Commit Graph

3440 Commits

Author SHA1 Message Date
Stefan Benz
9422766e17
chore: remove some integration test flakiness (#8818)
Remove some integration test flakiness.

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-10-31 15:34:20 +00:00
Livio Spring
041af26917
feat(OIDC): add back channel logout (#8837)
# Which Problems Are Solved

Currently ZITADEL supports RP-initiated logout for clients. Back-channel
logout ensures that user sessions are terminated across all connected
applications, even if the user closes their browser or loses
connectivity providing a more secure alternative for certain use cases.

# How the Problems Are Solved

If the feature is activated and the client used for the authentication
has a back_channel_logout_uri configured, a
`session_logout.back_channel` will be registered. Once a user terminates
their session, a (notification) handler will send a SET (form POST) to
the registered uri containing a logout_token (with the user's ID and
session ID).

- A new feature "back_channel_logout" is added on system and instance
level
- A `back_channel_logout_uri` can be managed on OIDC applications
- Added a `session_logout` aggregate to register and inform about sent
`back_channel` notifications
- Added a `SecurityEventToken` channel and `Form`message type in the
notification handlers
- Added `TriggeredAtOrigin` fields to `HumanSignedOut` and
`TerminateSession` events for notification handling
- Exported various functions and types in the `oidc` package to be able
to reuse for token signing in the back_channel notifier.
- To prevent that current existing session termination events will be
handled, a setup step is added to set the `current_states` for the
`projections.notifications_back_channel_logout` to the current position

- [x] requires https://github.com/zitadel/oidc/pull/671

# Additional Changes

- Updated all OTEL dependencies to v1.29.0, since OIDC already updated
some of them to that version.
- Single Session Termination feature is correctly checked (fixed feature
mapping)

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8467
- TODO:
  - Documentation
  - UI to be done: https://github.com/zitadel/zitadel/issues/8469

---------

Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
2024-10-31 15:57:17 +01:00
Tim Möhlmann
9cf67f30b8
fix(milestones): offset the type enum (#8849)
# Which Problems Are Solved

Migration of milestones failed on our QA due to the new milestone Type
enum being 0-indexed. The valid range was 0 till 5, inclusive. While on
the previous zitadel version this was 1 till 6, inclusive.

# How the Problems Are Solved

Offset the first constant with `1`.

# Additional Changes

- none

# Additional Context

Introduced in https://github.com/zitadel/zitadel/pull/8788
2024-10-31 12:03:40 +01:00
Max Peintner
692c9b7aa8
fix(login): org register script references (#8842)
Closes #8838 

This fixes a bug of the `/register/org` page where scripts where not
referenced correctly

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-10-31 10:16:30 +00:00
Fabi
aa211489ee
docs: change recommendation from cockroachDB to postgreSQL (#8844)
Some checks failed
ZITADEL CI/CD / core (push) Failing after 7m28s
ZITADEL CI/CD / core-unit-test (push) Has been skipped
ZITADEL CI/CD / core-integration-test (push) Has been skipped
ZITADEL CI/CD / console (push) Failing after 9m42s
ZITADEL CI/CD / lint (push) Has been skipped
ZITADEL CI/CD / version (push) Successful in 11m8s
ZITADEL CI/CD / compile (push) Has been skipped
ZITADEL CI/CD / container (push) Has been skipped
ZITADEL CI/CD / e2e (push) Has been skipped
ZITADEL CI/CD / release (push) Has been skipped
# Which Problems Are Solved

As we switched to PostgreSQL with our cloud zitadel, we now want to
recommend it instead of CockroachDB.

# How the Problems Are Solved

Replaced the recommend section with postgresql
2024-10-31 10:24:45 +01:00
Stefan Benz
6780c5a07c
fix: add resourceowner to check for project in project grant (#8785)
Some checks failed
ZITADEL CI/CD / core (push) Waiting to run
ZITADEL CI/CD / console (push) Waiting to run
ZITADEL CI/CD / version (push) Waiting to run
ZITADEL CI/CD / compile (push) Blocked by required conditions
ZITADEL CI/CD / core-unit-test (push) Blocked by required conditions
ZITADEL CI/CD / core-integration-test (push) Blocked by required conditions
ZITADEL CI/CD / lint (push) Blocked by required conditions
ZITADEL CI/CD / container (push) Blocked by required conditions
ZITADEL CI/CD / e2e (push) Blocked by required conditions
ZITADEL CI/CD / release (push) Blocked by required conditions
Code Scanning / CodeQL-Build (javascript) (push) Failing after 7m42s
Code Scanning / CodeQL-Build (go) (push) Failing after 15m0s
# Which Problems Are Solved

Resource owner can be different than expected if the provided
x-zitadel-orgid header is provided.

# How the Problems Are Solved

Check that the project is only checked with the correct resource owner
to avoid unexpected situations.

