TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-03-02 22:31:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
zitadel/internal/api/grpc/settings/v2/integration_test/settings_test.go
Livio Spring 50d2b26a28
feat: specify login UI version on instance and apps (#9071) 
# Which Problems Are Solved

To be able to migrate or test the new login UI, admins might want to
(temporarily) switch individual apps.
At a later point admin might want to make sure all applications use the
new login UI.

# How the Problems Are Solved

- Added a feature flag `` on instance level to require all apps to use
the new login and provide an optional base url.
- if the flag is enabled, all (OIDC) applications will automatically use
the v2 login.
  - if disabled, applications can decide based on their configuration
- Added an option on OIDC apps to use the new login UI and an optional
base url.
- Removed the requirement to use `x-zitadel-login-client` to be
redirected to the login V2 and retrieve created authrequest and link
them to SSO sessions.
- Added a new "IAM_LOGIN_CLIENT" role to allow management of users,
sessions, grants and more without `x-zitadel-login-client`.

# Additional Changes

None

# Additional Context

closes https://github.com/zitadel/zitadel/issues/8702
2024-12-19 10:37:46 +01:00

463 lines
14 KiB
Go
Raw Blame History

//go:build integration
package settings_test
import (
"context"
"testing"
"time"
"github.com/brianvoe/gofakeit/v6"
"github.com/muhlemmer/gu"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/integration"
"github.com/zitadel/zitadel/pkg/grpc/idp"
idp_pb "github.com/zitadel/zitadel/pkg/grpc/idp/v2"
object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2"
"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
)
func TestServer_GetSecuritySettings(t *testing.T) {
_, err := Client.SetSecuritySettings(AdminCTX, &settings.SetSecuritySettingsRequest{
EmbeddedIframe: &settings.EmbeddedIframeSettings{
Enabled: true,
AllowedOrigins: []string{"foo", "bar"},
},
EnableImpersonation: true,
})
require.NoError(t, err)
tests := []struct {
name string
ctx context.Context
want *settings.GetSecuritySettingsResponse
wantErr bool
}{
{
name: "permission error",
ctx: Instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),
wantErr: true,
},
{
name: "success",
ctx: AdminCTX,
want: &settings.GetSecuritySettingsResponse{
Settings: &settings.SecuritySettings{
EmbeddedIframe: &settings.EmbeddedIframeSettings{
Enabled: true,
AllowedOrigins: []string{"foo", "bar"},
},
EnableImpersonation: true,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.ctx, time.Minute)
assert.EventuallyWithT(t, func(ct *assert.CollectT) {
resp, err := Client.GetSecuritySettings(tt.ctx, &settings.GetSecuritySettingsRequest{})
if tt.wantErr {
assert.Error(ct, err)
return
}
if !assert.NoError(ct, err) {
return
}
got, want := resp.GetSettings(), tt.want.GetSettings()
assert.Equal(ct, want.GetEmbeddedIframe().GetEnabled(), got.GetEmbeddedIframe().GetEnabled(), "enable iframe embedding")
assert.Equal(ct, want.GetEmbeddedIframe().GetAllowedOrigins(), got.GetEmbeddedIframe().GetAllowedOrigins(), "allowed origins")
assert.Equal(ct, want.GetEnableImpersonation(), got.GetEnableImpersonation(), "enable impersonation")
}, retryDuration, tick)
})
}
}
func TestServer_SetSecuritySettings(t *testing.T) {
type args struct {
ctx context.Context
req *settings.SetSecuritySettingsRequest
}
tests := []struct {
name string
args args
want *settings.SetSecuritySettingsResponse
wantErr bool
}{
{
name: "permission error",
args: args{
ctx: Instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),
req: &settings.SetSecuritySettingsRequest{
EmbeddedIframe: &settings.EmbeddedIframeSettings{
Enabled: true,
AllowedOrigins: []string{"foo.com", "bar.com"},
},
EnableImpersonation: true,
},
},
wantErr: true,
},
{
name: "success allowed origins",
args: args{
ctx: AdminCTX,
req: &settings.SetSecuritySettingsRequest{
EmbeddedIframe: &settings.EmbeddedIframeSettings{
AllowedOrigins: []string{"foo.com", "bar.com"},
},
},
},
want: &settings.SetSecuritySettingsResponse{
Details: &object_pb.Details{
ChangeDate: timestamppb.Now(),
ResourceOwner: Instance.ID(),
},
},
},
{
name: "success enable iframe embedding",
args: args{
ctx: AdminCTX,
req: &settings.SetSecuritySettingsRequest{
EmbeddedIframe: &settings.EmbeddedIframeSettings{
Enabled: true,
},
},
},
want: &settings.SetSecuritySettingsResponse{
Details: &object_pb.Details{
