Commit Graph

1393 Commits

Author SHA1 Message Date
Livio Spring
7f7fb55f34
fix: use configured binding on SAML IDPs and make sure CSP doesn't block POST binding (#7341)
fix: use configured binding on SAML IDPs and make sure CSP doesn't block POST binding
2024-02-05 14:45:15 +00:00
Livio Spring
e000fdd792
fix: handle context correctly in processEvents (#7320) 2024-01-31 11:25:28 +01:00
Silvan
aa407c3c3e
fix(auth): optimise user sessions (#7199)
* fix(auth): start optimise user sessions

* reduce and query user sessions directly without gorm statements

* cleanup

* cleanup

* fix requested changes

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-01-30 15:17:54 +00:00
Livio Spring
c20204d84d
fix: set userAgentID in password change event if available (#7319) 2024-01-30 15:36:34 +01:00
Tim Möhlmann
df57a64ed7
fix(oidc): ignore public key expiry for ID Token hints (#7293)
* fix(oidc): ignore public key expiry for ID Token hints

This splits the key sets used for access token and ID token hints.
ID Token hints should be able to be verified by with public keys that are already expired.
However, we do not want to change this behavior for Access Tokens,
where an error for an expired public key is still returned.

The public key cache is modified to purge public keys based on last use,
instead of expiry.
The cache is shared between both verifiers.

* resolve review comments

* pin oidc 3.11
2024-01-29 15:11:52 +00:00
Livio Spring
121f9f8da1
feat(actions): add org metadata in complement token and saml response flows (#7263)
* feat(actions): add org metadata in complement token and saml response flows

* document actions
2024-01-26 08:56:10 +00:00
Silvan
17953e9040
fix(setup): init projections (#7194)
Even though this is a feature it's released as fix so that we can back port to earlier revisions.

As reported by multiple users startup of ZITADEL after leaded to downtime and worst case rollbacks to the previously deployed version.

The problem starts rising when there are too many events to process after the start of ZITADEL. The root cause are changes on projections (database tables) which must be recomputed. This PR solves this problem by adding a new step to the setup phase which prefills the projections. The step can be enabled by adding the `--init-projections`-flag to `setup`, `start-from-init` and `start-from-setup`. Setting this flag results in potentially longer duration of the setup phase but reduces the risk of the problems mentioned in the paragraph above.
2024-01-25 17:28:20 +01:00
Miguel Cabrerizo
d590da7c7d
fix(console): display granted org name in authorizations and show user information (#7116)
* fix: add granted org info to user grants query response

* fix: show user info, tests and add columns to user grant

* fix: add check for org membership

* fix: typo in find logic

---------

Co-authored-by: Max Peintner <max@caos.ch>
2024-01-24 11:36:04 +01:00
Miguel Cabrerizo
89169b64ff
fix: detect autofill in chrome to enable login buttons (#7056)
* fix: detect autofill in chrome to enable login buttons

* fix: add -webkit-autofill to input scss

---------

Co-authored-by: Max Peintner <max@caos.ch>
2024-01-22 10:24:36 +01:00
Livio Spring
8470649ecb
chore: pin crdb version for unit tests (#7260)
* chore: pin crdb version for unit tests

* use latest 23.1 version

* use latest available 23.1 version
2024-01-18 08:16:54 +00:00
Tim Möhlmann
af4e0484d0
fix: uniform oidc errors (#7237)
* fix: uniform oidc errors

sanitize oidc error reporting when passing package boundary towards oidc.

* add should TriggerBulk in get audiences for auth request

* upgrade to oidc 3.10.1

* provisional oidc upgrade to error branch

* pin oidc 3.10.2
2024-01-18 07:10:49 +01:00
Elio Bischof
cdfcdec101
test(integration, user): fix flakiness (#7252)
* test: fix user integration test flakiness

* assert with *assert.CollectT
2024-01-17 16:24:11 +01:00
Elio Bischof
ed0bc39ea4
feat: block instances (#7129)
* docs: fix init description typos

* feat: block instances using limits

* translate

* unit tests

* fix translations

* redirect /ui/login

* fix http interceptor

* cleanup

* fix http interceptor

* fix: delete cookies on gateway 200

* add integration tests

* add command test

* docs

* fix integration tests

* add bulk api and integration test

* optimize bulk set limits

* unit test bulk limits

* fix broken link

* fix assets middleware

* fix broken link

* validate instance id format

* Update internal/eventstore/search_query.go

Co-authored-by: Livio Spring <livio.a@gmail.com>

* remove support for owner bulk limit commands

* project limits to instances

* migrate instances projection

* Revert "migrate instances projection"

This reverts commit 214218732a.

