feat: actions (#2377)

* feat(actions): begin api * feat(actions): begin api * api and projections * fix: handle multiple statements for a single event in projections * export func type * fix test * update to new reduce interface * flows in login * feat: jwt idp * feat: command side * feat: add tests * actions and flows * fill idp views with jwt idps and return apis * add jwtEndpoint to jwt idp * begin jwt request handling * add feature * merge * merge * handle jwt idp * cleanup * bug fixes * autoregister * get token from specific header name * fix: proto * fixes * i18n * begin tests * fix and log http proxy * remove docker cache * fixes * usergrants in actions api * tests adn cleanup * cleanup * fix add user grant * set login context * i18n Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>
2025-08-12 04:57:33 +00:00 · 2021-09-27 13:43:49 +02:00
parent 5c32fc9c12
commit ed80a8bb1e
73 changed files with 5197 additions and 64 deletions
--- a/internal/api/grpc/action/action.go
+++ b/internal/api/grpc/action/action.go
@@ -0,0 +1,126 @@
+package action
+
+import (
+	object_grpc "github.com/caos/zitadel/internal/api/grpc/object"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/query"
+	action_pb "github.com/caos/zitadel/pkg/grpc/action"
+	"google.golang.org/protobuf/types/known/durationpb"
+)
+
+func FlowTypeToDomain(flowType action_pb.FlowType) domain.FlowType {
+	switch flowType {
+	case action_pb.FlowType_FLOW_TYPE_EXTERNAL_AUTHENTICATION:
+		return domain.FlowTypeExternalAuthentication
+	default:
+		return domain.FlowTypeUnspecified
+	}
+}
+
+func TriggerTypeToDomain(triggerType action_pb.TriggerType) domain.TriggerType {
+	switch triggerType {
+	case action_pb.TriggerType_TRIGGER_TYPE_POST_AUTHENTICATION:
+		return domain.TriggerTypePostAuthentication
+	case action_pb.TriggerType_TRIGGER_TYPE_PRE_CREATION:
+		return domain.TriggerTypePreCreation
+	case action_pb.TriggerType_TRIGGER_TYPE_POST_CREATION:
+		return domain.TriggerTypePostCreation
+	default:
+		return domain.TriggerTypeUnspecified
+	}
+}
+
+func FlowToPb(flow *query.Flow) *action_pb.Flow {
+	return &action_pb.Flow{
+		Type:           FlowTypeToPb(flow.Type),
+		Details:        object_grpc.ChangeToDetailsPb(flow.Sequence, flow.ChangeDate, flow.ResourceOwner),
+		State:          action_pb.FlowState_FLOW_STATE_ACTIVE, //TODO: state in next release
+		TriggerActions: TriggerActionsToPb(flow.TriggerActions),
+	}
+}
+
+func TriggerActionToPb(trigger domain.TriggerType, actions []*query.Action) *action_pb.TriggerAction {
+	return &action_pb.TriggerAction{
+		TriggerType: TriggerTypeToPb(trigger),
+		Actions:     ActionsToPb(actions),
+	}
+}
+
+func FlowTypeToPb(flowType domain.FlowType) action_pb.FlowType {
+	switch flowType {
+	case domain.FlowTypeExternalAuthentication:
+		return action_pb.FlowType_FLOW_TYPE_EXTERNAL_AUTHENTICATION
+	default:
+		return action_pb.FlowType_FLOW_TYPE_UNSPECIFIED
