mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-15 12:27:59 +00:00
90b908c361
# Which Problems Are Solved Do not push secret succeeded and failed events for API and OIDC clients on the introspection endpoint. On instances where introspection was fequently called, the pushed events created issues on duplicate primary keys, due to collisions on the `sequence` column in the eventstore. As the event pusher retries on this collision and we pushed above mentioned events async, it would create a backpressure of concurrent pushers and effectively cripple an instance. We considered that pushing these events have little value with regards to the audit trail, as we do not push similar events when client assertion is used. Also, before #7657 the events were defined, but not pushed. # How the Problems Are Solved - Removed API secret check succeeded and faild event definitions - Removed OIDC secret check succeeded and faild event definitions - Push only Hash Updated event when needed # Additional Changes - None # Additional Context - Fixes https://github.com/zitadel/zitadel/issues/8479 - Closes https://github.com/zitadel/zitadel/issues/8430 - Intoduced in https://github.com/zitadel/zitadel/pull/7657
445 lines
13 KiB
Go
445 lines
13 KiB
Go
package project
|
|
|
|
import (
|
|
"context"
|
|
"time"
|
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
const (
|
|
OIDCConfigAddedType = applicationEventTypePrefix + "config.oidc.added"
|
|
OIDCConfigChangedType = applicationEventTypePrefix + "config.oidc.changed"
|
|
OIDCConfigSecretChangedType = applicationEventTypePrefix + "config.oidc.secret.changed"
|
|
OIDCConfigSecretHashUpdatedType = applicationEventTypePrefix + "config.oidc.secret.updated"
|
|
)
|
|
|
|
type OIDCConfigAddedEvent struct {
|
|
eventstore.BaseEvent `json:"-"`
|
|
|
|
Version domain.OIDCVersion `json:"oidcVersion,omitempty"`
|
|
AppID string `json:"appId"`
|
|
ClientID string `json:"clientId,omitempty"`
|
|
|
|
// New events only use EncodedHash. However, the ClientSecret field
|
|
// is preserved to handle events older than the switch to Passwap.
|
|
ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
|
|
HashedSecret string `json:"hashedSecret,omitempty"`
|
|
|
|
RedirectUris []string `json:"redirectUris,omitempty"`
|
|
ResponseTypes []domain.OIDCResponseType `json:"responseTypes,omitempty"`
|
|
GrantTypes []domain.OIDCGrantType `json:"grantTypes,omitempty"`
|
|
ApplicationType domain.OIDCApplicationType `json:"applicationType,omitempty"`
|
|
AuthMethodType domain.OIDCAuthMethodType `json:"authMethodType,omitempty"`
|
|
PostLogoutRedirectUris []string `json:"postLogoutRedirectUris,omitempty"`
|
|
DevMode bool `json:"devMode,omitempty"`
|
|
AccessTokenType domain.OIDCTokenType `json:"accessTokenType,omitempty"`
|
|
AccessTokenRoleAssertion bool `json:"accessTokenRoleAssertion,omitempty"`
|
|
IDTokenRoleAssertion bool `json:"idTokenRoleAssertion,omitempty"`
|
|
IDTokenUserinfoAssertion bool `json:"idTokenUserinfoAssertion,omitempty"`
|
|
ClockSkew time.Duration `json:"clockSkew,omitempty"`
|
|
AdditionalOrigins []string `json:"additionalOrigins,omitempty"`
|
|
SkipNativeAppSuccessPage bool `json:"skipNativeAppSuccessPage,omitempty"`
|
|
}
|
|
|
|
func (e *OIDCConfigAddedEvent) Payload() interface{} {
|
|
return e
|
|
}
|
|
|
|
func (e *OIDCConfigAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
|
|
return nil
|
|
}
|
|
|
|
func NewOIDCConfigAddedEvent(
|
|
ctx context.Context,
|
|
aggregate *eventstore.Aggregate,
|
|
version domain.OIDCVersion,
|
|
appID string,
|
|
clientID string,
|
|
hashedSecret string,
|
|
redirectUris []string,
