Merge branch 'main' into integration-tests

2025-08-12 07:57:32 +00:00 · 2023-04-27 12:47:35 +03:00
parent bd3820cc6c 86f4477ae1
commit 11ab645bb7
104 changed files with 5089 additions and 749 deletions
--- a/internal/api/authz/authorization.go
+++ b/internal/api/authz/authorization.go
@@ -14,11 +14,11 @@ const (
 	authenticated = "authenticated"
 )

-func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID string, verifier *TokenVerifier, authConfig Config, requiredAuthOption Option, method string) (ctxSetter func(context.Context) context.Context, err error) {
+func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgIDHeader string, verifier *TokenVerifier, authConfig Config, requiredAuthOption Option, method string) (ctxSetter func(context.Context) context.Context, err error) {
 	ctx, span := tracing.NewServerInterceptorSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	ctxData, err := VerifyTokenAndCreateCtxData(ctx, token, orgID, verifier, method)
+	ctxData, err := VerifyTokenAndCreateCtxData(ctx, token, orgIDHeader, verifier, method)
 	if err != nil {
 		return nil, err
 	}
@@ -29,7 +29,7 @@ func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID s
 		}, nil
 	}

-	requestedPermissions, allPermissions, err := getUserMethodPermissions(ctx, verifier, requiredAuthOption.Permission, authConfig, ctxData)
+	requestedPermissions, allPermissions, err := getUserPermissions(ctx, verifier, requiredAuthOption.Permission, authConfig.RolePermissionMappings, ctxData, ctxData.OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -110,18 +110,6 @@ func HasGlobalPermission(perms []string) bool {
 	return false
 }

-func HasGlobalExplicitPermission(perms []string, permToCheck string) bool {
-	for _, perm := range perms {
-		p, ctxID := SplitPermission(perm)
-		if p == permToCheck {
-			if ctxID == "" {
-				return true
-			}
-		}
-	}
-	return false
-}
-
 func GetAllPermissionCtxIDs(perms []string) []string {
 	ctxIDs := make([]string, 0)
 	for _, perm := range perms {
@@ -132,16 +120,3 @@ func GetAllPermissionCtxIDs(perms []string) []string {
 	}
 	return ctxIDs
 }
-
-func GetExplicitPermissionCtxIDs(perms []string, searchPerm string) []string {
-	ctxIDs := make([]string, 0)
-	for _, perm := range perms {
-		p, ctxID := SplitPermission(perm)
-		if p == searchPerm {
-			if ctxID != "" {
-				ctxIDs = append(ctxIDs, ctxID)
-			}
-		}
-	}
-	return ctxIDs
-}
--- a/internal/api/authz/config.go
+++ b/internal/api/authz/config.go
@@ -14,11 +14,11 @@ type MethodMapping map[string]Option
 type Option struct {
 	Permission string
 	CheckParam string
-	Feature    string
+	AllowSelf  bool
 }

-func (a *Config) getPermissionsFromRole(role string) []string {
-	for _, roleMap := range a.RolePermissionMappings {
+func getPermissionsFromRole(rolePermissionMappings []RoleMapping, role string) []string {
+	for _, roleMap := range rolePermissionMappings {
 		if roleMap.Role == role {
 			return roleMap.Permissions
 		}
--- a/internal/api/authz/permissions.go
+++ b/internal/api/authz/permissions.go
@@ -7,7 +7,28 @@ import (
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )

-func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPerm string, authConfig Config, ctxData CtxData) (requestedPermissions, allPermissions []string, err error) {
+func CheckPermission(ctx context.Context, resolver MembershipsResolver, roleMappings []RoleMapping, permission, orgID, resourceID string, allowSelf bool) (err error) {
+	ctxData := GetCtxData(ctx)
+	if allowSelf && ctxData.UserID == resourceID {
+		return nil
+	}
+	requestedPermissions, _, err := getUserPermissions(ctx, resolver, permission, roleMappings, ctxData, orgID)
+	if err != nil {
+		return err
+	}
+
+	_, userPermissionSpan := tracing.NewNamedSpan(ctx, "checkUserPermissions")
+	err = checkUserResourcePermissions(requestedPermissions, resourceID)
+	userPermissionSpan.EndWithError(err)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// getUserPermissions retrieves the memberships of the authenticated user (on instance and provided organisation level),
+// and maps them to permissions. It will return the requested permission(s) and all other granted permissions separately.
+func getUserPermissions(ctx context.Context, resolver MembershipsResolver, requiredPerm string, roleMappings []RoleMapping, ctxData CtxData, orgID string) (requestedPermissions, allPermissions []string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

