feat: idp and login policy configurations (#619)

* feat: oidc config * fix: oidc configurations * feat: oidc idp config * feat: add oidc config test * fix: tests * fix: tests * feat: translate new events * feat: idp eventstore * feat: idp eventstore * fix: tests * feat: command side idp * feat: query side idp * feat: idp config on org * fix: tests * feat: authz idp on org * feat: org idps * feat: login policy * feat: login policy * feat: login policy * feat: add idp func on login policy * feat: add validation to loginpolicy and idp provider * feat: add default login policy * feat: login policy on org * feat: login policy on org * fix: id config handlers * fix: id config handlers * fix: create idp on org * fix: create idp on org * fix: not existing idp config * fix: default login policy * fix: add login policy on org * fix: idp provider search on org * fix: test * fix: remove idp on org * fix: test * fix: test * fix: remove admin idp * fix: logo src as byte * fix: migration * fix: tests * Update internal/iam/repository/eventsourcing/iam.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/iam/repository/eventsourcing/iam_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/iam/repository/eventsourcing/iam_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/iam/repository/eventsourcing/model/login_policy.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/iam/repository/eventsourcing/model/login_policy.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/org/repository/eventsourcing/org_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/iam/repository/eventsourcing/model/login_policy_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/iam/repository/eventsourcing/model/login_policy_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: pr comments * fix: tests * Update types.go * fix: merge request changes * fix: reduce optimization Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 04:57:33 +00:00 · 2020-08-26 09:56:23 +02:00
parent f05c5bae24
commit db1d8f4efe
157 changed files with 37510 additions and 15698 deletions
--- a/internal/admin/repository/eventsourcing/handler/handler.go
+++ b/internal/admin/repository/eventsourcing/handler/handler.go
@@ -1,6 +1,8 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	iam_event "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
 	"time"

 	"github.com/caos/zitadel/internal/admin/repository/eventsourcing/view"
@@ -26,13 +28,17 @@ type handler struct {

 type EventstoreRepos struct {
 	UserEvents *usr_event.UserEventstore
+	IamEvents  *iam_event.IAMEventstore
 	OrgEvents  *org_event.OrgEventstore
 }

-func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, eventstore eventstore.Eventstore, repos EventstoreRepos) []query.Handler {
+func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, eventstore eventstore.Eventstore, repos EventstoreRepos, defaults systemdefaults.SystemDefaults) []query.Handler {
 	return []query.Handler{
 		&Org{handler: handler{view, bulkLimit, configs.cycleDuration("Org"), errorCount}},
 		&IamMember{handler: handler{view, bulkLimit, configs.cycleDuration("IamMember"), errorCount}, userEvents: repos.UserEvents},
+		&IDPConfig{handler: handler{view, bulkLimit, configs.cycleDuration("IDPConfig"), errorCount}},
+		&LoginPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("LoginPolicy"), errorCount}},
+		&IDPProvider{handler: handler{view, bulkLimit, configs.cycleDuration("LoginPolicy"), errorCount}, systemDefaults: defaults, iamEvents: repos.IamEvents, orgEvents: repos.OrgEvents},
 		&User{handler: handler{view, bulkLimit, configs.cycleDuration("User"), errorCount}, eventstore: eventstore, orgEvents: repos.OrgEvents},
 	}
 }
--- a/internal/admin/repository/eventsourcing/handler/iam_member.go
+++ b/internal/admin/repository/eventsourcing/handler/iam_member.go
@@ -29,18 +29,18 @@ func (m *IamMember) ViewModel() string {
 }

 func (m *IamMember) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := m.view.GetLatestIamMemberSequence()
+	sequence, err := m.view.GetLatestIAMMemberSequence()
 	if err != nil {
 		return nil, err
 	}
 	return es_models.NewSearchQuery().
-		AggregateTypeFilter(model.IamAggregate, usr_es_model.UserAggregate).
+		AggregateTypeFilter(model.IAMAggregate, usr_es_model.UserAggregate).
 		LatestSequenceFilter(sequence.CurrentSequence), nil
 }

 func (m *IamMember) Reduce(event *models.Event) (err error) {
 	switch event.AggregateType {
-	case model.IamAggregate:
+	case model.IAMAggregate:
 		err = m.processIamMember(event)
 	case usr_es_model.UserAggregate:
 		err = m.processUser(event)
@@ -49,46 +49,46 @@ func (m *IamMember) Reduce(event *models.Event) (err error) {
 }