|
|
responseTypes []domain.OIDCResponseType,
|
|
grantTypes []domain.OIDCGrantType,
|
|
applicationType domain.OIDCApplicationType,
|
|
authMethodType domain.OIDCAuthMethodType,
|
|
postLogoutRedirectUris []string,
|
|
devMode bool,
|
|
accessTokenType domain.OIDCTokenType,
|
|
accessTokenRoleAssertion bool,
|
|
idTokenRoleAssertion bool,
|
|
idTokenUserinfoAssertion bool,
|
|
clockSkew time.Duration,
|
|
additionalOrigins []string,
|
|
skipNativeAppSuccessPage bool,
|
|
) *OIDCConfigAddedEvent {
|
|
return &OIDCConfigAddedEvent{
|
|
BaseEvent: *eventstore.NewBaseEventForPush(
|
|
ctx,
|
|
aggregate,
|
|
OIDCConfigAddedType,
|
|
),
|
|
Version: version,
|
|
AppID: appID,
|
|
ClientID: clientID,
|
|
HashedSecret: hashedSecret,
|
|
RedirectUris: redirectUris,
|
|
ResponseTypes: responseTypes,
|
|
GrantTypes: grantTypes,
|
|
ApplicationType: applicationType,
|
|
AuthMethodType: authMethodType,
|
|
PostLogoutRedirectUris: postLogoutRedirectUris,
|
|
DevMode: devMode,
|
|
AccessTokenType: accessTokenType,
|
|
AccessTokenRoleAssertion: accessTokenRoleAssertion,
|
|
IDTokenRoleAssertion: idTokenRoleAssertion,
|
|
IDTokenUserinfoAssertion: idTokenUserinfoAssertion,
|
|
ClockSkew: clockSkew,
|
|
AdditionalOrigins: additionalOrigins,
|
|
SkipNativeAppSuccessPage: skipNativeAppSuccessPage,
|
|
}
|
|
}
|
|
|
|
func (e *OIDCConfigAddedEvent) Validate(cmd eventstore.Command) bool {
|
|
c, ok := cmd.(*OIDCConfigAddedEvent)
|
|
if !ok {
|
|
return false
|
|
}
|
|
|
|
if e.Version != c.Version {
|
|
return false
|
|
}
|
|
if e.AppID != c.AppID {
|
|
return false
|
|
}
|
|
if e.ClientID != c.ClientID {
|
|
return false
|
|
}
|
|
if e.ClientSecret != c.ClientSecret {
|
|
return false
|
|
}
|
|
if len(e.RedirectUris) != len(c.RedirectUris) {
|
|
return false
|
|
}
|
|
for i, uri := range e.RedirectUris {
|
|
if uri != c.RedirectUris[i] {
|
|
return false
|
|
}
|
|
}
|
|
if len(e.ResponseTypes) != len(c.ResponseTypes) {
|
|
return false
|
|
}
|
|
for i, typ := range e.ResponseTypes {
|
|
if typ != c.ResponseTypes[i] {
|
|
return false
|
|
}
|
|
}
|
|
if len(e.GrantTypes) != len(c.GrantTypes) {
|
|
return false
|
|
}
|
|
for i, typ := range e.GrantTypes {
|
|
if typ != c.GrantTypes[i] {
|
|
return false
|
|
}
|
|
}
|
|
if e.ApplicationType != c.ApplicationType {
|
|
return false
|
|
}
|
|
if e.AuthMethodType != c.AuthMethodType {
|
|
return false
|
|
}
|
|
if len(e.PostLogoutRedirectUris) != len(c.PostLogoutRedirectUris) {
|
|
return false
|
|
}
|
|
for i, uri := range e.PostLogoutRedirectUris {
|
|
if uri != c.PostLogoutRedirectUris[i] {
|
|
return false
|
|
}
|
|
}
|
|
if e.DevMode != c.DevMode {
|
|
return false
|
|
}
|
|
if e.AccessTokenType != c.AccessTokenType {
|
|
return false
|
|
}
|
|
if e.AccessTokenRoleAssertion != c.AccessTokenRoleAssertion {
|
|
return false
|
|
}
|
|
if e.IDTokenRoleAssertion != c.IDTokenRoleAssertion {
|
|
return false
|
|
}
|
|
if e.IDTokenUserinfoAssertion != c.IDTokenUserinfoAssertion {
|
|
return false
|
|
}
|
|
if e.ClockSkew != c.ClockSkew {
|
|
return false
|
|
}
|
|
if len(e.AdditionalOrigins) != len(c.AdditionalOrigins) {
|
|
return false
|
|
}
|
|
for i, origin := range e.AdditionalOrigins {
|
|
if origin != c.AdditionalOrigins[i] {
|
|
return false
|
|
}
|
|
}
|
|
return e.SkipNativeAppSuccessPage == c.SkipNativeAppSuccessPage
|
|
}
|
|
|
|
func OIDCConfigAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
|
|
e := &OIDCConfigAddedEvent{
|
|
BaseEvent: *eventstore.BaseEventFromRepo(event),
|
|
}
|
|
|
|
err := event.Unmarshal(e)
|
|
if err != nil {
|
|
return nil, zerrors.ThrowInternal(err, "OIDC-BFd15", "unable to unmarshal oidc config")
