1419 Commits

Author SHA1 Message Date
Livio Spring
5908b97e7c
fix: rendering of TOTP QR code (#7549)
(cherry picked from commit a28b3a1c2d80572451b0e4d03127deb2950f61d5)
2024-03-12 17:27:50 +01:00
Silvan
e0e5665e17
fix(eventstore): consider IsGlobal-flag of constraints (#7518)
* fix(eventstore): consider `IsGlobal`-flag of constraints

* fix(setup): set `instance_domain`-constraint global

(cherry picked from commit 60ee2610f2ae67e2e33ac8c08df739c44d397809)
2024-03-11 08:44:39 +01:00
Livio Spring
3c0cd30afe
fix: use correct template package (#7522)
(cherry picked from commit 07ec2efa9dc62f7a6c3a58c112b2879d24bc3e3c)
2024-03-11 08:30:15 +01:00
Tim Möhlmann
8e2c3b671f
fix(query): optimize instance by domain query (#7513)
fix(query): optimize instance by domain query

On zitadel cloud we noticed an increase in database CPU usage and slightly higher response times.
By analyzes we found that the instance by domain query was wrongly joining all instance_feature rows against all instances.
This PR adds an additional CTE to limit the join set to only the features that apply to the found instance.

The query was introduced with https://github.com/zitadel/zitadel/pull/7356 and part of the v2.47 release.

(cherry picked from commit 3af28d29d25b9f396c6129ad8d248df4cc3af8dc)
2024-03-07 11:44:31 +01:00
Silvan
ec3076c3c8
fix(ListEvents): add aggregate types to filter if not set (#7490) 2024-03-05 15:44:51 +00:00
Tim Möhlmann
dfcc26de1e
fix: assign instance ID to aggregate ID when converting from v1 to v2 feature (#7505)
* fix: assign instance ID to aggregate ID when converting from v1 to v2 feature

This change fixes a mismatch between v1 and v2 aggregate IDs for instance feature events.
The old v1 used a random aggregate ID, while v2 uses the instance ID as aggregate ID.
The adapter was not correctly mapping, which resulted in the projections.instance_features table being filled with wrong instance IDs.

Closes #7501

* fix unit test
2024-03-05 16:12:49 +01:00
Elio Bischof
38777b478e
perf: filter events by instance ids (#7489)
fix: filter events by instance ids
2024-03-04 07:56:48 +01:00
Miguel Cabrerizo
dfd7cba3f4
fix: remove hard requirement of grant type auth code for device code apps + warnings for missing urls (#7429)
* fix: if device Code is selected Auth Code no longer a hard requirement

* fix: create device code app without auth code as grant type

* fix: don't show redirect uris in overview for devicecode app wizard

* feat: reload component when oidc app is updated

* fix: oidcapp is valid grantTypes cannot be empty

* fix: auth code not mandatory if refresh token and device code combined
2024-02-29 15:28:06 +00:00
Elio Bischof
f4c72cbe14
feat: improve instance not found error (#7413)
* feat: improve instance not found error

* unit tests

* check if is templatable

* lint

* assert

* compile tests

* remove error templates

* link to instance not found page

* fmt

* cleanup

* lint
2024-02-28 10:49:57 +00:00
Tim Möhlmann
062d153cfe
feat: impersonation roles (#7442)
* partial work done

* test IAM membership roles

* org membership tests

* console :(, translations and docs

* fix integration test

* fix tests

* add EnableImpersonation to security policy API

* fix integration test timestamp checking

* add security policy tests and fix projections

* add impersonation setting in console

* add security settings to the settings v2 API

* fix typo

* move impersonation to instance

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-02-28 10:21:11 +00:00
Livio Spring
68af4f59c9
fix(api): handle user disabling events correctly in session API (#7380)
This PR makes sure that user disabling events (deactivate, locked, ...) are correctly checked for sessions.
2024-02-28 09:30:05 +00:00
Tim Möhlmann
26d1563643
feat(api): feature flags (#7356)
* feat(api): feature API proto definitions

* update proto based on discussion with @livio-a

* cleanup old feature flag stuff

* authz instance queries

* align defaults

* projection definitions

* define commands and event reducers

* implement system and instance setter APIs

* api getter implementation

* unit test repository package

* command unit tests

* unit test Get queries

* grpc converter unit tests

* migrate the V1 features

* migrate oidc to dynamic features

* projection unit test

* fix instance by host

* fix instance by id data type in sql

* fix linting errors

* add system projection test

* fix behavior inversion

* resolve proto file comments

* rename SystemDefaultLoginInstanceEventType to SystemLoginDefaultOrgEventType so it's consistent with the instance level event

