mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-12 11:04:25 +00:00
fix: restrict AllowRegistration check to local registration (#5939)
* fix: restrict AllowRegistration check to local registration
* add comment
* add additional tests
* hide registration fields if no registration allowed
* fix: always allow linking and creation of external idps on users in userV2 and admin import
* chore: exclude console dist and node_module folders from cache
* chore: include node_module folders into cache again
* linting
(cherry picked from commit 66772ad0dd)
This commit is contained in:
Livio Spring
parent
85194666ff
commit
a628f2222e
@ -623,10 +623,9 @@ func (s *Server) importData(ctx context.Context, orgs []*admin_pb.DataOrg) (*adm
|
||||
if org.UserLinks != nil {
|
||||
for _, userLinks := range org.GetUserLinks() {
|
||||
logging.Debugf("import userlink: %s", userLinks.GetUserId()+"_"+userLinks.GetIdpId()+"_"+userLinks.GetProvidedUserId()+"_"+userLinks.GetProvidedUserName())
|
||||
externalIDP := &domain.UserIDPLink{
|
||||
ObjectRoot: models.ObjectRoot{AggregateID: userLinks.UserId},
|
||||
IDPConfigID: userLinks.IdpId,
|
||||
ExternalUserID: userLinks.ProvidedUserId,
|
||||
externalIDP := &command.AddLink{
|
||||
IDPID: userLinks.IdpId,
|
||||
IDPExternalID: userLinks.ProvidedUserId,
|
||||
DisplayName: userLinks.ProvidedUserName,
|
||||
}
|
||||
if _, err := s.command.AddUserIDPLink(ctx, userLinks.UserId, org.GetOrgId(), externalIDP); err != nil {
|
||||
|
||||
@ -116,10 +116,10 @@ func genderToDomain(gender user.Gender) domain.Gender {
|
||||
|
||||
func (s *Server) AddIDPLink(ctx context.Context, req *user.AddIDPLinkRequest) (_ *user.AddIDPLinkResponse, err error) {
|
||||
orgID := authz.GetCtxData(ctx).OrgID
|
||||
details, err := s.command.AddUserIDPLink(ctx, req.UserId, orgID, &domain.UserIDPLink{
|
||||
IDPConfigID: req.GetIdpLink().GetIdpId(),
|
||||
ExternalUserID: req.GetIdpLink().GetUserId(),
|
||||
details, err := s.command.AddUserIDPLink(ctx, req.UserId, orgID, &command.AddLink{
|
||||
IDPID: req.GetIdpLink().GetIdpId(),
|
||||
DisplayName: req.GetIdpLink().GetUserName(),
|
||||
IDPExternalID: req.GetIdpLink().GetUserId(),
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
||||
@ -66,6 +66,7 @@ type externalNotFoundOptionData struct {
|
||||
ExternalEmailVerified bool
|
||||
ExternalPhone domain.PhoneNumber
|
||||
ExternalPhoneVerified bool
|
||||
ProviderName string
|
||||
}
|
||||
|
||||
type externalRegisterFormData struct {
|
||||
@ -503,6 +504,7 @@ func (l *Login) renderExternalNotFoundOption(w http.ResponseWriter, r *http.Requ
|
||||
ShowUsername: orgIAMPolicy.UserLoginMustBeDomain,
|
||||
ShowUsernameSuffix: !labelPolicy.HideLoginNameSuffix,
|
||||
OrgRegister: orgIAMPolicy.UserLoginMustBeDomain,
|
||||
ProviderName: domain.IDPName(idpTemplate.Name, idpTemplate.Type),
|
||||
}
|
||||
if human.Phone != nil {
|
||||
data.Phone = human.PhoneNumber
|
||||
|
||||
@ -1,8 +1,11 @@
|
||||
{{template "main-top" .}}
|
||||
|
||||
<div class="lgn-head">
|
||||
<h1>{{t "ExternalNotFound.Title"}}</h1>
|
||||
<h1>{{.ProviderName}} - {{t "ExternalNotFound.Title"}}</h1>
|
||||
|
||||
{{ if or .IsLinkingAllowed .IsCreationAllowed }}
|
||||
<p>{{t "ExternalNotFound.Description"}}</p>
|
||||
{{ end }}
|
||||
|
||||
</div>
|
||||
|
||||