@@ -16,13 +37,13 @@ func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPer
 	}

 	ctx = context.WithValue(ctx, dataKey, ctxData)
-	memberships, err := t.SearchMyMemberships(ctx)
+	memberships, err := resolver.SearchMyMemberships(ctx, orgID)
 	if err != nil {
 		return nil, nil, err
 	}
 	if len(memberships) == 0 {
 		err = retry(func() error {
-			memberships, err = t.SearchMyMemberships(ctx)
+			memberships, err = resolver.SearchMyMemberships(ctx, orgID)
 			if err != nil {
 				return err
 			}
@@ -35,24 +56,56 @@ func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPer
 			return nil, nil, nil
 		}
 	}
-	requestedPermissions, allPermissions = mapMembershipsToPermissions(requiredPerm, memberships, authConfig)
+	requestedPermissions, allPermissions = mapMembershipsToPermissions(requiredPerm, memberships, roleMappings)
 	return requestedPermissions, allPermissions, nil
 }

-func mapMembershipsToPermissions(requiredPerm string, memberships []*Membership, authConfig Config) (requestPermissions, allPermissions []string) {
+// checkUserResourcePermissions checks that if a user i granted either the requested permission globally (project.write)
+// or the specific resource (project.write:123)
+func checkUserResourcePermissions(userPerms []string, resourceID string) error {
+	if len(userPerms) == 0 {
+		return errors.ThrowPermissionDenied(nil, "AUTH-AWfge", "No matching permissions found")
+	}
+
+	if resourceID == "" {
+		return nil
+	}
+
+	if HasGlobalPermission(userPerms) {
+		return nil
+	}
+
+	if hasContextResourcePermission(userPerms, resourceID) {
+		return nil
+	}
+
+	return errors.ThrowPermissionDenied(nil, "AUTH-Swrgg2", "No matching permissions found")
+}
+
+func hasContextResourcePermission(permissions []string, resourceID string) bool {
+	for _, perm := range permissions {
+		_, ctxID := SplitPermission(perm)
+		if resourceID == ctxID {
+			return true
+		}
+	}
+	return false
+}
+
+func mapMembershipsToPermissions(requiredPerm string, memberships []*Membership, roleMappings []RoleMapping) (requestPermissions, allPermissions []string) {
 	requestPermissions = make([]string, 0)
 	allPermissions = make([]string, 0)
 	for _, membership := range memberships {
-		requestPermissions, allPermissions = mapMembershipToPerm(requiredPerm, membership, authConfig, requestPermissions, allPermissions)
+		requestPermissions, allPermissions = mapMembershipToPerm(requiredPerm, membership, roleMappings, requestPermissions, allPermissions)
 	}

 	return requestPermissions, allPermissions
 }

-func mapMembershipToPerm(requiredPerm string, membership *Membership, authConfig Config, requestPermissions, allPermissions []string) ([]string, []string) {
+func mapMembershipToPerm(requiredPerm string, membership *Membership, roleMappings []RoleMapping, requestPermissions, allPermissions []string) ([]string, []string) {
 	roleNames, roleContextID := roleWithContext(membership)
 	for _, roleName := range roleNames {
-		perms := authConfig.getPermissionsFromRole(roleName)
+		perms := getPermissionsFromRole(roleMappings, roleName)

 		for _, p := range perms {
 			permWithCtx := addRoleContextIDToPerm(p, roleContextID)
--- a/internal/api/authz/permissions_test.go
+++ b/internal/api/authz/permissions_test.go
@@ -18,7 +18,7 @@ type testVerifier struct {
 func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID, projectID string) (string, string, string, string, string, error) {
 	return "userID", "agentID", "clientID", "de", "orgID", nil
 }
-func (v *testVerifier) SearchMyMemberships(ctx context.Context) ([]*Membership, error) {
+func (v *testVerifier) SearchMyMemberships(ctx context.Context, orgID string) ([]*Membership, error) {
 	return v.memberships, nil
 }

