zitadel/internal/api/grpc/server/middleware/auth_interceptor.go

package middleware

import (
	"context"

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	"github.com/zitadel/zitadel/internal/api/authz"
	grpc_util "github.com/zitadel/zitadel/internal/api/grpc"
	"github.com/zitadel/zitadel/internal/api/http"
	"github.com/zitadel/zitadel/internal/telemetry/tracing"
)

func AuthorizationInterceptor(verifier authz.APITokenVerifier, authConfig authz.Config) grpc.UnaryServerInterceptor {
	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
		return authorize(ctx, req, info, handler, verifier, authConfig)
	}
}

func authorize(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler, verifier authz.APITokenVerifier, authConfig authz.Config) (_ interface{}, err error) {
	authOpt, needsToken := verifier.CheckAuthMethod(info.FullMethod)
	if !needsToken {
		return handler(ctx, req)
	}

	authCtx, span := tracing.NewServerInterceptorSpan(ctx)
	defer func() { span.EndWithError(err) }()

	authToken := grpc_util.GetAuthorizationHeader(authCtx)
	if authToken == "" {
		return nil, status.Error(codes.Unauthenticated, "auth header missing")
	}

	orgID, orgDomain := orgIDAndDomainFromRequest(authCtx, req)
	ctxSetter, err := authz.CheckUserAuthorization(authCtx, req, authToken, orgID, orgDomain, verifier, authConfig, authOpt, info.FullMethod)
	if err != nil {
		return nil, err
	}
	span.End()
	return handler(ctxSetter(ctx), req)
}

func orgIDAndDomainFromRequest(ctx context.Context, req interface{}) (id, domain string) {
	orgID := grpc_util.GetHeader(ctx, http.ZitadelOrgID)
	oz, ok := req.(OrganizationFromRequest)
	if ok {
		id = oz.OrganizationFromRequest().ID
		domain = oz.OrganizationFromRequest().Domain
		if id != "" || domain != "" {
			return id, domain
		}
	}
	return orgID, domain
}

type Organization struct {
	ID     string
	Domain string
}

type OrganizationFromRequest interface {
	OrganizationFromRequest() *Organization
}
add tracing and refactor some api pkgs 2020-03-24 13:15:01 +00:00			`package middleware`
feat: add some api packages 2020-03-23 06:01:59 +00:00
			`import (`
			`"context"`
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00
feat: add some api packages 2020-03-23 06:01:59 +00:00			`"google.golang.org/grpc"`
			`"google.golang.org/grpc/codes"`
			`"google.golang.org/grpc/status"`

chore(v2): move to new org (#3499) * chore: move to new org * logging * fix: org rename caos -> zitadel Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2022-04-26 23:01:45 +00:00			`"github.com/zitadel/zitadel/internal/api/authz"`
			`grpc_util "github.com/zitadel/zitadel/internal/api/grpc"`
			`"github.com/zitadel/zitadel/internal/api/http"`
			`"github.com/zitadel/zitadel/internal/telemetry/tracing"`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`)`

feat: add SYSTEM_OWNER role (#6765) * define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch> 2023-10-25 15:10:45 +00:00			`func AuthorizationInterceptor(verifier authz.APITokenVerifier, authConfig authz.Config) grpc.UnaryServerInterceptor {`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {`
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00			`return authorize(ctx, req, info, handler, verifier, authConfig)`
			`}`
			`}`
feat: add some api packages 2020-03-23 06:01:59 +00:00
feat: add SYSTEM_OWNER role (#6765) * define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch> 2023-10-25 15:10:45 +00:00			`func authorize(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler, verifier authz.APITokenVerifier, authConfig authz.Config) (_ interface{}, err error) {`
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00			`authOpt, needsToken := verifier.CheckAuthMethod(info.FullMethod)`
			`if !needsToken {`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`return handler(ctx, req)`
			`}`
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00
fix(tracing): business logic has grpc server span as parent (#1017) * start fix * fix(tracing): business logic has grpc server span as parent * fix: response name * fix: tests * fix: simplify ctxData 2020-12-14 12:34:05 +00:00			`authCtx, span := tracing.NewServerInterceptorSpan(ctx)`
fix(tracing): from opencensus to opentelemetry (#937) * refactor: switch from opencensus to opentelemetry * tempo works as designed nooooot * fix: log traceids * with grafana agent * fix: http tracing * fix: cleanup files * chore: remove todo * fix: bad test * fix: ignore methods in grpc interceptors * fix: remove test log * clean up * typo * fix(config): configure tracing endpoint * fix(span): add error id to span 2020-11-20 06:57:39 +00:00			`defer func() { span.EndWithError(err) }()`

fix(tracing): business logic has grpc server span as parent (#1017) * start fix * fix(tracing): business logic has grpc server span as parent * fix: response name * fix: tests * fix: simplify ctxData 2020-12-14 12:34:05 +00:00			`authToken := grpc_util.GetAuthorizationHeader(authCtx)`
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00			`if authToken == "" {`
			`return nil, status.Error(codes.Unauthenticated, "auth header missing")`
			`}`

