zitadel/internal/api/authz/context.go

package authz

import (
	"context"

	"github.com/caos/zitadel/internal/api/grpc"
	http_util "github.com/caos/zitadel/internal/api/http"
	"github.com/caos/zitadel/internal/errors"
	"github.com/caos/zitadel/internal/telemetry/tracing"
)

type key int

const (
	requestPermissionsKey key = 1
	dataKey               key = 2
	allPermissionsKey     key = 3
)

type CtxData struct {
	UserID            string
	OrgID             string
	ProjectID         string
	AgentID           string
	PreferredLanguage string
}

func (ctxData CtxData) IsZero() bool {
	return ctxData.UserID == "" || ctxData.OrgID == ""
}

type Grants []*Grant

type Grant struct {
	OrgID string
	Roles []string
}

func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *TokenVerifier, method string) (_ CtxData, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	if orgID != "" {
		err = t.ExistsOrg(ctx, orgID)
		if err != nil {
			return CtxData{}, errors.ThrowPermissionDenied(nil, "AUTH-Bs7Ds", "Organisation doesn't exist")
		}
	}

	userID, clientID, agentID, prefLang, err := verifyAccessToken(ctx, token, t, method)
	if err != nil {
		return CtxData{}, err
	}
	projectID, origins, err := t.ProjectIDAndOriginsByClientID(ctx, clientID)
	if err != nil {
		return CtxData{}, errors.ThrowPermissionDenied(err, "AUTH-GHpw2", "could not read projectid by clientid")
	}
	if err := checkOrigin(ctx, origins); err != nil {
		return CtxData{}, err
	}
	return CtxData{
		UserID:            userID,
		OrgID:             orgID,
		ProjectID:         projectID,
		AgentID:           agentID,
		PreferredLanguage: prefLang,
	}, nil

}

func SetCtxData(ctx context.Context, ctxData CtxData) context.Context {
	return context.WithValue(ctx, dataKey, ctxData)
}

func GetCtxData(ctx context.Context) CtxData {
	ctxData, _ := ctx.Value(dataKey).(CtxData)
	return ctxData
}

func GetRequestPermissionsFromCtx(ctx context.Context) []string {
	ctxPermission, _ := ctx.Value(requestPermissionsKey).([]string)
	return ctxPermission
}

func GetAllPermissionsFromCtx(ctx context.Context) []string {
	ctxPermission, _ := ctx.Value(allPermissionsKey).([]string)
	return ctxPermission
}

func checkOrigin(ctx context.Context, origins []string) error {
	origin := grpc.GetGatewayHeader(ctx, http_util.Origin)
	if origin == "" {
		return nil
	}
	if http_util.IsOriginAllowed(origins, origin) {
		return nil
	}
	return errors.ThrowPermissionDenied(nil, "AUTH-DZG21", "Errors.OriginNotAllowed")
}
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00			`package authz`

			`import (`
			`"context"`

fix: cors (#621) * fix: dont (re)generate client secret with auth type none * fix(cors): allow Origin from request * feat: add origin allow list and fix some core issues * rename migration * fix UserIDsByDomain * check origin on userinfo * update oidc pkg 2020-08-24 08:06:55 +00:00			`"github.com/caos/zitadel/internal/api/grpc"`
			`http_util "github.com/caos/zitadel/internal/api/http"`
			`"github.com/caos/zitadel/internal/errors"`
feat: metrics (#1024) * refactor: switch from opencensus to opentelemetry * tempo works as designed nooooot * fix: log traceids * with grafana agent * fix: http tracing * fix: cleanup files * chore: remove todo * fix: bad test * fix: ignore methods in grpc interceptors * fix: remove test log * clean up * typo * fix(config): configure tracing endpoint * fix(span): add error id to span * feat: metrics package * feat: metrics package * fix: counter * fix: metric * try metrics * fix: coutner metrics * fix: active sessin counter * fix: active sessin counter * fix: change current Sequence table * fix: change current Sequence table * fix: current sequences * fix: spooler div metrics * fix: console view * fix: merge master * fix: Last spool run on search result instead of eventtimestamp * fix: go mod * Update console/src/assets/i18n/de.json Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: pr review * fix: map * update oidc pkg * fix: handlers * fix: value observer * fix: remove fmt * fix: handlers * fix: tests * fix: handler minimum cycle duration 1s * fix(spooler): handler channel buffer * fix interceptors Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2020-12-02 07:50:59 +00:00			`"github.com/caos/zitadel/internal/telemetry/tracing"`
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00			`)`

