Merge pull request #104 from zitadel/oidc-settings

feat: make oidc settings managable
zitadel · Jun 2, 2023 · 6b35071 · 6b35071
2 parents 587149a + c56b443
commit 6b35071
Show file tree

Hide file tree

Showing 28 changed files with 568 additions and 375 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -27,7 +27,7 @@ export ZITADEL_DEV_UID="$(id -u)"
 docker compose --file ./acceptance/docker-compose.yaml pull
 
 # Setup ZITADEL
-docker compose --file ./acceptance/docker-compose.yaml run wait_for_zitadel
+docker compose --file ./acceptance/docker-compose.yaml run setup
 ```
 
 Run the accepance tests using the machine key generated by ZITADEL.

diff --git a/acceptance/Dockerfile b/acceptance/Dockerfile
@@ -0,0 +1,6 @@
+FROM golang:1.19-alpine
+RUN apk add curl jq
+RUN go install github.com/zitadel/[email protected]
+COPY setup.sh /setup.sh
+RUN chmod +x /setup.sh
+ENTRYPOINT [ "/setup.sh" ]
diff --git a/acceptance/docker-compose.yaml b/acceptance/docker-compose.yaml
@@ -32,3 +32,16 @@ services:
     command: [ "/bin/sh", "-c", "i=0; while ! curl http://zitadel:8080/debug/ready && [ $$i -lt 30 ]; do sleep 1; i=$$((i+1)); done; [ $$i -eq 30 ] && exit 1 || exit 0" ]
     depends_on:
       - zitadel
+
+  setup:
+    user: '${ZITADEL_DEV_UID}'
+    container_name: setup
+    build: .
+    environment:
+      KEY: /key/zitadel-admin-sa.json
+      SERVICE: http://zitadel:8080
+    volumes:
+      - "./machinekey:/key"
+    depends_on:
+      wait_for_zitadel:
+        condition: 'service_completed_successfully'
diff --git a/acceptance/setup.sh b/acceptance/setup.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+
+set -e
+
+KEY=${KEY:-./machinekey/zitadel-admin-sa.json}
+echo "Using key path ${KEY} to the instance admin service account."
+
+AUDIENCE=${AUDIENCE:-http://localhost:8080}
+echo "Using audience ${AUDIENCE} for which the key is used."
+
+SERVICE=${SERVICE:-$AUDIENCE}
+echo "Using the service ${SERVICE} to connect to ZITADEL. For example in docker compose this can differ from the audience."
+
+AUDIENCE_HOST="$(echo $AUDIENCE | cut -d/ -f3)"
+echo "Deferred the Host header ${AUDIENCE_HOST} which will be sent in requests that ZITADEL then maps to a virtual instance"
+
+JWT=$(zitadel-tools key2jwt --key ${KEY} --audience ${AUDIENCE})
+echo "Created JWT from Admin service account key ${JWT}"
+
+TOKEN_RESPONSE=$(curl -s --request POST \
+  --url ${SERVICE}/oauth/v2/token \
+  --header 'Content-Type: application/x-www-form-urlencoded' \
+  --header "Host: ${AUDIENCE_HOST}" \
+  --data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
+  --data scope='openid profile email urn:zitadel:iam:org:project:id:zitadel:aud' \
+  --data assertion="${JWT}")
+echo "Got response from token endpoint:"
+echo "${TOKEN_RESPONSE}" | jq
+
+TOKEN=$(echo -n ${TOKEN_RESPONSE} | jq --raw-output '.access_token')
+echo "Extracted access token ${TOKEN}"
+
+ORG_RESPONSE=$(curl -s --request GET \
+  --url ${SERVICE}/admin/v1/orgs/default \
+  --header 'Accept: application/json' \
+  --header "Authorization: Bearer ${TOKEN}" \
+  --header "Host: ${AUDIENCE_HOST}")
+echo "Got default org response:"
+echo "${ORG_RESPONSE}" | jq
+
+ORG_ID=$(echo -n ${ORG_RESPONSE} | jq --raw-output '.org.id')
+echo "Extracted default org id ${ORG_ID}"
+
+HUMAN_USER_USERNAME="[email protected]"
+HUMAN_USER_PASSWORD="Password1!"
+
+HUMAN_USER_PAYLOAD=$(cat << EOM
+{
+  "userName": "${HUMAN_USER_USERNAME}",
+  "profile": {
+    "firstName": "ZITADEL",
+    "lastName": "Admin",
+    "displayName": "ZITADEL Admin",
+    "preferredLanguage": "en"
+  },
+  "email": {