* use write models and conditional set events

* system features integration tests

* instance features integration tests

* error on empty request

* documentation entry

* typo in feature.proto

* fix start unit tests

* solve linting error on key case switch

* remove system defaults after discussion with @eliobischof

* fix system feature projection

* resolve comments in defaults.yaml

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-02-28 10:55:54 +02:00
Livio Spring
b877abd7a2
fix(login): ignore domain suffix for email / phone check (#7446)
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-02-26 14:05:18 +00:00
Fabi
0542b29517
docs: Contribution guidelines (#7443)
* docs: gender neutrality

* docs: gender neutrality

* docs: gender neutrality

* Update docs/docs/concepts/features/identity-brokering.md

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

* Update docs/docs/guides/integrate/login-ui/mfa.mdx

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

* Update docs/docs/guides/integrate/login-ui/passkey.mdx

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

* Update internal/static/i18n/en.yaml

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

* Update internal/static/i18n/en.yaml

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-02-26 13:11:09 +00:00
Stefan Benz
2731099db3
feat: add executions for actions v2 (#7433)
* feat: add events for execution

* feat: add events for execution and command side

* feat: add events for execution and command side

* feat: add api endpoints for set and delete executions with integration tests

* feat: add integration and unit tests and more existence checks

* feat: add integration and unit tests and more existence checks

* feat: unit tests for includes in executions

* feat: integration tests for includes in executions

* fix: linting

* fix: update internal/api/api.go

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

* fix: update internal/command/command.go

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

* fix: apply suggestions from code review

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

* fix: change api return

* fix: change aggregateID with prefix of execution type and add to documentation

* fix: change body in proto for documentation and correct linting

* fix: changed existing check to single query in separate writemodel

* fix: linter changes and list endpoints for conditions in executions

* fix: remove writemodel query on exeuction set as state before is irrelevant

* fix: testing for exists write models and correction

* fix: translations for errors and event types

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-02-26 12:49:43 +02:00
Tim Möhlmann
1890e28f79
fix(eventstore): retry push on primary key sequence collision (#7420)
* fix(eventstore): retry push on primary key sequence collision

* MaxRetries config option and unit test
2024-02-23 08:29:10 +00:00
Elio Bischof
4f54cfb0a9
fix(projections): stop updating creation dates (#6930)
* feat: return 404 or 409 if org reg disallowed

* fix: system limit permissions

* feat: add iam limits api

* feat: disallow public org registrations on default instance

* add integration test

* test: integration

* fix test

* docs: describe public org registrations

* avoid updating docs deps

* fix system limits integration test

* silence integration tests

* fix linting

* ignore strange linter complaints

* review

* improve reset properties naming

* redefine the api

* use restrictions aggregate

* test query

* simplify and test projection

* test commands

* fix unit tests

* move integration test

* support restrictions on default instance

* also test GetRestrictions

* self review

* lint

* fix(projections): stop updating creation dates

* abstract away resource owner

* fix tests

* update main

* fix tests
2024-02-22 17:25:47 +00:00
Elio Bischof
a88662bb3a
fix(smtp): support UTF-8 subjects (#7432)
fix(smtp): support utf8 subjects
2024-02-22 15:11:55 +01:00
Tim Möhlmann
1d6dfadad8
fix(oidc): return bad request for an invalid refresh token (#7419) 2024-02-20 16:54:52 +01:00
Elio Bischof
585988bd83
chore(ci): merge test runs (#7388)
* chore(ci): merge test runs

* docs: improve CONTRIBUTING.md

* expect failure

* expect failure unit

* cleanup

* fix: correct binding in integration tests

* fix: correct binding in integration tests

---------

Co-authored-by: Stefan Benz <stefan@caos.ch>
2024-02-19 07:50:37 +01:00
Elio Bischof
19af2f7372
feat: support whole config as env (#6336)
* fix existing env vars

* feat: support all config by env

* cleanup

* remove system users hook

* decode system users in setup
2024-02-16 16:04:42 +00:00
Livio Spring
d5266ea51c
fix: set user agent cookie on host only (without subdomains) (#7297)
This PR changes the domain / prefix of the user agent cookie from including the subdomain to the domain only and therefore changing the prefix from __Secure to __Host.

