TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-04-16 11:01:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: prevent custom urn:zitadel:iam claims (#7647)

Browse Source 
(cherry picked from commit 1121ebfdb81bd7e199a094150acb3f2087d6e899)
This commit is contained in:
Livio Spring 2024-03-27 08:26:14 +01:00
parent 5929575df8
commit ad0589d21d
No known key found for this signature in database
GPG Key ID: 26BB1C2FA5952CF0
3 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docs/docs/apis/actions/complement-token.md
View File

@ -31,9 +31,11 @@ The trigger is represented by the following Ids in the API: `4`
This function is deprecated, please use `api.v1.claims` This function is deprecated, please use `api.v1.claims`
- `setClaim(string, Any)` - `setClaim(string, Any)`
Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log` Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log`
Note that keys with prefix `urn:zitadel:iam` will be ignored.
- `claims` - `claims`
- `setClaim(string, Any)` - `setClaim(string, Any)`
Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log` Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log`
Note that keys with prefix `urn:zitadel:iam` will be ignored.
- `user` - `user`
- `setMetadata(string, Any)` - `setMetadata(string, Any)`
Key of the metadata and any value Key of the metadata and any value
@ -62,6 +64,7 @@ The trigger is represented by the following Ids in the API: `5`
- `claims` - `claims`
- `setClaim(string, Any)` - `setClaim(string, Any)`
Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log` Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log`
Note that keys with prefix `urn:zitadel:iam` will be ignored.
- `appendLogIntoClaims(string)` - `appendLogIntoClaims(string)`
Appends the entry into the claim `urn:zitadel:action:{action.name}:log` the value of the claim is an Array of *string* Appends the entry into the claim `urn:zitadel:action:{action.name}:log` the value of the claim is an Array of *string*
- `user` - `user`

10
internal/api/oidc/client.go
View File

@ -27,6 +27,7 @@ import (
) )
const ( const (
ClaimPrefix = "urn:zitadel:iam"
ScopeProjectRolePrefix = "urn:zitadel:iam:org:project:role:" ScopeProjectRolePrefix = "urn:zitadel:iam:org:project:role:"
ScopeProjectsRoles = "urn:zitadel:iam:org:projects:roles" ScopeProjectsRoles = "urn:zitadel:iam:org:projects:roles"
ClaimProjectRoles = "urn:zitadel:iam:org:project:roles" ClaimProjectRoles = "urn:zitadel:iam:org:project:roles"
@ -520,6 +521,9 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, user *query.User, userGra
actions.SetFields("v1", actions.SetFields("v1",
actions.SetFields("userinfo", actions.SetFields("userinfo",
actions.SetFields("setClaim", func(key string, value interface{}) { actions.SetFields("setClaim", func(key string, value interface{}) {
if strings.HasPrefix(key, ClaimPrefix) {
return
}
if userInfo.Claims[key] == nil { if userInfo.Claims[key] == nil {
userInfo.AppendClaims(key, value) userInfo.AppendClaims(key, value)
return return
@ -532,6 +536,9 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, user *query.User, userGra
), ),
actions.SetFields("claims", actions.SetFields("claims",
actions.SetFields("setClaim", func(key string, value interface{}) { actions.SetFields("setClaim", func(key string, value interface{}) {
if strings.HasPrefix(key, ClaimPrefix) {
return
}
if userInfo.Claims[key] == nil { if userInfo.Claims[key] == nil {
userInfo.AppendClaims(key, value) userInfo.AppendClaims(key, value)
return return
@ -737,6 +744,9 @@ func (o *OPStorage) privateClaimsFlows(ctx context.Context, userID string, userG
actions.SetFields("v1", actions.SetFields("v1",
actions.SetFields("claims", actions.SetFields("claims",
actions.SetFields("setClaim", func(key string, value interface{}) { actions.SetFields("setClaim", func(key string, value interface{}) {
if strings.HasPrefix(key, ClaimPrefix) {
return
}
if _, ok := claims[key]; !ok { if _, ok := claims[key]; !ok {
claims = appendClaim(claims, key, value) claims = appendClaim(claims, key, value)
return return

6
internal/api/oidc/userinfo.go
View File

@ -223,6 +223,9 @@ func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, user
actions.SetFields("v1", actions.SetFields("v1",
actions.SetFields("userinfo", actions.SetFields("userinfo",
actions.SetFields("setClaim", func(key string, value interface{}) { actions.SetFields("setClaim", func(key string, value interface{}) {
if strings.HasPrefix(key, ClaimPrefix) {
return
}
if userInfo.Claims[key] == nil { if userInfo.Claims[key] == nil {
userInfo.AppendClaims(key, value) userInfo.AppendClaims(key, value)
return return
@ -235,6 +238,9 @@ func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, user
), ),
actions.SetFields("claims", actions.SetFields("claims",
actions.SetFields("setClaim", func(key string, value interface{}) { actions.SetFields("setClaim", func(key string, value interface{}) {
if strings.HasPrefix(key, ClaimPrefix) {
return
}
if userInfo.Claims[key] == nil { if userInfo.Claims[key] == nil {
userInfo.AppendClaims(key, value) userInfo.AppendClaims(key, value)
return return