+	}
+}
+
+func TriggerTypeToPb(triggerType domain.TriggerType) action_pb.TriggerType {
+	switch triggerType {
+	case domain.TriggerTypePostAuthentication:
+		return action_pb.TriggerType_TRIGGER_TYPE_POST_AUTHENTICATION
+	case domain.TriggerTypePreCreation:
+		return action_pb.TriggerType_TRIGGER_TYPE_PRE_CREATION
+	case domain.TriggerTypePostCreation:
+		return action_pb.TriggerType_TRIGGER_TYPE_POST_CREATION
+	default:
+		return action_pb.TriggerType_TRIGGER_TYPE_UNSPECIFIED
+	}
+}
+
+func TriggerActionsToPb(triggers map[domain.TriggerType][]*query.Action) []*action_pb.TriggerAction {
+	list := make([]*action_pb.TriggerAction, 0)
+	for trigger, actions := range triggers {
+		list = append(list, TriggerActionToPb(trigger, actions))
+	}
+	return list
+}
+
+func ActionsToPb(actions []*query.Action) []*action_pb.Action {
+	list := make([]*action_pb.Action, len(actions))
+	for i, action := range actions {
+		list[i] = ActionToPb(action)
+	}
+	return list
+}
+
+func ActionToPb(action *query.Action) *action_pb.Action {
+	return &action_pb.Action{
+		Id:            action.ID,
+		Details:       object_grpc.ChangeToDetailsPb(action.Sequence, action.ChangeDate, action.ResourceOwner),
+		State:         ActionStateToPb(action.State),
+		Name:          action.Name,
+		Script:        action.Script,
+		Timeout:       durationpb.New(action.Timeout),
+		AllowedToFail: action.AllowedToFail,
+	}
+}
+
+func ActionStateToPb(state domain.ActionState) action_pb.ActionState {
+	switch state {
+	case domain.ActionStateActive:
+		return action_pb.ActionState_ACTION_STATE_ACTIVE
+	case domain.ActionStateInactive:
+		return action_pb.ActionState_ACTION_STATE_INACTIVE
+	default:
+		return action_pb.ActionState_ACTION_STATE_UNSPECIFIED
+	}
+}
+
+func ActionNameQuery(q *action_pb.ActionNameQuery) (query.SearchQuery, error) {
+	return query.NewActionNameSearchQuery(object_grpc.TextMethodToQuery(q.Method), q.Name)
+}
+func ActionStateQuery(q *action_pb.ActionStateQuery) (query.SearchQuery, error) {
+	return query.NewActionStateSearchQuery(ActionStateToDomain(q.State))
+}
+
+func ActionStateToDomain(state action_pb.ActionState) domain.ActionState {
+	switch state {
+	case action_pb.ActionState_ACTION_STATE_ACTIVE:
+		return domain.ActionStateActive
+	case action_pb.ActionState_ACTION_STATE_INACTIVE:
+		return domain.ActionStateInactive
+	default:
+		return domain.ActionStateUnspecified
+	}
+}
--- a/internal/api/grpc/admin/features.go
+++ b/internal/api/grpc/admin/features.go
@@ -79,6 +79,7 @@ func setDefaultFeaturesRequestToDomain(req *admin_pb.SetDefaultFeaturesRequest)
 		CustomTextLogin:          req.CustomTextLogin || req.CustomText,
 		CustomTextMessage:        req.CustomTextMessage,
 		LockoutPolicy:            req.LockoutPolicy,
+		Actions:                  req.Actions,
 	}
 }

@@ -104,5 +105,6 @@ func setOrgFeaturesRequestToDomain(req *admin_pb.SetOrgFeaturesRequest) *domain.
