diff --git a/cmd/zitadel/setup.yaml b/cmd/zitadel/setup.yaml index 8eff6e25f4..64d8f055a4 100644 --- a/cmd/zitadel/setup.yaml +++ b/cmd/zitadel/setup.yaml @@ -188,4 +188,8 @@ SetUp: Subject: Domain has been claimed Greeting: Hello {{.FirstName}} {{.LastName}}, Text: The domain {{.Domain}} has been claimed by an organisation. Your current user {{.UserName}} is not part of this organisation. Therefore you'll have to change your email when you login. We have created a temporary username ({{.TempUsername}}) for this login. - ButtonText: Login \ No newline at end of file + ButtonText: Login + Step17: + PrivacyPolicy: + TOSLink: https://docs.zitadel.ch/docs/legal/terms-of-service + PrivacyLink: https://docs.zitadel.ch/docs/legal/privacy-policy \ No newline at end of file diff --git a/docs/docs/apis/proto/admin.md b/docs/docs/apis/proto/admin.md index 613a43cd50..d113099d97 100644 --- a/docs/docs/apis/proto/admin.md +++ b/docs/docs/apis/proto/admin.md @@ -528,6 +528,27 @@ it impacts all organisations without a customised policy +### GetPrivacyPolicy + +> **rpc** GetPrivacyPolicy([GetPrivacyPolicyRequest](#getprivacypolicyrequest)) +[GetPrivacyPolicyResponse](#getprivacypolicyresponse) + +Returns the privacy policy defined by the administrators of ZITADEL + + + + +### UpdatePrivacyPolicy + +> **rpc** UpdatePrivacyPolicy([UpdatePrivacyPolicyRequest](#updateprivacypolicyrequest)) +[UpdatePrivacyPolicyResponse](#updateprivacypolicyresponse) + +Updates the default privacy policy of ZITADEL +it impacts all organisations without a customised policy + + + + ### GetDefaultInitMessageText > **rpc** GetDefaultInitMessageText([GetDefaultInitMessageTextRequest](#getdefaultinitmessagetextrequest)) @@ -1304,6 +1325,23 @@ This is an empty request +### GetPrivacyPolicyRequest +This is an empty request + + + + +### GetPrivacyPolicyResponse + + + +| Field | Type | Description | Validation | +| ----- | ---- | ----------- | ----------- | +| policy | zitadel.policy.v1.PrivacyPolicy | - | | + + + + ### HealthzRequest This is an empty request @@ -1868,6 +1906,7 @@ This is an empty request | label_policy_private_label | bool | - | | | label_policy_watermark | bool | - | | | custom_text | bool | - | | +| privacy_policy | bool | - | | @@ -2023,6 +2062,7 @@ This is an empty request | label_policy_private_label | bool | - | | | label_policy_watermark | bool | - | | | custom_text | bool | - | | +| privacy_policy | bool | - | | @@ -2380,6 +2420,29 @@ This is an empty request +### UpdatePrivacyPolicyRequest + + + +| Field | Type | Description | Validation | +| ----- | ---- | ----------- | ----------- | +| tos_link | string | - | | +| privacy_link | string | - | | + + + + +### UpdatePrivacyPolicyResponse + + + +| Field | Type | Description | Validation | +| ----- | ---- | ----------- | ----------- | +| details | zitadel.v1.ObjectDetails | - | | + + + + ### View diff --git a/docs/docs/apis/proto/management.md b/docs/docs/apis/proto/management.md index f75bc29ce3..e9b1a9c09e 100644 --- a/docs/docs/apis/proto/management.md +++ b/docs/docs/apis/proto/management.md @@ -1586,6 +1586,61 @@ The password lockout policy is not used at the moment +### GetPrivacyPolicy + +> **rpc** GetPrivacyPolicy([GetPrivacyPolicyRequest](#getprivacypolicyrequest)) +[GetPrivacyPolicyResponse](#getprivacypolicyresponse) + +Returns the privacy policy of the organisation +With this policy privacy relevant things can be configured (e.g. tos link) + + + + +### GetDefaultPrivacyPolicy + +> **rpc** GetDefaultPrivacyPolicy([GetDefaultPrivacyPolicyRequest](#getdefaultprivacypolicyrequest)) +[GetDefaultPrivacyPolicyResponse](#getdefaultprivacypolicyresponse) + +Returns the default privacy policy of the IAM +With this policy the privacy relevant things can be configured (e.g tos link) + + + + +### AddCustomPrivacyPolicy + +> **rpc** AddCustomPrivacyPolicy([AddCustomPrivacyPolicyRequest](#addcustomprivacypolicyrequest)) +[AddCustomPrivacyPolicyResponse](#addcustomprivacypolicyresponse) + +Add a custom privacy policy for the organisation +With this policy privacy relevant things can be configured (e.g. tos link) + + + + +### UpdateCustomPrivacyPolicy + +> **rpc** UpdateCustomPrivacyPolicy([UpdateCustomPrivacyPolicyRequest](#updatecustomprivacypolicyrequest)) +[UpdateCustomPrivacyPolicyResponse](#updatecustomprivacypolicyresponse) + +Update the privacy complexity policy for the organisation +With this policy privacy relevant things can be configured (e.g. tos link) + + + + +### ResetPrivacyPolicyToDefault + +> **rpc** ResetPrivacyPolicyToDefault([ResetPrivacyPolicyToDefaultRequest](#resetprivacypolicytodefaultrequest)) +[ResetPrivacyPolicyToDefaultResponse](#resetprivacypolicytodefaultresponse) + +Removes the privacy policy of the organisation +The default policy of the IAM will trigger after + + + + ### GetLabelPolicy > **rpc** GetLabelPolicy([GetLabelPolicyRequest](#getlabelpolicyrequest)) @@ -2227,6 +2282,29 @@ This is an empty request +### AddCustomPrivacyPolicyRequest + + + +| Field | Type | Description | Validation | +| ----- | ---- | ----------- | ----------- | +| tos_link | string | - | | +| privacy_link | string | - | | + + + + +### AddCustomPrivacyPolicyResponse + + + +| Field | Type | Description | Validation | +| ----- | ---- | ----------- | ----------- | +| details | zitadel.v1.ObjectDetails | - | | + + + + ### AddHumanUserRequest @@ -3239,6 +3317,23 @@ This is an empty request +### GetDefaultPrivacyPolicyRequest +This is an empty request + + + + +### GetDefaultPrivacyPolicyResponse + + + +| Field | Type | Description | Validation | +| ----- | ---- | ----------- | ----------- | +| policy | zitadel.policy.v1.PrivacyPolicy | - | | + + + + ### GetDefaultVerifyEmailMessageTextRequest @@ -3637,6 +3732,23 @@ This is an empty request +### GetPrivacyPolicyRequest +This is an empty request + + + + +### GetPrivacyPolicyResponse + + + +| Field | Type | Description | Validation | +| ----- | ---- | ----------- | ----------- | +| policy | zitadel.policy.v1.PrivacyPolicy | - | | + + + + ### GetProjectByIDRequest @@ -5607,6 +5719,23 @@ This is an empty request +### ResetPrivacyPolicyToDefaultRequest +This is an empty request + + + + +### ResetPrivacyPolicyToDefaultResponse + + + +| Field | Type | Description | Validation | +| ----- | ---- | ----------- | ----------- | +| details | zitadel.v1.ObjectDetails | - | | + + + + ### SendHumanResetPasswordNotificationRequest @@ -6044,6 +6173,29 @@ This is an empty request +### UpdateCustomPrivacyPolicyRequest + + + +| Field | Type | Description | Validation | +| ----- | ---- | ----------- | ----------- | +| tos_link | string | - | | +| privacy_link | string | - | | + + + + +### UpdateCustomPrivacyPolicyResponse + + + +| Field | Type | Description | Validation | +| ----- | ---- | ----------- | ----------- | +| details | zitadel.v1.ObjectDetails | - | | + + + + ### UpdateHumanEmailRequest diff --git a/docs/docs/apis/proto/policy.md b/docs/docs/apis/proto/policy.md index e2cef0fd26..056c6784f4 100644 --- a/docs/docs/apis/proto/policy.md +++ b/docs/docs/apis/proto/policy.md @@ -112,6 +112,20 @@ title: zitadel/policy.proto +### PrivacyPolicy + + + +| Field | Type | Description | Validation | +| ----- | ---- | ----------- | ----------- | +| details | zitadel.v1.ObjectDetails | - | | +| tos_link | string | - | | +| privacy_link | string | - | | +| is_default | bool | - | | + + + + ## Enums diff --git a/internal/admin/repository/eventsourcing/eventstore/iam.go b/internal/admin/repository/eventsourcing/eventstore/iam.go index 12be269857..fee3206379 100644 --- a/internal/admin/repository/eventsourcing/eventstore/iam.go +++ b/internal/admin/repository/eventsourcing/eventstore/iam.go @@ -372,6 +372,33 @@ func (repo *IAMRepository) GetDefaultMessageText(ctx context.Context, textType, return iam_es_model.MessageTextViewToModel(text), err } +func (repo *IAMRepository) GetDefaultPrivacyPolicy(ctx context.Context) (*iam_model.PrivacyPolicyView, error) { + policy, viewErr := repo.View.PrivacyPolicyByAggregateID(repo.SystemDefaults.IamID) + if viewErr != nil && !caos_errs.IsNotFound(viewErr) { + return nil, viewErr + } + if caos_errs.IsNotFound(viewErr) { + policy = new(iam_es_model.PrivacyPolicyView) + } + events, esErr := repo.getIAMEvents(ctx, policy.Sequence) + if caos_errs.IsNotFound(viewErr) && len(events) == 0 { + return nil, caos_errs.ThrowNotFound(nil, "EVENT-84Nfs", "Errors.IAM.PrivacyPolicy.NotFound") + } + if esErr != nil { + logging.Log("EVENT-0p3Fs").WithError(esErr).Debug("error retrieving new events") + return iam_es_model.PrivacyViewToModel(policy), nil + } + policyCopy := *policy + for _, event := range events { + if err := policyCopy.AppendEvent(event); err != nil { + return iam_es_model.PrivacyViewToModel(policy), nil + } + } + result := iam_es_model.PrivacyViewToModel(policy) + result.Default = true + return result, nil +} + func (repo *IAMRepository) getIAMEvents(ctx context.Context, sequence uint64) ([]*models.Event, error) { query, err := iam_view.IAMByIDQuery(domain.IAMID, sequence) if err != nil { diff --git a/internal/admin/repository/eventsourcing/handler/handler.go b/internal/admin/repository/eventsourcing/handler/handler.go index 9695aeb756..62d2d4fe3b 100644 --- a/internal/admin/repository/eventsourcing/handler/handler.go +++ b/internal/admin/repository/eventsourcing/handler/handler.go @@ -66,6 +66,8 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es handler{view, bulkLimit, configs.cycleDuration("MessageText"), errorCount, es}), newFeatures( handler{view, bulkLimit, configs.cycleDuration("Features"), errorCount, es}), + newPrivacyPolicy( + handler{view, bulkLimit, configs.cycleDuration("PrivacyPolicy"), errorCount, es}), } if static != nil { handlers = append(handlers, newStyling( diff --git a/internal/admin/repository/eventsourcing/handler/privacy_policy.go b/internal/admin/repository/eventsourcing/handler/privacy_policy.go new file mode 100644 index 0000000000..9620de9f41 --- /dev/null +++ b/internal/admin/repository/eventsourcing/handler/privacy_policy.go @@ -0,0 +1,106 @@ +package handler + +import ( + "github.com/caos/logging" + "github.com/caos/zitadel/internal/eventstore/v1" + iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model" + + es_models "github.com/caos/zitadel/internal/eventstore/v1/models" + "github.com/caos/zitadel/internal/eventstore/v1/query" + "github.com/caos/zitadel/internal/eventstore/v1/spooler" + iam_model "github.com/caos/zitadel/internal/iam/repository/view/model" + "github.com/caos/zitadel/internal/org/repository/eventsourcing/model" +) + +const ( + privacyPolicyTable = "adminapi.privacy_policies" +) + +type PrivacyPolicy struct { + handler + subscription *v1.Subscription +} + +func newPrivacyPolicy(handler handler) *PrivacyPolicy { + h := &PrivacyPolicy{ + handler: handler, + } + + h.subscribe() + + return h +} + +func (p *PrivacyPolicy) subscribe() { + p.subscription = p.es.Subscribe(p.AggregateTypes()...) + go func() { + for event := range p.subscription.Events { + query.ReduceEvent(p, event) + } + }() +} + +func (p *PrivacyPolicy) ViewModel() string { + return privacyPolicyTable +} + +func (p *PrivacyPolicy) AggregateTypes() []es_models.AggregateType { + return []es_models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate} +} + +func (p *PrivacyPolicy) CurrentSequence() (uint64, error) { + sequence, err := p.view.GetLatestPrivacyPolicySequence() + if err != nil { + return 0, err + } + return sequence.CurrentSequence, nil +} + +func (p *PrivacyPolicy) EventQuery() (*es_models.SearchQuery, error) { + sequence, err := p.view.GetLatestPrivacyPolicySequence() + if err != nil { + return nil, err + } + return es_models.NewSearchQuery(). + AggregateTypeFilter(p.AggregateTypes()...). + LatestSequenceFilter(sequence.CurrentSequence), nil +} + +func (p *PrivacyPolicy) Reduce(event *es_models.Event) (err error) { + switch event.AggregateType { + case model.OrgAggregate, iam_es_model.IAMAggregate: + err = p.processPrivacyPolicy(event) + } + return err +} + +func (p *PrivacyPolicy) processPrivacyPolicy(event *es_models.Event) (err error) { + policy := new(iam_model.PrivacyPolicyView) + switch event.Type { + case iam_es_model.PrivacyPolicyAdded, model.PrivacyPolicyAdded: + err = policy.AppendEvent(event) + case iam_es_model.PrivacyPolicyChanged, model.PrivacyPolicyChanged: + policy, err = p.view.PrivacyPolicyByAggregateID(event.AggregateID) + if err != nil { + return err + } + err = policy.AppendEvent(event) + case model.PrivacyPolicyRemoved: + return p.view.DeletePrivacyPolicy(event.AggregateID, event) + default: + return p.view.ProcessedPrivacyPolicySequence(event) + } + if err != nil { + return err + } + return p.view.PutPrivacyPolicy(policy, event) +} + +func (p *PrivacyPolicy) OnError(event *es_models.Event, err error) error { + logging.LogWithFields("SPOOL-4N8sw", "id", event.AggregateID).WithError(err).Warn("something went wrong in privacy policy handler") + return spooler.HandleError(event, err, p.view.GetLatestPrivacyPolicyFailedEvent, p.view.ProcessedPrivacyPolicyFailedEvent, p.view.ProcessedPrivacyPolicySequence, p.errorCountUntilSkip) +} + +func (p *PrivacyPolicy) OnSuccess() error { + return spooler.HandleSuccess(p.view.UpdatePrivacyPolicySpoolerRunTimestamp) +} diff --git a/internal/admin/repository/eventsourcing/view/privacy_policy.go b/internal/admin/repository/eventsourcing/view/privacy_policy.go new file mode 100644 index 0000000000..8f3eded17f --- /dev/null +++ b/internal/admin/repository/eventsourcing/view/privacy_policy.go @@ -0,0 +1,53 @@ +package view + +import ( + "github.com/caos/zitadel/internal/errors" + "github.com/caos/zitadel/internal/eventstore/v1/models" + "github.com/caos/zitadel/internal/iam/repository/view" + "github.com/caos/zitadel/internal/iam/repository/view/model" + global_view "github.com/caos/zitadel/internal/view/repository" +) + +const ( + privacyPolicyTable = "adminapi.privacy_policies" +) + +func (v *View) PrivacyPolicyByAggregateID(aggregateID string) (*model.PrivacyPolicyView, error) { + return view.GetPrivacyPolicyByAggregateID(v.Db, privacyPolicyTable, aggregateID) +} + +func (v *View) PutPrivacyPolicy(policy *model.PrivacyPolicyView, event *models.Event) error { + err := view.PutPrivacyPolicy(v.Db, privacyPolicyTable, policy) + if err != nil { + return err + } + return v.ProcessedPrivacyPolicySequence(event) +} + +func (v *View) DeletePrivacyPolicy(aggregateID string, event *models.Event) error { + err := view.DeletePrivacyPolicy(v.Db, privacyPolicyTable, aggregateID) + if err != nil && !errors.IsNotFound(err) { + return err + } + return