Note:
As the cookie is used to determine existing session on the login UI, applying the change will require end-users to start a new session on the next login, since the existing ones cannot be retrieved anymore.
2024-02-15 07:53:59 +01:00
Stefan Benz
198bc017b8
feat: actions v2 execution targets command side (#7384)
Adds the API to create, update, delete targets for execution in a new ExecutionService (v3alpha)
2024-02-15 05:39:10 +00:00
Stefan Benz
f6995fcb6c
feat: add implementation for resend of email and phone code (#7348)
* fix: add implementation for resend of email and phone code

* fix: add implementation for resend of email and phone code

* fix: add implementation for resend of email and phone code

* fix: add implementation for resend of email and phone code

* fix: add implementation for resend of email and phone code

* fix: add implementation for resend of email and phone code

* fix: apply suggestions from code review

Co-authored-by: Livio Spring <livio.a@gmail.com>

* fix: review changes to remove resourceowner as parameters

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-02-14 07:22:55 +00:00
Miguel Cabrerizo
83ed1f37d8
fix: trim whitespaces in redirect, post and origins uris set through console (#7334)
* fix: trim whitespaces in redirect, postlogout and origins uris set through console

* fix: add @livio-a review suggestions
2024-02-12 09:56:55 +01:00
Filip Sandborg
f0ba2b955a
fix: db MaxOpenConns setting (#7360)
* Fix pg MaxOpenConns setting

* fix: crdb open conns

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-02-09 13:43:01 +01:00
Livio Spring
7f7fb55f34
fix: use configured binding on SAML IDPs and make sure CSP doesn't block POST binding (#7341)
fix: use configured binding on SAML IDPs and make sure CSP doesn't block POST binding
2024-02-05 14:45:15 +00:00
Livio Spring
e000fdd792
fix: handle context correctly in processEvents (#7320) 2024-01-31 11:25:28 +01:00
Silvan
aa407c3c3e
fix(auth): optimise user sessions (#7199)
* fix(auth): start optimise user sessions

* reduce and query user sessions directly without gorm statements

* cleanup

* cleanup

* fix requested changes

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-01-30 15:17:54 +00:00
Livio Spring
c20204d84d
fix: set userAgentID in password change event if available (#7319) 2024-01-30 15:36:34 +01:00
Tim Möhlmann
df57a64ed7
fix(oidc): ignore public key expiry for ID Token hints (#7293)
* fix(oidc): ignore public key expiry for ID Token hints

This splits the key sets used for access token and ID token hints.
ID Token hints should be able to be verified by with public keys that are already expired.
However, we do not want to change this behavior for Access Tokens,
where an error for an expired public key is still returned.

The public key cache is modified to purge public keys based on last use,
instead of expiry.
The cache is shared between both verifiers.

* resolve review comments

* pin oidc 3.11
2024-01-29 15:11:52 +00:00
Livio Spring
121f9f8da1
feat(actions): add org metadata in complement token and saml response flows (#7263)
* feat(actions): add org metadata in complement token and saml response flows

* document actions
2024-01-26 08:56:10 +00:00
Silvan
17953e9040
fix(setup): init projections (#7194)
Even though this is a feature it's released as fix so that we can back port to earlier revisions.

As reported by multiple users startup of ZITADEL after leaded to downtime and worst case rollbacks to the previously deployed version.

The problem starts rising when there are too many events to process after the start of ZITADEL. The root cause are changes on projections (database tables) which must be recomputed. This PR solves this problem by adding a new step to the setup phase which prefills the projections. The step can be enabled by adding the `--init-projections`-flag to `setup`, `start-from-init` and `start-from-setup`. Setting this flag results in potentially longer duration of the setup phase but reduces the risk of the problems mentioned in the paragraph above.
2024-01-25 17:28:20 +01:00
Miguel Cabrerizo
d590da7c7d
fix(console): display granted org name in authorizations and show user information (#7116)
* fix: add granted org info to user grants query response

* fix: show user info, tests and add columns to user grant

* fix: add check for org membership

* fix: typo in find logic

---------

Co-authored-by: Max Peintner <max@caos.ch>
2024-01-24 11:36:04 +01:00
Miguel Cabrerizo
89169b64ff
fix: detect autofill in chrome to enable login buttons (#7056)
* fix: detect autofill in chrome to enable login buttons

* fix: add -webkit-autofill to input scss

---------

Co-authored-by: Max Peintner <max@caos.ch>
2024-01-22 10:24:36 +01:00
Livio Spring
8470649ecb
chore: pin crdb version for unit tests (#7260)
* chore: pin crdb version for unit tests

* use latest 23.1 version

* use latest available 23.1 version
2024-01-18 08:16:54 +00:00
Tim Möhlmann
af4e0484d0
fix: uniform oidc errors (#7237)
* fix: uniform oidc errors

sanitize oidc error reporting when passing package boundary towards oidc.

