feat: idps (#1188)

* add setup steps * refactoring * omitempty * cleanup * begin org * create org * setup org * setup org * merge * fixes * fixes * fixes * add project * add oidc application * fix app creation * add resourceOwner to writemodels * resource owner * cleanup * global org, iam project and iam member in setup * logs * logs * logs * cleanup * Update internal/v2/command/project.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * check project state * add org domain commands * add org status changes and member commands * fixes * policies * login policy * fix iam project event * mapper * label policy * change to command * fix * fix * handle change event differently and lot of fixes * idps * fixes * fixes * fixes * changedEvent handling * fix change events * remove creation date Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-12 00:47:33 +00:00 · 2021-01-20 11:06:52 +01:00
parent 3eb909c4b4
commit c2e6e782a8
42 changed files with 1070 additions and 348 deletions
--- a/internal/api/grpc/management/idp_config.go
+++ b/internal/api/grpc/management/idp_config.go
@@ -2,8 +2,10 @@ package management

 import (
 	"context"
+
 	"github.com/golang/protobuf/ptypes/empty"

+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/pkg/grpc/management"
 )

@@ -16,48 +18,42 @@ func (s *Server) IdpByID(ctx context.Context, id *management.IdpID) (*management
 }

 func (s *Server) CreateOidcIdp(ctx context.Context, oidcIdpConfig *management.OidcIdpConfigCreate) (*management.Idp, error) {
-	config, err := s.org.AddOIDCIDPConfig(ctx, createOidcIdpToModel(oidcIdpConfig))
+	config, err := s.command.AddIDPConfig(ctx, createOidcIdpToDomain(oidcIdpConfig))
 	if err != nil {
 		return nil, err
 	}
-	return idpFromModel(config), nil
+	return idpFromDomain(config), nil
 }

 func (s *Server) UpdateIdpConfig(ctx context.Context, idpConfig *management.IdpUpdate) (*management.Idp, error) {
-	config, err := s.org.ChangeIDPConfig(ctx, updateIdpToModel(idpConfig))
+	config, err := s.command.ChangeIDPConfig(ctx, updateIdpToDomain(ctx, idpConfig))
 	if err != nil {
 		return nil, err
 	}
-	return idpFromModel(config), nil
+	return idpFromDomain(config), nil
 }

-func (s *Server) DeactivateIdpConfig(ctx context.Context, id *management.IdpID) (*management.Idp, error) {
-	config, err := s.org.DeactivateIDPConfig(ctx, id.Id)
-	if err != nil {
-		return nil, err
-	}
-	return idpFromModel(config), nil
+func (s *Server) DeactivateIdpConfig(ctx context.Context, id *management.IdpID) (*empty.Empty, error) {
+	err := s.command.DeactivateIDPConfig(ctx, id.Id, authz.GetCtxData(ctx).OrgID)
+	return &empty.Empty{}, err
 }

-func (s *Server) ReactivateIdpConfig(ctx context.Context, id *management.IdpID) (*management.Idp, error) {
-	config, err := s.org.ReactivateIDPConfig(ctx, id.Id)
-	if err != nil {
-		return nil, err
-	}
-	return idpFromModel(config), nil
+func (s *Server) ReactivateIdpConfig(ctx context.Context, id *management.IdpID) (*empty.Empty, error) {
+	err := s.command.ReactivateIDPConfig(ctx, id.Id, authz.GetCtxData(ctx).OrgID)
+	return &empty.Empty{}, err
 }

 func (s *Server) RemoveIdpConfig(ctx context.Context, id *management.IdpID) (*empty.Empty, error) {
-	err := s.org.RemoveIDPConfig(ctx, id.Id)
+	err := s.command.RemoveIDPConfig(ctx, id.Id, authz.GetCtxData(ctx).OrgID)
 	return &empty.Empty{}, err
 }

