mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 21:07:31 +00:00
fix: correctly check app state on authentication (#8630)
# Which Problems Are Solved In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. # How the Problems Are Solved - Correctly check the status of the organization and related project. (Corresponding functions have been renamed to `Active...`)
This commit is contained in:
Livio Spring
@@ -256,7 +256,7 @@ func (q *Queries) AppByProjectAndAppID(ctx context.Context, shouldTriggerBulk bo
|
||||
traceSpan.EndWithError(err)
|
||||
}
|
||||
|
||||
stmt, scan := prepareAppQuery(ctx, q.client)
|
||||
stmt, scan := prepareAppQuery(ctx, q.client, false)
|
||||
eq := sq.Eq{
|
||||
AppColumnID.identifier(): appID,
|
||||
AppColumnProjectID.identifier(): projectID,
|
||||
@@ -274,15 +274,20 @@ func (q *Queries) AppByProjectAndAppID(ctx context.Context, shouldTriggerBulk bo
|
||||
return app, err
|
||||
}
|
||||
|
||||
func (q *Queries) AppByID(ctx context.Context, appID string) (app *App, err error) {
|
||||
func (q *Queries) AppByID(ctx context.Context, appID string, activeOnly bool) (app *App, err error) {
|
||||
ctx, span := tracing.NewSpan(ctx)
|
||||
defer func() { span.EndWithError(err) }()
|
||||
|
||||
stmt, scan := prepareAppQuery(ctx, q.client)
|
||||
stmt, scan := prepareAppQuery(ctx, q.client, activeOnly)
|
||||
eq := sq.Eq{
|
||||
AppColumnID.identifier(): appID,
|
||||
AppColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
|
||||
}
|
||||
if activeOnly {
|
||||
eq[AppColumnState.identifier()] = domain.AppStateActive
|
||||
eq[ProjectColumnState.identifier()] = domain.ProjectStateActive
|
||||
eq[OrgColumnState.identifier()] = domain.OrgStateActive
|
||||
}
|
||||
query, args, err := stmt.Where(eq).ToSql()
|
||||
if err != nil {
|
||||
return nil, zerrors.ThrowInternal(err, "QUERY-immt9", "Errors.Query.SQLStatement")
|
||||
@@ -295,7 +300,7 @@ func (q *Queries) AppByID(ctx context.Context, appID string) (app *App, err erro
|
||||
return app, err
|
||||
}
|
||||
|
||||
func (q *Queries) AppBySAMLEntityID(ctx context.Context, entityID string) (app *App, err error) {
|
||||
func (q *Queries) ActiveAppBySAMLEntityID(ctx context.Context, entityID string) (app *App, err error) {
|
||||
ctx, span := tracing.NewSpan(ctx)
|
||||
defer func() { span.EndWithError(err) }()
|
||||
|
||||
@@ -303,6 +308,9 @@ func (q *Queries) AppBySAMLEntityID(ctx context.Context, entityID string) (app *
|
||||
eq := sq.Eq{
|
||||
AppSAMLConfigColumnEntityID.identifier(): entityID,
|
||||
AppColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
|
||||
AppColumnState.identifier(): domain.AppStateActive,
|
||||
ProjectColumnState.identifier(): domain.ProjectStateActive,
|
||||
OrgColumnState.identifier(): domain.OrgStateActive,
|
||||
}
|
||||
query, args, err := stmt.Where(eq).ToSql()
|
||||
if err != nil {
|
||||
@@ -413,8 +421,13 @@ func (q *Queries) AppByClientID(ctx context.Context, clientID string) (app *App,
|
||||
ctx, span := tracing.NewSpan(ctx)
|
||||
defer func() { span.EndWithError(err) }()
|
||||
|
||||
stmt, scan := prepareAppQuery(ctx, q.client)
|
||||
eq := sq.Eq{AppColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID()}
|
||||
stmt, scan := prepareAppQuery(ctx, q.client, true)
|
||||
eq := sq.Eq{
|
||||
AppColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
|
||||
AppColumnState.identifier(): domain.AppStateActive,
|
||||
ProjectColumnState.identifier(): domain.ProjectStateActive,
|
||||
OrgColumnState.identifier(): domain.OrgStateActive,
|
||||
}
|
||||
