vikunja/vikunja
7
43
Fork 73
Code Issues 151 Pull Requests 16 Packages Releases 32 Activity

Compare commits

base: vikunja:71d729dc012d7113382ce52cdc6ef2d4c0f1cab7
Branches Tags
vikunja:main
vikunja:renovate/node-20.x
vikunja:renovate/goreleaser-nfpm-2.x
vikunja:renovate/github-hotkey-3.x
vikunja:renovate/golangci-golangci-lint-1.x
vikunja:renovate/camel-case-5.x
vikunja:renovate/lowlight-3.x
vikunja:renovate/golang.org-x-sync-0.x
vikunja:renovate/major-dev-dependencies
vikunja:renovate/github.com-wneessen-go-mail-0.x
vikunja:feature/better-filter-syntax
vikunja:fix/tiptap-task-list
vikunja:renovate/flexsearch-0.x
vikunja:feature/zod-schema
vikunja:renovate/github.com-typesense-typesense-go-1.x
vikunja:renovate/github.com-golang-jwt-jwt-v4-5.x
vikunja:feature/hide-forbidden-related-tasks
vikunja:renovate/golang-1.x
vikunja:release/0.20
vikunja:release/0.17
vikunja:release/0.16
vikunja:release/0.15
vikunja:release/0.14
vikunja:release/0.13
vikunja:v0.23.0
vikunja:v0.22.1
vikunja:v0.22.0
vikunja:v0.21.0
vikunja:v0.20.4
vikunja:v0.20.3
vikunja:v0.20.2
vikunja:v0.20.1
vikunja:v0.20.0
vikunja:v0.19.2
vikunja:v0.19.1
vikunja:v0.19.0
vikunja:v0.18.1
vikunja:v0.18.0
vikunja:v0.17.1
vikunja:v0.17.0
vikunja:v0.16.1
vikunja:v0.16.0
vikunja:v0.15.1
vikunja:v0.15.0
vikunja:v0.14.1
vikunja:v0.14.0
vikunja:v0.13.1
vikunja:v0.13
vikunja:v0.12
vikunja:v0.11
vikunja:v0.10
vikunja:v0.9
vikunja:v0.8
vikunja:v0.7
vikunja:v0.6
vikunja:v0.5
vikunja:v0.4
vikunja:v0.3
vikunja:v0.2
vikunja:v0.1
...
compare: vikunja:3e068f0142eef9743f64a8a4934df6ec9463ba64
Branches Tags
vikunja:main
vikunja:renovate/node-20.x
vikunja:renovate/goreleaser-nfpm-2.x
vikunja:renovate/github-hotkey-3.x
vikunja:renovate/golangci-golangci-lint-1.x
vikunja:renovate/camel-case-5.x
vikunja:renovate/lowlight-3.x
vikunja:renovate/golang.org-x-sync-0.x
vikunja:renovate/major-dev-dependencies
vikunja:renovate/github.com-wneessen-go-mail-0.x
vikunja:feature/better-filter-syntax
vikunja:fix/tiptap-task-list
vikunja:renovate/flexsearch-0.x
vikunja:feature/zod-schema
vikunja:renovate/github.com-typesense-typesense-go-1.x
vikunja:renovate/github.com-golang-jwt-jwt-v4-5.x
vikunja:feature/hide-forbidden-related-tasks
vikunja:renovate/golang-1.x
vikunja:release/0.20
vikunja:release/0.17
vikunja:release/0.16
vikunja:release/0.15
vikunja:release/0.14
vikunja:release/0.13
vikunja:v0.23.0
vikunja:v0.22.1
vikunja:v0.22.0
vikunja:v0.21.0
vikunja:v0.20.4
vikunja:v0.20.3
vikunja:v0.20.2
vikunja:v0.20.1
vikunja:v0.20.0
vikunja:v0.19.2
vikunja:v0.19.1
vikunja:v0.19.0
vikunja:v0.18.1
vikunja:v0.18.0
vikunja:v0.17.1
vikunja:v0.17.0
vikunja:v0.16.1
vikunja:v0.16.0
vikunja:v0.15.1
vikunja:v0.15.0
vikunja:v0.14.1
vikunja:v0.14.0
vikunja:v0.13.1
vikunja:v0.13
vikunja:v0.12
vikunja:v0.11
vikunja:v0.10
vikunja:v0.9
vikunja:v0.8
vikunja:v0.7
vikunja:v0.6
vikunja:v0.5
vikunja:v0.4
vikunja:v0.3
vikunja:v0.2
vikunja:v0.1

