Commit Graph

1634 Commits

Author SHA1 Message Date
Silvan
b15857821b fix(fields): await running queries during trigger (#8391)
# Which Problems Are Solved

During triggering of the fields table WriteTooOld errors can occure when
using cockroachdb.

# How the Problems Are Solved

The statements exclusively lock the projection before they start to
insert data by using `FOR UPDATE`.
2024-08-06 13:59:06 +02:00
Tim Möhlmann
3759ed9f08 fix(crypto): reject decrypted strings with non-UTF8 characters. (#8374)
# Which Problems Are Solved

We noticed logging where 500: Internal Server errors were returned from
the token endpoint, mostly for the `refresh_token` grant. The error was
thrown by the database as it received non-UTF8 strings for token IDs

Zitadel uses symmetric encryption for opaque tokens, including refresh
tokens. Encrypted values are base64 encoded. It appeared to be possible
to send garbage base64 to the token endpoint, which will pass decryption
and string-splitting. In those cases the resulting ID is not a valid
UTF-8 string.

Invalid non-UTF8 strings are now rejected during token decryption.

# How the Problems Are Solved

- `AESCrypto.DecryptString()` checks if the decrypted bytes only contain
valid UTF-8 characters before converting them into a string.
- `AESCrypto.Decrypt()` is unmodified and still allows decryption on
non-UTF8 byte strings.
- `FromRefreshToken` now uses `DecryptString` instead of `Decrypt`

# Additional Changes

- Unit tests added for `FromRefreshToken` and
`AESCrypto.DecryptString()`.
- Fuzz tests added for `FromRefreshToken` and
`AESCrypto.DecryptString()`. This was to pinpoint the problem
- Testdata with values that resulted in invalid strings are committed.
In the pipeline this results in the Fuzz tests to execute as regular
unit-test cases. As we don't use the `-fuzz` flag in the pipeline no
further fuzzing is performed.

# Additional Context

- Closes #7765
- https://go.dev/doc/tutorial/fuzz
2024-08-06 13:58:53 +02:00
Livio Spring
b0e71a81ef
fix: prevent error reason leakage in case of IgnoreUnknownUsernames (#8372)
# Which Problems Are Solved

ZITADEL administrators can enable a setting called "Ignoring unknown
usernames" which helps mitigate attacks that try to guess/enumerate
usernames. If enabled, ZITADEL will show the password prompt even if the
user doesn't exist and report "Username or Password invalid".
Due to a implementation change to prevent deadlocks calling the
database, the flag would not be correctly respected in all cases and an
attacker would gain information if an account exist within ZITADEL,
since the error message shows "object not found" instead of the generic
error message.

# How the Problems Are Solved

- Proper check of the error using an error function / type and
`errors.Is`

# Additional Changes

None.

# Additional Context

- raised in a support request

Co-authored-by: Silvan <silvan.reusser@gmail.com>
(cherry picked from commit a1d24353db)
2024-07-31 14:34:10 +02:00
Livio Spring
f846616a3f
fix: sanitize output for email (#8373)
# Which Problems Are Solved

ZITADEL uses HTML for emails and renders certain information such as
usernames dynamically. That information can be entered by users or
administrators. Due to a missing output sanitization, these emails could
include malicious code.
This may potentially lead to a threat where an attacker, without
privileges, could send out altered notifications that are part of the
registration processes. An attacker could create a malicious link, where
the injected code would be rendered as part of the email.

During investigation of this issue a related issue was found and
mitigated, where on the user's detail page the username was not
sanitized and would also render HTML, giving an attacker the same
vulnerability.

While it was possible to inject HTML including javascript, the execution
of such scripts would be prevented by most email clients and the Content
Security Policy in Console UI.

