chore: move the go code into a subfolder

apps/api/internal/idp/providers/gitlab/gitlab.go

@@ -0,0 +1,45 @@
+package gitlab
+
+import (
+	openid "github.com/zitadel/oidc/v3/pkg/oidc"
+
+	"github.com/zitadel/zitadel/internal/idp"
+	"github.com/zitadel/zitadel/internal/idp/providers/oidc"
+)
+
+const (
+	issuer = "https://gitlab.com"
+	name   = "GitLab"
+)
+
+var _ idp.Provider = (*Provider)(nil)
+
+// Provider is the [idp.Provider] implementation for Gitlab
+type Provider struct {
+	*oidc.Provider
+}
+
+// New creates a GitLab.com provider using the [oidc.Provider] (OIDC generic provider)
+func New(clientID, clientSecret, redirectURI string, scopes []string, options ...oidc.ProviderOpts) (*Provider, error) {
+	return NewCustomIssuer(name, issuer, clientID, clientSecret, redirectURI, scopes, options...)
+}
+
+// NewCustomIssuer creates a GitLab provider using the [oidc.Provider] (OIDC generic provider)
+// with a custom issuer for self-managed instances
+func NewCustomIssuer(name, issuer, clientID, clientSecret, redirectURI string, scopes []string, options ...oidc.ProviderOpts) (*Provider, error) {
+	if len(scopes) == 0 {
+		// the OIDC provider would set `openid profile email phone` as default scope,
+		// but since gitlab does not handle unknown scopes correctly (phone) and returns an error,
+		// we will just set a separate default list
+		scopes = []string{openid.ScopeOpenID, openid.ScopeProfile, openid.ScopeEmail}
+	}
+	// gitlab is currently not able to handle the prompt `select_account`:
+	// https://gitlab.com/gitlab-org/gitlab/-/issues/377368
+	rp, err := oidc.New(name, issuer, clientID, clientSecret, redirectURI, scopes, oidc.DefaultMapper, options...)
+	if err != nil {
+		return nil, err
+	}
+	return &Provider{
+		Provider: rp,
+	}, nil
+}

apps/api/internal/idp/providers/gitlab/gitlab_test.go

@@ -0,0 +1,68 @@
+package gitlab
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/internal/idp"
+	"github.com/zitadel/zitadel/internal/idp/providers/oidc"
+)
+
+func TestProvider_BeginAuth(t *testing.T) {
+	type fields struct {
+		clientID     string
+		clientSecret string
+		redirectURI  string
+		scopes       []string
+		opts         []oidc.ProviderOpts
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   idp.Session
+	}{
+		{
+			name: "successful auth",
+			fields: fields{
+				clientID:     "clientID",
+				clientSecret: "clientSecret",
+				redirectURI:  "redirectURI",
+				scopes:       []string{"openid"},
+			},
+			want: &oidc.Session{
+				AuthURL: "https://gitlab.com/oauth/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState",
+			},
+		},
+		{
+			name: "successful auth default scopes",
+			fields: fields{
+				clientID:     "clientID",
+				clientSecret: "clientSecret",
+				redirectURI:  "redirectURI",
+			},
+			want: &oidc.Session{
+				AuthURL: "https://gitlab.com/oauth/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid+profile+email&state=testState",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := assert.New(t)
+			r := require.New(t)
+
+			provider, err := New(tt.fields.clientID, tt.fields.clientSecret, tt.fields.redirectURI, tt.fields.scopes, tt.fields.opts...)
+			r.NoError(err)
+			ctx := context.Background()
+			session, err := provider.BeginAuth(ctx, "testState")
+			r.NoError(err)
+
+			wantAuth, wantErr := tt.want.GetAuth(ctx)
+			gotAuth, gotErr := session.GetAuth(ctx)
+			a.Equal(wantAuth, gotAuth)
+			a.ErrorIs(gotErr, wantErr)
+		})
+	}
+}

