Commit Graph

3318 Commits

Author SHA1 Message Date
Livio Spring
74624018c2
feat(actions): allow getting metadata of organizations from user grants (#7782)
* feat(actions): allow getting metadata of (other) organizations from user grants

* docs add action example
2024-04-22 11:34:23 +00:00
Livio Spring
9d754d84b3
chore: update stable to v2.45.6 (#7818) 2024-04-22 11:05:01 +00:00
Silvan
13b566e0d9
fix(query): reduce app query overhead (#7817)
* fix(query): reduce app query overhead
2024-04-22 11:30:56 +02:00
Florian Forster
cca4b715c0
chore: typo in api docs (#7803) 2024-04-19 11:46:05 +02:00
mffap
a63dceb9bc
chore: Update readme with new features and links (#7798)
Update readme with new features and links
2024-04-18 19:48:29 +00:00
Elio Bischof
4823e47977
docs: fix knative docs (#7752)
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-04-18 13:45:15 +00:00
Tim Möhlmann
029a6d393a
fix(crdb): obtain latest sequences when the tx is retried (#7795) 2024-04-18 13:07:05 +00:00
Silvan
d337668599
chore: init load tests (#7635)
* init load tests

* add machine pat

* setup app

* add introspect

* use xk6-modules repo

* logging

* add teardown

* add manipulate user

* add manipulate user

* remove logs

* convert tests to ts

* add readme

* zitadel

* review comments
2024-04-18 12:21:07 +03:00
Tim Möhlmann
dbb824a73f
chore(oidc): add refresh token error integration test (#7766)
We are trying to reproduce a few 500 responses we observe on zitadel cloud's token endpoint.
As in the past these were caused by wrongly encoded or encrypted refresh tokens, I created a integration test which tries to reproduce 500 errors by sending invalid refresh tokens.

The added test does not reproduce 500s, all returned errors are in the 400 range as they should. However, as the test is already written, we might as well include them.

Related to #7765

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-04-17 08:38:03 +00:00
Tim Möhlmann
9ccbbe05bc
fix(oidc): roles in userinfo for client credentials token (#7763)
* fix(oidc): roles in userinfo for client credentials token

When tokens were obtained using the client credentials grant,
with audience and role scopes, userinfo would not return the role claims. This had multiple causes:

1. There is no auth request flow, so for legacy userinfo project data was never attached to the token
2. For optimized userinfo, there is no client ID that maps to an application. The client ID for client credentials is the machine user's name. There we can't obtain a project ID. When the project ID remained empty, we always ignored the roleAudience.

This PR fixes situation 2, by always taking the roleAudience into account, even when the projectID is empty. The code responsible for the bug is also refactored to be more readable and understandable, including additional godoc.

The fix only applies to the optimized userinfo code introduced in #7706 and released in v2.50 (currently in RC). Therefore it can't be back-ported to earlier versions.

Fixes #6662

* chore(deps): update all go deps (#7764)

This change updates all go modules, including oidc, a major version of go-jose and the go 1.22 release.

* Revert "chore(deps): update all go deps" (#7772)

Revert "chore(deps): update all go deps (#7764)"

This reverts commit 6893e7d060.

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-04-16 13:02:38 +00:00
Silvan
9bcfa12be2
fix(middleware): init translation messages (#7778)
* fix(middleware): init translation messages

* revert change

* refactor: split loop in separate function

* add imports to ensure init of fs
2024-04-16 12:08:18 +00:00
Silvan
386addc718
chore: remove bloating span (#7780)
* fix(query): query event editors only once per call

* remove span
2024-04-16 11:19:17 +00:00
Silvan
f412687427
fix(query): query event editors only once per call (#7776)
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-04-16 10:42:31 +00:00
Tim Möhlmann
be00e3861a
fix(oidc): make device auth audience and scope nullable (#7777)
This fixes the projection of events that have a null audience or scope.
As audience was added in v2.50, legacy events do not have an audience, this made replay of the old events not possible after an upgrade.
2024-04-16 10:34:38 +02:00
mffap
48d7307d0e
docs(features): external user grant (#7771)
* docs(features): external user grant

