mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-06 19:36:41 +00:00
a3dac4d5cd
# Which Problems Are Solved
When a SAML IDP is created, the signing algorithm defaults to
`RSA-SHA1`.
This PR adds the functionality to configure the signing algorithm while
creating or updating a SAML IDP. When nothing is specified, `RSA-SHA1`
is the default.
Available options:
* RSA_SHA1
* RSA_SHA256
* RSA_SHA512
# How the Problems Are Solved
By introducing a new optional config to specify the Signing Algorithm.
# Additional Changes
N/A
# Additional Context
- Closes #9842
An existing bug in the UpdateSAMLProvider API will be fixed as a
followup in a different
[PR](https://github.com/zitadel/zitadel/pull/10557).
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit 255d42da65)
203 lines
6.3 KiB
Go
203 lines
6.3 KiB
Go
package idp
|
|
|
|
import (
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
type SAMLIDPAddedEvent struct {
|
|
eventstore.BaseEvent `json:"-"`
|
|
|
|
ID string `json:"id"`
|
|
Name string `json:"name,omitempty"`
|
|
Metadata []byte `json:"metadata,omitempty"`
|
|
Key *crypto.CryptoValue `json:"key,omitempty"`
|
|
Certificate []byte `json:"certificate,omitempty"`
|
|
Binding string `json:"binding,omitempty"`
|
|
SignatureAlgorithm string `json:"signatureAlgorithm,omitempty"`
|
|
WithSignedRequest bool `json:"withSignedRequest,omitempty"`
|
|
NameIDFormat *domain.SAMLNameIDFormat `json:"nameIDFormat,omitempty"`
|
|
TransientMappingAttributeName string `json:"transientMappingAttributeName,omitempty"`
|
|
FederatedLogoutEnabled bool `json:"federatedLogoutEnabled,omitempty"`
|
|
Options
|
|
}
|
|
|
|
func NewSAMLIDPAddedEvent(
|
|
base *eventstore.BaseEvent,
|
|
id,
|
|
name string,
|
|
metadata []byte,
|
|
key *crypto.CryptoValue,
|
|
certificate []byte,
|
|
binding string,
|
|
withSignedRequest bool,
|
|
signatureAlgorithm string,
|
|
nameIDFormat *domain.SAMLNameIDFormat,
|
|
transientMappingAttributeName string,
|
|
federatedLogoutEnabled bool,
|
|
options Options,
|
|
) *SAMLIDPAddedEvent {
|
|
return &SAMLIDPAddedEvent{
|
|
BaseEvent: *base,
|
|
ID: id,
|
|
Name: name,
|
|
Metadata: metadata,
|
|
Key: key,
|
|
Certificate: certificate,
|
|
Binding: binding,
|
|
WithSignedRequest: withSignedRequest,
|
|
SignatureAlgorithm: signatureAlgorithm,
|
|
NameIDFormat: nameIDFormat,
|
|
TransientMappingAttributeName: transientMappingAttributeName,
|
|
FederatedLogoutEnabled: federatedLogoutEnabled,
|
|
Options: options,
|
|
}
|
|
}
|
|
|
|
func (e *SAMLIDPAddedEvent) Payload() interface{} {
|
|
return e
|
|
}
|
|
|
|
func (e *SAMLIDPAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
|
|
return nil
|
|
}
|
|
|
|
func SAMLIDPAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
|
|
e := &SAMLIDPAddedEvent{
|
|
BaseEvent: *eventstore.BaseEventFromRepo(event),
|
|
}
|
|
|
|
err := event.Unmarshal(e)
|
|
if err != nil {
|
|
return nil, zerrors.ThrowInternal(err, "IDP-v9uajo3k71", "unable to unmarshal event")
|
|
}
|
|
|
|
return e, nil
|
|
}
|
|
|
|
type SAMLIDPChangedEvent struct {
|
|
eventstore.BaseEvent `json:"-"`
|
|
|
|
ID string `json:"id"`
|
|
Name *string `json:"name,omitempty"`
|
|
Metadata []byte `json:"metadata,omitempty"`
|
|
Key *crypto.CryptoValue `json:"key,omitempty"`
|
|
Certificate []byte `json:"certificate,omitempty"`
|
|
Binding *string `json:"binding,omitempty"`
|
|