 func (m *IamMember) processIamMember(event *models.Event) (err error) {
-	member := new(iam_model.IamMemberView)
+	member := new(iam_model.IAMMemberView)
 	switch event.Type {
-	case model.IamMemberAdded:
+	case model.IAMMemberAdded:
 		member.AppendEvent(event)
 		m.fillData(member)
-	case model.IamMemberChanged:
+	case model.IAMMemberChanged:
 		err := member.SetData(event)
 		if err != nil {
 			return err
 		}
-		member, err = m.view.IamMemberByIDs(event.AggregateID, member.UserID)
+		member, err = m.view.IAMMemberByIDs(event.AggregateID, member.UserID)
 		if err != nil {
 			return err
 		}
 		member.AppendEvent(event)
-	case model.IamMemberRemoved:
+	case model.IAMMemberRemoved:
 		err := member.SetData(event)
 		if err != nil {
 			return err
 		}
-		return m.view.DeleteIamMember(event.AggregateID, member.UserID, event.Sequence)
+		return m.view.DeleteIAMMember(event.AggregateID, member.UserID, event.Sequence)
 	default:
-		return m.view.ProcessedIamMemberSequence(event.Sequence)
+		return m.view.ProcessedIAMMemberSequence(event.Sequence)
 	}
 	if err != nil {
 		return err
 	}
-	return m.view.PutIamMember(member, member.Sequence)
+	return m.view.PutIAMMember(member, member.Sequence)
 }

 func (m *IamMember) processUser(event *models.Event) (err error) {
 	switch event.Type {
 	case usr_es_model.UserProfileChanged,
 		usr_es_model.UserEmailChanged:
-		members, err := m.view.IamMembersByUserID(event.AggregateID)
+		members, err := m.view.IAMMembersByUserID(event.AggregateID)
 		if err != nil {
 			return err
 		}
 		if len(members) == 0 {
-			return m.view.ProcessedIamMemberSequence(event.Sequence)
+			return m.view.ProcessedIAMMemberSequence(event.Sequence)
 		}
 		user, err := m.userEvents.UserByID(context.Background(), event.AggregateID)
 		if err != nil {
@@ -96,18 +96,18 @@ func (m *IamMember) processUser(event *models.Event) (err error) {
 		}
 		for _, member := range members {
 			m.fillUserData(member, user)
-			err = m.view.PutIamMember(member, event.Sequence)
+			err = m.view.PutIAMMember(member, event.Sequence)
 			if err != nil {
 				return err
 			}
 		}
 	default:
-		return m.view.ProcessedIamMemberSequence(event.Sequence)
+		return m.view.ProcessedIAMMemberSequence(event.Sequence)
 	}
 	return nil
 }

-func (m *IamMember) fillData(member *iam_model.IamMemberView) (err error) {
+func (m *IamMember) fillData(member *iam_model.IAMMemberView) (err error) {
 	user, err := m.userEvents.UserByID(context.Background(), member.UserID)
 	if err != nil {
 		return err
@@ -116,7 +116,7 @@ func (m *IamMember) fillData(member *iam_model.IamMemberView) (err error) {
 	return nil
 }