@ -21,6 +24,7 @@
|
||||
<input type="hidden" id="external-phone-verified" name="external-phone-verified" value="{{ .ExternalPhoneVerified }}" />
|
||||
|
||||
<div class="lgn-register">
|
||||
{{ if or .IsCreationAllowed }}
|
||||
<div class="double-col">
|
||||
<div class="lgn-field">
|
||||
<label class="lgn-label" for="firstname">{{t "ExternalRegistrationUserOverview.FirstnameLabel"}}</label>
|
||||
@ -85,8 +89,9 @@
|
||||
</select>
|
||||
</div>
|
||||
</div>
|
||||
{{end}}
|
||||
|
||||
{{ if or .TOSLink .PrivacyLink }}
|
||||
{{ if and (or .IsLinkingAllowed .IsCreationAllowed) (or .TOSLink .PrivacyLink) }}
|
||||
<div class="lgn-field">
|
||||
<label class="lgn-label">{{t "ExternalNotFound.TosAndPrivacyLabel"}}</label>
|
||||
{{ if .TOSLink }}
|
||||
|
||||
@ -189,6 +189,10 @@ func (wm *OAuthIDPWriteModel) ToProvider(callbackURL string, idpAlg crypto.Encry
|
||||
)
|
||||
}
|
||||
|
||||
func (wm *OAuthIDPWriteModel) GetProviderOptions() idp.Options {
|
||||
return wm.Options
|
||||
}
|
||||
|
||||
type OIDCIDPWriteModel struct {
|
||||
eventstore.WriteModel
|
||||
|
||||
@ -310,7 +314,10 @@ func (wm *OIDCIDPWriteModel) NewChanges(
|
||||
// reduceIDPConfigAddedEvent handles old idpConfig events
|
||||
func (wm *OIDCIDPWriteModel) reduceIDPConfigAddedEvent(e *idpconfig.IDPConfigAddedEvent) {
|
||||
wm.Name = e.Name
|
||||
wm.Options.IsCreationAllowed = true
|
||||
wm.Options.IsLinkingAllowed = true
|
||||
wm.Options.IsAutoCreation = e.AutoRegister
|
||||
wm.Options.IsAutoUpdate = false
|
||||
wm.State = domain.IDPStateActive
|
||||
}
|
||||
|
||||
@ -382,6 +389,10 @@ func (wm *OIDCIDPWriteModel) ToProvider(callbackURL string, idpAlg crypto.Encryp
|
||||
)
|
||||
}
|
||||
|
||||
func (wm *OIDCIDPWriteModel) GetProviderOptions() idp.Options {
|
||||
return wm.Options
|
||||
}
|
||||
|
||||
type JWTIDPWriteModel struct {
|
||||
eventstore.WriteModel
|
||||
|
||||
@ -483,7 +494,10 @@ func (wm *JWTIDPWriteModel) NewChanges(
|
||||
// reduceIDPConfigAddedEvent handles old idpConfig events
|
||||
func (wm *JWTIDPWriteModel) reduceIDPConfigAddedEvent(e *idpconfig.IDPConfigAddedEvent) {
|
||||
wm.Name = e.Name
|
||||
wm.Options.IsCreationAllowed = true
|
||||
wm.Options.IsLinkingAllowed = true
|
||||
wm.Options.IsAutoCreation = e.AutoRegister
|
||||
wm.Options.IsAutoUpdate = false
|
||||
wm.State = domain.IDPStateActive
|
||||
}
|
||||
|
||||
@ -546,6 +560,10 @@ func (wm *JWTIDPWriteModel) ToProvider(callbackURL string, idpAlg crypto.Encrypt
|
||||
)
|
||||
}
|
||||
|
||||
func (wm *JWTIDPWriteModel) GetProviderOptions() idp.Options {
|
||||
return wm.Options
|
||||
}
|
||||
|
||||
type AzureADIDPWriteModel struct {
|
||||
eventstore.WriteModel
|
||||
|
||||
@ -690,6 +708,10 @@ func (wm *AzureADIDPWriteModel) ToProvider(callbackURL string, idpAlg crypto.Enc
|
||||
)
|
||||
}
|
||||
|
||||
func (wm *AzureADIDPWriteModel) GetProviderOptions() idp.Options {
|
||||
return wm.Options
|
||||
}
|
||||
|
||||
type GitHubIDPWriteModel struct {
|
||||
eventstore.WriteModel
|
||||
|
||||
@ -803,6 +825,10 @@ func (wm *GitHubIDPWriteModel) ToProvider(callbackURL string, idpAlg crypto.Encr
|
||||
)
|
||||
}
|
||||
|
||||
func (wm *GitHubIDPWriteModel) GetProviderOptions() idp.Options {
|
||||
return wm.Options
|
||||
}
|
||||
|
||||
type GitHubEnterpriseIDPWriteModel struct {
