feat: project roles (#843)
* fix logging * token verification * feat: assert roles * feat: add project role assertion on project and token type on app * id and access token role assertion * add project role check * user grant required step in login * update library * fix merge * fix merge * fix merge * update oidc library * fix tests * add tests for GrantRequiredStep * add missing field ProjectRoleCheck on project view model * fix project create * fix project create
@@ -321,7 +321,7 @@ func (es *ProjectEventstore) AddProjectRoles(ctx context.Context, roles ...*proj
|
||||
}
|
||||
for _, role := range roles {
|
||||
if !role.IsValid() {
|
||||
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-idue3", "Errors.Project.MemberInvalid")
|
||||
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-iduG4", "Errors.Project.RoleInvalid")
|
||||
}
|
||||
}
|
||||
existingProject, err := es.ProjectByID(ctx, roles[0].AggregateID)
|
||||
|
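Review bot: Only the first role's aggregate is loaded on `existingProject, err := es.ProjectByID(ctx, roles[0].AggregateID)`, while the loop above validates each role on its own and never checks that every role carries that same AggregateID; unless `IsValid` already compares it (its body is not visible here), a batch mixing roles for two projects is validated successfully and then appended to the first project's aggregate. A per-element guard inside the loop closes this: `if role.AggregateID != roles[0].AggregateID { return nil, caos_errs.ThrowPreconditionFailed(nil, "<new id>", "Errors.Project.RoleInvalid") }`. The `}` that opens the hunk suggests an earlier check that keeps `roles[0]` safe for an empty slice, but that check and the remainder of `AddProjectRoles` lie outside the hunk.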
@@ -2,26 +2,31 @@ package model
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"reflect"
|
||||
|
||||
"github.com/caos/logging"
|
||||
|
||||
"github.com/caos/zitadel/internal/crypto"
|
||||
es_models "github.com/caos/zitadel/internal/eventstore/models"
|
||||
"github.com/caos/zitadel/internal/project/model"
|
||||
"reflect"
|
||||
)
|
||||
|
||||
type OIDCConfig struct {
|
||||
es_models.ObjectRoot
|
||||
Version int32 `json:"oidcVersion,omitempty"`
|
||||
AppID string `json:"appId"`
|
||||
ClientID string `json:"clientId,omitempty"`
|
||||
ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
|
||||
RedirectUris []string `json:"redirectUris,omitempty"`
|
||||
ResponseTypes []int32 `json:"responseTypes,omitempty"`
|
||||
GrantTypes []int32 `json:"grantTypes,omitempty"`
|
||||
ApplicationType int32 `json:"applicationType,omitempty"`
|
||||
AuthMethodType int32 `json:"authMethodType,omitempty"`
|
||||
PostLogoutRedirectUris []string `json:"postLogoutRedirectUris,omitempty"`
|
||||
DevMode bool `json:"devMode,omitempty"`
|
||||
Version int32 `json:"oidcVersion,omitempty"`
|
||||
AppID string `json:"appId"`
|
||||
ClientID string `json:"clientId,omitempty"`
|
||||
ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
|
||||
RedirectUris []string `json:"redirectUris,omitempty"`
|
||||
ResponseTypes []int32 `json:"responseTypes,omitempty"`
|
||||
GrantTypes []int32 `json:"grantTypes,omitempty"`
|
||||
ApplicationType int32 `json:"applicationType,omitempty"`
|
||||
AuthMethodType int32 `json:"authMethodType,omitempty"`
|
||||
PostLogoutRedirectUris []string `json:"postLogoutRedirectUris,omitempty"`
|
||||
DevMode bool `json:"devMode,omitempty"`
|
||||
AccessTokenType int32 `json:"accessTokenType,omitempty"`
|
||||
AccessTokenRoleAssertion bool `json:"accessTokenRoleAssertion,omitempty"`
|
||||
IDTokenRoleAssertion bool `json:"idTokenRoleAssertion,omitempty"`
|
||||
}
|
||||
|
||||
func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
|
||||
@@ -51,6 +56,15 @@ func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
|
||||
if c.DevMode != changed.DevMode {
|
||||
changes["devMode"] = changed.DevMode
|
||||
}
|
||||
if c.AccessTokenType != changed.AccessTokenType {
|
||||
changes["accessTokenType"] = changed.AccessTokenType
|
||||
}
|
||||
if c.AccessTokenRoleAssertion != changed.AccessTokenRoleAssertion {
|
||||
changes["accessTokenRoleAssertion"] = changed.AccessTokenRoleAssertion
|
||||
}
|
||||
if c.IDTokenRoleAssertion != changed.IDTokenRoleAssertion {
|
||||
changes["idTokenRoleAssertion"] = changed.IDTokenRoleAssertion
|
||||
}
|
||||
return changes
|
||||
}
|
||||
|
||||
@@ -64,18 +78,21 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
|
||||
grantTypes[i] = int32(rt)
|
||||
}
|
||||
return &OIDCConfig{
|
||||
ObjectRoot: config.ObjectRoot,
|
||||
AppID: config.AppID,
|
||||
Version: int32(config.OIDCVersion),
|
||||
ClientID: config.ClientID,
|
||||
ClientSecret: config.ClientSecret,
|
||||
RedirectUris: config.RedirectUris,
|
||||
ResponseTypes: responseTypes,
|
||||
GrantTypes: grantTypes,
|
||||
ApplicationType: int32(config.ApplicationType),
|
||||
AuthMethodType: int32(config.AuthMethodType),
|
||||
PostLogoutRedirectUris: config.PostLogoutRedirectUris,
|
||||
DevMode: config.DevMode,
|
||||
ObjectRoot: config.ObjectRoot,
|
||||
AppID: config.AppID,
|
||||
Version: int32(config.OIDCVersion),
|
||||
ClientID: config.ClientID,
|
||||
ClientSecret: config.ClientSecret,
|
||||
RedirectUris: config.RedirectUris,
|
||||
ResponseTypes: responseTypes,
|
||||
GrantTypes: grantTypes,
|
||||
ApplicationType: int32(config.ApplicationType),
|
||||
AuthMethodType: int32(config.AuthMethodType),
|
||||
PostLogoutRedirectUris: config.PostLogoutRedirectUris,
|
||||
DevMode: config.DevMode,
|
||||
AccessTokenType: int32(config.AccessTokenType),
|
||||
AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
|
||||
IDTokenRoleAssertion: config.IDTokenRoleAssertion,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -89,18 +106,21 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
|
||||
grantTypes[i] = model.OIDCGrantType(rt)
|
||||
}
|
||||
oidcConfig := &model.OIDCConfig{
|
||||
ObjectRoot: config.ObjectRoot,
|
||||
AppID: config.AppID,
|
||||
OIDCVersion: model.OIDCVersion(config.Version),
|
||||
ClientID: config.ClientID,
|
||||
ClientSecret: config.ClientSecret,
|
||||
RedirectUris: config.RedirectUris,
|
||||
ResponseTypes: responseTypes,
|
||||
GrantTypes: grantTypes,
|
||||
ApplicationType: model.OIDCApplicationType(config.ApplicationType),
|
||||
AuthMethodType: model.OIDCAuthMethodType(config.AuthMethodType),
|
||||
PostLogoutRedirectUris: config.PostLogoutRedirectUris,
|
||||
DevMode: config.DevMode,
|
||||
ObjectRoot: config.ObjectRoot,
|
||||
AppID: config.AppID,
|
||||
OIDCVersion: model.OIDCVersion(config.Version),
|
||||
ClientID: config.ClientID,
|
||||
ClientSecret: config.ClientSecret,
|
||||
RedirectUris: config.RedirectUris,
|
||||
ResponseTypes: responseTypes,
|
||||
GrantTypes: grantTypes,
|
||||
ApplicationType: model.OIDCApplicationType(config.ApplicationType),
|
||||
AuthMethodType: model.OIDCAuthMethodType(config.AuthMethodType),
|
||||
PostLogoutRedirectUris: config.PostLogoutRedirectUris,
|
||||
DevMode: config.DevMode,
|
||||
AccessTokenType: model.OIDCTokenType(config.AccessTokenType),
|
||||
AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
|
||||
IDTokenRoleAssertion: config.IDTokenRoleAssertion,
|
||||
}
|
||||
oidcConfig.FillCompliance()
|
||||
return oidcConfig
|
||||
|
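Review bot: The three fields added to `OIDCConfig` (`AccessTokenType`, `AccessTokenRoleAssertion`, `IDTokenRoleAssertion`) carry no doc comment although this struct is the persisted event shape and the flags change what an issued token contains, so a reader of a stored event has nothing to go on. From the commit message the two booleans appear to govern whether the user's project roles are asserted into the access token and the ID token respectively; a comment on each such as `// AccessTokenRoleAssertion requests that the user's project roles be asserted into issued access tokens; false is dropped from the event payload by omitempty.` (and the ID-token counterpart), worded as what the flag requests rather than what the OIDC layer guarantees, would make the intent explicit. `AccessTokenType` is stored as a bare int32 and converted with `model.OIDCTokenType(config.AccessTokenType)` in `OIDCConfigToModel` without range validation, as the existing enum fields already are; if the model type has a fixed value set, a one-line comment pointing at it would help the next maintainer.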
@@ -2,7 +2,9 @@ package model
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
|
||||
"github.com/caos/logging"
|
||||
|
||||
es_models "github.com/caos/zitadel/internal/eventstore/models"
|
||||
"github.com/caos/zitadel/internal/project/model"
|
||||
)
|
||||
@@ -13,12 +15,14 @@ const (
|
||||
|
||||
type Project struct {
|
||||
es_models.ObjectRoot
|
||||
Name string `json:"name,omitempty"`
|
||||
State int32 `json:"-"`
|
||||
Members []*ProjectMember `json:"-"`
|
||||
Roles []*ProjectRole `json:"-"`
|
||||
Applications []*Application `json:"-"`
|
||||
Grants []*ProjectGrant `json:"-"`
|
||||
Name string `json:"name,omitempty"`
|
||||
ProjectRoleAssertion bool `json:"projectRoleAssertion,omitempty"`
|
||||
ProjectRoleCheck bool `json:"projectRoleCheck,omitempty"`
|
||||
State int32 `json:"-"`
|
||||
Members []*ProjectMember `json:"-"`
|
||||
Roles []*ProjectRole `json:"-"`
|
||||
Applications []*Application `json:"-"`
|
||||
Grants []*ProjectGrant `json:"-"`
|
||||
}
|
||||
|
||||
func GetProject(projects []*Project, id string) (int, *Project) {
|
||||
@@ -35,6 +39,12 @@ func (p *Project) Changes(changed *Project) map[string]interface{} {
|
||||
if changed.Name != "" && p.Name != changed.Name {
|
||||
changes["name"] = changed.Name
|
||||
}
|
||||
if p.ProjectRoleAssertion != changed.ProjectRoleAssertion {
|
||||
changes["projectRoleAssertion"] = changed.ProjectRoleAssertion
|
||||
}
|
||||
if p.ProjectRoleCheck != changed.ProjectRoleCheck {
|
||||
changes["projectRoleCheck"] = changed.ProjectRoleCheck
|
||||
}
|
||||
return changes
|
||||
}
|
||||
|
||||
@@ -44,13 +54,15 @@ func ProjectFromModel(project *model.Project) *Project {
|
||||
apps := AppsFromModel(project.Applications)
|
||||
grants := GrantsFromModel(project.Grants)
|
||||
return &Project{
|
||||
ObjectRoot: project.ObjectRoot,
|
||||
Name: project.Name,
|
||||
State: int32(project.State),
|
||||
Members: members,
|
||||
Roles: roles,
|
||||
Applications: apps,
|
||||
Grants: grants,
|
||||
ObjectRoot: project.ObjectRoot,
|
||||
Name: project.Name,
|
||||
ProjectRoleAssertion: project.ProjectRoleAssertion,
|
||||
ProjectRoleCheck: project.ProjectRoleCheck,
|
||||
State: int32(project.State),
|
||||
Members: members,
|
||||
Roles: roles,
|
||||
Applications: apps,
|
||||
Grants: grants,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -60,13 +72,15 @@ func ProjectToModel(project *Project) *model.Project {
|
||||
apps := AppsToModel(project.Applications)
|
||||
grants := GrantsToModel(project.Grants)
|
||||
return &model.Project{
|
||||
ObjectRoot: project.ObjectRoot,
|
||||
Name: project.Name,
|
||||
State: model.ProjectState(project.State),
|
||||
Members: members,
|
||||
Roles: roles,
|
||||
Applications: apps,
|
||||
Grants: grants,
|
||||
ObjectRoot: project.ObjectRoot,
|
||||
Name: project.Name,
|
||||
ProjectRoleAssertion: project.ProjectRoleAssertion,
|
||||
ProjectRoleCheck: project.ProjectRoleCheck,
|
||||
State: model.ProjectState(project.State),
|
||||
Members: members,
|
||||
Roles: roles,
|
||||
Applications: apps,
|
||||
Grants: grants,
|
||||
}
|
||||
}
|
||||
|
||||
|
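Review bot: In `Project.Changes`, `Name` is only emitted when `changed.Name != ""`, but `ProjectRoleAssertion` and `ProjectRoleCheck` are compared unconditionally, so a `changed` value built by a caller that does not populate these two fields will emit `projectRoleCheck: false` and silently switch the check off; per the commit message ("user grant required step in login") that flag gates login, which makes an accidental reset security-relevant. Whether any caller passes a partially populated `changed` is not visible in this hunk, so at minimum the contract belongs on the method: `// Changes compares every boolean flag unconditionally: callers must pass a fully populated changed value, or an unset ProjectRoleCheck reads as "disable the check".` The two new fields on `Project` would also benefit from a comment stating what each flag controls, since the struct is the persisted event shape and the names alone do not say whether "check" is enforced at login or at token issuance.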