feat: block instances (#7129)

* docs: fix init description typos * feat: block instances using limits * translate * unit tests * fix translations * redirect /ui/login * fix http interceptor * cleanup * fix http interceptor * fix: delete cookies on gateway 200 * add integration tests * add command test * docs * fix integration tests * add bulk api and integration test * optimize bulk set limits * unit test bulk limits * fix broken link * fix assets middleware * fix broken link * validate instance id format * Update internal/eventstore/search_query.go Co-authored-by: Livio Spring <livio.a@gmail.com> * remove support for owner bulk limit commands * project limits to instances * migrate instances projection * Revert "migrate instances projection" This reverts commit 214218732a. * join limits, remove owner * remove todo * use optional bool * normally validate instance ids * use 302 * cleanup * cleanup * Update internal/api/grpc/system/limits_converter.go Co-authored-by: Livio Spring <livio.a@gmail.com> * remove owner * remove owner from reset --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-26 14:08:54 +00:00 · 2024-01-17 11:16:48 +01:00
parent d9d376a275
commit ed0bc39ea4
80 changed files with 1609 additions and 438 deletions
--- a/internal/api/grpc/system/limits_integration_block_test.go
+++ b/internal/api/grpc/system/limits_integration_block_test.go
@@ -0,0 +1,287 @@
+//go:build integration
+
+package system_test
+
+import (
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/muhlemmer/gu"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/durationpb"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/pkg/grpc/admin"
+	"github.com/zitadel/zitadel/pkg/grpc/system"
+)
+
+func TestServer_Limits_Block(t *testing.T) {
+	domain, instanceID, iamOwnerCtx := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
+	tests := []*test{
+		publicAPIBlockingTest(domain),
+		{
+			name: "mutating API",
+			testGrpc: func(tt assert.TestingT, expectBlocked bool) {
+				randomGrpcIdpName := randomString("idp-grpc", 5)
+				_, err := Tester.Client.Admin.AddGitHubProvider(iamOwnerCtx, &admin.AddGitHubProviderRequest{
+					Name:         randomGrpcIdpName,
+					ClientId:     "client-id",
+					ClientSecret: "client-secret",
+				})
+				assertGrpcError(tt, err, expectBlocked)
+				//nolint:contextcheck
+				idpExists := idpExistsCondition(tt, instanceID, randomGrpcIdpName)
+				if expectBlocked {
+					// We ensure that the idp really is not created
+					assert.Neverf(tt, idpExists, 5*time.Second, 1*time.Second, "idp should never be created")
+				} else {
+					assert.Eventuallyf(tt, idpExists, 5*time.Second, 1*time.Second, "idp should be created")
+				}
+			},
+			testHttp: func(tt assert.TestingT) (*http.Request, error, func(assert.TestingT, *http.Response, bool)) {
+				randomHttpIdpName := randomString("idp-http", 5)
+				req, err := http.NewRequestWithContext(
+					CTX,
+					"POST",
+					fmt.Sprintf("http://%s/admin/v1/idps/github", net.JoinHostPort(domain, "8080")),
+					strings.NewReader(`{
+	"name": "`+randomHttpIdpName+`",
+	"clientId": "client-id",
+	"clientSecret": "client-secret"
+}`),
+				)
+				if err != nil {
+					return nil, err, nil
+				}
+				req.Header.Set("Authorization", Tester.BearerToken(iamOwnerCtx))
+				return req, nil, func(ttt assert.TestingT, response *http.Response, expectBlocked bool) {
+					assertLimitResponse(ttt, response, expectBlocked)
+					assertSetLimitingCookie(ttt, response, expectBlocked)
+				}
+			},
+		}, {
+			name: "discovery",
+			testHttp: func(tt assert.TestingT) (*http.Request, error, func(assert.TestingT, *http.Response, bool)) {
+				req, err := http.NewRequestWithContext(
+					CTX,
