feat: new projects (#1207)

* fix: project events

* fix: project events

* fix: project events

* fix: eventmapper

* fix: project commands

* fix: project role commands

* fix: project command side

* fix: oidc application

* fix: oidc application

* fix: reduce

* fix: reduce

* fix: project member

* fix: project grant command side

* fix: application command side

* fix: project grant member remove

* Update internal/v2/command/project.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/v2/command/project.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/v2/command/project_application.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/v2/command/project_application.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/v2/command/project_application.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: oidc application string pw

* fix: project events

* fix: project grant member

* feat: change application to interface

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

internal/v2/domain/application.go

@@ -1,17 +1,9 @@
 package domain
 
-import (
-	"github.com/caos/zitadel/internal/eventstore/models"
-)
-
-type Application struct {
-	models.ObjectRoot
-
-	AppID      string
-	State      AppState
-	Name       string
-	Type       AppType
-	OIDCConfig *OIDCConfig
+type Application interface {
+	GetAppID() string
+	GetApplicationName() string
+	GetState() AppState
 }
 
 type AppState int32
@@ -23,27 +15,20 @@ const (
 	AppStateRemoved
 )
 
-type AppType int32
-
-const (
-	AppTypeUnspecified AppType = iota
-	AppTypeOIDC
-	AppTypeSAML
-)
-
-func NewApplication(projectID, appID string) *Application {
-	return &Application{ObjectRoot: models.ObjectRoot{AggregateID: projectID}, AppID: appID, State: AppStateActive}
+type ChangeApp struct {
+	AppID   string
+	AppName string
+	State   AppState
 }
 
-func (a *Application) IsValid(includeConfig bool) bool {
-	if a.Name == "" || a.AggregateID == "" {
-		return false
-	}
-	if !includeConfig {
-		return true
-	}
-	if a.Type == AppTypeOIDC && !a.OIDCConfig.IsValid() {
-		return false
-	}
-	return true
+func (a *ChangeApp) GetAppID() string {
+	return a.AppID
+}
+
+func (a *ChangeApp) GetApplicationName() string {
+	return a.AppName
+}
+
+func (a *ChangeApp) GetState() AppState {
+	return a.State
 }

