zitadel/internal/command/permission_checks.go

package command

import (
	"context"

	"github.com/zitadel/zitadel/internal/api/authz"
	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/eventstore"
	"github.com/zitadel/zitadel/internal/repository/project"
	"github.com/zitadel/zitadel/internal/v2/user"
	"github.com/zitadel/zitadel/internal/zerrors"
)

type PermissionCheck func(resourceOwner, aggregateID string) error

func (c *Commands) newPermissionCheck(ctx context.Context, permission string, aggregateType eventstore.AggregateType) PermissionCheck {
	return func(resourceOwner, aggregateID string) error {
		if aggregateID == "" {
			return zerrors.ThrowInternal(nil, "COMMAND-ulBlS", "Errors.IDMissing")
		}
		// For example if a write model didn't query any events, the resource owner is probably empty.
		// In this case, we have to query an event on the given aggregate to get the resource owner.
		if resourceOwner == "" {
			r := NewResourceOwnerModel(authz.GetInstance(ctx).InstanceID(), aggregateType, aggregateID)
			err := c.eventstore.FilterToQueryReducer(ctx, r)
			if err != nil {
				return err
			}
			resourceOwner = r.resourceOwner
		}
		if resourceOwner == "" {
			return zerrors.ThrowNotFound(nil, "COMMAND-4g3xq", "Errors.NotFound")
		}
		return c.checkPermission(ctx, permission, resourceOwner, aggregateID)
	}
}

func (c *Commands) checkPermissionOnUser(ctx context.Context, permission string) PermissionCheck {
	return func(resourceOwner, aggregateID string) error {
		if aggregateID != "" && aggregateID == authz.GetCtxData(ctx).UserID {
			return nil
		}
		return c.newPermissionCheck(ctx, permission, user.AggregateType)(resourceOwner, aggregateID)
	}
}

func (c *Commands) NewPermissionCheckUserWrite(ctx context.Context) PermissionCheck {
	return c.checkPermissionOnUser(ctx, domain.PermissionUserWrite)
}

func (c *Commands) checkPermissionDeleteUser(ctx context.Context, resourceOwner, userID string) error {
	return c.checkPermissionOnUser(ctx, domain.PermissionUserDelete)(resourceOwner, userID)
}

func (c *Commands) checkPermissionUpdateUser(ctx context.Context, resourceOwner, userID string) error {
	return c.NewPermissionCheckUserWrite(ctx)(resourceOwner, userID)
}

func (c *Commands) checkPermissionUpdateUserCredentials(ctx context.Context, resourceOwner, userID string) error {
	return c.checkPermissionOnUser(ctx, domain.PermissionUserCredentialWrite)(resourceOwner, userID)
}

func (c *Commands) checkPermissionDeleteProject(ctx context.Context, resourceOwner, projectID string) error {
	return c.newPermissionCheck(ctx, domain.PermissionProjectDelete, project.AggregateType)(resourceOwner, projectID)
}

func (c *Commands) checkPermissionUpdateProject(ctx context.Context, resourceOwner, projectID string) error {
	return c.newPermissionCheck(ctx, domain.PermissionProjectWrite, project.AggregateType)(resourceOwner, projectID)
}

func (c *Commands) checkPermissionWriteProjectGrant(ctx context.Context, resourceOwner, projectGrantID string) error {
	return c.newPermissionCheck(ctx, domain.PermissionProjectGrantWrite, project.AggregateType)(resourceOwner, projectGrantID)
}
fix: allow user self deletion (#9828) # Which Problems Are Solved Currently, users can't delete themselves using the V2 RemoveUser API because of the redunant API middleware permission check. On main, using a machine user PAT to delete the same machine user: ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser ERROR: Code: NotFound Message: membership not found (AUTHZ-cdgFk) Details: 1) { "@type": "type.googleapis.com/zitadel.v1.ErrorDetail", "id": "AUTHZ-cdgFk", "message": "membership not found" } ``` Same on this PRs branch: ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser { "details": { "sequence": "3", "changeDate": "2025-05-06T13:44:54.349048Z", "resourceOwner": "318838541083804033" } } ``` Repeated call ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser ERROR: Code: Unauthenticated Message: Errors.Token.Invalid (AUTH-7fs1e) Details: 1) { "@type": "type.googleapis.com/zitadel.v1.ErrorDetail", "id": "AUTH-7fs1e", "message": "Errors.Token.Invalid" } ``` # How the Problems Are Solved The middleware permission check is disabled and the domain.PermissionCheck is used exclusively. # Additional Changes A new type command.PermissionCheck allows to optionally accept a permission check for commands, so APIs with middleware permission checks can omit redundant permission checks by passing nil while APIs without middleware permission checks can pass one to the command. # Additional Context This is a subtask of #9763 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-05-07 15:24:24 +02:00			`package command`