+					"GET",
+					fmt.Sprintf("http://%s/.well-known/openid-configuration", net.JoinHostPort(domain, "8080")),
+					nil,
+				)
+				return req, err, func(ttt assert.TestingT, response *http.Response, expectBlocked bool) {
+					assertLimitResponse(ttt, response, expectBlocked)
+					assertSetLimitingCookie(ttt, response, expectBlocked)
+				}
+			},
+		}, {
+			name: "login",
+			testHttp: func(tt assert.TestingT) (*http.Request, error, func(assert.TestingT, *http.Response, bool)) {
+				req, err := http.NewRequestWithContext(
+					CTX,
+					"GET",
+					fmt.Sprintf("http://%s/ui/login/login/externalidp/callback", net.JoinHostPort(domain, "8080")),
+					nil,
+				)
+				return req, err, func(ttt assert.TestingT, response *http.Response, expectBlocked bool) {
+					// the login paths should return a redirect if the instance is blocked
+					if expectBlocked {
+						assert.Equal(ttt, http.StatusFound, response.StatusCode)
+					} else {
+						assertLimitResponse(ttt, response, false)
+					}
+					assertSetLimitingCookie(ttt, response, expectBlocked)
+				}
+			},
+		}, {
+			name: "console",
+			testHttp: func(tt assert.TestingT) (*http.Request, error, func(assert.TestingT, *http.Response, bool)) {
+				req, err := http.NewRequestWithContext(
+					CTX,
+					"GET",
+					fmt.Sprintf("http://%s/ui/console/", net.JoinHostPort(domain, "8080")),
+					nil,
+				)
+				return req, err, func(ttt assert.TestingT, response *http.Response, expectBlocked bool) {
+					// the console is not blocked so we can render a link to an instance management portal.
+					// A CDN can cache these assets easily
+					// We also don't care about a cookie because the environment.json already takes care of that.
+					assertLimitResponse(ttt, response, false)
+				}
+			},
+		}, {
+			name: "environment.json",
+			testHttp: func(tt assert.TestingT) (*http.Request, error, func(assert.TestingT, *http.Response, bool)) {
+				req, err := http.NewRequestWithContext(
+					CTX,
+					"GET",
+					fmt.Sprintf("http://%s/ui/console/assets/environment.json", net.JoinHostPort(domain, "8080")),
+					nil,
+				)
+				return req, err, func(ttt assert.TestingT, response *http.Response, expectBlocked bool) {
+					// the environment.json should always return successfully
+					assertLimitResponse(ttt, response, false)
+					assertSetLimitingCookie(ttt, response, expectBlocked)
+					body, err := io.ReadAll(response.Body)
+					assert.NoError(ttt, err)
+					var compFunc assert.ComparisonAssertionFunc = assert.NotContains
+					if expectBlocked {
+						compFunc = assert.Contains
+					}
+					compFunc(ttt, string(body), `"exhausted":true`)
+				}
+			},
+		}}
+	_, err := Tester.Client.System.SetLimits(SystemCTX, &system.SetLimitsRequest{
+		InstanceId: instanceID,
+		Block:      gu.Ptr(true),
+	})
+	require.NoError(t, err)
+	// The following call ensures that an undefined bool is not deserialized to false
+	_, err = Tester.Client.System.SetLimits(SystemCTX, &system.SetLimitsRequest{
+		InstanceId:        instanceID,
+		AuditLogRetention: durationpb.New(time.Hour),
+	})
+	require.NoError(t, err)
+	for _, tt := range tests {
+		var isFirst bool
+		t.Run(tt.name+" with blocking", func(t *testing.T) {
+			isFirst = isFirst || !t.Skipped()
+			testBlockingAPI(t, tt, true, isFirst)
+		})
+	}
+	_, err = Tester.Client.System.SetLimits(SystemCTX, &system.SetLimitsRequest{
+		InstanceId: instanceID,
+		Block:      gu.Ptr(false),
+	})
+	require.NoError(t, err)
+	for _, tt := range tests {
+		var isFirst bool
+		t.Run(tt.name+" without blocking", func(t *testing.T) {
+			isFirst = isFirst || !t.Skipped()
+			testBlockingAPI(t, tt, false, isFirst)
+		})
+	}
+}
+