v.ProcessedPrivacyPolicySequence(event) +} + +func (v *View) GetLatestPrivacyPolicySequence() (*global_view.CurrentSequence, error) { + return v.latestSequence(privacyPolicyTable) +} + +func (v *View) ProcessedPrivacyPolicySequence(event *models.Event) error { + return v.saveCurrentSequence(privacyPolicyTable, event) +} + +func (v *View) UpdatePrivacyPolicySpoolerRunTimestamp() error { + return v.updateSpoolerRunSequence(privacyPolicyTable) +} + +func (v *View) GetLatestPrivacyPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) { + return v.latestFailedEvent(privacyPolicyTable, sequence) +} + +func (v *View) ProcessedPrivacyPolicyFailedEvent(failedEvent *global_view.FailedEvent) error { + return v.saveFailedEvent(failedEvent) +} diff --git a/internal/admin/repository/iam.go b/internal/admin/repository/iam.go index 4bf9c0f653..676546dc71 100644 --- a/internal/admin/repository/iam.go +++ b/internal/admin/repository/iam.go @@ -37,5 +37,7 @@ type IAMRepository interface { GetDefaultPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error) + GetDefaultPrivacyPolicy(ctx context.Context) (*iam_model.PrivacyPolicyView, error) + GetDefaultOrgIAMPolicy(ctx context.Context) (*iam_model.OrgIAMPolicyView, error) } diff --git a/internal/api/grpc/admin/features.go b/internal/api/grpc/admin/features.go index 21443cdb93..8e3be2a635 100644 --- a/internal/api/grpc/admin/features.go +++ b/internal/api/grpc/admin/features.go @@ -75,6 +75,7 @@ func setDefaultFeaturesRequestToDomain(req *admin_pb.SetDefaultFeaturesRequest) LabelPolicyWatermark: req.LabelPolicyWatermark, CustomDomain: req.CustomDomain, CustomText: req.CustomText, + PrivacyPolicy: req.PrivacyPolicy, } } @@ -96,5 +97,6 @@ func setOrgFeaturesRequestToDomain(req *admin_pb.SetOrgFeaturesRequest) *domain. LabelPolicyWatermark: req.LabelPolicyWatermark, CustomDomain: req.CustomDomain, CustomText: req.CustomText, + PrivacyPolicy: req.PrivacyPolicy, } } diff --git a/internal/api/grpc/admin/privacy_policy.go b/internal/api/grpc/admin/privacy_policy.go new file mode 100644 index 0000000000..95497edf70 --- /dev/null +++ b/internal/api/grpc/admin/privacy_policy.go @@ -0,0 +1,31 @@ +package admin + +import ( + "context" + + "github.com/caos/zitadel/internal/api/grpc/object" + policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy" + admin_pb "github.com/caos/zitadel/pkg/grpc/admin" +) + +func (s *Server) GetPrivacyPolicy(ctx context.Context, _ *admin_pb.GetPrivacyPolicyRequest) (*admin_pb.GetPrivacyPolicyResponse, error) { + policy, err := s.iam.GetDefaultPrivacyPolicy(ctx) + if err != nil { + return nil, err + } + return &admin_pb.GetPrivacyPolicyResponse{Policy: policy_grpc.ModelPrivacyPolicyToPb(policy)}, nil +} + +func (s *Server) UpdatePrivacyPolicy(ctx context.Context, req *admin_pb.UpdatePrivacyPolicyRequest) (*admin_pb.UpdatePrivacyPolicyResponse, error) { + result, err := s.command.ChangeDefaultPrivacyPolicy(ctx, UpdatePrivacyPolicyToDomain(req)) + if err != nil { + return nil, err + } + return &admin_pb.UpdatePrivacyPolicyResponse{ + Details: object.ChangeToDetailsPb( + result.Sequence, + result.ChangeDate, + result.ResourceOwner, + ), + }, nil +} diff --git a/internal/api/grpc/admin/privacy_policy_converter.go b/internal/api/grpc/admin/privacy_policy_converter.go new file mode 100644 index 0000000000..2c2c9fb4cc --- /dev/null +++ b/internal/api/grpc/admin/privacy_policy_converter.go @@ -0,0 +1,13 @@ +package admin + +import ( + "github.com/caos/zitadel/internal/domain" + admin_pb "github.com/caos/zitadel/pkg/grpc/admin" +) + +func UpdatePrivacyPolicyToDomain(req *admin_pb.UpdatePrivacyPolicyRequest) *domain.PrivacyPolicy { + return &domain.PrivacyPolicy{ + TOSLink: req.TosLink, + PrivacyLink: req.PrivacyLink, + } +} diff --git a/internal/api/grpc/features/features.go b/internal/api/grpc/features/features.go index b2b47f9956..3b9a78dcd5 100644 --- a/internal/api/grpc/features/features.go +++ b/internal/api/grpc/features/features.go @@ -28,6 +28,7 @@ func FeaturesFromModel(features *features_model.FeaturesView) *features_pb.Featu LabelPolicyPrivateLabel: features.LabelPolicyPrivateLabel, LabelPolicyWatermark: features.LabelPolicyWatermark, CustomText: features.CustomText, + PrivacyPolicy: features.PrivacyPolicy, } } diff --git a/internal/api/grpc/management/policy_privacy.go b/internal/api/grpc/management/policy_privacy.go new file mode 100644 index 0000000000..45e0bcb556 --- /dev/null +++ b/internal/api/grpc/management/policy_privacy.go @@ -0,0 +1,64 @@ +package management + +import ( + "context" + + "github.com/caos/zitadel/internal/api/authz" + "github.com/caos/zitadel/internal/api/grpc/object" + policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy" + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" +) + +func (s *Server) GetPrivacyPolicy(ctx context.Context, _ *mgmt_pb.GetPrivacyPolicyRequest) (*mgmt_pb.GetPrivacyPolicyResponse, error) { + policy, err := s.org.GetPrivacyPolicy(ctx) + if err != nil { + return nil, err + } + return &mgmt_pb.GetPrivacyPolicyResponse{Policy: policy_grpc.ModelPrivacyPolicyToPb(policy)}, nil +} + +func (s *Server) GetDefaultPrivacyPolicy(ctx context.Context, _ *mgmt_pb.GetDefaultPrivacyPolicyRequest) (*mgmt_pb.GetDefaultPrivacyPolicyResponse, error) { + policy, err := s.org.GetDefaultPrivacyPolicy(ctx) + if err != nil { + return nil, err + } + return &mgmt_pb.GetDefaultPrivacyPolicyResponse{Policy: policy_grpc.ModelPrivacyPolicyToPb(policy)}, nil +} + +func (s *Server) AddCustomPrivacyPolicy(ctx context.Context, req *mgmt_pb.AddCustomPrivacyPolicyRequest) (*mgmt_pb.AddCustomPrivacyPolicyResponse, error) { + result, err := s.command.AddPrivacyPolicy(ctx, authz.GetCtxData(ctx).OrgID, AddPrivacyPolicyToDomain(req)) + if err != nil { + return nil, err + } + return &mgmt_pb.AddCustomPrivacyPolicyResponse{ + Details: object.AddToDetailsPb( + result.Sequence, + result.ChangeDate, + result.ResourceOwner, + ), + }, nil +} + +func (s *Server) UpdateCustomPrivacyPolicy(ctx context.Context, req *mgmt_pb.UpdateCustomPrivacyPolicyRequest) (*mgmt_pb.UpdateCustomPrivacyPolicyResponse, error) { + result, err := s.command.ChangePrivacyPolicy(ctx, authz.GetCtxData(ctx).OrgID, UpdatePrivacyPolicyToDomain(req)) + if err != nil { + return nil, err + } + return &mgmt_pb.UpdateCustomPrivacyPolicyResponse{ + Details: object.ChangeToDetailsPb( + result.Sequence, + result.ChangeDate, + result.ResourceOwner, + ), + }, nil +} + +func (s *Server) ResetPrivacyPolicyToDefault(ctx context.Context, _ *mgmt_pb.ResetPrivacyPolicyToDefaultRequest) (*mgmt_pb.ResetPrivacyPolicyToDefaultResponse, error) { + objectDetails, err := s.command.RemovePrivacyPolicy(ctx, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.ResetPrivacyPolicyToDefaultResponse{ + Details: object.DomainToChangeDetailsPb(objectDetails), + }, nil +} diff --git a/internal/api/grpc/management/policy_privacy_converter.go b/internal/api/grpc/management/policy_privacy_converter.go new file mode 100644 index 0000000000..f78c5ac12d --- /dev/null +++ b/internal/api/grpc/management/policy_privacy_converter.go @@ -0,0 +1,20 @@ +package management + +import ( + "github.com/caos/zitadel/internal/domain" + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" +) + +func AddPrivacyPolicyToDomain(req *mgmt_pb.AddCustomPrivacyPolicyRequest) *domain.PrivacyPolicy { + return &domain.PrivacyPolicy{ + TOSLink: req.TosLink, + PrivacyLink: req.PrivacyLink, + } +} + +func UpdatePrivacyPolicyToDomain(req *mgmt_pb.UpdateCustomPrivacyPolicyRequest) *domain.PrivacyPolicy { + return &domain.PrivacyPolicy{ + TOSLink: req.TosLink, + PrivacyLink: req.PrivacyLink, + } +} diff --git a/internal/api/grpc/policy/privacy_policy.go b/internal/api/grpc/policy/privacy_policy.go new file mode 100644 index 0000000000..b3816c1bf5 --- /dev/null +++ b/internal/api/grpc/policy/privacy_policy.go @@ -0,0 +1,21 @@ +package policy + +import ( + "github.com/caos/zitadel/internal/api/grpc/object" + "github.com/caos/zitadel/internal/iam/model" + policy_pb "github.com/caos/zitadel/pkg/grpc/policy" +) + +func ModelPrivacyPolicyToPb(policy *model.PrivacyPolicyView) *policy_pb.PrivacyPolicy { + return &policy_pb.PrivacyPolicy{ + IsDefault: policy.Default, + TosLink: policy.TOSLink, + PrivacyLink: policy.PrivacyLink, + Details: object.ToViewDetailsPb( + policy.Sequence, + policy.CreationDate, + policy.ChangeDate, + "", //TODO: resourceowner + ), + } +} diff --git a/internal/auth/repository/eventsourcing/eventstore/auth_request.go b/internal/auth/repository/eventsourcing/eventstore/auth_request.go index 1775e6ce8e..707f7b5e73 100644 --- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go +++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go @@ -440,6 +440,11 @@ func (repo *AuthRequestRepo) fillLoginPolicy(ctx context.Context, request *domai if idpProviders != nil { request.AllowedExternalIDPs = idpProviders } + privacyPolicy, err := repo.getPrivacyPolicy(ctx, orgID) + if err != nil { + return err + } + request.PrivacyPolicy = privacyPolicy labelPolicy, err := repo.getLabelPolicy(ctx, orgID) if err != nil { return err @@ -719,6 +724,21 @@ func (repo *AuthRequestRepo) getLoginPolicy(ctx context.Context, orgID string) ( return iam_es_model.LoginPolicyViewToModel(policy), err } +func (repo *AuthRequestRepo) getPrivacyPolicy(ctx context.Context, orgID string) (*domain.PrivacyPolicy, error) { + policy, err := repo.View.PrivacyPolicyByAggregateID(orgID) + if errors.IsNotFound(err) { + policy, err = repo.View.PrivacyPolicyByAggregateID(repo.IAMID) + if err != nil { + return nil, err + } + policy.Default = true + } + if err != nil { + return nil, err + } + return policy.ToDomain(), err +} + func (repo *AuthRequestRepo) getLabelPolicy(ctx context.Context, orgID string) (*domain.LabelPolicy, error) { policy, err := repo.View.LabelPolicyByAggregateIDAndState(orgID, int32(domain.LabelPolicyStateActive)) if errors.IsNotFound(err) { diff --git a/internal/auth/repository/eventsourcing/eventstore/org.go b/internal/auth/repository/eventsourcing/eventstore/org.go index f0c85eb9fc..84692e3042 100644 --- a/internal/auth/repository/eventsourcing/eventstore/org.go +++ b/internal/auth/repository/eventsourcing/eventstore/org.go @@ -115,3 +115,11 @@ func (repo *OrgRepository) GetLabelPolicy(ctx context.Context, orgID string) (*i } return iam_view_model.LabelPolicyViewToModel(orgPolicy), nil } + +func (repo *OrgRepository) GetDefaultPrivacyPolicy(ctx context.Context) (*iam_model.PrivacyPolicyView, error) { + policy, err := repo.View.PrivacyPolicyByAggregateID(repo.SystemDefaults.IamID) + if err != nil { + return nil, err + } + return iam_view_model.PrivacyViewToModel(policy), nil +} diff --git a/internal/auth/repository/eventsourcing/handler/handler.go b/internal/auth/repository/eventsourcing/handler/handler.go index 0f60096f07..580387da7f 100644 --- a/internal/auth/repository/eventsourcing/handler/handler.go +++ b/internal/auth/repository/eventsourcing/handler/handler.go @@ -70,6 +70,7 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es newLabelPolicy(handler{view, bulkLimit, configs.cycleDuration("LabelPolicy"), errorCount, es}), newFeatures(handler{view, bulkLimit, configs.cycleDuration("Features"), errorCount, es}), newRefreshToken(handler{view, bulkLimit, configs.cycleDuration("RefreshToken"), errorCount, es}), + newPrivacyPolicy(handler{view, bulkLimit, configs.cycleDuration("PrivacyPolicy"), errorCount, es}), } } diff --git a/internal/auth/repository/eventsourcing/handler/privacy_policy.go b/internal/auth/repository/eventsourcing/handler/privacy_policy.go new file mode 100644 index 0000000000..f79a036dd9 --- /dev/null +++ b/internal/auth/repository/eventsourcing/handler/privacy_policy.go @@ -0,0 +1,106 @@ +package handler + +import ( + "github.com/caos/logging" + "github.com/caos/zitadel/internal/eventstore/v1" + iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model" + + es_models "github.com/caos/zitadel/internal/eventstore/v1/models" + "github.com/caos/zitadel/internal/eventstore/v1/query" + "github.com/caos/zitadel/internal/eventstore/v1/spooler" + iam_model "github.com/caos/zitadel/internal/iam/repository/view/model" + "github.com/caos/zitadel/internal/org/repository/eventsourcing/model" +) + +const ( + privacyPolicyTable = "auth.privacy_policies" +) + +type PrivacyPolicy struct { + handler + subscription *v1.Subscription +} + +func newPrivacyPolicy(handler handler) *PrivacyPolicy { + h := &PrivacyPolicy{ + handler: handler, + } + + h.subscribe() + + return h +} + +func (p *PrivacyPolicy) subscribe() { + p.subscription = p.es.Subscribe(p.AggregateTypes()...) + go func() { + for event := range p.subscription.Events { + query.ReduceEvent(p, event) + } + }() +} + +func (p *PrivacyPolicy) ViewModel() string { + return privacyPolicyTable +} + +func (p *PrivacyPolicy) AggregateTypes() []es_models.AggregateType { + return []es_models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate} +} + +func (p *PrivacyPolicy) CurrentSequence() (uint64, error) { + sequence, err := p.view.GetLatestPrivacyPolicySequence() + if err != nil { + return 0, err + } + return sequence.CurrentSequence, nil +} + +func (p *PrivacyPolicy) EventQuery() (*es_models.SearchQuery, error) { + sequence, err := p.view.GetLatestPrivacyPolicySequence() + if err != nil { + return nil, err + } + return es_models.NewSearchQuery(). + AggregateTypeFilter(p.AggregateTypes()...). + LatestSequenceFilter(sequence.CurrentSequence), nil +} + +func (p *PrivacyPolicy) Reduce(event *es_models.Event) (err error) { + switch event.AggregateType { + case model.OrgAggregate, iam_es_model.IAMAggregate: + err = p.processPrivacyPolicy(event) + } + return err +} + +func (p *PrivacyPolicy) processPrivacyPolicy(event *es_models.Event) (err error) { + policy := new(iam_model.PrivacyPolicyView) + switch event.Type { + case iam_es_model.PrivacyPolicyAdded, model.PrivacyPolicyAdded: + err = policy.AppendEvent(event) + case iam_es_model.PrivacyPolicyChanged, model.PrivacyPolicyChanged: + policy, err = p.view.PrivacyPolicyByAggregateID(event.AggregateID) + if err != nil { + return err + } + err = policy.AppendEvent(event) + case model.PrivacyPolicyRemoved: + return p.view.DeletePrivacyPolicy(event.AggregateID, event) + default: + return p.view.ProcessedPrivacyPolicySequence(event) + } + if err != nil { + return err + } + return p.view.PutPrivacyPolicy(policy, event) +} + +func (p *PrivacyPolicy) OnError(event *es_models.Event, err error) error { + logging.LogWithFields("SPOOL-4N8sw", "id", event.AggregateID).WithError(err).Warn("something went wrong in privacy policy handler") + return