			`import (`
			`"context"`

			`"github.com/zitadel/zitadel/internal/api/authz"`
			`"github.com/zitadel/zitadel/internal/domain"`
			`"github.com/zitadel/zitadel/internal/eventstore"`
feat: project v2beta resource API (#9742) # Which Problems Are Solved Resource management of projects and sub-resources was before limited by the context provided by the management API, which would mean you could only manage resources belonging to a specific organization. # How the Problems Are Solved With the addition of a resource-based API, it is now possible to manage projects and sub-resources on the basis of the resources themselves, which means that as long as you have the permission for the resource, you can create, read, update and delete it. - CreateProject to create a project under an organization - UpdateProject to update an existing project - DeleteProject to delete an existing project - DeactivateProject and ActivateProject to change the status of a project - GetProject to query for a specific project with an identifier - ListProject to query for projects and granted projects - CreateProjectGrant to create a project grant with project and granted organization - UpdateProjectGrant to update the roles of a project grant - DeactivateProjectGrant and ActivateProjectGrant to change the status of a project grant - DeleteProjectGrant to delete an existing project grant - ListProjectGrants to query for project grants - AddProjectRole to add a role to an existing project - UpdateProjectRole to change texts of an existing role - RemoveProjectRole to remove an existing role - ListProjectRoles to query for project roles # Additional Changes - Changes to ListProjects, which now contains granted projects as well - Changes to messages as defined in the [API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md) - Permission checks for project functionality on query and command side - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - ListProjects now also correctly lists `granted projects` - Permission checks for project grant and project role functionality on query and command side - Change existing pre checks so that they also work resource specific without resourceowner - Added the resourceowner to the grant and role if no resourceowner is provided - Corrected import tests with project grants and roles - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - Corrected some naming in the proto files to adhere to the API_DESIGN # Additional Context Closes #9177 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-05-21 14:40:47 +02:00			`"github.com/zitadel/zitadel/internal/repository/project"`
fix: allow user self deletion (#9828) # Which Problems Are Solved Currently, users can't delete themselves using the V2 RemoveUser API because of the redunant API middleware permission check. On main, using a machine user PAT to delete the same machine user: ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser ERROR: Code: NotFound Message: membership not found (AUTHZ-cdgFk) Details: 1) { "@type": "type.googleapis.com/zitadel.v1.ErrorDetail", "id": "AUTHZ-cdgFk", "message": "membership not found" } ``` Same on this PRs branch: ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser { "details": { "sequence": "3", "changeDate": "2025-05-06T13:44:54.349048Z", "resourceOwner": "318838541083804033" } } ``` Repeated call ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser ERROR: Code: Unauthenticated Message: Errors.Token.Invalid (AUTH-7fs1e) Details: 1) { "@type": "type.googleapis.com/zitadel.v1.ErrorDetail", "id": "AUTH-7fs1e", "message": "Errors.Token.Invalid" } ``` # How the Problems Are Solved The middleware permission check is disabled and the domain.PermissionCheck is used exclusively. # Additional Changes A new type command.PermissionCheck allows to optionally accept a permission check for commands, so APIs with middleware permission checks can omit redundant permission checks by passing nil while APIs without middleware permission checks can pass one to the command. # Additional Context This is a subtask of #9763 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-05-07 15:24:24 +02:00			`"github.com/zitadel/zitadel/internal/v2/user"`
			`"github.com/zitadel/zitadel/internal/zerrors"`
			`)`

			`type PermissionCheck func(resourceOwner, aggregateID string) error`

			`func (c *Commands) newPermissionCheck(ctx context.Context, permission string, aggregateType eventstore.AggregateType) PermissionCheck {`
			`return func(resourceOwner, aggregateID string) error {`
			`if aggregateID == "" {`
			`return zerrors.ThrowInternal(nil, "COMMAND-ulBlS", "Errors.IDMissing")`
			`}`
			`// For example if a write model didn't query any events, the resource owner is probably empty.`
			`// In this case, we have to query an event on the given aggregate to get the resource owner.`
			`if resourceOwner == "" {`
			`r := NewResourceOwnerModel(authz.GetInstance(ctx).InstanceID(), aggregateType, aggregateID)`
			`err := c.eventstore.FilterToQueryReducer(ctx, r)`
			`if err != nil {`
			`return err`
			`}`
			`resourceOwner = r.resourceOwner`
			`}`
			`if resourceOwner == "" {`
			`return zerrors.ThrowNotFound(nil, "COMMAND-4g3xq", "Errors.NotFound")`
			`}`
			`return c.checkPermission(ctx, permission, resourceOwner, aggregateID)`
			`}`
			`}`