query, args, err := stmt.Where(sq.And{
|
||||
eq,
|
||||
sq.Or{
|
||||
@@ -491,107 +504,121 @@ func NewAppProjectIDSearchQuery(id string) (SearchQuery, error) {
|
||||
return NewTextQuery(AppColumnProjectID, id, TextEquals)
|
||||
}
|
||||
|
||||
func prepareAppQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
|
||||
return sq.Select(
|
||||
AppColumnID.identifier(),
|
||||
AppColumnName.identifier(),
|
||||
AppColumnProjectID.identifier(),
|
||||
AppColumnCreationDate.identifier(),
|
||||
AppColumnChangeDate.identifier(),
|
||||
AppColumnResourceOwner.identifier(),
|
||||
AppColumnState.identifier(),
|
||||
AppColumnSequence.identifier(),
|
||||
func prepareAppQuery(ctx context.Context, db prepareDatabase, activeOnly bool) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
|
||||
query := sq.Select(
|
||||
AppColumnID.identifier(),
|
||||
AppColumnName.identifier(),
|
||||
AppColumnProjectID.identifier(),
|
||||
AppColumnCreationDate.identifier(),
|
||||
AppColumnChangeDate.identifier(),
|
||||
AppColumnResourceOwner.identifier(),
|
||||
AppColumnState.identifier(),
|
||||
AppColumnSequence.identifier(),
|
||||
|
||||
AppAPIConfigColumnAppID.identifier(),
|
||||
AppAPIConfigColumnClientID.identifier(),
|
||||
AppAPIConfigColumnAuthMethod.identifier(),
|
||||
AppAPIConfigColumnAppID.identifier(),
|
||||
AppAPIConfigColumnClientID.identifier(),
|
||||
AppAPIConfigColumnAuthMethod.identifier(),
|
||||
|
||||
AppOIDCConfigColumnAppID.identifier(),
|
||||
AppOIDCConfigColumnVersion.identifier(),
|
||||
AppOIDCConfigColumnClientID.identifier(),
|
||||
AppOIDCConfigColumnRedirectUris.identifier(),
|
||||
AppOIDCConfigColumnResponseTypes.identifier(),
|
||||
AppOIDCConfigColumnGrantTypes.identifier(),
|
||||
AppOIDCConfigColumnApplicationType.identifier(),
|
||||
AppOIDCConfigColumnAuthMethodType.identifier(),
|
||||
AppOIDCConfigColumnPostLogoutRedirectUris.identifier(),
|
||||
AppOIDCConfigColumnDevMode.identifier(),
|
||||
AppOIDCConfigColumnAccessTokenType.identifier(),
|
||||
AppOIDCConfigColumnAccessTokenRoleAssertion.identifier(),
|
||||
AppOIDCConfigColumnIDTokenRoleAssertion.identifier(),
|
||||
AppOIDCConfigColumnIDTokenUserinfoAssertion.identifier(),
|
||||
AppOIDCConfigColumnClockSkew.identifier(),
|
||||
AppOIDCConfigColumnAdditionalOrigins.identifier(),
|
||||
AppOIDCConfigColumnSkipNativeAppSuccessPage.identifier(),
|
||||
AppOIDCConfigColumnAppID.identifier(),
|
||||
AppOIDCConfigColumnVersion.identifier(),
|
||||
AppOIDCConfigColumnClientID.identifier(),
|
||||
AppOIDCConfigColumnRedirectUris.identifier(),
|
||||
AppOIDCConfigColumnResponseTypes.identifier(),
|
||||
AppOIDCConfigColumnGrantTypes.identifier(),
|
||||
AppOIDCConfigColumnApplicationType.identifier(),
|
||||
AppOIDCConfigColumnAuthMethodType.identifier(),
|
||||
AppOIDCConfigColumnPostLogoutRedirectUris.identifier(),
|
||||
AppOIDCConfigColumnDevMode.identifier(),
|
||||
AppOIDCConfigColumnAccessTokenType.identifier(),
|
||||
AppOIDCConfigColumnAccessTokenRoleAssertion.identifier(),
|
||||
AppOIDCConfigColumnIDTokenRoleAssertion.identifier(),
|
||||
AppOIDCConfigColumnIDTokenUserinfoAssertion.identifier(),
|
||||
AppOIDCConfigColumnClockSkew.identifier(),
|
||||
AppOIDCConfigColumnAdditionalOrigins.identifier(),
|
||||
AppOIDCConfigColumnSkipNativeAppSuccessPage.identifier(),
|
||||
|
||||
AppSAMLConfigColumnAppID.identifier(),
|
||||
AppSAMLConfigColumnEntityID.identifier(),
|
||||
AppSAMLConfigColumnMetadata.identifier(),
|
||||
AppSAMLConfigColumnMetadataURL.identifier(),
|
||||
).From(appsTable.identifier()).