spooler.HandleError(event, err, p.view.GetLatestPrivacyPolicyFailedEvent, p.view.ProcessedPrivacyPolicyFailedEvent, p.view.ProcessedPrivacyPolicySequence, p.errorCountUntilSkip) +} + +func (p *PrivacyPolicy) OnSuccess() error { + return spooler.HandleSuccess(p.view.UpdatePrivacyPolicySpoolerRunTimestamp) +} diff --git a/internal/auth/repository/eventsourcing/view/privacy_policy.go b/internal/auth/repository/eventsourcing/view/privacy_policy.go new file mode 100644 index 0000000000..8a2e921273 --- /dev/null +++ b/internal/auth/repository/eventsourcing/view/privacy_policy.go @@ -0,0 +1,53 @@ +package view + +import ( + "github.com/caos/zitadel/internal/errors" + "github.com/caos/zitadel/internal/eventstore/v1/models" + "github.com/caos/zitadel/internal/iam/repository/view" + "github.com/caos/zitadel/internal/iam/repository/view/model" + global_view "github.com/caos/zitadel/internal/view/repository" +) + +const ( + privacyPolicyTable = "auth.privacy_policies" +) + +func (v *View) PrivacyPolicyByAggregateID(aggregateID string) (*model.PrivacyPolicyView, error) { + return view.GetPrivacyPolicyByAggregateID(v.Db, privacyPolicyTable, aggregateID) +} + +func (v *View) PutPrivacyPolicy(policy *model.PrivacyPolicyView, event *models.Event) error { + err := view.PutPrivacyPolicy(v.Db, privacyPolicyTable, policy) + if err != nil { + return err + } + return v.ProcessedPrivacyPolicySequence(event) +} + +func (v *View) DeletePrivacyPolicy(aggregateID string, event *models.Event) error { + err := view.DeletePrivacyPolicy(v.Db, privacyPolicyTable, aggregateID) + if err != nil && !errors.IsNotFound(err) { + return err + } + return v.ProcessedPrivacyPolicySequence(event) +} + +func (v *View) GetLatestPrivacyPolicySequence() (*global_view.CurrentSequence, error) { + return v.latestSequence(privacyPolicyTable) +} + +func (v *View) ProcessedPrivacyPolicySequence(event *models.Event) error { + return v.saveCurrentSequence(privacyPolicyTable, event) +} + +func (v *View) UpdatePrivacyPolicySpoolerRunTimestamp() error { + return v.updateSpoolerRunSequence(privacyPolicyTable) +} + +func (v *View) GetLatestPrivacyPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) { + return v.latestFailedEvent(privacyPolicyTable, sequence) +} + +func (v *View) ProcessedPrivacyPolicyFailedEvent(failedEvent *global_view.FailedEvent) error { + return v.saveFailedEvent(failedEvent) +} diff --git a/internal/auth/repository/org.go b/internal/auth/repository/org.go index c3e2d21393..934c4ef653 100644 --- a/internal/auth/repository/org.go +++ b/internal/auth/repository/org.go @@ -13,4 +13,5 @@ type OrgRepository interface { GetIDPConfigByID(ctx context.Context, idpConfigID string) (*iam_model.IDPConfigView, error) GetMyPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error) GetLabelPolicy(ctx context.Context, orgID string) (*iam_model.LabelPolicyView, error) + GetDefaultPrivacyPolicy(ctx context.Context) (*iam_model.PrivacyPolicyView, error) } diff --git a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go index 862e298678..29b8f5bed5 100644 --- a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go +++ b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go @@ -157,6 +157,12 @@ func checkFeatures(features *features_view_model.FeaturesView, requiredFeatures } continue } + if requiredFeature == domain.FeaturePrivacyPolicy { + if !features.PrivacyPolicy { + return MissingFeatureErr(requiredFeature) + } + continue + } return MissingFeatureErr(requiredFeature) } return nil diff --git a/internal/command/features_model.go b/internal/command/features_model.go index 62567a6f2e..5878b6faad 100644 --- a/internal/command/features_model.go +++ b/internal/command/features_model.go @@ -27,6 +27,7 @@ type FeaturesWriteModel struct { LabelPolicyWatermark bool CustomDomain bool CustomText bool + PrivacyPolicy bool } func (wm *FeaturesWriteModel) Reduce() error { diff --git a/internal/command/iam_converter.go b/internal/command/iam_converter.go index f1fcf3111a..cbe41a3c7c 100644 --- a/internal/command/iam_converter.go +++ b/internal/command/iam_converter.go @@ -120,6 +120,14 @@ func writeModelToPasswordLockoutPolicy(wm *PasswordLockoutPolicyWriteModel) *dom } } +func writeModelToPrivacyPolicy(wm *PrivacyPolicyWriteModel) *domain.PrivacyPolicy { + return &domain.PrivacyPolicy{ + ObjectRoot: writeModelToObjectRoot(wm.WriteModel), + TOSLink: wm.TOSLink, + PrivacyLink: wm.PrivacyLink, + } +} + func writeModelToIDPConfig(wm *IDPConfigWriteModel) *domain.IDPConfig { return &domain.IDPConfig{ ObjectRoot: writeModelToObjectRoot(wm.WriteModel), diff --git a/internal/command/iam_features.go b/internal/command/iam_features.go index c24eebfa96..afdb3fee6e 100644 --- a/internal/command/iam_features.go +++ b/internal/command/iam_features.go @@ -50,6 +50,7 @@ func (c *Commands) setDefaultFeatures(ctx context.Context, existingFeatures *IAM features.LabelPolicyWatermark, features.CustomDomain, features.CustomText, + features.PrivacyPolicy, ) if !hasChanged { return nil, caos_errs.ThrowPreconditionFailed(nil, "Features-GE4h2", "Errors.Features.NotChanged") diff --git a/internal/command/iam_features_model.go b/internal/command/iam_features_model.go index 2a043bc851..11007bfbc1 100644 --- a/internal/command/iam_features_model.go +++ b/internal/command/iam_features_model.go @@ -65,7 +65,8 @@ func (wm *IAMFeaturesWriteModel) NewSetEvent( labelPolicyPrivateLabel, labelPolicyWatermark, customDomain, - customText bool, + customText, + privacyPolicy bool, ) (*iam.FeaturesSetEvent, bool) { changes := make([]features.FeaturesChanges, 0) @@ -115,7 +116,9 @@ func (wm *IAMFeaturesWriteModel) NewSetEvent( if wm.CustomText != customText { changes = append(changes, features.ChangeCustomText(customText)) } - + if wm.PrivacyPolicy != privacyPolicy { + changes = append(changes, features.ChangePrivacyPolicy(privacyPolicy)) + } if len(changes) == 0 { return nil, false } diff --git a/internal/command/iam_policy_privacy.go b/internal/command/iam_policy_privacy.go new file mode 100644 index 0000000000..3b3eb19cc0 --- /dev/null +++ b/internal/command/iam_policy_privacy.go @@ -0,0 +1,92 @@ +package command + +import ( + "context" + "github.com/caos/zitadel/internal/domain" + caos_errs "github.com/caos/zitadel/internal/errors" + "github.com/caos/zitadel/internal/eventstore" + iam_repo "github.com/caos/zitadel/internal/repository/iam" + "github.com/caos/zitadel/internal/telemetry/tracing" +) + +func (c *Commands) getDefaultPrivacyPolicy(ctx context.Context) (*domain.PrivacyPolicy, error) { + policyWriteModel := NewIAMPrivacyPolicyWriteModel() + err := c.eventstore.FilterToQueryReducer(ctx, policyWriteModel) + if err != nil { + return nil, err + } + if !policyWriteModel.State.Exists() { + return nil, caos_errs.ThrowInvalidArgument(nil, "IAM-559os", "Errors.IAM.OrgIAMPolicy.NotFound") + } + policy := writeModelToPrivacyPolicy(&policyWriteModel.PrivacyPolicyWriteModel) + policy.Default = true + return policy, nil +} + +func (c *Commands) AddDefaultPrivacyPolicy(ctx context.Context, policy *domain.PrivacyPolicy) (*domain.PrivacyPolicy, error) { + addedPolicy := NewIAMPrivacyPolicyWriteModel() + iamAgg := IAMAggregateFromWriteModel(&addedPolicy.WriteModel) + events, err := c.addDefaultPrivacyPolicy(ctx, iamAgg, addedPolicy, policy) + if err != nil { + return nil, err + } + + pushedEvents, err := c.eventstore.PushEvents(ctx, events) + if err != nil { + return nil, err + } + err = AppendAndReduce(addedPolicy, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToPrivacyPolicy(&addedPolicy.PrivacyPolicyWriteModel), nil +} + +func (c *Commands) addDefaultPrivacyPolicy(ctx context.Context, iamAgg *eventstore.Aggregate, addedPolicy *IAMPrivacyPolicyWriteModel, policy *domain.PrivacyPolicy) (eventstore.EventPusher, error) { + err := c.eventstore.FilterToQueryReducer(ctx, addedPolicy) + if err != nil { + return nil, err + } + if addedPolicy.State == domain.PolicyStateActive { + return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-M00rJ", "Errors.IAM.PrivacyPolicy.AlreadyExists") + } + + return iam_repo.NewPrivacyPolicyAddedEvent(ctx, iamAgg, policy.TOSLink, policy.PrivacyLink), nil +} + +func (c *Commands) ChangeDefaultPrivacyPolicy(ctx context.Context, policy *domain.PrivacyPolicy) (*domain.PrivacyPolicy, error) { + existingPolicy, err := c.defaultPrivacyPolicyWriteModelByID(ctx) + if err != nil { + return nil, err + } + if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved { + return nil, caos_errs.ThrowNotFound(nil, "IAM-0oPew", "Errors.IAM.PasswordAgePolicy.NotFound") + } + + iamAgg := IAMAggregateFromWriteModel(&existingPolicy.PrivacyPolicyWriteModel.WriteModel) + changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, iamAgg, policy.TOSLink, policy.PrivacyLink) + if !hasChanged { + return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-4M9vs", "Errors.IAM.LabelPolicy.NotChanged") + } + pushedEvents, err := c.eventstore.PushEvents(ctx, changedEvent) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingPolicy, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToPrivacyPolicy(&existingPolicy.PrivacyPolicyWriteModel), nil +} + +func (c *Commands) defaultPrivacyPolicyWriteModelByID(ctx context.Context) (policy *IAMPrivacyPolicyWriteModel, err error) { + ctx, span := tracing.NewSpan(ctx) + defer func() { span.EndWithError(err) }() + + writeModel := NewIAMPrivacyPolicyWriteModel() + err = c.eventstore.FilterToQueryReducer(ctx, writeModel) + if err != nil { + return nil, err + } + return writeModel, nil +} diff --git a/internal/command/iam_policy_privacy_model.go b/internal/command/iam_policy_privacy_model.go new file mode 100644 index 0000000000..ef3daadcbb --- /dev/null +++ b/internal/command/iam_policy_privacy_model.go @@ -0,0 +1,73 @@ +package command + +import ( + "context" + "github.com/caos/zitadel/internal/eventstore" + + "github.com/caos/zitadel/internal/domain" + "github.com/caos/zitadel/internal/repository/iam" + "github.com/caos/zitadel/internal/repository/policy" +) + +type IAMPrivacyPolicyWriteModel struct { + PrivacyPolicyWriteModel +} + +func NewIAMPrivacyPolicyWriteModel() *IAMPrivacyPolicyWriteModel { + return &IAMPrivacyPolicyWriteModel{ + PrivacyPolicyWriteModel{ + WriteModel: eventstore.WriteModel{ + AggregateID: domain.IAMID, + ResourceOwner: domain.IAMID, + }, + }, + } +} + +func (wm *IAMPrivacyPolicyWriteModel) AppendEvents(events ...eventstore.EventReader) { + for _, event := range events { + switch e := event.(type) { + case *iam.PrivacyPolicyAddedEvent: + wm.PrivacyPolicyWriteModel.AppendEvents(&e.PrivacyPolicyAddedEvent) + case *iam.PrivacyPolicyChangedEvent: + wm.PrivacyPolicyWriteModel.AppendEvents(&e.PrivacyPolicyChangedEvent) + } + } +} + +func (wm *IAMPrivacyPolicyWriteModel) Reduce() error { + return wm.PrivacyPolicyWriteModel.Reduce() +} + +func (wm *IAMPrivacyPolicyWriteModel) Query() *eventstore.SearchQueryBuilder { + return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType). + AggregateIDs(wm.PrivacyPolicyWriteModel.AggregateID). + ResourceOwner(wm.ResourceOwner). + EventTypes( + iam.PrivacyPolicyAddedEventType, + iam.PrivacyPolicyChangedEventType) +} + +func (wm *IAMPrivacyPolicyWriteModel) NewChangedEvent( + ctx context.Context, + aggregate *eventstore.Aggregate, + tosLink, + privacyLink string, +) (*iam.PrivacyPolicyChangedEvent, bool) { + + changes := make([]policy.PrivacyPolicyChanges, 0) + if wm.TOSLink != tosLink { + changes = append(changes, policy.ChangeTOSLink(tosLink)) + } + if wm.PrivacyLink != privacyLink { + changes = append(changes, policy.ChangePrivacyLink(privacyLink)) + } + if len(changes) == 0 { + return nil, false + } + changedEvent, err := iam.NewPrivacyPolicyChangedEvent(ctx, aggregate, changes) + if err != nil { + return nil, false + } + return changedEvent, true +} diff --git a/internal/command/iam_policy_privacy_test.go b/internal/command/iam_policy_privacy_test.go new file mode 100644 index 0000000000..8c0a2eaf5a --- /dev/null +++ b/internal/command/iam_policy_privacy_test.go @@ -0,0 +1,292 @@ +package command + +import ( + "context" + "github.com/caos/zitadel/internal/domain" + caos_errs "github.com/caos/zitadel/internal/errors" + "github.com/caos/zitadel/internal/eventstore" + "github.com/caos/zitadel/internal/eventstore/repository" + "github.com/caos/zitadel/internal/eventstore/v1/models" + "github.com/caos/zitadel/internal/repository/iam" + "github.com/caos/zitadel/internal/repository/policy" + "github.com/stretchr/testify/assert" + "testing" +) + +func TestCommandSide_AddDefaultPrivacyPolicy(t *testing.T) { + type fields struct { + eventstore *eventstore.Eventstore + } + type args struct { + ctx context.Context + policy *domain.PrivacyPolicy + } + type res struct { + want *domain.PrivacyPolicy + err func(error) bool + } + tests := []struct { + name string + fields fields + args args + res res + }{ + { + name: "privacy policy already existing, already exists error", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter( + eventFromEventPusher( + iam.NewPrivacyPolicyAddedEvent(context.Background(), + &iam.NewAggregate().Aggregate, + "TOSLink", + "PrivacyLink", + ), + ), + ), + ), + }, + args: args{ + ctx: context.Background(), + policy: &domain.PrivacyPolicy{ + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + }, + }, + res: res{ + err: caos_errs.IsErrorAlreadyExists, + }, + }, + { + name: "add policy,ok", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter(), + expectPush( + []*repository.Event{ + eventFromEventPusher( + iam.NewPrivacyPolicyAddedEvent(context.Background(), + &iam.NewAggregate().Aggregate, + "TOSLink", + "PrivacyLink", + ), + ), + }, + ), + ), + }, + args: args{ + ctx: context.Background(), + policy: &domain.PrivacyPolicy{ + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + }, + }, + res: res{ + want: &domain.PrivacyPolicy{ + ObjectRoot: models.ObjectRoot{ + AggregateID: "IAM", + ResourceOwner: "IAM", + }, + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + }, + }, + }, + { + name: "add empty policy,ok", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter(), + expectPush( + []*repository.Event{ + eventFromEventPusher( + iam.NewPrivacyPolicyAddedEvent(context.Background(), + &iam.NewAggregate().Aggregate, + "", + "", + ), + ), + }, + ), + ), + }, + args: args{ + ctx: context.Background(), + policy: &domain.PrivacyPolicy{ + TOSLink: "", + PrivacyLink: "", + }, + }, + res: res{ + want: &domain.PrivacyPolicy{ + ObjectRoot: models.ObjectRoot{ + AggregateID: "IAM", + ResourceOwner: "IAM", + }, + TOSLink: "", + PrivacyLink: "", + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &Commands{ + eventstore: tt.fields.eventstore, + } + got, err := r.AddDefaultPrivacyPolicy(tt.args.ctx, tt.args.policy) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + if tt.res.err == nil { + assert.Equal(t, tt.res.want, got) + } + }) + } +} + +func TestCommandSide_ChangeDefaultPrivacyPolicy(t *testing.T) { + type fields struct { + eventstore *eventstore.Eventstore + } + type args struct { + ctx context.Context + policy *domain.PrivacyPolicy + } + type res struct { + want *domain.PrivacyPolicy + err func(error) bool + } + tests := []struct { + name string + fields fields + args args + res res + }{ + { + name: "privacy policy not existing, not found error", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter(), + ), + }, + args: args{ + ctx: context.Background(), + policy: &domain.PrivacyPolicy{ + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + }, + }, + res: res{ + err: caos_errs.IsNotFound, + }, + }, + { + name: "no changes, precondition error", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter( + eventFromEventPusher( + iam.NewPrivacyPolicyAddedEvent(context.Background(), + &iam.NewAggregate().Aggregate, + "TOSLink", + "PrivacyLink", + ), + ), + ), + ), + }, + args: args{ + ctx: context.Background(), + policy: &domain.PrivacyPolicy{ + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + }, + }, + res: res{ + err: caos_errs.IsPreconditionFailed, + }, + }, + { + name: "change, ok", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter( + eventFromEventPusher( + iam.NewPrivacyPolicyAddedEvent(context.Background(), + &iam.NewAggregate().Aggregate, + "TOSLink", + "PrivacyLink", + ), + ), + ), + expectPush( + []*repository.Event{ + eventFromEventPusher( + newDefaultPrivacyPolicyChangedEvent(context.Background(), + "TOSLinkChanged", + "PrivacyLinkChanged", + ), + ), + }, + ), + ), + }, + args: args{ + ctx: context.Background(), + policy: &domain.PrivacyPolicy{ + TOSLink: "TOSLinkChanged", + PrivacyLink: "PrivacyLinkChanged", + }, + }, + res: res{ + want: &domain.PrivacyPolicy{ + ObjectRoot: models.ObjectRoot{ + AggregateID: "IAM", + ResourceOwner: "IAM", + }, + TOSLink: "TOSLinkChanged", + PrivacyLink: "PrivacyLinkChanged", + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &Commands{ + eventstore: tt.fields.eventstore, + } + got, err := r.ChangeDefaultPrivacyPolicy(tt.args.ctx, tt.args.policy) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + if tt.res.err == nil { + assert.Equal(t, tt.res.want, got) + } + }) + } +} + +func newDefaultPrivacyPolicyChangedEvent(ctx context.Context, tosLink, privacyLink string) *iam.PrivacyPolicyChangedEvent { + event, _ := iam.NewPrivacyPolicyChangedEvent(ctx, + &iam.NewAggregate().Aggregate, + []policy.PrivacyPolicyChanges{ + policy.ChangeTOSLink(tosLink), + policy.ChangePrivacyLink(privacyLink), + }, + ) + return event +} diff --git a/internal/command/org_converter.go b/internal/command/org_converter.go index 9564df1998..f149d3fee7 100644 --- a/internal/command/org_converter.go +++ b/internal/command/org_converter.go @@ -41,3 +41,11 @@ func orgDomainWriteModelToOrgDomain(wm *OrgDomainWriteModel) *domain.OrgDomain { ValidationCode: wm.ValidationCode, } } + +func orgWriteModelToPrivacyPolicy(wm *OrgPrivacyPolicyWriteModel) *domain.PrivacyPolicy { + return &domain.PrivacyPolicy{ + ObjectRoot: writeModelToObjectRoot(wm.PrivacyPolicyWriteModel.WriteModel), + TOSLink: wm.TOSLink, + PrivacyLink: wm.PrivacyLink, + } +} diff --git a/internal/command/org_features.go b/internal/command/org_features.go index 85be241c1f..9f57e9d7f5 100644 --- a/internal/command/org_features.go +++ b/internal/command/org_features.go @@ -41,6 +41,7 @@ func (c *Commands) SetOrgFeatures(ctx context.Context, resourceOwner string, fea features.LabelPolicyWatermark, features.CustomDomain, features.CustomText, + features.PrivacyPolicy, ) if !hasChanged { return nil, caos_errs.ThrowPreconditionFailed(nil, "Features-GE4h2", "Errors.Features.NotChanged") @@ -136,6 +137,15 @@ func (c *Commands) ensureOrgSettingsToFeatures(ctx context.Context, orgID string events = append(events, removeCustomTextEvents...) } } + if !features.PrivacyPolicy { + removePrivacyPolicyEvent, err := c.removePrivacyPolicyIfExists(ctx, orgID) + if err != nil { + return nil, err + } + if removePrivacyPolicyEvent != nil { + events = append(events, removePrivacyPolicyEvent) + } + } return events, nil } diff --git a/internal/command/org_features_model.go b/internal/command/org_features_model.go index fc40a496fb..06f9145a0d 100644 --- a/internal/command/org_features_model.go +++ b/internal/command/org_features_model.go @@ -72,7 +72,8 @@ func (wm *OrgFeaturesWriteModel) NewSetEvent( labelPolicyPrivateLabel, labelPolicyWatermark, customDomain, - customText bool, + customText, + privacyPolicy bool, ) (*org.FeaturesSetEvent, bool) { changes := make([]features.FeaturesChanges, 0) @@ -125,6 +126,9 @@ func (wm *OrgFeaturesWriteModel) NewSetEvent( if wm.CustomText != customText { changes = append(changes, features.ChangeCustomText(customText)) } + if wm.PrivacyPolicy != privacyPolicy { + changes = append(changes, features.ChangePrivacyPolicy(privacyPolicy)) + } if len(changes) == 0 { return nil, false diff --git a/internal/command/org_features_test.go b/internal/command/org_features_test.go index f902c1f438..86f845bdbe 100644 --- a/internal/command/org_features_test.go +++ b/internal/command/org_features_test.go @@ -239,6 +239,16 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) { ), ), ), + expectFilter( + eventFromEventPusher( + iam.NewPrivacyPolicyAddedEvent( + context.Background(), + &iam.NewAggregate().Aggregate, + "toslink", + "privacylink", + ), + ), + ), expectPush( []*repository.Event{ eventFromEventPusher( @@ -267,6 +277,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) { LabelPolicyWatermark: false, CustomDomain: false, CustomText: false, + PrivacyPolicy: false, }, }, res: res{ @@ -399,6 +410,16 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) { ), ), ), + expectFilter( + eventFromEventPusher( + iam.NewPrivacyPolicyAddedEvent( + context.Background(), + &iam.NewAggregate().Aggregate, + "toslink", + "privacylink", + ), + ), + ), expectPush( []*repository.Event{ eventFromEventPusher( @@ -572,6 +593,16 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) { ), ), ), + expectFilter( + eventFromEventPusher( + iam.NewPrivacyPolicyAddedEvent( + context.Background(), + &iam.NewAggregate().Aggregate, + "toslink", + "privacylink", + ), + ), + ), expectPush( []*repository.Event{ eventFromEventPusher( @@ -755,6 +786,16 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) { ), ), ), + expectFilter( + eventFromEventPusher( + iam.NewPrivacyPolicyAddedEvent( + context.Background(), + &iam.NewAggregate().Aggregate, + "toslink", + "privacylink", + ), + ), + ), expectPush( []*repository.Event{ eventFromEventPusher( @@ -993,6 +1034,16 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) { ), ), ), + expectFilter( + eventFromEventPusher( + org.NewPrivacyPolicyAddedEvent( + context.Background(), + &iam.NewAggregate().Aggregate, + "toslink", + "privacylink", + ), + ), + ), expectPush( []*repository.Event{ eventFromEventPusher( @@ -1016,6 +1067,9 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) { eventFromEventPusher( org.NewCustomTextTemplateRemovedEvent(context.Background(), &org.NewAggregate("org1", "org1").Aggregate, domain.InitCodeMessageType, language.English), ), + eventFromEventPusher( + org.NewPrivacyPolicyRemovedEvent(context.Background(), &org.NewAggregate("org1", "org1").Aggregate), + ), eventFromEventPusher( newFeaturesSetEvent(context.Background(), "org1", "Test", domain.FeaturesStateActive, time.Hour), ), @@ -1221,6 +1275,16 @@ func TestCommandSide_RemoveOrgFeatures(t *testing.T) { ), ), ), + expectFilter( + eventFromEventPusher( + iam.NewPrivacyPolicyAddedEvent( + context.Background(), + &iam.NewAggregate().Aggregate, + "toslink", + "privacylink", + ), + ), + ), expectPush( []*repository.Event{ eventFromEventPusher( diff --git a/internal/command/org_policy_privacy.go b/internal/command/org_policy_privacy.go new file mode 100644 index 0000000000..bfa75d2c00 --- /dev/null +++ b/internal/command/org_policy_privacy.go @@ -0,0 +1,135 @@ +package command + +import ( + "context" + + "github.com/caos/zitadel/internal/domain" + caos_errs "github.com/caos/zitadel/internal/errors" + "github.com/caos/zitadel/internal/repository/org" +) + +func (c *Commands) getOrgPrivacyPolicy(ctx context.Context, orgID string) (*domain.PrivacyPolicy, error) { + policy, err := c.orgPrivacyPolicyWriteModelByID(ctx, orgID) + if err != nil { + return nil, err + } + if policy.State == domain.PolicyStateActive { + return orgWriteModelToPrivacyPolicy(policy), nil + } + return c.getDefaultPrivacyPolicy(ctx) +} + +func (c *Commands) orgPrivacyPolicyWriteModelByID(ctx context.Context, orgID string) (*OrgPrivacyPolicyWriteModel, error) { + policy := NewOrgPrivacyPolicyWriteModel(orgID) + err := c.eventstore.FilterToQueryReducer(ctx, policy) + if err != nil { + return nil, err + } + return policy, nil +} + +func (c *Commands) AddPrivacyPolicy(ctx context.Context, resourceOwner string, policy *domain.PrivacyPolicy) (*domain.PrivacyPolicy, error) { + if resourceOwner == "" { + return nil, caos_errs.ThrowInvalidArgument(nil, "Org-MMk9fs", "Errors.ResourceOwnerMissing") + } + addedPolicy := NewOrgPrivacyPolicyWriteModel(resourceOwner) + err := c.eventstore.FilterToQueryReducer(ctx, addedPolicy) + if err != nil { + return nil, err + } + if addedPolicy.State == domain.PolicyStateActive { + return nil, caos_errs.ThrowAlreadyExists(nil, "Org-0oLpd", "Errors.Org.PrivacyPolicy.AlreadyExists") + } + + orgAgg := OrgAggregateFromWriteModel(&addedPolicy.WriteModel) + pushedEvents, err := c.eventstore.PushEvents( + ctx, + org.NewPrivacyPolicyAddedEvent( + ctx, + orgAgg, + policy.TOSLink, + policy.PrivacyLink)) + if err != nil { + return nil, err + } + err = AppendAndReduce(addedPolicy, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToPrivacyPolicy(&addedPolicy.PrivacyPolicyWriteModel), nil +} + +func (c *Commands) ChangePrivacyPolicy(ctx context.Context, resourceOwner string, policy *domain.PrivacyPolicy) (*domain.PrivacyPolicy, error) { + if resourceOwner == "" { + return nil, caos_errs.ThrowInvalidArgument(nil, "Org-22N89f", "Errors.ResourceOwnerMissing") + } + + existingPolicy := NewOrgPrivacyPolicyWriteModel(resourceOwner) + err := c.eventstore.FilterToQueryReducer(ctx, existingPolicy) + if err != nil { + return nil, err + } + if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved { + return nil, caos_errs.ThrowNotFound(nil, "ORG-Ng8sf", "Errors.Org.PrivacyPolicy.NotFound") + } + + orgAgg := OrgAggregateFromWriteModel(&existingPolicy.PrivacyPolicyWriteModel.WriteModel) + changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, orgAgg, policy.TOSLink, policy.PrivacyLink) + if !hasChanged { + return nil, caos_errs.ThrowPreconditionFailed(nil, "Org-4N9fs", "Errors.Org.PrivacyPolicy.NotChanged") + } + + pushedEvents, err := c.eventstore.PushEvents(ctx, changedEvent) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingPolicy, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToPrivacyPolicy(&existingPolicy.PrivacyPolicyWriteModel), nil +} + +func (c *Commands) RemovePrivacyPolicy(ctx context.Context, orgID string) (*domain.ObjectDetails, error) { + if orgID == "" { + return nil, caos_errs.ThrowInvalidArgument(nil, "Org-Nf9sf", "Errors.ResourceOwnerMissing") + } + existingPolicy := NewOrgPrivacyPolicyWriteModel(orgID) + event, err := c.removePrivacyPolicy(ctx, existingPolicy) + if err != nil { + return nil, err + } + pushedEvents, err := c.eventstore.PushEvents(ctx, event) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingPolicy, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingPolicy.PrivacyPolicyWriteModel.WriteModel), nil +} + +func (c *Commands) removePrivacyPolicy(ctx context.Context, existingPolicy *OrgPrivacyPolicyWriteModel) (*org.PrivacyPolicyRemovedEvent, error) { + err := c.eventstore.FilterToQueryReducer(ctx, existingPolicy) + if err != nil { + return nil, err + } + if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved { + return nil, caos_errs.ThrowNotFound(nil, "ORG-Ze9gs", "Errors.Org.PrivacyPolicy.NotFound") + } + orgAgg := OrgAggregateFromWriteModel(&existingPolicy.WriteModel) + return org.NewPrivacyPolicyRemovedEvent(ctx, orgAgg), nil +} + +func (c *Commands) removePrivacyPolicyIfExists(ctx context.Context, orgID string) (*org.PrivacyPolicyRemovedEvent, error) { + existingPolicy, err := c.orgPrivacyPolicyWriteModelByID(ctx, orgID) + if err != nil { + return nil, err + } + if existingPolicy.State != domain.PolicyStateActive { + return nil, nil + } + orgAgg := OrgAggregateFromWriteModel(&existingPolicy.WriteModel) + return org.NewPrivacyPolicyRemovedEvent(ctx, orgAgg), nil +} diff --git a/internal/command/org_policy_privacy_model.go b/internal/command/org_policy_privacy_model.go new file mode 100644 index 0000000000..d4a0384e17 --- /dev/null +++ b/internal/command/org_policy_privacy_model.go @@ -0,0 +1,74 @@ +package command + +import ( + "context" + "github.com/caos/zitadel/internal/eventstore" + + "github.com/caos/zitadel/internal/repository/org" + "github.com/caos/zitadel/internal/repository/policy" +) + +type OrgPrivacyPolicyWriteModel struct { + PrivacyPolicyWriteModel +} + +func NewOrgPrivacyPolicyWriteModel(orgID string) *OrgPrivacyPolicyWriteModel { + return &OrgPrivacyPolicyWriteModel{ + PrivacyPolicyWriteModel{ + WriteModel: eventstore.WriteModel{ + AggregateID: orgID, + ResourceOwner: orgID, + }, + }, + } +} + +func (wm *OrgPrivacyPolicyWriteModel) AppendEvents(events ...eventstore.EventReader) { + for _, event := range events { + switch e := event.