-func (m *IamMember) fillUserData(member *iam_model.IamMemberView, user *usr_model.User) {
+func (m *IamMember) fillUserData(member *iam_model.IAMMemberView, user *usr_model.User) {
 	member.UserName = user.UserName
 	member.FirstName = user.FirstName
 	member.LastName = user.LastName
@@ -125,5 +125,5 @@ func (m *IamMember) fillUserData(member *iam_model.IamMemberView, user *usr_mode
 }
 func (m *IamMember) OnError(event *models.Event, err error) error {
 	logging.LogWithFields("SPOOL-Ld9ow", "id", event.AggregateID).WithError(err).Warn("something went wrong in iammember handler")
-	return spooler.HandleError(event, err, m.view.GetLatestIamMemberFailedEvent, m.view.ProcessedIamMemberFailedEvent, m.view.ProcessedIamMemberSequence, m.errorCountUntilSkip)
+	return spooler.HandleError(event, err, m.view.GetLatestIAMMemberFailedEvent, m.view.ProcessedIAMMemberFailedEvent, m.view.ProcessedIAMMemberSequence, m.errorCountUntilSkip)
 }
--- a/internal/admin/repository/eventsourcing/handler/idp_config.go
+++ b/internal/admin/repository/eventsourcing/handler/idp_config.go
@@ -0,0 +1,79 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	"github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	iam_view_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+)
+
+type IDPConfig struct {
+	handler
+}
+
+const (
+	idpConfigTable = "adminapi.idp_configs"
+)
+
+func (m *IDPConfig) ViewModel() string {
+	return idpConfigTable
+}
+
+func (m *IDPConfig) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestIDPConfigSequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.IAMAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *IDPConfig) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.IAMAggregate:
+		err = m.processIDPConfig(event)
+	}
+	return err
+}
+
+func (m *IDPConfig) processIDPConfig(event *models.Event) (err error) {
+	idp := new(iam_view_model.IDPConfigView)
+	switch event.Type {
+	case model.IDPConfigAdded:
+		err = idp.AppendEvent(iam_model.IDPProviderTypeSystem, event)
+	case model.IDPConfigChanged,
+		model.OIDCIDPConfigAdded,
+		model.OIDCIDPConfigChanged:
+		err = idp.SetData(event)
+		if err != nil {
+			return err
+		}
+		idp, err = m.view.IDPConfigByID(idp.IDPConfigID)
+		if err != nil {
+			return err
+		}
+		err = idp.AppendEvent(iam_model.IDPProviderTypeSystem, event)
+	case model.IDPConfigRemoved:
+		err = idp.SetData(event)
+		if err != nil {
+			return err
+		}
+		return m.view.DeleteIDPConfig(idp.IDPConfigID, event.Sequence)
+	default:
+		return m.view.ProcessedIDPConfigSequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutIDPConfig(idp, idp.Sequence)
+}
+
+func (m *IDPConfig) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-Mslo9", "id", event.AggregateID).WithError(err).Warn("something went wrong in idp config handler")
+	return spooler.HandleError(event, err, m.view.GetLatestIDPConfigFailedEvent, m.view.ProcessedIDPConfigFailedEvent, m.view.ProcessedIDPConfigSequence, m.errorCountUntilSkip)
+}
--- a/internal/admin/repository/eventsourcing/handler/idp_providers.go
+++ b/internal/admin/repository/eventsourcing/handler/idp_providers.go
@@ -0,0 +1,114 @@
+package handler
+
+import (
+	"context"
+	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/iam/repository/eventsourcing"
+	org_events "github.com/caos/zitadel/internal/org/repository/eventsourcing"
+	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	iam_view_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+)
+
+type IDPProvider struct {
+	handler
+	systemDefaults systemdefaults.SystemDefaults
+	iamEvents      *eventsourcing.IAMEventstore
+	orgEvents      *org_events.OrgEventstore
+}
+
+const (
+	idpProviderTable = "adminapi.idp_providers"
+)
+
+func (m *IDPProvider) ViewModel() string {
+	return idpProviderTable
+}
+
+func (m *IDPProvider) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestIDPProviderSequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.IAMAggregate, org_es_model.OrgAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *IDPProvider) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.IAMAggregate, org_es_model.OrgAggregate:
+		err = m.processIdpProvider(event)
+	}
+	return err
+}
+
+func (m *IDPProvider) processIdpProvider(event *models.Event) (err error) {
+	provider := new(iam_view_model.IDPProviderView)
+	switch event.Type {
+	case model.LoginPolicyIDPProviderAdded, org_es_model.LoginPolicyIDPProviderAdded:
+		err = provider.AppendEvent(event)
+		if err != nil {
+			return err
+		}
+		err = m.fillData(provider)
+	case model.LoginPolicyIDPProviderRemoved, model.LoginPolicyIDPProviderCascadeRemoved,
+		org_es_model.LoginPolicyIDPProviderRemoved, org_es_model.LoginPolicyIDPProviderCascadeRemoved:
+		err = provider.SetData(event)
+		if err != nil {
+			return err
+		}
+		return m.view.DeleteIDPProvider(event.AggregateID, provider.IDPConfigID, event.Sequence)
+	case model.IDPConfigChanged, org_es_model.IDPConfigChanged:
+		config := new(iam_model.IDPConfig)
+		config.AppendEvent(event)