|
||||
AppSAMLConfigColumnAppID.identifier(),
|
||||
AppSAMLConfigColumnEntityID.identifier(),
|
||||
AppSAMLConfigColumnMetadata.identifier(),
|
||||
AppSAMLConfigColumnMetadataURL.identifier(),
|
||||
).From(appsTable.identifier()).
|
||||
PlaceholderFormat(sq.Dollar)
|
||||
|
||||
if activeOnly {
|
||||
return query.
|
||||
LeftJoin(join(AppAPIConfigColumnAppID, AppColumnID)).
|
||||
LeftJoin(join(AppOIDCConfigColumnAppID, AppColumnID)).
|
||||
LeftJoin(join(AppSAMLConfigColumnAppID, AppColumnID)).
|
||||
LeftJoin(join(ProjectColumnID, AppColumnProjectID)).
|
||||
LeftJoin(join(OrgColumnID, AppColumnResourceOwner) + db.Timetravel(call.Took(ctx))),
|
||||
scanApp
|
||||
}
|
||||
return query.
|
||||
LeftJoin(join(AppAPIConfigColumnAppID, AppColumnID)).
|
||||
LeftJoin(join(AppOIDCConfigColumnAppID, AppColumnID)).
|
||||
LeftJoin(join(AppSAMLConfigColumnAppID, AppColumnID) + db.Timetravel(call.Took(ctx))).
|
||||
PlaceholderFormat(sq.Dollar), func(row *sql.Row) (*App, error) {
|
||||
app := new(App)
|
||||
LeftJoin(join(AppSAMLConfigColumnAppID, AppColumnID) + db.Timetravel(call.Took(ctx))),
|
||||
scanApp
|
||||
}
|
||||
|
||||
var (
|
||||
apiConfig = sqlAPIConfig{}
|
||||
oidcConfig = sqlOIDCConfig{}
|
||||
samlConfig = sqlSAMLConfig{}
|
||||
)
|
||||
func scanApp(row *sql.Row) (*App, error) {
|
||||
app := new(App)
|
||||
|
||||
err := row.Scan(
|
||||
&app.ID,
|
||||
&app.Name,
|
||||
&app.ProjectID,
|
||||
&app.CreationDate,
|
||||
&app.ChangeDate,
|
||||
&app.ResourceOwner,
|
||||
&app.State,
|
||||
&app.Sequence,
|
||||
var (
|
||||
apiConfig = sqlAPIConfig{}
|
||||
oidcConfig = sqlOIDCConfig{}
|
||||
samlConfig = sqlSAMLConfig{}
|
||||
)
|
||||
|
||||
&apiConfig.appID,
|
||||
&apiConfig.clientID,
|
||||
&apiConfig.authMethod,
|
||||
err := row.Scan(
|
||||
&app.ID,
|
||||
&app.Name,
|
||||
&app.ProjectID,
|
||||
&app.CreationDate,
|
||||
&app.ChangeDate,
|
||||
&app.ResourceOwner,
|
||||
&app.State,
|
||||
&app.Sequence,
|
||||
|
||||
&oidcConfig.appID,
|
||||
&oidcConfig.version,
|
||||
&oidcConfig.clientID,
|
||||
&oidcConfig.redirectUris,
|
||||
&oidcConfig.responseTypes,
|
||||
&oidcConfig.grantTypes,
|
||||
&oidcConfig.applicationType,
|
||||
&oidcConfig.authMethodType,
|
||||
&oidcConfig.postLogoutRedirectUris,
|
||||
&oidcConfig.devMode,
|
||||
&oidcConfig.accessTokenType,
|
||||
&oidcConfig.accessTokenRoleAssertion,
|
||||
&oidcConfig.iDTokenRoleAssertion,
|
||||
&oidcConfig.iDTokenUserinfoAssertion,