# How the Problems Are Solved

- All arguments used for email are sanitized (`html.EscapeString`)
- The email text no longer `html.UnescapeString` (HTML in custom text is
still possible)
- Console no longer uses `[innerHtml]` to render the username

# Additional Changes

None

# Additional Context

- raised via email

---------

Co-authored-by: peintnermax <max@caos.ch>
(cherry picked from commit 189505c80f)
2024-07-31 14:34:07 +02:00
Stefan Benz
ce29a78d1b
feat: api v2beta to api v2 (#8283)
# Which Problems Are Solved

The v2beta services are stable but not GA.

# How the Problems Are Solved

The v2beta services are copied to v2. The corresponding v1 and v2beta
services are deprecated.

# Additional Context

Closes #7236

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
(cherry picked from commit 7d2d85f57c)
2024-07-29 12:50:41 +02:00
Livio Spring
24ab096e13
Merge branch 'refs/heads/main' into next 2024-07-24 15:47:02 +02:00
Joey Biscoglia
f34897a8c8
feat: add delete phone endpoint to v2 api (#8321)
# Which Problems Are Solved

- Adds delete phone endpoint to v2 api

# How the Problems Are Solved

- Adds new endpoint with DELETE method to /v2beta/users/:userId/phone
which removes currently set phone number

# Additional Changes

- Added integration test for new endpoint.

# Additional Context

- Solves
https://discord.com/channels/927474939156643850/1255557862286032996
2024-07-24 13:46:07 +00:00
Livio Spring
8d13247413
revert: "feat(IDP): use single callback endpoint"
This reverts commit e126ccc9aa.

# Which Problems Are Solved

#8295 introduced the possibility to handle idps on a single callback,
but broke current setups.

# How the Problems Are Solved

- Revert the change until a proper solution is found. Revert is needed
as docs were also changed.

# Additional Changes

None.

# Additional Context

- relates to #8295
2024-07-24 12:29:05 +00:00
Livio Spring
0e99c8356a
fix: correctly check user auth methods and enable button (#8342)
# Which Problems Are Solved

#8291 added backwards compatibilty for users who were created through
the user V2 API and want to sign in to the login UI.
There were however to issues, where users might be prompted to set a
password even if they already had one set or they would not be able to
submit the email verification code.

# How the Problems Are Solved

- Replaced `SearchUserAuthMethods `with `ListUserAuthMethodTypes` to
check for set up auth methods.
- Fixed page / javascript to disable submit button.

# Additional Changes

- Changed `ListActiveUserAuthMethodTypes ` to `ListUserAuthMethodTypes`
and a `activeOnly` boolean parameter

# Additional Context

- relates to #8291
- noticed internally on QA
2024-07-22 14:46:27 +02:00
Zach H
6a97be7bde
fix: always use pgxpool config if MaxOpenConns isn't set (#8328)
# Which Problems Are Solved

- `pgxpool -> pgx` dependency throws "MaxSize must be >= 1" on init if
`postgres.MaxOpenConns` isn't set in the ZItadel config

# How the Problems Are Solved

Only override the `MaxConns` with the Zitadel configured `MaxOpenConns`
if greater than 0 (default value). The default `MaxConns` [is derived by
`pgxpool`](ea9610f672/pgxpool/pool.go (L309-L324))
itself in a sensible way, but somewhat undocumented: checks for explicit
config in connection url or config and falls back on max(num_cpus, 4).

# Additional Changes

Applied same check in cockroach config

# Additional Context

This is likely a regression from the changes in
https://github.com/zitadel/zitadel/pull/8325

(cherry picked from commit e009ed9fe4)
2024-07-22 13:29:09 +02:00
Silvan
93be062d30
refactor(database): exchange connection pool (#8325)
# Which Problems Are Solved

The connection pool of go uses a high amount of database connections.

# How the Problems Are Solved

The standard lib connection pool was replaced by `pgxpool.Pool`

# Additional Changes

The `db.BeginTx`-spans are removed because they cause to much noise in
the traces.

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/7639

(cherry picked from commit 99c645cc60)
2024-07-22 13:28:57 +02:00
Livio Spring
d85af6ad9f
fix: correctly differ between grpc and grpc-web (#8292)
# Which Problems Are Solved

While #8285 also checked for `+proto` and `+json` grpc content types, it
accidentally matched all grpc-web requests to grpc.

