fix: check private labeling features on command side (#2365)

2025-08-11 21:07:31 +00:00 · 2021-09-14 09:28:21 +02:00
parent 33a2054be9
commit 0300871767
2 changed files with 212 additions and 4 deletions
--- a/internal/command/org_policy_label_test.go
+++ b/internal/command/org_policy_label_test.go
@@ -7,11 +7,13 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"

+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/domain"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/eventstore/repository"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
+	"github.com/caos/zitadel/internal/repository/iam"
 	"github.com/caos/zitadel/internal/repository/org"
 	"github.com/caos/zitadel/internal/repository/policy"
 	"github.com/caos/zitadel/internal/static"
@@ -20,7 +22,8 @@ import (

 func TestCommandSide_AddLabelPolicy(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore    *eventstore.Eventstore
+		tokenVerifier *authz.TokenVerifier
 	}
 	type args struct {
 		ctx    context.Context
@@ -101,12 +104,78 @@ func TestCommandSide_AddLabelPolicy(t *testing.T) {
 				err: caos_errs.IsErrorAlreadyExists,
 			},
 		},
+		{
+			name: "add policy, permission denied",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(),
+					expectFilter(
+						eventFromEventPusher(
+							iam.NewLabelPolicyAddedEvent(context.Background(),
+								&iam.NewAggregate().Aggregate,
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								true,
+								true,
+								false,
+							),
+						),
+					),
+				),
+				tokenVerifier: GetMockVerifier(t),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				policy: &domain.LabelPolicy{
+					PrimaryColor:        "#ffffff",
+					BackgroundColor:     "#ffffff",
+					WarnColor:           "#ffffff",
+					FontColor:           "#ffffff",
+					PrimaryColorDark:    "#ffffff",
+					BackgroundColorDark: "#ffffff",
+					WarnColorDark:       "#ffffff",
+					FontColorDark:       "#ffffff",
+					HideLoginNameSuffix: true,
+					ErrorMsgPopup:       true,
+					DisableWatermark:    true,
+				},
+			},
+			res: res{
+				err: caos_errs.IsPermissionDenied,
+			},
+		},
 		{
 			name: "add policy,ok",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(),
+					expectFilter(
+						eventFromEventPusher(
+							iam.NewLabelPolicyAddedEvent(context.Background(),
+								&iam.NewAggregate().Aggregate,
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								true,
+								true,
+								false,
+							),
+						),
+					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
@@ -128,6 +197,7 @@ func TestCommandSide_AddLabelPolicy(t *testing.T) {
 						},
 					),
 				),
+				tokenVerifier: GetMockVerifier(t, domain.FeatureLabelPolicyPrivateLabel, domain.FeatureLabelPolicyWatermark),
 			},
 			args: args{
 				ctx:   context.Background(),
@@ -170,7 +240,8 @@ func TestCommandSide_AddLabelPolicy(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore:    tt.fields.eventstore,
+				tokenVerifier: tt.fields.tokenVerifier,
 			}
 			got, err := r.AddLabelPolicy(tt.args.ctx, tt.args.orgID, tt.args.policy)
 			if tt.res.err == nil {
@@ -188,7 +259,8 @@ func TestCommandSide_AddLabelPolicy(t *testing.T) {

 func TestCommandSide_ChangeLabelPolicy(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore    *eventstore.Eventstore
+		tokenVerifier *authz.TokenVerifier
 	}
 	type args struct {
 		ctx    context.Context
@@ -244,6 +316,71 @@ func TestCommandSide_ChangeLabelPolicy(t *testing.T) {
 				err: caos_errs.IsNotFound,
 			},
 		},
+		{
+			name: "permission denied error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							org.NewLabelPolicyAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								true,
+								true,
+								true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							iam.NewLabelPolicyAddedEvent(context.Background(),
+								&iam.NewAggregate().Aggregate,
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								true,
+								true,
+								false,
+							),
+						),
+					),
+				),
+				tokenVerifier: GetMockVerifier(t),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				policy: &domain.LabelPolicy{
+					PrimaryColor:        "#000000",
+					BackgroundColor:     "#000000",
+					WarnColor:           "#000000",
+					FontColor:           "#000000",
+					PrimaryColorDark:    "#000000",
+					BackgroundColorDark: "#000000",
+					WarnColorDark:       "#000000",
+					FontColorDark:       "#000000",
+					HideLoginNameSuffix: true,
+					ErrorMsgPopup:       true,
+					DisableWatermark:    true,
+				},
+			},
+			res: res{
+				err: caos_errs.IsPermissionDenied,
+			},
+		},
 		{
 			name: "no changes, precondition error",
 			fields: fields{
@@ -267,7 +404,26 @@ func TestCommandSide_ChangeLabelPolicy(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							iam.NewLabelPolicyAddedEvent(context.Background(),
+								&iam.NewAggregate().Aggregate,
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								true,
+								true,
+								false,
+							),
+						),
+					),
 				),
+				tokenVerifier: GetMockVerifier(t, domain.FeatureLabelPolicyPrivateLabel, domain.FeatureLabelPolicyWatermark),
 			},
 			args: args{
 				ctx:   context.Background(),
@@ -313,6 +469,24 @@ func TestCommandSide_ChangeLabelPolicy(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							iam.NewLabelPolicyAddedEvent(context.Background(),
+								&iam.NewAggregate().Aggregate,
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								"#ffffff",
+								true,
+								true,
+								false,
+							),
+						),
+					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
@@ -334,6 +508,7 @@ func TestCommandSide_ChangeLabelPolicy(t *testing.T) {
 						},
 					),
 				),
+				tokenVerifier: GetMockVerifier(t, domain.FeatureLabelPolicyPrivateLabel, domain.FeatureLabelPolicyWatermark),
 			},
 			args: args{
 				ctx:   context.Background(),
@@ -376,7 +551,8 @@ func TestCommandSide_ChangeLabelPolicy(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore:    tt.fields.eventstore,
+				tokenVerifier: tt.fields.tokenVerifier,
 			}
 			got, err := r.ChangeLabelPolicy(tt.args.ctx, tt.args.orgID, tt.args.policy)
 			if tt.res.err == nil {