|
||||
&oidcConfig.clockSkew,
|
||||
&oidcConfig.additionalOrigins,
|
||||
&oidcConfig.skipNativeAppSuccessPage,
|
||||
&apiConfig.appID,
|
||||
&apiConfig.clientID,
|
||||
&apiConfig.authMethod,
|
||||
|
||||
&samlConfig.appID,
|
||||
&samlConfig.entityID,
|
||||
&samlConfig.metadata,
|
||||
&samlConfig.metadataURL,
|
||||
)
|
||||
&oidcConfig.appID,
|
||||
&oidcConfig.version,
|
||||
&oidcConfig.clientID,
|
||||
&oidcConfig.redirectUris,
|
||||
&oidcConfig.responseTypes,
|
||||
&oidcConfig.grantTypes,
|
||||
&oidcConfig.applicationType,
|
||||
&oidcConfig.authMethodType,
|
||||
&oidcConfig.postLogoutRedirectUris,
|
||||
&oidcConfig.devMode,
|
||||
&oidcConfig.accessTokenType,
|
||||
&oidcConfig.accessTokenRoleAssertion,
|
||||
&oidcConfig.iDTokenRoleAssertion,
|
||||
&oidcConfig.iDTokenUserinfoAssertion,
|
||||
&oidcConfig.clockSkew,
|
||||
&oidcConfig.additionalOrigins,
|
||||
&oidcConfig.skipNativeAppSuccessPage,
|
||||
|
||||
if err != nil {
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return nil, zerrors.ThrowNotFound(err, "QUERY-pCP8P", "Errors.App.NotExisting")
|
||||
}
|
||||
return nil, zerrors.ThrowInternal(err, "QUERY-4SJlx", "Errors.Internal")
|
||||
}
|
||||
&samlConfig.appID,
|
||||
&samlConfig.entityID,
|
||||
&samlConfig.metadata,
|
||||
&samlConfig.metadataURL,
|
||||
)
|
||||
|
||||
apiConfig.set(app)
|
||||
oidcConfig.set(app)
|
||||
samlConfig.set(app)
|
||||
|
||||
return app, nil
|
||||
if err != nil {
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return nil, zerrors.ThrowNotFound(err, "QUERY-pCP8P", "Errors.App.NotExisting")
|
||||
}
|
||||
return nil, zerrors.ThrowInternal(err, "QUERY-4SJlx", "Errors.Internal")
|
||||
}
|
||||
|
||||
apiConfig.set(app)
|
||||
oidcConfig.set(app)
|
||||
samlConfig.set(app)
|
||||
|
||||
return app, nil
|
||||
}
|
||||
|
||||
func prepareOIDCAppQuery() (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
|
||||
@@ -690,6 +717,8 @@ func prepareSAMLAppQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuil
|
||||
AppSAMLConfigColumnMetadataURL.identifier(),
|
||||
).From(appsTable.identifier()).
|
||||
Join(join(AppSAMLConfigColumnAppID, AppColumnID)).
|
||||
Join(join(ProjectColumnID, AppColumnProjectID)).
|
||||
Join(join(OrgColumnID, AppColumnResourceOwner)).
|
||||
PlaceholderFormat(sq.Dollar), func(row *sql.Row) (*App, error) {
|
||||
|
||||
app := new(App)
|
||||
|
||||
Reference in New Issue
Block a user