# How the Problems Are Solved

- fixed the regex by checking for an exact match (added start `^` and
end `$` anchors)

# Additional Changes

None

# Additional Context

- relates to #8285

(cherry picked from commit d7c0ec282a)
2024-07-22 13:27:07 +02:00
Silvan
7cb16ef982
fix(api): grpc content type matcher all grpc types (#8285)
# Which Problems Are Solved

ZITADEL returned a 404 Unimplemented error if the client sent
'application/grpc+proto' or 'application/grpc+json' which are both valid
content types.

# How the Problems Are Solved

changed the header matcher to regexp

# Additional Context

Problem occured in
https://github.com/zitadel/typescript/tree/grpc-transport

(cherry picked from commit aa273ad000)
2024-07-22 13:27:06 +02:00
Zach H
e009ed9fe4
fix: always use pgxpool config if MaxOpenConns isn't set (#8328)
# Which Problems Are Solved

- `pgxpool -> pgx` dependency throws "MaxSize must be >= 1" on init if
`postgres.MaxOpenConns` isn't set in the ZItadel config

# How the Problems Are Solved

Only override the `MaxConns` with the Zitadel configured `MaxOpenConns`
if greater than 0 (default value). The default `MaxConns` [is derived by
`pgxpool`](ea9610f672/pgxpool/pool.go (L309-L324))
itself in a sensible way, but somewhat undocumented: checks for explicit
config in connection url or config and falls back on max(num_cpus, 4).

# Additional Changes

Applied same check in cockroach config 

# Additional Context

This is likely a regression from the changes in
https://github.com/zitadel/zitadel/pull/8325
2024-07-22 05:29:20 +00:00
Silvan
99c645cc60
refactor(database): exchange connection pool (#8325)
# Which Problems Are Solved

The connection pool of go uses a high amount of database connections.

# How the Problems Are Solved

The standard lib connection pool was replaced by `pgxpool.Pool`

# Additional Changes

The `db.BeginTx`-spans are removed because they cause to much noise in
the traces.

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/7639
2024-07-17 15:16:02 +00:00
Livio Spring
07b2bac463
fix: allow login with user created through v2 api without password (#8291)
# Which Problems Are Solved

User created through the User V2 API without any authentication method
and possibly unverified email address was not able to login through the
current hosted login UI.

An unverified email address would result in a mail verification and not
an initialization mail like it would with the management API. Also the
login UI would then require the user to enter the init code, which the
user never received.

# How the Problems Are Solved

- When verifying the email through the login UI, it will check for
existing auth methods (password, IdP, passkeys). In case there are none,
the user will be prompted to set a password.
- When a user was created through the V2 API with a verified email and
no auth method, the user will be prompted to set a password in the login
UI.
- Since setting a password requires a corresponding code, the code will
be generated and sent when login in.

# Additional Changes

- Changed `RequestSetPassword` to get the codeGenerator from the
eventstore instead of getting it from query.

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/6600
- closes https://github.com/zitadel/zitadel/issues/8235

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-07-17 06:43:07 +02:00
Livio Spring
e126ccc9aa
feat(IDP): use single callback endpoint (#8295)
# Which Problems Are Solved

Both the login UI and the IdP intent flow have their own IdP callback
endpoints.

This makes configuration hard to impossible (e.g. Github only allows one
endpoint) for customers.

# How the Problems Are Solved

- The login UI prefixes the `state` parameter when creating an auth /
SAML request.
- All requests now use the `/idp/callback` or the corresponding
variation (e.g. SAML)
- On callback, the state, resp. its prefix is checked. In case of the
login UI prefix, the request will be forwarded to the existing login UI
handler without the prefix state.
Existing setups will therefore not be affected and also requests started
before this release can be handled without any impact.
- Console only lists the "new" endpoint(s). Any
`/login/externalidp/callback` is removed.

