feat: impersonation roles (#7442)

* partial work done * test IAM membership roles * org membership tests * console :(, translations and docs * fix integration test * fix tests * add EnableImpersonation to security policy API * fix integration test timestamp checking * add security policy tests and fix projections * add impersonation setting in console * add security settings to the settings v2 API * fix typo * move impersonation to instance --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 18:57:32 +00:00 · 2024-02-28 12:21:11 +02:00
parent 68af4f59c9
commit 062d153cfe
60 changed files with 1624 additions and 144 deletions
--- a/internal/command/instance_policy_security_model.go
+++ b/internal/command/instance_policy_security_model.go
@@ -2,7 +2,7 @@ package command

 import (
 	"context"
-	"reflect"
+	"slices"

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/eventstore"
@@ -11,9 +11,7 @@ import (

 type InstanceSecurityPolicyWriteModel struct {
 	eventstore.WriteModel
-
-	Enabled        bool
-	AllowedOrigins []string
+	SecurityPolicy
 }

 func NewInstanceSecurityPolicyWriteModel(ctx context.Context) *InstanceSecurityPolicyWriteModel {
@@ -28,8 +26,11 @@ func NewInstanceSecurityPolicyWriteModel(ctx context.Context) *InstanceSecurityP
 func (wm *InstanceSecurityPolicyWriteModel) Reduce() error {
 	for _, event := range wm.Events {
 		if e, ok := event.(*instance.SecurityPolicySetEvent); ok {
-			if e.Enabled != nil {
-				wm.Enabled = *e.Enabled
+
+			if e.EnableIframeEmbedding != nil {
+				wm.EnableIframeEmbedding = *e.EnableIframeEmbedding
+			} else if e.Enabled != nil {
+				wm.EnableIframeEmbedding = *e.Enabled
 			}
 			if e.AllowedOrigins != nil {
 				wm.AllowedOrigins = *e.AllowedOrigins
@@ -53,17 +54,19 @@ func (wm *InstanceSecurityPolicyWriteModel) Query() *eventstore.SearchQueryBuild
 func (wm *InstanceSecurityPolicyWriteModel) NewSetEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	enabled bool,
-	allowedOrigins []string,
+	policy *SecurityPolicy,
 ) (*instance.SecurityPolicySetEvent, error) {
 	changes := make([]instance.SecurityPolicyChanges, 0, 2)
 	var err error

-	if wm.Enabled != enabled {
-		changes = append(changes, instance.ChangeSecurityPolicyEnabled(enabled))
+	if wm.EnableIframeEmbedding != policy.EnableIframeEmbedding {
+		changes = append(changes, instance.ChangeSecurityPolicyEnableIframeEmbedding(policy.EnableIframeEmbedding))
 	}
-	if enabled && !reflect.DeepEqual(wm.AllowedOrigins, allowedOrigins) {
-		changes = append(changes, instance.ChangeSecurityPolicyAllowedOrigins(allowedOrigins))
+	if !slices.Equal(wm.AllowedOrigins, policy.AllowedOrigins) {
+		changes = append(changes, instance.ChangeSecurityPolicyAllowedOrigins(policy.AllowedOrigins))
+	}
+	if wm.EnableImpersonation != policy.EnableImpersonation {
+		changes = append(changes, instance.ChangeSecurityPolicyEnableImpersonation(policy.EnableImpersonation))
 	}
 	changeEvent, err := instance.NewSecurityPolicySetEvent(ctx, aggregate, changes)
 	if err != nil {