feat: features (#1427)

* features * features * features * fix json tags * add features handler to auth * mocks for tests * add setup step * fixes * add featurelist to auth api * grandfather state and typos * typo * merge new-eventstore * fix login policy tests * label policy in features * audit log retention
2025-08-12 05:07:31 +00:00 · 2021-03-25 17:26:21 +01:00
parent c9b3839f3d
commit a4763b1e4c
97 changed files with 3335 additions and 109 deletions
--- a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
+++ b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
@@ -2,26 +2,26 @@ package eventstore

 import (
 	"context"
-	"github.com/caos/zitadel/internal/domain"
-	"github.com/caos/zitadel/internal/eventstore/v1"
-	es_sdk "github.com/caos/zitadel/internal/eventstore/v1/sdk"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
-	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
-	iam_view "github.com/caos/zitadel/internal/iam/repository/view"
-	"k8s.io/apimachinery/pkg/api/errors"
 	"strings"
 	"time"

-	"github.com/caos/zitadel/internal/eventstore/v1/models"
-	usr_view "github.com/caos/zitadel/internal/user/repository/view"
-
 	"github.com/caos/logging"
+	"k8s.io/apimachinery/pkg/api/errors"

 	"github.com/caos/zitadel/internal/authz/repository/eventsourcing/view"
 	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
 	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v1"
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+	es_sdk "github.com/caos/zitadel/internal/eventstore/v1/sdk"
+	features_view_model "github.com/caos/zitadel/internal/features/repository/view/model"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	iam_view "github.com/caos/zitadel/internal/iam/repository/view"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
 	usr_model "github.com/caos/zitadel/internal/user/model"
+	usr_view "github.com/caos/zitadel/internal/user/repository/view"
 	"github.com/caos/zitadel/internal/user/repository/view/model"
 )

@@ -111,6 +111,68 @@ func (repo *TokenVerifierRepo) ExistsOrg(ctx context.Context, orgID string) erro
 	return err
 }