 func (s *Server) UpdateOidcIdpConfig(ctx context.Context, request *management.OidcIdpConfigUpdate) (*management.OidcIdpConfig, error) {
-	config, err := s.org.ChangeOIDCIDPConfig(ctx, updateOidcIdpToModel(request))
+	config, err := s.command.ChangeIDPOIDCConfig(ctx, updateOidcIdpToDomain(ctx, request))
 	if err != nil {
 		return nil, err
 	}
-	return oidcIdpConfigFromModel(config), nil
+	return oidcIdpConfigFromDomain(config), nil
 }

 func (s *Server) SearchIdps(ctx context.Context, request *management.IdpSearchRequest) (*management.IdpSearchResponse, error) {
--- a/internal/api/grpc/management/idp_config_converter.go
+++ b/internal/api/grpc/management/idp_config_converter.go
@@ -1,66 +1,72 @@
 package management

 import (
+	"context"
+
 	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/authz"
 	caos_errors "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/management"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
 	"strconv"
 )

-func createOidcIdpToModel(idp *management.OidcIdpConfigCreate) *iam_model.IDPConfig {
-	return &iam_model.IDPConfig{
+func createOidcIdpToDomain(idp *management.OidcIdpConfigCreate) *domain.IDPConfig {
+	return &domain.IDPConfig{
 		Name:        idp.Name,
-		StylingType: idpConfigStylingTypeToModel(idp.StylingType),
-		Type:        iam_model.IDPConfigTypeOIDC,
-		OIDCConfig: &iam_model.OIDCIDPConfig{
+		StylingType: idpConfigStylingTypeToDomain(idp.StylingType),
+		Type:        domain.IDPConfigTypeOIDC,
+		OIDCConfig: &domain.OIDCIDPConfig{
 			ClientID:              idp.ClientId,
 			ClientSecretString:    idp.ClientSecret,
 			Issuer:                idp.Issuer,
 			Scopes:                idp.Scopes,
-			IDPDisplayNameMapping: oidcMappingFieldToModel(idp.IdpDisplayNameMapping),
-			UsernameMapping:       oidcMappingFieldToModel(idp.UsernameMapping),
+			IDPDisplayNameMapping: oidcMappingFieldToDomain(idp.IdpDisplayNameMapping),
+			UsernameMapping:       oidcMappingFieldToDomain(idp.UsernameMapping),
 		},
 	}
 }

-func updateIdpToModel(idp *management.IdpUpdate) *iam_model.IDPConfig {
-	return &iam_model.IDPConfig{
+func updateIdpToDomain(ctx context.Context, idp *management.IdpUpdate) *domain.IDPConfig {
+	return &domain.IDPConfig{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
 		IDPConfigID: idp.Id,
 		Name:        idp.Name,
-		StylingType: idpConfigStylingTypeToModel(idp.StylingType),
+		StylingType: idpConfigStylingTypeToDomain(idp.StylingType),
 	}
 }

-func updateOidcIdpToModel(idp *management.OidcIdpConfigUpdate) *iam_model.OIDCIDPConfig {
-	return &iam_model.OIDCIDPConfig{
+func updateOidcIdpToDomain(ctx context.Context, idp *management.OidcIdpConfigUpdate) *domain.OIDCIDPConfig {
+	return &domain.OIDCIDPConfig{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
 		IDPConfigID:           idp.IdpId,
 		ClientID:              idp.ClientId,
 		ClientSecretString:    idp.ClientSecret,
 		Issuer:                idp.Issuer,
 		Scopes:                idp.Scopes,
-		IDPDisplayNameMapping: oidcMappingFieldToModel(idp.IdpDisplayNameMapping),
-		UsernameMapping:       oidcMappingFieldToModel(idp.UsernameMapping),
+		IDPDisplayNameMapping: oidcMappingFieldToDomain(idp.IdpDisplayNameMapping),
+		UsernameMapping:       oidcMappingFieldToDomain(idp.UsernameMapping),
 	}
 }