ChangeDate: timestamppb.Now(),
ResourceOwner: Instance.ID(),
},
},
},
{
name: "success impersonation",
args: args{
ctx: AdminCTX,
req: &settings.SetSecuritySettingsRequest{
EnableImpersonation: true,
},
},
want: &settings.SetSecuritySettingsResponse{
Details: &object_pb.Details{
ChangeDate: timestamppb.Now(),
ResourceOwner: Instance.ID(),
},
},
},
{
name: "success all",
args: args{
ctx: AdminCTX,
req: &settings.SetSecuritySettingsRequest{
EmbeddedIframe: &settings.EmbeddedIframeSettings{
Enabled: true,
AllowedOrigins: []string{"foo.com", "bar.com"},
},
EnableImpersonation: true,
},
},
want: &settings.SetSecuritySettingsResponse{
Details: &object_pb.Details{
ChangeDate: timestamppb.Now(),
ResourceOwner: Instance.ID(),
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := Client.SetSecuritySettings(tt.args.ctx, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
integration.AssertDetails(t, tt.want, got)
})
}
}
func idpResponse(id, name string, linking, creation, autoCreation, autoUpdate bool, autoLinking idp_pb.AutoLinkingOption) *settings.IdentityProvider {
return &settings.IdentityProvider{
Id: id,
Name: name,
Type: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_OAUTH,
Options: &idp_pb.Options{
IsLinkingAllowed: linking,
IsCreationAllowed: creation,
IsAutoCreation: autoCreation,
IsAutoUpdate: autoUpdate,
AutoLinking: autoLinking,
},
}
}
func TestServer_GetActiveIdentityProviders(t *testing.T) {
instance := integration.NewInstance(CTX)
isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
instance.AddGenericOAuthProvider(isolatedIAMOwnerCTX, gofakeit.AppName()) // inactive
idpActiveName := gofakeit.AppName()
idpActiveResp := instance.AddGenericOAuthProvider(isolatedIAMOwnerCTX, idpActiveName)
instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpActiveResp.GetId())
idpActiveResponse := idpResponse(idpActiveResp.GetId(), idpActiveName, true, true, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
idpLinkingDisallowedName := gofakeit.AppName()
idpLinkingDisallowedResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpLinkingDisallowedName, false, true, true, idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpLinkingDisallowedResp.GetId())
idpLinkingDisallowedResponse := idpResponse(idpLinkingDisallowedResp.GetId(), idpLinkingDisallowedName, false, true, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
idpCreationDisallowedName := gofakeit.AppName()
idpCreationDisallowedResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpCreationDisallowedName, true, false, true, idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpCreationDisallowedResp.GetId())
idpCreationDisallowedResponse := idpResponse(idpCreationDisallowedResp.GetId(), idpCreationDisallowedName, true, false, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
idpNoAutoCreationName := gofakeit.AppName()
idpNoAutoCreationResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpNoAutoCreationName, true, true, false, idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpNoAutoCreationResp.GetId())
idpNoAutoCreationResponse := idpResponse(idpNoAutoCreationResp.GetId(), idpNoAutoCreationName, true, true, false, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
idpNoAutoLinkingName := gofakeit.AppName()
idpNoAutoLinkingResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpNoAutoLinkingName, true, true, true, idp.AutoLinkingOption_AUTO_LINKING_OPTION_UNSPECIFIED)
instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpNoAutoLinkingResp.GetId())
idpNoAutoLinkingResponse := idpResponse(idpNoAutoLinkingResp.GetId(), idpNoAutoLinkingName, true, true, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_UNSPECIFIED)
type args struct {
ctx context.Context
req *settings.GetActiveIdentityProvidersRequest
}
tests := []struct {
name string
args args
want *settings.GetActiveIdentityProvidersResponse
wantErr bool
}{
{
name: "permission error",
args: args{
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
req: &settings.GetActiveIdentityProvidersRequest{},
},
wantErr: true,
},
{
name: "success, all",
args: args{
ctx: isolatedIAMOwnerCTX,
req: &settings.GetActiveIdentityProvidersRequest{},
},
want: &settings.GetActiveIdentityProvidersResponse{
Details: &object_pb.ListDetails{
TotalResult: 5,
Timestamp: timestamppb.Now(),
},
IdentityProviders: []*settings.IdentityProvider{
idpActiveResponse,
idpLinkingDisallowedResponse,
idpCreationDisallowedResponse,