# Additional Changes

- Cleaned up some images  from the IdP documentation.
- fix the error handling in `handleExternalNotFoundOptionCheck`

# Additional Context

- closes #8236
2024-07-16 13:58:22 +00:00
Stefan Benz
19561a092c
fix: add OrgIDQuery to the queries for organizations (#8312)
# Which Problems Are Solved

ListOrgs has no option to select for organizations specific to Ids.

# How the Problems Are Solved

Add OrgIDQuery to ListOrgs.

# Additional Changes

Clean up double mapping for the OrgQueries.

# Additional Context

- noted internally while checking performance issues (in Console)
2024-07-16 13:12:19 +00:00
Norman-Lee
1e3b350042
feat(cmd): Added machine ID mode to zitadel start up logs (#8251)
# Which Problems Are Solved

Logs the type of sonyflake strategy used for generating unique machine
IDs

# How the Problems Are Solved

- Created function to log machine id strategy on the start up logs

# Additional Changes
- Added public function for retrieving current strategy set by
configuration

# Additional Context
- Closes #7750
2024-07-16 09:53:57 +00:00
borisroman
7d0c7e5b54
feat: allow machine user id to be set during creation (#8265)
# Which Problems Are Solved
Solves the problem described in #8264.

# How the Problems Are Solved

Added a UserID field which can be set during Machine User creation.

# Additional Changes

Added addition unit and integration tests to cover the cases where a
UserID field is present.

# Additional Context

- Closes #8264

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-07-16 09:27:37 +02:00
Zhang Zhe
8afdcd99c6
fix: Correct misspelling in zh.yaml file (#8299)
# Which Problems Are Solved

- Corrected a typo in the file
`internal/api/ui/login/static/i18n/zh.yaml` where "Migrosoft" was
changed to "Microsoft".

# How the Problems Are Solved

- Updated the misspelled word "Migrosoft" to "Microsoft" for consistency
and accuracy.

# Additional Changes

- None

# Additional Context

- None
2024-07-15 10:13:55 +02:00
Livio Spring
d7c0ec282a
fix: correctly differ between grpc and grpc-web (#8292)
# Which Problems Are Solved

While #8285 also checked for `+proto` and `+json` grpc content types, it
accidentally matched all grpc-web requests to grpc.

# How the Problems Are Solved

- fixed the regex by checking for an exact match (added start `^` and
end `$` anchors)

# Additional Changes

None

# Additional Context

- relates to #8285
2024-07-12 11:54:02 +02:00
Silvan
aa273ad000
fix(api): grpc content type matcher all grpc types (#8285)
# Which Problems Are Solved

ZITADEL returned a 404 Unimplemented error if the client sent
'application/grpc+proto' or 'application/grpc+json' which are both valid
content types.

# How the Problems Are Solved

changed the header matcher to regexp

# Additional Context

Problem occured in
https://github.com/zitadel/typescript/tree/grpc-transport
2024-07-11 13:22:01 +00:00
Stefan Benz
fb2d4545b9
fix: add details to ListUsers for user results (#8255)
# Which Problems Are Solved

In User v2 API, the ListUsers endpoint doesn't provide the information
to which organization the user belongs to.

# How the Problems Are Solved

Add the details to the user results from the ListUsers endpoint, so that
the OrgID is also included as ResourceOwner.

# Additional Changes
 
None

# Additional Context

Closes #8172
2024-07-10 17:49:35 +02:00
Stefan Benz
19a8ab02ad
fix: add missing totp remove endpoint in user v2 API (#8256)
# Which Problems Are Solved

TOTP remove endpoint available in management API, not in user v2 API.

# How the Problems Are Solved

Add endpoint RemoveTOTP to user v2 API.

