TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 04:57:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(login): improve auth handlers (#7969)

Browse Source 
# Which Problems Are Solved

During the implementation of #7486 it was noticed, that projections in
the `auth` database schema could be blocked.
Investigations suggested, that this is due to the use of
[GORM](https://gorm.io/index.html) and it's inability to use an existing
(sql) transaction.
With the improved / simplified handling (see below) there should also be
a minimal improvement in performance, resp. reduced database update
statements.

# How the Problems Are Solved

The handlers in `auth` are exchanged to proper (sql) statements and gorm
usage is removed for any writing part.
To further improve / simplify the handling of the users, a new
`auth.users3` table is created, where only attributes are handled, which
are not yet available from the `projections.users`,
`projections.login_name` and `projections.user_auth_methods` do not
provide. This reduces the events handled in that specific handler by a
lot.

# Additional Changes

None

# Additional Context

relates to #7486
This commit is contained in:
Livio Spring
2024-05-22 17:26:02 +02:00
committed by GitHub
parent cca342187b
commit fb162a7d75
25 changed files with 987 additions and 1279 deletions
Download Patch File Download Diff File Expand all files Collapse all files

503
internal/auth/repository/eventsourcing/handler/user.go
View File

@@ -4,25 +4,20 @@ import (
"context"
"time"
"github.com/zitadel/zitadel/internal/api/authz"
auth_view "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/view"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
es_models "github.com/zitadel/zitadel/internal/eventstore/v1/models"
org_model "github.com/zitadel/zitadel/internal/org/model"
org_es_model "github.com/zitadel/zitadel/internal/org/repository/eventsourcing/model"
org_view "github.com/zitadel/zitadel/internal/org/repository/view"
query2 "github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/internal/repository/instance"
"github.com/zitadel/zitadel/internal/repository/org"
user_repo "github.com/zitadel/zitadel/internal/repository/user"
usr_view "github.com/zitadel/zitadel/internal/user/repository/view"
view_model "github.com/zitadel/zitadel/internal/user/repository/view/model"
"github.com/zitadel/zitadel/internal/zerrors"
)
const (
userTable = "auth.users2"
userTable = "auth.users3"
)
type User struct {
@@ -58,26 +53,14 @@ func (u *User) Reducers() []handler.AggregateReducer {
{
Aggregate: user_repo.AggregateType,
EventReducers: []handler.EventReducer{
{
Event: user_repo.HumanOTPSMSAddedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanOTPSMSRemovedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanOTPEmailAddedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanOTPEmailRemovedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.MachineAddedEventType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanAddedType,
Reduce: u.ProcessUser,
@@ -94,62 +77,14 @@ func (u *User) Reducers() []handler.AggregateReducer {
Event: user_repo.HumanRegisteredType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserV1ProfileChangedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserV1EmailChangedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserV1EmailVerifiedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserV1PhoneChangedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserV1PhoneVerifiedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserV1PhoneRemovedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserV1AddressChangedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserDeactivatedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserReactivatedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserLockedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserUnlockedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserV1MFAOTPAddedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserV1MFAOTPVerifiedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserV1MFAOTPRemovedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserV1MFAInitSkippedType,
