feat: impersonation roles (#7442)

* partial work done * test IAM membership roles * org membership tests * console :(, translations and docs * fix integration test * fix tests * add EnableImpersonation to security policy API * fix integration test timestamp checking * add security policy tests and fix projections * add impersonation setting in console * add security settings to the settings v2 API * fix typo * move impersonation to instance --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 21:17:32 +00:00 · 2024-02-28 12:21:11 +02:00
parent 68af4f59c9
commit 062d153cfe
60 changed files with 1624 additions and 144 deletions
--- a/internal/api/grpc/management/org_integration_test.go
+++ b/internal/api/grpc/management/org_integration_test.go
@@ -0,0 +1,327 @@
+//go:build integration
+
+package management_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/brianvoe/gofakeit/v6"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	mgmt_pb "github.com/zitadel/zitadel/pkg/grpc/management"
+	"github.com/zitadel/zitadel/pkg/grpc/member"
+	"github.com/zitadel/zitadel/pkg/grpc/object"
+)
+
+var iamRoles = []string{
+	"SELF_MANAGEMENT_GLOBAL",
+	"ORG_OWNER",
+	"ORG_USER_MANAGER",
+	"ORG_OWNER_VIEWER",
+	"ORG_SETTINGS_MANAGER",
+	"ORG_USER_PERMISSION_EDITOR",
+	"ORG_PROJECT_PERMISSION_EDITOR",
+	"ORG_PROJECT_CREATOR",
+	"ORG_USER_SELF_MANAGER",
+	"ORG_ADMIN_IMPERSONATOR",
+	"ORG_END_USER_IMPERSONATOR",
+}
+
+func TestServer_ListOrgMemberRoles(t *testing.T) {
+	got, err := Client.ListOrgMemberRoles(OrgCTX, &mgmt_pb.ListOrgMemberRolesRequest{})
+	require.NoError(t, err)
+	assert.ElementsMatch(t, iamRoles, got.GetResult())
+}
+
+func TestServer_ListOrgMembers(t *testing.T) {
+	user := Tester.CreateHumanUserVerified(OrgCTX, Tester.Organisation.ID, gofakeit.Email())
+	_, err := Client.AddOrgMember(OrgCTX, &mgmt_pb.AddOrgMemberRequest{
+		UserId: user.GetUserId(),
+		Roles:  iamRoles[1:],
+	})
+	require.NoError(t, err)
+	type args struct {
+		ctx context.Context
+		req *mgmt_pb.ListOrgMembersRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *mgmt_pb.ListOrgMembersResponse
+		wantErr bool
+	}{
+		{
+			name: "permission error",
+			args: args{
+				ctx: CTX,
+				req: &mgmt_pb.ListOrgMembersRequest{
+					Query: &object.ListQuery{},
+					Queries: []*member.SearchQuery{{
+						Query: &member.SearchQuery_UserIdQuery{
+							UserIdQuery: &member.UserIDQuery{
+								UserId: user.GetUserId(),
+							},
+						},
+					}},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "success",
+			args: args{
+				ctx: OrgCTX,
+				req: &mgmt_pb.ListOrgMembersRequest{
+					Query: &object.ListQuery{},
+					Queries: []*member.SearchQuery{{
+						Query: &member.SearchQuery_UserIdQuery{
+							UserIdQuery: &member.UserIDQuery{
+								UserId: user.GetUserId(),
+							},
+						},
+					}},
+				},
+			},
+			want: &mgmt_pb.ListOrgMembersResponse{
+				Result: []*member.Member{{
+					UserId: user.GetUserId(),
+					Roles:  iamRoles[1:],
+				}},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.ListOrgMembers(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			wantResult := tt.want.GetResult()
+			gotResult := got.GetResult()
+
+			require.Len(t, gotResult, len(wantResult))
+			for i, want := range wantResult {
+				assert.Equal(t, want.GetUserId(), gotResult[i].GetUserId())
+				assert.ElementsMatch(t, want.GetRoles(), gotResult[i].GetRoles())
+			}
+		})
+	}
+}
+
+func TestServer_AddOrgMember(t *testing.T) {
+	user := Tester.CreateHumanUserVerified(OrgCTX, Tester.Organisation.ID, gofakeit.Email())
+	type args struct {
+		ctx context.Context
+		req *mgmt_pb.AddOrgMemberRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *mgmt_pb.AddOrgMemberResponse
+		wantErr bool
+	}{
+		{
+			name: "permission error",
+			args: args{
+				ctx: CTX,
+				req: &mgmt_pb.AddOrgMemberRequest{
+					UserId: user.GetUserId(),
+					Roles:  iamRoles,
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "success",
+			args: args{
+				ctx: OrgCTX,
+				req: &mgmt_pb.AddOrgMemberRequest{
+					UserId: user.GetUserId(),
+					Roles:  iamRoles[1:],
+				},
+			},
+			want: &mgmt_pb.AddOrgMemberResponse{
+				Details: &object.ObjectDetails{
