fix: manage root CA for LDAP IdPs correctly (#9517)

# Which Problems Are Solved #9292 did not correctly change the projection table to list IdPs for existing ZITADEL setups. # How the Problems Are Solved Fixed the projection table by an explicit setup. # Additional Changes To prevent user facing error when using the LDAP with a custom root CA as much as possible, the certificate is parsed when passing it to the API. # Additional Context - Closes https://github.com/zitadel/zitadel/issues/9514 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com> (cherry picked from commit 11c9be3b8d)
2025-08-12 04:57:33 +00:00 · 2025-03-18 15:23:12 +00:00
parent 9c6394c164
commit 9f0da00cd5
11 changed files with 265 additions and 75 deletions
--- a/internal/command/org_idp.go
+++ b/internal/command/org_idp.go
@@ -1516,6 +1516,11 @@ func (c *Commands) prepareAddOrgLDAPProvider(a *org.Aggregate, writeModel *OrgLD
 		if len(provider.UserFilters) == 0 {
 			return nil, zerrors.ThrowInvalidArgument(nil, "ORG-aAx9x1n", "Errors.Invalid.Argument")
 		}
+		if len(provider.RootCA) > 0 {
+			if err := validateRootCA(provider.RootCA); err != nil {
+				return nil, err
+			}
+		}
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 			events, err := filter(ctx, writeModel.Query())
 			if err != nil {
@@ -1579,6 +1584,11 @@ func (c *Commands) prepareUpdateOrgLDAPProvider(a *org.Aggregate, writeModel *Or
 		if len(provider.UserFilters) == 0 {
 			return nil, zerrors.ThrowInvalidArgument(nil, "ORG-aBx901n", "Errors.Invalid.Argument")
 		}
+		if len(provider.RootCA) > 0 {
+			if err := validateRootCA(provider.RootCA); err != nil {
+				return nil, err
+			}
+		}
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 			events, err := filter(ctx, writeModel.Query())
 			if err != nil {