zitadel/internal/domain/permission.go

package domain

import "context"

type Permissions struct {
	Permissions []string
}

func (p *Permissions) AppendPermissions(ctxID string, permissions ...string) {
	for _, permission := range permissions {
		p.appendPermission(ctxID, permission)
	}
}

func (p *Permissions) appendPermission(ctxID, permission string) {
	if ctxID != "" {
		permission = permission + ":" + ctxID
	}
	for _, existingPermission := range p.Permissions {
		if existingPermission == permission {
			return
		}
	}
	p.Permissions = append(p.Permissions, permission)
}

type PermissionCheck func(ctx context.Context, permission, resourceOwnerID, aggregateID string) (err error)

const (
	PermissionUserWrite                = "user.write"
	PermissionUserRead                 = "user.read"
	PermissionUserDelete               = "user.delete"
	PermissionUserCredentialWrite      = "user.credential.write"
	PermissionSessionWrite             = "session.write"
	PermissionSessionRead              = "session.read"
	PermissionSessionLink              = "session.link"
	PermissionSessionDelete            = "session.delete"
	PermissionOrgRead                  = "org.read"
	PermissionIDPRead                  = "iam.idp.read"
	PermissionOrgIDPRead               = "org.idp.read"
	PermissionProjectWrite             = "project.write"
	PermissionProjectRead              = "project.read"
	PermissionProjectDelete            = "project.delete"
	PermissionProjectGrantWrite        = "project.grant.write"
	PermissionProjectGrantRead         = "project.grant.read"
	PermissionProjectGrantDelete       = "project.grant.delete"
	PermissionProjectRoleWrite         = "project.role.write"
	PermissionProjectRoleRead          = "project.role.read"
	PermissionProjectRoleDelete        = "project.role.delete"
	PermissionProjectAppWrite          = "project.app.write"
	PermissionProjectAppDelete         = "project.app.delete"
	PermissionProjectAppRead           = "project.app.read"
	PermissionInstanceMemberWrite      = "iam.member.write"
	PermissionInstanceMemberDelete     = "iam.member.delete"
	PermissionInstanceMemberRead       = "iam.member.read"
	PermissionOrgMemberWrite           = "org.member.write"
	PermissionOrgMemberDelete          = "org.member.delete"
	PermissionOrgMemberRead            = "org.member.read"
	PermissionProjectMemberWrite       = "project.member.write"
	PermissionProjectMemberDelete      = "project.member.delete"
	PermissionProjectMemberRead        = "project.member.read"
	PermissionProjectGrantMemberWrite  = "project.grant.member.write"
	PermissionProjectGrantMemberDelete = "project.grant.member.delete"
	PermissionProjectGrantMemberRead   = "project.grant.member.read"
	PermissionUserGrantWrite           = "user.grant.write"
	PermissionUserGrantRead            = "user.grant.read"
	PermissionUserGrantDelete          = "user.grant.delete"
	PermissionIAMPolicyWrite           = "iam.policy.write"
	PermissionIAMPolicyDelete          = "iam.policy.delete"
	PermissionPolicyRead               = "policy.read"
)

// ProjectPermissionCheck is used as a check for preconditions dependent on application, project, user resourceowner and usergrants.
// Configurable on the project the application belongs to through the flags related to authentication.
type ProjectPermissionCheck func(ctx context.Context, clientID, userID string) (err error)
fix: move activity log to queries and remove old code (#3096) * move changes to queries and remove old code * fix changes query * remove unused code * fix sorting * fix sorting * refactor and remove old code * remove accidental go.mod replace * add missing file * remove listDetail from ChangesResponse 2022-01-26 10:16:33 +01:00			`package domain`

feat(api): new session service (#5801) * backup new protoc plugin * backup * session * backup * initial implementation * change to specific events * implement tests * cleanup * refactor: use new protoc plugin for api v2 * change package * simplify code * cleanup * cleanup * fix merge * start queries * fix tests * improve returned values * add token to projection * tests * test db map * update query * permission checks * fix tests and linting * rework token creation * i18n * refactor token check and fix tests * session to PB test * request to query tests * cleanup proto * test user check * add comment * simplify database map type * Update docs/docs/guides/integrate/access-zitadel-system-api.md Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix test * cleanup * docs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-05-05 17:34:53 +02:00			`import "context"`

fix: move activity log to queries and remove old code (#3096) * move changes to queries and remove old code * fix changes query * remove unused code * fix sorting * fix sorting * refactor and remove old code * remove accidental go.mod replace * add missing file * remove listDetail from ChangesResponse 2022-01-26 10:16:33 +01:00			`type Permissions struct {`
			`Permissions []string`
			`}`