idpNoAutoCreationResponse,
idpNoAutoLinkingResponse,
},
},
},
{
name: "success, exclude linking disallowed",
args: args{
ctx: isolatedIAMOwnerCTX,
req: &settings.GetActiveIdentityProvidersRequest{
LinkingAllowed: gu.Ptr(true),
},
},
want: &settings.GetActiveIdentityProvidersResponse{
Details: &object_pb.ListDetails{
TotalResult: 4,
Timestamp: timestamppb.Now(),
},
IdentityProviders: []*settings.IdentityProvider{
idpActiveResponse,
idpCreationDisallowedResponse,
idpNoAutoCreationResponse,
idpNoAutoLinkingResponse,
},
},
},
{
name: "success, only linking disallowed",
args: args{
ctx: isolatedIAMOwnerCTX,
req: &settings.GetActiveIdentityProvidersRequest{
LinkingAllowed: gu.Ptr(false),
},
},
want: &settings.GetActiveIdentityProvidersResponse{
Details: &object_pb.ListDetails{
TotalResult: 1,
Timestamp: timestamppb.Now(),
},
IdentityProviders: []*settings.IdentityProvider{
idpLinkingDisallowedResponse,
},
},
},
{
name: "success, exclude creation disallowed",
args: args{
ctx: isolatedIAMOwnerCTX,
req: &settings.GetActiveIdentityProvidersRequest{
CreationAllowed: gu.Ptr(true),
},
},
want: &settings.GetActiveIdentityProvidersResponse{
Details: &object_pb.ListDetails{
TotalResult: 4,
Timestamp: timestamppb.Now(),
},
IdentityProviders: []*settings.IdentityProvider{
idpActiveResponse,
idpLinkingDisallowedResponse,
idpNoAutoCreationResponse,
idpNoAutoLinkingResponse,
},
},
},
{
name: "success, only creation disallowed",
args: args{
ctx: isolatedIAMOwnerCTX,
req: &settings.GetActiveIdentityProvidersRequest{
CreationAllowed: gu.Ptr(false),
},
},
want: &settings.GetActiveIdentityProvidersResponse{
Details: &object_pb.ListDetails{
TotalResult: 1,
Timestamp: timestamppb.Now(),
},
IdentityProviders: []*settings.IdentityProvider{
idpCreationDisallowedResponse,
},
},
},
{
name: "success, auto creation",
args: args{
ctx: isolatedIAMOwnerCTX,
req: &settings.GetActiveIdentityProvidersRequest{
AutoCreation: gu.Ptr(true),
},
},
want: &settings.GetActiveIdentityProvidersResponse{
Details: &object_pb.ListDetails{
TotalResult: 4,
Timestamp: timestamppb.Now(),
},
IdentityProviders: []*settings.IdentityProvider{
idpActiveResponse,
idpLinkingDisallowedResponse,
idpCreationDisallowedResponse,
idpNoAutoLinkingResponse,
},
},
},
{
name: "success, no auto creation",
args: args{
ctx: isolatedIAMOwnerCTX,
req: &settings.GetActiveIdentityProvidersRequest{
AutoCreation: gu.Ptr(false),
},
},
want: &settings.GetActiveIdentityProvidersResponse{
Details: &object_pb.ListDetails{
TotalResult: 1,
Timestamp: timestamppb.Now(),
},
IdentityProviders: []*settings.IdentityProvider{
idpNoAutoCreationResponse,
},
},
},
{
name: "success, auto linking",
args: args{
ctx: isolatedIAMOwnerCTX,
req: &settings.GetActiveIdentityProvidersRequest{
AutoLinking: gu.Ptr(true),
},
},
want: &settings.GetActiveIdentityProvidersResponse{
Details: &object_pb.ListDetails{
TotalResult: 4,
Timestamp: timestamppb.Now(),
},
IdentityProviders: []*settings.IdentityProvider{
idpActiveResponse,
idpLinkingDisallowedResponse,
idpCreationDisallowedResponse,
idpNoAutoCreationResponse,
},
},
},
{
name: "success, no auto linking",
args: args{
ctx: isolatedIAMOwnerCTX,
req: &settings.GetActiveIdentityProvidersRequest{
AutoLinking: gu.Ptr(false),
},
},
want: &settings.GetActiveIdentityProvidersResponse{
Details: &object_pb.ListDetails{
TotalResult: 1,
Timestamp: timestamppb.Now(),
},
IdentityProviders: []*settings.IdentityProvider{
idpNoAutoLinkingResponse,
},
},
},
{
name: "success, exclude all",
args: args{
ctx: isolatedIAMOwnerCTX,
req: &settings.GetActiveIdentityProvidersRequest{
LinkingAllowed: gu.Ptr(true),
CreationAllowed: gu.Ptr(true),
AutoCreation: gu.Ptr(true),
AutoLinking: gu.Ptr(true),
},
},
want: &settings.GetActiveIdentityProvidersResponse{
Details: &object_pb.ListDetails{
TotalResult: 1,
Timestamp: timestamppb.Now(),
},
IdentityProviders: []*settings.IdentityProvider{
idpActiveResponse,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
assert.EventuallyWithT(t, func(ct *assert.CollectT) {
got, err := instance.Client.SettingsV2.GetActiveIdentityProviders(tt.args.ctx, tt.args.req)
if tt.wantErr {
assert.Error(ct, err)
return
}
if !assert.NoError(ct, err) {
return
}
for i, result := range tt.want.GetIdentityProviders() {
assert.EqualExportedValues(ct, result, got.GetIdentityProviders()[i])
}
integration.AssertListDetails(ct, tt.want, got)
}, retryDuration, tick)
})
}
}
Reference in New Issue View Git Blame Copy Permalink