6 Commits
71d729dc01 ... 3e068f0142

Author SHA1 Message Date
Daniel Herrmann
3e068f0142 Revert "refactor: move logic to create a team outside of Create and add additional parameter to control default admin behaviour"
All checks were successful
continuous-integration/drone/pr Build is passing
Details 
This reverts commit 3bad0afbc3.
 2024-03-04 19:03:32 +00:00
Daniel Herrmann
a2fab50dd3 refactor: move logic to create a team outside of Create and add additional parameter to control default admin behaviour 2024-03-04 19:03:32 +00:00
Daniel Herrmann
f53ed3b45e fix: wording in error message 2024-03-04 19:03:32 +00:00
Daniel Herrmann
7adf75487b fix: OIDC team IDs should be bound to an issuer 
This commit introduces changes to make sure that (a) the Team name is no longer used when comparing teams for existence and (b) the issuer if stored instead, as the oidcID is only guaranteed to be unique within the same provider
 2024-03-04 19:03:32 +00:00
Daniel Herrmann
144f142acc fix: OIDC team comparison should not include the team name 2024-03-04 19:03:32 +00:00
renovate
87ac9e261f fix(deps): update module golang.org/x/term to v0.18.0
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2024-03-04 18:06:30 +00:00
8 changed files with 71 additions and 22 deletions
Show Stats Expand all files Collapse all files

2
go.mod
View File

@ -71,7 +71,7 @@ require (
golang.org/x/oauth2 v0.17.0
golang.org/x/sync v0.6.0
golang.org/x/sys v0.18.0
golang.org/x/term v0.17.0
golang.org/x/term v0.18.0
golang.org/x/text v0.14.0
gopkg.in/d4l3k/messagediff.v1 v1.2.1
gopkg.in/yaml.v3 v3.0.1

2
go.sum
View File

@ -741,6 +741,8 @@ golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

3
pkg/db/fixtures/teams.yml
View File

@ -32,4 +32,5 @@
- id: 14
name: testteam14
created_by_id: 7
oidc_id: 14
oidc_id: 14
issuer: "https://some.issuer"

43
pkg/migration/20240304153738.go Normal file
View File

@ -0,0 +1,43 @@
// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public Licensee as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public Licensee for more details.
//
// You should have received a copy of the GNU Affero General Public Licensee
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package migration
import (
"src.techknowlogick.com/xormigrate"
"xorm.io/xorm"
)
type teams20240304153738 struct {
Issuer string `xorm:"text null" json:"-"`
}
func (teams20240304153738) TableName() string {
return "teams"
}
func init() {
migrations = append(migrations, &xormigrate.Migration{
ID: "20240304153738",
Description: "Add issuer column to teams to track the OIDC provider this issue has bene created by",
Migrate: func(tx *xorm.Engine) error {
return tx.Sync2(teams20240304153738{})
},
Rollback: func(tx *xorm.Engine) error {
return nil
},
})
}