(type) { + case *org.PrivacyPolicyAddedEvent: + wm.PrivacyPolicyWriteModel.AppendEvents(&e.PrivacyPolicyAddedEvent) + case *org.PrivacyPolicyChangedEvent: + wm.PrivacyPolicyWriteModel.AppendEvents(&e.PrivacyPolicyChangedEvent) + case *org.PrivacyPolicyRemovedEvent: + wm.PrivacyPolicyWriteModel.AppendEvents(&e.PrivacyPolicyRemovedEvent) + } + } +} + +func (wm *OrgPrivacyPolicyWriteModel) Reduce() error { + return wm.PrivacyPolicyWriteModel.Reduce() +} + +func (wm *OrgPrivacyPolicyWriteModel) Query() *eventstore.SearchQueryBuilder { + return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, org.AggregateType). + AggregateIDs(wm.PrivacyPolicyWriteModel.AggregateID). + ResourceOwner(wm.ResourceOwner). + EventTypes(org.PrivacyPolicyAddedEventType, + org.PrivacyPolicyChangedEventType, + org.PrivacyPolicyRemovedEventType) +} + +func (wm *OrgPrivacyPolicyWriteModel) NewChangedEvent( + ctx context.Context, + aggregate *eventstore.Aggregate, + tosLink, + privacyLink string, +) (*org.PrivacyPolicyChangedEvent, bool) { + + changes := make([]policy.PrivacyPolicyChanges, 0) + if wm.TOSLink != tosLink { + changes = append(changes, policy.ChangeTOSLink(tosLink)) + } + if wm.PrivacyLink != privacyLink { + changes = append(changes, policy.ChangePrivacyLink(privacyLink)) + } + if len(changes) == 0 { + return nil, false + } + changedEvent, err := org.NewPrivacyPolicyChangedEvent(ctx, aggregate, changes) + if err != nil { + return nil, false + } + return changedEvent, true +} diff --git a/internal/command/org_policy_privacy_test.go b/internal/command/org_policy_privacy_test.go new file mode 100644 index 0000000000..ba762371cb --- /dev/null +++ b/internal/command/org_policy_privacy_test.go @@ -0,0 +1,479 @@ +package command + +import ( + "context" + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/caos/zitadel/internal/domain" + caos_errs "github.com/caos/zitadel/internal/errors" + "github.com/caos/zitadel/internal/eventstore" + "github.com/caos/zitadel/internal/eventstore/repository" + "github.com/caos/zitadel/internal/eventstore/v1/models" + "github.com/caos/zitadel/internal/repository/org" + "github.com/caos/zitadel/internal/repository/policy" +) + +func TestCommandSide_AddPrivacyPolicy(t *testing.T) { + type fields struct { + eventstore *eventstore.Eventstore + } + type args struct { + ctx context.Context + orgID string + policy *domain.PrivacyPolicy + } + type res struct { + want *domain.PrivacyPolicy + err func(error) bool + } + tests := []struct { + name string + fields fields + args args + res res + }{ + { + name: "org id missing, invalid argument error", + fields: fields{ + eventstore: eventstoreExpect( + t, + ), + }, + args: args{ + ctx: context.Background(), + policy: &domain.PrivacyPolicy{ + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + }, + }, + res: res{ + err: caos_errs.IsErrorInvalidArgument, + }, + }, + { + name: "policy already existing, already exists error", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter( + eventFromEventPusher( + org.NewPrivacyPolicyAddedEvent(context.Background(), + &org.NewAggregate("org1", "org1").Aggregate, + "TOSLink", + "PrivacyLink", + ), + ), + ), + ), + }, + args: args{ + ctx: context.Background(), + orgID: "org1", + policy: &domain.PrivacyPolicy{ + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + }, + }, + res: res{ + err: caos_errs.IsErrorAlreadyExists, + }, + }, + { + name: "add policy,ok", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter(), + expectPush( + []*repository.Event{ + eventFromEventPusher( + org.NewPrivacyPolicyAddedEvent(context.Background(), + &org.NewAggregate("org1", "org1").Aggregate, + "TOSLink", + "PrivacyLink", + ), + ), + }, + ), + ), + }, + args: args{ + ctx: context.Background(), + orgID: "org1", + policy: &domain.PrivacyPolicy{ + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + }, + }, + res: res{ + want: &domain.PrivacyPolicy{ + ObjectRoot: models.ObjectRoot{ + AggregateID: "org1", + ResourceOwner: "org1", + }, + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + }, + }, + }, + { + name: "add policy empty links, ok", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter(), + expectPush( + []*repository.Event{ + eventFromEventPusher( + org.NewPrivacyPolicyAddedEvent(context.Background(), + &org.NewAggregate("org1", "org1").Aggregate, + "", + "", + ), + ), + }, + ), + ), + }, + args: args{ + ctx: context.Background(), + orgID: "org1", + policy: &domain.PrivacyPolicy{ + TOSLink: "", + PrivacyLink: "", + }, + }, + res: res{ + want: &domain.PrivacyPolicy{ + ObjectRoot: models.ObjectRoot{ + AggregateID: "org1", + ResourceOwner: "org1", + }, + TOSLink: "", + PrivacyLink: "", + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &Commands{ + eventstore: tt.fields.eventstore, + } + got, err := r.AddPrivacyPolicy(tt.args.ctx, tt.args.orgID, tt.args.policy) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + if tt.res.err == nil { + assert.Equal(t, tt.res.want, got) + } + }) + } +} + +func TestCommandSide_ChangePrivacyPolicy(t *testing.T) { + type fields struct { + eventstore *eventstore.Eventstore + } + type args struct { + ctx context.Context + orgID string + policy *domain.PrivacyPolicy + } + type res struct { + want *domain.PrivacyPolicy + err func(error) bool + } + tests := []struct { + name string + fields fields + args args + res res + }{ + { + name: "org id missing, invalid argument error", + fields: fields{ + eventstore: eventstoreExpect( + t, + ), + }, + args: args{ + ctx: context.Background(), + policy: &domain.PrivacyPolicy{ + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + }, + }, + res: res{ + err: caos_errs.IsErrorInvalidArgument, + }, + }, + { + name: "policy not existing, not found error", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter(), + ), + }, + args: args{ + ctx: context.Background(), + orgID: "org1", + policy: &domain.PrivacyPolicy{ + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + }, + }, + res: res{ + err: caos_errs.IsNotFound, + }, + }, + { + name: "no changes, precondition error", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter( + eventFromEventPusher( + org.NewPrivacyPolicyAddedEvent(context.Background(), + &org.NewAggregate("org1", "org1").Aggregate, + "TOSLink", + "PrivacyLink", + ), + ), + ), + ), + }, + args: args{ + ctx: context.Background(), + orgID: "org1", + policy: &domain.PrivacyPolicy{ + TOSLink: "TOSLink", + PrivacyLink: "PrivacyLink", + }, + }, + res: res{ + err: caos_errs.IsPreconditionFailed, + }, + }, + { + name: "change, ok", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter( + eventFromEventPusher( + org.NewPrivacyPolicyAddedEvent(context.Background(), + &org.NewAggregate("org1", "org1").Aggregate, + "TOSLink", + "PrivacyLink", + ), + ), + ), + expectPush( + []*repository.Event{ + eventFromEventPusher( + newPrivacyPolicyChangedEvent(context.Background(), "org1", "TOSLinkChange", "PrivacyLinkChange"), + ), + }, + ), + ), + }, + args: args{ + ctx: context.Background(), + orgID: "org1", + policy: &domain.PrivacyPolicy{ + TOSLink: "TOSLinkChange", + PrivacyLink: "PrivacyLinkChange", + }, + }, + res: res{ + want: &domain.PrivacyPolicy{ + ObjectRoot: models.ObjectRoot{ + AggregateID: "org1", + ResourceOwner: "org1", + }, + TOSLink: "TOSLinkChange", + PrivacyLink: "PrivacyLinkChange", + }, + }, + }, + { + name: "change to empty links, ok", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter( + eventFromEventPusher( + org.NewPrivacyPolicyAddedEvent(context.Background(), + &org.NewAggregate("org1", "org1").Aggregate, + "TOSLink", + "PrivacyLink", + ), + ), + ), + expectPush( + []*repository.Event{ + eventFromEventPusher( + newPrivacyPolicyChangedEvent(context.Background(), "org1", "", ""), + ), + }, + ), + ), + }, + args: args{ + ctx: context.Background(), + orgID: "org1", + policy: &domain.PrivacyPolicy{ + TOSLink: "", + PrivacyLink: "", + }, + }, + res: res{ + want: &domain.PrivacyPolicy{ + ObjectRoot: models.ObjectRoot{ + AggregateID: "org1", + ResourceOwner: "org1", + }, + TOSLink: "", + PrivacyLink: "", + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &Commands{ + eventstore: tt.fields.eventstore, + } + got, err := r.ChangePrivacyPolicy(tt.args.ctx, tt.args.orgID, tt.args.policy) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + if tt.res.err == nil { + assert.Equal(t, tt.res.want, got) + } + }) + } +} + +func TestCommandSide_RemovePrivacyPolicy(t *testing.T) { + type fields struct { + eventstore *eventstore.Eventstore + } + type args struct { + ctx context.Context + orgID string + } + type res struct { + want *domain.ObjectDetails + err func(error) bool + } + tests := []struct { + name string + fields fields + args args + res res + }{ + { + name: "org id missing, invalid argument error", + fields: fields{ + eventstore: eventstoreExpect( + t, + ), + }, + args: args{ + ctx: context.Background(), + }, + res: res{ + err: caos_errs.IsErrorInvalidArgument, + }, + }, + { + name: "policy not existing, not found error", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter(), + ), + }, + args: args{ + ctx: context.Background(), + orgID: "org1", + }, + res: res{ + err: caos_errs.IsNotFound, + }, + }, + { + name: "remove, ok", + fields: fields{ + eventstore: eventstoreExpect( + t, + expectFilter( + eventFromEventPusher( + org.NewPrivacyPolicyAddedEvent(context.Background(), + &org.NewAggregate("org1", "org1").Aggregate, + "TOSLink", + "PrivacyLink", + ), + ), + ), + expectPush( + []*repository.Event{ + eventFromEventPusher( + org.NewPrivacyPolicyRemovedEvent(context.Background(), + &org.NewAggregate("org1", "org1").Aggregate), + ), + }, + ), + ), + }, + args: args{ + ctx: context.Background(), + orgID: "org1", + }, + res: res{ + want: &domain.ObjectDetails{ + ResourceOwner: "org1", + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &Commands{ + eventstore: tt.fields.eventstore, + } + got, err := r.RemovePrivacyPolicy(tt.args.ctx, tt.args.orgID) + if tt.res.err == nil { + assert.NoError(t, err) + } + if tt.res.err != nil && !tt.res.err(err) { + t.Errorf("got wrong err: %v ", err) + } + if tt.res.err == nil { + assert.Equal(t, tt.res.want, got) + } + }) + } +} + +func newPrivacyPolicyChangedEvent(ctx context.Context, orgID string, tosLink, privacyLink string) *org.PrivacyPolicyChangedEvent { + event, _ := org.NewPrivacyPolicyChangedEvent(ctx, + &org.NewAggregate(orgID, orgID).Aggregate, + []policy.PrivacyPolicyChanges{ + policy.ChangeTOSLink(tosLink), + policy.ChangePrivacyLink(privacyLink), + }, + ) + return event +} diff --git a/internal/command/policy_privacy_model.go b/internal/command/policy_privacy_model.go new file mode 100644 index 0000000000..07e489f447 --- /dev/null +++ b/internal/command/policy_privacy_model.go @@ -0,0 +1,36 @@ +package command + +import ( + "github.com/caos/zitadel/internal/domain" + "github.com/caos/zitadel/internal/eventstore" + "github.com/caos/zitadel/internal/repository/policy" +) + +type PrivacyPolicyWriteModel struct { + eventstore.WriteModel + + TOSLink string + PrivacyLink string + State domain.PolicyState +} + +func (wm *PrivacyPolicyWriteModel) Reduce() error { + for _, event := range wm.Events { + switch e := event.(type) { + case *policy.PrivacyPolicyAddedEvent: + wm.TOSLink = e.TOSLink + wm.PrivacyLink = e.PrivacyLink + wm.State = domain.PolicyStateActive + case *policy.PrivacyPolicyChangedEvent: + if e.PrivacyLink != nil { + wm.PrivacyLink = *e.PrivacyLink + } + if e.TOSLink != nil { + wm.TOSLink = *e.TOSLink + } + case *policy.PrivacyPolicyRemovedEvent: + wm.State = domain.PolicyStateRemoved + } + } + return wm.WriteModel.Reduce() +} diff --git a/internal/command/setup_step17.go b/internal/command/setup_step17.go new file mode 100644 index 0000000000..63d3e3d9e3 --- /dev/null +++ b/internal/command/setup_step17.go @@ -0,0 +1,35 @@ +package command + +import ( + "context" + "github.com/caos/logging" + "github.com/caos/zitadel/internal/domain" + "github.com/caos/zitadel/internal/eventstore" +) + +type Step17 struct { + PrivacyPolicy domain.PrivacyPolicy +} + +func (s *Step17) Step() domain.Step { + return domain.Step17 +} + +func (s *Step17) execute(ctx context.Context, commandSide *Commands) error { + return commandSide.SetupStep17(ctx, s) +} + +func (c *Commands) SetupStep17(ctx context.Context, step *Step17) error { + fn := func(iam *IAMWriteModel) ([]eventstore.EventPusher, error) { + iamAgg := IAMAggregateFromWriteModel(&iam.WriteModel) + addedPolicy := NewIAMPrivacyPolicyWriteModel() + events, err := c.addDefaultPrivacyPolicy(ctx, iamAgg, addedPolicy, &step.PrivacyPolicy) + if err != nil { + return nil, err + } + + logging.Log("SETUP-N9sq2").Info("default privacy policy set up") + return []eventstore.EventPusher{events}, nil + } + return c.setup(ctx, step, fn) +} diff --git a/internal/domain/auth_request.go b/internal/domain/auth_request.go index 21ea1aba18..f2c4eb923c 100644 --- a/internal/domain/auth_request.go +++ b/internal/domain/auth_request.go @@ -47,6 +47,7 @@ type AuthRequest struct { LoginPolicy *LoginPolicy AllowedExternalIDPs []*IDPProvider LabelPolicy *LabelPolicy + PrivacyPolicy *PrivacyPolicy } type ExternalUser struct { diff --git a/internal/domain/features.go b/internal/domain/features.go index ff49486e19..b07f35dfe6 100644 --- a/internal/domain/features.go +++ b/internal/domain/features.go @@ -20,6 +20,7 @@ const ( FeatureLabelPolicyWatermark = FeatureLabelPolicy + ".watermark" FeatureCustomText = "custom_text" FeatureCustomDomain = "custom_domain" + FeaturePrivacyPolicy = "privacy_policy" ) type Features struct { @@ -43,6 +44,7 @@ type Features struct { LabelPolicyWatermark bool CustomDomain bool CustomText bool + PrivacyPolicy bool } type FeaturesState int32 diff --git a/internal/domain/policy_privacy.go b/internal/domain/policy_privacy.go new file mode 100644 index 0000000000..9eb58f3897 --- /dev/null +++ b/internal/domain/policy_privacy.go @@ -0,0 +1,15 @@ +package domain + +import ( + "github.com/caos/zitadel/internal/eventstore/v1/models" +) + +type PrivacyPolicy struct { + models.ObjectRoot + + State PolicyState + Default bool + + TOSLink string + PrivacyLink string +} diff --git a/internal/domain/step.go b/internal/domain/step.go index f93642cf8f..9ea39ca770 100644 --- a/internal/domain/step.go +++ b/internal/domain/step.go @@ -19,6 +19,7 @@ const ( Step14 Step15 Step16 + Step17 //StepCount marks the the length of possible steps (StepCount-1 == last possible step) StepCount ) diff --git a/internal/features/model/features_view.go b/internal/features/model/features_view.go index d2fdf24c3e..4cf7519a2b 100644 --- a/internal/features/model/features_view.go +++ b/internal/features/model/features_view.go @@ -29,6 +29,7 @@ type FeaturesView struct { LabelPolicyWatermark bool CustomDomain bool CustomText bool + PrivacyPolicy bool } func (f *FeaturesView) FeatureList() []string { @@ -66,6 +67,9 @@ func (f *FeaturesView) FeatureList() []string { if f.CustomText { list = append(list, domain.FeatureCustomText) } + if f.PrivacyPolicy { + list = append(list, domain.FeaturePrivacyPolicy) + } return list } diff --git a/internal/features/repository/view/model/features.go b/internal/features/repository/view/model/features.go index ca8dc1af38..b8fe4819ff 100644 --- a/internal/features/repository/view/model/features.go +++ b/internal/features/repository/view/model/features.go @@ -43,6 +43,7 @@ type FeaturesView struct { LabelPolicyWatermark bool `json:"labelPolicyWatermark" gorm:"column:label_policy_watermark"` CustomDomain bool `json:"customDomain" gorm:"column:custom_domain"` CustomText bool `json:"customText" gorm:"column:custom_text"` + PrivacyPolicy bool `json:"privacyPolicy" gorm:"column:privacy_policy"` } func FeaturesToModel(features *FeaturesView) *features_model.FeaturesView { @@ -68,6 +69,7 @@ func FeaturesToModel(features *FeaturesView) *features_model.FeaturesView { LabelPolicyWatermark: features.LabelPolicyWatermark, CustomDomain: features.CustomDomain, CustomText: features.CustomText, + PrivacyPolicy: features.PrivacyPolicy, } } diff --git a/internal/iam/model/privacy_policy_view.go b/internal/iam/model/privacy_policy_view.go new file mode 100644 index 0000000000..d0bcce3b1c --- /dev/null +++ b/internal/iam/model/privacy_policy_view.go @@ -0,0 +1,48 @@ +package model + +import ( + "time" + + "github.com/caos/zitadel/internal/domain" +) + +type PrivacyPolicyView struct { + AggregateID string + TOSLink string + PrivacyLink string + Default bool + + CreationDate time.Time + ChangeDate time.Time + Sequence uint64 +} + +type PrivacyPolicySearchRequest struct { + Offset uint64 + Limit uint64 + SortingColumn PrivacyPolicySearchKey + Asc bool + Queries []*PrivacyPolicySearchQuery +} + +type PrivacyPolicySearchKey int32 + +const ( + PrivacyPolicySearchKeyUnspecified PrivacyPolicySearchKey = iota + PrivacyPolicySearchKeyAggregateID +) + +type PrivacyPolicySearchQuery struct { + Key PrivacyPolicySearchKey + Method domain.SearchMethod + Value interface{} +} + +type PrivacyPolicySearchResponse struct { + Offset uint64 + Limit uint64 + TotalResult uint64 + Result []*PrivacyPolicyView + Sequence uint64 + Timestamp time.Time +} diff --git a/internal/iam/repository/eventsourcing/model/types.go b/internal/iam/repository/eventsourcing/model/types.go index d538aaed52..2f7d431cb7 100644 --- a/internal/iam/repository/eventsourcing/model/types.go +++ b/internal/iam/repository/eventsourcing/model/types.go @@ -67,6 +67,9 @@ const ( PasswordLockoutPolicyAdded models.EventType = "iam.policy.password.lockout.added" PasswordLockoutPolicyChanged models.EventType = "iam.policy.password.lockout.changed" + PrivacyPolicyAdded models.EventType = "iam.policy.privacy.added" + PrivacyPolicyChanged models.EventType = "iam.policy.privacy.changed" + OrgIAMPolicyAdded models.EventType = "iam.policy.org.iam.added" OrgIAMPolicyChanged models.EventType = "iam.policy.org.iam.changed" ) diff --git a/internal/iam/repository/view/model/privacy_policy.go b/internal/iam/repository/view/model/privacy_policy.go new file mode 100644 index 0000000000..d66f0af276 --- /dev/null +++ b/internal/iam/repository/view/model/privacy_policy.go @@ -0,0 +1,98 @@ +package model + +import ( + "encoding/json" + "time" + + "github.com/caos/zitadel/internal/domain" + org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model" + + es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model" + + "github.com/caos/logging" + + caos_errs "github.com/caos/zitadel/internal/errors" + "github.com/caos/zitadel/internal/eventstore/v1/models" + "github.com/caos/zitadel/internal/iam/model" +) + +const ( + PrivacyKeyAggregateID = "aggregate_id" +) + +type PrivacyPolicyView struct { + AggregateID string `json:"-" gorm:"column:aggregate_id;primary_key"` + CreationDate time.Time `json:"-" gorm:"column:creation_date"` + ChangeDate time.Time `json:"-" gorm:"column:change_date"` + State int32 `json:"-" gorm:"column:state"` + + TOSLink string `json:"tosLink" gorm:"column:tos_link"` + PrivacyLink string `json:"privacyLink" gorm:"column:privacy_link"` + Default bool `json:"-" gorm:"-"` + + Sequence uint64 `json:"-" gorm:"column:sequence"` +} + +func PrivacyViewFromModel(policy *model.PrivacyPolicyView) *PrivacyPolicyView { + return &PrivacyPolicyView{ + AggregateID: policy.AggregateID, + Sequence: policy.Sequence, + CreationDate: policy.CreationDate, + ChangeDate: policy.ChangeDate, + TOSLink: policy.TOSLink, + PrivacyLink: policy.PrivacyLink, + Default: policy.Default, + } +} + +func PrivacyViewToModel(policy *PrivacyPolicyView) *model.PrivacyPolicyView { + return &model.PrivacyPolicyView{ + AggregateID: policy.AggregateID, + Sequence: policy.Sequence, + CreationDate: policy.CreationDate, + ChangeDate: policy.ChangeDate, + TOSLink: policy.TOSLink, + PrivacyLink: policy.PrivacyLink, + Default: policy.Default, + } +} + +func (p *PrivacyPolicyView) ToDomain() *domain.PrivacyPolicy { + return &domain.PrivacyPolicy{ + ObjectRoot: models.ObjectRoot{ + AggregateID: p.AggregateID, + CreationDate: p.CreationDate, + ChangeDate: p.ChangeDate, + Sequence: p.Sequence, + }, + Default: p.Default, + TOSLink: p.TOSLink, + PrivacyLink: p.PrivacyLink, + } +} + +func (i *PrivacyPolicyView) AppendEvent(event *models.Event) (err error) { + i.Sequence = event.Sequence + i.ChangeDate = event.CreationDate + switch event.Type { + case es_model.PrivacyPolicyAdded, org_es_model.PrivacyPolicyAdded: + i.setRootData(event) + i.CreationDate = event.CreationDate + err = i.SetData(event) + case es_model.PrivacyPolicyChanged, org_es_model.PrivacyPolicyChanged: + err = i.SetData(event) + } + return err +} + +func (r *PrivacyPolicyView) setRootData(event *models.Event) { + r.AggregateID = event.AggregateID +} + +func (r *PrivacyPolicyView) SetData(event *models.Event) error { + if err := json.Unmarshal(event.Data, r); err != nil { + logging.Log("EVEN-gHls0").WithError(err).Error("could not unmarshal event data") + return caos_errs.ThrowInternal(err, "MODEL-Hs8uf", "Could not unmarshal data") + } + return nil +} diff --git a/internal/iam/repository/view/model/privacy_policy_query.go b/internal/iam/repository/view/model/privacy_policy_query.go new file mode 100644 index 0000000000..b8daf2e93b --- /dev/null +++ b/internal/iam/repository/view/model/privacy_policy_query.go @@ -0,0 +1,59 @@ +package model + +import ( + "github.com/caos/zitadel/internal/domain" + iam_model "github.com/caos/zitadel/internal/iam/model" + "github.com/caos/zitadel/internal/view/repository" +) + +type PrivacyPolicySearchRequest iam_model.PrivacyPolicySearchRequest +type PrivacyPolicySearchQuery iam_model.PrivacyPolicySearchQuery +type PrivacyPolicySearchKey iam_model.PrivacyPolicySearchKey + +func (req PrivacyPolicySearchRequest) GetLimit() uint64 { + return req.Limit +} + +func (req PrivacyPolicySearchRequest) GetOffset() uint64 { + return req.Offset +} + +func (req PrivacyPolicySearchRequest) GetSortingColumn() repository.ColumnKey { + if req.SortingColumn == iam_model.PrivacyPolicySearchKeyUnspecified { + return nil + } + return PrivacyPolicySearchKey(req.SortingColumn) +} + +func (req PrivacyPolicySearchRequest) GetAsc() bool { + return req.Asc +} + +func (req PrivacyPolicySearchRequest) GetQueries() []repository.SearchQuery { + result := make([]repository.SearchQuery, len(req.Queries)) + for i, q := range req.Queries { + result[i] = PrivacyPolicySearchQuery{Key: q.Key, Value: q.Value, Method: q.Method} + } + return result +} + +func (req PrivacyPolicySearchQuery) GetKey() repository.ColumnKey { + return PrivacyPolicySearchKey(req.Key) +} + +func (req PrivacyPolicySearchQuery) GetMethod() domain.SearchMethod { + return req.Method +} + +func (req PrivacyPolicySearchQuery) GetValue() interface{} { + return req.Value +} + +func (key PrivacyPolicySearchKey) ToColumnName() string { + switch iam_model.PrivacyPolicySearchKey(key) { + case iam_model.PrivacyPolicySearchKeyAggregateID: + return PrivacyKeyAggregateID + default: + return "" + } +} diff --git a/internal/iam/repository/view/privacy_policy_view.go b/internal/iam/repository/view/privacy_policy_view.go new file mode 100644 index 0000000000..e53eea9ee6 --- /dev/null +++ b/internal/iam/repository/view/privacy_policy_view.go @@ -0,0 +1,32 @@ +package view + +import ( + "github.com/caos/zitadel/internal/domain" + caos_errs "github.com/caos/zitadel/internal/errors" + iam_model "github.com/caos/zitadel/internal/iam/model" + "github.com/caos/zitadel/internal/iam/repository/view/model" + "github.com/caos/zitadel/internal/view/repository" + "github.com/jinzhu/gorm" +) + +func GetPrivacyPolicyByAggregateID(db *gorm.DB, table, aggregateID string) (*model.PrivacyPolicyView, error) { + policy := new(model.PrivacyPolicyView) + aggregateIDQuery := &model.PrivacyPolicySearchQuery{Key: iam_model.PrivacyPolicySearchKeyAggregateID, Value: aggregateID, Method: domain.SearchMethodEquals} + query := repository.PrepareGetByQuery(table, aggregateIDQuery) + err := query(db, policy) + if caos_errs.IsNotFound(err) { + return nil, caos_errs.ThrowNotFound(nil, "VIEW-2N9fs", "Errors.IAM.PrivacyPolicy.NotExisting") + } + return policy, err +} + +func PutPrivacyPolicy(db *gorm.DB, table string, policy *model.PrivacyPolicyView) error { + save := repository.PrepareSave(table) + return save(db, policy) +} + +func DeletePrivacyPolicy(db *gorm.DB, table, aggregateID string) error { + delete := repository.PrepareDeleteByKey(table, model.PrivacyPolicySearchKey(iam_model.PrivacyPolicySearchKeyAggregateID), aggregateID) + + return delete(db) +} diff --git a/internal/management/repository/eventsourcing/eventstore/org.go b/internal/management/repository/eventsourcing/eventstore/org.go index fa65372211..a1eba7a215 100644 --- a/internal/management/repository/eventsourcing/eventstore/org.go +++ b/internal/management/repository/eventsourcing/eventstore/org.go @@ -526,6 +526,23 @@ func (repo *OrgRepository) GetDefaultPasswordLockoutPolicy(ctx context.Context) return iam_es_model.PasswordLockoutViewToModel(policy), nil } +func (repo *OrgRepository) GetPrivacyPolicy(ctx context.Context) (*iam_model.PrivacyPolicyView, error) { + policy, err := repo.View.PrivacyPolicyByAggregateID(authz.GetCtxData(ctx).OrgID) + if errors.IsNotFound(err) { + return repo.GetDefaultPrivacyPolicy(ctx) + } + return iam_es_model.PrivacyViewToModel(policy), nil +} + +func (repo *OrgRepository) GetDefaultPrivacyPolicy(ctx context.Context) (*iam_model.PrivacyPolicyView, error) { + policy, err := repo.View.PrivacyPolicyByAggregateID(repo.SystemDefaults.IamID) + if err != nil { + return nil, err + } + policy.Default = true + return iam_es_model.PrivacyViewToModel(policy), nil +} + func (repo *OrgRepository) GetDefaultMailTemplate(ctx context.Context) (*iam_model.MailTemplateView, error) { template, err := repo.View.MailTemplateByAggregateID(repo.SystemDefaults.IamID) if err != nil { diff --git a/internal/management/repository/eventsourcing/handler/handler.go b/internal/management/repository/eventsourcing/handler/handler.go index 1610db3d36..8e7bc46168 100644 --- a/internal/management/repository/eventsourcing/handler/handler.go +++ b/internal/management/repository/eventsourcing/handler/handler.go @@ -81,6 +81,8 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es handler{view, bulkLimit, configs.cycleDuration("MessageText"), errorCount, es}), newFeatures( handler{view, bulkLimit, configs.cycleDuration("Features"), errorCount, es}), + newPrivacyPolicy( + handler{view, bulkLimit, configs.cycleDuration("PrivacyPolicy"), errorCount, es}), } } diff --git a/internal/management/repository/eventsourcing/handler/privacy_policy.go b/internal/management/repository/eventsourcing/handler/privacy_policy.go new file mode 100644 index 0000000000..39a8fd6bdb --- /dev/null +++ b/internal/management/repository/eventsourcing/handler/privacy_policy.go @@ -0,0 +1,106 @@ +package handler + +import ( + "github.com/caos/logging" + "github.com/caos/zitadel/internal/eventstore/v1" + iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model" + + es_models "github.com/caos/zitadel/internal/eventstore/v1/models" + "github.com/caos/zitadel/internal/eventstore/v1/query" + "github.com/caos/zitadel/internal/eventstore/v1/spooler" + iam_model "github.com/caos/zitadel/internal/iam/repository/view/model" + "github.com/caos/zitadel/internal/org/repository/eventsourcing/model" +) + +const ( + privacyPolicyTable = "management.privacy_policies" +) + +type PrivacyPolicy struct { + handler + subscription *v1.Subscription +} + +func newPrivacyPolicy(handler handler) *PrivacyPolicy { + h := &PrivacyPolicy{ + handler: handler, + } + + h.subscribe() + + return h +} + +func (p *PrivacyPolicy) subscribe() { + p.subscription = p.es.Subscribe(p.AggregateTypes()...) + go func() { + for event := range p.subscription.Events { + query.ReduceEvent(p, event) + } + }() +} + +func (p *PrivacyPolicy) ViewModel() string { + return privacyPolicyTable +} + +func (p *PrivacyPolicy) AggregateTypes() []es_models.AggregateType { + return []es_models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate} +} + +func (p *PrivacyPolicy) CurrentSequence() (uint64, error) { + sequence, err := p.view.GetLatestPrivacyPolicySequence() + if err != nil { + return 0, err + } + return sequence.CurrentSequence, nil +} + +func (p *PrivacyPolicy) EventQuery() (*es_models.SearchQuery, error) { + sequence, err := p.view.GetLatestPrivacyPolicySequence() + if err != nil { + return nil, err + } + return es_models.NewSearchQuery(). + AggregateTypeFilter(p.AggregateTypes()...). + LatestSequenceFilter(sequence.CurrentSequence), nil +} + +func (p *PrivacyPolicy) Reduce(event *es_models.Event) (err error) { + switch event.AggregateType { + case model.OrgAggregate, iam_es_model.IAMAggregate: + err = p.processPrivacyPolicy(event) + } + return err +} + +func (p *PrivacyPolicy) processPrivacyPolicy(event *es_models.Event) (err error) { + policy := new(iam_model.PrivacyPolicyView) + switch event.Type { + case iam_es_model.PrivacyPolicyAdded, model.PrivacyPolicyAdded: + err = policy.AppendEvent(event) + case iam_es_model.PrivacyPolicyChanged, model.PrivacyPolicyChanged: + policy, err = p.view.PrivacyPolicyByAggregateID(event.AggregateID) + if err != nil { + return err + } + err = policy.AppendEvent(event) + case model.PrivacyPolicyRemoved: + return p.view.DeletePrivacyPolicy(event.AggregateID, event) + default: + return p.view.ProcessedPrivacyPolicySequence(event) + } + if err != nil { + return err + } + return p.view.PutPrivacyPolicy(policy, event) +} + +func (p *PrivacyPolicy) OnError(event *es_models.Event, err error) error { + logging.LogWithFields("SPOOL-4N8sw", "id", event.AggregateID).WithError(err).Warn("something went wrong in privacy policy handler") + return spooler.HandleError(event, err, p.view.GetLatestPrivacyPolicyFailedEvent, p.view.ProcessedPrivacyPolicyFailedEvent, p.view.ProcessedPrivacyPolicySequence, p.errorCountUntilSkip) +} + +func (p *PrivacyPolicy) OnSuccess() error { + return spooler.HandleSuccess(p.view.UpdatePrivacyPolicySpoolerRunTimestamp) +} diff --git a/internal/management/repository/eventsourcing/view/privacy_policy.go b/internal/management/repository/eventsourcing/view/privacy_policy.go new file mode 100644 index 0000000000..5ca5d81707 --- /dev/null +++ b/internal/management/repository/eventsourcing/view/privacy_policy.go @@ -0,0 +1,53 @@ +package view + +import ( + "github.com/caos/zitadel/internal/errors" + "github.com/caos/zitadel/internal/eventstore/v1/models" + "github.com/caos/zitadel/internal/iam/repository/view" + "github.com/caos/zitadel/internal/iam/repository/view/model" + global_view "github.com/caos/zitadel/internal/view/repository" +) + +const ( + privacyPolicyTable = "management.privacy_policies" +) + +func (v *View) PrivacyPolicyByAggregateID(aggregateID string) (*model.PrivacyPolicyView, error) { + return view.GetPrivacyPolicyByAggregateID(v.Db, privacyPolicyTable, aggregateID) +} + +func (v *View) PutPrivacyPolicy(policy *model.PrivacyPolicyView, event *models.Event) error { + err := view.PutPrivacyPolicy(v.Db, privacyPolicyTable, policy) + if err != nil { + return err + } + return v.ProcessedPrivacyPolicySequence(event) +} + +func (v *View) DeletePrivacyPolicy(aggregateID string, event *models.Event) error { + err := view.DeletePrivacyPolicy(v.Db, privacyPolicyTable, aggregateID) + if err != nil && !errors.IsNotFound(err) { + return err + } + return v.ProcessedPrivacyPolicySequence(event) +} + +func (v *View) GetLatestPrivacyPolicySequence() (*global_view.CurrentSequence, error) { + return v.latestSequence(privacyPolicyTable) +} + +func (v *View) ProcessedPrivacyPolicySequence(event *models.Event) error { + return v.saveCurrentSequence(privacyPolicyTable, event) +} + +func (v *View) UpdatePrivacyPolicySpoolerRunTimestamp() error { + return v.updateSpoolerRunSequence(privacyPolicyTable) +} + +func (v *View) GetLatestPrivacyPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) { + return v.latestFailedEvent(privacyPolicyTable, sequence) +} + +func (v *View) ProcessedPrivacyPolicyFailedEvent(failedEvent *global_view.FailedEvent) error { + return v.saveFailedEvent(failedEvent) +} diff --git a/internal/management/repository/org.go b/internal/management/repository/org.go index a0e3c5a22a..6dd1091b21 100644 --- a/internal/management/repository/org.go +++ b/internal/management/repository/org.go @@ -41,6 +41,9 @@ type OrgRepository interface { GetPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error) GetDefaultPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error) + GetPrivacyPolicy(ctx context.Context) (*iam_model.PrivacyPolicyView, error) + GetDefaultPrivacyPolicy(ctx context.Context) (*iam_model.PrivacyPolicyView, error) + GetDefaultMailTemplate(ctx context.Context) (*iam_model.MailTemplateView, error) GetMailTemplate(ctx context.Context) (*iam_model.MailTemplateView, error) diff --git a/internal/org/repository/eventsourcing/model/types.go b/internal/org/repository/eventsourcing/model/types.go index 17eda9952f..5863aa70bf 100644 --- a/internal/org/repository/eventsourcing/model/types.go +++ b/internal/org/repository/eventsourcing/model/types.go @@ -92,4 +92,8 @@ const ( PasswordLockoutPolicyAdded models.EventType = "org.policy.password.lockout.added" PasswordLockoutPolicyChanged models.EventType = "org.policy.password.lockout.changed" PasswordLockoutPolicyRemoved models.EventType = "org.policy.password.lockout.removed" + + PrivacyPolicyAdded models.EventType = "org.policy.privacy.added" + PrivacyPolicyChanged models.EventType = "org.policy.privacy.changed" + PrivacyPolicyRemoved models.EventType = "org.policy.privacy.removed" ) diff --git a/internal/repository/features/features.go b/internal/repository/features/features.go index d714209e0d..fa89f0ac75 100644 --- a/internal/repository/features/features.go +++ b/internal/repository/features/features.go @@ -36,6 +36,7 @@ type FeaturesSetEvent struct { LabelPolicyWatermark *bool `json:"labelPolicyWatermark,omitempty"` CustomDomain *bool `json:"customDomain,omitempty"` CustomText *bool `json:"customText,omitempty"` + PrivacyPolicy *bool `json:"privacyPolicy,omitempty"` } func (e *FeaturesSetEvent) Data() interface{} { @@ -159,6 +160,13 @@ func ChangeCustomText(customText bool) func(event *FeaturesSetEvent) { e.CustomText = &customText } } + +func ChangePrivacyPolicy(privacyPolicy bool) func(event *FeaturesSetEvent) { + return func(e *FeaturesSetEvent) { + e.PrivacyPolicy = &privacyPolicy + } +} + func FeaturesSetEventMapper(event *repository.Event) (eventstore.EventReader, error) { e := &FeaturesSetEvent{ BaseEvent: *eventstore.BaseEventFromRepo(event), diff --git a/internal/repository/iam/eventstore.go b/internal/repository/iam/eventstore.go index bcfc96f563..be1401a7e0 100644 --- a/internal/repository/iam/eventstore.go +++ b/internal/repository/iam/eventstore.go @@ -34,6 +34,8 @@ func RegisterEventMappers(es *eventstore.Eventstore) { RegisterFilterEventMapper(PasswordComplexityPolicyChangedEventType, PasswordComplexityPolicyChangedEventMapper). RegisterFilterEventMapper(PasswordLockoutPolicyAddedEventType, PasswordLockoutPolicyAddedEventMapper). RegisterFilterEventMapper(PasswordLockoutPolicyChangedEventType, PasswordLockoutPolicyChangedEventMapper). + RegisterFilterEventMapper(PrivacyPolicyAddedEventType, PrivacyPolicyAddedEventMapper). + RegisterFilterEventMapper(PrivacyPolicyChangedEventType, PrivacyPolicyChangedEventMapper). RegisterFilterEventMapper(MemberAddedEventType, MemberAddedEventMapper). RegisterFilterEventMapper(MemberChangedEventType, MemberChangedEventMapper). RegisterFilterEventMapper(MemberRemovedEventType, MemberRemovedEventMapper). diff --git a/internal/repository/iam/policy_privacy.go b/internal/repository/iam/policy_privacy.go new file mode 100644 index 0000000000..1fecf393cb --- /dev/null +++ b/internal/repository/iam/policy_privacy.go @@ -0,0 +1,75 @@ +package iam + +import ( + "context" + "github.com/caos/zitadel/internal/eventstore" + + "github.com/caos/zitadel/internal/eventstore/repository" + "github.com/caos/zitadel/internal/repository/policy" +) + +const ( + PrivacyPolicyAddedEventType = iamEventTypePrefix + policy.PrivacyPolicyAddedEventType + PrivacyPolicyChangedEventType = iamEventTypePrefix + policy.PrivacyPolicyChangedEventType +) + +type PrivacyPolicyAddedEvent struct { + policy.PrivacyPolicyAddedEvent +} + +func NewPrivacyPolicyAddedEvent( + ctx context.Context, + aggregate *eventstore.Aggregate, + tosLink, + privacyLink string, +) *PrivacyPolicyAddedEvent { + return &PrivacyPolicyAddedEvent{ + PrivacyPolicyAddedEvent: *policy.NewPrivacyPolicyAddedEvent( + eventstore.NewBaseEventForPush( + ctx, + aggregate, + PrivacyPolicyAddedEventType), + tosLink, + privacyLink), + } +} + +func PrivacyPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) { + e, err := policy.PrivacyPolicyAddedEventMapper(event) + if err != nil { + return nil, err + } + + return &PrivacyPolicyAddedEvent{PrivacyPolicyAddedEvent: *e.(*policy.PrivacyPolicyAddedEvent)}, nil +} + +type PrivacyPolicyChangedEvent struct { + policy.PrivacyPolicyChangedEvent +} + +func NewPrivacyPolicyChangedEvent( + ctx context.Context, + aggregate *eventstore.Aggregate, + changes []policy.PrivacyPolicyChanges, +) (*PrivacyPolicyChangedEvent, error) { + changedEvent, err := policy.NewPrivacyPolicyChangedEvent( + eventstore.NewBaseEventForPush( + ctx, + aggregate, + PrivacyPolicyChangedEventType), + changes, + ) + if err != nil { + return nil, err + } + return &PrivacyPolicyChangedEvent{PrivacyPolicyChangedEvent: *changedEvent}, nil +} + +func PrivacyPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) { + e, err := policy.PrivacyPolicyChangedEventMapper(event) + if err != nil { + return nil, err + } + + return &PrivacyPolicyChangedEvent{PrivacyPolicyChangedEvent: *e.(*policy.PrivacyPolicyChangedEvent)}, nil +} diff --git a/internal/repository/org/eventstore.go b/internal/repository/org/eventstore.go index 7602ad9e58..cc62e3187b 100644 --- a/internal/repository/org/eventstore.go +++ b/internal/repository/org/eventstore.go @@ -56,6 +56,9 @@ func RegisterEventMappers(es *eventstore.Eventstore) { RegisterFilterEventMapper(PasswordLockoutPolicyAddedEventType, PasswordLockoutPolicyAddedEventMapper). RegisterFilterEventMapper(PasswordLockoutPolicyChangedEventType, PasswordLockoutPolicyChangedEventMapper). RegisterFilterEventMapper(PasswordLockoutPolicyRemovedEventType, PasswordLockoutPolicyRemovedEventMapper). + RegisterFilterEventMapper(PrivacyPolicyAddedEventType, PrivacyPolicyAddedEventMapper). + RegisterFilterEventMapper(PrivacyPolicyChangedEventType, PrivacyPolicyChangedEventMapper). + RegisterFilterEventMapper(PrivacyPolicyRemovedEventType, PrivacyPolicyRemovedEventMapper). RegisterFilterEventMapper(MailTemplateAddedEventType, MailTemplateAddedEventMapper). RegisterFilterEventMapper(MailTemplateChangedEventType, MailTemplateChangedEventMapper). RegisterFilterEventMapper(MailTemplateRemovedEventType, MailTemplateRemovedEventMapper). diff --git a/internal/repository/org/policy_privacy.go b/internal/repository/org/policy_privacy.go new file mode 100644 index 0000000000..133b44c07e --- /dev/null +++ b/internal/repository/org/policy_privacy.go @@ -0,0 +1,103 @@ +package org + +import ( + "context" + "github.com/caos/zitadel/internal/eventstore" + + "github.com/caos/zitadel/internal/eventstore/repository" + "github.com/caos/zitadel/internal/repository/policy" +) + +var ( + PrivacyPolicyAddedEventType = orgEventTypePrefix + policy.PrivacyPolicyAddedEventType + PrivacyPolicyChangedEventType = orgEventTypePrefix + policy.PrivacyPolicyChangedEventType + PrivacyPolicyRemovedEventType = orgEventTypePrefix + policy.PrivacyPolicyRemovedEventType +) + +type PrivacyPolicyAddedEvent struct { + policy.PrivacyPolicyAddedEvent +} + +func NewPrivacyPolicyAddedEvent( + ctx context.Context, + aggregate *eventstore.Aggregate, + tosLink, + privacyLink string, +) *PrivacyPolicyAddedEvent { + return &PrivacyPolicyAddedEvent{ + PrivacyPolicyAddedEvent: *policy.NewPrivacyPolicyAddedEvent( + eventstore.NewBaseEventForPush( + ctx, + aggregate, + PrivacyPolicyAddedEventType), + tosLink, + privacyLink), + } +} + +func PrivacyPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) { + e, err := policy.PrivacyPolicyAddedEventMapper(event) + if err != nil { + return nil, err + } + + return &PrivacyPolicyAddedEvent{PrivacyPolicyAddedEvent: *e.(*policy.PrivacyPolicyAddedEvent)}, nil +} + +type PrivacyPolicyChangedEvent struct { + policy.PrivacyPolicyChangedEvent +} + +func NewPrivacyPolicyChangedEvent( + ctx context.Context, + aggregate *eventstore.Aggregate, + changes []policy.PrivacyPolicyChanges, +) (*PrivacyPolicyChangedEvent, error) { + changedEvent, err := policy.NewPrivacyPolicyChangedEvent( + eventstore.NewBaseEventForPush( + ctx, + aggregate, + PrivacyPolicyChangedEventType), + changes, + ) + if err != nil { + return nil, err + } + return &PrivacyPolicyChangedEvent{PrivacyPolicyChangedEvent: *changedEvent}, nil +} + +func PrivacyPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) { + e, err := policy.PrivacyPolicyChangedEventMapper(event) + if err != nil { + return nil, err + } + + return &PrivacyPolicyChangedEvent{PrivacyPolicyChangedEvent: *e.(*policy.PrivacyPolicyChangedEvent)}, nil +} + +type PrivacyPolicyRemovedEvent struct { + policy.PrivacyPolicyRemovedEvent +} + +func NewPrivacyPolicyRemovedEvent( + ctx context.Context, + aggregate *eventstore.Aggregate, +) *PrivacyPolicyRemovedEvent { + return &PrivacyPolicyRemovedEvent{ + PrivacyPolicyRemovedEvent: *policy.NewPrivacyPolicyRemovedEvent( + eventstore.NewBaseEventForPush( + ctx, + aggregate, + PrivacyPolicyRemovedEventType), + ), + } +} + +func PrivacyPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) { + e, err := policy.PrivacyPolicyRemovedEventMapper(event) + if err != nil { + return nil, err + } + + return &PrivacyPolicyRemovedEvent{PrivacyPolicyRemovedEvent: *e.(*policy.PrivacyPolicyRemovedEvent)}, nil +} diff --git a/internal/repository/policy/policy_privacy.go b/internal/repository/policy/policy_privacy.go new file mode 100644 index 0000000000..32b3a65267 --- /dev/null +++ b/internal/repository/policy/policy_privacy.go @@ -0,0 +1,136 @@ +package policy + +import ( + "encoding/json" + "github.com/caos/zitadel/internal/eventstore" + + "github.com/caos/zitadel/internal/errors" + "github.com/caos/zitadel/internal/eventstore/repository" +) + +const ( + PrivacyPolicyAddedEventType = "policy.privacy.added" + PrivacyPolicyChangedEventType = "policy.privacy.changed" + PrivacyPolicyRemovedEventType = "policy.privacy.removed" +) + +type PrivacyPolicyAddedEvent struct { + eventstore.BaseEvent `json:"-"` + + TOSLink string `json:"tosLink,omitempty"` + PrivacyLink string `json:"privacyLink,omitempty"` +} + +func (e *PrivacyPolicyAddedEvent) Data() interface{} { + return e +} + +func (e *PrivacyPolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint { + return nil +} + +func NewPrivacyPolicyAddedEvent( + base *eventstore.BaseEvent, + tosLink, + privacyLink string, +) *PrivacyPolicyAddedEvent { + return &PrivacyPolicyAddedEvent{ + BaseEvent: *base, + TOSLink: tosLink, + PrivacyLink: privacyLink, + } +} + +func PrivacyPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) { + e := &PrivacyPolicyAddedEvent{ + BaseEvent: *eventstore.BaseEventFromRepo(event), + } + err := json.Unmarshal(event.Data, e) + if err != nil { + return nil, errors.ThrowInternal(err, "POLIC-2k0fs", "unable to unmarshal policy") + } + + return e, nil +} + +type PrivacyPolicyChangedEvent struct { + eventstore.BaseEvent `json:"-"` + + TOSLink *string `json:"tosLink,omitempty"` + PrivacyLink *string `json:"privacyLink,omitempty"` +} + +func (e *PrivacyPolicyChangedEvent) Data() interface{} { + return e +} + +func (e *PrivacyPolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint { + return nil +} + +func NewPrivacyPolicyChangedEvent( + base *eventstore.BaseEvent, + changes []PrivacyPolicyChanges, +) (*PrivacyPolicyChangedEvent, error) { + if len(changes) == 0 { + return nil, errors.ThrowPreconditionFailed(nil, "POLICY-PPo0s", "Errors.NoChangesFound") + } + changeEvent := &PrivacyPolicyChangedEvent{ + BaseEvent: *base, + } + for _, change := range changes { + change(changeEvent) + } + return changeEvent, nil +} + +type PrivacyPolicyChanges func(*PrivacyPolicyChangedEvent) + +func ChangeTOSLink(tosLink string) func(*PrivacyPolicyChangedEvent) { + return func(e *PrivacyPolicyChangedEvent) { + e.TOSLink = &tosLink + } +} + +func ChangePrivacyLink(privacyLink string) func(*PrivacyPolicyChangedEvent) { + return func(e *PrivacyPolicyChangedEvent) { + e.PrivacyLink = &privacyLink + } +} + +func PrivacyPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) { + e := &PrivacyPolicyChangedEvent{ + BaseEvent: *eventstore.BaseEventFromRepo(event), + } + + err := json.Unmarshal(event.Data, e) + if