chore!: Introduce ZITADEL v3 (#9645)

This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-08-11 18:07:31 +00:00 · 2025-04-02 16:53:06 +02:00
parent d14a23ae7e
commit 07ce3b6905
559 changed files with 14578 additions and 7622 deletions
--- a/internal/integration/action.go
+++ b/internal/integration/action.go
@@ -0,0 +1,102 @@
+package integration
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"reflect"
+	"sync"
+	"time"
+)
+
+type server struct {
+	server *httptest.Server
+	mu     sync.Mutex
+	called int
+}
+
+func (s *server) URL() string {
+	return s.server.URL
+}
+
+func (s *server) Close() {
+	s.server.Close()
+}
+
+func (s *server) Called() int {
+	s.mu.Lock()
+	called := s.called
+	s.mu.Unlock()
+	return called
+}
+
+func (s *server) Increase() {
+	s.mu.Lock()
+	s.called++
+	s.mu.Unlock()
+}
+
+func (s *server) ResetCalled() {
+	s.mu.Lock()
+	s.called = 0
+	s.mu.Unlock()
+}
+
+func TestServerCall(
+	reqBody interface{},
+	sleep time.Duration,
+	statusCode int,
+	respBody interface{},
+) (url string, closeF func(), calledF func() int, resetCalledF func()) {
+	server := &server{
+		called: 0,
+	}
+
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		server.Increase()
+		if reqBody != nil {
+			data, err := json.Marshal(reqBody)
+			if err != nil {
+				http.Error(w, "error, marshall: "+err.Error(), http.StatusInternalServerError)
+				return
+			}
+			sentBody, err := io.ReadAll(r.Body)
+			if err != nil {
+				http.Error(w, "error, read body: "+err.Error(), http.StatusInternalServerError)
+				return
+			}
+			if !reflect.DeepEqual(data, sentBody) {
+				http.Error(w, "error, equal:\n"+string(data)+"\nsent:\n"+string(sentBody), http.StatusInternalServerError)
+				return
+			}
+		}
+		if statusCode != http.StatusOK {
+			http.Error(w, "error, statusCode", statusCode)
+			return
+		}
+
+		time.Sleep(sleep)
+
+		if respBody != nil {
+			w.Header().Set("Content-Type", "application/json")
+			resp, err := json.Marshal(respBody)
+			if err != nil {
+				http.Error(w, "error", http.StatusInternalServerError)
+				return
+			}
+			if _, err := io.Writer.Write(w, resp); err != nil {
+				http.Error(w, "error", http.StatusInternalServerError)
+				return
+			}
+		} else {
+			if _, err := io.WriteString(w, "finished successfully"); err != nil {
+				http.Error(w, "error", http.StatusInternalServerError)
+				return
+			}
+		}
+	}
+
+	server.server = httptest.NewServer(http.HandlerFunc(handler))
+	return server.URL(), server.Close, server.Called, server.ResetCalled
+}
--- a/internal/integration/client.go
+++ b/internal/integration/client.go
@@ -19,6 +19,7 @@ import (

 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/integration/scim"
+	action "github.com/zitadel/zitadel/pkg/grpc/action/v2beta"
 	"github.com/zitadel/zitadel/pkg/grpc/admin"
 	"github.com/zitadel/zitadel/pkg/grpc/auth"
 	"github.com/zitadel/zitadel/pkg/grpc/feature/v2"
@@ -32,10 +33,8 @@ import (
 	oidc_pb_v2beta "github.com/zitadel/zitadel/pkg/grpc/oidc/v2beta"
 	"github.com/zitadel/zitadel/pkg/grpc/org/v2"
 	org_v2beta "github.com/zitadel/zitadel/pkg/grpc/org/v2beta"
-	action "github.com/zitadel/zitadel/pkg/grpc/resources/action/v3alpha"
 	user_v3alpha "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
 	userschema_v3alpha "github.com/zitadel/zitadel/pkg/grpc/resources/userschema/v3alpha"
-	webkey_v3alpha "github.com/zitadel/zitadel/pkg/grpc/resources/webkey/v3alpha"
 	saml_pb "github.com/zitadel/zitadel/pkg/grpc/saml/v2"
 	"github.com/zitadel/zitadel/pkg/grpc/session/v2"
 	session_v2beta "github.com/zitadel/zitadel/pkg/grpc/session/v2beta"
@@ -44,6 +43,7 @@ import (
 	user_pb "github.com/zitadel/zitadel/pkg/grpc/user"
 	user_v2 "github.com/zitadel/zitadel/pkg/grpc/user/v2"
 	user_v2beta "github.com/zitadel/zitadel/pkg/grpc/user/v2beta"
+	webkey_v2beta "github.com/zitadel/zitadel/pkg/grpc/webkey/v2beta"
 )

