zitadel/internal/api/authz/authorization.go

package authz

import (
	"context"
	"fmt"
	"reflect"
	"strings"

	"github.com/zitadel/zitadel/internal/telemetry/tracing"
	"github.com/zitadel/zitadel/internal/zerrors"
)

const (
	authenticated = "authenticated"
)

// CheckUserAuthorization verifies that:
// - the token is active,
// - the organisation (**either** provided by ID or verified domain) exists
// - the user is permitted to call the requested endpoint (permission option in proto)
// it will pass the [CtxData] and permission of the user into the ctx [context.Context]
func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID, orgDomain string, verifier APITokenVerifier, authConfig Config, requiredAuthOption Option, method string) (ctxSetter func(context.Context) context.Context, err error) {
	ctx, span := tracing.NewServerInterceptorSpan(ctx)
	defer func() { span.EndWithError(err) }()

	ctxData, err := VerifyTokenAndCreateCtxData(ctx, token, orgID, orgDomain, verifier)
	if err != nil {
		return nil, err
	}

	if requiredAuthOption.Permission == authenticated {
		return func(parent context.Context) context.Context {
			return context.WithValue(parent, dataKey, ctxData)
		}, nil
	}

	requestedPermissions, allPermissions, err := getUserPermissions(ctx, verifier, requiredAuthOption.Permission, authConfig.RolePermissionMappings, ctxData, ctxData.OrgID)
	if err != nil {
		return nil, err
	}

	ctx, userPermissionSpan := tracing.NewNamedSpan(ctx, "checkUserPermissions")
	err = checkUserPermissions(req, requestedPermissions, requiredAuthOption)
	userPermissionSpan.EndWithError(err)
	if err != nil {
		return nil, err
	}

	return func(parent context.Context) context.Context {
		parent = context.WithValue(parent, dataKey, ctxData)
		parent = context.WithValue(parent, allPermissionsKey, allPermissions)
		parent = context.WithValue(parent, requestPermissionsKey, requestedPermissions)
		return parent
	}, nil
}

func checkUserPermissions(req interface{}, userPerms []string, authOpt Option) error {
	if len(userPerms) == 0 {
		return zerrors.ThrowPermissionDenied(nil, "AUTH-5mWD2", "No matching permissions found")
	}

	if authOpt.CheckParam == "" {
		return nil
	}

	if HasGlobalPermission(userPerms) {
		return nil
	}

	if hasContextPermission(req, authOpt.CheckParam, userPerms) {
		return nil
	}

	return zerrors.ThrowPermissionDenied(nil, "AUTH-3jknH", "No matching permissions found")
}

func SplitPermission(perm string) (string, string) {
	splittedPerm := strings.Split(perm, ":")
	if len(splittedPerm) == 1 {
		return splittedPerm[0], ""
	}
	return splittedPerm[0], splittedPerm[1]
}

func hasContextPermission(req interface{}, fieldName string, permissions []string) bool {
	for _, perm := range permissions {
		_, ctxID := SplitPermission(perm)
		if checkPermissionContext(req, fieldName, ctxID) {
			return true
		}
	}
	return false
}

func checkPermissionContext(req interface{}, fieldName, roleContextID string) bool {
	field := getFieldFromReq(req, fieldName)
	return field != "" && field == roleContextID
}

func getFieldFromReq(req interface{}, field string) string {
	v := reflect.Indirect(reflect.ValueOf(req)).FieldByName(field)
	if reflect.ValueOf(v).IsZero() {
		return ""
	}
	return fmt.Sprintf("%v", v.Interface())
}

func HasGlobalPermission(perms []string) bool {
	for _, perm := range perms {
		_, ctxID := SplitPermission(perm)
		if ctxID == "" {
			return true
		}
	}
	return false
}