			`func (c *Commands) checkPermissionOnUser(ctx context.Context, permission string) PermissionCheck {`
			`return func(resourceOwner, aggregateID string) error {`
			`if aggregateID != "" && aggregateID == authz.GetCtxData(ctx).UserID {`
			`return nil`
			`}`
			`return c.newPermissionCheck(ctx, permission, user.AggregateType)(resourceOwner, aggregateID)`
			`}`
			`}`

			`func (c *Commands) NewPermissionCheckUserWrite(ctx context.Context) PermissionCheck {`
			`return c.checkPermissionOnUser(ctx, domain.PermissionUserWrite)`
			`}`

			`func (c *Commands) checkPermissionDeleteUser(ctx context.Context, resourceOwner, userID string) error {`
			`return c.checkPermissionOnUser(ctx, domain.PermissionUserDelete)(resourceOwner, userID)`
			`}`

			`func (c *Commands) checkPermissionUpdateUser(ctx context.Context, resourceOwner, userID string) error {`
			`return c.NewPermissionCheckUserWrite(ctx)(resourceOwner, userID)`
			`}`

			`func (c *Commands) checkPermissionUpdateUserCredentials(ctx context.Context, resourceOwner, userID string) error {`
			`return c.checkPermissionOnUser(ctx, domain.PermissionUserCredentialWrite)(resourceOwner, userID)`
			`}`
feat: project v2beta resource API (#9742) # Which Problems Are Solved Resource management of projects and sub-resources was before limited by the context provided by the management API, which would mean you could only manage resources belonging to a specific organization. # How the Problems Are Solved With the addition of a resource-based API, it is now possible to manage projects and sub-resources on the basis of the resources themselves, which means that as long as you have the permission for the resource, you can create, read, update and delete it. - CreateProject to create a project under an organization - UpdateProject to update an existing project - DeleteProject to delete an existing project - DeactivateProject and ActivateProject to change the status of a project - GetProject to query for a specific project with an identifier - ListProject to query for projects and granted projects - CreateProjectGrant to create a project grant with project and granted organization - UpdateProjectGrant to update the roles of a project grant - DeactivateProjectGrant and ActivateProjectGrant to change the status of a project grant - DeleteProjectGrant to delete an existing project grant - ListProjectGrants to query for project grants - AddProjectRole to add a role to an existing project - UpdateProjectRole to change texts of an existing role - RemoveProjectRole to remove an existing role - ListProjectRoles to query for project roles # Additional Changes - Changes to ListProjects, which now contains granted projects as well - Changes to messages as defined in the [API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md) - Permission checks for project functionality on query and command side - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - ListProjects now also correctly lists `granted projects` - Permission checks for project grant and project role functionality on query and command side - Change existing pre checks so that they also work resource specific without resourceowner - Added the resourceowner to the grant and role if no resourceowner is provided - Corrected import tests with project grants and roles - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - Corrected some naming in the proto files to adhere to the API_DESIGN # Additional Context Closes #9177 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-05-21 14:40:47 +02:00
			`func (c *Commands) checkPermissionDeleteProject(ctx context.Context, resourceOwner, projectID string) error {`
			`return c.newPermissionCheck(ctx, domain.PermissionProjectDelete, project.AggregateType)(resourceOwner, projectID)`
			`}`

			`func (c *Commands) checkPermissionUpdateProject(ctx context.Context, resourceOwner, projectID string) error {`
			`return c.newPermissionCheck(ctx, domain.PermissionProjectWrite, project.AggregateType)(resourceOwner, projectID)`
			`}`

			`func (c *Commands) checkPermissionWriteProjectGrant(ctx context.Context, resourceOwner, projectGrantID string) error {`
			`return c.newPermissionCheck(ctx, domain.PermissionProjectGrantWrite, project.AggregateType)(resourceOwner, projectGrantID)`
			`}`