delete old api document

deploy/openldap/README.md

@@ -58,7 +58,7 @@ make ldap-test  # 確認 alice / bob 可查
 | User base DN | `ou=people,dc=gateway,dc=local` |
 | User object class | `inetOrgPerson` |
 | User unique attribute | `uid` |
-| User filters / Login filter | `(&(objectClass=inetOrgPerson)(uid=%s))` 或 `(uid=%s)` |
+| User filters / Login filter | `uid` |
 | Email attribute | `mail` |
 | Display name attribute | `cn` |
 | Username attribute | `uid` |

deploy/openldap/bootstrap/10-people.ldif

@@ -16,6 +16,7 @@ sn: Dev
 givenName: Alice
 uid: alice
 mail: alice@gateway.local
+employeeType: true
 userPassword: Password1!
 
 dn: uid=bob,ou=people,dc=gateway,dc=local
@@ -28,4 +29,5 @@ sn: Dev
 givenName: Bob
 uid: bob
 mail: bob@gateway.local
+employeeType: true
 userPassword: Password1!

deploy/zitadel/bootstrap_dev.py

@@ -29,8 +29,19 @@ APP_NAME = "Gateway Backend"
 REDIRECT_URIS = [
     "http://localhost:5173/auth/callback/login",
     "http://localhost:5173/auth/callback/register",
+    "http://localhost:5713/auth/callback/login",
+    "http://localhost:5713/auth/callback/register",
+    "http://127.0.0.1:5173/auth/callback/login",
+    "http://127.0.0.1:5173/auth/callback/register",
+    "http://127.0.0.1:5713/auth/callback/login",
+    "http://127.0.0.1:5713/auth/callback/register",
+]
+POST_LOGOUT_URIS = [
+    "http://localhost:5173/",
+    "http://localhost:5713/",
+    "http://127.0.0.1:5173/",
+    "http://127.0.0.1:5713/",
 ]
-POST_LOGOUT_URIS = ["http://localhost:5173/"]
 
 LDAP_BODY = {
     "name": LDAP_IDP_NAME,
@@ -41,7 +52,7 @@ LDAP_BODY = {
     "bindPassword": "admin",
     "userBase": "ou=people,dc=gateway,dc=local",
     "userObjectClasses": ["inetOrgPerson"],
-    "userFilters": ["(uid=%s)"],
+    "userFilters": ["uid"],
     "attributes": {
         "idAttribute": "uid",
         "emailAttribute": "mail",
@@ -49,11 +60,14 @@ LDAP_BODY = {
         "lastNameAttribute": "sn",
         "displayNameAttribute": "cn",
         "nickNameAttribute": "uid",
+        "emailVerifiedAttribute": "employeeType",
+    },
+    "providerOptions": {
+        "isCreationAllowed": True,
+        "isLinkingAllowed": True,
+        "isAutoCreation": True,
+        "isAutoUpdate": True,
     },
-    "creationAllowed": True,
-    "linkingAllowed": True,
-    "autoCreation": True,
-    "autoUpdate": True,
 }
 
 
@@ -89,6 +103,10 @@ def api(method: str, path: str, body: dict | None = None) -> dict:
         raise BootstrapError(f"{method} {path} -> HTTP {e.code}: {detail}") from e
 
 
+def is_no_changes(err: BootstrapError) -> bool:
+    return "No changes" in str(err)
+
+
 def read_pat() -> str:
     if not PAT_FILE.is_file():
         raise BootstrapError(f"PAT missing: {PAT_FILE} (run make k6-wait)")
@@ -150,6 +168,13 @@ def ensure_ldap_idp() -> str:
     policy, is_default = login_policy()
     existing = find_ldap_idp_in_policy(policy)
     if existing:
+        try:
+            api("PUT", f"/management/v1/idps/ldap/{existing}", LDAP_BODY)
+            log("updated LDAP IdP config")
+        except BootstrapError as e:
+            if not is_no_changes(e):
+                raise
+            log("LDAP IdP config already up to date")
         log(f"LDAP IdP already linked: {existing}")
         return existing
 
@@ -268,6 +293,33 @@ def create_app(project_id: str) -> tuple[str, str, str]:
     return app_id, client_id, client_secret
 
