TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:17:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: manage root CA for LDAP IdPs correctly (#9517)

Browse Source 
# Which Problems Are Solved

#9292 did not correctly change the projection table to list IdPs for existing ZITADEL setups.

# How the Problems Are Solved

Fixed the projection table by an explicit setup.

# Additional Changes

To prevent user facing error when using the LDAP with a custom root CA as much as possible, the certificate is parsed when passing it to the API.

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/9514

---------

Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
(cherry picked from commit 11c9be3b8d)
This commit is contained in:
Iraq
2025-03-18 15:23:12 +00:00
committed by Livio Spring
parent 9c6394c164
commit 9f0da00cd5
11 changed files with 265 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
internal/command/instance_idp.go
View File

@@ -2,6 +2,7 @@ package command
import (
"context"
"crypto/x509"
"strings"
"github.com/zitadel/saml/pkg/provider/xml"
@@ -1532,6 +1533,12 @@ func (c *Commands) prepareAddInstanceLDAPProvider(a *instance.Aggregate, writeMo
if len(provider.UserFilters) == 0 {
return nil, zerrors.ThrowInvalidArgument(nil, "INST-aAx905n", "Errors.Invalid.Argument")
}
if len(provider.RootCA) > 0 {
if err := validateRootCA(provider.RootCA); err != nil {
return nil, err
}
}
return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
events, err := filter(ctx, writeModel.Query())
if err != nil {
@@ -1569,6 +1576,14 @@ func (c *Commands) prepareAddInstanceLDAPProvider(a *instance.Aggregate, writeMo
}
}
func validateRootCA(pemCerts []byte) error {
rootCAs := x509.NewCertPool()
if ok := rootCAs.AppendCertsFromPEM(pemCerts); !ok {
return zerrors.ThrowInvalidArgument(nil, "INST-cwqVVdBwKt", "Errors.Invalid.Argument")
}
return nil
}
func (c *Commands) prepareUpdateInstanceLDAPProvider(a *instance.Aggregate, writeModel *InstanceLDAPIDPWriteModel, provider LDAPProvider) preparation.Validation {
return func() (preparation.CreateCommands, error) {
if writeModel.ID = strings.TrimSpace(writeModel.ID); writeModel.ID == "" {
@@ -1595,6 +1610,11 @@ func (c *Commands) prepareUpdateInstanceLDAPProvider(a *instance.Aggregate, writ
if len(provider.UserFilters) == 0 {
return nil, zerrors.ThrowInvalidArgument(nil, "INST-aAx901n", "Errors.Invalid.Argument")
}
if len(provider.RootCA) > 0 {
if err := validateRootCA(provider.RootCA); err != nil {
return nil, err
}
}
return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
events, err := filter(ctx, writeModel.Query())
if err != nil {