+type test struct {
+	name     string
+	testHttp func(t assert.TestingT) (req *http.Request, err error, assertResponse func(t assert.TestingT, response *http.Response, expectBlocked bool))
+	testGrpc func(t assert.TestingT, expectBlocked bool)
+}
+
+func testBlockingAPI(t *testing.T, tt *test, expectBlocked bool, isFirst bool) {
+	req, err, assertResponse := tt.testHttp(t)
+	require.NoError(t, err)
+	testHTTP := func(tt assert.TestingT) {
+		resp, err := (&http.Client{
+			// Don't follow redirects
+			CheckRedirect: func(req *http.Request, via []*http.Request) error {
+				return http.ErrUseLastResponse
+			},
+		}).Do(req)
+		defer func() {
+			require.NoError(t, resp.Body.Close())
+		}()
+		require.NoError(t, err)
+		assertResponse(t, resp, expectBlocked)
+	}
+	if isFirst {
+		// limits are eventually consistent, so we need to wait for the blocking to be set on the first test
+		assert.EventuallyWithT(t, func(c *assert.CollectT) {
+			testHTTP(c)
+		}, 15*time.Second, time.Second, "wait for blocking to be set")
+	} else {
+		testHTTP(t)
+	}
+	if tt.testGrpc != nil {
+		tt.testGrpc(t, expectBlocked)
+	}
+}
+
+func publicAPIBlockingTest(domain string) *test {
+	return &test{
+		name: "public API",
+		testGrpc: func(tt assert.TestingT, expectBlocked bool) {
+			conn, err := grpc.DialContext(CTX, net.JoinHostPort(domain, "8080"),
+				grpc.WithBlock(),
+				grpc.WithTransportCredentials(insecure.NewCredentials()),
+			)
+			assert.NoError(tt, err)
+			_, err = admin.NewAdminServiceClient(conn).Healthz(CTX, &admin.HealthzRequest{})
+			assertGrpcError(tt, err, expectBlocked)
+		},
+		testHttp: func(tt assert.TestingT) (*http.Request, error, func(assert.TestingT, *http.Response, bool)) {
+			req, err := http.NewRequestWithContext(
+				CTX,
+				"GET",
+				fmt.Sprintf("http://%s/admin/v1/healthz", net.JoinHostPort(domain, "8080")),
+				nil,
+			)
+			return req, err, func(ttt assert.TestingT, response *http.Response, expectBlocked bool) {
+				assertLimitResponse(ttt, response, expectBlocked)
+				assertSetLimitingCookie(ttt, response, expectBlocked)
+			}
+		},
+	}
+}
+
+// If expectSet is true, we expect the cookie to be set
+// If expectSet is false, we expect the cookie to be deleted
+func assertSetLimitingCookie(t assert.TestingT, response *http.Response, expectSet bool) {
+	for _, cookie := range response.Cookies() {
+		if cookie.Name == "zitadel.quota.exhausted" {
+			if expectSet {
+				assert.Greater(t, cookie.MaxAge, 0)
+			} else {
+				assert.LessOrEqual(t, cookie.MaxAge, 0)
+			}
+			return
+		}
+	}
+	assert.FailNow(t, "cookie not found")
+}
+
+func assertGrpcError(t assert.TestingT, err error, expectBlocked bool) {
+	if expectBlocked {
+		assert.Equal(t, codes.ResourceExhausted, status.Convert(err).Code())
+		return
+	}
+	assert.NoError(t, err)
+}
+
+func assertLimitResponse(t assert.TestingT, response *http.Response, expectBlocked bool) {
+	if expectBlocked {
+		assert.Equal(t, http.StatusTooManyRequests, response.StatusCode)
+		return
+	}
+	assert.GreaterOrEqual(t, response.StatusCode, 200)
+	assert.Less(t, response.StatusCode, 300)
+}
+
+func idpExistsCondition(t assert.TestingT, instanceID, idpName string) func() bool {
+	return func() bool {
+		nameQuery, err := query.NewIDPTemplateNameSearchQuery(query.TextEquals, idpName)
+		assert.NoError(t, err)
+		instanceQuery, err := query.NewIDPTemplateResourceOwnerSearchQuery(instanceID)
+		assert.NoError(t, err)
+		idps, err := Tester.Queries.IDPTemplates(authz.WithInstanceID(CTX, instanceID), &query.IDPTemplateSearchQueries{
+			Queries: []query.SearchQuery{
+				instanceQuery,
+				nameQuery,
+			},
+		}, false)
+		assert.NoError(t, err)
+		return len(idps.Templates) > 0
+	}
+}