8
pkg/models/error.go
View File

@ -1177,10 +1177,10 @@ func (err ErrTeamDoesNotHaveAccessToProject) HTTPError() web.HTTPError {
return web.HTTPError{HTTPCode: http.StatusForbidden, Code: ErrCodeTeamDoesNotHaveAccessToProject, Message: "This team does not have access to the project."}
}
// ErrOIDCTeamDoesNotExist represents an error where a team with specified name and specified oidcId property does not exist
// ErrOIDCTeamDoesNotExist represents an error where a team with specified oidcId property does not exist for a given issuer
type ErrOIDCTeamDoesNotExist struct {
OidcID string
Name string
Issuer string
}
// IsErrOIDCTeamDoesNotExist checks if an error is ErrOIDCTeamDoesNotExist.
@ -1191,7 +1191,7 @@ func IsErrOIDCTeamDoesNotExist(err error) bool {
// ErrTeamDoesNotExist represents an error where a team does not exist
func (err ErrOIDCTeamDoesNotExist) Error() string {
return fmt.Sprintf("No team with that name and valid oidcId could be found. [Team Name: %v] [OidcID : %v] ", err.Name, err.OidcID)
return fmt.Sprintf("No team could be found for the given oidcId and issuer. [OIDC ID : %v] [Issuer: %v] ", err.OidcID, err.Issuer)
}
// ErrCodeTeamDoesNotExist holds the unique world-error code of this error
@ -1199,7 +1199,7 @@ const ErrCodeOIDCTeamDoesNotExist = 6008
// HTTPError holds the http error description
func (err ErrOIDCTeamDoesNotExist) HTTPError() web.HTTPError {
return web.HTTPError{HTTPCode: http.StatusNotFound, Code: ErrCodeTeamDoesNotExist, Message: "No team with that name and valid oidcId could be found."}
return web.HTTPError{HTTPCode: http.StatusNotFound, Code: ErrCodeTeamDoesNotExist, Message: "No team could be found for the given OIDC ID and issuer."}
}
// ErrOIDCTeamsDoNotExistForUser represents an error where an oidcTeam does not exist for the user

10
pkg/models/teams.go
View File

@ -40,6 +40,8 @@ type Team struct {
CreatedByID int64 `xorm:"bigint not null INDEX" json:"-"`
// The team's oidc id delivered by the oidc provider
OidcID string `xorm:"varchar(250) null" maxLength:"250" json:"oidc_id"`
// Contains the issuer extracted from the vikunja_groups claim if this team was created through oidc
Issuer string `xorm:"text null" json:"-"`
// The user who created this team.
CreatedBy *user.User `xorm:"-" json:"created_by"`
@ -129,16 +131,16 @@ func GetTeamByID(s *xorm.Session, id int64) (team *Team, err error) {
return
}
// GetTeamByOidcIDAndName gets teams where oidc_id and name match parameters
// GetTeamByOidcID returns a team matching the given oidc_id
// For oidc team creation oidcID and Name need to be set
func GetTeamByOidcIDAndName(s *xorm.Session, oidcID string, teamName string) (*Team, error) {
func GetTeamByOidcIDAndIssuer(s *xorm.Session, oidcID string, issuer string) (*Team, error) {
team := &Team{}
has, err := s.
Table("teams").
Where("oidc_id = ? AND name = ?", oidcID, teamName).
Where("oidc_id = ? AND issuer = ?", oidcID, issuer).
Get(team)
if !has || err != nil {
return nil, ErrOIDCTeamDoesNotExist{teamName, oidcID}
return nil, ErrOIDCTeamDoesNotExist{issuer, oidcID}
}
return team, nil
}