 		CustomTextLogin:          req.CustomTextLogin || req.CustomText,
 		CustomTextMessage:        req.CustomTextMessage,
 		LockoutPolicy:            req.LockoutPolicy,
+		Actions:                  req.Actions,
 	}
 }
--- a/internal/api/grpc/features/features.go
+++ b/internal/api/grpc/features/features.go
@@ -33,6 +33,7 @@ func FeaturesFromModel(features *features_model.FeaturesView) *features_pb.Featu
 		CustomTextLogin:          features.CustomTextLogin,
 		MetadataUser:             features.MetadataUser,
 		LockoutPolicy:            features.LockoutPolicy,
+		Actions:                  features.Actions,
 	}
 }

--- a/internal/api/grpc/management/actions.go
+++ b/internal/api/grpc/management/actions.go
@@ -0,0 +1,94 @@
+package management
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	action_grpc "github.com/caos/zitadel/internal/api/grpc/action"
+	obj_grpc "github.com/caos/zitadel/internal/api/grpc/object"
+	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) ListActions(ctx context.Context, req *mgmt_pb.ListActionsRequest) (*mgmt_pb.ListActionsResponse, error) {
+	query, _ := listActionsToQuery(authz.GetCtxData(ctx).OrgID, req)
+	actions, err := s.query.SearchActions(ctx, query)
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.ListActionsResponse{
+		Result: action_grpc.ActionsToPb(actions),
+	}, nil
+}
+
+func (s *Server) GetAction(ctx context.Context, req *mgmt_pb.GetActionRequest) (*mgmt_pb.GetActionResponse, error) {
+	action, err := s.query.GetAction(ctx, req.Id, authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.GetActionResponse{
+		Action: action_grpc.ActionToPb(action),
+	}, nil
+}
+
+func (s *Server) CreateAction(ctx context.Context, req *mgmt_pb.CreateActionRequest) (*mgmt_pb.CreateActionResponse, error) {
+	id, details, err := s.command.AddAction(ctx, createActionRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.CreateActionResponse{
+		Id: id,
+		Details: obj_grpc.AddToDetailsPb(
+			details.Sequence,
+			details.EventDate,
+			details.ResourceOwner,
+		),
+	}, nil
+}
+
+func (s *Server) UpdateAction(ctx context.Context, req *mgmt_pb.UpdateActionRequest) (*mgmt_pb.UpdateActionResponse, error) {
+	details, err := s.command.ChangeAction(ctx, updateActionRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.UpdateActionResponse{
+		Details: obj_grpc.AddToDetailsPb(
+			details.Sequence,
+			details.EventDate,
+			details.ResourceOwner,
+		),
+	}, nil
+}
+
+func (s *Server) DeactivateAction(ctx context.Context, req *mgmt_pb.DeactivateActionRequest) (*mgmt_pb.DeactivateActionResponse, error) {
+	details, err := s.command.DeactivateAction(ctx, req.Id, authz.GetCtxData(ctx).OrgID)
+	return &mgmt_pb.DeactivateActionResponse{
+		Details: obj_grpc.AddToDetailsPb(
+			details.Sequence,
+			details.EventDate,
+			details.ResourceOwner,
+		),
+	}, err
+}
+
+func (s *Server) ReactivateAction(ctx context.Context, req *mgmt_pb.ReactivateActionRequest) (*mgmt_pb.ReactivateActionResponse, error) {
+	details, err := s.command.ReactivateAction(ctx, req.Id, authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.ReactivateActionResponse{
+		Details: obj_grpc.AddToDetailsPb(
+			details.Sequence,
+			details.EventDate,
+			details.ResourceOwner,
+		),
+	}, nil
+}
+
+func (s *Server) DeleteAction(ctx context.Context, req *mgmt_pb.DeleteActionRequest) (*mgmt_pb.DeleteActionResponse, error) {
+	flowTypes, err := s.query.GetFlowTypesOfActionID(ctx, req.Id)
+	if err != nil {
+		return nil, err
+	}
+	_, err = s.command.DeleteAction(ctx, req.Id, authz.GetCtxData(ctx).OrgID, flowTypes...)