# Additional Changes

None

# Additional Context

close #6605

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-07-10 12:31:28 +00:00
adlerhurst
7a552bd495 Merge branch 'main' into next-rc 2024-07-05 10:17:43 +02:00
Silvan
5ca8ad2075
fix(eventstore): early return if no events in field handler (#8254)
# Which Problems Are Solved

Fixes a panic which can occur if there are no events to reduce in the fields handler

# How the Problems Are Solved

Check if there are any events to reduce

# Additional Context

- Panic was added in https://github.com/zitadel/zitadel/pull/8191
2024-07-05 10:16:12 +02:00
Tim Möhlmann
7967e6f98b
perf(import): optimize search for domains claimed by other organizations (#8200)
# Which Problems Are Solved

Improve the performance of human imports by optimizing the query that
finds domains claimed by other organizations.

# How the Problems Are Solved

Use the fields search table introduced in
https://github.com/zitadel/zitadel/pull/8191 by storing each
organization domain as Object ID and the verified status as field value.

# Additional Changes

- Feature flag for this optimization

# Additional Context

- Performance improvements for import are evaluated and acted upon
internally at the moment

---------

Co-authored-by: adlerhurst <silvan.reusser@gmail.com>
2024-07-05 09:36:00 +02:00
Tim Möhlmann
ecfb9d0d6d
perf(command): user grant pre-condition check using the search table (#8230)
# Which Problems Are Solved

Imporve the performance of user grant addition, especially for import.

# How the Problems Are Solved

Use the search table to query for the project grant state. 
This could easily be done by making the search used in
`checkProjectGrantPreCondition` reusable.

# Additional Changes

Chanded event declerations to `const` in the
`internal/repository/project` package.

# Additional Context

- Performance improvements for import are evaluated and acted upon
internally at the moment

---------

Co-authored-by: adlerhurst <silvan.reusser@gmail.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-07-04 16:18:43 +00:00
Livio Spring
d705cb11b7
fix: error handling to prevent panics (#8248)
# Which Problems Are Solved

We found multiple cases where either the error was not properly handled,
which led to panics.

# How the Problems Are Solved

Handle the errors.

# Additional Changes

None.

# Additional Context

- noticed internally
2024-07-04 14:11:06 +00:00
Elio Bischof
7573e0ea8f
feat: add http_server_return_code_counter metric to gateway (#8173)
# Which Problems Are Solved

The metric `http_server_return_code_counter` doesn't record calls to the
gRPC gateway.

# How the Problems Are Solved

The DefaultMetricsHandler that is used for the gPRC gateway doesn't
record `http_server_return_code_counter`.
Instead of the DefaultMetricsHandler, a custom metrics handler which
includes `http_server_return_code_counter` is created for the gRPC
gateway

# Additional Changes

The DefaultMetricsHandler function is removed, as it is no longer used.

# Additional Context

Reported by a customer

---------

Co-authored-by: Silvan <silvan.reusser@gmail.com>
2024-07-04 09:37:23 +00:00
Brian Tajuddin
32b707cf46
feat(6222): remove @ and project from OIDC client ID (#8178)
# Which Problems Are Solved

The client ID for OIDC applications has an `@` in it, which is not
allowed in some 3rd-party systems (such as AWS).

# How the Problems Are Solved

Per @fforootd and @hifabienne in #6222, remove the project suffix and
the `@` from the client ID and just use the generated ID.

# Additional Changes

N/A

# Additional Context

- Closes #6222

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-07-04 08:31:40 +00:00
Livio Spring
9e72c67f72
Merge branch 'refs/heads/main' into next-rc 2024-07-04 10:26:55 +02:00
RedstonePfalz
02c98f570b
fix: Fixed spelling and grammar misstakes (#8240)
# Which Problems Are Solved

I fixed spelling, grammar and translation misstakes in the german
translation file.

I noticed something else. Some strings use the formal form ("sie") of
address and some strings use the informal (du) form of address.

# Additional Context

- Discussion #8211
2024-07-04 08:02:04 +00:00
Silvan
1d84635836
feat(eventstore): add search table (#8191)
# Which Problems Are Solved

To improve performance a new table and method is implemented on
eventstore. The goal of this table is to index searchable fields on
command side to use it on command and query side.

The table allows to store one primitive value (numeric, text) per row.