* join limits, remove owner

* remove todo

* use optional bool

* normally validate instance ids

* use 302

* cleanup

* cleanup

* Update internal/api/grpc/system/limits_converter.go

Co-authored-by: Livio Spring <livio.a@gmail.com>

* remove owner

* remove owner from reset

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-01-17 10:16:48 +00:00
Stefan Benz
d9d376a275
feat: user v2 service query (#7095)
* feat: add query endpoints for user v2 api

* fix: correct integration tests

* fix: correct linting

* fix: correct linting

* fix: comment out permission check on user get and list

* fix: permission check on user v2 query

* fix: merge back origin/main

* fix: add search query in user emails

* fix: reset count for SearchUser if users are removed due to permissions

* fix: reset count for SearchUser if users are removed due to permissions

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-01-17 10:00:10 +01:00
Livio Spring
96d0291848
fix: enable iframe use on http://localhost (#7152)
* fix: enable iframe use on http://localhost

* docs(iframe): add info about cookies

* improve comments
2024-01-16 11:28:56 +01:00
Tim Möhlmann
c0b355e24a
fix: pass configured slog to oidc server (#7229) 2024-01-16 06:37:36 +00:00
Elio Bischof
29b386005d
fix(origin): fall back to ExternalSecure (#7228)
* fix(origin): fall back to ExternalSecure

* avoid middleware.Middleware

* avoid else

* lint
2024-01-15 16:44:35 +00:00
Silvan
3c5fc31372
fix(handler): handle trigger err correctly (#7205) 2024-01-11 17:55:50 +00:00
Stefan Benz
3d3264eb8f
fix: add RollbackUnlessCommitted for gorm transactions (#7197) 2024-01-10 23:02:50 +00:00
Livio Spring
7c592ce638
fix(idp): provide id_token for tenant id based azure ad (#7188)
* fix(idp): provide id_token for tenant based azure ad

* comments

* remove unintentional changes
2024-01-10 15:02:17 +00:00
Silvan
43f1d59649
fix(auth): efficient user session projection (#7187)
* fix(auth): cache users during session projection

* fix(auth.user_sessions): add index for more efficient by user search
2024-01-09 18:36:46 +00:00
Tim Möhlmann
62cb29aba9
fix(query): separate login policy queries (#7174)
This change moves IDPLoginPolicyLinks out of the scan function Login Policy queries in order to prevent potential deadlocks.
2024-01-08 21:13:46 +00:00
Miguel Cabrerizo
17153b694e
feat: search users by list of emails (users/_search) (#6983)
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-01-08 18:45:54 +01:00
Stefan Benz
e769b163ef
perf: user grant owner removed (#6962)
* fix: change logic for usergrants projection with no selects

* fix: change logic for usergrants projection with one select

* fix: move resource owner select to single function

* fix: move resource owner select to single function

* fix: changes after merge

* fix: changes after merge

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-01-08 15:26:30 +00:00
Miguel Cabrerizo
93c3763a1c
fix: add back button to password reset done (#7119)
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-01-08 11:56:40 +00:00
Miguel Cabrerizo
3f4aea1a75
fix: replace password back button with arrow (#7120)
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-01-08 11:23:34 +00:00
Silvan
1f30776fc2
fix(login): correct rendering of idps (#7151) 2024-01-05 14:35:51 +00:00
Silvan
a5d4b08a99
fix(cleanup): cleanup all stuck states (#7145)
* fix(setup): unmarshal of failed step

* fix(cleanup): cleanup all stuck states

* use lastRun for repeatable steps

* typo

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-01-05 09:01:48 +00:00
Silvan
41215bdc0a
fix(setup): unmarshal of failed step (#7144) 2024-01-05 06:29:57 +00:00
Silvan
aa2d642e97
fix(handler): updated failed events (#7146) 2024-01-04 21:36:08 +00:00
Silvan
b7d027e2fd
fix(db): always use begin tx (#7142)
* fix(db): always use begin tx

* fix(handler): timeout for begin
2024-01-04 16:12:20 +00:00
Livio Spring
c0cef4983a
fix: correctly respect maxFailureCount (#7143) 2024-01-04 15:46:25 +00:00
Silvan
8bc56f6fe7
fix(query): escape wildcards in text search (#7131) (#7135)
* fix(query): escape like wildcards

* test: search query wildcards

* add do nothing
2024-01-02 16:27:36 +01:00
Silvan
9892fd92b6
refactor: cleanup unused code (#7130)
* refactor: drop unused code