|
||||
eventstore.WriteModel
|
||||
|
||||
@ -947,6 +973,10 @@ func (wm *GitHubEnterpriseIDPWriteModel) ToProvider(callbackURL string, idpAlg c
|
||||
)
|
||||
}
|
||||
|
||||
func (wm *GitHubEnterpriseIDPWriteModel) GetProviderOptions() idp.Options {
|
||||
return wm.Options
|
||||
}
|
||||
|
||||
type GitLabIDPWriteModel struct {
|
||||
eventstore.WriteModel
|
||||
|
||||
@ -1061,6 +1091,10 @@ func (wm *GitLabIDPWriteModel) ToProvider(callbackURL string, idpAlg crypto.Encr
|
||||
)
|
||||
}
|
||||
|
||||
func (wm *GitLabIDPWriteModel) GetProviderOptions() idp.Options {
|
||||
return wm.Options
|
||||
}
|
||||
|
||||
type GitLabSelfHostedIDPWriteModel struct {
|
||||
eventstore.WriteModel
|
||||
|
||||
@ -1185,6 +1219,10 @@ func (wm *GitLabSelfHostedIDPWriteModel) ToProvider(callbackURL string, idpAlg c
|
||||
)
|
||||
}
|
||||
|
||||
func (wm *GitLabSelfHostedIDPWriteModel) GetProviderOptions() idp.Options {
|
||||
return wm.Options
|
||||
}
|
||||
|
||||
type GoogleIDPWriteModel struct {
|
||||
eventstore.WriteModel
|
||||
|
||||
@ -1306,6 +1344,10 @@ func (wm *GoogleIDPWriteModel) ToProvider(callbackURL string, idpAlg crypto.Encr
|
||||
)
|
||||
}
|
||||
|
||||
func (wm *GoogleIDPWriteModel) GetProviderOptions() idp.Options {
|
||||
return wm.Options
|
||||
}
|
||||
|
||||
type LDAPIDPWriteModel struct {
|
||||
eventstore.WriteModel
|
||||
|
||||
@ -1541,6 +1583,10 @@ func (wm *LDAPIDPWriteModel) ToProvider(callbackURL string, idpAlg crypto.Encryp
|
||||
), nil
|
||||
}
|
||||
|
||||
func (wm *LDAPIDPWriteModel) GetProviderOptions() idp.Options {
|
||||
return wm.Options
|
||||
}
|
||||
|
||||
type IDPRemoveWriteModel struct {
|
||||
eventstore.WriteModel
|
||||
|
||||
@ -1771,6 +1817,7 @@ func (wm *IDPTypeWriteModel) Query() *eventstore.SearchQueryBuilder {
|
||||
type IDP interface {
|
||||
eventstore.QueryReducer
|
||||
ToProvider(string, crypto.EncryptionAlgorithm) (providers.Provider, error)
|
||||
GetProviderOptions() idp.Options
|
||||
}
|
||||
|
||||
type AllIDPWriteModel struct {
|
||||
@ -1863,3 +1910,7 @@ func (wm *AllIDPWriteModel) AppendEvents(events ...eventstore.Event) {
|
||||
func (wm *AllIDPWriteModel) ToProvider(callbackURL string, idpAlg crypto.EncryptionAlgorithm) (providers.Provider, error) {
|
||||
return wm.model.ToProvider(callbackURL, idpAlg)
|
||||
}
|
||||
|
||||
func (wm *AllIDPWriteModel) GetProviderOptions() idp.Options {
|
||||
return wm.model.GetProviderOptions()
|
||||
}
|
||||
|
||||
@ -475,7 +475,8 @@ func (c *Commands) RegisterHuman(ctx context.Context, orgID string, human *domai
|
||||
if err != nil {
|
||||
return nil, errors.ThrowPreconditionFailed(err, "COMMAND-Dfg3g", "Errors.Org.LoginPolicy.NotFound")
|
||||
}
|
||||
if !loginPolicy.AllowRegister {
|
||||
// check only if local registration is allowed, the idp will be checked separately
|
||||
if !loginPolicy.AllowRegister && link == nil {
|
||||
return nil, errors.ThrowPreconditionFailed(err, "COMMAND-SAbr3", "Errors.Org.LoginPolicy.RegistrationNotAllowed")
|
||||
}
|
||||
userEvents, registeredHuman, err := c.registerHuman(ctx, orgID, human, link, domainPolicy, pwPolicy, initCodeGenerator, emailCodeGenerator, phoneCodeGenerator)
|
||||
@ -605,7 +606,7 @@ func (c *Commands) createHuman(ctx context.Context, orgID string, human *domain.
