feat: impersonation roles (#7442)

* partial work done * test IAM membership roles * org membership tests * console :(, translations and docs * fix integration test * fix tests * add EnableImpersonation to security policy API * fix integration test timestamp checking * add security policy tests and fix projections * add impersonation setting in console * add security settings to the settings v2 API * fix typo * move impersonation to instance --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 00:17:32 +00:00 · 2024-02-28 12:21:11 +02:00
parent 68af4f59c9
commit 062d153cfe
60 changed files with 1624 additions and 144 deletions
--- a/internal/query/instance.go
+++ b/internal/query/instance.go
@@ -411,23 +411,24 @@ func prepareInstanceDomainQuery(ctx context.Context, db prepareDatabase) (sq.Sel
 }

 type authzInstance struct {
-	id                string
-	iamProjectID      string
-	consoleID         string
-	consoleAppID      string
-	host              string
-	domain            string
-	defaultLang       language.Tag
-	defaultOrgID      string
-	csp               csp
-	block             *bool
-	auditLogRetention *time.Duration
-	features          feature.Features
+	id                  string
+	iamProjectID        string
+	consoleID           string
+	consoleAppID        string
+	host                string
+	domain              string
+	defaultLang         language.Tag
+	defaultOrgID        string
+	csp                 csp
+	enableImpersonation bool
+	block               *bool
+	auditLogRetention   *time.Duration
+	features            feature.Features
 }

 type csp struct {
-	enabled        bool
-	allowedOrigins database.TextArray[string]
+	enableIframeEmbedding bool
+	allowedOrigins        database.TextArray[string]
 }

 func (i *authzInstance) InstanceID() string {
@@ -463,12 +464,16 @@ func (i *authzInstance) DefaultOrganisationID() string {
 }

 func (i *authzInstance) SecurityPolicyAllowedOrigins() []string {
-	if !i.csp.enabled {
+	if !i.csp.enableIframeEmbedding {
 		return nil
 	}
 	return i.csp.allowedOrigins
 }

+func (i *authzInstance) EnableImpersonation() bool {
+	return i.enableImpersonation
+}
+
 func (i *authzInstance) Block() *bool {
 	return i.block
 }
@@ -489,7 +494,8 @@ func scanAuthzInstance(host, domain string) (*authzInstance, func(row *sql.Row)
 	return instance, func(row *sql.Row) error {
 		var (
 			lang                  string
-			securityPolicyEnabled sql.NullBool
+			enableIframeEmbedding sql.NullBool
+			enableImpersonation   sql.NullBool
 			auditLogRetention     database.NullDuration
 			block                 sql.NullBool
 			features              []byte
@@ -501,8 +507,9 @@ func scanAuthzInstance(host, domain string) (*authzInstance, func(row *sql.Row)
 			&instance.consoleID,
 			&instance.consoleAppID,
 			&lang,
-			&securityPolicyEnabled,
+			&enableIframeEmbedding,
 			&instance.csp.allowedOrigins,
+			&enableImpersonation,
 			&auditLogRetention,
 			&block,
 			&features,
@@ -520,7 +527,8 @@ func scanAuthzInstance(host, domain string) (*authzInstance, func(row *sql.Row)
 		if block.Valid {
 			instance.block = &block.Bool
 		}
-		instance.csp.enabled = securityPolicyEnabled.Bool
+		instance.csp.enableIframeEmbedding = enableIframeEmbedding.Bool
+		instance.enableImpersonation = enableImpersonation.Bool
 		if len(features) == 0 {
 			return nil
 		}
--- a/internal/query/instance_by_domain.sql
+++ b/internal/query/instance_by_domain.sql
@@ -18,13 +18,14 @@ select
    i.console_client_id,
    i.console_app_id,
    i.default_language,
-    s.enabled,
+    s.enable_iframe_embedding,
    s.origins,
+	s.enable_impersonation,
    l.audit_log_retention,
    l.block,
 	f.features
 from domain d
 join projections.instances i on i.id = d.instance_id
-left join projections.security_policies s on i.id = s.instance_id
+left join projections.security_policies2 s on i.id = s.instance_id
 left join projections.limits l on i.id = l.instance_id
 left join features f on i.id = f.instance_id;
--- a/internal/query/instance_by_id.sql
+++ b/internal/query/instance_by_id.sql
@@ -15,13 +15,14 @@ select
    i.console_client_id,
    i.console_app_id,
    i.default_language,
-    s.enabled,
+    s.enable_iframe_embedding,
    s.origins,
+	s.enable_impersonation,
    l.audit_log_retention,
    l.block,
 	f.features
 from projections.instances i
-left join projections.security_policies s on i.id = s.instance_id
+left join projections.security_policies2 s on i.id = s.instance_id
 left join projections.limits l on i.id = l.instance_id
 left join features f on i.id = f.instance_id
 where i.id = $1;
--- a/internal/query/projection/security_policy.go
+++ b/internal/query/projection/security_policy.go
@@ -11,13 +11,14 @@ import (
 )

 const (
-	SecurityPolicyProjectionTable      = "projections.security_policies"
-	SecurityPolicyColumnInstanceID     = "instance_id"
-	SecurityPolicyColumnCreationDate   = "creation_date"
-	SecurityPolicyColumnChangeDate     = "change_date"
-	SecurityPolicyColumnSequence       = "sequence"
-	SecurityPolicyColumnEnabled        = "enabled"
-	SecurityPolicyColumnAllowedOrigins = "origins"
+	SecurityPolicyProjectionTable             = "projections.security_policies2"
+	SecurityPolicyColumnInstanceID            = "instance_id"
+	SecurityPolicyColumnCreationDate          = "creation_date"
+	SecurityPolicyColumnChangeDate            = "change_date"
+	SecurityPolicyColumnSequence              = "sequence"
+	SecurityPolicyColumnEnableIframeEmbedding = "enable_iframe_embedding"
+	SecurityPolicyColumnAllowedOrigins        = "origins"
+	SecurityPolicyColumnEnableImpersonation   = "enable_impersonation"
 )

