDetails(&writeModel.WriteModel), nil } func (c *Commands) ChangeDefaultPrivacyPolicy(ctx context.Context, policy *domain.PrivacyPolicy) (*domain.PrivacyPolicy, error) { @@ -42,7 +62,7 @@ func (c *Commands) ChangeDefaultPrivacyPolicy(ctx context.Context, policy *domai } instanceAgg := InstanceAggregateFromWriteModel(&existingPolicy.PrivacyPolicyWriteModel.WriteModel) - changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, instanceAgg, policy.TOSLink, policy.PrivacyLink, policy.HelpLink, policy.SupportEmail) + changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, instanceAgg, policy.TOSLink, policy.PrivacyLink, policy.HelpLink, policy.SupportEmail, policy.DocsLink, policy.CustomLink, policy.CustomLinkText) if !hasChanged { return nil, zerrors.ThrowPreconditionFailed(nil, "INSTANCE-9jJfs", "Errors.IAM.PrivacyPolicy.NotChanged") } @@ -89,6 +109,7 @@ func prepareAddDefaultPrivacyPolicy( privacyLink, helpLink string, supportEmail domain.EmailAddress, + docsLink, customLink, customLinkText string, ) preparation.Validation { return func() (preparation.CreateCommands, error) { if supportEmail != "" { @@ -111,7 +132,7 @@ func prepareAddDefaultPrivacyPolicy( return nil, zerrors.ThrowAlreadyExists(nil, "INSTANCE-M00rJ", "Errors.Instance.PrivacyPolicy.AlreadyExists") } return []eventstore.Command{ - instance.NewPrivacyPolicyAddedEvent(ctx, &a.Aggregate, tosLink, privacyLink, helpLink, supportEmail), + instance.NewPrivacyPolicyAddedEvent(ctx, &a.Aggregate, tosLink, privacyLink, helpLink, supportEmail, docsLink, customLink, customLinkText), }, nil }, nil } diff --git a/internal/command/instance_policy_privacy_model.go b/internal/command/instance_policy_privacy_model.go index 24263a05de..630a28b92b 100644 --- a/internal/command/instance_policy_privacy_model.go +++ b/internal/command/instance_policy_privacy_model.go @@ -59,6 +59,7 @@ func (wm *InstancePrivacyPolicyWriteModel) NewChangedEvent( privacyLink, helpLink string, supportEmail domain.EmailAddress, + docsLink, customLink, customLinkText string, ) (*instance.PrivacyPolicyChangedEvent, bool) { changes := make([]policy.PrivacyPolicyChanges, 0) @@ -74,6 +75,15 @@ func (wm *InstancePrivacyPolicyWriteModel) NewChangedEvent( if wm.SupportEmail != supportEmail { changes = append(changes, policy.ChangeSupportEmail(supportEmail)) } + if wm.DocsLink != docsLink { + changes = append(changes, policy.ChangeDocsLink(docsLink)) + } + if wm.CustomLink != customLink { + changes = append(changes, policy.ChangeCustomLink(customLink)) + } + if wm.CustomLinkText != customLinkText { + changes = append(changes, policy.ChangeCustomLinkText(customLinkText)) + } if len(changes) == 0 { return nil, false } diff --git a/internal/command/instance_policy_privacy_test.go b/internal/command/instance_policy_privacy_test.go index a5b8932b38..ed09ba0f53 100644 --- a/internal/command/instance_policy_privacy_test.go +++ b/internal/command/instance_policy_privacy_test.go @@ -20,11 +20,14 @@ func TestCommandSide_AddDefaultPrivacyPolicy(t *testing.T) { eventstore *eventstore.Eventstore } type args struct { - ctx context.Context - tosLink string - privacyLink string - helpLink string - supportEmail domain.EmailAddress + ctx context.Context + tosLink string + privacyLink string + helpLink string + supportEmail domain.EmailAddress + docsLink string + customLink string + customLinkText string } type res struct { want *domain.ObjectDetails @@ -49,17 +52,23 @@ func TestCommandSide_AddDefaultPrivacyPolicy(t *testing.T) { "PrivacyLink", "HelpLink", "support@example.com", + "DocsLink", + "CustomLink", + "Custom", ), ), ), ), }, args: args{ - ctx: context.Background(), - tosLink: "TOSLink", - privacyLink: "PrivacyLink", - helpLink: "HelpLink", - supportEmail: "support@example.com", + ctx: context.Background(), + tosLink: "TOSLink", + privacyLink: "PrivacyLink", + helpLink: "HelpLink", + supportEmail: "support@example.com", + docsLink: "DocsLink", + customLink: "CustomLink", + customLinkText: "Custom", }, res: res{ err: zerrors.IsErrorAlreadyExists, @@ -78,16 +87,22 @@ func TestCommandSide_AddDefaultPrivacyPolicy(t *testing.T) { "PrivacyLink", "HelpLink", "support@example.com", + "DocsLink", + "CustomLink", + "Custom", ), ), ), }, args: args{ - ctx: authz.WithInstanceID(context.Background(), "INSTANCE"), - tosLink: "TOSLink", - privacyLink: "PrivacyLink", - helpLink: "HelpLink", - supportEmail: "support@example.com", + ctx: authz.WithInstanceID(context.Background(), "INSTANCE"), + tosLink: "TOSLink", + privacyLink: "PrivacyLink", + helpLink: "HelpLink", + supportEmail: "support@example.com", + docsLink: "DocsLink", + customLink: "CustomLink", + customLinkText: "Custom", }, res: res{ want: &domain.ObjectDetails{ @@ -103,11 +118,14 @@ func TestCommandSide_AddDefaultPrivacyPolicy(t *testing.T) { ), }, args: args{ - ctx: authz.WithInstanceID(context.Background(), "INSTANCE"), - tosLink: "TOSLink", - privacyLink: "PrivacyLink", - helpLink: "HelpLink", - supportEmail: "wrong email", + ctx: authz.WithInstanceID(context.Background(), "INSTANCE"), + tosLink: "TOSLink", + privacyLink: "PrivacyLink", + helpLink: "HelpLink", + supportEmail: "wrong email", + docsLink: "DocsLink", + customLink: "CustomLink", + customLinkText: "Custom", }, res: res{ err: zerrors.IsErrorInvalidArgument, @@ -126,6 +144,9 @@ func TestCommandSide_AddDefaultPrivacyPolicy(t *testing.T) { "", "", "", + "", + "", + "", ), ), ), @@ -149,7 +170,7 @@ func TestCommandSide_AddDefaultPrivacyPolicy(t *testing.T) { r := &Commands{ eventstore: tt.fields.eventstore, } - got, err := r.AddDefaultPrivacyPolicy(tt.args.ctx, tt.args.tosLink, tt.args.privacyLink, tt.args.helpLink, tt.args.supportEmail) + got, err := r.AddDefaultPrivacyPolicy(tt.args.ctx, tt.args.tosLink, tt.args.privacyLink, tt.args.helpLink, tt.args.supportEmail, tt.args.docsLink, tt.args.customLink, tt.args.customLinkText) if tt.res.err == nil { assert.NoError(t, err) } @@ -192,10 +213,13 @@ func TestCommandSide_ChangeDefaultPrivacyPolicy(t *testing.T) { args: args{ ctx: context.Background(), policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLink", - PrivacyLink: "PrivacyLink", - HelpLink: "HelpLink", - SupportEmail: "support@example.com", + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + HelpLink: "HelpLink", + SupportEmail: "support@example.com", + DocsLink: "DocsLink", + CustomLink: "CustomLink", + CustomLinkText: "CustomLinkText", }, }, res: res{ @@ -215,6 +239,9 @@ func TestCommandSide_ChangeDefaultPrivacyPolicy(t *testing.T) { "PrivacyLink", "HelpLink", "support@example.com", + "DocsLink", + "CustomLink", + "CustomLinkText", ), ), ), @@ -223,10 +250,13 @@ func TestCommandSide_ChangeDefaultPrivacyPolicy(t *testing.T) { args: args{ ctx: context.Background(), policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLink", - PrivacyLink: "PrivacyLink", - HelpLink: "HelpLink", - SupportEmail: "support@example.com", + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + HelpLink: "HelpLink", + SupportEmail: "support@example.com", + DocsLink: "DocsLink", + CustomLink: "CustomLink", + CustomLinkText: "CustomLinkText", }, }, res: res{ @@ -243,10 +273,13 @@ func TestCommandSide_ChangeDefaultPrivacyPolicy(t *testing.T) { args: args{ ctx: context.Background(), policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLink", - PrivacyLink: "PrivacyLink", - HelpLink: "HelpLink", - SupportEmail: "wrong email", + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + HelpLink: "HelpLink", + SupportEmail: "wrong email", + DocsLink: "DocsLink", + CustomLink: "CustomLink", + CustomLinkText: "CustomLinkText", }, }, res: res{ @@ -266,6 +299,9 @@ func TestCommandSide_ChangeDefaultPrivacyPolicy(t *testing.T) { "PrivacyLink", "HelpLink", "support@example.com", + "DocsLink", + "CustomLink", + "CustomLinkText", ), ), ), @@ -275,6 +311,9 @@ func TestCommandSide_ChangeDefaultPrivacyPolicy(t *testing.T) { "PrivacyLinkChanged", "HelpLinkChanged", "support2@example.com", + "DocsLinkChanged", + "CustomLinkChanged", + "CustomLinkTextChanged", ), ), ), @@ -282,10 +321,13 @@ func TestCommandSide_ChangeDefaultPrivacyPolicy(t *testing.T) { args: args{ ctx: context.Background(), policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLinkChanged", - PrivacyLink: "PrivacyLinkChanged", - HelpLink: "HelpLinkChanged", - SupportEmail: "support2@example.com", + TOSLink: "TOSLinkChanged", + PrivacyLink: "PrivacyLinkChanged", + HelpLink: "HelpLinkChanged", + SupportEmail: "support2@example.com", + DocsLink: "DocsLinkChanged", + CustomLink: "CustomLinkChanged", + CustomLinkText: "CustomLinkTextChanged", }, }, res: res{ @@ -295,10 +337,13 @@ func TestCommandSide_ChangeDefaultPrivacyPolicy(t *testing.T) { ResourceOwner: "INSTANCE", InstanceID: "INSTANCE", }, - TOSLink: "TOSLinkChanged", - PrivacyLink: "PrivacyLinkChanged", - HelpLink: "HelpLinkChanged", - SupportEmail: "support2@example.com", + TOSLink: "TOSLinkChanged", + PrivacyLink: "PrivacyLinkChanged", + HelpLink: "HelpLinkChanged", + SupportEmail: "support2@example.com", + DocsLink: "DocsLinkChanged", + CustomLink: "CustomLinkChanged", + CustomLinkText: "CustomLinkTextChanged", }, }, }, @@ -322,7 +367,7 @@ func TestCommandSide_ChangeDefaultPrivacyPolicy(t *testing.T) { } } -func newDefaultPrivacyPolicyChangedEvent(ctx context.Context, tosLink, privacyLink, helpLink, supportEmail string) *instance.PrivacyPolicyChangedEvent { +func newDefaultPrivacyPolicyChangedEvent(ctx context.Context, tosLink, privacyLink, helpLink, supportEmail, docsLink, customLink, customLinkText string) *instance.PrivacyPolicyChangedEvent { event, _ := instance.NewPrivacyPolicyChangedEvent(ctx, &instance.NewAggregate("INSTANCE").Aggregate, []policy.PrivacyPolicyChanges{ @@ -330,6 +375,9 @@ func newDefaultPrivacyPolicyChangedEvent(ctx context.Context, tosLink, privacyLi policy.ChangePrivacyLink(privacyLink), policy.ChangeHelpLink(helpLink), policy.ChangeSupportEmail(domain.EmailAddress(supportEmail)), + policy.ChangeDocsLink(docsLink), + policy.ChangeCustomLink(customLink), + policy.ChangeCustomLinkText(customLinkText), }, ) return event diff --git a/internal/command/instance_test.go b/internal/command/instance_test.go index 8f4f5b68e3..9cfcbb6926 100644 --- a/internal/command/instance_test.go +++ b/internal/command/instance_test.go @@ -2,17 +2,1224 @@ package command import ( "context" + "encoding/json" + "slices" + "strings" "testing" + "time" "github.com/stretchr/testify/assert" + "go.uber.org/mock/gomock" + "golang.org/x/text/language" "github.com/zitadel/zitadel/internal/api/authz" + "github.com/zitadel/zitadel/internal/command/preparation" + "github.com/zitadel/zitadel/internal/crypto" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" + "github.com/zitadel/zitadel/internal/id" + id_mock "github.com/zitadel/zitadel/internal/id/mock" "github.com/zitadel/zitadel/internal/repository/instance" + "github.com/zitadel/zitadel/internal/repository/org" + "github.com/zitadel/zitadel/internal/repository/project" + "github.com/zitadel/zitadel/internal/repository/user" "github.com/zitadel/zitadel/internal/zerrors" ) +func instanceSetupZitadelIDs() ZitadelConfig { + return ZitadelConfig{ + instanceID: "INSTANCE", + orgID: "ORG", + projectID: "PROJECT", + consoleAppID: "console-id", + authAppID: "auth-id", + mgmtAppID: "mgmt-id", + adminAppID: "admin-id", + } +} + +func projectAddedEvents(ctx context.Context, instanceID, orgID, id, owner string, externalSecure bool) []eventstore.Command { + events := []eventstore.Command{ + project.NewProjectAddedEvent(ctx, + &project.NewAggregate(id, orgID).Aggregate, + "ZITADEL", + false, + false, + false, + domain.PrivateLabelingSettingUnspecified, + ), + project.NewProjectMemberAddedEvent(ctx, + &project.NewAggregate(id, orgID).Aggregate, + owner, + domain.RoleProjectOwner, + ), + instance.NewIAMProjectSetEvent(ctx, + &instance.NewAggregate(instanceID).Aggregate, + id, + ), + } + events = append(events, apiAppEvents(ctx, orgID, id, "mgmt-id", "Management-API")...) + events = append(events, apiAppEvents(ctx, orgID, id, "admin-id", "Admin-API")...) + events = append(events, apiAppEvents(ctx, orgID, id, "auth-id", "Auth-API")...) + + consoleAppID := "console-id" + consoleClientID := "clientID@zitadel" + events = append(events, oidcAppEvents(ctx, orgID, id, consoleAppID, "Console", consoleClientID, externalSecure)...) + events = append(events, + instance.NewIAMConsoleSetEvent(ctx, + &instance.NewAggregate(instanceID).Aggregate, + &consoleClientID, + &consoleAppID, + ), + ) + return events +} + +func projectClientIDs() []string { + return []string{"clientID", "clientID", "clientID", "clientID"} +} + +func apiAppEvents(ctx context.Context, orgID, projectID, id, name string) []eventstore.Command { + return []eventstore.Command{ + project.NewApplicationAddedEvent( + ctx, + &project.NewAggregate(projectID, orgID).Aggregate, + id, + name, + ), + project.NewAPIConfigAddedEvent(ctx, + &project.NewAggregate(projectID, orgID).Aggregate, + id, + "clientID@zitadel", + "", + domain.APIAuthMethodTypePrivateKeyJWT, + ), + } +} + +func oidcAppEvents(ctx context.Context, orgID, projectID, id, name, clientID string, externalSecure bool) []eventstore.Command { + return []eventstore.Command{ + project.NewApplicationAddedEvent( + ctx, + &project.NewAggregate(projectID, orgID).Aggregate, + id, + name, + ), + project.NewOIDCConfigAddedEvent(ctx, + &project.NewAggregate(projectID, orgID).Aggregate, + domain.OIDCVersionV1, + id, + clientID, + "", + []string{}, + []domain.OIDCResponseType{domain.OIDCResponseTypeCode}, + []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode}, + domain.OIDCApplicationTypeUserAgent, + domain.OIDCAuthMethodTypeNone, + []string{}, + !externalSecure, + domain.OIDCTokenTypeBearer, + false, + false, + false, + 0, + nil, + false, + ), + } +} + +func orgFilters(orgID string, machine, human bool) []expect { + filters := []expect{ + expectFilter(), + expectFilter( + org.NewOrgAddedEvent(context.Background(), &org.NewAggregate(orgID).Aggregate, ""), + ), + } + if machine { + filters = append(filters, machineFilters(orgID, true)...) + filters = append(filters, adminMemberFilters(orgID, "USER-MACHINE")...) + } + if human { + filters = append(filters, humanFilters(orgID)...) + filters = append(filters, adminMemberFilters(orgID, "USER")...) + } + + return append(filters, + projectFilters()..., + ) +} + +func orgEvents(ctx context.Context, instanceID, orgID, name, projectID, defaultDomain string, externalSecure bool, machine, human bool) []eventstore.Command { + instanceAgg := instance.NewAggregate(instanceID) + orgAgg := org.NewAggregate(orgID) + domain := strings.ToLower(name + "." + defaultDomain) + events := []eventstore.Command{ + org.NewOrgAddedEvent(ctx, &orgAgg.Aggregate, name), + org.NewDomainAddedEvent(ctx, &orgAgg.Aggregate, domain), + org.NewDomainVerifiedEvent(ctx, &orgAgg.Aggregate, domain), + org.NewDomainPrimarySetEvent(ctx, &orgAgg.Aggregate, domain), + instance.NewDefaultOrgSetEventEvent(ctx, &instanceAgg.Aggregate, orgID), + } + + owner := "" + if machine { + machineID := "USER-MACHINE" + events = append(events, machineEvents(ctx, instanceID, orgID, machineID, "PAT")...) + owner = machineID + } + if human { + userID := "USER" + events = append(events, humanEvents(ctx, instanceID, orgID, userID)...) + owner = userID + } + + events = append(events, projectAddedEvents(ctx, instanceID, orgID, projectID, owner, externalSecure)...) + return events +} + +func orgIDs() []string { + return slices.Concat([]string{"USER-MACHINE", "PAT", "USER"}, projectClientIDs()) +} + +func instancePoliciesFilters(instanceID string) []expect { + return []expect{ + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + } +} + +func instancePoliciesEvents(ctx context.Context, instanceID string) []eventstore.Command { + instanceAgg := instance.NewAggregate(instanceID) + return []eventstore.Command{ + instance.NewPasswordComplexityPolicyAddedEvent(ctx, &instanceAgg.Aggregate, 8, true, true, true, true), + instance.NewPasswordAgePolicyAddedEvent(ctx, &instanceAgg.Aggregate, 0, 0), + instance.NewDomainPolicyAddedEvent(ctx, &instanceAgg.Aggregate, false, false, false), + instance.NewLoginPolicyAddedEvent(ctx, &instanceAgg.Aggregate, true, true, true, false, false, false, false, true, false, false, domain.PasswordlessTypeAllowed, "", 240*time.Hour, 240*time.Hour, 720*time.Hour, 18*time.Hour, 12*time.Hour), + instance.NewLoginPolicySecondFactorAddedEvent(ctx, &instanceAgg.Aggregate, domain.SecondFactorTypeTOTP), + instance.NewLoginPolicySecondFactorAddedEvent(ctx, &instanceAgg.Aggregate, domain.SecondFactorTypeU2F), + instance.NewLoginPolicyMultiFactorAddedEvent(ctx, &instanceAgg.Aggregate, domain.MultiFactorTypeU2FWithPIN), + instance.NewPrivacyPolicyAddedEvent(ctx, &instanceAgg.Aggregate, "", "", "", "", "", "", ""), + instance.NewNotificationPolicyAddedEvent(ctx, &instanceAgg.Aggregate, true), + instance.NewLockoutPolicyAddedEvent(ctx, &instanceAgg.Aggregate, 0, 0, true), + instance.NewLabelPolicyAddedEvent(ctx, &instanceAgg.Aggregate, "#5469d4", "#fafafa", "#cd3d56", "#000000", "#2073c4", "#111827", "#ff3b5b", "#ffffff", false, false, false, domain.LabelPolicyThemeAuto), + instance.NewLabelPolicyActivatedEvent(ctx, &instanceAgg.Aggregate), + } +} + +func instanceSetupPoliciesConfig() *InstanceSetup { + return &InstanceSetup{ + PasswordComplexityPolicy: struct { + MinLength uint64 + HasLowercase bool + HasUppercase bool + HasNumber bool + HasSymbol bool + }{8, true, true, true, true}, + PasswordAgePolicy: struct { + ExpireWarnDays uint64 + MaxAgeDays uint64 + }{0, 0}, + DomainPolicy: struct { + UserLoginMustBeDomain bool + ValidateOrgDomains bool + SMTPSenderAddressMatchesInstanceDomain bool + }{false, false, false}, + LoginPolicy: struct { + AllowUsernamePassword bool + AllowRegister bool + AllowExternalIDP bool + ForceMFA bool + ForceMFALocalOnly bool + HidePasswordReset bool + IgnoreUnknownUsername bool + AllowDomainDiscovery bool + DisableLoginWithEmail bool + DisableLoginWithPhone bool + PasswordlessType domain.PasswordlessType + DefaultRedirectURI string + PasswordCheckLifetime time.Duration + ExternalLoginCheckLifetime time.Duration + MfaInitSkipLifetime time.Duration + SecondFactorCheckLifetime time.Duration + MultiFactorCheckLifetime time.Duration + }{true, true, true, false, false, false, false, true, false, false, domain.PasswordlessTypeAllowed, "", 240 * time.Hour, 240 * time.Hour, 720 * time.Hour, 18 * time.Hour, 12 * time.Hour}, + NotificationPolicy: struct { + PasswordChange bool + }{true}, + PrivacyPolicy: struct { + TOSLink string + PrivacyLink string + HelpLink string + SupportEmail domain.EmailAddress + DocsLink string + CustomLink string + CustomLinkText string + }{"", "", "", "", "", "", ""}, + LabelPolicy: struct { + PrimaryColor string + BackgroundColor string + WarnColor string + FontColor string + PrimaryColorDark string + BackgroundColorDark string + WarnColorDark string + FontColorDark string + HideLoginNameSuffix bool + ErrorMsgPopup bool + DisableWatermark bool + ThemeMode domain.LabelPolicyThemeMode + }{"#5469d4", "#fafafa", "#cd3d56", "#000000", "#2073c4", "#111827", "#ff3b5b", "#ffffff", false, false, false, domain.LabelPolicyThemeAuto}, + LockoutPolicy: struct { + MaxPasswordAttempts uint64 + MaxOTPAttempts uint64 + ShouldShowLockoutFailure bool + }{0, 0, true}, + } +} + +func setupInstanceElementsFilters(instanceID string) []expect { + return slices.Concat( + instanceElementsFilters(), + instancePoliciesFilters(instanceID), + // email template + []expect{expectFilter()}, + ) +} + +func setupInstanceElementsConfig() *InstanceSetup { + conf := instanceSetupPoliciesConfig() + conf.InstanceName = "ZITADEL" + conf.DefaultLanguage = language.English + conf.zitadel = instanceSetupZitadelIDs() + conf.SecretGenerators = instanceElementsConfig() + conf.EmailTemplate = []byte("something") + return conf +} + +func setupInstanceElementsEvents(ctx context.Context, instanceID, instanceName string, defaultLanguage language.Tag) []eventstore.Command { + instanceAgg := instance.NewAggregate(instanceID) + return slices.Concat( + instanceElementsEvents(ctx, instanceID, instanceName, defaultLanguage), + instancePoliciesEvents(ctx, instanceID), + []eventstore.Command{instance.NewMailTemplateAddedEvent(ctx, &instanceAgg.Aggregate, []byte("something"))}, + ) +} + +func instanceElementsFilters() []expect { + return []expect{ + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + } +} + +func instanceElementsEvents(ctx context.Context, instanceID, instanceName string, defaultLanguage language.Tag) []eventstore.Command { + instanceAgg := instance.NewAggregate(instanceID) + return []eventstore.Command{ + instance.NewInstanceAddedEvent(ctx, &instanceAgg.Aggregate, instanceName), + instance.NewDefaultLanguageSetEvent(ctx, &instanceAgg.Aggregate, defaultLanguage), + instance.NewSecretGeneratorAddedEvent(ctx, &instanceAgg.Aggregate, domain.SecretGeneratorTypeAppSecret, 64, 0, true, true, true, false), + instance.NewSecretGeneratorAddedEvent(ctx, &instanceAgg.Aggregate, domain.SecretGeneratorTypeInitCode, 6, 72*time.Hour, false, true, true, false), + instance.NewSecretGeneratorAddedEvent(ctx, &instanceAgg.Aggregate, domain.SecretGeneratorTypeVerifyEmailCode, 6, time.Hour, false, true, true, false), + instance.NewSecretGeneratorAddedEvent(ctx, &instanceAgg.Aggregate, domain.SecretGeneratorTypeVerifyPhoneCode, 6, time.Hour, false, true, true, false), + instance.NewSecretGeneratorAddedEvent(ctx, &instanceAgg.Aggregate, domain.SecretGeneratorTypePasswordResetCode, 6, time.Hour, false, true, true, false), + instance.NewSecretGeneratorAddedEvent(ctx, &instanceAgg.Aggregate, domain.SecretGeneratorTypePasswordlessInitCode, 12, time.Hour, true, true, true, false), + instance.NewSecretGeneratorAddedEvent(ctx, &instanceAgg.Aggregate, domain.SecretGeneratorTypeVerifyDomain, 32, 0, true, true, true, false), + instance.NewSecretGeneratorAddedEvent(ctx, &instanceAgg.Aggregate, domain.SecretGeneratorTypeOTPSMS, 8, 5*time.Minute, false, false, true, false), + instance.NewSecretGeneratorAddedEvent(ctx, &instanceAgg.Aggregate, domain.SecretGeneratorTypeOTPEmail, 8, 5*time.Minute, false, false, true, false), + } +} +func instanceElementsConfig() *SecretGenerators { + return &SecretGenerators{ + ClientSecret: &crypto.GeneratorConfig{Length: 64, IncludeLowerLetters: true, IncludeUpperLetters: true, IncludeDigits: true}, + InitializeUserCode: &crypto.GeneratorConfig{Length: 6, Expiry: 72 * time.Hour, IncludeUpperLetters: true, IncludeDigits: true}, + EmailVerificationCode: &crypto.GeneratorConfig{Length: 6, Expiry: time.Hour, IncludeUpperLetters: true, IncludeDigits: true}, + PhoneVerificationCode: &crypto.GeneratorConfig{Length: 6, Expiry: time.Hour, IncludeUpperLetters: true, IncludeDigits: true}, + PasswordVerificationCode: &crypto.GeneratorConfig{Length: 6, Expiry: time.Hour, IncludeUpperLetters: true, IncludeDigits: true}, + PasswordlessInitCode: &crypto.GeneratorConfig{Length: 12, Expiry: time.Hour, IncludeLowerLetters: true, IncludeUpperLetters: true, IncludeDigits: true}, + DomainVerification: &crypto.GeneratorConfig{Length: 32, IncludeLowerLetters: true, IncludeUpperLetters: true, IncludeDigits: true}, + OTPSMS: &crypto.GeneratorConfig{Length: 8, Expiry: 5 * time.Minute, IncludeDigits: true}, + OTPEmail: &crypto.GeneratorConfig{Length: 8, Expiry: 5 * time.Minute, IncludeDigits: true}, + } +} + +func setupInstanceFilters(instanceID, orgID, projectID, appID, domain string) []expect { + return slices.Concat( + setupInstanceElementsFilters(instanceID), + orgFilters(orgID, true, true), + generatedDomainFilters(instanceID, orgID, projectID, appID, domain), + ) +} + +func setupInstanceEvents(ctx context.Context, instanceID, orgID, projectID, appID, instanceName, orgName string, defaultLanguage language.Tag, domain string, externalSecure bool) []eventstore.Command { + return slices.Concat( + setupInstanceElementsEvents(ctx, instanceID, instanceName, defaultLanguage), + orgEvents(ctx, instanceID, orgID, orgName, projectID, domain, externalSecure, true, true), + generatedDomainEvents(ctx, instanceID, orgID, projectID, appID, domain), + ) +} + +func setupInstanceConfig() *InstanceSetup { + conf := setupInstanceElementsConfig() + conf.Org = InstanceOrgSetup{ + Name: "ZITADEL", + Machine: instanceSetupMachineConfig(), + Human: instanceSetupHumanConfig(), + } + conf.CustomDomain = "" + return conf +} + +func generatedDomainEvents(ctx context.Context, instanceID, orgID, projectID, appID, defaultDomain string) []eventstore.Command { + instanceAgg := instance.NewAggregate(instanceID) + changed, _ := project.NewOIDCConfigChangedEvent(ctx, &project.NewAggregate(projectID, orgID).Aggregate, appID, + []project.OIDCConfigChanges{ + project.ChangeRedirectURIs([]string{"http://" + defaultDomain + "/ui/console/auth/callback"}), + project.ChangePostLogoutRedirectURIs([]string{"http://" + defaultDomain + "/ui/console/signedout"}), + }, + ) + return []eventstore.Command{ + instance.NewDomainAddedEvent(ctx, &instanceAgg.Aggregate, defaultDomain, true), + changed, + instance.NewDomainPrimarySetEvent(ctx, &instanceAgg.Aggregate, defaultDomain), + } +} + +func generatedDomainFilters(instanceID, orgID, projectID, appID, generatedDomain string) []expect { + return []expect{ + expectFilter(), + expectFilter( + project.NewApplicationAddedEvent(context.Background(), + &project.NewAggregate(projectID, orgID).Aggregate, + appID, + "console", + ), + project.NewOIDCConfigAddedEvent(context.Background(), + &project.NewAggregate(projectID, orgID).Aggregate, + domain.OIDCVersionV1, + appID, + "clientID", + "", + []string{}, + []domain.OIDCResponseType{domain.OIDCResponseTypeCode}, + []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode}, + domain.OIDCApplicationTypeUserAgent, + domain.OIDCAuthMethodTypeNone, + []string{}, + true, + domain.OIDCTokenTypeBearer, + false, + false, + false, + 0, + nil, + false, + ), + ), + expectFilter( + func() eventstore.Event { + event := instance.NewDomainAddedEvent(context.Background(), + &instance.NewAggregate(instanceID).Aggregate, + generatedDomain, + true, + ) + event.Data, _ = json.Marshal(event) + return event + }(), + ), + } +} + +func humanFilters(orgID string) []expect { + return []expect{ + expectFilter(), + expectFilter( + org.NewDomainPolicyAddedEvent( + context.Background(), + &org.NewAggregate(orgID).Aggregate, + true, + true, + true, + ), + ), + expectFilter( + org.NewPasswordComplexityPolicyAddedEvent( + context.Background(), + &org.NewAggregate(orgID).Aggregate, + 2, + false, + false, + false, + false, + ), + ), + } +} + +func instanceSetupHumanConfig() *AddHuman { + return &AddHuman{ + Username: "zitadel-admin", + FirstName: "ZITADEL", + LastName: "Admin", + Email: Email{ + Address: domain.EmailAddress("admin@zitadel.test"), + Verified: true, + }, + PreferredLanguage: language.English, + Password: "password", + PasswordChangeRequired: false, + } +} + +func machineFilters(orgID string, pat bool) []expect { + filters := []expect{ + expectFilter(), + expectFilter( + org.NewDomainPolicyAddedEvent( + context.Background(), + &org.NewAggregate(orgID).Aggregate, + true, + true, + true, + ), + ), + } + if pat { + filters = append(filters, + expectFilter(), + expectFilter(), + ) + } + return filters +} + +func instanceSetupMachineConfig() *AddMachine { + return &AddMachine{ + Machine: &Machine{ + Username: "zitadel-admin-machine", + Name: "ZITADEL-machine", + Description: "Admin", + AccessTokenType: domain.OIDCTokenTypeBearer, + }, + Pat: &AddPat{ + ExpirationDate: time.Time{}, + Scopes: nil, + }, + /* not predictable with the key value in the events + MachineKey: &AddMachineKey{ + Type: domain.AuthNKeyTypeJSON, + ExpirationDate: time.Time{}, + }, + */ + } +} + +func projectFilters() []expect { + return []expect{ + expectFilter(), + expectFilter(), + expectFilter(), + expectFilter(), + } +} + +func adminMemberFilters(orgID, userID string) []expect { + return []expect{ + expectFilter( + addHumanEvent(context.Background(), orgID, userID), + ), + expectFilter(), + expectFilter( + addHumanEvent(context.Background(), orgID, userID), + ), + expectFilter(), + } +} + +func humanEvents(ctx context.Context, instanceID, orgID, userID string) []eventstore.Command { + agg := user.NewAggregate(userID, orgID) + instanceAgg := instance.NewAggregate(instanceID) + orgAgg := org.NewAggregate(orgID) + return []eventstore.Command{ + addHumanEvent(ctx, orgID, userID), + user.NewHumanEmailVerifiedEvent(ctx, &agg.Aggregate), + org.NewMemberAddedEvent(ctx, &orgAgg.Aggregate, userID, domain.RoleOrgOwner), + instance.NewMemberAddedEvent(ctx, &instanceAgg.Aggregate, userID, domain.RoleIAMOwner), + } +} + +func addHumanEvent(ctx context.Context, orgID, userID string) *user.HumanAddedEvent { + agg := user.NewAggregate(userID, orgID) + return func() *user.HumanAddedEvent { + event := user.NewHumanAddedEvent( + ctx, + &agg.Aggregate, + "zitadel-admin", + "ZITADEL", + "Admin", + "", + "ZITADEL Admin", + language.English, + 0, + "admin@zitadel.test", + false, + ) + event.AddPasswordData("$plain$x$password", false) + return event + }() +} + +// machineEvents all events from setup to create the machine user, machinekey can't be tested here, as the public key is not provided and as such the value in the event can't be expected +func machineEvents(ctx context.Context, instanceID, orgID, userID, patID string) []eventstore.Command { + agg := user.NewAggregate(userID, orgID) + instanceAgg := instance.NewAggregate(instanceID) + orgAgg := org.NewAggregate(orgID) + events := []eventstore.Command{addMachineEvent(ctx, orgID, userID)} + if patID != "" { + events = append(events, + user.NewPersonalAccessTokenAddedEvent( + ctx, + &agg.Aggregate, + patID, + time.Date(9999, time.December, 31, 23, 59, 59, 0, time.UTC), + nil, + ), + ) + } + return append(events, + org.NewMemberAddedEvent(ctx, &orgAgg.Aggregate, userID, domain.RoleOrgOwner), + instance.NewMemberAddedEvent(ctx, &instanceAgg.Aggregate, userID, domain.RoleIAMOwner), + ) +} + +func addMachineEvent(ctx context.Context, orgID, userID string) *user.MachineAddedEvent { + agg := user.NewAggregate(userID, orgID) + return user.NewMachineAddedEvent(ctx, + &agg.Aggregate, + "zitadel-admin-machine", + "ZITADEL-machine", + "Admin", + false, + domain.OIDCTokenTypeBearer, + ) +} + +func testSetup(ctx context.Context, c *Commands, validations []preparation.Validation) error { + //nolint:staticcheck + cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validations...) + if err != nil { + return err + } + + _, err = c.eventstore.Push(ctx, cmds...) + return err +} + +func TestCommandSide_setupMinimalInterfaces(t *testing.T) { + type fields struct { + eventstore func(t *testing.T) *eventstore.Eventstore + idGenerator id.Generator + } + type args struct { + ctx context.Context + instanceAgg *instance.Aggregate + orgAgg *org.Aggregate + owner string + ids ZitadelConfig + } + type res struct { + err func(error) bool + } + tests := []struct { + name string + fields fields + args args + res res + }{ + { + name: "create, ok", + fields: fields{ + eventstore: expectEventstore( + slices.Concat( + projectFilters(), + []expect{expectPush( + projectAddedEvents(context.Background(), + "INSTANCE", + "ORG", + "PROJECT", + "owner", + false, + )..., + ), + }, + )..., + ), + idGenerator: id_mock.NewIDGeneratorExpectIDs(t, projectClientIDs()...), + }, + args: args{ + ctx: contextWithInstanceSetupInfo(context.Background(), "INSTANCE", "PROJECT", "console-id", "DOMAIN"), + instanceAgg: instance.NewAggregate("INSTANCE"), + orgAgg: org.NewAggregate("ORG"), + owner: "owner", + ids: instanceSetupZitadelIDs(), + }, + res: res{ + err: nil, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &Commands{ + eventstore: tt.fields.eventstore(t), + idGenerator: tt.fields.idGenerator, + } + validations := make([]preparation.Validation, 0) + setupMinimalInterfaces(r, &validations, tt.args.instanceAgg, tt.args.orgAgg, tt.args.owner, tt.args.ids) + + err := testSetup(tt.args.ctx, r, validations) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + }) + } +} + +func TestCommandSide_setupAdmins(t *testing.T) { + type fields struct { + eventstore func(t *testing.T) *eventstore.Eventstore + idGenerator id.Generator + userPasswordHasher *crypto.Hasher + roles []authz.RoleMapping + keyAlgorithm crypto.EncryptionAlgorithm + } + type args struct { + ctx context.Context + instanceAgg *instance.Aggregate + orgAgg *org.Aggregate + machine *AddMachine + human *AddHuman + } + type res struct { + owner string + pat bool + machineKey bool + err func(error) bool + } + tests := []struct { + name string + fields fields + args args + res res + }{ + { + name: "human, ok", + fields: fields{ + eventstore: expectEventstore( + slices.Concat( + humanFilters("ORG"), + adminMemberFilters("ORG", "USER"), + []expect{ + expectPush( + humanEvents(context.Background(), + "INSTANCE", + "ORG", + "USER", + )..., + ), + }, + )..., + ), + idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "USER"), + userPasswordHasher: mockPasswordHasher("x"), + roles: []authz.RoleMapping{ + {Role: domain.RoleOrgOwner, Permissions: []string{""}}, + {Role: domain.RoleIAMOwner, Permissions: []string{""}}, + }, + }, + args: args{ + ctx: contextWithInstanceSetupInfo(context.Background(), "INSTANCE", "PROJECT", "console-id", "DOMAIN"), + instanceAgg: instance.NewAggregate("INSTANCE"), + orgAgg: org.NewAggregate("ORG"), + human: instanceSetupHumanConfig(), + }, + res: res{ + owner: "USER", + pat: false, + machineKey: false, + err: nil, + }, + }, + { + name: "machine, ok", + fields: fields{ + eventstore: expectEventstore( + slices.Concat( + machineFilters("ORG", true), + adminMemberFilters("ORG", "USER-MACHINE"), + []expect{ + expectPush( + machineEvents(context.Background(), + "INSTANCE", + "ORG", + "USER-MACHINE", + "PAT", + )..., + ), + }, + )..., + ), + idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "USER-MACHINE", "PAT"), + roles: []authz.RoleMapping{ + {Role: domain.RoleOrgOwner, Permissions: []string{""}}, + {Role: domain.RoleIAMOwner, Permissions: []string{""}}, + }, + keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), + }, + args: args{ + ctx: contextWithInstanceSetupInfo(context.Background(), "INSTANCE", "PROJECT", "console-id", "DOMAIN"), + instanceAgg: instance.NewAggregate("INSTANCE"), + orgAgg: org.NewAggregate("ORG"), + machine: instanceSetupMachineConfig(), + }, + res: res{ + owner: "USER-MACHINE", + pat: true, + machineKey: false, + err: nil, + }, + }, + { + name: "human and machine, ok", + fields: fields{ + eventstore: expectEventstore( + slices.Concat( + machineFilters("ORG", true), + adminMemberFilters("ORG", "USER-MACHINE"), + humanFilters("ORG"), + adminMemberFilters("ORG", "USER"), + []expect{ + expectPush( + slices.Concat( + machineEvents(context.Background(), + "INSTANCE", + "ORG", + "USER-MACHINE", + "PAT", + ), + humanEvents(context.Background(), + "INSTANCE", + "ORG", + "USER", + ), + )..., + ), + }, + )..., + ), + userPasswordHasher: mockPasswordHasher("x"), + idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "USER-MACHINE", "PAT", "USER"), + roles: []authz.RoleMapping{ + {Role: domain.RoleOrgOwner, Permissions: []string{""}}, + {Role: domain.RoleIAMOwner, Permissions: []string{""}}, + }, + keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), + }, + args: args{ + ctx: contextWithInstanceSetupInfo(context.Background(), "INSTANCE", "PROJECT", "console-id", "DOMAIN"), + instanceAgg: instance.NewAggregate("INSTANCE"), + orgAgg: org.NewAggregate("ORG"), + machine: instanceSetupMachineConfig(), + human: instanceSetupHumanConfig(), + }, + res: res{ + owner: "USER", + pat: true, + machineKey: false, + err: nil, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &Commands{ + eventstore: tt.fields.eventstore(t), + idGenerator: tt.fields.idGenerator, + zitadelRoles: tt.fields.roles, + userPasswordHasher: tt.fields.userPasswordHasher, + keyAlgorithm: tt.fields.keyAlgorithm, + } + validations := make([]preparation.Validation, 0) + owner, pat, mk, err := setupAdmins(r, &validations, tt.args.instanceAgg, tt.args.orgAgg, tt.args.machine, tt.args.human) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + + err = testSetup(tt.args.ctx, r, validations) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + + if tt.res.err == nil { + assert.Equal(t, owner, tt.res.owner) + if tt.res.pat { + assert.NotNil(t, pat) + } + if tt.res.machineKey { + assert.NotNil(t, mk) + } + } + }) + } +} + +func TestCommandSide_setupDefaultOrg(t *testing.T) { + type fields struct { + eventstore func(t *testing.T) *eventstore.Eventstore + idGenerator id.Generator + userPasswordHasher *crypto.Hasher + roles []authz.RoleMapping + keyAlgorithm crypto.EncryptionAlgorithm + } + type args struct { + ctx context.Context + instanceAgg *instance.Aggregate + orgName string + machine *AddMachine + human *AddHuman + ids ZitadelConfig + } + type res struct { + pat bool + machineKey bool + err func(error) bool + } + tests := []struct { + name string + fields fields + args args + res res + }{ + { + name: "human and machine, ok", + fields: fields{ + eventstore: expectEventstore( + slices.Concat( + orgFilters( + "ORG", + true, + true, + ), + []expect{ + expectPush( + slices.Concat( + orgEvents(context.Background(), + "INSTANCE", + "ORG", + "ZITADEL", + "PROJECT", + "DOMAIN", + false, + true, + true, + ), + )..., + ), + }, + )..., + ), + userPasswordHasher: mockPasswordHasher("x"), + idGenerator: id_mock.NewIDGeneratorExpectIDs(t, orgIDs()...), + roles: []authz.RoleMapping{ + {Role: domain.RoleOrgOwner, Permissions: []string{""}}, + {Role: domain.RoleIAMOwner, Permissions: []string{""}}, + }, + keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), + }, + args: args{ + ctx: contextWithInstanceSetupInfo(context.Background(), "INSTANCE", "PROJECT", "console-id", "DOMAIN"), + instanceAgg: instance.NewAggregate("INSTANCE"), + orgName: "ZITADEL", + machine: &AddMachine{ + Machine: &Machine{ + Username: "zitadel-admin-machine", + Name: "ZITADEL-machine", + Description: "Admin", + AccessTokenType: domain.OIDCTokenTypeBearer, + }, + Pat: &AddPat{ + ExpirationDate: time.Time{}, + Scopes: nil, + }, + /* not predictable with the key value in the events + MachineKey: &AddMachineKey{ + Type: domain.AuthNKeyTypeJSON, + ExpirationDate: time.Time{}, + }, + */ + }, + human: &AddHuman{ + Username: "zitadel-admin", + FirstName: "ZITADEL", + LastName: "Admin", + Email: Email{ + Address: domain.EmailAddress("admin@zitadel.test"), + Verified: true, + }, + PreferredLanguage: language.English, + Password: "password", + PasswordChangeRequired: false, + }, + ids: ZitadelConfig{ + instanceID: "INSTANCE", + orgID: "ORG", + projectID: "PROJECT", + consoleAppID: "console-id", + authAppID: "auth-id", + mgmtAppID: "mgmt-id", + adminAppID: "admin-id", + }, + }, + res: res{ + pat: true, + machineKey: false, + err: nil, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &Commands{ + eventstore: tt.fields.eventstore(t), + idGenerator: tt.fields.idGenerator, + zitadelRoles: tt.fields.roles, + userPasswordHasher: tt.fields.userPasswordHasher, + keyAlgorithm: tt.fields.keyAlgorithm, + } + validations := make([]preparation.Validation, 0) + pat, mk, err := setupDefaultOrg(tt.args.ctx, r, &validations, tt.args.instanceAgg, tt.args.orgName, tt.args.machine, tt.args.human, tt.args.ids) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + + err = testSetup(context.Background(), r, validations) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + + if tt.res.err == nil { + if tt.res.pat { + assert.NotNil(t, pat) + } + if tt.res.machineKey { + assert.NotNil(t, mk) + } + } + }) + } +} + +func TestCommandSide_setupInstanceElements(t *testing.T) { + type fields struct { + eventstore func(t *testing.T) *eventstore.Eventstore + } + type args struct { + ctx context.Context + instanceAgg *instance.Aggregate + setup *InstanceSetup + } + type res struct { + err func(error) bool + } + tests := []struct { + name string + fields fields + args args + res res + }{ + { + name: "ok", + fields: fields{ + eventstore: expectEventstore( + slices.Concat( + setupInstanceElementsFilters("INSTANCE"), + []expect{ + expectPush( + setupInstanceElementsEvents(context.Background(), + "INSTANCE", + "ZITADEL", + language.English, + )..., + ), + }, + )..., + ), + }, + args: args{ + ctx: contextWithInstanceSetupInfo(context.Background(), "INSTANCE", "PROJECT", "console-id", "DOMAIN"), + instanceAgg: instance.NewAggregate("INSTANCE"), + setup: setupInstanceElementsConfig(), + }, + res: res{ + err: nil, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &Commands{ + eventstore: tt.fields.eventstore(t), + } + validations := setupInstanceElements(tt.args.instanceAgg, tt.args.setup) + + err := testSetup(context.Background(), r, validations) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + }) + } +} + +func TestCommandSide_setUpInstance(t *testing.T) { + type fields struct { + eventstore func(t *testing.T) *eventstore.Eventstore + idGenerator id.Generator + userPasswordHasher *crypto.Hasher + roles []authz.RoleMapping + keyAlgorithm crypto.EncryptionAlgorithm + generateDomain func(string, string) (string, error) + } + type args struct { + ctx context.Context + setup *InstanceSetup + } + type res struct { + pat bool + machineKey bool + err func(error) bool + } + tests := []struct { + name string + fields fields + args args + res res + }{ + { + name: "ok", + fields: fields{ + eventstore: expectEventstore( + slices.Concat( + setupInstanceFilters("INSTANCE", "ORG", "PROJECT", "console-id", "DOMAIN"), + []expect{ + expectPush( + setupInstanceEvents(context.Background(), + "INSTANCE", + "ORG", + "PROJECT", + "console-id", + "ZITADEL", + "ZITADEL", + language.English, + "DOMAIN", + false, + )..., + ), + }, + )..., + ), + userPasswordHasher: mockPasswordHasher("x"), + idGenerator: id_mock.NewIDGeneratorExpectIDs(t, orgIDs()...), + roles: []authz.RoleMapping{ + {Role: domain.RoleOrgOwner, Permissions: []string{""}}, + {Role: domain.RoleIAMOwner, Permissions: []string{""}}, + }, + keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), + generateDomain: func(string, string) (string, error) { + return "DOMAIN", nil + }, + }, + args: args{ + ctx: contextWithInstanceSetupInfo(context.Background(), "INSTANCE", "PROJECT", "console-id", "DOMAIN"), + setup: setupInstanceConfig(), + }, + res: res{ + err: nil, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &Commands{ + eventstore: tt.fields.eventstore(t), + idGenerator: tt.fields.idGenerator, + zitadelRoles: tt.fields.roles, + userPasswordHasher: tt.fields.userPasswordHasher, + keyAlgorithm: tt.fields.keyAlgorithm, + GenerateDomain: tt.fields.generateDomain, + } + + validations, pat, mk, err := setUpInstance(tt.args.ctx, r, tt.args.setup) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + + err = testSetup(tt.args.ctx, r, validations) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + + if tt.res.err == nil { + if tt.res.pat { + assert.NotNil(t, pat) + } + if tt.res.machineKey { + assert.NotNil(t, mk) + } + } + }) + } +} + func TestCommandSide_UpdateInstance(t *testing.T) { type fields struct { eventstore *eventstore.Eventstore diff --git a/internal/command/oidc_session.go b/internal/command/oidc_session.go index 7d04205aa4..fc384d0d30 100644 --- a/internal/command/oidc_session.go +++ b/internal/command/oidc_session.go @@ -8,7 +8,9 @@ import ( "time" "github.com/zitadel/logging" + "golang.org/x/text/language" + "github.com/zitadel/zitadel/internal/activity" "github.com/zitadel/zitadel/internal/api/authz" "github.com/zitadel/zitadel/internal/crypto" "github.com/zitadel/zitadel/internal/domain" @@ -17,6 +19,7 @@ import ( "github.com/zitadel/zitadel/internal/repository/authrequest" "github.com/zitadel/zitadel/internal/repository/oidcsession" "github.com/zitadel/zitadel/internal/repository/user" + "github.com/zitadel/zitadel/internal/telemetry/tracing" "github.com/zitadel/zitadel/internal/zerrors" ) @@ -28,60 +31,175 @@ const ( oidcTokenFormat = "%s" + oidcTokenSubjectDelimiter + "%s" ) -// AddOIDCSessionAccessToken creates a new OIDC Session, creates an access token and returns its id and expiration. -// If the underlying [AuthRequest] is a OIDC Auth Code Flow, it will set the code as exchanged. -func (c *Commands) AddOIDCSessionAccessToken(ctx context.Context, authRequestID string) (string, time.Time, error) { - cmd, err := c.newOIDCSessionAddEvents(ctx, authRequestID) - if err != nil { - return "", time.Time{}, err - } - cmd.AddSession(ctx) - if err = cmd.AddAccessToken(ctx, cmd.authRequestWriteModel.Scope, domain.TokenReasonAuthRequest, nil); err != nil { - return "", time.Time{}, err - } - cmd.SetAuthRequestSuccessful(ctx) - accessTokenID, _, accessTokenExpiration, err := cmd.PushEvents(ctx) - return accessTokenID, accessTokenExpiration, err +type OIDCSession struct { + SessionID string + TokenID string + ClientID string + UserID string + Audience []string + Expiration time.Time + Scope []string + AuthMethods []domain.UserAuthMethodType + AuthTime time.Time + Nonce string + PreferredLanguage *language.Tag + UserAgent *domain.UserAgent + Reason domain.TokenReason + Actor *domain.TokenActor + RefreshToken string } -// AddOIDCSessionRefreshAndAccessToken creates a new OIDC Session, creates an access token and refresh token. +type AuthRequestComplianceChecker func(context.Context, *AuthRequestWriteModel) error + +// CreateOIDCSessionFromAuthRequest creates a new OIDC Session, creates an access token and refresh token. // It returns the access token id, expiration and the refresh token. // If the underlying [AuthRequest] is a OIDC Auth Code Flow, it will set the code as exchanged. -func (c *Commands) AddOIDCSessionRefreshAndAccessToken(ctx context.Context, authRequestID string) (tokenID, refreshToken string, tokenExpiration time.Time, err error) { - cmd, err := c.newOIDCSessionAddEvents(ctx, authRequestID) +func (c *Commands) CreateOIDCSessionFromAuthRequest(ctx context.Context, authReqId string, complianceCheck AuthRequestComplianceChecker, needRefreshToken bool) (session *OIDCSession, state string, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + if authReqId == "" { + return nil, "", zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sf3g2", "Errors.AuthRequest.InvalidCode") + } + + authReqModel, err := c.getAuthRequestWriteModel(ctx, authReqId) if err != nil { - return "", "", time.Time{}, err + return nil, "", err } - cmd.AddSession(ctx) - if err = cmd.AddAccessToken(ctx, cmd.authRequestWriteModel.Scope, domain.TokenReasonAuthRequest, nil); err != nil { - return "", "", time.Time{}, err + + if authReqModel.ResponseType == domain.OIDCResponseTypeCode && authReqModel.AuthRequestState != domain.AuthRequestStateCodeAdded { + return nil, "", zerrors.ThrowPreconditionFailed(nil, "COMMAND-Iung5", "Errors.AuthRequest.NoCode") } - if err = cmd.AddRefreshToken(ctx); err != nil { - return "", "", time.Time{}, err + + sessionModel := NewSessionWriteModel(authReqModel.SessionID, authz.GetInstance(ctx).InstanceID()) + err = c.eventstore.FilterToQueryReducer(ctx, sessionModel) + if err != nil { + return nil, "", err + } + if err = sessionModel.CheckIsActive(); err != nil { + return nil, "", err + } + + cmd, err := c.newOIDCSessionAddEvents(ctx, sessionModel.UserResourceOwner) + if err != nil { + return nil, "", err + } + if authReqModel.ResponseType == domain.OIDCResponseTypeCode { + if err = cmd.SetAuthRequestCodeExchanged(ctx, authReqModel); err != nil { + return nil, "", err + } + } + if err = complianceCheck(ctx, authReqModel); err != nil { + return nil, "", err + } + + cmd.AddSession(ctx, + sessionModel.UserID, + sessionModel.UserResourceOwner, + sessionModel.AggregateID, + authReqModel.ClientID, + authReqModel.Audience, + authReqModel.Scope, + authReqModel.AuthMethods, + authReqModel.AuthTime, + authReqModel.Nonce, + sessionModel.PreferredLanguage, + sessionModel.UserAgent, + ) + + if authReqModel.ResponseType != domain.OIDCResponseTypeIDToken { + if err = cmd.AddAccessToken(ctx, authReqModel.Scope, sessionModel.UserID, sessionModel.UserResourceOwner, domain.TokenReasonAuthRequest, nil); err != nil { + return nil, "", err + } + } + if authReqModel.NeedRefreshToken && needRefreshToken { + if err = cmd.AddRefreshToken(ctx, sessionModel.UserID); err != nil { + return nil, "", err + } + } + cmd.SetAuthRequestSuccessful(ctx, authReqModel.aggregate) + session, err = cmd.PushEvents(ctx) + return session, authReqModel.State, err +} + +func (c *Commands) CreateOIDCSession(ctx context.Context, + userID, + resourceOwner, + clientID string, + scope, + audience []string, + authMethods []domain.UserAuthMethodType, + authTime time.Time, + nonce string, + preferredLanguage *language.Tag, + userAgent *domain.UserAgent, + reason domain.TokenReason, + actor *domain.TokenActor, + needRefreshToken bool, +) (session *OIDCSession, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + cmd, err := c.newOIDCSessionAddEvents(ctx, resourceOwner) + if err != nil { + return nil, err + } + if reason == domain.TokenReasonImpersonation { + if err := c.checkPermission(ctx, "impersonation", resourceOwner, userID); err != nil { + return nil, err + } + cmd.UserImpersonated(ctx, userID, resourceOwner, clientID, actor) + } + + cmd.AddSession(ctx, userID, resourceOwner, "", clientID, audience, scope, authMethods, authTime, nonce, preferredLanguage, userAgent) + if err = cmd.AddAccessToken(ctx, scope, userID, resourceOwner, reason, actor); err != nil { + return nil, err + } + if needRefreshToken { + if err = cmd.AddRefreshToken(ctx, userID); err != nil { + return nil, err + } } - cmd.SetAuthRequestSuccessful(ctx) return cmd.PushEvents(ctx) } +type RefreshTokenComplianceChecker func(ctx context.Context, wm *OIDCSessionWriteModel, requestedScope []string) (scope []string, err error) + // ExchangeOIDCSessionRefreshAndAccessToken updates an existing OIDC Session, creates a new access and refresh token. // It returns the access token id and expiration and the new refresh token. -func (c *Commands) ExchangeOIDCSessionRefreshAndAccessToken(ctx context.Context, oidcSessionID, refreshToken string, scope []string) (tokenID, newRefreshToken string, tokenExpiration time.Time, err error) { - cmd, err := c.newOIDCSessionUpdateEvents(ctx, oidcSessionID, refreshToken) +func (c *Commands) ExchangeOIDCSessionRefreshAndAccessToken(ctx context.Context, refreshToken string, scope []string, complianceCheck RefreshTokenComplianceChecker) (_ *OIDCSession, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + cmd, err := c.newOIDCSessionUpdateEvents(ctx, refreshToken) if err != nil { - return "", "", time.Time{}, err + return nil, err } - if err = cmd.AddAccessToken(ctx, scope, domain.TokenReasonRefresh, nil); err != nil { - return "", "", time.Time{}, err + scope, err = complianceCheck(ctx, cmd.oidcSessionWriteModel, scope) + if err != nil { + return nil, err + } + err = cmd.AddAccessToken(ctx, scope, + cmd.oidcSessionWriteModel.UserID, + cmd.oidcSessionWriteModel.UserResourceOwner, + domain.TokenReasonRefresh, + cmd.oidcSessionWriteModel.AccessTokenActor, + ) + if err != nil { + return nil, err } if err = cmd.RenewRefreshToken(ctx); err != nil { - return "", "", time.Time{}, err + return nil, err } return cmd.PushEvents(ctx) } // OIDCSessionByRefreshToken computes the current state of an existing OIDCSession by a refresh_token (to start a Refresh Token Grant). // If either the session is not active, the token is invalid or expired (incl. idle expiration) an invalid refresh token error will be returned. -func (c *Commands) OIDCSessionByRefreshToken(ctx context.Context, refreshToken string) (*OIDCSessionWriteModel, error) { +func (c *Commands) OIDCSessionByRefreshToken(ctx context.Context, refreshToken string) (_ *OIDCSessionWriteModel, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + oidcSessionID, refreshTokenID, err := parseRefreshToken(refreshToken) if err != nil { return nil, err @@ -146,26 +264,7 @@ func (c *Commands) RevokeOIDCSessionToken(ctx context.Context, token, clientID s return c.pushAppendAndReduce(ctx, writeModel, oidcsession.NewAccessTokenRevokedEvent(ctx, writeModel.aggregate)) } -func (c *Commands) newOIDCSessionAddEvents(ctx context.Context, authRequestID string) (*OIDCSessionEvents, error) { - authRequestWriteModel, err := c.getAuthRequestWriteModel(ctx, authRequestID) - if err != nil { - return nil, err - } - if err = authRequestWriteModel.CheckAuthenticated(); err != nil { - return nil, err - } - sessionWriteModel := NewSessionWriteModel(authRequestWriteModel.SessionID, authz.GetInstance(ctx).InstanceID()) - err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel) - if err != nil { - return nil, err - } - if err = sessionWriteModel.CheckIsActive(); err != nil { - return nil, err - } - resourceOwner, err := c.getResourceOwnerOfSessionUser(ctx, sessionWriteModel.UserID, sessionWriteModel.InstanceID) - if err != nil { - return nil, err - } +func (c *Commands) newOIDCSessionAddEvents(ctx context.Context, resourceOwner string, pending ...eventstore.Command) (*OIDCSessionEvents, error) { accessTokenLifetime, refreshTokenLifeTime, refreshTokenIdleLifetime, err := c.tokenTokenLifetimes(ctx) if err != nil { return nil, err @@ -179,42 +278,24 @@ func (c *Commands) newOIDCSessionAddEvents(ctx context.Context, authRequestID st eventstore: c.eventstore, idGenerator: c.idGenerator, encryptionAlg: c.keyAlgorithm, + events: pending, oidcSessionWriteModel: NewOIDCSessionWriteModel(sessionID, resourceOwner), - sessionWriteModel: sessionWriteModel, - authRequestWriteModel: authRequestWriteModel, accessTokenLifetime: accessTokenLifetime, refreshTokenLifeTime: refreshTokenLifeTime, refreshTokenIdleLifetime: refreshTokenIdleLifetime, }, nil } -func (c *Commands) getResourceOwnerOfSessionUser(ctx context.Context, userID, instanceID string) (string, error) { - events, err := c.eventstore.Filter(ctx, eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent). - InstanceID(instanceID). - AllowTimeTravel(). - OrderAsc(). - Limit(1). - AddQuery(). - AggregateTypes(user.AggregateType). - AggregateIDs(userID). - Builder()) - if err != nil || len(events) != 1 { - return "", zerrors.ThrowInternal(err, "OIDCS-sferh", "Errors.Internal") - } - return events[0].Aggregate().ResourceOwner, nil -} - -func (c *Commands) decryptRefreshToken(refreshToken string) (refreshTokenID string, err error) { +func (c *Commands) decryptRefreshToken(refreshToken string) (sessionID, refreshTokenID string, err error) { decoded, err := base64.RawURLEncoding.DecodeString(refreshToken) if err != nil { - return "", zerrors.ThrowInvalidArgument(err, "OIDCS-Cux9a", "Errors.User.RefreshToken.Invalid") + return "", "", zerrors.ThrowInvalidArgument(err, "OIDCS-Cux9a", "Errors.User.RefreshToken.Invalid") } decrypted, err := c.keyAlgorithm.DecryptString(decoded, c.keyAlgorithm.EncryptionKeyID()) if err != nil { - return "", err + return "", "", err } - _, refreshTokenID, err = parseRefreshToken(decrypted) - return refreshTokenID, err + return parseRefreshToken(decrypted) } func parseRefreshToken(refreshToken string) (oidcSessionID, refreshTokenID string, err error) { @@ -227,8 +308,8 @@ func parseRefreshToken(refreshToken string) (oidcSessionID, refreshTokenID strin return split[0], strings.Split(split[1], oidcTokenSubjectDelimiter)[0], nil } -func (c *Commands) newOIDCSessionUpdateEvents(ctx context.Context, oidcSessionID, refreshToken string) (*OIDCSessionEvents, error) { - refreshTokenID, err := c.decryptRefreshToken(refreshToken) +func (c *Commands) newOIDCSessionUpdateEvents(ctx context.Context, refreshToken string) (*OIDCSessionEvents, error) { + oidcSessionID, refreshTokenID, err := c.decryptRefreshToken(refreshToken) if err != nil { return nil, err } @@ -255,13 +336,12 @@ func (c *Commands) newOIDCSessionUpdateEvents(ctx context.Context, oidcSessionID } type OIDCSessionEvents struct { - eventstore *eventstore.Eventstore - idGenerator id.Generator - encryptionAlg crypto.EncryptionAlgorithm - events []eventstore.Command - oidcSessionWriteModel *OIDCSessionWriteModel - sessionWriteModel *SessionWriteModel - authRequestWriteModel *AuthRequestWriteModel + eventstore *eventstore.Eventstore + idGenerator id.Generator + encryptionAlg crypto.EncryptionAlgorithm + events []eventstore.Command + oidcSessionWriteModel *OIDCSessionWriteModel + accessTokenLifetime time.Duration refreshTokenLifeTime time.Duration refreshTokenIdleLifetime time.Duration @@ -270,44 +350,75 @@ type OIDCSessionEvents struct { accessTokenID string // refreshToken is set by the command - refreshToken string + refreshTokenID string + refreshToken string } -func (c *OIDCSessionEvents) AddSession(ctx context.Context) { +func (c *OIDCSessionEvents) AddSession( + ctx context.Context, + userID, + userResourceOwner, + sessionID, + clientID string, + audience, + scope []string, + authMethods []domain.UserAuthMethodType, + authTime time.Time, + nonce string, + preferredLanguage *language.Tag, + userAgent *domain.UserAgent, +) { c.events = append(c.events, oidcsession.NewAddedEvent( ctx, c.oidcSessionWriteModel.aggregate, - c.sessionWriteModel.UserID, - c.sessionWriteModel.AggregateID, - c.authRequestWriteModel.ClientID, - c.authRequestWriteModel.Audience, - c.authRequestWriteModel.Scope, - c.sessionWriteModel.AuthMethodTypes(), - c.sessionWriteModel.AuthenticationTime(), + userID, + userResourceOwner, + sessionID, + clientID, + audience, + scope, + authMethods, + authTime, + nonce, + preferredLanguage, + userAgent, )) } -func (c *OIDCSessionEvents) SetAuthRequestSuccessful(ctx context.Context) { - c.events = append(c.events, authrequest.NewSucceededEvent(ctx, c.authRequestWriteModel.aggregate)) +func (c *OIDCSessionEvents) SetAuthRequestCodeExchanged(ctx context.Context, model *AuthRequestWriteModel) error { + event := authrequest.NewCodeExchangedEvent(ctx, model.aggregate) + model.AppendEvents(event) + c.events = append(c.events, event) + return model.Reduce() } -func (c *OIDCSessionEvents) AddAccessToken(ctx context.Context, scope []string, reason domain.TokenReason, actor *domain.TokenActor) error { +func (c *OIDCSessionEvents) SetAuthRequestSuccessful(ctx context.Context, authRequestAggregate *eventstore.Aggregate) { + c.events = append(c.events, authrequest.NewSucceededEvent(ctx, authRequestAggregate)) +} + +func (c *OIDCSessionEvents) SetAuthRequestFailed(ctx context.Context, authRequestAggregate *eventstore.Aggregate, err error) { + c.events = append(c.events, authrequest.NewFailedEvent(ctx, authRequestAggregate, domain.OIDCErrorReasonFromError(err))) +} + +func (c *OIDCSessionEvents) AddAccessToken(ctx context.Context, scope []string, userID, resourceOwner string, reason domain.TokenReason, actor *domain.TokenActor) error { accessTokenID, err := c.idGenerator.Next() if err != nil { return err } c.accessTokenID = AccessTokenPrefix + accessTokenID - c.events = append(c.events, oidcsession.NewAccessTokenAddedEvent(ctx, c.oidcSessionWriteModel.aggregate, c.accessTokenID, scope, c.accessTokenLifetime, reason, actor)) + c.events = append(c.events, + oidcsession.NewAccessTokenAddedEvent(ctx, c.oidcSessionWriteModel.aggregate, c.accessTokenID, scope, c.accessTokenLifetime, reason, actor), + user.NewUserTokenV2AddedEvent(ctx, &user.NewAggregate(userID, resourceOwner).Aggregate, c.accessTokenID), // for user audit log + ) return nil } -func (c *OIDCSessionEvents) AddRefreshToken(ctx context.Context) (err error) { - var refreshTokenID string - refreshTokenID, c.refreshToken, err = c.generateRefreshToken(c.sessionWriteModel.UserID) +func (c *OIDCSessionEvents) AddRefreshToken(ctx context.Context, userID string) (err error) { + c.refreshTokenID, c.refreshToken, err = c.generateRefreshToken(userID) if err != nil { return err } - c.events = append(c.events, oidcsession.NewRefreshTokenAddedEvent(ctx, c.oidcSessionWriteModel.aggregate, refreshTokenID, c.refreshTokenLifeTime, c.refreshTokenIdleLifetime)) + c.events = append(c.events, oidcsession.NewRefreshTokenAddedEvent(ctx, c.oidcSessionWriteModel.aggregate, c.refreshTokenID, c.refreshTokenLifeTime, c.refreshTokenIdleLifetime)) return nil } @@ -321,6 +432,10 @@ func (c *OIDCSessionEvents) RenewRefreshToken(ctx context.Context) (err error) { return nil } +func (c *OIDCSessionEvents) UserImpersonated(ctx context.Context, userID, resourceOwner, clientID string, actor *domain.TokenActor) { + c.events = append(c.events, user.NewUserImpersonatedEvent(ctx, &user.NewAggregate(userID, resourceOwner).Aggregate, clientID, actor)) +} + func (c *OIDCSessionEvents) generateRefreshToken(userID string) (refreshTokenID, refreshToken string, err error) { refreshTokenID, err = c.idGenerator.Next() if err != nil { @@ -334,18 +449,38 @@ func (c *OIDCSessionEvents) generateRefreshToken(userID string) (refreshTokenID, return refreshTokenID, base64.RawURLEncoding.EncodeToString(token), nil } -func (c *OIDCSessionEvents) PushEvents(ctx context.Context) (accessTokenID string, refreshToken string, accessTokenExpiration time.Time, err error) { +func (c *OIDCSessionEvents) PushEvents(ctx context.Context) (*OIDCSession, error) { pushedEvents, err := c.eventstore.Push(ctx, c.events...) if err != nil { - return "", "", time.Time{}, err + return nil, err } err = AppendAndReduce(c.oidcSessionWriteModel, pushedEvents...) if err != nil { - return "", "", time.Time{}, err + return nil, err } - // prefix the returned id with the oidcSessionID so that we can retrieve it later on - // we need to use `-` as a delimiter because the OIDC library uses `:` and will check for a length of 2 parts - return c.oidcSessionWriteModel.AggregateID + TokenDelimiter + c.accessTokenID, c.refreshToken, c.oidcSessionWriteModel.AccessTokenExpiration, nil + session := &OIDCSession{ + SessionID: c.oidcSessionWriteModel.SessionID, + ClientID: c.oidcSessionWriteModel.ClientID, + UserID: c.oidcSessionWriteModel.UserID, + Audience: c.oidcSessionWriteModel.Audience, + Expiration: c.oidcSessionWriteModel.AccessTokenExpiration, + Scope: c.oidcSessionWriteModel.Scope, + AuthMethods: c.oidcSessionWriteModel.AuthMethods, + AuthTime: c.oidcSessionWriteModel.AuthTime, + Nonce: c.oidcSessionWriteModel.Nonce, + PreferredLanguage: c.oidcSessionWriteModel.PreferredLanguage, + UserAgent: c.oidcSessionWriteModel.UserAgent, + Reason: c.oidcSessionWriteModel.AccessTokenReason, + Actor: c.oidcSessionWriteModel.AccessTokenActor, + RefreshToken: c.refreshToken, + } + if c.accessTokenID != "" { + // prefix the returned id with the oidcSessionID so that we can retrieve it later on + // we need to use `-` as a delimiter because the OIDC library uses `:` and will check for a length of 2 parts + session.TokenID = c.oidcSessionWriteModel.AggregateID + TokenDelimiter + c.accessTokenID + } + activity.Trigger(ctx, c.oidcSessionWriteModel.UserResourceOwner, c.oidcSessionWriteModel.UserID, tokenReasonToActivityMethodType(c.oidcSessionWriteModel.AccessTokenReason), c.eventstore.FilterToQueryReducer) + return session, nil } func (c *Commands) tokenTokenLifetimes(ctx context.Context) (accessTokenLifetime time.Duration, refreshTokenLifetime time.Duration, refreshTokenIdleLifetime time.Duration, err error) { @@ -368,3 +503,14 @@ func (c *Commands) tokenTokenLifetimes(ctx context.Context) (accessTokenLifetime } return accessTokenLifetime, refreshTokenLifetime, refreshTokenIdleLifetime, nil } + +func tokenReasonToActivityMethodType(r domain.TokenReason) activity.TriggerMethod { + if r == domain.TokenReasonUnspecified { + return activity.Unspecified + } + if r == domain.TokenReasonRefresh { + return activity.OIDCRefreshToken + } + // all other reasons result in an access token + return activity.OIDCAccessToken +} diff --git a/internal/command/oidc_session_model.go b/internal/command/oidc_session_model.go index a561fc4165..9468f95c48 100644 --- a/internal/command/oidc_session_model.go +++ b/internal/command/oidc_session_model.go @@ -3,6 +3,8 @@ package command import ( "time" + "golang.org/x/text/language" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/repository/oidcsession" @@ -13,12 +15,16 @@ type OIDCSessionWriteModel struct { eventstore.WriteModel UserID string + UserResourceOwner string + PreferredLanguage *language.Tag SessionID string ClientID string Audience []string Scope []string AuthMethods []domain.UserAuthMethodType AuthTime time.Time + Nonce string + UserAgent *domain.UserAgent State domain.OIDCSessionState AccessTokenID string AccessTokenCreation time.Time @@ -85,12 +91,16 @@ func (wm *OIDCSessionWriteModel) Query() *eventstore.SearchQueryBuilder { func (wm *OIDCSessionWriteModel) reduceAdded(e *oidcsession.AddedEvent) { wm.UserID = e.UserID + wm.UserResourceOwner = e.UserResourceOwner wm.SessionID = e.SessionID wm.ClientID = e.ClientID wm.Audience = e.Audience wm.Scope = e.Scope wm.AuthMethods = e.AuthMethods wm.AuthTime = e.AuthTime + wm.Nonce = e.Nonce + wm.PreferredLanguage = e.PreferredLanguage + wm.UserAgent = e.UserAgent wm.State = domain.OIDCSessionStateActive // the write model might be initialized without resource owner, // so update the aggregate diff --git a/internal/command/oidc_session_test.go b/internal/command/oidc_session_test.go index 6dcd96c623..bbaff1df6b 100644 --- a/internal/command/oidc_session_test.go +++ b/internal/command/oidc_session_test.go @@ -2,6 +2,7 @@ package command import ( "context" + "io" "net" "net/http" "testing" @@ -27,213 +28,18 @@ import ( ) var ( - testNow = time.Now() - tokenCreationNow = time.Time{} + testNow = time.Now() ) -func TestCommands_AddOIDCSessionAccessToken(t *testing.T) { - type fields struct { - eventstore *eventstore.Eventstore - idGenerator id.Generator - defaultAccessTokenLifetime time.Duration - defaultRefreshTokenLifetime time.Duration - defaultRefreshTokenIdleLifetime time.Duration - keyAlgorithm crypto.EncryptionAlgorithm - } - type args struct { - ctx context.Context - authRequestID string - } - type res struct { - id string - expiration time.Time - err error - } - tests := []struct { - name string - fields fields - args args - res res - }{ - { - "unauthenticated error", - fields{ - eventstore: eventstoreExpect(t, - expectFilter(), - ), - }, - args{ - ctx: