feat: project roles (#843)

* fix logging * token verification * feat: assert roles * feat: add project role assertion on project and token type on app * id and access token role assertion * add project role check * user grant required step in login * update library * fix merge * fix merge * fix merge * update oidc library * fix tests * add tests for GrantRequiredStep * add missing field ProjectRoleCheck on project view model * fix project create * fix project create
2025-08-12 03:37:34 +00:00 · 2020-10-16 07:49:38 +02:00
parent f5a7a0a09f
commit a321d850ae
57 changed files with 10894 additions and 18297 deletions
--- a/internal/api/grpc/management/application_converter.go
+++ b/internal/api/grpc/management/application_converter.go
@@ -44,34 +44,40 @@ func appConfigFromModel(app *proj_model.Application) management.AppConfig {

 func oidcConfigFromModel(config *proj_model.OIDCConfig) *management.OIDCConfig {
 	return &management.OIDCConfig{
-		RedirectUris:           config.RedirectUris,
-		ResponseTypes:          oidcResponseTypesFromModel(config.ResponseTypes),
-		GrantTypes:             oidcGrantTypesFromModel(config.GrantTypes),
-		ApplicationType:        oidcApplicationTypeFromModel(config.ApplicationType),
-		ClientId:               config.ClientID,
-		ClientSecret:           config.ClientSecretString,
-		AuthMethodType:         oidcAuthMethodTypeFromModel(config.AuthMethodType),
-		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
-		Version:                oidcVersionFromModel(config.OIDCVersion),
-		NoneCompliant:          config.Compliance.NoneCompliant,
-		ComplianceProblems:     complianceProblemsToLocalizedMessages(config.Compliance.Problems),
-		DevMode:                config.DevMode,
+		RedirectUris:             config.RedirectUris,
+		ResponseTypes:            oidcResponseTypesFromModel(config.ResponseTypes),
+		GrantTypes:               oidcGrantTypesFromModel(config.GrantTypes),
+		ApplicationType:          oidcApplicationTypeFromModel(config.ApplicationType),
+		ClientId:                 config.ClientID,
+		ClientSecret:             config.ClientSecretString,
+		AuthMethodType:           oidcAuthMethodTypeFromModel(config.AuthMethodType),
+		PostLogoutRedirectUris:   config.PostLogoutRedirectUris,
+		Version:                  oidcVersionFromModel(config.OIDCVersion),
+		NoneCompliant:            config.Compliance.NoneCompliant,
+		ComplianceProblems:       complianceProblemsToLocalizedMessages(config.Compliance.Problems),
+		DevMode:                  config.DevMode,
+		AccessTokenType:          oidcTokenTypeFromModel(config.AccessTokenType),
+		AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
+		IdTokenRoleAssertion:     config.IDTokenRoleAssertion,
 	}
 }

 func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *management.OIDCConfig {
 	return &management.OIDCConfig{
-		RedirectUris:           app.OIDCRedirectUris,
-		ResponseTypes:          oidcResponseTypesFromModel(app.OIDCResponseTypes),
-		GrantTypes:             oidcGrantTypesFromModel(app.OIDCGrantTypes),
-		ApplicationType:        oidcApplicationTypeFromModel(app.OIDCApplicationType),
-		ClientId:               app.OIDCClientID,
-		AuthMethodType:         oidcAuthMethodTypeFromModel(app.OIDCAuthMethodType),
-		PostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
-		Version:                oidcVersionFromModel(app.OIDCVersion),
-		NoneCompliant:          app.NoneCompliant,
-		ComplianceProblems:     complianceProblemsToLocalizedMessages(app.ComplianceProblems),
-		DevMode:                app.DevMode,
+		RedirectUris:             app.OIDCRedirectUris,
+		ResponseTypes:            oidcResponseTypesFromModel(app.OIDCResponseTypes),
+		GrantTypes:               oidcGrantTypesFromModel(app.OIDCGrantTypes),
+		ApplicationType:          oidcApplicationTypeFromModel(app.OIDCApplicationType),
+		ClientId:                 app.OIDCClientID,
+		AuthMethodType:           oidcAuthMethodTypeFromModel(app.OIDCAuthMethodType),
+		PostLogoutRedirectUris:   app.OIDCPostLogoutRedirectUris,
+		Version:                  oidcVersionFromModel(app.OIDCVersion),
+		NoneCompliant:            app.NoneCompliant,
+		ComplianceProblems:       complianceProblemsToLocalizedMessages(app.ComplianceProblems),
+		DevMode:                  app.DevMode,
+		AccessTokenType:          oidcTokenTypeFromModel(app.AccessTokenType),
+		AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
+		IdTokenRoleAssertion:     app.IDTokenRoleAssertion,
 	}
 }