# Additional Changes

None

# Additional Context

Closes #8685

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-10-30 08:53:00 +00:00
Elio Bischof
cff4fe5dfd
docs: fix and harmonize docker compose files (#8839)
Some checks are pending
ZITADEL CI/CD / core (push) Waiting to run
ZITADEL CI/CD / console (push) Waiting to run
ZITADEL CI/CD / version (push) Waiting to run
ZITADEL CI/CD / compile (push) Blocked by required conditions
ZITADEL CI/CD / core-unit-test (push) Blocked by required conditions
ZITADEL CI/CD / core-integration-test (push) Blocked by required conditions
ZITADEL CI/CD / lint (push) Blocked by required conditions
ZITADEL CI/CD / container (push) Blocked by required conditions
ZITADEL CI/CD / e2e (push) Blocked by required conditions
ZITADEL CI/CD / release (push) Blocked by required conditions
Code Scanning / CodeQL-Build (go) (push) Waiting to run
Code Scanning / CodeQL-Build (javascript) (push) Waiting to run
# Which Problems Are Solved

1. Postgres spams FATAL: role "root" does not exist as mentioned in
https://github.com/zitadel/zitadel/discussions/7832 (even with -U)

2. The compose commands for a ZITADEL deployment with initial service
account key don't work out-of-the box with a non-root user, because
docker creates non-existing directories to bind-mount with root
ownership.


![image](https://github.com/user-attachments/assets/f2fc92d5-2ff4-47a4-bf4d-e9657aa2bb94)

```
time="2024-10-29T09:37:13Z" level=error msg="migration failed" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:68" error="open /machinekey/zitadel-admin-sa.json: permission denied" name=03_default_instance
time="2024-10-29T09:37:13Z" level=fatal msg="migration failed" caller="/home/runner/work/zitadel/zitadel/cmd/setup/setup.go:248" error="open /machinekey/zitadel-admin-sa.json: permission denied" name=03_default_instance
```

# How the Problems Are Solved

1. The branch bases on https://github.com/zitadel/zitadel/pull/8826. The
env vars are cleaned up and prettified across compose files.

2. A command is added to the docs that creates the directory with the
current users permission. The ZITADEL container runs with the current
users ID.

# Additional Context

- Replaces https://github.com/zitadel/zitadel/pull/8826
- Discussion https://github.com/zitadel/zitadel/discussions/7832
- Closes https://github.com/zitadel/zitadel/issues/7725

---------

Co-authored-by: m4tu4g <71326926+m4tu4g@users.noreply.github.com>
2024-10-29 20:02:04 +01:00
ChandanChainani
1426823d40
fix(mac): date command options not found #8757 (#8758)
Some checks failed
ZITADEL CI/CD / core (push) Has been cancelled
ZITADEL CI/CD / console (push) Has been cancelled
ZITADEL CI/CD / version (push) Has been cancelled
Code Scanning / CodeQL-Build (go) (push) Has been cancelled
Code Scanning / CodeQL-Build (javascript) (push) Has been cancelled
ZITADEL CI/CD / compile (push) Has been cancelled
ZITADEL CI/CD / core-unit-test (push) Has been cancelled
ZITADEL CI/CD / core-integration-test (push) Has been cancelled
ZITADEL CI/CD / lint (push) Has been cancelled
ZITADEL CI/CD / container (push) Has been cancelled
ZITADEL CI/CD / e2e (push) Has been cancelled
ZITADEL CI/CD / release (push) Has been cancelled
# Which Problems Are Solved
Closes: #8757 

Problem:
```sh
➜  ~ date --rfc-3339=seconds | sed 's/ /T/'
date: illegal option -- -
usage: date [-jnRu] [-I[date|hours|minutes|seconds]] [-f input_fmt]
            [-r filename|seconds] [-v[+|-]val[y|m|w|d|H|M|S]]
            [[[[mm]dd]HH]MM[[cc]yy][.SS] | new_date] [+output_fmt]
```

# How the Problems Are Solved
```sh
➜  date "+%Y-%m-%dT%T%z" | sed -E 's/.([0-9]{2})([0-9]{2})$/-\1:\2/'
2024-10-10T19:09:53-05:30
➜  TZ=America/Los_Angeles date "+%Y-%m-%dT%T%z" | sed -E 's/.([0-9]{2})([0-9]{2})$/-\1:\2/'
2024-10-10T06:39:41-07:00
```

- `Mac` support while compiling the source code locally

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-10-28 13:36:57 +01:00
Tim Möhlmann
32bad3feb3
perf(milestones): refactor (#8788)
Some checks are pending
ZITADEL CI/CD / core (push) Waiting to run
ZITADEL CI/CD / console (push) Waiting to run
ZITADEL CI/CD / version (push) Waiting to run
ZITADEL CI/CD / compile (push) Blocked by required conditions
ZITADEL CI/CD / core-unit-test (push) Blocked by required conditions
ZITADEL CI/CD / core-integration-test (push) Blocked by required conditions
ZITADEL CI/CD / lint (push) Blocked by required conditions
ZITADEL CI/CD / container (push) Blocked by required conditions
ZITADEL CI/CD / e2e (push) Blocked by required conditions
ZITADEL CI/CD / release (push) Blocked by required conditions
Code Scanning / CodeQL-Build (go) (push) Waiting to run
Code Scanning / CodeQL-Build (javascript) (push) Waiting to run
# Which Problems Are Solved

Milestones used existing events from a number of aggregates. OIDC
session is one of them. We noticed in load-tests that the reduction of
the oidc_session.added event into the milestone projection is a costly
business with payload based conditionals. A milestone is reached once,
but even then we remain subscribed to the OIDC events. This requires the
projections.current_states to be updated continuously.


# How the Problems Are Solved

The milestone creation is refactored to use dedicated events instead.
The command side decides when a milestone is reached and creates the
reached event once for each milestone when required.

