feat: v2alpha user service idp endpoints (#5879)

* feat: v2alpha user service idp endpoints * feat: v2alpha user service intent endpoints * begin idp intents (callback) * some cleanup * runnable idp authentication * cleanup * proto cleanup * retrieve idp info * improve success and failure handling * some unit tests * grpc unit tests * add permission check AddUserIDPLink * feat: v2alpha intent writemodel refactoring * feat: v2alpha intent writemodel refactoring * feat: v2alpha intent writemodel refactoring * provider from write model * fix idp type model and add integration tests * proto cleanup * fix integration test * add missing import * add more integration tests * auth url test * feat: v2alpha intent writemodel refactoring * remove unused functions * check token on RetrieveIdentityProviderInformation * feat: v2alpha intent writemodel refactoring * fix TestServer_RetrieveIdentityProviderInformation * fix test * i18n and linting * feat: v2alpha intent review changes --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-08-12 05:17:33 +00:00 · 2023-05-24 20:29:58 +02:00
parent 767b3d7e65
commit fa8f191812
35 changed files with 3560 additions and 19 deletions
--- a/internal/api/idp/idp.go
+++ b/internal/api/idp/idp.go
@@ -0,0 +1,246 @@
+package idp
+
+import (
+	"context"
+	"errors"
+	"net/http"
+
+	"github.com/gorilla/mux"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	http_utils "github.com/zitadel/zitadel/internal/api/http"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	z_errs "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/form"
+	"github.com/zitadel/zitadel/internal/idp"
+	"github.com/zitadel/zitadel/internal/idp/providers/azuread"
+	"github.com/zitadel/zitadel/internal/idp/providers/github"
+	"github.com/zitadel/zitadel/internal/idp/providers/gitlab"
+	"github.com/zitadel/zitadel/internal/idp/providers/google"
+	"github.com/zitadel/zitadel/internal/idp/providers/jwt"
+	"github.com/zitadel/zitadel/internal/idp/providers/ldap"
+	"github.com/zitadel/zitadel/internal/idp/providers/oauth"
+	openid "github.com/zitadel/zitadel/internal/idp/providers/oidc"
+	"github.com/zitadel/zitadel/internal/query"
+)
+
+const (
+	HandlerPrefix = "/idps"
+	callbackPath  = "/callback"
+
+	paramIntentID         = "id"
+	paramToken            = "token"
+	paramUserID           = "user"
+	paramError            = "error"
+	paramErrorDescription = "error_description"
+)
+
+type Handler struct {
+	commands            *command.Commands
+	queries             *query.Queries
+	parser              *form.Parser
+	encryptionAlgorithm crypto.EncryptionAlgorithm
+	callbackURL         func(ctx context.Context) string
+}
+
+type externalIDPCallbackData struct {
+	State            string `schema:"state"`
+	Code             string `schema:"code"`
+	Error            string `schema:"error"`
+	ErrorDescription string `schema:"error_description"`
+}
+
+// CallbackURL generates the instance specific URL to the IDP callback handler
+func CallbackURL(externalSecure bool) func(ctx context.Context) string {
+	return func(ctx context.Context) string {
+		return http_utils.BuildOrigin(authz.GetInstance(ctx).RequestedHost(), externalSecure) + HandlerPrefix + callbackPath
+	}
+}
+
+func NewHandler(
+	commands *command.Commands,
+	queries *query.Queries,
+	encryptionAlgorithm crypto.EncryptionAlgorithm,
+	externalSecure bool,
+	instanceInterceptor func(next http.Handler) http.Handler,
+) http.Handler {
+	h := &Handler{
+		commands:            commands,
+		queries:             queries,
+		parser:              form.NewParser(),
+		encryptionAlgorithm: encryptionAlgorithm,
+		callbackURL:         CallbackURL(externalSecure),
+	}
+
+	router := mux.NewRouter()