 type Client struct {
@@ -61,11 +61,11 @@ type Client struct {
 	OIDCv2         oidc_pb.OIDCServiceClient
 	OrgV2beta      org_v2beta.OrganizationServiceClient
 	OrgV2          org.OrganizationServiceClient
-	ActionV3Alpha  action.ZITADELActionsClient
+	ActionV2beta   action.ActionServiceClient
 	FeatureV2beta  feature_v2beta.FeatureServiceClient
 	FeatureV2      feature.FeatureServiceClient
 	UserSchemaV3   userschema_v3alpha.ZITADELUserSchemasClient
-	WebKeyV3Alpha  webkey_v3alpha.ZITADELWebKeysClient
+	WebKeyV2Beta   webkey_v2beta.WebKeyServiceClient
 	IDPv2          idp_pb.IdentityProviderServiceClient
 	UserV3Alpha    user_v3alpha.ZITADELUsersClient
 	SAMLv2         saml_pb.SAMLServiceClient
@@ -94,11 +94,11 @@ func newClient(ctx context.Context, target string) (*Client, error) {
 		OIDCv2:         oidc_pb.NewOIDCServiceClient(cc),
 		OrgV2beta:      org_v2beta.NewOrganizationServiceClient(cc),
 		OrgV2:          org.NewOrganizationServiceClient(cc),
-		ActionV3Alpha:  action.NewZITADELActionsClient(cc),
+		ActionV2beta:   action.NewActionServiceClient(cc),
 		FeatureV2beta:  feature_v2beta.NewFeatureServiceClient(cc),
 		FeatureV2:      feature.NewFeatureServiceClient(cc),
 		UserSchemaV3:   userschema_v3alpha.NewZITADELUserSchemasClient(cc),
-		WebKeyV3Alpha:  webkey_v3alpha.NewZITADELWebKeysClient(cc),
+		WebKeyV2Beta:   webkey_v2beta.NewWebKeyServiceClient(cc),
 		IDPv2:          idp_pb.NewIdentityProviderServiceClient(cc),
 		UserV3Alpha:    user_v3alpha.NewZITADELUsersClient(cc),
 		SAMLv2:         saml_pb.NewSAMLServiceClient(cc),
@@ -721,47 +721,52 @@ func (i *Instance) CreateTarget(ctx context.Context, t *testing.T, name, endpoin
 	if name == "" {
 		name = gofakeit.Name()
 	}
-	reqTarget := &action.Target{
+	req := &action.CreateTargetRequest{
 		Name:     name,
 		Endpoint: endpoint,
-		Timeout:  durationpb.New(10 * time.Second),
+		Timeout:  durationpb.New(5 * time.Second),
 	}
 	switch ty {
 	case domain.TargetTypeWebhook:
-		reqTarget.TargetType = &action.Target_RestWebhook{
-			RestWebhook: &action.SetRESTWebhook{
+		req.TargetType = &action.CreateTargetRequest_RestWebhook{
+			RestWebhook: &action.RESTWebhook{
 				InterruptOnError: interrupt,
 			},
 		}
 	case domain.TargetTypeCall:
-		reqTarget.TargetType = &action.Target_RestCall{
-			RestCall: &action.SetRESTCall{
+		req.TargetType = &action.CreateTargetRequest_RestCall{
+			RestCall: &action.RESTCall{
 				InterruptOnError: interrupt,
 			},
 		}
 	case domain.TargetTypeAsync:
-		reqTarget.TargetType = &action.Target_RestAsync{
-			RestAsync: &action.SetRESTAsync{},
+		req.TargetType = &action.CreateTargetRequest_RestAsync{
+			RestAsync: &action.RESTAsync{},
 		}
 	}
-	target, err := i.Client.ActionV3Alpha.CreateTarget(ctx, &action.CreateTargetRequest{Target: reqTarget})
+	target, err := i.Client.ActionV2beta.CreateTarget(ctx, req)
 	require.NoError(t, err)
 	return target
 }

