feat: restrict languages (#6931)

* feat: return 404 or 409 if org reg disallowed * fix: system limit permissions * feat: add iam limits api * feat: disallow public org registrations on default instance * add integration test * test: integration * fix test * docs: describe public org registrations * avoid updating docs deps * fix system limits integration test * silence integration tests * fix linting * ignore strange linter complaints * review * improve reset properties naming * redefine the api * use restrictions aggregate * test query * simplify and test projection * test commands * fix unit tests * move integration test * support restrictions on default instance * also test GetRestrictions * self review * lint * abstract away resource owner * fix tests * configure supported languages * fix allowed languages * fix tests * default lang must not be restricted * preferred language must be allowed * change preferred languages * check languages everywhere * lint * test command side * lint * add integration test * add integration test * restrict supported ui locales * lint * lint * cleanup * lint * allow undefined preferred language * fix integration tests * update main * fix env var * ignore linter * ignore linter * improve integration test config * reduce cognitive complexity * compile * check for duplicates * remove useless restriction checks * review * revert restriction renaming * fix language restrictions * lint * generate * allow custom texts for supported langs for now * fix tests * cleanup * cleanup * cleanup * lint * unsupported preferred lang is allowed * fix integration test * finish reverting to old property name * finish reverting to old property name * load languages * refactor(i18n): centralize translators and fs * lint * amplify no validations on preferred languages * fix integration test * lint * fix resetting allowed languages * test unchanged restrictions
2025-08-11 18:33:28 +00:00 · 2023-12-05 12:12:01 +01:00
parent 236930f109
commit dd33538c0a
123 changed files with 4133 additions and 2058 deletions
--- a/internal/i18n/bundle.go
+++ b/internal/i18n/bundle.go
@@ -0,0 +1,60 @@
+package i18n
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/BurntSushi/toml"
+	"github.com/nicksnyder/go-i18n/v2/i18n"
+	"golang.org/x/text/language"
+	"sigs.k8s.io/yaml"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	zitadel_errors "github.com/zitadel/zitadel/internal/errors"
+)
+
+const i18nPath = "/i18n"
+
+func newBundle(dir http.FileSystem, defaultLanguage language.Tag, allowedLanguages []language.Tag) (*i18n.Bundle, error) {
+	bundle := i18n.NewBundle(defaultLanguage)
+	bundle.RegisterUnmarshalFunc("yaml", func(data []byte, v interface{}) error { return yaml.Unmarshal(data, v) })
+	bundle.RegisterUnmarshalFunc("json", json.Unmarshal)
+	bundle.RegisterUnmarshalFunc("toml", toml.Unmarshal)
+	i18nDir, err := dir.Open(i18nPath)
+	if err != nil {
+		return nil, zitadel_errors.ThrowNotFound(err, "I18N-MnXRie", "path not found")
+	}
+	defer i18nDir.Close()
+	files, err := i18nDir.Readdir(0)
+	if err != nil {
+		return nil, zitadel_errors.ThrowNotFound(err, "I18N-Gew23", "cannot read dir")