@@ -46,7 +46,7 @@ func equalStringArray(a, b []string) bool {
 	return true
 }

-func Test_GetUserMethodPermissions(t *testing.T) {
+func Test_GetUserPermissions(t *testing.T) {
 	type args struct {
 		ctxData      CtxData
 		verifier     *TokenVerifier
@@ -139,7 +139,7 @@ func Test_GetUserMethodPermissions(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, perms, err := getUserMethodPermissions(context.Background(), tt.args.verifier, tt.args.requiredPerm, tt.args.authConfig, tt.args.ctxData)
+			_, perms, err := getUserPermissions(context.Background(), tt.args.verifier, tt.args.requiredPerm, tt.args.authConfig.RolePermissionMappings, tt.args.ctxData, tt.args.ctxData.OrgID)

 			if tt.wantErr && err == nil {
 				t.Errorf("got wrong result, should get err: actual: %v ", err)
@@ -295,7 +295,7 @@ func Test_MapMembershipToPermissions(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			requestPerms, allPerms := mapMembershipsToPermissions(tt.args.requiredPerm, tt.args.membership, tt.args.authConfig)
+			requestPerms, allPerms := mapMembershipsToPermissions(tt.args.requiredPerm, tt.args.membership, tt.args.authConfig.RolePermissionMappings)
 			if !equalStringArray(requestPerms, tt.requestPerms) {
 				t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
 			}
@@ -435,7 +435,7 @@ func Test_MapMembershipToPerm(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			requestPerms, allPerms := mapMembershipToPerm(tt.args.requiredPerm, tt.args.membership, tt.args.authConfig, tt.args.requestPerms, tt.args.allPerms)
+			requestPerms, allPerms := mapMembershipToPerm(tt.args.requiredPerm, tt.args.membership, tt.args.authConfig.RolePermissionMappings, tt.args.requestPerms, tt.args.allPerms)
 			if !equalStringArray(requestPerms, tt.requestPerms) {
 				t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
 			}
@@ -519,3 +519,109 @@ func Test_ExistisPerm(t *testing.T) {
 		})
 	}
 }
+
+func Test_CheckUserResourcePermissions(t *testing.T) {
+	type args struct {
+		perms      []string
+		resourceID string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "no permissions",
+			args: args{
+				perms:      []string{},
+				resourceID: "",
+			},
+			wantErr: true,
+		},
+		{
+			name: "has permission and no context requested",
+			args: args{
+				perms:      []string{"project.read"},
+				resourceID: "",
+			},
+			wantErr: false,
+		},
+		{
+			name: "context requested and has global permission",
+			args: args{
+				perms:      []string{"project.read", "project.read:1"},
+				resourceID: "Test",
+			},
+			wantErr: false,
+		},
+		{
+			name: "context requested and has specific permission",
+			args: args{
+				perms:      []string{"project.read:Test"},
+				resourceID: "Test",
+			},
+			wantErr: false,
+		},
+		{
+			name: "context requested and has no permission",
+			args: args{
+				perms:      []string{"project.read:Test"},
+				resourceID: "Hodor",
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := checkUserResourcePermissions(tt.args.perms, tt.args.resourceID)
+			if tt.wantErr && err == nil {
+				t.Errorf("got wrong result, should get err: actual: %v ", err)
+			}
+
+			if !tt.wantErr && err != nil {
+				t.Errorf("shouldn't get err: %v ", err)
+			}
+
+			if tt.wantErr && !caos_errs.IsPermissionDenied(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func Test_HasContextResourcePermission(t *testing.T) {
+	type args struct {
+		perms      []string
+		resourceID string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result bool
+	}{
+		{
+			name: "existing context permission",
+			args: args{
+				perms:      []string{"test:wrong", "test:right"},
+				resourceID: "right",
+			},
+			result: true,
+		},
+		{
+			name: "not existing context permission",
+			args: args{
+				perms:      []string{"test:wrong", "test:wrong2"},
+				resourceID: "test",
+			},
+			result: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := hasContextResourcePermission(tt.args.perms, tt.args.resourceID)
+			if result != tt.result {
+				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
--- a/internal/api/authz/token.go
+++ b/internal/api/authz/token.go
@@ -27,10 +27,14 @@ type TokenVerifier struct {
 	systemJWTProfile op.JWTProfileVerifier
 }

