feat(idp): provide auto only options (#8420)

# Which Problems Are Solved As of now, **automatic creation** and **automatic linking options** were only considered if the corresponding **allowed option** (account creation / linking allowed) was enabled. With this PR, this is no longer needed and allows administrators to address cases, where only an **automatic creation** is allowed, but users themselves should not be allowed to **manually** create new accounts using an identity provider or edit the information during the process. Also, allowing users to only link to the proposed existing account is now possible with an enabled **automatic linking option**, while disabling **account linking allowed**. # How the Problems Are Solved - Check for **automatic** options without the corresponding **allowed** option. - added technical advisory to notify about the possible behavior change # Additional Changes - display the error message on the IdP linking step in the login UI (in case there is one) - display an error in case no option is possible - exchanged deprecated `eventstoreExpect` with `expectEventstore` in touched test files # Additional Context closes https://github.com/zitadel/zitadel/issues/7393 --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-11 21:17:32 +00:00 · 2024-08-14 15:04:26 +02:00
parent d32e22734f
commit e2e1100124
41 changed files with 776 additions and 180 deletions
--- a/internal/command/user_idp_link_test.go
+++ b/internal/command/user_idp_link_test.go
@@ -20,7 +20,7 @@ import (

 func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore func(*testing.T) *eventstore.Eventstore
 	}
 	type args struct {
 		ctx           context.Context
@@ -40,9 +40,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
 		{
 			name: "missing userid, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
+				eventstore: expectEventstore(),
 			},
 			args: args{
 				ctx:    context.Background(),
@@ -62,9 +60,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
 		{
 			name: "no external idps, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
+				eventstore: expectEventstore(),
 			},
 			args: args{
 				ctx:           context.Background(),
@@ -78,8 +74,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
 		{
 			name: "userID doesnt match aggregate id, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(
@@ -120,8 +115,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
 		{
 			name: "invalid external idp, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(
@@ -162,8 +156,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
 		{
 			name: "config not existing, precondition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(
@@ -203,10 +196,9 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
 			},
 		},
 		{
-			name: "linking not allowed, precondition error",
+			name: "no linking not allowed, precondition failed",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(
@@ -307,11 +299,236 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
 				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sfee2", "Errors.ExternalIDP.LinkingNotAllowed"),
 			},
 		},
+		{
+			name: "auto linking not allowed (manual linking allowed), ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(
+								context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"userName",
+								"firstName",
+								"lastName",
+								"nickName",
+								"displayName",
+								language.German,
+								domain.GenderFemale,
+								"email@Address.ch",
+								false,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewIDPConfigAddedEvent(context.Background(),
+								&org.NewAggregate("org1").Aggregate,
+								"config1",
+								"name",
+								domain.IDPConfigTypeOIDC,
+								domain.IDPConfigStylingTypeUnspecified,
+								true,
+							),
+						),
+						eventFromEventPusher(
+							org.NewIDPOIDCConfigAddedEvent(context.Background(),
+								&org.NewAggregate("org1").Aggregate,
+								"clientID",
+								"config1",
+								"issuer",
+								"authEndpoint",
+								"tokenEndpoint",
+								nil,
+								domain.OIDCMappingFieldUnspecified,
+								domain.OIDCMappingFieldUnspecified,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewIDPConfigAddedEvent(context.Background(),
+								&org.NewAggregate("org1").Aggregate,
+								"config1",
+								"name",
+								domain.IDPConfigTypeOIDC,
+								domain.IDPConfigStylingTypeUnspecified,
+								true,
+							),
+						),
+						eventFromEventPusher(
+							org.NewIDPOIDCConfigAddedEvent(context.Background(),
+								&org.NewAggregate("org1").Aggregate,
+								"clientID",
+								"config1",
+								"issuer",
+								"authEndpoint",
+								"tokenEndpoint",
+								nil,
+								domain.OIDCMappingFieldUnspecified,
+								domain.OIDCMappingFieldUnspecified,
+							),
+						),
+						eventFromEventPusher(
+							func() eventstore.Command {
+								e, _ := org.NewOIDCIDPChangedEvent(context.Background(),
+									&org.NewAggregate("org1").Aggregate,
+									"config1",
+									[]idp.OIDCIDPChanges{
+										idp.ChangeOIDCOptions(idp.OptionChanges{
+											IsLinkingAllowed:  gu.Ptr(true),
+											AutoLinkingOption: gu.Ptr(domain.AutoLinkingOptionUnspecified),
+										}),
+									},
+								)
+								return e
+							}(),
+						),
+					),
+					expectPush(
+						user.NewUserIDPLinkAddedEvent(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							"config1",
+							"name",
+							"externaluser1",
+						),
+					),
+				),
+			},
+			args: args{
+				ctx:           context.Background(),
+				userID:        "user1",
+				resourceOwner: "org1",
+				links: []*domain.UserIDPLink{
+					{
+						ObjectRoot: models.ObjectRoot{
+							AggregateID: "user1",
+						},
+						IDPConfigID:    "config1",
+						DisplayName:    "name",
+						ExternalUserID: "externaluser1",
+					},
+				},
+			},
+			res: res{},
+		},
+		{
+			name: "manual linking not allowed (auto linking allowed), ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(
+								context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"userName",
+								"firstName",
+								"lastName",
+								"nickName",
+								"displayName",
+								language.German,
+								domain.GenderFemale,
+								"email@Address.ch",
+								false,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewIDPConfigAddedEvent(context.Background(),
+								&org.NewAggregate("org1").Aggregate,
+								"config1",
+								"name",
+								domain.IDPConfigTypeOIDC,
+								domain.IDPConfigStylingTypeUnspecified,
+								true,
+							),
+						),
+						eventFromEventPusher(
+							org.NewIDPOIDCConfigAddedEvent(context.Background(),
+								&org.NewAggregate("org1").Aggregate,
+								"clientID",
+								"config1",
+								"issuer",
+								"authEndpoint",
+								"tokenEndpoint",
+								nil,
+								domain.OIDCMappingFieldUnspecified,
+								domain.OIDCMappingFieldUnspecified,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewIDPConfigAddedEvent(context.Background(),
+								&org.NewAggregate("org1").Aggregate,
+								"config1",
+								"name",
+								domain.IDPConfigTypeOIDC,
+								domain.IDPConfigStylingTypeUnspecified,
+								true,
+							),
+						),
+						eventFromEventPusher(
+							org.NewIDPOIDCConfigAddedEvent(context.Background(),
+								&org.NewAggregate("org1").Aggregate,
+								"clientID",
+								"config1",
+								"issuer",
+								"authEndpoint",
+								"tokenEndpoint",
+								nil,
+								domain.OIDCMappingFieldUnspecified,
+								domain.OIDCMappingFieldUnspecified,
+							),
+						),
+						eventFromEventPusher(
+							func() eventstore.Command {
+								e, _ := org.NewOIDCIDPChangedEvent(context.Background(),
+									&org.NewAggregate("org1").Aggregate,
+									"config1",
+									[]idp.OIDCIDPChanges{
+										idp.ChangeOIDCOptions(idp.OptionChanges{
+											IsLinkingAllowed:  gu.Ptr(false),
+											AutoLinkingOption: gu.Ptr(domain.AutoLinkingOptionEmail),
+										}),
+									},
+								)
+								return e
+							}(),
+						),
+					),
+					expectPush(
+						user.NewUserIDPLinkAddedEvent(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							"config1",
+							"name",
+							"externaluser1",
+						),
+					),
+				),
+			},
+			args: args{
+				ctx:           context.Background(),
+				userID:        "user1",
+				resourceOwner: "org1",
+				links: []*domain.UserIDPLink{
+					{
+						ObjectRoot: models.ObjectRoot{
+							AggregateID: "user1",
+						},
+						IDPConfigID:    "config1",
+						DisplayName:    "name",
+						ExternalUserID: "externaluser1",
+					},
+				},
+			},
+			res: res{},
+		},
 		{
 			name: "add external idp org config, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(
@@ -409,8 +626,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
 		{
 			name: "add external idp iam config, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(
@@ -509,7 +725,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore: tt.fields.eventstore(t),
 			}
 			err := r.BulkAddedUserIDPLinks(tt.args.ctx, tt.args.userID, tt.args.resourceOwner, tt.args.links)
 			assert.ErrorIs(t, err, tt.res.err)
@@ -519,7 +735,7 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {

