feat: setup (#1166)

* add setup steps * refactoring * omitempty * cleanup * begin org * create org * setup org * setup org * merge * fixes * fixes * fixes * add project * add oidc application * fix app creation * add resourceOwner to writemodels * resource owner * cleanup * global org, iam project and iam member in setup * logs * logs * logs * cleanup * Update internal/v2/command/project.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * check project state Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-11 19:17:32 +00:00 · 2021-01-12 12:59:51 +01:00
parent ff87264f95
commit e5731b0d3b
97 changed files with 1664 additions and 698 deletions
--- a/internal/v2/domain/application.go
+++ b/internal/v2/domain/application.go
@@ -0,0 +1,49 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type Application struct {
+	models.ObjectRoot
+
+	AppID      string
+	State      AppState
+	Name       string
+	Type       AppType
+	OIDCConfig *OIDCConfig
+}
+
+type AppState int32
+
+const (
+	AppStateUnspecified AppState = iota
+	AppStateActive
+	AppStateInactive
+	AppStateRemoved
+)
+
+type AppType int32
+
+const (
+	AppTypeUnspecified AppType = iota
+	AppTypeOIDC
+	AppTypeSAML
+)
+
+func NewApplication(projectID, appID string) *Application {
+	return &Application{ObjectRoot: models.ObjectRoot{AggregateID: projectID}, AppID: appID, State: AppStateActive}
+}
+
+func (a *Application) IsValid(includeConfig bool) bool {
+	if a.Name == "" || a.AggregateID == "" {
+		return false
+	}
+	if !includeConfig {
+		return true
+	}
+	if a.Type == AppTypeOIDC && !a.OIDCConfig.IsValid() {
+		return false
+	}
+	return true
+}
--- a/internal/v2/domain/iam.go
+++ b/internal/v2/domain/iam.go
@@ -4,6 +4,10 @@ import (
 	"github.com/caos/zitadel/internal/eventstore/models"
 )

