mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-10 23:13:40 +00:00
c3b97a91a2
# Which Problems Are Solved It is currently not possible to use SAML with the Session API. # How the Problems Are Solved Add SAML service, to get and resolve SAML requests. Add SAML session and SAML request aggregate, which can be linked to the Session to get back a SAMLResponse from the API directly. # Additional Changes Update of dependency zitadel/saml to provide all functionality for handling of SAML requests and responses. # Additional Context Closes #6053 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
82 lines
2.2 KiB
Go
82 lines
2.2 KiB
Go
package query
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
_ "embed"
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/zitadel/logging"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/api/call"
|
|
"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
|
|
"github.com/zitadel/zitadel/internal/query/projection"
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
type SamlRequest struct {
|
|
ID string
|
|
CreationDate time.Time
|
|
LoginClient string
|
|
Issuer string
|
|
ACS string
|
|
RelayState string
|
|
Binding string
|
|
}
|
|
|
|
func (a *SamlRequest) checkLoginClient(ctx context.Context) error {
|
|
if uid := authz.GetCtxData(ctx).UserID; uid != a.LoginClient {
|
|
return zerrors.ThrowPermissionDenied(nil, "OIDCv2-aL0ag", "Errors.SamlRequest.WrongLoginClient")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
//go:embed saml_request_by_id.sql
|
|
var samlRequestByIDQuery string
|
|
|
|
func (q *Queries) samlRequestByIDQuery(ctx context.Context) string {
|
|
return fmt.Sprintf(samlRequestByIDQuery, q.client.Timetravel(call.Took(ctx)))
|
|
}
|
|
|
|
func (q *Queries) SamlRequestByID(ctx context.Context, shouldTriggerBulk bool, id string, checkLoginClient bool) (_ *SamlRequest, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
if shouldTriggerBulk {
|
|
_, traceSpan := tracing.NewNamedSpan(ctx, "TriggerSamlRequestProjection")
|
|
ctx, err = projection.SamlRequestProjection.Trigger(ctx, handler.WithAwaitRunning())
|
|
logging.OnError(err).Debug("trigger failed")
|
|
traceSpan.EndWithError(err)
|
|
}
|
|
|
|
dst := new(SamlRequest)
|
|
err = q.client.QueryRowContext(
|
|
ctx,
|
|
func(row *sql.Row) error {
|
|
return row.Scan(
|
|
&dst.ID, &dst.CreationDate, &dst.LoginClient, &dst.Issuer, &dst.ACS, &dst.RelayState, &dst.Binding,
|
|
)
|
|
},
|
|
q.samlRequestByIDQuery(ctx),
|
|
id, authz.GetInstance(ctx).InstanceID(),
|
|
)
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return nil, zerrors.ThrowNotFound(err, "QUERY-Thee9", "Errors.SamlRequest.NotExisting")
|
|
}
|
|
if err != nil {
|
|
return nil, zerrors.ThrowInternal(err, "QUERY-Ou8ue", "Errors.Internal")
|
|
}
|
|
|
|
if checkLoginClient {
|
|
if err = dst.checkLoginClient(ctx); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
return dst, nil
|
|
}
|