# Additional Changes

In order to prevent reached milestones being created twice, a migration
script is provided. When the old `projections.milestones` table exist,
the state is read from there and `v2` milestone aggregate events are
created, with the original reached and pushed dates.

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/8800
2024-10-28 08:29:34 +00:00
dependabot[bot]
54f1c0bc50
chore(deps): bump http-proxy-middleware from 2.0.6 to 2.0.7 in /docs (#8821)
Some checks failed
ZITADEL CI/CD / core (push) Has been cancelled
ZITADEL CI/CD / console (push) Has been cancelled
ZITADEL CI/CD / version (push) Has been cancelled
Code Scanning / CodeQL-Build (go) (push) Has been cancelled
Code Scanning / CodeQL-Build (javascript) (push) Has been cancelled
ZITADEL CI/CD / compile (push) Has been cancelled
ZITADEL CI/CD / core-unit-test (push) Has been cancelled
ZITADEL CI/CD / core-integration-test (push) Has been cancelled
ZITADEL CI/CD / lint (push) Has been cancelled
ZITADEL CI/CD / container (push) Has been cancelled
ZITADEL CI/CD / e2e (push) Has been cancelled
ZITADEL CI/CD / release (push) Has been cancelled
Bumps
[http-proxy-middleware](https://github.com/chimurai/http-proxy-middleware)
from 2.0.6 to 2.0.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/chimurai/http-proxy-middleware/releases">http-proxy-middleware's
releases</a>.</em></p>
<blockquote>
<h2>v2.0.7</h2>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/chimurai/http-proxy-middleware/compare/v2.0.6...v2.0.7">https://github.com/chimurai/http-proxy-middleware/compare/v2.0.6...v2.0.7</a></p>
<h2>v2.0.7-beta.1</h2>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/chimurai/http-proxy-middleware/compare/v2.0.7-beta.0...v2.0.7-beta.1">https://github.com/chimurai/http-proxy-middleware/compare/v2.0.7-beta.0...v2.0.7-beta.1</a></p>
<h2>v2.0.7-beta.0</h2>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/chimurai/http-proxy-middleware/compare/v2.0.6...v2.0.7-beta.0">https://github.com/chimurai/http-proxy-middleware/compare/v2.0.6...v2.0.7-beta.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/chimurai/http-proxy-middleware/blob/v2.0.7/CHANGELOG.md">http-proxy-middleware's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.7">v2.0.7</a></h2>
<ul>
<li>ci(github actions): add publish.yml</li>
<li>fix(filter): handle errors</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="1e92339098"><code>1e92339</code></a>
ci(github-actions): fix npm tag</li>
<li><a
href="90afb7c9a6"><code>90afb7c</code></a>
chore(package): v2.0.7</li>
<li><a
href="0b4274e8cc"><code>0b4274e</code></a>
fix(filter): handle errors</li>
<li><a
href="1bd6dd578b"><code>1bd6dd5</code></a>
ci(github actions): add publish.yml</li>
<li>See full diff in <a
href="https://github.com/chimurai/http-proxy-middleware/compare/v2.0.6...v2.0.7">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=http-proxy-middleware&package-manager=npm_and_yarn&previous-version=2.0.6&new-version=2.0.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/zitadel/zitadel/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@zitadel.com>
2024-10-25 20:12:27 +00:00
Livio Spring
0b5079c11f
fix: correctly search for verified domain (#8820)
# Which Problems Are Solved

Searching orgs by domain currently only looked for the primary domain,
but should be possible with all verified domains (as documented)

# How the Problems Are Solved

- fixed the search query

# Additional Changes

None

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8749
2024-10-25 17:51:44 +02:00
Mostafa Galal
4eeb2be36a
fix: Negative values allowed by spinners of Login Lifetimes inputs (#8694)
Some checks are pending
ZITADEL CI/CD / core (push) Waiting to run
ZITADEL CI/CD / console (push) Waiting to run
ZITADEL CI/CD / version (push) Waiting to run
ZITADEL CI/CD / compile (push) Blocked by required conditions
ZITADEL CI/CD / core-unit-test (push) Blocked by required conditions
ZITADEL CI/CD / core-integration-test (push) Blocked by required conditions
ZITADEL CI/CD / lint (push) Blocked by required conditions
ZITADEL CI/CD / container (push) Blocked by required conditions
ZITADEL CI/CD / e2e (push) Blocked by required conditions
ZITADEL CI/CD / release (push) Blocked by required conditions
Code Scanning / CodeQL-Build (go) (push) Waiting to run
Code Scanning / CodeQL-Build (javascript) (push) Waiting to run
# Which Problems Are Solved

Previously, the login lifetime input fields allowed negative values and,
in some cases, zero values, which were not valid according to the
business rules.

# How the Problems Are Solved

The issue was resolved by adding min and step properties to the relevant
HTML input fields. This ensures that only valid values are entered,
adhering to the specific requirements for each field.

Co-authored-by: Max Peintner <max@caos.ch>
2024-10-25 10:44:15 +02:00
Stefan Benz
32d958ea43
chore: add await for project to oidc integration tests (#8809)
Some checks failed
ZITADEL CI/CD / core (push) Has been cancelled
ZITADEL CI/CD / console (push) Has been cancelled
ZITADEL CI/CD / version (push) Has been cancelled
Code Scanning / CodeQL-Build (go) (push) Has been cancelled
Code Scanning / CodeQL-Build (javascript) (push) Has been cancelled
ZITADEL CI/CD / compile (push) Has been cancelled
ZITADEL CI/CD / core-unit-test (push) Has been cancelled
ZITADEL CI/CD / core-integration-test (push) Has been cancelled
ZITADEL CI/CD / lint (push) Has been cancelled
ZITADEL CI/CD / container (push) Has been cancelled
ZITADEL CI/CD / e2e (push) Has been cancelled
ZITADEL CI/CD / release (push) Has been cancelled
# Which Problems Are Solved

In integration tests there is waiting for the application, but the
project is also included if the token can be created.