+type MembershipsResolver interface {
+	SearchMyMemberships(ctx context.Context, orgID string) ([]*Membership, error)
+}
+
 type authZRepo interface {
 	VerifyAccessToken(ctx context.Context, token, verifierClientID, projectID string) (userID, agentID, clientID, prefLang, resourceOwner string, err error)
 	VerifierClientID(ctx context.Context, name string) (clientID, projectID string, err error)
-	SearchMyMemberships(ctx context.Context) ([]*Membership, error)
+	SearchMyMemberships(ctx context.Context, orgID string) ([]*Membership, error)
 	ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error)
 	ExistsOrg(ctx context.Context, orgID string) error
 }
@@ -127,10 +131,10 @@ func (v *TokenVerifier) RegisterServer(appName, methodPrefix string, mappings Me
 	}
 }

-func (v *TokenVerifier) SearchMyMemberships(ctx context.Context) (_ []*Membership, err error) {
+func (v *TokenVerifier) SearchMyMemberships(ctx context.Context, orgID string) (_ []*Membership, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	return v.authZRepo.SearchMyMemberships(ctx)
+	return v.authZRepo.SearchMyMemberships(ctx, orgID)
 }

 func (v *TokenVerifier) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (_ string, _ []string, err error) {
--- a/internal/api/grpc/admin/server.go
+++ b/internal/api/grpc/admin/server.go
@@ -71,7 +71,7 @@ func (s *Server) AppName() string {
 }

 func (s *Server) MethodPrefix() string {
-	return admin.AdminService_MethodPrefix
+	return admin.AdminService_ServiceDesc.ServiceName
 }

 func (s *Server) AuthMethods() authz.MethodMapping {
--- a/internal/api/grpc/auth/server.go
+++ b/internal/api/grpc/auth/server.go
@@ -69,7 +69,7 @@ func (s *Server) AppName() string {
 }

 func (s *Server) MethodPrefix() string {
-	return auth.AuthService_MethodPrefix
+	return auth.AuthService_ServiceDesc.ServiceName
 }

 func (s *Server) AuthMethods() authz.MethodMapping {
--- a/internal/api/grpc/management/server.go
+++ b/internal/api/grpc/management/server.go
@@ -63,7 +63,7 @@ func (s *Server) AppName() string {
 }

 func (s *Server) MethodPrefix() string {
-	return management.ManagementService_MethodPrefix
+	return management.ManagementService_ServiceDesc.ServiceName
 }

 func (s *Server) AuthMethods() authz.MethodMapping {
--- a/internal/api/grpc/management/user.go
+++ b/internal/api/grpc/management/user.go
@@ -210,17 +210,14 @@ func (s *Server) BulkRemoveUserMetadata(ctx context.Context, req *mgmt_pb.BulkRe
 }

 func (s *Server) AddHumanUser(ctx context.Context, req *mgmt_pb.AddHumanUserRequest) (*mgmt_pb.AddHumanUserResponse, error) {
-	details, err := s.command.AddHuman(ctx, authz.GetCtxData(ctx).OrgID, AddHumanUserRequestToAddHuman(req))
+	human := AddHumanUserRequestToAddHuman(req)
+	err := s.command.AddHuman(ctx, authz.GetCtxData(ctx).OrgID, human, true)
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.AddHumanUserResponse{
-		UserId: details.ID,
-		Details: obj_grpc.AddToDetailsPb(
-			details.Sequence,
-			details.EventDate,
-			details.ResourceOwner,
-		),
+		UserId:  human.ID,
+		Details: obj_grpc.DomainToAddDetailsPb(human.Details),
 	}, nil
 }

--- a/internal/api/grpc/object/v2/converter.go
+++ b/internal/api/grpc/object/v2/converter.go
@@ -0,0 +1,19 @@
+package object
+
+import (
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
+)
+
+func DomainToDetailsPb(objectDetail *domain.ObjectDetails) *object.Details {
+	details := &object.Details{
+		Sequence:      objectDetail.Sequence,
+		ResourceOwner: objectDetail.ResourceOwner,
+	}
+	if !objectDetail.EventDate.IsZero() {
+		details.ChangeDate = timestamppb.New(objectDetail.EventDate)
+	}
+	return details
+}
--- a/internal/api/grpc/server/middleware/auth_interceptor.go
+++ b/internal/api/grpc/server/middleware/auth_interceptor.go
@@ -34,6 +34,9 @@ func authorize(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo,
 	}