+func (i *Instance) DeleteTarget(ctx context.Context, t *testing.T, id string) {
+	_, err := i.Client.ActionV2beta.DeleteTarget(ctx, &action.DeleteTargetRequest{
+		Id: id,
+	})
+	require.NoError(t, err)
+}
+
 func (i *Instance) DeleteExecution(ctx context.Context, t *testing.T, cond *action.Condition) {
-	_, err := i.Client.ActionV3Alpha.SetExecution(ctx, &action.SetExecutionRequest{
+	_, err := i.Client.ActionV2beta.SetExecution(ctx, &action.SetExecutionRequest{
 		Condition: cond,
 	})
 	require.NoError(t, err)
 }

 func (i *Instance) SetExecution(ctx context.Context, t *testing.T, cond *action.Condition, targets []*action.ExecutionTargetType) *action.SetExecutionResponse {
-	target, err := i.Client.ActionV3Alpha.SetExecution(ctx, &action.SetExecutionRequest{
+	target, err := i.Client.ActionV2beta.SetExecution(ctx, &action.SetExecutionRequest{
 		Condition: cond,
-		Execution: &action.Execution{
-			Targets: targets,
-		},
+		Targets:   targets,
 	})
 	require.NoError(t, err)
 	return target
--- a/internal/integration/config.go
+++ b/internal/integration/config.go
@@ -20,10 +20,8 @@ type Config struct {
 	WebAuthNName string
 }

-var (
-	//go:embed config/client.yaml
-	clientYAML []byte
-)
+//go:embed config/client.yaml
+var clientYAML []byte

 var (
 	tmpDir       string
@@ -49,5 +47,6 @@ func init() {
 	if err := loadedConfig.Log.SetLogger(); err != nil {
 		panic(err)
 	}
-	SystemToken = systemUserToken()
+	SystemToken = createSystemUserToken()
+	SystemUserWithNoPermissionsToken = createSystemUserWithNoPermissionsToken()
 }
--- a/internal/integration/config/cockroach.yaml
+++ b/internal/integration/config/cockroach.yaml
@@ -1,10 +0,0 @@
-Database:
-  cockroach:
-    Host: localhost
-    Port: 26257
-    Database: zitadel
-    Options: ""
-    User:
-      Username: zitadel
-    Admin:
-      Username: root
--- a/internal/integration/config/docker-compose.yaml
+++ b/internal/integration/config/docker-compose.yaml
@@ -1,11 +1,6 @@
 version: '3.8'