# How the Problems Are Solved

Wait for project not only for the application in the integration tests.

# Additional Changes

Some more corrections in integration tests.

# Additional Context

None

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-10-23 07:36:50 +00:00
karatekaneen
d696d15a1c
docs: update logger example for action modules (#8813)
Some checks are pending
ZITADEL CI/CD / core (push) Waiting to run
ZITADEL CI/CD / console (push) Waiting to run
ZITADEL CI/CD / version (push) Waiting to run
ZITADEL CI/CD / compile (push) Blocked by required conditions
ZITADEL CI/CD / core-unit-test (push) Blocked by required conditions
ZITADEL CI/CD / core-integration-test (push) Blocked by required conditions
ZITADEL CI/CD / lint (push) Blocked by required conditions
ZITADEL CI/CD / container (push) Blocked by required conditions
ZITADEL CI/CD / e2e (push) Blocked by required conditions
ZITADEL CI/CD / release (push) Blocked by required conditions
# Which Problems Are Solved

Updated the example to fit with the actual logger signature. Solves
#8811.
2024-10-23 07:40:43 +02:00
Mark Stosberg
70449caafb
docs: standardize multi-factor spelling and related string updates (#8752)
Some checks are pending
Code Scanning / CodeQL-Build (javascript) (push) Waiting to run
ZITADEL CI/CD / core (push) Waiting to run
ZITADEL CI/CD / console (push) Waiting to run
ZITADEL CI/CD / version (push) Waiting to run
ZITADEL CI/CD / compile (push) Blocked by required conditions
ZITADEL CI/CD / core-unit-test (push) Blocked by required conditions
ZITADEL CI/CD / core-integration-test (push) Blocked by required conditions
ZITADEL CI/CD / lint (push) Blocked by required conditions
ZITADEL CI/CD / container (push) Blocked by required conditions
ZITADEL CI/CD / e2e (push) Blocked by required conditions
ZITADEL CI/CD / release (push) Blocked by required conditions
Code Scanning / CodeQL-Build (go) (push) Waiting to run
- **docs: s/Secondfactor/Second factor/**
- **docs: s/IDP/IdP/**
- **docs: s/Hardwaretokens/Hardware tokens/**
- **docs: standardize multi-factor vs multi factor vs multifactor**

# Which Problems Are Solved

 - English strings are improved

# How the Problems Are Solved

 - With better strings

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-10-22 14:59:16 +00:00
Livio Spring
79fb4cc1cc
fix: correctly check denied domains and ips for actions (#8810)
# Which Problems Are Solved

System administrators can block hosts and IPs for HTTP calls in actions.
Using DNS, blocked IPs could be bypassed.

# How the Problems Are Solved

- Hosts are resolved (DNS lookup) to check whether their corresponding
IP is blocked.

# Additional Changes

- Added complete lookup ip address range and "unspecified" address to
the default `DenyList`
2024-10-22 16:16:44 +02:00
Stefan Benz
fca6b28a97
chore: correct require usage to assert for eventual consistency (#8795)
Some checks are pending
ZITADEL CI/CD / core (push) Waiting to run
ZITADEL CI/CD / console (push) Waiting to run
ZITADEL CI/CD / version (push) Waiting to run
ZITADEL CI/CD / core-integration-test (push) Blocked by required conditions
ZITADEL CI/CD / lint (push) Blocked by required conditions
ZITADEL CI/CD / compile (push) Blocked by required conditions
ZITADEL CI/CD / core-unit-test (push) Blocked by required conditions
ZITADEL CI/CD / container (push) Blocked by required conditions
ZITADEL CI/CD / e2e (push) Blocked by required conditions
ZITADEL CI/CD / release (push) Blocked by required conditions
Code Scanning / CodeQL-Build (go) (push) Waiting to run
Code Scanning / CodeQL-Build (javascript) (push) Waiting to run
# Which Problems Are Solved

Eventual consistency is handled wrongly in the newly improved
integration tests.

# How the Problems Are Solved

Correct the usage of the require package with the assert package where
necessary, to remove the panics where the EventuallyWithT functions can
rerun.

# Additional Changes

Modify the timeout values for some EventuallyWithT which can vary when a
instance is freshly setup.

