TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:57:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fix-acceptance
zitadel/internal/command/user_machine.go
Stefan Benz 6d98b33c56 feat: organization settings for user uniqueness (#10246) 
# Which Problems Are Solved

Currently the username uniqueness is on instance level, we want to
achieve a way to set it at organization level.

# How the Problems Are Solved

Addition of endpoints and a resource on organization level, where this
setting can be managed. If nothing it set, the uniqueness is expected to
be at instance level, where only users with instance permissions should
be able to change this setting.

# Additional Changes

None

# Additional Context

Includes #10086
Closes #9964 

---------

Co-authored-by: Marco A. <marco@zitadel.com>
2025-07-29 15:56:21 +02:00

217 lines
6.9 KiB
Go
Raw Permalink Blame History

package command
import (
"context"
"github.com/zitadel/zitadel/internal/command/preparation"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/internal/repository/user"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
"github.com/zitadel/zitadel/internal/zerrors"
)
type AddMachine struct {
Machine *Machine
Pat *AddPat
MachineKey *AddMachineKey
}
type Machine struct {
models.ObjectRoot
Username string
Name string
Description string
AccessTokenType domain.OIDCTokenType
PermissionCheck PermissionCheck
}
func (m *Machine) IsZero() bool {
return m.Username == "" && m.Name == ""
}
func AddMachineCommand(a *user.Aggregate, machine *Machine) preparation.Validation {
return func() (_ preparation.CreateCommands, err error) {
if a.ResourceOwner == "" && machine.PermissionCheck == nil {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-xiown3", "Errors.ResourceOwnerMissing")
}
if a.ID == "" {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-p0p2mi", "Errors.User.UserIDMissing")
}
if machine.Name == "" {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-bs9Ds", "Errors.User.Invalid")
}
if machine.Username == "" {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-bm9Ds", "Errors.User.Invalid")
}
return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
writeModel, err := getMachineWriteModel(ctx, a.ID, a.ResourceOwner, filter, machine.PermissionCheck)
if err != nil {
return nil, err
}
if isUserStateExists(writeModel.UserState) {
return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-k2una", "Errors.User.AlreadyExisting")
}
domainPolicy, err := domainPolicyWriteModel(ctx, filter, a.ResourceOwner)
if err != nil {
return nil, zerrors.ThrowPreconditionFailed(err, "COMMAND-3M9fs", "Errors.Org.DomainPolicy.NotFound")
}
orgScopedUsername, err := checkOrganizationScopedUsernames(ctx, filter, a.ResourceOwner, nil)
if err != nil {
return nil, err
}
return []eventstore.Command{
user.NewMachineAddedEvent(ctx, &a.Aggregate, machine.Username, machine.Name, machine.Description, domainPolicy.UserLoginMustBeDomain || orgScopedUsername, machine.AccessTokenType),
}, nil
}, nil
}
}
type addMachineOption func(context.Context, *Machine) error
func AddMachineWithUsernameToIDFallback() addMachineOption {
return func(ctx context.Context, m *Machine) error {
if m.Username == "" {
m.Username = m.AggregateID
}
return nil
}
}
func (c *Commands) AddMachine(ctx context.Context, machine *Machine, state *domain.UserState, check PermissionCheck, options ...addMachineOption) (_ *domain.ObjectDetails, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
if machine.AggregateID == "" {
userID, err := c.idGenerator.Next()
if err != nil {
return nil, err
}
machine.AggregateID = userID
}
agg := user.NewAggregate(machine.AggregateID, machine.ResourceOwner)
for _, option := range options {
if err = option(ctx, machine); err != nil {
return nil, err
}
}
if check != nil {
if err = check(machine.ResourceOwner, machine.AggregateID); err != nil {
return nil, err
}
}
cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, AddMachineCommand(agg, machine))
if err != nil {
return nil, err
}
if state != nil {
var cmd eventstore.Command
switch *state {
case domain.UserStateInactive:
cmd = user.NewUserDeactivatedEvent(ctx, &agg.Aggregate)
case domain.UserStateLocked:
cmd = user.NewUserLockedEvent(ctx, &agg.Aggregate)
case domain.UserStateDeleted:
// users are never imported if deleted
case domain.UserStateActive:
// added because of the linter
case domain.UserStateSuspend:
// added because of the linter
case domain.UserStateInitial:
// added because of the linter
case domain.UserStateUnspecified:
// added because of the linter
}
if cmd != nil {
cmds = append(cmds, cmd)
}
}
events, err := c.eventstore.Push(ctx, cmds...)
if err != nil {
return nil, err
}
return &domain.ObjectDetails{
Sequence: events[len(events)-1].Sequence(),
EventDate: events[len(events)-1].CreatedAt(),
ResourceOwner: events[len(events)-1].Aggregate().ResourceOwner,
}, nil
}
// Deprecated: use ChangeUserMachine instead
func (c *Commands) ChangeMachine(ctx context.Context, machine *Machine) (*domain.ObjectDetails, error) {
agg := user.NewAggregate(machine.AggregateID, machine.ResourceOwner)
cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, changeMachineCommand(agg, machine))
if err != nil {
return nil, err
}
events, err := c.eventstore.Push(ctx, cmds...)
if err != nil {
return nil, err
}
return &domain.ObjectDetails{
Sequence: events[len(events)-1].Sequence(),
EventDate: events[len(events)-1].CreatedAt(),
ResourceOwner: events[len(events)-1].Aggregate().ResourceOwner,
}, nil
}
func changeMachineCommand(a *user.Aggregate, machine *Machine) preparation.Validation {
return func() (_ preparation.CreateCommands, err error) {
if a.ResourceOwner == "" && machine.PermissionCheck == nil {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-xiown3", "Errors.ResourceOwnerMissing")
}
if a.ID == "" {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-p0p3mi", "Errors.User.UserIDMissing")
}
return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
writeModel, err := getMachineWriteModel(ctx, a.ID, a.ResourceOwner, filter, machine.PermissionCheck)
if err != nil {
return nil, err
}
if !isUserStateExists(writeModel.UserState) {
return nil, zerrors.ThrowNotFound(nil, "COMMAND-5M0od", "Errors.User.NotFound")
}
changedEvent, hasChanged := writeModel.NewChangedEvent(ctx, &a.Aggregate, machine.Name, machine.Description, machine.AccessTokenType)
if !hasChanged {
return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-2n8vs", "Errors.User.NotChanged")
}
return []eventstore.Command{
changedEvent,
}, nil
}, nil
}
}
func getMachineWriteModel(ctx context.Context, userID, resourceOwner string, filter preparation.FilterToQueryReducer, permissionCheck PermissionCheck) (_ *MachineWriteModel, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
writeModel := NewMachineWriteModel(userID, resourceOwner)
events, err := filter(ctx, writeModel.Query())
if err != nil {
return nil, err
}
if len(events) == 0 {
return writeModel, nil
}
writeModel.AppendEvents(events...)
err = writeModel.Reduce()
if permissionCheck != nil {
if err := permissionCheck(writeModel.ResourceOwner, writeModel.AggregateID); err != nil {
return nil, err
}
}
return writeModel, err
}
Reference in New Issue View Git Blame Copy Permalink