feat: idp and login policy configurations (#619)

* feat: oidc config * fix: oidc configurations * feat: oidc idp config * feat: add oidc config test * fix: tests * fix: tests * feat: translate new events * feat: idp eventstore * feat: idp eventstore * fix: tests * feat: command side idp * feat: query side idp * feat: idp config on org * fix: tests * feat: authz idp on org * feat: org idps * feat: login policy * feat: login policy * feat: login policy * feat: add idp func on login policy * feat: add validation to loginpolicy and idp provider * feat: add default login policy * feat: login policy on org * feat: login policy on org * fix: id config handlers * fix: id config handlers * fix: create idp on org * fix: create idp on org * fix: not existing idp config * fix: default login policy * fix: add login policy on org * fix: idp provider search on org * fix: test * fix: remove idp on org * fix: test * fix: test * fix: remove admin idp * fix: logo src as byte * fix: migration * fix: tests * Update internal/iam/repository/eventsourcing/iam.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/iam/repository/eventsourcing/iam_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/iam/repository/eventsourcing/iam_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/iam/repository/eventsourcing/model/login_policy.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/iam/repository/eventsourcing/model/login_policy.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/org/repository/eventsourcing/org_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/iam/repository/eventsourcing/model/login_policy_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/iam/repository/eventsourcing/model/login_policy_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: pr comments * fix: tests * Update types.go * fix: merge request changes * fix: reduce optimization Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-11-15 04:23:49 +00:00 · 2020-08-26 09:56:23 +02:00
parent f05c5bae24
commit db1d8f4efe
157 changed files with 37510 additions and 15698 deletions
--- a/pkg/grpc/admin/proto/admin.proto
+++ b/pkg/grpc/admin/proto/admin.proto
@@ -234,6 +234,146 @@ service AdminService {
            permission: "iam.write"
        };
    }
+
+    rpc IdpByID(IdpID) returns (IdpView) {
+        option (google.api.http) = {
+            get: "/idps/{id}"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.idp.read"
+        };
+    }
+
+    rpc CreateOidcIdp(OidcIdpConfigCreate) returns (Idp) {
+        option (google.api.http) = {
+            post: "/idps/oidc"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    rpc UpdateIdpConfig(IdpUpdate) returns (Idp) {
+        option (google.api.http) = {
+            put: "/idps/{id}"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    rpc DeactivateIdpConfig(IdpID) returns (Idp) {
+        option (google.api.http) = {
+            put: "/idps/{id}/_deactivate"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    rpc ReactivateIdpConfig(IdpID) returns (Idp) {
+        option (google.api.http) = {
+            put: "/idps/{id}/_reactivate"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    rpc RemoveIdpConfig(IdpID) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+            delete: "/idps/{id}"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    rpc UpdateOidcIdpConfig(OidcIdpConfigUpdate) returns (OidcIdpConfig) {
+        option (google.api.http) = {
+            put: "/idps/{idp_id}/oidcconfig"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    rpc SearchIdps(IdpSearchRequest) returns (IdpSearchResponse) {
+        option (google.api.http) = {
+            post: "/idps/_search"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.idp.read"
+        };
+    }
+
+    rpc GetDefaultLoginPolicy(google.protobuf.Empty) returns (DefaultLoginPolicyView) {
+        option (google.api.http) = {
+            get: "/policies/login"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+
+    rpc UpdateDefaultLoginPolicy(DefaultLoginPolicy) returns (DefaultLoginPolicy) {
+        option (google.api.http) = {
+            put: "/policies/login"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc GetDefaultLoginPolicyIdpProviders(IdpProviderSearchRequest) returns (IdpProviderSearchResponse) {
+        option (google.api.http) = {
+            post: "/policies/login/idpproviders/_search"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+
+    rpc AddIdpProviderToDefaultLoginPolicy(IdpProviderID) returns (IdpProviderID) {
+        option (google.api.http) = {
+            post: "/policies/login/idpproviders"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc RemoveIdpProviderFromDefaultLoginPolicy(IdpProviderID) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+            post: "/policies/login/idpproviders/{idp_config_id}"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
 }

 message OrgID {
@@ -511,4 +651,146 @@ message View {
    google.protobuf.Timestamp view_timestamp = 4;
 }