func GetAllPermissionCtxIDs(perms []string) []string {
	ctxIDs := make([]string, 0)
	for _, perm := range perms {
		_, ctxID := SplitPermission(perm)
		if ctxID != "" {
			ctxIDs = append(ctxIDs, ctxID)
		}
	}
	return ctxIDs
}
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00			`package authz`
feat: add some api packages 2020-03-23 06:01:59 +00:00
			`import (`
			`"context"`
			`"fmt"`
			`"reflect"`
			`"strings"`

chore(v2): move to new org (#3499) * chore: move to new org * logging * fix: org rename caos -> zitadel Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2022-04-26 23:01:45 +00:00			`"github.com/zitadel/zitadel/internal/telemetry/tracing"`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 14:30:55 +00:00			`"github.com/zitadel/zitadel/internal/zerrors"`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`)`

			`const (`
			`authenticated = "authenticated"`
			`)`

feat(api): new session service (#5801) * backup new protoc plugin * backup * session * backup * initial implementation * change to specific events * implement tests * cleanup * refactor: use new protoc plugin for api v2 * change package * simplify code * cleanup * cleanup * fix merge * start queries * fix tests * improve returned values * add token to projection * tests * test db map * update query * permission checks * fix tests and linting * rework token creation * i18n * refactor token check and fix tests * session to PB test * request to query tests * cleanup proto * test user check * add comment * simplify database map type * Update docs/docs/guides/integrate/access-zitadel-system-api.md Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix test * cleanup * docs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-05-05 15:34:53 +00:00			`// CheckUserAuthorization verifies that:`
			`// - the token is active,`
			`// - the organisation (either provided by ID or verified domain) exists`
			`// - the user is permitted to call the requested endpoint (permission option in proto)`
			`// it will pass the [CtxData] and permission of the user into the ctx [context.Context]`
feat: add SYSTEM_OWNER role (#6765) * define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch> 2023-10-25 15:10:45 +00:00			`func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID, orgDomain string, verifier APITokenVerifier, authConfig Config, requiredAuthOption Option, method string) (ctxSetter func(context.Context) context.Context, err error) {`
feat: add tracing interceptors to login and oidc (#764) * add tracing interceptors to login and oidc * add some tracing spans * trace login calls * add some spans * add some spans (change password) * add some more tracing in oauth/oidc * revert org exists * Merge branch 'master' into http-tracing # Conflicts: # internal/api/oidc/auth_request.go # internal/api/oidc/client.go # internal/auth/repository/eventsourcing/eventstore/auth_request.go # internal/auth/repository/eventsourcing/eventstore/user.go # internal/authz/repository/eventsourcing/eventstore/token_verifier.go # internal/authz/repository/eventsourcing/view/token.go # internal/user/repository/eventsourcing/eventstore.go 2020-10-21 08:18:34 +00:00			`ctx, span := tracing.NewServerInterceptorSpan(ctx)`
			`defer func() { span.EndWithError(err) }()`

feat: add SYSTEM_OWNER role (#6765) * define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch> 2023-10-25 15:10:45 +00:00			`ctxData, err := VerifyTokenAndCreateCtxData(ctx, token, orgID, orgDomain, verifier)`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`if requiredAuthOption.Permission == authenticated {`
fix(tracing): business logic has grpc server span as parent (#1017) * start fix * fix(tracing): business logic has grpc server span as parent * fix: response name * fix: tests * fix: simplify ctxData 2020-12-14 12:34:05 +00:00			`return func(parent context.Context) context.Context {`
			`return context.WithValue(parent, dataKey, ctxData)`
			`}, nil`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`}`

