feat: restrict languages (#6931)

* feat: return 404 or 409 if org reg disallowed * fix: system limit permissions * feat: add iam limits api * feat: disallow public org registrations on default instance * add integration test * test: integration * fix test * docs: describe public org registrations * avoid updating docs deps * fix system limits integration test * silence integration tests * fix linting * ignore strange linter complaints * review * improve reset properties naming * redefine the api * use restrictions aggregate * test query * simplify and test projection * test commands * fix unit tests * move integration test * support restrictions on default instance * also test GetRestrictions * self review * lint * abstract away resource owner * fix tests * configure supported languages * fix allowed languages * fix tests * default lang must not be restricted * preferred language must be allowed * change preferred languages * check languages everywhere * lint * test command side * lint * add integration test * add integration test * restrict supported ui locales * lint * lint * cleanup * lint * allow undefined preferred language * fix integration tests * update main * fix env var * ignore linter * ignore linter * improve integration test config * reduce cognitive complexity * compile * check for duplicates * remove useless restriction checks * review * revert restriction renaming * fix language restrictions * lint * generate * allow custom texts for supported langs for now * fix tests * cleanup * cleanup * cleanup * lint * unsupported preferred lang is allowed * fix integration test * finish reverting to old property name * finish reverting to old property name * load languages * refactor(i18n): centralize translators and fs * lint * amplify no validations on preferred languages * fix integration test * lint * fix resetting allowed languages * test unchanged restrictions
2025-08-12 04:57:33 +00:00 · 2023-12-05 12:12:01 +01:00
parent 236930f109
commit dd33538c0a
123 changed files with 4133 additions and 2058 deletions
--- a/internal/query/custom_text.go
+++ b/internal/query/custom_text.go
@@ -17,6 +17,7 @@ import (
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
+	"github.com/zitadel/zitadel/internal/i18n"
 	"github.com/zitadel/zitadel/internal/query/projection"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )
@@ -217,9 +218,9 @@ func (q *Queries) readLoginTranslationFile(ctx context.Context, lang string) ([]
 	contents, ok := q.LoginTranslationFileContents[lang]
 	var err error
 	if !ok {
-		contents, err = q.readTranslationFile(q.LoginDir, fmt.Sprintf("/i18n/%s.yaml", lang))
+		contents, err = q.readTranslationFile(i18n.LOGIN, fmt.Sprintf("/i18n/%s.yaml", lang))
 		if errors.IsNotFound(err) {
-			contents, err = q.readTranslationFile(q.LoginDir, fmt.Sprintf("/i18n/%s.yaml", authz.GetInstance(ctx).DefaultLanguage().String()))
+			contents, err = q.readTranslationFile(i18n.LOGIN, fmt.Sprintf("/i18n/%s.yaml", authz.GetInstance(ctx).DefaultLanguage().String()))
 		}
 		if err != nil {
 			return nil, err
--- a/internal/query/languages.go
+++ b/internal/query/languages.go
@@ -1,22 +0,0 @@
-package query
-
-import (
-	"context"
-
-	"github.com/zitadel/logging"
-	"golang.org/x/text/language"
-
-	"github.com/zitadel/zitadel/internal/i18n"
-)
-
-func (q *Queries) Languages(ctx context.Context) ([]language.Tag, error) {
-	if len(q.supportedLangs) == 0 {
-		langs, err := i18n.SupportedLanguages(q.LoginDir)
-		if err != nil {
-			logging.Log("ADMIN-tiMWs").WithError(err).Debug("unable to parse language")
-			return nil, err
-		}
-		q.supportedLangs = langs
-	}
-	return q.supportedLangs, nil
-}
--- a/internal/query/message_text.go
+++ b/internal/query/message_text.go
@@ -7,7 +7,6 @@ import (
 	errs "errors"
 	"fmt"
 	"io/ioutil"
-	"net/http"
 	"os"
 	"time"

@@ -19,6 +18,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/call"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/i18n"
 	"github.com/zitadel/zitadel/internal/query/projection"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )
@@ -236,9 +236,9 @@ func (q *Queries) readNotificationTextMessages(ctx context.Context, language str
 	var err error
 	contents, ok := q.NotificationTranslationFileContents[language]
 	if !ok {
-		contents, err = q.readTranslationFile(q.NotificationDir, fmt.Sprintf("/i18n/%s.yaml", language))
+		contents, err = q.readTranslationFile(i18n.NOTIFICATION, fmt.Sprintf("/i18n/%s.yaml", language))
 		if errors.IsNotFound(err) {
-			contents, err = q.readTranslationFile(q.NotificationDir, fmt.Sprintf("/i18n/%s.yaml", authz.GetInstance(ctx).DefaultLanguage().String()))
+			contents, err = q.readTranslationFile(i18n.NOTIFICATION, fmt.Sprintf("/i18n/%s.yaml", authz.GetInstance(ctx).DefaultLanguage().String()))
 		}
 		if err != nil {
 			return nil, err
@@ -311,8 +311,8 @@ func prepareMessageTextQuery(ctx context.Context, db prepareDatabase) (sq.Select
 		}
 }

