zitadel/internal/command/permission_checks_test.go

package command

import (
	"context"
	"database/sql"
	"errors"
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/zitadel/zitadel/internal/api/authz"
	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/eventstore"
	"github.com/zitadel/zitadel/internal/eventstore/repository"
	"github.com/zitadel/zitadel/internal/zerrors"
)

func TestCommands_CheckPermission(t *testing.T) {
	type fields struct {
		eventstore            func(*testing.T) *eventstore.Eventstore
		domainPermissionCheck func(*testing.T) domain.PermissionCheck
	}
	type args struct {
		ctx                        context.Context
		permission                 string
		aggregateType              eventstore.AggregateType
		resourceOwner, aggregateID string
	}
	type want struct {
		err func(error) bool
	}
	ctx := context.Background()
	filterErr := errors.New("filter error")
	tests := []struct {
		name   string
		fields fields
		args   args
		want   want
	}{
		{
			name: "resource owner is given, no query",
			fields: fields{
				domainPermissionCheck: mockDomainPermissionCheck(
					ctx,
					"permission",
					"resourceOwner",
					"aggregateID"),
			},
			args: args{
				ctx:           ctx,
				permission:    "permission",
				resourceOwner: "resourceOwner",
				aggregateID:   "aggregateID",
			},
		},
		{
			name: "resource owner is empty, query for resource owner",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(&repository.Event{
						AggregateID:   "aggregateID",
						ResourceOwner: sql.NullString{String: "resourceOwner"},
					}),
				),
				domainPermissionCheck: mockDomainPermissionCheck(ctx, "permission", "resourceOwner", "aggregateID"),
			},
			args: args{
				ctx:           ctx,
				permission:    "permission",
				resourceOwner: "",
				aggregateID:   "aggregateID",
			},
		},
		{
			name: "resource owner is empty, query for resource owner, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilterError(filterErr),
				),
			},
			args: args{
				ctx:           ctx,
				permission:    "permission",
				resourceOwner: "",
				aggregateID:   "aggregateID",
			},
			want: want{
				err: func(err error) bool {
					return errors.Is(err, filterErr)
				},
			},
		},
		{
			name: "resource owner is empty, query for resource owner, no events",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:           ctx,
				permission:    "permission",
				resourceOwner: "",
				aggregateID:   "aggregateID",
			},
			want: want{
				err: zerrors.IsNotFound,
			},
		},
		{
			name: "no aggregateID, internal error",
			args: args{
				ctx: ctx,
			},
			want: want{
				err: zerrors.IsInternal,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &Commands{
				checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
					assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
					return nil
				},
				eventstore: expectEventstore()(t),
			}
			if tt.fields.domainPermissionCheck != nil {
				c.checkPermission = tt.fields.domainPermissionCheck(t)
			}
			if tt.fields.eventstore != nil {
				c.eventstore = tt.fields.eventstore(t)
			}
			err := c.newPermissionCheck(tt.args.ctx, tt.args.permission, tt.args.aggregateType)(tt.args.resourceOwner, tt.args.aggregateID)
			if tt.want.err != nil {
				assert.True(t, tt.want.err(err))
			}
		})
	}
}

func TestCommands_CheckPermissionUserWrite(t *testing.T) {
	type fields struct {
		domainPermissionCheck func(*testing.T) domain.PermissionCheck
	}
	type args struct {
		ctx                        context.Context
		resourceOwner, aggregateID string
	}
	type want struct {
		err func(error) bool
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		want   want
	}{
		{
			name: "self, no permission check",
			args: args{
				ctx: authz.SetCtxData(context.Background(), authz.CtxData{
					UserID: "aggregateID",
				}),
				resourceOwner: "resourceOwner",
				aggregateID:   "aggregateID",
			},
		},
		{
			name: "not self, permission check",
			fields: fields{
				domainPermissionCheck: mockDomainPermissionCheck(
					context.Background(),
					"user.write",
					"resourceOwner",
					"foreignAggregateID"),
			},
			args: args{
				ctx:           context.Background(),
				resourceOwner: "resourceOwner",
				aggregateID:   "foreignAggregateID",
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &Commands{
				checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
					assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
					return nil
				},
			}
			if tt.fields.domainPermissionCheck != nil {
				c.checkPermission = tt.fields.domainPermissionCheck(t)
			}
			err := c.NewPermissionCheckUserWrite(tt.args.ctx)(tt.args.resourceOwner, tt.args.aggregateID)
			if tt.want.err != nil {
				assert.True(t, tt.want.err(err))
			}
		})
	}
}