feat: user v2alpha email API (#5708) * chore(proto): update versions * change protoc plugin * some cleanups * define api for setting emails in new api * implement user.SetEmail * move SetEmail buisiness logic into command * resuse newCryptoCode * command: add ChangeEmail unit tests Not complete, was not able to mock the generator. * Revert "resuse newCryptoCode" This reverts commit c89e90ae35ae924a3f706a0a7394f933910c2e65. * undo change to crypto code generators * command: use a generator so we can test properly * command: reorganise ChangeEmail improve test coverage * implement VerifyEmail including unit tests * add URL template tests * proto: change context to object * remove old auth option * remove old auth option * fix linting errors run gci on modified files * add permission checks and fix some errors * comments * comments --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-04-25 07:02:29 +00:00			`requestedPermissions, allPermissions, err := getUserPermissions(ctx, verifier, requiredAuthOption.Permission, authConfig.RolePermissionMappings, ctxData, ctxData.OrgID)`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`if err != nil {`
			`return nil, err`
			`}`

feat: add tracing interceptors to login and oidc (#764) * add tracing interceptors to login and oidc * add some tracing spans * trace login calls * add some spans * add some spans (change password) * add some more tracing in oauth/oidc * revert org exists * Merge branch 'master' into http-tracing # Conflicts: # internal/api/oidc/auth_request.go # internal/api/oidc/client.go # internal/auth/repository/eventsourcing/eventstore/auth_request.go # internal/auth/repository/eventsourcing/eventstore/user.go # internal/authz/repository/eventsourcing/eventstore/token_verifier.go # internal/authz/repository/eventsourcing/view/token.go # internal/user/repository/eventsourcing/eventstore.go 2020-10-21 08:18:34 +00:00			`ctx, userPermissionSpan := tracing.NewNamedSpan(ctx, "checkUserPermissions")`
fix(tracing): business logic has grpc server span as parent (#1017) * start fix * fix(tracing): business logic has grpc server span as parent * fix: response name * fix: tests * fix: simplify ctxData 2020-12-14 12:34:05 +00:00			`err = checkUserPermissions(req, requestedPermissions, requiredAuthOption)`
feat: add tracing interceptors to login and oidc (#764) * add tracing interceptors to login and oidc * add some tracing spans * trace login calls * add some spans * add some spans (change password) * add some more tracing in oauth/oidc * revert org exists * Merge branch 'master' into http-tracing # Conflicts: # internal/api/oidc/auth_request.go # internal/api/oidc/client.go # internal/auth/repository/eventsourcing/eventstore/auth_request.go # internal/auth/repository/eventsourcing/eventstore/user.go # internal/authz/repository/eventsourcing/eventstore/token_verifier.go # internal/authz/repository/eventsourcing/view/token.go # internal/user/repository/eventsourcing/eventstore.go 2020-10-21 08:18:34 +00:00			`userPermissionSpan.EndWithError(err)`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Project commands (#26) * feat: eventstore repository * fix: remove gorm * version * feat: pkg * feat: add some files for project * feat: eventstore without eventstore-lib * rename files * gnueg * fix: key json * fix: add object * fix: change imports * fix: internal models * fix: some imports * fix: global model * fix: add some functions on repo * feat(eventstore): sdk * fix(eventstore): search query * fix(eventstore): rename app to eventstore * delete empty test * remove unused func * merge master * fix(eventstore): tests * fix(models): delete unused struct * fix: some funcitons * feat(eventstore): implemented push events * fix: move project eventstore to project package * fix: change project eventstore funcs * feat(eventstore): overwrite context data * fix: change project eventstore * fix: add project repo to mgmt server * feat(types): SQL-config * fix: commented code * feat(eventstore): options to overwrite editor * feat: auth interceptor and cockroach migrations * fix: migrations * fix: fix filter * fix: not found on getbyid * fix: add sequence * fix: add some tests * fix(eventstore): nullable sequence * fix: add some tests * merge * fix: add some tests * fix(migrations): correct statements for sequence * fix: add some tests * fix: add some tests * fix: changes from mr * Update internal/eventstore/models/field.go Co-Authored-By: livio-a <livio.a@gmail.com> * fix(eventstore): code quality * fix: add types to aggregate/Event-types * fix(eventstore): rename modifier* to editor* * fix(eventstore): delete editor_org * fix(migrations): remove editor_org field, rename modifier_* to editor_* * fix: generate files * fix(eventstore): tests * fix(eventstore): rename modifier to editor * fix(migrations): add cluster migration, fix(migrations): fix typo of host in clean clsuter * fix(eventstore): move health * fix(eventstore): AggregateTypeFilter aggregateType as param * code quality * feat: start implementing project members * feat: remove member funcs * feat: remove member model * feat: remove member events * feat: remove member repo model * fix: better error func testing * Update docs/local.md Co-Authored-By: Silvan <silvan.reusser@gmail.com> * Update docs/local.md Co-Authored-By: Silvan <silvan.reusser@gmail.com> * fix: mr requests * fix: md file Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: livio-a <livio.a@gmail.com> 2020-04-07 11:23:04 +00:00
fix(tracing): business logic has grpc server span as parent (#1017) * start fix * fix(tracing): business logic has grpc server span as parent * fix: response name * fix: tests * fix: simplify ctxData 2020-12-14 12:34:05 +00:00			`return func(parent context.Context) context.Context {`
			`parent = context.WithValue(parent, dataKey, ctxData)`
			`parent = context.WithValue(parent, allPermissionsKey, allPermissions)`
			`parent = context.WithValue(parent, requestPermissionsKey, requestedPermissions)`
			`return parent`
			`}, nil`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`}`