* cross link

* add image

* fix link to blog

* Apply suggestions from code review

Co-authored-by: Florian Forster <florian@zitadel.com>

---------

Co-authored-by: Florian Forster <florian@zitadel.com>
2024-04-15 12:13:05 +00:00
dependabot[bot]
6f16561f4d
chore(deps): bump actions/add-to-project from 0.6.1 to 1.0.1 (#7767)
Bumps [actions/add-to-project](https://github.com/actions/add-to-project) from 0.6.1 to 1.0.1.
- [Release notes](https://github.com/actions/add-to-project/releases)
- [Commits](https://github.com/actions/add-to-project/compare/v0.6.1...v1.0.1)

---
updated-dependencies:
- dependency-name: actions/add-to-project
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-15 10:36:23 +00:00
dependabot[bot]
6a1ec149d3
chore(deps): bump actions/github-script from 6 to 7 (#7768)
Bumps [actions/github-script](https://github.com/actions/github-script) from 6 to 7.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-15 10:13:19 +00:00
dependabot[bot]
e613ad6453
chore(deps): bump codecov/codecov-action from 4.1.0 to 4.3.0 (#7747)
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.1.0 to 4.3.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v4.1.0...v4.3.0)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-15 09:50:47 +00:00
Tim Möhlmann
fe9bb49caa
chore(deps): update all go deps (#7773)
This change updates all go modules, including oidc, a major version of go-jose and the go 1.22 release.
2024-04-15 09:17:36 +00:00
Livio Spring
6e5e8d06b4
chore(stable): update to 2.44.7 (#7770) 2024-04-15 09:56:22 +02:00
Elio Bischof
5b34aabbdd
fix(setup): decode role mappings (#7760) 2024-04-14 12:55:54 +03:00
Max Peintner
9865425a0c
docs: update state of typescript repository (#7754)
Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-04-11 09:02:31 +00:00
Elio Bischof
2de66dcf95
fix(console): keep default idps active (#7663)
* fix(console): keep default idps active

* rename var

* rename var

* use Promise.all()

* lint

---------

Co-authored-by: Max Peintner <max@caos.ch>
2024-04-11 08:29:25 +00:00
Miguel Cabrerizo
d229da6af7
feat: SMTP Templates (#6932)
* feat: smtp templates poc

* feat: add isActive & ProviderType to SMTP backend

* feat: change providertype to uint32 and fix tests

* feat: minimal smtp provider component

* feat: woking on diiferent providers

* feat: keep working on providers

* feat: initial stepper for new provider

* fix: settings list and working on stepper

* feat: step 1 and 2 form inputs

* feat: starter for smtp test step

* fix: misspelled SMPT

* fix: remove tests for now

* feat: add tls toggle remove old google provider

* feat: working on add smtp and table

* fix: duplicated identifiers

* fix: settings list

* fix: add missing smtp config properties

* fix: add configID to smtp config table

* fix: working on listproviders

* feat: working in listSMTPConfigs

* fix: add count to listsmtpconfigs

* fix: getting empty results from listSMTPConfigs

* feat: table now shows real data

* fix: remaining styles for smtp-table

* fix: remove old notification-smtp-provider-component

* feat: delete smtp configuration

* feat: deactivate smtp config

* feat: replace isActive with state for smtp config

* feat: activate smtp config

* fix: remaining errors after main merge

* fix: list smtp providers panic and material mdc

* feat: refactor to only one provider component

* feat: current provider details view

* fix: refactor AddSMTPConfig and ChangeSMTPConfig

* fix: smtp config reduce issue

* fix: recover domain in NewIAMSMTPConfigWriteModel

* fix: add code needed by SetUpInstance

* fix: go tests and warn about passing context to InstanceAggregateFromWriteModel

* fix: i18n and add missing trans for fr, it, zh

* fix: add e2e tests

* docs: add smtp templates

* fix: remove provider_type, add description

* fix: remaining error from merge main

* fix: add @stebenz change for primary key

* fix: inactive placed after removed to prevent deleted configs to show as inactive

* fix: smtp provider id can be empty (migrated)