|
||||
}
|
||||
|
||||
for _, link := range links {
|
||||
event, err := c.addUserIDPLink(ctx, userAgg, link)
|
||||
event, err := c.addUserIDPLink(ctx, userAgg, link, false)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
@ -20,6 +20,7 @@ import (
|
||||
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
||||
"github.com/zitadel/zitadel/internal/id"
|
||||
id_mock "github.com/zitadel/zitadel/internal/id/mock"
|
||||
"github.com/zitadel/zitadel/internal/repository/idp"
|
||||
"github.com/zitadel/zitadel/internal/repository/org"
|
||||
"github.com/zitadel/zitadel/internal/repository/user"
|
||||
)
|
||||
@ -2000,6 +2001,31 @@ func TestCommandSide_ImportHuman(t *testing.T) {
|
||||
),
|
||||
),
|
||||
),
|
||||
expectFilter(
|
||||
eventFromEventPusher(
|
||||
org.NewIDPConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"idpID",
|
||||
"name",
|
||||
domain.IDPConfigTypeOIDC,
|
||||
domain.IDPConfigStylingTypeUnspecified,
|
||||
false,
|
||||
),
|
||||
),
|
||||
eventFromEventPusher(
|
||||
org.NewIDPOIDCConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"clientID",
|
||||
"idpID",
|
||||
"issuer",
|
||||
"authEndpoint",
|
||||
"tokenEndpoint",
|
||||
nil,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
),
|
||||
),
|
||||
),
|
||||
expectFilter(
|
||||
eventFromEventPusher(
|
||||
org.NewIDPConfigAddedEvent(context.Background(),
|
||||
@ -2102,6 +2128,146 @@ func TestCommandSide_ImportHuman(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "add human (with idp, creation not allowed), precondition error",
|
||||
fields: fields{
|
||||
eventstore: eventstoreExpect(
|
||||
t,
|
||||
expectFilter(
|
||||
eventFromEventPusher(
|
||||
org.NewDomainPolicyAddedEvent(context.Background(),
|
||||
&user.NewAggregate("user1", "org1").Aggregate,
|
||||
true,
|
||||
true,
|
||||
true,
|
||||
),
|
||||
),
|
||||
),
|
||||
expectFilter(
|
||||
eventFromEventPusher(
|
||||
org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
|
||||
&user.NewAggregate("user1", "org1").Aggregate,
|
||||
1,
|
||||
false,
|
||||
false,
|
||||
false,
|
||||
false,
|
||||
),
|
||||
),
|
||||
),
|
||||
expectFilter(
|
||||
eventFromEventPusher(
|
||||
org.NewIDPConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"idpID",
|
||||
"name",
|
||||
domain.IDPConfigTypeOIDC,
|
||||
domain.IDPConfigStylingTypeUnspecified,
|
||||
false,
|
||||
),
|
||||
),
|
||||
eventFromEventPusher(
|
||||
org.NewIDPOIDCConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"clientID",
|
||||
"idpID",
|
||||
"issuer",
|
||||
"authEndpoint",
|
||||
"tokenEndpoint",
|
||||
nil,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
),
|
||||
),
|
||||
eventFromEventPusher(
|
||||
func() eventstore.Command {
|
||||
e, _ := org.NewOIDCIDPChangedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"config1",
|
||||
[]idp.OIDCIDPChanges{
|
||||
idp.ChangeOIDCOptions(idp.OptionChanges{IsCreationAllowed: gu.Ptr(false)}),
|
||||
},
|
||||
)
|
||||
return e
|
||||
}(),
|
||||
),
|
||||
),
|
||||
expectFilter(
|
||||
eventFromEventPusher(
|
||||
org.NewIDPConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"idpID",
|
||||
"name",
|
||||
domain.IDPConfigTypeOIDC,
|
||||
domain.IDPConfigStylingTypeUnspecified,
|
||||
false,
|
||||
),
|
||||
),
|
||||
eventFromEventPusher(
|
||||
org.NewIDPOIDCConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"clientID",
|
||||
"idpID",
|
||||
"issuer",
|
||||
"authEndpoint",
|
||||
"tokenEndpoint",
|
||||