+	return &mgmt_pb.DeleteActionResponse{}, err
+}
--- a/internal/api/grpc/management/actions_converter.go
+++ b/internal/api/grpc/management/actions_converter.go
@@ -0,0 +1,64 @@
+package management
+
+import (
+	action_grpc "github.com/caos/zitadel/internal/api/grpc/action"
+	"github.com/caos/zitadel/internal/api/grpc/object"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+	"github.com/caos/zitadel/internal/query"
+	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func createActionRequestToDomain(req *mgmt_pb.CreateActionRequest) *domain.Action {
+	return &domain.Action{
+		Name:          req.Name,
+		Script:        req.Script,
+		Timeout:       req.Timeout.AsDuration(),
+		AllowedToFail: req.AllowedToFail,
+	}
+}
+
+func updateActionRequestToDomain(req *mgmt_pb.UpdateActionRequest) *domain.Action {
+	return &domain.Action{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: req.Id,
+		},
+		Name:          req.Name,
+		Script:        req.Script,
+		Timeout:       req.Timeout.AsDuration(),
+		AllowedToFail: req.AllowedToFail,
+	}
+}
+
+func listActionsToQuery(id string, req *mgmt_pb.ListActionsRequest) (_ *query.ActionSearchQueries, err error) {
+	offset, limit, asc := object.ListQueryToModel(req.Query)
+	queries := make([]query.SearchQuery, len(req.Queries)+1)
+	queries[0], err = query.NewActionResourceOwnerQuery(id)
+	if err != nil {
+		return nil, err
+	}
+	for i, actionQuery := range req.Queries {
+		queries[i+1], err = ActionQueryToQuery(actionQuery.Query)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return &query.ActionSearchQueries{
+		SearchRequest: query.SearchRequest{
+			Offset: offset,
+			Limit:  limit,
+			Asc:    asc,
+		},
+		Queries: queries,
+	}, nil
+}
+
+func ActionQueryToQuery(query interface{}) (query.SearchQuery, error) {
+	switch q := query.(type) {
+	case *mgmt_pb.ActionQuery_ActionNameQuery:
+		return action_grpc.ActionNameQuery(q.ActionNameQuery)
+	case *mgmt_pb.ActionQuery_ActionStateQuery:
+		return action_grpc.ActionStateQuery(q.ActionStateQuery)
+	}
+	return nil, nil
+}
--- a/internal/api/grpc/management/auth_checks.go
+++ b/internal/api/grpc/management/auth_checks.go
@@ -0,0 +1,32 @@
+package management
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	caos_errors "github.com/caos/zitadel/internal/errors"
+)
+
+func checkExplicitProjectPermission(ctx context.Context, grantID, projectID string) error {
+	permissions := authz.GetRequestPermissionsFromCtx(ctx)
+	if authz.HasGlobalPermission(permissions) {
+		return nil
+	}
+	ids := authz.GetAllPermissionCtxIDs(permissions)
+	if grantID != "" && listContainsID(ids, grantID) {
+		return nil
+	}
+	if listContainsID(ids, projectID) {
+		return nil
+	}
+	return caos_errors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
+}
+
+func listContainsID(ids []string, id string) bool {
+	for _, i := range ids {
+		if i == id {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/api/grpc/management/flow.go
+++ b/internal/api/grpc/management/flow.go
@@ -0,0 +1,50 @@
+package management
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	action_grpc "github.com/caos/zitadel/internal/api/grpc/action"
+	obj_grpc "github.com/caos/zitadel/internal/api/grpc/object"
+	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetFlow(ctx context.Context, req *mgmt_pb.GetFlowRequest) (*mgmt_pb.GetFlowResponse, error) {
+	flow, err := s.query.GetFlow(ctx, action_grpc.FlowTypeToDomain(req.Type))
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.GetFlowResponse{
+		Flow: action_grpc.FlowToPb(flow),
+	}, nil
+}
+
+func (s *Server) ClearFlow(ctx context.Context, req *mgmt_pb.ClearFlowRequest) (*mgmt_pb.ClearFlowResponse, error) {