+const (
+	IAMID = "IAM"
+)
+
 type IAM struct {
 	models.ObjectRoot

--- a/internal/v2/domain/oidc_config.go
+++ b/internal/v2/domain/oidc_config.go
@@ -0,0 +1,152 @@
+package domain
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/id"
+)
+
+type OIDCConfig struct {
+	models.ObjectRoot
+
+	AppID                    string
+	ClientID                 string
+	ClientSecret             *crypto.CryptoValue
+	ClientSecretString       string
+	RedirectUris             []string
+	ResponseTypes            []OIDCResponseType
+	GrantTypes               []OIDCGrantType
+	ApplicationType          OIDCApplicationType
+	AuthMethodType           OIDCAuthMethodType
+	PostLogoutRedirectUris   []string
+	OIDCVersion              OIDCVersion
+	Compliance               *Compliance
+	DevMode                  bool
+	AccessTokenType          OIDCTokenType
+	AccessTokenRoleAssertion bool
+	IDTokenRoleAssertion     bool
+	IDTokenUserinfoAssertion bool
+	ClockSkew                time.Duration
+}
+
+type OIDCVersion int32
+
+const (
+	OIDCVersionV1 OIDCVersion = iota
+)
+
+type OIDCResponseType int32
+
+const (
+	OIDCResponseTypeCode OIDCResponseType = iota
+	OIDCResponseTypeIDToken
+	OIDCResponseTypeIDTokenToken
+)
+
+type OIDCGrantType int32
+
+const (
+	OIDCGrantTypeAuthorizationCode OIDCGrantType = iota
+	OIDCGrantTypeImplicit
+	OIDCGrantTypeRefreshToken
+)
+
+type OIDCApplicationType int32
+
+const (
+	OIDCApplicationTypeWeb OIDCApplicationType = iota
+	OIDCApplicationTypeUserAgent
+	OIDCApplicationTypeNative
+)
+
+type OIDCAuthMethodType int32
+
+const (
+	OIDCAuthMethodTypeBasic OIDCAuthMethodType = iota
+	OIDCAuthMethodTypePost
+	OIDCAuthMethodTypeNone
+)
+
+type Compliance struct {
+	NoneCompliant bool
+	Problems      []string
+}
+
+type OIDCTokenType int32
+
+const (
+	OIDCTokenTypeBearer OIDCTokenType = iota
+	OIDCTokenTypeJWT
+)
+
+func (c *OIDCConfig) IsValid() bool {
+	grantTypes := c.getRequiredGrantTypes()
+	for _, grantType := range grantTypes {
+		ok := containsOIDCGrantType(c.GrantTypes, grantType)
+		if !ok {
+			return false
+		}
+	}
+	return true
+}
+
+//ClientID random_number@projectname (eg. 495894098234@zitadel)
+func (c *OIDCConfig) GenerateNewClientID(idGenerator id.Generator, project *Project) error {
+	rndID, err := idGenerator.Next()
+	if err != nil {
+		return err
+	}
+
+	c.ClientID = fmt.Sprintf("%v@%v", rndID, strings.ReplaceAll(strings.ToLower(project.Name), " ", "_"))
+	return nil
+}
+
+func (c *OIDCConfig) GenerateClientSecretIfNeeded(generator crypto.Generator) (string, error) {
+	if c.AuthMethodType == OIDCAuthMethodTypeNone {
+		return "", nil
+	}
+	return c.GenerateNewClientSecret(generator)
+}
+
+func (c *OIDCConfig) GenerateNewClientSecret(generator crypto.Generator) (string, error) {
+	cryptoValue, stringSecret, err := crypto.NewCode(generator)
+	if err != nil {
+		logging.Log("MODEL-UpnTI").OnError(err).Error("unable to create client secret")
+		return "", errors.ThrowInternal(err, "MODEL-gH2Wl", "Errors.Project.CouldNotGenerateClientSecret")
+	}
+	c.ClientSecret = cryptoValue
+	return stringSecret, nil
+}
+
+func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
+	grantTypes := make([]OIDCGrantType, 0)
+	implicit := false
+	for _, r := range c.ResponseTypes {
+		switch r {
+		case OIDCResponseTypeCode:
+			grantTypes = append(grantTypes, OIDCGrantTypeAuthorizationCode)
+		case OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken:
+			if !implicit {
+				implicit = true
+				grantTypes = append(grantTypes, OIDCGrantTypeImplicit)
+			}
+		}
+	}
+	return grantTypes
+}
+
+func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
+	for _, gt := range grantTypes {
+		if gt == grantType {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/v2/domain/project.go
+++ b/internal/v2/domain/project.go
@@ -0,0 +1,31 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type Project struct {
+	models.ObjectRoot
+
+	State   ProjectState
+	Name    string
+	Members []*Member
+	Roles   []*ProjectRole
+	//Applications         []*Application
+	//Grants               []*ProjectGrant
+	ProjectRoleAssertion bool
+	ProjectRoleCheck     bool
+}
+
+type ProjectState int32
+
+const (
+	ProjectStateUnspecified ProjectState = iota
+	ProjectStateActive
+	ProjectStateInactive
+	ProjectStateRemoved
+)
+
+func (o *Project) IsValid() bool {
+	return o.Name != ""
+}
--- a/internal/v2/domain/project_role.go
+++ b/internal/v2/domain/project_role.go
@@ -0,0 +1,21 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type ProjectRole struct {
+	models.ObjectRoot
+
+	Key         string
+	DisplayName string
+	Group       string
+}
+
+func NewProjectRole(projectID, key string) *ProjectRole {
+	return &ProjectRole{ObjectRoot: models.ObjectRoot{AggregateID: projectID}, Key: key}
+}
+
+func (p *ProjectRole) IsValid() bool {
+	return p.AggregateID != "" && p.Key != ""
+}
--- a/internal/v2/domain/roles.go
+++ b/internal/v2/domain/roles.go
@@ -1,5 +1,8 @@
 package domain

 const (
-	OrgOwnerRole = "ORG_OWNER"
+	RoleOrgOwner           = "ORG_OWNER"
+	RoleIAMOwner           = "IAM_OWNER"
+	RoleProjectOwner       = "PROJECT_OWNER"
+	RoleProjectOwnerGlobal = "PROJECT_OWNER_GLOBAL"
 )