authz.WithInstanceID(context.Background(), "instanceID"), - authRequestID: "V2_authRequestID", - }, - res{ - err: zerrors.ThrowPreconditionFailed(nil, "AUTHR-SF2r2", "Errors.AuthRequest.NotAuthenticated"), - }, - }, - { - "inactive session error", - fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusher( - authrequest.NewAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, - "loginClient", - "clientID", - "redirectURI", - "state", - "nonce", - []string{"openid"}, - []string{"audience"}, - domain.OIDCResponseTypeCode, - &domain.OIDCCodeChallenge{ - Challenge: "challenge", - Method: domain.CodeChallengeMethodS256, - }, - []domain.Prompt{domain.PromptNone}, - []string{"en", "de"}, - gu.Ptr(time.Duration(0)), - gu.Ptr("loginHint"), - gu.Ptr("hintUserID"), - ), - ), - eventFromEventPusher( - authrequest.NewSessionLinkedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, - "sessionID", - "userID", - testNow, - []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, - ), - ), - eventFromEventPusher( - authrequest.NewCodeAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), - ), - eventFromEventPusher( - authrequest.NewCodeExchangedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), - ), - ), - expectFilter(), // inactive session - ), - }, - args{ - ctx: authz.WithInstanceID(context.Background(), "instanceID"), - authRequestID: "V2_authRequestID", - }, - res{ - err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Flk38", "Errors.Session.NotExisting"), - }, - }, - { - "add successful", - fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusher( - authrequest.NewAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, - "loginClient", - "clientID", - "redirectURI", - "state", - "nonce", - []string{"openid"}, - []string{"audience"}, - domain.OIDCResponseTypeCode, - &domain.OIDCCodeChallenge{ - Challenge: "challenge", - Method: domain.CodeChallengeMethodS256, - }, - []domain.Prompt{domain.PromptNone}, - []string{"en", "de"}, - gu.Ptr(time.Duration(0)), - gu.Ptr("loginHint"), - gu.Ptr("hintUserID"), - ), - ), - eventFromEventPusher( - authrequest.NewSessionLinkedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, - "sessionID", - "userID", - testNow, - []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, - ), - ), - eventFromEventPusher( - authrequest.NewCodeAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), - ), - eventFromEventPusher( - authrequest.NewCodeExchangedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), - ), - ), - expectFilter( - eventFromEventPusher( - session.NewAddedEvent(context.Background(), - &session.NewAggregate("sessionID", "instance1").Aggregate, - &domain.UserAgent{ - FingerprintID: gu.Ptr("fp1"), - IP: net.ParseIP("1.2.3.4"), - Description: gu.Ptr("firefox"), - Header: http.Header{"foo": []string{"bar"}}, - }, - ), - ), - eventFromEventPusher( - session.NewUserCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate, - "userID", "org1", testNow), - ), - eventFromEventPusher( - session.NewPasswordCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate, - testNow), - ), - ), - expectFilter( - eventFromEventPusher( - user.NewHumanAddedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate, - "username", "firstName", "lastName", "", "", language.English, domain.GenderUnspecified, "", false, - ), - ), - ), - expectFilter(), // token lifetime - expectPush( - oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "clientID", []string{"audience"}, []string{"openid"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), - oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "at_accessTokenID", []string{"openid"}, time.Hour, domain.TokenReasonAuthRequest, nil), - authrequest.NewSucceededEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), - ), - ), - idGenerator: mock.NewIDGeneratorExpectIDs(t, "oidcSessionID", "accessTokenID"), - defaultAccessTokenLifetime: time.Hour, - }, - args{ - ctx: authz.WithInstanceID(context.Background(), "instanceID"), - authRequestID: "V2_authRequestID", - }, - res{ - id: "V2_oidcSessionID-at_accessTokenID", - expiration: tokenCreationNow.Add(time.Hour), - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - c := &Commands{ - eventstore: tt.fields.eventstore, - idGenerator: tt.fields.idGenerator, - defaultAccessTokenLifetime: tt.fields.defaultAccessTokenLifetime, - defaultRefreshTokenLifetime: tt.fields.defaultRefreshTokenLifetime, - defaultRefreshTokenIdleLifetime: tt.fields.defaultRefreshTokenIdleLifetime, - keyAlgorithm: tt.fields.keyAlgorithm, - } - gotID, gotExpiration, err := c.AddOIDCSessionAccessToken(tt.args.ctx, tt.args.authRequestID) - assert.Equal(t, tt.res.id, gotID) - assert.Equal(t, tt.res.expiration, gotExpiration) - assert.ErrorIs(t, err, tt.res.err) - }) +func mockAuthRequestComplianceChecker(returnErr error) AuthRequestComplianceChecker { + return func(context.Context, *AuthRequestWriteModel) error { + return returnErr } } -func TestCommands_AddOIDCSessionRefreshAndAccessToken(t *testing.T) { +func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator defaultAccessTokenLifetime time.Duration defaultRefreshTokenLifetime time.Duration @@ -241,14 +47,15 @@ func TestCommands_AddOIDCSessionRefreshAndAccessToken(t *testing.T) { keyAlgorithm crypto.EncryptionAlgorithm } type args struct { - ctx context.Context - authRequestID string + ctx context.Context + authRequestID string + complianceCheck AuthRequestComplianceChecker + needRefreshToken bool } type res struct { - id string - refreshToken string - expiration time.Time - err error + session *OIDCSession + state string + err error } tests := []struct { name string @@ -257,24 +64,55 @@ func TestCommands_AddOIDCSessionRefreshAndAccessToken(t *testing.T) { res res }{ { - "unauthenticated error", + "missing code", fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore(), + }, + args{ + ctx: context.Background(), + authRequestID: "", + complianceCheck: mockAuthRequestComplianceChecker(nil), + }, + res{ + err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sf3g2", "Errors.AuthRequest.InvalidCode"), + }, + }, + { + "filter error", + fields{ + eventstore: expectEventstore( + expectFilterError(io.ErrClosedPipe), + ), + }, + args{ + ctx: context.Background(), + authRequestID: "V2_authRequestID", + complianceCheck: mockAuthRequestComplianceChecker(nil), + }, + res{ + err: io.ErrClosedPipe, + }, + }, + { + "code not found", + fields{ + eventstore: expectEventstore( expectFilter(), ), }, args{ - ctx: authz.WithInstanceID(context.Background(), "instanceID"), - authRequestID: "V2_authRequestID", + ctx: context.Background(), + authRequestID: "V2_authRequestID", + complianceCheck: mockAuthRequestComplianceChecker(nil), }, res{ - err: zerrors.ThrowPreconditionFailed(nil, "AUTHR-SF2r2", "Errors.AuthRequest.NotAuthenticated"), + err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Iung5", "Errors.AuthRequest.NoCode"), }, }, { - "inactive session error", + "session filter error", fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( authrequest.NewAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, @@ -295,8 +133,55 @@ func TestCommands_AddOIDCSessionRefreshAndAccessToken(t *testing.T) { gu.Ptr(time.Duration(0)), gu.Ptr("loginHint"), gu.Ptr("hintUserID"), + true, ), ), + eventFromEventPusher( + authrequest.NewCodeAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), + ), + ), + expectFilterError(io.ErrClosedPipe), + ), + }, + args{ + ctx: authz.WithInstanceID(context.Background(), "instanceID"), + authRequestID: "V2_authRequestID", + complianceCheck: mockAuthRequestComplianceChecker(nil), + }, + res{ + err: io.ErrClosedPipe, + }, + }, + { + "inactive session error", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + authrequest.NewAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, + "loginClient", + "clientID", + "redirectURI", + "state", + "nonce", + []string{"openid", "offline_access"}, + []string{"audience"}, + domain.OIDCResponseTypeCode, + &domain.OIDCCodeChallenge{ + Challenge: "challenge", + Method: domain.CodeChallengeMethodS256, + }, + []domain.Prompt{domain.PromptNone}, + []string{"en", "de"}, + gu.Ptr(time.Duration(0)), + gu.Ptr("loginHint"), + gu.Ptr("hintUserID"), + true, + ), + ), + eventFromEventPusher( + authrequest.NewCodeAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), + ), eventFromEventPusher( authrequest.NewSessionLinkedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, "sessionID", @@ -305,19 +190,14 @@ func TestCommands_AddOIDCSessionRefreshAndAccessToken(t *testing.T) { []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, ), ), - eventFromEventPusher( - authrequest.NewCodeAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), - ), - eventFromEventPusher( - authrequest.NewCodeExchangedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), - ), ), expectFilter(), // inactive session ), }, args{ - ctx: authz.WithInstanceID(context.Background(), "instanceID"), - authRequestID: "V2_authRequestID", + ctx: authz.WithInstanceID(context.Background(), "instanceID"), + authRequestID: "V2_authRequestID", + complianceCheck: mockAuthRequestComplianceChecker(nil), }, res{ err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Flk38", "Errors.Session.NotExisting"), @@ -326,7 +206,7 @@ func TestCommands_AddOIDCSessionRefreshAndAccessToken(t *testing.T) { { "add successful", fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( authrequest.NewAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, @@ -347,8 +227,12 @@ func TestCommands_AddOIDCSessionRefreshAndAccessToken(t *testing.T) { gu.Ptr(time.Duration(0)), gu.Ptr("loginHint"), gu.Ptr("hintUserID"), + true, ), ), + eventFromEventPusher( + authrequest.NewCodeAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), + ), eventFromEventPusher( authrequest.NewSessionLinkedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, "sessionID", @@ -357,12 +241,6 @@ func TestCommands_AddOIDCSessionRefreshAndAccessToken(t *testing.T) { []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, ), ), - eventFromEventPusher( - authrequest.NewCodeAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), - ), - eventFromEventPusher( - authrequest.NewCodeExchangedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), - ), ), expectFilter( eventFromEventPusher( @@ -378,26 +256,29 @@ func TestCommands_AddOIDCSessionRefreshAndAccessToken(t *testing.T) { ), eventFromEventPusher( session.NewUserCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate, - "userID", "org1", testNow), + "userID", "org1", testNow, &language.Afrikaans), ), eventFromEventPusher( session.NewPasswordCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate, testNow), ), ), - expectFilter( - eventFromEventPusher( - user.NewHumanAddedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate, - "username", "firstName", "lastName", "", "", language.English, domain.GenderUnspecified, "", false, - ), - ), - ), expectFilter(), // token lifetime expectPush( + authrequest.NewCodeExchangedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "clientID", []string{"audience"}, []string{"openid", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "clientID", []string{"audience"}, []string{"openid", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + ), oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, "at_accessTokenID", []string{"openid", "offline_access"}, time.Hour, domain.TokenReasonAuthRequest, nil), + user.NewUserTokenV2AddedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate, "at_accessTokenID"), oidcsession.NewRefreshTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, "rt_refreshTokenID", 7*24*time.Hour, 24*time.Hour), authrequest.NewSucceededEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), @@ -410,35 +291,574 @@ func TestCommands_AddOIDCSessionRefreshAndAccessToken(t *testing.T) { keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), }, args{ - ctx: authz.WithInstanceID(context.Background(), "instanceID"), - authRequestID: "V2_authRequestID", + ctx: authz.WithInstanceID(context.Background(), "instanceID"), + authRequestID: "V2_authRequestID", + complianceCheck: mockAuthRequestComplianceChecker(nil), + needRefreshToken: true, }, res{ - id: "V2_oidcSessionID-at_accessTokenID", - refreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID-rt_refreshTokenID:userID - expiration: tokenCreationNow.Add(time.Hour), + session: &OIDCSession{ + SessionID: "sessionID", + TokenID: "V2_oidcSessionID-at_accessTokenID", + ClientID: "clientID", + UserID: "userID", + Audience: []string{"audience"}, + Expiration: time.Time{}.Add(time.Hour), + Scope: []string{"openid", "offline_access"}, + AuthMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + AuthTime: testNow, + Nonce: "nonce", + PreferredLanguage: &language.Afrikaans, + UserAgent: &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + Reason: domain.TokenReasonAuthRequest, + RefreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID-rt_refreshTokenID:userID + }, + state: "state", + }, + }, + { + "without ID token only (implicit)", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + authrequest.NewAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, + "loginClient", + "clientID", + "redirectURI", + "state", + "nonce", + []string{"openid"}, + []string{"audience"}, + domain.OIDCResponseTypeIDToken, + &domain.OIDCCodeChallenge{ + Challenge: "challenge", + Method: domain.CodeChallengeMethodS256, + }, + []domain.Prompt{domain.PromptNone}, + []string{"en", "de"}, + gu.Ptr(time.Duration(0)), + gu.Ptr("loginHint"), + gu.Ptr("hintUserID"), + false, + ), + ), + eventFromEventPusher( + authrequest.NewSessionLinkedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate, + "sessionID", + "userID", + testNow, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + ), + ), + ), + expectFilter( + eventFromEventPusher( + session.NewAddedEvent(context.Background(), + &session.NewAggregate("sessionID", "instance1").Aggregate, + &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + ), + ), + eventFromEventPusher( + session.NewUserCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate, + "userID", "org1", testNow, &language.Afrikaans), + ), + eventFromEventPusher( + session.NewPasswordCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate, + testNow), + ), + ), + expectFilter(), // token lifetime + expectPush( + oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "userID", "org1", "sessionID", "clientID", []string{"audience"}, []string{"openid"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + ), + authrequest.NewSucceededEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate), + ), + ), + idGenerator: mock.NewIDGeneratorExpectIDs(t, "oidcSessionID"), + defaultAccessTokenLifetime: time.Hour, + defaultRefreshTokenLifetime: 7 * 24 * time.Hour, + defaultRefreshTokenIdleLifetime: 24 * time.Hour, + keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), + }, + args{ + ctx: authz.WithInstanceID(context.Background(), "instanceID"), + authRequestID: "V2_authRequestID", + complianceCheck: mockAuthRequestComplianceChecker(nil), + }, + res{ + session: &OIDCSession{ + SessionID: "sessionID", + ClientID: "clientID", + UserID: "userID", + Audience: []string{"audience"}, + Scope: []string{"openid"}, + AuthMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + AuthTime: testNow, + Nonce: "nonce", + PreferredLanguage: &language.Afrikaans, + UserAgent: &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + }, + state: "state", }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, defaultAccessTokenLifetime: tt.fields.defaultAccessTokenLifetime, defaultRefreshTokenLifetime: tt.fields.defaultRefreshTokenLifetime, defaultRefreshTokenIdleLifetime: tt.fields.defaultRefreshTokenIdleLifetime, keyAlgorithm: tt.fields.keyAlgorithm, } - gotID, gotRefreshToken, gotExpiration, err := c.AddOIDCSessionRefreshAndAccessToken(tt.args.ctx, tt.args.authRequestID) - assert.Equal(t, tt.res.id, gotID) - assert.Equal(t, tt.res.refreshToken, gotRefreshToken) - assert.Equal(t, tt.res.expiration, gotExpiration) - assert.ErrorIs(t, err, tt.res.err) + gotSession, gotState, err := c.CreateOIDCSessionFromAuthRequest(tt.args.ctx, tt.args.authRequestID, tt.args.complianceCheck, tt.args.needRefreshToken) + require.ErrorIs(t, err, tt.res.err) + + if gotSession != nil { + assert.WithinRange(t, gotSession.AuthTime, tt.res.session.AuthTime.Add(-time.Second), tt.res.session.AuthTime.Add(time.Second)) + gotSession.AuthTime = time.Time{} + tt.res.session.AuthTime = time.Time{} + } + assert.Equal(t, tt.res.session, gotSession) + assert.Equal(t, tt.res.state, gotState) }) } } +func TestCommands_CreateOIDCSession(t *testing.T) { + type fields struct { + eventstore func(*testing.T) *eventstore.Eventstore + idGenerator id.Generator + defaultAccessTokenLifetime time.Duration + defaultRefreshTokenLifetime time.Duration + defaultRefreshTokenIdleLifetime time.Duration + keyAlgorithm crypto.EncryptionAlgorithm + checkPermission domain.PermissionCheck + } + type args struct { + ctx context.Context + userID string + resourceOwner string + clientID string + audience []string + scope []string + authMethods []domain.UserAuthMethodType + authTime time.Time + nonce string + preferredLanguage *language.Tag + userAgent *domain.UserAgent + reason domain.TokenReason + actor *domain.TokenActor + needRefreshToken bool + } + tests := []struct { + name string + fields fields + args args + want *OIDCSession + wantErr error + }{ + { + name: "filter error", + fields: fields{ + eventstore: expectEventstore( + expectFilterError(io.ErrClosedPipe), + ), + }, + args: args{ + ctx: context.Background(), + userID: "userID", + resourceOwner: "orgID", + clientID: "clientID", + audience: []string{"audience"}, + scope: []string{"openid", "offline_access"}, + authMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + authTime: testNow, + nonce: "nonce", + preferredLanguage: &language.Afrikaans, + userAgent: &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + reason: domain.TokenReasonAuthRequest, + actor: &domain.TokenActor{ + UserID: "user2", + Issuer: "foo.com", + }, + needRefreshToken: false, + }, + wantErr: io.ErrClosedPipe, + }, + { + name: "without refresh token", + fields: fields{ + eventstore: expectEventstore( + expectFilter(), // token lifetime + expectPush( + oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "userID", "org1", "", "clientID", []string{"audience"}, []string{"openid", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + ), + oidcsession.NewAccessTokenAddedEvent(context.Background(), + &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "at_accessTokenID", []string{"openid", "offline_access"}, time.Hour, domain.TokenReasonAuthRequest, + &domain.TokenActor{ + UserID: "user2", + Issuer: "foo.com", + }, + ), + user.NewUserTokenV2AddedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate, "at_accessTokenID"), + ), + ), + idGenerator: mock.NewIDGeneratorExpectIDs(t, "oidcSessionID", "accessTokenID"), + defaultAccessTokenLifetime: time.Hour, + defaultRefreshTokenLifetime: 7 * 24 * time.Hour, + defaultRefreshTokenIdleLifetime: 24 * time.Hour, + keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), + }, + args: args{ + ctx: context.Background(), + userID: "userID", + resourceOwner: "org1", + clientID: "clientID", + audience: []string{"audience"}, + scope: []string{"openid", "offline_access"}, + authMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + authTime: testNow, + nonce: "nonce", + preferredLanguage: &language.Afrikaans, + userAgent: &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + reason: domain.TokenReasonAuthRequest, + actor: &domain.TokenActor{ + UserID: "user2", + Issuer: "foo.com", + }, + needRefreshToken: false, + }, + want: &OIDCSession{ + TokenID: "V2_oidcSessionID-at_accessTokenID", + ClientID: "clientID", + UserID: "userID", + Audience: []string{"audience"}, + Expiration: time.Time{}.Add(time.Hour), + Scope: []string{"openid", "offline_access"}, + AuthMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + AuthTime: testNow, + Nonce: "nonce", + PreferredLanguage: &language.Afrikaans, + UserAgent: &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + Reason: domain.TokenReasonAuthRequest, + Actor: &domain.TokenActor{ + UserID: "user2", + Issuer: "foo.com", + }, + }, + }, + { + name: "with refresh token", + fields: fields{ + eventstore: expectEventstore( + expectFilter(), // token lifetime + expectPush( + oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "userID", "org1", "", "clientID", []string{"audience"}, []string{"openid", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + ), + oidcsession.NewAccessTokenAddedEvent(context.Background(), + &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "at_accessTokenID", []string{"openid", "offline_access"}, time.Hour, domain.TokenReasonAuthRequest, + &domain.TokenActor{ + UserID: "user2", + Issuer: "foo.com", + }), + user.NewUserTokenV2AddedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate, "at_accessTokenID"), + oidcsession.NewRefreshTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "rt_refreshTokenID", 7*24*time.Hour, 24*time.Hour), + ), + ), + idGenerator: mock.NewIDGeneratorExpectIDs(t, "oidcSessionID", "accessTokenID", "refreshTokenID"), + defaultAccessTokenLifetime: time.Hour, + defaultRefreshTokenLifetime: 7 * 24 * time.Hour, + defaultRefreshTokenIdleLifetime: 24 * time.Hour, + keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), + }, + args: args{ + ctx: context.Background(), + userID: "userID", + resourceOwner: "org1", + clientID: "clientID", + audience: []string{"audience"}, + scope: []string{"openid", "offline_access"}, + authMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + authTime: testNow, + nonce: "nonce", + preferredLanguage: &language.Afrikaans, + userAgent: &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + reason: domain.TokenReasonAuthRequest, + actor: &domain.TokenActor{ + UserID: "user2", + Issuer: "foo.com", + }, + needRefreshToken: true, + }, + want: &OIDCSession{ + TokenID: "V2_oidcSessionID-at_accessTokenID", + ClientID: "clientID", + UserID: "userID", + Audience: []string{"audience"}, + Expiration: time.Time{}.Add(time.Hour), + Scope: []string{"openid", "offline_access"}, + AuthMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + AuthTime: testNow, + Nonce: "nonce", + PreferredLanguage: &language.Afrikaans, + UserAgent: &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + Reason: domain.TokenReasonAuthRequest, + Actor: &domain.TokenActor{ + UserID: "user2", + Issuer: "foo.com", + }, + RefreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID-rt_refreshTokenID:userID + }, + }, + { + name: "impersonation not allowed", + fields: fields{ + eventstore: expectEventstore( + expectFilter(), // token lifetime + ), + idGenerator: mock.NewIDGeneratorExpectIDs(t, "oidcSessionID"), + defaultAccessTokenLifetime: time.Hour, + defaultRefreshTokenLifetime: 7 * 24 * time.Hour, + defaultRefreshTokenIdleLifetime: 24 * time.Hour, + keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), + checkPermission: domain.PermissionCheck(func(_ context.Context, _, _, _ string) (err error) { + return zerrors.ThrowPermissionDenied(nil, "test", "test") + }), + }, + args: args{ + ctx: context.Background(), + userID: "userID", + resourceOwner: "org1", + clientID: "clientID", + audience: []string{"audience"}, + scope: []string{"openid", "offline_access"}, + authMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + authTime: testNow, + nonce: "nonce", + preferredLanguage: &language.Afrikaans, + userAgent: &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + reason: domain.TokenReasonImpersonation, + actor: &domain.TokenActor{ + UserID: "user2", + Issuer: "foo.com", + }, + needRefreshToken: false, + }, + wantErr: zerrors.ThrowPermissionDenied(nil, "test", "test"), + }, + { + name: "impersonation allowed", + fields: fields{ + eventstore: expectEventstore( + expectFilter(), // token lifetime + expectPush( + user.NewUserImpersonatedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate, "clientID", &domain.TokenActor{ + UserID: "user2", + Issuer: "foo.com", + }), + oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "userID", "org1", "", "clientID", []string{"audience"}, []string{"openid", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + ), + oidcsession.NewAccessTokenAddedEvent(context.Background(), + &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, + "at_accessTokenID", []string{"openid", "offline_access"}, time.Hour, domain.TokenReasonImpersonation, + &domain.TokenActor{ + UserID: "user2", + Issuer: "foo.com", + }, + ), + user.NewUserTokenV2AddedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate, "at_accessTokenID"), + ), + ), + idGenerator: mock.NewIDGeneratorExpectIDs(t, "oidcSessionID", "accessTokenID"), + defaultAccessTokenLifetime: time.Hour, + defaultRefreshTokenLifetime: 7 * 24 * time.Hour, + defaultRefreshTokenIdleLifetime: 24 * time.Hour, + keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), + checkPermission: domain.PermissionCheck(func(_ context.Context, _, _, _ string) (err error) { + return nil + }), + }, + args: args{ + ctx: context.Background(), + userID: "userID", + resourceOwner: "org1", + clientID: "clientID", + audience: []string{"audience"}, + scope: []string{"openid", "offline_access"}, + authMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + authTime: testNow, + nonce: "nonce", + preferredLanguage: &language.Afrikaans, + userAgent: &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + reason: domain.TokenReasonImpersonation, + actor: &domain.TokenActor{ + UserID: "user2", + Issuer: "foo.com", + }, + needRefreshToken: false, + }, + want: &OIDCSession{ + TokenID: "V2_oidcSessionID-at_accessTokenID", + ClientID: "clientID", + UserID: "userID", + Audience: []string{"audience"}, + Expiration: time.Time{}.Add(time.Hour), + Scope: []string{"openid", "offline_access"}, + AuthMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + AuthTime: testNow, + Nonce: "nonce", + PreferredLanguage: &language.Afrikaans, + UserAgent: &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + Reason: domain.TokenReasonImpersonation, + Actor: &domain.TokenActor{ + UserID: "user2", + Issuer: "foo.com", + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + c := &Commands{ + eventstore: tt.fields.eventstore(t), + idGenerator: tt.fields.idGenerator, + defaultAccessTokenLifetime: tt.fields.defaultAccessTokenLifetime, + defaultRefreshTokenLifetime: tt.fields.defaultRefreshTokenLifetime, + defaultRefreshTokenIdleLifetime: tt.fields.defaultRefreshTokenIdleLifetime, + keyAlgorithm: tt.fields.keyAlgorithm, + checkPermission: tt.fields.checkPermission, + } + got, err := c.CreateOIDCSession(tt.args.ctx, + tt.args.userID, + tt.args.resourceOwner, + tt.args.clientID, + tt.args.scope, + tt.args.audience, + tt.args.authMethods, + tt.args.authTime, + tt.args.nonce, + tt.args.preferredLanguage, + tt.args.userAgent, + tt.args.reason, + tt.args.actor, + tt.args.needRefreshToken, + ) + require.ErrorIs(t, err, tt.wantErr) + if got != nil { + assert.WithinRange(t, got.AuthTime, tt.want.AuthTime.Add(-time.Second), tt.want.AuthTime.Add(time.Second)) + got.AuthTime = time.Time{} + tt.want.AuthTime = time.Time{} + } + assert.Equal(t, tt.want, got) + }) + } +} + +func mockRefreshTokenComplianceChecker(returnErr error) RefreshTokenComplianceChecker { + return func(_ context.Context, wm *OIDCSessionWriteModel, scope []string) ([]string, error) { + if returnErr != nil { + return nil, returnErr + } + if len(scope) > 0 { + return scope, nil + } + return wm.Scope, nil + } +} + func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) { type fields struct { eventstore func(*testing.T) *eventstore.Eventstore @@ -449,16 +869,14 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) { keyAlgorithm crypto.EncryptionAlgorithm } type args struct { - ctx context.Context - oidcSessionID string - refreshToken string - scope []string + ctx context.Context + refreshToken string + scope []string + complianceCheck RefreshTokenComplianceChecker } type res struct { - id string - refreshToken string - expiration time.Time - err error + session *OIDCSession + err error } tests := []struct { name string @@ -473,9 +891,9 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) { keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), }, args{ - ctx: authz.WithInstanceID(context.Background(), "instanceID"), - oidcSessionID: "V2_oidcSessionID", - refreshToken: "aW52YWxpZA", // invalid + ctx: authz.WithInstanceID(context.Background(), "instanceID"), + refreshToken: "aW52YWxpZA", // invalid + complianceCheck: mockRefreshTokenComplianceChecker(nil), }, res{ err: zerrors.ThrowPreconditionFailed(nil, "OIDCS-JOI23", "Errors.OIDCSession.RefreshTokenInvalid"), @@ -490,9 +908,9 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) { keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), }, args{ - ctx: authz.WithInstanceID(context.Background(), "instanceID"), - oidcSessionID: "V2_oidcSessionID", - refreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID:rt_refreshTokenID:userID + ctx: authz.WithInstanceID(context.Background(), "instanceID"), + refreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID:rt_refreshTokenID:userID + complianceCheck: mockRefreshTokenComplianceChecker(nil), }, res{ err: zerrors.ThrowPreconditionFailed(nil, "OIDCS-s3hjk", "Errors.OIDCSession.RefreshTokenInvalid"), @@ -505,7 +923,10 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) { expectFilter( eventFromEventPusher( oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + ), ), eventFromEventPusher( oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, @@ -516,9 +937,9 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) { keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), }, args{ - ctx: authz.WithInstanceID(context.Background(), "instanceID"), - oidcSessionID: "V2_oidcSessionID", - refreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID:rt_refreshTokenID:userID + ctx: authz.WithInstanceID(context.Background(), "instanceID"), + refreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID:rt_refreshTokenID:userID + complianceCheck: mockRefreshTokenComplianceChecker(nil), }, res{ err: zerrors.ThrowPreconditionFailed(nil, "OIDCS-28ubl", "Errors.OIDCSession.RefreshTokenInvalid"), @@ -531,7 +952,10 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) { expectFilter( eventFromEventPusher( oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + ), ), eventFromEventPusher( oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, @@ -546,9 +970,9 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) { keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), }, args{ - ctx: authz.WithInstanceID(context.Background(), "instanceID"), - oidcSessionID: "V2_oidcSessionID", - refreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID:rt_refreshTokenID:userID + ctx: authz.WithInstanceID(context.Background(), "instanceID"), + refreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID:rt_refreshTokenID:userID + complianceCheck: mockRefreshTokenComplianceChecker(nil), }, res{ err: zerrors.ThrowPreconditionFailed(nil, "OIDCS-3jt2w", "Errors.OIDCSession.RefreshTokenInvalid"), @@ -561,7 +985,10 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) { expectFilter( eventFromEventPusherWithCreationDateNow( oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + ), ), eventFromEventPusherWithCreationDateNow( oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, @@ -576,6 +1003,7 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) { expectPush( oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, "at_accessTokenID", []string{"openid", "offline_access"}, time.Hour, domain.TokenReasonRefresh, nil), + user.NewUserTokenV2AddedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate, "at_accessTokenID"), oidcsession.NewRefreshTokenRenewedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, "rt_refreshTokenID2", 24*time.Hour), ), @@ -587,15 +1015,28 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) { keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), }, args{ - ctx: authz.WithInstanceID(context.Background(), "instanceID"), - oidcSessionID: "V2_oidcSessionID", - refreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID:rt_refreshTokenID:userID - scope: []string{"openid", "offline_access"}, + ctx: authz.WithInstanceID(context.Background(), "instanceID"), + refreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID:rt_refreshTokenID:userID + scope: []string{"openid", "offline_access"}, + complianceCheck: mockRefreshTokenComplianceChecker(nil), }, res{ - id: "V2_oidcSessionID-at_accessTokenID", - refreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDI6dXNlcklE", // V2_oidcSessionID-rt_refreshTokenID2:userID% - expiration: time.Time{}.Add(time.Hour), + session: &OIDCSession{ + SessionID: "sessionID", + TokenID: "V2_oidcSessionID-at_accessTokenID", + ClientID: "clientID", + UserID: "userID", + Audience: []string{"audience"}, + RefreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDI6dXNlcklE", // V2_oidcSessionID-rt_refreshTokenID2:userID% + Expiration: time.Time{}.Add(time.Hour), + Scope: []string{"openid", "profile", "offline_access"}, + AuthMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, + AuthTime: testNow, + Nonce: "nonce", + PreferredLanguage: &language.Afrikaans, + UserAgent: &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + Reason: domain.TokenReasonRefresh, + }, }, }, } @@ -609,11 +1050,14 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) { defaultRefreshTokenIdleLifetime: tt.fields.defaultRefreshTokenIdleLifetime, keyAlgorithm: tt.fields.keyAlgorithm, } - gotID, gotRefreshToken, gotExpiration, err := c.ExchangeOIDCSessionRefreshAndAccessToken(tt.args.ctx, tt.args.oidcSessionID, tt.args.refreshToken, tt.args.scope) - assert.Equal(t, tt.res.id, gotID) - assert.Equal(t, tt.res.refreshToken, gotRefreshToken) - assert.Equal(t, tt.res.expiration, gotExpiration) - assert.ErrorIs(t, err, tt.res.err) + got, err := c.ExchangeOIDCSessionRefreshAndAccessToken(tt.args.ctx, tt.args.refreshToken, tt.args.scope, tt.args.complianceCheck) + require.ErrorIs(t, err, tt.res.err) + if got != nil { + assert.WithinRange(t, got.AuthTime, tt.res.session.AuthTime.Add(-time.Second), tt.res.session.AuthTime.Add(time.Second)) + got.AuthTime = time.Time{} + tt.res.session.AuthTime = time.Time{} + } + assert.Equal(t, tt.res.session, got) }) } } @@ -678,7 +1122,10 @@ func TestCommands_OIDCSessionByRefreshToken(t *testing.T) { expectFilter( eventFromEventPusher( oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + ), ), eventFromEventPusher( oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, @@ -703,7 +1150,10 @@ func TestCommands_OIDCSessionByRefreshToken(t *testing.T) { expectFilter( eventFromEventPusher( oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + ), ), eventFromEventPusher( oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, @@ -732,7 +1182,10 @@ func TestCommands_OIDCSessionByRefreshToken(t *testing.T) { expectFilter( eventFromEventPusherWithCreationDateNow( oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + ), ), eventFromEventPusherWithCreationDateNow( oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, @@ -844,7 +1297,10 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) { expectFilter( eventFromEventPusher( oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "clientID", []string{"clientID"}, []string{"openid", "profile", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "clientID", []string{"clientID"}, []string{"openid", "profile", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + ), ), ), ), @@ -866,7 +1322,10 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) { expectFilter( eventFromEventPusher( oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "otherClientID", []string{"otherClientID"}, []string{"openid", "profile", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "otherClientID", []string{"otherClientID"}, []string{"openid", "profile", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + ), ), ), ), @@ -888,7 +1347,10 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) { expectFilter( eventFromEventPusher( oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "clientID", []string{"clientID"}, []string{"openid", "profile", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "clientID", []string{"clientID"}, []string{"openid", "profile", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + ), ), eventFromEventPusherWithCreationDateNow( oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, @@ -921,7 +1383,10 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) { expectFilter( eventFromEventPusher( oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "clientID", []string{"clientID"}, []string{"openid", "profile", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "clientID", []string{"clientID"}, []string{"openid", "profile", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + ), ), ), ), @@ -943,7 +1408,10 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) { expectFilter( eventFromEventPusher( oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "otherClientID", []string{"otherClientID"}, []string{"openid", "profile", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "otherClientID", []string{"otherClientID"}, []string{"openid", "profile", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + ), ), ), ), @@ -965,7 +1433,10 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) { expectFilter( eventFromEventPusher( oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, - "userID", "sessionID", "clientID", []string{"clientID"}, []string{"openid", "profile", "offline_access"}, []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow), + "userID", "org1", "sessionID", "clientID", []string{"clientID"}, []string{"openid", "profile", "offline_access"}, + []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans, + &domain.UserAgent{FingerprintID: gu.Ptr("browserFP")}, + ), ), eventFromEventPusherWithCreationDateNow( oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate, diff --git a/internal/command/org.go b/internal/command/org.go index 5f997183af..db963762b1 100644 --- a/internal/command/org.go +++ b/internal/command/org.go @@ -63,7 +63,7 @@ type CreatedOrgAdmin struct { } func (c *Commands) setUpOrgWithIDs(ctx context.Context, o *OrgSetup, orgID string, allowInitialMail bool, userIDs ...string) (_ *CreatedOrg, err error) { - cmds := c.newOrgSetupCommands(ctx, orgID, o, userIDs) + cmds := c.newOrgSetupCommands(ctx, orgID, o) for _, admin := range o.Admins { if err = cmds.setupOrgAdmin(admin, allowInitialMail); err != nil { return nil, err @@ -76,10 +76,10 @@ func (c *Commands) setUpOrgWithIDs(ctx context.Context, o *OrgSetup, orgID strin return cmds.push(ctx) } -func (c *Commands) newOrgSetupCommands(ctx context.Context, orgID string, orgSetup *OrgSetup, userIDs []string) *orgSetupCommands { +func (c *Commands) newOrgSetupCommands(ctx context.Context, orgID string, orgSetup *OrgSetup) *orgSetupCommands { orgAgg := org.NewAggregate(orgID) validations := []preparation.Validation{ - AddOrgCommand(ctx, orgAgg, orgSetup.Name, userIDs...), + AddOrgCommand(ctx, orgAgg, orgSetup.Name), } return &orgSetupCommands{ validations: validations, @@ -233,7 +233,7 @@ func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup, allowInitialMail b // AddOrgCommand defines the commands to create a new org, // this includes the verified default domain -func AddOrgCommand(ctx context.Context, a *org.Aggregate, name string, userIDs ...string) preparation.Validation { +func AddOrgCommand(ctx context.Context, a *org.Aggregate, name string) preparation.Validation { return func() (preparation.CreateCommands, error) { if name = strings.TrimSpace(name); name == "" { return nil, zerrors.ThrowInvalidArgument(nil, "ORG-mruNY", "Errors.Invalid.Argument") diff --git a/internal/command/org_converter.go b/internal/command/org_converter.go index 667dae1984..e9bd3351f1 100644 --- a/internal/command/org_converter.go +++ b/internal/command/org_converter.go @@ -46,10 +46,13 @@ func orgDomainWriteModelToOrgDomain(wm *OrgDomainWriteModel) *domain.OrgDomain { func orgWriteModelToPrivacyPolicy(wm *OrgPrivacyPolicyWriteModel) *domain.PrivacyPolicy { return &domain.PrivacyPolicy{ - ObjectRoot: writeModelToObjectRoot(wm.PrivacyPolicyWriteModel.WriteModel), - TOSLink: wm.TOSLink, - PrivacyLink: wm.PrivacyLink, - HelpLink: wm.HelpLink, - SupportEmail: wm.SupportEmail, + ObjectRoot: writeModelToObjectRoot(wm.PrivacyPolicyWriteModel.WriteModel), + TOSLink: wm.TOSLink, + PrivacyLink: wm.PrivacyLink, + HelpLink: wm.HelpLink, + SupportEmail: wm.SupportEmail, + DocsLink: wm.DocsLink, + CustomLink: wm.CustomLink, + CustomLinkText: wm.CustomLinkText, } } diff --git a/internal/command/org_idp.go b/internal/command/org_idp.go index f9d83ff9c5..597783c78f 100644 --- a/internal/command/org_idp.go +++ b/internal/command/org_idp.go @@ -1746,6 +1746,8 @@ func (c *Commands) prepareAddOrgSAMLProvider(a *org.Aggregate, writeModel *OrgSA cert, provider.Binding, provider.WithSignedRequest, + provider.NameIDFormat, + provider.TransientMappingAttributeName, provider.IDPOptions, ), }, nil @@ -1794,6 +1796,8 @@ func (c *Commands) prepareUpdateOrgSAMLProvider(a *org.Aggregate, writeModel *Or c.idpConfigEncryption, provider.Binding, provider.WithSignedRequest, + provider.NameIDFormat, + provider.TransientMappingAttributeName, provider.IDPOptions, ) if err != nil || event == nil { @@ -1837,6 +1841,8 @@ func (c *Commands) prepareRegenerateOrgSAMLProviderCertificate(a *org.Aggregate, c.idpConfigEncryption, writeModel.Binding, writeModel.WithSignedRequest, + writeModel.NameIDFormat, + writeModel.TransientMappingAttributeName, writeModel.Options, ) if err != nil || event == nil { diff --git a/internal/command/org_idp_model.go b/internal/command/org_idp_model.go index 2d8bc8f8f1..df00096095 100644 --- a/internal/command/org_idp_model.go +++ b/internal/command/org_idp_model.go @@ -5,6 +5,7 @@ import ( "time" "github.com/zitadel/zitadel/internal/crypto" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/repository/idp" "github.com/zitadel/zitadel/internal/repository/org" @@ -927,6 +928,8 @@ func (wm *OrgSAMLIDPWriteModel) NewChangedEvent( secretCrypto crypto.EncryptionAlgorithm, binding string, withSignedRequest bool, + nameIDFormat *domain.SAMLNameIDFormat, + transientMappingAttributeName string, options idp.Options, ) (*org.SAMLIDPChangedEvent, error) { changes, err := wm.SAMLIDPWriteModel.NewChanges( @@ -937,6 +940,8 @@ func (wm *OrgSAMLIDPWriteModel) NewChangedEvent( secretCrypto, binding, withSignedRequest, + nameIDFormat, + transientMappingAttributeName, options, ) if err != nil || len(changes) == 0 { diff --git a/internal/command/org_idp_test.go b/internal/command/org_idp_test.go index ebb8682125..bcda24df2d 100644 --- a/internal/command/org_idp_test.go +++ b/internal/command/org_idp_test.go @@ -6,6 +6,7 @@ import ( "testing" "time" + "github.com/muhlemmer/gu" "github.com/stretchr/testify/assert" openid "github.com/zitadel/oidc/v3/pkg/oidc" "go.uber.org/mock/gomock" @@ -22,7 +23,7 @@ import ( func TestCommandSide_AddOrgGenericOAuthIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -45,7 +46,7 @@ func TestCommandSide_AddOrgGenericOAuthIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -62,7 +63,7 @@ func TestCommandSide_AddOrgGenericOAuthIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -81,7 +82,7 @@ func TestCommandSide_AddOrgGenericOAuthIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -101,7 +102,7 @@ func TestCommandSide_AddOrgGenericOAuthIDP(t *testing.T) { { "invalid auth endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -122,7 +123,7 @@ func TestCommandSide_AddOrgGenericOAuthIDP(t *testing.T) { { "invalid token endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -144,7 +145,7 @@ func TestCommandSide_AddOrgGenericOAuthIDP(t *testing.T) { { "invalid user endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -167,7 +168,7 @@ func TestCommandSide_AddOrgGenericOAuthIDP(t *testing.T) { { "invalid id attribute", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -191,7 +192,7 @@ func TestCommandSide_AddOrgGenericOAuthIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewOAuthIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -237,7 +238,7 @@ func TestCommandSide_AddOrgGenericOAuthIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewOAuthIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -296,7 +297,7 @@ func TestCommandSide_AddOrgGenericOAuthIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -317,7 +318,7 @@ func TestCommandSide_AddOrgGenericOAuthIDP(t *testing.T) { func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -339,7 +340,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -355,7 +356,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -372,7 +373,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -391,7 +392,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { { "invalid auth endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -411,7 +412,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { { "invalid token endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -432,7 +433,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { { "invalid user endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -454,7 +455,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { { "invalid id attribute", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -477,7 +478,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -501,7 +502,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewOAuthIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -544,7 +545,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewOAuthIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -627,7 +628,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateOrgGenericOAuthProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -646,7 +647,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) { func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -669,7 +670,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -686,7 +687,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) { { "invalid issuer", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -705,7 +706,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -725,7 +726,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -746,7 +747,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewOIDCIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -787,7 +788,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewOIDCIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -842,7 +843,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -863,7 +864,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) { func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -885,7 +886,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -901,7 +902,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -918,7 +919,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) { { "invalid issuer", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -937,7 +938,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -957,7 +958,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -978,7 +979,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewOIDCIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -1016,7 +1017,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewOIDCIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -1093,7 +1094,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateOrgGenericOIDCProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -1112,7 +1113,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) { func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -1134,7 +1135,7 @@ func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -1150,7 +1151,7 @@ func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) { { "invalid client id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -1168,7 +1169,7 @@ func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) { { "invalid client secret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -1187,7 +1188,7 @@ func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -1208,7 +1209,7 @@ func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) { { name: "migrate ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewOIDCIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -1267,7 +1268,7 @@ func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) { { name: "migrate full ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewOIDCIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -1338,7 +1339,7 @@ func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.MigrateOrgGenericOIDCToAzureADProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -1357,7 +1358,7 @@ func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) { func TestCommandSide_MigrateOrgOIDCToGoogleIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -1379,7 +1380,7 @@ func TestCommandSide_MigrateOrgOIDCToGoogleIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -1396,7 +1397,7 @@ func TestCommandSide_MigrateOrgOIDCToGoogleIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -1415,7 +1416,7 @@ func TestCommandSide_MigrateOrgOIDCToGoogleIDP(t *testing.T) { { "not found", fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -1435,7 +1436,7 @@ func TestCommandSide_MigrateOrgOIDCToGoogleIDP(t *testing.T) { { name: "migrate ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewOIDCIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -1488,7 +1489,7 @@ func TestCommandSide_MigrateOrgOIDCToGoogleIDP(t *testing.T) { { name: "migrate full ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewOIDCIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -1554,7 +1555,7 @@ func TestCommandSide_MigrateOrgOIDCToGoogleIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.MigrateOrgGenericOIDCToGoogleProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -1573,7 +1574,7 @@ func TestCommandSide_MigrateOrgOIDCToGoogleIDP(t *testing.T) { func TestCommandSide_AddOrgAzureADIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -1596,7 +1597,7 @@ func TestCommandSide_AddOrgAzureADIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -1613,7 +1614,7 @@ func TestCommandSide_AddOrgAzureADIDP(t *testing.T) { { "invalid client id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -1632,7 +1633,7 @@ func TestCommandSide_AddOrgAzureADIDP(t *testing.T) { { "invalid client secret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -1652,7 +1653,7 @@ func TestCommandSide_AddOrgAzureADIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewAzureADIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -1692,7 +1693,7 @@ func TestCommandSide_AddOrgAzureADIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewAzureADIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -1747,7 +1748,7 @@ func TestCommandSide_AddOrgAzureADIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -1768,7 +1769,7 @@ func TestCommandSide_AddOrgAzureADIDP(t *testing.T) { func TestCommandSide_UpdateOrgAzureADIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -1790,7 +1791,7 @@ func TestCommandSide_UpdateOrgAzureADIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -1806,7 +1807,7 @@ func TestCommandSide_UpdateOrgAzureADIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -1823,7 +1824,7 @@ func TestCommandSide_UpdateOrgAzureADIDP(t *testing.T) { { "invalid client id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -1842,7 +1843,7 @@ func TestCommandSide_UpdateOrgAzureADIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -1862,7 +1863,7 @@ func TestCommandSide_UpdateOrgAzureADIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewAzureADIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -1899,7 +1900,7 @@ func TestCommandSide_UpdateOrgAzureADIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewAzureADIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -1976,7 +1977,7 @@ func TestCommandSide_UpdateOrgAzureADIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateOrgAzureADProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -1995,7 +1996,7 @@ func TestCommandSide_UpdateOrgAzureADIDP(t *testing.T) { func TestCommandSide_AddOrgGitHubIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -2018,7 +2019,7 @@ func TestCommandSide_AddOrgGitHubIDP(t *testing.T) { { "invalid client id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2035,7 +2036,7 @@ func TestCommandSide_AddOrgGitHubIDP(t *testing.T) { { "invalid client secret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2054,7 +2055,7 @@ func TestCommandSide_AddOrgGitHubIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewGitHubIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -2091,7 +2092,7 @@ func TestCommandSide_AddOrgGitHubIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewGitHubIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -2142,7 +2143,7 @@ func TestCommandSide_AddOrgGitHubIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -2163,7 +2164,7 @@ func TestCommandSide_AddOrgGitHubIDP(t *testing.T) { func TestCommandSide_UpdateOrgGitHubIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -2185,7 +2186,7 @@ func TestCommandSide_UpdateOrgGitHubIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -2201,7 +2202,7 @@ func TestCommandSide_UpdateOrgGitHubIDP(t *testing.T) { { "invalid client id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -2218,7 +2219,7 @@ func TestCommandSide_UpdateOrgGitHubIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -2237,7 +2238,7 @@ func TestCommandSide_UpdateOrgGitHubIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewGitHubIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -2271,7 +2272,7 @@ func TestCommandSide_UpdateOrgGitHubIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewGitHubIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -2342,7 +2343,7 @@ func TestCommandSide_UpdateOrgGitHubIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateOrgGitHubProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -2361,7 +2362,7 @@ func TestCommandSide_UpdateOrgGitHubIDP(t *testing.T) { func TestCommandSide_AddOrgGitHubEnterpriseIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -2384,7 +2385,7 @@ func TestCommandSide_AddOrgGitHubEnterpriseIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2401,7 +2402,7 @@ func TestCommandSide_AddOrgGitHubEnterpriseIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2420,7 +2421,7 @@ func TestCommandSide_AddOrgGitHubEnterpriseIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2440,7 +2441,7 @@ func TestCommandSide_AddOrgGitHubEnterpriseIDP(t *testing.T) { { "invalid auth endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2461,7 +2462,7 @@ func TestCommandSide_AddOrgGitHubEnterpriseIDP(t *testing.T) { { "invalid token endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2483,7 +2484,7 @@ func TestCommandSide_AddOrgGitHubEnterpriseIDP(t *testing.T) { { "invalid user endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2506,7 +2507,7 @@ func TestCommandSide_AddOrgGitHubEnterpriseIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewGitHubEnterpriseIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -2550,7 +2551,7 @@ func TestCommandSide_AddOrgGitHubEnterpriseIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewGitHubEnterpriseIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -2607,7 +2608,7 @@ func TestCommandSide_AddOrgGitHubEnterpriseIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -2628,7 +2629,7 @@ func TestCommandSide_AddOrgGitHubEnterpriseIDP(t *testing.T) { func TestCommandSide_UpdateOrgGitHubEnterpriseIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -2650,7 +2651,7 @@ func TestCommandSide_UpdateOrgGitHubEnterpriseIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -2666,7 +2667,7 @@ func TestCommandSide_UpdateOrgGitHubEnterpriseIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -2683,7 +2684,7 @@ func TestCommandSide_UpdateOrgGitHubEnterpriseIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -2702,7 +2703,7 @@ func TestCommandSide_UpdateOrgGitHubEnterpriseIDP(t *testing.T) { { "invalid auth endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -2722,7 +2723,7 @@ func TestCommandSide_UpdateOrgGitHubEnterpriseIDP(t *testing.T) { { "invalid token endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -2743,7 +2744,7 @@ func TestCommandSide_UpdateOrgGitHubEnterpriseIDP(t *testing.T) { { "invalid user endpoint", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -2765,7 +2766,7 @@ func TestCommandSide_UpdateOrgGitHubEnterpriseIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -2788,7 +2789,7 @@ func TestCommandSide_UpdateOrgGitHubEnterpriseIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewGitHubEnterpriseIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -2829,7 +2830,7 @@ func TestCommandSide_UpdateOrgGitHubEnterpriseIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewGitHubEnterpriseIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -2909,7 +2910,7 @@ func TestCommandSide_UpdateOrgGitHubEnterpriseIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateOrgGitHubEnterpriseProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -2928,7 +2929,7 @@ func TestCommandSide_UpdateOrgGitHubEnterpriseIDP(t *testing.T) { func TestCommandSide_AddOrgGitLabIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -2951,7 +2952,7 @@ func TestCommandSide_AddOrgGitLabIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2968,7 +2969,7 @@ func TestCommandSide_AddOrgGitLabIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -2987,7 +2988,7 @@ func TestCommandSide_AddOrgGitLabIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewGitLabIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -3024,7 +3025,7 @@ func TestCommandSide_AddOrgGitLabIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewGitLabIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -3074,7 +3075,7 @@ func TestCommandSide_AddOrgGitLabIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -3095,7 +3096,7 @@ func TestCommandSide_AddOrgGitLabIDP(t *testing.T) { func TestCommandSide_UpdateOrgGitLabIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -3117,7 +3118,7 @@ func TestCommandSide_UpdateOrgGitLabIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -3133,7 +3134,7 @@ func TestCommandSide_UpdateOrgGitLabIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -3150,7 +3151,7 @@ func TestCommandSide_UpdateOrgGitLabIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -3169,7 +3170,7 @@ func TestCommandSide_UpdateOrgGitLabIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewGitLabIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -3203,7 +3204,7 @@ func TestCommandSide_UpdateOrgGitLabIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewGitLabIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -3272,7 +3273,7 @@ func TestCommandSide_UpdateOrgGitLabIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateOrgGitLabProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -3291,7 +3292,7 @@ func TestCommandSide_UpdateOrgGitLabIDP(t *testing.T) { func TestCommandSide_AddOrgGitLabSelfHostedIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -3314,7 +3315,7 @@ func TestCommandSide_AddOrgGitLabSelfHostedIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -3331,7 +3332,7 @@ func TestCommandSide_AddOrgGitLabSelfHostedIDP(t *testing.T) { { "invalid issuer", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -3350,7 +3351,7 @@ func TestCommandSide_AddOrgGitLabSelfHostedIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -3370,7 +3371,7 @@ func TestCommandSide_AddOrgGitLabSelfHostedIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -3391,7 +3392,7 @@ func TestCommandSide_AddOrgGitLabSelfHostedIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewGitLabSelfHostedIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -3431,7 +3432,7 @@ func TestCommandSide_AddOrgGitLabSelfHostedIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewGitLabSelfHostedIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -3484,7 +3485,7 @@ func TestCommandSide_AddOrgGitLabSelfHostedIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -3505,7 +3506,7 @@ func TestCommandSide_AddOrgGitLabSelfHostedIDP(t *testing.T) { func TestCommandSide_UpdateOrgGitLabSelfHostedIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -3527,7 +3528,7 @@ func TestCommandSide_UpdateOrgGitLabSelfHostedIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -3543,7 +3544,7 @@ func TestCommandSide_UpdateOrgGitLabSelfHostedIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -3560,7 +3561,7 @@ func TestCommandSide_UpdateOrgGitLabSelfHostedIDP(t *testing.T) { { "invalid issuer", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -3579,7 +3580,7 @@ func TestCommandSide_UpdateOrgGitLabSelfHostedIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -3599,7 +3600,7 @@ func TestCommandSide_UpdateOrgGitLabSelfHostedIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -3620,7 +3621,7 @@ func TestCommandSide_UpdateOrgGitLabSelfHostedIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewGitLabSelfHostedIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -3657,7 +3658,7 @@ func TestCommandSide_UpdateOrgGitLabSelfHostedIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewGitLabSelfHostedIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -3731,7 +3732,7 @@ func TestCommandSide_UpdateOrgGitLabSelfHostedIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateOrgGitLabSelfHostedProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -3750,7 +3751,7 @@ func TestCommandSide_UpdateOrgGitLabSelfHostedIDP(t *testing.T) { func TestCommandSide_AddOrgGoogleIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -3773,7 +3774,7 @@ func TestCommandSide_AddOrgGoogleIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -3790,7 +3791,7 @@ func TestCommandSide_AddOrgGoogleIDP(t *testing.T) { { "invalid clientSecret", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -3809,7 +3810,7 @@ func TestCommandSide_AddOrgGoogleIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewGoogleIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -3846,7 +3847,7 @@ func TestCommandSide_AddOrgGoogleIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewGoogleIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -3896,7 +3897,7 @@ func TestCommandSide_AddOrgGoogleIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -3917,7 +3918,7 @@ func TestCommandSide_AddOrgGoogleIDP(t *testing.T) { func TestCommandSide_UpdateOrgGoogleIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -3939,7 +3940,7 @@ func TestCommandSide_UpdateOrgGoogleIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -3955,7 +3956,7 @@ func TestCommandSide_UpdateOrgGoogleIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -3972,7 +3973,7 @@ func TestCommandSide_UpdateOrgGoogleIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -3991,7 +3992,7 @@ func TestCommandSide_UpdateOrgGoogleIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewGoogleIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -4025,7 +4026,7 @@ func TestCommandSide_UpdateOrgGoogleIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewGoogleIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -4094,7 +4095,7 @@ func TestCommandSide_UpdateOrgGoogleIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateOrgGoogleProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -4113,7 +4114,7 @@ func TestCommandSide_UpdateOrgGoogleIDP(t *testing.T) { func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -4136,7 +4137,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4153,7 +4154,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { { "invalid baseDN", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4172,7 +4173,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { { "invalid binddn", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4192,7 +4193,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { { "invalid password", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4213,7 +4214,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { { "invalid userbase", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4235,7 +4236,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { { "invalid servers", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4258,7 +4259,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { { "invalid userObjectClasses", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4282,7 +4283,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { { "invalid userFilters", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4307,7 +4308,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewLDAPIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -4359,7 +4360,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewLDAPIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -4452,7 +4453,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -4473,7 +4474,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) { func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -4495,7 +4496,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -4511,7 +4512,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -4528,7 +4529,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { { "invalid baseDN", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -4547,7 +4548,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { { "invalid binddn", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -4567,7 +4568,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { { "invalid userbase", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -4588,7 +4589,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { { "invalid servers", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -4610,7 +4611,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { { "invalid userObjectClasses", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -4633,7 +4634,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { { "invalid userFilters", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -4657,7 +4658,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -4685,7 +4686,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewLDAPIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -4733,7 +4734,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewLDAPIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -4853,7 +4854,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateOrgLDAPProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -4872,7 +4873,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) { func TestCommandSide_AddOrgAppleIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm } @@ -4895,7 +4896,7 @@ func TestCommandSide_AddOrgAppleIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4912,7 +4913,7 @@ func TestCommandSide_AddOrgAppleIDP(t *testing.T) { { "invalid teamID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4931,7 +4932,7 @@ func TestCommandSide_AddOrgAppleIDP(t *testing.T) { { "invalid keyID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4951,7 +4952,7 @@ func TestCommandSide_AddOrgAppleIDP(t *testing.T) { { "invalid privateKey", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -4972,7 +4973,7 @@ func TestCommandSide_AddOrgAppleIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewAppleIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -5013,7 +5014,7 @@ func TestCommandSide_AddOrgAppleIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewAppleIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -5067,7 +5068,7 @@ func TestCommandSide_AddOrgAppleIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, } @@ -5088,7 +5089,7 @@ func TestCommandSide_AddOrgAppleIDP(t *testing.T) { func TestCommandSide_UpdateOrgAppleIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -5110,7 +5111,7 @@ func TestCommandSide_UpdateOrgAppleIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -5126,7 +5127,7 @@ func TestCommandSide_UpdateOrgAppleIDP(t *testing.T) { { "invalid clientID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -5143,7 +5144,7 @@ func TestCommandSide_UpdateOrgAppleIDP(t *testing.T) { { "invalid teamID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -5162,7 +5163,7 @@ func TestCommandSide_UpdateOrgAppleIDP(t *testing.T) { { "invalid keyID", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -5182,7 +5183,7 @@ func TestCommandSide_UpdateOrgAppleIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -5203,7 +5204,7 @@ func TestCommandSide_UpdateOrgAppleIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewAppleIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -5241,7 +5242,7 @@ func TestCommandSide_UpdateOrgAppleIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewAppleIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -5316,7 +5317,7 @@ func TestCommandSide_UpdateOrgAppleIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateOrgAppleProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -5339,7 +5340,7 @@ func stringPointer(s string) *string { func TestCommandSide_AddOrgSAMLIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore idGenerator id.Generator secretCrypto crypto.EncryptionAlgorithm certificateAndKeyGenerator func(id string) ([]byte, []byte, error) @@ -5363,7 +5364,7 @@ func TestCommandSide_AddOrgSAMLIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -5380,7 +5381,7 @@ func TestCommandSide_AddOrgSAMLIDP(t *testing.T) { { "invalid metadata", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"), }, args{ @@ -5399,7 +5400,7 @@ func TestCommandSide_AddOrgSAMLIDP(t *testing.T) { { name: "ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewSAMLIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -5415,6 +5416,8 @@ func TestCommandSide_AddOrgSAMLIDP(t *testing.T) { []byte("certificate"), "", false, + nil, + "", idp.Options{}, ), ), @@ -5438,7 +5441,7 @@ func TestCommandSide_AddOrgSAMLIDP(t *testing.T) { { name: "ok all set", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), expectPush( org.NewSAMLIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -5454,6 +5457,8 @@ func TestCommandSide_AddOrgSAMLIDP(t *testing.T) { []byte("certificate"), "binding", true, + gu.Ptr(domain.SAMLNameIDFormatTransient), + "customAttribute", idp.Options{ IsCreationAllowed: true, IsLinkingAllowed: true, @@ -5471,10 +5476,12 @@ func TestCommandSide_AddOrgSAMLIDP(t *testing.T) { ctx: context.Background(), resourceOwner: "org1", provider: SAMLProvider{ - Name: "name", - Metadata: []byte("metadata"), - Binding: "binding", - WithSignedRequest: true, + Name: "name", + Metadata: []byte("metadata"), + Binding: "binding", + WithSignedRequest: true, + NameIDFormat: gu.Ptr(domain.SAMLNameIDFormatTransient), + TransientMappingAttributeName: "customAttribute", IDPOptions: idp.Options{ IsCreationAllowed: true, IsLinkingAllowed: true, @@ -5492,7 +5499,7 @@ func TestCommandSide_AddOrgSAMLIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idGenerator: tt.fields.idGenerator, idpConfigEncryption: tt.fields.secretCrypto, samlCertificateAndKeyGenerator: tt.fields.certificateAndKeyGenerator, @@ -5514,7 +5521,7 @@ func TestCommandSide_AddOrgSAMLIDP(t *testing.T) { func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm } type args struct { @@ -5536,7 +5543,7 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -5552,7 +5559,7 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { { "invalid name", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -5569,7 +5576,7 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { { "invalid metadata", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -5588,7 +5595,7 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -5610,7 +5617,7 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { { name: "no changes", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewSAMLIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -5626,6 +5633,8 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { []byte("certificate"), "", false, + nil, + "", idp.Options{}, )), ), @@ -5647,7 +5656,7 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewSAMLIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -5663,6 +5672,8 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { []byte("certificate"), "binding", false, + gu.Ptr(domain.SAMLNameIDFormatUnspecified), + "", idp.Options{}, )), ), @@ -5676,6 +5687,8 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { idp.ChangeSAMLMetadata([]byte("new metadata")), idp.ChangeSAMLBinding("new binding"), idp.ChangeSAMLWithSignedRequest(true), + idp.ChangeSAMLNameIDFormat(gu.Ptr(domain.SAMLNameIDFormatTransient)), + idp.ChangeSAMLTransientMappingAttributeName("customAttribute"), idp.ChangeSAMLOptions(idp.OptionChanges{ IsCreationAllowed: &t, IsLinkingAllowed: &t, @@ -5695,10 +5708,12 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { resourceOwner: "org1", id: "id1", provider: SAMLProvider{ - Name: "new name", - Metadata: []byte("new metadata"), - Binding: "new binding", - WithSignedRequest: true, + Name: "new name", + Metadata: []byte("new metadata"), + Binding: "new binding", + WithSignedRequest: true, + NameIDFormat: gu.Ptr(domain.SAMLNameIDFormatTransient), + TransientMappingAttributeName: "customAttribute", IDPOptions: idp.Options{ IsCreationAllowed: true, IsLinkingAllowed: true, @@ -5715,7 +5730,7 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, } got, err := c.UpdateOrgSAMLProvider(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.provider) @@ -5734,7 +5749,7 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) { func TestCommandSide_RegenerateOrgSAMLProviderCertificate(t *testing.T) { type fields struct { - eventstore *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore secretCrypto crypto.EncryptionAlgorithm certificateAndKeyGenerator func(id string) ([]byte, []byte, error) } @@ -5756,7 +5771,7 @@ func TestCommandSide_RegenerateOrgSAMLProviderCertificate(t *testing.T) { { "invalid id", fields{ - eventstore: eventstoreExpect(t), + eventstore: expectEventstore(), }, args{ ctx: context.Background(), @@ -5771,7 +5786,7 @@ func TestCommandSide_RegenerateOrgSAMLProviderCertificate(t *testing.T) { { name: "not found", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter(), ), }, @@ -5789,7 +5804,7 @@ func TestCommandSide_RegenerateOrgSAMLProviderCertificate(t *testing.T) { { name: "change ok", fields: fields{ - eventstore: eventstoreExpect(t, + eventstore: expectEventstore( expectFilter( eventFromEventPusher( org.NewSAMLIDPAddedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, @@ -5805,6 +5820,8 @@ func TestCommandSide_RegenerateOrgSAMLProviderCertificate(t *testing.T) { []byte("certificate"), "binding", false, + gu.Ptr(domain.SAMLNameIDFormatUnspecified), + "", idp.Options{}, )), ), @@ -5844,7 +5861,7 @@ func TestCommandSide_RegenerateOrgSAMLProviderCertificate(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore, + eventstore: tt.fields.eventstore(t), idpConfigEncryption: tt.fields.secretCrypto, samlCertificateAndKeyGenerator: tt.fields.certificateAndKeyGenerator, } diff --git a/internal/command/org_policy_privacy.go b/internal/command/org_policy_privacy.go index c4cf6f4591..3e0497ccb4 100644 --- a/internal/command/org_policy_privacy.go +++ b/internal/command/org_policy_privacy.go @@ -58,7 +58,10 @@ func (c *Commands) AddPrivacyPolicy(ctx context.Context, resourceOwner string, p policy.TOSLink, policy.PrivacyLink, policy.HelpLink, - policy.SupportEmail)) + policy.SupportEmail, + policy.DocsLink, + policy.CustomLink, + policy.CustomLinkText)) if err != nil { return nil, err } @@ -91,7 +94,7 @@ func (c *Commands) ChangePrivacyPolicy(ctx context.Context, resourceOwner string } orgAgg := OrgAggregateFromWriteModel(&existingPolicy.PrivacyPolicyWriteModel.WriteModel) - changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, orgAgg, policy.TOSLink, policy.PrivacyLink, policy.HelpLink, policy.SupportEmail) + changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, orgAgg, policy.TOSLink, policy.PrivacyLink, policy.HelpLink, policy.SupportEmail, policy.DocsLink, policy.CustomLink, policy.CustomLinkText) if !hasChanged { return nil, zerrors.ThrowPreconditionFailed(nil, "Org-4N9fs", "Errors.Org.PrivacyPolicy.NotChanged") } diff --git a/internal/command/org_policy_privacy_model.go b/internal/command/org_policy_privacy_model.go index 262935e0ff..d4b5a8547e 100644 --- a/internal/command/org_policy_privacy_model.go +++ b/internal/command/org_policy_privacy_model.go @@ -60,6 +60,7 @@ func (wm *OrgPrivacyPolicyWriteModel) NewChangedEvent( privacyLink, helpLink string, supportEmail domain.EmailAddress, + docsLink, customLink, customLinkText string, ) (*org.PrivacyPolicyChangedEvent, bool) { changes := make([]policy.PrivacyPolicyChanges, 0) @@ -75,6 +76,15 @@ func (wm *OrgPrivacyPolicyWriteModel) NewChangedEvent( if wm.SupportEmail != supportEmail { changes = append(changes, policy.ChangeSupportEmail(supportEmail)) } + if wm.DocsLink != docsLink { + changes = append(changes, policy.ChangeDocsLink(docsLink)) + } + if wm.CustomLink != customLink { + changes = append(changes, policy.ChangeCustomLink(customLink)) + } + if wm.CustomLinkText != customLinkText { + changes = append(changes, policy.ChangeCustomLinkText(customLinkText)) + } if len(changes) == 0 { return nil, false } diff --git a/internal/command/org_policy_privacy_test.go b/internal/command/org_policy_privacy_test.go index 3b251326d8..147d4d3e56 100644 --- a/internal/command/org_policy_privacy_test.go +++ b/internal/command/org_policy_privacy_test.go @@ -43,10 +43,13 @@ func TestCommandSide_AddPrivacyPolicy(t *testing.T) { args: args{ ctx: context.Background(), policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLink", - PrivacyLink: "PrivacyLink", - HelpLink: "HelpLink", - SupportEmail: "support@example.com", + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + HelpLink: "HelpLink", + SupportEmail: "support@example.com", + DocsLink: "DocsLink", + CustomLink: "CustomLink", + CustomLinkText: "CustomLinkText", }, }, res: res{ @@ -66,7 +69,9 @@ func TestCommandSide_AddPrivacyPolicy(t *testing.T) { "PrivacyLink", "HelpLink", "support@example.com", - ), + "DocsLink", + "CustomLink", + "CustomLinkText"), ), ), ), @@ -75,10 +80,13 @@ func TestCommandSide_AddPrivacyPolicy(t *testing.T) { ctx: context.Background(), orgID: "org1", policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLink", - PrivacyLink: "PrivacyLink", - HelpLink: "HelpLink", - SupportEmail: "support@example.com", + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + HelpLink: "HelpLink", + SupportEmail: "support@example.com", + DocsLink: "DocsLink", + CustomLink: "CustomLink", + CustomLinkText: "CustomLinkText", }, }, res: res{ @@ -98,6 +106,9 @@ func TestCommandSide_AddPrivacyPolicy(t *testing.T) { "PrivacyLink", "HelpLink", "support@example.com", + "DocsLink", + "CustomLink", + "CustomLinkText", ), ), ), @@ -106,10 +117,13 @@ func TestCommandSide_AddPrivacyPolicy(t *testing.T) { ctx: context.Background(), orgID: "org1", policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLink", - PrivacyLink: "PrivacyLink", - HelpLink: "HelpLink", - SupportEmail: "support@example.com", + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + HelpLink: "HelpLink", + SupportEmail: "support@example.com", + DocsLink: "DocsLink", + CustomLink: "CustomLink", + CustomLinkText: "CustomLinkText", }, }, res: res{ @@ -118,10 +132,13 @@ func TestCommandSide_AddPrivacyPolicy(t *testing.T) { AggregateID: "org1", ResourceOwner: "org1", }, - TOSLink: "TOSLink", - PrivacyLink: "PrivacyLink", - HelpLink: "HelpLink", - SupportEmail: "support@example.com", + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + HelpLink: "HelpLink", + SupportEmail: "support@example.com", + DocsLink: "DocsLink", + CustomLink: "CustomLink", + CustomLinkText: "CustomLinkText", }, }, }, @@ -136,10 +153,13 @@ func TestCommandSide_AddPrivacyPolicy(t *testing.T) { ctx: context.Background(), orgID: "org1", policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLink", - PrivacyLink: "PrivacyLink", - HelpLink: "HelpLink", - SupportEmail: "wrong email", + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + HelpLink: "HelpLink", + SupportEmail: "wrong email", + DocsLink: "DocsLink", + CustomLink: "CustomLink", + CustomLinkText: "CustomLinkText", }, }, res: res{ @@ -159,6 +179,9 @@ func TestCommandSide_AddPrivacyPolicy(t *testing.T) { "", "", "", + "", + "", + "", ), ), ), @@ -167,10 +190,13 @@ func TestCommandSide_AddPrivacyPolicy(t *testing.T) { ctx: context.Background(), orgID: "org1", policy: &domain.PrivacyPolicy{ - TOSLink: "", - PrivacyLink: "", - HelpLink: "", - SupportEmail: "", + TOSLink: "", + PrivacyLink: "", + HelpLink: "", + SupportEmail: "", + DocsLink: "", + CustomLink: "", + CustomLinkText: "", }, }, res: res{ @@ -179,10 +205,13 @@ func TestCommandSide_AddPrivacyPolicy(t *testing.T) { AggregateID: "org1", ResourceOwner: "org1", }, - TOSLink: "", - PrivacyLink: "", - HelpLink: "", - SupportEmail: "", + TOSLink: "", + PrivacyLink: "", + HelpLink: "", + SupportEmail: "", + DocsLink: "", + CustomLink: "", + CustomLinkText: "", }, }, }, @@ -235,10 +264,13 @@ func TestCommandSide_ChangePrivacyPolicy(t *testing.T) { args: args{ ctx: context.Background(), policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLink", - PrivacyLink: "PrivacyLink", - HelpLink: "HelpLink", - SupportEmail: "support@example.com", + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + HelpLink: "HelpLink", + SupportEmail: "support@example.com", + DocsLink: "DocsLink", + CustomLink: "CustomLink", + CustomLinkText: "CustomLinkText", }, }, res: res{ @@ -257,10 +289,13 @@ func TestCommandSide_ChangePrivacyPolicy(t *testing.T) { ctx: context.Background(), orgID: "org1", policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLink", - PrivacyLink: "PrivacyLink", - HelpLink: "HelpLink", - SupportEmail: "support@example.com", + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + HelpLink: "HelpLink", + SupportEmail: "support@example.com", + DocsLink: "DocsLink", + CustomLink: "CustomLink", + CustomLinkText: "CustomLinkText", }, }, res: res{ @@ -280,6 +315,9 @@ func TestCommandSide_ChangePrivacyPolicy(t *testing.T) { "PrivacyLink", "HelpLink", "support@example.com", + "DocsLink", + "CustomLink", + "CustomLinkText", ), ), ), @@ -289,10 +327,13 @@ func TestCommandSide_ChangePrivacyPolicy(t *testing.T) { ctx: context.Background(), orgID: "org1", policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLink", - PrivacyLink: "PrivacyLink", - HelpLink: "HelpLink", - SupportEmail: "support@example.com", + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + HelpLink: "HelpLink", + SupportEmail: "support@example.com", + DocsLink: "DocsLink", + CustomLink: "CustomLink", + CustomLinkText: "CustomLinkText", }, }, res: res{ @@ -305,10 +346,13 @@ func TestCommandSide_ChangePrivacyPolicy(t *testing.T) { ctx: context.Background(), orgID: "org1", policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLinkChange", - PrivacyLink: "PrivacyLinkChange", - HelpLink: "HelpLinkChange", - SupportEmail: "wrong email", + TOSLink: "TOSLinkChange", + PrivacyLink: "PrivacyLinkChange", + HelpLink: "HelpLinkChange", + SupportEmail: "wrong email", + DocsLink: "DocsLink", + CustomLink: "CustomLink", + CustomLinkText: "CustomLinkText", }, }, res: res{ @@ -328,11 +372,14 @@ func TestCommandSide_ChangePrivacyPolicy(t *testing.T) { "PrivacyLink", "HelpLink", "support@example.com", + "DocsLink", + "CustomLink", + "CustomLinkText", ), ), ), expectPush( - newPrivacyPolicyChangedEvent(context.Background(), "org1", "TOSLinkChange", "PrivacyLinkChange", "HelpLinkChange", "support2@example.com"), + newPrivacyPolicyChangedEvent(context.Background(), "org1", "TOSLinkChange", "PrivacyLinkChange", "HelpLinkChange", "support2@example.com", "DocsLinkChange", "CustomLinkChange", "CustomLinkTextChange"), ), ), }, @@ -340,10 +387,13 @@ func TestCommandSide_ChangePrivacyPolicy(t *testing.T) { ctx: context.Background(), orgID: "org1", policy: &domain.PrivacyPolicy{ - TOSLink: "TOSLinkChange", - PrivacyLink: "PrivacyLinkChange", - HelpLink: "HelpLinkChange", - SupportEmail: "support2@example.com", + TOSLink: "TOSLinkChange", + PrivacyLink: "PrivacyLinkChange", + HelpLink: "HelpLinkChange", + SupportEmail: "support2@example.com", + DocsLink: "DocsLinkChange", + CustomLink: "CustomLinkChange", + CustomLinkText: "CustomLinkTextChange", }, }, res: res{ @@ -352,10 +402,13 @@ func TestCommandSide_ChangePrivacyPolicy(t *testing.T) { AggregateID: "org1", ResourceOwner: "org1", }, - TOSLink: "TOSLinkChange", - PrivacyLink: "PrivacyLinkChange", - HelpLink: "HelpLinkChange", - SupportEmail: "support2@example.com", + TOSLink: "TOSLinkChange", + PrivacyLink: "PrivacyLinkChange", + HelpLink: "HelpLinkChange", + SupportEmail: "support2@example.com", + DocsLink: "DocsLinkChange", + CustomLink: "CustomLinkChange", + CustomLinkText: "CustomLinkTextChange", }, }, }, @@ -372,11 +425,14 @@ func TestCommandSide_ChangePrivacyPolicy(t *testing.T) { "PrivacyLink", "HelpLink", "support@example.com", + "DocsLink", + "CustomLink", + "CustomLinkText", ), ), ), expectPush( - newPrivacyPolicyChangedEvent(context.Background(), "org1", "", "", "", ""), + newPrivacyPolicyChangedEvent(context.Background(), "org1", "", "", "", "", "", "", ""), ), ), }, @@ -384,10 +440,13 @@ func TestCommandSide_ChangePrivacyPolicy(t *testing.T) { ctx: context.Background(), orgID: "org1", policy: &domain.PrivacyPolicy{ - TOSLink: "", - PrivacyLink: "", - HelpLink: "", - SupportEmail: "", + TOSLink: "", + PrivacyLink: "", + HelpLink: "", + SupportEmail: "", + DocsLink: "", + CustomLink: "", + CustomLinkText: "", }, }, res: res{ @@ -396,10 +455,13 @@ func TestCommandSide_ChangePrivacyPolicy(t *testing.T) { AggregateID: "org1", ResourceOwner: "org1", }, - TOSLink: "", - PrivacyLink: "", - HelpLink: "", - SupportEmail: "", + TOSLink: "", + PrivacyLink: "", + HelpLink: "", + SupportEmail: "", + DocsLink: "", + CustomLink: "", + CustomLinkText: "", }, }, }, @@ -484,6 +546,9 @@ func TestCommandSide_RemovePrivacyPolicy(t *testing.T) { "PrivacyLink", "HelpLink", "support@example.com", + "DocsLink", + "CustomLink", + "CustomLinkText", ), ), ), @@ -523,7 +588,7 @@ func TestCommandSide_RemovePrivacyPolicy(t *testing.T) { } } -func newPrivacyPolicyChangedEvent(ctx context.Context, orgID string, tosLink, privacyLink, helpLink, supportEmail string) *org.PrivacyPolicyChangedEvent { +func newPrivacyPolicyChangedEvent(ctx context.Context, orgID string, tosLink, privacyLink, helpLink, supportEmail, docsLink, customLink, customLinkText string) *org.PrivacyPolicyChangedEvent { event, _ := org.NewPrivacyPolicyChangedEvent(ctx, &org.NewAggregate(orgID).Aggregate, []policy.PrivacyPolicyChanges{ @@ -531,6 +596,9 @@ func newPrivacyPolicyChangedEvent(ctx context.Context, orgID string, tosLink, pr policy.ChangePrivacyLink(privacyLink), policy.ChangeHelpLink(helpLink), policy.ChangeSupportEmail(domain.EmailAddress(supportEmail)), + policy.ChangeDocsLink(docsLink), + policy.ChangeCustomLink(customLink), + policy.ChangeCustomLinkText(customLinkText), }, ) return event diff --git a/internal/command/policy_privacy_model.go b/internal/command/policy_privacy_model.go index 1831176d7a..aba64f7f6b 100644 --- a/internal/command/policy_privacy_model.go +++ b/internal/command/policy_privacy_model.go @@ -9,11 +9,14 @@ import ( type PrivacyPolicyWriteModel struct { eventstore.WriteModel - TOSLink string - PrivacyLink string - HelpLink string - SupportEmail domain.EmailAddress - State domain.PolicyState + TOSLink string + PrivacyLink string + HelpLink string + SupportEmail domain.EmailAddress + State domain.PolicyState + DocsLink string + CustomLink string + CustomLinkText string } func (wm *PrivacyPolicyWriteModel) Reduce() error { @@ -25,6 +28,9 @@ func (wm *PrivacyPolicyWriteModel) Reduce() error { wm.HelpLink = e.HelpLink wm.SupportEmail = e.SupportEmail wm.State = domain.PolicyStateActive + wm.DocsLink = e.DocsLink + wm.CustomLink = e.CustomLink + wm.CustomLinkText = e.CustomLinkText case *policy.PrivacyPolicyChangedEvent: if e.PrivacyLink != nil { wm.PrivacyLink = *e.PrivacyLink @@ -38,6 +44,15 @@ func (wm *PrivacyPolicyWriteModel) Reduce() error { if e.SupportEmail != nil { wm.SupportEmail = *e.SupportEmail } + if e.DocsLink != nil { + wm.DocsLink = *e.DocsLink + } + if e.CustomLink != nil { + wm.CustomLink = *e.CustomLink + } + if e.CustomLinkText != nil { + wm.CustomLinkText = *e.CustomLinkText + } case *policy.PrivacyPolicyRemovedEvent: wm.State = domain.PolicyStateRemoved } diff --git a/internal/command/session.go b/internal/command/session.go index f7e0f889cd..c9fd29ac46 100644 --- a/internal/command/session.go +++ b/internal/command/session.go @@ -7,6 +7,8 @@ import ( "fmt" "time" + "golang.org/x/text/language" + "github.com/zitadel/zitadel/internal/activity" "github.com/zitadel/zitadel/internal/api/authz" "github.com/zitadel/zitadel/internal/crypto" @@ -56,12 +58,12 @@ func (c *Commands) NewSessionCommands(cmds []SessionCommand, session *SessionWri } // CheckUser defines a user check to be executed for a session update -func CheckUser(id string, resourceOwner string) SessionCommand { +func CheckUser(id string, resourceOwner string, preferredLanguage *language.Tag) SessionCommand { return func(ctx context.Context, cmd *SessionCommands) error { if cmd.sessionWriteModel.UserID != "" && id != "" && cmd.sessionWriteModel.UserID != id { return zerrors.ThrowInvalidArgument(nil, "", "user change not possible") } - return cmd.UserChecked(ctx, id, resourceOwner, cmd.now()) + return cmd.UserChecked(ctx, id, resourceOwner, cmd.now(), preferredLanguage) } } @@ -171,8 +173,8 @@ func (s *SessionCommands) Start(ctx context.Context, userAgent *domain.UserAgent s.eventCommands = append(s.eventCommands, session.NewAddedEvent(ctx, s.sessionWriteModel.aggregate, userAgent)) } -func (s *SessionCommands) UserChecked(ctx context.Context, userID, resourceOwner string, checkedAt time.Time) error { - s.eventCommands = append(s.eventCommands, session.NewUserCheckedEvent(ctx, s.sessionWriteModel.aggregate, userID, resourceOwner, checkedAt)) +func (s *SessionCommands) UserChecked(ctx context.Context, userID, resourceOwner string, checkedAt time.Time, preferredLanguage *language.Tag) error { + s.eventCommands = append(s.eventCommands, session.NewUserCheckedEvent(ctx, s.sessionWriteModel.aggregate, userID, resourceOwner, checkedAt, preferredLanguage)) // set the userID so other checks can use it s.sessionWriteModel.UserID = userID s.sessionWriteModel.UserResourceOwner = resourceOwner @@ -310,15 +312,12 @@ func (c *Commands) CreateSession(ctx context.Context, cmds []SessionCommand, met return c.updateSession(ctx, cmd, metadata, lifetime) } -func (c *Commands) UpdateSession(ctx context.Context, sessionID, sessionToken string, cmds []SessionCommand, metadata map[string][]byte, lifetime time.Duration) (set *SessionChanged, err error) { +func (c *Commands) UpdateSession(ctx context.Context, sessionID string, cmds []SessionCommand, metadata map[string][]byte, lifetime time.Duration) (set *SessionChanged, err error) { sessionWriteModel := NewSessionWriteModel(sessionID, authz.GetInstance(ctx).InstanceID()) err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel) if err != nil { return nil, err } - if err := c.sessionTokenVerifier(ctx, sessionToken, sessionWriteModel.AggregateID, sessionWriteModel.TokenID); err != nil { - return nil, err - } cmd := c.NewSessionCommands(cmds, sessionWriteModel) return c.updateSession(ctx, cmd, metadata, lifetime) } diff --git a/internal/command/session_model.go b/internal/command/session_model.go index 6076461f5a..e418a3adb3 100644 --- a/internal/command/session_model.go +++ b/internal/command/session_model.go @@ -3,6 +3,8 @@ package command import ( "time" + "golang.org/x/text/language" + "github.com/zitadel/zitadel/internal/crypto" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" @@ -40,6 +42,7 @@ type SessionWriteModel struct { TokenID string UserID string UserResourceOwner string + PreferredLanguage *language.Tag UserCheckedAt time.Time PasswordCheckedAt time.Time IntentCheckedAt time.Time @@ -50,6 +53,7 @@ type SessionWriteModel struct { WebAuthNUserVerified bool Metadata map[string][]byte State domain.SessionState + UserAgent *domain.UserAgent Expiration time.Time WebAuthNChallenge *WebAuthNChallengeModel @@ -137,12 +141,14 @@ func (wm *SessionWriteModel) Query() *eventstore.SearchQueryBuilder { func (wm *SessionWriteModel) reduceAdded(e *session.AddedEvent) { wm.State = domain.SessionStateActive + wm.UserAgent = e.UserAgent } func (wm *SessionWriteModel) reduceUserChecked(e *session.UserCheckedEvent) { wm.UserID = e.UserID wm.UserResourceOwner = e.UserResourceOwner wm.UserCheckedAt = e.CheckedAt + wm.PreferredLanguage = e.PreferredLanguage } func (wm *SessionWriteModel) reducePasswordChecked(e *session.PasswordCheckedEvent) { diff --git a/internal/command/session_test.go b/internal/command/session_test.go index 58f5f73706..b41a886aa2 100644 --- a/internal/command/session_test.go +++ b/internal/command/session_test.go @@ -288,12 +288,11 @@ func TestCommands_UpdateSession(t *testing.T) { tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) } type args struct { - ctx context.Context - sessionID string - sessionToken string - checks []SessionCommand - metadata map[string][]byte - lifetime time.Duration + ctx context.Context + sessionID string + checks []SessionCommand + metadata map[string][]byte + lifetime time.Duration } type res struct { want *SessionChanged @@ -319,37 +318,6 @@ func TestCommands_UpdateSession(t *testing.T) { err: zerrors.ThrowInternal(nil, "id", "filter failed"), }, }, - { - "invalid session token", - fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusher( - session.NewAddedEvent(context.Background(), - &session.NewAggregate("sessionID", "instance1").Aggregate, - &domain.UserAgent{ - FingerprintID: gu.Ptr("fp1"), - IP: net.ParseIP("1.2.3.4"), - Description: gu.Ptr("firefox"), - Header: http.Header{"foo": []string{"bar"}}, - }, - )), - eventFromEventPusher( - session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, - "tokenID")), - ), - ), - tokenVerifier: newMockTokenVerifierInvalid(), - }, - args{ - ctx: context.Background(), - sessionID: "sessionID", - sessionToken: "invalid", - }, - res{ - err: zerrors.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid"), - }, - }, { "no change", fields{ @@ -375,9 +343,8 @@ func TestCommands_UpdateSession(t *testing.T) { }, }, args{ - ctx: context.Background(), - sessionID: "sessionID", - sessionToken: "token", + ctx: context.Background(), + sessionID: "sessionID", }, res{ want: &SessionChanged{ @@ -397,7 +364,7 @@ func TestCommands_UpdateSession(t *testing.T) { eventstore: tt.fields.eventstore, sessionTokenVerifier: tt.fields.tokenVerifier, } - got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.sessionToken, tt.args.checks, tt.args.metadata, tt.args.lifetime) + got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.checks, tt.args.metadata, tt.args.lifetime) require.ErrorIs(t, err, tt.res.err) assert.Equal(t, tt.res.want, got) }) @@ -566,7 +533,7 @@ func TestCommands_updateSession(t *testing.T) { eventstore: eventstoreExpect(t, expectPush( session.NewUserCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, - "userID", "org1", testNow, + "userID", "org1", testNow, &language.Afrikaans, ), session.NewPasswordCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, testNow, @@ -585,7 +552,7 @@ func TestCommands_updateSession(t *testing.T) { checks: &SessionCommands{ sessionWriteModel: NewSessionWriteModel("sessionID", "instance1"), sessionCommands: []SessionCommand{ - CheckUser("userID", "org1"), + CheckUser("userID", "org1", &language.Afrikaans), CheckPassword("password"), }, eventstore: eventstoreExpect(t, @@ -634,7 +601,7 @@ func TestCommands_updateSession(t *testing.T) { checks: &SessionCommands{ sessionWriteModel: NewSessionWriteModel("sessionID", "instance1"), sessionCommands: []SessionCommand{ - CheckUser("userID", "org1"), + CheckUser("userID", "org1", &language.Afrikaans), CheckIntent("intent", "aW50ZW50"), }, eventstore: eventstoreExpect(t, @@ -673,7 +640,7 @@ func TestCommands_updateSession(t *testing.T) { checks: &SessionCommands{ sessionWriteModel: NewSessionWriteModel("sessionID", "instance1"), sessionCommands: []SessionCommand{ - CheckUser("userID", "org1"), + CheckUser("userID", "org1", &language.Afrikaans), CheckIntent("intent", "aW50ZW50"), }, eventstore: eventstoreExpect(t, @@ -723,7 +690,7 @@ func TestCommands_updateSession(t *testing.T) { checks: &SessionCommands{ sessionWriteModel: NewSessionWriteModel("sessionID", "instance1"), sessionCommands: []SessionCommand{ - CheckUser("userID", "org1"), + CheckUser("userID", "org1", &language.Afrikaans), CheckIntent("intent2", "aW50ZW50"), }, eventstore: eventstoreExpect(t), @@ -751,7 +718,7 @@ func TestCommands_updateSession(t *testing.T) { eventstore: eventstoreExpect(t, expectPush( session.NewUserCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, - "userID", "org1", testNow), + "userID", "org1", testNow, &language.Afrikaans), session.NewIntentCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, testNow), session.NewMetadataSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, @@ -766,7 +733,7 @@ func TestCommands_updateSession(t *testing.T) { checks: &SessionCommands{ sessionWriteModel: NewSessionWriteModel("sessionID", "instance1"), sessionCommands: []SessionCommand{ - CheckUser("userID", "org1"), + CheckUser("userID", "org1", &language.Afrikaans), CheckIntent("intent", "aW50ZW50"), }, eventstore: eventstoreExpect(t, @@ -829,7 +796,9 @@ func TestCheckTOTP(t *testing.T) { ctx := authz.NewMockContext("instance1", "org1", "user1") cryptoAlg := crypto.CreateMockEncryptionAlg(gomock.NewController(t)) - key, secret, err := domain.NewTOTPKey("example.com", "user1", cryptoAlg) + key, err := domain.NewTOTPKey("example.com", "user1") + require.NoError(t, err) + secret, err := crypto.Encrypt([]byte(key.Secret()), cryptoAlg) require.NoError(t, err) sessAgg := &session.NewAggregate("session1", "instance1").Aggregate @@ -1186,7 +1155,7 @@ func TestCommands_TerminateSession(t *testing.T) { ), eventFromEventPusher( session.NewUserCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, - "user1", "org1", testNow), + "user1", "org1", testNow, &language.Afrikaans), ), eventFromEventPusher( session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, @@ -1227,7 +1196,7 @@ func TestCommands_TerminateSession(t *testing.T) { ), eventFromEventPusher( session.NewUserCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, - "userID", "org1", testNow), + "userID", "org1", testNow, &language.Afrikaans), ), eventFromEventPusher( session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, @@ -1269,7 +1238,7 @@ func TestCommands_TerminateSession(t *testing.T) { ), eventFromEventPusher( session.NewUserCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "org2").Aggregate, - "userID", "", testNow), + "userID", "", testNow, &language.Afrikaans), ), eventFromEventPusher( session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "org2").Aggregate, diff --git a/internal/command/system_features.go b/internal/command/system_features.go index 838fef5b9d..5aa7c8dda1 100644 --- a/internal/command/system_features.go +++ b/internal/command/system_features.go @@ -4,6 +4,7 @@ import ( "context" "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/feature" "github.com/zitadel/zitadel/internal/repository/feature/feature_v2" "github.com/zitadel/zitadel/internal/zerrors" ) @@ -15,6 +16,7 @@ type SystemFeatures struct { TokenExchange *bool UserSchema *bool Actions *bool + ImprovedPerformance []feature.ImprovedPerformanceType } func (m *SystemFeatures) isEmpty() bool { @@ -23,7 +25,9 @@ func (m *SystemFeatures) isEmpty() bool { m.LegacyIntrospection == nil && m.UserSchema == nil && m.TokenExchange == nil && - m.Actions == nil + m.Actions == nil && + // nil check to allow unset improvements + m.ImprovedPerformance == nil } func (c *Commands) SetSystemFeatures(ctx context.Context, f *SystemFeatures) (*domain.ObjectDetails, error) { diff --git a/internal/command/system_features_model.go b/internal/command/system_features_model.go index d21aa85cbc..46b36d15ad 100644 --- a/internal/command/system_features_model.go +++ b/internal/command/system_features_model.go @@ -23,16 +23,23 @@ func NewSystemFeaturesWriteModel() *SystemFeaturesWriteModel { return m } -func (m *SystemFeaturesWriteModel) Reduce() (err error) { +func (m *SystemFeaturesWriteModel) Reduce() error { for _, event := range m.Events { switch e := event.(type) { case *feature_v2.ResetEvent: m.reduceReset() case *feature_v2.SetEvent[bool]: - err = m.reduceBoolFeature(e) - } - if err != nil { - return err + _, key, err := e.FeatureInfo() + if err != nil { + return err + } + reduceSystemFeature(&m.SystemFeatures, key, e.Value) + case *feature_v2.SetEvent[[]feature.ImprovedPerformanceType]: + _, key, err := e.FeatureInfo() + if err != nil { + return err + } + reduceSystemFeature(&m.SystemFeatures, key, e.Value) } } return m.WriteModel.Reduce() @@ -52,41 +59,40 @@ func (m *SystemFeaturesWriteModel) Query() *eventstore.SearchQueryBuilder { feature_v2.SystemUserSchemaEventType, feature_v2.SystemTokenExchangeEventType, feature_v2.SystemActionsEventType, + feature_v2.SystemImprovedPerformanceEventType, ). Builder().ResourceOwner(m.ResourceOwner) } func (m *SystemFeaturesWriteModel) reduceReset() { - m.LoginDefaultOrg = nil - m.TriggerIntrospectionProjections = nil - m.LegacyIntrospection = nil - m.TokenExchange = nil - m.UserSchema = nil - m.Actions = nil + m.SystemFeatures = SystemFeatures{} } -func (m *SystemFeaturesWriteModel) reduceBoolFeature(event *feature_v2.SetEvent[bool]) error { - _, key, err := event.FeatureInfo() - if err != nil { - return err - } +func reduceSystemFeature(features *SystemFeatures, key feature.Key, value any) { switch key { case feature.KeyUnspecified: - return nil + return case feature.KeyLoginDefaultOrg: - m.LoginDefaultOrg = &event.Value + v := value.(bool) + features.LoginDefaultOrg = &v case feature.KeyTriggerIntrospectionProjections: - m.TriggerIntrospectionProjections = &event.Value + v := value.(bool) + features.TriggerIntrospectionProjections = &v case feature.KeyLegacyIntrospection: - m.LegacyIntrospection = &event.Value + v := value.(bool) + features.LegacyIntrospection = &v case feature.KeyUserSchema: - m.UserSchema = &event.Value + v := value.(bool) + features.UserSchema = &v case feature.KeyTokenExchange: - m.TokenExchange = &event.Value + v := value.(bool) + features.TokenExchange = &v case feature.KeyActions: - m.Actions = &event.Value + v := value.(bool) + features.Actions = &v + case feature.KeyImprovedPerformance: + features.ImprovedPerformance = value.([]feature.ImprovedPerformanceType) } - return nil } func (wm *SystemFeaturesWriteModel) setCommands(ctx context.Context, f *SystemFeatures) []eventstore.Command { @@ -98,6 +104,7 @@ func (wm *SystemFeaturesWriteModel) setCommands(ctx context.Context, f *SystemFe cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.UserSchema, f.UserSchema, feature_v2.SystemUserSchemaEventType) cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.TokenExchange, f.TokenExchange, feature_v2.SystemTokenExchangeEventType) cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.Actions, f.Actions, feature_v2.SystemActionsEventType) + cmds = appendFeatureSliceUpdate(ctx, cmds, aggregate, wm.ImprovedPerformance, f.ImprovedPerformance, feature_v2.SystemImprovedPerformanceEventType) return cmds } @@ -107,3 +114,15 @@ func appendFeatureUpdate[T comparable](ctx context.Context, cmds []eventstore.Co } return cmds } + +func appendFeatureSliceUpdate[T comparable](ctx context.Context, cmds []eventstore.Command, aggregate *feature_v2.Aggregate, oldValues, newValues []T, eventType eventstore.EventType) []eventstore.Command { + if len(newValues) != len(oldValues) { + return append(cmds, feature_v2.NewSetEvent[[]T](ctx, aggregate, eventType, newValues)) + } + for i, oldValue := range oldValues { + if oldValue != newValues[i] { + return append(cmds, feature_v2.NewSetEvent[[]T](ctx, aggregate, eventType, newValues)) + } + } + return cmds +} diff --git a/internal/command/user.go b/internal/command/user.go index 9253da5719..17b0913c5e 100644 --- a/internal/command/user.go +++ b/internal/command/user.go @@ -4,7 +4,6 @@ import ( "context" "fmt" "strings" - "time" "github.com/zitadel/logging" @@ -13,7 +12,6 @@ import ( "github.com/zitadel/zitadel/internal/crypto" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" - "github.com/zitadel/zitadel/internal/eventstore/v1/models" "github.com/zitadel/zitadel/internal/repository/user" "github.com/zitadel/zitadel/internal/telemetry/tracing" "github.com/zitadel/zitadel/internal/zerrors" @@ -232,35 +230,6 @@ func (c *Commands) RemoveUser(ctx context.Context, userID, resourceOwner string, return writeModelToObjectDetails(&existingUser.WriteModel), nil } -func (c *Commands) AddUserToken( - ctx context.Context, - orgID, - agentID, - clientID, - userID string, - audience, - scopes, - authMethodsReferences []string, - lifetime time.Duration, - authTime time.Time, - reason domain.TokenReason, - actor *domain.TokenActor, -) (*domain.Token, error) { - if userID == "" { //do not check for empty orgID (JWT Profile requests won't provide it, so service user requests fail) - return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-Dbge4", "Errors.IDMissing") - } - userWriteModel := NewUserWriteModel(userID, orgID) - cmds, accessToken, err := c.addUserToken(ctx, userWriteModel, agentID, clientID, "", audience, scopes, authMethodsReferences, lifetime, authTime, reason, actor) - if err != nil { - return nil, err - } - _, err = c.eventstore.Push(ctx, cmds...) - if err != nil { - return nil, err - } - return accessToken, nil -} - func (c *Commands) RevokeAccessToken(ctx context.Context, userID, orgID, tokenID string) (*domain.ObjectDetails, error) { removeEvent, accessTokenWriteModel, err := c.removeAccessToken(ctx, userID, orgID, tokenID) if err != nil { @@ -277,61 +246,6 @@ func (c *Commands) RevokeAccessToken(ctx context.Context, userID, orgID, tokenID return writeModelToObjectDetails(&accessTokenWriteModel.WriteModel), nil } -func (c *Commands) addUserToken(ctx context.Context, userWriteModel *UserWriteModel, agentID, clientID, refreshTokenID string, audience, scopes, authMethodsReferences []string, lifetime time.Duration, authTime time.Time, reason domain.TokenReason, actor *domain.TokenActor) ([]eventstore.Command, *domain.Token, error) { - err := c.eventstore.FilterToQueryReducer(ctx, userWriteModel) - if err != nil { - return nil, nil, err - } - if userWriteModel.UserState != domain.UserStateActive { - return nil, nil, zerrors.ThrowNotFound(nil, "COMMAND-1d6Gg", "Errors.User.NotFound") - } - - //nolint:contextcheck - userAgg := UserAggregateFromWriteModel(&userWriteModel.WriteModel) - - var cmds []eventstore.Command - if reason == domain.TokenReasonImpersonation { - if err := c.checkPermission(ctx, "impersonation", userWriteModel.ResourceOwner, userWriteModel.AggregateID); err != nil { - return nil, nil, err - } - cmds = append(cmds, user.NewUserImpersonatedEvent(ctx, userAgg, clientID, actor)) - } - - preferredLanguage := "" - existingHuman, err := c.getHumanWriteModelByID(ctx, userWriteModel.AggregateID, userWriteModel.ResourceOwner) - if err != nil { - return nil, nil, err - } - if existingHuman != nil { - preferredLanguage = existingHuman.PreferredLanguage.String() - } - expiration := time.Now().UTC().Add(lifetime) - tokenID, err := c.idGenerator.Next() - if err != nil { - return nil, nil, err - } - - cmds = append(cmds, - user.NewUserTokenAddedEvent(ctx, userAgg, tokenID, clientID, agentID, preferredLanguage, refreshTokenID, audience, scopes, authMethodsReferences, authTime, expiration, reason, actor), - ) - - return cmds, &domain.Token{ - ObjectRoot: models.ObjectRoot{ - AggregateID: userWriteModel.AggregateID, - }, - TokenID: tokenID, - UserAgentID: agentID, - ApplicationID: clientID, - RefreshTokenID: refreshTokenID, - Audience: audience, - Scopes: scopes, - Expiration: expiration, - PreferredLanguage: preferredLanguage, - Reason: reason, - Actor: actor, - }, nil -} - func (c *Commands) removeAccessToken(ctx context.Context, userID, orgID, tokenID string) (*user.UserTokenRemovedEvent, *UserAccessTokenWriteModel, error) { if userID == "" || orgID == "" || tokenID == "" { return nil, nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-Dng42", "Errors.IDMissing") diff --git a/internal/command/user_converter.go b/internal/command/user_converter.go index 076b0bfd52..484cdc35f4 100644 --- a/internal/command/user_converter.go +++ b/internal/command/user_converter.go @@ -1,9 +1,6 @@ package command import ( - "encoding/base64" - - "github.com/zitadel/zitadel/internal/crypto" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/repository/user" ) @@ -81,16 +78,6 @@ func writeModelToAddress(wm *HumanAddressWriteModel) *domain.Address { } } -func writeModelToMachine(wm *MachineWriteModel) *domain.Machine { - return &domain.Machine{ - ObjectRoot: writeModelToObjectRoot(wm.WriteModel), - Username: wm.UserName, - Name: wm.Name, - Description: wm.Description, - State: wm.UserState, - } -} - func keyWriteModelToMachineKey(wm *MachineKeyWriteModel) *domain.MachineKey { return &domain.MachineKey{ ObjectRoot: writeModelToObjectRoot(wm.WriteModel), @@ -100,18 +87,6 @@ func keyWriteModelToMachineKey(wm *MachineKeyWriteModel) *domain.MachineKey { } } -func personalTokenWriteModelToToken(wm *PersonalAccessTokenWriteModel, algorithm crypto.EncryptionAlgorithm) (*domain.Token, string, error) { - encrypted, err := algorithm.Encrypt([]byte(wm.TokenID + ":" + wm.AggregateID)) - if err != nil { - return nil, "", err - } - return &domain.Token{ - ObjectRoot: writeModelToObjectRoot(wm.WriteModel), - TokenID: wm.TokenID, - Expiration: wm.ExpirationDate, - }, base64.RawURLEncoding.EncodeToString(encrypted), nil -} - func readModelToWebAuthNTokens(readModel HumanWebAuthNTokensReadModel) []*domain.WebAuthNToken { tokens := make([]*domain.WebAuthNToken, len(readModel.GetWebAuthNTokens())) for i, token := range readModel.GetWebAuthNTokens() { diff --git a/internal/command/user_human.go b/internal/command/user_human.go index 41ce13f950..7f117751b7 100644 --- a/internal/command/user_human.go +++ b/internal/command/user_human.go @@ -68,6 +68,9 @@ type AddHuman struct { // Links are optional Links []*AddLink + // TOTPSecret is optional + TOTPSecret string + // Details are set after a successful execution of the command Details *domain.ObjectDetails diff --git a/internal/command/user_human_otp.go b/internal/command/user_human_otp.go index a24751f570..c368167b3d 100644 --- a/internal/command/user_human_otp.go +++ b/internal/command/user_human_otp.go @@ -106,7 +106,11 @@ func (c *Commands) createHumanTOTP(ctx context.Context, userID, resourceOwner st if issuer == "" { issuer = authz.GetInstance(ctx).RequestedDomain() } - key, secret, err := domain.NewTOTPKey(issuer, accountName, c.multifactors.OTP.CryptoMFA) + key, err := domain.NewTOTPKey(issuer, accountName) + if err != nil { + return nil, err + } + encryptedSecret, err := crypto.Encrypt([]byte(key.Secret()), c.multifactors.OTP.CryptoMFA) if err != nil { return nil, err } @@ -115,7 +119,7 @@ func (c *Commands) createHumanTOTP(ctx context.Context, userID, resourceOwner st userAgg: userAgg, key: key, cmds: []eventstore.Command{ - user.NewHumanOTPAddedEvent(ctx, userAgg, secret), + user.NewHumanOTPAddedEvent(ctx, userAgg, encryptedSecret), }, }, nil } diff --git a/internal/command/user_human_otp_test.go b/internal/command/user_human_otp_test.go index 0cfba917c7..81615a4f6e 100644 --- a/internal/command/user_human_otp_test.go +++ b/internal/command/user_human_otp_test.go @@ -620,7 +620,9 @@ func TestCommands_HumanCheckMFATOTPSetup(t *testing.T) { ctx := authz.NewMockContext("", "org1", "user1") cryptoAlg := crypto.CreateMockEncryptionAlg(gomock.NewController(t)) - key, secret, err := domain.NewTOTPKey("example.com", "user1", cryptoAlg) + key, err := domain.NewTOTPKey("example.com", "user1") + require.NoError(t, err) + secret, err := crypto.Encrypt([]byte(key.Secret()), cryptoAlg) require.NoError(t, err) userAgg := &user.NewAggregate("user1", "org1").Aggregate userAgg2 := &user.NewAggregate("user2", "org1").Aggregate diff --git a/internal/command/user_human_refresh_token.go b/internal/command/user_human_refresh_token.go index 76f5847168..2a5fb9ec05 100644 --- a/internal/command/user_human_refresh_token.go +++ b/internal/command/user_human_refresh_token.go @@ -2,7 +2,6 @@ package command import ( "context" - "time" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" @@ -10,98 +9,6 @@ import ( "github.com/zitadel/zitadel/internal/zerrors" ) -func (c *Commands) AddAccessAndRefreshToken( - ctx context.Context, - orgID, - agentID, - clientID, - userID, - refreshToken string, - audience, - scopes, - authMethodsReferences []string, - accessLifetime, - refreshIdleExpiration, - refreshExpiration time.Duration, - authTime time.Time, - reason domain.TokenReason, - actor *domain.TokenActor, -) (accessToken *domain.Token, newRefreshToken string, err error) { - if refreshToken == "" { - return c.AddNewRefreshTokenAndAccessToken(ctx, userID, orgID, agentID, clientID, audience, scopes, authMethodsReferences, refreshExpiration, accessLifetime, refreshIdleExpiration, authTime, reason, actor) - } - return c.RenewRefreshTokenAndAccessToken(ctx, userID, orgID, refreshToken, agentID, clientID, audience, scopes, refreshIdleExpiration, accessLifetime, actor) -} - -func (c *Commands) AddNewRefreshTokenAndAccessToken( - ctx context.Context, - userID, - orgID, - agentID, - clientID string, - audience, - scopes, - authMethodsReferences []string, - refreshExpiration, - accessLifetime, - refreshIdleExpiration time.Duration, - authTime time.Time, - reason domain.TokenReason, - actor *domain.TokenActor, -) (accessToken *domain.Token, newRefreshToken string, err error) { - if userID == "" || clientID == "" { - return nil, "", zerrors.ThrowInvalidArgument(nil, "COMMAND-adg4r", "Errors.IDMissing") - } - userWriteModel := NewUserWriteModel(userID, orgID) - refreshTokenID, err := c.idGenerator.Next() - if err != nil { - return nil, "", err - } - cmds, accessToken, err := c.addUserToken(ctx, userWriteModel, agentID, clientID, refreshTokenID, audience, scopes, authMethodsReferences, accessLifetime, authTime, reason, actor) - if err != nil { - return nil, "", err - } - refreshTokenEvent, newRefreshToken, err := c.addRefreshToken(ctx, accessToken, authMethodsReferences, authTime, refreshIdleExpiration, refreshExpiration, actor) - if err != nil { - return nil, "", err - } - cmds = append(cmds, refreshTokenEvent) - _, err = c.eventstore.Push(ctx, cmds...) - if err != nil { - return nil, "", err - } - return accessToken, newRefreshToken, nil -} - -func (c *Commands) RenewRefreshTokenAndAccessToken( - ctx context.Context, - userID, - orgID, - refreshToken, - agentID, - clientID string, - audience, - scopes []string, - idleExpiration, - accessLifetime time.Duration, - actor *domain.TokenActor, -) (accessToken *domain.Token, newRefreshToken string, err error) { - renewed, err := c.renewRefreshToken(ctx, userID, orgID, refreshToken, idleExpiration) - if err != nil { - return nil, "", err - } - userWriteModel := NewUserWriteModel(userID, orgID) - cmds, accessToken, err := c.addUserToken(ctx, userWriteModel, agentID, clientID, renewed.tokenID, audience, scopes, renewed.authMethodsReferences, accessLifetime, renewed.authTime, domain.TokenReasonRefresh, actor) - if err != nil { - return nil, "", err - } - _, err = c.eventstore.Push(ctx, append(cmds, renewed.event)...) - if err != nil { - return nil, "", err - } - return accessToken, renewed.token, nil -} - func (c *Commands) RevokeRefreshToken(ctx context.Context, userID, orgID, tokenID string) (*domain.ObjectDetails, error) { removeEvent, refreshTokenWriteModel, err := c.removeRefreshToken(ctx, userID, orgID, tokenID) if err != nil { @@ -134,70 +41,6 @@ func (c *Commands) RevokeRefreshTokens(ctx context.Context, userID, orgID string return err } -func (c *Commands) addRefreshToken(ctx context.Context, accessToken *domain.Token, authMethodsReferences []string, authTime time.Time, idleExpiration, expiration time.Duration, actor *domain.TokenActor) (*user.HumanRefreshTokenAddedEvent, string, error) { - refreshToken, err := domain.NewRefreshToken(accessToken.AggregateID, accessToken.RefreshTokenID, c.keyAlgorithm) - if err != nil { - return nil, "", err - } - refreshTokenWriteModel := NewHumanRefreshTokenWriteModel(accessToken.AggregateID, accessToken.ResourceOwner, accessToken.RefreshTokenID) - userAgg := UserAggregateFromWriteModel(&refreshTokenWriteModel.WriteModel) - return user.NewHumanRefreshTokenAddedEvent(ctx, userAgg, accessToken.RefreshTokenID, accessToken.ApplicationID, accessToken.UserAgentID, - accessToken.PreferredLanguage, accessToken.Audience, accessToken.Scopes, authMethodsReferences, authTime, idleExpiration, expiration, actor), - refreshToken, nil -} - -type renewedRefreshToken struct { - event *user.HumanRefreshTokenRenewedEvent - authTime time.Time - authMethodsReferences []string - tokenID string - token string -} - -func (c *Commands) renewRefreshToken(ctx context.Context, userID, orgID, refreshToken string, idleExpiration time.Duration) (*renewedRefreshToken, error) { - if refreshToken == "" { - return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-DHrr3", "Errors.IDMissing") - } - - tokenUserID, tokenID, token, err := domain.FromRefreshToken(refreshToken, c.keyAlgorithm) - if err != nil { - return nil, err - } - if tokenUserID != userID { - return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-Ht2g2", "Errors.User.RefreshToken.Invalid") - } - refreshTokenWriteModel := NewHumanRefreshTokenWriteModel(userID, orgID, tokenID) - err = c.eventstore.FilterToQueryReducer(ctx, refreshTokenWriteModel) - if err != nil { - return nil, err - } - if refreshTokenWriteModel.UserState != domain.UserStateActive { - return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-BHnhs", "Errors.User.RefreshToken.Invalid") - } - if refreshTokenWriteModel.RefreshToken != token || - refreshTokenWriteModel.IdleExpiration.Before(time.Now()) || - refreshTokenWriteModel.Expiration.Before(time.Now()) { - return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-Vr43e", "Errors.User.RefreshToken.Invalid") - } - - newToken, err := c.idGenerator.Next() - if err != nil { - return nil, err - } - newRefreshToken, err := domain.RefreshToken(userID, tokenID, newToken, c.keyAlgorithm) - if err != nil { - return nil, err - } - userAgg := UserAggregateFromWriteModel(&refreshTokenWriteModel.WriteModel) - return &renewedRefreshToken{ - event: user.NewHumanRefreshTokenRenewedEvent(ctx, userAgg, tokenID, newToken, idleExpiration), - authTime: refreshTokenWriteModel.AuthTime, - authMethodsReferences: refreshTokenWriteModel.AuthMethodsReferences, - tokenID: tokenID, - token: newRefreshToken, - }, nil -} - func (c *Commands) removeRefreshToken(ctx context.Context, userID, orgID, tokenID string) (*user.HumanRefreshTokenRemovedEvent, *HumanRefreshTokenWriteModel, error) { if userID == "" || orgID == "" || tokenID == "" { return nil, nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-GVDgf", "Errors.IDMissing") diff --git a/internal/command/user_human_refresh_token_test.go b/internal/command/user_human_refresh_token_test.go index ca9279ac1a..c3b992535e 100644 --- a/internal/command/user_human_refresh_token_test.go +++ b/internal/command/user_human_refresh_token_test.go @@ -2,316 +2,18 @@ package command import ( "context" - "encoding/base64" "testing" "time" "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" "github.com/zitadel/oidc/v3/pkg/oidc" - "go.uber.org/mock/gomock" - "github.com/zitadel/zitadel/internal/crypto" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" - "github.com/zitadel/zitadel/internal/eventstore/v1/models" - "github.com/zitadel/zitadel/internal/id" - id_mock "github.com/zitadel/zitadel/internal/id/mock" "github.com/zitadel/zitadel/internal/repository/user" "github.com/zitadel/zitadel/internal/zerrors" ) -func TestCommands_AddAccessAndRefreshToken(t *testing.T) { - type fields struct { - eventstore *eventstore.Eventstore - idGenerator id.Generator - keyAlgorithm crypto.EncryptionAlgorithm - } - type args struct { - ctx context.Context - orgID string - agentID string - clientID string - userID string - refreshToken string - audience []string - scopes []string - authMethodsReferences []string - lifetime time.Duration - authTime time.Time - refreshIdleExpiration time.Duration - refreshExpiration time.Duration - reason domain.TokenReason - actor *domain.TokenActor - } - type res struct { - token *domain.Token - refreshToken string - err func(error) bool - } - tests := []struct { - name string - fields fields - args args - res res - }{ - { - name: "missing ID, error", - fields: fields{ - eventstore: eventstoreExpect(t), - }, - args: args{}, - res: res{ - err: zerrors.IsErrorInvalidArgument, - }, - }, - { - name: "add refresh token, user deactivated, error", - fields: fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusher( - user.NewUserDeactivatedEvent(context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - ), - ), - ), - ), - idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "refreshTokenID1"), - }, - args: args{ - ctx: context.Background(), - orgID: "orgID", - agentID: "agentID", - userID: "userID", - clientID: "clientID", - }, - res: res{ - err: zerrors.IsNotFound, - }, - }, - { - name: "renew refresh token, invalid token, error", - fields: fields{ - eventstore: eventstoreExpect(t), - keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - }, - args: args{ - ctx: context.Background(), - refreshToken: "invalid", - }, - res: res{ - err: zerrors.IsErrorInvalidArgument, - }, - }, - { - name: "renew refresh token, invalid token (invalid userID), error", - fields: fields{ - eventstore: eventstoreExpect(t), - keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - }, - args: args{ - ctx: context.Background(), - userID: "userID", - orgID: "orgID", - refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID2:tokenID:token")), - }, - res: res{ - err: zerrors.IsErrorInvalidArgument, - }, - }, - { - name: "renew refresh token, token inactive, error", - fields: fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusher(user.NewHumanRefreshTokenAddedEvent( - context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - "tokenID", - "applicationID", - "userAgentID", - "de", - []string{"clientID1"}, - []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, - []string{"password"}, - time.Now(), - 1*time.Hour, - 24*time.Hour, - nil, - )), - eventFromEventPusher(user.NewHumanRefreshTokenRemovedEvent( - context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - "tokenID", - )), - ), - ), - keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - }, - args: args{ - ctx: context.Background(), - userID: "userID", - orgID: "orgID", - refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID:tokenID:token")), - }, - res: res{ - err: zerrors.IsErrorInvalidArgument, - }, - }, - { - name: "renew refresh token, token expired, error", - fields: fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusher(user.NewHumanRefreshTokenAddedEvent( - context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - "tokenID", - "applicationID", - "userAgentID", - "de", - []string{"clientID1"}, - []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, - []string{"password"}, - time.Now(), - -1*time.Hour, - 24*time.Hour, - nil, - )), - ), - ), - keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - }, - args: args{ - ctx: context.Background(), - userID: "userID", - orgID: "orgID", - refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID:tokenID:tokenID")), - }, - res: res{ - err: zerrors.IsErrorInvalidArgument, - }, - }, - //fails because of timestamp equality - //{ - // name: "push failed, error", - // fields: fields{ - // eventstore: eventstoreExpect(t, - // expectFilter( - // eventFromEventPusher(user.NewHumanAddedEvent( - // context.Background(), - // &user.NewAggregate("userID", "orgID").Aggregate, - // "username", - // "firstname", - // "lastname", - // "nickname", - // "displayname", - // language.German, - // domain.GenderUnspecified, - // "email", - // true, - // )), - // ), - // expectFilter( - // eventFromEventPusherWithCreationDateNow(user.NewHumanAddedEvent( - // context.Background(), - // &user.NewAggregate("userID", "orgID").Aggregate, - // "username", - // "firstname", - // "lastname", - // "nickname", - // "displayname", - // language.German, - // domain.GenderUnspecified, - // "email", - // true, - // )), - // ), - // expectFilter( - // eventFromEventPusherWithCreationDateNow(user.NewHumanRefreshTokenAddedEvent( - // context.Background(), - // &user.NewAggregate("userID", "orgID").Aggregate, - // "tokenID", - // "applicationID", - // "userAgentID", - // "de", - // []string{"clientID1"}, - // []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, - // []string{"password"}, - // time.Now(), - // 1*time.Hour, - // 24*time.Hour, - // )), - // ), - // expectPushFailed( - // zerrors.ThrowInternal(nil, "ERROR", "internal"), - // []*repository.Event{ - // eventFromEventPusher(user.NewUserTokenAddedEvent( - // context.Background(), - // &user.NewAggregate("userID", "orgID").Aggregate, - // "accessTokenID1", - // "clientID", - // "agentID", - // "de", - // []string{"clientID1"}, - // []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, - // time.Now().Add(5*time.Minute), - // )), - // eventFromEventPusher(user.NewHumanRefreshTokenRenewedEvent( - // context.Background(), - // &user.NewAggregate("userID", "orgID").Aggregate, - // "tokenID", - // "refreshToken1", - // 1*time.Hour, - // )), - // }, - // ), - // ), - // idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "accessTokenID1", "refreshToken1"), - // keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - // }, - // args: args{ - // ctx: context.Background(), - // orgID: "orgID", - // agentID: "agentID", - // clientID: "clientID", - // userID: "userID", - // refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID:tokenID:tokenID")), - // audience: []string{"clientID1"}, - // scopes: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, - // authMethodsReferences: []string{"password"}, - // lifetime: 5 * time.Minute, - // authTime: time.Now(), - // }, - // res: res{ - // err: zerrors.IsInternal, - // }, - //}, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - c := &Commands{ - eventstore: tt.fields.eventstore, - idGenerator: tt.fields.idGenerator, - keyAlgorithm: tt.fields.keyAlgorithm, - } - got, gotRefresh, err := c.AddAccessAndRefreshToken(tt.args.ctx, tt.args.orgID, tt.args.agentID, tt.args.clientID, tt.args.userID, tt.args.refreshToken, - tt.args.audience, tt.args.scopes, tt.args.authMethodsReferences, tt.args.lifetime, tt.args.refreshIdleExpiration, tt.args.refreshExpiration, tt.args.authTime, tt.args.reason, tt.args.actor) - if tt.res.err == nil { - assert.NoError(t, err) - } - if tt.res.err != nil && !tt.res.err(err) { - t.Errorf("got wrong err: %v ", err) - } - if tt.res.err == nil { - assert.Equal(t, tt.res.token, got) - assert.Equal(t, tt.res.refreshToken, gotRefresh) - } - }) - } -} - func TestCommands_RevokeRefreshToken(t *testing.T) { type fields struct { eventstore *eventstore.Eventstore @@ -669,395 +371,3 @@ func TestCommands_RevokeRefreshTokens(t *testing.T) { }) } } - -func refreshTokenEncryptionAlgorithm(ctrl *gomock.Controller) crypto.EncryptionAlgorithm { - mCrypto := crypto.NewMockEncryptionAlgorithm(ctrl) - mCrypto.EXPECT().Algorithm().AnyTimes().Return("enc") - mCrypto.EXPECT().EncryptionKeyID().AnyTimes().Return("id") - mCrypto.EXPECT().Encrypt(gomock.Any()).AnyTimes().DoAndReturn( - func(refrehToken []byte) ([]byte, error) { - return refrehToken, nil - }, - ) - mCrypto.EXPECT().Decrypt(gomock.Any(), gomock.Any()).AnyTimes().DoAndReturn( - func(refrehToken []byte, keyID string) ([]byte, error) { - if keyID != "id" { - return nil, zerrors.ThrowInternal(nil, "id", "invalid key id") - } - return refrehToken, nil - }, - ) - return mCrypto -} - -func TestCommands_addRefreshToken(t *testing.T) { - authTime := time.Now().Add(-1 * time.Hour) - type fields struct { - eventstore *eventstore.Eventstore - keyAlgorithm crypto.EncryptionAlgorithm - } - type args struct { - ctx context.Context - accessToken *domain.Token - authMethodsReferences []string - authTime time.Time - idleExpiration time.Duration - expiration time.Duration - actor *domain.TokenActor - } - type res struct { - event *user.HumanRefreshTokenAddedEvent - refreshToken string - err func(error) bool - } - tests := []struct { - name string - fields fields - args args - res res - }{ - - { - name: "add refresh Token", - fields: fields{ - eventstore: eventstoreExpect(t), - keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - }, - args: args{ - ctx: context.Background(), - accessToken: &domain.Token{ - ObjectRoot: models.ObjectRoot{ - AggregateID: "userID", - ResourceOwner: "org1", - }, - TokenID: "accessTokenID1", - ApplicationID: "clientID", - UserAgentID: "agentID", - RefreshTokenID: "refreshTokenID", - Audience: []string{"clientID1"}, - Expiration: time.Now().Add(5 * time.Minute), - Scopes: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, - PreferredLanguage: "de", - }, - authMethodsReferences: []string{"password"}, - authTime: authTime, - idleExpiration: 1 * time.Hour, - expiration: 10 * time.Hour, - }, - res: res{ - event: user.NewHumanRefreshTokenAddedEvent( - context.Background(), - &user.NewAggregate("userID", "org1").Aggregate, - "refreshTokenID", - "clientID", - "agentID", - "de", - []string{"clientID1"}, - []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, - []string{"password"}, - authTime, - 1*time.Hour, - 10*time.Hour, - nil, - ), - refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID:refreshTokenID:refreshTokenID")), - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - c := &Commands{ - eventstore: tt.fields.eventstore, - keyAlgorithm: tt.fields.keyAlgorithm, - } - gotEvent, gotRefreshToken, err := c.addRefreshToken(tt.args.ctx, tt.args.accessToken, tt.args.authMethodsReferences, tt.args.authTime, tt.args.idleExpiration, tt.args.expiration, tt.args.actor) - if tt.res.err == nil { - assert.NoError(t, err) - } - if tt.res.err != nil && !tt.res.err(err) { - t.Errorf("got wrong err: %v ", err) - } - if tt.res.err == nil { - assert.Equal(t, tt.res.event, gotEvent) - assert.Equal(t, tt.res.refreshToken, gotRefreshToken) - } - }) - } -} - -func TestCommands_renewRefreshToken(t *testing.T) { - type fields struct { - eventstore *eventstore.Eventstore - idGenerator id.Generator - keyAlgorithm crypto.EncryptionAlgorithm - } - type args struct { - ctx context.Context - userID string - orgID string - refreshToken string - idleExpiration time.Duration - } - type res struct { - event *user.HumanRefreshTokenRenewedEvent - refreshTokenID string - newRefreshToken string - } - tests := []struct { - name string - fields fields - args args - want *renewedRefreshToken - wantErr func(error) bool - }{ - { - name: "empty token, error", - fields: fields{ - eventstore: eventstoreExpect(t), - }, - args: args{ - ctx: context.Background(), - }, - wantErr: zerrors.IsErrorInvalidArgument, - }, - { - name: "invalid token, error", - fields: fields{ - eventstore: eventstoreExpect(t), - keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - }, - args: args{ - ctx: context.Background(), - refreshToken: "invalid", - }, - wantErr: zerrors.IsErrorInvalidArgument, - }, - { - name: "invalid token (invalid userID), error", - fields: fields{ - eventstore: eventstoreExpect(t), - keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - }, - args: