feat: user v2alpha email API (#5708)

* chore(proto): update versions * change protoc plugin * some cleanups * define api for setting emails in new api * implement user.SetEmail * move SetEmail buisiness logic into command * resuse newCryptoCode * command: add ChangeEmail unit tests Not complete, was not able to mock the generator. * Revert "resuse newCryptoCode" This reverts commit c89e90ae35. * undo change to crypto code generators * command: use a generator so we can test properly * command: reorganise ChangeEmail improve test coverage * implement VerifyEmail including unit tests * add URL template tests * proto: change context to object * remove old auth option * remove old auth option * fix linting errors run gci on modified files * add permission checks and fix some errors * comments * comments --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-08-11 21:17:32 +00:00 · 2023-04-25 09:02:29 +02:00
parent 2a79e77c7b
commit 095ec21678
58 changed files with 3589 additions and 399 deletions
--- a/internal/api/authz/authorization.go
+++ b/internal/api/authz/authorization.go
@@ -14,11 +14,11 @@ const (
 	authenticated = "authenticated"
 )

-func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID string, verifier *TokenVerifier, authConfig Config, requiredAuthOption Option, method string) (ctxSetter func(context.Context) context.Context, err error) {
+func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgIDHeader string, verifier *TokenVerifier, authConfig Config, requiredAuthOption Option, method string) (ctxSetter func(context.Context) context.Context, err error) {
 	ctx, span := tracing.NewServerInterceptorSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	ctxData, err := VerifyTokenAndCreateCtxData(ctx, token, orgID, verifier, method)
+	ctxData, err := VerifyTokenAndCreateCtxData(ctx, token, orgIDHeader, verifier, method)
 	if err != nil {
 		return nil, err
 	}
@@ -29,7 +29,7 @@ func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID s
 		}, nil
 	}

-	requestedPermissions, allPermissions, err := getUserMethodPermissions(ctx, verifier, requiredAuthOption.Permission, authConfig, ctxData)
+	requestedPermissions, allPermissions, err := getUserPermissions(ctx, verifier, requiredAuthOption.Permission, authConfig.RolePermissionMappings, ctxData, ctxData.OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -110,18 +110,6 @@ func HasGlobalPermission(perms []string) bool {
 	return false
 }

-func HasGlobalExplicitPermission(perms []string, permToCheck string) bool {
-	for _, perm := range perms {
-		p, ctxID := SplitPermission(perm)
-		if p == permToCheck {
-			if ctxID == "" {
-				return true
-			}
-		}
-	}
-	return false
-}
-
 func GetAllPermissionCtxIDs(perms []string) []string {
 	ctxIDs := make([]string, 0)
 	for _, perm := range perms {
@@ -132,16 +120,3 @@ func GetAllPermissionCtxIDs(perms []string) []string {
 	}
 	return ctxIDs
 }
-
-func GetExplicitPermissionCtxIDs(perms []string, searchPerm string) []string {
-	ctxIDs := make([]string, 0)
-	for _, perm := range perms {
-		p, ctxID := SplitPermission(perm)
-		if p == searchPerm {
-			if ctxID != "" {
-				ctxIDs = append(ctxIDs, ctxID)
-			}
-		}
-	}
-	return ctxIDs
-}
--- a/internal/api/authz/config.go
+++ b/internal/api/authz/config.go
@@ -14,11 +14,11 @@ type MethodMapping map[string]Option
 type Option struct {
 	Permission string
 	CheckParam string
-	Feature    string
+	AllowSelf  bool
 }

-func (a *Config) getPermissionsFromRole(role string) []string {
-	for _, roleMap := range a.RolePermissionMappings {
+func getPermissionsFromRole(rolePermissionMappings []RoleMapping, role string) []string {
+	for _, roleMap := range rolePermissionMappings {
 		if roleMap.Role == role {
 			return roleMap.Permissions
 		}
--- a/internal/api/authz/permissions.go
+++ b/internal/api/authz/permissions.go
@@ -7,7 +7,28 @@ import (
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )

-func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPerm string, authConfig Config, ctxData CtxData) (requestedPermissions, allPermissions []string, err error) {
+func CheckPermission(ctx context.Context, resolver MembershipsResolver, roleMappings []RoleMapping, permission, orgID, resourceID string, allowSelf bool) (err error) {
+	ctxData := GetCtxData(ctx)
+	if allowSelf && ctxData.UserID == resourceID {
+		return nil
+	}
+	requestedPermissions, _, err := getUserPermissions(ctx, resolver, permission, roleMappings, ctxData, orgID)
+	if err != nil {
+		return err
+	}
+
+	_, userPermissionSpan := tracing.NewNamedSpan(ctx, "checkUserPermissions")
+	err = checkUserResourcePermissions(requestedPermissions, resourceID)
+	userPermissionSpan.EndWithError(err)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// getUserPermissions retrieves the memberships of the authenticated user (on instance and provided organisation level),
+// and maps them to permissions. It will return the requested permission(s) and all other granted permissions separately.
+func getUserPermissions(ctx context.Context, resolver MembershipsResolver, requiredPerm string, roleMappings []RoleMapping, ctxData CtxData, orgID string) (requestedPermissions, allPermissions []string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