# Additional Context

None
2024-10-21 19:15:02 +00:00
Laust Rud Jacobsen
11782cf422
docs: typo repair (#8796)
Some checks are pending
ZITADEL CI/CD / core (push) Waiting to run
ZITADEL CI/CD / console (push) Waiting to run
ZITADEL CI/CD / version (push) Waiting to run
ZITADEL CI/CD / compile (push) Blocked by required conditions
ZITADEL CI/CD / core-unit-test (push) Blocked by required conditions
ZITADEL CI/CD / core-integration-test (push) Blocked by required conditions
ZITADEL CI/CD / lint (push) Blocked by required conditions
ZITADEL CI/CD / container (push) Blocked by required conditions
ZITADEL CI/CD / e2e (push) Blocked by required conditions
ZITADEL CI/CD / release (push) Blocked by required conditions
# Which Problems Are Solved

Saw a typo, fixed it.
2024-10-21 12:34:09 +02:00
Fabi
0de2f92d2e
docs: fix wrong examples and links (#8780)
# Which Problems Are Solved

- The addorgmember request shows a wrong example in the api
documentation
- Broken Links on actions feature description

# How the Problems Are Solved

- Change example of AddOrgMember API Docs
- Point towards correct links

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-10-18 11:12:23 +03:00
Stefan Benz
8d97363642
chore: improve integration tests (#8727)
Improve integration tests:
- spliting the tests in TokenExchange to isolated instances and in
parallel
- corrected some test structure so that the check for Details is no done
anymore if the test already failed
- replace required-calls with assert-calls to not stop the testing
- add gofakeit for application, project and usernames(emails)
- add eventually checks for testing in actions v2, so the request only
get called when the execution is defined
- check for length of results in list/search endpoints to avoid index
errors
2024-10-17 21:20:57 +00:00
Silvan
cc8d4fe17c
chore(load-test): add csv output (#8783)
# Which Problems Are Solved

Load tests currently do not output details about the data messured.

# How the Problems Are Solved

Added the `--out` flag to all load tests
2024-10-17 22:15:55 +03:00
Stefan Benz
c21e171519
fix: add allowRegister check for register handling in login (#8782)
# Which Problems Are Solved

There is currently the possibility that you can jump to the register
path, even if register is disallowed through the settings.

# How the Problems Are Solved

Check before handling the HTTP requests if register is allowed.

# Additional Changes

Function to determine the resourceowner for all register related
functionality in the login.

# Additional Context

closes #8123
2024-10-16 13:09:32 +00:00
Tim Möhlmann
4ebc23aa1f
fix(load-test): correct k6 command (#8760) 2024-10-15 14:26:16 +02:00
Fabi
3c4a92a981
chore(github): add type to issue templates (#8775)
# Which Problems Are Solved

Github introduced the new issue types, which we want to add to our
issues. Starting point is to change the templates, so we can add the
right types.
2024-10-15 09:42:16 +00:00
Shubham Singh Sugara
7eb54e4c7b
fix: Update Defaults.yaml (#8731)
# Which Problems Are Solved
The primary issue addressed in this PR is that the defaults.yaml file
contains escaped characters (like `&lt;` for < and `&gt;` for >) in
message texts, which prevents valid HTML rendering in certain parts of
the Zitadel platform.
These escaped characters are used in user-facing content (e.g., email
templates or notifications), resulting in improperly displayed text,
where the HTML elements like line breaks or bold text don't render
correctly.

# How the Problems Are Solved
The solution involves replacing the escaped characters with their
corresponding HTML tags in the defaults.yaml file, ensuring that the
HTML renders correctly in the emails or user interfaces where these
messages are displayed.
This update ensures that:
- The HTML in these message templates is rendered properly, improving
the user experience.
- The content looks professional and adheres to web standards for
displaying HTML content.
    
# Additional Changes
N/A

# Additional Context
N/A

- Closes #8531

Co-authored-by: Max Peintner <max@caos.ch>
2024-10-14 07:42:08 +00:00
TrueQAP
c455b8b1eb
feat(i18n): Add Hungarian language support to ZITADEL (#8645)
- Fully translated all UI elements, documentation, and error messages
- Added Hungarian as a new supported language option
- Updated language selection menus and related configuration files
- Ensured consistency across all translated content

# Which Problems Are Solved

- ZITADEL was not accessible for Hungarian-speaking users due to lack of
language support
- Hungarian users had to rely on English or other languages to use the
platform
- Potential user base was limited due to language barrier

# How the Problems Are Solved

- Translated all user interface elements, including console and login
interfaces
- Translated all documentation files to Hungarian
- Added Hungarian translations for all error messages and notifications
- Implemented Hungarian as a selectable language option in the system

# Additional Changes

- Updated language selection menus to include Hungarian
- Modified configuration files to support Hungarian language
- Ensured consistent terminology and style across all translated content
- Added Hungarian language option to relevant dropdown menus and
settings

# Additional Context

- Relates to the ongoing internationalization efforts of ZITADEL
- Enhances accessibility for Hungarian-speaking developers and users
- Expands ZITADEL's potential user base in Hungary and
Hungarian-speaking regions

---------

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-10-11 09:00:50 +00:00
Elio Bischof
464ca0bd00
fix: always create SAML with metadata (#8696)
# Which Problems Are Solved

Adding a SAML IDPs with an empty metadata XML and URL leads to failed
projection events. The main IDP template projection succeeds, but the
subtable projection for SAML template fails, because the metadata field
is not nullable in that table. The SAML IDP shows up in list queries,
because the list method only queries the main template projection.
However, getting a SAML IDP created without metadata by ID misses the
SAML specific IDP data.

# How the Problems Are Solved

- The command for adding a SAML IDP properly ensures that non-empty
metadata is either given by XML or resolved by URL.
- The console doesn't send requests with empty metadata anymore. This
works by explicitly setting a single oneof option for either XML or URL
and emptying the other one.