args{ - ctx: context.Background(), - userID: "userID", - orgID: "orgID", - refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID2:tokenID:token")), - }, - wantErr: zerrors.IsErrorInvalidArgument, - }, - { - name: "token inactive, error", - fields: fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusher(user.NewHumanRefreshTokenAddedEvent( - context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - "tokenID", - "applicationID", - "userAgentID", - "de", - []string{"clientID1"}, - []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, - []string{"password"}, - time.Now(), - 1*time.Hour, - 24*time.Hour, - nil, - )), - eventFromEventPusher(user.NewHumanRefreshTokenRemovedEvent( - context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - "tokenID", - )), - ), - ), - keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - }, - args: args{ - ctx: context.Background(), - userID: "userID", - orgID: "orgID", - refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID:tokenID:token")), - }, - wantErr: zerrors.IsErrorInvalidArgument, - }, - { - name: "token expired, error", - fields: fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusher(user.NewHumanRefreshTokenAddedEvent( - context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - "tokenID", - "applicationID", - "userAgentID", - "de", - []string{"clientID1"}, - []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, - []string{"password"}, - time.Now(), - 1*time.Hour, - 24*time.Hour, - nil, - )), - ), - ), - keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - }, - args: args{ - ctx: context.Background(), - userID: "userID", - orgID: "orgID", - refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID:tokenID:tokenID")), - }, - wantErr: zerrors.IsErrorInvalidArgument, - }, - { - name: "user deactivated, error", - fields: fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusherWithCreationDateNow(user.NewHumanRefreshTokenAddedEvent( - context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - "tokenID", - "applicationID", - "userAgentID", - "de", - []string{"clientID1"}, - []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, - []string{"password"}, - time.Now(), - 1*time.Hour, - 24*time.Hour, - nil, - )), - eventFromEventPusher( - user.NewUserDeactivatedEvent( - context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - ), - ), - ), - ), - keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - }, - args: args{ - ctx: context.Background(), - userID: "userID", - orgID: "orgID", - refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID:tokenID:tokenID")), - idleExpiration: 1 * time.Hour, - }, - wantErr: zerrors.IsErrorInvalidArgument, - }, - { - name: "user signedout, error", - fields: fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusherWithCreationDateNow(user.NewHumanRefreshTokenAddedEvent( - context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - "tokenID", - "applicationID", - "userAgentID", - "de", - []string{"clientID1"}, - []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, - []string{"password"}, - time.Now(), - 1*time.Hour, - 24*time.Hour, - nil, - )), - eventFromEventPusher( - user.NewHumanSignedOutEvent( - context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - "userAgentID", - ), - ), - ), - ), - keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - }, - args: args{ - ctx: context.Background(), - userID: "userID", - orgID: "orgID", - refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID:tokenID:tokenID")), - idleExpiration: 1 * time.Hour, - }, - wantErr: zerrors.IsErrorInvalidArgument, - }, - { - name: "token renewed, ok", - fields: fields{ - eventstore: eventstoreExpect(t, - expectFilter( - eventFromEventPusherWithCreationDateNow(user.NewHumanRefreshTokenAddedEvent( - context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - "tokenID", - "applicationID", - "userAgentID", - "de", - []string{"clientID1"}, - []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}, - []string{"password"}, - time.Now(), - 1*time.Hour, - 24*time.Hour, - nil, - )), - ), - ), - keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)), - idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "refreshToken1"), - }, - args: args{ - ctx: context.Background(), - userID: "userID", - orgID: "orgID", - refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID:tokenID:tokenID")), - idleExpiration: 1 * time.Hour, - }, - want: &renewedRefreshToken{ - event: user.NewHumanRefreshTokenRenewedEvent( - context.Background(), - &user.NewAggregate("userID", "orgID").Aggregate, - "tokenID", - "refreshToken1", - 1*time.Hour, - ), - authMethodsReferences: []string{"password"}, - tokenID: "tokenID", - token: base64.RawURLEncoding.EncodeToString([]byte("userID:tokenID:refreshToken1")), - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - c := &Commands{ - eventstore: tt.fields.eventstore, - idGenerator: tt.fields.idGenerator, - keyAlgorithm: tt.fields.keyAlgorithm, - } - got, err := c.renewRefreshToken(tt.args.ctx, tt.args.userID, tt.args.orgID, tt.args.refreshToken, tt.args.idleExpiration) - if tt.wantErr != nil && !tt.wantErr(err) { - t.Errorf("got wrong err: %v ", err) - } - if tt.wantErr == nil { - require.NoError(t, err) - assert.Equal(t, tt.want.event, got.event) - assert.Equal(t, tt.want.authMethodsReferences, got.authMethodsReferences) - assert.Equal(t, tt.want.tokenID, got.tokenID) - assert.Equal(t, tt.want.token, got.token) - } - }) - } -} diff --git a/internal/command/user_test.go b/internal/command/user_test.go index b906b7b5b5..5de57a153a 100644 --- a/internal/command/user_test.go +++ b/internal/command/user_test.go @@ -11,7 +11,6 @@ import ( "github.com/zitadel/zitadel/internal/command/preparation" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" - "github.com/zitadel/zitadel/internal/id" "github.com/zitadel/zitadel/internal/repository/instance" "github.com/zitadel/zitadel/internal/repository/org" "github.com/zitadel/zitadel/internal/repository/project" @@ -1433,91 +1432,6 @@ func TestCommandSide_RemoveUser(t *testing.T) { } } -func TestCommandSide_AddUserToken(t *testing.T) { - type fields struct { - eventstore *eventstore.Eventstore - idGenerator id.Generator - } - type ( - args struct { - ctx context.Context - orgID string - agentID string - clientID string - userID string - audience []string - scopes []string - authMethodsReferences []string - lifetime time.Duration - authTime time.Time - reason domain.TokenReason - actor *domain.TokenActor - } - ) - type res struct { - want *domain.Token - err func(error) bool - } - tests := []struct { - name string - fields fields - args args - res res - }{ - { - name: "userid missing, invalid argument error", - fields: fields{ - eventstore: eventstoreExpect( - t, - ), - }, - args: args{ - ctx: context.Background(), - orgID: "org1", - userID: "", - }, - res: res{ - err: zerrors.IsErrorInvalidArgument, - }, - }, - { - name: "user not existing, not found error", - fields: fields{ - eventstore: eventstoreExpect( - t, - expectFilter(), - ), - }, - args: args{ - ctx: context.Background(), - orgID: "org1", - userID: "user1", - }, - res: res{ - err: zerrors.IsNotFound, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - r := &Commands{ - eventstore: tt.fields.eventstore, - idGenerator: tt.fields.idGenerator, - } - got, err := r.AddUserToken(tt.args.ctx, tt.args.orgID, tt.args.agentID, tt.args.clientID, tt.args.userID, tt.args.audience, tt.args.scopes, tt.args.authMethodsReferences, tt.args.lifetime, tt.args.authTime, tt.args.reason, tt.args.actor) - if tt.res.err == nil { - assert.NoError(t, err) - } - if tt.res.err != nil && !tt.res.err(err) { - t.Errorf("got wrong err: %v ", err) - } - if tt.res.err == nil { - assert.Equal(t, tt.res.want, got) - } - }) - } -} - func TestCommands_RevokeAccessToken(t *testing.T) { type fields struct { eventstore *eventstore.Eventstore diff --git a/internal/command/user_v2_human.go b/internal/command/user_v2_human.go index 68955b4a07..c89629ec44 100644 --- a/internal/command/user_v2_human.go +++ b/internal/command/user_v2_human.go @@ -218,6 +218,17 @@ func (c *Commands) AddUserHuman(ctx context.Context, resourceOwner string, human cmds = append(cmds, cmd) } + if human.TOTPSecret != "" { + encryptedSecret, err := crypto.Encrypt([]byte(human.TOTPSecret), c.multifactors.OTP.CryptoMFA) + if err != nil { + return err + } + cmds = append(cmds, + user.NewHumanOTPAddedEvent(ctx, &existingHuman.Aggregate().Aggregate, encryptedSecret), + user.NewHumanOTPVerifiedEvent(ctx, &existingHuman.Aggregate().Aggregate, ""), + ) + } + if len(cmds) == 0 { human.Details = writeModelToObjectDetails(&existingHuman.WriteModel) return nil diff --git a/internal/command/user_v2_human_test.go b/internal/command/user_v2_human_test.go index 59f0935968..e3dccde360 100644 --- a/internal/command/user_v2_human_test.go +++ b/internal/command/user_v2_human_test.go @@ -8,6 +8,7 @@ import ( "github.com/muhlemmer/gu" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "go.uber.org/mock/gomock" "golang.org/x/text/language" @@ -47,6 +48,11 @@ func TestCommandSide_AddUserHuman(t *testing.T) { userAgg := user.NewAggregate("user1", "org1") + cryptoAlg := crypto.CreateMockEncryptionAlg(gomock.NewController(t)) + totpSecret := "TOTPSecret" + totpSecretEnc, err := crypto.Encrypt([]byte(totpSecret), cryptoAlg) + require.NoError(t, err) + tests := []struct { name string fields fields @@ -1394,6 +1400,89 @@ func TestCommandSide_AddUserHuman(t *testing.T) { wantID: "user1", }, }, + { + name: "register human with TOTPSecret, ok", + fields: fields{ + eventstore: expectEventstore( + expectFilter(), + expectFilter( + eventFromEventPusher( + org.NewDomainPolicyAddedEvent(context.Background(), + &userAgg.Aggregate, + true, + true, + true, + ), + ), + ), + expectPush( + user.NewHumanRegisteredEvent(context.Background(), + &userAgg.Aggregate, + "username", + "firstname", + "lastname", + "", + "firstname lastname", + language.English, + domain.GenderUnspecified, + "email@test.ch", + true, + "userAgentID", + ), + user.NewHumanInitialCodeAddedEvent(context.Background(), + &userAgg.Aggregate, + &crypto.CryptoValue{ + CryptoType: crypto.TypeEncryption, + Algorithm: "enc", + KeyID: "id", + Crypted: []byte("userinit"), + }, + time.Hour*1, + "authRequestID", + ), + user.NewHumanOTPAddedEvent(context.Background(), + &userAgg.Aggregate, + totpSecretEnc, + ), + user.NewHumanOTPVerifiedEvent(context.Background(), + &userAgg.Aggregate, + "", + ), + ), + ), + checkPermission: newMockPermissionCheckAllowed(), + idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"), + newCode: mockEncryptedCode("userinit", time.Hour), + }, + args: args{ + ctx: context.Background(), + orgID: "org1", + human: &AddHuman{ + Username: "username", + FirstName: "firstname", + LastName: "lastname", + Email: Email{ + Address: "email@test.ch", + }, + PreferredLanguage: language.English, + Register: true, + UserAgentID: "userAgentID", + AuthRequestID: "authRequestID", + TOTPSecret: totpSecret, + }, + secretGenerator: GetMockSecretGenerator(t), + allowInitMail: true, + codeAlg: crypto.CreateMockEncryptionAlg(gomock.NewController(t)), + }, + res: res{ + want: &domain.ObjectDetails{ + Sequence: 0, + EventDate: time.Time{}, + ResourceOwner: "org1", + }, + wantID: "user1", + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { @@ -1403,6 +1492,12 @@ func TestCommandSide_AddUserHuman(t *testing.T) { idGenerator: tt.fields.idGenerator, newEncryptedCode: tt.fields.newCode, checkPermission: tt.fields.checkPermission, + multifactors: domain.MultifactorConfigs{ + OTP: domain.OTPConfig{ + Issuer: "zitadel.com", + CryptoMFA: cryptoAlg, + }, + }, } err := r.AddUserHuman(tt.args.ctx, tt.args.orgID, tt.args.human, tt.args.allowInitMail, tt.args.codeAlg) if tt.res.err == nil { diff --git a/internal/command/user_v2_totp_test.go b/internal/command/user_v2_totp_test.go index d05bdc9647..f1a4968275 100644 --- a/internal/command/user_v2_totp_test.go +++ b/internal/command/user_v2_totp_test.go @@ -262,8 +262,11 @@ func TestCommands_CheckUserTOTP(t *testing.T) { ctx := authz.NewMockContext("", "org1", "user1") cryptoAlg := crypto.CreateMockEncryptionAlg(gomock.NewController(t)) - key, secret, err := domain.NewTOTPKey("example.com", "user1", cryptoAlg) + key, err := domain.NewTOTPKey("example.com", "user1") require.NoError(t, err) + secret, err := crypto.Encrypt([]byte(key.Secret()), cryptoAlg) + require.NoError(t, err) + userAgg := &user.NewAggregate("user1", "org1").Aggregate code, err := totp.GenerateCode(key.Secret(), time.Now()) diff --git a/internal/domain/auth_request.go b/internal/domain/auth_request.go index 0a7704d691..1aaf2bb63d 100644 --- a/internal/domain/auth_request.go +++ b/internal/domain/auth_request.go @@ -1,6 +1,7 @@ package domain import ( + "slices" "strings" "time" @@ -34,6 +35,7 @@ type AuthRequest struct { AvatarKey string PresignedAvatar string UserOrgID string + PreferredLanguage *language.Tag RequestedOrgID string RequestedOrgName string RequestedPrimaryDomain string @@ -44,6 +46,7 @@ type AuthRequest struct { LinkingUsers []*ExternalUser PossibleSteps []NextStep `json:"-"` PasswordVerified bool + IDPLoginChecked bool MFAsVerified []MFAType Audience []string AuthTime time.Time @@ -68,6 +71,20 @@ func (a *AuthRequest) PolicyOrgID() string { return a.policyOrgID } +func (a *AuthRequest) AuthMethods() []UserAuthMethodType { + list := make([]UserAuthMethodType, 0, len(a.MFAsVerified)+2) + if a.PasswordVerified { + list = append(list, UserAuthMethodTypePassword) + } + if a.IDPLoginChecked { + list = append(list, UserAuthMethodTypeIDP) + } + for _, mfa := range a.MFAsVerified { + list = append(list, mfa.UserAuthMethodType()) + } + return slices.Compact(list) +} + type ExternalUser struct { IDPConfigID string ExternalUserID string diff --git a/internal/domain/browser_info.go b/internal/domain/browser_info.go index bd5b5d7d97..7261cb3e6e 100644 --- a/internal/domain/browser_info.go +++ b/internal/domain/browser_info.go @@ -11,6 +11,7 @@ type BrowserInfo struct { UserAgent string AcceptLanguage string RemoteIP net.IP + Header net_http.Header } func BrowserInfoFromRequest(r *net_http.Request) *BrowserInfo { @@ -18,5 +19,18 @@ func BrowserInfoFromRequest(r *net_http.Request) *BrowserInfo { UserAgent: r.Header.Get(http_util.UserAgentHeader), AcceptLanguage: r.Header.Get(http_util.AcceptLanguage), RemoteIP: http_util.RemoteIPFromRequest(r), + Header: r.Header, + } +} + +func (b *BrowserInfo) ToUserAgent() *UserAgent { + if b == nil { + return nil + } + return &UserAgent{ + FingerprintID: &b.UserAgent, + IP: b.RemoteIP, + Description: &b.UserAgent, + Header: b.Header, } } diff --git a/internal/domain/device_auth.go b/internal/domain/device_auth.go index d8e4bb3870..eb37e90216 100644 --- a/internal/domain/device_auth.go +++ b/internal/domain/device_auth.go @@ -18,6 +18,7 @@ const ( DeviceAuthStateApproved // approved DeviceAuthStateDenied // denied DeviceAuthStateExpired // expired + DeviceAuthStateDone // done deviceAuthStateCount // invalid ) diff --git a/internal/domain/deviceauthstate_string.go b/internal/domain/deviceauthstate_string.go index 0381287c71..df61b82bb2 100644 --- a/internal/domain/deviceauthstate_string.go +++ b/internal/domain/deviceauthstate_string.go @@ -13,12 +13,13 @@ func _() { _ = x[DeviceAuthStateApproved-2] _ = x[DeviceAuthStateDenied-3] _ = x[DeviceAuthStateExpired-4] - _ = x[deviceAuthStateCount-5] + _ = x[DeviceAuthStateDone-5] + _ = x[deviceAuthStateCount-6] } -const _DeviceAuthState_name = "undefinedinitiatedapproveddeniedexpiredinvalid" +const _DeviceAuthState_name = "undefinedinitiatedapproveddeniedexpireddoneinvalid" -var _DeviceAuthState_index = [...]uint8{0, 9, 18, 26, 32, 39, 46} +var _DeviceAuthState_index = [...]uint8{0, 9, 18, 26, 32, 39, 43, 50} func (i DeviceAuthState) String() string { if i >= DeviceAuthState(len(_DeviceAuthState_index)-1) { diff --git a/internal/domain/human_otp.go b/internal/domain/human_otp.go index 68b4b4ca0d..fcadb32a72 100644 --- a/internal/domain/human_otp.go +++ b/internal/domain/human_otp.go @@ -15,16 +15,12 @@ type TOTP struct { URI string } -func NewTOTPKey(issuer, accountName string, cryptoAlg crypto.EncryptionAlgorithm) (*otp.Key, *crypto.CryptoValue, error) { +func NewTOTPKey(issuer, accountName string) (*otp.Key, error) { key, err := totp.Generate(totp.GenerateOpts{Issuer: issuer, AccountName: accountName}) if err != nil { - return nil, nil, zerrors.ThrowInternal(err, "TOTP-ieY3o", "Errors.Internal") + return nil, zerrors.ThrowInternal(err, "TOTP-ieY3o", "Errors.Internal") } - encryptedSecret, err := crypto.Encrypt([]byte(key.Secret()), cryptoAlg) - if err != nil { - return nil, nil, err - } - return key, encryptedSecret, nil + return key, nil } func VerifyTOTP(code string, secret *crypto.CryptoValue, cryptoAlg crypto.EncryptionAlgorithm) error { diff --git a/internal/domain/idp.go b/internal/domain/idp.go index 3df11fa0d7..e2571f6b0d 100644 --- a/internal/domain/idp.go +++ b/internal/domain/idp.go @@ -134,3 +134,12 @@ const ( AutoLinkingOptionUsername AutoLinkingOptionEmail ) + +type SAMLNameIDFormat uint8 + +const ( + SAMLNameIDFormatUnspecified SAMLNameIDFormat = iota + SAMLNameIDFormatEmailAddress + SAMLNameIDFormatPersistent + SAMLNameIDFormatTransient +) diff --git a/internal/domain/oidc_error_reason.go b/internal/domain/oidc_error_reason.go index 5a4c8d2c7a..889ea4c751 100644 --- a/internal/domain/oidc_error_reason.go +++ b/internal/domain/oidc_error_reason.go @@ -1,5 +1,13 @@ package domain +import ( + "errors" + + "github.com/zitadel/oidc/v3/pkg/oidc" + + "github.com/zitadel/zitadel/internal/zerrors" +) + type OIDCErrorReason int32 const ( @@ -20,4 +28,21 @@ const ( OIDCErrorReasonRequestNotSupported OIDCErrorReasonRequestURINotSupported OIDCErrorReasonRegistrationNotSupported + OIDCErrorReasonInvalidGrant ) + +func OIDCErrorReasonFromError(err error) OIDCErrorReason { + if errors.Is(err, oidc.ErrInvalidRequest()) { + return OIDCErrorReasonInvalidRequest + } + if errors.Is(err, oidc.ErrInvalidGrant()) { + return OIDCErrorReasonInvalidGrant + } + if zerrors.IsPreconditionFailed(err) { + return OIDCErrorReasonAccessDenied + } + if zerrors.IsInternal(err) { + return OIDCErrorReasonServerError + } + return OIDCErrorReasonUnspecified +} diff --git a/internal/domain/oidc_error_reason_test.go b/internal/domain/oidc_error_reason_test.go new file mode 100644 index 0000000000..75ab456a09 --- /dev/null +++ b/internal/domain/oidc_error_reason_test.go @@ -0,0 +1,51 @@ +package domain + +import ( + "io" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/zitadel/oidc/v3/pkg/oidc" + + "github.com/zitadel/zitadel/internal/zerrors" +) + +func TestOIDCErrorReasonFromError(t *testing.T) { + tests := []struct { + name string + err error + want OIDCErrorReason + }{ + { + name: "invalid request", + err: oidc.ErrInvalidRequest().WithDescription("foo"), + want: OIDCErrorReasonInvalidRequest, + }, + { + name: "invalid grant", + err: oidc.ErrInvalidGrant().WithDescription("foo"), + want: OIDCErrorReasonInvalidGrant, + }, + { + name: "precondition failed", + err: zerrors.ThrowPreconditionFailed(nil, "123", "bar"), + want: OIDCErrorReasonAccessDenied, + }, + { + name: "internal", + err: zerrors.ThrowInternal(nil, "123", "bar"), + want: OIDCErrorReasonServerError, + }, + { + name: "unspecified", + err: io.ErrClosedPipe, + want: OIDCErrorReasonUnspecified, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := OIDCErrorReasonFromError(tt.err) + assert.Equal(t, tt.want, got) + }) + } +} diff --git a/internal/domain/policy_privacy.go b/internal/domain/policy_privacy.go index 0851582815..7e254bd2da 100644 --- a/internal/domain/policy_privacy.go +++ b/internal/domain/policy_privacy.go @@ -10,8 +10,11 @@ type PrivacyPolicy struct { State PolicyState Default bool - TOSLink string - PrivacyLink string - HelpLink string - SupportEmail EmailAddress + TOSLink string + PrivacyLink string + HelpLink string + SupportEmail EmailAddress + DocsLink string + CustomLink string + CustomLinkText string } diff --git a/internal/domain/token.go b/internal/domain/token.go index 1c12efc28d..83937554c0 100644 --- a/internal/domain/token.go +++ b/internal/domain/token.go @@ -3,27 +3,10 @@ package domain import ( "context" "strings" - "time" "github.com/zitadel/zitadel/internal/api/authz" - es_models "github.com/zitadel/zitadel/internal/eventstore/v1/models" ) -type Token struct { - es_models.ObjectRoot - - TokenID string - ApplicationID string - UserAgentID string - RefreshTokenID string - Audience []string - Expiration time.Time - Scopes []string - PreferredLanguage string - Reason TokenReason - Actor *TokenActor -} - func AddAudScopeToAudience(ctx context.Context, audience, scopes []string) []string { for _, scope := range scopes { if !(strings.HasPrefix(scope, ProjectIDScope) && strings.HasSuffix(scope, AudSuffix)) { diff --git a/internal/domain/user.go b/internal/domain/user.go index 8677a997f7..da32e17490 100644 --- a/internal/domain/user.go +++ b/internal/domain/user.go @@ -43,6 +43,7 @@ const ( UserAuthMethodTypeOTPSMS UserAuthMethodTypeOTPEmail UserAuthMethodTypeOTP // generic OTP when parsing AMR from OIDC + UserAuthMethodTypePrivateKey userAuthMethodTypeCount ) @@ -61,7 +62,8 @@ func HasMFA(methods []UserAuthMethodType) bool { UserAuthMethodTypeOTPSMS, UserAuthMethodTypeOTPEmail, UserAuthMethodTypeIDP, - UserAuthMethodTypeOTP: + UserAuthMethodTypeOTP, + UserAuthMethodTypePrivateKey: factors++ case UserAuthMethodTypeUnspecified, userAuthMethodTypeCount: @@ -71,6 +73,30 @@ func HasMFA(methods []UserAuthMethodType) bool { return factors > 1 } +// Has2FA checks whether the auth factors provided are a second factor and will return true if at least one is. +func Has2FA(methods []UserAuthMethodType) bool { + var factors int + for _, method := range methods { + switch method { + case + UserAuthMethodTypeU2F, + UserAuthMethodTypeTOTP, + UserAuthMethodTypeOTPSMS, + UserAuthMethodTypeOTPEmail, + UserAuthMethodTypeOTP: + factors++ + case UserAuthMethodTypeUnspecified, + UserAuthMethodTypePassword, + UserAuthMethodTypePasswordless, + UserAuthMethodTypeIDP, + UserAuthMethodTypePrivateKey, + userAuthMethodTypeCount: + // ignore + } + } + return factors > 0 +} + // RequiresMFA checks whether the user requires to authenticate with multiple auth factors based on the LoginPolicy and the authentication type. // Internal authentication will require MFA if either option is activated. // External authentication will only require MFA if it's forced generally and not local only. diff --git a/internal/domain/user_agent.go b/internal/domain/user_agent.go index ca72c6bec4..9a52f62460 100644 --- a/internal/domain/user_agent.go +++ b/internal/domain/user_agent.go @@ -15,3 +15,10 @@ type UserAgent struct { func (ua UserAgent) IsEmpty() bool { return ua.FingerprintID == nil && len(ua.IP) == 0 && ua.Description == nil && ua.Header == nil } + +func (ua *UserAgent) GetFingerprintID() string { + if ua == nil || ua.FingerprintID == nil { + return "" + } + return *ua.FingerprintID +} diff --git a/internal/domain/user_agent_test.go b/internal/domain/user_agent_test.go new file mode 100644 index 0000000000..0a2b293977 --- /dev/null +++ b/internal/domain/user_agent_test.go @@ -0,0 +1,42 @@ +package domain + +import ( + "testing" + + "github.com/muhlemmer/gu" + "github.com/stretchr/testify/assert" +) + +func TestUserAgent_GetFingerprintID(t *testing.T) { + tests := []struct { + name string + fields *UserAgent + want string + }{ + { + name: "nil useragent", + fields: nil, + want: "", + }, + { + name: "nil fingerprintID", + fields: &UserAgent{ + FingerprintID: nil, + }, + want: "", + }, + { + name: "value", + fields: &UserAgent{ + FingerprintID: gu.Ptr("fp"), + }, + want: "fp", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := tt.fields.GetFingerprintID() + assert.Equal(t, tt.want, got) + }) + } +} diff --git a/internal/eventstore/handler/v2/statement.go b/internal/eventstore/handler/v2/statement.go index 802bacc068..2eb9193083 100644 --- a/internal/eventstore/handler/v2/statement.go +++ b/internal/eventstore/handler/v2/statement.go @@ -565,6 +565,13 @@ func Not(condition Condition) Condition { } } +// NewOneOfTextCond returns a Condition that checks if the column that stores a text is one of the given values +func NewOneOfTextCond(column string, values []string) Condition { + return func(param string) (string, []any) { + return column + " = ANY(" + param + ")", []any{database.TextArray[string](values)} + } +} + type Executer interface { Exec(string, ...interface{}) (sql.Result, error) } diff --git a/internal/eventstore/local_crdb_test.go b/internal/eventstore/local_crdb_test.go index fc7a35daf9..6df9e9fd29 100644 --- a/internal/eventstore/local_crdb_test.go +++ b/internal/eventstore/local_crdb_test.go @@ -88,7 +88,8 @@ func initDB(db *database.DB) error { err := initialise.Init(db, initialise.VerifyUser(config.Username(), ""), initialise.VerifyDatabase(config.DatabaseName()), - initialise.VerifyGrant(config.DatabaseName(), config.Username())) + initialise.VerifyGrant(config.DatabaseName(), config.Username()), + initialise.VerifySettings(config.DatabaseName(), config.Username())) if err != nil { return err } diff --git a/internal/eventstore/repository/sql/local_crdb_test.go b/internal/eventstore/repository/sql/local_crdb_test.go index ca5128aaf7..fccb169341 100644 --- a/internal/eventstore/repository/sql/local_crdb_test.go +++ b/internal/eventstore/repository/sql/local_crdb_test.go @@ -60,7 +60,8 @@ func initDB(db *database.DB) error { err := initialise.Init(db, initialise.VerifyUser(config.Username(), ""), initialise.VerifyDatabase(config.DatabaseName()), - initialise.VerifyGrant(config.DatabaseName(), config.Username())) + initialise.VerifyGrant(config.DatabaseName(), config.Username()), + initialise.VerifySettings(config.DatabaseName(), config.Username())) if err != nil { return err } diff --git a/internal/feature/feature.go b/internal/feature/feature.go index 5edab4a8ba..dc3e0eb597 100644 --- a/internal/feature/feature.go +++ b/internal/feature/feature.go @@ -11,6 +11,7 @@ const ( KeyUserSchema KeyTokenExchange KeyActions + KeyImprovedPerformance ) //go:generate enumer -type Level -transform snake -trimprefix Level @@ -27,10 +28,27 @@ const ( ) type Features struct { - LoginDefaultOrg bool `json:"login_default_org,omitempty"` - TriggerIntrospectionProjections bool `json:"trigger_introspection_projections,omitempty"` - LegacyIntrospection bool `json:"legacy_introspection,omitempty"` - UserSchema bool `json:"user_schema,omitempty"` - TokenExchange bool `json:"token_exchange,omitempty"` - Actions bool `json:"actions,omitempty"` + LoginDefaultOrg bool `json:"login_default_org,omitempty"` + TriggerIntrospectionProjections bool `json:"trigger_introspection_projections,omitempty"` + LegacyIntrospection bool `json:"legacy_introspection,omitempty"` + UserSchema bool `json:"user_schema,omitempty"` + TokenExchange bool `json:"token_exchange,omitempty"` + Actions bool `json:"actions,omitempty"` + ImprovedPerformance []ImprovedPerformanceType `json:"improved_performance,omitempty"` +} + +type ImprovedPerformanceType int32 + +const ( + ImprovedPerformanceTypeUnknown = iota + ImprovedPerformanceTypeOrgByID +) + +func (f Features) ShouldUseImprovedPerformance(typ ImprovedPerformanceType) bool { + for _, improvedType := range f.ImprovedPerformance { + if improvedType == typ { + return true + } + } + return false } diff --git a/internal/feature/key_enumer.go b/internal/feature/key_enumer.go index 172d5f9d01..ca3e156b61 100644 --- a/internal/feature/key_enumer.go +++ b/internal/feature/key_enumer.go @@ -7,11 +7,11 @@ import ( "strings" ) -const _KeyName = "unspecifiedlogin_default_orgtrigger_introspection_projectionslegacy_introspectionuser_schematoken_exchangeactions" +const _KeyName = "unspecifiedlogin_default_orgtrigger_introspection_projectionslegacy_introspectionuser_schematoken_exchangeactionsimproved_performance" -var _KeyIndex = [...]uint8{0, 11, 28, 61, 81, 92, 106, 113} +var _KeyIndex = [...]uint8{0, 11, 28, 61, 81, 92, 106, 113, 133} -const _KeyLowerName = "unspecifiedlogin_default_orgtrigger_introspection_projectionslegacy_introspectionuser_schematoken_exchangeactions" +const _KeyLowerName = "unspecifiedlogin_default_orgtrigger_introspection_projectionslegacy_introspectionuser_schematoken_exchangeactionsimproved_performance" func (i Key) String() string { if i < 0 || i >= Key(len(_KeyIndex)-1) { @@ -31,9 +31,10 @@ func _KeyNoOp() { _ = x[KeyUserSchema-(4)] _ = x[KeyTokenExchange-(5)] _ = x[KeyActions-(6)] + _ = x[KeyImprovedPerformance-(7)] } -var _KeyValues = []Key{KeyUnspecified, KeyLoginDefaultOrg, KeyTriggerIntrospectionProjections, KeyLegacyIntrospection, KeyUserSchema, KeyTokenExchange, KeyActions} +var _KeyValues = []Key{KeyUnspecified, KeyLoginDefaultOrg, KeyTriggerIntrospectionProjections, KeyLegacyIntrospection, KeyUserSchema, KeyTokenExchange, KeyActions, KeyImprovedPerformance} var _KeyNameToValueMap = map[string]Key{ _KeyName[0:11]: KeyUnspecified, @@ -50,6 +51,8 @@ var _KeyNameToValueMap = map[string]Key{ _KeyLowerName[92:106]: KeyTokenExchange, _KeyName[106:113]: KeyActions, _KeyLowerName[106:113]: KeyActions, + _KeyName[113:133]: KeyImprovedPerformance, + _KeyLowerName[113:133]: KeyImprovedPerformance, } var _KeyNames = []string{ @@ -60,6 +63,7 @@ var _KeyNames = []string{ _KeyName[81:92], _KeyName[92:106], _KeyName[106:113], + _KeyName[113:133], } // KeyString retrieves an enum value from the enum constants string name. diff --git a/internal/idp/providers/saml/mapper.go b/internal/idp/providers/saml/mapper.go index 506d9b3a03..eef16dfbb5 100644 --- a/internal/idp/providers/saml/mapper.go +++ b/internal/idp/providers/saml/mapper.go @@ -1,7 +1,6 @@ package saml import ( - "github.com/crewjam/saml" "golang.org/x/text/language" "github.com/zitadel/zitadel/internal/domain" @@ -20,8 +19,8 @@ func NewUser() *UserMapper { return &UserMapper{Attributes: map[string][]string{}} } -func (u *UserMapper) SetID(id *saml.NameID) { - u.ID = id.Value +func (u *UserMapper) SetID(id string) { + u.ID = id } // GetID is an implementation of the [idp.User] interface. diff --git a/internal/idp/providers/saml/saml.go b/internal/idp/providers/saml/saml.go index fc08f6e808..702e1481e3 100644 --- a/internal/idp/providers/saml/saml.go +++ b/internal/idp/providers/saml/saml.go @@ -11,6 +11,7 @@ import ( "github.com/crewjam/saml" "github.com/crewjam/saml/samlsp" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/idp" "github.com/zitadel/zitadel/internal/zerrors" ) @@ -26,7 +27,9 @@ type Provider struct { spOptions *samlsp.Options - binding string + binding string + nameIDFormat saml.NameIDFormat + transientMappingAttributeName string isLinkingAllowed bool isCreationAllowed bool @@ -77,6 +80,18 @@ func WithBinding(binding string) ProviderOpts { } } +func WithNameIDFormat(format domain.SAMLNameIDFormat) ProviderOpts { + return func(p *Provider) { + p.nameIDFormat = nameIDFormatFromDomain(format) + } +} + +func WithTransientMappingAttributeName(attribute string) ProviderOpts { + return func(p *Provider) { + p.transientMappingAttributeName = attribute + } +} + func WithCustomRequestTracker(tracker samlsp.RequestTracker) ProviderOpts { return func(p *Provider) { p.requestTracker = tracker @@ -124,6 +139,8 @@ func New( name: name, spOptions: &opts, Certificate: certificate, + // the library uses transient as default, which does not make sense for federating accounts + nameIDFormat: saml.PersistentNameIDFormat, } for _, option := range options { option(provider) @@ -156,10 +173,7 @@ func (p *Provider) GetSP() (*samlsp.Middleware, error) { if err != nil { return nil, zerrors.ThrowInternal(err, "SAML-qee09ffuq5", "Errors.Intent.IDPInvalid") } - // the library uses transient as default, which we currently can't handle (https://github.com/zitadel/zitadel/discussions/7421) - // for the moment we'll use persistent (for those who actually use it from the saml request) and add an option - // later on to specify on the provider: https://github.com/zitadel/zitadel/issues/7743 - sp.ServiceProvider.AuthnNameIDFormat = saml.PersistentNameIDFormat + sp.ServiceProvider.AuthnNameIDFormat = p.nameIDFormat if p.requestTracker != nil { sp.RequestTracker = p.requestTracker } @@ -180,3 +194,22 @@ func (p *Provider) BeginAuth(ctx context.Context, state string, _ ...idp.Paramet state: state, }, nil } + +func (p *Provider) TransientMappingAttributeName() string { + return p.transientMappingAttributeName +} + +func nameIDFormatFromDomain(format domain.SAMLNameIDFormat) saml.NameIDFormat { + switch format { + case domain.SAMLNameIDFormatUnspecified: + return saml.UnspecifiedNameIDFormat + case domain.SAMLNameIDFormatEmailAddress: + return saml.EmailAddressNameIDFormat + case domain.SAMLNameIDFormatPersistent: + return saml.PersistentNameIDFormat + case domain.SAMLNameIDFormatTransient: + return saml.TransientNameIDFormat + default: + return saml.UnspecifiedNameIDFormat + } +} diff --git a/internal/idp/providers/saml/saml_test.go b/internal/idp/providers/saml/saml_test.go index 28dc921681..dc8e8e2115 100644 --- a/internal/idp/providers/saml/saml_test.go +++ b/internal/idp/providers/saml/saml_test.go @@ -3,10 +3,12 @@ package saml import ( "testing" + "github.com/crewjam/saml" "github.com/crewjam/saml/samlsp" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/idp/providers/saml/requesttracker" ) @@ -20,16 +22,18 @@ func TestProvider_Options(t *testing.T) { options []ProviderOpts } type want struct { - err bool - name string - linkingAllowed bool - creationAllowed bool - autoCreation bool - autoUpdate bool - binding string - withSignedRequest bool - requesttracker samlsp.RequestTracker - entityID string + err bool + name string + linkingAllowed bool + creationAllowed bool + autoCreation bool + autoUpdate bool + binding string + nameIDFormat saml.NameIDFormat + transientMappingAttributeName string + withSignedRequest bool + requesttracker samlsp.RequestTracker + entityID string } tests := []struct { name string @@ -103,10 +107,11 @@ func TestProvider_Options(t *testing.T) { creationAllowed: false, autoCreation: false, autoUpdate: false, + nameIDFormat: saml.PersistentNameIDFormat, }, }, { - name: "all true", + name: "all set / true", fields: fields{ name: "saml", key: []byte("-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAxHd087RoEm9ywVWZ/H+tDWxQsmVvhfRz4jAq/RfU+OWXNH4J\njMMSHdFs0Q+WP98nNXRyc7fgbMb8NdmlB2yD4qLYapN5SDaBc5dh/3EnyFt53oSs\njTlKnQUPAeJr2qh/NY046CfyUyQMM4JR5OiQFo4TssfWnqdcgamGt0AEnk2lvbMZ\nKQdAqNS9lDzYbjMGavEQPTZE35mFXFQXjaooZXq+TIa7hbaq7/idH7cHNbLcPLgj\nfPQA8q+DYvnvhXlmq0LPQZH3Oiixf+SF2vRwrBzT2mqGD2OiOkUmhuPwyqEiiBHt\nfxklRtRU6WfLa1Gcb1PsV0uoBGpV3KybIl/GlwIDAQABAoIBAEQjDduLgOCL6Gem\n0X3hpdnW6/HC/jed/Sa//9jBECq2LYeWAqff64ON40hqOHi0YvvGA/+gEOSI6mWe\nsv5tIxxRz+6+cLybsq+tG96kluCE4TJMHy/nY7orS/YiWbd+4odnEApr+D3fbZ/b\nnZ1fDsHTyn8hkYx6jLmnWsJpIHDp7zxD76y7k2Bbg6DZrCGiVxngiLJk23dvz79W\np03lHLM7XE92aFwXQmhfxHGxrbuoB/9eY4ai5IHp36H4fw0vL6NXdNQAo/bhe0p9\nAYB7y0ZumF8Hg0Z/BmMeEzLy6HrYB+VE8cO93pNjhSyH+p2yDB/BlUyTiRLQAoM0\nVTmOZXECgYEA7NGlzpKNhyQEJihVqt0MW0LhKIO/xbBn+XgYfX6GpqPa/ucnMx5/\nVezpl3gK8IU4wPUhAyXXAHJiqNBcEeyxrw0MXLujDVMJgYaLysCLJdvMVgoY08mS\nK5IQivpbozpf4+0y3mOnA+Sy1kbfxv2X8xiWLODRQW3f3q/xoklwOR8CgYEA1GEe\nfaibOFTQAYcIVj77KXtBfYZsX3EGAyfAN9O7cKHq5oaxVstwnF47WxpuVtoKZxCZ\nbNm9D5WvQ9b+Ztpioe42tzwE7Bff/Osj868GcDdRPK7nFlh9N2yVn/D514dOYVwR\n4MBr1KrJzgRWt4QqS4H+to1GzudDTSNlG7gnK4kCgYBUi6AbOHzoYzZL/RhgcJwp\ntJ23nhmH1Su5h2OO4e3mbhcP66w19sxU+8iFN+kH5zfUw26utgKk+TE5vXExQQRK\nT2k7bg2PAzcgk80ybD0BHhA8I0yrx4m0nmfjhe/TPVLgh10iwgbtP+eM0i6v1vc5\nZWyvxu9N4ZEL6lpkqr0y1wKBgG/NAIQd8jhhTW7Aav8cAJQBsqQl038avJOEpYe+\nCnpsgoAAf/K0/f8TDCQVceh+t+MxtdK7fO9rWOxZjWsPo8Si5mLnUaAHoX4/OpnZ\nlYYVWMqdOEFnK+O1Yb7k2GFBdV2DXlX2dc1qavntBsls5ecB89id3pyk2aUN8Pf6\npYQhAoGAMGtrHFely9wyaxI0RTCyfmJbWZHGVGkv6ELK8wneJjdjl82XOBUGCg5q\naRCrTZ3dPitKwrUa6ibJCIFCIziiriBmjDvTHzkMvoJEap2TVxYNDR6IfINVsQ57\nlOsiC4A2uGq4Lbfld+gjoplJ5GX6qXtTgZ6m7eo0y7U6zm2tkN0=\n-----END RSA PRIVATE KEY-----\n"), @@ -121,18 +126,22 @@ func TestProvider_Options(t *testing.T) { WithSignedRequest(), WithCustomRequestTracker(&requesttracker.RequestTracker{}), WithEntityID("entityID"), + WithNameIDFormat(domain.SAMLNameIDFormatTransient), + WithTransientMappingAttributeName("attribute"), }, }, want: want{ - name: "saml", - linkingAllowed: true, - creationAllowed: true, - autoCreation: true, - autoUpdate: true, - binding: "binding", - withSignedRequest: true, - requesttracker: &requesttracker.RequestTracker{}, - entityID: "entityID", + name: "saml", + linkingAllowed: true, + creationAllowed: true, + autoCreation: true, + autoUpdate: true, + binding: "binding", + entityID: "entityID", + nameIDFormat: saml.TransientNameIDFormat, + transientMappingAttributeName: "attribute", + withSignedRequest: true, + requesttracker: &requesttracker.RequestTracker{}, }, }, } @@ -152,6 +161,8 @@ func TestProvider_Options(t *testing.T) { a.Equal(tt.want.autoCreation, provider.IsAutoCreation()) a.Equal(tt.want.autoUpdate, provider.IsAutoUpdate()) a.Equal(tt.want.binding, provider.binding) + a.Equal(tt.want.nameIDFormat, provider.nameIDFormat) + a.Equal(tt.want.transientMappingAttributeName, provider.transientMappingAttributeName) a.Equal(tt.want.withSignedRequest, provider.spOptions.SignRequest) a.Equal(tt.want.requesttracker, provider.requestTracker) a.Equal(tt.want.entityID, provider.spOptions.EntityID) diff --git a/internal/idp/providers/saml/session.go b/internal/idp/providers/saml/session.go index af5ec0caf7..577e6a7649 100644 --- a/internal/idp/providers/saml/session.go +++ b/internal/idp/providers/saml/session.go @@ -17,8 +17,9 @@ var _ idp.Session = (*Session)(nil) // Session is the [idp.Session] implementation for the SAML provider. type Session struct { - ServiceProvider *samlsp.Middleware - state string + ServiceProvider *samlsp.Middleware + state string + TransientMappingAttributeName string RequestID string Request *http.Request @@ -26,6 +27,19 @@ type Session struct { Assertion *saml.Assertion } +func NewSession(provider *Provider, requestID string, request *http.Request) (*Session, error) { + sp, err := provider.GetSP() + if err != nil { + return nil, err + } + return &Session{ + ServiceProvider: sp, + TransientMappingAttributeName: provider.TransientMappingAttributeName(), + RequestID: requestID, + Request: request, + }, nil +} + // GetAuth implements the [idp.Session] interface. func (s *Session) GetAuth(ctx context.Context) (string, bool) { url, _ := url.Parse(s.state) @@ -56,8 +70,17 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) { return nil, zerrors.ThrowInvalidArgument(err, "SAML-nuo0vphhh9", "Errors.Intent.ResponseInvalid") } + nameID := s.Assertion.Subject.NameID userMapper := NewUser() - userMapper.SetID(s.Assertion.Subject.NameID) + // use the nameID as default mapping id + userMapper.SetID(nameID.Value) + if nameID.Format == string(saml.TransientNameIDFormat) { + mappingID, err := s.transientMappingID() + if err != nil { + return nil, err + } + userMapper.SetID(mappingID) + } for _, statement := range s.Assertion.AttributeStatements { for _, attribute := range statement.Attributes { values := make([]string, len(attribute.Values)) @@ -70,6 +93,21 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) { return userMapper, nil } +func (s *Session) transientMappingID() (string, error) { + for _, statement := range s.Assertion.AttributeStatements { + for _, attribute := range statement.Attributes { + if attribute.Name != s.TransientMappingAttributeName { + continue + } + if len(attribute.Values) != 1 { + return "", zerrors.ThrowInvalidArgument(nil, "SAML-Soij4", "Errors.Intent.MissingSingleMappingAttribute") + } + return attribute.Values[0].Value, nil + } + } + return "", zerrors.ThrowInvalidArgument(nil, "SAML-swwg2", "Errors.Intent.MissingSingleMappingAttribute") +} + type TempResponseWriter struct { header http.Header content *bytes.Buffer diff --git a/internal/idp/providers/saml/session_test.go b/internal/idp/providers/saml/session_test.go index 3ab33a8558..f162234385 100644 --- a/internal/idp/providers/saml/session_test.go +++ b/internal/idp/providers/saml/session_test.go @@ -27,7 +27,6 @@ func TestSession_FetchUser(t *testing.T) { options []ProviderOpts } type args struct { - intentID string requestID string request *http.Request } @@ -143,6 +142,7 @@ func TestSession_FetchUser(t *testing.T) { WithBinding(saml.HTTPRedirectBinding), WithSignedRequest(), WithCustomRequestTracker(&requesttracker.RequestTracker{}), + WithTransientMappingAttributeName("urn:oid:1.3.6.1.4.1.5923.1.1.1.6"), }, rootURL: "http://localhost:8080/idps/228968792372281708/", }, @@ -166,6 +166,76 @@ func TestSession_FetchUser(t *testing.T) { }, }, }, + { + name: "post with user param (transient with custom mapping)", + fields: fields{ + name: "saml", + key: []byte("-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAxHd087RoEm9ywVWZ/H+tDWxQsmVvhfRz4jAq/RfU+OWXNH4J\njMMSHdFs0Q+WP98nNXRyc7fgbMb8NdmlB2yD4qLYapN5SDaBc5dh/3EnyFt53oSs\njTlKnQUPAeJr2qh/NY046CfyUyQMM4JR5OiQFo4TssfWnqdcgamGt0AEnk2lvbMZ\nKQdAqNS9lDzYbjMGavEQPTZE35mFXFQXjaooZXq+TIa7hbaq7/idH7cHNbLcPLgj\nfPQA8q+DYvnvhXlmq0LPQZH3Oiixf+SF2vRwrBzT2mqGD2OiOkUmhuPwyqEiiBHt\nfxklRtRU6WfLa1Gcb1PsV0uoBGpV3KybIl/GlwIDAQABAoIBAEQjDduLgOCL6Gem\n0X3hpdnW6/HC/jed/Sa//9jBECq2LYeWAqff64ON40hqOHi0YvvGA/+gEOSI6mWe\nsv5tIxxRz+6+cLybsq+tG96kluCE4TJMHy/nY7orS/YiWbd+4odnEApr+D3fbZ/b\nnZ1fDsHTyn8hkYx6jLmnWsJpIHDp7zxD76y7k2Bbg6DZrCGiVxngiLJk23dvz79W\np03lHLM7XE92aFwXQmhfxHGxrbuoB/9eY4ai5IHp36H4fw0vL6NXdNQAo/bhe0p9\nAYB7y0ZumF8Hg0Z/BmMeEzLy6HrYB+VE8cO93pNjhSyH+p2yDB/BlUyTiRLQAoM0\nVTmOZXECgYEA7NGlzpKNhyQEJihVqt0MW0LhKIO/xbBn+XgYfX6GpqPa/ucnMx5/\nVezpl3gK8IU4wPUhAyXXAHJiqNBcEeyxrw0MXLujDVMJgYaLysCLJdvMVgoY08mS\nK5IQivpbozpf4+0y3mOnA+Sy1kbfxv2X8xiWLODRQW3f3q/xoklwOR8CgYEA1GEe\nfaibOFTQAYcIVj77KXtBfYZsX3EGAyfAN9O7cKHq5oaxVstwnF47WxpuVtoKZxCZ\nbNm9D5WvQ9b+Ztpioe42tzwE7Bff/Osj868GcDdRPK7nFlh9N2yVn/D514dOYVwR\n4MBr1KrJzgRWt4QqS4H+to1GzudDTSNlG7gnK4kCgYBUi6AbOHzoYzZL/RhgcJwp\ntJ23nhmH1Su5h2OO4e3mbhcP66w19sxU+8iFN+kH5zfUw26utgKk+TE5vXExQQRK\nT2k7bg2PAzcgk80ybD0BHhA8I0yrx4m0nmfjhe/TPVLgh10iwgbtP+eM0i6v1vc5\nZWyvxu9N4ZEL6lpkqr0y1wKBgG/NAIQd8jhhTW7Aav8cAJQBsqQl038avJOEpYe+\nCnpsgoAAf/K0/f8TDCQVceh+t+MxtdK7fO9rWOxZjWsPo8Si5mLnUaAHoX4/OpnZ\nlYYVWMqdOEFnK+O1Yb7k2GFBdV2DXlX2dc1qavntBsls5ecB89id3pyk2aUN8Pf6\npYQhAoGAMGtrHFely9wyaxI0RTCyfmJbWZHGVGkv6ELK8wneJjdjl82XOBUGCg5q\naRCrTZ3dPitKwrUa6ibJCIFCIziiriBmjDvTHzkMvoJEap2TVxYNDR6IfINVsQ57\nlOsiC4A2uGq4Lbfld+gjoplJ5GX6qXtTgZ6m7eo0y7U6zm2tkN0=\n-----END RSA PRIVATE KEY-----\n"), + certificate: []byte("-----BEGIN CERTIFICATE-----\nMIIC2zCCAcOgAwIBAgIIAy/jm1gAAdEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE\nChMHWklUQURFTDAeFw0yMzA4MzAwNzExMTVaFw0yNDA4MjkwNzExMTVaMBIxEDAO\nBgNVBAoTB1pJVEFERUwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE\nd3TztGgSb3LBVZn8f60NbFCyZW+F9HPiMCr9F9T45Zc0fgmMwxId0WzRD5Y/3yc1\ndHJzt+Bsxvw12aUHbIPiothqk3lINoFzl2H/cSfIW3nehKyNOUqdBQ8B4mvaqH81\njTjoJ/JTJAwzglHk6JAWjhOyx9aep1yBqYa3QASeTaW9sxkpB0Co1L2UPNhuMwZq\n8RA9NkTfmYVcVBeNqihler5MhruFtqrv+J0ftwc1stw8uCN89ADyr4Ni+e+FeWar\nQs9Bkfc6KLF/5IXa9HCsHNPaaoYPY6I6RSaG4/DKoSKIEe1/GSVG1FTpZ8trUZxv\nU+xXS6gEalXcrJsiX8aXAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE\nDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCx\n/dRNIj0N/16zJhZR/ahkc2AkvDXYxyr4JRT5wK9GQDNl/oaX3debRuSi/tfaXFIX\naJA6PxM4J49ZaiEpLrKfxMz5kAhjKchCBEMcH3mGt+iNZH7EOyTvHjpGrP2OZrsh\nO17yrvN3HuQxIU6roJlqtZz2iAADsoPtwOO4D7hupm9XTMkSnAmlMWOo/q46Jz89\n1sMxB+dXmH/zV0wgwh0omZfLV0u89mvdq269VhcjNBpBYSnN1ccqYWd5iwziob3I\nvaavGHGfkbvRUn/tKftYuTK30q03R+e9YbmlWZ0v695owh2e/apCzowQsCKfSVC8\nOxVyt5XkHq1tWwVyBmFp\n-----END CERTIFICATE-----\n"), + metadata: []byte("\n \n \n \n \n MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=\n \n \n \n \n \n \n MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=\n \n \n \n \n \n \n \n urn:oasis:names:tc:SAML:2.0:nameid-format:transient\n \n \n \n"), + options: []ProviderOpts{ + WithLinkingAllowed(), + WithCreationAllowed(), + WithAutoCreation(), + WithAutoUpdate(), + WithBinding(saml.HTTPRedirectBinding), + WithSignedRequest(), + WithCustomRequestTracker(&requesttracker.RequestTracker{}), + WithTransientMappingAttributeName("urn:oid:0.9.2342.19200300.100.1.1"), + }, + rootURL: "http://localhost:8080/idps/228968792372281708/", + }, + args: args{ + request: httpPostFormRequest(t, + "http://localhost:8080/idps/228968792372281708/saml/acs", + "232881438356144492", + "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9ImlkLTA4ZTA3MTFhYzYwZjE2Mzc2MTdhYjZhNDZkZDk0ZTZkMWQ3MDgzMWQiIEluUmVzcG9uc2VUbz0iaWQtYjIyYzkwZGI4OGJmMDFkODJmZmIwYTdiNmZlMjVhYzlmY2IyYzY3OSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMjMtMDktMjFUMTM6NDk6MjMuOTM4WiIgRGVzdGluYXRpb249Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9pZHBzLzIyODk2ODc5MjM3MjI4MTcwOC9zYW1sL2FjcyI+PHNhbWw6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5odHRwOi8vbG9jYWxob3N0OjgwMDAvbWV0YWRhdGE8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjaWQtMDhlMDcxMWFjNjBmMTYzNzYxN2FiNmE0NmRkOTRlNmQxZDcwODMxZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+OWF2ektOOWhpazE4ZkFRdnZNZzJBZFoyYm9VPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5VMkFJOFNzMng5TDAwV3RkaVFlbldCSVFCcGJLNnU4ZU9XVGE2WExKR0lWMWg4d3VOdURqM2luVGpMVUhITkNUSHhTdTFXSE9OSW1CL3QwWlE1Z3EvYXlkcVVqaEVkNG50LysyaXBKelZjZHVHUG5nYjlMWjJ5R1Rsd1JiQkcyMzd4eCtlRWhUMUcrTUFGa3BtbnUrei9RN09vUjdQWHVZOWt6NTRCb0tVM1htK1UyWm9GVy9pVjhId01kYTJMajVLT0pjcnppSWVtNHF0dHlIZXBqcjI3NUhPM2hybzgvVW0xMm8wdk10OUhwaHJua0RNVzgzM3Q5c0k2aW5GRndiOUJkdm5ORkVxYkhCZ2RsemR5T0NqaWdreVNlTzZQNzhQQlhUTWlhM3RVaGxEL0dlZ2hmbTJ4NVI1Q2QrOXJ5RktjYlBKLzlUaFhwbTlIYUJ4R1RZNEE9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJREJ6Q0NBZStnQXdJQkFnSUpBUHIvTXJsYzhFR2hNQTBHQ1NxR1NJYjNEUUVCQlFVQU1Cb3hHREFXQmdOVkJBTU1EM2QzZHk1bGVHRnRjR3hsTG1OdmJUQWVGdzB4TlRFeU1qZ3hPVEU1TkRWYUZ3MHlOVEV5TWpVeE9URTVORFZhTUJveEdEQVdCZ05WQkFNTUQzZDNkeTVsZUdGdGNHeGxMbU52YlRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTkRvV3pMb3M0TFd4VG44R3l1MmxFYmw0V2NlbFViZ0xONXpZbTRyb244QWhzK3J2Y3N1MnprZEQvczZqZEdKSThXcUpLaFlLMnU2MXlnblhnQVpxQzZnZ3RGUG5CcGl6Y0R6amdORDJnK2F1Y1NvVU9ESHQ2N2YwZlF1QW11cE4venA1TVp5c0o2SUhMSm5ZTE5wZkpZazk2bFJ6OU9Ebk8xTXBxdHI5UFd4bStwejduenE1RjB2UmVwa2dwY1J4djZ1ZlFCamxyRnl0Y2N5RVZkWHJ2RnRralhjbmhWVk5TUjRrSHVPT01TNkQ3cGViU0oxbXJDbXNoYkQ1U1gxalhQQktGUEFqb3pZWDZQeHFMeFV4MVk0ZmFGRWY0TUJCVmNJbnlCNG9VUk5CMnM1OWhFRWkyanE5aXpORTdFYkVLNkJZNXNFaG9DUGw5bTMyekU2bGprQ0F3RUFBYU5RTUU0d0hRWURWUjBPQkJZRUZCOVprbEMxT3JrMnpsNTZ6ZzA4ZWk3c3MvK2lNQjhHQTFVZEl3UVlNQmFBRkI5WmtsQzFPcmsyemw1NnpnMDhlaTdzcy8raU1Bd0dBMVVkRXdRRk1BTUJBZjh3RFFZSktvWklodmNOQVFFRkJRQURnZ0VCQUFWb1RTUTVwQWlydzhPUjlGWjFiUlN1VERoWTl1eHpsL09MN2xVbXN2MmNNTmVDQjNCUlpxbTNtRnQrY3dOOEdzSDZmM3V2Tk9OSWhnRnBUR041TEVjWFF6ODl6SkV6QitxYUhxbWJGcEhRbC9zeDJCOGV6TmdULzg4MkgySUgwMGRYRVNFZnkvKzFnSGcycHhqR25oUkJONmVsL2dTYURpeVNJTUtiaWxEcmZmdXZ4aUNmYnBQTjBOUlJpUEpoZDJheTlLdUwvUnhRUmwxZ2w5Y0hhV2lvdVdXYmExYlNCYjJaUGh2MnJQTVVzRm85OG50a0dDT2JEWDZZMVNwa3Ftb1RicnNiR0ZzVEcyREx4bnZyNEdkTjFCU3IwVXUvS1YzYWRqNDdXa1hWUGVNWVF0aS9iUW14UUI4dFJGaHJ3ODBxYWtUTFV6cmVPOTZXemxCQk10WT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9ImlkLTQ1ZTcyMTkyNjU4NmNkZGUzNDQ2NmI0MzQ5NDg4YjA5MDZhNTU3OGIiIElzc3VlSW5zdGFudD0iMjAyMy0wOS0yMVQxMzo0OToyMy45NDFaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+aHR0cDovL2xvY2FsaG9zdDo4MDAwL21ldGFkYXRhPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz48ZHM6UmVmZXJlbmNlIFVSST0iI2lkLTQ1ZTcyMTkyNjU4NmNkZGUzNDQ2NmI0MzQ5NDg4YjA5MDZhNTU3OGIiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPmVHeTMzcWpjZjYrT3R4YlVpVm5DUjFNdnlaaz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+cDBEekU3Q0lTVTVNQjNvclpReGtUWHFsQXJRMjlFb0tXOUZuVWx5aUhYWGtmK2lXNGZ5SW9wYjcrTUk1VUk5TjVTQVdiVzV4U0R3NFJMMWNDaVNxdWJyU29pRi83MXdiM29naWlQOHhyYmJiajY3RHZMcUU3OVJDQXdySDlEU0FlZFlReVBOQ0tFQ0U0L3NvdnFEeUg5OTAwZEI4aTQ3VHdQRkhIclBlWE8wUGVoR0NWNTVEeTZJdC92Ull1VFRqU0tiVTczV014c1A5Mk9yVEdqamN1Smx1bFdSclBxNDk0aEpNMFJxV3gwN2RoWHJEbzlJY1JpK2RCOVhRN3UwbGJicEthQ0p6R2RiUG9JanJ1ZDhaWnh2djdiaDFtV1lEeGFodExvd2I1eGtDWlQrNFMybklrSWgwNEoxUURsZm1WSVdlRWljVW5odXpIcVBkU1RldklnPT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSURCekNDQWUrZ0F3SUJBZ0lKQVByL01ybGM4RUdoTUEwR0NTcUdTSWIzRFFFQkJRVUFNQm94R0RBV0JnTlZCQU1NRDNkM2R5NWxlR0Z0Y0d4bExtTnZiVEFlRncweE5URXlNamd4T1RFNU5EVmFGdzB5TlRFeU1qVXhPVEU1TkRWYU1Cb3hHREFXQmdOVkJBTU1EM2QzZHk1bGVHRnRjR3hsTG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU5Eb1d6TG9zNExXeFRuOEd5dTJsRWJsNFdjZWxVYmdMTjV6WW00cm9uOEFocytydmNzdTJ6a2REL3M2amRHSkk4V3FKS2hZSzJ1NjF5Z25YZ0FacUM2Z2d0RlBuQnBpemNEempnTkQyZythdWNTb1VPREh0NjdmMGZRdUFtdXBOL3pwNU1aeXNKNklITEpuWUxOcGZKWWs5NmxSejlPRG5PMU1wcXRyOVBXeG0rcHo3bnpxNUYwdlJlcGtncGNSeHY2dWZRQmpsckZ5dGNjeUVWZFhydkZ0a2pYY25oVlZOU1I0a0h1T09NUzZEN3BlYlNKMW1yQ21zaGJENVNYMWpYUEJLRlBBam96WVg2UHhxTHhVeDFZNGZhRkVmNE1CQlZjSW55QjRvVVJOQjJzNTloRUVpMmpxOWl6TkU3RWJFSzZCWTVzRWhvQ1BsOW0zMnpFNmxqa0NBd0VBQWFOUU1FNHdIUVlEVlIwT0JCWUVGQjlaa2xDMU9yazJ6bDU2emcwOGVpN3NzLytpTUI4R0ExVWRJd1FZTUJhQUZCOVprbEMxT3JrMnpsNTZ6ZzA4ZWk3c3MvK2lNQXdHQTFVZEV3UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUZCUUFEZ2dFQkFBVm9UU1E1cEFpcnc4T1I5RloxYlJTdVREaFk5dXh6bC9PTDdsVW1zdjJjTU5lQ0IzQlJacW0zbUZ0K2N3TjhHc0g2ZjN1dk5PTkloZ0ZwVEdONUxFY1hRejg5ekpFekIrcWFIcW1iRnBIUWwvc3gyQjhlek5nVC84ODJIMklIMDBkWEVTRWZ5LysxZ0hnMnB4akduaFJCTjZlbC9nU2FEaXlTSU1LYmlsRHJmZnV2eGlDZmJwUE4wTlJSaVBKaGQyYXk5S3VML1J4UVJsMWdsOWNIYVdpb3VXV2JhMWJTQmIyWlBodjJyUE1Vc0ZvOThudGtHQ09iRFg2WTFTcGtxbW9UYnJzYkdGc1RHMkRMeG52cjRHZE4xQlNyMFV1L0tWM2FkajQ3V2tYVlBlTVlRdGkvYlFteFFCOHRSRmhydzgwcWFrVExVenJlTzk2V3psQkJNdFk9PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDp0cmFuc2llbnQiIE5hbWVRdWFsaWZpZXI9Imh0dHA6Ly9sb2NhbGhvc3Q6ODAwMC9tZXRhZGF0YSIgU1BOYW1lUXVhbGlmaWVyPSJodHRwOi8vbG9jYWxob3N0OjgwODAvaWRwcy8yMjg5Njg3OTIzNzIyODE3MDgvc2FtbC9tZXRhZGF0YSI+YWxpY2VAZXhhbXBsZS5jb208L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBBZGRyZXNzPSJbOjoxXTo1OTMzNCIgSW5SZXNwb25zZVRvPSJpZC1iMjJjOTBkYjg4YmYwMWQ4MmZmYjBhN2I2ZmUyNWFjOWZjYjJjNjc5IiBOb3RPbk9yQWZ0ZXI9IjIwMjMtMDktMjFUMTM6NTA6NTMuOTM4WiIgUmVjaXBpZW50PSJodHRwOi8vbG9jYWxob3N0OjgwODAvaWRwcy8yMjg5Njg3OTIzNzIyODE3MDgvc2FtbC9hY3MiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAyMy0wOS0yMVQxMzo0OToxNC4yOThaIiBOb3RPbk9yQWZ0ZXI9IjIwMjMtMDktMjFUMTM6NTA6NDQuMjk4WiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwOi8vbG9jYWxob3N0OjgwODAvaWRwcy8yMjg5Njg3OTIzNzIyODE3MDgvc2FtbC9tZXRhZGF0YTwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMjMtMDktMjFUMTM6NDc6MzUuMTAzWiIgU2Vzc2lvbkluZGV4PSI0YzM5YjE5NTQyYzdjZTFjMzllOWMwNWJlMTdhNzJhNmQ4OGU1NWE3ZGFiYWRhZWQ3ODYxMDBiOWUzODBmYTA4Ij48c2FtbDpTdWJqZWN0TG9jYWxpdHkgQWRkcmVzcz0iWzo6MV06NTkzMzQiLz48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9InVpZCIgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+YWxpY2U8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJlZHVQZXJzb25QcmluY2lwYWxOYW1lIiBOYW1lPSJ1cm46b2lkOjEuMy42LjEuNC4xLjU5MjMuMS4xLjEuNiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmFsaWNlQGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0ic24iIE5hbWU9InVybjpvaWQ6Mi41LjQuNCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPlNtaXRoPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iZ2l2ZW5OYW1lIiBOYW1lPSJ1cm46b2lkOjIuNS40LjQyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+QWxpY2U8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJjbiIgTmFtZT0idXJuOm9pZDoyLjUuNC4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+QWxpY2UgU21pdGg8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJlZHVQZXJzb25BZmZpbGlhdGlvbiIgTmFtZT0idXJuOm9pZDoxLjMuNi4xLjQuMS41OTIzLjEuMS4xLjEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5BZG1pbmlzdHJhdG9yczwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5Vc2Vyczwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==", + ), + requestID: "id-b22c90db88bf01d82ffb0a7b6fe25ac9fcb2c679", + }, + want: want{ + id: "alice", + attributes: map[string][]string{ + "urn:oid:0.9.2342.19200300.100.1.1": {"alice"}, + "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": {"alice@example.com"}, + "urn:oid:2.5.4.4": {"Smith"}, + "urn:oid:2.5.4.42": {"Alice"}, + "urn:oid:2.5.4.3": {"Alice Smith"}, + "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": {"Administrators", "Users"}, + }, + }, + }, + { + name: "post with user param (transient with wrong existing custom mapping)", + fields: fields{ + name: "saml", + key: []byte("-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAxHd087RoEm9ywVWZ/H+tDWxQsmVvhfRz4jAq/RfU+OWXNH4J\njMMSHdFs0Q+WP98nNXRyc7fgbMb8NdmlB2yD4qLYapN5SDaBc5dh/3EnyFt53oSs\njTlKnQUPAeJr2qh/NY046CfyUyQMM4JR5OiQFo4TssfWnqdcgamGt0AEnk2lvbMZ\nKQdAqNS9lDzYbjMGavEQPTZE35mFXFQXjaooZXq+TIa7hbaq7/idH7cHNbLcPLgj\nfPQA8q+DYvnvhXlmq0LPQZH3Oiixf+SF2vRwrBzT2mqGD2OiOkUmhuPwyqEiiBHt\nfxklRtRU6WfLa1Gcb1PsV0uoBGpV3KybIl/GlwIDAQABAoIBAEQjDduLgOCL6Gem\n0X3hpdnW6/HC/jed/Sa//9jBECq2LYeWAqff64ON40hqOHi0YvvGA/+gEOSI6mWe\nsv5tIxxRz+6+cLybsq+tG96kluCE4TJMHy/nY7orS/YiWbd+4odnEApr+D3fbZ/b\nnZ1fDsHTyn8hkYx6jLmnWsJpIHDp7zxD76y7k2Bbg6DZrCGiVxngiLJk23dvz79W\np03lHLM7XE92aFwXQmhfxHGxrbuoB/9eY4ai5IHp36H4fw0vL6NXdNQAo/bhe0p9\nAYB7y0ZumF8Hg0Z/BmMeEzLy6HrYB+VE8cO93pNjhSyH+p2yDB/BlUyTiRLQAoM0\nVTmOZXECgYEA7NGlzpKNhyQEJihVqt0MW0LhKIO/xbBn+XgYfX6GpqPa/ucnMx5/\nVezpl3gK8IU4wPUhAyXXAHJiqNBcEeyxrw0MXLujDVMJgYaLysCLJdvMVgoY08mS\nK5IQivpbozpf4+0y3mOnA+Sy1kbfxv2X8xiWLODRQW3f3q/xoklwOR8CgYEA1GEe\nfaibOFTQAYcIVj77KXtBfYZsX3EGAyfAN9O7cKHq5oaxVstwnF47WxpuVtoKZxCZ\nbNm9D5WvQ9b+Ztpioe42tzwE7Bff/Osj868GcDdRPK7nFlh9N2yVn/D514dOYVwR\n4MBr1KrJzgRWt4QqS4H+to1GzudDTSNlG7gnK4kCgYBUi6AbOHzoYzZL/RhgcJwp\ntJ23nhmH1Su5h2OO4e3mbhcP66w19sxU+8iFN+kH5zfUw26utgKk+TE5vXExQQRK\nT2k7bg2PAzcgk80ybD0BHhA8I0yrx4m0nmfjhe/TPVLgh10iwgbtP+eM0i6v1vc5\nZWyvxu9N4ZEL6lpkqr0y1wKBgG/NAIQd8jhhTW7Aav8cAJQBsqQl038avJOEpYe+\nCnpsgoAAf/K0/f8TDCQVceh+t+MxtdK7fO9rWOxZjWsPo8Si5mLnUaAHoX4/OpnZ\nlYYVWMqdOEFnK+O1Yb7k2GFBdV2DXlX2dc1qavntBsls5ecB89id3pyk2aUN8Pf6\npYQhAoGAMGtrHFely9wyaxI0RTCyfmJbWZHGVGkv6ELK8wneJjdjl82XOBUGCg5q\naRCrTZ3dPitKwrUa6ibJCIFCIziiriBmjDvTHzkMvoJEap2TVxYNDR6IfINVsQ57\nlOsiC4A2uGq4Lbfld+gjoplJ5GX6qXtTgZ6m7eo0y7U6zm2tkN0=\n-----END RSA PRIVATE KEY-----\n"), + certificate: []byte("-----BEGIN CERTIFICATE-----\nMIIC2zCCAcOgAwIBAgIIAy/jm1gAAdEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE\nChMHWklUQURFTDAeFw0yMzA4MzAwNzExMTVaFw0yNDA4MjkwNzExMTVaMBIxEDAO\nBgNVBAoTB1pJVEFERUwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE\nd3TztGgSb3LBVZn8f60NbFCyZW+F9HPiMCr9F9T45Zc0fgmMwxId0WzRD5Y/3yc1\ndHJzt+Bsxvw12aUHbIPiothqk3lINoFzl2H/cSfIW3nehKyNOUqdBQ8B4mvaqH81\njTjoJ/JTJAwzglHk6JAWjhOyx9aep1yBqYa3QASeTaW9sxkpB0Co1L2UPNhuMwZq\n8RA9NkTfmYVcVBeNqihler5MhruFtqrv+J0ftwc1stw8uCN89ADyr4Ni+e+FeWar\nQs9Bkfc6KLF/5IXa9HCsHNPaaoYPY6I6RSaG4/DKoSKIEe1/GSVG1FTpZ8trUZxv\nU+xXS6gEalXcrJsiX8aXAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE\nDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCx\n/dRNIj0N/16zJhZR/ahkc2AkvDXYxyr4JRT5wK9GQDNl/oaX3debRuSi/tfaXFIX\naJA6PxM4J49ZaiEpLrKfxMz5kAhjKchCBEMcH3mGt+iNZH7EOyTvHjpGrP2OZrsh\nO17yrvN3HuQxIU6roJlqtZz2iAADsoPtwOO4D7hupm9XTMkSnAmlMWOo/q46Jz89\n1sMxB+dXmH/zV0wgwh0omZfLV0u89mvdq269VhcjNBpBYSnN1ccqYWd5iwziob3I\nvaavGHGfkbvRUn/tKftYuTK30q03R+e9YbmlWZ0v695owh2e/apCzowQsCKfSVC8\nOxVyt5XkHq1tWwVyBmFp\n-----END CERTIFICATE-----\n"), + metadata: []byte("\n \n \n \n \n MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=\n \n \n \n \n \n \n MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=\n \n \n \n \n \n \n \n urn:oasis:names:tc:SAML:2.0:nameid-format:transient\n \n \n \n"), + options: []ProviderOpts{ + WithLinkingAllowed(), + WithCreationAllowed(), + WithAutoCreation(), + WithAutoUpdate(), + WithBinding(saml.HTTPRedirectBinding), + WithSignedRequest(), + WithCustomRequestTracker(&requesttracker.RequestTracker{}), + WithTransientMappingAttributeName("customAttribute"), + }, + rootURL: "http://localhost:8080/idps/228968792372281708/", + }, + args: args{ + request: httpPostFormRequest(t, + "http://localhost:8080/idps/228968792372281708/saml/acs", + "232881438356144492", + "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9ImlkLTA4ZTA3MTFhYzYwZjE2Mzc2MTdhYjZhNDZkZDk0ZTZkMWQ3MDgzMWQiIEluUmVzcG9uc2VUbz0iaWQtYjIyYzkwZGI4OGJmMDFkODJmZmIwYTdiNmZlMjVhYzlmY2IyYzY3OSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMjMtMDktMjFUMTM6NDk6MjMuOTM4WiIgRGVzdGluYXRpb249Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9pZHBzLzIyODk2ODc5MjM3MjI4MTcwOC9zYW1sL2FjcyI+PHNhbWw6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5odHRwOi8vbG9jYWxob3N0OjgwMDAvbWV0YWRhdGE8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjaWQtMDhlMDcxMWFjNjBmMTYzNzYxN2FiNmE0NmRkOTRlNmQxZDcwODMxZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+OWF2ektOOWhpazE4ZkFRdnZNZzJBZFoyYm9VPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5VMkFJOFNzMng5TDAwV3RkaVFlbldCSVFCcGJLNnU4ZU9XVGE2WExKR0lWMWg4d3VOdURqM2luVGpMVUhITkNUSHhTdTFXSE9OSW1CL3QwWlE1Z3EvYXlkcVVqaEVkNG50LysyaXBKelZjZHVHUG5nYjlMWjJ5R1Rsd1JiQkcyMzd4eCtlRWhUMUcrTUFGa3BtbnUrei9RN09vUjdQWHVZOWt6NTRCb0tVM1htK1UyWm9GVy9pVjhId01kYTJMajVLT0pjcnppSWVtNHF0dHlIZXBqcjI3NUhPM2hybzgvVW0xMm8wdk10OUhwaHJua0RNVzgzM3Q5c0k2aW5GRndiOUJkdm5ORkVxYkhCZ2RsemR5T0NqaWdreVNlTzZQNzhQQlhUTWlhM3RVaGxEL0dlZ2hmbTJ4NVI1Q2QrOXJ5RktjYlBKLzlUaFhwbTlIYUJ4R1RZNEE9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJREJ6Q0NBZStnQXdJQkFnSUpBUHIvTXJsYzhFR2hNQTBHQ1NxR1NJYjNEUUVCQlFVQU1Cb3hHREFXQmdOVkJBTU1EM2QzZHk1bGVHRnRjR3hsTG1OdmJUQWVGdzB4TlRFeU1qZ3hPVEU1TkRWYUZ3MHlOVEV5TWpVeE9URTVORFZhTUJveEdEQVdCZ05WQkFNTUQzZDNkeTVsZUdGdGNHeGxMbU52YlRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTkRvV3pMb3M0TFd4VG44R3l1MmxFYmw0V2NlbFViZ0xONXpZbTRyb244QWhzK3J2Y3N1MnprZEQvczZqZEdKSThXcUpLaFlLMnU2MXlnblhnQVpxQzZnZ3RGUG5CcGl6Y0R6amdORDJnK2F1Y1NvVU9ESHQ2N2YwZlF1QW11cE4venA1TVp5c0o2SUhMSm5ZTE5wZkpZazk2bFJ6OU9Ebk8xTXBxdHI5UFd4bStwejduenE1RjB2UmVwa2dwY1J4djZ1ZlFCamxyRnl0Y2N5RVZkWHJ2RnRralhjbmhWVk5TUjRrSHVPT01TNkQ3cGViU0oxbXJDbXNoYkQ1U1gxalhQQktGUEFqb3pZWDZQeHFMeFV4MVk0ZmFGRWY0TUJCVmNJbnlCNG9VUk5CMnM1OWhFRWkyanE5aXpORTdFYkVLNkJZNXNFaG9DUGw5bTMyekU2bGprQ0F3RUFBYU5RTUU0d0hRWURWUjBPQkJZRUZCOVprbEMxT3JrMnpsNTZ6ZzA4ZWk3c3MvK2lNQjhHQTFVZEl3UVlNQmFBRkI5WmtsQzFPcmsyemw1NnpnMDhlaTdzcy8raU1Bd0dBMVVkRXdRRk1BTUJBZjh3RFFZSktvWklodmNOQVFFRkJRQURnZ0VCQUFWb1RTUTVwQWlydzhPUjlGWjFiUlN1VERoWTl1eHpsL09MN2xVbXN2MmNNTmVDQjNCUlpxbTNtRnQrY3dOOEdzSDZmM3V2Tk9OSWhnRnBUR041TEVjWFF6ODl6SkV6QitxYUhxbWJGcEhRbC9zeDJCOGV6TmdULzg4MkgySUgwMGRYRVNFZnkvKzFnSGcycHhqR25oUkJONmVsL2dTYURpeVNJTUtiaWxEcmZmdXZ4aUNmYnBQTjBOUlJpUEpoZDJheTlLdUwvUnhRUmwxZ2w5Y0hhV2lvdVdXYmExYlNCYjJaUGh2MnJQTVVzRm85OG50a0dDT2JEWDZZMVNwa3Ftb1RicnNiR0ZzVEcyREx4bnZyNEdkTjFCU3IwVXUvS1YzYWRqNDdXa1hWUGVNWVF0aS9iUW14UUI4dFJGaHJ3ODBxYWtUTFV6cmVPOTZXemxCQk10WT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9ImlkLTQ1ZTcyMTkyNjU4NmNkZGUzNDQ2NmI0MzQ5NDg4YjA5MDZhNTU3OGIiIElzc3VlSW5zdGFudD0iMjAyMy0wOS0yMVQxMzo0OToyMy45NDFaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+aHR0cDovL2xvY2FsaG9zdDo4MDAwL21ldGFkYXRhPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz48ZHM6UmVmZXJlbmNlIFVSST0iI2lkLTQ1ZTcyMTkyNjU4NmNkZGUzNDQ2NmI0MzQ5NDg4YjA5MDZhNTU3OGIiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPmVHeTMzcWpjZjYrT3R4YlVpVm5DUjFNdnlaaz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+cDBEekU3Q0lTVTVNQjNvclpReGtUWHFsQXJRMjlFb0tXOUZuVWx5aUhYWGtmK2lXNGZ5SW9wYjcrTUk1VUk5TjVTQVdiVzV4U0R3NFJMMWNDaVNxdWJyU29pRi83MXdiM29naWlQOHhyYmJiajY3RHZMcUU3OVJDQXdySDlEU0FlZFlReVBOQ0tFQ0U0L3NvdnFEeUg5OTAwZEI4aTQ3VHdQRkhIclBlWE8wUGVoR0NWNTVEeTZJdC92Ull1VFRqU0tiVTczV014c1A5Mk9yVEdqamN1Smx1bFdSclBxNDk0aEpNMFJxV3gwN2RoWHJEbzlJY1JpK2RCOVhRN3UwbGJicEthQ0p6R2RiUG9JanJ1ZDhaWnh2djdiaDFtV1lEeGFodExvd2I1eGtDWlQrNFMybklrSWgwNEoxUURsZm1WSVdlRWljVW5odXpIcVBkU1RldklnPT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSURCekNDQWUrZ0F3SUJBZ0lKQVByL01ybGM4RUdoTUEwR0NTcUdTSWIzRFFFQkJRVUFNQm94R0RBV0JnTlZCQU1NRDNkM2R5NWxlR0Z0Y0d4bExtTnZiVEFlRncweE5URXlNamd4T1RFNU5EVmFGdzB5TlRFeU1qVXhPVEU1TkRWYU1Cb3hHREFXQmdOVkJBTU1EM2QzZHk1bGVHRnRjR3hsTG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU5Eb1d6TG9zNExXeFRuOEd5dTJsRWJsNFdjZWxVYmdMTjV6WW00cm9uOEFocytydmNzdTJ6a2REL3M2amRHSkk4V3FKS2hZSzJ1NjF5Z25YZ0FacUM2Z2d0RlBuQnBpemNEempnTkQyZythdWNTb1VPREh0NjdmMGZRdUFtdXBOL3pwNU1aeXNKNklITEpuWUxOcGZKWWs5NmxSejlPRG5PMU1wcXRyOVBXeG0rcHo3bnpxNUYwdlJlcGtncGNSeHY2dWZRQmpsckZ5dGNjeUVWZFhydkZ0a2pYY25oVlZOU1I0a0h1T09NUzZEN3BlYlNKMW1yQ21zaGJENVNYMWpYUEJLRlBBam96WVg2UHhxTHhVeDFZNGZhRkVmNE1CQlZjSW55QjRvVVJOQjJzNTloRUVpMmpxOWl6TkU3RWJFSzZCWTVzRWhvQ1BsOW0zMnpFNmxqa0NBd0VBQWFOUU1FNHdIUVlEVlIwT0JCWUVGQjlaa2xDMU9yazJ6bDU2emcwOGVpN3NzLytpTUI4R0ExVWRJd1FZTUJhQUZCOVprbEMxT3JrMnpsNTZ6ZzA4ZWk3c3MvK2lNQXdHQTFVZEV3UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUZCUUFEZ2dFQkFBVm9UU1E1cEFpcnc4T1I5RloxYlJTdVREaFk5dXh6bC9PTDdsVW1zdjJjTU5lQ0IzQlJacW0zbUZ0K2N3TjhHc0g2ZjN1dk5PTkloZ0ZwVEdONUxFY1hRejg5ekpFekIrcWFIcW1iRnBIUWwvc3gyQjhlek5nVC84ODJIMklIMDBkWEVTRWZ5LysxZ0hnMnB4akduaFJCTjZlbC9nU2FEaXlTSU1LYmlsRHJmZnV2eGlDZmJwUE4wTlJSaVBKaGQyYXk5S3VML1J4UVJsMWdsOWNIYVdpb3VXV2JhMWJTQmIyWlBodjJyUE1Vc0ZvOThudGtHQ09iRFg2WTFTcGtxbW9UYnJzYkdGc1RHMkRMeG52cjRHZE4xQlNyMFV1L0tWM2FkajQ3V2tYVlBlTVlRdGkvYlFteFFCOHRSRmhydzgwcWFrVExVenJlTzk2V3psQkJNdFk9PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDp0cmFuc2llbnQiIE5hbWVRdWFsaWZpZXI9Imh0dHA6Ly9sb2NhbGhvc3Q6ODAwMC9tZXRhZGF0YSIgU1BOYW1lUXVhbGlmaWVyPSJodHRwOi8vbG9jYWxob3N0OjgwODAvaWRwcy8yMjg5Njg3OTIzNzIyODE3MDgvc2FtbC9tZXRhZGF0YSI+YWxpY2VAZXhhbXBsZS5jb208L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBBZGRyZXNzPSJbOjoxXTo1OTMzNCIgSW5SZXNwb25zZVRvPSJpZC1iMjJjOTBkYjg4YmYwMWQ4MmZmYjBhN2I2ZmUyNWFjOWZjYjJjNjc5IiBOb3RPbk9yQWZ0ZXI9IjIwMjMtMDktMjFUMTM6NTA6NTMuOTM4WiIgUmVjaXBpZW50PSJodHRwOi8vbG9jYWxob3N0OjgwODAvaWRwcy8yMjg5Njg3OTIzNzIyODE3MDgvc2FtbC9hY3MiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAyMy0wOS0yMVQxMzo0OToxNC4yOThaIiBOb3RPbk9yQWZ0ZXI9IjIwMjMtMDktMjFUMTM6NTA6NDQuMjk4WiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwOi8vbG9jYWxob3N0OjgwODAvaWRwcy8yMjg5Njg3OTIzNzIyODE3MDgvc2FtbC9tZXRhZGF0YTwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMjMtMDktMjFUMTM6NDc6MzUuMTAzWiIgU2Vzc2lvbkluZGV4PSI0YzM5YjE5NTQyYzdjZTFjMzllOWMwNWJlMTdhNzJhNmQ4OGU1NWE3ZGFiYWRhZWQ3ODYxMDBiOWUzODBmYTA4Ij48c2FtbDpTdWJqZWN0TG9jYWxpdHkgQWRkcmVzcz0iWzo6MV06NTkzMzQiLz48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9InVpZCIgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+YWxpY2U8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJlZHVQZXJzb25QcmluY2lwYWxOYW1lIiBOYW1lPSJ1cm46b2lkOjEuMy42LjEuNC4xLjU5MjMuMS4xLjEuNiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmFsaWNlQGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0ic24iIE5hbWU9InVybjpvaWQ6Mi41LjQuNCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPlNtaXRoPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iZ2l2ZW5OYW1lIiBOYW1lPSJ1cm46b2lkOjIuNS40LjQyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+QWxpY2U8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJjbiIgTmFtZT0idXJuOm9pZDoyLjUuNC4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+QWxpY2UgU21pdGg8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJlZHVQZXJzb25BZmZpbGlhdGlvbiIgTmFtZT0idXJuOm9pZDoxLjMuNi4xLjQuMS41OTIzLjEuMS4xLjEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5BZG1pbmlzdHJhdG9yczwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5Vc2Vyczwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==", + ), + requestID: "id-b22c90db88bf01d82ffb0a7b6fe25ac9fcb2c679", + }, + want: want{ + err: zerrors.ThrowInvalidArgument(nil, "SAML-swwg2", "Errors.Intent.MissingSingleMappingAttribute"), + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { @@ -174,15 +244,9 @@ func TestSession_FetchUser(t *testing.T) { provider, err := New(tt.fields.name, tt.fields.rootURL, tt.fields.metadata, tt.fields.certificate, tt.fields.key, tt.fields.options...) require.NoError(t, err) - sp, err := provider.GetSP() + session, err := NewSession(provider, tt.args.requestID, tt.args.request) require.NoError(t, err) - session := &Session{ - ServiceProvider: sp, - state: tt.args.intentID, - RequestID: tt.args.requestID, - Request: tt.args.request, - } // set to time of response for validation saml.TimeNow = func() time.Time { time, _ := time.Parse(time.RFC3339, "2023-09-21T13:47:40.0Z") diff --git a/internal/integration/client.go b/internal/integration/client.go index 3ebd4fea51..72f50e9988 100644 --- a/internal/integration/client.go +++ b/internal/integration/client.go @@ -150,6 +150,37 @@ func (s *Tester) CreateHumanUser(ctx context.Context) *user.AddHumanUserResponse return resp } +func (s *Tester) CreateHumanUserWithTOTP(ctx context.Context, secret string) *user.AddHumanUserResponse { + resp, err := s.Client.UserV2.AddHumanUser(ctx, &user.AddHumanUserRequest{ + Organization: &object.Organization{ + Org: &object.Organization_OrgId{ + OrgId: s.Organisation.ID, + }, + }, + Profile: &user.SetHumanProfile{ + GivenName: "Mickey", + FamilyName: "Mouse", + PreferredLanguage: gu.Ptr("nl"), + Gender: gu.Ptr(user.Gender_GENDER_MALE), + }, + Email: &user.SetHumanEmail{ + Email: fmt.Sprintf("%d@mouse.com", time.Now().UnixNano()), + Verification: &user.SetHumanEmail_ReturnCode{ + ReturnCode: &user.ReturnEmailVerificationCode{}, + }, + }, + Phone: &user.SetHumanPhone{ + Phone: "+41791234567", + Verification: &user.SetHumanPhone_ReturnCode{ + ReturnCode: &user.ReturnPhoneVerificationCode{}, + }, + }, + TotpSecret: gu.Ptr(secret), + }) + logging.OnError(err).Fatal("create human user") + return resp +} + func (s *Tester) CreateOrganization(ctx context.Context, name, adminEmail string) *org.AddOrganizationResponse { resp, err := s.Client.OrgV2.AddOrganization(ctx, &org.AddOrganizationRequest{ Name: name, @@ -349,12 +380,13 @@ func (s *Tester) AddSAMLProvider(t *testing.T, ctx context.Context) string { return id } -func (s *Tester) AddSAMLRedirectProvider(t *testing.T, ctx context.Context) string { +func (s *Tester) AddSAMLRedirectProvider(t *testing.T, ctx context.Context, transientMappingAttributeName string) string { ctx = authz.WithInstance(ctx, s.Instance) id, _, err := s.Server.Commands.AddInstanceSAMLProvider(ctx, command.SAMLProvider{ - Name: "saml-idp-redirect", - Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", - Metadata: []byte("\n \n \n \n \n MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=\n \n \n \n \n \n \n MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=\n \n \n \n \n \n \n \n urn:oasis:names:tc:SAML:2.0:nameid-format:transient\n \n \n"), + Name: "saml-idp-redirect", + Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", + Metadata: []byte("\n \n \n \n \n MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=\n \n \n \n \n \n \n MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=\n \n \n \n \n \n \n \n urn:oasis:names:tc:SAML:2.0:nameid-format:transient\n \n \n"), + TransientMappingAttributeName: transientMappingAttributeName, IDPOptions: idp.Options{ IsLinkingAllowed: true, IsCreationAllowed: true, @@ -490,8 +522,7 @@ func (s *Tester) CreateVerifiedWebAuthNSessionWithLifetime(t *testing.T, ctx con require.NoError(t, err) updateResp, err := s.Client.SessionV2.SetSession(ctx, &session.SetSessionRequest{ - SessionId: createResp.GetSessionId(), - SessionToken: createResp.GetSessionToken(), + SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ CredentialAssertionData: assertion, diff --git a/internal/integration/oidc.go b/internal/integration/oidc.go index d928c3e004..3ba655c65b 100644 --- a/internal/integration/oidc.go +++ b/internal/integration/oidc.go @@ -299,3 +299,24 @@ func (s *Tester) CreateOIDCCredentialsClient(ctx context.Context) (userID, clien } return user.GetUserId(), secret.GetClientId(), secret.GetClientSecret(), nil } + +func (s *Tester) CreateOIDCJWTProfileClient(ctx context.Context) (userID string, keyData []byte, err error) { + name := gofakeit.Username() + user, err := s.Client.Mgmt.AddMachineUser(ctx, &management.AddMachineUserRequest{ + Name: name, + UserName: name, + AccessTokenType: user.AccessTokenType_ACCESS_TOKEN_TYPE_JWT, + }) + if err != nil { + return "", nil, err + } + keyResp, err := s.Client.Mgmt.AddMachineKey(ctx, &management.AddMachineKeyRequest{ + UserId: user.GetUserId(), + Type: authn.KeyType_KEY_TYPE_JSON, + ExpirationDate: timestamppb.New(time.Now().Add(time.Hour)), + }) + if err != nil { + return "", nil, err + } + return user.GetUserId(), keyResp.GetKeyDetails(), nil +} diff --git a/internal/notification/static/i18n/fr.yaml b/internal/notification/static/i18n/fr.yaml index 42c4b837eb..a313343ba5 100644 --- a/internal/notification/static/i18n/fr.yaml +++ b/internal/notification/static/i18n/fr.yaml @@ -27,15 +27,15 @@ VerifyPhone: Text: Un nouveau numéro de téléphone a été ajouté. Veuillez utiliser le code suivant pour le vérifier {{.Code}} ButtonText: Vérifier le téléphone VerifyEmailOTP: - Title: ZITADEL - Vérifie le mot de passe à usage unique - PreHeader: Vérifie le mot de passe à usage unique - Subject: Vérifie le mot de passe à usage unique + Title: ZITADEL - Vérifier le mot de passe à usage unique + PreHeader: Vérifier le mot de passe à usage unique + Subject: Vérifier le mot de passe à usage unique Greeting: Bonjour {{.DisplayName}}, - Text: Utilise le bouton 'Authentifier' ou copie le mot de passe à usage unique {{.OTP}} et colle-le à l'écran d'authentification pour t'authentifier sur ZITADEL dans les cinq prochaines minutes. + Text: Utilisez le bouton 'Authentifier' ou copiez le mot de passe à usage unique {{.OTP}} et collez-le à l'écran d'authentification pour vous authentifier sur ZITADEL dans les cinq prochaines minutes. ButtonText: Authentifier VerifySMSOTP: Text: >- - {{.OTP}} est votre mot de passe à usage unique pour {{ .Domain }}. Utilisez-le dans le prochain {{.Expiry}}. + {{.OTP}} est votre mot de passe à usage unique pour {{ .Domain }}. Utilisez-le dans les prochaines {{.Expiry}}. @{{.Domain}} #{{.OTP}} DomainClaimed: diff --git a/internal/query/access_token.go b/internal/query/access_token.go index 2b927cf7b5..40d9b1700a 100644 --- a/internal/query/access_token.go +++ b/internal/query/access_token.go @@ -5,6 +5,8 @@ import ( "strings" "time" + "golang.org/x/text/language" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/repository/oidcsession" @@ -24,10 +26,13 @@ type OIDCSessionAccessTokenReadModel struct { Scope []string AuthMethods []domain.UserAuthMethodType AuthTime time.Time + Nonce string State domain.OIDCSessionState AccessTokenID string AccessTokenCreation time.Time AccessTokenExpiration time.Time + PreferredLanguage *language.Tag + UserAgent *domain.UserAgent Reason domain.TokenReason Actor *domain.TokenActor } @@ -79,6 +84,9 @@ func (wm *OIDCSessionAccessTokenReadModel) reduceAdded(e *oidcsession.AddedEvent wm.Scope = e.Scope wm.AuthMethods = e.AuthMethods wm.AuthTime = e.AuthTime + wm.Nonce = e.Nonce + wm.PreferredLanguage = e.PreferredLanguage + wm.UserAgent = e.UserAgent wm.State = domain.OIDCSessionStateActive } @@ -112,7 +120,7 @@ func (q *Queries) ActiveAccessTokenByToken(ctx context.Context, token string) (m if !model.AccessTokenExpiration.After(time.Now()) { return nil, zerrors.ThrowPermissionDenied(nil, "QUERY-SAF3rf", "Errors.OIDCSession.Token.Expired") } - if err = q.checkSessionNotTerminatedAfter(ctx, model.SessionID, model.UserID, model.AccessTokenCreation); err != nil { + if err = q.checkSessionNotTerminatedAfter(ctx, model.SessionID, model.UserID, model.AccessTokenCreation, model.UserAgent.GetFingerprintID()); err != nil { return nil, err } return model, nil @@ -132,16 +140,17 @@ func (q *Queries) accessTokenByOIDCSessionAndTokenID(ctx context.Context, oidcSe return model, nil } -// checkSessionNotTerminatedAfter checks if a [session.TerminateType] event occurred after a certain time -// and will return an error if so. -func (q *Queries) checkSessionNotTerminatedAfter(ctx context.Context, sessionID, userID string, creation time.Time) (err error) { +// checkSessionNotTerminatedAfter checks if a [session.TerminateType] event (or user events leading to a session termination) +// occurred after a certain time and will return an error if so. +func (q *Queries) checkSessionNotTerminatedAfter(ctx context.Context, sessionID, userID string, creation time.Time, fingerprintID string) (err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() model := &sessionTerminatedModel{ - sessionID: sessionID, - creation: creation, - userID: userID, + sessionID: sessionID, + creation: creation, + userID: userID, + fingerPrintID: fingerprintID, } err = q.eventstore.FilterToQueryReducer(ctx, model) if err != nil { @@ -155,9 +164,10 @@ func (q *Queries) checkSessionNotTerminatedAfter(ctx context.Context, sessionID, } type sessionTerminatedModel struct { - creation time.Time - sessionID string - userID string + creation time.Time + sessionID string + userID string + fingerPrintID string events int terminated bool @@ -195,5 +205,12 @@ func (s *sessionTerminatedModel) Query() *eventstore.SearchQueryBuilder { user.UserLockedType, user.UserRemovedType, ). + Or(). // for specific logout on v1 sessions from the same user agent + AggregateTypes(user.AggregateType). + AggregateIDs(s.userID). + EventTypes( + user.HumanSignedOutType, + ). + EventData(map[string]interface{}{"userAgentID": s.fingerPrintID}). Builder() } diff --git a/internal/query/authn_key.go b/internal/query/authn_key.go index 99ccca0d97..679f444327 100644 --- a/internal/query/authn_key.go +++ b/internal/query/authn_key.go @@ -209,7 +209,7 @@ func (q *Queries) GetAuthNKeyByID(ctx context.Context, shouldTriggerBulk bool, i return key, err } -func (q *Queries) GetAuthNKeyPublicKeyByIDAndIdentifier(ctx context.Context, id string, identifier string, withOwnerRemoved bool) (key []byte, err error) { +func (q *Queries) GetAuthNKeyPublicKeyByIDAndIdentifier(ctx context.Context, id string, identifier string) (key []byte, err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() diff --git a/internal/query/device_auth.go b/internal/query/device_auth.go index 9cef26d2bd..d63bfe0209 100644 --- a/internal/query/device_auth.go +++ b/internal/query/device_auth.go @@ -4,7 +4,6 @@ import ( "context" "database/sql" "errors" - "time" sq "github.com/Masterminds/squirrel" @@ -59,34 +58,6 @@ var ( } ) -type DeviceAuth struct { - ClientID string - DeviceCode string - UserCode string - Expires time.Time - Scopes []string - Audience []string - State domain.DeviceAuthState - Subject string - UserAuthMethods []domain.UserAuthMethodType - AuthTime time.Time -} - -// DeviceAuthByDeviceCode gets the current state of a Device Authorization directly from the eventstore. -func (q *Queries) DeviceAuthByDeviceCode(ctx context.Context, deviceCode string) (deviceAuth *DeviceAuth, err error) { - ctx, span := tracing.NewSpan(ctx) - defer func() { span.EndWithError(err) }() - - model := NewDeviceAuthReadModel(deviceCode, authz.GetInstance(ctx).InstanceID()) - if err := q.eventstore.FilterToQueryReducer(ctx, model); err != nil { - return nil, err - } - if !model.State.Exists() { - return nil, zerrors.ThrowNotFound(nil, "QUERY-eeR0e", "Errors.DeviceAuth.NotExisting") - } - return &model.DeviceAuth, nil -} - // DeviceAuthRequestByUserCode finds a Device Authorization request by User-Code from the `device_auth_requests` projection. func (q *Queries) DeviceAuthRequestByUserCode(ctx context.Context, userCode string) (authReq *domain.AuthRequestDevice, err error) { ctx, span := tracing.NewSpan(ctx) diff --git a/internal/query/device_auth_model.go b/internal/query/device_auth_model.go deleted file mode 100644 index 91ad06ddfc..0000000000 --- a/internal/query/device_auth_model.go +++ /dev/null @@ -1,59 +0,0 @@ -package query - -import ( - "github.com/zitadel/zitadel/internal/domain" - "github.com/zitadel/zitadel/internal/eventstore" - "github.com/zitadel/zitadel/internal/repository/deviceauth" -) - -type DeviceAuthReadModel struct { - eventstore.ReadModel - DeviceAuth -} - -func NewDeviceAuthReadModel(deviceCode, resourceOwner string) *DeviceAuthReadModel { - return &DeviceAuthReadModel{ - ReadModel: eventstore.ReadModel{ - AggregateID: deviceCode, - ResourceOwner: resourceOwner, - }, - } -} - -func (m *DeviceAuthReadModel) Reduce() error { - for _, event := range m.Events { - switch e := event.(type) { - case *deviceauth.AddedEvent: - m.ClientID = e.ClientID - m.DeviceCode = e.DeviceCode - m.UserCode = e.UserCode - m.Expires = e.Expires - m.Scopes = e.Scopes - m.Audience = e.Audience - m.State = e.State - case *deviceauth.ApprovedEvent: - m.State = domain.DeviceAuthStateApproved - m.Subject = e.Subject - m.UserAuthMethods = e.UserAuthMethods - m.AuthTime = e.AuthTime - case *deviceauth.CanceledEvent: - m.State = e.Reason.State() - } - } - - return m.ReadModel.Reduce() -} - -func (m *DeviceAuthReadModel) Query() *eventstore.SearchQueryBuilder { - return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent). - ResourceOwner(m.ResourceOwner). - AddQuery(). - AggregateTypes(deviceauth.AggregateType). - AggregateIDs(m.AggregateID). - EventTypes( - deviceauth.AddedEventType, - deviceauth.ApprovedEventType, - deviceauth.CanceledEventType, - ). - Builder() -} diff --git a/internal/query/device_auth_test.go b/internal/query/device_auth_test.go index d9773cdc7f..ff6a91e222 100644 --- a/internal/query/device_auth_test.go +++ b/internal/query/device_auth_test.go @@ -6,167 +6,18 @@ import ( "database/sql/driver" "errors" "fmt" - "io" "regexp" "testing" - "time" "github.com/DATA-DOG/go-sqlmock" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/zitadel/zitadel/internal/api/authz" "github.com/zitadel/zitadel/internal/database" db_mock "github.com/zitadel/zitadel/internal/database/mock" "github.com/zitadel/zitadel/internal/domain" - "github.com/zitadel/zitadel/internal/eventstore" - "github.com/zitadel/zitadel/internal/repository/deviceauth" - "github.com/zitadel/zitadel/internal/zerrors" ) -func TestQueries_DeviceAuthByDeviceCode(t *testing.T) { - ctx := authz.NewMockContext("inst1", "org1", "user1") - timestamp := time.Date(2015, 12, 15, 22, 13, 45, 0, time.UTC) - tests := []struct { - name string - eventstore func(t *testing.T) *eventstore.Eventstore - want *DeviceAuth - wantErr error - }{ - { - name: "filter error", - eventstore: expectEventstore( - expectFilterError(io.ErrClosedPipe), - ), - wantErr: io.ErrClosedPipe, - }, - { - name: "not found", - eventstore: expectEventstore( - expectFilter(), - ), - wantErr: zerrors.ThrowNotFound(nil, "QUERY-eeR0e", "Errors.DeviceAuth.NotExisting"), - }, - { - name: "ok, initiated", - eventstore: expectEventstore( - expectFilter( - eventFromEventPusher(deviceauth.NewAddedEvent( - ctx, - deviceauth.NewAggregate("device1", "instance1"), - "client1", "device1", "user-code", timestamp, []string{"foo", "bar"}, - []string{"projectID", "clientID"}, - )), - ), - ), - want: &DeviceAuth{ - ClientID: "client1", - DeviceCode: "device1", - UserCode: "user-code", - Expires: timestamp, - Scopes: []string{"foo", "bar"}, - Audience: []string{"projectID", "clientID"}, - State: domain.DeviceAuthStateInitiated, - }, - }, - { - name: "ok, approved", - eventstore: expectEventstore( - expectFilter( - eventFromEventPusher(deviceauth.NewAddedEvent( - ctx, - deviceauth.NewAggregate("device1", "instance1"), - "client1", "device1", "user-code", timestamp, []string{"foo", "bar"}, - []string{"projectID", "clientID"}, - )), - eventFromEventPusher(deviceauth.NewApprovedEvent( - ctx, - deviceauth.NewAggregate("device1", "instance1"), - "user1", []domain.UserAuthMethodType{domain.UserAuthMethodTypePasswordless}, - timestamp, - )), - ), - ), - want: &DeviceAuth{ - ClientID: "client1", - DeviceCode: "device1", - UserCode: "user-code", - Expires: timestamp, - Scopes: []string{"foo", "bar"}, - Audience: []string{"projectID", "clientID"}, - State: domain.DeviceAuthStateApproved, - Subject: "user1", - UserAuthMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePasswordless}, - AuthTime: timestamp, - }, - }, - { - name: "ok, denied", - eventstore: expectEventstore( - expectFilter( - eventFromEventPusher(deviceauth.NewAddedEvent( - ctx, - deviceauth.NewAggregate("device1", "instance1"), - "client1", "device1", "user-code", timestamp, []string{"foo", "bar"}, - []string{"projectID", "clientID"}, - )), - eventFromEventPusher(deviceauth.NewCanceledEvent( - ctx, - deviceauth.NewAggregate("device1", "instance1"), - domain.DeviceAuthCanceledDenied, - )), - ), - ), - want: &DeviceAuth{ - ClientID: "client1", - DeviceCode: "device1", - UserCode: "user-code", - Expires: timestamp, - Scopes: []string{"foo", "bar"}, - Audience: []string{"projectID", "clientID"}, - State: domain.DeviceAuthStateDenied, - }, - }, - { - name: "ok, expired", - eventstore: expectEventstore( - expectFilter( - eventFromEventPusher(deviceauth.NewAddedEvent( - ctx, - deviceauth.NewAggregate("device1", "instance1"), - "client1", "device1", "user-code", timestamp, []string{"foo", "bar"}, - []string{"projectID", "clientID"}, - )), - eventFromEventPusher(deviceauth.NewCanceledEvent( - ctx, - deviceauth.NewAggregate("device1", "instance1"), - domain.DeviceAuthCanceledExpired, - )), - ), - ), - want: &DeviceAuth{ - ClientID: "client1", - DeviceCode: "device1", - UserCode: "user-code", - Expires: timestamp, - Scopes: []string{"foo", "bar"}, - Audience: []string{"projectID", "clientID"}, - State: domain.DeviceAuthStateExpired, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - q := &Queries{ - eventstore: tt.eventstore(t), - } - got, err := q.DeviceAuthByDeviceCode(ctx, "device1") - require.ErrorIs(t, err, tt.wantErr) - assert.Equal(t, tt.want, got) - }) - } -} - const ( expectedDeviceAuthQueryC = `SELECT` + ` projections.device_auth_requests2.client_id,` + diff --git a/internal/query/idp_template.go b/internal/query/idp_template.go index 361389f995..2b835f0e69 100644 --- a/internal/query/idp_template.go +++ b/internal/query/idp_template.go @@ -155,12 +155,14 @@ type AppleIDPTemplate struct { } type SAMLIDPTemplate struct { - IDPID string - Metadata []byte - Key *crypto.CryptoValue - Certificate []byte - Binding string - WithSignedRequest bool + IDPID string + Metadata []byte + Key *crypto.CryptoValue + Certificate []byte + Binding string + WithSignedRequest bool + NameIDFormat sql.Null[domain.SAMLNameIDFormat] + TransientMappingAttributeName string } var ( @@ -700,6 +702,14 @@ var ( name: projection.SAMLWithSignedRequestCol, table: samlIdpTemplateTable, } + SAMLNameIDFormatCol = Column{ + name: projection.SAMLNameIDFormatCol, + table: samlIdpTemplateTable, + } + SAMLTransientMappingAttributeNameCol = Column{ + name: projection.SAMLTransientMappingAttributeName, + table: samlIdpTemplateTable, + } ) // IDPTemplateByID searches for the requested id @@ -883,6 +893,8 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se SAMLCertificateCol.identifier(), SAMLBindingCol.identifier(), SAMLWithSignedRequestCol.identifier(), + SAMLNameIDFormatCol.identifier(), + SAMLTransientMappingAttributeNameCol.identifier(), // ldap LDAPIDCol.identifier(), LDAPServersCol.identifier(), @@ -997,6 +1009,8 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se var samlCertificate []byte samlBinding := sql.NullString{} samlWithSignedRequest := sql.NullBool{} + samlNameIDFormat := sql.Null[domain.SAMLNameIDFormat]{} + samlTransientMappingAttributeName := sql.NullString{} ldapID := sql.NullString{} ldapServers := database.TextArray[string]{} @@ -1109,6 +1123,8 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se &samlCertificate, &samlBinding, &samlWithSignedRequest, + &samlNameIDFormat, + &samlTransientMappingAttributeName, // ldap &ldapID, &ldapServers, @@ -1237,12 +1253,14 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se } if samlID.Valid { idpTemplate.SAMLIDPTemplate = &SAMLIDPTemplate{ - IDPID: samlID.String, - Metadata: samlMetadata, - Key: samlKey, - Certificate: samlCertificate, - Binding: samlBinding.String, - WithSignedRequest: samlWithSignedRequest.Bool, + IDPID: samlID.String, + Metadata: samlMetadata, + Key: samlKey, + Certificate: samlCertificate, + Binding: samlBinding.String, + WithSignedRequest: samlWithSignedRequest.Bool, + NameIDFormat: samlNameIDFormat, + TransientMappingAttributeName: samlTransientMappingAttributeName.String, } } if ldapID.Valid { @@ -1370,6 +1388,8 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec SAMLCertificateCol.identifier(), SAMLBindingCol.identifier(), SAMLWithSignedRequestCol.identifier(), + SAMLNameIDFormatCol.identifier(), + SAMLTransientMappingAttributeNameCol.identifier(), // ldap LDAPIDCol.identifier(), LDAPServersCol.identifier(), @@ -1489,6 +1509,8 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec var samlCertificate []byte samlBinding := sql.NullString{} samlWithSignedRequest := sql.NullBool{} + samlNameIDFormat := sql.Null[domain.SAMLNameIDFormat]{} + samlTransientMappingAttributeName := sql.NullString{} ldapID := sql.NullString{} ldapServers := database.TextArray[string]{} @@ -1601,6 +1623,8 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec &samlCertificate, &samlBinding, &samlWithSignedRequest, + &samlNameIDFormat, + &samlTransientMappingAttributeName, // ldap &ldapID, &ldapServers, @@ -1728,12 +1752,14 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec } if samlID.Valid { idpTemplate.SAMLIDPTemplate = &SAMLIDPTemplate{ - IDPID: samlID.String, - Metadata: samlMetadata, - Key: samlKey, - Certificate: samlCertificate, - Binding: samlBinding.String, - WithSignedRequest: samlWithSignedRequest.Bool, + IDPID: samlID.String, + Metadata: samlMetadata, + Key: samlKey, + Certificate: samlCertificate, + Binding: samlBinding.String, + WithSignedRequest: samlWithSignedRequest.Bool, + NameIDFormat: samlNameIDFormat, + TransientMappingAttributeName: samlTransientMappingAttributeName.String, } } if ldapID.Valid { diff --git a/internal/query/idp_template_test.go b/internal/query/idp_template_test.go index 72e5d9f8c8..c5bee3a000 100644 --- a/internal/query/idp_template_test.go +++ b/internal/query/idp_template_test.go @@ -95,6 +95,8 @@ var ( ` projections.idp_templates6_saml.certificate,` + ` projections.idp_templates6_saml.binding,` + ` projections.idp_templates6_saml.with_signed_request,` + + ` projections.idp_templates6_saml.name_id_format,` + + ` projections.idp_templates6_saml.transient_mapping_attribute_name,` + // ldap ` projections.idp_templates6_ldap2.idp_id,` + ` projections.idp_templates6_ldap2.servers,` + @@ -220,6 +222,8 @@ var ( "certificate", "binding", "with_signed_request", + "name_id_format", + "transient_mapping_attribute_name", // ldap config "idp_id", "servers", @@ -331,6 +335,8 @@ var ( ` projections.idp_templates6_saml.certificate,` + ` projections.idp_templates6_saml.binding,` + ` projections.idp_templates6_saml.with_signed_request,` + + ` projections.idp_templates6_saml.name_id_format,` + + ` projections.idp_templates6_saml.transient_mapping_attribute_name,` + // ldap ` projections.idp_templates6_ldap2.idp_id,` + ` projections.idp_templates6_ldap2.servers,` + @@ -457,6 +463,8 @@ var ( "certificate", "binding", "with_signed_request", + "name_id_format", + "transient_mapping_attribute_name", // ldap config "idp_id", "servers", @@ -608,6 +616,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -756,6 +766,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -902,6 +914,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -1047,6 +1061,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -1191,6 +1207,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -1335,6 +1353,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -1480,6 +1500,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -1624,6 +1646,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, "binding", false, + domain.SAMLNameIDFormatTransient, + "customAttribute", // ldap config nil, nil, @@ -1674,12 +1698,14 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { IsAutoUpdate: true, AutoLinking: domain.AutoLinkingOptionUsername, SAMLIDPTemplate: &SAMLIDPTemplate{ - IDPID: "idp-id", - Metadata: []byte("metadata"), - Key: nil, - Certificate: nil, - Binding: "binding", - WithSignedRequest: false, + IDPID: "idp-id", + Metadata: []byte("metadata"), + Key: nil, + Certificate: nil, + Binding: "binding", + WithSignedRequest: false, + NameIDFormat: sql.Null[domain.SAMLNameIDFormat]{V: domain.SAMLNameIDFormatTransient, Valid: true}, + TransientMappingAttributeName: "customAttribute", }, }, }, @@ -1770,6 +1796,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config "idp-id", database.TextArray[string]{"server"}, @@ -1934,6 +1962,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -2080,6 +2110,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -2254,6 +2286,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config "idp-id", database.TextArray[string]{"server"}, @@ -2427,6 +2461,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -2574,6 +2610,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config "idp-id-ldap", database.TextArray[string]{"server"}, @@ -2686,6 +2724,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, "binding", false, + domain.SAMLNameIDFormatTransient, + "customAttribute", // ldap config nil, nil, @@ -2798,6 +2838,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -2910,6 +2952,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -3022,6 +3066,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -3134,6 +3180,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { nil, nil, nil, + nil, + nil, // ldap config nil, nil, @@ -3232,12 +3280,14 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) { IsAutoUpdate: true, AutoLinking: domain.AutoLinkingOptionUsername, SAMLIDPTemplate: &SAMLIDPTemplate{ - IDPID: "idp-id-saml", - Metadata: []byte("metadata"), - Key: nil, - Certificate: nil, - Binding: "binding", - WithSignedRequest: false, + IDPID: "idp-id-saml", + Metadata: []byte("metadata"), + Key: nil, + Certificate: nil, + Binding: "binding", + WithSignedRequest: false, + NameIDFormat: sql.Null[domain.SAMLNameIDFormat]{V: domain.SAMLNameIDFormatTransient, Valid: true}, + TransientMappingAttributeName: "customAttribute", }, }, { diff --git a/internal/query/instance_features.go b/internal/query/instance_features.go index a362b6a5ad..12d8e0d80d 100644 --- a/internal/query/instance_features.go +++ b/internal/query/instance_features.go @@ -4,6 +4,7 @@ import ( "context" "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/feature" ) type InstanceFeatures struct { @@ -14,6 +15,7 @@ type InstanceFeatures struct { UserSchema FeatureSource[bool] TokenExchange FeatureSource[bool] Actions FeatureSource[bool] + ImprovedPerformance FeatureSource[[]feature.ImprovedPerformanceType] } func (q *Queries) GetInstanceFeatures(ctx context.Context, cascade bool) (_ *InstanceFeatures, err error) { diff --git a/internal/query/instance_features_model.go b/internal/query/instance_features_model.go index 068e56a23c..215442c911 100644 --- a/internal/query/instance_features_model.go +++ b/internal/query/instance_features_model.go @@ -36,11 +36,14 @@ func (m *InstanceFeaturesReadModel) Reduce() (err error) { case *feature_v2.ResetEvent: m.reduceReset() case *feature_v1.SetEvent[feature_v1.Boolean]: - err = m.reduceBoolFeature( + err = reduceInstanceFeatureSet( + m.instance, feature_v1.DefaultLoginInstanceEventToV2(e), ) case *feature_v2.SetEvent[bool]: - err = m.reduceBoolFeature(e) + err = reduceInstanceFeatureSet(m.instance, e) + case *feature_v2.SetEvent[[]feature.ImprovedPerformanceType]: + err = reduceInstanceFeatureSet(m.instance, e) } if err != nil { return err @@ -63,6 +66,7 @@ func (m *InstanceFeaturesReadModel) Query() *eventstore.SearchQueryBuilder { feature_v2.InstanceUserSchemaEventType, feature_v2.InstanceTokenExchangeEventType, feature_v2.InstanceActionsEventType, + feature_v2.InstanceImprovedPerformanceEventType, ). Builder().ResourceOwner(m.ResourceOwner) } @@ -71,12 +75,8 @@ func (m *InstanceFeaturesReadModel) reduceReset() { if m.populateFromSystem() { return } - m.instance.LoginDefaultOrg = FeatureSource[bool]{} - m.instance.TriggerIntrospectionProjections = FeatureSource[bool]{} - m.instance.LegacyIntrospection = FeatureSource[bool]{} - m.instance.UserSchema = FeatureSource[bool]{} - m.instance.TokenExchange = FeatureSource[bool]{} - m.instance.Actions = FeatureSource[bool]{} + m.instance = nil + m.instance = new(InstanceFeatures) } func (m *InstanceFeaturesReadModel) populateFromSystem() bool { @@ -89,35 +89,32 @@ func (m *InstanceFeaturesReadModel) populateFromSystem() bool { m.instance.UserSchema = m.system.UserSchema m.instance.TokenExchange = m.system.TokenExchange m.instance.Actions = m.system.Actions + m.instance.ImprovedPerformance = m.system.ImprovedPerformance return true } -func (m *InstanceFeaturesReadModel) reduceBoolFeature(event *feature_v2.SetEvent[bool]) error { +func reduceInstanceFeatureSet[T any](features *InstanceFeatures, event *feature_v2.SetEvent[T]) error { level, key, err := event.FeatureInfo() if err != nil { return err } - var dst *FeatureSource[bool] - switch key { case feature.KeyUnspecified: return nil case feature.KeyLoginDefaultOrg: - dst = &m.instance.LoginDefaultOrg + features.LoginDefaultOrg.set(level, event.Value) case feature.KeyTriggerIntrospectionProjections: - dst = &m.instance.TriggerIntrospectionProjections + features.TriggerIntrospectionProjections.set(level, event.Value) case feature.KeyLegacyIntrospection: - dst = &m.instance.LegacyIntrospection + features.LegacyIntrospection.set(level, event.Value) case feature.KeyUserSchema: - dst = &m.instance.UserSchema + features.UserSchema.set(level, event.Value) case feature.KeyTokenExchange: - dst = &m.instance.TokenExchange + features.TokenExchange.set(level, event.Value) case feature.KeyActions: - dst = &m.instance.Actions - } - *dst = FeatureSource[bool]{ - Level: level, - Value: event.Value, + features.Actions.set(level, event.Value) + case feature.KeyImprovedPerformance: + features.ImprovedPerformance.set(level, event.Value) } return nil } diff --git a/internal/query/org.go b/internal/query/org.go index eaeaf6eb29..27bdfada76 100644 --- a/internal/query/org.go +++ b/internal/query/org.go @@ -13,8 +13,11 @@ import ( "github.com/zitadel/zitadel/internal/api/call" domain_pkg "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore/handler/v2" + "github.com/zitadel/zitadel/internal/feature" "github.com/zitadel/zitadel/internal/query/projection" "github.com/zitadel/zitadel/internal/telemetry/tracing" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/v2/readmodel" "github.com/zitadel/zitadel/internal/zerrors" ) @@ -52,8 +55,9 @@ var ( table: orgsTable, } OrgColumnName = Column{ - name: projection.OrgColumnName, - table: orgsTable, + name: projection.OrgColumnName, + table: orgsTable, + isOrderByLower: true, } OrgColumnDomain = Column{ name: projection.OrgColumnDomain, @@ -91,7 +95,44 @@ func (q *OrgSearchQueries) toQuery(query sq.SelectBuilder) sq.SelectBuilder { return query } -func (q *Queries) OrgByID(ctx context.Context, shouldTriggerBulk bool, id string) (org *Org, err error) { +func (q *Queries) OrgByID(ctx context.Context, shouldTriggerBulk bool, id string) (_ *Org, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + if !authz.GetInstance(ctx).Features().ShouldUseImprovedPerformance(feature.ImprovedPerformanceTypeOrgByID) { + return q.oldOrgByID(ctx, shouldTriggerBulk, id) + } + + foundOrg := readmodel.NewOrg(id) + eventCount, err := q.eventStoreV4.Query( + ctx, + eventstore.NewQuery( + authz.GetInstance(ctx).InstanceID(), + foundOrg, + eventstore.AppendFilters(foundOrg.Filter()...), + ), + ) + if err != nil { + return nil, zerrors.ThrowInternal(err, "QUERY-AWx52", "Errors.Query.SQLStatement") + } + + if eventCount == 0 { + return nil, zerrors.ThrowNotFound(nil, "QUERY-leq5Q", "Errors.Org.NotFound") + } + + return &Org{ + ID: foundOrg.ID, + CreationDate: foundOrg.CreationDate, + ChangeDate: foundOrg.ChangeDate, + ResourceOwner: foundOrg.Owner, + State: domain_pkg.OrgState(foundOrg.State.State), + Sequence: uint64(foundOrg.Sequence), + Name: foundOrg.Name, + Domain: foundOrg.PrimaryDomain.Domain, + }, nil +} + +func (q *Queries) oldOrgByID(ctx context.Context, shouldTriggerBulk bool, id string) (org *Org, err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() diff --git a/internal/query/privacy_policy.go b/internal/query/privacy_policy.go index 5540c34f5f..59394e92b1 100644 --- a/internal/query/privacy_policy.go +++ b/internal/query/privacy_policy.go @@ -26,10 +26,13 @@ type PrivacyPolicy struct { ResourceOwner string State domain.PolicyState - TOSLink string - PrivacyLink string - HelpLink string - SupportEmail domain.EmailAddress + TOSLink string + PrivacyLink string + HelpLink string + SupportEmail domain.EmailAddress + DocsLink string + CustomLink string + CustomLinkText string IsDefault bool } @@ -91,6 +94,18 @@ var ( name: projection.PrivacyPolicyOwnerRemovedCol, table: privacyTable, } + PrivacyColDocsLink = Column{ + name: projection.PrivacyPolicyDocsLinkCol, + table: privacyTable, + } + PrivacyColCustomLink = Column{ + name: projection.PrivacyPolicyCustomLinkCol, + table: privacyTable, + } + PrivacyColCustomLinkText = Column{ + name: projection.PrivacyPolicyCustomLinkTextCol, + table: privacyTable, + } ) func (q *Queries) PrivacyPolicyByOrg(ctx context.Context, shouldTriggerBulk bool, orgID string, withOwnerRemoved bool) (policy *PrivacyPolicy, err error) { @@ -168,6 +183,9 @@ func preparePrivacyPolicyQuery(ctx context.Context, db prepareDatabase) (sq.Sele PrivacyColTOSLink.identifier(), PrivacyColHelpLink.identifier(), PrivacyColSupportEmail.identifier(), + PrivacyColDocsLink.identifier(), + PrivacyColCustomLink.identifier(), + PrivacyColCustomLinkText.identifier(), PrivacyColIsDefault.identifier(), PrivacyColState.identifier(), ). @@ -185,6 +203,9 @@ func preparePrivacyPolicyQuery(ctx context.Context, db prepareDatabase) (sq.Sele &policy.TOSLink, &policy.HelpLink, &policy.SupportEmail, + &policy.DocsLink, + &policy.CustomLink, + &policy.CustomLinkText, &policy.IsDefault, &policy.State, ) @@ -200,10 +221,13 @@ func preparePrivacyPolicyQuery(ctx context.Context, db prepareDatabase) (sq.Sele func (p *PrivacyPolicy) ToDomain() *domain.PrivacyPolicy { return &domain.PrivacyPolicy{ - TOSLink: p.TOSLink, - PrivacyLink: p.PrivacyLink, - HelpLink: p.HelpLink, - SupportEmail: p.SupportEmail, - Default: p.IsDefault, + TOSLink: p.TOSLink, + PrivacyLink: p.PrivacyLink, + HelpLink: p.HelpLink, + SupportEmail: p.SupportEmail, + Default: p.IsDefault, + DocsLink: p.DocsLink, + CustomLink: p.CustomLink, + CustomLinkText: p.CustomLinkText, } } diff --git a/internal/query/privacy_policy_test.go b/internal/query/privacy_policy_test.go index 55671eef6d..ade541d0cc 100644 --- a/internal/query/privacy_policy_test.go +++ b/internal/query/privacy_policy_test.go @@ -13,18 +13,21 @@ import ( ) var ( - preparePrivacyPolicyStmt = `SELECT projections.privacy_policies3.id,` + - ` projections.privacy_policies3.sequence,` + - ` projections.privacy_policies3.creation_date,` + - ` projections.privacy_policies3.change_date,` + - ` projections.privacy_policies3.resource_owner,` + - ` projections.privacy_policies3.privacy_link,` + - ` projections.privacy_policies3.tos_link,` + - ` projections.privacy_policies3.help_link,` + - ` projections.privacy_policies3.support_email,` + - ` projections.privacy_policies3.is_default,` + - ` projections.privacy_policies3.state` + - ` FROM projections.privacy_policies3` + + preparePrivacyPolicyStmt = `SELECT projections.privacy_policies4.id,` + + ` projections.privacy_policies4.sequence,` + + ` projections.privacy_policies4.creation_date,` + + ` projections.privacy_policies4.change_date,` + + ` projections.privacy_policies4.resource_owner,` + + ` projections.privacy_policies4.privacy_link,` + + ` projections.privacy_policies4.tos_link,` + + ` projections.privacy_policies4.help_link,` + + ` projections.privacy_policies4.support_email,` + + ` projections.privacy_policies4.docs_link,` + + ` projections.privacy_policies4.custom_link,` + + ` projections.privacy_policies4.custom_link_text,` + + ` projections.privacy_policies4.is_default,` + + ` projections.privacy_policies4.state` + + ` FROM projections.privacy_policies4` + ` AS OF SYSTEM TIME '-1 ms'` preparePrivacyPolicyCols = []string{ "id", @@ -36,6 +39,9 @@ var ( "tos_link", "help_link", "support_email", + "docs_link", + "custom_link", + "custom_link_text", "is_default", "state", } @@ -87,23 +93,29 @@ func Test_PrivacyPolicyPrepares(t *testing.T) { "tos.ch", "help.ch", "support@example.com", + "zitadel.com/docs", + "zitadel.com", + "Zitadel", true, domain.PolicyStateActive, }, ), }, object: &PrivacyPolicy{ - ID: "pol-id", - CreationDate: testNow, - ChangeDate: testNow, - Sequence: 20211109, - ResourceOwner: "ro", - State: domain.PolicyStateActive, - PrivacyLink: "privacy.ch", - TOSLink: "tos.ch", - HelpLink: "help.ch", - SupportEmail: "support@example.com", - IsDefault: true, + ID: "pol-id", + CreationDate: testNow, + ChangeDate: testNow, + Sequence: 20211109, + ResourceOwner: "ro", + State: domain.PolicyStateActive, + PrivacyLink: "privacy.ch", + TOSLink: "tos.ch", + HelpLink: "help.ch", + SupportEmail: "support@example.com", + DocsLink: "zitadel.com/docs", + CustomLink: "zitadel.com", + CustomLinkText: "Zitadel", + IsDefault: true, }, }, { diff --git a/internal/query/projection/device_auth.go b/internal/query/projection/device_auth.go index 4fd3be5510..5a620ab93b 100644 --- a/internal/query/projection/device_auth.go +++ b/internal/query/projection/device_auth.go @@ -74,6 +74,10 @@ func (p *deviceAuthRequestProjection) Reducers() []handler.AggregateReducer { Event: deviceauth.CanceledEventType, Reduce: p.reduceDoneEvents, }, + { + Event: deviceauth.DoneEventType, + Reduce: p.reduceDoneEvents, + }, }, }, } @@ -103,7 +107,7 @@ func (p *deviceAuthRequestProjection) reduceAdded(event eventstore.Event) (*hand // reduceDoneEvents removes the device auth request from the projection. func (p *deviceAuthRequestProjection) reduceDoneEvents(event eventstore.Event) (*handler.Statement, error) { switch event.(type) { - case *deviceauth.ApprovedEvent, *deviceauth.CanceledEvent: + case *deviceauth.ApprovedEvent, *deviceauth.CanceledEvent, *deviceauth.DoneEvent: return handler.NewDeleteStatement(event, []handler.Condition{ handler.NewCond(DeviceAuthRequestColumnInstanceID, event.Aggregate().InstanceID), diff --git a/internal/query/projection/idp_template.go b/internal/query/projection/idp_template.go index 1ecd9d654f..a9d38cfebb 100644 --- a/internal/query/projection/idp_template.go +++ b/internal/query/projection/idp_template.go @@ -161,13 +161,15 @@ const ( ApplePrivateKeyCol = "private_key" AppleScopesCol = "scopes" - SAMLIDCol = "idp_id" - SAMLInstanceIDCol = "instance_id" - SAMLMetadataCol = "metadata" - SAMLKeyCol = "key" - SAMLCertificateCol = "certificate" - SAMLBindingCol = "binding" - SAMLWithSignedRequestCol = "with_signed_request" + SAMLIDCol = "idp_id" + SAMLInstanceIDCol = "instance_id" + SAMLMetadataCol = "metadata" + SAMLKeyCol = "key" + SAMLCertificateCol = "certificate" + SAMLBindingCol = "binding" + SAMLWithSignedRequestCol = "with_signed_request" + SAMLNameIDFormatCol = "name_id_format" + SAMLTransientMappingAttributeName = "transient_mapping_attribute_name" ) type idpTemplateProjection struct{} @@ -367,6 +369,8 @@ func (*idpTemplateProjection) Init() *old_handler.Check { handler.NewColumn(SAMLCertificateCol, handler.ColumnTypeBytes), handler.NewColumn(SAMLBindingCol, handler.ColumnTypeText, handler.Nullable()), handler.NewColumn(SAMLWithSignedRequestCol, handler.ColumnTypeBool, handler.Nullable()), + handler.NewColumn(SAMLNameIDFormatCol, handler.ColumnTypeEnum, handler.Nullable()), + handler.NewColumn(SAMLTransientMappingAttributeName, handler.ColumnTypeText, handler.Nullable()), }, handler.NewPrimaryKey(SAMLInstanceIDCol, SAMLIDCol), IDPTemplateSAMLSuffix, @@ -1967,6 +1971,20 @@ func (p *idpTemplateProjection) reduceSAMLIDPAdded(event eventstore.Event) (*han return nil, zerrors.ThrowInvalidArgumentf(nil, "HANDL-9s02m1", "reduce.wrong.event.type %v", []eventstore.EventType{org.SAMLIDPAddedEventType, instance.SAMLIDPAddedEventType}) } + columns := []handler.Column{ + handler.NewCol(SAMLIDCol, idpEvent.ID), + handler.NewCol(SAMLInstanceIDCol, idpEvent.Aggregate().InstanceID), + handler.NewCol(SAMLMetadataCol, idpEvent.Metadata), + handler.NewCol(SAMLKeyCol, idpEvent.Key), + handler.NewCol(SAMLCertificateCol, idpEvent.Certificate), + handler.NewCol(SAMLBindingCol, idpEvent.Binding), + handler.NewCol(SAMLWithSignedRequestCol, idpEvent.WithSignedRequest), + handler.NewCol(SAMLTransientMappingAttributeName, idpEvent.TransientMappingAttributeName), + } + if idpEvent.NameIDFormat != nil { + columns = append(columns, handler.NewCol(SAMLNameIDFormatCol, *idpEvent.NameIDFormat)) + } + return handler.NewMultiStatement( &idpEvent, handler.AddCreateStatement( @@ -1989,15 +2007,7 @@ func (p *idpTemplateProjection) reduceSAMLIDPAdded(event eventstore.Event) (*han }, ), handler.AddCreateStatement( - []handler.Column{ - handler.NewCol(SAMLIDCol, idpEvent.ID), - handler.NewCol(SAMLInstanceIDCol, idpEvent.Aggregate().InstanceID), - handler.NewCol(SAMLMetadataCol, idpEvent.Metadata), - handler.NewCol(SAMLKeyCol, idpEvent.Key), - handler.NewCol(SAMLCertificateCol, idpEvent.Certificate), - handler.NewCol(SAMLBindingCol, idpEvent.Binding), - handler.NewCol(SAMLWithSignedRequestCol, idpEvent.WithSignedRequest), - }, + columns, handler.WithTableSuffix(IDPTemplateSAMLSuffix), ), ), nil @@ -2490,5 +2500,11 @@ func reduceSAMLIDPChangedColumns(idpEvent idp.SAMLIDPChangedEvent) []handler.Col if idpEvent.WithSignedRequest != nil { SAMLCols = append(SAMLCols, handler.NewCol(SAMLWithSignedRequestCol, *idpEvent.WithSignedRequest)) } + if idpEvent.NameIDFormat != nil { + SAMLCols = append(SAMLCols, handler.NewCol(SAMLNameIDFormatCol, *idpEvent.NameIDFormat)) + } + if idpEvent.TransientMappingAttributeName != nil { + SAMLCols = append(SAMLCols, handler.NewCol(SAMLTransientMappingAttributeName, *idpEvent.TransientMappingAttributeName)) + } return SAMLCols } diff --git a/internal/query/projection/idp_template_test.go b/internal/query/projection/idp_template_test.go index d463054af7..6f096a94ce 100644 --- a/internal/query/projection/idp_template_test.go +++ b/internal/query/projection/idp_template_test.go @@ -2774,6 +2774,8 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) { }, "certificate": `+stringToJSONByte("certificate")+`, "binding": "binding", + "nameIDFormat": 3, + "transientMappingAttributeName": "customAttribute", "withSignedRequest": true, "isCreationAllowed": true, "isLinkingAllowed": true, @@ -2810,7 +2812,7 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) { }, }, { - expectedStmt: "INSERT INTO projections.idp_templates6_saml (idp_id, instance_id, metadata, key, certificate, binding, with_signed_request) VALUES ($1, $2, $3, $4, $5, $6, $7)", + expectedStmt: "INSERT INTO projections.idp_templates6_saml (idp_id, instance_id, metadata, key, certificate, binding, with_signed_request, transient_mapping_attribute_name, name_id_format) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)", expectedArgs: []interface{}{ "idp-id", "instance-id", @@ -2819,6 +2821,8 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) { anyArg{}, "binding", true, + "customAttribute", + domain.SAMLNameIDFormatTransient, }, }, }, @@ -2842,6 +2846,8 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) { }, "certificate": `+stringToJSONByte("certificate")+`, "binding": "binding", + "nameIDFormat": 3, + "transientMappingAttributeName": "customAttribute", "withSignedRequest": true, "isCreationAllowed": true, "isLinkingAllowed": true, @@ -2878,7 +2884,7 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) { }, }, { - expectedStmt: "INSERT INTO projections.idp_templates6_saml (idp_id, instance_id, metadata, key, certificate, binding, with_signed_request) VALUES ($1, $2, $3, $4, $5, $6, $7)", + expectedStmt: "INSERT INTO projections.idp_templates6_saml (idp_id, instance_id, metadata, key, certificate, binding, with_signed_request, transient_mapping_attribute_name, name_id_format) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)", expectedArgs: []interface{}{ "idp-id", "instance-id", @@ -2887,6 +2893,8 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) { anyArg{}, "binding", true, + "customAttribute", + domain.SAMLNameIDFormatTransient, }, }, }, diff --git a/internal/query/projection/instance_features.go b/internal/query/projection/instance_features.go index ebb388da89..06090a2f5d 100644 --- a/internal/query/projection/instance_features.go +++ b/internal/query/projection/instance_features.go @@ -6,6 +6,7 @@ import ( "github.com/zitadel/zitadel/internal/eventstore" old_handler "github.com/zitadel/zitadel/internal/eventstore/handler" "github.com/zitadel/zitadel/internal/eventstore/handler/v2" + "github.com/zitadel/zitadel/internal/feature" feature_v1 "github.com/zitadel/zitadel/internal/repository/feature" "github.com/zitadel/zitadel/internal/repository/feature/feature_v2" "github.com/zitadel/zitadel/internal/repository/instance" @@ -83,6 +84,10 @@ func (*instanceFeatureProjection) Reducers() []handler.AggregateReducer { Event: feature_v2.InstanceActionsEventType, Reduce: reduceInstanceSetFeature[bool], }, + { + Event: feature_v2.InstanceImprovedPerformanceEventType, + Reduce: reduceInstanceSetFeature[[]feature.ImprovedPerformanceType], + }, { Event: instance.InstanceRemovedEventType, Reduce: reduceInstanceRemovedHelper(InstanceDomainInstanceIDCol), diff --git a/internal/query/projection/privacy_policy.go b/internal/query/projection/privacy_policy.go index 2bec8fea18..1fb4c4acb8 100644 --- a/internal/query/projection/privacy_policy.go +++ b/internal/query/projection/privacy_policy.go @@ -14,21 +14,24 @@ import ( ) const ( - PrivacyPolicyTable = "projections.privacy_policies3" + PrivacyPolicyTable = "projections.privacy_policies4" - PrivacyPolicyIDCol = "id" - PrivacyPolicyCreationDateCol = "creation_date" - PrivacyPolicyChangeDateCol = "change_date" - PrivacyPolicySequenceCol = "sequence" - PrivacyPolicyStateCol = "state" - PrivacyPolicyIsDefaultCol = "is_default" - PrivacyPolicyResourceOwnerCol = "resource_owner" - PrivacyPolicyInstanceIDCol = "instance_id" - PrivacyPolicyPrivacyLinkCol = "privacy_link" - PrivacyPolicyTOSLinkCol = "tos_link" - PrivacyPolicyHelpLinkCol = "help_link" - PrivacyPolicySupportEmailCol = "support_email" - PrivacyPolicyOwnerRemovedCol = "owner_removed" + PrivacyPolicyIDCol = "id" + PrivacyPolicyCreationDateCol = "creation_date" + PrivacyPolicyChangeDateCol = "change_date" + PrivacyPolicySequenceCol = "sequence" + PrivacyPolicyStateCol = "state" + PrivacyPolicyIsDefaultCol = "is_default" + PrivacyPolicyResourceOwnerCol = "resource_owner" + PrivacyPolicyInstanceIDCol = "instance_id" + PrivacyPolicyPrivacyLinkCol = "privacy_link" + PrivacyPolicyTOSLinkCol = "tos_link" + PrivacyPolicyHelpLinkCol = "help_link" + PrivacyPolicySupportEmailCol = "support_email" + PrivacyPolicyDocsLinkCol = "docs_link" + PrivacyPolicyCustomLinkCol = "custom_link" + PrivacyPolicyCustomLinkTextCol = "custom_link_text" + PrivacyPolicyOwnerRemovedCol = "owner_removed" ) type privacyPolicyProjection struct{} @@ -56,6 +59,9 @@ func (*privacyPolicyProjection) Init() *old_handler.Check { handler.NewColumn(PrivacyPolicyTOSLinkCol, handler.ColumnTypeText), handler.NewColumn(PrivacyPolicyHelpLinkCol, handler.ColumnTypeText), handler.NewColumn(PrivacyPolicySupportEmailCol, handler.ColumnTypeText), + handler.NewColumn(PrivacyPolicyDocsLinkCol, handler.ColumnTypeText, handler.Default("https://zitadel.com/docs")), + handler.NewColumn(PrivacyPolicyCustomLinkCol, handler.ColumnTypeText), + handler.NewColumn(PrivacyPolicyCustomLinkTextCol, handler.ColumnTypeText), handler.NewColumn(PrivacyPolicyOwnerRemovedCol, handler.ColumnTypeBool, handler.Default(false)), }, handler.NewPrimaryKey(PrivacyPolicyInstanceIDCol, PrivacyPolicyIDCol), @@ -132,6 +138,9 @@ func (p *privacyPolicyProjection) reduceAdded(event eventstore.Event) (*handler. handler.NewCol(PrivacyPolicyTOSLinkCol, policyEvent.TOSLink), handler.NewCol(PrivacyPolicyHelpLinkCol, policyEvent.HelpLink), handler.NewCol(PrivacyPolicySupportEmailCol, policyEvent.SupportEmail), + handler.NewCol(PrivacyPolicyDocsLinkCol, policyEvent.DocsLink), + handler.NewCol(PrivacyPolicyCustomLinkCol, policyEvent.CustomLink), + handler.NewCol(PrivacyPolicyCustomLinkTextCol, policyEvent.CustomLinkText), handler.NewCol(PrivacyPolicyIsDefaultCol, isDefault), handler.NewCol(PrivacyPolicyResourceOwnerCol, policyEvent.Aggregate().ResourceOwner), handler.NewCol(PrivacyPolicyInstanceIDCol, policyEvent.Aggregate().InstanceID), @@ -164,6 +173,15 @@ func (p *privacyPolicyProjection) reduceChanged(event eventstore.Event) (*handle if policyEvent.SupportEmail != nil { cols = append(cols, handler.NewCol(PrivacyPolicySupportEmailCol, *policyEvent.SupportEmail)) } + if policyEvent.DocsLink != nil { + cols = append(cols, handler.NewCol(PrivacyPolicyDocsLinkCol, *policyEvent.DocsLink)) + } + if policyEvent.CustomLink != nil { + cols = append(cols, handler.NewCol(PrivacyPolicyCustomLinkCol, *policyEvent.CustomLink)) + } + if policyEvent.CustomLinkText != nil { + cols = append(cols, handler.NewCol(PrivacyPolicyCustomLinkTextCol, *policyEvent.CustomLinkText)) + } return handler.NewUpdateStatement( &policyEvent, cols, diff --git a/internal/query/projection/privacy_policy_test.go b/internal/query/projection/privacy_policy_test.go index 2d768f7e4b..fadd121e73 100644 --- a/internal/query/projection/privacy_policy_test.go +++ b/internal/query/projection/privacy_policy_test.go @@ -32,6 +32,9 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { "tosLink": "http://tos.link", "privacyLink": "http://privacy.link", "helpLink": "http://help.link", + "docsLink": "http://docs.link", + "customLink": "http://custom.link", + "customLinkText": "Custom Link", "supportEmail": "support@example.com"}`), ), org.PrivacyPolicyAddedEventMapper), }, @@ -42,7 +45,7 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { executer: &testExecuter{ executions: []execution{ { - expectedStmt: "INSERT INTO projections.privacy_policies3 (creation_date, change_date, sequence, id, state, privacy_link, tos_link, help_link, support_email, is_default, resource_owner, instance_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)", + expectedStmt: "INSERT INTO projections.privacy_policies4 (creation_date, change_date, sequence, id, state, privacy_link, tos_link, help_link, support_email, docs_link, custom_link, custom_link_text, is_default, resource_owner, instance_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15)", expectedArgs: []interface{}{ anyArg{}, anyArg{}, @@ -53,6 +56,9 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { "http://tos.link", "http://help.link", domain.EmailAddress("support@example.com"), + "http://docs.link", + "http://custom.link", + "Custom Link", false, "ro-id", "instance-id", @@ -74,6 +80,9 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { "tosLink": "http://tos.link", "privacyLink": "http://privacy.link", "helpLink": "http://help.link", + "docsLink": "http://docs.link", + "customLink": "http://custom.link", + "customLinkText": "Custom Link", "supportEmail": "support@example.com"}`), ), org.PrivacyPolicyChangedEventMapper), }, @@ -83,7 +92,7 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { executer: &testExecuter{ executions: []execution{ { - expectedStmt: "UPDATE projections.privacy_policies3 SET (change_date, sequence, privacy_link, tos_link, help_link, support_email) = ($1, $2, $3, $4, $5, $6) WHERE (id = $7) AND (instance_id = $8)", + expectedStmt: "UPDATE projections.privacy_policies4 SET (change_date, sequence, privacy_link, tos_link, help_link, support_email, docs_link, custom_link, custom_link_text) = ($1, $2, $3, $4, $5, $6, $7, $8, $9) WHERE (id = $10) AND (instance_id = $11)", expectedArgs: []interface{}{ anyArg{}, uint64(15), @@ -91,6 +100,9 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { "http://tos.link", "http://help.link", domain.EmailAddress("support@example.com"), + "http://docs.link", + "http://custom.link", + "Custom Link", "agg-id", "instance-id", }, @@ -116,7 +128,7 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { executer: &testExecuter{ executions: []execution{ { - expectedStmt: "DELETE FROM projections.privacy_policies3 WHERE (id = $1) AND (instance_id = $2)", + expectedStmt: "DELETE FROM projections.privacy_policies4 WHERE (id = $1) AND (instance_id = $2)", expectedArgs: []interface{}{ "agg-id", "instance-id", @@ -142,7 +154,7 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { executer: &testExecuter{ executions: []execution{ { - expectedStmt: "DELETE FROM projections.privacy_policies3 WHERE (instance_id = $1)", + expectedStmt: "DELETE FROM projections.privacy_policies4 WHERE (instance_id = $1)", expectedArgs: []interface{}{ "agg-id", }, @@ -163,6 +175,9 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { "tosLink": "http://tos.link", "privacyLink": "http://privacy.link", "helpLink": "http://help.link", + "docsLink": "http://docs.link", + "customLink": "http://custom.link", + "customLinkText": "Custom Link", "supportEmail": "support@example.com"}`), ), instance.PrivacyPolicyAddedEventMapper), }, @@ -172,7 +187,7 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { executer: &testExecuter{ executions: []execution{ { - expectedStmt: "INSERT INTO projections.privacy_policies3 (creation_date, change_date, sequence, id, state, privacy_link, tos_link, help_link, support_email, is_default, resource_owner, instance_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)", + expectedStmt: "INSERT INTO projections.privacy_policies4 (creation_date, change_date, sequence, id, state, privacy_link, tos_link, help_link, support_email, docs_link, custom_link, custom_link_text, is_default, resource_owner, instance_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15)", expectedArgs: []interface{}{ anyArg{}, anyArg{}, @@ -183,6 +198,9 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { "http://tos.link", "http://help.link", domain.EmailAddress("support@example.com"), + "http://docs.link", + "http://custom.link", + "Custom Link", true, "ro-id", "instance-id", @@ -204,6 +222,9 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { "tosLink": "http://tos.link", "privacyLink": "http://privacy.link", "helpLink": "http://help.link", + "docsLink": "http://docs.link", + "customLink": "http://custom.link", + "customLinkText": "Custom Link", "supportEmail": "support@example.com"}`), ), instance.PrivacyPolicyChangedEventMapper), }, @@ -213,7 +234,7 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { executer: &testExecuter{ executions: []execution{ { - expectedStmt: "UPDATE projections.privacy_policies3 SET (change_date, sequence, privacy_link, tos_link, help_link, support_email) = ($1, $2, $3, $4, $5, $6) WHERE (id = $7) AND (instance_id = $8)", + expectedStmt: "UPDATE projections.privacy_policies4 SET (change_date, sequence, privacy_link, tos_link, help_link, support_email, docs_link, custom_link, custom_link_text) = ($1, $2, $3, $4, $5, $6, $7, $8, $9) WHERE (id = $10) AND (instance_id = $11)", expectedArgs: []interface{}{ anyArg{}, uint64(15), @@ -221,6 +242,9 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { "http://tos.link", "http://help.link", domain.EmailAddress("support@example.com"), + "http://docs.link", + "http://custom.link", + "Custom Link", "agg-id", "instance-id", }, @@ -246,7 +270,7 @@ func TestPrivacyPolicyProjection_reduces(t *testing.T) { executer: &testExecuter{ executions: []execution{ { - expectedStmt: "DELETE FROM projections.privacy_policies3 WHERE (instance_id = $1) AND (resource_owner = $2)", + expectedStmt: "DELETE FROM projections.privacy_policies4 WHERE (instance_id = $1) AND (resource_owner = $2)", expectedArgs: []interface{}{ "instance-id", "agg-id", diff --git a/internal/query/projection/system_features.go b/internal/query/projection/system_features.go index 94c6282c49..158da7a616 100644 --- a/internal/query/projection/system_features.go +++ b/internal/query/projection/system_features.go @@ -6,6 +6,7 @@ import ( "github.com/zitadel/zitadel/internal/eventstore" old_handler "github.com/zitadel/zitadel/internal/eventstore/handler" "github.com/zitadel/zitadel/internal/eventstore/handler/v2" + "github.com/zitadel/zitadel/internal/feature" "github.com/zitadel/zitadel/internal/repository/feature/feature_v2" "github.com/zitadel/zitadel/internal/zerrors" ) @@ -75,6 +76,10 @@ func (*systemFeatureProjection) Reducers() []handler.AggregateReducer { Event: feature_v2.SystemActionsEventType, Reduce: reduceSystemSetFeature[bool], }, + { + Event: feature_v2.SystemImprovedPerformanceEventType, + Reduce: reduceSystemSetFeature[[]feature.ImprovedPerformanceType], + }, }, }} } diff --git a/internal/query/query.go b/internal/query/query.go index 6bae5f924e..8b8313625e 100644 --- a/internal/query/query.go +++ b/internal/query/query.go @@ -19,11 +19,14 @@ import ( "github.com/zitadel/zitadel/internal/eventstore/handler/v2" "github.com/zitadel/zitadel/internal/query/projection" "github.com/zitadel/zitadel/internal/telemetry/tracing" + es_v4 "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/v2/eventstore/postgres" ) type Queries struct { - eventstore *eventstore.Eventstore - client *database.DB + eventstore *eventstore.Eventstore + eventStoreV4 es_v4.Querier + client *database.DB keyEncryptionAlgorithm crypto.EncryptionAlgorithm idpConfigEncryption crypto.EncryptionAlgorithm @@ -56,6 +59,7 @@ func StartQueries( ) (repo *Queries, err error) { repo = &Queries{ eventstore: es, + eventStoreV4: postgres.New(querySqlClient), client: querySqlClient, DefaultLanguage: language.Und, LoginTranslationFileContents: make(map[string][]byte), diff --git a/internal/query/system_features.go b/internal/query/system_features.go index 65087e92dc..33e5f14b3a 100644 --- a/internal/query/system_features.go +++ b/internal/query/system_features.go @@ -12,6 +12,11 @@ type FeatureSource[T any] struct { Value T } +func (f *FeatureSource[T]) set(level feature.Level, value any) { + f.Level = level + f.Value = value.(T) +} + type SystemFeatures struct { Details *domain.ObjectDetails @@ -21,6 +26,7 @@ type SystemFeatures struct { UserSchema FeatureSource[bool] TokenExchange FeatureSource[bool] Actions FeatureSource[bool] + ImprovedPerformance FeatureSource[[]feature.ImprovedPerformanceType] } func (q *Queries) GetSystemFeatures(ctx context.Context) (_ *SystemFeatures, err error) { diff --git a/internal/query/system_features_model.go b/internal/query/system_features_model.go index 243dc4e6c4..9b185c3e8f 100644 --- a/internal/query/system_features_model.go +++ b/internal/query/system_features_model.go @@ -28,7 +28,12 @@ func (m *SystemFeaturesReadModel) Reduce() error { case *feature_v2.ResetEvent: m.reduceReset() case *feature_v2.SetEvent[bool]: - err := m.reduceBoolFeature(e) + err := reduceSystemFeatureSet(m.system, e) + if err != nil { + return err + } + case *feature_v2.SetEvent[[]feature.ImprovedPerformanceType]: + err := reduceSystemFeatureSet(m.system, e) if err != nil { return err } @@ -51,41 +56,38 @@ func (m *SystemFeaturesReadModel) Query() *eventstore.SearchQueryBuilder { feature_v2.SystemUserSchemaEventType, feature_v2.SystemTokenExchangeEventType, feature_v2.SystemActionsEventType, + feature_v2.SystemImprovedPerformanceEventType, ). Builder().ResourceOwner(m.ResourceOwner) } func (m *SystemFeaturesReadModel) reduceReset() { + m.system = nil m.system = new(SystemFeatures) } -func (m *SystemFeaturesReadModel) reduceBoolFeature(event *feature_v2.SetEvent[bool]) error { +func reduceSystemFeatureSet[T any](features *SystemFeatures, event *feature_v2.SetEvent[T]) error { level, key, err := event.FeatureInfo() if err != nil { return err } - var dst *FeatureSource[bool] - switch key { case feature.KeyUnspecified: return nil case feature.KeyLoginDefaultOrg: - dst = &m.system.LoginDefaultOrg + features.LoginDefaultOrg.set(level, event.Value) case feature.KeyTriggerIntrospectionProjections: - dst = &m.system.TriggerIntrospectionProjections + features.TriggerIntrospectionProjections.set(level, event.Value) case feature.KeyLegacyIntrospection: - dst = &m.system.LegacyIntrospection + features.LegacyIntrospection.set(level, event.Value) case feature.KeyUserSchema: - dst = &m.system.UserSchema + features.UserSchema.set(level, event.Value) case feature.KeyTokenExchange: - dst = &m.system.TokenExchange + features.TokenExchange.set(level, event.Value) case feature.KeyActions: - dst = &m.system.Actions - } - - *dst = FeatureSource[bool]{ - Level: level, - Value: event.Value, + features.Actions.set(level, event.Value) + case feature.KeyImprovedPerformance: + features.ImprovedPerformance.set(level, event.Value) } return nil } diff --git a/internal/query/targets_by_execution_id.sql b/internal/query/targets_by_execution_id.sql index 6b564104e5..f8248479b0 100644 --- a/internal/query/targets_by_execution_id.sql +++ b/internal/query/targets_by_execution_id.sql @@ -1,4 +1,18 @@ WITH RECURSIVE + matched AS (SELECT * + FROM projections.executions1 + WHERE instance_id = $1 + AND id = ANY($2) + ORDER BY id DESC + LIMIT 1), + matched_targets_and_includes AS (SELECT pos.* + FROM matched m + JOIN + projections.executions1_targets pos + ON m.id = pos.execution_id + AND m.instance_id = pos.instance_id + ORDER BY execution_id, + position), dissolved_execution_targets(execution_id, instance_id, position, "include", "target_id") AS (SELECT execution_id , instance_id @@ -16,21 +30,7 @@ WITH RECURSIVE JOIN projections.executions1_targets p ON e.instance_id = p.instance_id AND e.include IS NOT NULL - AND e.include = p.execution_id), - matched AS (SELECT * - FROM projections.executions1 - WHERE instance_id = $1 - AND id = ANY($2) - ORDER BY id DESC - LIMIT 1), - matched_targets_and_includes AS (SELECT pos.