 type securityPolicyProjection struct{}
@@ -37,8 +38,9 @@ func (*securityPolicyProjection) Init() *old_handler.Check {
 			handler.NewColumn(SecurityPolicyColumnChangeDate, handler.ColumnTypeTimestamp),
 			handler.NewColumn(SecurityPolicyColumnInstanceID, handler.ColumnTypeText),
 			handler.NewColumn(SecurityPolicyColumnSequence, handler.ColumnTypeInt64),
-			handler.NewColumn(SecurityPolicyColumnEnabled, handler.ColumnTypeBool, handler.Default(false)),
+			handler.NewColumn(SecurityPolicyColumnEnableIframeEmbedding, handler.ColumnTypeBool, handler.Default(false)),
 			handler.NewColumn(SecurityPolicyColumnAllowedOrigins, handler.ColumnTypeTextArray, handler.Nullable()),
+			handler.NewColumn(SecurityPolicyColumnEnableImpersonation, handler.ColumnTypeBool, handler.Default(false)),
 		},
 			handler.NewPrimaryKey(SecurityPolicyColumnInstanceID),
 		),
@@ -74,12 +76,17 @@ func (p *securityPolicyProjection) reduceSecurityPolicySet(event eventstore.Even
 		handler.NewCol(SecurityPolicyColumnInstanceID, e.Aggregate().InstanceID),
 		handler.NewCol(SecurityPolicyColumnSequence, e.Sequence()),
 	}
-	if e.Enabled != nil {
-		changes = append(changes, handler.NewCol(SecurityPolicyColumnEnabled, *e.Enabled))
+	if e.EnableIframeEmbedding != nil {
+		changes = append(changes, handler.NewCol(SecurityPolicyColumnEnableIframeEmbedding, *e.EnableIframeEmbedding))
+	} else if e.Enabled != nil {
+		changes = append(changes, handler.NewCol(SecurityPolicyColumnEnableIframeEmbedding, *e.Enabled))
 	}
 	if e.AllowedOrigins != nil {
 		changes = append(changes, handler.NewCol(SecurityPolicyColumnAllowedOrigins, e.AllowedOrigins))
 	}
+	if e.EnableImpersonation != nil {
+		changes = append(changes, handler.NewCol(SecurityPolicyColumnEnableImpersonation, e.EnableImpersonation))
+	}
 	return handler.NewUpsertStatement(
 		e,
 		[]handler.Column{
--- a/internal/query/security_policy.go
+++ b/internal/query/security_policy.go
@@ -36,14 +36,18 @@ var (
 		name:  projection.SecurityPolicyColumnSequence,
 		table: securityPolicyTable,
 	}
-	SecurityPolicyColumnEnabled = Column{
-		name:  projection.SecurityPolicyColumnEnabled,
+	SecurityPolicyColumnEnableIframeEmbedding = Column{
+		name:  projection.SecurityPolicyColumnEnableIframeEmbedding,
 		table: securityPolicyTable,
 	}
 	SecurityPolicyColumnAllowedOrigins = Column{
 		name:  projection.SecurityPolicyColumnAllowedOrigins,
 		table: securityPolicyTable,
 	}
+	SecurityPolicyColumnEnableImpersonation = Column{
+		name:  projection.SecurityPolicyColumnEnableImpersonation,
+		table: securityPolicyTable,
+	}
 )

 type SecurityPolicy struct {
@@ -53,8 +57,9 @@ type SecurityPolicy struct {
 	ResourceOwner string
 	Sequence      uint64

-	Enabled        bool
-	AllowedOrigins database.TextArray[string]
+	EnableIframeEmbedding bool
+	AllowedOrigins        database.TextArray[string]
+	EnableImpersonation   bool
 }

 func (q *Queries) SecurityPolicy(ctx context.Context) (policy *SecurityPolicy, err error) {
@@ -80,8 +85,9 @@ func prepareSecurityPolicyQuery(ctx context.Context, db prepareDatabase) (sq.Sel
 			SecurityPolicyColumnChangeDate.identifier(),
 			SecurityPolicyColumnInstanceID.identifier(),
 			SecurityPolicyColumnSequence.identifier(),
-			SecurityPolicyColumnEnabled.identifier(),
-			SecurityPolicyColumnAllowedOrigins.identifier()).
+			SecurityPolicyColumnEnableIframeEmbedding.identifier(),
+			SecurityPolicyColumnAllowedOrigins.identifier(),
+			SecurityPolicyColumnEnableImpersonation.identifier()).
 			From(securityPolicyTable.identifier() + db.Timetravel(call.Took(ctx))).
 			PlaceholderFormat(sq.Dollar),
 		func(row *sql.Row) (*SecurityPolicy, error) {
@@ -92,8 +98,9 @@ func prepareSecurityPolicyQuery(ctx context.Context, db prepareDatabase) (sq.Sel
 				&securityPolicy.ChangeDate,
 				&securityPolicy.ResourceOwner,
 				&securityPolicy.Sequence,
-				&securityPolicy.Enabled,
+				&securityPolicy.EnableIframeEmbedding,
 				&securityPolicy.AllowedOrigins,
+				&securityPolicy.EnableImpersonation,
 			)
 			if err != nil && !errors.Is(err, sql.ErrNoRows) { // ignore not found errors
 				return nil, zerrors.ThrowInternal(err, "QUERY-Dfrt2", "Errors.Internal")