-func idpFromModel(idp *iam_model.IDPConfig) *management.Idp {
-	creationDate, err := ptypes.TimestampProto(idp.CreationDate)
-	logging.Log("GRPC-8dju8").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(idp.ChangeDate)
-	logging.Log("GRPC-Dsj8i").OnError(err).Debug("date parse failed")
-
+func idpFromDomain(idp *domain.IDPConfig) *management.Idp {
 	return &management.Idp{
-		Id:           idp.IDPConfigID,
-		CreationDate: creationDate,
-		ChangeDate:   changeDate,
-		Sequence:     idp.Sequence,
-		Name:         idp.Name,
-		StylingType:  idpConfigStylingTypeFromModel(idp.StylingType),
-		State:        idpConfigStateFromModel(idp.State),
-		IdpConfig:    idpConfigFromModel(idp),
+		Id:          idp.IDPConfigID,
+		ChangeDate:  timestamppb.New(idp.ChangeDate),
+		Sequence:    idp.Sequence,
+		Name:        idp.Name,
+		StylingType: idpConfigStylingTypeFromDomain(idp.StylingType),
+		State:       idpConfigStateFromDomain(idp.State),
+		IdpConfig:   idpConfigFromDomain(idp),
 	}
 }

@@ -84,6 +90,15 @@ func idpViewFromModel(idp *iam_model.IDPConfigView) *management.IdpView {
 	}
 }

+func idpConfigFromDomain(idp *domain.IDPConfig) *management.Idp_OidcConfig {
+	if idp.Type == domain.IDPConfigTypeOIDC {
+		return &management.Idp_OidcConfig{
+			OidcConfig: oidcIdpConfigFromDomain(idp.OIDCConfig),
+		}
+	}
+	return nil
+}
+
 func idpConfigFromModel(idp *iam_model.IDPConfig) *management.Idp_OidcConfig {
 	if idp.Type == iam_model.IDPConfigTypeOIDC {
 		return &management.Idp_OidcConfig{
@@ -93,6 +108,16 @@ func idpConfigFromModel(idp *iam_model.IDPConfig) *management.Idp_OidcConfig {
 	return nil
 }

+func oidcIdpConfigFromDomain(idp *domain.OIDCIDPConfig) *management.OidcIdpConfig {
+	return &management.OidcIdpConfig{
+		ClientId:              idp.ClientID,
+		Issuer:                idp.Issuer,
+		Scopes:                idp.Scopes,
+		IdpDisplayNameMapping: oidcMappingFieldFromDomain(idp.IDPDisplayNameMapping),
+		UsernameMapping:       oidcMappingFieldFromDomain(idp.UsernameMapping),
+	}
+}
+
 func oidcIdpConfigFromModel(idp *iam_model.OIDCIDPConfig) *management.OidcIdpConfig {
 	return &management.OidcIdpConfig{
 		ClientId:              idp.ClientID,
@@ -122,6 +147,17 @@ func oidcIdpConfigViewFromModel(idp *iam_model.IDPConfigView) *management.OidcId
 	}
 }

+func idpConfigStateFromDomain(state domain.IDPConfigState) management.IdpState {
+	switch state {
+	case domain.IDPConfigStateActive:
+		return management.IdpState_IDPCONFIGSTATE_ACTIVE
+	case domain.IDPConfigStateInactive:
+		return management.IdpState_IDPCONFIGSTATE_INACTIVE
+	default:
+		return management.IdpState_IDPCONFIGSTATE_UNSPECIFIED
+	}
+}
+
 func idpConfigStateFromModel(state iam_model.IDPConfigState) management.IdpState {
 	switch state {
 	case iam_model.IDPConfigStateActive:
@@ -210,6 +246,17 @@ func idpConfigsFromView(viewIdps []*iam_model.IDPConfigView) []*management.IdpVi
 	return idps
 }