# Additional Context

Closes #8443
2024-10-11 08:09:51 +00:00
Stuart Douglas
81920e599b
fix(SAML): log underlying error if SAML response validation fails (#8721)
# Which Problems Are Solved

If SAML response validation in crewjam/saml fails, a generic
"Authentication failed" error is thrown. This makes it challenging to
determine the actual cause, since there are a variety of reasons
response validation may fail.

# How the Problems Are Solved

Add a log statement if we receive a response validation error from
crewjam/saml that logs the internal `InvalidResponseError.PrivateErr`
error from crewjam/saml to stdout. We continue to return a generic error
message to the client to prevent leaking data.

Verified by running `go test -v ./internal/idp/providers/saml` in
verbose mode, which output the following line for the "response_invalid"
test case:
```
time="2024-10-03T14:53:10+01:00" level=info msg="invalid SAML response details" caller="/Users/sdouglas/Documents/thirdparty-repos/zitadel/internal/idp/providers/saml/session.go:72" error="cannot parse base64: illegal base64 data at input byte 2"
```

# Additional Changes

None

# Additional Context

- closes #8717

---------

Co-authored-by: Stuart Douglas <sdouglas@hopper.com>
2024-10-11 07:04:15 +00:00
Stefan Benz
4d593dace2
fix: add domain as attribute to list user auth methods (#8718)
# Which Problems Are Solved

There is no option to only query auth methods related to specific
domains.

# How the Problems Are Solved

Add domain as attribute to the ListAuthenticationMethodTypes request.

# Additional Changes

OwnerRemoved column removed from the projection.

# Additional Context

Closes #8615

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-10-10 16:50:53 +00:00
Livio Spring
df2033253d
fix: only allow domain discovery if no organization was preselected (#8748)
# Which Problems Are Solved

If an organization was preselected using an orgID or primaryDomain
scope, users could still switch to another organization, if the latter
allowed domain discovery and the entered username / or login_hint
included the corresponding domain suffix.

# How the Problems Are Solved

Domain discovery will only be done in case no org was preselected.

# Additional Changes

None

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8464
- closes https://github.com/zitadel/zitadel/issues/8588
2024-10-10 15:29:53 +00:00
Livio Spring
16171ce3b9
fix: pass sessionID to OTP email link (#8745)
# Which Problems Are Solved

OTP Email links currently could not use / include the sessionID they
belong to. This prevents an easy use for redirecting and handling OTP
via email through the session API.

# How the Problems Are Solved

Added the sessionID as placeholder for the OTP Email link template.

# Additional Changes

List all available placeholders in the url_templates of V2 endpoints.

# Additional Context

- discussed in a customer meeting
2024-10-10 13:53:32 +00:00
Fabi
222915ca3d
chore: test issue type (#8750)
# Which Problems Are Solved

We want to use the new issue types of github
2024-10-09 14:03:40 +02:00
Livio Spring
94f267d475
fix: respect PrivateLabelingSetting on project for login texts (#8744)
# Which Problems Are Solved

Admins can set the branding to be used from the project's organization.
Until now, only the branding (colors) were respected, but texts were
still loaded from the user's organization.

# How the Problems Are Solved

Respect the setting when loading the texts for the login pages.

# Additional Changes

None

# Additional Context

- closes #8502
2024-10-09 09:02:28 +00:00
Tim Möhlmann
17303d1524
perf(milestones): remove legacy token event reducer (#8747)
# Which Problems Are Solved

Since the optiimzation of the token endpoint, we longer push the
`user.token.added` event. However, the milestone projection keeps
quering for it, including a payload query.

This incured a static waste of DB resources.

# How the Problems Are Solved

Remove the `user.token.added` event reducer from the milestone
projection

# Additional Changes

- none

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/8742. Other
changes ommitted so this PR can be backported to stable.
2024-10-09 08:00:07 +00:00
Stefan Benz
911cb42d70
fix: check if project has resourceOwner and ownerID (#8725)
# Which Problems Are Solved

There is no check that the creation of a project also has a resource
owner.

# How the Problems Are Solved

Check if resource owner and the ID of the owner are provided on command
side.

