feat: implement user schema management (#7416)

This PR adds the functionality to manage user schemas through the new user schema service. It includes the possibility to create a basic JSON schema and also provides a way on defining permissions (read, write) for owner and self context with an annotation. Further annotations for OIDC claims and SAML attribute mappings will follow. A guide on how to create a schema and assign permissions has been started. It will be extended though out the process of implementing the schema and users based on those. Note: This feature is in an early stage and therefore not enabled by default. To test it out, please enable the UserSchema feature flag on your instance / system though the feature service.
2025-08-12 00:47:33 +00:00 · 2024-03-12 14:50:13 +01:00
parent 2a39cc16f5
commit 0e181b218c
61 changed files with 3614 additions and 35 deletions
--- a/internal/domain/schema/permission.go
+++ b/internal/domain/schema/permission.go
@@ -0,0 +1,120 @@
+package schema
+
+import (
+	_ "embed"
+
+	"github.com/santhosh-tekuri/jsonschema/v5"
+
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+var (
+	//go:embed permission.schema.v1.json
+	permissionJSON string
+
+	permissionSchema = jsonschema.MustCompileString(PermissionSchemaID, permissionJSON)
+)
+
+const (
+	PermissionSchemaID = "urn:zitadel:schema:permission-schema:v1"
+	PermissionProperty = "urn:zitadel:schema:permission"
+)
+
+type role int32
+
+const (
+	roleUnspecified role = iota
+	roleSelf
+	roleOwner
+)
+
+type permissionExtension struct {
+	role role
+}
+
+// Compile implements the [jsonschema.ExtCompiler] interface.
+// It parses the permission schema extension / annotation of the passed field.
+func (c permissionExtension) Compile(ctx jsonschema.CompilerContext, m map[string]interface{}) (_ jsonschema.ExtSchema, err error) {
+	perm, ok := m[PermissionProperty]
+	if !ok {
+		return nil, nil
+	}
+	p, ok := perm.(map[string]interface{})
+	if !ok {
+		return nil, zerrors.ThrowInvalidArgument(nil, "SCHEMA-WR5gs", "invalid permission")
+	}
+	perms := new(permissions)
+	for key, value := range p {
+		switch key {
+		case "self":
+			perms.self, err = mapPermission(value)
+			if err != nil {
+				return
+			}
+		case "owner":
+			perms.owner, err = mapPermission(value)
+			if err != nil {
+				return
+			}
+		default:
+			return nil, zerrors.ThrowInvalidArgument(nil, "SCHEMA-GFjio", "invalid permission role")
+		}
+	}
+	return permissionExtensionConfig{c.role, perms}, nil
+}
+
+type permissionExtensionConfig struct {
+	role        role
+	permissions *permissions
+}
+
+// Validate implements the [jsonschema.ExtSchema] interface.
+// It validates the fields of the json instance according to the permission schema.
+func (s permissionExtensionConfig) Validate(ctx jsonschema.ValidationContext, v interface{}) error {
+	switch s.role {
+	case roleSelf:
+		if s.permissions.self == nil || !s.permissions.self.write {
+			return ctx.Error("permission", "missing required permission")
+		}
+		return nil
+	case roleOwner:
+		if s.permissions.owner == nil || !s.permissions.owner.write {
+			return ctx.Error("permission", "missing required permission")
+		}
+		return nil
+	case roleUnspecified:
+		fallthrough
+	default:
+		return ctx.Error("permission", "missing required permission")
+	}
+}
+
+func mapPermission(value any) (*permission, error) {
+	p := new(permission)
+	switch v := value.(type) {
+	case string:
+		for _, s := range v {
+			switch s {
+			case 'r':
+				p.read = true
+			case 'w':
+				p.write = true
+			default:
+				return nil, zerrors.ThrowInvalidArgumentf(nil, "SCHEMA-EZ5zjh", "invalid permission pattern: `%s` in (%s)", string(s), v)
+			}
+		}
+		return p, nil
+	default:
+		return nil, zerrors.ThrowInvalidArgumentf(nil, "SCHEMA-E5h31", "invalid permission type %T (%v)", v, v)
+	}
+}
+
+type permissions struct {
+	self  *permission
+	owner *permission
+}
+
+type permission struct {
+	read  bool
+	write bool
+}