 	orgID := grpc_util.GetHeader(authCtx, http.ZitadelOrgID)
+	if o, ok := req.(AuthContext); ok {
+		orgID = o.AuthContext()
+	}

 	ctxSetter, err := authz.CheckUserAuthorization(authCtx, req, authToken, orgID, verifier, authConfig, authOpt, info.FullMethod)
 	if err != nil {
@@ -42,3 +45,7 @@ func authorize(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo,
 	span.End()
 	return handler(ctxSetter(ctx), req)
 }
+
+type AuthContext interface {
+	AuthContext() string
+}
--- a/internal/api/grpc/server/middleware/auth_interceptor_test.go
+++ b/internal/api/grpc/server/middleware/auth_interceptor_test.go
@@ -24,7 +24,7 @@ type verifierMock struct{}
 func (v *verifierMock) VerifyAccessToken(ctx context.Context, token, clientID, projectID string) (string, string, string, string, string, error) {
 	return "", "", "", "", "", nil
 }
-func (v *verifierMock) SearchMyMemberships(ctx context.Context) ([]*authz.Membership, error) {
+func (v *verifierMock) SearchMyMemberships(ctx context.Context, orgID string) ([]*authz.Membership, error) {
 	return nil, nil
 }

--- a/internal/api/grpc/server/server.go
+++ b/internal/api/grpc/server/server.go
@@ -50,13 +50,13 @@ func CreateServer(
 				middleware.MetricsHandler(metricTypes, grpc_api.Probes...),
 				middleware.NoCacheInterceptor(),
 				middleware.ErrorHandler(),
-				middleware.InstanceInterceptor(queries, hostHeaderName, system_pb.SystemService_MethodPrefix, healthpb.Health_ServiceDesc.ServiceName),
+				middleware.InstanceInterceptor(queries, hostHeaderName, system_pb.SystemService_ServiceDesc.ServiceName, healthpb.Health_ServiceDesc.ServiceName),
 				middleware.AccessStorageInterceptor(accessSvc),
 				middleware.AuthorizationInterceptor(verifier, authConfig),
 				middleware.TranslationHandler(),
 				middleware.ValidationHandler(),
 				middleware.ServiceHandler(),
-				middleware.QuotaExhaustedInterceptor(accessSvc, system_pb.SystemService_MethodPrefix),
+				middleware.QuotaExhaustedInterceptor(accessSvc, system_pb.SystemService_ServiceDesc.ServiceName),
 			),
 		),
 	}
--- a/internal/api/grpc/system/server.go
+++ b/internal/api/grpc/system/server.go
@@ -4,7 +4,6 @@ import (
 	"google.golang.org/grpc"

 	"github.com/zitadel/zitadel/internal/admin/repository"
-
 	"github.com/zitadel/zitadel/internal/admin/repository/eventsourcing"
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/grpc/server"
@@ -60,7 +59,7 @@ func (s *Server) AppName() string {
 }

 func (s *Server) MethodPrefix() string {
-	return system.SystemService_MethodPrefix
+	return system.SystemService_ServiceDesc.ServiceName
 }