internal/v2/domain/application_oidc.go

@@ -0,0 +1,327 @@
+package domain
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/id"
+)
+
+const (
+	http           = "http://"
+	httpLocalhost  = "http://localhost:"
+	httpLocalhost2 = "http://localhost/"
+	https          = "https://"
+)
+
+type OIDCApp struct {
+	models.ObjectRoot
+
+	AppID                    string
+	AppName                  string
+	ClientID                 string
+	ClientSecret             *crypto.CryptoValue
+	ClientSecretString       string
+	RedirectUris             []string
+	ResponseTypes            []OIDCResponseType
+	GrantTypes               []OIDCGrantType
+	ApplicationType          OIDCApplicationType
+	AuthMethodType           OIDCAuthMethodType
+	PostLogoutRedirectUris   []string
+	OIDCVersion              OIDCVersion
+	Compliance               *Compliance
+	DevMode                  bool
+	AccessTokenType          OIDCTokenType
+	AccessTokenRoleAssertion bool
+	IDTokenRoleAssertion     bool
+	IDTokenUserinfoAssertion bool
+	ClockSkew                time.Duration
+
+	State AppState
+}
+
+func (h OIDCApp) GetUsername() string {
+	return h.AppName
+}
+
+func (h OIDCApp) GetState() AppState {
+	return h.State
+}
+
+type OIDCVersion int32
+
+const (
+	OIDCVersionV1 OIDCVersion = iota
+)
+
+type OIDCResponseType int32
+
+const (
+	OIDCResponseTypeCode OIDCResponseType = iota
+	OIDCResponseTypeIDToken
+	OIDCResponseTypeIDTokenToken
+)
+
+type OIDCGrantType int32
+
+const (
+	OIDCGrantTypeAuthorizationCode OIDCGrantType = iota
+	OIDCGrantTypeImplicit
+	OIDCGrantTypeRefreshToken
+)
+
+type OIDCApplicationType int32
+
+const (
+	OIDCApplicationTypeWeb OIDCApplicationType = iota
+	OIDCApplicationTypeUserAgent
+	OIDCApplicationTypeNative
+)
+
+type OIDCAuthMethodType int32
+
+const (
+	OIDCAuthMethodTypeBasic OIDCAuthMethodType = iota
+	OIDCAuthMethodTypePost
+	OIDCAuthMethodTypeNone
+)
+
+type Compliance struct {
+	NoneCompliant bool
+	Problems      []string
+}
+
+type OIDCTokenType int32
+
+const (
+	OIDCTokenTypeBearer OIDCTokenType = iota
+	OIDCTokenTypeJWT
+)
+
+func (c *OIDCApp) IsValid() bool {
+	grantTypes := c.getRequiredGrantTypes()
+	for _, grantType := range grantTypes {
+		ok := containsOIDCGrantType(c.GrantTypes, grantType)
+		if !ok {
+			return false
+		}
+	}
+	return true
+}
+
+//ClientID random_number@projectname (eg. 495894098234@zitadel)
+func (c *OIDCApp) GenerateNewClientID(idGenerator id.Generator, project *Project) error {
+	rndID, err := idGenerator.Next()
+	if err != nil {
+		return err
+	}
+
+	c.ClientID = fmt.Sprintf("%v@%v", rndID, strings.ReplaceAll(strings.ToLower(project.Name), " ", "_"))
+	return nil
+}
+
+func (c *OIDCApp) GenerateClientSecretIfNeeded(generator crypto.Generator) (string, error) {
+	if c.AuthMethodType == OIDCAuthMethodTypeNone {
+		return "", nil
+	}
+	return c.GenerateNewClientSecret(generator)
+}
+
+func (c *OIDCApp) GenerateNewClientSecret(generator crypto.Generator) (string, error) {
+	cryptoValue, stringSecret, err := NewClientSecret(generator)
+	if err != nil {
+		return "", err
+	}
+	c.ClientSecret = cryptoValue
+	return stringSecret, nil
+}
+
+func NewClientSecret(generator crypto.Generator) (*crypto.CryptoValue, string, error) {
+	cryptoValue, stringSecret, err := crypto.NewCode(generator)
+	if err != nil {
+		logging.Log("MODEL-UpnTI").OnError(err).Error("unable to create client secret")
+		return nil, "", errors.ThrowInternal(err, "MODEL-gH2Wl", "Errors.Project.CouldNotGenerateClientSecret")
+	}
+	return cryptoValue, stringSecret, nil
+}
+
+func (c *OIDCApp) getRequiredGrantTypes() []OIDCGrantType {
+	grantTypes := make([]OIDCGrantType, 0)
+	implicit := false
+	for _, r := range c.ResponseTypes {
+		switch r {
+		case OIDCResponseTypeCode:
+			grantTypes = append(grantTypes, OIDCGrantTypeAuthorizationCode)
+		case OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken:
+			if !implicit {
+				implicit = true
+				grantTypes = append(grantTypes, OIDCGrantTypeImplicit)
+			}
+		}
+	}
+	return grantTypes
+}
+
+func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
+	for _, gt := range grantTypes {