+func oidcMappingFieldFromDomain(field domain.OIDCMappingField) management.OIDCMappingField {
+	switch field {
+	case domain.OIDCMappingFieldPreferredLoginName:
+		return management.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME
+	case domain.OIDCMappingFieldEmail:
+		return management.OIDCMappingField_OIDCMAPPINGFIELD_EMAIL
+	default:
+		return management.OIDCMappingField_OIDCMAPPINGFIELD_UNSPECIFIED
+	}
+}
+
 func oidcMappingFieldFromModel(field iam_model.OIDCMappingField) management.OIDCMappingField {
 	switch field {
 	case iam_model.OIDCMappingFieldPreferredLoginName:
@@ -221,6 +268,17 @@ func oidcMappingFieldFromModel(field iam_model.OIDCMappingField) management.OIDC
 	}
 }

+func oidcMappingFieldToDomain(field management.OIDCMappingField) domain.OIDCMappingField {
+	switch field {
+	case management.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME:
+		return domain.OIDCMappingFieldPreferredLoginName
+	case management.OIDCMappingField_OIDCMAPPINGFIELD_EMAIL:
+		return domain.OIDCMappingFieldEmail
+	default:
+		return domain.OIDCMappingFieldUnspecified
+	}
+}
+
 func oidcMappingFieldToModel(field management.OIDCMappingField) iam_model.OIDCMappingField {
 	switch field {
 	case management.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME:
@@ -232,6 +290,15 @@ func oidcMappingFieldToModel(field management.OIDCMappingField) iam_model.OIDCMa
 	}
 }

+func idpConfigStylingTypeFromDomain(stylingType domain.IDPConfigStylingType) management.IdpStylingType {
+	switch stylingType {
+	case domain.IDPConfigStylingTypeGoogle:
+		return management.IdpStylingType_IDPSTYLINGTYPE_GOOGLE
+	default:
+		return management.IdpStylingType_IDPSTYLINGTYPE_UNSPECIFIED
+	}
+}
+
 func idpConfigStylingTypeFromModel(stylingType iam_model.IDPStylingType) management.IdpStylingType {
 	switch stylingType {
 	case iam_model.IDPStylingTypeGoogle:
@@ -241,12 +308,12 @@ func idpConfigStylingTypeFromModel(stylingType iam_model.IDPStylingType) managem
 	}
 }

-func idpConfigStylingTypeToModel(stylingType management.IdpStylingType) iam_model.IDPStylingType {
+func idpConfigStylingTypeToDomain(stylingType management.IdpStylingType) domain.IDPConfigStylingType {
 	switch stylingType {
 	case management.IdpStylingType_IDPSTYLINGTYPE_GOOGLE:
-		return iam_model.IDPStylingTypeGoogle
+		return domain.IDPConfigStylingTypeGoogle
 	default:
-		return iam_model.IDPStylingTypeUnspecified
+		return domain.IDPConfigStylingTypeUnspecified
 	}
 }

--- a/internal/api/grpc/management/login_policy_converter.go
+++ b/internal/api/grpc/management/login_policy_converter.go
@@ -32,7 +32,6 @@ func loginPolicyFromDomain(policy *domain.LoginPolicy) *management.LoginPolicy {
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
-		CreationDate:          timestamppb.New(policy.CreationDate),
 		ChangeDate:            timestamppb.New(policy.ChangeDate),
 		ForceMfa:              policy.ForceMFA,
 		PasswordlessType:      passwordlessTypeFromDomain(policy.PasswordlessType),
--- a/internal/api/grpc/management/org_converter.go
+++ b/internal/api/grpc/management/org_converter.go
@@ -23,11 +23,10 @@ import (

 func orgFromDomain(org *domain.Org) *management.Org {
 	return &management.Org{
-		ChangeDate:   timestamppb.New(org.ChangeDate),
-		CreationDate: timestamppb.New(org.CreationDate),
-		Id:           org.AggregateID,
-		Name:         org.Name,
-		State:        orgStateFromDomain(org.State),
+		ChangeDate: timestamppb.New(org.ChangeDate),
+		Id:         org.AggregateID,
+		Name:       org.Name,
+		State:      orgStateFromDomain(org.State),
 	}
 }

