feat: impersonation roles (#7442)

* partial work done * test IAM membership roles * org membership tests * console :(, translations and docs * fix integration test * fix tests * add EnableImpersonation to security policy API * fix integration test timestamp checking * add security policy tests and fix projections * add impersonation setting in console * add security settings to the settings v2 API * fix typo * move impersonation to instance --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 17:27:31 +00:00 · 2024-02-28 12:21:11 +02:00
parent 68af4f59c9
commit 062d153cfe
60 changed files with 1624 additions and 144 deletions
--- a/proto/zitadel/admin.proto
+++ b/proto/zitadel/admin.proto
@@ -681,7 +681,7 @@ service AdminService {
        option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
            tags: "Settings";
            summary: "Get Security Settings";
-            description: "Returns the security settings of the ZITADEL instance. The settings define if the iframe is allowed and from which origins."
+            description: "Returns the security settings of the ZITADEL instance."
        };
    }

@@ -698,7 +698,7 @@ service AdminService {
        option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
            tags: "Settings";
            summary: "Set Security Settings";
-            description: "Set the security settings of the ZITADEL instance. The settings define if the iframe is allowed and from which origins."
+            description: "Set the security settings of the ZITADEL instance."
        };
    }

@@ -4295,6 +4295,8 @@ message SetSecurityPolicyRequest{
    bool enable_iframe_embedding = 1;
    // origins allowed loading ZITADEL in an iframe if enable_iframe_embedding is true
    repeated string allowed_origins = 2;
+    // allows users to impersonate other users. The impersonator needs the appropriate `*_IMPERSONATOR` roles assigned as well"
+    bool enable_impersonation = 3;
 }

 message SetSecurityPolicyResponse{
--- a/proto/zitadel/settings.proto
+++ b/proto/zitadel/settings.proto
@@ -122,4 +122,6 @@ message SecurityPolicy {
  bool enable_iframe_embedding = 2;
  // origins allowed loading ZITADEL in an iframe if enable_iframe_embedding is true
  repeated string allowed_origins = 3;
+  // allows users to impersonate other users. The impersonator needs the appropriate `*_IMPERSONATOR` roles assigned as well"
+  bool enable_impersonation = 4;
 }
--- a/proto/zitadel/settings/v2beta/security_settings.proto
+++ b/proto/zitadel/settings/v2beta/security_settings.proto
@@ -0,0 +1,31 @@
+syntax = "proto3";
+
+package zitadel.settings.v2beta;
+
+option go_package = "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta;settings";
+
+import "protoc-gen-openapiv2/options/annotations.proto";
+
+message SecuritySettings {
+  EmbeddedIframeSettings embedded_iframe = 1;
+  bool enable_impersonation = 2 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "default language for the current context"
+      example: "\"en\""
+    }
+  ];
+}
+
+message EmbeddedIframeSettings{
+  bool enabled = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "states if iframe embedding is enabled or disabled"
+    }
+  ];
+  repeated string allowed_origins = 2 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "origins allowed loading ZITADEL in an iframe if enabled."
+      example: "[\"foo.bar.com\", \"localhost:8080\"]"
+    }
+  ];
+}
--- a/proto/zitadel/settings/v2beta/settings_service.proto
+++ b/proto/zitadel/settings/v2beta/settings_service.proto
@@ -10,6 +10,7 @@ import "zitadel/settings/v2beta/legal_settings.proto";
 import "zitadel/settings/v2beta/lockout_settings.proto";
 import "zitadel/settings/v2beta/login_settings.proto";
 import "zitadel/settings/v2beta/password_settings.proto";
+import "zitadel/settings/v2beta/security_settings.proto";
 import "google/api/annotations.proto";
 import "google/api/field_behavior.proto";
 import "protoc-gen-openapiv2/options/annotations.proto";
@@ -298,6 +299,45 @@ service SettingsService {
      };
    };
  }
+
+// Get the security settings
+  rpc GetSecuritySettings(GetSecuritySettingsRequest) returns (GetSecuritySettingsResponse) {
+    option (google.api.http) = {
+      get: "/v2beta/settings/security";
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "iam.policy.read"
+      }
+    };
+
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      tags: "Settings";
+      summary: "Get Security Settings";
+      description: "Returns the security settings of the ZITADEL instance."
+    };
+  }
+
+// Set the security settings
+  rpc SetSecuritySettings(SetSecuritySettingsRequest) returns (SetSecuritySettingsResponse) {
+    option (google.api.http) = {
+      put: "/v2beta/policies/security";
+      body: "*"
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "iam.policy.write"
+      }
+    };
+
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      tags: "Settings";
+      summary: "Set Security Settings";
+      description: "Set the security settings of the ZITADEL instance."
+    };
+  }
 }

 message GetLoginSettingsRequest {
@@ -383,3 +423,24 @@ message GetGeneralSettingsResponse {
    }
  ];
 }
+
+// This is an empty request
+message GetSecuritySettingsRequest{}
+
+message GetSecuritySettingsResponse{
+  zitadel.object.v2beta.Details details = 1;
+  SecuritySettings settings = 2;
+}
+
+message SetSecuritySettingsRequest{
+  EmbeddedIframeSettings embedded_iframe = 1;
+  bool enable_impersonation = 2 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "allows users to impersonate other users. The impersonator needs the appropriate `*_IMPERSONATOR` roles assigned as well"
+    }
+  ];
+}
+
+message SetSecuritySettingsResponse{
+  zitadel.object.v2beta.Details details = 1;
+}