+	router.Use(instanceInterceptor)
+	router.HandleFunc(callbackPath, h.handleCallback)
+	return router
+}
+
+func (h *Handler) handleCallback(w http.ResponseWriter, r *http.Request) {
+	data, err := h.parseCallbackRequest(r)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	intent := h.getActiveIntent(w, r, data.State)
+	if intent == nil {
+		// if we didn't get an active intent the error was already handled (either redirected or display directly)
+		return
+	}
+
+	ctx := r.Context()
+	// the provider might have returned an error
+	if data.Error != "" {
+		cmdErr := h.commands.FailIDPIntent(ctx, intent, reason(data.Error, data.ErrorDescription))
+		logging.WithFields("intent", intent.AggregateID).OnError(cmdErr).Error("failed to push failed event on idp intent")
+		redirectToFailureURL(w, r, intent, data.Error, data.ErrorDescription)
+		return
+	}
+
+	provider, err := h.commands.GetProvider(ctx, intent.IDPID, h.callbackURL(ctx))
+	if err != nil {
+		cmdErr := h.commands.FailIDPIntent(ctx, intent, err.Error())
+		logging.WithFields("intent", intent.AggregateID).OnError(cmdErr).Error("failed to push failed event on idp intent")
+		redirectToFailureURLErr(w, r, intent, err)
+		return
+	}
+
+	idpUser, idpSession, err := h.fetchIDPUser(ctx, provider, data.Code)
+	if err != nil {
+		cmdErr := h.commands.FailIDPIntent(ctx, intent, err.Error())
+		logging.WithFields("intent", intent.AggregateID).OnError(cmdErr).Error("failed to push failed event on idp intent")
+		redirectToFailureURLErr(w, r, intent, err)
+		return
+	}
+	userID, err := h.checkExternalUser(ctx, intent.IDPID, idpUser.GetID())
+	logging.WithFields("intent", intent.AggregateID).OnError(err).Error("could not check if idp user already exists")
+
+	token, err := h.commands.SucceedIDPIntent(ctx, intent, idpUser, idpSession, userID)
+	if err != nil {
+		redirectToFailureURLErr(w, r, intent, z_errs.ThrowInternal(err, "IDP-JdD3g", "Errors.Intent.TokenCreationFailed"))
+		return
+	}
+	redirectToSuccessURL(w, r, intent, token, userID)
+}
+
+func (h *Handler) parseCallbackRequest(r *http.Request) (*externalIDPCallbackData, error) {
+	data := new(externalIDPCallbackData)
+	err := h.parser.Parse(r, data)
+	if err != nil {
+		return nil, err
+	}
+	if data.State == "" {
+		return nil, z_errs.ThrowInvalidArgument(nil, "IDP-Hk38e", "Errors.Intent.StateMissing")
+	}
+	return data, nil
+}
+
+func (h *Handler) getActiveIntent(w http.ResponseWriter, r *http.Request, state string) *command.IDPIntentWriteModel {
+	intent, err := h.commands.GetIntentWriteModel(r.Context(), state, "")
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return nil
+	}
+	if intent.State == domain.IDPIntentStateUnspecified {
+		http.Error(w, reason("IDP-Hk38e", "Errors.Intent.NotStarted"), http.StatusBadRequest)
+		return nil
+	}
+	if intent.State != domain.IDPIntentStateStarted {
+		redirectToFailureURL(w, r, intent, "IDP-Sfrgs", "Errors.Intent.NotStarted")
+		return nil
+	}
+	return intent
+}
+
+func redirectToSuccessURL(w http.ResponseWriter, r *http.Request, intent *command.IDPIntentWriteModel, token, userID string) {
+	queries := intent.SuccessURL.Query()
+	queries.Set(paramIntentID, intent.AggregateID)
+	queries.Set(paramToken, token)
+	if userID != "" {
+		queries.Set(paramUserID, userID)
+	}
+	intent.SuccessURL.RawQuery = queries.Encode()
+	http.Redirect(w, r, intent.SuccessURL.String(), http.StatusFound)
+}
+
+func redirectToFailureURLErr(w http.ResponseWriter, r *http.Request, i *command.IDPIntentWriteModel, err error) {
+	msg := err.Error()
+	var description string
+	zErr := new(z_errs.CaosError)
+	if errors.As(err, &zErr) {
+		msg = zErr.GetID()
+		description = zErr.GetMessage() // TODO: i18n?