* - FROM matched m - JOIN - projections.executions1_targets pos - ON m.id = pos.execution_id - AND m.instance_id = pos.instance_id - ORDER BY execution_id, - position) + AND e.include = p.execution_id) select e.execution_id, e.instance_id, e.target_id, t.target_type, t.endpoint, t.timeout, t.interrupt_on_error FROM dissolved_execution_targets e JOIN projections.targets1 t diff --git a/internal/query/targets_by_execution_ids.sql b/internal/query/targets_by_execution_ids.sql index c1361d9320..749d9387b2 100644 --- a/internal/query/targets_by_execution_ids.sql +++ b/internal/query/targets_by_execution_ids.sql @@ -1,22 +1,4 @@ WITH RECURSIVE - dissolved_execution_targets(execution_id, instance_id, position, "include", "target_id") - AS (SELECT execution_id - , instance_id - , ARRAY [position] - , "include" - , "target_id" - FROM matched_targets_and_includes - UNION ALL - SELECT e.execution_id - , p.instance_id - , e.position || p.position - , p."include" - , p."target_id" - FROM dissolved_execution_targets e - JOIN projections.executions1_targets p - ON e.instance_id = p.instance_id - AND e.include IS NOT NULL - AND e.include = p.execution_id), matched AS ((SELECT * FROM projections.executions1 WHERE instance_id = $1 @@ -37,7 +19,25 @@ WITH RECURSIVE ON m.id = pos.execution_id AND m.instance_id = pos.instance_id ORDER BY execution_id, - position) + position), + dissolved_execution_targets(execution_id, instance_id, position, "include", "target_id") + AS (SELECT execution_id + , instance_id + , ARRAY [position] + , "include" + , "target_id" + FROM matched_targets_and_includes + UNION ALL + SELECT e.execution_id + , p.instance_id + , e.position || p.position + , p."include" + , p."target_id" + FROM dissolved_execution_targets e + JOIN projections.executions1_targets p + ON e.instance_id = p.instance_id + AND e.include IS NOT NULL + AND e.include = p.execution_id) select e.execution_id, e.instance_id, e.target_id, t.target_type, t.endpoint, t.timeout, t.interrupt_on_error FROM dissolved_execution_targets e JOIN projections.targets1 t diff --git a/internal/query/user_auth_method.go b/internal/query/user_auth_method.go index e39fb2a8e9..a350d75360 100644 --- a/internal/query/user_auth_method.go +++ b/internal/query/user_auth_method.go @@ -3,6 +3,7 @@ package query import ( "context" "database/sql" + "errors" "time" sq "github.com/Masterminds/squirrel" @@ -10,6 +11,7 @@ import ( "github.com/zitadel/zitadel/internal/api/authz" "github.com/zitadel/zitadel/internal/api/call" + "github.com/zitadel/zitadel/internal/database" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/query/projection" "github.com/zitadel/zitadel/internal/telemetry/tracing" @@ -69,8 +71,12 @@ var ( authMethodTypeTable = userAuthMethodTable.setAlias("auth_method_types") authMethodTypeUserID = UserAuthMethodColumnUserID.setTable(authMethodTypeTable) authMethodTypeInstanceID = UserAuthMethodColumnInstanceID.setTable(authMethodTypeTable) - authMethodTypeTypes = UserAuthMethodColumnMethodType.setTable(authMethodTypeTable) - authMethodTypeState = UserAuthMethodColumnState.setTable(authMethodTypeTable) + authMethodTypeType = UserAuthMethodColumnMethodType.setTable(authMethodTypeTable) + authMethodTypeTypes = Column{ + name: "method_types", + table: authMethodTypeTable, + } + authMethodTypeState = UserAuthMethodColumnState.setTable(authMethodTypeTable) userIDPsCountTable = idpUserLinkTable.setAlias("user_idps_count") userIDPsCountUserID = IDPUserLinkUserIDCol.setTable(userIDPsCountTable) @@ -172,11 +178,18 @@ func (q *Queries) ListActiveUserAuthMethodTypes(ctx context.Context, userID stri return userAuthMethodTypes, err } -func (q *Queries) ListUserAuthMethodTypesRequired(ctx context.Context, userID string) (userAuthMethodTypes []domain.UserAuthMethodType, forceMFA, forceMFALocalOnly bool, err error) { +type UserAuthMethodRequirements struct { + UserType domain.UserType + AuthMethods []domain.UserAuthMethodType + ForceMFA bool + ForceMFALocalOnly bool +} + +func (q *Queries) ListUserAuthMethodTypesRequired(ctx context.Context, userID string) (requirements *UserAuthMethodRequirements, err error) { ctxData := authz.GetCtxData(ctx) if ctxData.UserID != userID { if err := q.checkPermission(ctx, domain.PermissionUserRead, ctxData.OrgID, userID); err != nil { - return nil, false, false, err + return nil, err } } ctx, span := tracing.NewSpan(ctx) @@ -189,17 +202,17 @@ func (q *Queries) ListUserAuthMethodTypesRequired(ctx context.Context, userID st } stmt, args, err := query.Where(eq).ToSql() if err != nil { - return nil, false, false, zerrors.ThrowInvalidArgument(err, "QUERY-E5ut4", "Errors.Query.InvalidRequest") + return nil, zerrors.ThrowInvalidArgument(err, "QUERY-E5ut4", "Errors.Query.InvalidRequest") } - err = q.client.QueryContext(ctx, func(rows *sql.Rows) error { - userAuthMethodTypes, forceMFA, forceMFALocalOnly, err = scan(rows) + err = q.client.QueryRowContext(ctx, func(row *sql.Row) error { + requirements, err = scan(row) return err }, stmt, args...) if err != nil { - return nil, false, false, zerrors.ThrowInternal(err, "QUERY-Dun75", "Errors.Internal") + return nil, zerrors.ThrowInternal(err, "QUERY-Dun75", "Errors.Internal") } - return userAuthMethodTypes, forceMFA, forceMFALocalOnly, nil + return requirements, nil } func NewUserAuthMethodUserIDSearchQuery(value string) (SearchQuery, error) { @@ -353,7 +366,7 @@ func prepareActiveUserAuthMethodTypesQuery(ctx context.Context, db prepareDataba } return sq.Select( NotifyPasswordSetCol.identifier(), - authMethodTypeTypes.identifier(), + authMethodTypeType.identifier(), userIDPsCountCount.identifier()). From(userTable.identifier()). LeftJoin(join(NotifyUserIDCol, UserIDCol)). @@ -404,12 +417,12 @@ func prepareActiveUserAuthMethodTypesQuery(ctx context.Context, db prepareDataba } } -func prepareUserAuthMethodTypesRequiredQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (_ []domain.UserAuthMethodType, forceMFA, forceMFALocalOnly bool, err error)) { +func prepareUserAuthMethodTypesRequiredQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*UserAuthMethodRequirements, error)) { loginPolicyQuery, err := prepareAuthMethodsForceMFAQuery() if err != nil { return sq.SelectBuilder{}, nil } - authMethodsQuery, authMethodsArgs, err := prepareAuthMethodQuery() + authMethodsQuery, authMethodsArgs, err := prepareAggAuthMethodsQuery() if err != nil { return sq.SelectBuilder{}, nil } @@ -421,6 +434,7 @@ func prepareUserAuthMethodTypesRequiredQuery(ctx context.Context, db prepareData NotifyPasswordSetCol.identifier(), authMethodTypeTypes.identifier(), userIDPsCountCount.identifier(), + UserTypeCol.identifier(), forceMFAForce.identifier(), forceMFAForceLocalOnly.identifier()). From(userTable.identifier()). @@ -434,43 +448,44 @@ func prepareUserAuthMethodTypesRequiredQuery(ctx context.Context, db prepareData userIDPsCountInstanceID.identifier() + " = " + UserInstanceIDCol.identifier()). LeftJoin("(" + loginPolicyQuery + ") AS " + forceMFATable.alias + " ON " + "(" + forceMFAOrgID.identifier() + " = " + UserInstanceIDCol.identifier() + " OR " + forceMFAOrgID.identifier() + " = " + UserResourceOwnerCol.identifier() + ") AND " + - forceMFAInstanceID.identifier() + " = " + UserInstanceIDCol.identifier() + db.Timetravel(call.Took(ctx))). + forceMFAInstanceID.identifier() + " = " + UserInstanceIDCol.identifier()). + OrderBy(forceMFAIsDefault.identifier()). + Limit(1). PlaceholderFormat(sq.Dollar), - func(rows *sql.Rows) ([]domain.UserAuthMethodType, bool, bool, error) { - userAuthMethodTypes := make([]domain.UserAuthMethodType, 0) + func(row *sql.Row) (*UserAuthMethodRequirements, error) { var passwordSet sql.NullBool + var authMethodTypes database.NumberArray[domain.UserAuthMethodType] var idp sql.NullInt64 + var userType sql.NullInt32 var forceMFA sql.NullBool var forceMFALocalOnly sql.NullBool - for rows.Next() { - var authMethodType sql.NullInt16 - err := rows.Scan( - &passwordSet, - &authMethodType, - &idp, - &forceMFA, - &forceMFALocalOnly, - ) - if err != nil { - return nil, false, false, err - } - if authMethodType.Valid { - userAuthMethodTypes = append(userAuthMethodTypes, domain.UserAuthMethodType(authMethodType.Int16)) + err := row.Scan( + &passwordSet, + &authMethodTypes, + &idp, + &userType, + &forceMFA, + &forceMFALocalOnly, + ) + if err != nil { + if errors.Is(err, sql.ErrNoRows) { + return nil, zerrors.ThrowNotFound(err, "QUERY-SF3h2", "Errors.Internal") } + return nil, zerrors.ThrowInternal(err, "QUERY-Sf3rt", "Errors.Internal") } if passwordSet.Valid && passwordSet.Bool { - userAuthMethodTypes = append(userAuthMethodTypes, domain.UserAuthMethodTypePassword) + authMethodTypes = append(authMethodTypes, domain.UserAuthMethodTypePassword) } if idp.Valid && idp.Int64 > 0 { - logging.Error("IDP", idp.Int64) - userAuthMethodTypes = append(userAuthMethodTypes, domain.UserAuthMethodTypeIDP) + authMethodTypes = append(authMethodTypes, domain.UserAuthMethodTypeIDP) } - if err := rows.Close(); err != nil { - return nil, false, false, zerrors.ThrowInternal(err, "QUERY-W4zje", "Errors.Query.CloseRows") - } - - return userAuthMethodTypes, forceMFA.Bool, forceMFALocalOnly.Bool, nil + return &UserAuthMethodRequirements{ + UserType: domain.UserType(userType.Int32), + AuthMethods: authMethodTypes, + ForceMFA: forceMFA.Bool, + ForceMFALocalOnly: forceMFALocalOnly.Bool, + }, nil } } @@ -490,7 +505,7 @@ func prepareAuthMethodsIDPsQuery() (string, error) { func prepareAuthMethodQuery() (string, []interface{}, error) { return sq.Select( - "DISTINCT("+authMethodTypeTypes.identifier()+")", + "DISTINCT("+authMethodTypeType.identifier()+")", authMethodTypeUserID.identifier(), authMethodTypeInstanceID.identifier()). From(authMethodTypeTable.identifier()). @@ -498,15 +513,26 @@ func prepareAuthMethodQuery() (string, []interface{}, error) { ToSql() } +func prepareAggAuthMethodsQuery() (string, []interface{}, error) { + return sq.Select( + "array_agg(DISTINCT("+authMethodTypeType.identifier()+")) as method_types", + authMethodTypeUserID.identifier(), + authMethodTypeInstanceID.identifier()). + From(authMethodTypeTable.identifier()). + Where(sq.Eq{authMethodTypeState.identifier(): domain.MFAStateReady}). + GroupBy(authMethodTypeInstanceID.identifier(), authMethodTypeUserID.identifier()). + ToSql() +} + func prepareAuthMethodsForceMFAQuery() (string, error) { loginPolicyQuery, _, err := sq.Select( forceMFAForce.identifier(), forceMFAForceLocalOnly.identifier(), forceMFAInstanceID.identifier(), forceMFAOrgID.identifier(), + forceMFAIsDefault.identifier(), ). From(forceMFATable.identifier()). - OrderBy(forceMFAIsDefault.identifier()). ToSql() return loginPolicyQuery, err } diff --git a/internal/query/user_auth_method_test.go b/internal/query/user_auth_method_test.go index a4a66cac04..698667d990 100644 --- a/internal/query/user_auth_method_test.go +++ b/internal/query/user_auth_method_test.go @@ -11,7 +11,9 @@ import ( sq "github.com/Masterminds/squirrel" + "github.com/zitadel/zitadel/internal/database" "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/zerrors" ) var ( @@ -57,25 +59,27 @@ var ( "idps_count", } prepareAuthMethodTypesRequiredStmt = `SELECT projections.users12_notifications.password_set,` + - ` auth_method_types.method_type,` + + ` auth_method_types.method_types,` + ` user_idps_count.count,` + + ` projections.users12.type,` + ` auth_methods_force_mfa.force_mfa,` + ` auth_methods_force_mfa.force_mfa_local_only` + ` FROM projections.users12` + ` LEFT JOIN projections.users12_notifications ON projections.users12.id = projections.users12_notifications.user_id AND projections.users12.instance_id = projections.users12_notifications.instance_id` + - ` LEFT JOIN (SELECT DISTINCT(auth_method_types.method_type), auth_method_types.user_id, auth_method_types.instance_id FROM projections.user_auth_methods4 AS auth_method_types` + - ` WHERE auth_method_types.state = $1) AS auth_method_types` + + ` LEFT JOIN (SELECT array_agg(DISTINCT(auth_method_types.method_type)) as method_types, auth_method_types.user_id, auth_method_types.instance_id FROM projections.user_auth_methods4 AS auth_method_types` + + ` WHERE auth_method_types.state = $1 GROUP BY auth_method_types.instance_id, auth_method_types.user_id) AS auth_method_types` + ` ON auth_method_types.user_id = projections.users12.id AND auth_method_types.instance_id = projections.users12.instance_id` + ` LEFT JOIN (SELECT user_idps_count.user_id, user_idps_count.instance_id, COUNT(user_idps_count.user_id) AS count FROM projections.idp_user_links3 AS user_idps_count` + ` GROUP BY user_idps_count.user_id, user_idps_count.instance_id) AS user_idps_count` + ` ON user_idps_count.user_id = projections.users12.id AND user_idps_count.instance_id = projections.users12.instance_id` + - ` LEFT JOIN (SELECT auth_methods_force_mfa.force_mfa, auth_methods_force_mfa.force_mfa_local_only, auth_methods_force_mfa.instance_id, auth_methods_force_mfa.aggregate_id FROM projections.login_policies5 AS auth_methods_force_mfa ORDER BY auth_methods_force_mfa.is_default) AS auth_methods_force_mfa` + + ` LEFT JOIN (SELECT auth_methods_force_mfa.force_mfa, auth_methods_force_mfa.force_mfa_local_only, auth_methods_force_mfa.instance_id, auth_methods_force_mfa.aggregate_id, auth_methods_force_mfa.is_default FROM projections.login_policies5 AS auth_methods_force_mfa) AS auth_methods_force_mfa` + ` ON (auth_methods_force_mfa.aggregate_id = projections.users12.instance_id OR auth_methods_force_mfa.aggregate_id = projections.users12.resource_owner) AND auth_methods_force_mfa.instance_id = projections.users12.instance_id` + - ` AS OF SYSTEM TIME '-1 ms + ` ORDER BY auth_methods_force_mfa.is_default LIMIT 1 ` prepareAuthMethodTypesRequiredCols = []string{ "password_set", - "method_type", + "type", + "method_types", "idps_count", "force_mfa", "force_mfa_local_only", @@ -317,35 +321,33 @@ func Test_UserAuthMethodPrepares(t *testing.T) { }, { name: "prepareUserAuthMethodTypesRequiredQuery no result", - prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*testUserAuthMethodTypesRequired, error)) { + prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*UserAuthMethodRequirements, error)) { builder, scan := prepareUserAuthMethodTypesRequiredQuery(ctx, db) - return builder, func(rows *sql.Rows) (*testUserAuthMethodTypesRequired, error) { - authMethods, forceMFA, forceMFALocalOnly, err := scan(rows) - if err != nil { - return nil, err - } - return &testUserAuthMethodTypesRequired{authMethods: authMethods, forceMFA: forceMFA, forceMFALocalOnly: forceMFALocalOnly}, nil + return builder, func(row *sql.Row) (*UserAuthMethodRequirements, error) { + return scan(row) } }, want: want{ - sqlExpectations: mockQueries( + sqlExpectations: mockQueriesScanErr( regexp.QuoteMeta(prepareAuthMethodTypesRequiredStmt), nil, nil, ), + err: func(err error) (error, bool) { + if !zerrors.IsNotFound(err) { + return fmt.Errorf("err should be zitadel.NotFoundError got: %w", err), false + } + return nil, true + }, }, - object: &testUserAuthMethodTypesRequired{authMethods: []domain.UserAuthMethodType{}, forceMFA: false}, + object: (*UserAuthMethodRequirements)(nil), }, { name: "prepareUserAuthMethodTypesRequiredQuery one second factor", - prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*testUserAuthMethodTypesRequired, error)) { + prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*UserAuthMethodRequirements, error)) { builder, scan := prepareUserAuthMethodTypesRequiredQuery(ctx, db) - return builder, func(rows *sql.Rows) (*testUserAuthMethodTypesRequired, error) { - authMethods, forceMFA, forceMFALocalOnly, err := scan(rows) - if err != nil { - return nil, err - } - return &testUserAuthMethodTypesRequired{authMethods: authMethods, forceMFA: forceMFA, forceMFALocalOnly: forceMFALocalOnly}, nil + return builder, func(row *sql.Row) (*UserAuthMethodRequirements, error) { + return scan(row) } }, want: want{ @@ -355,34 +357,32 @@ func Test_UserAuthMethodPrepares(t *testing.T) { [][]driver.Value{ { true, - domain.UserAuthMethodTypePasswordless, + database.NumberArray[domain.UserAuthMethodType]{domain.UserAuthMethodTypePasswordless}, 1, + domain.UserTypeHuman, true, true, }, }, ), }, - object: &testUserAuthMethodTypesRequired{ - authMethods: []domain.UserAuthMethodType{ + object: &UserAuthMethodRequirements{ + UserType: domain.UserTypeHuman, + AuthMethods: []domain.UserAuthMethodType{ domain.UserAuthMethodTypePasswordless, domain.UserAuthMethodTypePassword, domain.UserAuthMethodTypeIDP, }, - forceMFA: true, - forceMFALocalOnly: true, + ForceMFA: true, + ForceMFALocalOnly: true, }, }, { name: "prepareUserAuthMethodTypesRequiredQuery multiple second factors", - prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*testUserAuthMethodTypesRequired, error)) { + prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*UserAuthMethodRequirements, error)) { builder, scan := prepareUserAuthMethodTypesRequiredQuery(ctx, db) - return builder, func(rows *sql.Rows) (*testUserAuthMethodTypesRequired, error) { - authMethods, forceMFA, forceMFALocalOnly, err := scan(rows) - if err != nil { - return nil, err - } - return &testUserAuthMethodTypesRequired{authMethods: authMethods, forceMFA: forceMFA, forceMFALocalOnly: forceMFALocalOnly}, nil + return builder, func(row *sql.Row) (*UserAuthMethodRequirements, error) { + return scan(row) } }, want: want{ @@ -392,15 +392,9 @@ func Test_UserAuthMethodPrepares(t *testing.T) { [][]driver.Value{ { true, - domain.UserAuthMethodTypePasswordless, - 1, - true, - true, - }, - { - true, - domain.UserAuthMethodTypeTOTP, + database.NumberArray[domain.UserAuthMethodType]{domain.UserAuthMethodTypePasswordless, domain.UserAuthMethodTypeTOTP}, 1, + domain.UserTypeHuman, true, true, }, @@ -408,27 +402,24 @@ func Test_UserAuthMethodPrepares(t *testing.T) { ), }, - object: &testUserAuthMethodTypesRequired{ - authMethods: []domain.UserAuthMethodType{ + object: &UserAuthMethodRequirements{ + UserType: domain.UserTypeHuman, + AuthMethods: []domain.UserAuthMethodType{ domain.UserAuthMethodTypePasswordless, domain.UserAuthMethodTypeTOTP, domain.UserAuthMethodTypePassword, domain.UserAuthMethodTypeIDP, }, - forceMFA: true, - forceMFALocalOnly: true, + ForceMFA: true, + ForceMFALocalOnly: true, }, }, { name: "prepareUserAuthMethodTypesRequiredQuery sql err", - prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*testUserAuthMethodTypesRequired, error)) { + prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*UserAuthMethodRequirements, error)) { builder, scan := prepareUserAuthMethodTypesRequiredQuery(ctx, db) - return builder, func(rows *sql.Rows) (*testUserAuthMethodTypesRequired, error) { - authMethods, forceMFA, forceMFALocalOnly, err := scan(rows) - if err != nil { - return nil, err - } - return &testUserAuthMethodTypesRequired{authMethods: authMethods, forceMFA: forceMFA, forceMFALocalOnly: forceMFALocalOnly}, nil + return builder, func(row *sql.Row) (*UserAuthMethodRequirements, error) { + return scan(row) } }, want: want{ @@ -452,10 +443,3 @@ func Test_UserAuthMethodPrepares(t *testing.T) { }) } } - -// testUserAuthMethodTypesRequired is required as assetPrepare is only able to return a single object from scan -type testUserAuthMethodTypesRequired struct { - authMethods []domain.UserAuthMethodType - forceMFA bool - forceMFALocalOnly bool -} diff --git a/internal/repository/authrequest/auth_request.go b/internal/repository/authrequest/auth_request.go index 5e9f1ad390..0492c541f8 100644 --- a/internal/repository/authrequest/auth_request.go +++ b/internal/repository/authrequest/auth_request.go @@ -22,20 +22,21 @@ const ( type AddedEvent struct { eventstore.BaseEvent `json:"-"` - LoginClient string `json:"login_client"` - ClientID string `json:"client_id"` - RedirectURI string `json:"redirect_uri"` - State string `json:"state,omitempty"` - Nonce string `json:"nonce,omitempty"` - Scope []string `json:"scope,omitempty"` - Audience []string `json:"audience,omitempty"` - ResponseType domain.OIDCResponseType `json:"response_type,omitempty"` - CodeChallenge *domain.OIDCCodeChallenge `json:"code_challenge,omitempty"` - Prompt []domain.Prompt `json:"prompt,omitempty"` - UILocales []string `json:"ui_locales,omitempty"` - MaxAge *time.Duration `json:"max_age,omitempty"` - LoginHint *string `json:"login_hint,omitempty"` - HintUserID *string `json:"hint_user_id,omitempty"` + LoginClient string `json:"login_client"` + ClientID string `json:"client_id"` + RedirectURI string `json:"redirect_uri"` + State string `json:"state,omitempty"` + Nonce string `json:"nonce,omitempty"` + Scope []string `json:"scope,omitempty"` + Audience []string `json:"audience,omitempty"` + ResponseType domain.OIDCResponseType `json:"response_type,omitempty"` + CodeChallenge *domain.OIDCCodeChallenge `json:"code_challenge,omitempty"` + Prompt []domain.Prompt `json:"prompt,omitempty"` + UILocales []string `json:"ui_locales,omitempty"` + MaxAge *time.Duration `json:"max_age,omitempty"` + LoginHint *string `json:"login_hint,omitempty"` + HintUserID *string `json:"hint_user_id,omitempty"` + NeedRefreshToken bool `json:"need_refresh_token,omitempty"` } func (e *AddedEvent) Payload() interface{} { @@ -62,6 +63,7 @@ func NewAddedEvent(ctx context.Context, maxAge *time.Duration, loginHint, hintUserID *string, + needRefreshToken bool, ) *AddedEvent { return &AddedEvent{ BaseEvent: *eventstore.NewBaseEventForPush( @@ -69,20 +71,21 @@ func NewAddedEvent(ctx context.Context, aggregate, AddedType, ), - LoginClient: loginClient, - ClientID: clientID, - RedirectURI: redirectURI, - State: state, - Nonce: nonce, - Scope: scope, - Audience: audience, - ResponseType: responseType, - CodeChallenge: codeChallenge, - Prompt: prompt, - UILocales: uiLocales, - MaxAge: maxAge, - LoginHint: loginHint, - HintUserID: hintUserID, + LoginClient: loginClient, + ClientID: clientID, + RedirectURI: redirectURI, + State: state, + Nonce: nonce, + Scope: scope, + Audience: audience, + ResponseType: responseType, + CodeChallenge: codeChallenge, + Prompt: prompt, + UILocales: uiLocales, + MaxAge: maxAge, + LoginHint: loginHint, + HintUserID: hintUserID, + NeedRefreshToken: needRefreshToken, } } diff --git a/internal/repository/deviceauth/device_auth.go b/internal/repository/deviceauth/device_auth.go index 4822c0b332..d2f6886693 100644 --- a/internal/repository/deviceauth/device_auth.go +++ b/internal/repository/deviceauth/device_auth.go @@ -4,6 +4,8 @@ import ( "context" "time" + "golang.org/x/text/language" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" ) @@ -13,18 +15,20 @@ const ( AddedEventType = eventTypePrefix + "added" ApprovedEventType = eventTypePrefix + "approved" CanceledEventType = eventTypePrefix + "canceled" + DoneEventType = eventTypePrefix + "done" ) type AddedEvent struct { *eventstore.BaseEvent `json:"-"` - ClientID string - DeviceCode string - UserCode string - Expires time.Time - Scopes []string - Audience []string - State domain.DeviceAuthState + ClientID string + DeviceCode string + UserCode string + Expires time.Time + Scopes []string + Audience []string + State domain.DeviceAuthState + NeedRefreshToken bool } func (e *AddedEvent) SetBaseEvent(b *eventstore.BaseEvent) { @@ -48,20 +52,26 @@ func NewAddedEvent( expires time.Time, scopes []string, audience []string, + needRefreshToken bool, ) *AddedEvent { return &AddedEvent{ eventstore.NewBaseEventForPush( ctx, aggregate, AddedEventType, ), - clientID, deviceCode, userCode, expires, scopes, audience, domain.DeviceAuthStateInitiated} + clientID, deviceCode, userCode, expires, scopes, audience, + domain.DeviceAuthStateInitiated, needRefreshToken, + } } type ApprovedEvent struct { *eventstore.BaseEvent `json:"-"` - Subject string - UserAuthMethods []domain.UserAuthMethodType - AuthTime time.Time + UserID string + UserOrgID string + UserAuthMethods []domain.UserAuthMethodType + AuthTime time.Time + PreferredLanguage *language.Tag + UserAgent *domain.UserAgent } func (e *ApprovedEvent) SetBaseEvent(b *eventstore.BaseEvent) { @@ -79,17 +89,23 @@ func (e *ApprovedEvent) UniqueConstraints() []*eventstore.UniqueConstraint { func NewApprovedEvent( ctx context.Context, aggregate *eventstore.Aggregate, - subject string, + userID, + userOrgID string, userAuthMethods []domain.UserAuthMethodType, authTime time.Time, + preferredLanguage *language.Tag, + userAgent *domain.UserAgent, ) *ApprovedEvent { return &ApprovedEvent{ eventstore.NewBaseEventForPush( ctx, aggregate, ApprovedEventType, ), - subject, + userID, + userOrgID, userAuthMethods, authTime, + preferredLanguage, + userAgent, } } @@ -114,3 +130,23 @@ func (e *CanceledEvent) UniqueConstraints() []*eventstore.UniqueConstraint { func NewCanceledEvent(ctx context.Context, aggregate *eventstore.Aggregate, reason domain.DeviceAuthCanceled) *CanceledEvent { return &CanceledEvent{eventstore.NewBaseEventForPush(ctx, aggregate, CanceledEventType), reason} } + +type DoneEvent struct { + *eventstore.BaseEvent `json:"-"` +} + +func (e *DoneEvent) SetBaseEvent(b *eventstore.BaseEvent) { + e.BaseEvent = b +} + +func (e *DoneEvent) Payload() any { + return e +} + +func (e *DoneEvent) UniqueConstraints() []*eventstore.UniqueConstraint { + return nil +} + +func NewDoneEvent(ctx context.Context, aggregate *eventstore.Aggregate) *DoneEvent { + return &DoneEvent{eventstore.NewBaseEventForPush(ctx, aggregate, DoneEventType)} +} diff --git a/internal/repository/deviceauth/eventstore.go b/internal/repository/deviceauth/eventstore.go index 75ce37c9e5..8e7d2d7124 100644 --- a/internal/repository/deviceauth/eventstore.go +++ b/internal/repository/deviceauth/eventstore.go @@ -6,4 +6,5 @@ func init() { eventstore.RegisterFilterEventMapper(AggregateType, AddedEventType, eventstore.GenericEventMapper[AddedEvent]) eventstore.RegisterFilterEventMapper(AggregateType, ApprovedEventType, eventstore.GenericEventMapper[ApprovedEvent]) eventstore.RegisterFilterEventMapper(AggregateType, CanceledEventType, eventstore.GenericEventMapper[CanceledEvent]) + eventstore.RegisterFilterEventMapper(AggregateType, DoneEventType, eventstore.GenericEventMapper[DoneEvent]) } diff --git a/internal/repository/feature/feature_v2/eventstore.go b/internal/repository/feature/feature_v2/eventstore.go index 26f33661fe..bd8b22eec8 100644 --- a/internal/repository/feature/feature_v2/eventstore.go +++ b/internal/repository/feature/feature_v2/eventstore.go @@ -2,6 +2,7 @@ package feature_v2 import ( "github.com/zitadel/zitadel/internal/eventstore" + "github.com/zitadel/zitadel/internal/feature" ) func init() { @@ -12,6 +13,8 @@ func init() { eventstore.RegisterFilterEventMapper(AggregateType, SystemUserSchemaEventType, eventstore.GenericEventMapper[SetEvent[bool]]) eventstore.RegisterFilterEventMapper(AggregateType, SystemTokenExchangeEventType, eventstore.GenericEventMapper[SetEvent[bool]]) eventstore.RegisterFilterEventMapper(AggregateType, SystemActionsEventType, eventstore.GenericEventMapper[SetEvent[bool]]) + eventstore.RegisterFilterEventMapper(AggregateType, SystemImprovedPerformanceEventType, eventstore.GenericEventMapper[SetEvent[[]feature.ImprovedPerformanceType]]) + eventstore.RegisterFilterEventMapper(AggregateType, InstanceResetEventType, eventstore.GenericEventMapper[ResetEvent]) eventstore.RegisterFilterEventMapper(AggregateType, InstanceLoginDefaultOrgEventType, eventstore.GenericEventMapper[SetEvent[bool]]) eventstore.RegisterFilterEventMapper(AggregateType, InstanceTriggerIntrospectionProjectionsEventType, eventstore.GenericEventMapper[SetEvent[bool]]) @@ -19,4 +22,5 @@ func init() { eventstore.RegisterFilterEventMapper(AggregateType, InstanceUserSchemaEventType, eventstore.GenericEventMapper[SetEvent[bool]]) eventstore.RegisterFilterEventMapper(AggregateType, InstanceTokenExchangeEventType, eventstore.GenericEventMapper[SetEvent[bool]]) eventstore.RegisterFilterEventMapper(AggregateType, InstanceActionsEventType, eventstore.GenericEventMapper[SetEvent[bool]]) + eventstore.RegisterFilterEventMapper(AggregateType, InstanceImprovedPerformanceEventType, eventstore.GenericEventMapper[SetEvent[[]feature.ImprovedPerformanceType]]) } diff --git a/internal/repository/feature/feature_v2/feature.go b/internal/repository/feature/feature_v2/feature.go index c1f9add2d7..d5beea8bf4 100644 --- a/internal/repository/feature/feature_v2/feature.go +++ b/internal/repository/feature/feature_v2/feature.go @@ -18,6 +18,7 @@ var ( SystemUserSchemaEventType = setEventTypeFromFeature(feature.LevelSystem, feature.KeyUserSchema) SystemTokenExchangeEventType = setEventTypeFromFeature(feature.LevelSystem, feature.KeyTokenExchange) SystemActionsEventType = setEventTypeFromFeature(feature.LevelSystem, feature.KeyActions) + SystemImprovedPerformanceEventType = setEventTypeFromFeature(feature.LevelSystem, feature.KeyImprovedPerformance) InstanceResetEventType = resetEventTypeFromFeature(feature.LevelInstance) InstanceLoginDefaultOrgEventType = setEventTypeFromFeature(feature.LevelInstance, feature.KeyLoginDefaultOrg) @@ -26,6 +27,7 @@ var ( InstanceUserSchemaEventType = setEventTypeFromFeature(feature.LevelInstance, feature.KeyUserSchema) InstanceTokenExchangeEventType = setEventTypeFromFeature(feature.LevelInstance, feature.KeyTokenExchange) InstanceActionsEventType = setEventTypeFromFeature(feature.LevelInstance, feature.KeyActions) + InstanceImprovedPerformanceEventType = setEventTypeFromFeature(feature.LevelInstance, feature.KeyImprovedPerformance) ) const ( diff --git a/internal/repository/idp/saml.go b/internal/repository/idp/saml.go index 37534da203..da6a52b1be 100644 --- a/internal/repository/idp/saml.go +++ b/internal/repository/idp/saml.go @@ -2,6 +2,7 @@ package idp import ( "github.com/zitadel/zitadel/internal/crypto" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/zerrors" ) @@ -9,13 +10,15 @@ import ( type SAMLIDPAddedEvent struct { eventstore.BaseEvent `json:"-"` - ID string `json:"id"` - Name string `json:"name,omitempty"` - Metadata []byte `json:"metadata,omitempty"` - Key *crypto.CryptoValue `json:"key,omitempty"` - Certificate []byte `json:"certificate,omitempty"` - Binding string `json:"binding,omitempty"` - WithSignedRequest bool `json:"withSignedRequest,omitempty"` + ID string `json:"id"` + Name string `json:"name,omitempty"` + Metadata []byte `json:"metadata,omitempty"` + Key *crypto.CryptoValue `json:"key,omitempty"` + Certificate []byte `json:"certificate,omitempty"` + Binding string `json:"binding,omitempty"` + WithSignedRequest bool `json:"withSignedRequest,omitempty"` + NameIDFormat *domain.SAMLNameIDFormat `json:"nameIDFormat,omitempty"` + TransientMappingAttributeName string `json:"transientMappingAttributeName,omitempty"` Options } @@ -28,18 +31,22 @@ func NewSAMLIDPAddedEvent( certificate []byte, binding string, withSignedRequest bool, + nameIDFormat *domain.SAMLNameIDFormat, + transientMappingAttributeName string, options Options, ) *SAMLIDPAddedEvent { return &SAMLIDPAddedEvent{ - BaseEvent: *base, - ID: id, - Name: name, - Metadata: metadata, - Key: key, - Certificate: certificate, - Binding: binding, - WithSignedRequest: withSignedRequest, - Options: options, + BaseEvent: *base, + ID: id, + Name: name, + Metadata: metadata, + Key: key, + Certificate: certificate, + Binding: binding, + WithSignedRequest: withSignedRequest, + NameIDFormat: nameIDFormat, + TransientMappingAttributeName: transientMappingAttributeName, + Options: options, } } @@ -67,13 +74,15 @@ func SAMLIDPAddedEventMapper(event eventstore.Event) (eventstore.Event, error) { type SAMLIDPChangedEvent struct { eventstore.BaseEvent `json:"-"` - ID string `json:"id"` - Name *string `json:"name,omitempty"` - Metadata []byte `json:"metadata,omitempty"` - Key *crypto.CryptoValue `json:"key,omitempty"` - Certificate []byte `json:"certificate,omitempty"` - Binding *string `json:"binding,omitempty"` - WithSignedRequest *bool `json:"withSignedRequest,omitempty"` + ID string `json:"id"` + Name *string `json:"name,omitempty"` + Metadata []byte `json:"metadata,omitempty"` + Key *crypto.CryptoValue `json:"key,omitempty"` + Certificate []byte `json:"certificate,omitempty"` + Binding *string `json:"binding,omitempty"` + WithSignedRequest *bool `json:"withSignedRequest,omitempty"` + NameIDFormat *domain.SAMLNameIDFormat `json:"nameIDFormat,omitempty"` + TransientMappingAttributeName *string `json:"transientMappingAttributeName,omitempty"` OptionChanges } @@ -133,6 +142,18 @@ func ChangeSAMLWithSignedRequest(withSignedRequest bool) func(*SAMLIDPChangedEve } } +func ChangeSAMLNameIDFormat(nameIDFormat *domain.SAMLNameIDFormat) func(*SAMLIDPChangedEvent) { + return func(e *SAMLIDPChangedEvent) { + e.NameIDFormat = nameIDFormat + } +} + +func ChangeSAMLTransientMappingAttributeName(name string) func(*SAMLIDPChangedEvent) { + return func(e *SAMLIDPChangedEvent) { + e.TransientMappingAttributeName = &name + } +} + func ChangeSAMLOptions(options OptionChanges) func(*SAMLIDPChangedEvent) { return func(e *SAMLIDPChangedEvent) { e.OptionChanges = options diff --git a/internal/repository/instance/idp.go b/internal/repository/instance/idp.go index 3bda1542d0..d2f90ab4eb 100644 --- a/internal/repository/instance/idp.go +++ b/internal/repository/instance/idp.go @@ -5,6 +5,7 @@ import ( "time" "github.com/zitadel/zitadel/internal/crypto" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/repository/idp" ) @@ -1016,6 +1017,8 @@ func NewSAMLIDPAddedEvent( certificate []byte, binding string, withSignedRequest bool, + nameIDFormat *domain.SAMLNameIDFormat, + transientMappingAttributeName string, options idp.Options, ) *SAMLIDPAddedEvent { return &SAMLIDPAddedEvent{ @@ -1032,6 +1035,8 @@ func NewSAMLIDPAddedEvent( certificate, binding, withSignedRequest, + nameIDFormat, + transientMappingAttributeName, options, ), } diff --git a/internal/repository/instance/policy_privacy.go b/internal/repository/instance/policy_privacy.go index ec374583b7..ff1ed75be3 100644 --- a/internal/repository/instance/policy_privacy.go +++ b/internal/repository/instance/policy_privacy.go @@ -24,6 +24,7 @@ func NewPrivacyPolicyAddedEvent( privacyLink, helpLink string, supportEmail domain.EmailAddress, + docsLink, customLink, customLinkText string, ) *PrivacyPolicyAddedEvent { return &PrivacyPolicyAddedEvent{ PrivacyPolicyAddedEvent: *policy.NewPrivacyPolicyAddedEvent( @@ -34,7 +35,10 @@ func NewPrivacyPolicyAddedEvent( tosLink, privacyLink, helpLink, - supportEmail), + supportEmail, + docsLink, + customLink, + customLinkText), } } diff --git a/internal/repository/oidcsession/oidc_session.go b/internal/repository/oidcsession/oidc_session.go index ff127b3696..55316635b3 100644 --- a/internal/repository/oidcsession/oidc_session.go +++ b/internal/repository/oidcsession/oidc_session.go @@ -4,6 +4,8 @@ import ( "context" "time" + "golang.org/x/text/language" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" ) @@ -21,13 +23,17 @@ const ( type AddedEvent struct { eventstore.BaseEvent `json:"-"` - UserID string `json:"userID"` - SessionID string `json:"sessionID"` - ClientID string `json:"clientID"` - Audience []string `json:"audience"` - Scope []string `json:"scope"` - AuthMethods []domain.UserAuthMethodType `json:"authMethods"` - AuthTime time.Time `json:"authTime"` + UserID string `json:"userID"` + UserResourceOwner string `json:"userResourceOwner"` + SessionID string `json:"sessionID"` + ClientID string `json:"clientID"` + Audience []string `json:"audience"` + Scope []string `json:"scope"` + AuthMethods []domain.UserAuthMethodType `json:"authMethods"` + AuthTime time.Time `json:"authTime"` + Nonce string `json:"nonce,omitempty"` + PreferredLanguage *language.Tag `json:"preferredLanguage,omitempty"` + UserAgent *domain.UserAgent `json:"userAgent,omitempty"` } func (e *AddedEvent) Payload() interface{} { @@ -45,12 +51,16 @@ func (e *AddedEvent) SetBaseEvent(event *eventstore.BaseEvent) { func NewAddedEvent(ctx context.Context, aggregate *eventstore.Aggregate, userID, + userResourceOwner, sessionID, clientID string, audience, scope []string, authMethods []domain.UserAuthMethodType, authTime time.Time, + nonce string, + preferredLanguage *language.Tag, + userAgent *domain.UserAgent, ) *AddedEvent { return &AddedEvent{ BaseEvent: *eventstore.NewBaseEventForPush( @@ -58,13 +68,17 @@ func NewAddedEvent(ctx context.Context, aggregate, AddedType, ), - UserID: userID, - SessionID: sessionID, - ClientID: clientID, - Audience: audience, - Scope: scope, - AuthMethods: authMethods, - AuthTime: authTime, + UserID: userID, + UserResourceOwner: userResourceOwner, + SessionID: sessionID, + ClientID: clientID, + Audience: audience, + Scope: scope, + AuthMethods: authMethods, + AuthTime: authTime, + Nonce: nonce, + PreferredLanguage: preferredLanguage, + UserAgent: userAgent, } } diff --git a/internal/repository/org/idp.go b/internal/repository/org/idp.go index 5f28d44811..a2bc5c7abd 100644 --- a/internal/repository/org/idp.go +++ b/internal/repository/org/idp.go @@ -5,6 +5,7 @@ import ( "time" "github.com/zitadel/zitadel/internal/crypto" + "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" "github.com/zitadel/zitadel/internal/repository/idp" ) @@ -1017,6 +1018,8 @@ func NewSAMLIDPAddedEvent( certificate []byte, binding string, withSignedRequest bool, + nameIDFormat *domain.SAMLNameIDFormat, + transientMappingAttributeName string, options idp.Options, ) *SAMLIDPAddedEvent { @@ -1034,6 +1037,8 @@ func NewSAMLIDPAddedEvent( certificate, binding, withSignedRequest, + nameIDFormat, + transientMappingAttributeName, options, ), } diff --git a/internal/repository/org/policy_privacy.go b/internal/repository/org/policy_privacy.go index 98916b1124..aad53b79c2 100644 --- a/internal/repository/org/policy_privacy.go +++ b/internal/repository/org/policy_privacy.go @@ -25,6 +25,7 @@ func NewPrivacyPolicyAddedEvent( privacyLink, helpLink string, supportEmail domain.EmailAddress, + docsLink, customLink, customLinkText string, ) *PrivacyPolicyAddedEvent { return &PrivacyPolicyAddedEvent{ PrivacyPolicyAddedEvent: *policy.NewPrivacyPolicyAddedEvent( @@ -35,7 +36,10 @@ func NewPrivacyPolicyAddedEvent( tosLink, privacyLink, helpLink, - supportEmail), + supportEmail, + docsLink, + customLink, + customLinkText), } } diff --git a/internal/repository/policy/policy_privacy.go b/internal/repository/policy/policy_privacy.go index 0b674fff64..8b140026b6 100644 --- a/internal/repository/policy/policy_privacy.go +++ b/internal/repository/policy/policy_privacy.go @@ -15,10 +15,13 @@ const ( type PrivacyPolicyAddedEvent struct { eventstore.BaseEvent `json:"-"` - TOSLink string `json:"tosLink,omitempty"` - PrivacyLink string `json:"privacyLink,omitempty"` - HelpLink string `json:"helpLink,omitempty"` - SupportEmail domain.EmailAddress `json:"supportEmail,omitempty"` + TOSLink string `json:"tosLink,omitempty"` + PrivacyLink string `json:"privacyLink,omitempty"` + HelpLink string `json:"helpLink,omitempty"` + SupportEmail domain.EmailAddress `json:"supportEmail,omitempty"` + DocsLink string `json:"docsLink,omitempty"` + CustomLink string `json:"customLink,omitempty"` + CustomLinkText string `json:"customLinkText,omitempty"` } func (e *PrivacyPolicyAddedEvent) Payload() interface{} { @@ -35,13 +38,17 @@ func NewPrivacyPolicyAddedEvent( privacyLink, helpLink string, supportEmail domain.EmailAddress, + docsLink, customLink, customLinkText string, ) *PrivacyPolicyAddedEvent { return &PrivacyPolicyAddedEvent{ - BaseEvent: *base, - TOSLink: tosLink, - PrivacyLink: privacyLink, - HelpLink: helpLink, - SupportEmail: supportEmail, + BaseEvent: *base, + TOSLink: tosLink, + PrivacyLink: privacyLink, + HelpLink: helpLink, + SupportEmail: supportEmail, + DocsLink: docsLink, + CustomLink: customLink, + CustomLinkText: customLinkText, } } @@ -60,10 +67,13 @@ func PrivacyPolicyAddedEventMapper(event eventstore.Event) (eventstore.Event, er type PrivacyPolicyChangedEvent struct { eventstore.BaseEvent `json:"-"` - TOSLink *string `json:"tosLink,omitempty"` - PrivacyLink *string `json:"privacyLink,omitempty"` - HelpLink *string `json:"helpLink,omitempty"` - SupportEmail *domain.EmailAddress `json:"supportEmail,omitempty"` + TOSLink *string `json:"tosLink,omitempty"` + PrivacyLink *string `json:"privacyLink,omitempty"` + HelpLink *string `json:"helpLink,omitempty"` + SupportEmail *domain.EmailAddress `json:"supportEmail,omitempty"` + DocsLink *string `json:"docsLink,omitempty"` + CustomLink *string `json:"customLink,omitempty"` + CustomLinkText *string `json:"customLinkText,omitempty"` } func (e *PrivacyPolicyChangedEvent) Payload() interface{} { @@ -116,6 +126,24 @@ func ChangeSupportEmail(supportEmail domain.EmailAddress) func(*PrivacyPolicyCha } } +func ChangeDocsLink(docsLink string) func(*PrivacyPolicyChangedEvent) { + return func(e *PrivacyPolicyChangedEvent) { + e.DocsLink = &docsLink + } +} + +func ChangeCustomLink(customLink string) func(*PrivacyPolicyChangedEvent) { + return func(e *PrivacyPolicyChangedEvent) { + e.CustomLink = &customLink + } +} + +func ChangeCustomLinkText(customLinkText string) func(*PrivacyPolicyChangedEvent) { + return func(e *PrivacyPolicyChangedEvent) { + e.CustomLinkText = &customLinkText + } +} + func PrivacyPolicyChangedEventMapper(event eventstore.Event) (eventstore.Event, error) { e := &PrivacyPolicyChangedEvent{ BaseEvent: *eventstore.BaseEventFromRepo(event), diff --git a/internal/repository/session/session.go b/internal/repository/session/session.go index 116d85a186..b8768c6396 100644 --- a/internal/repository/session/session.go +++ b/internal/repository/session/session.go @@ -4,6 +4,8 @@ import ( "context" "time" + "golang.org/x/text/language" + "github.com/zitadel/zitadel/internal/api/http" "github.com/zitadel/zitadel/internal/crypto" "github.com/zitadel/zitadel/internal/domain" @@ -75,9 +77,10 @@ func AddedEventMapper(event eventstore.Event) (eventstore.Event, error) { type UserCheckedEvent struct { eventstore.BaseEvent `json:"-"` - UserID string `json:"userID"` - UserResourceOwner string `json:"userResourceOwner"` - CheckedAt time.Time `json:"checkedAt"` + UserID string `json:"userID"` + UserResourceOwner string `json:"userResourceOwner"` + CheckedAt time.Time `json:"checkedAt"` + PreferredLanguage *language.Tag `json:"preferredLanguage,omitempty"` } func (e *UserCheckedEvent) Payload() interface{} { @@ -94,6 +97,7 @@ func NewUserCheckedEvent( userID, userResourceOwner string, checkedAt time.Time, + preferredLanguage *language.Tag, ) *UserCheckedEvent { return &UserCheckedEvent{ BaseEvent: *eventstore.NewBaseEventForPush( @@ -104,6 +108,7 @@ func NewUserCheckedEvent( UserID: userID, UserResourceOwner: userResourceOwner, CheckedAt: checkedAt, + PreferredLanguage: preferredLanguage, } } diff --git a/internal/repository/user/eventstore.go b/internal/repository/user/eventstore.go index 02df90f369..e04754e54a 100644 --- a/internal/repository/user/eventstore.go +++ b/internal/repository/user/eventstore.go @@ -42,6 +42,7 @@ func init() { eventstore.RegisterFilterEventMapper(AggregateType, UserReactivatedType, UserReactivatedEventMapper) eventstore.RegisterFilterEventMapper(AggregateType, UserRemovedType, UserRemovedEventMapper) eventstore.RegisterFilterEventMapper(AggregateType, UserTokenAddedType, UserTokenAddedEventMapper) + eventstore.RegisterFilterEventMapper(AggregateType, UserTokenV2AddedType, eventstore.GenericEventMapper[UserTokenV2AddedEvent]) eventstore.RegisterFilterEventMapper(AggregateType, UserImpersonatedType, eventstore.GenericEventMapper[UserImpersonatedEvent]) eventstore.RegisterFilterEventMapper(AggregateType, UserTokenRemovedType, UserTokenRemovedEventMapper) eventstore.RegisterFilterEventMapper(AggregateType, UserDomainClaimedType, DomainClaimedEventMapper) diff --git a/internal/repository/user/user.go b/internal/repository/user/user.go index bb64609cd8..a736cb4d2a 100644 --- a/internal/repository/user/user.go +++ b/internal/repository/user/user.go @@ -19,6 +19,7 @@ const ( UserReactivatedType = userEventTypePrefix + "reactivated" UserRemovedType = userEventTypePrefix + "removed" UserTokenAddedType = userEventTypePrefix + "token.added" + UserTokenV2AddedType = userEventTypePrefix + "token.v2.added" UserTokenRemovedType = userEventTypePrefix + "token.removed" UserImpersonatedType = userEventTypePrefix + "impersonated" UserDomainClaimedType = userEventTypePrefix + "domain.claimed" @@ -279,6 +280,39 @@ func UserTokenAddedEventMapper(event eventstore.Event) (eventstore.Event, error) return tokenAdded, nil } +type UserTokenV2AddedEvent struct { + *eventstore.BaseEvent `json:"-"` + + TokenID string `json:"tokenId,omitempty"` +} + +func (e *UserTokenV2AddedEvent) Payload() interface{} { + return e +} + +func (e *UserTokenV2AddedEvent) SetBaseEvent(b *eventstore.BaseEvent) { + e.BaseEvent = b +} + +func (e *UserTokenV2AddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint { + return nil +} + +func NewUserTokenV2AddedEvent( + ctx context.Context, + aggregate *eventstore.Aggregate, + tokenID string, +) *UserTokenV2AddedEvent { + return &UserTokenV2AddedEvent{ + BaseEvent: eventstore.NewBaseEventForPush( + ctx, + aggregate, + UserTokenV2AddedType, + ), + TokenID: tokenID, + } +} + type UserImpersonatedEvent struct { eventstore.BaseEvent `json:"-"` diff --git a/internal/static/i18n/bg.yaml b/internal/static/i18n/bg.yaml index 879c4a3a9c..5c29f0fb7d 100644 --- a/internal/static/i18n/bg.yaml +++ b/internal/static/i18n/bg.yaml @@ -535,6 +535,7 @@ Errors: IDPMissing: IDP липсва в заявката IDPInvalid: IDP невалиден за заявката ResponseInvalid: Отговорът на IDP е невалиден + MissingSingleMappingAttribute: Не съдържа атрибута за съпоставяне или има повече от една стойност SuccessURLMissing: В заявката липсва URL адрес за успех FailureURLMissing: В заявката липсва URL адрес за грешка StateMissing: В заявката липсва параметър състояние @@ -632,6 +633,7 @@ EventTypes: failed: Проверката на инициализацията е неуспешна token: added: Токенът за достъп е създаден + v2.added: Токенът за достъп е създаден removed: Токенът за достъп е премахнат impersonated: Имитиран потребител username: diff --git a/internal/static/i18n/cs.yaml b/internal/static/i18n/cs.yaml index ac79d10565..8fedd7757a 100644 --- a/internal/static/i18n/cs.yaml +++ b/internal/static/i18n/cs.yaml @@ -515,6 +515,7 @@ Errors: IDPMissing: V požadavku chybí IDP ID IDPInvalid: IDP je pro požadavek neplatné ResponseInvalid: Odpověď IDP je neplatná + MissingSingleMappingAttribute: Neobsahuje atribut mapování nebo má více než jednu hodnotu SuccessURLMissing: V požadavku chybí úspěšná URL FailureURLMissing: V požadavku chybí URL selhání StateMissing: V požadavku chybí parametr stavu @@ -613,6 +614,7 @@ EventTypes: failed: Kontrola inicializace selhala token: added: Přístupový token vytvořen + v2.added: Přístupový token vytvořen removed: Přístupový token odstraněn impersonated: Usuario suplantado username: diff --git a/internal/static/i18n/de.yaml b/internal/static/i18n/de.yaml index b0a58884c6..af6790efb8 100644 --- a/internal/static/i18n/de.yaml +++ b/internal/static/i18n/de.yaml @@ -517,6 +517,7 @@ Errors: IDPMissing: IDP ID fehlt im Request IDPInvalid: IDP ungültig für die Anfrage ResponseInvalid: IDP-Antwort ist ungültig + MissingSingleMappingAttribute: Enthält das Zuordnungsattribut nicht oder hat mehr als einen Wert SuccessURLMissing: Success URL fehlt im Request FailureURLMissing: Failure URL fehlt im Request StateMissing: State parameter fehlt im Request @@ -615,6 +616,7 @@ EventTypes: failed: Benutzerinitialisierung fehlgeschlagen token: added: Access Token ausgestellt + v2.added: Access Token ausgestellt removed: Access Token gelöscht impersonated: Benutzer hat sich als Benutzer ausgegeben username: diff --git a/internal/static/i18n/en.yaml b/internal/static/i18n/en.yaml index c2ec0f0fff..5644471cb3 100644 --- a/internal/static/i18n/en.yaml +++ b/internal/static/i18n/en.yaml @@ -517,6 +517,7 @@ Errors: IDPMissing: IDP ID is missing in the request IDPInvalid: IDP invalid for the request ResponseInvalid: IDP response is invalid + MissingSingleMappingAttribute: IDP response does not contain the mapping attribute or has more than one value SuccessURLMissing: Success URL is missing in the request FailureURLMissing: Failure URL is missing in the request StateMissing: State parameter is missing in the request @@ -615,6 +616,7 @@ EventTypes: failed: Initialization check failed token: added: Access Token created + v2.added: Access Token created removed: Access Token removed impersonated: User impersonated username: diff --git a/internal/static/i18n/es.yaml b/internal/static/i18n/es.yaml index d8194d921b..d07d410ba3 100644 --- a/internal/static/i18n/es.yaml +++ b/internal/static/i18n/es.yaml @@ -517,6 +517,7 @@ Errors: IDPMissing: Falta IDP en la solicitud IDPInvalid: IDP no válido para la solicitud ResponseInvalid: La respuesta del IDP no es válida + MissingSingleMappingAttribute: No contiene el atributo de asignación o tiene más de un valor SuccessURLMissing: Falta la URL de éxito en la solicitud FailureURLMissing: Falta la URL de error en la solicitud StateMissing: Falta un parámetro de estado en la solicitud @@ -615,6 +616,7 @@ EventTypes: failed: La comprobación de inicialización falló token: added: Token de acceso creado + v2.added: Token de acceso creado removed: Token de acceso eliminado impersonated: Usuario suplantado username: diff --git a/internal/static/i18n/fr.yaml b/internal/static/i18n/fr.yaml index 4b278c92b4..b3cda958cc 100644 --- a/internal/static/i18n/fr.yaml +++ b/internal/static/i18n/fr.yaml @@ -66,9 +66,9 @@ Errors: NotFoundOnOrg: L'utilisateur n'a pas été trouvé dans l'organisation choisie NotAllowedOrg: L'utilisateur n'est pas membre de l'organisation requise UserIDMissing: L'ID de l'utilisateur est manquant - UserIDWrong: "L'utilisateur de la demande n'est pas égal à l'utilisateur authentifié" + UserIDWrong: L'utilisateur de la demande n'est pas égal à l'utilisateur authentifié DomainPolicyNil: La politique de l'organisation est vide - EmailAsUsernameNotAllowed: L'email n'est pas autorisé comme nom d'utilisateur + EmailAsUsernameNotAllowed: L'e-mail n'est pas autorisé comme nom d'utilisateur Invalid: Les données de l'utilisateur ne sont pas valides DomainNotAllowedAsUsername: Le domaine est déjà réservé et ne peut être utilisé. AlreadyInactive: L'utilisateur est déjà inactif @@ -90,12 +90,12 @@ Errors: LastNameEmpty: Le nom de famille dans le profil est vide IDMissing: Profil ID manquant Email: - NotFound: Email non trouvé - Invalid: L'email n'est pas valide + NotFound: E-mail non trouvé + Invalid: L'e-mail n'est pas valide AlreadyVerified: L'adresse électronique est déjà vérifiée NotChanged: L'adresse électronique n'a pas changé - Empty: Email est vide - IDMissing: Email ID manquant + Empty: L'e-mail est vide + IDMissing: E-mail ID manquant Phone: Notfound: Téléphone non trouvé Invalid: Le téléphone n'est pas valide @@ -517,6 +517,7 @@ Errors: IDPMissing: IDP manquant dans la requête IDPInvalid: IDP non valide pour la demande ResponseInvalid: La réponse de l'IDP n'est pas valide + MissingSingleMappingAttribute: Ne contient pas l'attribut de mappage ou a plus d'une valeur SuccessURLMissing: Success URL absent de la requête FailureURLMissing: Failure URL absent de la requête StateMissing: Paramètre d'état manquant dans la requête @@ -615,13 +616,14 @@ EventTypes: failed: La vérification de l'initialisation a échoué token: added: Jeton d'accès créé + v2.added: Jeton d'accès créé impersonated: Utilisateur usurpé l'identité username: reserved: Nom d'utilisateur réservé released: Nom d'utilisateur libéré email: reserved: Adresse e-mail réservée - released: Adresse email libérée + released: Adresse e-mail libérée changed: Adresse e-mail modifiée verified: Adresse e-mail vérifiée verification: diff --git a/internal/static/i18n/it.yaml b/internal/static/i18n/it.yaml index 3474d914f8..ff072dd966 100644 --- a/internal/static/i18n/it.yaml +++ b/internal/static/i18n/it.yaml @@ -517,6 +517,7 @@ Errors: IDPMissing: IDP mancante nella richiesta IDPInvalid: IDP non valido per la richiesta ResponseInvalid: La risposta dell'IDP non è valida + MissingSingleMappingAttribute: Non contiene l'attributo di mapping o ha più di un valore SuccessURLMissing: URL di successo mancante nella richiesta FailureURLMissing: URL di errore mancante nella richiesta StateMissing: parametro di stato mancante nella richiesta @@ -615,6 +616,7 @@ EventTypes: failed: Controllo dell'inizializzazione fallito token: added: Access Token creato + v2.added: Access Token creato impersonated: Utente impersonificato username: reserved: Nome utente riservato diff --git a/internal/static/i18n/ja.yaml b/internal/static/i18n/ja.yaml index d19f16053c..98d6c08161 100644 --- a/internal/static/i18n/ja.yaml +++ b/internal/static/i18n/ja.yaml @@ -506,6 +506,7 @@ Errors: IDPMissing: リクエストにIDP IDが含まれていません IDPInvalid: リクエストのIDPが無効 ResponseInvalid: IDPの回答は無効 + MissingSingleMappingAttribute: マッピング属性が含まれていない、または複数の値がある SuccessURLMissing: リクエストに成功時の URL がありません FailureURLMissing: リクエストに失敗の URL がありません StateMissing: リクエストに State パラメータがありません @@ -604,6 +605,7 @@ EventTypes: failed: 初期化チェックの失敗 token: added: アクセストークンの作成 + v2.added: アクセストークンの作成 removed: アクセストークンの削除 impersonated: ユーザーがなりすました username: diff --git a/internal/static/i18n/mk.yaml b/internal/static/i18n/mk.yaml index 11b64d3ede..9c0ad13aa7 100644 --- a/internal/static/i18n/mk.yaml +++ b/internal/static/i18n/mk.yaml @@ -516,6 +516,7 @@ Errors: IDPMissing: ID на IDP недостасува во барањето6bg IDPInvalid: ВРЛ неважечки за барањето ResponseInvalid: Одговорот на ВРЛ е неважечки + MissingSingleMappingAttribute: не го содржи атрибутот за мапирање или има повеќе од една вредност SuccessURLMissing: URL за успех недостасува во барањето FailureURLMissing: URL за неуспех недостасува во барањето StateMissing: Параметарот State недостасува во барањето @@ -614,6 +615,7 @@ EventTypes: failed: Проверката на иницијализацијата е неуспешна token: added: Креиран е токен за пристап + v2.added: Креиран е токен за пристап removed: Токенот за пристап е отстранет impersonated: Корисникот имитиран username: diff --git a/internal/static/i18n/nl.yaml b/internal/static/i18n/nl.yaml index ad5b6561df..2b516fdd87 100644 --- a/internal/static/i18n/nl.yaml +++ b/internal/static/i18n/nl.yaml @@ -516,6 +516,7 @@ Errors: IDPMissing: IDP ID ontbreekt in het verzoek IDPInvalid: IDP ongeldig voor het verzoek ResponseInvalid: IDP respons is ongeldig + MissingSingleMappingAttribute: Bevat kenmerk toewijzing niet of heeft meer dan één waarde SuccessURLMissing: Success URL ontbreekt in het verzoek FailureURLMissing: Failure URL ontbreekt in het verzoek StateMissing: Staat parameter ontbreekt in het verzoek @@ -614,6 +615,7 @@ EventTypes: failed: Initialisatiecontrole mislukt token: added: Toegangstoken aangemaakt + v2.added: Toegangstoken aangemaakt removed: Toegangstoken verwijderd impersonated: Gebruiker nagebootst username: diff --git a/internal/static/i18n/pl.yaml b/internal/static/i18n/pl.yaml index 129f0ea073..8dbcc8aa5b 100644 --- a/internal/static/i18n/pl.yaml +++ b/internal/static/i18n/pl.yaml @@ -517,6 +517,7 @@ Errors: IDPMissing: Brak identyfikatora IDP w żądaniu IDPInvalid: IDP nieprawidłowe dla żądania ResponseInvalid: Odpowiedź IDP jest nieprawidłowa + MissingSingleMappingAttribute: Nie zawiera atrybutu mapowania lub ma więcej niż jedną wartość SuccessURLMissing: Brak adresu URL powodzenia w żądaniu FailureURLMissing: Brak adresu URL niepowodzenia w żądaniu StateMissing: Brak parametru stanu w żądaniu @@ -615,6 +616,7 @@ EventTypes: failed: Sprawdzenie inicjujące nie powiodło się token: added: Token dostępu utworzony + v2.added: Token dostępu utworzony removed: Token dostępu usunięty impersonated: Użytkownik podszywał się pod użytkownika username: diff --git a/internal/static/i18n/pt.yaml b/internal/static/i18n/pt.yaml index e7f8858f20..c0c408fe7c 100644 --- a/internal/static/i18n/pt.yaml +++ b/internal/static/i18n/pt.yaml @@ -516,6 +516,7 @@ Errors: IDPMissing: O ID do IDP está faltando na solicitação IDPInvalid: IDP inválido para o pedido ResponseInvalid: A resposta da PDI é inválida + MissingSingleMappingAttribute: Não contém o atributo de mapeamento ou tem mais de um valor SuccessURLMissing: A URL de sucesso está faltando na solicitação FailureURLMissing: A URL de falha está faltando na solicitação StateMissing: O parâmetro de estado está faltando na solicitação @@ -610,6 +611,7 @@ EventTypes: failed: Verificação de inicialização falhou token: added: Token de acesso criado + v2.added: Token de acesso criado removed: Token de acesso removido impersonated: Usuário personificado username: diff --git a/internal/static/i18n/ru.yaml b/internal/static/i18n/ru.yaml index 7e530ce8b7..d67875e4c3 100644 --- a/internal/static/i18n/ru.yaml +++ b/internal/static/i18n/ru.yaml @@ -506,6 +506,7 @@ Errors: NoChallenge: Сеанс без вызова WebAuthN Intent: IDPMissing: В запросе отсутствует идентификатор IDP + MissingSingleMappingAttribute: Не содержит атрибут сопоставления или имеет более одного значения SuccessURLMissing: В запросе отсутствует URL-адрес успешного выполнения FailureURLMissing: В запросе отсутствует URL-адрес ошибки StateMissing: В запросе отсутствует параметр State @@ -604,6 +605,7 @@ EventTypes: failed: Проверка инициализации не удалась token: added: Токен доступа создан + v2.added: Токен доступа создан removed: Токен доступа удалён impersonated: Пользователь олицетворяет себя username: diff --git a/internal/static/i18n/zh.yaml b/internal/static/i18n/zh.yaml index 0fae191b67..8c0f5343c6 100644 --- a/internal/static/i18n/zh.yaml +++ b/internal/static/i18n/zh.yaml @@ -517,6 +517,7 @@ Errors: IDPMissing: 请求中缺少IDP ID IDPInvalid: 请求的 IDP 无效 ResponseInvalid: IDP 响应无效 + MissingSingleMappingAttribute: 不包含映射属性或具有多个值 SuccessURLMissing: 请求中缺少成功URL FailureURLMissing: 请求中缺少失败的URL StateMissing: 请求中缺少状态参数 @@ -615,6 +616,7 @@ EventTypes: failed: 初始化检查失败 token: added: 已创建访问令牌 + v2.added: 已创建访问令牌 impersonated: 用户冒充 username: reserved: 保留用户名 diff --git a/internal/user/repository/view/model/refresh_token.go b/internal/user/repository/view/model/refresh_token.go index 06b4463623..23766c7b33 100644 --- a/internal/user/repository/view/model/refresh_token.go +++ b/internal/user/repository/view/model/refresh_token.go @@ -13,13 +13,24 @@ import ( ) const ( - RefreshTokenKeyTokenID = "id" - RefreshTokenKeyUserID = "user_id" - RefreshTokenKeyApplicationID = "application_id" - RefreshTokenKeyUserAgentID = "user_agent_id" - RefreshTokenKeyExpiration = "expiration" - RefreshTokenKeyResourceOwner = "resource_owner" - RefreshTokenKeyInstanceID = "instance_id" + RefreshTokenKeyTokenID = "id" + RefreshTokenKeyUserID = "user_id" + RefreshTokenKeyApplicationID = "application_id" + RefreshTokenKeyUserAgentID = "user_agent_id" + RefreshTokenKeyExpiration = "expiration" + RefreshTokenKeyResourceOwner = "resource_owner" + RefreshTokenKeyInstanceID = "instance_id" + RefreshTokenKeyCreationDate = "creation_date" + RefreshTokenKeyChangeDate = "change_date" + RefreshTokenKeySequence = "sequence" + RefreshTokenKeyActor = "actor" + RefreshTokenKeyAMR = "amr" + RefreshTokenKeyAuthTime = "auth_time" + RefreshTokenKeyAudience = "audience" + RefreshTokenKeyClientID = "client_id" + RefreshTokenKeyIdleExpiration = "idle_expiration" + RefreshTokenKeyScopes = "scopes" + RefreshTokenKeyToken = "token" ) type RefreshTokenView struct { @@ -72,6 +83,7 @@ func RefreshTokenViewToModel(token *RefreshTokenView) *usr_model.RefreshTokenVie } func (t *RefreshTokenView) AppendEventIfMyRefreshToken(event eventstore.Event) (err error) { + // in case anything needs to be change here check if the Reduce function needs the change as well view := new(RefreshTokenView) switch event.Type() { case user_repo.HumanRefreshTokenAddedType: @@ -101,6 +113,7 @@ func (t *RefreshTokenView) AppendEventIfMyRefreshToken(event eventstore.Event) ( } func (t *RefreshTokenView) AppendEvent(event eventstore.Event) error { + // in case anything needs to be change here check if the Reduce function needs the change as well t.ChangeDate = event.CreatedAt() t.Sequence = event.Sequence() switch event.Type() { @@ -123,7 +136,7 @@ func (t *RefreshTokenView) setRootData(event eventstore.Event) { func (t *RefreshTokenView) appendAddedEvent(event eventstore.Event) error { e := new(user_repo.HumanRefreshTokenAddedEvent) if err := event.Unmarshal(e); err != nil { - logging.Log("EVEN-Dbb31").WithError(err).Error("could not unmarshal event data") + logging.WithError(err).Error("could not unmarshal event data") return zerrors.ThrowInternal(err, "MODEL-Bbr42", "could not unmarshal event") } t.ID = e.TokenID @@ -144,7 +157,7 @@ func (t *RefreshTokenView) appendAddedEvent(event eventstore.Event) error { func (t *RefreshTokenView) appendRenewedEvent(event eventstore.Event) error { e := new(user_repo.HumanRefreshTokenRenewedEvent) if err := event.Unmarshal(e); err != nil { - logging.Log("EVEN-Vbbn2").WithError(err).Error("could not unmarshal event data") + logging.WithError(err).Error("could not unmarshal event data") return zerrors.ThrowInternal(err, "MODEL-Bbrn4", "could not unmarshal event") } t.ID = e.TokenID diff --git a/internal/user/repository/view/model/token.go b/internal/user/repository/view/model/token.go index ebe1564738..a780e7e167 100644 --- a/internal/user/repository/view/model/token.go +++ b/internal/user/repository/view/model/token.go @@ -16,14 +16,23 @@ import ( ) const ( - TokenKeyTokenID = "id" - TokenKeyUserID = "user_id" - TokenKeyRefreshTokenID = "refresh_token_id" - TokenKeyApplicationID = "application_id" - TokenKeyUserAgentID = "user_agent_id" - TokenKeyExpiration = "expiration" - TokenKeyResourceOwner = "resource_owner" - TokenKeyInstanceID = "instance_id" + TokenKeyTokenID = "id" + TokenKeyUserID = "user_id" + TokenKeyRefreshTokenID = "refresh_token_id" + TokenKeyApplicationID = "application_id" + TokenKeyUserAgentID = "user_agent_id" + TokenKeyExpiration = "expiration" + TokenKeyResourceOwner = "resource_owner" + TokenKeyInstanceID = "instance_id" + TokenKeyCreationDate = "creation_date" + TokenKeyChangeDate = "change_date" + TokenKeySequence = "sequence" + TokenKeyActor = "actor" + TokenKeyID = "id" + TokenKeyAudience = "audience" + TokenKeyPreferredLanguage = "preferred_language" + TokenKeyScopes = "scopes" + TokenKeyIsPat = "is_pat" ) type TokenView struct { @@ -100,6 +109,7 @@ func TokenViewToModel(token *TokenView) *usr_model.TokenView { } func (t *TokenView) AppendEventIfMyToken(event eventstore.Event) (err error) { + // in case anything needs to be change here check if the Reduce function needs the change as well view := new(TokenView) switch event.Type() { case user_repo.UserTokenAddedType, @@ -112,7 +122,7 @@ func (t *TokenView) AppendEventIfMyToken(event eventstore.Event) (err error) { return t.appendRefreshTokenRemoved(event) case user_repo.UserV1SignedOutType, user_repo.HumanSignedOutType: - id, err := agentIDFromSession(event) + id, err := UserAgentIDFromEvent(event) if err != nil { return err } @@ -146,6 +156,7 @@ func (t *TokenView) AppendEventIfMyToken(event eventstore.Event) (err error) { } func (t *TokenView) AppendEvent(event eventstore.Event) error { + // in case anything needs to be change here check if the Reduce function needs the change as well t.ChangeDate = event.CreatedAt() t.Sequence = event.Sequence() switch event.Type() { @@ -170,49 +181,40 @@ func (t *TokenView) setRootData(event eventstore.Event) { func (t *TokenView) setData(event eventstore.Event) error { if err := event.Unmarshal(t); err != nil { - logging.Log("EVEN-3Gm9s").WithError(err).Error("could not unmarshal event data") + logging.WithError(err).Error("could not unmarshal event data") return zerrors.ThrowInternal(err, "MODEL-5Gms9", "could not unmarshal event") } return nil } -func agentIDFromSession(event eventstore.Event) (string, error) { - session := make(map[string]interface{}) - if err := event.Unmarshal(&session); err != nil { - logging.Log("EVEN-Ghgt3").WithError(err).Error("could not unmarshal event data") - return "", zerrors.ThrowInternal(nil, "MODEL-GBf32", "could not unmarshal data") - } - return session["userAgentID"].