The eventstore framework is extended by the `Search`-method which allows
to search for objects.
The `Command`-interface is extended by the `SearchOperations()`-method
which does manipulate the the `search`-table.

# How the Problems Are Solved

This PR adds the capability of improving performance for command and
query side by using the `Search`-method of the eventstore instead of
using one of the `Filter`-methods.

# Open Tasks

- [x] Add feature flag
- [x] Unit tests
- [ ] ~~Benchmarks if needed~~
- [x] Ensure no behavior change
- [x] Add setup step to fill table with current data
- [x] Add projection which ensures data added between setup and start of
the new version are also added to the table

# Additional Changes

The `Search`-method is currently used by `ProjectGrant`-command side.

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/8094
2024-07-03 15:00:56 +00:00
Livio Spring
08a75635d2
fix: correctly set user agent / fingerprint id on user sessions (#8231)
# Which Problems Are Solved

When we switched to V2 tokens (#7822), the user agent was incorrectly
set for sessions created though the login UI.
Additionally, when calling the ListMyUserSessions from the AuthService,
any session without the fingerprint ID (e.g. created through the session
API) would be listed.

# How the Problems Are Solved

- Use the intended ID of the user agent (fingerprint)
- Ignore empty user agent IDs when listing the user sessions

# Additional Changes

None.

# Additional Context

- relates #7822 
- closes #8213
2024-07-03 09:43:34 +02:00
Miguel Cabrerizo
c8e168ac69
fix: remove non-existent colums in getMembershipFromQuery queries (#7869)
In issue #7841 @mahmoodfathy commented an issue when the API call for
Listing My ZITADEL Manager Roles is called with any kind of query
(orgQuery, projectQuery, projectGrantQuery...). A column XXXXXX does not
exist (SQLSTATE 42703) error is thrown.

The issue was focused in getMembershipFromQuery where filtering queries
functions are called: prepareOrgMember, prepareIAMMember,
prepareProjectMember and prepareProjectGrantMember

Those functions allow queries for columns that are not members of the
table to be queried so I've added a conditional clause to avoid using
the queries that cannot be called.

For example, for prepareOrgMember, member.id, member.project_id and
member.grant_id columns are not added to the filter queries

```
for _, q := range query.Queries {
		if q.Col().table.name == membershipAlias.name &&
			!slices.Contains([]string{membershipIAMID.name, membershipProjectID.name, membershipGrantID.name}, q.Col().name) {
			builder = q.toQuery(builder)
		}
	}
	return builder.MustSql()
```

Here I show one screenshot where the error "column XXXXXX does not exist
(SQLSTATE 42703)" is no longer thrown using an orgQuery.


![image](https://github.com/zitadel/zitadel/assets/30386061/77621e69-71df-42de-b3c5-fa9b4dbf1b89)

Should close #7841 

### Definition of Ready

- [X] I am happy with the code
- [X] Short description of the feature/issue is added in the pr
description
- [X] PR is linked to the corresponding user story
- [X] Acceptance criteria are met
- [ ] All open todos and follow ups are defined in a new ticket and
justified
- [ ] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [X] No debug or dead code
- [X] My code has no repetitions
- [X] Critical parts are tested automatically
- [ ] Where possible E2E tests are implemented
- [ ] Documentation/examples are up-to-date
- [ ] All non-functional requirements are met
- [X] Functionality of the acceptance criteria is checked manually on
the dev system.