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+		{
+			name: "unknown roles error",
+			args: args{
+				ctx: OrgCTX,
+				req: &mgmt_pb.AddOrgMemberRequest{
+					UserId: user.GetUserId(),
+					Roles:  []string{"FOO", "BAR"},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "iam role error",
+			args: args{
+				ctx: OrgCTX,
+				req: &mgmt_pb.AddOrgMemberRequest{
+					UserId: user.GetUserId(),
+					Roles:  []string{"IAM_OWNER"},
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.AddOrgMember(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}
+
+func TestServer_UpdateOrgMember(t *testing.T) {
+	user := Tester.CreateHumanUserVerified(OrgCTX, Tester.Organisation.ID, gofakeit.Email())
+	_, err := Client.AddOrgMember(OrgCTX, &mgmt_pb.AddOrgMemberRequest{
+		UserId: user.GetUserId(),
+		Roles:  []string{"ORG_OWNER"},
+	})
+	require.NoError(t, err)
+
+	type args struct {
+		ctx context.Context
+		req *mgmt_pb.UpdateOrgMemberRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *mgmt_pb.UpdateOrgMemberResponse
+		wantErr bool
+	}{
+		{
+			name: "permission error",
+			args: args{
+				ctx: CTX,
+				req: &mgmt_pb.UpdateOrgMemberRequest{
+					UserId: user.GetUserId(),
+					Roles:  iamRoles,
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "success",
+			args: args{
+				ctx: OrgCTX,
+				req: &mgmt_pb.UpdateOrgMemberRequest{
+					UserId: user.GetUserId(),
+					Roles:  iamRoles[1:],
+				},
+			},
+			want: &mgmt_pb.UpdateOrgMemberResponse{
+				Details: &object.ObjectDetails{
+					ResourceOwner: Tester.Organisation.ID,
+					ChangeDate:    timestamppb.Now(),
+				},
+			},
+		},
+		{
+			name: "unknown roles error",
+			args: args{
+				ctx: OrgCTX,
+				req: &mgmt_pb.UpdateOrgMemberRequest{
+					UserId: user.GetUserId(),
+					Roles:  []string{"FOO", "BAR"},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "iam role error",
+			args: args{
+				ctx: OrgCTX,
+				req: &mgmt_pb.UpdateOrgMemberRequest{
+					UserId: user.GetUserId(),
+					Roles:  []string{"IAM_OWNER"},
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.UpdateOrgMember(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}
+
+func TestServer_RemoveIAMMember(t *testing.T) {
+	user := Tester.CreateHumanUserVerified(OrgCTX, Tester.Organisation.ID, gofakeit.Email())
+	_, err := Client.AddOrgMember(OrgCTX, &mgmt_pb.AddOrgMemberRequest{
+		UserId: user.GetUserId(),
+		Roles:  []string{"ORG_OWNER"},
+	})
+	require.NoError(t, err)
+
+	type args struct {
+		ctx context.Context
+		req *mgmt_pb.RemoveOrgMemberRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *mgmt_pb.RemoveOrgMemberResponse
+		wantErr bool
+	}{
+		{
+			name: "permission error",
+			args: args{
+				ctx: CTX,
+				req: &mgmt_pb.RemoveOrgMemberRequest{
+					UserId: user.GetUserId(),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "success",
+			args: args{
+				ctx: OrgCTX,
+				req: &mgmt_pb.RemoveOrgMemberRequest{
+					UserId: user.GetUserId(),
+				},
+			},
+			want: &mgmt_pb.RemoveOrgMemberResponse{
+				Details: &object.ObjectDetails{
+					ResourceOwner: Tester.Organisation.ID,
+					ChangeDate:    timestamppb.Now(),
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.RemoveOrgMember(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}
--- a/internal/api/grpc/management/server_integration_test.go
+++ b/internal/api/grpc/management/server_integration_test.go
@@ -0,0 +1,34 @@
+//go:build integration
+
+package management_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	mgmt_pb "github.com/zitadel/zitadel/pkg/grpc/management"
+)
+
+var (
+	CTX, OrgCTX context.Context
+	Tester      *integration.Tester
+	Client      mgmt_pb.ManagementServiceClient
+)
+
+func TestMain(m *testing.M) {
+	os.Exit(func() int {
+		ctx, _, cancel := integration.Contexts(3 * time.Minute)
+		defer cancel()
+
+		Tester = integration.NewTester(ctx)
+		defer Tester.Done()
+
+		CTX = ctx
+		OrgCTX = Tester.WithAuthorization(ctx, integration.OrgOwner)
+		Client = Tester.Client.Mgmt
+		return m.Run()
+	}())
+}
--- a/internal/api/grpc/management/user_integration_test.go
+++ b/internal/api/grpc/management/user_integration_test.go
@@ -3,8 +3,6 @@
 package management_test

