perf(oidc): optimize client verification (#6999)

* fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2025-08-11 18:07:31 +00:00 · 2023-12-05 19:01:03 +02:00
parent 51cfb9564a
commit ec03340b67
46 changed files with 1666 additions and 781 deletions
--- a/internal/database/database.go
+++ b/internal/database/database.go
@@ -3,6 +3,8 @@ package database
 import (
 	"context"
 	"database/sql"
+	"encoding/json"
+	"errors"
 	"reflect"

 	"github.com/mitchellh/mapstructure"
@@ -11,7 +13,7 @@ import (
 	_ "github.com/zitadel/zitadel/internal/database/cockroach"
 	"github.com/zitadel/zitadel/internal/database/dialect"
 	_ "github.com/zitadel/zitadel/internal/database/postgres"
-	"github.com/zitadel/zitadel/internal/errors"
+	zerrors "github.com/zitadel/zitadel/internal/errors"
 )

 type Config struct {
@@ -89,6 +91,24 @@ func (db *DB) QueryRowContext(ctx context.Context, scan func(row *sql.Row) error
 	return row.Err()
 }

+func QueryJSONObject[T any](ctx context.Context, db *DB, query string, args ...any) (*T, error) {
+	var data []byte
+	err := db.QueryRowContext(ctx, func(row *sql.Row) error {
+		return row.Scan(&data)
+	}, query, args...)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, err
+	}
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "DATAB-Oath6", "Errors.Internal")
+	}
+	obj := new(T)
+	if err = json.Unmarshal(data, obj); err != nil {
+		return nil, zerrors.ThrowInternal(err, "DATAB-Vohs6", "Errors.Internal")
+	}
+	return obj, nil
+}
+
 const (
 	zitadelAppName          = "zitadel"
 	EventstorePusherAppName = "zitadel_es_pusher"
@@ -106,7 +126,7 @@ func Connect(config Config, useAdmin, isEventPusher bool) (*DB, error) {
 	}

 	if err := client.Ping(); err != nil {
-		return nil, errors.ThrowPreconditionFailed(err, "DATAB-0pIWD", "Errors.Database.Connection.Failed")
+		return nil, zerrors.ThrowPreconditionFailed(err, "DATAB-0pIWD", "Errors.Database.Connection.Failed")
 	}

 	return &DB{
--- a/internal/database/database_test.go
+++ b/internal/database/database_test.go
@@ -0,0 +1,92 @@
+package database
+
+import (
+	"context"
+	"database/sql"
+	"database/sql/driver"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/internal/database/mock"
+	zerrors "github.com/zitadel/zitadel/internal/errors"
+)
+
+func TestQueryJSONObject(t *testing.T) {
+	type dst struct {
+		A int `json:"a,omitempty"`
+	}
+	const (
+		query = `select $1;`
+		arg   = 1
+	)
+
+	tests := []struct {
+		name    string
+		mock    func(*testing.T) *mock.SQLMock
+		want    *dst
+		wantErr error
+	}{
+		{
+			name: "tx error",
+			mock: func(t *testing.T) *mock.SQLMock {
+				return mock.NewSQLMock(t, mock.ExpectBegin(sql.ErrConnDone))
+			},
+			wantErr: zerrors.ThrowInternal(sql.ErrConnDone, "DATAB-Oath6", "Errors.Internal"),
+		},
+		{
+			name: "no rows",
+			mock: func(t *testing.T) *mock.SQLMock {
+				return mock.NewSQLMock(t,
+					mock.ExpectBegin(nil),
+					mock.ExpectQuery(query,
+						mock.WithQueryArgs(arg),
+						mock.WithQueryResult([]string{"json"}, [][]driver.Value{}),
+					),
+				)
+			},
+			wantErr: sql.ErrNoRows,
+		},
+		{
+			name: "unmarshal error",
+			mock: func(t *testing.T) *mock.SQLMock {
+				return mock.NewSQLMock(t,
+					mock.ExpectBegin(nil),
+					mock.ExpectQuery(query,
+						mock.WithQueryArgs(arg),
+						mock.WithQueryResult([]string{"json"}, [][]driver.Value{{`~~~`}}),
+					),
+					mock.ExpectCommit(nil),
+				)
+			},
+			wantErr: zerrors.ThrowInternal(nil, "DATAB-Vohs6", "Errors.Internal"),
+		},
+		{
+			name: "success",
+			mock: func(t *testing.T) *mock.SQLMock {
+				return mock.NewSQLMock(t,
+					mock.ExpectBegin(nil),
+					mock.ExpectQuery(query,
+						mock.WithQueryArgs(arg),
+						mock.WithQueryResult([]string{"json"}, [][]driver.Value{{`{"a":1}`}}),
+					),
+					mock.ExpectCommit(nil),
+				)
+			},
+			want: &dst{A: 1},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mock := tt.mock(t)
+			defer mock.Assert(t)
+			db := &DB{
+				DB: mock.DB,
+			}
+			got, err := QueryJSONObject[dst](context.Background(), db, query, arg)
+			require.ErrorIs(t, err, tt.wantErr)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/internal/database/mock/sql_mock.go
+++ b/internal/database/mock/sql_mock.go
@@ -53,6 +53,15 @@ func ExpectBegin(err error) expectation {
 	}
 }

+func ExpectCommit(err error) expectation {
+	return func(m sqlmock.Sqlmock) {
+		e := m.ExpectCommit()
+		if err != nil {
+			e.WillReturnError(err)
+		}
+	}
+}
+
 type ExecOpt func(e *sqlmock.ExpectedExec) *sqlmock.ExpectedExec

 func WithExecArgs(args ...driver.Value) ExecOpt {