* feat: add mailchimp transactional template

* feat: add Brevo (Sendinblue) template

* feat: change brevo logo, add color to tls icon

* fix: queries use resourceowner, id must not be empty

* fix: deal with old smtp settings and tests

* fix: resourceOwner is the instanceID

* fix: remove aggregate_id, rename SMTPConfigByAggregateID with SMTPConfigActive

* fix: add tests for multiple configs with different IDs

* fix: conflict

* fix: remove notification-smtp-provider

* fix: add @peintnermax suggestions, rename module and fix e2e tests

* fix: remove material legacy modules

* fix: remove ctx as parameter for  InstanceAggregateFromWriteModel

* fix: add Id to SMTPConfigToPb

* fix:  change InstanceAggregateFromWriteModel to avoid linter errors

* fix import

* rm unused package-lock

* update yarn lock

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-04-11 09:16:10 +02:00
Max Peintner
e2f0cd034a
fix: overflow of aggregates filter in console, add missing aggregates translations, update yarn lock (#7712)
* fix: overflow of aggregates filter, missing aggregates translations

* rm duplicate line

* missing i18n

* reset account card
2024-04-10 17:07:59 +00:00
Max Peintner
2061d1acdc
feat(console): feature settings (#7713)
* feature settings

* feature component, i18n

* i18n, save settings

* i18n

* reset button, state if system inherited, i18n

* iam.restrictions.read

* refetch feature after reset

* use toggles instead of checkboxes

* i18n

* rm logs

* fix i18n

* show unspecified as inherited

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-04-10 16:30:58 +00:00
Livio Spring
dcfa2f7955
feat(idp): provide option to auto link user (#7734)
* init auto linking

* prompt handling

* working

* translations

* console

* fixes

* unify

* custom texts

* fix tests

* linting

* fix check of existing user

* fix bg translation

* set unspecified as default in the form
2024-04-10 15:46:30 +00:00
Tim Möhlmann
b3e3239d76
chore(oidc): add additional spans to userinfo code paths (#7749) 2024-04-10 17:05:13 +02:00
Elio Bischof
0267415126
chore: avoid latest on maintenance releases (#7702)
* chore: avoid latest on maintenance releases

* update semantic

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-04-10 11:56:05 +00:00
Livio Spring
3711130d42
fix(idp): use persistent nameid-format in saml request (#7745) 2024-04-10 10:05:07 +00:00
Livio Spring
a282ac09a1
feat: provide option to limit (T)OTP checks (#7693)
* feat: provide option to limit (T)OTP checks

* fix requests in console

* update errors pkg

* cleanup

* cleanup

* improve naming of existing config
2024-04-10 09:15:25 +00:00
Livio Spring
153df2e12f
feat: provide option to limit (T)OTP checks (#7693)
* feat: provide option to limit (T)OTP checks

* fix requests in console

* update errors pkg

* cleanup

* cleanup

* improve naming of existing config
2024-04-10 09:14:55 +00:00
Livio Spring
e3f10f7e23
fix: correctly check user by loginname (#7740) 2024-04-10 07:18:57 +00:00
Livio Spring
2566f33aa2
docs(actions): describe user grant list (#7687) 2024-04-10 09:02:13 +02:00
Elio Bischof
e8601de8e6
fix: check idp existence by org id (#7667)
* fix: search idp by org

* fix unit test

* remove unused method

* test(e2e): await input enabled

* test: policy with org idp
2024-04-09 19:32:00 +00:00
Stefan Benz
6dcdef0268
fix: add action v2 execution to features (#7597)
* fix: add action v2 execution to features

* fix: add action v2 execution to features

* fix: add action v2 execution to features

* fix: update internal/command/instance_features_model.go

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

* fix: merge back main

* fix: merge back main

* fix: rename feature and service

* fix: rename feature and service

* fix: review changes

* fix: review changes

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-04-09 20:21:21 +03:00
Tim Möhlmann
6a51c4b0f5
feat(oidc): optimize the userinfo endpoint (#7706)
* feat(oidc): optimize the userinfo endpoint

* store project ID in the access token

* query for projectID if not in token

* add scope based tests

* Revert "store project ID in the access token"

This reverts commit 5f0262f239.