fix(api): use organization instead of organisation (#6720) * fix(api): use organization instead of organisation * fix test * docs: add deprecation notice * remove validation 2023-10-13 12:37:35 +00:00			`orgID, orgDomain := orgIDAndDomainFromRequest(authCtx, req)`
feat(api): new session service (#5801) * backup new protoc plugin * backup * session * backup * initial implementation * change to specific events * implement tests * cleanup * refactor: use new protoc plugin for api v2 * change package * simplify code * cleanup * cleanup * fix merge * start queries * fix tests * improve returned values * add token to projection * tests * test db map * update query * permission checks * fix tests and linting * rework token creation * i18n * refactor token check and fix tests * session to PB test * request to query tests * cleanup proto * test user check * add comment * simplify database map type * Update docs/docs/guides/integrate/access-zitadel-system-api.md Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix test * cleanup * docs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-05-05 15:34:53 +00:00			`ctxSetter, err := authz.CheckUserAuthorization(authCtx, req, authToken, orgID, orgDomain, verifier, authConfig, authOpt, info.FullMethod)`
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00			`if err != nil {`
			`return nil, err`
			`}`
feat: add tracing interceptors to login and oidc (#764) * add tracing interceptors to login and oidc * add some tracing spans * trace login calls * add some spans * add some spans (change password) * add some more tracing in oauth/oidc * revert org exists * Merge branch 'master' into http-tracing # Conflicts: # internal/api/oidc/auth_request.go # internal/api/oidc/client.go # internal/auth/repository/eventsourcing/eventstore/auth_request.go # internal/auth/repository/eventsourcing/eventstore/user.go # internal/authz/repository/eventsourcing/eventstore/token_verifier.go # internal/authz/repository/eventsourcing/view/token.go # internal/user/repository/eventsourcing/eventstore.go 2020-10-21 08:18:34 +00:00			`span.End()`
fix(tracing): business logic has grpc server span as parent (#1017) * start fix * fix(tracing): business logic has grpc server span as parent * fix: response name * fix: tests * fix: simplify ctxData 2020-12-14 12:34:05 +00:00			`return handler(ctxSetter(ctx), req)`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`}`
feat(api): add user creation to user service (#5745) * chore(proto): update versions * change protoc plugin * some cleanups * define api for setting emails in new api * implement user.SetEmail * move SetEmail buisiness logic into command * resuse newCryptoCode * command: add ChangeEmail unit tests Not complete, was not able to mock the generator. * Revert "resuse newCryptoCode" This reverts commit c89e90ae35ae924a3f706a0a7394f933910c2e65. * undo change to crypto code generators * command: use a generator so we can test properly * command: reorganise ChangeEmail improve test coverage * implement VerifyEmail including unit tests * add URL template tests * begin user creation * change protos * implement metadata and move context * merge commands * proto: change context to object * remove old auth option * remove old auth option * fix linting errors run gci on modified files * add permission checks and fix some errors * comments * comments * update email requests * rename proto requests * cleanup and docs * simplify * simplify * fix setup * remove unused proto messages / fields --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-04-26 05:47:57 +00:00
fix(api): use organization instead of organisation (#6720) * fix(api): use organization instead of organisation * fix test * docs: add deprecation notice * remove validation 2023-10-13 12:37:35 +00:00			`func orgIDAndDomainFromRequest(ctx context.Context, req interface{}) (id, domain string) {`
			`orgID := grpc_util.GetHeader(ctx, http.ZitadelOrgID)`
fix: add organizationID query for user v2 ListUsers and clean up depeprecated attribute (#7593) Add organizationID as query for ListUsers and clean up the deprecated Organisation attributes in other queries. This PR removes the following fields from API requests (user service v2): organisation from AddHumanUser (deprecated some time ago, organization still exists) organization from GetUserByID 2024-03-21 08:07:00 +00:00			`oz, ok := req.(OrganizationFromRequest)`
			`if ok {`
			`id = oz.OrganizationFromRequest().ID`
			`domain = oz.OrganizationFromRequest().Domain`
			`if id != "" \|\| domain != "" {`
			`return id, domain`
			`}`
fix(api): use organization instead of organisation (#6720) * fix(api): use organization instead of organisation * fix test * docs: add deprecation notice * remove validation 2023-10-13 12:37:35 +00:00			`}`
			`return orgID, domain`
			`}`

			`type Organization struct {`
feat(api): move resource apis to beta (#6530) Moves UserService, SessionService, SettingsService and OIDCService to beta state. This includes gRPC and HTTP path changes. 2023-09-13 12:43:01 +00:00			`ID string`
			`Domain string`
feat(api): add user creation to user service (#5745) * chore(proto): update versions * change protoc plugin * some cleanups * define api for setting emails in new api * implement user.SetEmail * move SetEmail buisiness logic into command * resuse newCryptoCode * command: add ChangeEmail unit tests Not complete, was not able to mock the generator. * Revert "resuse newCryptoCode" This reverts commit c89e90ae35ae924a3f706a0a7394f933910c2e65. * undo change to crypto code generators * command: use a generator so we can test properly * command: reorganise ChangeEmail improve test coverage * implement VerifyEmail including unit tests * add URL template tests * begin user creation * change protos * implement metadata and move context * merge commands * proto: change context to object * remove old auth option * remove old auth option * fix linting errors run gci on modified files * add permission checks and fix some errors * comments * comments * update email requests * rename proto requests * cleanup and docs * simplify * simplify * fix setup * remove unused proto messages / fields --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-04-26 05:47:57 +00:00			`}`
fix(api): use organization instead of organisation (#6720) * fix(api): use organization instead of organisation * fix test * docs: add deprecation notice * remove validation 2023-10-13 12:37:35 +00:00
			`type OrganizationFromRequest interface {`
			`OrganizationFromRequest() *Organization`
			`}`