(string), nil -} - func (t *TokenView) appendTokenRemoved(event eventstore.Event) error { - token, err := eventToMap(event) + tokenID, err := tokenIDFromEvent(event) if err != nil { return err } - if token["tokenId"] == t.ID { + if tokenID == t.ID { t.Deactivated = true } return nil } func (t *TokenView) appendRefreshTokenRemoved(event eventstore.Event) error { - refreshToken, err := eventToMap(event) + tokenID, err := tokenIDFromEvent(event) if err != nil { return err } - if refreshToken["tokenId"] == t.RefreshTokenID { + if tokenID == t.RefreshTokenID { t.Deactivated = true } return nil } func (t *TokenView) appendPATRemoved(event eventstore.Event) error { - pat, err := eventToMap(event) + tokenID, err := tokenIDFromEvent(event) if err != nil { return err } - if pat["tokenId"] == t.ID && t.IsPAT { + if tokenID == t.ID && t.IsPAT { t.Deactivated = true } return nil @@ -235,11 +237,15 @@ func (t *TokenView) GetRelevantEventTypes() []eventstore.EventType { } } -func eventToMap(event eventstore.Event) (map[string]interface{}, error) { - m := make(map[string]interface{}) - if err := event.Unmarshal(&m); err != nil { - logging.Log("EVEN-Dbffe").WithError(err).Error("could not unmarshal event data") - return nil, zerrors.ThrowInternal(nil, "MODEL-SDAfw", "could not unmarshal data") - } - return m, nil +type tokenIDPayload struct { + ID string `json:"tokenId"` +} + +func tokenIDFromEvent(event eventstore.Event) (string, error) { + m := new(tokenIDPayload) + if err := event.Unmarshal(&m); err != nil { + logging.WithError(err).Error("could not unmarshal event data") + return "", zerrors.ThrowInternal(nil, "MODEL-SDAfw", "could not unmarshal data") + } + return m.ID, nil } diff --git a/internal/user/repository/view/model/user.go b/internal/user/repository/view/model/user.go index 1beb4b323d..62c64edc0c 100644 --- a/internal/user/repository/view/model/user.go +++ b/internal/user/repository/view/model/user.go @@ -18,27 +18,27 @@ import ( ) const ( - UserKeyUserID = "id" - UserKeyUserName = "user_name" - UserKeyFirstName = "first_name" - UserKeyLastName = "last_name" - UserKeyNickName = "nick_name" - UserKeyDisplayName = "display_name" - UserKeyEmail = "email" - UserKeyState = "user_state" - UserKeyResourceOwner = "resource_owner" - UserKeyLoginNames = "login_names" - UserKeyPreferredLoginName = "preferred_login_name" - UserKeyType = "user_type" - UserKeyInstanceID = "instance_id" - UserKeyOwnerRemoved = "owner_removed" -) - -type userType string - -const ( - userTypeHuman = "human" - userTypeMachine = "machine" + UserKeyUserID = "id" + UserKeyUserName = "user_name" + UserKeyFirstName = "first_name" + UserKeyLastName = "last_name" + UserKeyNickName = "nick_name" + UserKeyDisplayName = "display_name" + UserKeyEmail = "email" + UserKeyState = "user_state" + UserKeyResourceOwner = "resource_owner" + UserKeyLoginNames = "login_names" + UserKeyPreferredLoginName = "preferred_login_name" + UserKeyType = "user_type" + UserKeyInstanceID = "instance_id" + UserKeyOwnerRemoved = "owner_removed" + UserKeyPasswordSet = "password_set" + UserKeyPasswordInitRequired = "password_init_required" + UserKeyPasswordChange = "password_change" + UserKeyInitRequired = "init_required" + UserKeyPasswordlessInitRequired = "passwordless_init_required" + UserKeyMFAInitSkipped = "mfa_init_skipped" + UserKeyChangeDate = "change_date" ) type UserView struct { @@ -51,7 +51,6 @@ type UserView struct { LoginNames database.TextArray[string] `json:"-" gorm:"column:login_names"` PreferredLoginName string `json:"-" gorm:"column:preferred_login_name"` Sequence uint64 `json:"-" gorm:"column:sequence"` - Type userType `json:"-" gorm:"column:user_type"` UserName string `json:"userName" gorm:"column:user_name"` InstanceID string `json:"instanceID" gorm:"column:instance_id;primary_key"` *MachineView @@ -236,13 +235,13 @@ func (u *UserView) SetLoginNames(userLoginMustBeDomain bool, domains []*org_mode } func (u *UserView) AppendEvent(event eventstore.Event) (err error) { + // in case anything needs to be change here check if the Reduce function needs the change as well u.ChangeDate = event.CreatedAt() u.Sequence = event.Sequence() switch event.Type() { case user.MachineAddedEventType: u.CreationDate = event.CreatedAt() u.setRootData(event) - u.Type = userTypeMachine err = u.setData(event) if err != nil { return err @@ -253,7 +252,6 @@ func (u *UserView) AppendEvent(event eventstore.Event) (err error) { user.HumanAddedType: u.CreationDate = event.CreatedAt() u.setRootData(event) - u.Type = userTypeHuman err = u.setData(event) if err != nil { return err @@ -396,7 +394,7 @@ func (u *UserView) setData(event eventstore.Event) error { func (u *UserView) setPasswordData(event eventstore.Event) error { password := new(es_model.Password) if err := event.Unmarshal(password); err != nil { - logging.Log("MODEL-sdw4r").WithError(err).Error("could not unmarshal event data") + logging.WithError(err).Error("could not unmarshal event data") return zerrors.ThrowInternal(nil, "MODEL-6jhsw", "could not unmarshal data") } u.PasswordSet = password.Secret != nil || password.EncodedHash != "" diff --git a/internal/user/repository/view/model/user_session.go b/internal/user/repository/view/model/user_session.go index f4f4b98621..d761592551 100644 --- a/internal/user/repository/view/model/user_session.go +++ b/internal/user/repository/view/model/user_session.go @@ -1,6 +1,7 @@ package model import ( + "database/sql" "time" "github.com/zitadel/logging" @@ -14,48 +15,63 @@ import ( ) const ( - UserSessionKeyUserAgentID = "user_agent_id" - UserSessionKeyUserID = "user_id" - UserSessionKeyState = "state" - UserSessionKeyResourceOwner = "resource_owner" - UserSessionKeyInstanceID = "instance_id" - UserSessionKeyOwnerRemoved = "owner_removed" + UserSessionKeyUserAgentID = "user_agent_id" + UserSessionKeyUserID = "user_id" + UserSessionKeyState = "state" + UserSessionKeyResourceOwner = "resource_owner" + UserSessionKeyInstanceID = "instance_id" + UserSessionKeyOwnerRemoved = "owner_removed" + UserSessionKeyCreationDate = "creation_date" + UserSessionKeyChangeDate = "change_date" + UserSessionKeySequence = "sequence" + UserSessionKeyPasswordVerification = "password_verification" + UserSessionKeySecondFactorVerification = "second_factor_verification" + UserSessionKeySecondFactorVerificationType = "second_factor_verification_type" + UserSessionKeyMultiFactorVerification = "multi_factor_verification" + UserSessionKeyMultiFactorVerificationType = "multi_factor_verification_type" + UserSessionKeyPasswordlessVerification = "passwordless_verification" + UserSessionKeyExternalLoginVerification = "external_login_verification" + UserSessionKeySelectedIDPConfigID = "selected_idp_config_id" ) type UserSessionView struct { - CreationDate time.Time `json:"-" gorm:"column:creation_date"` - ChangeDate time.Time `json:"-" gorm:"column:change_date"` - ResourceOwner string `json:"-" gorm:"column:resource_owner"` - State int32 `json:"-" gorm:"column:state"` - UserAgentID string `json:"userAgentID" gorm:"column:user_agent_id;primary_key"` - UserID string `json:"userID" gorm:"column:user_id;primary_key"` + CreationDate time.Time `json:"-" gorm:"column:creation_date"` + ChangeDate time.Time `json:"-" gorm:"column:change_date"` + ResourceOwner string `json:"-" gorm:"column:resource_owner"` + State sql.Null[domain.UserSessionState] `json:"-" gorm:"column:state"` + UserAgentID string `json:"userAgentID" gorm:"column:user_agent_id;primary_key"` + UserID string `json:"userID" gorm:"column:user_id;primary_key"` // As of https://github.com/zitadel/zitadel/pull/7199 the following 4 attributes // are not projected in the user session handler anymore // and are therefore annotated with a `gorm:"-"`. // They will be read from the corresponding projection directly. - UserName string `json:"-" gorm:"-"` - LoginName string `json:"-" gorm:"-"` - DisplayName string `json:"-" gorm:"-"` - AvatarKey string `json:"-" gorm:"-"` - SelectedIDPConfigID string `json:"selectedIDPConfigID" gorm:"column:selected_idp_config_id"` - PasswordVerification time.Time `json:"-" gorm:"column:password_verification"` - PasswordlessVerification time.Time `json:"-" gorm:"column:passwordless_verification"` - ExternalLoginVerification time.Time `json:"-" gorm:"column:external_login_verification"` - SecondFactorVerification time.Time `json:"-" gorm:"column:second_factor_verification"` - SecondFactorVerificationType int32 `json:"-" gorm:"column:second_factor_verification_type"` - MultiFactorVerification time.Time `json:"-" gorm:"column:multi_factor_verification"` - MultiFactorVerificationType int32 `json:"-" gorm:"column:multi_factor_verification_type"` - Sequence uint64 `json:"-" gorm:"column:sequence"` - InstanceID string `json:"instanceID" gorm:"column:instance_id;primary_key"` + UserName sql.NullString `json:"-" gorm:"-"` + LoginName sql.NullString `json:"-" gorm:"-"` + DisplayName sql.NullString `json:"-" gorm:"-"` + AvatarKey sql.NullString `json:"-" gorm:"-"` + SelectedIDPConfigID sql.NullString `json:"selectedIDPConfigID" gorm:"column:selected_idp_config_id"` + PasswordVerification sql.NullTime `json:"-" gorm:"column:password_verification"` + PasswordlessVerification sql.NullTime `json:"-" gorm:"column:passwordless_verification"` + ExternalLoginVerification sql.NullTime `json:"-" gorm:"column:external_login_verification"` + SecondFactorVerification sql.NullTime `json:"-" gorm:"column:second_factor_verification"` + SecondFactorVerificationType sql.NullInt32 `json:"-" gorm:"column:second_factor_verification_type"` + MultiFactorVerification sql.NullTime `json:"-" gorm:"column:multi_factor_verification"` + MultiFactorVerificationType sql.NullInt32 `json:"-" gorm:"column:multi_factor_verification_type"` + Sequence uint64 `json:"-" gorm:"column:sequence"` + InstanceID string `json:"instanceID" gorm:"column:instance_id;primary_key"` } -func UserSessionFromEvent(event eventstore.Event) (*UserSessionView, error) { - v := new(UserSessionView) - if err := event.Unmarshal(v); err != nil { - logging.Log("EVEN-lso9e").WithError(err).Error("could not unmarshal event data") - return nil, zerrors.ThrowInternal(nil, "MODEL-sd325", "could not unmarshal data") +type userAgentIDPayload struct { + ID string `json:"userAgentID"` +} + +func UserAgentIDFromEvent(event eventstore.Event) (string, error) { + payload := new(userAgentIDPayload) + if err := event.Unmarshal(payload); err != nil { + logging.WithError(err).Error("could not unmarshal event data") + return "", zerrors.ThrowInternal(nil, "MODEL-HJwk9", "could not unmarshal data") } - return v, nil + return payload.ID, nil } func UserSessionToModel(userSession *UserSessionView) *model.UserSessionView { @@ -63,21 +79,21 @@ func UserSessionToModel(userSession *UserSessionView) *model.UserSessionView { ChangeDate: userSession.ChangeDate, CreationDate: userSession.CreationDate, ResourceOwner: userSession.ResourceOwner, - State: domain.UserSessionState(userSession.State), + State: userSession.State.V, UserAgentID: userSession.UserAgentID, UserID: userSession.UserID, - UserName: userSession.UserName, - LoginName: userSession.LoginName, - DisplayName: userSession.DisplayName, - AvatarKey: userSession.AvatarKey, - SelectedIDPConfigID: userSession.SelectedIDPConfigID, - PasswordVerification: userSession.PasswordVerification, - PasswordlessVerification: userSession.PasswordlessVerification, - ExternalLoginVerification: userSession.ExternalLoginVerification, - SecondFactorVerification: userSession.SecondFactorVerification, - SecondFactorVerificationType: domain.MFAType(userSession.SecondFactorVerificationType), - MultiFactorVerification: userSession.MultiFactorVerification, - MultiFactorVerificationType: domain.MFAType(userSession.MultiFactorVerificationType), + UserName: userSession.UserName.String, + LoginName: userSession.LoginName.String, + DisplayName: userSession.DisplayName.String, + AvatarKey: userSession.AvatarKey.String, + SelectedIDPConfigID: userSession.SelectedIDPConfigID.String, + PasswordVerification: userSession.PasswordVerification.Time, + PasswordlessVerification: userSession.PasswordlessVerification.Time, + ExternalLoginVerification: userSession.ExternalLoginVerification.Time, + SecondFactorVerification: userSession.SecondFactorVerification.Time, + SecondFactorVerificationType: domain.MFAType(userSession.SecondFactorVerificationType.Int32), + MultiFactorVerification: userSession.MultiFactorVerification.Time, + MultiFactorVerificationType: domain.MFAType(userSession.MultiFactorVerificationType.Int32), Sequence: userSession.Sequence, } } @@ -91,34 +107,35 @@ func UserSessionsToModel(userSessions []*UserSessionView) []*model.UserSessionVi } func (v *UserSessionView) AppendEvent(event eventstore.Event) error { + // in case anything needs to be change here check if the Reduce function needs the change as well v.Sequence = event.Sequence() v.ChangeDate = event.CreatedAt() switch event.Type() { case user.UserV1PasswordCheckSucceededType, user.HumanPasswordCheckSucceededType: - v.PasswordVerification = event.CreatedAt() - v.State = int32(domain.UserSessionStateActive) + v.PasswordVerification = sql.NullTime{Time: event.CreatedAt(), Valid: true} + v.State.V = domain.UserSessionStateActive case user.UserIDPLoginCheckSucceededType: data := new(es_model.AuthRequest) err := data.SetData(event) if err != nil { return err } - v.ExternalLoginVerification = event.CreatedAt() - v.SelectedIDPConfigID = data.SelectedIDPConfigID - v.State = int32(domain.UserSessionStateActive) + v.ExternalLoginVerification = sql.NullTime{Time: event.CreatedAt(), Valid: true} + v.SelectedIDPConfigID = sql.NullString{String: data.SelectedIDPConfigID, Valid: true} + v.State.V = domain.UserSessionStateActive case user.HumanPasswordlessTokenCheckSucceededType: - v.PasswordlessVerification = event.CreatedAt() - v.MultiFactorVerification = event.CreatedAt() - v.MultiFactorVerificationType = int32(domain.MFATypeU2FUserVerification) - v.State = int32(domain.UserSessionStateActive) + v.PasswordlessVerification = sql.NullTime{Time: event.CreatedAt(), Valid: true} + v.MultiFactorVerification = sql.NullTime{Time: event.CreatedAt(), Valid: true} + v.MultiFactorVerificationType = sql.NullInt32{Int32: int32(domain.MFATypeU2FUserVerification)} + v.State.V = domain.UserSessionStateActive case user.HumanPasswordlessTokenCheckFailedType, user.HumanPasswordlessTokenRemovedType: - v.PasswordlessVerification = time.Time{} - v.MultiFactorVerification = time.Time{} + v.PasswordlessVerification = sql.NullTime{Time: time.Time{}, Valid: true} + v.MultiFactorVerification = sql.NullTime{Time: time.Time{}, Valid: true} case user.UserV1PasswordCheckFailedType, user.HumanPasswordCheckFailedType: - v.PasswordVerification = time.Time{} + v.PasswordVerification = sql.NullTime{Time: time.Time{}, Valid: true} case user.UserV1PasswordChangedType, user.HumanPasswordChangedType: data := new(es_model.PasswordChange) @@ -127,7 +144,7 @@ func (v *UserSessionView) AppendEvent(event eventstore.Event) error { return err } if v.UserAgentID != data.UserAgentID { - v.PasswordVerification = time.Time{} + v.PasswordVerification = sql.NullTime{Time: time.Time{}, Valid: true} } case user.HumanMFAOTPVerifiedType: data := new(es_model.OTPVerified) @@ -167,7 +184,7 @@ func (v *UserSessionView) AppendEvent(event eventstore.Event) error { user.HumanU2FTokenRemovedType, user.HumanOTPSMSCheckFailedType, user.HumanOTPEmailCheckFailedType: - v.SecondFactorVerification = time.Time{} + v.SecondFactorVerification = sql.NullTime{Time: time.Time{}, Valid: true} case user.HumanU2FTokenVerifiedType: data := new(es_model.WebAuthNVerify) err := data.SetData(event) @@ -183,25 +200,25 @@ func (v *UserSessionView) AppendEvent(event eventstore.Event) error { user.HumanSignedOutType, user.UserLockedType, user.UserDeactivatedType: - v.PasswordlessVerification = time.Time{} - v.PasswordVerification = time.Time{} - v.SecondFactorVerification = time.Time{} - v.SecondFactorVerificationType = int32(domain.MFALevelNotSetUp) - v.MultiFactorVerification = time.Time{} - v.MultiFactorVerificationType = int32(domain.MFALevelNotSetUp) - v.ExternalLoginVerification = time.Time{} - v.State = int32(domain.UserSessionStateTerminated) + v.PasswordlessVerification = sql.NullTime{Time: time.Time{}, Valid: true} + v.PasswordVerification = sql.NullTime{Time: time.Time{}, Valid: true} + v.SecondFactorVerification = sql.NullTime{Time: time.Time{}, Valid: true} + v.SecondFactorVerificationType = sql.NullInt32{Int32: int32(domain.MFALevelNotSetUp)} + v.MultiFactorVerification = sql.NullTime{Time: time.Time{}, Valid: true} + v.MultiFactorVerificationType = sql.NullInt32{Int32: int32(domain.MFALevelNotSetUp)} + v.ExternalLoginVerification = sql.NullTime{Time: time.Time{}, Valid: true} + v.State.V = domain.UserSessionStateTerminated case user.UserIDPLinkRemovedType, user.UserIDPLinkCascadeRemovedType: - v.ExternalLoginVerification = time.Time{} - v.SelectedIDPConfigID = "" + v.ExternalLoginVerification = sql.NullTime{Time: time.Time{}, Valid: true} + v.SelectedIDPConfigID = sql.NullString{String: "", Valid: true} } return nil } func (v *UserSessionView) setSecondFactorVerification(verificationTime time.Time, mfaType domain.MFAType) { - v.SecondFactorVerification = verificationTime - v.SecondFactorVerificationType = int32(mfaType) - v.State = int32(domain.UserSessionStateActive) + v.SecondFactorVerification = sql.NullTime{Time: verificationTime, Valid: true} + v.SecondFactorVerificationType = sql.NullInt32{Int32: int32(mfaType)} + v.State.V = domain.UserSessionStateActive } func (v *UserSessionView) EventTypes() []eventstore.EventType { diff --git a/internal/user/repository/view/model/user_session_test.go b/internal/user/repository/view/model/user_session_test.go index 8f3157f989..3e832ae1fd 100644 --- a/internal/user/repository/view/model/user_session_test.go +++ b/internal/user/repository/view/model/user_session_test.go @@ -1,6 +1,7 @@ package model import ( + "database/sql" "encoding/json" "testing" "time" @@ -8,6 +9,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/zitadel/zitadel/internal/crypto" + "github.com/zitadel/zitadel/internal/domain" es_models "github.com/zitadel/zitadel/internal/eventstore/v1/models" "github.com/zitadel/zitadel/internal/repository/user" es_model "github.com/zitadel/zitadel/internal/user/repository/eventsourcing/model" @@ -33,7 +35,7 @@ func TestAppendEvent(t *testing.T) { event: &es_models.Event{CreationDate: now(), Typ: user.UserV1PasswordCheckSucceededType}, userView: &UserSessionView{}, }, - result: &UserSessionView{ChangeDate: now(), PasswordVerification: now()}, + result: &UserSessionView{ChangeDate: now(), PasswordVerification: sql.NullTime{Time: now(), Valid: true}}, }, { name: "append human password check succeeded event", @@ -41,23 +43,23 @@ func TestAppendEvent(t *testing.T) { event: &es_models.Event{CreationDate: now(), Typ: user.HumanPasswordCheckSucceededType}, userView: &UserSessionView{}, }, - result: &UserSessionView{ChangeDate: now(), PasswordVerification: now()}, + result: &UserSessionView{ChangeDate: now(), PasswordVerification: sql.NullTime{Time: now(), Valid: true}}, }, { name: "append user password check failed event", args: args{ event: &es_models.Event{CreationDate: now(), Typ: user.UserV1PasswordCheckFailedType}, - userView: &UserSessionView{PasswordVerification: now()}, + userView: &UserSessionView{PasswordVerification: sql.NullTime{Time: now(), Valid: true}}, }, - result: &UserSessionView{ChangeDate: now(), PasswordVerification: time.Time{}}, + result: &UserSessionView{ChangeDate: now(), PasswordVerification: sql.NullTime{Time: time.Time{}, Valid: true}}, }, { name: "append human password check failed event", args: args{ event: &es_models.Event{CreationDate: now(), Typ: user.HumanPasswordCheckFailedType}, - userView: &UserSessionView{PasswordVerification: now()}, + userView: &UserSessionView{PasswordVerification: sql.NullTime{Time: now(), Valid: true}}, }, - result: &UserSessionView{ChangeDate: now(), PasswordVerification: time.Time{}}, + result: &UserSessionView{ChangeDate: now(), PasswordVerification: sql.NullTime{Time: time.Time{}, Valid: true}}, }, { name: "append user password changed event", @@ -72,9 +74,9 @@ func TestAppendEvent(t *testing.T) { return d }(), }, - userView: &UserSessionView{UserAgentID: "id", PasswordVerification: now()}, + userView: &UserSessionView{UserAgentID: "id", PasswordVerification: sql.NullTime{Time: now(), Valid: true}}, }, - result: &UserSessionView{UserAgentID: "id", ChangeDate: now(), PasswordVerification: time.Time{}}, + result: &UserSessionView{UserAgentID: "id", ChangeDate: now(), PasswordVerification: sql.NullTime{Time: time.Time{}, Valid: true}}, }, { name: "append human password changed event", @@ -91,9 +93,9 @@ func TestAppendEvent(t *testing.T) { return d }(), }, - userView: &UserSessionView{UserAgentID: "id", PasswordVerification: now()}, + userView: &UserSessionView{UserAgentID: "id", PasswordVerification: sql.NullTime{Time: now(), Valid: true}}, }, - result: &UserSessionView{UserAgentID: "id", ChangeDate: now(), PasswordVerification: time.Time{}}, + result: &UserSessionView{UserAgentID: "id", ChangeDate: now(), PasswordVerification: sql.NullTime{Time: time.Time{}, Valid: true}}, }, { name: "append human password changed event same user agent", @@ -111,9 +113,9 @@ func TestAppendEvent(t *testing.T) { return d }(), }, - userView: &UserSessionView{UserAgentID: "id", PasswordVerification: now()}, + userView: &UserSessionView{UserAgentID: "id", PasswordVerification: sql.NullTime{Time: now(), Valid: true}}, }, - result: &UserSessionView{UserAgentID: "id", ChangeDate: now(), PasswordVerification: now()}, + result: &UserSessionView{UserAgentID: "id", ChangeDate: now(), PasswordVerification: sql.NullTime{Time: now(), Valid: true}}, }, { name: "append user otp verified event", @@ -142,7 +144,7 @@ func TestAppendEvent(t *testing.T) { }, userView: &UserSessionView{UserAgentID: "id"}, }, - result: &UserSessionView{UserAgentID: "id", ChangeDate: now(), SecondFactorVerification: now()}, + result: &UserSessionView{UserAgentID: "id", ChangeDate: now(), SecondFactorVerification: sql.NullTime{Time: now(), Valid: true}}, }, { name: "append user otp check succeeded event", @@ -150,7 +152,7 @@ func TestAppendEvent(t *testing.T) { event: &es_models.Event{CreationDate: now(), Typ: user.UserV1MFAOTPCheckSucceededType}, userView: &UserSessionView{}, }, - result: &UserSessionView{ChangeDate: now(), SecondFactorVerification: now()}, + result: &UserSessionView{ChangeDate: now(), SecondFactorVerification: sql.NullTime{Time: now(), Valid: true}}, }, { name: "append human otp check succeeded event", @@ -158,55 +160,77 @@ func TestAppendEvent(t *testing.T) { event: &es_models.Event{CreationDate: now(), Typ: user.HumanMFAOTPCheckSucceededType}, userView: &UserSessionView{}, }, - result: &UserSessionView{ChangeDate: now(), SecondFactorVerification: now()}, + result: &UserSessionView{ChangeDate: now(), SecondFactorVerification: sql.NullTime{Time: now(), Valid: true}}, }, { name: "append user otp check failed event", args: args{ event: &es_models.Event{CreationDate: now(), Typ: user.UserV1MFAOTPCheckFailedType}, - userView: &UserSessionView{SecondFactorVerification: now()}, + userView: &UserSessionView{SecondFactorVerification: sql.NullTime{Time: now(), Valid: true}}, }, - result: &UserSessionView{ChangeDate: now(), SecondFactorVerification: time.Time{}}, + result: &UserSessionView{ChangeDate: now(), SecondFactorVerification: sql.NullTime{Time: time.Time{}, Valid: true}}, }, { name: "append human otp check failed event", args: args{ event: &es_models.Event{CreationDate: now(), Typ: user.HumanMFAOTPCheckFailedType}, - userView: &UserSessionView{SecondFactorVerification: now()}, + userView: &UserSessionView{SecondFactorVerification: sql.NullTime{Time: now(), Valid: true}}, }, - result: &UserSessionView{ChangeDate: now(), SecondFactorVerification: time.Time{}}, + result: &UserSessionView{ChangeDate: now(), SecondFactorVerification: sql.NullTime{Time: time.Time{}, Valid: true}}, }, { name: "append user otp removed event", args: args{ event: &es_models.Event{CreationDate: now(), Typ: user.UserV1MFAOTPRemovedType}, - userView: &UserSessionView{SecondFactorVerification: now()}, + userView: &UserSessionView{SecondFactorVerification: sql.NullTime{Time: now(), Valid: true}}, }, - result: &UserSessionView{ChangeDate: now(), SecondFactorVerification: time.Time{}}, + result: &UserSessionView{ChangeDate: now(), SecondFactorVerification: sql.NullTime{Time: time.Time{}, Valid: true}}, }, { name: "append human otp removed event", args: args{ event: &es_models.Event{CreationDate: now(), Typ: user.HumanMFAOTPRemovedType}, - userView: &UserSessionView{SecondFactorVerification: now()}, + userView: &UserSessionView{SecondFactorVerification: sql.NullTime{Time: now(), Valid: true}}, }, - result: &UserSessionView{ChangeDate: now(), SecondFactorVerification: time.Time{}}, + result: &UserSessionView{ChangeDate: now(), SecondFactorVerification: sql.NullTime{Time: time.Time{}, Valid: true}}, }, { name: "append user signed out event", args: args{ - event: &es_models.Event{CreationDate: now(), Typ: user.UserV1SignedOutType}, - userView: &UserSessionView{PasswordVerification: now(), SecondFactorVerification: now()}, + event: &es_models.Event{CreationDate: now(), Typ: user.UserV1SignedOutType}, + userView: &UserSessionView{ + PasswordVerification: sql.NullTime{Time: now(), Valid: true}, + SecondFactorVerification: sql.NullTime{Time: now(), Valid: true}, + }, + }, + result: &UserSessionView{ + ChangeDate: now(), + PasswordVerification: sql.NullTime{Time: time.Time{}, Valid: true}, + SecondFactorVerification: sql.NullTime{Time: time.Time{}, Valid: true}, + ExternalLoginVerification: sql.NullTime{Time: time.Time{}, Valid: true}, + PasswordlessVerification: sql.NullTime{Time: time.Time{}, Valid: true}, + MultiFactorVerification: sql.NullTime{Time: time.Time{}, Valid: true}, + State: sql.Null[domain.UserSessionState]{V: domain.UserSessionStateTerminated}, }, - result: &UserSessionView{ChangeDate: now(), PasswordVerification: time.Time{}, SecondFactorVerification: time.Time{}, State: 1}, }, { name: "append human signed out event", args: args{ - event: &es_models.Event{CreationDate: now(), Typ: user.HumanSignedOutType}, - userView: &UserSessionView{PasswordVerification: now(), SecondFactorVerification: now()}, + event: &es_models.Event{CreationDate: now(), Typ: user.HumanSignedOutType}, + userView: &UserSessionView{ + PasswordVerification: sql.NullTime{Time: now(), Valid: true}, + SecondFactorVerification: sql.NullTime{Time: now(), Valid: true}, + }, + }, + result: &UserSessionView{ + ChangeDate: now(), + PasswordVerification: sql.NullTime{Time: time.Time{}, Valid: true}, + SecondFactorVerification: sql.NullTime{Time: time.Time{}, Valid: true}, + ExternalLoginVerification: sql.NullTime{Time: time.Time{}, Valid: true}, + PasswordlessVerification: sql.NullTime{Time: time.Time{}, Valid: true}, + MultiFactorVerification: sql.NullTime{Time: time.Time{}, Valid: true}, + State: sql.Null[domain.UserSessionState]{V: domain.UserSessionStateTerminated}, }, - result: &UserSessionView{ChangeDate: now(), PasswordVerification: time.Time{}, SecondFactorVerification: time.Time{}, State: 1}, }, } for _, tt := range tests { diff --git a/internal/user/repository/view/refresh_token_view.go b/internal/user/repository/view/refresh_token_view.go index 642dfc1016..bc8c8b79a1 100644 --- a/internal/user/repository/view/refresh_token_view.go +++ b/internal/user/repository/view/refresh_token_view.go @@ -42,74 +42,9 @@ func RefreshTokensByUserID(db *gorm.DB, table, userID, instanceID string) ([]*us return tokens, err } -func PutRefreshToken(db *gorm.DB, table string, token *usr_model.RefreshTokenView) error { - save := repository.PrepareSaveOnConflict(table, - []string{"client_id", "user_agent_id", "user_id"}, - []string{"id", "creation_date", "change_date", "token", "auth_time", "idle_expiration", "expiration", "sequence", "scopes", "audience", "amr"}, - ) - return save(db, token) -} - -func PutRefreshTokens(db *gorm.DB, table string, tokens ...*usr_model.RefreshTokenView) error { - save := repository.PrepareBulkSave(table) - t := make([]interface{}, len(tokens)) - for i, token := range tokens { - t[i] = token - } - return save(db, t...) -} - func SearchRefreshTokens(db *gorm.DB, table string, req *model.RefreshTokenSearchRequest) ([]*usr_model.RefreshTokenView, uint64, error) { tokens := make([]*usr_model.RefreshTokenView, 0) query := repository.PrepareSearchQuery(table, usr_model.RefreshTokenSearchRequest{Limit: req.Limit, Offset: req.Offset, Queries: req.Queries}) count, err := query(db, &tokens) return tokens, count, err } - -func DeleteRefreshToken(db *gorm.DB, table, tokenID, instanceID string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyRefreshTokenID), tokenID}, - repository.Key{usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyInstanceID), instanceID}, - ) - return delete(db) -} - -func DeleteSessionRefreshTokens(db *gorm.DB, table, agentID, userID string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{Key: usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyUserAgentID), Value: agentID}, - repository.Key{Key: usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyUserID), Value: userID}, - ) - return delete(db) -} - -func DeleteUserRefreshTokens(db *gorm.DB, table, userID, instanceID string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyUserID), userID}, - repository.Key{usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyInstanceID), instanceID}, - ) - return delete(db) -} - -func DeleteApplicationRefreshTokens(db *gorm.DB, table string, instanceID string, appIDs []string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{Key: usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyInstanceID), Value: instanceID}, - repository.Key{Key: usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyApplicationID), Value: appIDs}, - ) - return delete(db) -} - -func DeleteOrgRefreshTokens(db *gorm.DB, table string, instanceID, orgID string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{Key: usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyInstanceID), Value: instanceID}, - repository.Key{Key: usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyResourceOwner), Value: orgID}, - ) - return delete(db) -} - -func DeleteInstanceRefreshTokens(db *gorm.DB, table string, instanceID string) error { - delete := repository.PrepareDeleteByKey(table, - usr_model.RefreshTokenSearchKey(model.RefreshTokenSearchKeyInstanceID), - instanceID, - ) - return delete(db) -} diff --git a/internal/user/repository/view/token_view.go b/internal/user/repository/view/token_view.go index 72a0d164a4..9c681c1f67 100644 --- a/internal/user/repository/view/token_view.go +++ b/internal/user/repository/view/token_view.go @@ -47,74 +47,3 @@ func TokensByUserID(db *gorm.DB, table, userID, instanceID string) ([]*usr_model _, err := query(db, &tokens) return tokens, err } - -func PutToken(db *gorm.DB, table string, token *usr_model.TokenView) error { - save := repository.PrepareSave(table) - return save(db, token) -} - -func PutTokens(db *gorm.DB, table string, tokens ...*usr_model.TokenView) error { - save := repository.PrepareBulkSave(table) - t := make([]interface{}, len(tokens)) - for i, token := range tokens { - t[i] = token - } - return save(db, t...) -} - -func DeleteToken(db *gorm.DB, table, tokenID, instanceID string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyTokenID), Value: tokenID}, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyInstanceID), Value: instanceID}, - ) - return delete(db) -} - -func DeleteSessionTokens(db *gorm.DB, table, agentID, userID, instanceID string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyUserAgentID), Value: agentID}, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyUserID), Value: userID}, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyInstanceID), Value: instanceID}, - ) - return delete(db) -} - -func DeleteUserTokens(db *gorm.DB, table, userID, instanceID string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyUserID), Value: userID}, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyInstanceID), Value: instanceID}, - ) - return delete(db) -} - -func DeleteTokensFromRefreshToken(db *gorm.DB, table, refreshTokenID, instanceID string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyRefreshTokenID), Value: refreshTokenID}, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyInstanceID), Value: instanceID}, - ) - return delete(db) -} - -func DeleteApplicationTokens(db *gorm.DB, table, instanceID string, appIDs []string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyApplicationID), Value: appIDs}, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyInstanceID), Value: instanceID}, - ) - return delete(db) -} - -func DeleteInstanceTokens(db *gorm.DB, table, instanceID string) error { - delete := repository.PrepareDeleteByKey(table, - usr_model.TokenSearchKey(model.TokenSearchKeyInstanceID), - instanceID, - ) - return delete(db) -} - -func DeleteOrgTokens(db *gorm.DB, table, instanceID, orgID string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyResourceOwner), Value: orgID}, - repository.Key{Key: usr_model.TokenSearchKey(model.TokenSearchKeyInstanceID), Value: instanceID}, - ) - return delete(db) -} diff --git a/internal/user/repository/view/user_by_id.sql b/internal/user/repository/view/user_by_id.sql new file mode 100644 index 0000000000..fa85fc43f4 --- /dev/null +++ b/internal/user/repository/view/user_by_id.sql @@ -0,0 +1,93 @@ +WITH auth_methods AS ( + SELECT + user_id + , method_type + , token_id + , state + , instance_id + , name + FROM + projections.user_auth_methods4 + WHERE + instance_id = $1 + AND user_id = $2 +), +verified_auth_methods AS ( + SELECT + method_type + FROM + auth_methods + WHERE state = 2 +) +SELECT + u.id + , u.creation_date + , LEAST(u.change_date, au.change_date) AS change_date + , u.resource_owner + , u.state AS user_state + , au.password_set + , h.password_change_required + , au.password_change + , au.last_login + , u.username AS user_name + , (SELECT array_agg(ll.login_name) login_names FROM projections.login_names3 ll + WHERE u.instance_id = ll.instance_id AND u.id = ll.user_id + GROUP BY ll.user_id, ll.instance_id) AS login_names + , l.login_name + , h.first_name + , h.last_name + , h.nick_name + , h.display_name + , h.preferred_language + , h.gender + , h.email + , h.is_email_verified + , h.phone + , h.is_phone_verified + , (SELECT COALESCE((SELECT state FROM auth_methods WHERE method_type = 1), 0)) AS otp_state + , CASE + WHEN EXISTS (SELECT true FROM verified_auth_methods WHERE method_type = 3) THEN 2 + WHEN EXISTS (SELECT true FROM verified_auth_methods WHERE method_type = 2) THEN 1 + ELSE 0 + END AS mfa_max_set_up + , au.mfa_init_skipped + , u.sequence + , au.init_required + , au.username_change_required + , m.name AS machine_name + , m.description AS machine_description + , u.type AS user_type + , (SELECT + JSONB_AGG(json_build_object('webAuthNTokenId', token_id, 'webAuthNTokenName', name, 'state', state)) + FROM auth_methods + WHERE method_type = 2 + ) AS u2f_tokens + , (SELECT + JSONB_AGG(json_build_object('webAuthNTokenId', token_id, 'webAuthNTokenName', name, 'state', state)) + FROM auth_methods + WHERE method_type = 3 + ) AS passwordless_tokens + , h.avatar_key + , au.passwordless_init_required + , au.password_init_required + , u.instance_id + , (SELECT EXISTS (SELECT true FROM verified_auth_methods WHERE method_type = 6)) AS otp_sms_added + , (SELECT EXISTS (SELECT true FROM verified_auth_methods WHERE method_type = 7)) AS otp_email_added +FROM projections.users12 u + LEFT JOIN projections.users12_humans h + ON u.instance_id = h.instance_id + AND u.id = h.user_id + LEFT JOIN projections.login_names3 l + ON u.instance_id = l.instance_id + AND u.id = l.user_id + AND l.is_primary = true + LEFT JOIN projections.users12_machines m + ON u.instance_id = m.instance_id + AND u.id = m.user_id + LEFT JOIN auth.users3 au + ON u.instance_id = au.instance_id + AND u.id = au.id +WHERE + u.instance_id = $1 + AND u.id = $2 +LIMIT 1; \ No newline at end of file diff --git a/internal/user/repository/view/user_session_view.go b/internal/user/repository/view/user_session_view.go index 3afd3c16b2..2de6233797 100644 --- a/internal/user/repository/view/user_session_view.go +++ b/internal/user/repository/view/user_session_view.go @@ -5,12 +5,8 @@ import ( _ "embed" "errors" - "github.com/jinzhu/gorm" - "github.com/zitadel/zitadel/internal/database" - usr_model "github.com/zitadel/zitadel/internal/user/model" "github.com/zitadel/zitadel/internal/user/repository/view/model" - "github.com/zitadel/zitadel/internal/view/repository" "github.com/zitadel/zitadel/internal/zerrors" ) @@ -46,38 +42,8 @@ func UserSessionsByAgentID(db *database.DB, agentID, instanceID string) (userSes return userSessions, err } -func PutUserSession(db *gorm.DB, table string, session *model.UserSessionView) error { - save := repository.PrepareSave(table) - return save(db, session) -} - -func DeleteUserSessions(db *gorm.DB, table, userID, instanceID string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{Key: model.UserSessionSearchKey(usr_model.UserSessionSearchKeyUserID), Value: userID}, - repository.Key{Key: model.UserSessionSearchKey(usr_model.UserSessionSearchKeyInstanceID), Value: instanceID}, - ) - return delete(db) -} - -func DeleteInstanceUserSessions(db *gorm.DB, table, instanceID string) error { - delete := repository.PrepareDeleteByKey(table, - model.UserSessionSearchKey(usr_model.UserSessionSearchKeyInstanceID), - instanceID, - ) - return delete(db) -} - -func DeleteOrgUserSessions(db *gorm.DB, table, instanceID, orgID string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{Key: model.UserSessionSearchKey(usr_model.UserSessionSearchKeyResourceOwner), Value: orgID}, - repository.Key{Key: model.UserSessionSearchKey(usr_model.UserSessionSearchKeyInstanceID), Value: instanceID}, - ) - return delete(db) -} - func scanUserSession(row *sql.Row) (*model.UserSessionView, error) { session := new(model.UserSessionView) - var userName, loginName, displayName, avatarKey sql.NullString err := row.Scan( &session.CreationDate, &session.ChangeDate, @@ -85,10 +51,10 @@ func scanUserSession(row *sql.Row) (*model.UserSessionView, error) { &session.State, &session.UserAgentID, &session.UserID, - &userName, - &loginName, - &displayName, - &avatarKey, + &session.UserName, + &session.LoginName, + &session.DisplayName, + &session.AvatarKey, &session.SelectedIDPConfigID, &session.PasswordVerification, &session.PasswordlessVerification, @@ -103,10 +69,6 @@ func scanUserSession(row *sql.Row) (*model.UserSessionView, error) { if errors.Is(err, sql.ErrNoRows) { return nil, zerrors.ThrowNotFound(nil, "VIEW-NGBs1", "Errors.UserSession.NotFound") } - session.UserName = userName.String - session.LoginName = loginName.String - session.DisplayName = displayName.String - session.AvatarKey = avatarKey.String return session, err } @@ -114,7 +76,6 @@ func scanUserSessions(rows *sql.Rows) ([]*model.UserSessionView, error) { sessions := make([]*model.UserSessionView, 0) for rows.Next() { session := new(model.UserSessionView) - var userName, loginName, displayName, avatarKey sql.NullString err := rows.Scan( &session.CreationDate, &session.ChangeDate, @@ -122,10 +83,10 @@ func scanUserSessions(rows *sql.Rows) ([]*model.UserSessionView, error) { &session.State, &session.UserAgentID, &session.UserID, - &userName, - &loginName, - &displayName, - &avatarKey, + &session.UserName, + &session.LoginName, + &session.DisplayName, + &session.AvatarKey, &session.SelectedIDPConfigID, &session.PasswordVerification, &session.PasswordlessVerification, @@ -140,10 +101,6 @@ func scanUserSessions(rows *sql.Rows) ([]*model.UserSessionView, error) { if err != nil { return nil, err } - session.UserName = userName.String - session.LoginName = loginName.String - session.DisplayName = displayName.String - session.AvatarKey = avatarKey.String sessions = append(sessions, session) } diff --git a/internal/user/repository/view/user_view.go b/internal/user/repository/view/user_view.go index 0b0aeba47d..98b23f4661 100644 --- a/internal/user/repository/view/user_view.go +++ b/internal/user/repository/view/user_view.go @@ -1,98 +1,42 @@ package view import ( - "github.com/jinzhu/gorm" + "context" + "database/sql" + _ "embed" + "errors" + + "github.com/jinzhu/gorm" + "github.com/zitadel/logging" - "github.com/zitadel/zitadel/internal/domain" - usr_model "github.com/zitadel/zitadel/internal/user/model" "github.com/zitadel/zitadel/internal/user/repository/view/model" - "github.com/zitadel/zitadel/internal/view/repository" "github.com/zitadel/zitadel/internal/zerrors" ) +//go:embed user_by_id.sql +var userByIDQuery string + func UserByID(db *gorm.DB, table, userID, instanceID string) (*model.UserView, error) { user := new(model.UserView) - userIDQuery := &model.UserSearchQuery{ - Key: usr_model.UserSearchKeyUserID, - Method: domain.SearchMethodEquals, - Value: userID, - } - instanceIDQuery := &model.UserSearchQuery{ - Key: usr_model.UserSearchKeyInstanceID, - Method: domain.SearchMethodEquals, - Value: instanceID, - } - ownerRemovedQuery := &model.UserSearchQuery{ - Key: usr_model.UserSearchOwnerRemoved, - Method: domain.SearchMethodEquals, - Value: false, - } - query := repository.PrepareGetByQuery(table, userIDQuery, instanceIDQuery, ownerRemovedQuery) - err := query(db, user) - if zerrors.IsNotFound(err) { - return nil, zerrors.ThrowNotFound(nil, "VIEW-sj8Sw", "Errors.User.NotFound") - } - user.SetEmptyUserType() - return user, err -} -func UsersByOrgID(db *gorm.DB, table, orgID, instanceID string) ([]*model.UserView, error) { - users := make([]*model.UserView, 0) - orgIDQuery := &usr_model.UserSearchQuery{ - Key: usr_model.UserSearchKeyResourceOwner, - Method: domain.SearchMethodEquals, - Value: orgID, + query := db.Raw(userByIDQuery, instanceID, userID) + + tx := query.BeginTx(context.Background(), &sql.TxOptions{ReadOnly: true}) + defer func() { + if err := tx.Commit().Error; err != nil { + logging.OnError(err).Info("commit failed") + } + tx.RollbackUnlessCommitted() + }() + + err := tx.Scan(user).Error + if err == nil { + user.SetEmptyUserType() + return user, nil } - instanceIDQuery := &usr_model.UserSearchQuery{ - Key: usr_model.UserSearchKeyInstanceID, - Method: domain.SearchMethodEquals, - Value: instanceID, + if errors.Is(err, gorm.ErrRecordNotFound) { + return nil, zerrors.ThrowNotFound(err, "VIEW-hodc6", "object not found") } - ownerRemovedQuery := &usr_model.UserSearchQuery{ - Key: usr_model.UserSearchOwnerRemoved, - Method: domain.SearchMethodEquals, - Value: false, - } - query := repository.PrepareSearchQuery(table, model.UserSearchRequest{ - Queries: []*usr_model.UserSearchQuery{orgIDQuery, instanceIDQuery, ownerRemovedQuery}, - }) - _, err := query(db, &users) - return users, err -} - -func PutUsers(db *gorm.DB, table string, users ...*model.UserView) error { - save := repository.PrepareBulkSave(table) - u := make([]interface{}, len(users)) - for i, user := range users { - u[i] = user - } - return save(db, u...) -} - -func PutUser(db *gorm.DB, table string, user *model.UserView) error { - save := repository.PrepareSave(table) - return save(db, user) -} - -func DeleteUser(db *gorm.DB, table, userID, instanceID string) error { - delete := repository.PrepareDeleteByKeys(table, - repository.Key{model.UserSearchKey(usr_model.UserSearchKeyUserID), userID}, - repository.Key{model.UserSearchKey(usr_model.UserSearchKeyInstanceID), instanceID}, - ) - return delete(db) -} - -func DeleteInstanceUsers(db *gorm.DB, table, instanceID string) error { - delete := repository.PrepareDeleteByKey(table, model.UserSearchKey(usr_model.UserSearchKeyInstanceID), instanceID) - return delete(db) -} - -func UpdateOrgOwnerRemovedUsers(db *gorm.DB, table, instanceID, aggID string) error { - update := repository.PrepareUpdateByKeys(table, - model.UserSearchKey(usr_model.UserSearchOwnerRemoved), - true, - repository.Key{Key: model.UserSearchKey(usr_model.UserSearchKeyInstanceID), Value: instanceID}, - repository.Key{Key: model.UserSearchKey(usr_model.UserSearchKeyResourceOwner), Value: aggID}, - ) - return update(db) + logging.WithFields("table ", table).WithError(err).Warn("get from cache error") + return nil, zerrors.ThrowInternal(err, "VIEW-qJBg9", "cache error") } diff --git a/internal/v2/avatar/added.go b/internal/v2/avatar/added.go new file mode 100644 index 0000000000..5a083a10e3 --- /dev/null +++ b/internal/v2/avatar/added.go @@ -0,0 +1,7 @@ +package avatar + +const AvatarAddedTypeSuffix = ".avatar.added" + +type AddedPayload struct { + StoreKey string `json:"storeKey"` +} diff --git a/internal/v2/avatar/removed.go b/internal/v2/avatar/removed.go new file mode 100644 index 0000000000..44cd5b63db --- /dev/null +++ b/internal/v2/avatar/removed.go @@ -0,0 +1,7 @@ +package avatar + +const AvatarRemovedTypeSuffix = ".avatar.removed" + +type RemovedPayload struct { + StoreKey string `json:"storeKey"` +} diff --git a/internal/v2/database/mock/sql_mock.go b/internal/v2/database/mock/sql_mock.go index c693671d6f..6fe282d1c4 100644 --- a/internal/v2/database/mock/sql_mock.go +++ b/internal/v2/database/mock/sql_mock.go @@ -137,3 +137,11 @@ type AnyType[T interface{}] struct{} func (a AnyType[T]) Match(v driver.Value) bool { return reflect.TypeOf(new(T)).Elem().Kind().String() == reflect.TypeOf(v).Kind().String() } + +var NilArg nilArgument + +type nilArgument struct{} + +func (a nilArgument) Match(v driver.Value) bool { + return reflect.ValueOf(v).IsNil() +} diff --git a/internal/v2/domain/added.go b/internal/v2/domain/added.go new file mode 100644 index 0000000000..4d6f873869 --- /dev/null +++ b/internal/v2/domain/added.go @@ -0,0 +1,7 @@ +package domain + +const AddedTypeSuffix = "domain.added" + +type AddedPayload struct { + Name string `json:"domain"` +} diff --git a/internal/v2/domain/primary_set.go b/internal/v2/domain/primary_set.go new file mode 100644 index 0000000000..4155656b35 --- /dev/null +++ b/internal/v2/domain/primary_set.go @@ -0,0 +1,7 @@ +package domain + +const PrimarySetTypeSuffix = "domain.primary.set" + +type PrimarySetPayload struct { + Name string `json:"domain"` +} diff --git a/internal/v2/domain/removed.go b/internal/v2/domain/removed.go new file mode 100644 index 0000000000..8041abb6df --- /dev/null +++ b/internal/v2/domain/removed.go @@ -0,0 +1,7 @@ +package domain + +const RemovedTypeSuffix = "domain.removed" + +type RemovedPayload struct { + Name string `json:"domain"` +} diff --git a/internal/v2/domain/verfied.go b/internal/v2/domain/verfied.go new file mode 100644 index 0000000000..835274bf9a --- /dev/null +++ b/internal/v2/domain/verfied.go @@ -0,0 +1,7 @@ +package domain + +const VerifiedTypeSuffix = "domain.verified" + +type VerifiedPayload struct { + Name string `json:"domain"` +} diff --git a/internal/v2/eventstore/event.go b/internal/v2/eventstore/event.go index b452093305..2117177587 100644 --- a/internal/v2/eventstore/event.go +++ b/internal/v2/eventstore/event.go @@ -1,36 +1,66 @@ package eventstore -import "time" +import ( + "time" +) + +type Unmarshal func(ptr any) error + +type Payload interface { + Unmarshal | any +} + +type Action[P Payload] struct { + Creator string + Type string + Revision uint16 + Payload P +} + +type Command struct { + Action[any] + UniqueConstraints []*UniqueConstraint +} + +type StorageEvent struct { + Action[Unmarshal] -type Event[P any] struct { Aggregate Aggregate CreatedAt time.Time - Creator string Position GlobalPosition - Revision uint16 Sequence uint32 - Type string - Payload P } -type StoragePayload interface { - Unmarshal(ptr any) error +type Event[P any] struct { + *StorageEvent + Payload P } -func EventFromStorage[E Event[P], P any](event *Event[StoragePayload]) (*E, error) { +func UnmarshalPayload[P any](unmarshal Unmarshal) (P, error) { var payload P - - if err := event.Payload.Unmarshal(&payload); err != nil { - return nil, err - } - return &E{ - Aggregate: event.Aggregate, - CreatedAt: event.CreatedAt, - Creator: event.Creator, - Position: event.Position, - Revision: event.Revision, - Sequence: event.Sequence, - Type: event.Type, - Payload: payload, - }, nil + err := unmarshal(&payload) + return payload, err +} + +type EmptyPayload struct{} + +type TypeChecker interface { + ActionType() string +} + +func Type[T TypeChecker]() string { + var t T + return t.ActionType() +} + +func IsType[T TypeChecker](types ...string) bool { + gotten := Type[T]() + + for _, typ := range types { + if gotten == typ { + return true + } + } + + return false } diff --git a/internal/v2/eventstore/event_store.go b/internal/v2/eventstore/event_store.go index fe70bb36a3..cc447c5e15 100644 --- a/internal/v2/eventstore/event_store.go +++ b/internal/v2/eventstore/event_store.go @@ -34,8 +34,12 @@ type GlobalPosition struct { InPositionOrder uint32 } -type Reducer interface { - Reduce(events ...*Event[StoragePayload]) error +func (gp GlobalPosition) IsLess(other GlobalPosition) bool { + return gp.Position < other.Position || (gp.Position == other.Position && gp.InPositionOrder < other.InPositionOrder) } -type Reduce func(events ...*Event[StoragePayload]) error +type Reducer interface { + Reduce(events ...*StorageEvent) error +} + +type Reduce func(events ...*StorageEvent) error diff --git a/internal/v2/eventstore/postgres/event.go b/internal/v2/eventstore/postgres/event.go index 9970dd14ea..18d86c5751 100644 --- a/internal/v2/eventstore/postgres/event.go +++ b/internal/v2/eventstore/postgres/event.go @@ -2,8 +2,8 @@ package postgres import ( "encoding/json" - - "github.com/zitadel/logging" + "reflect" + "time" "github.com/zitadel/zitadel/internal/v2/eventstore" "github.com/zitadel/zitadel/internal/zerrors" @@ -13,52 +13,52 @@ func intentToCommands(intent *intent) (commands []*command, err error) { commands = make([]*command, len(intent.Commands())) for i, cmd := range intent.Commands() { - var payload unmarshalPayload - if cmd.Payload() != nil { - payload, err = json.Marshal(cmd.Payload()) - if err != nil { - logging.WithError(err).Warn("marshal payload failed") - return nil, zerrors.ThrowInternal(err, "POSTG-MInPK", "Errors.Internal") - } + payload, err := marshalPayload(cmd.Payload) + if err != nil { + return nil, zerrors.ThrowInternal(err, "POSTG-MInPK", "Errors.Internal") } - commands[i] = &command{ - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: *intent.Aggregate(), - Creator: cmd.Creator(), - Revision: cmd.Revision(), - Type: cmd.Type(), - // always add at least 1 to the currently stored sequence - Sequence: intent.sequence + uint32(i) + 1, - Payload: payload, - }, - intent: intent, - uniqueConstraints: cmd.UniqueConstraints(), + Command: cmd, + intent: intent, + sequence: intent.nextSequence(), + payload: payload, } } return commands, nil } +func marshalPayload(payload any) ([]byte, error) { + if reflect.ValueOf(payload).IsZero() { + return nil, nil + } + return json.Marshal(payload) +} + type command struct { - *eventstore.Event[eventstore.StoragePayload] + eventstore.Command - intent *intent - uniqueConstraints []*eventstore.UniqueConstraint + intent *intent + + payload []byte + position eventstore.GlobalPosition + createdAt time.Time + sequence uint32 } -var _ eventstore.StoragePayload = (unmarshalPayload)(nil) - -type unmarshalPayload []byte - -// Unmarshal implements eventstore.StoragePayload. -func (p unmarshalPayload) Unmarshal(ptr any) error { - if len(p) == 0 { - return nil +func (cmd *command) toEvent() *eventstore.StorageEvent { + return &eventstore.StorageEvent{ + Action: eventstore.Action[eventstore.Unmarshal]{ + Creator: cmd.Creator, + Type: cmd.Type, + Revision: cmd.Revision, + Payload: func(ptr any) error { + return json.Unmarshal(cmd.payload, ptr) + }, + }, + Aggregate: *cmd.intent.Aggregate(), + Sequence: cmd.intent.sequence, + Position: cmd.position, + CreatedAt: cmd.createdAt, } - if err := json.Unmarshal(p, ptr); err != nil { - return zerrors.ThrowInternal(err, "POSTG-u8qVo", "Errors.Internal") - } - - return nil } diff --git a/internal/v2/eventstore/postgres/intent.go b/internal/v2/eventstore/postgres/intent.go index 9ab259ada8..34b7860e35 100644 --- a/internal/v2/eventstore/postgres/intent.go +++ b/internal/v2/eventstore/postgres/intent.go @@ -12,6 +12,11 @@ type intent struct { sequence uint32 } +func (i *intent) nextSequence() uint32 { + i.sequence++ + return i.sequence +} + func makeIntents(pushIntent *eventstore.PushIntent) []*intent { res := make([]*intent, len(pushIntent.Aggregates())) diff --git a/internal/v2/eventstore/postgres/push.go b/internal/v2/eventstore/postgres/push.go index 7ae64fd41d..269d22cdef 100644 --- a/internal/v2/eventstore/postgres/push.go +++ b/internal/v2/eventstore/postgres/push.go @@ -140,19 +140,19 @@ func push(ctx context.Context, tx *sql.Tx, reducer eventstore.Reducer, commands stmt.WriteString(", ") } - cmd.Position.InPositionOrder = uint32(i) + cmd.position.InPositionOrder = uint32(i) stmt.WriteString(`(`) stmt.WriteArgs( - cmd.Aggregate.Instance, - cmd.Aggregate.Owner, - cmd.Aggregate.Type, - cmd.Aggregate.ID, + cmd.intent.Aggregate().Instance, + cmd.intent.Aggregate().Owner, + cmd.intent.Aggregate().Type, + cmd.intent.Aggregate().ID, cmd.Revision, cmd.Creator, cmd.Type, - cmd.Payload, - cmd.Sequence, - i, + cmd.payload, + cmd.sequence, + cmd.position.InPositionOrder, ) stmt.WriteString(", statement_timestamp(), EXTRACT(EPOCH FROM clock_timestamp())") stmt.WriteString(`)`) @@ -171,13 +171,13 @@ func push(ctx context.Context, tx *sql.Tx, reducer eventstore.Reducer, commands defer func() { i++ }() err := scan( - &commands[i].CreatedAt, - &commands[i].Position.Position, + &commands[i].createdAt, + &commands[i].position.Position, ) if err != nil { return err } - return reducer.Reduce(commands[i].Event) + return reducer.Reduce(commands[i].toEvent()) }) } @@ -188,12 +188,13 @@ func uniqueConstraints(ctx context.Context, tx *sql.Tx, commands []*command) (er var stmt database.Statement for _, cmd := range commands { - if len(cmd.uniqueConstraints) == 0 { + if len(cmd.UniqueConstraints) == 0 { continue } - for _, constraint := range cmd.uniqueConstraints { + for _, constraint := range cmd.UniqueConstraints { stmt.Reset() - instance := cmd.Aggregate.Instance + + instance := cmd.intent.PushAggregate.Aggregate().Instance if constraint.IsGlobal { instance = "" } diff --git a/internal/v2/eventstore/postgres/push_test.go b/internal/v2/eventstore/postgres/push_test.go index 819add334f..b81b3a1517 100644 --- a/internal/v2/eventstore/postgres/push_test.go +++ b/internal/v2/eventstore/postgres/push_test.go @@ -47,13 +47,16 @@ func Test_uniqueConstraints(t *testing.T) { args: args{ commands: []*command{ { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewAddEventUniqueConstraint("test", "id", "error"), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewAddEventUniqueConstraint("test", "id", "error"), + }, }, }, }, @@ -72,13 +75,16 @@ func Test_uniqueConstraints(t *testing.T) { args: args{ commands: []*command{ { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewAddGlobalUniqueConstraint("test", "id", "error"), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewAddGlobalUniqueConstraint("test", "id", "error"), + }, }, }, }, @@ -97,14 +103,17 @@ func Test_uniqueConstraints(t *testing.T) { args: args{ commands: []*command{ { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewAddEventUniqueConstraint("test", "id", "error"), - eventstore.NewAddEventUniqueConstraint("test", "id2", "error"), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewAddEventUniqueConstraint("test", "id", "error"), + eventstore.NewAddEventUniqueConstraint("test", "id2", "error"), + }, }, }, }, @@ -128,23 +137,29 @@ func Test_uniqueConstraints(t *testing.T) { args: args{ commands: []*command{ { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewAddEventUniqueConstraint("test", "id", "error"), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewAddEventUniqueConstraint("test", "id", "error"), + }, }, }, { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewAddEventUniqueConstraint("test", "id2", "error"), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewAddEventUniqueConstraint("test", "id2", "error"), + }, }, }, }, @@ -168,13 +183,16 @@ func Test_uniqueConstraints(t *testing.T) { args: args{ commands: []*command{ { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewRemoveInstanceUniqueConstraints(), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewRemoveInstanceUniqueConstraints(), + }, }, }, }, @@ -193,23 +211,29 @@ func Test_uniqueConstraints(t *testing.T) { args: args{ commands: []*command{ { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewRemoveInstanceUniqueConstraints(), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewRemoveInstanceUniqueConstraints(), + }, }, }, { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewRemoveInstanceUniqueConstraints(), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewRemoveInstanceUniqueConstraints(), + }, }, }, }, @@ -233,13 +257,16 @@ func Test_uniqueConstraints(t *testing.T) { args: args{ commands: []*command{ { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewRemoveUniqueConstraint("test", "id"), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewRemoveUniqueConstraint("test", "id"), + }, }, }, }, @@ -258,13 +285,16 @@ func Test_uniqueConstraints(t *testing.T) { args: args{ commands: []*command{ { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewRemoveGlobalUniqueConstraint("test", "id"), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewRemoveGlobalUniqueConstraint("test", "id"), + }, }, }, }, @@ -283,14 +313,17 @@ func Test_uniqueConstraints(t *testing.T) { args: args{ commands: []*command{ { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewRemoveUniqueConstraint("test", "id"), - eventstore.NewRemoveUniqueConstraint("test", "id2"), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewRemoveUniqueConstraint("test", "id"), + eventstore.NewRemoveUniqueConstraint("test", "id2"), + }, }, }, }, @@ -314,23 +347,29 @@ func Test_uniqueConstraints(t *testing.T) { args: args{ commands: []*command{ { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewRemoveUniqueConstraint("test", "id"), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewRemoveUniqueConstraint("test", "id"), + }, }, }, { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewRemoveUniqueConstraint("test", "id2"), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewRemoveUniqueConstraint("test", "id2"), + }, }, }, }, @@ -354,13 +393,16 @@ func Test_uniqueConstraints(t *testing.T) { args: args{ commands: []*command{ { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewAddEventUniqueConstraint("test", "id", ""), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewAddEventUniqueConstraint("test", "id", ""), + }, }, }, }, @@ -385,13 +427,16 @@ func Test_uniqueConstraints(t *testing.T) { args: args{ commands: []*command{ { - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - Instance: "instance", - }, + intent: &intent{ + PushAggregate: eventstore.NewPushIntent( + "instance", + eventstore.AppendAggregate("", "", ""), + ).Aggregates()[0], }, - uniqueConstraints: []*eventstore.UniqueConstraint{ - eventstore.NewAddEventUniqueConstraint("test", "id", "My.Error"), + Command: eventstore.Command{ + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewAddEventUniqueConstraint("test", "id", "My.Error"), + }, }, }, }, @@ -741,16 +786,14 @@ func Test_push(t *testing.T) { eventstore.AppendAggregate("owner", "testType", "testID"), ).Aggregates()[0], }, - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: *eventstore.NewPushIntent( - "instance", - eventstore.AppendAggregate("owner", "testType", "testID"), - ).Aggregates()[0].Aggregate(), - Creator: "gigi", - Revision: 1, - Type: "test.type", - Sequence: 1, + Command: eventstore.Command{ + Action: eventstore.Action[any]{ + Creator: "gigi", + Revision: 1, + Type: "test.type", + }, }, + sequence: 1, }, }, expectations: []mock.Expectation{ @@ -764,9 +807,9 @@ func Test_push(t *testing.T) { uint16(1), "gigi", "test.type", - nil, + mock.NilArg, uint32(1), - 0, + uint32(0), ), mock.WithQueryResult( []string{"created_at", "position"}, @@ -798,16 +841,14 @@ func Test_push(t *testing.T) { eventstore.AppendAggregate("owner", "testType", "testID"), ).Aggregates()[0], }, - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: *eventstore.NewPushIntent( - "instance", - eventstore.AppendAggregate("owner", "testType", "testID"), - ).Aggregates()[0].Aggregate(), - Creator: "gigi", - Revision: 1, - Type: "test.type", - Sequence: 1, + Command: eventstore.Command{ + Action: eventstore.Action[any]{ + Creator: "gigi", + Revision: 1, + Type: "test.type", + }, }, + sequence: 1, }, { intent: &intent{ @@ -816,16 +857,14 @@ func Test_push(t *testing.T) { eventstore.AppendAggregate("owner", "testType", "testID"), ).Aggregates()[0], }, - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: *eventstore.NewPushIntent( - "instance", - eventstore.AppendAggregate("owner", "testType", "testID"), - ).Aggregates()[0].Aggregate(), - Creator: "gigi", - Revision: 1, - Type: "test.type2", - Sequence: 2, + Command: eventstore.Command{ + Action: eventstore.Action[any]{ + Creator: "gigi", + Revision: 1, + Type: "test.type2", + }, }, + sequence: 2, }, }, expectations: []mock.Expectation{ @@ -839,9 +878,9 @@ func Test_push(t *testing.T) { uint16(1), "gigi", "test.type", - nil, + mock.NilArg, uint32(1), - 0, + uint32(0), "instance", "owner", "testType", @@ -849,9 +888,9 @@ func Test_push(t *testing.T) { uint16(1), "gigi", "test.type2", - nil, + mock.NilArg, uint32(2), - 1, + uint32(1), ), mock.WithQueryResult( []string{"created_at", "position"}, @@ -887,36 +926,30 @@ func Test_push(t *testing.T) { eventstore.AppendAggregate("owner", "testType", "testID"), ).Aggregates()[0], }, - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: *eventstore.NewPushIntent( - "instance", - eventstore.AppendAggregate("owner", "testType", "testID"), - ).Aggregates()[0].Aggregate(), - Creator: "gigi", - Revision: 1, - Type: "test.type", - Sequence: 1, + Command: eventstore.Command{ + Action: eventstore.Action[any]{ + Creator: "gigi", + Revision: 1, + Type: "test.type", + }, }, + sequence: 1, }, { intent: &intent{ PushAggregate: eventstore.NewPushIntent( "instance", - eventstore.AppendAggregate("owner", "testType", "testID"), + eventstore.AppendAggregate("owner", "type2", "id2"), ).Aggregates()[0], }, - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: eventstore.Aggregate{ - ID: "id2", - Type: "type2", - Instance: "instance", - Owner: "owner", + Command: eventstore.Command{ + Action: eventstore.Action[any]{ + Creator: "gigi", + Revision: 1, + Type: "test.type2", }, - Creator: "gigi", - Revision: 1, - Type: "test.type2", - Sequence: 10, }, + sequence: 10, }, }, expectations: []mock.Expectation{ @@ -930,9 +963,9 @@ func Test_push(t *testing.T) { uint16(1), "gigi", "test.type", - nil, + mock.NilArg, uint32(1), - 0, + uint32(0), "instance", "owner", "type2", @@ -940,9 +973,9 @@ func Test_push(t *testing.T) { uint16(1), "gigi", "test.type2", - nil, + mock.NilArg, uint32(10), - 1, + uint32(1), ), mock.WithQueryResult( []string{"created_at", "position"}, @@ -978,17 +1011,15 @@ func Test_push(t *testing.T) { eventstore.AppendAggregate("owner", "testType", "testID"), ).Aggregates()[0], }, - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: *eventstore.NewPushIntent( - "instance", - eventstore.AppendAggregate("owner", "testType", "testID"), - ).Aggregates()[0].Aggregate(), - Creator: "gigi", - Revision: 1, - Type: "test.type", - Sequence: 1, - Payload: unmarshalPayload(`{"name": "gigi"}`), + Command: eventstore.Command{ + Action: eventstore.Action[any]{ + Creator: "gigi", + Revision: 1, + Type: "test.type", + }, }, + sequence: 1, + payload: []byte(`{"name": "gigi"}`), }, }, expectations: []mock.Expectation{ @@ -1002,9 +1033,9 @@ func Test_push(t *testing.T) { uint16(1), "gigi", "test.type", - unmarshalPayload(`{"name": "gigi"}`), + []byte(`{"name": "gigi"}`), uint32(1), - 0, + uint32(0), ), mock.WithQueryResult( []string{"created_at", "position"}, @@ -1036,16 +1067,14 @@ func Test_push(t *testing.T) { eventstore.AppendAggregate("owner", "testType", "testID"), ).Aggregates()[0], }, - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: *eventstore.NewPushIntent( - "instance", - eventstore.AppendAggregate("owner", "testType", "testID"), - ).Aggregates()[0].Aggregate(), - Creator: "gigi", - Revision: 1, - Type: "test.type", - Sequence: 1, + Command: eventstore.Command{ + Action: eventstore.Action[any]{ + Creator: "gigi", + Revision: 1, + Type: "test.type", + }, }, + sequence: 1, }, }, expectations: []mock.Expectation{ @@ -1059,9 +1088,9 @@ func Test_push(t *testing.T) { uint16(1), "gigi", "test.type", - nil, + mock.NilArg, uint32(1), - 0, + uint32(0), ), mock.WithQueryResult( []string{"created_at", "position"}, @@ -1094,16 +1123,14 @@ func Test_push(t *testing.T) { eventstore.AppendAggregate("owner", "testType", "testID"), ).Aggregates()[0], }, - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: *eventstore.NewPushIntent( - "instance", - eventstore.AppendAggregate("owner", "testType", "testID"), - ).Aggregates()[0].Aggregate(), - Creator: "gigi", - Revision: 1, - Type: "test.type", - Sequence: 1, + Command: eventstore.Command{ + Action: eventstore.Action[any]{ + Creator: "gigi", + Revision: 1, + Type: "test.type", + }, }, + sequence: 1, }, { intent: &intent{ @@ -1112,16 +1139,14 @@ func Test_push(t *testing.T) { eventstore.AppendAggregate("owner", "testType", "testID"), ).Aggregates()[0], }, - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: *eventstore.NewPushIntent( - "instance", - eventstore.AppendAggregate("owner", "testType", "testID"), - ).Aggregates()[0].Aggregate(), - Creator: "gigi", - Revision: 1, - Type: "test.type2", - Sequence: 2, + Command: eventstore.Command{ + Action: eventstore.Action[any]{ + Creator: "gigi", + Revision: 1, + Type: "test.type2", + }, }, + sequence: 2, }, }, expectations: []mock.Expectation{ @@ -1135,9 +1160,9 @@ func Test_push(t *testing.T) { uint16(1), "gigi", "test.type", - nil, + mock.NilArg, uint32(1), - 0, + uint32(0), "instance", "owner", "testType", @@ -1145,9 +1170,9 @@ func Test_push(t *testing.T) { uint16(1), "gigi", "test.type2", - nil, + mock.NilArg, uint32(2), - 1, + uint32(1), ), mock.WithQueryResult( []string{"created_at", "position"}, @@ -1189,16 +1214,14 @@ func Test_push(t *testing.T) { eventstore.AppendAggregate("owner", "testType", "testID"), ).Aggregates()[0], }, - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: *eventstore.NewPushIntent( - "instance", - eventstore.AppendAggregate("owner", "testType", "testID"), - ).Aggregates()[0].Aggregate(), - Creator: "gigi", - Revision: 1, - Type: "test.type", - Sequence: 1, + Command: eventstore.Command{ + Action: eventstore.Action[any]{ + Creator: "gigi", + Revision: 1, + Type: "test.type", + }, }, + sequence: 1, }, { intent: &intent{ @@ -1207,16 +1230,14 @@ func Test_push(t *testing.T) { eventstore.AppendAggregate("owner", "testType", "testID"), ).Aggregates()[0], }, - Event: &eventstore.Event[eventstore.StoragePayload]{ - Aggregate: *eventstore.NewPushIntent( - "instance", - eventstore.AppendAggregate("owner", "testType", "testID"), - ).Aggregates()[0].Aggregate(), - Creator: "gigi", - Revision: 1, - Type: "test.type2", - Sequence: 2, + Command: eventstore.Command{ + Action: eventstore.Action[any]{ + Creator: "gigi", + Revision: 1, + Type: "test.type2", + }, }, + sequence: 2, }, }, expectations: []mock.Expectation{ @@ -1230,9 +1251,9 @@ func Test_push(t *testing.T) { uint16(1), "gigi", "test.type", - nil, + mock.NilArg, uint32(1), - 0, + uint32(0), "instance", "owner", "testType", @@ -1240,9 +1261,9 @@ func Test_push(t *testing.T) { uint16(1), "gigi", "test.type2", - nil, + mock.NilArg, uint32(2), - 1, + uint32(1), ), mock.WithQueryResult( []string{"created_at", "position"}, diff --git a/internal/v2/eventstore/postgres/query.go b/internal/v2/eventstore/postgres/query.go index 608b31e533..ca7a081c75 100644 --- a/internal/v2/eventstore/postgres/query.go +++ b/internal/v2/eventstore/postgres/query.go @@ -3,6 +3,7 @@ package postgres import ( "context" "database/sql" + "encoding/json" "slices" "github.com/zitadel/logging" @@ -38,7 +39,7 @@ func executeQuery(ctx context.Context, tx database.Querier, stmt *database.State } err = database.MapRowsToObject(rows, func(scan func(dest ...any) error) error { - e := new(eventstore.Event[eventstore.StoragePayload]) + e := new(eventstore.StorageEvent) var payload sql.Null[[]byte] @@ -59,7 +60,12 @@ func executeQuery(ctx context.Context, tx database.Querier, stmt *database.State if err != nil { return err } - e.Payload = unmarshalPayload(payload.V) + e.Payload = func(ptr any) error { + if len(payload.V) == 0 { + return nil + } + return json.Unmarshal(payload.V, ptr) + } eventCount++ return reducer.Reduce(e) diff --git a/internal/v2/eventstore/postgres/query_test.go b/internal/v2/eventstore/postgres/query_test.go index c6e2c6f8a3..f73d7341f2 100644 --- a/internal/v2/eventstore/postgres/query_test.go +++ b/internal/v2/eventstore/postgres/query_test.go @@ -1143,7 +1143,7 @@ type testReducer struct { } // Reduce implements eventstore.Reducer. -func (r *testReducer) Reduce(events ...*eventstore.Event[eventstore.StoragePayload]) error { +func (r *testReducer) Reduce(events ...*eventstore.StorageEvent) error { if r == nil { return nil } diff --git a/internal/v2/eventstore/push.go b/internal/v2/eventstore/push.go index 6260315b82..b426078b8e 100644 --- a/internal/v2/eventstore/push.go +++ b/internal/v2/eventstore/push.go @@ -36,7 +36,7 @@ func (pi *PushIntent) Instance() string { return pi.instance } -func (pi *PushIntent) Reduce(events ...*Event[StoragePayload]) error { +func (pi *PushIntent) Reduce(events ...*StorageEvent) error { if pi.reducer == nil { return nil } @@ -170,21 +170,3 @@ func AppendCommands(commands ...Command) PushAggregateOpt { pa.commands = append(pa.commands, commands...) } } - -type Command interface { - // Creator is the id of the user which created the action - Creator() string - // Type describes the action it's in the past (e.g. user.created) - Type() string - // Revision of the action - Revision() uint16 - // Payload returns the payload of the event. It represent the changed fields by the event - // valid types are: - // * nil: no payload - // * struct: which can be marshalled to json - // * pointer to struct: which can be marshalled to json - // * []byte: json marshalled data - Payload() any - // UniqueConstraints should be added for unique attributes of an event, if nil constraints will not be checked - UniqueConstraints() []*UniqueConstraint -} diff --git a/internal/v2/eventstore/query.go b/internal/v2/eventstore/query.go index 0dd23ea898..eddb1aedde 100644 --- a/internal/v2/eventstore/query.go +++ b/internal/v2/eventstore/query.go @@ -41,7 +41,7 @@ func (q *Query) Pagination() *Pagination { return q.pagination } -func (q *Query) Reduce(events ...*Event[StoragePayload]) error { +func (q *Query) Reduce(events ...