mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-14 03:54:21 +00:00
b5564572bc
This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
300 lines
8.0 KiB
Go
300 lines
8.0 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/zitadel/logging"
|
|
|
|
auth_view "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/view"
|
|
caos_errs "github.com/zitadel/zitadel/internal/errors"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
|
|
es_models "github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
|
proj_model "github.com/zitadel/zitadel/internal/project/model"
|
|
project_es_model "github.com/zitadel/zitadel/internal/project/repository/eventsourcing/model"
|
|
proj_view "github.com/zitadel/zitadel/internal/project/repository/view"
|
|
"github.com/zitadel/zitadel/internal/repository/instance"
|
|
"github.com/zitadel/zitadel/internal/repository/org"
|
|
"github.com/zitadel/zitadel/internal/repository/project"
|
|
"github.com/zitadel/zitadel/internal/repository/user"
|
|
view_model "github.com/zitadel/zitadel/internal/user/repository/view/model"
|
|
)
|
|
|
|
const (
|
|
tokenTable = "auth.tokens"
|
|
)
|
|
|
|
var _ handler.Projection = (*Token)(nil)
|
|
|
|
type Token struct {
|
|
view *auth_view.View
|
|
es handler.EventStore
|
|
}
|
|
|
|
func newToken(
|
|
ctx context.Context,
|
|
config handler.Config,
|
|
view *auth_view.View,
|
|
) *handler.Handler {
|
|
return handler.NewHandler(
|
|
ctx,
|
|
&config,
|
|
&Token{
|
|
view: view,
|
|
es: config.Eventstore,
|
|
},
|
|
)
|
|
}
|
|
|
|
// Name implements [handler.Projection]
|
|
func (*Token) Name() string {
|
|
return tokenTable
|
|
}
|
|
|
|
// Reducers implements [handler.Projection]
|
|
func (t *Token) Reducers() []handler.AggregateReducer {
|
|
return []handler.AggregateReducer{
|
|
{
|
|
Aggregate: user.AggregateType,
|
|
EventReducers: []handler.EventReducer{
|
|
{
|
|
Event: user.PersonalAccessTokenAddedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: user.UserTokenAddedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: user.UserV1ProfileChangedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: user.HumanProfileChangedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: user.UserV1SignedOutType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: user.HumanSignedOutType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: user.UserLockedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: user.UserDeactivatedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: user.UserRemovedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: user.UserTokenRemovedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: user.PersonalAccessTokenRemovedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: user.HumanRefreshTokenRemovedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Aggregate: project.AggregateType,
|
|
EventReducers: []handler.EventReducer{
|
|
{
|
|
Event: project.ApplicationDeactivatedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: project.ApplicationRemovedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: project.ProjectDeactivatedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
{
|
|
Event: project.ProjectRemovedType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Aggregate: org.AggregateType,
|
|
EventReducers: []handler.EventReducer{
|
|
{
|
|
Event: org.OrgRemovedEventType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Aggregate: instance.AggregateType,
|
|
EventReducers: []handler.EventReducer{
|
|
{
|
|
Event: instance.InstanceRemovedEventType,
|
|
Reduce: t.Reduce,
|
|
},
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func (t *Token) Reduce(event eventstore.Event) (_ *handler.Statement, err error) { //nolint:gocognit
|
|
return handler.NewStatement(event, func(ex handler.Executer, projectionName string) error {
|
|
switch event.Type() {
|
|
case user.UserTokenAddedType,
|
|
user.PersonalAccessTokenAddedType:
|
|
token := new(view_model.TokenView)
|
|
err := token.AppendEvent(event)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return t.view.PutToken(token)
|
|
case user.UserV1ProfileChangedType,
|
|
user.HumanProfileChangedType:
|
|
user := new(view_model.UserView)
|
|
err := user.AppendEvent(event)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
tokens, err := t.view.TokensByUserID(event.Aggregate().ID, event.Aggregate().InstanceID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, token := range tokens {
|
|
token.PreferredLanguage = user.PreferredLanguage
|
|
}
|
|
return t.view.PutTokens(tokens)
|
|
case user.UserV1SignedOutType,
|
|
user.HumanSignedOutType:
|
|
id, err := agentIDFromSession(event)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return t.view.DeleteSessionTokens(id, event)
|
|
case user.UserLockedType,
|
|
user.UserDeactivatedType,
|
|
user.UserRemovedType:
|
|
|
|
return t.view.DeleteUserTokens(event)
|
|
case user.UserTokenRemovedType,
|
|
user.PersonalAccessTokenRemovedType:
|
|
id, err := tokenIDFromRemovedEvent(event)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return t.view.DeleteToken(id, event.Aggregate().InstanceID)
|
|
case user.HumanRefreshTokenRemovedType:
|
|
id, err := refreshTokenIDFromRemovedEvent(event)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return t.view.DeleteTokensFromRefreshToken(id, event.Aggregate().InstanceID)
|
|
case project.ApplicationDeactivatedType,
|
|
project.ApplicationRemovedType:
|
|
application, err := applicationFromSession(event)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return t.view.DeleteApplicationTokens(event, application.AppID)
|
|
case project.ProjectDeactivatedType,
|
|
project.ProjectRemovedType:
|
|
project, err := t.getProjectByID(context.Background(), event.Aggregate().ID, event.Aggregate().InstanceID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
applicationIDs := make([]string, 0, len(project.Applications))
|
|
for _, app := range project.Applications {
|
|
if app.OIDCConfig != nil {
|
|
applicationIDs = append(applicationIDs, app.OIDCConfig.ClientID)
|
|
}
|
|
}
|
|
|
|
return t.view.DeleteApplicationTokens(event, applicationIDs...)
