zitadel/internal/domain/permission.go

package domain

import "context"

type Permissions struct {
	Permissions []string
}

func (p *Permissions) AppendPermissions(ctxID string, permissions ...string) {
	for _, permission := range permissions {
		p.appendPermission(ctxID, permission)
	}
}

func (p *Permissions) appendPermission(ctxID, permission string) {
	if ctxID != "" {
		permission = permission + ":" + ctxID
	}
	for _, existingPermission := range p.Permissions {
		if existingPermission == permission {
			return
		}
	}
	p.Permissions = append(p.Permissions, permission)
}

type PermissionCheck func(ctx context.Context, permission, orgID, resourceID string) (err error)

const (
	PermissionUserWrite           = "user.write"
	PermissionUserRead            = "user.read"
	PermissionUserDelete          = "user.delete"
	PermissionUserCredentialWrite = "user.credential.write"
	PermissionSessionWrite        = "session.write"
	PermissionSessionRead         = "session.read"
	PermissionSessionLink         = "session.link"
	PermissionSessionDelete       = "session.delete"
	PermissionOrgRead             = "org.read"
	PermissionIDPRead             = "iam.idp.read"
	PermissionOrgIDPRead          = "org.idp.read"
	PermissionProjectWrite        = "project.write"
	PermissionProjectRead         = "project.read"
	PermissionProjectDelete       = "project.delete"
	PermissionProjectGrantWrite   = "project.grant.write"
	PermissionProjectGrantRead    = "project.grant.read"
	PermissionProjectGrantDelete  = "project.grant.delete"
	PermissionProjectRoleWrite    = "project.role.write"
	PermissionProjectRoleRead     = "project.role.read"
	PermissionProjectRoleDelete   = "project.role.delete"
)

// ProjectPermissionCheck is used as a check for preconditions dependent on application, project, user resourceowner and usergrants.
// Configurable on the project the application belongs to through the flags related to authentication.
type ProjectPermissionCheck func(ctx context.Context, clientID, userID string) (err error)
fix: move activity log to queries and remove old code (#3096) * move changes to queries and remove old code * fix changes query * remove unused code * fix sorting * fix sorting * refactor and remove old code * remove accidental go.mod replace * add missing file * remove listDetail from ChangesResponse 2022-01-26 10:16:33 +01:00			`package domain`

feat(api): new session service (#5801) * backup new protoc plugin * backup * session * backup * initial implementation * change to specific events * implement tests * cleanup * refactor: use new protoc plugin for api v2 * change package * simplify code * cleanup * cleanup * fix merge * start queries * fix tests * improve returned values * add token to projection * tests * test db map * update query * permission checks * fix tests and linting * rework token creation * i18n * refactor token check and fix tests * session to PB test * request to query tests * cleanup proto * test user check * add comment * simplify database map type * Update docs/docs/guides/integrate/access-zitadel-system-api.md Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix test * cleanup * docs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-05-05 17:34:53 +02:00			`import "context"`

fix: move activity log to queries and remove old code (#3096) * move changes to queries and remove old code * fix changes query * remove unused code * fix sorting * fix sorting * refactor and remove old code * remove accidental go.mod replace * add missing file * remove listDetail from ChangesResponse 2022-01-26 10:16:33 +01:00			`type Permissions struct {`
			`Permissions []string`
			`}`

			`func (p *Permissions) AppendPermissions(ctxID string, permissions ...string) {`
			`for _, permission := range permissions {`
			`p.appendPermission(ctxID, permission)`
			`}`
			`}`

			`func (p *Permissions) appendPermission(ctxID, permission string) {`
			`if ctxID != "" {`
			`permission = permission + ":" + ctxID`
			`}`
			`for _, existingPermission := range p.Permissions {`
			`if existingPermission == permission {`
			`return`
			`}`
			`}`
			`p.Permissions = append(p.Permissions, permission)`
			`}`
feat(api): new session service (#5801) * backup new protoc plugin * backup * session * backup * initial implementation * change to specific events * implement tests * cleanup * refactor: use new protoc plugin for api v2 * change package * simplify code * cleanup * cleanup * fix merge * start queries * fix tests * improve returned values * add token to projection * tests * test db map * update query * permission checks * fix tests and linting * rework token creation * i18n * refactor token check and fix tests * session to PB test * request to query tests * cleanup proto * test user check * add comment * simplify database map type * Update docs/docs/guides/integrate/access-zitadel-system-api.md Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix test * cleanup * docs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-05-05 17:34:53 +02:00
			`type PermissionCheck func(ctx context.Context, permission, orgID, resourceID string) (err error)`