nil,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
),
|
||||
),
|
||||
eventFromEventPusher(
|
||||
func() eventstore.Command {
|
||||
e, _ := org.NewOIDCIDPChangedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"config1",
|
||||
[]idp.OIDCIDPChanges{
|
||||
idp.ChangeOIDCOptions(idp.OptionChanges{IsCreationAllowed: gu.Ptr(false)}),
|
||||
},
|
||||
)
|
||||
return e
|
||||
}(),
|
||||
),
|
||||
eventFromEventPusher(
|
||||
org.NewIdentityProviderAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"idpID",
|
||||
domain.IdentityProviderTypeOrg,
|
||||
),
|
||||
),
|
||||
),
|
||||
),
|
||||
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
|
||||
userPasswordHasher: mockPasswordHasher("x"),
|
||||
},
|
||||
args: args{
|
||||
ctx: context.Background(),
|
||||
orgID: "org1",
|
||||
human: &domain.Human{
|
||||
Username: "username",
|
||||
Profile: &domain.Profile{
|
||||
FirstName: "firstname",
|
||||
LastName: "lastname",
|
||||
PreferredLanguage: language.English,
|
||||
},
|
||||
Email: &domain.Email{
|
||||
EmailAddress: "email@test.ch",
|
||||
IsEmailVerified: true,
|
||||
},
|
||||
},
|
||||
links: []*domain.UserIDPLink{
|
||||
{
|
||||
IDPConfigID: "idpID",
|
||||
ExternalUserID: "externalID",
|
||||
DisplayName: "name",
|
||||
},
|
||||
},
|
||||
secretGenerator: GetMockSecretGenerator(t),
|
||||
},
|
||||
res: res{
|
||||
err: caos_errs.IsPreconditionFailed,
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
@ -3333,6 +3499,31 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
|
||||
),
|
||||
),
|
||||
),
|
||||
expectFilter(
|
||||
eventFromEventPusher(
|
||||
org.NewIDPConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"idpID",
|
||||
"name",
|
||||
domain.IDPConfigTypeOIDC,
|
||||
domain.IDPConfigStylingTypeUnspecified,
|
||||
false,
|
||||
),
|
||||
),
|
||||
eventFromEventPusher(
|
||||
org.NewIDPOIDCConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"clientID",
|
||||
"idpID",
|
||||
"issuer",
|
||||
"authEndpoint",
|
||||
"tokenEndpoint",
|
||||
nil,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
),
|
||||
),
|
||||
),
|
||||
expectPush(
|
||||
[]*repository.Event{
|
||||
eventFromEventPusher(
|
||||
|
||||
@ -11,7 +11,7 @@ import (
|
||||
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
||||
)
|
||||
|
||||
func (c *Commands) AddUserIDPLink(ctx context.Context, userID, resourceOwner string, link *domain.UserIDPLink) (_ *domain.ObjectDetails, err error) {
|
||||
func (c *Commands) AddUserIDPLink(ctx context.Context, userID, resourceOwner string, link *AddLink) (_ *domain.ObjectDetails, err error) {
|
||||
if userID == "" {
|
||||
return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-03j8f", "Errors.IDMissing")
|
||||
}
|
||||
@ -23,11 +23,7 @@ func (c *Commands) AddUserIDPLink(ctx context.Context, userID, resourceOwner str
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
linkWriteModel := NewUserIDPLinkWriteModel(userID, link.IDPConfigID, link.ExternalUserID, resourceOwner)
|
||||
userAgg := UserAggregateFromWriteModel(&linkWriteModel.WriteModel)
|
||||
|
||||
event, err := c.addUserIDPLink(ctx, userAgg, link)
|
||||
event, err := addLink(ctx, c.eventstore.Filter, user.NewAggregate(userID, resourceOwner), link)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -60,7 +56,7 @@ func (c *Commands) BulkAddedUserIDPLinks(ctx context.Context, userID, resourceOw
|
||||
linkWriteModel := NewUserIDPLinkWriteModel(userID, link.IDPConfigID, link.ExternalUserID, resourceOwner)