Reduce: u.ProcessUser,
@@ -158,86 +93,22 @@ func (u *User) Reducers() []handler.AggregateReducer {
Event: user_repo.UserV1PasswordChangedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanProfileChangedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanEmailChangedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanEmailVerifiedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanAvatarAddedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanAvatarRemovedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanPhoneChangedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanPhoneVerifiedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanPhoneRemovedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanAddressChangedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanMFAOTPAddedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanMFAOTPVerifiedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanMFAOTPRemovedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanU2FTokenAddedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanU2FTokenVerifiedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanU2FTokenRemovedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanPasswordlessTokenAddedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanPasswordlessTokenVerifiedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanPasswordlessTokenRemovedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanMFAInitSkippedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.MachineChangedEventType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.HumanPasswordChangedType,
Reduce: u.ProcessUser,
@@ -266,14 +137,6 @@ func (u *User) Reducers() []handler.AggregateReducer {
Event: user_repo.HumanPasswordlessInitCodeRequestedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserDomainClaimedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserUserNameChangedType,
Reduce: u.ProcessUser,
},
{
Event: user_repo.UserRemovedType,
Reduce: u.ProcessUser,
@@ -283,30 +146,6 @@ func (u *User) Reducers() []handler.AggregateReducer {
{
Aggregate: org.AggregateType,
EventReducers: []handler.EventReducer{
{
Event: org.OrgDomainVerifiedEventType,
Reduce: u.ProcessOrg,
},
{
Event: org.OrgDomainRemovedEventType,
Reduce: u.ProcessOrg,
},
{
Event: org.DomainPolicyAddedEventType,
Reduce: u.ProcessOrg,
},
{
Event: org.DomainPolicyChangedEventType,
Reduce: u.ProcessOrg,
},
{
Event: org.DomainPolicyRemovedEventType,
Reduce: u.ProcessOrg,
},
{
Event: org.OrgDomainPrimarySetEventType,
Reduce: u.ProcessOrg,
},
{
Event: org.OrgRemovedEventType,
Reduce: u.ProcessOrg,
@@ -327,141 +166,124 @@ func (u *User) Reducers() []handler.AggregateReducer {
//nolint:gocognit
func (u *User) ProcessUser(event eventstore.Event) (_ *handler.Statement, err error) {
return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error {
user := new(view_model.UserView)
switch event.Type() {
case user_repo.UserV1AddedType,
user_repo.MachineAddedEventType,
user_repo.HumanAddedType,
user_repo.UserV1RegisteredType,
user_repo.HumanRegisteredType:
err = user.AppendEvent(event)
if err != nil {
return err
}
err = u.fillLoginNames(user)
case user_repo.UserV1ProfileChangedType,
user_repo.UserV1EmailChangedType,
user_repo.UserV1EmailVerifiedType,
user_repo.UserV1PhoneChangedType,
user_repo.UserV1PhoneVerifiedType,
user_repo.UserV1PhoneRemovedType,
user_repo.UserV1AddressChangedType,
user_repo.UserDeactivatedType,
user_repo.UserReactivatedType,
user_repo.UserLockedType,
user_repo.UserUnlockedType,
user_repo.UserV1MFAOTPAddedType,
user_repo.UserV1MFAOTPVerifiedType,
