Merge branch 'main' into rc

2025-08-11 21:17:32 +00:00 · 2023-05-25 08:31:04 +02:00
parent 4982af898a 8828c04e27
commit c20cfd5a2c
178 changed files with 10803 additions and 3303 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -735,6 +735,7 @@ InternalAuthZ:
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
+        - "user.passkey.write"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
@@ -811,6 +812,7 @@ InternalAuthZ:
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
+        - "user.passkey.write"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
@@ -847,6 +849,7 @@ InternalAuthZ:
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
+        - "user.passkey.write"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
@@ -882,6 +885,7 @@ InternalAuthZ:
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
+        - "user.passkey.write"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
--- a/cmd/setup/10.go
+++ b/cmd/setup/10.go
@@ -13,11 +13,11 @@ import (
 )

 var (
-	//go:embed 10_create_temp_table.sql
+	//go:embed 10/10_create_temp_table.sql
 	correctCreationDate10CreateTable string
-	//go:embed 10_fill_table.sql
+	//go:embed 10/10_fill_table.sql
 	correctCreationDate10FillTable string
-	//go:embed 10_update.sql
+	//go:embed 10/10_update.sql
 	correctCreationDate10Update string
 )

--- a/cmd/setup/10/10_create_temp_table.sql
+++ b/cmd/setup/10/10_create_temp_table.sql
--- a/cmd/setup/10/10_fill_table.sql
+++ b/cmd/setup/10/10_fill_table.sql
--- a/cmd/setup/10/10_update.sql
+++ b/cmd/setup/10/10_update.sql
--- a/cmd/setup/11.go
+++ b/cmd/setup/11.go
@@ -0,0 +1,32 @@
+package setup
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/zitadel/zitadel/internal/database"
+)
+
+var (
+	//go:embed 11.sql
+	addEventCreatedAt string
+)
+
+type AddEventCreatedAt struct {
+	step10   *CorrectCreationDate
+	dbClient *database.DB
+}
+
+func (mig *AddEventCreatedAt) Execute(ctx context.Context) error {
+	// execute step 10 again because events created after the first execution of step 10
+	// could still have the wrong ordering of sequences and creation date
+	if err := mig.step10.Execute(ctx); err != nil {
+		return err
+	}
+	_, err := mig.dbClient.ExecContext(ctx, addEventCreatedAt)
+	return err
+}
+
+func (mig *AddEventCreatedAt) String() string {
+	return "11_event_created_at"
+}
--- a/cmd/setup/11.sql
+++ b/cmd/setup/11.sql
@@ -0,0 +1,15 @@
+BEGIN;
+-- create table with empty created_at
+ALTER TABLE eventstore.events ADD COLUMN created_at TIMESTAMPTZ DEFAULT NULL;
+COMMIT;
+
+BEGIN;
+-- backfill created_at
+UPDATE eventstore.events SET created_at = creation_date WHERE created_at IS NULL;
+COMMIT;
+
+BEGIN;
+-- set column rules
+ALTER TABLE eventstore.events ALTER COLUMN created_at SET DEFAULT clock_timestamp();
+ALTER TABLE eventstore.events ALTER COLUMN created_at SET NOT NULL;
+COMMIT;
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@@ -66,6 +66,7 @@ type Steps struct {
 	s8AuthTokens         *AuthTokenIndexes
 	s9EventstoreIndexes2 *EventstoreIndexesNew
 	CorrectCreationDate  *CorrectCreationDate
+	s11AddEventCreatedAt *AddEventCreatedAt
 }

 type encryptionKeyConfig struct {
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@@ -91,6 +91,7 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	steps.s8AuthTokens = &AuthTokenIndexes{dbClient: dbClient}
 	steps.s9EventstoreIndexes2 = New09(dbClient)
 	steps.CorrectCreationDate.dbClient = dbClient
+	steps.s11AddEventCreatedAt = &AddEventCreatedAt{dbClient: dbClient, step10: steps.CorrectCreationDate}

 	err = projection.Create(ctx, dbClient, eventstoreClient, config.Projections, nil, nil)
 	logging.OnError(err).Fatal("unable to start projections")
@@ -128,6 +129,8 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	logging.OnError(err).Fatal("unable to migrate step 9")
 	err = migration.Migrate(ctx, eventstoreClient, steps.CorrectCreationDate)
 	logging.OnError(err).Fatal("unable to migrate step 10")
+	err = migration.Migrate(ctx, eventstoreClient, steps.s11AddEventCreatedAt)
+	logging.OnError(err).Fatal("unable to migrate step 11")