			`type key int`

			`const (`
feat: usergrant (#489) * fix: search usergrants only for allowed projects * fix: check permissions * fix: check permissions * fix: check permissions * Update internal/management/repository/eventsourcing/eventstore/project.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: merge request changes * fix: variable name Co-authored-by: Silvan <silvan.reusser@gmail.com> 2020-07-22 12:00:29 +00:00			`requestPermissionsKey key = 1`
			`dataKey key = 2`
			`allPermissionsKey key = 3`
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00			`)`

			`type CtxData struct {`
			`UserID string`
			`OrgID string`
			`ProjectID string`
			`AgentID string`
			`PreferredLanguage string`
			`}`

			`func (ctxData CtxData) IsZero() bool {`
			`return ctxData.UserID == "" \|\| ctxData.OrgID == ""`
			`}`

			`type Grants []*Grant`

			`type Grant struct {`
			`OrgID string`
			`Roles []string`
			`}`

fix(tracing): business logic has grpc server span as parent (#1017) * start fix * fix(tracing): business logic has grpc server span as parent * fix: response name * fix: tests * fix: simplify ctxData 2020-12-14 12:34:05 +00:00			`func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *TokenVerifier, method string) (_ CtxData, err error) {`
feat: add tracing interceptors to login and oidc (#764) * add tracing interceptors to login and oidc * add some tracing spans * trace login calls * add some spans * add some spans (change password) * add some more tracing in oauth/oidc * revert org exists * Merge branch 'master' into http-tracing # Conflicts: # internal/api/oidc/auth_request.go # internal/api/oidc/client.go # internal/auth/repository/eventsourcing/eventstore/auth_request.go # internal/auth/repository/eventsourcing/eventstore/user.go # internal/authz/repository/eventsourcing/eventstore/token_verifier.go # internal/authz/repository/eventsourcing/view/token.go # internal/user/repository/eventsourcing/eventstore.go 2020-10-21 08:18:34 +00:00			`ctx, span := tracing.NewSpan(ctx)`
			`defer func() { span.EndWithError(err) }()`