 import (
-	"context"
-	"os"
 	"strconv"
 	"strings"
 	"testing"
@@ -20,26 +18,6 @@ import (
 	"github.com/zitadel/zitadel/pkg/grpc/user"
 )

-var (
-	CTX    context.Context
-	Tester *integration.Tester
-	Client management.ManagementServiceClient
-)
-
-func TestMain(m *testing.M) {
-	os.Exit(func() int {
-		ctx, errCtx, cancel := integration.Contexts(3 * time.Minute)
-		defer cancel()
-
-		Tester = integration.NewTester(ctx)
-		defer Tester.Done()
-
-		CTX, _ = Tester.WithAuthorization(ctx, integration.OrgOwner), errCtx
-		Client = Tester.Client.Mgmt
-		return m.Run()
-	}())
-}
-
 // TestImport_and_Get reproduces https://github.com/zitadel/zitadel/issues/5808
 // which led to consistency issues due the call timestamp not being
 // updated after a bulk Trigger.
@@ -57,7 +35,7 @@ func TestImport_and_Get(t *testing.T) {
 			userName := strings.Join([]string{firstName, lastName}, "_")
 			email := strings.Join([]string{userName, "example.com"}, "@")

-			res, err := Client.ImportHumanUser(CTX, &management.ImportHumanUserRequest{
+			res, err := Client.ImportHumanUser(OrgCTX, &management.ImportHumanUserRequest{
 				UserName: userName,
 				Profile: &management.ImportHumanUserRequest_Profile{
 					FirstName:         firstName,
@@ -72,7 +50,7 @@ func TestImport_and_Get(t *testing.T) {
 			})
 			require.NoError(t, err)

-			_, err = Client.GetUserByID(CTX, &management.GetUserByIDRequest{Id: res.GetUserId()})
+			_, err = Client.GetUserByID(OrgCTX, &management.GetUserByIDRequest{Id: res.GetUserId()})

 			s, ok := status.FromError(err)
 			if ok && s != nil && s.Code() == codes.NotFound {
@@ -85,7 +63,7 @@ func TestImport_and_Get(t *testing.T) {

 func TestImport_UnparsablePreferredLanguage(t *testing.T) {
 	random := integration.RandString(5)
-	_, err := Client.ImportHumanUser(CTX, &management.ImportHumanUserRequest{
+	_, err := Client.ImportHumanUser(OrgCTX, &management.ImportHumanUserRequest{
 		UserName: random,
 		Profile: &management.ImportHumanUserRequest_Profile{
 			FirstName:         random,