+		providers, err := m.view.IDPProvidersByIdpConfigID(config.IDPConfigID)
+		if err != nil {
+			return err
+		}
+		config, err = m.iamEvents.GetIDPConfig(context.Background(), provider.AggregateID, config.IDPConfigID)
+		if err != nil {
+			return err
+		}
+		for _, provider := range providers {
+			m.fillConfigData(provider, config)
+		}
+		return m.view.PutIDPProviders(event.Sequence, providers...)
+	default:
+		return m.view.ProcessedIDPProviderSequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutIDPProvider(provider, provider.Sequence)
+}
+
+func (m *IDPProvider) fillData(provider *iam_view_model.IDPProviderView) (err error) {
+	var config *iam_model.IDPConfig
+	if provider.IDPProviderType == int32(iam_model.IDPProviderTypeSystem) {
+		config, err = m.iamEvents.GetIDPConfig(context.Background(), m.systemDefaults.IamID, provider.IDPConfigID)
+	} else {
+		config, err = m.orgEvents.GetIDPConfig(context.Background(), provider.AggregateID, provider.IDPConfigID)
+	}
+	if err != nil {
+		return err
+	}
+	m.fillConfigData(provider, config)
+	return nil
+}
+
+func (m *IDPProvider) fillConfigData(provider *iam_view_model.IDPProviderView, config *iam_model.IDPConfig) {
+	provider.Name = config.Name
+	provider.IDPConfigType = int32(config.Type)
+}
+
+func (m *IDPProvider) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-Msj8c", "id", event.AggregateID).WithError(err).Warn("something went wrong in idp provider handler")
+	return spooler.HandleError(event, err, m.view.GetLatestIDPProviderFailedEvent, m.view.ProcessedIDPProviderFailedEvent, m.view.ProcessedIDPProviderSequence, m.errorCountUntilSkip)
+}
--- a/internal/admin/repository/eventsourcing/handler/login_policy.go
+++ b/internal/admin/repository/eventsourcing/handler/login_policy.go
@@ -0,0 +1,66 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	"github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+)
+
+type LoginPolicy struct {
+	handler
+}
+
+const (
+	loginPolicyTable = "adminapi.login_policies"
+)
+
+func (m *LoginPolicy) ViewModel() string {
+	return loginPolicyTable
+}
+
+func (m *LoginPolicy) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestLoginPolicySequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.IAMAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *LoginPolicy) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.IAMAggregate:
+		err = m.processLoginPolicy(event)
+	}
+	return err
+}
+
+func (m *LoginPolicy) processLoginPolicy(event *models.Event) (err error) {
+	policy := new(iam_model.LoginPolicyView)
+	switch event.Type {
+	case model.LoginPolicyAdded:
+		err = policy.AppendEvent(event)
+	case model.LoginPolicyChanged:
+		policy, err = m.view.LoginPolicyByAggregateID(event.AggregateID)
+		if err != nil {
+			return err
+		}
+		err = policy.AppendEvent(event)
+	default:
+		return m.view.ProcessedLoginPolicySequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutLoginPolicy(policy, policy.Sequence)
+}
+
+func (m *LoginPolicy) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-Wj8sf", "id", event.AggregateID).WithError(err).Warn("something went wrong in login policy handler")
+	return spooler.HandleError(event, err, m.view.GetLatestLoginPolicyFailedEvent, m.view.ProcessedLoginPolicyFailedEvent, m.view.ProcessedLoginPolicySequence, m.errorCountUntilSkip)
+}
--- a/internal/admin/repository/eventsourcing/handler/user.go
+++ b/internal/admin/repository/eventsourcing/handler/user.go
@@ -105,9 +105,9 @@ func (u *User) ProcessOrg(event *models.Event) (err error) {
 	switch event.Type {
 	case org_es_model.OrgDomainVerified,
 		org_es_model.OrgDomainRemoved,
-		org_es_model.OrgIamPolicyAdded,
-		org_es_model.OrgIamPolicyChanged,
-		org_es_model.OrgIamPolicyRemoved:
+		org_es_model.OrgIAMPolicyAdded,
+		org_es_model.OrgIAMPolicyChanged,
+		org_es_model.OrgIAMPolicyRemoved:
 		return u.fillLoginNamesOnOrgUsers(event)
 	case org_es_model.OrgDomainPrimarySet:
 		return u.fillPreferredLoginNamesOnOrgUsers(event)
@@ -121,7 +121,7 @@ func (u *User) fillLoginNamesOnOrgUsers(event *models.Event) error {
 	if err != nil {
 		return err
 	}
-	policy, err := u.orgEvents.GetOrgIamPolicy(context.Background(), event.ResourceOwner)
+	policy, err := u.orgEvents.GetOrgIAMPolicy(context.Background(), event.ResourceOwner)
 	if err != nil {
 		return err
 	}
@@ -140,7 +140,7 @@ func (u *User) fillPreferredLoginNamesOnOrgUsers(event *models.Event) error {
 	if err != nil {
 		return err
 	}
-	policy, err := u.orgEvents.GetOrgIamPolicy(context.Background(), event.ResourceOwner)
+	policy, err := u.orgEvents.GetOrgIAMPolicy(context.Background(), event.ResourceOwner)
 	if err != nil {
 		return err
 	}
@@ -162,7 +162,7 @@ func (u *User) fillLoginNames(user *view_model.UserView) (err error) {
 	if err != nil {
 		return err
 	}
-	policy, err := u.orgEvents.GetOrgIamPolicy(context.Background(), user.ResourceOwner)
+	policy, err := u.orgEvents.GetOrgIAMPolicy(context.Background(), user.ResourceOwner)
 	if err != nil {
 		return err
 	}