* query project role assertion

* use project role assertion setting to return roles

* workaround eventual consistency and handle PAT

* do not append empty project id
2024-04-09 15:15:35 +02:00
Tim Möhlmann
c8e0b30e17
fix(oidc): return bad request for base64 errors (#7730)
* fix(oidc): return bad request for base64 errors

We've recently noticed an increased amount of 500: internal server error status returns on zitadel cloud.
The source of these errors appear to be erroneous input in fields that are supposed to be bas64 formatted.

```
time=2024-04-08T14:05:47.600Z level=ERROR msg="request error" oidc_error.parent="ID=OIDC-AhX2u Message=Errors.Internal Parent=(illegal base64 data at input byte 8)" oidc_error.description=Errors.Internal oidc_error.type=server_error status_code=500
```

Within the possible code paths of the token endpoint there are a couple of uses of base64.Encoding.DecodeString of which a returned error was not properly wrapped, but returned as-is.
This causes the oidc error handler to return a 500 with the `OIDC-AhX2u` ID.
We were not able to pinpoint the exact errors that are happening to any one call of `DecodeString`.

This fix wraps all errors from `DecodeString` so that proper 400: bad request is returned with information about the error. Each wrapper now has an unique error ID, so that logs will contain the source of the error as well.

This bug was reported internally by the ops team.

* catch op.ErrInvalidRefreshToken
2024-04-09 08:42:59 +02:00
thariton
3bbf38acc5
docs: postgres healthcheck failing (#7692) 2024-04-08 14:08:06 +00:00
wanshuangcheng
a096b7e5d4
chore: fix function names in comment (#7723)
Signed-off-by: wanshuangcheng <wanshuangcheng@outlook.com>
2024-04-08 08:15:44 +00:00
mffap
b0e515243d
docs(legal): add responsibilities in service description (#7711) 2024-04-05 11:23:21 +00:00
Elio Bischof
f5608246d0
fix(console): enable metadata by url (#7704)
Co-authored-by: Max Peintner <max@caos.ch>
2024-04-05 10:11:29 +00:00
Tim Möhlmann
2089992d75
feat(crypto): use passwap for machine and app secrets (#7657)
* feat(crypto): use passwap for machine and app secrets

* fix command package tests

* add hash generator command test

* naming convention, fix query tests

* rename PasswordHasher and cleanup start commands

* add reducer tests

* fix intergration tests, cleanup old config

* add app secret unit tests

* solve setup panics

* fix push of updated events

* add missing event translations

* update documentation

* solve linter errors

* remove nolint:SA1019 as it doesn't seem to help anyway

* add nolint to deprecated filter usage

* update users migration version

* remove unused ClientSecret from APIConfigChangedEvent

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-04-05 09:35:49 +00:00
Livio Spring
5931fb8f28
chore: update stable to 2.43.11 (#7705) 2024-04-04 18:06:36 +00:00
Livio Spring
29ad51b0e3
fix(oidc): correctly return new refresh token on refresh token grant (#7707)
* fix(oidc): correctly return new refresh token on refresh token grant

* fix import
2024-04-04 15:58:40 +00:00
Vignesh Sankar Iyer
a988b9cc05
fix: Update url to redirect to name change url (#7683)
* update url to redirect to name change url

* Update register_option.html

* Update register_option.html

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-04-04 06:16:58 +00:00
Tim Möhlmann
9b3f3e4cd9
fix(idp): do not call userinfo when mapping from ID token is configured (#7696)
* fix(idp): do not call userinfo when mapping from ID token is configured

This change prevents the call of the Userinfo endpoint of a OIDC IDP if the IDP is configured to use the ID token for user information instead.
A unit test has been added to confirm the corrected behavior.

Closes #7373

* video for e2e

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-04-04 05:41:44 +00:00
Livio Spring
f862e43ede
chore(workflow): run e2e on non standard runners (#7698)
Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-04-03 22:15:00 +00:00
Alex Rimlin
fa9635eb93
docs(guides/integrate/service-users/private-key-jwt): (#7677)
* docs(guides/integrate/service-users/private-key-jwt): adjust incomplete, outdated and incorrect parts of the python example.

* wrong variable name for kid in the header

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-04-03 15:51:13 +00:00
Tim Möhlmann
25ef3da9d5
refactor(fmt): run gci on complete project (#7557)
chore(fmt): run gci on complete project

Fix global import formatting in go code by running the `gci` command. This allows us to just use the command directly, instead of fixing the import order manually for the linter, on each PR.

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-04-03 10:43:43 +00:00