zitadel/internal/api/grpc/instance/v2/server.go

package instance

import (
	"context"
	"net/http"

	"connectrpc.com/connect"
	"google.golang.org/protobuf/reflect/protoreflect"

	"github.com/zitadel/zitadel/internal/api/authz"
	"github.com/zitadel/zitadel/internal/command"
	"github.com/zitadel/zitadel/internal/config/systemdefaults"
	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/query"
	"github.com/zitadel/zitadel/pkg/grpc/instance/v2"
	"github.com/zitadel/zitadel/pkg/grpc/instance/v2/instanceconnect"
)

var _ instanceconnect.InstanceServiceHandler = (*Server)(nil)

type Server struct {
	command         *command.Commands
	query           *query.Queries
	systemDefaults  systemdefaults.SystemDefaults
	defaultInstance command.InstanceSetup
	externalDomain  string
	permissionCheck domain.PermissionCheck
}

func CreateServer(
	command *command.Commands,
	query *query.Queries,
	defaultInstance command.InstanceSetup,
	externalDomain string,
	check domain.PermissionCheck,
) *Server {
	return &Server{
		command:         command,
		query:           query,
		defaultInstance: defaultInstance,
		externalDomain:  externalDomain,
		permissionCheck: check,
	}
}

func (s *Server) RegisterConnectServer(interceptors ...connect.Interceptor) (string, http.Handler) {
	return instanceconnect.NewInstanceServiceHandler(s, connect.WithInterceptors(interceptors...))
}

func (s *Server) FileDescriptor() protoreflect.FileDescriptor {
	return instance.File_zitadel_instance_v2_instance_service_proto
}

func (s *Server) AppName() string {
	return instance.InstanceService_ServiceDesc.ServiceName
}

func (s *Server) MethodPrefix() string {
	return instance.InstanceService_ServiceDesc.ServiceName
}

func (s *Server) AuthMethods() authz.MethodMapping {
	return instance.InstanceService_AuthMethods
}

// checkPermission checks if either the system-wide or the instance-specific permission is granted.
func (s *Server) checkPermission(ctx context.Context, systemPermission, instancePermission string) error {
	// Let's first check the system permission since it's already resolved into the context.
	// If that succeeds, we don't need to resolve the instance permission.
	if err := s.permissionCheck(ctx, systemPermission, "", ""); err == nil {
		return nil
	}
	return s.permissionCheck(ctx, instancePermission, "", "")
}
feat(api): move instance service to v2 (#10919) # Which Problems Are Solved As part of our efforts to simplify the structure and versions of our APIs, were moving all existing v2beta endpoints to v2 and deprecate them. They will be removed in Zitadel V5. # How the Problems Are Solved - This PR moves instance v2beta service and its endpoints to a corresponding v2 version. The v2beta service and endpoints are deprecated. - The docs are moved to the new GA service and its endpoints. The v2beta is not displayed anymore. - The comments and have been improved and, where not already done, moved from swagger annotations to proto. - All required fields have been marked with (google.api.field_behavior) = REQUIRED and validation rules have been added where missing - `Domain` has been renamed to `CustomDomain` to align with naming conventions - `..Query` has been renamed to `..Filter` to align with other services - The `instance_id` parameter can now passed on all endpoints and is properly used, but requires `system` permissions. It can be omitted to use the own instance (identified by context as any other service). - The following endpoints are affected: - GetInstance - UpdateInstance - ListCustomDomains - AddTrustedDomain - RemoveTrustedDomain - ListTrustedDomains - InstanceService has been added the InstanceInterceptor's `explicitInstanceIdServices` to allow passing the id - If the instance is not found by id, the error is not directly returned to prevent enumeration. - Permissions are checked in the API instead of the interceptor for these calls. - Setting the same instance name in the update no longer returns an error, but the previous change date. # Additional Changes none # Additional Context - part of https://github.com/zitadel/zitadel/issues/10772 - requires backport to v4.x 2025-10-28 14:01:14 +01:00			`package instance`

			`import (`
			`"context"`
			`"net/http"`

			`"connectrpc.com/connect"`
			`"google.golang.org/protobuf/reflect/protoreflect"`

			`"github.com/zitadel/zitadel/internal/api/authz"`
			`"github.com/zitadel/zitadel/internal/command"`
			`"github.com/zitadel/zitadel/internal/config/systemdefaults"`
			`"github.com/zitadel/zitadel/internal/domain"`
			`"github.com/zitadel/zitadel/internal/query"`
			`"github.com/zitadel/zitadel/pkg/grpc/instance/v2"`
			`"github.com/zitadel/zitadel/pkg/grpc/instance/v2/instanceconnect"`
			`)`

			`var _ instanceconnect.InstanceServiceHandler = (*Server)(nil)`

			`type Server struct {`
			`command *command.Commands`
			`query *query.Queries`
			`systemDefaults systemdefaults.SystemDefaults`
			`defaultInstance command.InstanceSetup`
			`externalDomain string`
			`permissionCheck domain.PermissionCheck`
			`}`

			`func CreateServer(`
			`command *command.Commands,`
			`query *query.Queries,`
			`defaultInstance command.InstanceSetup,`
			`externalDomain string,`
			`check domain.PermissionCheck,`
			`) *Server {`
			`return &Server{`
			`command: command,`
			`query: query,`
			`defaultInstance: defaultInstance,`
			`externalDomain: externalDomain,`
			`permissionCheck: check,`
			`}`
			`}`

			`func (s *Server) RegisterConnectServer(interceptors ...connect.Interceptor) (string, http.Handler) {`
			`return instanceconnect.NewInstanceServiceHandler(s, connect.WithInterceptors(interceptors...))`
			`}`

			`func (s *Server) FileDescriptor() protoreflect.FileDescriptor {`
			`return instance.File_zitadel_instance_v2_instance_service_proto`
			`}`

			`func (s *Server) AppName() string {`
			`return instance.InstanceService_ServiceDesc.ServiceName`
			`}`

			`func (s *Server) MethodPrefix() string {`
			`return instance.InstanceService_ServiceDesc.ServiceName`
			`}`

			`func (s *Server) AuthMethods() authz.MethodMapping {`
			`return instance.InstanceService_AuthMethods`
			`}`

			`// checkPermission checks if either the system-wide or the instance-specific permission is granted.`
			`func (s *Server) checkPermission(ctx context.Context, systemPermission, instancePermission string) error {`
			`// Let's first check the system permission since it's already resolved into the context.`
			`// If that succeeds, we don't need to resolve the instance permission.`
			`if err := s.permissionCheck(ctx, systemPermission, "", ""); err == nil {`
			`return nil`
			`}`
			`return s.permissionCheck(ctx, instancePermission, "", "")`
			`}`