|
||||
userAgg := UserAggregateFromWriteModel(&linkWriteModel.WriteModel)
|
||||
|
||||
events[i], err = c.addUserIDPLink(ctx, userAgg, link)
|
||||
events[i], err = c.addUserIDPLink(ctx, userAgg, link, true)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -70,18 +66,25 @@ func (c *Commands) BulkAddedUserIDPLinks(ctx context.Context, userID, resourceOw
|
||||
return err
|
||||
}
|
||||
|
||||
func (c *Commands) addUserIDPLink(ctx context.Context, human *eventstore.Aggregate, link *domain.UserIDPLink) (eventstore.Command, error) {
|
||||
func (c *Commands) addUserIDPLink(ctx context.Context, human *eventstore.Aggregate, link *domain.UserIDPLink, linkToExistingUser bool) (eventstore.Command, error) {
|
||||
if link.AggregateID != "" && human.ID != link.AggregateID {
|
||||
return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-33M0g", "Errors.IDMissing")
|
||||
}
|
||||
if !link.IsValid() {
|
||||
return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-6m9Kd", "Errors.User.ExternalIDP.Invalid")
|
||||
}
|
||||
|
||||
exists, err := ExistsIDP(ctx, c.eventstore.Filter, link.IDPConfigID, human.ResourceOwner)
|
||||
if !exists || err != nil {
|
||||
idpWriteModel, err := IDPProviderWriteModel(ctx, c.eventstore.Filter, link.IDPConfigID)
|
||||
if err != nil {
|
||||
return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-39nfs", "Errors.IDPConfig.NotExisting")
|
||||
}
|
||||
// IDP user will either be linked or created on a new user
|
||||
// Therefore we need to either check if linking is allowed or creation:
|
||||
if linkToExistingUser && !idpWriteModel.GetProviderOptions().IsLinkingAllowed {
|
||||
return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-Sfee2", "Errors.ExternalIDP.LinkingNotAllowed")
|
||||
}
|
||||
if !linkToExistingUser && !idpWriteModel.GetProviderOptions().IsCreationAllowed {
|
||||
return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-SJI3g", "Errors.ExternalIDP.CreationNotAllowed")
|
||||
}
|
||||
return user.NewUserIDPLinkAddedEvent(ctx, human, link.IDPConfigID, link.DisplayName, link.ExternalUserID), nil
|
||||
|
||||
}
|
||||
|
||||
@ -4,6 +4,7 @@ import (
|
||||
"context"
|
||||
"testing"
|
||||
|
||||
"github.com/muhlemmer/gu"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"golang.org/x/text/language"
|
||||
|
||||
@ -12,6 +13,7 @@ import (
|
||||
"github.com/zitadel/zitadel/internal/eventstore"
|
||||
"github.com/zitadel/zitadel/internal/eventstore/repository"
|
||||
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
||||
"github.com/zitadel/zitadel/internal/repository/idp"
|
||||
"github.com/zitadel/zitadel/internal/repository/instance"
|
||||
"github.com/zitadel/zitadel/internal/repository/org"
|
||||
"github.com/zitadel/zitadel/internal/repository/user"
|
||||
@ -28,7 +30,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
|
||||
links []*domain.UserIDPLink
|
||||
}
|
||||
type res struct {
|
||||
err func(error) bool
|
||||
err error
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
@ -55,7 +57,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
|
||||
resourceOwner: "org1",
|
||||
},
|
||||
res: res{
|
||||
err: caos_errs.IsErrorInvalidArgument,
|
||||
err: caos_errs.ThrowInvalidArgument(nil, "COMMAND-03j8f", "Errors.IDMissing"),
|
||||
},
|
||||
},
|
||||
{
|
||||
@ -71,7 +73,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
|
||||
resourceOwner: "org1",
|
||||
},
|
||||
res: res{
|
||||
