TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 00:27:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: manage root CA for LDAP IdPs correctly (#9517)

Browse Source 
# Which Problems Are Solved

#9292 did not correctly change the projection table to list IdPs for existing ZITADEL setups.

# How the Problems Are Solved

Fixed the projection table by an explicit setup.

# Additional Changes

To prevent user facing error when using the LDAP with a custom root CA as much as possible, the certificate is parsed when passing it to the API.

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/9514

---------

Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
(cherry picked from commit 11c9be3b8d)
This commit is contained in:
Iraq
2025-03-18 15:23:12 +00:00
committed by Livio Spring
parent 9c6394c164
commit 9f0da00cd5
11 changed files with 265 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
internal/command/org_idp_test.go
View File

@@ -4324,6 +4324,35 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
},
},
},
{
"invalid rootCA",
fields{
eventstore: expectEventstore(),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "id1"),
},
args{
ctx: context.Background(),
resourceOwner: "org1",
provider: LDAPProvider{
Name: "name",
Servers: []string{"server"},
StartTLS: false,
BaseDN: "baseDN",
BindDN: "dn",
BindPassword: "password",
UserBase: "user",
UserObjectClasses: []string{"object"},
UserFilters: []string{"filter"},
Timeout: time.Second * 30,
RootCA: []byte("certificate"),
},
},
res{
err: func(err error) bool {
return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "INST-cwqVVdBwKt", "Errors.Invalid.Argument"))
},
},
},
{
name: "ok",
fields: fields{
@@ -4400,7 +4429,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
[]string{"object"},
[]string{"filter"},
time.Second*30,
[]byte("certificate"),
validLDAPRootCA,
idp.LDAPAttributes{
IDAttribute: "id",
FirstNameAttribute: "firstName",
@@ -4442,7 +4471,7 @@ func TestCommandSide_AddOrgLDAPIDP(t *testing.T) {
UserObjectClasses: []string{"object"},
UserFilters: []string{"filter"},
Timeout: time.Second * 30,
RootCA: []byte("certificate"),
RootCA: validLDAPRootCA,
LDAPAttributes: idp.LDAPAttributes{
IDAttribute: "id",
FirstNameAttribute: "firstName",
@@ -4677,6 +4706,31 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
},
},
},
{
"invalid rootCA",
fields{
eventstore: expectEventstore(),
},
args{
ctx: context.Background(),
resourceOwner: "org1",
id: "id1",
provider: LDAPProvider{
Name: "name",
Servers: []string{"server"},
BaseDN: "baseDN",
BindDN: "bindDN",
UserBase: "user",
UserObjectClasses: []string{"object"},
RootCA: []byte("certificate"),
},
},
res{
err: func(err error) bool {
return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "ORG-aBx901n", ""))
},
},
},
{
name: "not found",
fields: fields{
@@ -4728,7 +4782,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
[]string{"object"},
[]string{"filter"},
time.Second*30,
[]byte("certificate"),
validLDAPRootCA,
idp.LDAPAttributes{},
idp.Options{},
)),
@@ -4748,7 +4802,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
UserFilters: []string{"filter"},
UserBase: "user",
Timeout: time.Second * 30,
RootCA: []byte("certificate"),
RootCA: validLDAPRootCA,
},
},
res: res{
@@ -4778,7 +4832,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
[]string{"object"},
[]string{"filter"},
time.Second*30,
[]byte("certificate"),
nil,
idp.LDAPAttributes{},
idp.Options{},
)),
@@ -4825,6 +4879,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
IsAutoCreation: &t,
IsAutoUpdate: &t,
}),
idp.ChangeLDAPRootCA(validLDAPRootCA),
},
)
return event
@@ -4848,7 +4903,7 @@ func TestCommandSide_UpdateOrgLDAPIDP(t *testing.T) {
UserObjectClasses: []string{"new object"},
UserFilters: []string{"new filter"},
Timeout: time.Second * 20,
RootCA: []byte("certificate"),
RootCA: validLDAPRootCA,
LDAPAttributes: idp.LDAPAttributes{
IDAttribute: "new id",
FirstNameAttribute: "new firstName",