fix: manage root CA for LDAP IdPs correctly (#9517)

# Which Problems Are Solved #9292 did not correctly change the projection table to list IdPs for existing ZITADEL setups. # How the Problems Are Solved Fixed the projection table by an explicit setup. # Additional Changes To prevent user facing error when using the LDAP with a custom root CA as much as possible, the certificate is parsed when passing it to the API. # Additional Context - Closes https://github.com/zitadel/zitadel/issues/9514 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com> (cherry picked from commit 11c9be3b8d)
2025-08-12 04:07:31 +00:00 · 2025-03-18 15:23:12 +00:00
parent 9c6394c164
commit 9f0da00cd5
11 changed files with 265 additions and 75 deletions
--- a/cmd/setup/51.go
+++ b/cmd/setup/51.go
@@ -0,0 +1,27 @@
+package setup
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+var (
+	//go:embed 51.sql
+	addRootCA string
+)
+
+type IDPTemplate6RootCA struct {
+	dbClient *database.DB
+}
+
+func (mig *IDPTemplate6RootCA) Execute(ctx context.Context, _ eventstore.Event) error {
+	_, err := mig.dbClient.ExecContext(ctx, addRootCA)
+	return err
+}
+
+func (mig *IDPTemplate6RootCA) String() string {
+	return "51_idp_templates6_add_root_ca"
+}
--- a/cmd/setup/51.sql
+++ b/cmd/setup/51.sql
@@ -0,0 +1 @@
+ALTER TABLE IF EXISTS projections.idp_templates6_ldap2 ADD COLUMN IF NOT EXISTS root_ca BYTEA;
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@@ -139,6 +139,7 @@ type Steps struct {
 	s48Apps7SAMLConfigsLoginVersion         *Apps7SAMLConfigsLoginVersion
 	s49InitPermittedOrgsFunction            *InitPermittedOrgsFunction
 	s50IDPTemplate6UsePKCE                  *IDPTemplate6UsePKCE
+	s51IDPTemplate6RootCA                   *IDPTemplate6RootCA
 }

 func MustNewSteps(v *viper.Viper) *Steps {
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@@ -177,6 +177,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 	steps.s48Apps7SAMLConfigsLoginVersion = &Apps7SAMLConfigsLoginVersion{dbClient: dbClient}
 	steps.s49InitPermittedOrgsFunction = &InitPermittedOrgsFunction{eventstoreClient: dbClient}
 	steps.s50IDPTemplate6UsePKCE = &IDPTemplate6UsePKCE{dbClient: dbClient}
+	steps.s51IDPTemplate6RootCA = &IDPTemplate6RootCA{dbClient: dbClient}

 	err = projection.Create(ctx, dbClient, eventstoreClient, config.Projections, nil, nil, nil)
 	logging.OnError(err).Fatal("unable to start projections")
@@ -216,6 +217,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 		steps.s47FillMembershipFields,
 		steps.s49InitPermittedOrgsFunction,
 		steps.s50IDPTemplate6UsePKCE,
+		steps.s51IDPTemplate6RootCA,
 	} {
 		mustExecuteMigration(ctx, eventstoreClient, step, "migration failed")
 	}
				`@@ -0,0 +1 @@`
				`ALTER TABLE IF EXISTS projections.idp_templates6_ldap2 ADD COLUMN IF NOT EXISTS root_ca BYTEA;`