+		if gt == grantType {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *OIDCApp) FillCompliance() {
+	c.Compliance = GetOIDCCompliance(c.OIDCVersion, c.ApplicationType, c.GrantTypes, c.ResponseTypes, c.AuthMethodType, c.RedirectUris)
+}
+
+func GetOIDCCompliance(version OIDCVersion, appType OIDCApplicationType, grantTypes []OIDCGrantType, responseTypes []OIDCResponseType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
+	switch version {
+	case OIDCVersionV1:
+		return GetOIDCV1Compliance(appType, grantTypes, authMethod, redirectUris)
+	}
+	return nil
+}
+
+func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
+	compliance := &Compliance{NoneCompliant: false}
+	if redirectUris == nil || len(redirectUris) == 0 {
+		compliance.NoneCompliant = true
+		compliance.Problems = append([]string{"Application.OIDC.V1.NoRedirectUris"}, compliance.Problems...)
+	}
+	if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) && containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
+		CheckRedirectUrisImplicitAndCode(compliance, appType, redirectUris)
+	} else {
+		if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) {
+			CheckRedirectUrisImplicit(compliance, appType, redirectUris)
+		}
+		if containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
+			CheckRedirectUrisCode(compliance, appType, redirectUris)
+		}
+	}
+
+	switch appType {
+	case OIDCApplicationTypeNative:
+		GetOIDCV1NativeApplicationCompliance(compliance, authMethod)
+	case OIDCApplicationTypeUserAgent:
+		GetOIDCV1UserAgentApplicationCompliance(compliance, authMethod)
+	}
+	if compliance.NoneCompliant {
+		compliance.Problems = append([]string{"Application.OIDC.V1.NotCompliant"}, compliance.Problems...)
+	}
+	return compliance
+}
+
+func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
+	if authMethod != OIDCAuthMethodTypeNone {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.AuthMethodType.NotNone")
+	}
+}
+
+func GetOIDCV1UserAgentApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
+	if authMethod != OIDCAuthMethodTypeNone {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.UserAgent.AuthMethodType.NotNone")
+	}
+}
+
+func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if urlContainsPrefix(redirectUris, http) && appType != OIDCApplicationTypeWeb {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+	}
+	if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative")
+	}
+}
+
+func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if containsCustom(redirectUris) {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
+	}
+	if urlContainsPrefix(redirectUris, http) {
+		if appType == OIDCApplicationTypeNative {
+			if !onlyLocalhostIsHttp(redirectUris) {
+				compliance.NoneCompliant = true
+				compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
+			}
+			return
+		}
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed")
+	}
+}
+
+func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
+	}
+	if (urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpLocalhostOnlyForNative")
+	}
+	if urlContainsPrefix(redirectUris, http) && !(urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeWeb {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+	}
+	if !compliance.NoneCompliant {
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.NotAllCombinationsAreAllowed")
+	}
+}
+
+func urlsAreHttps(uris []string) bool {
+	for _, uri := range uris {
+		if !strings.HasPrefix(uri, https) {
+			return false
+		}
+	}
+	return true
+}
+
+func urlContainsPrefix(uris []string, prefix string) bool {
+	for _, uri := range uris {
+		if strings.HasPrefix(uri, prefix) {
+			return true
+		}
+	}
+	return false
+}
+
+func containsCustom(uris []string) bool {
+	for _, uri := range uris {
+		if !strings.HasPrefix(uri, http) && !strings.HasPrefix(uri, https) {
+			return true
+		}
+	}
+	return false
+}
+
+func onlyLocalhostIsHttp(uris []string) bool {
+	for _, uri := range uris {
+		if strings.HasPrefix(uri, http) {
+			if !strings.HasPrefix(uri, httpLocalhost) && !strings.HasPrefix(uri, httpLocalhost2) {
+				return false
+			}
+		}
+	}
+	return true
+}

