feat: impersonation roles (#7442)

* partial work done

* test IAM membership roles

* org membership tests

* console :(, translations and docs

* fix integration test

* fix tests

* add EnableImpersonation to security policy API

* fix integration test timestamp checking

* add security policy tests and fix projections

* add impersonation setting in console

* add security settings to the settings v2 API

* fix typo

* move impersonation to instance

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
Tim Möhlmann
2024-02-28 12:21:11 +02:00
committed by GitHub
parent 68af4f59c9
commit 062d153cfe
60 changed files with 1624 additions and 144 deletions


@@ -10,9 +10,15 @@ import (
"github.com/zitadel/zitadel/internal/repository/instance"
)
func (c *Commands) SetSecurityPolicy(ctx context.Context, enabled bool, allowedOrigins []string) (*domain.ObjectDetails, error) {
type SecurityPolicy struct {
EnableIframeEmbedding bool
AllowedOrigins []string
EnableImpersonation bool
}
func (c *Commands) SetSecurityPolicy(ctx context.Context, policy *SecurityPolicy) (*domain.ObjectDetails, error) {
instanceAgg := instance.NewAggregate(authz.GetInstance(ctx).InstanceID())
validation := c.prepareSetSecurityPolicy(instanceAgg, enabled, allowedOrigins)
validation := c.prepareSetSecurityPolicy(instanceAgg, policy)
cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validation)
if err != nil {
return nil, err
@@ -28,14 +34,14 @@ func (c *Commands) SetSecurityPolicy(ctx context.Context, enabled bool, allowedO
}, nil
}
func (c *Commands) prepareSetSecurityPolicy(a *instance.Aggregate, enabled bool, allowedOrigins []string) preparation.Validation {
func (c *Commands) prepareSetSecurityPolicy(a *instance.Aggregate, policy *SecurityPolicy) preparation.Validation {
return func() (preparation.CreateCommands, error) {
return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
writeModel, err := c.getSecurityPolicyWriteModel(ctx, filter)
if err != nil {
return nil, err
}
cmd, err := writeModel.NewSetEvent(ctx, &a.Aggregate, enabled, allowedOrigins)
cmd, err := writeModel.NewSetEvent(ctx, &a.Aggregate, policy)
if err != nil {
return nil, err
}