fix: check if org id not empty before checking if it exists (#482) 2020-07-16 11:51:37 +00:00			`if orgID != "" {`
			`err = t.ExistsOrg(ctx, orgID)`
			`if err != nil {`
fix(tracing): business logic has grpc server span as parent (#1017) * start fix * fix(tracing): business logic has grpc server span as parent * fix: response name * fix: tests * fix: simplify ctxData 2020-12-14 12:34:05 +00:00			`return CtxData{}, errors.ThrowPermissionDenied(nil, "AUTH-Bs7Ds", "Organisation doesn't exist")`
fix: check if org id not empty before checking if it exists (#482) 2020-07-16 11:51:37 +00:00			`}`
feat: check if org exists (#480) * feat: check if org exists * feat: check if org exists * Update internal/authz/repository/eventsourcing/eventstore/token_verifier.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err handling Co-authored-by: Silvan <silvan.reusser@gmail.com> 2020-07-16 11:27:36 +00:00			`}`
fix: check if org id not empty before checking if it exists (#482) 2020-07-16 11:51:37 +00:00
fix: translation (#647) * fix: translation * fix: translation * fix: translation * fix: remove unused code * fix: log err 2020-08-28 07:44:43 +00:00			`userID, clientID, agentID, prefLang, err := verifyAccessToken(ctx, token, t, method)`
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00			`if err != nil {`
fix(tracing): business logic has grpc server span as parent (#1017) * start fix * fix(tracing): business logic has grpc server span as parent * fix: response name * fix: tests * fix: simplify ctxData 2020-12-14 12:34:05 +00:00			`return CtxData{}, err`
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00			`}`
fix: cors (#621) * fix: dont (re)generate client secret with auth type none * fix(cors): allow Origin from request * feat: add origin allow list and fix some core issues * rename migration * fix UserIDsByDomain * check origin on userinfo * update oidc pkg 2020-08-24 08:06:55 +00:00			`projectID, origins, err := t.ProjectIDAndOriginsByClientID(ctx, clientID)`
			`if err != nil {`
fix(tracing): business logic has grpc server span as parent (#1017) * start fix * fix(tracing): business logic has grpc server span as parent * fix: response name * fix: tests * fix: simplify ctxData 2020-12-14 12:34:05 +00:00			`return CtxData{}, errors.ThrowPermissionDenied(err, "AUTH-GHpw2", "could not read projectid by clientid")`
fix: cors (#621) * fix: dont (re)generate client secret with auth type none * fix(cors): allow Origin from request * feat: add origin allow list and fix some core issues * rename migration * fix UserIDsByDomain * check origin on userinfo * update oidc pkg 2020-08-24 08:06:55 +00:00			`}`
			`if err := checkOrigin(ctx, origins); err != nil {`
fix(tracing): business logic has grpc server span as parent (#1017) * start fix * fix(tracing): business logic has grpc server span as parent * fix: response name * fix: tests * fix: simplify ctxData 2020-12-14 12:34:05 +00:00			`return CtxData{}, err`
fix: cors (#621) * fix: dont (re)generate client secret with auth type none * fix(cors): allow Origin from request * feat: add origin allow list and fix some core issues * rename migration * fix UserIDsByDomain * check origin on userinfo * update oidc pkg 2020-08-24 08:06:55 +00:00			`}`
fix(tracing): business logic has grpc server span as parent (#1017) * start fix * fix(tracing): business logic has grpc server span as parent * fix: response name * fix: tests * fix: simplify ctxData 2020-12-14 12:34:05 +00:00			`return CtxData{`
			`UserID: userID,`
			`OrgID: orgID,`
			`ProjectID: projectID,`
			`AgentID: agentID,`
			`PreferredLanguage: prefLang,`
			`}, nil`

feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00			`}`

			`func SetCtxData(ctx context.Context, ctxData CtxData) context.Context {`
			`return context.WithValue(ctx, dataKey, ctxData)`
			`}`

			`func GetCtxData(ctx context.Context) CtxData {`
			`ctxData, _ := ctx.Value(dataKey).(CtxData)`
			`return ctxData`
			`}`

feat: usergrant (#489) * fix: search usergrants only for allowed projects * fix: check permissions * fix: check permissions * fix: check permissions * Update internal/management/repository/eventsourcing/eventstore/project.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: merge request changes * fix: variable name Co-authored-by: Silvan <silvan.reusser@gmail.com> 2020-07-22 12:00:29 +00:00			`func GetRequestPermissionsFromCtx(ctx context.Context) []string {`
			`ctxPermission, _ := ctx.Value(requestPermissionsKey).([]string)`
			`return ctxPermission`
			`}`

			`func GetAllPermissionsFromCtx(ctx context.Context) []string {`
			`ctxPermission, _ := ctx.Value(allPermissionsKey).([]string)`
feat: port reduction (#323) * move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto 2020-07-08 11:56:37 +00:00			`return ctxPermission`
			`}`
fix: cors (#621) * fix: dont (re)generate client secret with auth type none * fix(cors): allow Origin from request * feat: add origin allow list and fix some core issues * rename migration * fix UserIDsByDomain * check origin on userinfo * update oidc pkg 2020-08-24 08:06:55 +00:00
			`func checkOrigin(ctx context.Context, origins []string) error {`
			`origin := grpc.GetGatewayHeader(ctx, http_util.Origin)`
			`if origin == "" {`
			`return nil`
			`}`
			`if http_util.IsOriginAllowed(origins, origin) {`
			`return nil`
			`}`
			`return errors.ThrowPermissionDenied(nil, "AUTH-DZG21", "Errors.OriginNotAllowed")`
			`}`