+func (repo *TokenVerifierRepo) CheckOrgFeatures(ctx context.Context, orgID string, requiredFeatures ...string) error {
+	features, err := repo.View.FeaturesByAggregateID(orgID)
+	if caos_errs.IsNotFound(err) {
+		return repo.checkDefaultFeatures(ctx, requiredFeatures...)
+	}
+	if err != nil {
+		return err
+	}
+	return checkFeatures(features, requiredFeatures...)
+}
+
+func checkFeatures(features *features_view_model.FeaturesView, requiredFeatures ...string) error {
+	for _, requiredFeature := range requiredFeatures {
+		if strings.HasPrefix(requiredFeature, domain.FeatureLoginPolicy) {
+			if err := checkLoginPolicyFeatures(features, requiredFeature); err != nil {
+				return err
+			}
+		}
+		if requiredFeature == domain.FeaturePasswordComplexityPolicy && !features.PasswordComplexityPolicy {
+			return MissingFeatureErr(requiredFeature)
+		}
+		if requiredFeature == domain.FeatureLabelPolicy && !features.PasswordComplexityPolicy {
+			return MissingFeatureErr(requiredFeature)
+		}
+	}
+	return nil
+}
+
+func checkLoginPolicyFeatures(features *features_view_model.FeaturesView, requiredFeature string) error {
+	switch requiredFeature {
+	case domain.FeatureLoginPolicyFactors:
+		if !features.LoginPolicyFactors {
+			return MissingFeatureErr(requiredFeature)
+		}
+	case domain.FeatureLoginPolicyIDP:
+		if !features.LoginPolicyIDP {
+			return MissingFeatureErr(requiredFeature)
+		}
+	case domain.FeatureLoginPolicyPasswordless:
+		if !features.LoginPolicyPasswordless {
+			return MissingFeatureErr(requiredFeature)
+		}
+	case domain.FeatureLoginPolicyRegistration:
+		if !features.LoginPolicyRegistration {
+			return MissingFeatureErr(requiredFeature)
+		}
+	case domain.FeatureLoginPolicyUsernameLogin:
+		if !features.LoginPolicyUsernameLogin {
+			return MissingFeatureErr(requiredFeature)
+		}
+	default:
+		if !features.LoginPolicyFactors && !features.LoginPolicyIDP && !features.LoginPolicyPasswordless && !features.LoginPolicyRegistration && !features.LoginPolicyUsernameLogin {
+			return MissingFeatureErr(requiredFeature)
+		}
+	}
+	return nil
+}
+
+func MissingFeatureErr(feature string) error {
+	return caos_errs.ThrowPermissionDeniedf(nil, "AUTH-Dvgsf", "missing feature %v", feature)
+}
+
 func (repo *TokenVerifierRepo) VerifierClientID(ctx context.Context, appName string) (_ string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
@@ -150,3 +212,36 @@ func (u *TokenVerifierRepo) getIAMByID(ctx context.Context) (*iam_model.IAM, err
 	}
 	return iam_es_model.IAMToModel(iam), nil
 }
+
+func (repo *TokenVerifierRepo) checkDefaultFeatures(ctx context.Context, requiredFeatures ...string) error {
+	features, viewErr := repo.View.FeaturesByAggregateID(domain.IAMID)
+	if viewErr != nil && !errors.IsNotFound(viewErr) {
+		return viewErr
+	}
+	if errors.IsNotFound(viewErr) {
+		features = new(features_view_model.FeaturesView)
+	}
+	events, esErr := repo.getIAMEvents(ctx, features.Sequence)
+	if errors.IsNotFound(viewErr) && len(events) == 0 {
+		return checkFeatures(features, requiredFeatures...)
+	}
+	if esErr != nil {
+		logging.Log("EVENT-PSoc3").WithError(esErr).Debug("error retrieving new events")
+		return esErr
+	}
+	featuresCopy := *features
+	for _, event := range events {
+		if err := featuresCopy.AppendEvent(event); err != nil {
+			return checkFeatures(features, requiredFeatures...)
+		}
+	}
+	return checkFeatures(&featuresCopy, requiredFeatures...)
+}
+
+func (repo *TokenVerifierRepo) getIAMEvents(ctx context.Context, sequence uint64) ([]*models.Event, error) {
+	query, err := iam_view.IAMByIDQuery(domain.IAMID, sequence)
+	if err != nil {
+		return nil, err
+	}
+	return repo.Eventstore.FilterEvents(ctx, query)
+}
--- a/internal/authz/repository/eventsourcing/handler/features.go
+++ b/internal/authz/repository/eventsourcing/handler/features.go
@@ -0,0 +1,165 @@
+package handler
+
+import (
+	"context"
+
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/domain"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v1"
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+	"github.com/caos/zitadel/internal/eventstore/v1/query"
+	"github.com/caos/zitadel/internal/eventstore/v1/spooler"
+	"github.com/caos/zitadel/internal/features/repository/view/model"
+	"github.com/caos/zitadel/internal/iam/repository/eventsourcing"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+	iam_repo "github.com/caos/zitadel/internal/repository/iam"
+	org_repo "github.com/caos/zitadel/internal/repository/org"
+)
+
+const (
+	featuresTable = "authz.features"
+)
+
+type Features struct {
+	handler
+	subscription *v1.Subscription
+}
+
+func newFeatures(handler handler) *Features {
+	h := &Features{
+		handler: handler,
+	}
+
+	h.subscribe()
+
+	return h
+}
+
+func (p *Features) subscribe() {
+	p.subscription = p.es.Subscribe(p.AggregateTypes()...)
+	go func() {
+		for event := range p.subscription.Events {
+			query.ReduceEvent(p, event)
+		}
+	}()
+}
+
+func (p *Features) ViewModel() string {
+	return featuresTable
+}
+
+func (p *Features) AggregateTypes() []es_models.AggregateType {
+	return []es_models.AggregateType{iam_es_model.IAMAggregate, org_es_model.OrgAggregate}
+}
+
+func (p *Features) EventQuery() (*es_models.SearchQuery, error) {
+	sequence, err := p.view.GetLatestFeaturesSequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(p.AggregateTypes()...).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (p *Features) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestFeaturesSequence()
+	if err != nil {
+		return 0, err
+	}
+	return sequence.CurrentSequence, nil
+}
+
+func (p *Features) Reduce(event *es_models.Event) (err error) {
+	switch event.AggregateType {
+	case org_es_model.OrgAggregate, iam_es_model.IAMAggregate:
+		err = p.processFeatures(event)
+	}
+	return err
+}
+
+func (p *Features) processFeatures(event *es_models.Event) (err error) {
+	features := new(model.FeaturesView)
+	switch string(event.Type) {
+	case string(org_es_model.OrgAdded):
+		features, err = p.getDefaultFeatures()
+		if err != nil {
+			return err
+		}
+		features.AggregateID = event.AggregateID
+		features.Default = true
+	case string(iam_repo.FeaturesSetEventType):
+		defaultFeatures, err := p.view.AllDefaultFeatures()
+		if err != nil {
+			return err
+		}
+		for _, features := range defaultFeatures {
+			err = features.AppendEvent(event)
+			if err != nil {
+				return err
+			}
+		}
+		return p.view.PutFeaturesList(defaultFeatures, event)
+	case string(org_repo.FeaturesSetEventType):
+		features, err = p.view.FeaturesByAggregateID(event.AggregateID)
+		if err != nil {
+			return err
+		}
+		err = features.AppendEvent(event)
+	case string(org_repo.FeaturesRemovedEventType):
+		features, err = p.getDefaultFeatures()
+		if err != nil {
+			return err
+		}
+		features.AggregateID = event.AggregateID
+		features.Default = true
+	default:
+		return p.view.ProcessedFeaturesSequence(event)
+	}
+	if err != nil {
+		return err
+	}
+	return p.view.PutFeatures(features, event)
+}
+
+func (p *Features) OnError(event *es_models.Event, err error) error {
+	logging.LogWithFields("SPOOL-Wj8sf", "id", event.AggregateID).WithError(err).Warn("something went wrong in login features handler")
+	return spooler.HandleError(event, err, p.view.GetLatestFeaturesFailedEvent, p.view.ProcessedFeaturesFailedEvent, p.view.ProcessedFeaturesSequence, p.errorCountUntilSkip)
+}
+
+func (p *Features) OnSuccess() error {
+	return spooler.HandleSuccess(p.view.UpdateFeaturesSpoolerRunTimestamp)
+}
+
+func (p *Features) getDefaultFeatures() (*model.FeaturesView, error) {
+	features, featuresErr := p.view.FeaturesByAggregateID(domain.IAMID)
+	if featuresErr != nil && !caos_errs.IsNotFound(featuresErr) {
+		return nil, featuresErr
+	}
+	if features == nil {
+		features = &model.FeaturesView{}
+	}
+	events, err := p.getIAMEvents(features.Sequence)
+	if err != nil {
+		return features, featuresErr
+	}
+	featuresCopy := *features
+	for _, event := range events {
+		if err := featuresCopy.AppendEvent(event); err != nil {
+			return features, nil
+		}
+	}
+	return &featuresCopy, nil
+}
+
+func (p *Features) getIAMEvents(sequence uint64) ([]*es_models.Event, error) {
+	query, err := eventsourcing.IAMByIDQuery(domain.IAMID, sequence)
+	if err != nil {
+		return nil, err
+	}
+
+	return p.es.FilterEvents(context.Background(), query)
+}
--- a/internal/authz/repository/eventsourcing/handler/handler.go
+++ b/internal/authz/repository/eventsourcing/handler/handler.go
@@ -1,9 +1,10 @@
 package handler