+    "email": "[email protected]",
+    "isEmailVerified": true
+  },
+  "password": "${HUMAN_USER_PASSWORD}",
+  "passwordChangeRequired": false
+}
+EOM
+)
+echo "Creating human user"
+echo "${HUMAN_USER_PAYLOAD}" | jq
+
+HUMAN_USER_RESPONSE=$(curl -s --request POST \
+  --url ${SERVICE}/management/v1/users/human/_import \
+  --header 'Content-Type: application/json' \
+  --header 'Accept: application/json' \
+  --header "Authorization: Bearer ${TOKEN}" \
+  --header "Host: ${AUDIENCE_HOST}" \
+  --data-raw "${HUMAN_USER_PAYLOAD}")
+echo "Create human user response"
+echo "${HUMAN_USER_RESPONSE}" | jq
+
+if [ "$(echo -n "${HUMAN_USER_RESPONSE}" | jq --raw-output '.code')" == "6" ]; then
+  echo "admin user already exists"
+  exit 0
+fi
+
+HUMAN_USER_ID=$(echo -n ${HUMAN_USER_RESPONSE} | jq --raw-output '.userId')
+echo "Extracted human user id ${HUMAN_USER_ID}"
+
+HUMAN_ADMIN_PAYLOAD=$(cat << EOM
+{
+  "userId": "${HUMAN_USER_ID}",
+  "roles": [
+    "IAM_OWNER"
+  ]
+}
+EOM
+)
+echo "Granting iam owner to human user"
+echo "${HUMAN_ADMIN_PAYLOAD}" | jq
+
+HUMAN_ADMIN_RESPONSE=$(curl -s --request POST \
+  --url ${SERVICE}/admin/v1/members \
+  --header 'Content-Type: application/json' \
+  --header 'Accept: application/json' \
+  --header "Authorization: Bearer ${TOKEN}" \
+  --header "Host: ${AUDIENCE_HOST}" \
+  --data-raw "${HUMAN_ADMIN_PAYLOAD}")
+
+echo "Grant iam owner to human user response"
+echo "${HUMAN_ADMIN_RESPONSE}" | jq
+
+echo "You can now log in at ${AUDIENCE}/ui/login"
+echo "username: ${HUMAN_USER_USERNAME}"
+echo "password: ${HUMAN_USER_PASSWORD}"
diff --git a/docs/data-sources/default_oidc_settings.md b/docs/data-sources/default_oidc_settings.md
@@ -0,0 +1,31 @@
+---
+page_title: "zitadel_default_oidc_settings Data Source - terraform-provider-zitadel"
+subcategory: ""
+description: |-
+  Datasource representing the default oidc settings.
+---
+
+# zitadel_default_oidc_settings (Data Source)
+
+Datasource representing the default oidc settings.
+
+## Example Usage
+
+```terraform
+data zitadel_default_oidc_settings oidc_settings {}
+
+output oidc_settings {
+  value = data.zitadel_default_oidc_settings.oidc_settings
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Read-Only
+
+- `access_token_lifetime` (String) lifetime duration of access tokens
+- `id` (String) The ID of this resource.
+- `id_token_lifetime` (String) lifetime duration of id tokens
+- `refresh_token_expiration` (String) expiration duration of refresh tokens
+- `refresh_token_idle_expiration` (String) expiration duration of idle refresh tokens
diff --git a/docs/resources/application_oidc.md b/docs/resources/application_oidc.md
@@ -39,7 +39,7 @@ resource zitadel_application_oidc application_oidc {
 
 ### Required
 
-- `grant_types` (List of String) Grant types, supported values: OIDC_GRANT_TYPE_AUTHORIZATION_CODE, OIDC_GRANT_TYPE_IMPLICIT, OIDC_GRANT_TYPE_REFRESH_TOKEN
+- `grant_types` (List of String) Grant types, supported values: OIDC_GRANT_TYPE_AUTHORIZATION_CODE, OIDC_GRANT_TYPE_IMPLICIT, OIDC_GRANT_TYPE_REFRESH_TOKEN, OIDC_GRANT_TYPE_DEVICE_CODE
 - `name` (String) Name of the application
 - `org_id` (String) orgID of the application
 - `project_id` (String) ID of the project

diff --git a/docs/resources/default_login_texts.md b/docs/resources/default_login_texts.md
@@ -1,14 +1,14 @@
 ---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
 page_title: "zitadel_default_login_texts Resource - terraform-provider-zitadel"
 subcategory: ""
 description: |-
-
+  
 ---
 
 # zitadel_default_login_texts (Resource)
 
 
+
 ## Example Usage
 