+message IdpID {
+    string id = 1;
+}

+message Idp {
+    string id = 1;
+    IdpState state = 2;
+    google.protobuf.Timestamp creation_date = 3;
+    google.protobuf.Timestamp change_date = 4;
+    string name = 5;
+    bytes logo_src = 6;
+    oneof idp_config {
+        OidcIdpConfig oidc_config = 7;
+    }
+    uint64 sequence = 8;
+}
+
+message IdpUpdate {
+    string id = 1;
+    string name = 2;
+    bytes logo_src = 3;
+}
+
+message OidcIdpConfig {
+    string client_id = 1;
+    string client_secret = 2;
+    string issuer = 3;
+    repeated string scopes = 4;
+}
+enum IdpState {
+    IDPCONFIGSTATE_UNSPECIFIED = 0;
+    IDPCONFIGSTATE_ACTIVE = 1;
+    IDPCONFIGSTATE_INACTIVE = 2;
+}
+
+message OidcIdpConfigCreate {
+    string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    bytes logo_src = 2;
+    string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    repeated string scopes = 6;
+}
+
+message OidcIdpConfigUpdate {
+    string idp_id = 1;
+    string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_secret = 3;
+    string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    repeated string scopes = 5;
+}
+
+message IdpSearchResponse {
+    uint64 offset = 1;
+    uint64 limit = 2;
+    uint64 total_result = 3;
+    repeated IdpView result = 4;
+    uint64 processed_sequence = 5;
+    google.protobuf.Timestamp view_timestamp = 6;
+}
+
+message IdpView {
+    string id = 1;
+    IdpState state = 2;
+    google.protobuf.Timestamp creation_date = 3;
+    google.protobuf.Timestamp change_date = 4;
+    string name = 5;
+    bytes logo_src = 6;
+    oneof idp_config_view {
+        OidcIdpConfigView oidc_config = 7;
+    }
+    uint64 sequence = 8;
+}
+
+message OidcIdpConfigView {
+    string client_id = 1;
+    string issuer = 2;
+    repeated string scopes = 3;
+}
+
+message IdpSearchRequest {
+    uint64 offset = 1;
+    uint64 limit = 2;
+    repeated IdpSearchQuery queries = 3;
+}
+
+message IdpSearchQuery {
+    IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
+    SearchMethod method = 2;
+    string value = 3;
+}
+
+enum IdpSearchKey {
+    IDPSEARCHKEY_UNSPECIFIED = 0;
+    IDPSEARCHKEY_IDP_CONFIG_ID = 1;
+    IDPSEARCHKEY_NAME = 2;
+}
+
+message DefaultLoginPolicy {
+    bool allow_username_password = 1;
+    bool allow_register = 2;
+    bool allow_external_idp = 3;
+}
+
+message IdpProviderID {
+    string idp_config_id = 1;
+}
+
+message DefaultLoginPolicyView {
+    bool allow_username_password = 1;
+    bool allow_register = 2;
+    bool allow_external_idp = 3;
+}
+
+message IdpProviderViews {
+    repeated IdpProviderView providers = 1;
+}
+
+message IdpProviderView {
+    string idp_config_id = 1;
+    string name = 2;
+    IdpType type = 3;
+}
+
+enum IdpType {
+    IDPTYPE_UNSPECIFIED = 0;
+    IDPTYPE_OIDC = 1;
+    IDPTYPE_SAML = 2;
+}
+
+message IdpProviderSearchResponse {
+    uint64 offset = 1;
+    uint64 limit = 2;
+    uint64 total_result = 3;
+    repeated IdpProviderView result = 4;
+    uint64 processed_sequence = 5;
+    google.protobuf.Timestamp view_timestamp = 6;
+}
+
+message IdpProviderSearchRequest {
+    uint64 offset = 1;
+    uint64 limit = 2;
+}