chore!: Introduce ZITADEL v3 (#9645)

This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-08-12 00:17:32 +00:00 · 2025-04-02 16:53:06 +02:00
parent d14a23ae7e
commit 07ce3b6905
559 changed files with 14578 additions and 7622 deletions
--- a/internal/query/permission.go
+++ b/internal/query/permission.go
@@ -2,51 +2,74 @@ package query

 import (
 	"context"
+	"encoding/json"
 	"fmt"

 	sq "github.com/Masterminds/squirrel"
 	"github.com/zitadel/logging"

 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/zerrors"
 )

 const (
-	// eventstore.permitted_orgs(instanceid text, userid text, perm text, filter_orgs text)
-	wherePermittedOrgsClause              = "%s = ANY(eventstore.permitted_orgs(?, ?, ?, ?))"
+	// eventstore.permitted_orgs(instanceid text, userid text, system_user_perms JSONB, perm text filter_orgs text)
+	wherePermittedOrgsClause              = "%s = ANY(eventstore.permitted_orgs(?, ?, ?, ?, ?))"
 	wherePermittedOrgsOrCurrentUserClause = "(" + wherePermittedOrgsClause + " OR %s = ?" + ")"
 )

 // wherePermittedOrgs sets a `WHERE` clause to the query that filters the orgs
 // for which the authenticated user has the requested permission for.
 // The user ID is taken from the context.
-//
 // The `orgIDColumn` specifies the table column to which this filter must be applied,
 // and is typically the `resource_owner` column in ZITADEL.
 // We use full identifiers in the query builder so this function should be
 // called with something like `UserResourceOwnerCol.identifier()` for example.
-func wherePermittedOrgs(ctx context.Context, query sq.SelectBuilder, filterOrgIds, orgIDColumn, permission string) sq.SelectBuilder {
-	userID := authz.GetCtxData(ctx).UserID
-	logging.WithFields("permission_check_v2_flag", authz.GetFeatures(ctx).PermissionCheckV2, "org_id_column", orgIDColumn, "permission", permission, "user_id", userID).Debug("permitted orgs check used")
+// func wherePermittedOrgs(ctx context.Context, query sq.SelectBuilder, filterOrgIds, orgIDColumn, permission string) (sq.SelectBuilder, error) {
+// 	userID := authz.GetCtxData(ctx).UserID
+// 	logging.WithFields("permission_check_v2_flag", authz.GetFeatures(ctx).PermissionCheckV2, "org_id_column", orgIDColumn, "permission", permission, "user_id", userID).Debug("permitted orgs check used")

-	return query.Where(
-		fmt.Sprintf(wherePermittedOrgsClause, orgIDColumn),
-		authz.GetInstance(ctx).InstanceID(),
-		userID,
-		permission,
-		filterOrgIds,
-	)
-}
+// 	systemUserPermissions := authz.GetSystemUserPermissions(ctx)
+// 	var systemUserPermissionsJson []byte
+// 	if systemUserPermissions != nil {
+// 		var err error
+// 		systemUserPermissionsJson, err = json.Marshal(systemUserPermissions)
+// 		if err != nil {
+// 			return query, err
+// 		}
+// 	}

-func wherePermittedOrgsOrCurrentUser(ctx context.Context, query sq.SelectBuilder, filterOrgIds, orgIDColumn, userIdColum, permission string) sq.SelectBuilder {
+// 	return query.Where(
+// 		fmt.Sprintf(wherePermittedOrgsClause, orgIDColumn),
+// 		authz.GetInstance(ctx).InstanceID(),
+// 		userID,
+// 		systemUserPermissionsJson,
+// 		permission,
+// 		filterOrgIds,
+// 	), nil
+// }
+
+func wherePermittedOrgsOrCurrentUser(ctx context.Context, query sq.SelectBuilder, filterOrgIds, orgIDColumn, userIdColum, permission string) (sq.SelectBuilder, error) {
 	userID := authz.GetCtxData(ctx).UserID
 	logging.WithFields("permission_check_v2_flag", authz.GetFeatures(ctx).PermissionCheckV2, "org_id_column", orgIDColumn, "user_id_colum", userIdColum, "permission", permission, "user_id", userID).Debug("permitted orgs check used")

+	systemUserPermissions := authz.GetSystemUserPermissions(ctx)
+	var systemUserPermissionsJson []byte
+	if systemUserPermissions != nil {
+		var err error
+		systemUserPermissionsJson, err = json.Marshal(systemUserPermissions)
+		if err != nil {
+			return query, zerrors.ThrowInternal(err, "AUTHZ-HS4us", "Errors.Internal")
+		}
+	}
+
 	return query.Where(
 		fmt.Sprintf(wherePermittedOrgsOrCurrentUserClause, orgIDColumn, userIdColum),
 		authz.GetInstance(ctx).InstanceID(),
 		userID,
+		systemUserPermissionsJson,
 		permission,
 		filterOrgIds,
 		userID,
-	)
+	), nil
 }