			`const (`
fix: allow other users to set up MFAs (#7914) * fix: allow other users to set up MFAs * update tests * update integration tests 2024-05-07 07:38:26 +02:00			`PermissionUserWrite = "user.write"`
			`PermissionUserRead = "user.read"`
			`PermissionUserDelete = "user.delete"`
			`PermissionUserCredentialWrite = "user.credential.write"`
			`PermissionSessionWrite = "session.write"`
feat: specify login UI version on instance and apps (#9071) # Which Problems Are Solved To be able to migrate or test the new login UI, admins might want to (temporarily) switch individual apps. At a later point admin might want to make sure all applications use the new login UI. # How the Problems Are Solved - Added a feature flag `` on instance level to require all apps to use the new login and provide an optional base url. - if the flag is enabled, all (OIDC) applications will automatically use the v2 login. - if disabled, applications can decide based on their configuration - Added an option on OIDC apps to use the new login UI and an optional base url. - Removed the requirement to use `x-zitadel-login-client` to be redirected to the login V2 and retrieve created authrequest and link them to SSO sessions. - Added a new "IAM_LOGIN_CLIENT" role to allow management of users, sessions, grants and more without `x-zitadel-login-client`. # Additional Changes None # Additional Context closes https://github.com/zitadel/zitadel/issues/8702 2024-12-19 10:37:46 +01:00			`PermissionSessionRead = "session.read"`
			`PermissionSessionLink = "session.link"`
fix: allow other users to set up MFAs (#7914) * fix: allow other users to set up MFAs * update tests * update integration tests 2024-05-07 07:38:26 +02:00			`PermissionSessionDelete = "session.delete"`
feat: org v2 ListOrganizations (#8411) # Which Problems Are Solved Org v2 service does not have a ListOrganizations endpoint. # How the Problems Are Solved Implement ListOrganizations endpoint. # Additional Changes - moved descriptions in the protos to comments - corrected the RemoveNoPermissions for the ListUsers, to get the correct TotalResults # Additional Context For new typescript login 2024-08-15 06:37:06 +02:00			`PermissionOrgRead = "org.read"`
feat: idp v2 api GetIDPByID (#8425) # Which Problems Are Solved GetIDPByID as endpoint in the API v2 so that it can be available for the new login. # How the Problems Are Solved Create GetIDPByID endpoint with IDP v2 API, throught the GetProviderByID implementation from admin and management API. # Additional Changes - Remove the OwnerType attribute from the response, as the information is available through the resourceOwner. - correct refs to messages in proto which are used for doc generation - renaming of elements for API v3 # Additional Context Closes #8337 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2024-08-14 20:18:29 +02:00			`PermissionIDPRead = "iam.idp.read"`
			`PermissionOrgIDPRead = "org.idp.read"`
feat: project v2beta resource API (#9742) # Which Problems Are Solved Resource management of projects and sub-resources was before limited by the context provided by the management API, which would mean you could only manage resources belonging to a specific organization. # How the Problems Are Solved With the addition of a resource-based API, it is now possible to manage projects and sub-resources on the basis of the resources themselves, which means that as long as you have the permission for the resource, you can create, read, update and delete it. - CreateProject to create a project under an organization - UpdateProject to update an existing project - DeleteProject to delete an existing project - DeactivateProject and ActivateProject to change the status of a project - GetProject to query for a specific project with an identifier - ListProject to query for projects and granted projects - CreateProjectGrant to create a project grant with project and granted organization - UpdateProjectGrant to update the roles of a project grant - DeactivateProjectGrant and ActivateProjectGrant to change the status of a project grant - DeleteProjectGrant to delete an existing project grant - ListProjectGrants to query for project grants - AddProjectRole to add a role to an existing project - UpdateProjectRole to change texts of an existing role - RemoveProjectRole to remove an existing role - ListProjectRoles to query for project roles # Additional Changes - Changes to ListProjects, which now contains granted projects as well - Changes to messages as defined in the [API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md) - Permission checks for project functionality on query and command side - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - ListProjects now also correctly lists `granted projects` - Permission checks for project grant and project role functionality on query and command side - Change existing pre checks so that they also work resource specific without resourceowner - Added the resourceowner to the grant and role if no resourceowner is provided - Corrected import tests with project grants and roles - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - Corrected some naming in the proto files to adhere to the API_DESIGN # Additional Context Closes #9177 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-05-21 14:40:47 +02:00			`PermissionProjectWrite = "project.write"`
			`PermissionProjectRead = "project.read"`
			`PermissionProjectDelete = "project.delete"`
			`PermissionProjectGrantWrite = "project.grant.write"`
			`PermissionProjectGrantRead = "project.grant.read"`
			`PermissionProjectGrantDelete = "project.grant.delete"`
			`PermissionProjectRoleWrite = "project.role.write"`
			`PermissionProjectRoleRead = "project.role.read"`
			`PermissionProjectRoleDelete = "project.role.delete"`
feat(api): new session service (#5801) * backup new protoc plugin * backup * session * backup * initial implementation * change to specific events * implement tests * cleanup * refactor: use new protoc plugin for api v2 * change package * simplify code * cleanup * cleanup * fix merge * start queries * fix tests * improve returned values * add token to projection * tests * test db map * update query * permission checks * fix tests and linting * rework token creation * i18n * refactor token check and fix tests * session to PB test * request to query tests * cleanup proto * test user check * add comment * simplify database map type * Update docs/docs/guides/integrate/access-zitadel-system-api.md Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix test * cleanup * docs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-05-05 17:34:53 +02:00			`)`
feat: permission check on OIDC and SAML service session API (#9304) # Which Problems Are Solved Through configuration on projects, there can be additional permission checks enabled through an OIDC or SAML flow, which were not included in the OIDC and SAML services. # How the Problems Are Solved Add permission check through the query-side of Zitadel in a singular SQL query, when an OIDC or SAML flow should be linked to a SSO session. That way it is eventual consistent, but will not impact the performance on the eventstore. The permission check is defined in the API, which provides the necessary function to the command side. # Additional Changes Added integration tests for the permission check on OIDC and SAML service for every combination. Corrected session list integration test, to content checks without ordering. Corrected get auth and saml request integration tests, to check for timestamp of creation, not start of test. # Additional Context Closes #9265 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-02-11 19:45:09 +01:00
			`// ProjectPermissionCheck is used as a check for preconditions dependent on application, project, user resourceowner and usergrants.`
			`// Configurable on the project the application belongs to through the flags related to authentication.`
			`type ProjectPermissionCheck func(ctx context.Context, clientID, userID string) (err error)`