			`func checkUserPermissions(req interface{}, userPerms []string, authOpt Option) error {`
			`if len(userPerms) == 0 {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 14:30:55 +00:00			`return zerrors.ThrowPermissionDenied(nil, "AUTH-5mWD2", "No matching permissions found")`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`}`

			`if authOpt.CheckParam == "" {`
			`return nil`
			`}`

			`if HasGlobalPermission(userPerms) {`
			`return nil`
			`}`

			`if hasContextPermission(req, authOpt.CheckParam, userPerms) {`
			`return nil`
			`}`

refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 14:30:55 +00:00			`return zerrors.ThrowPermissionDenied(nil, "AUTH-3jknH", "No matching permissions found")`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`}`

			`func SplitPermission(perm string) (string, string) {`
			`splittedPerm := strings.Split(perm, ":")`
			`if len(splittedPerm) == 1 {`
			`return splittedPerm[0], ""`
			`}`
			`return splittedPerm[0], splittedPerm[1]`
			`}`

			`func hasContextPermission(req interface{}, fieldName string, permissions []string) bool {`
			`for _, perm := range permissions {`
			`_, ctxID := SplitPermission(perm)`
			`if checkPermissionContext(req, fieldName, ctxID) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`func checkPermissionContext(req interface{}, fieldName, roleContextID string) bool {`
			`field := getFieldFromReq(req, fieldName)`
			`return field != "" && field == roleContextID`
			`}`

			`func getFieldFromReq(req interface{}, field string) string {`
			`v := reflect.Indirect(reflect.ValueOf(req)).FieldByName(field)`
			`if reflect.ValueOf(v).IsZero() {`
			`return ""`
			`}`
			`return fmt.Sprintf("%v", v.Interface())`
			`}`

			`func HasGlobalPermission(perms []string) bool {`
			`for _, perm := range perms {`
			`_, ctxID := SplitPermission(perm)`
			`if ctxID == "" {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

feat: usergrant (#489) * fix: search usergrants only for allowed projects * fix: check permissions * fix: check permissions * fix: check permissions * Update internal/management/repository/eventsourcing/eventstore/project.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: merge request changes * fix: variable name Co-authored-by: Silvan <silvan.reusser@gmail.com> 2020-07-22 12:00:29 +00:00			`func GetAllPermissionCtxIDs(perms []string) []string {`
feat: add some api packages 2020-03-23 06:01:59 +00:00			`ctxIDs := make([]string, 0)`
			`for _, perm := range perms {`
			`_, ctxID := SplitPermission(perm)`
			`if ctxID != "" {`
			`ctxIDs = append(ctxIDs, ctxID)`
			`}`
			`}`
			`return ctxIDs`
			`}`