user_repo.UserV1MFAOTPRemovedType,
user_repo.UserV1MFAInitSkippedType,
user_repo.UserV1PasswordChangedType,
user_repo.HumanProfileChangedType,
user_repo.HumanEmailChangedType,
user_repo.HumanEmailVerifiedType,
user_repo.HumanAvatarAddedType,
user_repo.HumanAvatarRemovedType,
user_repo.HumanPhoneChangedType,
user_repo.HumanPhoneVerifiedType,
user_repo.HumanPhoneRemovedType,
user_repo.HumanAddressChangedType,
user_repo.HumanMFAOTPAddedType,
user_repo.HumanMFAOTPVerifiedType,
user_repo.HumanMFAOTPRemovedType,
user_repo.HumanOTPSMSAddedType,
user_repo.HumanOTPSMSRemovedType,
user_repo.HumanOTPEmailAddedType,
user_repo.HumanOTPEmailRemovedType,
user_repo.HumanU2FTokenAddedType,
user_repo.HumanU2FTokenVerifiedType,
user_repo.HumanU2FTokenRemovedType,
user_repo.HumanPasswordlessTokenAddedType,
user_repo.HumanPasswordlessTokenVerifiedType,
user_repo.HumanPasswordlessTokenRemovedType,
user_repo.HumanMFAInitSkippedType,
user_repo.MachineChangedEventType,
user_repo.HumanPasswordChangedType,
user_repo.HumanInitialCodeAddedType,
user_repo.UserV1InitialCodeAddedType,
user_repo.UserV1InitializedCheckSucceededType,
user_repo.HumanInitializedCheckSucceededType,
user_repo.HumanPasswordlessInitCodeAddedType,
user_repo.HumanPasswordlessInitCodeRequestedType:
user, err = u.view.UserByID(event.Aggregate().ID, event.Aggregate().InstanceID)
if err != nil {
if !zerrors.IsNotFound(err) {
return err
}
user, err = u.userFromEventstore(event.Aggregate(), user.EventTypes())
if err != nil {
return err
}
}
err = user.AppendEvent(event)
case user_repo.UserDomainClaimedType,
user_repo.UserUserNameChangedType:
user, err = u.view.UserByID(event.Aggregate().ID, event.Aggregate().InstanceID)
if err != nil {
if !zerrors.IsNotFound(err) {
return err
}
user, err = u.userFromEventstore(event.Aggregate(), user.EventTypes())
if err != nil {
return err
}
}
err = user.AppendEvent(event)
if err != nil {
return err
}
err = u.fillLoginNames(user)
case user_repo.UserRemovedType:
return u.view.DeleteUser(event.Aggregate().ID, event.Aggregate().InstanceID, event)
default:
return nil
// in case anything needs to be change here check if appendEvent function needs the change as well
switch event.Type() {
case user_repo.UserV1AddedType,
user_repo.HumanAddedType:
e, ok := event.(*user_repo.HumanAddedEvent)
if !ok {
return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-SDAGF", "reduce.wrong.event.type %s", user_repo.HumanAddedType)
}
if err != nil {
return err
return u.setPasswordData(event, e.Secret, e.EncodedHash), nil
case user_repo.UserV1RegisteredType,
user_repo.HumanRegisteredType:
e, ok := event.(*user_repo.HumanRegisteredEvent)
if !ok {
return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-AS1hz", "reduce.wrong.event.type %s", user_repo.HumanRegisteredType)
}
return u.view.PutUser(user, event)
}), nil
return u.setPasswordData(event, e.Secret, e.EncodedHash), nil
case user_repo.UserV1PasswordChangedType,
user_repo.HumanPasswordChangedType:
e, ok := event.(*user_repo.HumanPasswordChangedEvent)
if !ok {
return nil, zerrors.ThrowInvalidArgumentf(nil, "MODEL-Gd31w", "reduce.wrong.event.type %s", user_repo.HumanPasswordChangedType)
}
return u.setPasswordData(event, e.Secret, e.EncodedHash), nil
case user_repo.UserV1PhoneRemovedType,
user_repo.HumanPhoneRemovedType,
user_repo.UserV1MFAOTPVerifiedType,
user_repo.HumanMFAOTPVerifiedType,
user_repo.HumanOTPSMSRemovedType,
user_repo.HumanOTPEmailRemovedType,
user_repo.HumanU2FTokenVerifiedType:
return handler.NewUpdateStatement(event,
[]handler.Column{
handler.NewCol(view_model.UserKeyMFAInitSkipped, time.Time{}),
handler.NewCol(view_model.UserKeyChangeDate, event.CreatedAt()),
},
[]handler.Condition{
handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID),
handler.NewCond(view_model.UserKeyUserID, event.Aggregate().ID),
}), nil
case user_repo.UserV1MFAInitSkippedType,
