fix: show clientid on api clients (#1379)

* fix: show clientid * Update system-defaults.yaml * fix: field name for clientId app key json * fix: mfa verify otp * fix: mfa verify otp (show error correctly) * fix: nil pointer in login.html * fix: check clientID clientSecret for apis correctly (and add missing i18n) * update oidc pkg Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-10-21 11:21:38 +00:00 · 2021-03-05 09:01:47 +01:00
parent 20c191c289
commit e163ea75cd
18 changed files with 98 additions and 45 deletions
--- a/internal/project/repository/eventsourcing/eventstore.go
+++ b/internal/project/repository/eventsourcing/eventstore.go
@@ -879,7 +879,7 @@ func (es *ProjectEventstore) ChangeAPIConfigSecret(ctx context.Context, projectI
 	return nil, caos_errs.ThrowInternal(nil, "EVENT-HBfju", "Errors.Internal")
 }

-func (es *ProjectEventstore) VerifyOIDCClientSecret(ctx context.Context, projectID, appID string, secret string) (err error) {
+func (es *ProjectEventstore) VerifyClientSecret(ctx context.Context, projectID, appID string, secret string) (err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 	if appID == "" {
@@ -893,12 +893,18 @@ func (es *ProjectEventstore) VerifyOIDCClientSecret(ctx context.Context, project
 	if _, app = existingProject.GetApp(appID); app == nil {
 		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-D6hba", "Errors.Project.AppNoExisting")
 	}
-	if app.Type != proj_model.AppTypeOIDC {
-		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-huywq", "Errors.Project.AppIsNotOIDC")
+	if app.Type == proj_model.AppTypeAPI {
+		return es.verifyAPIClientSecret(ctx, app, secret)
 	}
+	if app.Type == proj_model.AppTypeOIDC {
+		return es.verifyOIDCClientSecret(ctx, app, existingProject, secret)
+	}
+	return caos_errs.ThrowPreconditionFailed(nil, "EVENT-huywq", "Errors.Project.AppIsNotOIDC")
+}

+func (es *ProjectEventstore) verifyOIDCClientSecret(ctx context.Context, app *proj_model.Application, existingProject *proj_model.Project, secret string) error {
 	ctx, spanHash := tracing.NewSpan(ctx)
-	err = crypto.CompareHash(app.OIDCConfig.ClientSecret, []byte(secret), es.passwordAlg)
+	err := crypto.CompareHash(app.OIDCConfig.ClientSecret, []byte(secret), es.passwordAlg)
 	spanHash.EndWithError(err)
 	if err == nil {
 		err = es.setOIDCClientSecretCheckResult(ctx, existingProject, app.AppID, OIDCClientSecretCheckSucceededAggregate)
@@ -907,7 +913,18 @@ func (es *ProjectEventstore) VerifyOIDCClientSecret(ctx context.Context, project
 	}
 	err = es.setOIDCClientSecretCheckResult(ctx, existingProject, app.AppID, OIDCClientSecretCheckFailedAggregate)
 	logging.Log("EVENT-GD1gh").OnError(err).Warn("could not push event OIDCClientSecretCheckFailed")
-	return caos_errs.ThrowInvalidArgument(nil, "EVENT-wg24q", "Errors.Project.OIDCSecretInvalid")
+	return caos_errs.ThrowInvalidArgument(nil, "EVENT-wg24q", "Errors.Project.ClientSecretInvalid")
+}
+
+func (es *ProjectEventstore) verifyAPIClientSecret(ctx context.Context, app *proj_model.Application, secret string) error {
+	ctx, spanHash := tracing.NewSpan(ctx)
+	err := crypto.CompareHash(app.APIConfig.ClientSecret, []byte(secret), es.passwordAlg)
+	spanHash.EndWithError(err)
+	if err == nil {
+		return nil
+	}
+	logging.LogWithFields("EVENT-sfsb4", "app id", app.AppID, "clientID", app.APIConfig.ClientID).Warn("API client secret invalid")
+	return caos_errs.ThrowInvalidArgument(nil, "EVENT-AEdt6", "Errors.Project.ClientSecretInvalid")
 }

 func (es *ProjectEventstore) setOIDCClientSecretCheckResult(ctx context.Context, project *proj_model.Project, appID string, check func(*es_models.AggregateCreator, *model.Project, string) es_sdk.AggregateFunc) error {