feat: support client_credentials for service users (#5134)

Request an access_token for service users with OAuth 2.0 Client Credentials Grant. Added functionality to generate and remove a secret on service users.

internal/repository/user/eventstore.go

@@ -114,5 +114,9 @@ func RegisterEventMappers(es *eventstore.Eventstore) {
 		RegisterFilterEventMapper(AggregateType, MachineKeyAddedEventType, MachineKeyAddedEventMapper).
 		RegisterFilterEventMapper(AggregateType, MachineKeyRemovedEventType, MachineKeyRemovedEventMapper).
 		RegisterFilterEventMapper(AggregateType, PersonalAccessTokenAddedType, PersonalAccessTokenAddedEventMapper).
-		RegisterFilterEventMapper(AggregateType, PersonalAccessTokenRemovedType, PersonalAccessTokenRemovedEventMapper)
+		RegisterFilterEventMapper(AggregateType, PersonalAccessTokenRemovedType, PersonalAccessTokenRemovedEventMapper).
+		RegisterFilterEventMapper(AggregateType, MachineSecretSetType, MachineSecretSetEventMapper).
+		RegisterFilterEventMapper(AggregateType, MachineSecretRemovedType, MachineSecretRemovedEventMapper).
+		RegisterFilterEventMapper(AggregateType, MachineSecretCheckSucceededType, MachineSecretCheckSucceededEventMapper).
+		RegisterFilterEventMapper(AggregateType, MachineSecretCheckFailedType, MachineSecretCheckFailedEventMapper)
 }

internal/repository/user/machine_secret.go

@@ -0,0 +1,171 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/repository"
+)
+
+const (
+	machineSecretPrefix             = machineEventPrefix + "secret."
+	MachineSecretSetType            = machineSecretPrefix + "set"
+	MachineSecretRemovedType        = machineSecretPrefix + "removed"
+	MachineSecretCheckSucceededType = machineSecretPrefix + "check.succeeded"
+	MachineSecretCheckFailedType    = machineSecretPrefix + "check.failed"
+)
+
+type MachineSecretSetEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+}
+
+func (e *MachineSecretSetEvent) Data() interface{} {
+	return e
+}
+
+func (e *MachineSecretSetEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewMachineSecretSetEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	clientSecret *crypto.CryptoValue,
+) *MachineSecretSetEvent {
+	return &MachineSecretSetEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			MachineSecretSetType,
+		),
+		ClientSecret: clientSecret,
+	}
+}
+
+func MachineSecretSetEventMapper(event *repository.Event) (eventstore.Event, error) {
+	credentialsSet := &MachineSecretSetEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, credentialsSet)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-lopbqu", "unable to unmarshal machine secret set")
+	}
+
+	return credentialsSet, nil
+}
+
+type MachineSecretRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *MachineSecretRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MachineSecretRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewMachineSecretRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *MachineSecretRemovedEvent {
+	return &MachineSecretRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			MachineSecretRemovedType,
+		),
+	}
+}
+
+func MachineSecretRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	credentialsRemoved := &MachineSecretRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, credentialsRemoved)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-quox9j2", "unable to unmarshal machine secret removed")
+	}
+
+	return credentialsRemoved, nil
+}
+
+type MachineSecretCheckSucceededEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *MachineSecretCheckSucceededEvent) Data() interface{} {
+	return e
+}
+
+func (e *MachineSecretCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewMachineSecretCheckSucceededEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *MachineSecretCheckSucceededEvent {
+	return &MachineSecretCheckSucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			MachineSecretCheckSucceededType,
+		),
+	}
+}
+
+func MachineSecretCheckSucceededEventMapper(event *repository.Event) (eventstore.Event, error) {
+	check := &MachineSecretCheckSucceededEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, check)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-x002n1p", "unable to unmarshal machine secret check succeeded")
+	}
+
+	return check, nil
+}
+
+type MachineSecretCheckFailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *MachineSecretCheckFailedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MachineSecretCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewMachineSecretCheckFailedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *MachineSecretCheckFailedEvent {
+	return &MachineSecretCheckFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			MachineSecretCheckFailedType,
+		),
+	}
+}
+
+func MachineSecretCheckFailedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	check := &MachineSecretCheckFailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, check)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-x7901b1l", "unable to unmarshal machine secret check failed")
+	}
+
+	return check, nil
+}