|
|
}
|
|
|
|
return e, nil
|
|
}
|
|
|
|
type OIDCConfigChangedEvent struct {
|
|
eventstore.BaseEvent `json:"-"`
|
|
|
|
Version *domain.OIDCVersion `json:"oidcVersion,omitempty"`
|
|
AppID string `json:"appId"`
|
|
RedirectUris *[]string `json:"redirectUris,omitempty"`
|
|
ResponseTypes *[]domain.OIDCResponseType `json:"responseTypes,omitempty"`
|
|
GrantTypes *[]domain.OIDCGrantType `json:"grantTypes,omitempty"`
|
|
ApplicationType *domain.OIDCApplicationType `json:"applicationType,omitempty"`
|
|
AuthMethodType *domain.OIDCAuthMethodType `json:"authMethodType,omitempty"`
|
|
PostLogoutRedirectUris *[]string `json:"postLogoutRedirectUris,omitempty"`
|
|
DevMode *bool `json:"devMode,omitempty"`
|
|
AccessTokenType *domain.OIDCTokenType `json:"accessTokenType,omitempty"`
|
|
AccessTokenRoleAssertion *bool `json:"accessTokenRoleAssertion,omitempty"`
|
|
IDTokenRoleAssertion *bool `json:"idTokenRoleAssertion,omitempty"`
|
|
IDTokenUserinfoAssertion *bool `json:"idTokenUserinfoAssertion,omitempty"`
|
|
ClockSkew *time.Duration `json:"clockSkew,omitempty"`
|
|
AdditionalOrigins *[]string `json:"additionalOrigins,omitempty"`
|
|
SkipNativeAppSuccessPage *bool `json:"skipNativeAppSuccessPage,omitempty"`
|
|
}
|
|
|
|
func (e *OIDCConfigChangedEvent) Payload() interface{} {
|
|
return e
|
|
}
|
|
|
|
func (e *OIDCConfigChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
|
|
return nil
|
|
}
|
|
|
|
func NewOIDCConfigChangedEvent(
|
|
ctx context.Context,
|
|
aggregate *eventstore.Aggregate,
|
|
appID string,
|
|
changes []OIDCConfigChanges,
|
|
) (*OIDCConfigChangedEvent, error) {
|
|
if len(changes) == 0 {
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "OIDC-i8idç", "Errors.NoChangesFound")
|
|
}
|
|
|
|
changeEvent := &OIDCConfigChangedEvent{
|
|
BaseEvent: *eventstore.NewBaseEventForPush(
|
|
ctx,
|
|
aggregate,
|
|
OIDCConfigChangedType,
|
|
),
|
|
AppID: appID,
|
|
}
|
|
for _, change := range changes {
|
|
change(changeEvent)
|
|
}
|
|
return changeEvent, nil
|
|
}
|
|
|
|
type OIDCConfigChanges func(event *OIDCConfigChangedEvent)
|
|
|
|
func ChangeVersion(version domain.OIDCVersion) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.Version = &version
|
|
}
|
|
}
|
|
|
|
func ChangeRedirectURIs(uris []string) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.RedirectUris = &uris
|
|
}
|
|
}
|
|
|
|
func ChangeResponseTypes(responseTypes []domain.OIDCResponseType) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.ResponseTypes = &responseTypes
|
|
}
|
|
}
|
|
|
|
func ChangeGrantTypes(grantTypes []domain.OIDCGrantType) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.GrantTypes = &grantTypes
|
|
}
|
|
}
|
|
|
|
func ChangeApplicationType(appType domain.OIDCApplicationType) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.ApplicationType = &appType
|
|
}
|
|
}
|
|
|
|
func ChangeAuthMethodType(authMethodType domain.OIDCAuthMethodType) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.AuthMethodType = &authMethodType
|
|
}
|
|
}
|
|
|
|
func ChangePostLogoutRedirectURIs(logoutRedirects []string) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.PostLogoutRedirectUris = &logoutRedirects
|
|
}
|
|
}
|
|
|
|
func ChangeDevMode(devMode bool) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.DevMode = &devMode
|
|
}
|
|
}
|
|
|
|
func ChangeAccessTokenType(accessTokenType domain.OIDCTokenType) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.AccessTokenType = &accessTokenType
|
|
}
|
|
}
|
|
|
|
func ChangeAccessTokenRoleAssertion(accessTokenRoleAssertion bool) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.AccessTokenRoleAssertion = &accessTokenRoleAssertion