@@ -16,13 +37,13 @@ func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPer
 	}

 	ctx = context.WithValue(ctx, dataKey, ctxData)
-	memberships, err := t.SearchMyMemberships(ctx)
+	memberships, err := resolver.SearchMyMemberships(ctx, orgID)
 	if err != nil {
 		return nil, nil, err
 	}
 	if len(memberships) == 0 {
 		err = retry(func() error {
-			memberships, err = t.SearchMyMemberships(ctx)
+			memberships, err = resolver.SearchMyMemberships(ctx, orgID)
 			if err != nil {
 				return err
 			}
@@ -35,24 +56,56 @@ func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPer
 			return nil, nil, nil
 		}
 	}
-	requestedPermissions, allPermissions = mapMembershipsToPermissions(requiredPerm, memberships, authConfig)
+	requestedPermissions, allPermissions = mapMembershipsToPermissions(requiredPerm, memberships, roleMappings)
 	return requestedPermissions, allPermissions, nil
 }

-func mapMembershipsToPermissions(requiredPerm string, memberships []*Membership, authConfig Config) (requestPermissions, allPermissions []string) {
+// checkUserResourcePermissions checks that if a user i granted either the requested permission globally (project.write)
+// or the specific resource (project.write:123)
+func checkUserResourcePermissions(userPerms []string, resourceID string) error {
+	if len(userPerms) == 0 {
+		return errors.ThrowPermissionDenied(nil, "AUTH-AWfge", "No matching permissions found")
+	}
+
+	if resourceID == "" {
+		return nil
+	}
+
+	if HasGlobalPermission(userPerms) {
+		return nil
+	}
+
+	if hasContextResourcePermission(userPerms, resourceID) {
+		return nil
+	}
+
+	return errors.ThrowPermissionDenied(nil, "AUTH-Swrgg2", "No matching permissions found")
+}
+
+func hasContextResourcePermission(permissions []string, resourceID string) bool {
+	for _, perm := range permissions {
+		_, ctxID := SplitPermission(perm)
+		if resourceID == ctxID {
+			return true
+		}
+	}
+	return false
+}
+
+func mapMembershipsToPermissions(requiredPerm string, memberships []*Membership, roleMappings []RoleMapping) (requestPermissions, allPermissions []string) {
 	requestPermissions = make([]string, 0)
 	allPermissions = make([]string, 0)
 	for _, membership := range memberships {
-		requestPermissions, allPermissions = mapMembershipToPerm(requiredPerm, membership, authConfig, requestPermissions, allPermissions)
+		requestPermissions, allPermissions = mapMembershipToPerm(requiredPerm, membership, roleMappings, requestPermissions, allPermissions)
 	}

 	return requestPermissions, allPermissions
 }

-func mapMembershipToPerm(requiredPerm string, membership *Membership, authConfig Config, requestPermissions, allPermissions []string) ([]string, []string) {
+func mapMembershipToPerm(requiredPerm string, membership *Membership, roleMappings []RoleMapping, requestPermissions, allPermissions []string) ([]string, []string) {
 	roleNames, roleContextID := roleWithContext(membership)
 	for _, roleName := range roleNames {
-		perms := authConfig.getPermissionsFromRole(roleName)
+		perms := getPermissionsFromRole(roleMappings, roleName)

 		for _, p := range perms {
 			permWithCtx := addRoleContextIDToPerm(p, roleContextID)
--- a/internal/api/authz/permissions_test.go
+++ b/internal/api/authz/permissions_test.go
@@ -18,7 +18,7 @@ type testVerifier struct {
 func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID, projectID string) (string, string, string, string, string, error) {
 	return "userID", "agentID", "clientID", "de", "orgID", nil
 }
-func (v *testVerifier) SearchMyMemberships(ctx context.Context) ([]*Membership, error) {
+func (v *testVerifier) SearchMyMemberships(ctx context.Context, orgID string) ([]*Membership, error) {
 	return v.memberships, nil
 }

