Merge remote-tracking branch 'origin/next' into next-rc
commit
b9025474ab
@ -525,12 +525,7 @@ func (l *Login) autoLinkUser(w http.ResponseWriter, r *http.Request, authReq *do
|
|||||||
// - creation by user
|
// - creation by user
|
||||||
// - linking to existing user
|
// - linking to existing user
|
||||||
func (l *Login) externalUserNotExisting(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, provider *query.IDPTemplate, externalUser *domain.ExternalUser, changed bool) {
|
func (l *Login) externalUserNotExisting(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, provider *query.IDPTemplate, externalUser *domain.ExternalUser, changed bool) {
|
||||||
resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()
|
resourceOwner := determineResourceOwner(r.Context(), authReq)
|
||||||
|
|
||||||
if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != resourceOwner {
|
|
||||||
resourceOwner = authReq.RequestedOrgID
|
|
||||||
}
|
|
||||||
|
|
||||||
orgIAMPolicy, err := l.getOrgDomainPolicy(r, resourceOwner)
|
orgIAMPolicy, err := l.getOrgDomainPolicy(r, resourceOwner)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, err)
|
l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, err)
|
||||||
@ -587,35 +582,21 @@ func (l *Login) renderExternalNotFoundOption(w http.ResponseWriter, r *http.Requ
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
errID, errMessage = l.getErrorMessage(r, err)
|
errID, errMessage = l.getErrorMessage(r, err)
|
||||||
}
|
}
|
||||||
|
resourceOwner := determineResourceOwner(r.Context(), authReq)
|
||||||
if orgIAMPolicy == nil {
|
if orgIAMPolicy == nil {
|
||||||
resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()
|
|
||||||
|
|
||||||
if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != resourceOwner {
|
|
||||||
resourceOwner = authReq.RequestedOrgID
|
|
||||||
}
|
|
||||||
|
|
||||||
orgIAMPolicy, err = l.getOrgDomainPolicy(r, resourceOwner)
|
orgIAMPolicy, err = l.getOrgDomainPolicy(r, resourceOwner)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
l.renderError(w, r, authReq, err)
|
l.renderError(w, r, authReq, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if human == nil || idpLink == nil {
|
if human == nil || idpLink == nil {
|
||||||
|
|
||||||
// TODO (LS): how do we get multiple and why do we use the last of them (taken as is)?
|
// TODO (LS): how do we get multiple and why do we use the last of them (taken as is)?
|
||||||
linkingUser := authReq.LinkingUsers[len(authReq.LinkingUsers)-1]
|
linkingUser := authReq.LinkingUsers[len(authReq.LinkingUsers)-1]
|
||||||
human, idpLink, _ = mapExternalUserToLoginUser(linkingUser, orgIAMPolicy.UserLoginMustBeDomain)
|
human, idpLink, _ = mapExternalUserToLoginUser(linkingUser, orgIAMPolicy.UserLoginMustBeDomain)
|
||||||
}
|
}
|
||||||
|
|
||||||
var resourceOwner string
|
|
||||||
if authReq != nil {
|
|
||||||
resourceOwner = authReq.RequestedOrgID
|
|
||||||
}
|
|
||||||
if resourceOwner == "" {
|
|
||||||
resourceOwner = authz.GetInstance(r.Context()).DefaultOrganisationID()
|
|
||||||
}
|
|
||||||
labelPolicy, err := l.getLabelPolicy(r, resourceOwner)
|
labelPolicy, err := l.getLabelPolicy(r, resourceOwner)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
l.renderError(w, r, authReq, err)
|
l.renderError(w, r, authReq, err)
|
||||||
@ -718,11 +699,7 @@ func (l *Login) handleExternalNotFoundOptionCheck(w http.ResponseWriter, r *http
|
|||||||
//
|
//
|
||||||
// it is called from either the [autoCreateExternalUser] or [handleExternalNotFoundOptionCheck]
|
// it is called from either the [autoCreateExternalUser] or [handleExternalNotFoundOptionCheck]
|
||||||
func (l *Login) registerExternalUser(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, externalUser *domain.ExternalUser) {
|
func (l *Login) registerExternalUser(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, externalUser *domain.ExternalUser) {
|
||||||
resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()
|
resourceOwner := determineResourceOwner(r.Context(), authReq)
|
||||||
|
|
||||||
if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != resourceOwner {
|
|
||||||
resourceOwner = authReq.RequestedOrgID
|
|
||||||
}
|
|
||||||
|
|
||||||
orgIamPolicy, err := l.getOrgDomainPolicy(r, resourceOwner)
|
orgIamPolicy, err := l.getOrgDomainPolicy(r, resourceOwner)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
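Review bot: In renderExternalNotFoundOption (hunk @ -587) the new `resourceOwner := determineResourceOwner(r.Context(), authReq)` tolerates a nil authReq, but the unchanged `linkingUser := authReq.LinkingUsers[len(authReq.LinkingUsers)-1]` a few lines below still dereferences authReq and indexes without checking the slice length, so a nil authReq or an empty LinkingUsers panics with an index-out-of-range inside this error-rendering path. Since the helper now makes the nil case look handled, guard the indexing explicitly, e.g. `if authReq == nil || len(authReq.LinkingUsers) == 0 {` followed by `l.renderError(w, r, authReq, <precondition-failed error>); return` rather than indexing; the existing `TODO (LS)` comment already flags that the indexing is unexplained. Whether authReq can actually be nil here is not visible in the hunk, so this may only be a robustness point. The function starts before and ends after this hunk; the same helper substitution in externalUserNotExisting (hunk @ -525) and registerExternalUser (hunk @ -718) raises nothing further.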
@ -1,6 +1,7 @@
|
|||||||
package login
|
package login
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
"golang.org/x/text/language"
|
"golang.org/x/text/language"
|
||||||
@ -40,6 +41,13 @@ type registerData struct {
|
|||||||
OrgRegister bool
|
OrgRegister bool
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func determineResourceOwner(ctx context.Context, authRequest *domain.AuthRequest) string {
|
||||||
|
if authRequest != nil && authRequest.RequestedOrgID != "" {
|
||||||
|
return authRequest.RequestedOrgID
|
||||||
|
}
|
||||||
|
return authz.GetInstance(ctx).DefaultOrganisationID()
|
||||||
|
}
|
||||||
|
|
||||||
func (l *Login) handleRegister(w http.ResponseWriter, r *http.Request) {
|
func (l *Login) handleRegister(w http.ResponseWriter, r *http.Request) {
|
||||||
data := new(registerFormData)
|
data := new(registerFormData)
|
||||||
authRequest, err := l.getAuthRequestAndParseData(r, data)
|
authRequest, err := l.getAuthRequestAndParseData(r, data)
|
||||||
@ -47,9 +55,30 @@ func (l *Login) handleRegister(w http.ResponseWriter, r *http.Request) {
|
|||||||
l.renderError(w, r, authRequest, err)
|
l.renderError(w, r, authRequest, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
if err := l.checkRegistrationAllowed(r, determineResourceOwner(r.Context(), authRequest), authRequest); err != nil {
|
||||||
|
l.renderError(w, r, authRequest, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
l.renderRegister(w, r, authRequest, data, nil)
|
l.renderRegister(w, r, authRequest, data, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (l *Login) checkRegistrationAllowed(r *http.Request, orgID string, authReq *domain.AuthRequest) error {
|
||||||
|
if authReq != nil {
|
||||||
|
if registrationAllowed(authReq) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return zerrors.ThrowPreconditionFailed(nil, "VIEW-RRGRXz4kGw", "Errors.Org.LoginPolicy.RegistrationNotAllowed")
|
||||||
|
}
|
||||||
|
loginPolicy, err := l.getLoginPolicy(r, orgID)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if loginPolicy.AllowRegister && loginPolicy.AllowUsernamePassword {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return zerrors.ThrowPreconditionFailed(nil, "VIEW-Vq3bduAacD", "Errors.Org.LoginPolicy.RegistrationNotAllowed")
|
||||||
|
}
|
||||||
|
|
||||||
func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) {
|
func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) {
|
||||||
data := new(registerFormData)
|
data := new(registerFormData)
|
||||||
authRequest, err := l.getAuthRequestAndParseData(r, data)
|
authRequest, err := l.getAuthRequestAndParseData(r, data)
|
||||||
@ -57,17 +86,16 @@ func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) {
|
|||||||
l.renderError(w, r, authRequest, err)
|
l.renderError(w, r, authRequest, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
resourceOwner := determineResourceOwner(r.Context(), authRequest)
|
||||||
|
if err := l.checkRegistrationAllowed(r, resourceOwner, authRequest); err != nil {
|
||||||
|
l.renderError(w, r, authRequest, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
if data.Password != data.Password2 {
|
if data.Password != data.Password2 {
|
||||||
err := zerrors.ThrowInvalidArgument(nil, "VIEW-KaGue", "Errors.User.Password.ConfirmationWrong")
|
err := zerrors.ThrowInvalidArgument(nil, "VIEW-KaGue", "Errors.User.Password.ConfirmationWrong")
|
||||||
l.renderRegister(w, r, authRequest, data, err)
|
l.renderRegister(w, r, authRequest, data, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()
|
|
||||||
|
|
||||||
if authRequest != nil && authRequest.RequestedOrgID != "" && authRequest.RequestedOrgID != resourceOwner {
|
|
||||||
resourceOwner = authRequest.RequestedOrgID
|
|
||||||
}
|
|
||||||
// For consistency with the external authentication flow,
|
// For consistency with the external authentication flow,
|
||||||
// the setMetadata() function is provided on the pre creation hook, for now,
|
// the setMetadata() function is provided on the pre creation hook, for now,
|
||||||
// like for the ExternalAuthentication flow.
|
// like for the ExternalAuthentication flow.
|
||||||
@ -126,15 +154,7 @@ func (l *Login) renderRegister(w http.ResponseWriter, r *http.Request, authReque
|
|||||||
formData.Language = l.renderer.ReqLang(translator, r).String()
|
formData.Language = l.renderer.ReqLang(translator, r).String()
|
||||||
}
|
}
|
||||||
|
|
||||||
var resourceOwner string
|
resourceOwner := determineResourceOwner(r.Context(), authRequest)
|
||||||
if authRequest != nil {
|
|
||||||
resourceOwner = authRequest.RequestedOrgID
|
|
||||||
}
|
|
||||||
|
|
||||||
if resourceOwner == "" {
|
|
||||||
resourceOwner = authz.GetInstance(r.Context()).DefaultOrganisationID()
|
|
||||||
}
|
|
||||||
|
|
||||||
data := registerData{
|
data := registerData{
|
||||||
baseData: l.getBaseData(r, authRequest, translator, "RegistrationUser.Title", "RegistrationUser.Description", errID, errMessage),
|
baseData: l.getBaseData(r, authRequest, translator, "RegistrationUser.Title", "RegistrationUser.Description", errID, errMessage),
|
||||||
registerFormData: *formData,
|
registerFormData: *formData,
|
||||||
|
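Review bot: checkRegistrationAllowed (hunk @ -47) reads its orgID parameter only on the `authReq == nil` path, so the `determineResourceOwner(r.Context(), authRequest)` evaluated at both call sites in handleRegister and handleRegisterCheck is discarded whenever an auth request is present, and when it is used it is always the instance default organisation because determineResourceOwner falls back to that for a nil request. Neither the helper nor determineResourceOwner carries a doc comment that states this; add `// checkRegistrationAllowed returns nil when self-registration is permitted: with an auth request the decision is delegated to registrationAllowed, otherwise the login policy of orgID must allow both registration and username/password login.` and `// determineResourceOwner returns the requested org of the auth request, or the instance default org when no request or no org is given.` registrationAllowed is defined outside this diff, so whether it applies the same AllowRegister/AllowUsernamePassword conditions as the policy branch cannot be confirmed here; if it does not, the two branches enforce different rules for the same form.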