WithSignedRequest *bool `json:"withSignedRequest,omitempty"`
|
|
SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty"`
|
|
NameIDFormat *domain.SAMLNameIDFormat `json:"nameIDFormat,omitempty"`
|
|
TransientMappingAttributeName *string `json:"transientMappingAttributeName,omitempty"`
|
|
FederatedLogoutEnabled *bool `json:"federatedLogoutEnabled,omitempty"`
|
|
OptionChanges
|
|
}
|
|
|
|
func NewSAMLIDPChangedEvent(
|
|
base *eventstore.BaseEvent,
|
|
id string,
|
|
changes []SAMLIDPChanges,
|
|
) (*SAMLIDPChangedEvent, error) {
|
|
if len(changes) == 0 {
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "IDP-cz6mnf860t", "Errors.NoChangesFound")
|
|
}
|
|
changedEvent := &SAMLIDPChangedEvent{
|
|
BaseEvent: *base,
|
|
ID: id,
|
|
}
|
|
for _, change := range changes {
|
|
change(changedEvent)
|
|
}
|
|
return changedEvent, nil
|
|
}
|
|
|
|
type SAMLIDPChanges func(*SAMLIDPChangedEvent)
|
|
|
|
func ChangeSAMLName(name string) func(*SAMLIDPChangedEvent) {
|
|
return func(e *SAMLIDPChangedEvent) {
|
|
e.Name = &name
|
|
}
|
|
}
|
|
|
|
func ChangeSAMLMetadata(metadata []byte) func(*SAMLIDPChangedEvent) {
|
|
return func(e *SAMLIDPChangedEvent) {
|
|
e.Metadata = metadata
|
|
}
|
|
}
|
|
|
|
func ChangeSAMLKey(key *crypto.CryptoValue) func(*SAMLIDPChangedEvent) {
|
|
return func(e *SAMLIDPChangedEvent) {
|
|
e.Key = key
|
|
}
|
|
}
|
|
|
|
func ChangeSAMLCertificate(certificate []byte) func(*SAMLIDPChangedEvent) {
|
|
return func(e *SAMLIDPChangedEvent) {
|
|
e.Certificate = certificate
|
|
}
|
|
}
|
|
|
|
func ChangeSAMLBinding(binding string) func(*SAMLIDPChangedEvent) {
|
|
return func(e *SAMLIDPChangedEvent) {
|
|
e.Binding = &binding
|
|
}
|
|
}
|
|
|
|
func ChangeSAMLWithSignedRequest(withSignedRequest bool) func(*SAMLIDPChangedEvent) {
|
|
return func(e *SAMLIDPChangedEvent) {
|
|
e.WithSignedRequest = &withSignedRequest
|
|
}
|
|
}
|
|
|
|
func ChangeSAMLSignatureAlgorithm(signatureAlgorithm string) func(*SAMLIDPChangedEvent) {
|
|
return func(e *SAMLIDPChangedEvent) {
|
|
e.SignatureAlgorithm = &signatureAlgorithm
|
|
}
|
|
}
|
|
|
|
func ChangeSAMLNameIDFormat(nameIDFormat *domain.SAMLNameIDFormat) func(*SAMLIDPChangedEvent) {
|
|
return func(e *SAMLIDPChangedEvent) {
|
|
e.NameIDFormat = nameIDFormat
|
|
}
|
|
}
|
|
|
|
func ChangeSAMLTransientMappingAttributeName(name string) func(*SAMLIDPChangedEvent) {
|
|
return func(e *SAMLIDPChangedEvent) {
|
|
e.TransientMappingAttributeName = &name
|
|
}
|
|
}
|
|
|
|
func ChangeSAMLFederatedLogoutEnabled(federatedLogoutEnabled bool) func(*SAMLIDPChangedEvent) {
|
|
return func(e *SAMLIDPChangedEvent) {
|
|
e.FederatedLogoutEnabled = &federatedLogoutEnabled
|
|
}
|
|
}
|
|
|
|
func ChangeSAMLOptions(options OptionChanges) func(*SAMLIDPChangedEvent) {
|
|
return func(e *SAMLIDPChangedEvent) {
|
|
e.OptionChanges = options
|
|
}
|
|
}
|
|
|
|
func (e *SAMLIDPChangedEvent) Payload() interface{} {
|
|
return e
|
|
}
|
|
|
|
func (e *SAMLIDPChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
|
|
return nil
|
|
}
|
|
|
|
func SAMLIDPChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
|
|
e := &SAMLIDPChangedEvent{
|
|
BaseEvent: *eventstore.BaseEventFromRepo(event),
|
|
}
|
|
|
|
err := event.Unmarshal(e)
|
|
if err != nil {
|
|
return nil, zerrors.ThrowInternal(err, "IDP-w1t1824tw5", "unable to unmarshal event")
|
|
}
|
|
|
|
return e, nil
|
|
}
|