err: caos_errs.IsErrorInvalidArgument,
|
||||
err: caos_errs.ThrowInvalidArgument(nil, "COMMAND-Ek9s", "Errors.User.ExternalIDP.MinimumExternalIDPNeeded"),
|
||||
},
|
||||
},
|
||||
{
|
||||
@ -113,7 +115,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
|
||||
},
|
||||
},
|
||||
res: res{
|
||||
err: caos_errs.IsErrorInvalidArgument,
|
||||
err: caos_errs.ThrowInvalidArgument(nil, "COMMAND-33M0g", "Errors.IDMissing"),
|
||||
},
|
||||
},
|
||||
{
|
||||
@ -155,7 +157,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
|
||||
},
|
||||
},
|
||||
res: res{
|
||||
err: caos_errs.IsErrorInvalidArgument,
|
||||
err: caos_errs.ThrowInvalidArgument(nil, "COMMAND-6m9Kd", "Errors.User.ExternalIDP.Invalid"),
|
||||
},
|
||||
},
|
||||
{
|
||||
@ -181,7 +183,6 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
|
||||
),
|
||||
),
|
||||
expectFilter(),
|
||||
expectFilter(),
|
||||
),
|
||||
},
|
||||
args: args{
|
||||
@ -199,7 +200,112 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
|
||||
},
|
||||
},
|
||||
res: res{
|
||||
err: caos_errs.IsPreconditionFailed,
|
||||
err: caos_errs.ThrowPreconditionFailed(nil, "COMMAND-as02jin", "Errors.IDPConfig.NotExisting"),
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "linking not allowed, precondition error",
|
||||
fields: fields{
|
||||
eventstore: eventstoreExpect(
|
||||
t,
|
||||
expectFilter(
|
||||
eventFromEventPusher(
|
||||
user.NewHumanAddedEvent(
|
||||
context.Background(),
|
||||
&user.NewAggregate("user1", "org1").Aggregate,
|
||||
"userName",
|
||||
"firstName",
|
||||
"lastName",
|
||||
"nickName",
|
||||
"displayName",
|
||||
language.German,
|
||||
domain.GenderFemale,
|
||||
"email@Address.ch",
|
||||
false,
|
||||
),
|
||||
),
|
||||
),
|
||||
expectFilter(
|
||||
eventFromEventPusher(
|
||||
org.NewIDPConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"config1",
|
||||
"name",
|
||||
domain.IDPConfigTypeOIDC,
|
||||
domain.IDPConfigStylingTypeUnspecified,
|
||||
true,
|
||||
),
|
||||
),
|
||||
eventFromEventPusher(
|
||||
org.NewIDPOIDCConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"clientID",
|
||||
"config1",
|
||||
"issuer",
|
||||
"authEndpoint",
|
||||
"tokenEndpoint",
|
||||
nil,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
),
|
||||
),
|
||||
),
|
||||
expectFilter(
|
||||
eventFromEventPusher(
|
||||
org.NewIDPConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"config1",
|
||||
"name",
|
||||
domain.IDPConfigTypeOIDC,
|
||||
domain.IDPConfigStylingTypeUnspecified,
|
||||
true,
|
||||
),
|
||||
),
|
||||
eventFromEventPusher(
|
||||
org.NewIDPOIDCConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"clientID",
|
||||
"config1",
|
||||
"issuer",
|
||||
"authEndpoint",
|
||||
"tokenEndpoint",
|
||||
nil,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
),
|
||||
),
|
||||
eventFromEventPusher(
|
||||
func() eventstore.Command {
|
||||
e, _ := org.NewOIDCIDPChangedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"config1",
|
||||
[]idp.OIDCIDPChanges{
|
||||
idp.ChangeOIDCOptions(idp.OptionChanges{IsLinkingAllowed: gu.Ptr(false)}),
|
||||
},
|
||||
)
|
||||
return e
|
||||
}(),
|
||||
),
|
||||
),
|
||||
),
|
||||
},
|
||||
args: args{
|
||||
ctx: context.Background(),
|
||||
userID: "user1",
|
||||
resourceOwner: "org1",
|
||||
links: []*domain.UserIDPLink{
|
||||
{
|
||||
ObjectRoot: models.ObjectRoot{
|
||||
AggregateID: "user1",
|
||||
},
|
||||
IDPConfigID: "config1",
|
||||
DisplayName: "name",