-func (q *Queries) readTranslationFile(dir http.FileSystem, filename string) ([]byte, error) {
-	r, err := dir.Open(filename)
+func (q *Queries) readTranslationFile(namespace i18n.Namespace, filename string) ([]byte, error) {
+	r, err := i18n.LoadFilesystem(namespace).Open(filename)
 	if os.IsNotExist(err) {
 		return nil, errors.ThrowNotFound(err, "QUERY-sN9wg", "Errors.TranslationFile.NotFound")
 	}
--- a/internal/query/projection/restrictions.go
+++ b/internal/query/projection/restrictions.go
@@ -3,6 +3,7 @@ package projection
 import (
 	"context"

+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	old_handler "github.com/zitadel/zitadel/internal/eventstore/handler"
 	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
@@ -21,6 +22,7 @@ const (
 	RestrictionsColumnSequence      = "sequence"

 	RestrictionsColumnDisallowPublicOrgRegistration = "disallow_public_org_registration"
+	RestrictionsColumnAllowedLanguages              = "allowed_languages"
 )

 type restrictionsProjection struct{}
@@ -42,7 +44,8 @@ func (*restrictionsProjection) Init() *old_handler.Check {
 			handler.NewColumn(RestrictionsColumnResourceOwner, handler.ColumnTypeText),
 			handler.NewColumn(RestrictionsColumnInstanceID, handler.ColumnTypeText),
 			handler.NewColumn(RestrictionsColumnSequence, handler.ColumnTypeInt64),
-			handler.NewColumn(RestrictionsColumnDisallowPublicOrgRegistration, handler.ColumnTypeBool),
+			handler.NewColumn(RestrictionsColumnDisallowPublicOrgRegistration, handler.ColumnTypeBool, handler.Nullable()),
+			handler.NewColumn(RestrictionsColumnAllowedLanguages, handler.ColumnTypeTextArray, handler.Nullable()),
 		},
 			handler.NewPrimaryKey(RestrictionsColumnInstanceID, RestrictionsColumnResourceOwner),
 		),
@@ -89,8 +92,11 @@ func (p *restrictionsProjection) reduceRestrictionsSet(event eventstore.Event) (
 		handler.NewCol(RestrictionsColumnSequence, e.Sequence()),
 		handler.NewCol(RestrictionsColumnAggregateID, e.Aggregate().ID),
 	}
-	if e.DisallowPublicOrgRegistrations != nil {
-		updateCols = append(updateCols, handler.NewCol(RestrictionsColumnDisallowPublicOrgRegistration, *e.DisallowPublicOrgRegistrations))
+	if e.DisallowPublicOrgRegistration != nil {
+		updateCols = append(updateCols, handler.NewCol(RestrictionsColumnDisallowPublicOrgRegistration, *e.DisallowPublicOrgRegistration))
+	}
+	if e.AllowedLanguages != nil {
+		updateCols = append(updateCols, handler.NewCol(RestrictionsColumnAllowedLanguages, domain.LanguagesToStrings(*e.AllowedLanguages)))
 	}
 	return handler.NewUpsertStatement(e, conflictCols, updateCols), nil
 }
--- a/internal/query/projection/restrictions_test.go
+++ b/internal/query/projection/restrictions_test.go
@@ -25,7 +25,7 @@ func TestRestrictionsProjection_reduces(t *testing.T) {
 				event: getEvent(testEvent(
 					restrictions.SetEventType,
 					restrictions.AggregateType,
-					[]byte(`{ "disallowPublicOrgRegistrations": true }`),
+					[]byte(`{ "disallowPublicOrgRegistration": true }`),
 				), restrictions.SetEventMapper),
 			},
 			reduce: (&restrictionsProjection{}).reduceRestrictionsSet,
--- a/internal/query/query.go
+++ b/internal/query/query.go
@@ -3,12 +3,10 @@ package query
 import (
 	"context"
 	"fmt"
-	"net/http"
 	"regexp"
 	"sync"
 	"time"

-	"github.com/rakyll/statik/fs"
 	"github.com/zitadel/logging"
 	"golang.org/x/text/language"

@@ -47,8 +45,6 @@ type Queries struct {
 	checkPermission        domain.PermissionCheck

 	DefaultLanguage                     language.Tag
-	LoginDir                            http.FileSystem
-	NotificationDir                     http.FileSystem
 	mutex                               sync.Mutex
 	LoginTranslationFileContents        map[string][]byte
 	NotificationTranslationFileContents map[string][]byte
@@ -71,22 +67,10 @@ func StartQueries(
 	defaultAuditLogRetention time.Duration,
 	systemAPIUsers map[string]*authz.SystemAPIUser,
 ) (repo *Queries, err error) {
-	statikLoginFS, err := fs.NewWithNamespace("login")
-	if err != nil {
-		return nil, fmt.Errorf("unable to start login statik dir")
-	}
-
-	statikNotificationFS, err := fs.NewWithNamespace("notification")
-	if err != nil {
-		return nil, fmt.Errorf("unable to start notification statik dir")
-	}
-
 	repo = &Queries{
 		eventstore:                          es,
 		client:                              sqlClient,
 		DefaultLanguage:                     language.Und,
-		LoginDir:                            statikLoginFS,
-		NotificationDir:                     statikNotificationFS,
 		LoginTranslationFileContents:        make(map[string][]byte),
 		NotificationTranslationFileContents: make(map[string][]byte),
 		zitadelRoles:                        zitadelRoles,
--- a/internal/query/restrictions.go
+++ b/internal/query/restrictions.go
@@ -7,9 +7,12 @@ import (
 	"time"

 	sq "github.com/Masterminds/squirrel"
+	"golang.org/x/text/language"