 func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 	type fields struct {
-		eventstore      *eventstore.Eventstore
+		eventstore      func(*testing.T) *eventstore.Eventstore
 		checkPermission domain.PermissionCheck
 	}
 	type args struct {
@@ -539,9 +755,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 		{
 			name: "invalid idp, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
+				eventstore:      expectEventstore(),
 				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
@@ -561,9 +775,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 		{
 			name: "aggregate id missing, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
+				eventstore:      expectEventstore(),
 				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
@@ -580,8 +792,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 		{
 			name: "user removed, not found error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewUserIDPLinkAddedEvent(context.Background(),
@@ -620,8 +831,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 		{
 			name: "external idp not existing, not found error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(),
 				),
 				checkPermission: newMockPermissionCheckAllowed(),
@@ -643,8 +853,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 		{
 			name: "remove external idp, permission error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewUserIDPLinkAddedEvent(context.Background(),
@@ -675,8 +884,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 		{
 			name: "remove external idp, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewUserIDPLinkAddedEvent(context.Background(),
@@ -717,7 +925,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore:      tt.fields.eventstore,
+				eventstore:      tt.fields.eventstore(t),
 				checkPermission: tt.fields.checkPermission,
 			}
 			got, err := r.RemoveUserIDPLink(tt.args.ctx, tt.args.link)
@@ -736,7 +944,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {

 func TestCommandSide_ExternalLoginCheck(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore func(*testing.T) *eventstore.Eventstore
 	}
 	type args struct {
 		ctx         context.Context
@@ -756,9 +964,7 @@ func TestCommandSide_ExternalLoginCheck(t *testing.T) {
 		{
 			name: "userid missing, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
+				eventstore: expectEventstore(),
 			},
 			args: args{
 				ctx:    context.Background(),
@@ -772,8 +978,7 @@ func TestCommandSide_ExternalLoginCheck(t *testing.T) {
 		{
 			name: "user removed, not found error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewUserIDPLinkAddedEvent(context.Background(),
@@ -806,8 +1011,7 @@ func TestCommandSide_ExternalLoginCheck(t *testing.T) {
 		{
 			name: "external login check, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -852,7 +1056,7 @@ func TestCommandSide_ExternalLoginCheck(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore: tt.fields.eventstore(t),
 			}
 			err := r.UserIDPLoginChecked(tt.args.ctx, tt.args.orgID, tt.args.userID, tt.args.authRequest)
 			if tt.res.err == nil {