|
||||
ExternalUserID: "externaluser1",
|
||||
},
|
||||
},
|
||||
},
|
||||
res: res{
|
||||
err: caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Sfee2", "Errors.ExternalIDP.LinkingNotAllowed"),
|
||||
},
|
||||
},
|
||||
{
|
||||
@ -235,6 +341,44 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
|
||||
true,
|
||||
),
|
||||
),
|
||||
eventFromEventPusher(
|
||||
org.NewIDPOIDCConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"clientID",
|
||||
"config1",
|
||||
"issuer",
|
||||
"authEndpoint",
|
||||
"tokenEndpoint",
|
||||
nil,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
),
|
||||
),
|
||||
),
|
||||
expectFilter(
|
||||
eventFromEventPusher(
|
||||
org.NewIDPConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"config1",
|
||||
"name",
|
||||
domain.IDPConfigTypeOIDC,
|
||||
domain.IDPConfigStylingTypeUnspecified,
|
||||
true,
|
||||
),
|
||||
),
|
||||
eventFromEventPusher(
|
||||
org.NewIDPOIDCConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
"clientID",
|
||||
"config1",
|
||||
"issuer",
|
||||
"authEndpoint",
|
||||
"tokenEndpoint",
|
||||
nil,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
),
|
||||
),
|
||||
),
|
||||
expectPush(
|
||||
[]*repository.Event{
|
||||
@ -290,11 +434,10 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
|
||||
),
|
||||
),
|
||||
),
|
||||
expectFilter(),
|
||||
expectFilter(
|
||||
eventFromEventPusher(
|
||||
eventFromEventPusherWithInstanceID("instance1",
|
||||
instance.NewIDPConfigAddedEvent(context.Background(),
|
||||
&org.NewAggregate("org1").Aggregate,
|
||||
&instance.NewAggregate("instance1").Aggregate,
|
||||
"config1",
|
||||
"name",
|
||||
domain.IDPConfigTypeOIDC,
|
||||
@ -302,6 +445,44 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
|
||||
true,
|
||||
),
|
||||
),
|
||||
eventFromEventPusherWithInstanceID("instance1",
|
||||
instance.NewIDPOIDCConfigAddedEvent(context.Background(),
|
||||
&instance.NewAggregate("instance1").Aggregate,
|
||||
"clientID",
|
||||
"config1",
|
||||
"issuer",
|
||||
"authEndpoint",
|
||||
"tokenEndpoint",
|
||||
nil,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
),
|
||||
),
|
||||
),
|
||||
expectFilter(
|
||||
eventFromEventPusherWithInstanceID("instance1",
|
||||
instance.NewIDPConfigAddedEvent(context.Background(),
|
||||
&instance.NewAggregate("instance1").Aggregate,
|
||||
"config1",
|
||||
"name",
|
||||
domain.IDPConfigTypeOIDC,
|
||||
domain.IDPConfigStylingTypeUnspecified,
|
||||
true,
|
||||
),
|
||||
),
|
||||
eventFromEventPusherWithInstanceID("instance1",
|
||||
instance.NewIDPOIDCConfigAddedEvent(context.Background(),
|
||||
&instance.NewAggregate("instance1").Aggregate,
|
||||
"clientID",
|
||||
"config1",
|
||||
"issuer",
|
||||
"authEndpoint",
|
||||
"tokenEndpoint",
|
||||
nil,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
domain.OIDCMappingFieldUnspecified,
|
||||
),
|
||||
),
|
||||
),
|
||||
expectPush(
|
||||
[]*repository.Event{
|
||||
@ -342,12 +523,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
|
||||
eventstore: tt.fields.eventstore,
|
||||
}
|
||||
err := r.BulkAddedUserIDPLinks(tt.args.ctx, tt.args.userID, tt.args.resourceOwner, tt.args.links)
|
||||
if tt.res.err == nil {
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
if tt.res.err != nil && !tt.res.err(err) {
|
||||
t.Errorf("got wrong err: %v ", err)
|
||||
}
|
||||
assert.ErrorIs(t, err, tt.res.err)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user