			`func (p *Permissions) AppendPermissions(ctxID string, permissions ...string) {`
			`for _, permission := range permissions {`
			`p.appendPermission(ctxID, permission)`
			`}`
			`}`

			`func (p *Permissions) appendPermission(ctxID, permission string) {`
			`if ctxID != "" {`
			`permission = permission + ":" + ctxID`
			`}`
			`for _, existingPermission := range p.Permissions {`
			`if existingPermission == permission {`
			`return`
			`}`
			`}`
			`p.Permissions = append(p.Permissions, permission)`
			`}`
feat(api): new session service (#5801) * backup new protoc plugin * backup * session * backup * initial implementation * change to specific events * implement tests * cleanup * refactor: use new protoc plugin for api v2 * change package * simplify code * cleanup * cleanup * fix merge * start queries * fix tests * improve returned values * add token to projection * tests * test db map * update query * permission checks * fix tests and linting * rework token creation * i18n * refactor token check and fix tests * session to PB test * request to query tests * cleanup proto * test user check * add comment * simplify database map type * Update docs/docs/guides/integrate/access-zitadel-system-api.md Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix test * cleanup * docs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-05-05 17:34:53 +02:00
feat: user api requests to resource API (#9794) # Which Problems Are Solved This pull request addresses a significant gap in the user service v2 API, which currently lacks methods for managing machine users. # How the Problems Are Solved This PR adds new API endpoints to the user service v2 to manage machine users including their secret, keys and personal access tokens. Additionally, there's now a CreateUser and UpdateUser endpoints which allow to create either a human or machine user and update them. The existing `CreateHumanUser` endpoint has been deprecated along the corresponding management service endpoints. For details check the additional context section. # Additional Context - Closes https://github.com/zitadel/zitadel/issues/9349 ## More details - API changes: https://github.com/zitadel/zitadel/pull/9680 - Implementation: https://github.com/zitadel/zitadel/pull/9763 - Tests: https://github.com/zitadel/zitadel/pull/9771 ## Follow-ups - Metadata: support managing user metadata using resource API https://github.com/zitadel/zitadel/pull/10005 - Machine token type: support managing the machine token type (migrate to new enum with zero value unspecified?) --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-06-04 09:17:23 +02:00			`type PermissionCheck func(ctx context.Context, permission, resourceOwnerID, aggregateID string) (err error)`
feat(api): new session service (#5801) * backup new protoc plugin * backup * session * backup * initial implementation * change to specific events * implement tests * cleanup * refactor: use new protoc plugin for api v2 * change package * simplify code * cleanup * cleanup * fix merge * start queries * fix tests * improve returned values * add token to projection * tests * test db map * update query * permission checks * fix tests and linting * rework token creation * i18n * refactor token check and fix tests * session to PB test * request to query tests * cleanup proto * test user check * add comment * simplify database map type * Update docs/docs/guides/integrate/access-zitadel-system-api.md Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix test * cleanup * docs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-05-05 17:34:53 +02:00
			`const (`
feat: user profile requests in resource APIs (#10151) # Which Problems Are Solved The commands for the resource based v2beta AuthorizationService API are added. Authorizations, previously knows as user grants, give a user in a specific organization and project context roles. The project can be owned or granted. The given roles can be used to restrict access within the projects applications. The commands for the resource based v2beta InteralPermissionService API are added. Administrators, previously knows as memberships, give a user in a specific organization and project context roles. The project can be owned or granted. The give roles give the user permissions to manage different resources in Zitadel. API definitions from https://github.com/zitadel/zitadel/issues/9165 are implemented. Contains endpoints for user metadata. # How the Problems Are Solved ### New Methods - CreateAuthorization - UpdateAuthorization - DeleteAuthorization - ActivateAuthorization - DeactivateAuthorization - ListAuthorizations - CreateAdministrator - UpdateAdministrator - DeleteAdministrator - ListAdministrators - SetUserMetadata to set metadata on a user - DeleteUserMetadata to delete metadata on a user - ListUserMetadata to query for metadata of a user ## Deprecated Methods ### v1.ManagementService - GetUserGrantByID - ListUserGrants - AddUserGrant - UpdateUserGrant - DeactivateUserGrant - ReactivateUserGrant - RemoveUserGrant - BulkRemoveUserGrant ### v1.AuthService - ListMyUserGrants - ListMyProjectPermissions # Additional Changes - Permission checks for metadata functionality on query and command side - correct existence checks for resources, for example you can only be an administrator on an existing project - combined all member tables to singular query for the administrators - add permission checks for command an query side functionality - combined functions on command side where necessary for easier maintainability # Additional Context Closes #9165 --------- Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-07-04 18:12:59 +02:00			`PermissionUserWrite = "user.write"`