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-07-02 12:08:28 +00:00
Miguel Cabrerizo
cd6b452fc9
fix: add missing SAML type for GetActiveIdentityProviders (#8186)
# Which Problems Are Solved

- When the endpoint http://{CUSTOM-DOMAIN}/v2beta/settings/login/idps is
called the type for an activated SAML provider is not sent.
- The IDENTITY_PROVIDER_TYPE_SAML is missing

# How the Problems Are Solved

- Adds the missing IDENTITY_PROVIDER_TYPE_SAML to the
IdentityProviderType proto definition
- Adds the missing case for idpTypeToPb 
- Adds the missing test case for idpTypeToPb

Here's a screenshot showing the endpoint response:


![image](https://github.com/zitadel/zitadel/assets/30386061/6e3e9c41-543c-472e-96ab-3d40736a2699)

# Additional Context

- Closes #7885

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-06-28 15:00:56 +00:00
Stefan Benz
406fa44b63
Merge remote-tracking branch 'origin/main' into next-rc 2024-06-28 15:50:18 +02:00
Stefan Benz
d92717a1c6
fix: encode ldap values to make valid UTF8 (#8210)
# Which Problems Are Solved

UUIDs stored in LDAP are Octet Strings and have to be parsed, so that
they can be stored as IDs as they are not valid UTF8.

# How the Problems Are Solved

Try to parse the RawValue from LDAP as UUID, otherwise try to base64
decode and then parse as UUID, else use the data as string as before.

# Additional Changes

None

# Additional Context

Closes #7601
2024-06-28 13:46:54 +00:00
Miguel Cabrerizo
14aeb42cc2
fix: RFC1342 encode sender name that goes in from header (#8193)
# Which Problems Are Solved

- Some smtp server/client combination may have problems with non-ASCII
sender names for example using an umlaut

# How the Problems Are Solved

- The same RFC1342 mechanism that was added in
#https://github.com/zitadel/zitadel/pull/6637 and later improved by
@eliobischof with BEncoding has been added to the sender name that goes
in the From header

# Additional Context

- Closes #7976
2024-06-28 08:33:42 +00:00
Livio Spring
12ac53df1a
Merge branch 'main' into next-rc 2024-06-25 13:10:35 -07:00
Livio Spring
1b0e773ceb
fix(ldap): add more logs (#8197)
# Which Problems Are Solved

In case the user bind (user password check for LDAP IdP) fails, there's
no information about what went wrong.
This makes it hard to even impossible to find the cause.

# How the Problems Are Solved

Added logging of the error.

# Additional Changes

Additionally added a log in case no single user (none / multiple) are
found.

# Additional Context

- reported internally
2024-06-25 19:04:10 +00:00
Tim Möhlmann
dc170dc46e
feat(crypto): support md5 plain for imported password hashes (#8189)
# Which Problems Are Solved

Allow verification of imported passwords hashed with plain md5, without
salt. These are password digests typically created by one of:

- `printf "password" | md5sum` on most linux systems.
- PHP's `md5("password")`
- Python3's `hashlib.md5(b"password").hexdigest()`

# How the Problems Are Solved

- Upgrade passwap to
[v0.6.0](https://github.com/zitadel/passwap/releases/tag/v0.6.0)
- Add md5plain as a new verfier option in `defaults.yaml`

# Additional Changes

- Updated documentation to explain difference between `md5` (crypt) and
`md5plain` verifiers.

# Additional Context

- Requested by customer for import case
2024-06-25 11:10:49 +03:00
Livio Spring
9a9753a911
Merge branch 'main' into next
# Conflicts:
#	go.mod
#	internal/query/user_auth_method_test.go
2024-06-21 13:30:08 +02:00
Miguel Cabrerizo
3635320ce8
feat: send test mail (#7968)
# Which Problems Are Solved

- Zitadel doesn't have a way to test SMTP settings either before
creating a new provider or once the SMTP provider has been created.
- Zitadel SMTP messages can be more informative for usual errors

# How the Problems Are Solved

- A new step is added to the new/update SMTP provider wizard that allows
us to test a configuration. The result is shown in a text area.
- From the table of SMTP providers you can test your settings too.
- The email address to send the email is by default the email address
for the logged in user as suggested.
- Some of the SMTP error messages have been changed to give more
information about the possible situation. For example: could not contact
with the SMTP server, check the port, firewall issues... instead of
could not dial

Here's a video showing this new option in action:


https://github.com/zitadel/zitadel/assets/30386061/50128ba1-c9fa-4481-8eec-e79a3ca69bda

# Additional Changes

Replace this example text with a concise list of additional changes that
this PR introduces, that are not directly solving the initial problem
but are related.
For example:
- The docs explicitly describe that the property XY is mandatory
- Adds missing translations for validations.