user_repo.HumanMFAInitSkippedType:
return handler.NewUpdateStatement(event,
[]handler.Column{
handler.NewCol(view_model.UserKeyMFAInitSkipped, event.CreatedAt()),
handler.NewCol(view_model.UserKeyChangeDate, event.CreatedAt()),
},
[]handler.Condition{
handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID),
handler.NewCond(view_model.UserKeyUserID, event.Aggregate().ID),
}), nil
case user_repo.UserV1InitialCodeAddedType,
user_repo.HumanInitialCodeAddedType:
return handler.NewUpdateStatement(event,
[]handler.Column{
handler.NewCol(view_model.UserKeyInitRequired, true),
handler.NewCol(view_model.UserKeyChangeDate, event.CreatedAt()),
},
[]handler.Condition{
handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID),
handler.NewCond(view_model.UserKeyUserID, event.Aggregate().ID),
}), nil
case user_repo.UserV1InitializedCheckSucceededType,
user_repo.HumanInitializedCheckSucceededType:
return handler.NewUpdateStatement(event,
[]handler.Column{
handler.NewCol(view_model.UserKeyInitRequired, false),
handler.NewCol(view_model.UserKeyChangeDate, event.CreatedAt()),
},
[]handler.Condition{
handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID),
handler.NewCond(view_model.UserKeyUserID, event.Aggregate().ID),
}), nil
case user_repo.HumanPasswordlessInitCodeAddedType,
user_repo.HumanPasswordlessInitCodeRequestedType:
return handler.NewUpdateStatement(event,
[]handler.Column{
handler.NewCol(view_model.UserKeyPasswordlessInitRequired, true),
handler.NewCol(view_model.UserKeyPasswordInitRequired, false),
handler.NewCol(view_model.UserKeyChangeDate, event.CreatedAt()),
},
[]handler.Condition{
handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID),
handler.NewCond(view_model.UserKeyUserID, event.Aggregate().ID),
handler.NewCond(view_model.UserKeyPasswordSet, false),
}), nil
case user_repo.UserRemovedType:
return handler.NewDeleteStatement(event,
[]handler.Condition{
handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID),
handler.NewCond(view_model.UserKeyUserID, event.Aggregate().ID),
}), nil
default:
return handler.NewNoOpStatement(event), nil
}
}
func (u *User) fillLoginNames(user *view_model.UserView) (err error) {
userLoginMustBeDomain, primaryDomain, domains, err := u.loginNameInformation(context.Background(), user.ResourceOwner, user.InstanceID)
if err != nil {
return err
func (u *User) setPasswordData(event eventstore.Event, secret *crypto.CryptoValue, hash string) *handler.Statement {
set := secret != nil || hash != ""
columns := []handler.Column{
handler.NewCol(view_model.UserKeyInstanceID, event.Aggregate().InstanceID),
handler.NewCol(view_model.UserKeyUserID, event.Aggregate().ID),
handler.NewCol(view_model.UserKeyResourceOwner, event.Aggregate().ResourceOwner),
handler.NewCol(view_model.UserKeyChangeDate, event.CreatedAt()),
handler.NewCol(view_model.UserKeyPasswordSet, set),
handler.NewCol(view_model.UserKeyPasswordInitRequired, !set),
handler.NewCol(view_model.UserKeyPasswordChange, event.CreatedAt()),
}
user.SetLoginNames(userLoginMustBeDomain, domains)
user.PreferredLoginName = user.GenerateLoginName(primaryDomain, userLoginMustBeDomain)
return nil
return handler.NewUpsertStatement(event, columns[0:2], columns)
}
func (u *User) ProcessOrg(event eventstore.Event) (_ *handler.Statement, err error) {
return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error {
switch event.Type() {
case org.OrgDomainVerifiedEventType,
org.OrgDomainRemovedEventType,
org.DomainPolicyAddedEventType,
org.DomainPolicyChangedEventType,
org.DomainPolicyRemovedEventType:
return u.fillLoginNamesOnOrgUsers(event)
case org.OrgDomainPrimarySetEventType:
return u.fillPreferredLoginNamesOnOrgUsers(event)
case org.OrgRemovedEventType:
return u.view.UpdateOrgOwnerRemovedUsers(event)
default:
return nil
}
}), nil
}
func (u *User) ProcessInstance(event eventstore.Event) (_ *handler.Statement, err error) {