			`PermissionUserRead = "user.read"`
			`PermissionUserDelete = "user.delete"`
			`PermissionUserCredentialWrite = "user.credential.write"`
			`PermissionSessionWrite = "session.write"`
			`PermissionSessionRead = "session.read"`
			`PermissionSessionLink = "session.link"`
			`PermissionSessionDelete = "session.delete"`
			`PermissionOrgRead = "org.read"`
			`PermissionIDPRead = "iam.idp.read"`
			`PermissionOrgIDPRead = "org.idp.read"`
			`PermissionProjectWrite = "project.write"`
			`PermissionProjectRead = "project.read"`
			`PermissionProjectDelete = "project.delete"`
			`PermissionProjectGrantWrite = "project.grant.write"`
			`PermissionProjectGrantRead = "project.grant.read"`
			`PermissionProjectGrantDelete = "project.grant.delete"`
			`PermissionProjectRoleWrite = "project.role.write"`
			`PermissionProjectRoleRead = "project.role.read"`
			`PermissionProjectRoleDelete = "project.role.delete"`
			`PermissionProjectAppWrite = "project.app.write"`
			`PermissionProjectAppDelete = "project.app.delete"`
			`PermissionProjectAppRead = "project.app.read"`
			`PermissionInstanceMemberWrite = "iam.member.write"`
			`PermissionInstanceMemberDelete = "iam.member.delete"`
			`PermissionInstanceMemberRead = "iam.member.read"`
			`PermissionOrgMemberWrite = "org.member.write"`
			`PermissionOrgMemberDelete = "org.member.delete"`
			`PermissionOrgMemberRead = "org.member.read"`
			`PermissionProjectMemberWrite = "project.member.write"`
			`PermissionProjectMemberDelete = "project.member.delete"`
			`PermissionProjectMemberRead = "project.member.read"`
			`PermissionProjectGrantMemberWrite = "project.grant.member.write"`
			`PermissionProjectGrantMemberDelete = "project.grant.member.delete"`
			`PermissionProjectGrantMemberRead = "project.grant.member.read"`
			`PermissionUserGrantWrite = "user.grant.write"`
			`PermissionUserGrantRead = "user.grant.read"`
			`PermissionUserGrantDelete = "user.grant.delete"`
feat: organization settings for user uniqueness (#10246) # Which Problems Are Solved Currently the username uniqueness is on instance level, we want to achieve a way to set it at organization level. # How the Problems Are Solved Addition of endpoints and a resource on organization level, where this setting can be managed. If nothing it set, the uniqueness is expected to be at instance level, where only users with instance permissions should be able to change this setting. # Additional Changes None # Additional Context Includes #10086 Closes #9964 --------- Co-authored-by: Marco A. <marco@zitadel.com> 2025-07-29 15:56:21 +02:00			`PermissionIAMPolicyWrite = "iam.policy.write"`
			`PermissionIAMPolicyDelete = "iam.policy.delete"`
			`PermissionPolicyRead = "policy.read"`
feat(api): new session service (#5801) * backup new protoc plugin * backup * session * backup * initial implementation * change to specific events * implement tests * cleanup * refactor: use new protoc plugin for api v2 * change package * simplify code * cleanup * cleanup * fix merge * start queries * fix tests * improve returned values * add token to projection * tests * test db map * update query * permission checks * fix tests and linting * rework token creation * i18n * refactor token check and fix tests * session to PB test * request to query tests * cleanup proto * test user check * add comment * simplify database map type * Update docs/docs/guides/integrate/access-zitadel-system-api.md Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix test * cleanup * docs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-05-05 17:34:53 +02:00			`)`
feat: permission check on OIDC and SAML service session API (#9304) # Which Problems Are Solved Through configuration on projects, there can be additional permission checks enabled through an OIDC or SAML flow, which were not included in the OIDC and SAML services. # How the Problems Are Solved Add permission check through the query-side of Zitadel in a singular SQL query, when an OIDC or SAML flow should be linked to a SSO session. That way it is eventual consistent, but will not impact the performance on the eventstore. The permission check is defined in the API, which provides the necessary function to the command side. # Additional Changes Added integration tests for the permission check on OIDC and SAML service for every combination. Corrected session list integration test, to content checks without ordering. Corrected get auth and saml request integration tests, to check for timestamp of creation, not start of test. # Additional Context Closes #9265 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-02-11 19:45:09 +01:00
			`// ProjectPermissionCheck is used as a check for preconditions dependent on application, project, user resourceowner and usergrants.`
			`// Configurable on the project the application belongs to through the flags related to authentication.`
			`type ProjectPermissionCheck func(ctx context.Context, clientID, userID string) (err error)`