@@ -92,14 +98,17 @@ func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.App
 		Name: app.Name,
 		Type: proj_model.AppTypeOIDC,
 		OIDCConfig: &proj_model.OIDCConfig{
-			OIDCVersion:            oidcVersionToModel(app.Version),
-			RedirectUris:           app.RedirectUris,
-			ResponseTypes:          oidcResponseTypesToModel(app.ResponseTypes),
-			GrantTypes:             oidcGrantTypesToModel(app.GrantTypes),
-			ApplicationType:        oidcApplicationTypeToModel(app.ApplicationType),
-			AuthMethodType:         oidcAuthMethodTypeToModel(app.AuthMethodType),
-			PostLogoutRedirectUris: app.PostLogoutRedirectUris,
-			DevMode:                app.DevMode,
+			OIDCVersion:              oidcVersionToModel(app.Version),
+			RedirectUris:             app.RedirectUris,
+			ResponseTypes:            oidcResponseTypesToModel(app.ResponseTypes),
+			GrantTypes:               oidcGrantTypesToModel(app.GrantTypes),
+			ApplicationType:          oidcApplicationTypeToModel(app.ApplicationType),
+			AuthMethodType:           oidcAuthMethodTypeToModel(app.AuthMethodType),
+			PostLogoutRedirectUris:   app.PostLogoutRedirectUris,
+			DevMode:                  app.DevMode,
+			AccessTokenType:          oidcTokenTypeToModel(app.AccessTokenType),
+			AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
+			IDTokenRoleAssertion:     app.IdTokenRoleAssertion,
 		},
 	}
 }
@@ -119,14 +128,17 @@ func oidcConfigUpdateToModel(app *management.OIDCConfigUpdate) *proj_model.OIDCC
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: app.ProjectId,
 		},
-		AppID:                  app.ApplicationId,
-		RedirectUris:           app.RedirectUris,
-		ResponseTypes:          oidcResponseTypesToModel(app.ResponseTypes),
-		GrantTypes:             oidcGrantTypesToModel(app.GrantTypes),
-		ApplicationType:        oidcApplicationTypeToModel(app.ApplicationType),
-		AuthMethodType:         oidcAuthMethodTypeToModel(app.AuthMethodType),
-		PostLogoutRedirectUris: app.PostLogoutRedirectUris,
-		DevMode:                app.DevMode,
+		AppID:                    app.ApplicationId,
+		RedirectUris:             app.RedirectUris,
+		ResponseTypes:            oidcResponseTypesToModel(app.ResponseTypes),
+		GrantTypes:               oidcGrantTypesToModel(app.GrantTypes),
+		ApplicationType:          oidcApplicationTypeToModel(app.ApplicationType),
+		AuthMethodType:           oidcAuthMethodTypeToModel(app.AuthMethodType),
+		PostLogoutRedirectUris:   app.PostLogoutRedirectUris,
+		DevMode:                  app.DevMode,
+		AccessTokenType:          oidcTokenTypeToModel(app.AccessTokenType),
+		AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
+		IDTokenRoleAssertion:     app.IdTokenRoleAssertion,
 	}
 }

@@ -351,6 +363,28 @@ func oidcAuthMethodTypeFromModel(authType proj_model.OIDCAuthMethodType) managem
 	}
 }

+func oidcTokenTypeToModel(tokenType management.OIDCTokenType) proj_model.OIDCTokenType {
+	switch tokenType {
+	case management.OIDCTokenType_OIDCTokenType_Bearer:
+		return proj_model.OIDCTokenTypeBearer
+	case management.OIDCTokenType_OIDCTokenType_JWT:
+		return proj_model.OIDCTokenTypeJWT
+	default:
+		return proj_model.OIDCTokenTypeBearer
+	}
+}
+
+func oidcTokenTypeFromModel(tokenType proj_model.OIDCTokenType) management.OIDCTokenType {
+	switch tokenType {
+	case proj_model.OIDCTokenTypeBearer:
+		return management.OIDCTokenType_OIDCTokenType_Bearer
+	case proj_model.OIDCTokenTypeJWT:
+		return management.OIDCTokenType_OIDCTokenType_JWT
+	default:
+		return management.OIDCTokenType_OIDCTokenType_Bearer
+	}
+}
+
 func oidcVersionFromModel(version proj_model.OIDCVersion) management.OIDCVersion {
 	switch version {
 	case proj_model.OIDCVersionV1:
--- a/internal/api/grpc/management/project.go
+++ b/internal/api/grpc/management/project.go
@@ -12,7 +12,7 @@ import (
 )