+	details, err := s.command.ClearFlow(ctx, action_grpc.FlowTypeToDomain(req.Type), authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.ClearFlowResponse{
+		Details: obj_grpc.DomainToChangeDetailsPb(details),
+	}, err
+}
+
+func (s *Server) SetTriggerActions(ctx context.Context, req *mgmt_pb.SetTriggerActionsRequest) (*mgmt_pb.SetTriggerActionsResponse, error) {
+	details, err := s.command.SetTriggerActions(
+		ctx,
+		action_grpc.FlowTypeToDomain(req.FlowType),
+		action_grpc.TriggerTypeToDomain(req.TriggerType),
+		req.ActionIds,
+		authz.GetCtxData(ctx).OrgID,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.SetTriggerActionsResponse{
+		Details: obj_grpc.AddToDetailsPb(
+			details.Sequence,
+			details.EventDate,
+			details.ResourceOwner,
+		),
+	}, nil
+}
--- a/internal/api/grpc/management/user_grant.go
+++ b/internal/api/grpc/management/user_grant.go
@@ -2,6 +2,7 @@ package management

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/api/authz"
 	obj_grpc "github.com/caos/zitadel/internal/api/grpc/object"
 	"github.com/caos/zitadel/internal/api/grpc/user"
@@ -37,7 +38,11 @@ func (s *Server) ListUserGrants(ctx context.Context, req *mgmt_pb.ListUserGrantR
 }

 func (s *Server) AddUserGrant(ctx context.Context, req *mgmt_pb.AddUserGrantRequest) (*mgmt_pb.AddUserGrantResponse, error) {
-	grant, err := s.command.AddUserGrant(ctx, AddUserGrantRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
+	grant := AddUserGrantRequestToDomain(req)
+	if err := checkExplicitProjectPermission(ctx, grant.ProjectGrantID, grant.ProjectID); err != nil {
+		return nil, err
+	}
+	grant, err := s.command.AddUserGrant(ctx, grant, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/object/converter.go
+++ b/internal/api/grpc/object/converter.go
@@ -6,6 +6,7 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/query"
 	"github.com/caos/zitadel/pkg/grpc/object"
 	object_pb "github.com/caos/zitadel/pkg/grpc/object"
 )
@@ -105,3 +106,26 @@ func ListQueryToModel(query *object_pb.ListQuery) (offset, limit uint64, asc boo
 	}
 	return query.Offset, uint64(query.Limit), query.Asc
 }
+
+func TextMethodToQuery(method object_pb.TextQueryMethod) query.TextComparison {
+	switch method {
+	case object.TextQueryMethod_TEXT_QUERY_METHOD_EQUALS:
+		return query.TextEquals
+	case object.TextQueryMethod_TEXT_QUERY_METHOD_EQUALS_IGNORE_CASE:
+		return query.TextEqualsIgnore
+	case object.TextQueryMethod_TEXT_QUERY_METHOD_STARTS_WITH:
+		return query.TextStartsWith
+	case object.TextQueryMethod_TEXT_QUERY_METHOD_STARTS_WITH_IGNORE_CASE:
+		return query.TextStartsWithIgnore
+	case object.TextQueryMethod_TEXT_QUERY_METHOD_CONTAINS:
+		return query.TextContains
+	case object.TextQueryMethod_TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE:
+		return query.TextContainsIgnore
+	case object.TextQueryMethod_TEXT_QUERY_METHOD_ENDS_WITH:
+		return query.TextEndsWith
+	case object.TextQueryMethod_TEXT_QUERY_METHOD_ENDS_WITH_IGNORE_CASE:
+		return query.TextEndsWithIgnore
+	default:
+		return -1
+	}
+}
--- a/internal/api/grpc/server/gateway.go
+++ b/internal/api/grpc/server/gateway.go
@@ -106,7 +106,7 @@ func (g *GatewayHandler) Serve(ctx context.Context) {
 func createGateway(ctx context.Context, g Gateway, port string, customHeaders ...string) http.Handler {
 	mux := createMux(g, customHeaders...)
 	opts := createDialOptions(g)
-	err := g.RegisterGateway()(ctx, mux, http_util.Endpoint(port), opts)
+	err := g.RegisterGateway()(ctx, mux, "localhost"+http_util.Endpoint(port), opts)
 	logging.Log("SERVE-7B7G0E").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Panic("failed to register grpc gateway")
 	return addInterceptors(mux, g)
 }