|
|
case instance.InstanceRemovedEventType:
|
|
return t.view.DeleteInstanceTokens(event)
|
|
case org.OrgRemovedEventType:
|
|
// deletes all tokens including PATs, which is expected for now
|
|
// if there is an undo of the org deletion in the future,
|
|
// we will need to have a look on how to handle the deleted PATs
|
|
return t.view.DeleteOrgTokens(event)
|
|
default:
|
|
return nil
|
|
}
|
|
}), nil
|
|
}
|
|
|
|
func agentIDFromSession(event eventstore.Event) (string, error) {
|
|
session := make(map[string]interface{})
|
|
if err := event.Unmarshal(&session); err != nil {
|
|
logging.WithError(err).Error("could not unmarshal event data")
|
|
return "", caos_errs.ThrowInternal(nil, "MODEL-sd325", "could not unmarshal data")
|
|
}
|
|
return session["userAgentID"].(string), nil
|
|
}
|
|
|
|
func applicationFromSession(event eventstore.Event) (*project_es_model.Application, error) {
|
|
application := new(project_es_model.Application)
|
|
if err := event.Unmarshal(application); err != nil {
|
|
logging.WithError(err).Error("could not unmarshal event data")
|
|
return nil, caos_errs.ThrowInternal(nil, "MODEL-Hrw1q", "could not unmarshal data")
|
|
}
|
|
return application, nil
|
|
}
|
|
|
|
func tokenIDFromRemovedEvent(event eventstore.Event) (string, error) {
|
|
removed := make(map[string]interface{})
|
|
if err := event.Unmarshal(&removed); err != nil {
|
|
logging.WithError(err).Error("could not unmarshal event data")
|
|
return "", caos_errs.ThrowInternal(nil, "MODEL-Sff32", "could not unmarshal data")
|
|
}
|
|
return removed["tokenId"].(string), nil
|
|
}
|
|
|
|
func refreshTokenIDFromRemovedEvent(event eventstore.Event) (string, error) {
|
|
removed := make(map[string]interface{})
|
|
if err := event.Unmarshal(&removed); err != nil {
|
|
logging.WithError(err).Error("could not unmarshal event data")
|
|
return "", caos_errs.ThrowInternal(nil, "MODEL-Dfb3w", "could not unmarshal data")
|
|
}
|
|
return removed["tokenId"].(string), nil
|
|
}
|
|
|
|
func (t *Token) getProjectByID(ctx context.Context, projID, instanceID string) (*proj_model.Project, error) {
|
|
query, err := proj_view.ProjectByIDQuery(projID, instanceID, 0)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
esProject := &project_es_model.Project{
|
|
ObjectRoot: es_models.ObjectRoot{
|
|
AggregateID: projID,
|
|
},
|
|
}
|
|
events, err := t.es.Filter(ctx, query)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if err = esProject.AppendEvents(events...); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if esProject.Sequence == 0 {
|
|
return nil, caos_errs.ThrowNotFound(nil, "EVENT-Dsdw2", "Errors.Project.NotFound")
|
|
}
|
|
return project_es_model.ProjectToModel(esProject), nil
|
|
}
|