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/call"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
 	zitade_errors "github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/query/projection"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
@@ -44,10 +47,14 @@ var (
 		name:  projection.RestrictionsColumnSequence,
 		table: restrictionsTable,
 	}
-	RestrictionsColumnDisallowPublicOrgRegistrations = Column{
+	RestrictionsColumnDisallowPublicOrgRegistration = Column{
 		name:  projection.RestrictionsColumnDisallowPublicOrgRegistration,
 		table: restrictionsTable,
 	}
+	RestrictionsColumnAllowedLanguages = Column{
+		name:  projection.RestrictionsColumnAllowedLanguages,
+		table: restrictionsTable,
+	}
 )

 type Restrictions struct {
@@ -58,6 +65,7 @@ type Restrictions struct {
 	Sequence      uint64

 	DisallowPublicOrgRegistration bool
+	AllowedLanguages              []language.Tag
 }

 func (q *Queries) GetInstanceRestrictions(ctx context.Context) (restrictions Restrictions, err error) {
@@ -91,18 +99,25 @@ func prepareRestrictionsQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 			RestrictionsColumnChangeDate.identifier(),
 			RestrictionsColumnResourceOwner.identifier(),
 			RestrictionsColumnSequence.identifier(),
-			RestrictionsColumnDisallowPublicOrgRegistrations.identifier(),
+			RestrictionsColumnDisallowPublicOrgRegistration.identifier(),
+			RestrictionsColumnAllowedLanguages.identifier(),
 		).
 			From(restrictionsTable.identifier() + db.Timetravel(call.Took(ctx))).
 			PlaceholderFormat(sq.Dollar),
 		func(row *sql.Row) (restrictions Restrictions, err error) {
-			return restrictions, row.Scan(
+			allowedLanguages := database.TextArray[string](make([]string, 0))
+			disallowPublicOrgRegistration := sql.NullBool{}
+			err = row.Scan(
 				&restrictions.AggregateID,
 				&restrictions.CreationDate,
 				&restrictions.ChangeDate,
 				&restrictions.ResourceOwner,
 				&restrictions.Sequence,
-				&restrictions.DisallowPublicOrgRegistration,
+				&disallowPublicOrgRegistration,
+				&allowedLanguages,
 			)
+			restrictions.DisallowPublicOrgRegistration = disallowPublicOrgRegistration.Bool
+			restrictions.AllowedLanguages = domain.StringsToLanguages(allowedLanguages)
+			return restrictions, err
 		}
 }
--- a/internal/query/restrictions_test.go
+++ b/internal/query/restrictions_test.go
@@ -7,6 +7,10 @@ import (
 	"fmt"
 	"regexp"
 	"testing"
+
+	"golang.org/x/text/language"
+
+	"github.com/zitadel/zitadel/internal/database"
 )

 var (
@@ -15,7 +19,8 @@ var (
 		" projections.restrictions.change_date," +
 		" projections.restrictions.resource_owner," +
 		" projections.restrictions.sequence," +
-		" projections.restrictions.disallow_public_org_registration" +
+		" projections.restrictions.disallow_public_org_registration," +
+		" projections.restrictions.allowed_languages" +
 		" FROM projections.restrictions" +
 		" AS OF SYSTEM TIME '-1 ms'",
 	)
@@ -27,6 +32,7 @@ var (
 		"resource_owner",
 		"sequence",
 		"disallow_public_org_registration",
+		"allowed_languages",
 	}
 )

@@ -56,7 +62,9 @@ func Test_RestrictionsPrepare(t *testing.T) {
 					}
 					return nil, true
 				},
-				object: Restrictions{},
+				object: Restrictions{
+					AllowedLanguages: make([]language.Tag, 0),
+				},
 			},
 		},
 		{
@@ -73,6 +81,7 @@ func Test_RestrictionsPrepare(t *testing.T) {
 						"instance1",
 						0,
 						true,
+						database.TextArray[string]([]string{"en", "de", "ru"}),
 					},
 				),
 				object: Restrictions{
@@ -82,6 +91,7 @@ func Test_RestrictionsPrepare(t *testing.T) {
 					ResourceOwner:                 "instance1",
 					Sequence:                      0,
 					DisallowPublicOrgRegistration: true,
+					AllowedLanguages:              []language.Tag{language.Make("en"), language.Make("de"), language.Make("ru")},
 				},
 			},
 		},