 ```terraform
@@ -304,8 +304,6 @@ resource zitadel_default_login_texts login_texts_en {
 }
 ```
 
-
-
 <!-- schema generated by tfplugindocs -->
 ## Schema
 

diff --git a/docs/resources/default_oidc_settings.md b/docs/resources/default_oidc_settings.md
@@ -0,0 +1,35 @@
+---
+page_title: "zitadel_default_oidc_settings Resource - terraform-provider-zitadel"
+subcategory: ""
+description: |-
+  Resource representing the default oidc settings.
+---
+
+# zitadel_default_oidc_settings (Resource)
+
+Resource representing the default oidc settings.
+
+## Example Usage
+
+```terraform
+resource zitadel_default_oidc_settings oidc_settings {
+  access_token_lifetime = "12h0m0s"
+  id_token_lifetime = "12h0m0s"
+  refresh_token_expiration = "720h0m0s"
+  refresh_token_idle_expiration = "2160h0m0s"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `access_token_lifetime` (String) lifetime duration of access tokens
+- `id_token_lifetime` (String) lifetime duration of id tokens
+- `refresh_token_expiration` (String) expiration duration of refresh tokens
+- `refresh_token_idle_expiration` (String) expiration duration of idle refresh tokens
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
diff --git a/docs/resources/default_password_change_message_text.md b/docs/resources/default_password_change_message_text.md
@@ -1,14 +1,14 @@
 ---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
 page_title: "zitadel_default_password_change_message_text Resource - terraform-provider-zitadel"
 subcategory: ""
 description: |-
-
+  
 ---
 
 # zitadel_default_password_change_message_text (Resource)
 
 
+
 ## Example Usage
 
 ```terraform
@@ -25,7 +25,6 @@ resource zitadel_default_password_change_message_text password_change_en {
 }
 ```
 
-
 <!-- schema generated by tfplugindocs -->
 ## Schema
 

diff --git a/docs/resources/password_change_message_text.md b/docs/resources/password_change_message_text.md
@@ -1,14 +1,14 @@
 ---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
 page_title: "zitadel_password_change_message_text Resource - terraform-provider-zitadel"
 subcategory: ""
 description: |-
-
+  
 ---
 
 # zitadel_password_change_message_text (Resource)
 
 
+
 ## Example Usage
 
 ```terraform
@@ -26,7 +26,6 @@ resource zitadel_password_change_message_text password_change_en {
 }
 ```
 
-
 <!-- schema generated by tfplugindocs -->
 ## Schema
 

diff --git a/examples/provider/data-sources/default_oidc_settings.tf b/examples/provider/data-sources/default_oidc_settings.tf
@@ -0,0 +1,5 @@
+data zitadel_default_oidc_settings oidc_settings {}
+
+output oidc_settings {
+  value = data.zitadel_default_oidc_settings.oidc_settings
+}
diff --git a/examples/provider/resources/default_oidc_settings.tf b/examples/provider/resources/default_oidc_settings.tf
@@ -0,0 +1,6 @@
+resource zitadel_default_oidc_settings oidc_settings {
+  access_token_lifetime = "12h0m0s"
+  id_token_lifetime = "12h0m0s"
+  refresh_token_expiration = "720h0m0s"
+  refresh_token_idle_expiration = "2160h0m0s"
+}
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/zitadel/terraform-provider-zitadel
 go 1.19
 
 require (
-	github.com/envoyproxy/protoc-gen-validate v0.9.1
+	github.com/envoyproxy/protoc-gen-validate v1.0.1
 	github.com/gabriel-vasile/mimetype v1.4.1
 	github.com/gogo/protobuf v1.3.2
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2
@@ -14,9 +14,9 @@ require (
 	github.com/hashicorp/terraform-plugin-log v0.8.0
 	github.com/hashicorp/terraform-plugin-mux v0.7.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.26.1
-	github.com/zitadel/oidc v1.13.2
-	github.com/zitadel/zitadel-go/v2 v2.0.13
-	golang.org/x/oauth2 v0.7.0
+	github.com/zitadel/oidc v1.13.4
+	github.com/zitadel/zitadel-go/v2 v2.0.14
+	golang.org/x/oauth2 v0.8.0
 	google.golang.org/grpc v1.53.0
 	google.golang.org/protobuf v1.30.0
 )
@@ -31,7 +31,7 @@ require (
 	github.com/bgentry/speakeasy v0.1.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/go-test/deep v1.0.7 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/schema v1.2.0 // indirect
@@ -72,9 +72,9 @@ require (
 	github.com/vmihailenco/tagparser v0.1.1 // indirect
 	github.com/zclconf/go-cty v1.13.1 // indirect
 	golang.org/x/crypto v0.7.0 // indirect
-	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/net v0.9.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
+	golang.org/x/mod v0.10.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230223222841-637eb2293923 // indirect