 services:
-  cockroach:
-    extends:
-      file: '../../../e2e/config/localhost/docker-compose.yaml'
-      service: 'db'
-  
  postgres:
    restart: 'always'
    image: 'postgres:latest'
--- a/internal/integration/config/postgres.yaml
+++ b/internal/integration/config/postgres.yaml
@@ -1,16 +1,11 @@
 Database:
-  EventPushConnRatio: 0.2 # 4
-  ProjectionSpoolerConnRatio: 0.3 # 6
  postgres:
-    Host: localhost
-    Port: 5432
-    Database: zitadel
    MaxOpenConns: 20
    MaxIdleConns: 20
    MaxConnLifetime: 1h
    MaxConnIdleTime: 5m
    User:
-      Username: zitadel
+      Password: zitadel
      SSL:
        Mode: disable
    Admin:
--- a/internal/integration/config/system-user-with-no-permissions.pem
+++ b/internal/integration/config/system-user-with-no-permissions.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCMxYRfqb4fdnBl
+ZmYweqUaZnWQv8RhWDYGifYGen00ozCFT2L6gGov4YCxRVe+l3aFQ79j5SJb1C+v
+H68DJkyCTrhDpATqdjVuCu7CEEI//16Ivfmj3gbNdsp0IcDKVIAF0bN9kve5ofRX
+CgU6DIx8GjLsXSooSniZnJ4d/Rnt69mpSsPkykUs3RpG2NSOn3WLAoVKh1q/kqeV
+qf8eQ+KzuyD/R9QNAPiyB+ivAuOtVuvmIqojQYK5o8veTg/waBxdmzkim7eg8J7B
+VDSjBeHagS5K9IJr/Q2VeO0rZOOeJfLlH9xlSrDvc3AIS/3HtkqI268kNkvpGz0I
+sg61pUQtAgMBAAECggEAFzZrv1WPaQNAAex6fdR/fKS4Dqwcjxu7XuUpeUSB+GfP
+dLAUR2/c8rPJ45FmaGJz9AIpoWiTe5Z33XYJRyjt1U/zQQ4fFGV1JoXtfHkvX3u1
+5DEFZQDT2NYViMRXFNYNvUfow9Rz/nuG/cJEfd+7W6x7SLANJ1MuY1Ao35OQjsOG
+ftTtmEUppEIXyWL0PCeHQc83z8aJrP+p4hpjJOW2mui0NR2Hk456DGYXg8I8fcQD
+ar7Ar7/A6thR0OmwG7tkkLjRiCjGwnkr19hCNLz+QAWB2o284T12zZueOqRuYQzu
+KwNBZKJlClsPkhdZSPLL4RMFP6hJjKoP5mY0Zdzh8QKBgQDEPrM70aZQiweXHqoE
+/vZry7tphGycoEAf6nwBBrZaRPpJdnEA61LBlJFv7C3s59uy6L7nHssTyVUJha9i
+zFCWRQ0mHNrwxF5Ybd5p//hgblt3X53IV6vZBFF1+OrwRS/AKki3GynDc/oI++hu
+PGHWmUF6lIi3uzWwOTqk6EGovQKBgQC3oqpUlpJ78e0zPjIr9ov61TtnPzAa883D
+LL7fuNYP9zxIMoFZw++2bZfT5tbINflQdZnVVDNs5KiwtEu3oZJrsqXpQmzCl3j2
+KA9FTdVJQXc2lU90uYb76c5JZPownojbXFFOPQokBqfsYLSdfvNVHSQGjZ3C90wL
+YZC0vA9YMQKBgQDCKSraD2YWoEeFO+CJityx8GNfVZbELETljvDbbxGyJDbhwh6y
+AyHgxyZR7wHNN+UFkQN31d6kl/jbr/nDrVQ6KN2GjNwNhKu3oBSDGa9bcTRr2h1Y
+32z2DTCvoPSJflptLSi+iVB7wd5rTxk7H+DJGt5O8nCGH+JRlX2xNN3pnQKBgDdA
+u21eLM8cWNmNQj1WHoInfIsxSQEjEGtEYF4iWE5PfpTelWrz+IF0cjVxBHkTPGPI
+LrQwdJS0LEmWxh2HgO3kv+TydpUKTHwMS6P3qlAzYXJL9K9TT1km3UnaFylf2h/e
+pBwdY5q5YfdOlam50+9tKDTMkYZjMD9QaODooNlRAoGAOWow99WCATFtRrG+mGyl
+UpwApgkZKT0nhkXUnLdNoQVeP0WHeQBSoOA24YnGBntvG/98Uj2rOwdCAYzTGepz
+91bNqscrSOPdD3VN85GEl2DQKtxsRCKCdPKmYkvC/WMGhuzXSIp2U+ePgqEjEQO2
+Sn4xXZ1zwl+4cYHmDvzEQnA=
+-----END PRIVATE KEY-----
--- a/internal/integration/config/zitadel.yaml
+++ b/internal/integration/config/zitadel.yaml
@@ -82,6 +82,13 @@ SystemAPIUsers:
            - "ORG_OWNER"
  - cypress:
      KeyData: "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF6aStGRlNKTDdmNXl3NEtUd3pnTQpQMzRlUEd5Y20vTStrVDBNN1Y0Q2d4NVYzRWFESXZUUUtUTGZCYUVCNDV6YjlMdGpJWHpEdzByWFJvUzJoTzZ0CmgrQ1lRQ3ozS0N2aDA5QzBJenhaaUIySVMzSC9hVCs1Qng5RUZZK3ZuQWtaamNjYnlHNVlOUnZtdE9sbnZJZUkKSDdxWjB0RXdrUGZGNUdFWk5QSlB0bXkzVUdWN2lvZmRWUVMxeFJqNzMrYU13NXJ2SDREOElkeWlBQzNWZWtJYgpwdDBWajBTVVgzRHdLdG9nMzM3QnpUaVBrM2FYUkYwc2JGaFFvcWRKUkk4TnFnWmpDd2pxOXlmSTV0eXhZc3duCitKR3pIR2RIdlczaWRPRGxtd0V0NUsycGFzaVJJV0syT0dmcSt3MEVjbHRRSGFidXFFUGdabG1oQ2tSZE5maXgKQndJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="
+  - system-user-with-no-permissions:
+      KeyData: "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFqTVdFWDZtK0gzWndaV1ptTUhxbApHbVoxa0wvRVlWZzJCb24yQm5wOU5LTXdoVTlpK29CcUwrR0FzVVZYdnBkMmhVTy9ZK1VpVzlRdnJ4K3ZBeVpNCmdrNjRRNlFFNm5ZMWJncnV3aEJDUC85ZWlMMzVvOTRHelhiS2RDSEF5bFNBQmRHemZaTDN1YUgwVndvRk9neU0KZkJveTdGMHFLRXA0bVp5ZUhmMFo3ZXZacVVyRDVNcEZMTjBhUnRqVWpwOTFpd0tGU29kYXY1S25sYW4vSGtQaQpzN3NnLzBmVURRRDRzZ2ZvcndManJWYnI1aUtxSTBHQ3VhUEwzazRQOEdnY1haczVJcHUzb1BDZXdWUTBvd1hoCjJvRXVTdlNDYS8wTmxYanRLMlRqbmlYeTVSL2NaVXF3NzNOd0NFdjl4N1pLaU51dkpEWkw2UnM5Q0xJT3RhVkUKTFFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="
+      Memberships:
+      # MemberType System allows the user to access all APIs for all instances or organizations
+      - MemberType: IAM
+        Roles:
+          - "NO_ROLES"

