chore!: Introduce ZITADEL v3 (#9645)

This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-08-11 18:57:32 +00:00 · 2025-04-02 16:53:06 +02:00
parent d14a23ae7e
commit 07ce3b6905
559 changed files with 14578 additions and 7622 deletions
--- a/internal/integration/system.go
+++ b/internal/integration/system.go
@@ -17,13 +17,16 @@ import (
 var (
 	//go:embed config/system-user-key.pem
 	systemUserKey []byte
+	//go:embed config/system-user-with-no-permissions.pem
+	systemUserWithNoPermissions []byte
 )

 var (
 	// SystemClient creates a system connection once and reuses it on every use.
 	// Each client call automatically gets the authorization context for the system user.
-	SystemClient = sync.OnceValue[system.SystemServiceClient](systemClient)
-	SystemToken  string
+	SystemClient                     = sync.OnceValue[system.SystemServiceClient](systemClient)
+	SystemToken                      string
+	SystemUserWithNoPermissionsToken string
 )

 func systemClient() system.SystemServiceClient {
@@ -40,7 +43,7 @@ func systemClient() system.SystemServiceClient {
 	return system.NewSystemServiceClient(cc)
 }

-func systemUserToken() string {
+func createSystemUserToken() string {
 	const ISSUER = "tester"
 	audience := http_util.BuildOrigin(loadedConfig.Host(), loadedConfig.Secure)
 	signer, err := client.NewSignerFromPrivateKeyByte(systemUserKey, "")
@@ -54,6 +57,24 @@ func systemUserToken() string {
 	return token
 }

+func createSystemUserWithNoPermissionsToken() string {
+	const ISSUER = "system-user-with-no-permissions"
+	audience := http_util.BuildOrigin(loadedConfig.Host(), loadedConfig.Secure)
+	signer, err := client.NewSignerFromPrivateKeyByte(systemUserWithNoPermissions, "")
+	if err != nil {
+		panic(err)
+	}
+	token, err := client.SignedJWTProfileAssertion(ISSUER, []string{audience}, time.Hour, signer)
+	if err != nil {
+		panic(err)
+	}
+	return token
+}
+
 func WithSystemAuthorization(ctx context.Context) context.Context {
 	return WithAuthorizationToken(ctx, SystemToken)
 }
+
+func WithSystemUserWithNoPermissionsAuthorization(ctx context.Context) context.Context {
+	return WithAuthorizationToken(ctx, SystemUserWithNoPermissionsToken)
+}