# Additional Changes

None

# Additional Context

Closes #7794
2024-10-08 15:07:27 +00:00
dependabot[bot]
34195157ce
chore(deps-dev): bump webpack from 5.89.0 to 5.95.0 in /load-test (#8726)
Bumps [webpack](https://github.com/webpack/webpack) from 5.89.0 to
5.95.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/webpack/webpack/releases">webpack's
releases</a>.</em></p>
<blockquote>
<h2>v5.95.0</h2>
<h2>Bug Fixes</h2>
<ul>
<li>Fixed hanging when attempting to read a symlink-like file that it
can't read</li>
<li>Handle <code>default</code> for import context element
dependency</li>
<li>Merge duplicate chunks call after split chunks</li>
<li>Generate correctly code for dynamically importing the same file
twice and destructuring</li>
<li>Use content hash as [base] and [name] for extracted DataURI's</li>
<li>Distinguish <code>module</code> and <code>import</code> in
<code>module-import</code> for externals <code>import</code>'s</li>
<li>[Types] Make <code>EnvironmentPlugin</code> default values types
less strict</li>
<li>[Types] Typescript 5.6 compatibility</li>
</ul>
<h2>New Features</h2>
<ul>
<li>Add new <code>optimization.avoidEntryIife</code> option
(<code>true</code> by default for the <code>production</code> mode)</li>
<li>Pass output.hash* options to loader context</li>
</ul>
<h2>Performance</h2>
<ul>
<li>Avoid unneeded re-visit in build chunk graph</li>
</ul>
<h2>v5.94.0</h2>
<h2>Bug Fixes</h2>
<ul>
<li>Added runtime condition for harmony reexport checked</li>
<li>Handle properly
<code>data</code>/<code>http</code>/<code>https</code> protocols in
source maps</li>
<li>Make <code>bigint</code> optimistic when browserslist not found</li>
<li>Move <code>@​types/eslint-scope</code> to dev deps</li>
<li>Related in asset stats is now always an array when no related
found</li>
<li>Handle ASI for export declarations</li>
<li>Mangle destruction incorrect with export named default properly</li>
<li>Fixed unexpected asi generation with sequence expression</li>
<li>Fixed a lot of types</li>
</ul>
<h2>New Features</h2>
<ul>
<li>Added new external type &quot;module-import&quot;</li>
<li>Support <code>webpackIgnore</code> for <code>new URL()</code>
construction</li>
<li>[CSS] <code>@import</code> pathinfo support</li>
</ul>
<h2>Security</h2>
<ul>
<li>Fixed DOM clobbering in auto public path</li>
</ul>
<h2>v5.93.0</h2>
<h2>Bug Fixes</h2>
<ul>
<li>Generate correct relative path to runtime chunks</li>
<li>Makes <code>DefinePlugin</code> quieter under default log level</li>
<li>Fixed mangle destructuring default in namespace import</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e20fd634fd"><code>e20fd63</code></a>
chore(release): 5.95.0</li>
<li><a
href="4866b0daf1"><code>4866b0d</code></a>
feat: added new <code>optimization.entryIife</code> option</li>
<li><a
href="d90f6920f0"><code>d90f692</code></a>
fix: merge duplicate chunks after split chunks</li>
<li><a
href="90dec30ff4"><code>90dec30</code></a>
fix(externals): distinguish “module” and “import” in
“module-import”</li>
<li><a
href="c1a0a4666e"><code>c1a0a46</code></a>
fix(externals): distinguish “module” and “import” in
“module-import”</li>
<li><a
href="14d8fa8dd5"><code>14d8fa8</code></a>
fix: all tests cases</li>
<li><a
href="dae16ad11e"><code>dae16ad</code></a>
feat: pass output.hash* options to loader context</li>
<li><a
href="75d185d27e"><code>75d185d</code></a>
feat: pass <code>output.hash*</code> options to loader context</li>
<li><a
href="46e0b9cc05"><code>46e0b9c</code></a>
test: update</li>
<li><a
href="8e62f9f36b"><code>8e62f9f</code></a>
test</li>
<li>Additional commits viewable in <a
href="https://github.com/webpack/webpack/compare/v5.89.0...v5.95.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=webpack&package-manager=npm_and_yarn&previous-version=5.89.0&new-version=5.95.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/zitadel/zitadel/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>
2024-10-08 14:33:15 +02:00
Livio Spring
91b2d67325
fix: correctly compute user state (#8740)
# Which Problems Are Solved

A customer reported, that after a created user (in initial state) got
(manually) locked and a new initial code would be created, the user
could not be locked again.

# How the Problems Are Solved

Query for the initial code added event

# Additional Changes

None

# Additional Context

- reported by a customer
2024-10-07 16:50:17 +02:00
Tim Möhlmann
a84b259e8c
perf(oidc): nest position clause for session terminated query (#8738)
# Which Problems Are Solved

Optimize the query that checks for terminated sessions in the access
token verifier. The verifier is used in auth middleware, userinfo and
introspection.


# How the Problems Are Solved

The previous implementation built a query for certain events and then
appended a single `PositionAfter` clause. This caused the postgreSQL
planner to use indexes only for the instance ID, aggregate IDs,
aggregate types and event types. Followed by an expensive sequential
scan for the position. This resulting in internal over-fetching of rows
before the final filter was applied.


![Screenshot_20241007_105803](https://github.com/user-attachments/assets/f2d91976-be87-428b-b604-a211399b821c)

Furthermore, the query was searching for events which are not always
applicable. For example, there was always a session ID search and if
there was a user ID, we would also search for a browser fingerprint in
event payload (expensive). Even if those argument string would be empty.

This PR changes:

1. Nest the position query, so that a full `instance_id, aggregate_id,
aggregate_type, event_type, "position"` index can be matched.
2. Redefine the `es_wm` index to include the `position` column.
3. Only search for events for the IDs that actually have a value. Do not
search (noop) if none of session ID, user ID or fingerpint ID are set.

New query plan:


![Screenshot_20241007_110648](https://github.com/user-attachments/assets/c3234c33-1b76-4b33-a4a9-796f69f3d775)


# Additional Changes

- cleanup how we load multi-statement migrations and make that a bit
more reusable.

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/7639
2024-10-07 12:49:55 +00:00
Hidde Wieringa
2bd3f44094
docs: remove duplicate from API path prefixes (#8739)
# Which Problems Are Solved

The `/oauth/v1` path prefix is duplicated, which is an error in most
proxies.


# How the Problems Are Solved

Remove the duplicate path prefix from the docs.

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-10-07 13:53:05 +02:00
Stefan Benz
d03ad62edd
fix: add default organization as query for org v2 list (#8719)
# Which Problems Are Solved

To get the default organization we have no direct solution.

# How the Problems Are Solved

Add default organization as query to the org v2 List.