*StorageEvent) error { return q.reducer.Reduce(events...) } diff --git a/internal/v2/instance/aggregate.go b/internal/v2/instance/aggregate.go new file mode 100644 index 0000000000..aa4182b244 --- /dev/null +++ b/internal/v2/instance/aggregate.go @@ -0,0 +1,8 @@ +package instance + +import "github.com/zitadel/zitadel/internal/repository/instance" + +const ( + AggregateType = string(instance.AggregateType) + eventTypePrefix = AggregateType + "." +) diff --git a/internal/v2/instance/domain_policy.go b/internal/v2/instance/domain_policy.go new file mode 100644 index 0000000000..8746328ee1 --- /dev/null +++ b/internal/v2/instance/domain_policy.go @@ -0,0 +1,65 @@ +package instance + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/v2/policy" + "github.com/zitadel/zitadel/internal/zerrors" +) + +const DomainPolicyAddedType = eventTypePrefix + policy.DomainPolicyAddedTypeSuffix + +type DomainPolicyAddedPayload policy.DomainPolicyAddedPayload + +type DomainPolicyAddedEvent eventstore.Event[DomainPolicyAddedPayload] + +var _ eventstore.TypeChecker = (*DomainPolicyAddedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *DomainPolicyAddedEvent) ActionType() string { + return DomainPolicyAddedType +} + +func DomainPolicyAddedEventFromStorage(event *eventstore.StorageEvent) (e *DomainPolicyAddedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "INSTA-z1a7D", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[DomainPolicyAddedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &DomainPolicyAddedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} + +const DomainPolicyChangedType = eventTypePrefix + policy.DomainPolicyChangedTypeSuffix + +type DomainPolicyChangedPayload policy.DomainPolicyChangedPayload + +type DomainPolicyChangedEvent eventstore.Event[DomainPolicyChangedPayload] + +var _ eventstore.TypeChecker = (*DomainPolicyChangedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *DomainPolicyChangedEvent) ActionType() string { + return DomainPolicyChangedType +} + +func DomainPolicyChangedEventFromStorage(event *eventstore.StorageEvent) (e *DomainPolicyChangedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "INSTA-BTLhd", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[DomainPolicyChangedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &DomainPolicyChangedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/instance/removed.go b/internal/v2/instance/removed.go new file mode 100644 index 0000000000..fe2e814893 --- /dev/null +++ b/internal/v2/instance/removed.go @@ -0,0 +1,27 @@ +package instance + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +const RemovedType = eventTypePrefix + "removed" + +type RemovedEvent eventstore.Event[eventstore.EmptyPayload] + +var _ eventstore.TypeChecker = (*RemovedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *RemovedEvent) ActionType() string { + return RemovedType +} + +func RemovedEventFromStorage(event *eventstore.StorageEvent) (e *RemovedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "INSTA-xppIg", "Errors.Invalid.Event.Type") + } + + return &RemovedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/org/added.go b/internal/v2/org/added.go new file mode 100644 index 0000000000..3d8cb62078 --- /dev/null +++ b/internal/v2/org/added.go @@ -0,0 +1,62 @@ +package org + +import ( + "context" + "strings" + + "github.com/zitadel/zitadel/internal/api/authz" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +const AddedType = eventTypePrefix + "added" + +type addedPayload struct { + Name string `json:"name"` +} + +type AddedEvent eventstore.Event[addedPayload] + +var _ eventstore.TypeChecker = (*AddedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *AddedEvent) ActionType() string { + return AddedType +} + +func AddedEventFromStorage(event *eventstore.StorageEvent) (e *AddedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-Nf3tr", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[addedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &AddedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} + +const uniqueOrgName = "org_name" + +func NewAddedCommand(ctx context.Context, name string) (*eventstore.Command, error) { + if name = strings.TrimSpace(name); name == "" { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-mruNY", "Errors.Invalid.Argument") + } + return &eventstore.Command{ + Action: eventstore.Action[any]{ + Creator: authz.GetCtxData(ctx).UserID, + Type: AddedType, + Revision: 1, + Payload: addedPayload{ + Name: name, + }, + }, + UniqueConstraints: []*eventstore.UniqueConstraint{ + eventstore.NewAddEventUniqueConstraint(uniqueOrgName, name, "Errors.Org.AlreadyExists"), + }, + }, nil +} diff --git a/internal/v2/org/aggregate.go b/internal/v2/org/aggregate.go new file mode 100644 index 0000000000..5ea881b755 --- /dev/null +++ b/internal/v2/org/aggregate.go @@ -0,0 +1,22 @@ +package org + +import ( + "context" + + "github.com/zitadel/zitadel/internal/api/authz" + "github.com/zitadel/zitadel/internal/v2/eventstore" +) + +const ( + AggregateType = "org" + eventTypePrefix = AggregateType + "." +) + +func NewAggregate(ctx context.Context, id string) *eventstore.Aggregate { + return &eventstore.Aggregate{ + ID: id, + Type: AggregateType, + Instance: authz.GetInstance(ctx).InstanceID(), + Owner: authz.GetCtxData(ctx).OrgID, + } +} diff --git a/internal/v2/org/changed.go b/internal/v2/org/changed.go new file mode 100644 index 0000000000..eb85fba9b0 --- /dev/null +++ b/internal/v2/org/changed.go @@ -0,0 +1,37 @@ +package org + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +const ChangedType = eventTypePrefix + "changed" + +type changedPayload struct { + Name string `json:"name"` +} + +type ChangedEvent eventstore.Event[changedPayload] + +var _ eventstore.TypeChecker = (*ChangedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *ChangedEvent) ActionType() string { + return ChangedType +} + +func ChangedEventFromStorage(event *eventstore.StorageEvent) (e *ChangedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-pzOfP", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[changedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &ChangedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/org/deactivated.go b/internal/v2/org/deactivated.go new file mode 100644 index 0000000000..454b8586fa --- /dev/null +++ b/internal/v2/org/deactivated.go @@ -0,0 +1,27 @@ +package org + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +const DeactivatedType = eventTypePrefix + "deactivated" + +type DeactivatedEvent eventstore.Event[eventstore.EmptyPayload] + +var _ eventstore.TypeChecker = (*DeactivatedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *DeactivatedEvent) ActionType() string { + return DeactivatedType +} + +func DeactivatedEventFromStorage(event *eventstore.StorageEvent) (e *DeactivatedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-4zeWH", "Errors.Invalid.Event.Type") + } + + return &DeactivatedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/org/domain.go b/internal/v2/org/domain.go new file mode 100644 index 0000000000..b978997b49 --- /dev/null +++ b/internal/v2/org/domain.go @@ -0,0 +1,123 @@ +package org + +import ( + "github.com/zitadel/zitadel/internal/v2/domain" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +const DomainAddedType = "org." + domain.AddedTypeSuffix + +type DomainAddedPayload domain.AddedPayload + +type DomainAddedEvent eventstore.Event[DomainAddedPayload] + +var _ eventstore.TypeChecker = (*DomainAddedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *DomainAddedEvent) ActionType() string { + return DomainAddedType +} + +func DomainAddedEventFromStorage(event *eventstore.StorageEvent) (e *DomainAddedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-CXVe3", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[DomainAddedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &DomainAddedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} + +const DomainVerifiedType = "org." + domain.VerifiedTypeSuffix + +type DomainVerifiedPayload domain.VerifiedPayload + +type DomainVerifiedEvent eventstore.Event[DomainVerifiedPayload] + +var _ eventstore.TypeChecker = (*DomainVerifiedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *DomainVerifiedEvent) ActionType() string { + return DomainVerifiedType +} + +func DomainVerifiedEventFromStorage(event *eventstore.StorageEvent) (e *DomainVerifiedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-RAwdb", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[DomainVerifiedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &DomainVerifiedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} + +const DomainPrimarySetType = "org." + domain.PrimarySetTypeSuffix + +type DomainPrimarySetPayload domain.PrimarySetPayload + +type DomainPrimarySetEvent eventstore.Event[DomainPrimarySetPayload] + +var _ eventstore.TypeChecker = (*DomainPrimarySetEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *DomainPrimarySetEvent) ActionType() string { + return DomainPrimarySetType +} + +func DomainPrimarySetEventFromStorage(event *eventstore.StorageEvent) (e *DomainPrimarySetEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-7P3Iz", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[DomainPrimarySetPayload](event.Payload) + if err != nil { + return nil, err + } + + return &DomainPrimarySetEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} + +const DomainRemovedType = "org." + domain.RemovedTypeSuffix + +type DomainRemovedPayload domain.RemovedPayload + +type DomainRemovedEvent eventstore.Event[DomainRemovedPayload] + +var _ eventstore.TypeChecker = (*DomainRemovedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *DomainRemovedEvent) ActionType() string { + return DomainRemovedType +} + +func DomainRemovedEventFromStorage(event *eventstore.StorageEvent) (e *DomainRemovedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-ndpL2", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[DomainRemovedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &DomainRemovedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/org/domain_policy.go b/internal/v2/org/domain_policy.go new file mode 100644 index 0000000000..ad37be0327 --- /dev/null +++ b/internal/v2/org/domain_policy.go @@ -0,0 +1,94 @@ +package org + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/v2/policy" + "github.com/zitadel/zitadel/internal/zerrors" +) + +const DomainPolicyAddedType = eventTypePrefix + policy.DomainPolicyAddedTypeSuffix + +type DomainPolicyAddedPayload policy.DomainPolicyAddedPayload + +type DomainPolicyAddedEvent eventstore.Event[DomainPolicyAddedPayload] + +var _ eventstore.TypeChecker = (*DomainPolicyAddedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *DomainPolicyAddedEvent) ActionType() string { + return DomainPolicyAddedType +} + +func DomainPolicyAddedEventFromStorage(event *eventstore.StorageEvent) (e *DomainPolicyAddedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-asiSN", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[DomainPolicyAddedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &DomainPolicyAddedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} + +const DomainPolicyChangedType = eventTypePrefix + policy.DomainPolicyChangedTypeSuffix + +type DomainPolicyChangedPayload policy.DomainPolicyChangedPayload + +type DomainPolicyChangedEvent eventstore.Event[DomainPolicyChangedPayload] + +var _ eventstore.TypeChecker = (*DomainPolicyChangedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *DomainPolicyChangedEvent) ActionType() string { + return DomainPolicyChangedType +} + +func DomainPolicyChangedEventFromStorage(event *eventstore.StorageEvent) (e *DomainPolicyChangedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-BmN6K", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[DomainPolicyChangedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &DomainPolicyChangedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} + +const DomainPolicyRemovedType = eventTypePrefix + policy.DomainPolicyRemovedTypeSuffix + +type DomainPolicyRemovedPayload policy.DomainPolicyRemovedPayload + +type DomainPolicyRemovedEvent eventstore.Event[DomainPolicyRemovedPayload] + +var _ eventstore.TypeChecker = (*DomainPolicyRemovedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *DomainPolicyRemovedEvent) ActionType() string { + return DomainPolicyRemovedType +} + +func DomainPolicyRemovedEventFromStorage(event *eventstore.StorageEvent) (e *DomainPolicyRemovedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-nHy4z", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[DomainPolicyRemovedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &DomainPolicyRemovedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/org/reactivated.go b/internal/v2/org/reactivated.go new file mode 100644 index 0000000000..5b3da8fdd6 --- /dev/null +++ b/internal/v2/org/reactivated.go @@ -0,0 +1,27 @@ +package org + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +const ReactivatedType = eventTypePrefix + "reactivated" + +type ReactivatedEvent eventstore.Event[eventstore.EmptyPayload] + +var _ eventstore.TypeChecker = (*ReactivatedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *ReactivatedEvent) ActionType() string { + return ReactivatedType +} + +func ReactivatedEventFromStorage(event *eventstore.StorageEvent) (e *ReactivatedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-cPWZw", "Errors.Invalid.Event.Type") + } + + return &ReactivatedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/org/removed.go b/internal/v2/org/removed.go new file mode 100644 index 0000000000..571c1c0113 --- /dev/null +++ b/internal/v2/org/removed.go @@ -0,0 +1,27 @@ +package org + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +const RemovedType = eventTypePrefix + "removed" + +type RemovedEvent eventstore.Event[eventstore.EmptyPayload] + +var _ eventstore.TypeChecker = (*RemovedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *RemovedEvent) ActionType() string { + return RemovedType +} + +func RemovedEventFromStorage(event *eventstore.StorageEvent) (e *RemovedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "ORG-RSPYk", "Errors.Invalid.Event.Type") + } + + return &RemovedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/org/state.go b/internal/v2/org/state.go new file mode 100644 index 0000000000..428bdf82a5 --- /dev/null +++ b/internal/v2/org/state.go @@ -0,0 +1,36 @@ +package org + +type State uint8 + +const ( + UndefinedState State = iota + ActiveState + InactiveState + RemovedState + maxState +) + +func (s State) IsValid() bool { + return s != UndefinedState || + s < maxState +} + +func (s State) Is(state State) bool { + return s == state +} + +func (s State) IsValidState(state State) bool { + return s.IsValid() && s.Is(state) +} + +func (s State) IsValidStates(states ...State) bool { + if !s.IsValid() { + return false + } + for _, state := range states { + if s.Is(state) { + return true + } + } + return false +} diff --git a/internal/v2/policy/domain.go b/internal/v2/policy/domain.go new file mode 100644 index 0000000000..759caa254a --- /dev/null +++ b/internal/v2/policy/domain.go @@ -0,0 +1,23 @@ +package policy + +import "github.com/zitadel/zitadel/internal/v2/eventstore" + +const DomainPolicyAddedTypeSuffix = "policy.domain.added" + +type DomainPolicyAddedPayload struct { + UserLoginMustBeDomain bool `json:"userLoginMustBeDomain,omitempty"` + ValidateOrgDomains bool `json:"validateOrgDomains,omitempty"` + SMTPSenderAddressMatchesInstanceDomain bool `json:"smtpSenderAddressMatchesInstanceDomain,omitempty"` +} + +const DomainPolicyChangedTypeSuffix = "policy.domain.changed" + +type DomainPolicyChangedPayload struct { + UserLoginMustBeDomain *bool `json:"userLoginMustBeDomain,omitempty"` + ValidateOrgDomains *bool `json:"validateOrgDomains,omitempty"` + SMTPSenderAddressMatchesInstanceDomain *bool `json:"smtpSenderAddressMatchesInstanceDomain,omitempty"` +} + +const DomainPolicyRemovedTypeSuffix = "policy.domain.removed" + +type DomainPolicyRemovedPayload eventstore.EmptyPayload diff --git a/internal/v2/projection/org_primary_domain.go b/internal/v2/projection/org_primary_domain.go new file mode 100644 index 0000000000..3c83cd3152 --- /dev/null +++ b/internal/v2/projection/org_primary_domain.go @@ -0,0 +1,57 @@ +package projection + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/v2/org" +) + +type OrgPrimaryDomain struct { + projection + + id string + + Domain string +} + +func NewOrgPrimaryDomain(id string) *OrgPrimaryDomain { + return &OrgPrimaryDomain{ + id: id, + } +} + +func (p *OrgPrimaryDomain) Filter() []*eventstore.Filter { + return []*eventstore.Filter{ + eventstore.NewFilter( + eventstore.FilterPagination( + eventstore.GlobalPositionGreater(&p.position), + ), + eventstore.AppendAggregateFilter( + org.AggregateType, + eventstore.AggregateIDs(p.id), + eventstore.AppendEvent( + eventstore.SetEventTypes(org.DomainPrimarySetType), + ), + ), + ), + } +} + +func (p *OrgPrimaryDomain) Reduce(events ...*eventstore.StorageEvent) error { + for _, event := range events { + if !p.shouldReduce(event) { + continue + } + if event.Type != org.DomainPrimarySetType { + continue + } + e, err := org.DomainPrimarySetEventFromStorage(event) + if err != nil { + return err + } + + p.Domain = e.Payload.Name + p.projection.reduce(event) + } + + return nil +} diff --git a/internal/v2/projection/org_state.go b/internal/v2/projection/org_state.go new file mode 100644 index 0000000000..f67b51060a --- /dev/null +++ b/internal/v2/projection/org_state.go @@ -0,0 +1,67 @@ +package projection + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/v2/org" +) + +type OrgState struct { + projection + + id string + + org.State +} + +func NewStateProjection(id string) *OrgState { + // TODO: check buffer for id and return from buffer if exists + return &OrgState{ + id: id, + } +} + +func (p *OrgState) Filter() []*eventstore.Filter { + return []*eventstore.Filter{ + eventstore.NewFilter( + eventstore.FilterPagination( + eventstore.Descending(), + eventstore.GlobalPositionGreater(&p.position), + ), + eventstore.AppendAggregateFilter( + org.AggregateType, + eventstore.AggregateIDs(p.id), + eventstore.AppendEvent( + eventstore.SetEventTypes( + org.AddedType, + org.DeactivatedType, + org.ReactivatedType, + org.RemovedType, + ), + ), + ), + ), + } +} + +func (p *OrgState) Reduce(events ...*eventstore.StorageEvent) error { + for _, event := range events { + if !p.shouldReduce(event) { + continue + } + + switch event.Type { + case org.AddedType: + p.State = org.ActiveState + case org.DeactivatedType: + p.State = org.InactiveState + case org.ReactivatedType: + p.State = org.ActiveState + case org.RemovedType: + p.State = org.RemovedState + default: + continue + } + p.position = event.Position + } + return nil +} diff --git a/internal/v2/projection/projection.go b/internal/v2/projection/projection.go new file mode 100644 index 0000000000..980eaecc74 --- /dev/null +++ b/internal/v2/projection/projection.go @@ -0,0 +1,20 @@ +package projection + +import "github.com/zitadel/zitadel/internal/v2/eventstore" + +type projection struct { + instance string + position eventstore.GlobalPosition +} + +func (p *projection) reduce(event *eventstore.StorageEvent) { + if p.instance == "" { + p.instance = event.Aggregate.Instance + } + p.position = event.Position +} + +func (p *projection) shouldReduce(event *eventstore.StorageEvent) bool { + shouldReduce := p.instance == "" || p.instance == event.Aggregate.Instance + return shouldReduce && p.position.IsLess(event.Position) +} diff --git a/internal/v2/readmodel/org.go b/internal/v2/readmodel/org.go new file mode 100644 index 0000000000..94bcb21537 --- /dev/null +++ b/internal/v2/readmodel/org.go @@ -0,0 +1,68 @@ +package readmodel + +import ( + "time" + + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/v2/org" + "github.com/zitadel/zitadel/internal/v2/projection" +) + +type Org struct { + ID string + Name string + PrimaryDomain *projection.OrgPrimaryDomain + State *projection.OrgState + + Sequence uint32 + CreationDate time.Time + ChangeDate time.Time + Owner string +} + +func NewOrg(id string) *Org { + return &Org{ + ID: id, + State: projection.NewStateProjection(id), + PrimaryDomain: projection.NewOrgPrimaryDomain(id), + } +} + +func (rm *Org) Filter() []*eventstore.Filter { + return []*eventstore.Filter{ + // we don't need the filters of the projections as we filter all events of the read model + eventstore.NewFilter( + eventstore.AppendAggregateFilter( + org.AggregateType, + eventstore.SetAggregateID(rm.ID), + ), + ), + } +} + +func (rm *Org) Reduce(events ...*eventstore.StorageEvent) error { + for _, event := range events { + switch event.Type { + case org.AddedType: + added, err := org.AddedEventFromStorage(event) + if err != nil { + return err + } + rm.Name = added.Payload.Name + rm.Owner = event.Aggregate.Owner + rm.CreationDate = event.CreatedAt + case org.ChangedType: + changed, err := org.ChangedEventFromStorage(event) + if err != nil { + return err + } + rm.Name = changed.Payload.Name + } + rm.Sequence = event.Sequence + rm.ChangeDate = event.CreatedAt + } + if err := rm.State.Reduce(events...); err != nil { + return err + } + return rm.PrimaryDomain.Reduce(events...) +} diff --git a/internal/v2/readmodel/query.go b/internal/v2/readmodel/query.go new file mode 100644 index 0000000000..73ca7cd415 --- /dev/null +++ b/internal/v2/readmodel/query.go @@ -0,0 +1,15 @@ +package readmodel + +import ( + "database/sql" + + "github.com/zitadel/zitadel/internal/v2/eventstore" +) + +type QueryOpt func(opts []eventstore.QueryOpt) []eventstore.QueryOpt + +func WithTx(tx *sql.Tx) QueryOpt { + return func(opts []eventstore.QueryOpt) []eventstore.QueryOpt { + return append(opts, eventstore.SetQueryTx(tx)) + } +} diff --git a/internal/v2/user/aggregate.go b/internal/v2/user/aggregate.go new file mode 100644 index 0000000000..291daa9af2 --- /dev/null +++ b/internal/v2/user/aggregate.go @@ -0,0 +1,23 @@ +package user + +import ( + "context" + + "github.com/zitadel/zitadel/internal/api/authz" + "github.com/zitadel/zitadel/internal/v2/eventstore" +) + +const ( + AggregateType = "user" + humanPrefix = AggregateType + ".human" + machinePrefix = AggregateType + ".machine" +) + +func NewAggregate(ctx context.Context, id string) *eventstore.Aggregate { + return &eventstore.Aggregate{ + ID: id, + Type: AggregateType, + Instance: authz.GetInstance(ctx).InstanceID(), + Owner: authz.GetCtxData(ctx).OrgID, + } +} diff --git a/internal/v2/user/domain_claimed.go b/internal/v2/user/domain_claimed.go new file mode 100644 index 0000000000..18960bb41f --- /dev/null +++ b/internal/v2/user/domain_claimed.go @@ -0,0 +1,38 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type domainClaimedPayload struct { + Username string `json:"userName"` + TriggeredAtOrigin string `json:"triggerOrigin,omitempty"` +} + +type DomainClaimedEvent eventstore.Event[domainClaimedPayload] + +const DomainClaimedType = AggregateType + ".domain.claimed.sent" + +var _ eventstore.TypeChecker = (*DomainClaimedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *DomainClaimedEvent) ActionType() string { + return DomainClaimedType +} + +func DomainClaimedEventFromStorage(event *eventstore.StorageEvent) (e *DomainClaimedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-x8O4o", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[domainClaimedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &DomainClaimedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/human_added.go b/internal/v2/user/human_added.go new file mode 100644 index 0000000000..527e14f4db --- /dev/null +++ b/internal/v2/user/human_added.go @@ -0,0 +1,57 @@ +package user + +import ( + "golang.org/x/text/language" + + "github.com/zitadel/zitadel/internal/crypto" + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +const HumanAddedType = AggregateType + ".human.added" + +type humanAddedPayload struct { + Username string `json:"userName"` + + FirstName string `json:"firstName,omitempty"` + LastName string `json:"lastName,omitempty"` + NickName string `json:"nickName,omitempty"` + DisplayName string `json:"displayName,omitempty"` + PreferredLanguage language.Tag `json:"preferredLanguage,omitempty"` + Gender domain.Gender `json:"gender,omitempty"` + + EmailAddress domain.EmailAddress `json:"email,omitempty"` + PhoneNumber domain.PhoneNumber `json:"phone,omitempty"` + + // New events only use EncodedHash. However, the secret field + // is preserved to handle events older than the switch to Passwap. + Secret *crypto.CryptoValue `json:"secret,omitempty"` + EncodedHash string `json:"encodedHash,omitempty"` + PasswordChangeRequired bool `json:"changeRequired,omitempty"` +} + +type HumanAddedEvent eventstore.Event[humanAddedPayload] + +var _ eventstore.TypeChecker = (*HumanAddedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanAddedEvent) ActionType() string { + return HumanAddedType +} + +func HumanAddedEventFromStorage(event *eventstore.StorageEvent) (e *HumanAddedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-MRZ3p", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[humanAddedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &HumanAddedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/human_avatar.go b/internal/v2/user/human_avatar.go new file mode 100644 index 0000000000..9b684ce02b --- /dev/null +++ b/internal/v2/user/human_avatar.go @@ -0,0 +1,61 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/avatar" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type HumanAvatarAddedEvent eventstore.Event[avatar.AddedPayload] + +const HumanAvatarAddedType = humanPrefix + avatar.AvatarAddedTypeSuffix + +var _ eventstore.TypeChecker = (*HumanAvatarAddedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanAvatarAddedEvent) ActionType() string { + return HumanAvatarAddedType +} + +func HumanAvatarAddedEventFromStorage(event *eventstore.StorageEvent) (e *HumanAvatarAddedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-ddQaI", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[avatar.AddedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &HumanAvatarAddedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} + +type HumanAvatarRemovedEvent eventstore.Event[avatar.RemovedPayload] + +const HumanAvatarRemovedType = humanPrefix + avatar.AvatarRemovedTypeSuffix + +var _ eventstore.TypeChecker = (*HumanAvatarRemovedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanAvatarRemovedEvent) ActionType() string { + return HumanAvatarRemovedType +} + +func HumanAvatarRemovedEventFromStorage(event *eventstore.StorageEvent) (e *HumanAvatarRemovedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-j2CkY", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[avatar.RemovedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &HumanAvatarRemovedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/human_email_changed.go b/internal/v2/user/human_email_changed.go new file mode 100644 index 0000000000..88a7903afb --- /dev/null +++ b/internal/v2/user/human_email_changed.go @@ -0,0 +1,38 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type humanEmailChangedPayload struct { + Address domain.EmailAddress `json:"email,omitempty"` +} + +type HumanEmailChangedEvent eventstore.Event[humanEmailChangedPayload] + +const HumanEmailChangedType = humanPrefix + ".email.changed" + +var _ eventstore.TypeChecker = (*HumanEmailChangedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanEmailChangedEvent) ActionType() string { + return HumanEmailChangedType +} + +func HumanEmailChangedEventFromStorage(event *eventstore.StorageEvent) (e *HumanEmailChangedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-Wr2lR", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[humanEmailChangedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &HumanEmailChangedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/human_email_verified.go b/internal/v2/user/human_email_verified.go new file mode 100644 index 0000000000..65c4a9b391 --- /dev/null +++ b/internal/v2/user/human_email_verified.go @@ -0,0 +1,27 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type HumanEmailVerifiedEvent eventstore.Event[eventstore.EmptyPayload] + +const HumanEmailVerifiedType = humanPrefix + ".email.verified" + +var _ eventstore.TypeChecker = (*HumanEmailVerifiedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanEmailVerifiedEvent) ActionType() string { + return HumanEmailVerifiedType +} + +func HumanEmailVerifiedEventFromStorage(event *eventstore.StorageEvent) (e *HumanEmailVerifiedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-X3esB", "Errors.Invalid.Event.Type") + } + + return &HumanEmailVerifiedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/user/human_init_code_added.go b/internal/v2/user/human_init_code_added.go new file mode 100644 index 0000000000..37938e000a --- /dev/null +++ b/internal/v2/user/human_init_code_added.go @@ -0,0 +1,43 @@ +package user + +import ( + "time" + + "github.com/zitadel/zitadel/internal/crypto" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type humanInitCodeAddedPayload struct { + Code *crypto.CryptoValue `json:"code,omitempty"` + Expiry time.Duration `json:"expiry,omitempty"` + TriggeredAtOrigin string `json:"triggerOrigin,omitempty"` + AuthRequestID string `json:"authRequestID,omitempty"` +} + +type HumanInitCodeAddedEvent eventstore.Event[humanInitCodeAddedPayload] + +const HumanInitCodeAddedType = humanPrefix + ".initialization.code.added" + +var _ eventstore.TypeChecker = (*HumanInitCodeAddedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanInitCodeAddedEvent) ActionType() string { + return HumanInitCodeAddedType +} + +func HumanInitCodeAddedEventFromStorage(event *eventstore.StorageEvent) (e *HumanInitCodeAddedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-XaGf6", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[humanInitCodeAddedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &HumanInitCodeAddedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/human_init_code_succeeded.go b/internal/v2/user/human_init_code_succeeded.go new file mode 100644 index 0000000000..33e3d9a347 --- /dev/null +++ b/internal/v2/user/human_init_code_succeeded.go @@ -0,0 +1,27 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type HumanInitCodeSucceededEvent eventstore.Event[eventstore.EmptyPayload] + +const HumanInitCodeSucceededType = humanPrefix + ".initialization.check.succeeded" + +var _ eventstore.TypeChecker = (*HumanInitCodeSucceededEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanInitCodeSucceededEvent) ActionType() string { + return HumanInitCodeSucceededType +} + +func HumanInitCodeSucceededEventFromStorage(event *eventstore.StorageEvent) (e *HumanInitCodeSucceededEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-12A5m", "Errors.Invalid.Event.Type") + } + + return &HumanInitCodeSucceededEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/user/human_password_changed.go b/internal/v2/user/human_password_changed.go new file mode 100644 index 0000000000..fcdc589b31 --- /dev/null +++ b/internal/v2/user/human_password_changed.go @@ -0,0 +1,44 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/crypto" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type humanPasswordChangedPayload struct { + // New events only use EncodedHash. However, the secret field + // is preserved to handle events older than the switch to Passwap. + Secret *crypto.CryptoValue `json:"secret,omitempty"` + EncodedHash string `json:"encodedHash,omitempty"` + ChangeRequired bool `json:"changeRequired"` + UserAgentID string `json:"userAgentID,omitempty"` + TriggeredAtOrigin string `json:"triggerOrigin,omitempty"` +} + +type HumanPasswordChangedEvent eventstore.Event[humanPasswordChangedPayload] + +const HumanPasswordChangedType = humanPrefix + ".password.changed" + +var _ eventstore.TypeChecker = (*HumanPasswordChangedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanPasswordChangedEvent) ActionType() string { + return HumanPasswordChangedType +} + +func HumanPasswordChangedEventFromStorage(event *eventstore.StorageEvent) (e *HumanPasswordChangedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-Fx5tr", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[humanPasswordChangedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &HumanPasswordChangedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/human_phone_changed.go b/internal/v2/user/human_phone_changed.go new file mode 100644 index 0000000000..964259e3bd --- /dev/null +++ b/internal/v2/user/human_phone_changed.go @@ -0,0 +1,38 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type humanPhoneChangedPayload struct { + PhoneNumber domain.PhoneNumber `json:"phone,omitempty"` +} + +type HumanPhoneChangedEvent eventstore.Event[humanPhoneChangedPayload] + +const HumanPhoneChangedType = humanPrefix + ".phone.changed" + +var _ eventstore.TypeChecker = (*HumanPhoneChangedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanPhoneChangedEvent) ActionType() string { + return HumanPhoneChangedType +} + +func HumanPhoneChangedEventFromStorage(event *eventstore.StorageEvent) (e *HumanPhoneChangedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-d6hGS", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[humanPhoneChangedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &HumanPhoneChangedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/human_phone_removed.go b/internal/v2/user/human_phone_removed.go new file mode 100644 index 0000000000..11d3dcbb0c --- /dev/null +++ b/internal/v2/user/human_phone_removed.go @@ -0,0 +1,27 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type HumanPhoneRemovedEvent eventstore.Event[eventstore.EmptyPayload] + +const HumanPhoneRemovedType = humanPrefix + ".phone.removed" + +var _ eventstore.TypeChecker = (*HumanPhoneRemovedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanPhoneRemovedEvent) ActionType() string { + return HumanPhoneRemovedType +} + +func HumanPhoneRemovedEventFromStorage(event *eventstore.StorageEvent) (e *HumanPhoneRemovedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-vaD75", "Errors.Invalid.Event.Type") + } + + return &HumanPhoneRemovedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/user/human_phone_verified.go b/internal/v2/user/human_phone_verified.go new file mode 100644 index 0000000000..bfe7888425 --- /dev/null +++ b/internal/v2/user/human_phone_verified.go @@ -0,0 +1,27 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type HumanPhoneVerifiedEvent eventstore.Event[eventstore.EmptyPayload] + +const HumanPhoneVerifiedType = humanPrefix + ".phone.removed" + +var _ eventstore.TypeChecker = (*HumanPhoneVerifiedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanPhoneVerifiedEvent) ActionType() string { + return HumanPhoneVerifiedType +} + +func HumanPhoneVerifiedEventFromStorage(event *eventstore.StorageEvent) (e *HumanPhoneVerifiedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-ycRBi", "Errors.Invalid.Event.Type") + } + + return &HumanPhoneVerifiedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/user/human_profile_changed.go b/internal/v2/user/human_profile_changed.go new file mode 100644 index 0000000000..8124d3b993 --- /dev/null +++ b/internal/v2/user/human_profile_changed.go @@ -0,0 +1,45 @@ +package user + +import ( + "golang.org/x/text/language" + + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type humanProfileChangedPayload struct { + FirstName string `json:"firstName,omitempty"` + LastName string `json:"lastName,omitempty"` + NickName *string `json:"nickName,omitempty"` + DisplayName *string `json:"displayName,omitempty"` + PreferredLanguage *language.Tag `json:"preferredLanguage,omitempty"` + Gender *domain.Gender `json:"gender,omitempty"` +} + +type HumanProfileChangedEvent eventstore.Event[humanProfileChangedPayload] + +const HumanProfileChangedType = humanPrefix + ".profile.changed" + +var _ eventstore.TypeChecker = (*HumanProfileChangedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanProfileChangedEvent) ActionType() string { + return HumanProfileChangedType +} + +func HumanProfileChangedEventFromStorage(event *eventstore.StorageEvent) (e *HumanProfileChangedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-Z1aFH", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[humanProfileChangedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &HumanProfileChangedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/human_registered.go b/internal/v2/user/human_registered.go new file mode 100644 index 0000000000..c1908da377 --- /dev/null +++ b/internal/v2/user/human_registered.go @@ -0,0 +1,55 @@ +package user + +import ( + "golang.org/x/text/language" + + "github.com/zitadel/zitadel/internal/crypto" + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type humanRegisteredPayload struct { + Username string `json:"userName"` + FirstName string `json:"firstName,omitempty"` + LastName string `json:"lastName,omitempty"` + NickName string `json:"nickName,omitempty"` + DisplayName string `json:"displayName,omitempty"` + PreferredLanguage language.Tag `json:"preferredLanguage,omitempty"` + Gender domain.Gender `json:"gender,omitempty"` + EmailAddress domain.EmailAddress `json:"email,omitempty"` + PhoneNumber domain.PhoneNumber `json:"phone,omitempty"` + + // New events only use EncodedHash. However, the secret field + // is preserved to handle events older than the switch to Passwap. + Secret *crypto.CryptoValue `json:"secret,omitempty"` // legacy + EncodedHash string `json:"encodedHash,omitempty"` + PasswordChangeRequired bool `json:"changeRequired,omitempty"` +} + +type HumanRegisteredEvent eventstore.Event[humanRegisteredPayload] + +const HumanRegisteredType = humanPrefix + ".selfregistered" + +var _ eventstore.TypeChecker = (*HumanRegisteredEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *HumanRegisteredEvent) ActionType() string { + return HumanRegisteredType +} + +func HumanRegisteredEventFromStorage(event *eventstore.StorageEvent) (e *HumanRegisteredEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-8HvGi", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[humanRegisteredPayload](event.Payload) + if err != nil { + return nil, err + } + + return &HumanRegisteredEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/machine_added.go b/internal/v2/user/machine_added.go new file mode 100644 index 0000000000..57659db9a8 --- /dev/null +++ b/internal/v2/user/machine_added.go @@ -0,0 +1,41 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type machineAddedPayload struct { + Username string `json:"userName"` + Name string `json:"name,omitempty"` + Description string `json:"description,omitempty"` + AccessTokenType domain.OIDCTokenType `json:"accessTokenType,omitempty"` +} + +type MachineAddedEvent eventstore.Event[machineAddedPayload] + +const MachineAddedType = machinePrefix + ".added" + +var _ eventstore.TypeChecker = (*MachineAddedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *MachineAddedEvent) ActionType() string { + return MachineAddedType +} + +func MachineAddedEventFromStorage(event *eventstore.StorageEvent) (e *MachineAddedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-WLLoW", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[machineAddedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &MachineAddedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/machine_changed.go b/internal/v2/user/machine_changed.go new file mode 100644 index 0000000000..bdd721b131 --- /dev/null +++ b/internal/v2/user/machine_changed.go @@ -0,0 +1,40 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type machineChangedPayload struct { + Name *string `json:"name,omitempty"` + Description *string `json:"description,omitempty"` + AccessTokenType *domain.OIDCTokenType `json:"accessTokenType,omitempty"` +} + +type MachineChangedEvent eventstore.Event[machineChangedPayload] + +const MachineChangedType = machinePrefix + ".changed" + +var _ eventstore.TypeChecker = (*MachineChangedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *MachineChangedEvent) ActionType() string { + return MachineChangedType +} + +func MachineChangedEventFromStorage(event *eventstore.StorageEvent) (e *MachineChangedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-JHwNs", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[machineChangedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &MachineChangedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/machine_secret_hash_updated.go b/internal/v2/user/machine_secret_hash_updated.go new file mode 100644 index 0000000000..87d60a4305 --- /dev/null +++ b/internal/v2/user/machine_secret_hash_updated.go @@ -0,0 +1,37 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type machineSecretHashUpdatedPayload struct { + HashedSecret string `json:"hashedSecret,omitempty"` +} + +type MachineSecretHashUpdatedEvent eventstore.Event[machineSecretHashUpdatedPayload] + +const MachineSecretHashUpdatedType = machinePrefix + ".secret.updated" + +var _ eventstore.TypeChecker = (*MachineSecretHashUpdatedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *MachineSecretHashUpdatedEvent) ActionType() string { + return MachineSecretHashUpdatedType +} + +func MachineSecretHashUpdatedEventFromStorage(event *eventstore.StorageEvent) (e *MachineSecretHashUpdatedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-y41RK", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[machineSecretHashUpdatedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &MachineSecretHashUpdatedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/machine_secret_removed.go b/internal/v2/user/machine_secret_removed.go new file mode 100644 index 0000000000..a05da5f796 --- /dev/null +++ b/internal/v2/user/machine_secret_removed.go @@ -0,0 +1,27 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type MachineSecretRemovedEvent eventstore.Event[eventstore.EmptyPayload] + +const MachineSecretRemovedType = machinePrefix + ".secret.removed" + +var _ eventstore.TypeChecker = (*MachineSecretRemovedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *MachineSecretRemovedEvent) ActionType() string { + return MachineSecretRemovedType +} + +func MachineSecretRemovedEventFromStorage(event *eventstore.StorageEvent) (e *MachineSecretRemovedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-SMtct", "Errors.Invalid.Event.Type") + } + + return &MachineSecretRemovedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/user/machine_secret_set.go b/internal/v2/user/machine_secret_set.go new file mode 100644 index 0000000000..a2a9ffa557 --- /dev/null +++ b/internal/v2/user/machine_secret_set.go @@ -0,0 +1,41 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/crypto" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type machineSecretSetPayload struct { + // New events only use EncodedHash. However, the ClientSecret field + // is preserved to handle events older than the switch to Passwap. + ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"` + HashedSecret string `json:"hashedSecret,omitempty"` +} + +type MachineSecretHashSetEvent eventstore.Event[machineSecretSetPayload] + +const MachineSecretHashSetType = machinePrefix + ".secret.set" + +var _ eventstore.TypeChecker = (*MachineSecretHashSetEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *MachineSecretHashSetEvent) ActionType() string { + return MachineSecretHashSetType +} + +func MachineSecretHashSetEventFromStorage(event *eventstore.StorageEvent) (e *MachineSecretHashSetEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-DzycT", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[machineSecretSetPayload](event.Payload) + if err != nil { + return nil, err + } + + return &MachineSecretHashSetEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/token_added.go b/internal/v2/user/token_added.go new file mode 100644 index 0000000000..682dc219d3 --- /dev/null +++ b/internal/v2/user/token_added.go @@ -0,0 +1,51 @@ +package user + +import ( + "time" + + "github.com/zitadel/zitadel/internal/domain" + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type tokenAddedPayload struct { + TokenID string `json:"tokenId,omitempty"` + ApplicationID string `json:"applicationId,omitempty"` + UserAgentID string `json:"userAgentId,omitempty"` + RefreshTokenID string `json:"refreshTokenID,omitempty"` + Audience []string `json:"audience,omitempty"` + Scopes []string `json:"scopes,omitempty"` + AuthMethodsReferences []string `json:"authMethodsReferences,omitempty"` + AuthTime time.Time `json:"authTime,omitempty"` + Expiration time.Time `json:"expiration,omitempty"` + PreferredLanguage string `json:"preferredLanguage,omitempty"` + Reason domain.TokenReason `json:"reason,omitempty"` + Actor *domain.TokenActor `json:"actor,omitempty"` +} + +type TokenAddedEvent eventstore.Event[tokenAddedPayload] + +const TokenAddedType = AggregateType + ".token.added" + +var _ eventstore.TypeChecker = (*TokenAddedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *TokenAddedEvent) ActionType() string { + return TokenAddedType +} + +func TokenAddedEventFromStorage(event *eventstore.StorageEvent) (e *TokenAddedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-0YSt4", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[tokenAddedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &TokenAddedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/internal/v2/user/user_deactivated.go b/internal/v2/user/user_deactivated.go new file mode 100644 index 0000000000..9d01a9e713 --- /dev/null +++ b/internal/v2/user/user_deactivated.go @@ -0,0 +1,27 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type DeactivatedEvent eventstore.Event[eventstore.EmptyPayload] + +const DeactivatedType = AggregateType + ".deactivated" + +var _ eventstore.TypeChecker = (*DeactivatedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *DeactivatedEvent) ActionType() string { + return DeactivatedType +} + +func DeactivatedEventFromStorage(event *eventstore.StorageEvent) (e *DeactivatedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-SBLu2", "Errors.Invalid.Event.Type") + } + + return &DeactivatedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/user/user_locked.go b/internal/v2/user/user_locked.go new file mode 100644 index 0000000000..a0702cdbc2 --- /dev/null +++ b/internal/v2/user/user_locked.go @@ -0,0 +1,27 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type LockedEvent eventstore.Event[eventstore.EmptyPayload] + +const LockedType = AggregateType + ".locked" + +var _ eventstore.TypeChecker = (*LockedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *LockedEvent) ActionType() string { + return LockedType +} + +func LockedEventFromStorage(event *eventstore.StorageEvent) (e *LockedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-48jjE", "Errors.Invalid.Event.Type") + } + + return &LockedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/user/user_reactivated.go b/internal/v2/user/user_reactivated.go new file mode 100644 index 0000000000..005392ce23 --- /dev/null +++ b/internal/v2/user/user_reactivated.go @@ -0,0 +1,27 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type ReactivatedEvent eventstore.Event[eventstore.EmptyPayload] + +const ReactivatedType = AggregateType + ".reactivated" + +var _ eventstore.TypeChecker = (*ReactivatedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *ReactivatedEvent) ActionType() string { + return ReactivatedType +} + +func ReactivatedEventFromStorage(event *eventstore.StorageEvent) (e *ReactivatedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-B3fcY", "Errors.Invalid.Event.Type") + } + + return &ReactivatedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/user/user_removed.go b/internal/v2/user/user_removed.go new file mode 100644 index 0000000000..b5ad827f05 --- /dev/null +++ b/internal/v2/user/user_removed.go @@ -0,0 +1,27 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type RemovedEvent eventstore.Event[eventstore.EmptyPayload] + +const RemovedType = AggregateType + ".removed" + +var _ eventstore.TypeChecker = (*RemovedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *RemovedEvent) ActionType() string { + return RemovedType +} + +func RemovedEventFromStorage(event *eventstore.StorageEvent) (e *RemovedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-UN6Xa", "Errors.Invalid.Event.Type") + } + + return &RemovedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/user/user_unlocked.go b/internal/v2/user/user_unlocked.go new file mode 100644 index 0000000000..97340619ce --- /dev/null +++ b/internal/v2/user/user_unlocked.go @@ -0,0 +1,27 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type UnlockedEvent eventstore.Event[eventstore.EmptyPayload] + +const UnlockedType = AggregateType + ".unlocked" + +var _ eventstore.TypeChecker = (*UnlockedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *UnlockedEvent) ActionType() string { + return UnlockedType +} + +func UnlockedEventFromStorage(event *eventstore.StorageEvent) (e *UnlockedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-HB0wi", "Errors.Invalid.Event.Type") + } + + return &UnlockedEvent{ + StorageEvent: event, + }, nil +} diff --git a/internal/v2/user/username_changed.go b/internal/v2/user/username_changed.go new file mode 100644 index 0000000000..5c0c8afdbc --- /dev/null +++ b/internal/v2/user/username_changed.go @@ -0,0 +1,37 @@ +package user + +import ( + "github.com/zitadel/zitadel/internal/v2/eventstore" + "github.com/zitadel/zitadel/internal/zerrors" +) + +type usernameChangedPayload struct { + Username string `json:"userName"` +} + +type UsernameChangedEvent eventstore.Event[usernameChangedPayload] + +const UsernameChangedType = AggregateType + ".username.changed" + +var _ eventstore.TypeChecker = (*UsernameChangedEvent)(nil) + +// ActionType implements eventstore.Typer. +func (c *UsernameChangedEvent) ActionType() string { + return UsernameChangedType +} + +func UsernameChangedEventFromStorage(event *eventstore.StorageEvent) (e *UsernameChangedEvent, _ error) { + if event.Type != e.ActionType() { + return nil, zerrors.ThrowInvalidArgument(nil, "USER-hCGsh", "Errors.Invalid.Event.Type") + } + + payload, err := eventstore.UnmarshalPayload[usernameChangedPayload](event.Payload) + if err != nil { + return nil, err + } + + return &UsernameChangedEvent{ + StorageEvent: event, + Payload: payload, + }, nil +} diff --git a/proto/zitadel/admin.proto b/proto/zitadel/admin.proto index 27e222589f..e05d74b435 100644 --- a/proto/zitadel/admin.proto +++ b/proto/zitadel/admin.proto @@ -6028,31 +6028,28 @@ message AddSAMLProviderRequest { string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; oneof metadata { option (validate.required) = true; + // Metadata of the SAML identity provider. bytes metadata_xml = 2 [ - (validate.rules).bytes.max_len = 500000, - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Metadata of the SAML identity provider"; - } + (validate.rules).bytes.max_len = 500000 ]; + // Url to the metadata of the SAML identity provider. string metadata_url = 3 [ (validate.rules).string.max_len = 200, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { example: "\"https://test.com/saml/metadata\"" - description: "Url to the metadata of the SAML identity provider"; } ]; } - zitadel.idp.v1.SAMLBinding binding = 4 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Binding which defines the type of communication with the identity provider"; - } - ]; - bool with_signed_request = 5 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Boolean which defines if the authentication requests are signed"; - } - ]; + // Binding which defines the type of communication with the identity provider. + zitadel.idp.v1.SAMLBinding binding = 4; + // Boolean which defines if the authentication requests are signed. + bool with_signed_request = 5; zitadel.idp.v1.Options provider_options = 6; + // Optionally specify the `nameid-format` requested. + optional zitadel.idp.v1.SAMLNameIDFormat name_id_format = 7; + // Optionally specify the name of the attribute, which will be used to map the user + // in case the nameid-format returned is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`. + optional string transient_mapping_attribute_name = 8; } message AddSAMLProviderResponse { @@ -6063,33 +6060,30 @@ message AddSAMLProviderResponse { message UpdateSAMLProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + // Metadata of the SAML identity provider. oneof metadata { option (validate.required) = true; bytes metadata_xml = 3 [ - (validate.rules).bytes.max_len = 500000, - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Metadata of the SAML identity provider"; - } + (validate.rules).bytes.max_len = 500000 ]; + // Url to the metadata of the SAML identity provider string metadata_url = 4 [ (validate.rules).string.max_len = 200, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { example: "\"https://test.com/saml/metadata\"" - description: "Url to the metadata of the SAML identity provider"; } ]; } - zitadel.idp.v1.SAMLBinding binding = 5 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Binding which defines the type of communication with the identity provider"; - } - ]; - bool with_signed_request = 6 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Boolean which defines if the authentication requests are signed"; - } - ]; + // Binding which defines the type of communication with the identity provider. + zitadel.idp.v1.SAMLBinding binding = 5; + // Boolean which defines if the authentication requests are signed + bool with_signed_request = 6; zitadel.idp.v1.Options provider_options = 7; + // Optionally specify the `nameid-format` requested. + optional zitadel.idp.v1.SAMLNameIDFormat name_id_format = 8; + // Optionally specify the name of the attribute, which will be used to map the user + // in case the nameid-format returned is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`. + optional string transient_mapping_attribute_name = 9; } message UpdateSAMLProviderResponse { @@ -6817,6 +6811,23 @@ message UpdatePrivacyPolicyRequest { description: "help / support email address." } ]; + string docs_link = 5 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://zitadel.com/docs\""; + } + ]; + string custom_link = 6 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Link to an external resource that will be available to users in the console."; + example: "\"https://external.link\""; + } + ]; + string custom_link_text = 7 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "The button text that would be shown in console pointing to custom link."; + example: "\"External\""; + } + ]; } message UpdatePrivacyPolicyResponse { diff --git a/proto/zitadel/auth.proto b/proto/zitadel/auth.proto index 58767f9fe9..5e5dcd6fb9 100644 --- a/proto/zitadel/auth.proto +++ b/proto/zitadel/auth.proto @@ -1569,6 +1569,8 @@ message ListMyProjectOrgsRequest { zitadel.v1.ListQuery query = 1; //criteria the client is looking for repeated zitadel.org.v1.OrgQuery queries = 2; + // States by which field the results are sorted. + zitadel.org.v1.OrgFieldName sorting_column = 3; } message ListMyProjectOrgsResponse { diff --git a/proto/zitadel/feature/v2beta/feature.proto b/proto/zitadel/feature/v2beta/feature.proto index 484bb667fc..082159b95b 100644 --- a/proto/zitadel/feature/v2beta/feature.proto +++ b/proto/zitadel/feature/v2beta/feature.proto @@ -33,3 +33,25 @@ message FeatureFlag { } ]; } + +message ImprovedPerformanceFeatureFlag { + repeated ImprovedPerformance execution_paths = 1 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[1]"; + description: "Which of the performance improvements is enabled"; + } + ]; + + Source source = 2 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "The source where the setting of the feature was defined. The source may be the resource itself or a resource owner through inheritance."; + } + ]; +} + +enum ImprovedPerformance { + IMPROVED_PERFORMANCE_UNSPECIFIED = 0; + // Uses the eventstore to query the org by id + // instead of the sql table. + IMPROVED_PERFORMANCE_ORG_BY_ID = 1; +} \ No newline at end of file diff --git a/proto/zitadel/feature/v2beta/instance.proto b/proto/zitadel/feature/v2beta/instance.proto index 3cfc2c4506..292fcc5101 100644 --- a/proto/zitadel/feature/v2beta/instance.proto +++ b/proto/zitadel/feature/v2beta/instance.proto @@ -49,6 +49,15 @@ message SetInstanceFeaturesRequest{ description: "Actions allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage."; } ]; + + repeated ImprovedPerformance improved_performance = 7 [ + (validate.rules).repeated.unique = true, + (validate.rules).repeated.items.enum = {defined_only: true, not_in: [0]}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[1]"; + description: "Improves performance of specified execution paths."; + } + ]; } message SetInstanceFeaturesResponse { @@ -113,4 +122,11 @@ message GetInstanceFeaturesResponse { description: "Actions v2 allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage."; } ]; + + ImprovedPerformanceFeatureFlag improved_performance = 8 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[1]"; + description: "Improves performance of specified execution paths."; + } + ]; } diff --git a/proto/zitadel/feature/v2beta/system.proto b/proto/zitadel/feature/v2beta/system.proto index 8f98eb0625..048f25391f 100644 --- a/proto/zitadel/feature/v2beta/system.proto +++ b/proto/zitadel/feature/v2beta/system.proto @@ -46,13 +46,21 @@ message SetSystemFeaturesRequest{ } ]; - optional bool actions = 6 [ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { example: "true"; description: "Actions allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage."; } ]; + + repeated ImprovedPerformance improved_performance = 7 [ + (validate.rules).repeated.unique = true, + (validate.rules).repeated.items.enum = {defined_only: true, not_in: [0]}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[1]"; + description: "Improves performance of specified execution paths."; + } + ]; } message SetSystemFeaturesResponse { @@ -110,4 +118,11 @@ message GetSystemFeaturesResponse { description: "Actions v2 allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage."; } ]; + + ImprovedPerformanceFeatureFlag improved_performance = 8 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[1]"; + description: "Improves performance of specified execution paths."; + } + ]; } diff --git a/proto/zitadel/idp.proto b/proto/zitadel/idp.proto index 1beab90a5f..2f434f50cc 100644 --- a/proto/zitadel/idp.proto +++ b/proto/zitadel/idp.proto @@ -276,6 +276,13 @@ enum SAMLBinding { SAML_BINDING_ARTIFACT = 3; } +enum SAMLNameIDFormat { + SAML_NAME_ID_FORMAT_UNSPECIFIED = 0; + SAML_NAME_ID_FORMAT_EMAIL_ADDRESS = 1; + SAML_NAME_ID_FORMAT_PERSISTENT = 2; + SAML_NAME_ID_FORMAT_TRANSIENT = 3; +} + message ProviderConfig { Options options = 1; oneof config { @@ -452,21 +459,17 @@ message LDAPConfig { } message SAMLConfig { - bytes metadata_xml = 1 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Metadata of the SAML identity provider"; - } - ]; - zitadel.idp.v1.SAMLBinding binding = 2 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Binding which defines the type of communication with the identity provider"; - } - ]; - bool with_signed_request = 3 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Boolean which defines if the authentication requests are signed"; - } - ]; + // Metadata of the SAML identity provider. + bytes metadata_xml = 1; + // Binding which defines the type of communication with the identity provider. + zitadel.idp.v1.SAMLBinding binding = 2; + // Boolean which defines if the authentication requests are signed. + bool with_signed_request = 3; + // `nameid-format` for the SAML Request. + zitadel.idp.v1.SAMLNameIDFormat name_id_format = 4; + // Optional name of the attribute, which will be used to map the user + // in case the nameid-format returned is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`. + optional string transient_mapping_attribute_name = 5; } message AzureADConfig { diff --git a/proto/zitadel/management.proto b/proto/zitadel/management.proto index d5b102b7e3..560b37a09d 100644 --- a/proto/zitadel/management.proto +++ b/proto/zitadel/management.proto @@ -10495,6 +10495,24 @@ message AddCustomPrivacyPolicyRequest { description: "help / support email address." } ]; + string docs_link = 5 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Link to documentation to be shown in the console."; + example: "\"https://zitadel.com/docs\""; + } + ]; + string custom_link = 6 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Link to an external resource that will be available to users in the console."; + example: "\"https://external.link\""; + } + ]; + string custom_link_text = 7 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "The button text that would be shown in console pointing to custom link."; + example: "\"External\""; + } + ]; } message AddCustomPrivacyPolicyResponse { @@ -10527,6 +10545,24 @@ message UpdateCustomPrivacyPolicyRequest { description: "help / support email address." } ]; + string docs_link = 5 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Link to documentation to be shown in the console."; + example: "\"https://zitadel.com/docs\""; + } + ]; + string custom_link = 6 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Link to an external resource that will be available to users in the console."; + example: "\"https://external.link\""; + } + ]; + string custom_link_text = 7 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "The button text that would be shown in console pointing to custom link."; + example: "\"External\""; + } + ]; } message UpdateCustomPrivacyPolicyResponse { @@ -12731,31 +12767,28 @@ message AddSAMLProviderRequest { string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; oneof metadata { option (validate.required) = true; + // Metadata of the SAML identity provider. bytes metadata_xml = 2 [ - (validate.rules).bytes.max_len = 500000, - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Metadata of the SAML identity provider"; - } + (validate.rules).bytes.max_len = 500000 ]; + // Url to the metadata of the SAML identity provider. string metadata_url = 3 [ (validate.rules).string.max_len = 200, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { example: "\"https://test.com/saml/metadata\"" - description: "Url to the metadata of the SAML identity provider"; } ]; } - zitadel.idp.v1.SAMLBinding binding = 4 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Binding which defines the type of communication with the identity provider"; - } - ]; - bool with_signed_request = 5 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Boolean which defines if the authentication requests are signed"; - } - ]; + // Binding which defines the type of communication with the identity provider. + zitadel.idp.v1.SAMLBinding binding = 4; + // Boolean which defines if the authentication requests are signed. + bool with_signed_request = 5; zitadel.idp.v1.Options provider_options = 6; + // Optionally specify the `nameid-format` requested. + optional zitadel.idp.v1.SAMLNameIDFormat name_id_format = 7; + // Optionally specify the name of the attribute, which will be used to map the user + // in case the nameid-format returned is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`. + optional string transient_mapping_attribute_name = 8; } message AddSAMLProviderResponse { @@ -12766,33 +12799,30 @@ message AddSAMLProviderResponse { message UpdateSAMLProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + // Metadata of the SAML identity provider. oneof metadata { option (validate.required) = true; bytes metadata_xml = 3 [ - (validate.rules).bytes.max_len = 500000, - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Metadata of the SAML identity provider"; - } + (validate.rules).bytes.max_len = 500000 ]; + // Url to the metadata of the SAML identity provider. string metadata_url = 4 [ (validate.rules).string.max_len = 200, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { example: "\"https://test.com/saml/metadata\"" - description: "Url to the metadata of the SAML identity provider"; } ]; } - zitadel.idp.v1.SAMLBinding binding = 5 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Binding which defines the type of communication with the identity provider"; - } - ]; - bool with_signed_request = 6 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "Boolean which defines if the authentication requests are signed"; - } - ]; + // Binding which defines the type of communication with the identity provider. + zitadel.idp.v1.SAMLBinding binding = 5; + // Boolean which defines if the authentication requests are signed. + bool with_signed_request = 6; zitadel.idp.v1.Options provider_options = 7; + // Optionally specify the `nameid-format` requested. + optional zitadel.idp.v1.SAMLNameIDFormat name_id_format = 8; + // Optionally specify the name of the attribute, which will be used to map the user + // in case the nameid-format returned is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`. + optional string transient_mapping_attribute_name = 9; } message UpdateSAMLProviderResponse { diff --git a/proto/zitadel/policy.proto b/proto/zitadel/policy.proto index 75d8472103..02b7e453f3 100644 --- a/proto/zitadel/policy.proto +++ b/proto/zitadel/policy.proto @@ -375,6 +375,25 @@ message PrivacyPolicy { description: "help / support email address." } ]; + string docs_link = 7 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Link to documentation to be shown in the console."; + example: "\"https://zitadel.com/docs\""; + } + ]; + string custom_link = 8 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Link to an external resource that will be available to users in the console."; + example: "\"https://external.link\""; + } + ]; + string custom_link_text = 9 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "The button text that would be shown in console pointing to custom link."; + example: "\"External\""; + } + ]; + } message NotificationPolicy { diff --git a/proto/zitadel/session/v2beta/session_service.proto b/proto/zitadel/session/v2beta/session_service.proto index 94efe5a7c7..6a2e731a94 100644 --- a/proto/zitadel/session/v2beta/session_service.proto +++ b/proto/zitadel/session/v2beta/session_service.proto @@ -296,7 +296,7 @@ message CreateSessionResponse{ ]; string session_token = 3 [ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "\"The current token of the session, which is required for further updates of the session or the request other resources.\""; + description: "\"The current token of the session, which is required for delete session, get session or the request of other resources.\""; } ]; Challenges challenges = 4; @@ -313,11 +313,11 @@ message SetSessionRequest{ } ]; string session_token = 2 [ - (validate.rules).string = {min_len: 1, max_len: 200}, + (validate.rules).string = {min_len: 0, max_len: 200}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { min_length: 1; max_length: 200; - description: "\"The current token of the session, previously returned on the create / update request.\""; + description: "\"DEPRECATED: this field is ignored.\""; } ]; Checks checks = 3[ @@ -344,7 +344,7 @@ message SetSessionResponse{ zitadel.object.v2beta.Details details = 1; string session_token = 2 [ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - description: "\"The current token of the session, which is required for further updates of the session or to request other resources.\""; + description: "\"The current token of the session, which is required for delete session, get session or the request of other resources.\""; } ]; Challenges challenges = 3; diff --git a/proto/zitadel/settings/v2beta/legal_settings.proto b/proto/zitadel/settings/v2beta/legal_settings.proto index b170d5f894..882a99cdba 100644 --- a/proto/zitadel/settings/v2beta/legal_settings.proto +++ b/proto/zitadel/settings/v2beta/legal_settings.proto @@ -37,4 +37,22 @@ message LegalAndSupportSettings { description: "resource_owner_type returns if the setting is managed on the organization or on the instance"; } ]; + string docs_link = 6 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Link to documentation to be shown in the console."; + example: "\"https://zitadel.com/docs\""; + } +]; +string custom_link = 7 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Link to an external resource that will be available to users in the console."; + example: "\"https://external.link\""; + } +]; +string custom_link_text = 8 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "The button text that would be shown in console pointing to custom link."; + example: "\"External\""; + } +]; } diff --git a/proto/zitadel/user/v2beta/user_service.proto b/proto/zitadel/user/v2beta/user_service.proto index cbf20d6790..f3d8de747c 100644 --- a/proto/zitadel/user/v2beta/user_service.proto +++ b/proto/zitadel/user/v2beta/user_service.proto @@ -931,6 +931,17 @@ message AddHumanUserRequest{ HashedPassword hashed_password = 8; } repeated IDPLink idp_links = 9; + + // An Implementation of RFC 6238 is used, with HMAC-SHA-1 and time-step of 30 seconds. + // Currently no other options are supported, and if anything different is used the validation will fail. + optional string totp_secret = 12 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + min_length: 1; + max_length: 200; + example: "\"TJOPWSDYILLHXFV4MLKNNJOWFG7VSDCK\""; + } + ]; } message AddHumanUserResponse { diff --git a/release-channels.yaml b/release-channels.yaml index d8b29a5ab7..873825b841 100644 --- a/release-channels.yaml +++ b/release-channels.yaml @@ -1 +1 @@ -stable: "v2.46.7" +stable: "v2.48.5"