 import (
-	"github.com/caos/zitadel/internal/eventstore/v1"
 	"time"

+	"github.com/caos/zitadel/internal/eventstore/v1"
+
 	"github.com/caos/zitadel/internal/authz/repository/eventsourcing/view"
 	sd "github.com/caos/zitadel/internal/config/systemdefaults"
 	"github.com/caos/zitadel/internal/config/types"
@@ -40,6 +41,8 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es
 			handler{view, bulkLimit, configs.cycleDuration("Application"), errorCount, es}),
 		newOrg(
 			handler{view, bulkLimit, configs.cycleDuration("Org"), errorCount, es}),
+		newFeatures(
+			handler{view, bulkLimit, configs.cycleDuration("Features"), errorCount, es}),
 	}
 }

--- a/internal/authz/repository/eventsourcing/view/features.go
+++ b/internal/authz/repository/eventsourcing/view/features.go
@@ -0,0 +1,56 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+	"github.com/caos/zitadel/internal/features/repository/view"
+	"github.com/caos/zitadel/internal/features/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	featuresTable = "authz.features"
+)
+
+func (v *View) AllDefaultFeatures() ([]*model.FeaturesView, error) {
+	return view.GetDefaultFeatures(v.Db, featuresTable)
+}
+
+func (v *View) FeaturesByAggregateID(aggregateID string) (*model.FeaturesView, error) {
+	return view.GetFeaturesByAggregateID(v.Db, featuresTable, aggregateID)
+}
+
+func (v *View) PutFeatures(features *model.FeaturesView, event *models.Event) error {
+	err := view.PutFeatures(v.Db, featuresTable, features)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedFeaturesSequence(event)
+}
+
+func (v *View) PutFeaturesList(features []*model.FeaturesView, event *models.Event) error {
+	err := view.PutFeaturesList(v.Db, featuresTable, features...)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedFeaturesSequence(event)
+}
+
+func (v *View) GetLatestFeaturesSequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(featuresTable)
+}
+
+func (v *View) ProcessedFeaturesSequence(event *models.Event) error {
+	return v.saveCurrentSequence(featuresTable, event)
+}
+
+func (v *View) UpdateFeaturesSpoolerRunTimestamp() error {
+	return v.updateSpoolerRunSequence(featuresTable)
+}
+
+func (v *View) GetLatestFeaturesFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(featuresTable, sequence)
+}
+
+func (v *View) ProcessedFeaturesFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}