apps/api/internal/idp/providers/gitlab/session_test.go

@@ -0,0 +1,225 @@
+package gitlab
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/h2non/gock"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	openid "github.com/zitadel/oidc/v3/pkg/oidc"
+	"golang.org/x/oauth2"
+	"golang.org/x/text/language"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/idp/providers/oidc"
+)
+
+func TestProvider_FetchUser(t *testing.T) {
+	type fields struct {
+		clientID     string
+		clientSecret string
+		redirectURI  string
+		scopes       []string
+		httpMock     func()
+		authURL      string
+		code         string
+		tokens       *openid.Tokens[*openid.IDTokenClaims]
+		options      []oidc.ProviderOpts
+	}
+	type want struct {
+		err               error
+		id                string
+		firstName         string
+		lastName          string
+		displayName       string
+		nickName          string
+		preferredUsername string
+		email             string
+		isEmailVerified   bool
+		phone             string
+		isPhoneVerified   bool
+		preferredLanguage language.Tag
+		avatarURL         string
+		profile           string
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   want
+	}{
+		{
+			name: "unauthenticated session, error",
+			fields: fields{
+				clientID:     "clientID",
+				clientSecret: "clientSecret",
+				redirectURI:  "redirectURI",
+				scopes:       []string{"openid"},
+				httpMock: func() {
+					gock.New("https://gitlab.com/oauth").
+						Get("/userinfo").
+						Reply(200).
+						JSON(userinfo())
+				},
+				authURL: "https://gitlab.com/oauth/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState",
+				tokens:  nil,
+			},
+			want: want{
+				err: oidc.ErrCodeMissing,
+			},
+		},
+		{
+			name: "userinfo error",
+			fields: fields{
+				clientID:     "clientID",
+				clientSecret: "clientSecret",
+				redirectURI:  "redirectURI",
+				scopes:       []string{"openid"},
+				httpMock: func() {
+					gock.New("https://gitlab.com/oauth").
+						Get("/userinfo").
+						Reply(200).
+						JSON(userinfo())
+				},
+				authURL: "https://gitlab.com/oauth/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState",
+				tokens: &openid.Tokens[*openid.IDTokenClaims]{
+					Token: &oauth2.Token{
+						AccessToken: "accessToken",
+						TokenType:   openid.BearerToken,
+					},
+					IDTokenClaims: openid.NewIDTokenClaims(
+						issuer,
+						"sub2",
+						[]string{"clientID"},
+						time.Now().Add(1*time.Hour),
+						time.Now().Add(-1*time.Second),
+						"nonce",
+						"",
+						nil,
+						"clientID",
+						0,
+					),
+				},
+			},
+			want: want{
+				err: rp.ErrUserInfoSubNotMatching,
+			},
+		},
+		{
+			name: "successful fetch",
+			fields: fields{
+				clientID:     "clientID",
+				clientSecret: "clientSecret",
+				redirectURI:  "redirectURI",
+				scopes:       []string{"openid"},
+				httpMock: func() {
+					gock.New("https://gitlab.com/oauth").
+						Get("/userinfo").
+						Reply(200).
+						JSON(userinfo())
+				},
+				authURL: "https://gitlab.com/oauth/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState",
+				tokens: &openid.Tokens[*openid.IDTokenClaims]{
+					Token: &oauth2.Token{
+						AccessToken: "accessToken",
+						TokenType:   openid.BearerToken,
+					},
+					IDTokenClaims: openid.NewIDTokenClaims(
+						issuer,
+						"sub",
+						[]string{"clientID"},
+						time.Now().Add(1*time.Hour),
+						time.Now().Add(-1*time.Second),
+						"nonce",
+						"",
+						nil,
+						"clientID",
+						0,
+					),
+				},
+			},
+			want: want{
+				id:                "sub",
+				firstName:         "firstname",
+				lastName:          "lastname",
+				displayName:       "firstname lastname",
+				nickName:          "nickname",
+				preferredUsername: "username",
+				email:             "email",
+				isEmailVerified:   true,
+				phone:             "phone",
+				isPhoneVerified:   true,
+				preferredLanguage: language.English,
+				avatarURL:         "picture",
+				profile:           "profile",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			defer gock.Off()
+			tt.fields.httpMock()
+			a := assert.New(t)
+
+			// call the real discovery endpoint
+			gock.New(issuer).Get(openid.DiscoveryEndpoint).EnableNetworking()
+			provider, err := New(tt.fields.clientID, tt.fields.clientSecret, tt.fields.redirectURI, tt.fields.scopes, tt.fields.options...)
+			require.NoError(t, err)
+
+			session := &oidc.Session{
+				Provider: provider.Provider,
+				AuthURL:  tt.fields.authURL,
+				Code:     tt.fields.code,
+				Tokens:   tt.fields.tokens,
+			}
+
+			user, err := session.FetchUser(context.Background())
+			if tt.want.err != nil && !errors.Is(err, tt.want.err) {
+				a.Fail("invalid error", "expected %v, got %v", tt.want.err, err)
+			}
+			if tt.want.err == nil {
+				a.NoError(err)
+				a.Equal(tt.want.id, user.GetID())
+				a.Equal(tt.want.firstName, user.GetFirstName())
+				a.Equal(tt.want.lastName, user.GetLastName())
+				a.Equal(tt.want.displayName, user.GetDisplayName())
+				a.Equal(tt.want.nickName, user.GetNickname())
+				a.Equal(tt.want.preferredUsername, user.GetPreferredUsername())
+				a.Equal(domain.EmailAddress(tt.want.email), user.GetEmail())
+				a.Equal(tt.want.isEmailVerified, user.IsEmailVerified())
+				a.Equal(domain.PhoneNumber(tt.want.phone), user.GetPhone())
+				a.Equal(tt.want.isPhoneVerified, user.IsPhoneVerified())
+				a.Equal(tt.want.preferredLanguage, user.GetPreferredLanguage())
+				a.Equal(tt.want.avatarURL, user.GetAvatarURL())
+				a.Equal(tt.want.profile, user.GetProfile())
+			}
+		})
+	}
+}
+
+func userinfo() *openid.UserInfo {
+	return &openid.UserInfo{
+		Subject: "sub",
+		UserInfoProfile: openid.UserInfoProfile{
+			GivenName:         "firstname",
+			FamilyName:        "lastname",
+			Name:              "firstname lastname",
+			Nickname:          "nickname",
+			PreferredUsername: "username",
+			Locale:            openid.NewLocale(language.English),
+			Picture:           "picture",
+			Profile:           "profile",
+		},
+		UserInfoEmail: openid.UserInfoEmail{
+			Email:         "email",
+			EmailVerified: openid.Bool(true),
+		},
+		UserInfoPhone: openid.UserInfoPhone{
+			PhoneNumber:         "phone",
+			PhoneNumberVerified: true,
+		},
+	}
+}