@@ -139,12 +138,11 @@ func removeOrgDomainToDomain(ctx context.Context, ordDomain *management.RemoveOr

 func orgDomainFromDomain(orgDomain *domain.OrgDomain) *management.OrgDomain {
 	return &management.OrgDomain{
-		ChangeDate:   timestamppb.New(orgDomain.ChangeDate),
-		CreationDate: timestamppb.New(orgDomain.CreationDate),
-		OrgId:        orgDomain.AggregateID,
-		Domain:       orgDomain.Domain,
-		Verified:     orgDomain.Verified,
-		Primary:      orgDomain.Primary,
+		ChangeDate: timestamppb.New(orgDomain.ChangeDate),
+		OrgId:      orgDomain.AggregateID,
+		Domain:     orgDomain.Domain,
+		Verified:   orgDomain.Verified,
+		Primary:    orgDomain.Primary,
 	}
 }

--- a/internal/api/grpc/management/org_member_converter.go
+++ b/internal/api/grpc/management/org_member_converter.go
@@ -24,11 +24,10 @@ func changeOrgMemberToModel(ctx context.Context, member *management.ChangeOrgMem

 func orgMemberFromDomain(member *domain.Member) *management.OrgMember {
 	return &management.OrgMember{
-		UserId:       member.UserID,
-		CreationDate: timestamppb.New(member.CreationDate),
-		ChangeDate:   timestamppb.New(member.ChangeDate),
-		Roles:        member.Roles,
-		Sequence:     member.Sequence,
+		UserId:     member.UserID,
+		ChangeDate: timestamppb.New(member.ChangeDate),
+		Roles:      member.Roles,
+		Sequence:   member.Sequence,
 	}
 }

--- a/internal/api/grpc/management/password_age_policy_converter.go
+++ b/internal/api/grpc/management/password_age_policy_converter.go
@@ -27,7 +27,6 @@ func passwordAgePolicyFromDomain(policy *domain.PasswordAgePolicy) *management.P
 	return &management.PasswordAgePolicy{
 		MaxAgeDays:     policy.MaxAgeDays,
 		ExpireWarnDays: policy.ExpireWarnDays,
-		CreationDate:   timestamppb.New(policy.CreationDate),
 		ChangeDate:     timestamppb.New(policy.ChangeDate),
 	}
 }
--- a/internal/api/grpc/management/password_complexity_policy_converter.go
+++ b/internal/api/grpc/management/password_complexity_policy_converter.go
@@ -33,7 +33,6 @@ func passwordComplexityPolicyFromDomain(policy *domain.PasswordComplexityPolicy)
 		HasUppercase: policy.HasUppercase,
 		HasSymbol:    policy.HasSymbol,
 		HasNumber:    policy.HasNumber,
-		CreationDate: timestamppb.New(policy.CreationDate),
 		ChangeDate:   timestamppb.New(policy.ChangeDate),
 	}
 }
--- a/internal/api/grpc/management/password_lockout_policy_converter.go
+++ b/internal/api/grpc/management/password_lockout_policy_converter.go
@@ -27,7 +27,6 @@ func passwordLockoutPolicyFromDomain(policy *domain.PasswordLockoutPolicy) *mana
 	return &management.PasswordLockoutPolicy{
 		MaxAttempts:        policy.MaxAttempts,
 		ShowLockoutFailure: policy.ShowLockOutFailures,
-		CreationDate:       timestamppb.New(policy.CreationDate),
 		ChangeDate:         timestamppb.New(policy.ChangeDate),
 	}
 }