internal/v2/domain/oidc_config.go

@@ -1,152 +0,0 @@
-package domain
-
-import (
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/caos/logging"
-
-	"github.com/caos/zitadel/internal/crypto"
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/models"
-	"github.com/caos/zitadel/internal/id"
-)
-
-type OIDCConfig struct {
-	models.ObjectRoot
-
-	AppID                    string
-	ClientID                 string
-	ClientSecret             *crypto.CryptoValue
-	ClientSecretString       string
-	RedirectUris             []string
-	ResponseTypes            []OIDCResponseType
-	GrantTypes               []OIDCGrantType
-	ApplicationType          OIDCApplicationType
-	AuthMethodType           OIDCAuthMethodType
-	PostLogoutRedirectUris   []string
-	OIDCVersion              OIDCVersion
-	Compliance               *Compliance
-	DevMode                  bool
-	AccessTokenType          OIDCTokenType
-	AccessTokenRoleAssertion bool
-	IDTokenRoleAssertion     bool
-	IDTokenUserinfoAssertion bool
-	ClockSkew                time.Duration
-}
-
-type OIDCVersion int32
-
-const (
-	OIDCVersionV1 OIDCVersion = iota
-)
-
-type OIDCResponseType int32
-
-const (
-	OIDCResponseTypeCode OIDCResponseType = iota
-	OIDCResponseTypeIDToken
-	OIDCResponseTypeIDTokenToken
-)
-
-type OIDCGrantType int32
-
-const (
-	OIDCGrantTypeAuthorizationCode OIDCGrantType = iota
-	OIDCGrantTypeImplicit
-	OIDCGrantTypeRefreshToken
-)
-
-type OIDCApplicationType int32
-
-const (
-	OIDCApplicationTypeWeb OIDCApplicationType = iota
-	OIDCApplicationTypeUserAgent
-	OIDCApplicationTypeNative
-)
-
-type OIDCAuthMethodType int32
-
-const (
-	OIDCAuthMethodTypeBasic OIDCAuthMethodType = iota
-	OIDCAuthMethodTypePost
-	OIDCAuthMethodTypeNone
-)
-
-type Compliance struct {
-	NoneCompliant bool
-	Problems      []string
-}
-
-type OIDCTokenType int32
-
-const (
-	OIDCTokenTypeBearer OIDCTokenType = iota
-	OIDCTokenTypeJWT
-)
-
-func (c *OIDCConfig) IsValid() bool {
-	grantTypes := c.getRequiredGrantTypes()
-	for _, grantType := range grantTypes {
-		ok := containsOIDCGrantType(c.GrantTypes, grantType)
-		if !ok {
-			return false
-		}
-	}
-	return true
-}
-
-//ClientID random_number@projectname (eg. 495894098234@zitadel)
-func (c *OIDCConfig) GenerateNewClientID(idGenerator id.Generator, project *Project) error {
-	rndID, err := idGenerator.Next()
-	if err != nil {
-		return err
-	}
-
-	c.ClientID = fmt.Sprintf("%v@%v", rndID, strings.ReplaceAll(strings.ToLower(project.Name), " ", "_"))
-	return nil
-}
-
-func (c *OIDCConfig) GenerateClientSecretIfNeeded(generator crypto.Generator) (string, error) {
-	if c.AuthMethodType == OIDCAuthMethodTypeNone {
-		return "", nil
-	}
-	return c.GenerateNewClientSecret(generator)
-}
-
-func (c *OIDCConfig) GenerateNewClientSecret(generator crypto.Generator) (string, error) {
-	cryptoValue, stringSecret, err := crypto.NewCode(generator)
-	if err != nil {
-		logging.Log("MODEL-UpnTI").OnError(err).Error("unable to create client secret")
-		return "", errors.ThrowInternal(err, "MODEL-gH2Wl", "Errors.Project.CouldNotGenerateClientSecret")
-	}
-	c.ClientSecret = cryptoValue
-	return stringSecret, nil
-}
-
-func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
-	grantTypes := make([]OIDCGrantType, 0)
-	implicit := false
-	for _, r := range c.ResponseTypes {
-		switch r {
-		case OIDCResponseTypeCode:
-			grantTypes = append(grantTypes, OIDCGrantTypeAuthorizationCode)
-		case OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken:
-			if !implicit {
-				implicit = true
-				grantTypes = append(grantTypes, OIDCGrantTypeImplicit)
-			}
-		}
-	}
-	return grantTypes
-}
-
-func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
-	for _, gt := range grantTypes {
-		if gt == grantType {
-			return true
-		}
-	}
-	return false
-}

internal/v2/domain/project_grant.go

@@ -0,0 +1,30 @@
+package domain
+
+import es_models "github.com/caos/zitadel/internal/eventstore/models"
+
+type ProjectGrant struct {
+	es_models.ObjectRoot
+
+	GrantID      string
+	GrantedOrgID string
+	State        ProjectGrantState
+	RoleKeys     []string
+}
+
+type ProjectGrantIDs struct {
+	ProjectID string
+	GrantID   string
+}
+
+type ProjectGrantState int32
+
+const (
+	ProjectGrantStateUnspecified ProjectGrantState = iota
+	ProjectGrantStateActive
+	ProjectGrantStateInactive
+	ProjectGrantStateRemoved
+)
+
+func (p *ProjectGrant) IsValid() bool {
+	return p.GrantedOrgID != ""
+}

internal/v2/domain/project_grant_member.go

@@ -0,0 +1,28 @@
+package domain
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type ProjectGrantMember struct {
+	es_models.ObjectRoot
+
+	GrantID string
+	UserID  string
+	Roles   []string
+}
+
+func NewProjectGrantMember(aggregateID, userID, grantID string, roles ...string) *ProjectGrantMember {
+	return &ProjectGrantMember{
+		ObjectRoot: es_models.ObjectRoot{
+			AggregateID: aggregateID,
+		},
+		GrantID: grantID,
+		UserID:  userID,
+		Roles:   roles,
+	}
+}
+
+func (i *ProjectGrantMember) IsValid() bool {
+	return i.AggregateID != "" && i.GrantID != "" && i.UserID != "" && len(i.Roles) != 0
+}

internal/v2/domain/project_role.go

@@ -12,6 +12,14 @@ type ProjectRole struct {
 	Group       string
 }
 
+type ProjectRoleState int32
+
+const (
+	ProjectRoleStateUnspecified ProjectRoleState = iota
+	ProjectRoleStateActive
+	ProjectRoleStateRemoved
+)
+
 func NewProjectRole(projectID, key string) *ProjectRole {
 	return &ProjectRole{ObjectRoot: models.ObjectRoot{AggregateID: projectID}, Key: key}
 }