+	}
+	redirectToFailureURL(w, r, i, msg, description)
+}
+
+func redirectToFailureURL(w http.ResponseWriter, r *http.Request, i *command.IDPIntentWriteModel, err, description string) {
+	queries := i.FailureURL.Query()
+	queries.Set(paramIntentID, i.AggregateID)
+	queries.Set(paramError, err)
+	queries.Set(paramErrorDescription, description)
+	i.FailureURL.RawQuery = queries.Encode()
+	http.Redirect(w, r, i.FailureURL.String(), http.StatusFound)
+}
+
+func (h *Handler) fetchIDPUser(ctx context.Context, identityProvider idp.Provider, code string) (user idp.User, idpTokens idp.Session, err error) {
+	var session idp.Session
+	switch provider := identityProvider.(type) {
+	case *oauth.Provider:
+		session = &oauth.Session{Provider: provider, Code: code}
+	case *openid.Provider:
+		session = &openid.Session{Provider: provider, Code: code}
+	case *azuread.Provider:
+		session = &oauth.Session{Provider: provider.Provider, Code: code}
+	case *github.Provider:
+		session = &oauth.Session{Provider: provider.Provider, Code: code}
+	case *gitlab.Provider:
+		session = &openid.Session{Provider: provider.Provider, Code: code}
+	case *google.Provider:
+		session = &openid.Session{Provider: provider.Provider, Code: code}
+	case *jwt.Provider, *ldap.Provider:
+		return nil, nil, z_errs.ThrowInvalidArgument(nil, "IDP-52jmn", "Errors.ExternalIDP.IDPTypeNotImplemented")
+	default:
+		return nil, nil, z_errs.ThrowUnimplemented(nil, "IDP-SSDg", "Errors.ExternalIDP.IDPTypeNotImplemented")
+	}
+
+	user, err = session.FetchUser(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+	return user, session, nil
+}
+
+func (h *Handler) checkExternalUser(ctx context.Context, idpID, externalUserID string) (userID string, err error) {
+	idQuery, err := query.NewIDPUserLinkIDPIDSearchQuery(idpID)
+	if err != nil {
+		return "", err
+	}
+	externalIDQuery, err := query.NewIDPUserLinksExternalIDSearchQuery(externalUserID)
+	if err != nil {
+		return "", err
+	}
+	queries := []query.SearchQuery{
+		idQuery, externalIDQuery,
+	}
+	links, err := h.queries.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{Queries: queries}, false)
+	if err != nil {
+		return "", err
+	}
+	if len(links.Links) != 1 {
+		return "", nil
+	}
+	return links.Links[0].UserID, nil
+}
+
+func reason(err, description string) string {
+	if description == "" {
+		return err
+	}
+	return err + ": " + description
+}
--- a/internal/api/idp/idp_test.go
+++ b/internal/api/idp/idp_test.go
@@ -0,0 +1,220 @@
+package idp
+
+import (
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/zitadel/zitadel/internal/command"
+	z_errors "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/form"
+)
+
+func Test_redirectToSuccessURL(t *testing.T) {
+	type args struct {
+		id         string
+		userID     string
+		token      string
+		failureURL string
+		successURL string
+	}
+	type res struct {
+		want string
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			"redirect",
+			args{
+				id:         "id",
+				token:      "token",
+				failureURL: "https://example.com/failure",
+				successURL: "https://example.com/success",
+			},
+			res{
+				"https://example.com/success?id=id&token=token",
+			},
+		},
+		{
+			"redirect with userID",
+			args{
+				id:         "id",
+				userID:     "user",
+				token:      "token",
+				failureURL: "https://example.com/failure",
+				successURL: "https://example.com/success",
+			},
+			res{
+				"https://example.com/success?id=id&token=token&user=user",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest("GET", "http://example.com", nil)