# Additional Changes

None

# Additional Context

Closes #8616

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-10-07 09:28:39 +00:00
Livio Spring
f653589609
fix: twilio code generation and verification (#8728)
# Which Problems Are Solved

The recently added possibility to generate and verify codes through
Twilio verification service did failed on checking OTP SMS code through
the session API. Additionally, password codes generated by the V2 API
and sent through phone would always use the internal generator and
verification mechanism rather than the configured.

# How the Problems Are Solved

- Correctly set the verifier for OTP SMS for the session API
  - Always use the internal verifier for OTP Email (for now)
- Select the generator / verifier based on the configuration for
password codes with notification type SMS for V2 APIs

# Additional Changes

None

# Additional Context

- relates to #8678 
- reported by customer

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-10-07 07:12:44 +02:00
Tim Möhlmann
25dc7bfe72
perf(cache): pgx pool connector (#8703)
# Which Problems Are Solved

Cache implementation using a PGX connection pool.

# How the Problems Are Solved

Defines a new schema `cache` in the zitadel database.
A table for string keys and a table for objects is defined.
For postgreSQL, tables are unlogged and partitioned by cache name for
performance.

Cockroach does not have unlogged tables and partitioning is an
enterprise feature that uses alternative syntax combined with sharding.
Regular tables are used here.

# Additional Changes

- `postgres.Config` can return a pxg pool. See following discussion

# Additional Context

- Part of https://github.com/zitadel/zitadel/issues/8648
- Closes https://github.com/zitadel/zitadel/issues/8647

---------

Co-authored-by: Silvan <silvan.reusser@gmail.com>
2024-10-04 13:15:41 +00:00
Livio Spring
bee0744d46
fix: update logging to allow slog field overwrite (#8720)
# Which Problems Are Solved

When using slog (e.g. in OIDC) the logs field name can not be
overwritten.
This is necessary for example to change log level to severity.

# How the Problems Are Solved

- Update logging library

# Additional Changes

None

# Additional Context

None
2024-10-04 12:48:00 +00:00
alfa-alex
78b19c32ac
docs: add required parameter for authorization code grant (#8506) (#8709)
# Which Problems Are Solved

The current docs of the Authorization code grant do not mention that for
the authentication method type "None (PKCE)", you need to additionally
provide a `client_id` parameter.

# How the Problems Are Solved

Missing parameter is added to the docs.

# Additional Context

- Closes #8506
2024-10-04 12:15:15 +00:00
Stefan Benz
0bcf136f6f
fix: correctly create SMTP provider list (#8724)
# Which Problems Are Solved

https://github.com/zitadel/zitadel/pull/8545 incorrectly created the
list of current smtp providers, if an SMTP provider was changed, that
was created before https://github.com/zitadel/zitadel/pull/6932 /
[v2.50.0](https://github.com/zitadel/zitadel/releases/tag/v2.50.0)).
This led to problems when trying to send emails to users (email
verification and OTP email).

# How the Problems Are Solved

Correctly handle events of old SMTP configurations, which do not have an
id set.

# Additional Changes

None

# Additional Context

- relates to #8545
- support requests from cloud customers
2024-10-04 09:34:44 +00:00
Elio Bischof
fb481256ec
docs: reorganize actions v3 docs (#8712)
# Which Problems Are Solved

The actions v2 docs have broken links. Also, actions docs are
distributed and the navigation feels messy.

# How the Problems Are Solved

- The two actions v2 docs pages are integrated into the more accurate
actions v3 API section. Redirects are added to the Vercel config.


![image](https://github.com/user-attachments/assets/0b3b2255-4b90-45b3-be1d-ee875dd86f03)

![image](https://github.com/user-attachments/assets/a35314d7-11fb-446e-ae47-9d3e65adeccd)

- The broken links are fixed.

# Additional Changes

A text is added to the actions v3 section describing the changes coming
with v3.


![image](https://github.com/user-attachments/assets/bba0c9a2-36af-4820-aa84-a823b8801d79)

# Additional Context

- Replaces #8688
- Broken links reported in
https://discord.com/channels/927474939156643850/1275551972283646055
- Broken links reported in
https://discord.com/channels/927474939156643850/1168451861515354133/1280394234679136267

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-10-03 16:26:05 +00:00
Stefan Benz
5e57d3bebb
fix: correct error messages for policy queries (#8722)
# Which Problems Are Solved

Errors messages are mixed up for some policies

# How the Problems Are Solved

Define new error IDs and correct the messages.

# Additional Changes

None

# Additional Context

None
2024-10-03 17:53:03 +02:00
Elio Bischof
c0615e95e2
fix: update dependencies (#8713)
# Which Problems Are Solved

NPM dependencies are outdated.

# How the Problems Are Solved

```bash
cd console
yarn upgrade 
yarn add typescript@5.1
```

```bash
cd load-test
npm update
```
2024-10-03 11:03:44 +00:00
Livio Spring
18499274dd
fix(SAML): check on empty nameID (#8714)
# Which Problems Are Solved

If a SAML IdP did not send a `NameID` (even though required by the
specification), ZITADEL would crash.

# How the Problems Are Solved

- Check specifically if the `Subject` and its `NameID` is passed

# Additional Changes

None

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8654
2024-10-03 08:17:33 +00:00
Elio Bischof
be53caafea
docs(linux, macos): default postgres admin password (#8687) 2024-10-02 17:03:11 +00:00