* refactor: drop unused code
2024-01-02 14:26:31 +00:00
Silvan
a8b8c89f73
perf(query): increase speed of user queries (#7126) (#7128)
* perf(query): increase speed of user queries
2024-01-02 14:41:46 +01:00
Silvan
cc2dd8b20b
fix(eventstore): increase performance on push (#7125) 2023-12-31 15:30:25 +01:00
Silvan
6d3ce8d5ab
fix(projection): correct type cast of user grant reactivated (#7123)
* fix(projection): correct type cast of user grant reactivated

* test: correct mapper
2023-12-31 14:03:23 +01:00
Tim Möhlmann
45ccdcfa99
fix(oidc): nil check for client secret (#7115)
This fixes a nil pointer panic when client basic auth is attempted on a client without secret in introspection.
2023-12-28 13:31:41 +00:00
Yordis Prieto
9d5d1cf3ea
feat: allow glob redirects (#7091)
fixes #5110
2023-12-28 11:25:18 +02:00
Tim Möhlmann
85eb2eda0b
fix(oidc): refresh token for device authorization (#7104)
fix(oidc); refresh token for device authorization

Due to a mis-alignment of OIDC interface and concrete implementations in zitadel, requesting a refresh token for device authorization would fail.
This change adds the possibility to to use the op.IDTokenRequest directly.
Also, the UserAgentID is dropped as required parameter, as devices do not have a user agent.
2023-12-21 13:57:33 +00:00
Silvan
5ce542b959
fix(handler): allow uint32 offset for migration scenarios (#7103) 2023-12-21 10:40:51 +00:00
Stefan Benz
a0a82b59e1
feat: user service v2 create, update and remove (#6996)
* feat: user service v2 remove user

* feat: user service v2 add user human

* feat: user service v2 change user human

* feat: user service v2 change user human unit tests

* feat: user service v2 reactivate, deactivate, lock, unlock user

* feat: user service v2 integration tests

* fix: merge back origin/main

* lint: linter corrections

* fix: move permission check for isVerfied and password change

* fix: add deprecated notices and other review comments

* fix: consistent naming in proto

* fix: errors package renaming

* fix: remove / delete user renaming in integration test

* fix: machine user status changes through user v2 api

* fix: linting changes

* fix: linting changes

* fix: changes from review

* fix: changes from review

* fix: changes from review

* fix: changes from review

* fix: changes from review

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-12-21 10:03:37 +01:00
Tim Möhlmann
fe1337536f
fix(db): add additional connection pool for projection spooling (#7094)
* fix(db): add additional connection pool for projection spooling

* use correct connection pool for projections

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-12-20 16:13:04 +00:00
Tim Möhlmann
e22689c125
feat(oidc): id token for device authorization (#7088)
* cleanup todo

* pass id token details to oidc

* feat(oidc): id token for device authorization

This changes updates to the newest oidc version,
so the Device Authorization grant can return ID tokens when
the scope `openid` is set.
There is also some refactoring done, so that the eventstore can be
queried directly when polling for state.
The projection is cleaned up to a minimum with only data required for the login UI.

* try to be explicit wit hthe timezone to fix github

* pin oidc v3.8.0

* remove TBD entry
2023-12-20 13:21:08 +01:00
Livio Spring
edaa41903e
fix(projections): handle every instance by default and randomize start (#7093) 2023-12-19 13:32:08 +02:00
Elio Bischof
c3e6257d68
fix: keep user idp links (#7079)
* login

* auth methods

* NewIDPUserLinksActiveQuery

* use has_login_policy projection

* fix unit tests

* docs

* keep old user links projection

* fix tests

* cleanup

* cleanup comments

* test idp links are not removed

* idempotent auth method test

* idempotent auth method test
2023-12-19 10:25:50 +00:00
Tim Möhlmann
1adfca9d28
fix(crypto): allow parsing of cost int from env string (#7061)
fic(crypto): allow parsing of cost int from env string
2023-12-15 11:16:05 +00:00
Livio Spring
19d9b8ad41
fix: reduce eventual consistency (#7075)
* fix: reduce eventual consistency

* fix tests

* fix linting
2023-12-14 11:07:47 +01:00
Livio Spring
831bb88ec4
fix: correctly delete sessions created before 2.42 (#7050)
* fix: correctly delete sessions created before 2.42

* fix test

* fix linting

* fixes requested from review
2023-12-09 08:59:51 +00:00
Livio Spring
aa3c352ae7
fix: update external username on idp if auto update is enabled (#7048)
* fix: update external username on idp if auto update is enabled

* update errors package
2023-12-08 18:22:07 +01:00