// in case anything needs to be change here check if appendEvent function needs the change as well
switch event.Type() {
case instance.InstanceRemovedEventType:
return handler.NewStatement(event,
func(ex handler.Executer, projectionName string) error {
return u.view.DeleteInstanceUsers(event)
case org.OrgRemovedEventType:
return handler.NewDeleteStatement(event,
[]handler.Condition{
handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID),
handler.NewCond(view_model.UserKeyResourceOwner, event.Aggregate().ID),
},
), nil
default:
@@ -469,97 +291,16 @@ func (u *User) ProcessInstance(event eventstore.Event) (_ *handler.Statement, er
}
}
func (u *User) fillLoginNamesOnOrgUsers(event eventstore.Event) error {
userLoginMustBeDomain, _, domains, err := u.loginNameInformation(context.Background(), event.Aggregate().ResourceOwner, event.Aggregate().InstanceID)
if err != nil {
return err
func (u *User) ProcessInstance(event eventstore.Event) (_ *handler.Statement, err error) {
// in case anything needs to be change here check if appendEvent function needs the change as well
switch event.Type() {
case instance.InstanceRemovedEventType:
return handler.NewDeleteStatement(event,
[]handler.Condition{
handler.NewCond(view_model.UserKeyInstanceID, event.Aggregate().InstanceID),
},
), nil
default:
return handler.NewNoOpStatement(event), nil
}
users, err := u.view.UsersByOrgID(event.Aggregate().ID, event.Aggregate().InstanceID)
if err != nil {
return err
}
for _, user := range users {
user.SetLoginNames(userLoginMustBeDomain, domains)
}
return u.view.PutUsers(users, event)
}
func (u *User) fillPreferredLoginNamesOnOrgUsers(event eventstore.Event) error {
userLoginMustBeDomain, primaryDomain, _, err := u.loginNameInformation(context.Background(), event.Aggregate().ResourceOwner, event.Aggregate().InstanceID)
if err != nil {
return err
}
if !userLoginMustBeDomain {
return nil
}
users, err := u.view.UsersByOrgID(event.Aggregate().ID, event.Aggregate().InstanceID)
if err != nil {
return err
}
for _, user := range users {
user.PreferredLoginName = user.GenerateLoginName(primaryDomain, userLoginMustBeDomain)
}
return u.view.PutUsers(users, event)
}
func (u *User) getOrgByID(ctx context.Context, orgID, instanceID string) (*org_model.Org, error) {
query, err := org_view.OrgByIDQuery(orgID, instanceID, 0)
if err != nil {
return nil, err
}
esOrg := &org_es_model.Org{
ObjectRoot: es_models.ObjectRoot{
AggregateID: orgID,
},
}
events, err := u.es.Filter(ctx, query)
if err != nil {
return nil, err
}
if err = esOrg.AppendEvents(events...); err != nil {
return nil, err
}
if esOrg.Sequence == 0 {
return nil, zerrors.ThrowNotFound(nil, "EVENT-3m9vs", "Errors.Org.NotFound")
}
return org_es_model.OrgToModel(esOrg), nil
}
func (u *User) loginNameInformation(ctx context.Context, orgID string, instanceID string) (userLoginMustBeDomain bool, primaryDomain string, domains []*org_model.OrgDomain, err error) {
org, err := u.getOrgByID(ctx, orgID, instanceID)
if err != nil {
return false, "", nil, err
}
primaryDomain, err = org.GetPrimaryDomain()
if err != nil {
return false, "", nil, err
}
if org.DomainPolicy != nil {
return org.DomainPolicy.UserLoginMustBeDomain, primaryDomain, org.Domains, nil
}
policy, err := u.queries.DefaultDomainPolicy(authz.WithInstanceID(ctx, org.InstanceID))
if err != nil {
return false, "", nil, err
}
return policy.UserLoginMustBeDomain, primaryDomain, org.Domains, nil
}
func (u *User) userFromEventstore(agg *eventstore.Aggregate, eventTypes []eventstore.EventType) (*view_model.UserView, error) {
query, err := usr_view.UserByIDQuery(agg.ID, agg.InstanceID, time.Time{}, eventTypes)
if err != nil {
return nil, err
}
events, err := u.es.Filter(context.Background(), query)
if err != nil {
return nil, err
}
user := &view_model.UserView{}
for _, e := range events {
if err = user.AppendEvent(e); err != nil {
return nil, err
}
}
return user, nil
}