feat: impersonation roles (#7442)

* partial work done * test IAM membership roles * org membership tests * console :(, translations and docs * fix integration test * fix tests * add EnableImpersonation to security policy API * fix integration test timestamp checking * add security policy tests and fix projections * add impersonation setting in console * add security settings to the settings v2 API * fix typo * move impersonation to instance --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-10-10 08:03:07 +00:00 · 2024-02-28 12:21:11 +02:00
parent 68af4f59c9
commit 062d153cfe
60 changed files with 1624 additions and 144 deletions
--- a/internal/query/security_policy.go
+++ b/internal/query/security_policy.go
@@ -36,14 +36,18 @@ var (
 		name:  projection.SecurityPolicyColumnSequence,
 		table: securityPolicyTable,
 	}
-	SecurityPolicyColumnEnabled = Column{
-		name:  projection.SecurityPolicyColumnEnabled,
+	SecurityPolicyColumnEnableIframeEmbedding = Column{
+		name:  projection.SecurityPolicyColumnEnableIframeEmbedding,
 		table: securityPolicyTable,
 	}
 	SecurityPolicyColumnAllowedOrigins = Column{
 		name:  projection.SecurityPolicyColumnAllowedOrigins,
 		table: securityPolicyTable,
 	}
+	SecurityPolicyColumnEnableImpersonation = Column{
+		name:  projection.SecurityPolicyColumnEnableImpersonation,
+		table: securityPolicyTable,
+	}
 )

 type SecurityPolicy struct {
@@ -53,8 +57,9 @@ type SecurityPolicy struct {
 	ResourceOwner string
 	Sequence      uint64

-	Enabled        bool
-	AllowedOrigins database.TextArray[string]
+	EnableIframeEmbedding bool
+	AllowedOrigins        database.TextArray[string]
+	EnableImpersonation   bool
 }

 func (q *Queries) SecurityPolicy(ctx context.Context) (policy *SecurityPolicy, err error) {
@@ -80,8 +85,9 @@ func prepareSecurityPolicyQuery(ctx context.Context, db prepareDatabase) (sq.Sel
 			SecurityPolicyColumnChangeDate.identifier(),
 			SecurityPolicyColumnInstanceID.identifier(),
 			SecurityPolicyColumnSequence.identifier(),
-			SecurityPolicyColumnEnabled.identifier(),
-			SecurityPolicyColumnAllowedOrigins.identifier()).
+			SecurityPolicyColumnEnableIframeEmbedding.identifier(),
+			SecurityPolicyColumnAllowedOrigins.identifier(),
+			SecurityPolicyColumnEnableImpersonation.identifier()).
 			From(securityPolicyTable.identifier() + db.Timetravel(call.Took(ctx))).
 			PlaceholderFormat(sq.Dollar),
 		func(row *sql.Row) (*SecurityPolicy, error) {
@@ -92,8 +98,9 @@ func prepareSecurityPolicyQuery(ctx context.Context, db prepareDatabase) (sq.Sel
 				&securityPolicy.ChangeDate,
 				&securityPolicy.ResourceOwner,
 				&securityPolicy.Sequence,
-				&securityPolicy.Enabled,
+				&securityPolicy.EnableIframeEmbedding,
 				&securityPolicy.AllowedOrigins,
+				&securityPolicy.EnableImpersonation,
 			)
 			if err != nil && !errors.Is(err, sql.ErrNoRows) { // ignore not found errors
 				return nil, zerrors.ThrowInternal(err, "QUERY-Dfrt2", "Errors.Internal")