3754 Commits

Author SHA1 Message Date
Livio Spring
01bbcc1a48
fix(OTEL): reduce high cardinality in traces and metrics (#9286)
# Which Problems Are Solved

There were multiple issues in the OpenTelemetry (OTEL) implementation
and usage for tracing and metrics, which lead to high cardinality and
potential memory leaks:
- wrongly initiated tracing interceptors
- high cardinality in traces:
  - HTTP/1.1 endpoints containing host names
- HTTP/1.1 endpoints containing object IDs like userID (e.g.
`/management/v1/users/2352839823/`)
- high amount of traces from internal processes (spooler)
- high cardinality in metrics endpoint:
  - GRPC entries containing host names
  - notification metrics containing instanceIDs and error messages

# How the Problems Are Solved

- Properly initialize the interceptors once and update them to use the
grpc stats handler (unary interceptors were deprecated).
- Remove host names from HTTP/1.1 span names and use path as default.
- Set / overwrite the uri for spans on the grpc-gateway with the uri
pattern (`/management/v1/users/{user_id}`). This is used for spans in
traces and metric entries.
- Created a new sampler which will only sample spans in the following
cases:
  - remote was already sampled
- remote was not sampled, root span is of kind `Server` and based on
fraction set in the runtime configuration
- This will prevent having a lot of spans from the spooler background
jobs if they were not started by a client call querying an object (e.g.
UserByID).
- Filter out host names and alike from OTEL generated metrics (using a
`view`).
- Removed instance and error messages from notification metrics.

# Additional Changes

Fixed the middleware handling for serving Console. Telemetry and
instance selection are only used for the environment.json, but not on
statically served files.

# Additional Context

- closes #8096
- relates to #9074
- back ports to at least 2.66.x, 2.67.x and 2.68.x

(cherry picked from commit 990e1982c712ba2082f3fc6fc4861f3abf85b0cd)
2025-02-04 12:01:45 +01:00
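The sampler rules from #9286 above, as an added Go example that is not ZITADEL's code: it reimplements the decision logic without the OpenTelemetry SDK dependency, so `SpanKind`, `Decision` and `Parent` are stand-ins for the SDK's types, and following a sampled local parent the same way as a sampled remote one is an assumption. The ratio decision hashes the trace ID the way the SDK's `TraceIDRatioBased` sampler does, so every span of a trace gets the same answer.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// SpanKind and Decision mirror the OpenTelemetry SDK concepts so the example
// compiles without the OTEL dependency (assumption: names are illustrative).
type SpanKind int

const (
	KindInternal SpanKind = iota
	KindServer
	KindClient
	KindProducer
	KindConsumer
)

type Decision int

const (
	Drop Decision = iota
	RecordAndSample
)

func (d Decision) String() string {
	if d == RecordAndSample {
		return "RecordAndSample"
	}
	return "Drop"
}

// Parent is the span context a new span would inherit. Valid is false for a
// root span (no parent at all).
type Parent struct {
	Valid   bool
	Sampled bool
}

// RootServerRatioSampler applies the rules from the commit message:
//  1. a sampled parent is followed, so a trace a client started stays complete
//     (assumption: a sampled local parent is followed like a remote one);
//  2. a root span of kind Server is sampled by trace-ID ratio;
//  3. everything else is dropped: children of unsampled parents, and root
//     spans that background work such as the spooler starts on its own.
type RootServerRatioSampler struct {
	fraction  float64
	threshold uint64
}

// NewRootServerRatioSampler clamps fraction into [0,1] and precomputes the
// threshold the hashed trace ID is compared against.
func NewRootServerRatioSampler(fraction float64) *RootServerRatioSampler {
	if fraction < 0 {
		fraction = 0
	}
	if fraction > 1 {
		fraction = 1
	}
	return &RootServerRatioSampler{
		fraction:  fraction,
		threshold: uint64(fraction * (1 << 63)),
	}
}

// ShouldSample decides for one span. The ratio step uses the upper 63 bits of
// the low 8 bytes of the trace ID, as the SDK's TraceIDRatioBased sampler does,
// so the decision is deterministic per trace ID.
func (s *RootServerRatioSampler) ShouldSample(parent Parent, kind SpanKind, traceID [16]byte) Decision {
	if parent.Valid {
		if parent.Sampled {
			return RecordAndSample
		}
		return Drop
	}
	if kind != KindServer {
		return Drop
	}
	x := binary.BigEndian.Uint64(traceID[8:16]) >> 1
	if x < s.threshold {
		return RecordAndSample
	}
	return Drop
}

func (s *RootServerRatioSampler) Description() string {
	return fmt.Sprintf("RootServerRatio{%g}", s.fraction)
}

func main() {
	s := NewRootServerRatioSampler(0.5)
	var low, high [16]byte
	for i := 8; i < 16; i++ {
		high[i] = 0xff
	}
	fmt.Println("root server, low trace id: ", s.ShouldSample(Parent{}, KindServer, low))
	fmt.Println("root server, high trace id:", s.ShouldSample(Parent{}, KindServer, high))
	fmt.Println("spooler root span:         ", s.ShouldSample(Parent{}, KindInternal, low))
	fmt.Println("parent sampled:            ", s.ShouldSample(Parent{Valid: true, Sampled: true}, KindClient, high))
	fmt.Println("parent not sampled:        ", s.ShouldSample(Parent{Valid: true}, KindServer, low))
}
```

Wiring this into a real tracer means implementing the SDK's `sdktrace.Sampler` interface (`ShouldSample` and `Description`) over the same decision; what to check after deployment is that spooler-started traces no longer show up while client-started traces still arrive complete.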
Livio Spring
92e2ba0ea8
Merge branch 'main' into next 2025-02-03 08:38:39 +01:00
Livio Spring
04b9e9b144
fix(console): add posthog to CSP if configured (#9284)
# Which Problems Are Solved

PostHog scripts are currently blocked by content security policy (CSP).

# How the Problems Are Solved

Add `https://*.i.posthog.com` to the CSP according to
https://posthog.com/docs/advanced/content-security-policy#enabling-the-toolbar
(they suggest  `https://*.posthog.com`)

# Additional Changes

None

# Additional Context

relates to https://github.com/zitadel/zitadel/issues/9076
2025-02-03 08:08:01 +01:00
Lars
f65db52247
fix: scim create users dont send init emails (#9283)
# Which Problems Are Solved
- when a scim user is provisioned, a init email could be sent

# How the Problems Are Solved
- no init email should be sent => hard code false for the email init
param

# Additional Context

Related to https://github.com/zitadel/zitadel/issues/8140

Co-authored-by: Fabienne Bühler <fabienne@zitadel.com>
2025-01-31 09:36:18 +00:00
Lars
20cff9c70a
fix: scim 2.0 patch ignore op casing (#9282)
# Which Problems Are Solved
- Some SCIM clients send "op" of a patch operation in PascalCase

# How the Problems Are Solved
- Well known "op" values of patch operations are matched
case-insensitive.

# Additional Context
Related to #8140
2025-01-31 09:15:39 +00:00
Lars
563f74640e
fix: scim v2 endpoints enforce user resource owner (#9273)
# Which Problems Are Solved
- If a SCIM endpoint is called with an orgID in the URL that is not the
resource owner, no error is returned, and the action is executed.

# How the Problems Are Solved
- The orgID provided in the SCIM URL path must match the resource owner
of the target user. Otherwise, an error will be returned.

# Additional Context

Part of https://github.com/zitadel/zitadel/issues/8140
2025-01-30 16:43:13 +01:00
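The check from #9273 above, as an added Go example (not the project's code; `scimUser`, `userStore` and the deactivate operation are illustrative stand-ins). It puts the unchecked lookup beside the enforced one, and returns a single not-found error for both a missing user and a user owned by another organization, so the response does not confirm that the ID exists in some other tenant.

```go
package main

import (
	"errors"
	"fmt"
)

// scimUser is a minimal stand-in for a ZITADEL user (assumption: the field
// names are illustrative, not the project's own types).
type scimUser struct {
	ID            string
	ResourceOwner string // the organization that owns the user
	Active        bool
}

// errNotFound covers both "no such user" and "user owned by another org", so
// a caller cannot use the error to probe which IDs exist in other tenants.
var errNotFound = errors.New("user not found")

type userStore map[string]*scimUser

// deactivateUnchecked shows the flaw: {orgID} from the path is accepted but
// never compared, so any org ID in the URL reaches any user.
func (s userStore) deactivateUnchecked(_ string, userID string) error {
	u, ok := s[userID]
	if !ok {
		return errNotFound
	}
	u.Active = false
	return nil
}

// userForOrg resolves /scim/v2/{orgID}/Users/{userID}: the user must exist
// and its resource owner must be the org named in the path.
func (s userStore) userForOrg(pathOrgID, userID string) (*scimUser, error) {
	u, ok := s[userID]
	if !ok || u.ResourceOwner != pathOrgID {
		return nil, errNotFound
	}
	return u, nil
}

// deactivate is the enforced version: every write goes through userForOrg,
// so the action is never executed for a user owned by a different org.
func (s userStore) deactivate(pathOrgID, userID string) error {
	u, err := s.userForOrg(pathOrgID, userID)
	if err != nil {
		return err
	}
	u.Active = false
	return nil
}

// newSampleStore builds constructed data: two orgs, one user each.
func newSampleStore() userStore {
	return userStore{
		"u-100": {ID: "u-100", ResourceOwner: "org-a", Active: true},
		"u-200": {ID: "u-200", ResourceOwner: "org-b", Active: true},
	}
}

func main() {
	s := newSampleStore()
	// org-b's SCIM client addresses org-a's user: the unchecked handler obeys.
	fmt.Println("unchecked:", s.deactivateUnchecked("org-b", "u-100"), "active:", s["u-100"].Active)
	s = newSampleStore()
	// The enforced handler refuses, and the user stays active.
	fmt.Println("checked:  ", s.deactivate("org-b", "u-100"), "active:", s["u-100"].Active)
	fmt.Println("own org:  ", s.deactivate("org-a", "u-100"), "active:", s["u-100"].Active)
}
```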
Lars
60cfa6cb76
docs: scim v2 interface (#9246)
# Which Problems Are Solved
- Lack of documentation for the SCIM v2 interface

# How the Problems Are Solved
- Introduced a new documentation page detailing the SCIM v2 interface

# Additional Context
Part of #8140

---------

Co-authored-by: Fabienne Bühler <fabienne@zitadel.com>
2025-01-30 08:07:28 +00:00
David Skewis
4498f9c8f3
feat: Posthog integration (#9077)
# Which Problems Are Solved

- Adds a service in the console to enable Posthog integration based on
upon user environment variables

# How the Problems Are Solved

- A new service has been created in console for posthog
- This is only initiated based upon provided environment variables

# Additional Changes

N/A

# Additional Context

- Closes #[9076](https://github.com/zitadel/zitadel/issues/9076)
- Cannot be merged until this is completed
#[9070](https://github.com/zitadel/zitadel/issues/9070)
2025-01-30 07:57:51 +01:00
Lars
e15094cdea
feat: add scim v2 service provider configuration endpoints (#9258)
# Which Problems Are Solved
* Adds support for the service provider configuration SCIM v2 endpoints

# How the Problems Are Solved
* Adds support for the service provider configuration SCIM v2 endpoints
  * `GET /scim/v2/{orgId}/ServiceProviderConfig`
  * `GET /scim/v2/{orgId}/ResourceTypes`
  * `GET /scim/v2/{orgId}/ResourceTypes/{name}`
  * `GET /scim/v2/{orgId}/Schemas`
  * `GET /scim/v2/{orgId}/Schemas/{id}`

# Additional Context
Part of #8140

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-01-29 18:11:12 +00:00
Tim Möhlmann
b6841251b1
feat(users/v2): return prompt information (#9255)
# Which Problems Are Solved

Add the ability to update the timestamp when MFA initialization was last
skipped.
Get User By ID now also returns the timestamps when MFA setup was last
skipped.

# How the Problems Are Solved

- Add a `HumanMFAInitSkipped` method to the `users/v2` API.
- MFA skipped was already projected in the `auth.users3` table. In this
PR the same column is added to the users projection. Event handling is
kept the same as in the `UserView`:

<details>


62804ca45f/internal/user/repository/view/model/user.go (L243-L377)

</details>

# Additional Changes

- none

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/9197
2025-01-29 15:12:31 +00:00
Lars
df8bac8a28
feat: bulk scim v2 endpoint (#9256)
# Which Problems Are Solved
* Adds support for the bulk SCIM v2 endpoint

# How the Problems Are Solved
* Adds support for the bulk SCIM v2 endpoint under `POST
/scim/v2/{orgID}/Bulk`

# Additional Context
Part of #8140

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-01-29 14:23:56 +00:00
Lars
accfb7525a
fix: scim 2 filter: the username should be treated case-insensitive (#9257)
# Which Problems Are Solved
- when listing users via scim v2.0 filters applied to the username are
applied case-sensitive

# How the Problems Are Solved
- when a query filter is applied on the username it is applied
case-insensitive

# Additional Context
Part of https://github.com/zitadel/zitadel/issues/8140
2025-01-29 15:22:22 +02:00
Silvan
b10428fb56
test(session): load tests for session api (#9212)
# Which Problems Are Solved

We currently are not able to benchmark the performance of the session
api

# How the Problems Are Solved

Load tests were added to
- use sessions in oidc tokens analogous to
https://zitadel.com/docs/guides/integrate/login-ui/oidc-standard

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/7847
2025-01-29 12:08:20 +00:00
Stefan Benz
679ab58fa1
docs: support docs for SAML session in Custom Login UI (#9144)
# Which Problems Are Solved

SAML session implemented, but no how-to comparable to the OIDC sessions
for custom login available.

# How the Problems Are Solved

Added documentation, which should be also comparable with the OIDC
session for ease-of-use.

# Additional Changes

Added generated SAML API docs.

# Additional Context

Closes #9088 
Follow-up issue #9267

---------

Co-authored-by: Fabienne Bühler <fabienne@zitadel.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-01-29 11:29:48 +00:00
kkrime
5eeff97ffe
feat(session/v2): user password lockout error response (#9233)
# Which Problems Are Solved

Adds a `failed attempts` field to the grpc response when a user enters a
wrong password when logging in

FYI:

this only covers the scenario above; other scenarios where this is not
applied are:
SetPasswordWithVerifyCode
setPassword
ChangPassword
setPasswordWithPermission

# How the Problems Are Solved 

Created new grpc message `CredentialsCheckError` -
`proto/zitadel/message.proto` to include `failed_attempts` field.

Had to create a new package -
`github.com/zitadel/zitadel/internal/command/errors` to resolve cycle
dependency between `github.com/zitadel/zitadel/internal/command` and
`github.com/zitadel/zitadel/internal/command`.

# Additional Changes

- none

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/9198

---------

Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-01-29 10:29:00 +00:00
Lars
21f00c1e6b
fix: scim use first email or phone if no primary is set (#9236)
# Which Problems Are Solved
- scim v2 only maps the primary phone/email to the zitadel user, this
does not work if no primary is set

# How the Problems Are Solved
- the first phone / email is mapped if no primary is available

# Additional Context
Part of #8140

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-01-29 09:18:00 +00:00
Stefan Benz
a59c6b9f84
fix: change usage from filepath to path (#9260)
# Which Problems Are Solved

Paths for setup steps are joined with "\" when binary is started under
Windows, which results in wrongly joined paths.

# How the Problems Are Solved

Replace the usage of "filepath" with "path" package, which does only
join with "/" and nothing OS specific.

# Additional Changes

None

# Additional Context

Closes #9227
2025-01-29 09:53:27 +01:00
Livio Spring
66a3c814db
fix(notifications): cancel on missing channels and Twilio 4xx errors (#9254)
# Which Problems Are Solved

#9185 changed that if a notification channel was not present,
notification workers would no longer retry to send the notification and
would also cancel in case Twilio would return a 4xx error.
However, this would not affect the "legacy" mode.

# How the Problems Are Solved

- Handle `CancelError` in legacy notifier as not failed (event).

# Additional Changes

None

# Additional Context

- relates to #9185
- requires back port to 2.66.x and 2.67.x

(cherry picked from commit 3fc68e5d60bb105c2ac72ca3d9cac7327f240b9b)
2025-01-28 07:40:32 +01:00
Livio Spring
3fc68e5d60
fix(notifications): cancel on missing channels and Twilio 4xx errors (#9254)
# Which Problems Are Solved

#9185 changed that if a notification channel was not present,
notification workers would no longer retry to send the notification and
would also cancel in case Twilio would return a 4xx error.
However, this would not affect the "legacy" mode.

# How the Problems Are Solved

- Handle `CancelError` in legacy notifier as not failed (event).

# Additional Changes

None

# Additional Context

- relates to #9185 
- requires back port to 2.66.x and 2.67.x
2025-01-28 06:32:09 +00:00
Lars
30a54fc1eb
fix: scim user query endpoint don't allow SortBy custom field (#9235)
# Which Problems Are Solved
- scim list users endpoint (`GET /scim/v2/{orgId}/Users`): handle
unsupported `SortBy` columns correctly

# How the Problems Are Solved
- throw an error if sorting by an unsupported column is requested

# Additional Context
Part of #8140
2025-01-27 17:30:27 +00:00
Lars
b19333726c
fix: allow scim content type wildcards (#9245)
# Which Problems Are Solved
- requests to the scim interface with content type `*/*` are rejected

# How the Problems Are Solved
- `*/*` is accepted as content type

# Additional Context
Part of #8140
2025-01-27 16:10:30 +00:00
Lars
741434806a
fix: unified scim metadata key casing (#9244)
# Which Problems Are Solved
- SCIM user metadata mapping keys have differing case styles.

# How the Problems Are Solved
- key casing style is unified to strict camelCase

# Additional Context
Part of #8140

Although this is technically a breaking change, it is considered
acceptable because the SCIM feature is still in the preview stage and
not fully implemented yet.

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-01-27 13:51:58 +00:00
Lars
189f9770c6
feat: patch user scim v2 endpoint (#9219)
# Which Problems Are Solved
* Adds support for the patch user SCIM v2 endpoint

# How the Problems Are Solved
* Adds support for the patch user SCIM v2 endpoint under `PATCH
/scim/v2/{orgID}/Users/{id}`

# Additional Context
Part of #8140
2025-01-27 13:36:07 +01:00
Tim Möhlmann
934faef717
fix(setup): split membership fields migration (#9230)
# Which Problems Are Solved

The membership fields migration timed out in certain cases. It also
tried to migrate instances which were already removed.

# How the Problems Are Solved

Revert the previous fix that combined the repeatable step for multiple
fill triggers. The membership migration is now single-run as it might
take a lot of time. It is not worth making it repeatable. Instance IDs
of removed instances are skipped.

# Additional Changes

None

# Additional Context

Introduced in https://github.com/zitadel/zitadel/pull/9199

(cherry picked from commit ec5f18c16899627bdd8ecf90844641a9bdd8ca47)
2025-01-27 06:41:16 +01:00
Livio Spring
1efeb20215
fix(oidc apps): correctly remove last additional origin, redirect uri and post logout redirect uri (#9209)
# Which Problems Are Solved

A customer reached out to support, that the (last) `additional origin`
could not be removed. While testing / implementation it was discovered,
that the same applied to `redirect_uris` and `post_logout_redirect_uris`

# How the Problems Are Solved

- Correctly set the corresponding array to empty in the event so it can
be differentiated to `null` / not set in case of no change.

# Additional Changes

Replaced `reflect.DeepEqual` with `slices.Equal`

# Additional Context

- Reported to support

(cherry picked from commit c9aa5db2a55ef3c4f6fb62292b69b01973b264e7)
2025-01-27 06:41:16 +01:00
Tim Möhlmann
ec5f18c168
fix(setup): split membership fields migration (#9230)
# Which Problems Are Solved

The membership fields migration timed out in certain cases. It also
tried to migrate instances which were already removed.

# How the Problems Are Solved

Revert the previous fix that combined the repeatable step for multiple
fill triggers. The membership migration is now single-run as it might
take a lot of time. It is not worth making it repeatable. Instance IDs
of removed instances are skipped.

# Additional Changes

None

# Additional Context

Introduced in https://github.com/zitadel/zitadel/pull/9199
2025-01-24 11:24:35 +01:00
kkrime
73577885bf
docs: small update to docs/docs/concepts/architecture/software.md (#9218)
# Which Problems Are Solved
small update to docs/docs/concepts/architecture/software.md
2025-01-23 13:12:49 +00:00
Zach Hirschtritt
e4bbfcccc8
fix: add aggregate type to subquery to utilize indexes (#9226)
# Which Problems Are Solved

The subquery of the notification requested and retry requested is
missing the aggregate_type filter that would allow it to utilize the
`es_projection` or `active_instances_events` on the eventstore.events2
table.

# How the Problems Are Solved

Add additional filter on subquery. Final query: 
```sql
SELECT <all the fields omitted> FROM eventstore.events2
WHERE
    instance_id = $1
    AND aggregate_type = $2
    AND event_type = $3
    AND created_at > $4
    AND aggregate_id NOT IN (
        SELECT aggregate_id
        FROM eventstore.events2
        WHERE
            aggregate_type = $5 <-- NB: previously missing
            AND event_type = ANY ($6)
            AND instance_id = $7
            AND created_at > $8
    )
ORDER BY "position", in_tx_order
LIMIT $9
FOR UPDATE SKIP LOCKED
```

# Additional Changes

# Additional Context

Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-01-22 16:02:37 +00:00
Livio Spring
c9aa5db2a5
fix(oidc apps): correctly remove last additional origin, redirect uri and post logout redirect uri (#9209)
# Which Problems Are Solved

A customer reached out to support, that the (last) `additional origin`
could not be removed. While testing / implementation it was discovered,
that the same applied to `redirect_uris` and `post_logout_redirect_uris`

# How the Problems Are Solved

- Correctly set the corresponding array to empty in the event so it can
be differentiated to `null` / not set in case of no change.

# Additional Changes

Replaced `reflect.DeepEqual` with `slices.Equal`

# Additional Context

- Reported to support
2025-01-22 07:37:37 +00:00
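Both copies of the #9209 fix on this page (the original and its cherry-pick above) describe the same Go pitfall: an event field tagged `omitempty` cannot express "remove the last entry", because a nil slice and an empty slice are both dropped from the JSON. This added example (not ZITADEL's code; struct and field names are illustrative) shows an event whose lists marshal to `null` when unchanged and `[]` when cleared, the `slices.Equal` comparison the commit mentions, and a reducer that tells the two apart.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
)

// oidcApp is a stand-in for the projected app state (assumption: names are
// illustrative, not the project's types).
type oidcApp struct {
	RedirectURIs           []string
	PostLogoutRedirectURIs []string
	AdditionalOrigins      []string
}

// configChangedEvent is the event payload. The fields deliberately have no
// omitempty: a nil slice marshals to null ("unchanged"), an empty slice to []
// ("cleared"). With omitempty both would vanish from the JSON.
type configChangedEvent struct {
	RedirectURIs           []string `json:"redirectUris"`
	PostLogoutRedirectURIs []string `json:"postLogoutRedirectUris"`
	AdditionalOrigins      []string `json:"additionalOrigins"`
}

// withOmitEmpty reproduces the trap: nil and empty are indistinguishable.
type withOmitEmpty struct {
	RedirectURIs []string `json:"redirectUris,omitempty"`
}

// diffList returns nil when nothing changed and otherwise the wanted list;
// removing the last entry yields an empty, non-nil slice. slices.Equal treats
// nil and empty as equal, so "empty stays empty" correctly counts as unchanged.
func diffList(current, wanted []string) []string {
	if slices.Equal(current, wanted) {
		return nil
	}
	if len(wanted) == 0 {
		return []string{}
	}
	return slices.Clone(wanted)
}

// encodeEvent and decodeEvent are the event store round trip in miniature.
func encodeEvent(ev configChangedEvent) string {
	b, err := json.Marshal(ev)
	if err != nil {
		panic(err)
	}
	return string(b)
}

func decodeEvent(raw string) configChangedEvent {
	var ev configChangedEvent
	if err := json.Unmarshal([]byte(raw), &ev); err != nil {
		panic(err)
	}
	return ev
}

// applyEvent is the reducer: nil means "not touched"; anything else replaces
// the list, including an empty slice that clears it.
func applyEvent(app *oidcApp, ev configChangedEvent) {
	if ev.RedirectURIs != nil {
		app.RedirectURIs = ev.RedirectURIs
	}
	if ev.PostLogoutRedirectURIs != nil {
		app.PostLogoutRedirectURIs = ev.PostLogoutRedirectURIs
	}
	if ev.AdditionalOrigins != nil {
		app.AdditionalOrigins = ev.AdditionalOrigins
	}
}

// encodeOmitEmpty shows what the omitempty variant would have stored.
func encodeOmitEmpty(uris []string) string {
	b, _ := json.Marshal(withOmitEmpty{RedirectURIs: uris})
	return string(b)
}

func main() {
	app := oidcApp{
		RedirectURIs:      []string{"https://app.example.com/callback"},
		AdditionalOrigins: []string{"https://app.example.com"},
	}
	// Remove the last redirect URI, leave everything else untouched.
	ev := configChangedEvent{
		RedirectURIs:           diffList(app.RedirectURIs, nil),
		PostLogoutRedirectURIs: diffList(app.PostLogoutRedirectURIs, app.PostLogoutRedirectURIs),
		AdditionalOrigins:      diffList(app.AdditionalOrigins, app.AdditionalOrigins),
	}
	raw := encodeEvent(ev)
	fmt.Println("stored event:", raw)
	applyEvent(&app, decodeEvent(raw))
	fmt.Printf("after reduce: %+v\n", app)
	fmt.Println("omitempty, nil:  ", encodeOmitEmpty(nil))
	fmt.Println("omitempty, empty:", encodeOmitEmpty([]string{}))
}
```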
Lars
1915d35605
feat: list users scim v2 endpoint (#9187)
# Which Problems Are Solved
- Adds support for the list users SCIM v2 endpoint

# How the Problems Are Solved
- Adds support for the list users SCIM v2 endpoints under `GET
/scim/v2/{orgID}/Users` and `POST /scim/v2/{orgID}/Users/.search`

# Additional Changes
- adds a new function `SearchUserMetadataForUsers` to the query layer to
query a metadata keyset for given user ids
- adds a new function `NewUserMetadataExistsQuery` to the query layer to
query a given metadata key value pair exists
- adds a new function `CountUsers` to the query layer to count users
without reading any rows
- handle `ErrorAlreadyExists` as scim errors `uniqueness`
- adds `NumberLessOrEqual` and `NumberGreaterOrEqual` query comparison
methods
- adds `BytesQuery` with `BytesEquals` and `BytesNotEquals` query
comparison methods

# Additional Context
Part of #8140
Supported fields for scim filters:
* `meta.created`
* `meta.lastModified`
* `id`
* `username`
* `name.familyName`
* `name.givenName`
* `emails` and `emails.value`
* `active` only eq and ne
* `externalId` only eq and ne
2025-01-21 13:31:54 +01:00
kkrime
926e7169b2
docs: small update to docs/docs/concepts/features/selfservice.md (#9214)
# Which Problems Are Solved
Small update to docs/docs/concepts/features/selfservice.md to fix issue
in grammar

Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-01-21 09:05:13 +01:00
Livio Spring
a53fc5f5fa
Merge branch 'main' into next
# Conflicts:
#	cmd/setup/config.go
#	cmd/setup/setup.go
#	internal/auth/repository/eventsourcing/eventstore/auth_request.go
2025-01-20 14:22:24 +01:00
Tim Möhlmann
94cbf97534
fix(permissions_v2): add membership fields migration (#9199)
# Which Problems Are Solved

Memberships did not have a fields table fill migration.

# How the Problems Are Solved

Add filling of membership fields to the repeatable steps.

# Additional Changes

- Use the same repeatable step for multiple fill fields handlers.
- Fix an error for PostgreSQL 15 where a subquery in a `FROM` clause
needs an alias in the `permitted_orgs` function.

# Additional Context

- Part of https://github.com/zitadel/zitadel/issues/9188
- Introduced in https://github.com/zitadel/zitadel/pull/9152
2025-01-17 16:16:26 +01:00
Silvan
0719d9d939
fix(eventstore): correct sql push function (#9201)
# Which Problems Are Solved

https://github.com/zitadel/zitadel/pull/9186 introduced the new `push`
sql function for cockroachdb. The function used the wrong database
function to generate the position of the event and would therefore
insert events at a position before events created with an old Zitadel
version.

# How the Problems Are Solved

Instead of `EXTRACT(EPOCH FROM NOW())`, `cluster_logical_timestamp()` is
used to calculate the position of an event.

# Additional Context

- Introduced in https://github.com/zitadel/zitadel/pull/9186
- Affected versions:
https://github.com/zitadel/zitadel/releases/tag/v2.67.3
2025-01-17 15:35:04 +01:00
Silvan
9532c9bea5
fix(eventstore): correct sql push function (#9201)
# Which Problems Are Solved

https://github.com/zitadel/zitadel/pull/9186 introduced the new `push`
sql function for cockroachdb. The function used the wrong database
function to generate the position of the event and would therefore
insert events at a position before events created with an old Zitadel
version.

# How the Problems Are Solved

Instead of `EXTRACT(EPOCH FROM NOW())`, `cluster_logical_timestamp()` is
used to calculate the position of an event.

# Additional Context

- Introduced in https://github.com/zitadel/zitadel/pull/9186
- Affected versions:
https://github.com/zitadel/zitadel/releases/tag/v2.67.3
2025-01-17 15:32:05 +01:00
Livio Spring
96380b977a
fix: cancel notifications on missing channels and configurable (twilio) error codes (#9185)
# Which Problems Are Solved

If a notification channel was not present, notification workers would
retry to the max attempts. This leads to unnecessary load.
Additionally, a client noticed bad actors trying to abuse SMS MFA.

# How the Problems Are Solved

- Directly cancel the notification on:
  - a missing channel and stop retries.
  - any `4xx` errors from Twilio Verify

# Additional Changes

None

# Additional Context

reported by customer

(cherry picked from commit 60857c8d3e0108437a8a8eb5cc4efae5e440af85)
2025-01-17 09:31:10 +01:00
Silvan
35948e9ebb
perf(eventstore): fast push on crdb (#9186)
# Which Problems Are Solved

The performance of the initial push function can further be increased

# How the Problems Are Solved

`eventstore.push`- and `eventstore.commands_to_events`-functions were
rewritten

# Additional Changes

none

# Additional Context

same optimizations as for postgres:
https://github.com/zitadel/zitadel/pull/9092

(cherry picked from commit 690147b30e51322ead9fd1c099141aac17b7d6bc)
2025-01-17 09:31:05 +01:00
Livio Spring
60857c8d3e
fix: cancel notifications on missing channels and configurable (twilio) error codes (#9185)
# Which Problems Are Solved

If a notification channel was not present, notification workers would
retry to the max attempts. This leads to unnecessary load.
Additionally, a client noticed bad actors trying to abuse SMS MFA.

# How the Problems Are Solved

- Directly cancel the notification on:
  - a missing channel and stop retries.
  - any `4xx` errors from Twilio Verify

# Additional Changes

None

# Additional Context

reported by customer
2025-01-17 07:42:14 +00:00
Stefan Benz
3159e38842
fix: case changes on org domain (#9196)
# Which Problems Are Solved

Organization name change results in domain events even if the domain
itself doesn't change.

# How the Problems Are Solved

Check if the domain itself really changes, and if not, don't create the
events.

# Additional Changes

Unittest for this specific case.

# Additional Context

None

(cherry picked from commit 69372e52091634d6654130fd99fabdd9d8f0b61d)
2025-01-17 07:44:24 +01:00
Livio Spring
0c0babf010
fix: correctly get x-forwarded-for for browser info in events (#9149)
# Which Problems Are Solved

Events like "password check succeeded" store some information about the
caller including their IP.
The `X-Forwarded-For` was not correctly logged, but instead the
RemoteAddress.

# How the Problems Are Solved

- Correctly get the `X-Forwarded-For` in canonical form.

# Additional Changes

None

# Additional Context

closes [#9106](https://github.com/zitadel/zitadel/issues/9106)

(cherry picked from commit c966446f803aacfc03fbc0c152e11dbe34e9d64e)
2025-01-17 07:43:49 +01:00
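The #9149 fix above concerns which address ends up in audit events. This added Go example (not ZITADEL's code) reads `X-Forwarded-For` through `http.Header.Get`, which canonicalizes the key, and adds the caveat a reviewer would raise: the header is client-writable, so only the entries appended by your own reverse proxies are trustworthy and the value to record is found by counting from the right. `trustedProxies` is an assumed deployment setting, and all addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// clientIP returns the address to store in audit events such as
// "password check succeeded". trustedProxies is the number of reverse proxies
// in front of the server that append to X-Forwarded-For (assumption: a
// deployment-specific value, not a ZITADEL setting).
func clientIP(h http.Header, remoteAddr string, trustedProxies int) string {
	// http.Header stores keys in canonical form ("X-Forwarded-For");
	// h["x-forwarded-for"] reads a key that is never populated. Get
	// canonicalizes its argument, so the lookup is right however the header
	// was spelled on the wire.
	xff := h.Get("X-Forwarded-For")
	if xff == "" || trustedProxies <= 0 {
		// Nothing we trust: the TCP peer is the best we have.
		return hostOnly(remoteAddr)
	}
	hops := strings.Split(xff, ",")
	// Each trusted proxy appends the peer it talked to, so the last
	// trustedProxies entries were written by infrastructure we control and
	// everything left of them is client-supplied. The entry just before the
	// client-supplied part is the address the first trusted proxy saw.
	idx := len(hops) - trustedProxies
	if idx < 0 {
		idx = 0
	}
	candidate := strings.TrimSpace(hops[idx])
	if net.ParseIP(candidate) == nil {
		// Malformed value: fall back rather than record attacker-chosen text.
		return hostOnly(remoteAddr)
	}
	return candidate
}

// hostOnly strips the port from RemoteAddr ("203.0.113.5:51234", "[::1]:443").
func hostOnly(remoteAddr string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return remoteAddr
	}
	return host
}

func main() {
	// Constructed chain: client 203.0.113.9 -> proxy 10.0.0.2 -> proxy 10.0.0.3 -> server.
	h := http.Header{}
	h.Set("X-Forwarded-For", "203.0.113.9, 10.0.0.2")
	fmt.Println("honest chain:     ", clientIP(h, "10.0.0.3:41234", 2))

	// The client prepends a fake entry; counting from the right ignores it.
	spoofed := http.Header{}
	spoofed.Set("X-Forwarded-For", "198.51.100.1, 203.0.113.9, 10.0.0.2")
	fmt.Println("spoofed chain:    ", clientIP(spoofed, "10.0.0.3:41234", 2))

	// With no trusted proxy the header is ignored entirely.
	fmt.Println("no proxy trusted: ", clientIP(spoofed, "10.0.0.3:41234", 0))

	// A map built with a non-canonical key is invisible to Get: the class of
	// mistake the fix is about, seen from the other side.
	raw := http.Header{"x-forwarded-for": {"203.0.113.9"}}
	fmt.Println("non-canonical key:", clientIP(raw, "[2001:db8::1]:443", 1))
}
```

Taking the first comma-separated entry, which is what many snippets do, would have logged 198.51.100.1 for the spoofed chain; for audit events tied to password checks that is exactly the field an attacker wants to control.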
Tim Möhlmann
5f7dd9aa3d
fix(oidc): ignore algorithm for legacy signer (#9148)
# Which Problems Are Solved

It was possible to set a different algorithm for the legacy signer. This
is not supported however and breaks the token endpoint.

# How the Problems Are Solved

Remove the OIDC.SigningKeyAlgorithm config option and hard-code RS256
for the legacy signer.

# Additional Changes

- none

# Additional Context

Only RS256 is supported by the legacy signer. It was mentioned in the
comment of the config not to use it and use the webkeys resource
instead.

- closes #9121

(cherry picked from commit db8d794794eba191d1b1f3a79ea5b4ec2c90a821)
2025-01-17 07:43:48 +01:00
Alexey Morozov
fd8e5f8cbd
fix(i18n): typo in Russian login description (#9100)
# Which Problems Are Solved

Typo in RU localization on login page.

# How the Problems Are Solved

Fixed typo by replacing to correct text.

# Additional Changes

n/a

# Additional Context

n/a

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
(cherry picked from commit 42cc6dce79bb0659956d358d142a5ecf2cac59f3)
2025-01-17 07:43:30 +01:00
Stefan Benz
1129d7d7c3
fix: only allowed idps in login step (#9136)
# Which Problems Are Solved

If a not allowed IDP is selected, or a now not allowed IDP was selected
before at login, the login will still try to use it as fallback.
The same goes for the linked IDPs which are not necessarily active
anymore, or disallowed through policies.

# How the Problems Are Solved

Check all possible or configured IDPs if they can be used.

# Additional Changes

None

# Additional Context

Addition to #6466

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 8d8f38fb4ca6e767f266ceffa07244c9c55448c2)
2025-01-17 07:43:18 +01:00
Stefan Benz
69372e5209
fix: case changes on org domain (#9196)
# Which Problems Are Solved

Organization name change results in domain events even if the domain
itself doesn't change.

# How the Problems Are Solved

Check if the domain itself really changes, and if not, don't create the
events.

# Additional Changes

Unittest for this specific case.

# Additional Context

None
2025-01-16 16:05:55 +01:00
Silvan
4645045987
refactor: consolidate database pools (#9105)
# Which Problems Are Solved

Zitadel currently uses 3 database pools, 1 for queries, 1 for pushing
events and 1 for scheduled projection updates. This defeats the purpose
of a connection pool which already handles multiple connections.

During load tests we found that the current structure of connection
pools consumes a lot of database resources. The resource usage dropped
after we reduced the amount of database pools to 1 because existing
connections can be used more efficiently.

# How the Problems Are Solved

Removed logic to handle multiple connection pools and use a single one.

# Additional Changes

none

# Additional Context

part of https://github.com/zitadel/zitadel/issues/8352
2025-01-16 11:07:18 +00:00
Lars
07f74730ac
fix: include tzdata to validate timezones in scim (#9195)
# Which Problems Are Solved
- include tzdata in the binary to correctly validate time zones in the
scim layer if the os doesn't have timezone data available.

# How the Problems Are Solved
- by importing the go pkg `"time/tzdata"`

# Additional Context
Part of https://github.com/zitadel/zitadel/issues/8140
2025-01-16 10:34:52 +00:00
Tim Möhlmann
3f6ea78c87
perf: role permissions in database (#9152)
# Which Problems Are Solved

Currently ZITADEL defines organization and instance member roles and
permissions in defaults.yaml. The permission check is done on API call
level. For example: "is this user allowed to make this call on this
org". This makes sense on the V1 API where the API is permission-level
shaped. For example, a search for users always happens in the context of
the organization. (Either the organization the calling user belongs to,
or through membership and the x-zitadel-orgid header.)

However, for resource based APIs we must be able to resolve permissions
by object. For example, an IAM_OWNER listing users should be able to get
all users in an instance based on the query filters. Alternatively a
user may have user.read permissions on one or more orgs. They should be
able to read just those users.

# How the Problems Are Solved

## Role permission mapping

The role permission mappings defined from `defaults.yaml` or local
config override are synchronized to the database on every run of
`zitadel setup`:

- A single query per **aggregate** builds a list of `add` and `remove`
actions needed to reach the desired state of role permission mappings
from the config.
- The required events based on the actions are pushed to the event
store.
- Events define search fields so that permission checking can use the
indices and is strongly consistent for both query and command sides.

The migration is split in the following aggregates:

- System aggregate for roles prefixed with `SYSTEM`
- Each instance for roles not prefixed with `SYSTEM`. This is in
anticipation of instance level management over the API.

## Membership

Current instance / org / project membership events now have field table
definitions. Like the role permissions this ensures strong consistency
while still being able to use the indices of the fields table. A
migration is provided to fill the membership fields.

## Permission check

I aimed at keeping the mental overhead for the developer to a minimum. The
provided implementation only provides a permission check for list
queries for org level resources, for example users. In the `query`
package there is a simple helper function `wherePermittedOrgs` which
makes sure the underlying database function is called as part of the
`SELECT` query and the permitted organizations are part of the `WHERE`
clause. This makes sure results from non-permitted organizations are
omitted. Under the hood:

- A Pg/PlSQL function searches for a list of organization IDs on which the
passed user has the passed permission.
- When the user has the permission on instance level, it returns early
with all organizations.
- The function uses a number of views. The views help mapping the
fields entries into relational data and simplify the code use for the
function. The views provide some pre-filters which allow proper index
usage once the final `WHERE` clauses are set by the function.

# Additional Changes



# Additional Context

Closes #9032
Closes https://github.com/zitadel/zitadel/issues/9014

https://github.com/zitadel/zitadel/issues/9188 defines follow-ups for
the new permission framework based on this concept.
2025-01-16 10:09:15 +00:00
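The permission resolution described in #9152 above, as an added in-memory Go example rather than the project's PL/pgSQL function and views (it is not ZITADEL's code): the role names and the role-to-permission mapping are a constructed sample, `user.read` is the permission the commit mentions, and `listUsers` stands in for `wherePermittedOrgs` by turning the permitted organizations into the filter applied to the result set. The instance-level short cut returns early with every organization, as the commit describes.

```go
package main

import (
	"fmt"
	"sort"
)

// membership is a member entry reduced to what the check needs (assumption:
// illustrative shape). OrgID is empty for an instance-level membership.
type membership struct {
	UserID string
	Role   string
	OrgID  string
}

// userRow is one row of the users projection; ResourceOwner is its org.
type userRow struct {
	ID            string
	ResourceOwner string
}

// permissionIndex holds the role-to-permission mapping (in the project this
// is synchronized from defaults.yaml into the database) and the memberships.
type permissionIndex struct {
	rolePerms   map[string]map[string]bool // role -> permission -> granted
	memberships []membership
	allOrgs     []string
}

// permittedOrgs mirrors the described database function: an instance-level
// role that grants the permission returns early with every organization;
// otherwise the organizations where an org-level role grants it are collected.
func (p *permissionIndex) permittedOrgs(userID, perm string) (orgs []string, instanceWide bool) {
	seen := map[string]bool{}
	for _, m := range p.memberships {
		if m.UserID != userID || !p.rolePerms[m.Role][perm] {
			continue
		}
		if m.OrgID == "" {
			return append([]string(nil), p.allOrgs...), true
		}
		seen[m.OrgID] = true
	}
	for o := range seen {
		orgs = append(orgs, o)
	}
	sort.Strings(orgs)
	return orgs, false
}

// listUsers is the in-memory equivalent of wherePermittedOrgs: the permitted
// organizations become the filter, so rows from other organizations never
// reach the caller, whatever the query filters ask for.
func (p *permissionIndex) listUsers(callerID string, users []userRow) []userRow {
	orgs, _ := p.permittedOrgs(callerID, "user.read")
	allowed := map[string]bool{}
	for _, o := range orgs {
		allowed[o] = true
	}
	var out []userRow
	for _, u := range users {
		if allowed[u.ResourceOwner] {
			out = append(out, u)
		}
	}
	return out
}

// sampleIndex and sampleUsers are constructed data for the demonstration.
func sampleIndex() *permissionIndex {
	return &permissionIndex{
		rolePerms: map[string]map[string]bool{
			"IAM_OWNER":           {"user.read": true, "user.write": true},
			"ORG_USER_MANAGER":    {"user.read": true, "user.write": true},
			"ORG_PROJECT_CREATOR": {"project.create": true},
		},
		memberships: []membership{
			{UserID: "admin", Role: "IAM_OWNER"},
			{UserID: "alice", Role: "ORG_USER_MANAGER", OrgID: "org-a"},
			{UserID: "alice", Role: "ORG_PROJECT_CREATOR", OrgID: "org-b"},
		},
		allOrgs: []string{"org-a", "org-b", "org-c"},
	}
}

var sampleUsers = []userRow{
	{ID: "u1", ResourceOwner: "org-a"},
	{ID: "u2", ResourceOwner: "org-b"},
	{ID: "u3", ResourceOwner: "org-c"},
}

func main() {
	idx := sampleIndex()
	for _, caller := range []string{"admin", "alice", "bob"} {
		orgs, wide := idx.permittedOrgs(caller, "user.read")
		fmt.Printf("%-5s permitted orgs=%v instanceWide=%v visible users=%d\n",
			caller, orgs, wide, len(idx.listUsers(caller, sampleUsers)))
	}
}
```

Alice holds a role in org-b too, but that role does not grant `user.read`, so org-b's users stay invisible to her: the check is per permission, not per membership.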
Silvan
690147b30e
perf(eventstore): fast push on crdb (#9186)
# Which Problems Are Solved

The performance of the initial push function can further be increased

# How the Problems Are Solved

`eventstore.push`- and `eventstore.commands_to_events`-functions were
rewritten

# Additional Changes

none

# Additional Context

same optimizations as for postgres:
https://github.com/zitadel/zitadel/pull/9092
2025-01-15 14:55:48 +00:00
Fabienne Bühler
75f0ad42e6
docs: Login v2 docs (#9159)
# Which Problems Are Solved

As we are going into the Beta testing phase of our new typescript login
(login V2), we need to have a documentation about the capabilities, how
to test, and what the current limitations are.

# How the Problems Are Solved

Added new section for the Login V2

---------

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-01-15 13:29:13 +00:00
Livio Spring
40082745f4
fix(login): allow fallback to local auth in case of IdP errors (#9178)
# Which Problems Are Solved

The current login will always prefer external authentication (through an
IdP) over local authentication. So as soon as either the user had
connected to an IdP or even when the login policy was just set up to
have an IdP allowed, users would be redirected to that IdP for
(re)authentication.
This could lead to problems, where the IdP was not available or any
other error occurred in the process (such as secret expired for
EntraID).
Even when local authentication (passkeys or password) was allowed for
the corresponding user, they would always be redirected to the IdP
again, preventing any authentication. If admins were affected, they
might not even be able to update the client secret of the IdP.

# How the Problems Are Solved

Errors during the external IdP flow are handled in an
`externalAuthFailed` function, which will check if the organisation
allows local authentication and if the user has set up such.
If either password or passkeys is set up, the corresponding login page
will be presented to the user. As already with local auth passkeys is
preferred over password authentication.
The user is informed that the external login failed and fell back to
local auth by an error on the corresponding page in a focused mode. On any
interaction or after 5 seconds the focus mode is disabled.

# Additional Changes

None.

# Additional Context

closes #6466
2025-01-15 10:39:28 +00:00