# Additional Context

- Closes #4504
2024-06-20 19:51:42 +00:00
Livio Spring
00b5e55565
fix: set certificate validity for SAML IdPs (#8170)
# Which Problems Are Solved

Certificates created for a SAML IdP (used for metadata and request
singing) did not have any validity set. While it's not required for
SAML, when trying to import the certificate into a (keychain) tool it
might fail.

# How the Problems Are Solved

The validity is set based on the `CertificateLifetime` set in the
runtime config.

## After the fix:
If an IdP was created with a certificate without validity, an admin can
regenerate the certificate:
- for instance wide IdPs:
https://zitadel.com/docs/apis/resources/admin/admin-service-regenerate-saml-provider-certificate#regenerate-saml-identity-provider-certificate
- for organization specific IdPs:
https://zitadel.com/docs/apis/resources/mgmt/management-service-regenerate-saml-provider-certificate#regenerate-saml-identity-provider-certificate

Due to the new certificate, the metadata will change and will need to be
updated at the external IdP.

# Additional Changes

Additionally the `CertificateSize` instead of the `Size` (used for keys)
is used for generating the certificate, resp. the underlying key pair.

# Additional Context

- noted by a customer
- needs backports

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-06-20 14:09:20 +00:00
Tim Möhlmann
669ac6bda2
perf(import): do not check for existing grant ID (#8164)
# Which Problems Are Solved

Improve the performance of the `admin/v1/import` API endpoint.
Specifaclly the import of large amount of project grants.

# How the Problems Are Solved

`AddProjectGrantWithID` and `AddProjectGrantMember` methods of
`Commands` used to get the current state of the Writemodel to check if
the current GrantID or the combination of GrantID & UserID wasn't
already used. However, the Added events already have protection against
duplication by the `UniqueConstaint` methods.

The queries become very slow when there is a great amount of project
grants. Because all the events are pushed to the aggregate ID of the
project, we had to obtain all related project events, including events
of grantIDs we do not care about. This O(n) duration for bached import
jobs adding many organization granted to a single project.

This change removes the unnecesary state query to improve performance.

# Additional Changes

- Add integration tests for import

# Additional Context

- reported internally
2024-06-20 13:31:58 +00:00
Tim Möhlmann
f9742a58f4
fix(import): add tracing spans to all import related functions (#8160)
# Which Problems Are Solved

This fix adds tracing spans to all V1 API import related functions. This
is to troubleshoot import related performance issues reported to us.

# How the Problems Are Solved

Add a tracing span to `api/grpc/admin/import.go` and all related
functions that are called in the `command` package.

# Additional Changes

- none

# Additional Context

- Reported by internal communication
2024-06-19 12:56:33 +02:00
Livio Spring
fb8cd18f93
feat: password age policy (#8132)
# Which Problems Are Solved

Some organizations / customers have the requirement, that there users
regularly need to change their password.
ZITADEL already had the possibility to manage a `password age policy` (
thought the API) with the maximum amount of days a password should be
valid, resp. days after with the user should be warned of the upcoming
expiration.
The policy could not be managed though the Console UI and was not
checked in the Login UI.

# How the Problems Are Solved

- The policy can be managed in the Console UI's settings sections on an
instance and organization level.
- During an authentication in the Login UI, if a policy is set with an
expiry (>0) and the user's last password change exceeds the amount of
days set, the user will be prompted to change their password.
- The prompt message of the Login UI can be customized in the Custom
Login Texts though the Console and API on the instance and each
organization.
- The information when the user last changed their password is returned
in the Auth, Management and User V2 API.
- The policy can be retrieved in the settings service as `password
expiry settings`.

# Additional Changes

None.

# Additional Context

- closes #8081

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-06-18 11:27:44 +00:00