 	for _, repeatableStep := range repeatableSteps {
 		err = migration.Migrate(ctx, eventstoreClient, repeatableStep)
--- a/cmd/start/start.go
+++ b/cmd/start/start.go
@@ -38,6 +38,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/grpc/user/v2"
 	http_util "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/api/http/middleware"
+	"github.com/zitadel/zitadel/internal/api/idp"
 	"github.com/zitadel/zitadel/internal/api/oidc"
 	"github.com/zitadel/zitadel/internal/api/robots_txt"
 	"github.com/zitadel/zitadel/internal/api/saml"
@@ -306,9 +307,8 @@ func startAPIs(
 		http_util.WithNonHttpOnly(),
 		http_util.WithMaxAge(int(math.Floor(config.Quotas.Access.ExhaustedCookieMaxAge.Seconds()))),
 	)
-	limitingAccessInterceptor := middleware.NewAccessInterceptor(accessSvc, exhaustedCookieHandler, config.Quotas.Access, false)
-	nonLimitingAccessInterceptor := middleware.NewAccessInterceptor(accessSvc, nil, config.Quotas.Access, true)
-	apis, err := api.New(ctx, config.Port, router, queries, verifier, config.InternalAuthZ, tlsConfig, config.HTTP2HostHeader, config.HTTP1HostHeader, accessSvc, exhaustedCookieHandler, config.Quotas.Access)
+	limitingAccessInterceptor := middleware.NewAccessInterceptor(accessSvc, exhaustedCookieHandler, config.Quotas.Access)
+	apis, err := api.New(ctx, config.Port, router, queries, verifier, config.InternalAuthZ, tlsConfig, config.HTTP2HostHeader, config.HTTP1HostHeader, limitingAccessInterceptor)
 	if err != nil {
 		return fmt.Errorf("error creating api %w", err)
 	}
@@ -332,7 +332,7 @@ func startAPIs(
 	if err := apis.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, keys.User, config.ExternalSecure, config.AuditLogRetention)); err != nil {
 		return err
 	}
-	if err := apis.RegisterService(ctx, user.CreateServer(commands, queries, keys.User)); err != nil {
+	if err := apis.RegisterService(ctx, user.CreateServer(commands, queries, keys.User, keys.IDPConfig, idp.CallbackURL(config.ExternalSecure))); err != nil {
 		return err
 	}
 	if err := apis.RegisterService(ctx, session.CreateServer(commands, queries, permissionCheck)); err != nil {
@@ -345,6 +345,8 @@ func startAPIs(
 	assetsCache := middleware.AssetsCacheInterceptor(config.AssetStorage.Cache.MaxAge, config.AssetStorage.Cache.SharedMaxAge)
 	apis.RegisterHandlerOnPrefix(assets.HandlerPrefix, assets.NewHandler(commands, verifier, config.InternalAuthZ, id.SonyFlakeGenerator(), store, queries, middleware.CallDurationHandler, instanceInterceptor.Handler, assetsCache.Handler, limitingAccessInterceptor.Handle))

+	apis.RegisterHandlerOnPrefix(idp.HandlerPrefix, idp.NewHandler(commands, queries, keys.IDPConfig, config.ExternalSecure, instanceInterceptor.Handler))
+
 	userAgentInterceptor, err := middleware.NewUserAgentHandler(config.UserAgentCookie, keys.UserAgentCookieKey, id.SonyFlakeGenerator(), config.ExternalSecure, login.EndpointResources)
 	if err != nil {
 		return err
@@ -376,7 +378,7 @@ func startAPIs(
 	}
 	apis.RegisterHandlerOnPrefix(saml.HandlerPrefix, samlProvider.HttpHandler())

-	c, err := console.Start(config.Console, config.ExternalSecure, oidcProvider.IssuerFromRequest, middleware.CallDurationHandler, instanceInterceptor.Handler, nonLimitingAccessInterceptor.Handle, config.CustomerPortal)
+	c, err := console.Start(config.Console, config.ExternalSecure, oidcProvider.IssuerFromRequest, middleware.CallDurationHandler, instanceInterceptor.Handler, limitingAccessInterceptor, config.CustomerPortal)
 	if err != nil {
 		return fmt.Errorf("unable to start console: %w", err)
 	}