* add should TriggerBulk in get audiences for auth request

* upgrade to oidc 3.10.1

* provisional oidc upgrade to error branch

* pin oidc 3.10.2
2024-01-18 07:10:49 +01:00
Elio Bischof
cdfcdec101
test(integration, user): fix flakiness (#7252)
* test: fix user integration test flakiness

* assert with *assert.CollectT
2024-01-17 16:24:11 +01:00
Elio Bischof
ed0bc39ea4
feat: block instances (#7129)
* docs: fix init description typos

* feat: block instances using limits

* translate

* unit tests

* fix translations

* redirect /ui/login

* fix http interceptor

* cleanup

* fix http interceptor

* fix: delete cookies on gateway 200

* add integration tests

* add command test

* docs

* fix integration tests

* add bulk api and integration test

* optimize bulk set limits

* unit test bulk limits

* fix broken link

* fix assets middleware

* fix broken link

* validate instance id format

* Update internal/eventstore/search_query.go

Co-authored-by: Livio Spring <livio.a@gmail.com>

* remove support for owner bulk limit commands

* project limits to instances

* migrate instances projection

* Revert "migrate instances projection"

This reverts commit 214218732a56e6df823beac1972adfcf8beeded5.

* join limits, remove owner

* remove todo

* use optional bool

* normally validate instance ids

* use 302

* cleanup

* cleanup

* Update internal/api/grpc/system/limits_converter.go

Co-authored-by: Livio Spring <livio.a@gmail.com>

* remove owner

* remove owner from reset

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-01-17 10:16:48 +00:00
Stefan Benz
d9d376a275
feat: user v2 service query (#7095)
* feat: add query endpoints for user v2 api

* fix: correct integration tests

* fix: correct linting

* fix: correct linting

* fix: comment out permission check on user get and list

* fix: permission check on user v2 query

* fix: merge back origin/main

* fix: add search query in user emails

* fix: reset count for SearchUser if users are removed due to permissions

* fix: reset count for SearchUser if users are removed due to permissions

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-01-17 10:00:10 +01:00
Livio Spring
96d0291848
fix: enable iframe use on http://localhost (#7152)
* fix: enable iframe use on http://localhost

* docs(iframe): add info about cookies

* improve comments
2024-01-16 11:28:56 +01:00
Tim Möhlmann
c0b355e24a
fix: pass configured slog to oidc server (#7229) 2024-01-16 06:37:36 +00:00
Elio Bischof
29b386005d
fix(origin): fall back to ExternalSecure (#7228)
* fix(origin): fall back to ExternalSecure

* avoid middleware.Middleware

* avoid else

* lint
2024-01-15 16:44:35 +00:00
Silvan
3c5fc31372
fix(handler): handle trigger err correctly (#7205) 2024-01-11 17:55:50 +00:00
Stefan Benz
3d3264eb8f
fix: add RollbackUnlessCommitted for gorm transactions (#7197) 2024-01-10 23:02:50 +00:00
Livio Spring
7c592ce638
fix(idp): provide id_token for tenant id based azure ad (#7188)
* fix(idp): provide id_token for tenant based azure ad

* comments

* remove unintentional changes
2024-01-10 15:02:17 +00:00
Silvan
43f1d59649
fix(auth): efficient user session projection (#7187)
* fix(auth): cache users during session projection

* fix(auth.user_sessions): add index for more efficient by user search
2024-01-09 18:36:46 +00:00
Tim Möhlmann
62cb29aba9
fix(query): separate login policy queries (#7174)
This change moves IDPLoginPolicyLinks out of the scan function Login Policy queries in order to prevent potential deadlocks.
2024-01-08 21:13:46 +00:00
Miguel Cabrerizo
17153b694e
feat: search users by list of emails (users/_search) (#6983)
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-01-08 18:45:54 +01:00
Stefan Benz
e769b163ef
perf: user grant owner removed (#6962)
* fix: change logic for usergrants projection with no selects

* fix: change logic for usergrants projection with one select

* fix: move resource owner select to single function

* fix: move resource owner select to single function

* fix: changes after merge

* fix: changes after merge

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-01-08 15:26:30 +00:00