@@ -46,7 +46,7 @@ func equalStringArray(a, b []string) bool {
 	return true
 }

-func Test_GetUserMethodPermissions(t *testing.T) {
+func Test_GetUserPermissions(t *testing.T) {
 	type args struct {
 		ctxData      CtxData
 		verifier     *TokenVerifier
@@ -139,7 +139,7 @@ func Test_GetUserMethodPermissions(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, perms, err := getUserMethodPermissions(context.Background(), tt.args.verifier, tt.args.requiredPerm, tt.args.authConfig, tt.args.ctxData)
+			_, perms, err := getUserPermissions(context.Background(), tt.args.verifier, tt.args.requiredPerm, tt.args.authConfig.RolePermissionMappings, tt.args.ctxData, tt.args.ctxData.OrgID)

 			if tt.wantErr && err == nil {
 				t.Errorf("got wrong result, should get err: actual: %v ", err)
@@ -295,7 +295,7 @@ func Test_MapMembershipToPermissions(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			requestPerms, allPerms := mapMembershipsToPermissions(tt.args.requiredPerm, tt.args.membership, tt.args.authConfig)
+			requestPerms, allPerms := mapMembershipsToPermissions(tt.args.requiredPerm, tt.args.membership, tt.args.authConfig.RolePermissionMappings)
 			if !equalStringArray(requestPerms, tt.requestPerms) {
 				t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
 			}
@@ -435,7 +435,7 @@ func Test_MapMembershipToPerm(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			requestPerms, allPerms := mapMembershipToPerm(tt.args.requiredPerm, tt.args.membership, tt.args.authConfig, tt.args.requestPerms, tt.args.allPerms)
+			requestPerms, allPerms := mapMembershipToPerm(tt.args.requiredPerm, tt.args.membership, tt.args.authConfig.RolePermissionMappings, tt.args.requestPerms, tt.args.allPerms)
 			if !equalStringArray(requestPerms, tt.requestPerms) {
 				t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
 			}
@@ -519,3 +519,109 @@ func Test_ExistisPerm(t *testing.T) {
 		})
 	}
 }
+
+func Test_CheckUserResourcePermissions(t *testing.T) {
+	type args struct {
+		perms      []string
+		resourceID string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "no permissions",
+			args: args{
+				perms:      []string{},
+				resourceID: "",
+			},
+			wantErr: true,
+		},
+		{
+			name: "has permission and no context requested",
+			args: args{
+				perms:      []string{"project.read"},
+				resourceID: "",
+			},
+			wantErr: false,
+		},
+		{
+			name: "context requested and has global permission",
+			args: args{
+				perms:      []string{"project.read", "project.read:1"},
+				resourceID: "Test",
+			},
+			wantErr: false,
+		},
+		{
+			name: "context requested and has specific permission",
+			args: args{
+				perms:      []string{"project.read:Test"},
+				resourceID: "Test",
+			},
+			wantErr: false,
+		},
+		{
+			name: "context requested and has no permission",
+			args: args{
+				perms:      []string{"project.read:Test"},
+				resourceID: "Hodor",
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := checkUserResourcePermissions(tt.args.perms, tt.args.resourceID)
+			if tt.wantErr && err == nil {
+				t.Errorf("got wrong result, should get err: actual: %v ", err)
+			}
+
+			if !tt.wantErr && err != nil {
+				t.Errorf("shouldn't get err: %v ", err)
+			}
+
+			if tt.wantErr && !caos_errs.IsPermissionDenied(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func Test_HasContextResourcePermission(t *testing.T) {
+	type args struct {
+		perms      []string
+		resourceID string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result bool
+	}{
+		{
+			name: "existing context permission",
+			args: args{
+				perms:      []string{"test:wrong", "test:right"},
+				resourceID: "right",
+			},
+			result: true,
+		},
+		{
+			name: "not existing context permission",
+			args: args{
+				perms:      []string{"test:wrong", "test:wrong2"},
+				resourceID: "test",
+			},
+			result: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := hasContextResourcePermission(tt.args.perms, tt.args.resourceID)
+			if result != tt.result {
+				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
--- a/internal/api/authz/token.go
+++ b/internal/api/authz/token.go
@@ -27,10 +27,14 @@ type TokenVerifier struct {
 	systemJWTProfile op.JWTProfileVerifier
 }

+type MembershipsResolver interface {
+	SearchMyMemberships(ctx context.Context, orgID string) ([]*Membership, error)
+}
+
 type authZRepo interface {
 	VerifyAccessToken(ctx context.Context, token, verifierClientID, projectID string) (userID, agentID, clientID, prefLang, resourceOwner string, err error)
 	VerifierClientID(ctx context.Context, name string) (clientID, projectID string, err error)
-	SearchMyMemberships(ctx context.Context) ([]*Membership, error)
+	SearchMyMemberships(ctx context.Context, orgID string) ([]*Membership, error)
 	ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error)
 	ExistsOrg(ctx context.Context, orgID string) error
 }
@@ -127,10 +131,10 @@ func (v *TokenVerifier) RegisterServer(appName, methodPrefix string, mappings Me
 	}
 }

-func (v *TokenVerifier) SearchMyMemberships(ctx context.Context) (_ []*Membership, err error) {
+func (v *TokenVerifier) SearchMyMemberships(ctx context.Context, orgID string) (_ []*Membership, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	return v.authZRepo.SearchMyMemberships(ctx)
+	return v.authZRepo.SearchMyMemberships(ctx, orgID)
 }

 func (v *TokenVerifier) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (_ string, _ []string, err error) {