func TestCommands_CheckPermissionUserDelete(t *testing.T) {
	type fields struct {
		domainPermissionCheck func(*testing.T) domain.PermissionCheck
	}
	type args struct {
		ctx                        context.Context
		resourceOwner, aggregateID string
	}
	type want struct {
		err func(error) bool
	}
	userCtx := authz.SetCtxData(context.Background(), authz.CtxData{
		UserID: "aggregateID",
	})
	tests := []struct {
		name   string
		fields fields
		args   args
		want   want
	}{
		{
			name: "self, no permission check",
			args: args{
				ctx:           userCtx,
				resourceOwner: "resourceOwner",
				aggregateID:   "aggregateID",
			},
		},
		{
			name: "not self, permission check",
			fields: fields{
				domainPermissionCheck: mockDomainPermissionCheck(
					context.Background(),
					"user.delete",
					"resourceOwner",
					"foreignAggregateID"),
			},
			args: args{
				ctx:           context.Background(),
				resourceOwner: "resourceOwner",
				aggregateID:   "foreignAggregateID",
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &Commands{
				checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
					assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
					return nil
				},
			}
			if tt.fields.domainPermissionCheck != nil {
				c.checkPermission = tt.fields.domainPermissionCheck(t)
			}
			err := c.checkPermissionDeleteUser(tt.args.ctx, tt.args.resourceOwner, tt.args.aggregateID)
			if tt.want.err != nil {
				assert.True(t, tt.want.err(err))
			}
		})
	}
}

func mockDomainPermissionCheck(expectCtx context.Context, expectPermission, expectResourceOwner, expectResourceID string) func(t *testing.T) domain.PermissionCheck {
	return func(t *testing.T) domain.PermissionCheck {
		return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
			assert.Equal(t, expectCtx, ctx)
			assert.Equal(t, expectPermission, permission)
			assert.Equal(t, expectResourceOwner, orgID)
			assert.Equal(t, expectResourceID, resourceID)
			return nil
		}
	}
}
fix: allow user self deletion (#9828) # Which Problems Are Solved Currently, users can't delete themselves using the V2 RemoveUser API because of the redunant API middleware permission check. On main, using a machine user PAT to delete the same machine user: ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser ERROR: Code: NotFound Message: membership not found (AUTHZ-cdgFk) Details: 1) { "@type": "type.googleapis.com/zitadel.v1.ErrorDetail", "id": "AUTHZ-cdgFk", "message": "membership not found" } ``` Same on this PRs branch: ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser { "details": { "sequence": "3", "changeDate": "2025-05-06T13:44:54.349048Z", "resourceOwner": "318838541083804033" } } ``` Repeated call ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser ERROR: Code: Unauthenticated Message: Errors.Token.Invalid (AUTH-7fs1e) Details: 1) { "@type": "type.googleapis.com/zitadel.v1.ErrorDetail", "id": "AUTH-7fs1e", "message": "Errors.Token.Invalid" } ``` # How the Problems Are Solved The middleware permission check is disabled and the domain.PermissionCheck is used exclusively. # Additional Changes A new type command.PermissionCheck allows to optionally accept a permission check for commands, so APIs with middleware permission checks can omit redundant permission checks by passing nil while APIs without middleware permission checks can pass one to the command. # Additional Context This is a subtask of #9763 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-05-07 15:24:24 +02:00			`package command`

			`import (`
			`"context"`
			`"database/sql"`
			`"errors"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`