+			resp := httptest.NewRecorder()
+
+			wm := command.NewIDPIntentWriteModel(tt.args.id, tt.args.id)
+			wm.FailureURL, _ = url.Parse(tt.args.failureURL)
+			wm.SuccessURL, _ = url.Parse(tt.args.successURL)
+
+			redirectToSuccessURL(resp, req, wm, tt.args.token, tt.args.userID)
+			assert.Equal(t, tt.res.want, resp.Header().Get("Location"))
+		})
+	}
+}
+
+func Test_redirectToFailureURL(t *testing.T) {
+	type args struct {
+		id         string
+		failureURL string
+		successURL string
+		err        string
+		desc       string
+	}
+	type res struct {
+		want string
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			"redirect",
+			args{
+				id:         "id",
+				failureURL: "https://example.com/failure",
+				successURL: "https://example.com/success",
+			},
+			res{
+				"https://example.com/failure?error=&error_description=&id=id",
+			},
+		},
+		{
+			"redirect with error",
+			args{
+				id:         "id",
+				failureURL: "https://example.com/failure",
+				successURL: "https://example.com/success",
+				err:        "test",
+				desc:       "testdesc",
+			},
+			res{
+				"https://example.com/failure?error=test&error_description=testdesc&id=id",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest("GET", "http://example.com", nil)
+			resp := httptest.NewRecorder()
+
+			wm := command.NewIDPIntentWriteModel(tt.args.id, tt.args.id)
+			wm.FailureURL, _ = url.Parse(tt.args.failureURL)
+			wm.SuccessURL, _ = url.Parse(tt.args.successURL)
+
+			redirectToFailureURL(resp, req, wm, tt.args.err, tt.args.desc)
+			assert.Equal(t, tt.res.want, resp.Header().Get("Location"))
+		})
+	}
+}
+
+func Test_redirectToFailureURLErr(t *testing.T) {
+	type args struct {
+		id         string
+		failureURL string
+		successURL string
+		err        error
+	}
+	type res struct {
+		want string
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			"redirect with error",
+			args{
+				id:         "id",
+				failureURL: "https://example.com/failure",
+				successURL: "https://example.com/success",
+				err:        z_errors.ThrowError(nil, "test", "testdesc"),
+			},
+			res{
+				"https://example.com/failure?error=test&error_description=testdesc&id=id",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest("GET", "http://example.com", nil)
+			resp := httptest.NewRecorder()
+
+			wm := command.NewIDPIntentWriteModel(tt.args.id, tt.args.id)
+			wm.FailureURL, _ = url.Parse(tt.args.failureURL)
+			wm.SuccessURL, _ = url.Parse(tt.args.successURL)
+
+			redirectToFailureURLErr(resp, req, wm, tt.args.err)
+			assert.Equal(t, tt.res.want, resp.Header().Get("Location"))
+		})
+	}
+}
+
+func Test_parseCallbackRequest(t *testing.T) {
+	type args struct {
+		url string
+	}
+	type res struct {
+		want *externalIDPCallbackData
+		err  bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			"no state",
+			args{
+				url: "https://example.com?state=&code=code&error=error&error_description=desc",
+			},
+			res{
+				err: true,
+			},
+		},
+		{
+			"parse",
+			args{
+				url: "https://example.com?state=state&code=code&error=error&error_description=desc",
+			},
+			res{
+				want: &externalIDPCallbackData{
+					State:            "state",
+					Code:             "code",
+					Error:            "error",
+					ErrorDescription: "desc",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest("GET", tt.args.url, nil)
+			handler := Handler{parser: form.NewParser()}
+
+			data, err := handler.parseCallbackRequest(req)
+			if tt.res.err {
+				assert.Error(t, err)
+			}
+			assert.Equal(t, tt.res.want, data)
+		})
+	}
+}