+	}
+	for _, file := range files {
+		fileLang, _ := strings.CutSuffix(file.Name(), filepath.Ext(file.Name()))
+		if err = domain.LanguageIsAllowed(false, allowedLanguages, language.Make(fileLang)); err != nil {
+			continue
+		}
+		if err := addFileFromFileSystemToBundle(dir, bundle, file); err != nil {
+			return nil, zitadel_errors.ThrowNotFoundf(err, "I18N-ZS2AW", "cannot append file %s to Bundle", file.Name())
+		}
+	}
+	return bundle, nil
+}
+
+func addFileFromFileSystemToBundle(dir http.FileSystem, bundle *i18n.Bundle, file os.FileInfo) error {
+	f, err := dir.Open("/i18n/" + file.Name())
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	content, err := io.ReadAll(f)
+	if err != nil {
+		return err
+	}
+	_, err = bundle.ParseMessageFileBytes(content, file.Name())
+	return err
+}
--- a/internal/i18n/fs.go
+++ b/internal/i18n/fs.go
@@ -0,0 +1,48 @@
+package i18n
+
+import (
+	"net/http"
+
+	"github.com/rakyll/statik/fs"
+	"github.com/zitadel/logging"
+)
+
+var zitadelFS, loginFS, notificationFS http.FileSystem
+
+type Namespace string
+
+const (
+	ZITADEL      Namespace = "zitadel"
+	LOGIN        Namespace = "login"
+	NOTIFICATION Namespace = "notification"
+)
+
+func LoadFilesystem(ns Namespace) http.FileSystem {
+	var err error
+	defer func() {
+		if err != nil {
+			logging.WithFields("namespace", ns).OnError(err).Panic("unable to get namespace")
+		}
+	}()
+	switch ns {
+	case ZITADEL:
+		if zitadelFS != nil {
+			return zitadelFS
+		}
+		zitadelFS, err = fs.NewWithNamespace(string(ns))
+		return zitadelFS
+	case LOGIN:
+		if loginFS != nil {
+			return loginFS
+		}
+		loginFS, err = fs.NewWithNamespace(string(ns))
+		return loginFS
+	case NOTIFICATION:
+		if notificationFS != nil {
+			return notificationFS
+		}
+		notificationFS, err = fs.NewWithNamespace(string(ns))
+		return notificationFS
+	}
+	return nil
+}
--- a/internal/i18n/languages.go
+++ b/internal/i18n/languages.go
@@ -0,0 +1,51 @@
+package i18n
+
+import (
+	"errors"
+	"strings"
+
+	"golang.org/x/text/language"
+)
+
+var supportedLanguages []language.Tag
+
+func SupportedLanguages() []language.Tag {
+	if supportedLanguages == nil {
+		panic("supported languages not loaded")
+	}
+	return supportedLanguages
+}
+
+func SupportLanguages(languages ...language.Tag) {
+	supportedLanguages = languages
+}
+
+func MustLoadSupportedLanguagesFromDir() {
+	var err error
+	defer func() {
+		if err != nil {
+			panic("failed to load supported languages: " + err.Error())
+		}
+	}()
+	if supportedLanguages != nil {
+		return
+	}
+	i18nDir, err := LoadFilesystem(LOGIN).Open(i18nPath)
+	if err != nil {
+		return
+	}
+	defer func() {
+		err = errors.Join(err, i18nDir.Close())
+	}()
+	files, err := i18nDir.Readdir(0)
+	if err != nil {
+		return
+	}
+	supportedLanguages = make([]language.Tag, 0, len(files))
+	for _, file := range files {
+		lang := language.Make(strings.TrimSuffix(file.Name(), ".yaml"))
+		if lang != language.Und {
+			supportedLanguages = append(supportedLanguages, lang)
+		}
+	}
+}
--- a/internal/i18n/translator.go
+++ b/internal/i18n/translator.go
@@ -2,26 +2,15 @@ package i18n