			`"github.com/zitadel/zitadel/internal/api/authz"`
			`"github.com/zitadel/zitadel/internal/domain"`
			`"github.com/zitadel/zitadel/internal/eventstore"`
			`"github.com/zitadel/zitadel/internal/eventstore/repository"`
			`"github.com/zitadel/zitadel/internal/zerrors"`
			`)`

			`func TestCommands_CheckPermission(t *testing.T) {`
			`type fields struct {`
			`eventstore func(testing.T) eventstore.Eventstore`
			`domainPermissionCheck func(*testing.T) domain.PermissionCheck`
			`}`
			`type args struct {`
			`ctx context.Context`
			`permission string`
			`aggregateType eventstore.AggregateType`
			`resourceOwner, aggregateID string`
			`}`
			`type want struct {`
			`err func(error) bool`
			`}`
			`ctx := context.Background()`
			`filterErr := errors.New("filter error")`
			`tests := []struct {`
			`name string`
			`fields fields`
			`args args`
			`want want`
			`}{`
			`{`
			`name: "resource owner is given, no query",`
			`fields: fields{`
			`domainPermissionCheck: mockDomainPermissionCheck(`
			`ctx,`
			`"permission",`
			`"resourceOwner",`
			`"aggregateID"),`
			`},`
			`args: args{`
			`ctx: ctx,`
			`permission: "permission",`
			`resourceOwner: "resourceOwner",`
			`aggregateID: "aggregateID",`
			`},`
			`},`
			`{`
			`name: "resource owner is empty, query for resource owner",`
			`fields: fields{`
			`eventstore: expectEventstore(`
			`expectFilter(&repository.Event{`
			`AggregateID: "aggregateID",`
			`ResourceOwner: sql.NullString{String: "resourceOwner"},`
			`}),`
			`),`
			`domainPermissionCheck: mockDomainPermissionCheck(ctx, "permission", "resourceOwner", "aggregateID"),`
			`},`
			`args: args{`
			`ctx: ctx,`
			`permission: "permission",`
			`resourceOwner: "",`
			`aggregateID: "aggregateID",`
			`},`
			`},`
			`{`
			`name: "resource owner is empty, query for resource owner, error",`
			`fields: fields{`
			`eventstore: expectEventstore(`
			`expectFilterError(filterErr),`
			`),`
			`},`
			`args: args{`
			`ctx: ctx,`
			`permission: "permission",`
			`resourceOwner: "",`
			`aggregateID: "aggregateID",`
			`},`
			`want: want{`
			`err: func(err error) bool {`
			`return errors.Is(err, filterErr)`
			`},`
			`},`
			`},`
			`{`
			`name: "resource owner is empty, query for resource owner, no events",`
			`fields: fields{`
			`eventstore: expectEventstore(`
			`expectFilter(),`
			`),`
			`},`
			`args: args{`
			`ctx: ctx,`
			`permission: "permission",`
			`resourceOwner: "",`
			`aggregateID: "aggregateID",`
			`},`
			`want: want{`
			`err: zerrors.IsNotFound,`
			`},`
			`},`
			`{`
			`name: "no aggregateID, internal error",`
			`args: args{`
			`ctx: ctx,`
			`},`
			`want: want{`
			`err: zerrors.IsInternal,`
			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`c := &Commands{`
			`checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {`
			`assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)`
			`return nil`
			`},`
			`eventstore: expectEventstore()(t),`
			`}`
			`if tt.fields.domainPermissionCheck != nil {`
			`c.checkPermission = tt.fields.domainPermissionCheck(t)`
			`}`
			`if tt.fields.eventstore != nil {`
			`c.eventstore = tt.fields.eventstore(t)`
			`}`
			`err := c.newPermissionCheck(tt.args.ctx, tt.args.permission, tt.args.aggregateType)(tt.args.resourceOwner, tt.args.aggregateID)`
			`if tt.want.err != nil {`
			`assert.True(t, tt.want.err(err))`
			`}`
			`})`
			`}`
			`}`