err != nil { + return nil, errors.ThrowInternal(err, "POLIC-22nf9", "unable to unmarshal policy") + } + + return e, nil +} + +type PrivacyPolicyRemovedEvent struct { + eventstore.BaseEvent `json:"-"` +} + +func (e *PrivacyPolicyRemovedEvent) Data() interface{} { + return nil +} + +func (e *PrivacyPolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint { + return nil +} + +func NewPrivacyPolicyRemovedEvent(base *eventstore.BaseEvent) *PrivacyPolicyRemovedEvent { + return &PrivacyPolicyRemovedEvent{ + BaseEvent: *base, + } +} + +func PrivacyPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) { + return &PrivacyPolicyRemovedEvent{ + BaseEvent: *eventstore.BaseEventFromRepo(event), + }, nil +} diff --git a/internal/setup/config.go b/internal/setup/config.go index 8f8b44ab21..6a5d4df7c0 100644 --- a/internal/setup/config.go +++ b/internal/setup/config.go @@ -22,6 +22,7 @@ type IAMSetUp struct { Step14 *command.Step14 Step15 *command.Step15 Step16 *command.Step16 + Step17 *command.Step17 } func (setup *IAMSetUp) Steps(currentDone domain.Step) ([]command.Step, error) { @@ -44,6 +45,7 @@ func (setup *IAMSetUp) Steps(currentDone domain.Step) ([]command.Step, error) { setup.Step14, setup.Step15, setup.Step16, + setup.Step17, } { if step.Step() <= currentDone { continue diff --git a/internal/ui/login/handler/privacy_policy_handler.go b/internal/ui/login/handler/privacy_policy_handler.go new file mode 100644 index 0000000000..8f8289cc2e --- /dev/null +++ b/internal/ui/login/handler/privacy_policy_handler.go @@ -0,0 +1,15 @@ +package handler + +import ( + "net/http" + + iam_model "github.com/caos/zitadel/internal/iam/model" +) + +func (l *Login) getDefaultPrivacyPolicy(r *http.Request) (*iam_model.PrivacyPolicyView, error) { + policy, err := l.authRepo.GetDefaultPrivacyPolicy(r.Context()) + if err != nil { + return nil, err + } + return policy, nil +} diff --git a/internal/ui/login/handler/renderer.go b/internal/ui/login/handler/renderer.go index c26d652e23..b9411c9911 100644 --- a/internal/ui/login/handler/renderer.go +++ b/internal/ui/login/handler/renderer.go @@ -321,8 +321,19 @@ func (l *Login) getBaseData(r *http.Request, authReq *domain.AuthRequest, title baseData.LoginPolicy = authReq.LoginPolicy baseData.LabelPolicy = authReq.LabelPolicy baseData.IDPProviders = authReq.AllowedExternalIDPs + if authReq.PrivacyPolicy != nil { + baseData.TOSLink = authReq.PrivacyPolicy.TOSLink + baseData.PrivacyLink = authReq.PrivacyPolicy.PrivacyLink + } } else { - //TODO: How to handle LabelPolicy if no auth req (eg Register) + privacyPolicy, err := l.getDefaultPrivacyPolicy(r) + if err != nil { + return baseData + } + if privacyPolicy != nil { + baseData.TOSLink = privacyPolicy.TOSLink + baseData.PrivacyLink = privacyPolicy.PrivacyLink + } } return baseData } @@ -405,7 +416,6 @@ func (l *Login) isDisplayLoginNameSuffix(authReq *domain.AuthRequest) bool { } return authReq.LabelPolicy != nil && !authReq.LabelPolicy.HideLoginNameSuffix } - func getRequestID(authReq *domain.AuthRequest, r *http.Request) string { if authReq != nil { return authReq.ID @@ -437,6 +447,8 @@ type baseData struct { OrgName string PrimaryDomain string DisplayLoginNameSuffix bool + TOSLink string + PrivacyLink string AuthReqID string CSRF template.HTML Nonce string diff --git a/internal/ui/login/static/i18n/de.yaml b/internal/ui/login/static/i18n/de.yaml index de7bc4f23f..c4962b9d8a 100644 --- a/internal/ui/login/static/i18n/de.yaml +++ b/internal/ui/login/static/i18n/de.yaml @@ -160,9 +160,7 @@ Registration: TosConfirm: Ich akzeptiere die TosLinkText: AGBs TosConfirmAnd: und die - TosLink: https://docs.zitadel.ch/docs/legal/terms-of-service PrivacyLinkText: Datenschutzerklärung - PrivacyLink: https://docs.zitadel.ch/docs/legal/privacy-policy ExternalLogin: oder registriere dich mit einem externen Benutzer RegistrationOrg: @@ -187,9 +185,7 @@ RegistrationOrg: TosConfirm: Ich akzeptiere die TosLinkText: AGBs TosConfirmAnd: und die - TosLink: https://docs.zitadel.ch/docs/legal/terms-of-service PrivacyLinkText: Datenschutzerklärung - PrivacyLink: https://docs.zitadel.ch/docs/legal/privacy-policy LinkingUsersDone: Title: Benutzerlinking @@ -228,9 +224,7 @@ Actions: Footer: PoweredBy: Powered By Tos: AGB - TosLink: https://docs.zitadel.ch/docs/legal/terms-of-service Privacy: Datenschutzerklärung - PrivacyLink: https://docs.zitadel.ch/docs/legal/privacy-policy Help: Hilfe Errors: diff --git a/internal/ui/login/static/i18n/en.yaml b/internal/ui/login/static/i18n/en.yaml index 5197876fe9..ee8fc6be21 100644 --- a/internal/ui/login/static/i18n/en.yaml +++ b/internal/ui/login/static/i18n/en.yaml @@ -160,9 +160,7 @@ Registration: TosConfirm: I accept the TosLinkText: TOS TosConfirmAnd: and the - TosLink: https://docs.zitadel.ch/docs/legal/terms-of-service PrivacyLinkText: privacy policy - PrivacyLink: https://docs.zitadel.ch/docs/legal/privacy-policy ExternalLogin: or register with an external user RegistrationOrg: @@ -187,9 +185,7 @@ RegistrationOrg: TosConfirm: I accept the TosLinkText: TOS TosConfirmAnd: and the - TosLink: https://docs.zitadel.ch/docs/legal/terms-of-service PrivacyLinkText: privacy policy - PrivacyLink: https://docs.zitadel.ch/docs/legal/privacy-policy LoginSuccess: Title: Login successful @@ -228,9 +224,7 @@ Actions: Footer: PoweredBy: Powered By Tos: TOS - TosLink: https://docs.zitadel.ch/docs/legal/terms-of-service Privacy: Privacy policy - PrivacyLink: https://docs.zitadel.ch/docs/legal/privacy-policy Help: Help Errors: diff --git a/internal/ui/login/static/templates/footer.html b/internal/ui/login/static/templates/footer.html index 5cb89cc72a..8a08764156 100644 --- a/internal/ui/login/static/templates/footer.html +++ b/internal/ui/login/static/templates/footer.html @@ -1,3 +1,4 @@ + {{define "footer"}} {{end}} diff --git a/internal/ui/login/static/templates/register.html b/internal/ui/login/static/templates/register.html index 10c674c347..814fbf3e22 100644 --- a/internal/ui/login/static/templates/register.html +++ b/internal/ui/login/static/templates/register.html @@ -91,23 +91,31 @@ {{ .PasswordPolicyDescription }} + {{ if or .TOSLink .PrivacyLink }}
+ {{ end }} {{template "error-message" .}} diff --git a/internal/ui/login/static/templates/register_org.html b/internal/ui/login/static/templates/register_org.html index 217f91b230..7473666574 100644 --- a/internal/ui/login/static/templates/register_org.html +++ b/internal/ui/login/static/templates/register_org.html @@ -67,21 +67,32 @@ {{ .PasswordPolicyDescription }} + {{ if or .TOSLink .PrivacyLink }}
+ {{ end }} {{template "error-message" .}} diff --git a/migrations/cockroach/V1.50__privacy_policy.sql b/migrations/cockroach/V1.50__privacy_policy.sql new file mode 100644 index 0000000000..6ecec46135 --- /dev/null +++ b/migrations/cockroach/V1.50__privacy_policy.sql @@ -0,0 +1,46 @@ +ALTER TABLE adminapi.features ADD COLUMN privacy_policy BOOLEAN; +ALTER TABLE auth.features ADD COLUMN privacy_policy BOOLEAN; +ALTER TABLE authz.features ADD COLUMN privacy_policy BOOLEAN; +ALTER TABLE management.features ADD COLUMN privacy_policy BOOLEAN; + +CREATE TABLE auth.privacy_policies ( + aggregate_id TEXT, + + creation_date TIMESTAMPTZ, + change_date TIMESTAMPTZ, + state SMALLINT, + sequence BIGINT, + + tos_link STRING, + privacy_link STRING, + + PRIMARY KEY (aggregate_id) +); + +CREATE TABLE adminapi.privacy_policies ( + aggregate_id TEXT, + + creation_date TIMESTAMPTZ, + change_date TIMESTAMPTZ, + state SMALLINT, + sequence BIGINT, + + tos_link STRING, + privacy_link STRING, + + PRIMARY KEY (aggregate_id) +); + +CREATE TABLE management.privacy_policies ( + aggregate_id TEXT, + + creation_date TIMESTAMPTZ, + change_date TIMESTAMPTZ, + state SMALLINT, + sequence BIGINT, + + tos_link STRING, + privacy_link STRING, + + PRIMARY KEY (aggregate_id) +); \ No newline at end of file diff --git a/proto/zitadel/admin.proto b/proto/zitadel/admin.proto index 3a539032a8..82e86ad30f 100644 --- a/proto/zitadel/admin.proto +++ b/proto/zitadel/admin.proto @@ -1450,6 +1450,65 @@ service AdminService { }; } + //Returns the privacy policy defined by the administrators of ZITADEL + rpc GetPrivacyPolicy(GetPrivacyPolicyRequest) returns (GetPrivacyPolicyResponse) { + option (google.api.http) = { + get: "/policies/privacy"; + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.read"; + }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "policy"; + tags: "privacy policy"; + tags: "privacy"; + responses: { + key: "200"; + value: { + description: "default privacy policy"; + }; + }; + }; + } + + //Updates the default privacy policy of ZITADEL + // it impacts all organisations without a customised policy + rpc UpdatePrivacyPolicy(UpdatePrivacyPolicyRequest) returns (UpdatePrivacyPolicyResponse) { + option (google.api.http) = { + put: "/policies/privacy"; + body: "*"; + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write"; + }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "policy"; + tags: "privacy policy"; + tags: "privacy"; + responses: { + key: "200"; + value: { + description: "default privacy policy updated"; + }; + }; + responses: { + key: "400"; + value: { + description: "invalid argument"; + schema: { + json_schema: { + ref: "#/definitions/rpcStatus"; + }; + }; + }; + }; + }; + } + //Returns the custom text for initial message rpc GetDefaultInitMessageText(GetDefaultInitMessageTextRequest) returns (GetDefaultInitMessageTextResponse) { option (google.api.http) = { @@ -2397,6 +2456,7 @@ message SetDefaultFeaturesRequest { bool label_policy_private_label = 15; bool label_policy_watermark = 16; bool custom_text = 17; + bool privacy_policy = 18; } message SetDefaultFeaturesResponse { @@ -2431,6 +2491,7 @@ message SetOrgFeaturesRequest { bool label_policy_private_label = 16; bool label_policy_watermark = 17; bool custom_text = 18; + bool privacy_policy = 19; } message SetOrgFeaturesResponse { @@ -2891,6 +2952,22 @@ message UpdatePasswordLockoutPolicyResponse { zitadel.v1.ObjectDetails details = 1; } +//This is an empty request +message GetPrivacyPolicyRequest {} + +message GetPrivacyPolicyResponse { + zitadel.policy.v1.PrivacyPolicy policy = 1; +} + +message UpdatePrivacyPolicyRequest { + string tos_link = 1; + string privacy_link = 2; +} + +message UpdatePrivacyPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + message GetDefaultInitMessageTextRequest { string language = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; } diff --git a/proto/zitadel/features.proto b/proto/zitadel/features.proto index 346f5dde13..93e1937917 100644 --- a/proto/zitadel/features.proto +++ b/proto/zitadel/features.proto @@ -25,6 +25,7 @@ message Features { bool label_policy_private_label = 14; bool label_policy_watermark = 15; bool custom_text = 16; + bool privacy_policy = 17; } message FeatureTier { diff --git a/proto/zitadel/management.proto b/proto/zitadel/management.proto index f360bac9b5..d0a9a1c0d4 100644 --- a/proto/zitadel/management.proto +++ b/proto/zitadel/management.proto @@ -1927,6 +1927,70 @@ service ManagementService { }; } + // Returns the privacy policy of the organisation + // With this policy privacy relevant things can be configured (e.g. tos link) + rpc GetPrivacyPolicy(GetPrivacyPolicyRequest) returns (GetPrivacyPolicyResponse) { + option (google.api.http) = { + get: "/policies/privacy" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" + }; + } + + // Returns the default privacy policy of the IAM + // With this policy the privacy relevant things can be configured (e.g tos link) + rpc GetDefaultPrivacyPolicy(GetDefaultPrivacyPolicyRequest) returns (GetDefaultPrivacyPolicyResponse) { + option (google.api.http) = { + get: "/policies/default/privacy" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" + }; + } + + // Add a custom privacy policy for the organisation + // With this policy privacy relevant things can be configured (e.g. tos link) + rpc AddCustomPrivacyPolicy(AddCustomPrivacyPolicyRequest) returns (AddCustomPrivacyPolicyResponse) { + option (google.api.http) = { + post: "/policies/privacy" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + feature: "privacy_policy" + }; + } + + // Update the privacy complexity policy for the organisation + // With this policy privacy relevant things can be configured (e.g. tos link) + rpc UpdateCustomPrivacyPolicy(UpdateCustomPrivacyPolicyRequest) returns (UpdateCustomPrivacyPolicyResponse) { + option (google.api.http) = { + put: "/policies/privacy" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + feature: "privacy_policy" + }; + } + + // Removes the privacy policy of the organisation + // The default policy of the IAM will trigger after + rpc ResetPrivacyPolicyToDefault(ResetPrivacyPolicyToDefaultRequest) returns (ResetPrivacyPolicyToDefaultResponse) { + option (google.api.http) = { + delete: "/policies/privacy" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.delete" + }; + } + // Returns the active label policy of the organisation // With this policy the private labeling can be configured (colors, etc.) rpc GetLabelPolicy(GetLabelPolicyRequest) returns (GetLabelPolicyResponse) { @@ -3973,6 +4037,45 @@ message ResetPasswordLockoutPolicyToDefaultResponse { zitadel.v1.ObjectDetails details = 1; } +//This is an empty request +message GetPrivacyPolicyRequest {} + +message GetPrivacyPolicyResponse { + zitadel.policy.v1.PrivacyPolicy policy = 1; +} + +//This is an empty request +message GetDefaultPrivacyPolicyRequest {} + +message GetDefaultPrivacyPolicyResponse { + zitadel.policy.v1.PrivacyPolicy policy = 1; +} + +message AddCustomPrivacyPolicyRequest { + string tos_link = 1; + string privacy_link = 2; +} + +message AddCustomPrivacyPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message UpdateCustomPrivacyPolicyRequest { + string tos_link = 1; + string privacy_link = 2; +} + +message UpdateCustomPrivacyPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +//This is an empty request +message ResetPrivacyPolicyToDefaultRequest {} + +message ResetPrivacyPolicyToDefaultResponse { + zitadel.v1.ObjectDetails details = 1; +} + //This is an empty request message GetLabelPolicyRequest {} diff --git a/proto/zitadel/policy.proto b/proto/zitadel/policy.proto index e831411da8..4a648d3667 100644 --- a/proto/zitadel/policy.proto +++ b/proto/zitadel/policy.proto @@ -220,4 +220,11 @@ message PasswordLockoutPolicy { description: "defines if the organisation's admin changed the policy" } ]; +} + +message PrivacyPolicy { + zitadel.v1.ObjectDetails details = 1; + string tos_link = 2; + string privacy_link = 3; + bool is_default = 4; } \ No newline at end of file