 InitProjections:
  Enabled: true
--- a/internal/integration/system.go
+++ b/internal/integration/system.go
@@ -17,13 +17,16 @@ import (
 var (
 	//go:embed config/system-user-key.pem
 	systemUserKey []byte
+	//go:embed config/system-user-with-no-permissions.pem
+	systemUserWithNoPermissions []byte
 )

 var (
 	// SystemClient creates a system connection once and reuses it on every use.
 	// Each client call automatically gets the authorization context for the system user.
-	SystemClient = sync.OnceValue[system.SystemServiceClient](systemClient)
-	SystemToken  string
+	SystemClient                     = sync.OnceValue[system.SystemServiceClient](systemClient)
+	SystemToken                      string
+	SystemUserWithNoPermissionsToken string
 )

 func systemClient() system.SystemServiceClient {
@@ -40,7 +43,7 @@ func systemClient() system.SystemServiceClient {
 	return system.NewSystemServiceClient(cc)
 }

-func systemUserToken() string {
+func createSystemUserToken() string {
 	const ISSUER = "tester"
 	audience := http_util.BuildOrigin(loadedConfig.Host(), loadedConfig.Secure)
 	signer, err := client.NewSignerFromPrivateKeyByte(systemUserKey, "")
@@ -54,6 +57,24 @@ func systemUserToken() string {
 	return token
 }

+func createSystemUserWithNoPermissionsToken() string {
+	const ISSUER = "system-user-with-no-permissions"
+	audience := http_util.BuildOrigin(loadedConfig.Host(), loadedConfig.Secure)
+	signer, err := client.NewSignerFromPrivateKeyByte(systemUserWithNoPermissions, "")
+	if err != nil {
+		panic(err)
+	}
+	token, err := client.SignedJWTProfileAssertion(ISSUER, []string{audience}, time.Hour, signer)
+	if err != nil {
+		panic(err)
+	}
+	return token
+}
+
 func WithSystemAuthorization(ctx context.Context) context.Context {
 	return WithAuthorizationToken(ctx, SystemToken)
 }
+
+func WithSystemUserWithNoPermissionsAuthorization(ctx context.Context) context.Context {
+	return WithAuthorizationToken(ctx, SystemUserWithNoPermissionsToken)
+}