			`func TestCommands_CheckPermissionUserWrite(t *testing.T) {`
			`type fields struct {`
			`domainPermissionCheck func(*testing.T) domain.PermissionCheck`
			`}`
			`type args struct {`
			`ctx context.Context`
			`resourceOwner, aggregateID string`
			`}`
			`type want struct {`
			`err func(error) bool`
			`}`
			`tests := []struct {`
			`name string`
			`fields fields`
			`args args`
			`want want`
			`}{`
			`{`
			`name: "self, no permission check",`
			`args: args{`
			`ctx: authz.SetCtxData(context.Background(), authz.CtxData{`
			`UserID: "aggregateID",`
			`}),`
			`resourceOwner: "resourceOwner",`
			`aggregateID: "aggregateID",`
			`},`
			`},`
			`{`
			`name: "not self, permission check",`
			`fields: fields{`
			`domainPermissionCheck: mockDomainPermissionCheck(`
			`context.Background(),`
			`"user.write",`
			`"resourceOwner",`
			`"foreignAggregateID"),`
			`},`
			`args: args{`
			`ctx: context.Background(),`
			`resourceOwner: "resourceOwner",`
			`aggregateID: "foreignAggregateID",`
			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`c := &Commands{`
			`checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {`
			`assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)`
			`return nil`
			`},`
			`}`
			`if tt.fields.domainPermissionCheck != nil {`
			`c.checkPermission = tt.fields.domainPermissionCheck(t)`
			`}`
			`err := c.NewPermissionCheckUserWrite(tt.args.ctx)(tt.args.resourceOwner, tt.args.aggregateID)`
			`if tt.want.err != nil {`
			`assert.True(t, tt.want.err(err))`
			`}`
			`})`
			`}`
			`}`

			`func TestCommands_CheckPermissionUserDelete(t *testing.T) {`
			`type fields struct {`
			`domainPermissionCheck func(*testing.T) domain.PermissionCheck`
			`}`
			`type args struct {`
			`ctx context.Context`
			`resourceOwner, aggregateID string`
			`}`
			`type want struct {`
			`err func(error) bool`
			`}`
			`userCtx := authz.SetCtxData(context.Background(), authz.CtxData{`
			`UserID: "aggregateID",`
			`})`
			`tests := []struct {`
			`name string`
			`fields fields`
			`args args`
			`want want`
			`}{`
			`{`
			`name: "self, no permission check",`
			`args: args{`
			`ctx: userCtx,`
			`resourceOwner: "resourceOwner",`
			`aggregateID: "aggregateID",`
			`},`
			`},`
			`{`
			`name: "not self, permission check",`
			`fields: fields{`
			`domainPermissionCheck: mockDomainPermissionCheck(`
			`context.Background(),`
			`"user.delete",`
			`"resourceOwner",`
			`"foreignAggregateID"),`
			`},`
			`args: args{`
			`ctx: context.Background(),`
			`resourceOwner: "resourceOwner",`
			`aggregateID: "foreignAggregateID",`
			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`c := &Commands{`
			`checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {`
			`assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)`
			`return nil`
			`},`
			`}`
			`if tt.fields.domainPermissionCheck != nil {`
			`c.checkPermission = tt.fields.domainPermissionCheck(t)`
			`}`
			`err := c.checkPermissionDeleteUser(tt.args.ctx, tt.args.resourceOwner, tt.args.aggregateID)`
			`if tt.want.err != nil {`
			`assert.True(t, tt.want.err(err))`
			`}`
			`})`
			`}`
			`}`

			`func mockDomainPermissionCheck(expectCtx context.Context, expectPermission, expectResourceOwner, expectResourceID string) func(t *testing.T) domain.PermissionCheck {`
			`return func(t *testing.T) domain.PermissionCheck {`
			`return func(ctx context.Context, permission, orgID, resourceID string) (err error) {`
			`assert.Equal(t, expectCtx, ctx)`
			`assert.Equal(t, expectPermission, permission)`
			`assert.Equal(t, expectResourceOwner, orgID)`
			`assert.Equal(t, expectResourceID, resourceID)`
			`return nil`
			`}`
			`}`
			`}`