 func (s *Server) CreateProject(ctx context.Context, in *management.ProjectCreateRequest) (*management.Project, error) {
-	project, err := s.project.CreateProject(ctx, in.Name)
+	project, err := s.project.CreateProject(ctx, projectCreateToModel(in))
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/project_converter.go
+++ b/internal/api/grpc/management/project_converter.go
@@ -22,12 +22,14 @@ func projectFromModel(project *proj_model.Project) *management.Project {
 	logging.Log("GRPC-di7rw").OnError(err).Debug("unable to parse timestamp")

 	return &management.Project{
-		Id:           project.AggregateID,
-		State:        projectStateFromModel(project.State),
-		CreationDate: creationDate,
-		ChangeDate:   changeDate,
-		Name:         project.Name,
-		Sequence:     project.Sequence,
+		Id:                   project.AggregateID,
+		State:                projectStateFromModel(project.State),
+		CreationDate:         creationDate,
+		ChangeDate:           changeDate,
+		Name:                 project.Name,
+		Sequence:             project.Sequence,
+		ProjectRoleAssertion: project.ProjectRoleAssertion,
+		ProjectRoleCheck:     project.ProjectRoleCheck,
 	}
 }

@@ -60,13 +62,15 @@ func projectViewFromModel(project *proj_model.ProjectView) *management.ProjectVi
 	logging.Log("GRPC-sope3").OnError(err).Debug("unable to parse timestamp")

 	return &management.ProjectView{
-		ProjectId:     project.ProjectID,
-		State:         projectStateFromModel(project.State),
-		CreationDate:  creationDate,
-		ChangeDate:    changeDate,
-		Name:          project.Name,
-		Sequence:      project.Sequence,
-		ResourceOwner: project.ResourceOwner,
+		ProjectId:            project.ProjectID,
+		State:                projectStateFromModel(project.State),
+		CreationDate:         creationDate,
+		ChangeDate:           changeDate,
+		Name:                 project.Name,
+		Sequence:             project.Sequence,
+		ResourceOwner:        project.ResourceOwner,
+		ProjectRoleAssertion: project.ProjectRoleAssertion,
+		ProjectRoleCheck:     project.ProjectRoleCheck,
 	}
 }

@@ -117,12 +121,22 @@ func projectStateFromModel(state proj_model.ProjectState) management.ProjectStat
 	}
 }

+func projectCreateToModel(project *management.ProjectCreateRequest) *proj_model.Project {
+	return &proj_model.Project{
+		Name:                 project.Name,
+		ProjectRoleAssertion: project.ProjectRoleAssertion,
+		ProjectRoleCheck:     project.ProjectRoleCheck,
+	}
+}
+
 func projectUpdateToModel(project *management.ProjectUpdateRequest) *proj_model.Project {
 	return &proj_model.Project{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: project.Id,
 		},
-		Name: project.Name,
+		Name:                 project.Name,
+		ProjectRoleAssertion: project.ProjectRoleAssertion,
+		ProjectRoleCheck:     project.ProjectRoleCheck,
 	}
 }

--- a/internal/api/grpc/management/user_grant_converter.go
+++ b/internal/api/grpc/management/user_grant_converter.go
@@ -135,7 +135,7 @@ func userGrantViewFromModel(grant *grant_model.UserGrantView) *management.UserGr
 		Email:         grant.Email,
 		ProjectName:   grant.ProjectName,
 		OrgName:       grant.OrgName,
-		OrgDomain:     grant.OrgDomain,
+		OrgDomain:     grant.OrgPrimaryDomain,
 		RoleKeys:      grant.RoleKeys,
 		UserId:        grant.UserID,
 		ProjectId:     grant.ProjectID,