 import (
 	"context"
-	"encoding/json"
-	"io/ioutil"
 	"net/http"
-	"os"
-	"strings"

-	"github.com/BurntSushi/toml"
 	"github.com/grpc-ecosystem/go-grpc-middleware/util/metautils"
 	"github.com/nicksnyder/go-i18n/v2/i18n"
 	"github.com/zitadel/logging"
 	"golang.org/x/text/language"
-	"sigs.k8s.io/yaml"

 	"github.com/zitadel/zitadel/internal/api/authz"
 	http_util "github.com/zitadel/zitadel/internal/api/http"
-	"github.com/zitadel/zitadel/internal/errors"
-)
-
-const (
-	i18nPath = "/i18n"
 )

 type Translator struct {
@@ -29,6 +18,7 @@ type Translator struct {
 	cookieName         string
 	cookieHandler      *http_util.CookieHandler
 	preferredLanguages []string
+	allowedLanguages   []language.Tag
 }

 type TranslatorConfig struct {
@@ -41,10 +31,27 @@ type Message struct {
 	Text string
 }

-func NewTranslator(dir http.FileSystem, defaultLanguage language.Tag, cookieName string) (*Translator, error) {
+// NewZitadelTranslator translates to all supported languages, as the ZITADEL texts are not customizable.
+func NewZitadelTranslator(defaultLanguage language.Tag) (*Translator, error) {
+	return newTranslator(ZITADEL, defaultLanguage, SupportedLanguages(), "")
+}
+
+func NewNotificationTranslator(defaultLanguage language.Tag, allowedLanguages []language.Tag) (*Translator, error) {
+	return newTranslator(NOTIFICATION, defaultLanguage, allowedLanguages, "")
+}
+
+func NewLoginTranslator(defaultLanguage language.Tag, allowedLanguages []language.Tag, cookieName string) (*Translator, error) {
+	return newTranslator(LOGIN, defaultLanguage, allowedLanguages, cookieName)
+}
+
+func newTranslator(ns Namespace, defaultLanguage language.Tag, allowedLanguages []language.Tag, cookieName string) (*Translator, error) {
 	t := new(Translator)
 	var err error
-	t.bundle, err = newBundle(dir, defaultLanguage)
+	t.allowedLanguages = allowedLanguages
+	if len(t.allowedLanguages) == 0 {
+		t.allowedLanguages = SupportedLanguages()
+	}
+	t.bundle, err = newBundle(LoadFilesystem(ns), defaultLanguage, t.allowedLanguages)
 	if err != nil {
 		return nil, err
 	}
@@ -53,64 +60,8 @@ func NewTranslator(dir http.FileSystem, defaultLanguage language.Tag, cookieName
 	return t, nil
 }

-func newBundle(dir http.FileSystem, defaultLanguage language.Tag) (*i18n.Bundle, error) {
-	bundle := i18n.NewBundle(defaultLanguage)
-	bundle.RegisterUnmarshalFunc("yaml", func(data []byte, v interface{}) error { return yaml.Unmarshal(data, v) })
-	bundle.RegisterUnmarshalFunc("json", json.Unmarshal)
-	bundle.RegisterUnmarshalFunc("toml", toml.Unmarshal)
-	i18nDir, err := dir.Open(i18nPath)
-	if err != nil {
-		return nil, errors.ThrowNotFound(err, "I18N-MnXRie", "path not found")
-	}
-	defer i18nDir.Close()
-	files, err := i18nDir.Readdir(0)
-	if err != nil {
-		return nil, errors.ThrowNotFound(err, "I18N-Gew23", "cannot read dir")
-	}
-	for _, file := range files {
-		if err := addFileFromFileSystemToBundle(dir, bundle, file); err != nil {
-			return nil, errors.ThrowNotFoundf(err, "I18N-ZS2AW", "cannot append file %s to Bundle", file.Name())
-		}
-	}
-	return bundle, nil
-}
-
-func addFileFromFileSystemToBundle(dir http.FileSystem, bundle *i18n.Bundle, file os.FileInfo) error {
-	f, err := dir.Open("/i18n/" + file.Name())
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	content, err := ioutil.ReadAll(f)
-	if err != nil {
-		return err
-	}
-	_, err = bundle.ParseMessageFileBytes(content, file.Name())
-	return err
-}
-
-func SupportedLanguages(dir http.FileSystem) ([]language.Tag, error) {
-	i18nDir, err := dir.Open("/i18n")
-	if err != nil {
-		return nil, errors.ThrowNotFound(err, "I18N-Dbt42", "cannot open dir")
-	}
-	defer i18nDir.Close()
-	files, err := i18nDir.Readdir(0)
-	if err != nil {
-		return nil, errors.ThrowNotFound(err, "I18N-Gh4zk", "cannot read dir")
-	}
-	languages := make([]language.Tag, 0, len(files))
-	for _, file := range files {
-		lang := language.Make(strings.TrimSuffix(file.Name(), ".yaml"))
-		if lang != language.Und {
-			languages = append(languages, lang)
-		}
-	}
-	return languages, nil
-}
-
 func (t *Translator) SupportedLanguages() []language.Tag {
-	return t.bundle.LanguageTags()
+	return t.allowedLanguages
 }

 func (t *Translator) AddMessages(tag language.Tag, messages ...Message) error {
@@ -144,7 +95,7 @@ func (t *Translator) LocalizeWithoutArgs(id string, langs ...string) string {
 }

 func (t *Translator) Lang(r *http.Request) language.Tag {
-	matcher := language.NewMatcher(t.bundle.LanguageTags())
+	matcher := language.NewMatcher(t.allowedLanguages)
 	tag, _ := language.MatchStrings(matcher, t.langsFromRequest(r)...)
 	return tag
 }