17
pkg/modules/auth/openid/openid.go
View File

@ -215,7 +215,7 @@ func HandleCallback(c echo.Context) error {
if err != nil {
log.Debugf("No oidc teams found for user %v", err)
}
oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData, idToken.Issuer)
if err != nil {
log.Errorf("Could not proceed with group routine %v", err)
}
@ -241,13 +241,13 @@ func HandleCallback(c echo.Context) error {
return auth.NewUserAuthTokenResponse(u, c, false)
}
func AssignOrCreateUserToTeams(s *xorm.Session, u *user.User, teamData []*models.OIDCTeam) (oidcTeams []int64, err error) {
func AssignOrCreateUserToTeams(s *xorm.Session, u *user.User, teamData []*models.OIDCTeam, issuer string) (oidcTeams []int64, err error) {
if len(teamData) == 0 {
return
}
// check if we have seen these teams before.
// find or create Teams and assign user as teammember.
teams, err := GetOrCreateTeamsByOIDCAndNames(s, teamData, u)
teams, err := GetOrCreateTeamsByOIDC(s, teamData, u, issuer)
if err != nil {
log.Errorf("Error verifying team for %v, got %v. Error: %v", u.Name, teams, err)
return nil, err
@ -333,28 +333,29 @@ func getOIDCTeamName(name string) string {
return name + " (OIDC)"
}
func CreateOIDCTeam(s *xorm.Session, teamData *models.OIDCTeam, u *user.User) (team *models.Team, err error) {
func CreateOIDCTeam(s *xorm.Session, teamData *models.OIDCTeam, u *user.User, issuer string) (team *models.Team, err error) {
team = &models.Team{
Name: getOIDCTeamName(teamData.Name),
Description: teamData.Description,
OidcID: teamData.OidcID,
Issuer: issuer,
}
err = team.Create(s, u)
return team, err
}
// GetOrCreateTeamsByOIDCAndNames returns a slice of teams which were generated from the oidc data. If a team did not exist previously it is automatically created.
func GetOrCreateTeamsByOIDCAndNames(s *xorm.Session, teamData []*models.OIDCTeam, u *user.User) (te []*models.Team, err error) {
// GetOrCreateTeamsByOIDC returns a slice of teams which were generated from the oidc data. If a team did not exist previously it is automatically created.
func GetOrCreateTeamsByOIDC(s *xorm.Session, teamData []*models.OIDCTeam, u *user.User, issuer string) (te []*models.Team, err error) {
te = []*models.Team{}
// Procedure can only be successful if oidcID is set
for _, oidcTeam := range teamData {
team, err := models.GetTeamByOidcIDAndName(s, oidcTeam.OidcID, oidcTeam.Name)
team, err := models.GetTeamByOidcIDAndIssuer(s, oidcTeam.OidcID, issuer)
if err != nil && !models.IsErrOIDCTeamDoesNotExist(err) {
return nil, err
}
if err != nil && models.IsErrOIDCTeamDoesNotExist(err) {
log.Debugf("Team with oidc_id %v and name %v does not exist. Creating team… ", oidcTeam.OidcID, oidcTeam.Name)
newTeam, err := CreateOIDCTeam(s, oidcTeam, u)
newTeam, err := CreateOIDCTeam(s, oidcTeam, u, issuer)
if err != nil {
return te, err
}

8
pkg/modules/auth/openid/openid_test.go
View File

@ -118,7 +118,7 @@ func TestGetOrCreateUser(t *testing.T) {
require.NoError(t, err)
}
require.NoError(t, err)
oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData, "https://some.issuer")
require.NoError(t, err)
err = s.Commit()
require.NoError(t, err)
@ -152,7 +152,7 @@ func TestGetOrCreateUser(t *testing.T) {
for _, err := range errs {
require.NoError(t, err)
}
oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData, "https://some.issuer")
require.NoError(t, err)
err = s.Commit()
require.NoError(t, err)
@ -181,7 +181,7 @@ func TestGetOrCreateUser(t *testing.T) {
}
oldOidcTeams, err := models.FindAllOidcTeamIDsForUser(s, u.ID)
require.NoError(t, err)
oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData, "https://some.issuer")
require.NoError(t, err)
teamIDsToLeave := utils.NotIn(oldOidcTeams, oidcTeams)
require.NoError(t, err)
@ -222,7 +222,7 @@ func TestGetOrCreateUser(t *testing.T) {
}
oldOidcTeams, err := models.FindAllOidcTeamIDsForUser(s, u.ID)
require.NoError(t, err)
oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData, "https://some.issuer")
require.NoError(t, err)
teamIDsToLeave := utils.NotIn(oldOidcTeams, oidcTeams)
require.NoError(t, err)