|
|
}
|
|
}
|
|
|
|
func ChangeIDTokenRoleAssertion(idTokenRoleAssertion bool) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.IDTokenRoleAssertion = &idTokenRoleAssertion
|
|
}
|
|
}
|
|
|
|
func ChangeIDTokenUserinfoAssertion(idTokenUserinfoAssertion bool) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.IDTokenUserinfoAssertion = &idTokenUserinfoAssertion
|
|
}
|
|
}
|
|
|
|
func ChangeClockSkew(clockSkew time.Duration) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.ClockSkew = &clockSkew
|
|
}
|
|
}
|
|
|
|
func ChangeAdditionalOrigins(additionalOrigins []string) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.AdditionalOrigins = &additionalOrigins
|
|
}
|
|
}
|
|
|
|
func ChangeSkipNativeAppSuccessPage(skipNativeAppSuccessPage bool) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.SkipNativeAppSuccessPage = &skipNativeAppSuccessPage
|
|
}
|
|
}
|
|
|
|
func OIDCConfigChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
|
|
e := &OIDCConfigChangedEvent{
|
|
BaseEvent: *eventstore.BaseEventFromRepo(event),
|
|
}
|
|
|
|
err := event.Unmarshal(e)
|
|
if err != nil {
|
|
return nil, zerrors.ThrowInternal(err, "OIDC-BFd15", "unable to unmarshal oidc config")
|
|
}
|
|
|
|
return e, nil
|
|
}
|
|
|
|
type OIDCConfigSecretChangedEvent struct {
|
|
eventstore.BaseEvent `json:"-"`
|
|
|
|
AppID string `json:"appId"`
|
|
|
|
// New events only use EncodedHash. However, the ClientSecret field
|
|
// is preserved to handle events older than the switch to Passwap.
|
|
ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
|
|
HashedSecret string `json:"hashedSecret,omitempty"`
|
|
}
|
|
|
|
func (e *OIDCConfigSecretChangedEvent) Payload() interface{} {
|
|
return e
|
|
}
|
|
|
|
func (e *OIDCConfigSecretChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
|
|
return nil
|
|
}
|
|
|
|
func NewOIDCConfigSecretChangedEvent(
|
|
ctx context.Context,
|
|
aggregate *eventstore.Aggregate,
|
|
appID string,
|
|
hashedSecret string,
|
|
) *OIDCConfigSecretChangedEvent {
|
|
return &OIDCConfigSecretChangedEvent{
|
|
BaseEvent: *eventstore.NewBaseEventForPush(
|
|
ctx,
|
|
aggregate,
|
|
OIDCConfigSecretChangedType,
|
|
),
|
|
AppID: appID,
|
|
HashedSecret: hashedSecret,
|
|
}
|
|
}
|
|
|
|
func OIDCConfigSecretChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
|
|
e := &OIDCConfigSecretChangedEvent{
|
|
BaseEvent: *eventstore.BaseEventFromRepo(event),
|
|
}
|
|
|
|
err := event.Unmarshal(e)
|
|
if err != nil {
|
|
return nil, zerrors.ThrowInternal(err, "OIDC-M893d", "unable to unmarshal oidc config")
|
|
}
|
|
|
|
return e, nil
|
|
}
|
|
|
|
type OIDCConfigSecretHashUpdatedEvent struct {
|
|
*eventstore.BaseEvent `json:"-"`
|
|
|
|
AppID string `json:"appId"`
|
|
HashedSecret string `json:"hashedSecret,omitempty"`
|
|
}
|
|
|
|
func NewOIDCConfigSecretHashUpdatedEvent(
|
|
ctx context.Context,
|
|
aggregate *eventstore.Aggregate,
|
|
appID string,
|
|
hashedSecret string,
|
|
) *OIDCConfigSecretHashUpdatedEvent {
|
|
return &OIDCConfigSecretHashUpdatedEvent{
|
|
BaseEvent: eventstore.NewBaseEventForPush(
|
|
ctx,
|
|
aggregate,
|
|
OIDCConfigSecretHashUpdatedType,
|
|
),
|
|
AppID: appID,
|
|
HashedSecret: hashedSecret,
|
|
}
|
|
}
|
|
|
|
func (e *OIDCConfigSecretHashUpdatedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
|
|
e.BaseEvent = b
|
|
}
|
|
|
|
func (e *OIDCConfigSecretHashUpdatedEvent) Payload() interface{} {
|
|
return e
|
|
}
|
|
|
|
func (e *OIDCConfigSecretHashUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
|
|
return nil
|
|
}
|