 
+def update_app_config(project_id: str, app_id: str) -> None:
+    try:
+        api(
+            "PUT",
+            f"/management/v1/projects/{project_id}/apps/{app_id}/oidc_config",
+            {
+                "redirectUris": REDIRECT_URIS,
+                "responseTypes": ["OIDC_RESPONSE_TYPE_CODE"],
+                "grantTypes": [
+                    "OIDC_GRANT_TYPE_AUTHORIZATION_CODE",
+                    "OIDC_GRANT_TYPE_REFRESH_TOKEN",
+                ],
+                "appType": "OIDC_APP_TYPE_WEB",
+                "authMethodType": "OIDC_AUTH_METHOD_TYPE_BASIC",
+                "postLogoutRedirectUris": POST_LOGOUT_URIS,
+                "devMode": True,
+                "accessTokenType": "OIDC_TOKEN_TYPE_BEARER",
+            },
+        )
+    except BootstrapError as e:
+        if not is_no_changes(e):
+            raise
+        log("OIDC app redirect URIs already up to date")
+        return
+    log("updated OIDC app redirect URIs")
+
+
 def regenerate_secret(project_id: str, app_id: str) -> str:
     data = api(
         "POST",
@@ -289,6 +341,7 @@ def ensure_oidc_app(saved: dict[str, str]) -> tuple[str, str]:
         return client_id, client_secret
 
     log(f"OIDC app exists client_id={client_id}")
+    update_app_config(project_id, app_id)
     saved_id = saved.get("ZITADEL_OAUTH_CLIENT_ID", "")
     saved_secret = saved.get("ZITADEL_OAUTH_CLIENT_SECRET", "")
     if saved_id == client_id and saved_secret:

go.mod

@@ -4,10 +4,17 @@ go 1.26.1
 
 require (
 	github.com/alicebob/miniredis/v2 v2.37.0
+	github.com/aws/aws-sdk-go-v2 v1.36.3
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.61
+	github.com/aws/aws-sdk-go-v2/service/ses v1.30.0
+	github.com/casbin/casbin/v2 v2.135.0
 	github.com/go-playground/locales v0.14.1
 	github.com/go-playground/universal-translator v0.18.1
 	github.com/go-playground/validator/v10 v10.30.2
+	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/uuid v1.6.0
+	github.com/minchao/go-mitake v1.0.0
+	github.com/redis/go-redis/v9 v9.18.0
 	github.com/shopspring/decimal v1.4.0
 	github.com/stretchr/testify v1.11.1
 	github.com/zeromicro/go-zero v1.10.1
@@ -15,18 +22,15 @@ require (
 	go.uber.org/mock v0.6.0
 	golang.org/x/crypto v0.49.0
 	google.golang.org/grpc v1.79.3
+	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.61 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ses v1.30.0 // indirect
 	github.com/aws/smithy-go v1.22.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
-	github.com/casbin/casbin/v2 v2.135.0 // indirect
 	github.com/casbin/govaluate v1.3.0 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
@@ -36,7 +40,6 @@ require (
 	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/grafana/pyroscope-go v1.2.8 // indirect
 	github.com/grafana/pyroscope-go/godeltaprof v0.1.9 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 // indirect
@@ -44,7 +47,6 @@ require (
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/minchao/go-mitake v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/openzipkin/zipkin-go v0.4.3 // indirect
 	github.com/pelletier/go-toml/v2 v2.3.0 // indirect
@@ -53,8 +55,6 @@ require (
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.66.1 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
-	github.com/redis/go-redis/v9 v9.18.0 // indirect
-	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	github.com/titanous/json5 v1.0.0 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
@@ -84,7 +84,6 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
-	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -51,6 +51,7 @@ github.com/go-playground/validator/v10 v10.30.2 h1:JiFIMtSSHb2/XBUbWM4i/MpeQm9ZK
 github.com/go-playground/validator/v10 v10.30.2/go.mod h1:mAf2pIOVXjTEBrwUMGKkCWKKPs9NheYGabeB04txQSc=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc=
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
@@ -111,8 +112,6 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
-github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
-github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
 github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=
 github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=