 func (s *Server) AuthMethods() authz.MethodMapping {
--- a/internal/api/grpc/user/v2/email.go
+++ b/internal/api/grpc/user/v2/email.go
@@ -0,0 +1,65 @@
+package user
+
+import (
+	"context"
+
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+)
+
+func (s *Server) SetEmail(ctx context.Context, req *user.SetEmailRequest) (resp *user.SetEmailResponse, err error) {
+	var resourceOwner string // TODO: check if still needed
+	var email *domain.Email
+
+	switch v := req.GetVerification().(type) {
+	case *user.SetEmailRequest_SendCode:
+		email, err = s.command.ChangeUserEmailURLTemplate(ctx, req.GetUserId(), resourceOwner, req.GetEmail(), s.userCodeAlg, v.SendCode.GetUrlTemplate())
+	case *user.SetEmailRequest_ReturnCode:
+		email, err = s.command.ChangeUserEmailReturnCode(ctx, req.GetUserId(), resourceOwner, req.GetEmail(), s.userCodeAlg)
+	case *user.SetEmailRequest_IsVerified:
+		if v.IsVerified {
+			email, err = s.command.ChangeUserEmailVerified(ctx, req.GetUserId(), resourceOwner, req.GetEmail())
+		} else {
+			email, err = s.command.ChangeUserEmail(ctx, req.GetUserId(), resourceOwner, req.GetEmail(), s.userCodeAlg)
+		}
+	case nil:
+		email, err = s.command.ChangeUserEmail(ctx, req.GetUserId(), resourceOwner, req.GetEmail(), s.userCodeAlg)
+	default:
+		err = caos_errs.ThrowUnimplementedf(nil, "USERv2-Ahng0", "verification oneOf %T in method SetEmail not implemented", v)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return &user.SetEmailResponse{
+		Details: &object.Details{
+			Sequence:      email.Sequence,
+			ChangeDate:    timestamppb.New(email.ChangeDate),
+			ResourceOwner: email.ResourceOwner,
+		},
+		VerificationCode: email.PlainCode,
+	}, nil
+}
+
+func (s *Server) VerifyEmail(ctx context.Context, req *user.VerifyEmailRequest) (*user.VerifyEmailResponse, error) {
+	details, err := s.command.VerifyUserEmail(ctx,
+		req.GetUserId(),
+		"", // TODO: check if still needed
+		req.GetVerificationCode(),
+		s.userCodeAlg,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &user.VerifyEmailResponse{
+		Details: &object.Details{
+			Sequence:      details.Sequence,
+			ChangeDate:    timestamppb.New(details.EventDate),
+			ResourceOwner: details.ResourceOwner,
+		},
+	}, nil
+}
--- a/internal/api/grpc/user/v2/server.go
+++ b/internal/api/grpc/user/v2/server.go
@@ -6,27 +6,27 @@ import (
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/grpc/server"
 	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/query"
-	"github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
 )

 var _ user.UserServiceServer = (*Server)(nil)

 type Server struct {
 	user.UnimplementedUserServiceServer
-	command *command.Commands
-	query   *query.Queries
+	command     *command.Commands
+	query       *query.Queries
+	userCodeAlg crypto.EncryptionAlgorithm
 }

 type Config struct{}

-func CreateServer(
-	command *command.Commands,
-	query *query.Queries,
-) *Server {
+func CreateServer(command *command.Commands, query *query.Queries, userCodeAlg crypto.EncryptionAlgorithm) *Server {
 	return &Server{
-		command: command,
-		query:   query,
+		command:     command,
+		query:       query,
+		userCodeAlg: userCodeAlg,
 	}
 }

--- a/internal/api/grpc/user/v2/test.go
+++ b/internal/api/grpc/user/v2/test.go
@@ -1,55 +0,0 @@
-package user
-
-import (
-	"context"
-
-	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/internal/errors"
-	"github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
-)
-
-func (s *Server) TestGet(ctx context.Context, req *user.TestGetRequest) (*user.TestGetResponse, error) {
-	return &user.TestGetResponse{
-		Ctx: req.Ctx.String(),
-	}, nil
-}
-
-func (s *Server) TestPost(ctx context.Context, req *user.TestPostRequest) (*user.TestPostResponse, error) {
-	return &user.TestPostResponse{
-		Ctx: req.Ctx.String(),
-	}, nil
-}
-
-func (s *Server) TestAuth(ctx context.Context, req *user.TestAuthRequest) (*user.TestAuthResponse, error) {
-	reqCtx, err := authDemo(ctx, req.Ctx)
-	if err != nil {
-		return nil, err
-	}
-	return &user.TestAuthResponse{
-		User: &user.User{Id: authz.GetCtxData(ctx).UserID},
-		Ctx:  reqCtx,
-	}, nil
-}
-
-func authDemo(ctx context.Context, reqCtx *user.Context) (*user.Context, error) {
-	ro := authz.GetCtxData(ctx).ResourceOwner
-	if reqCtx == nil {
-		return &user.Context{Ctx: &user.Context_OrgId{OrgId: ro}}, nil
-	}
-	switch c := reqCtx.Ctx.(type) {
-	case *user.Context_OrgId:
-		if c.OrgId == ro {
-			return reqCtx, nil
-		}
-		return nil, errors.ThrowPermissionDenied(nil, "USER-dg4g", "Errors.User.NotAllowedOrg")
-	case *user.Context_OrgDomain:
-		if c.OrgDomain == "forbidden.com" {
-			return nil, errors.ThrowPermissionDenied(nil, "USER-SDg4g", "Errors.User.NotAllowedOrg")
-		}
-		return reqCtx, nil
-	case *user.Context_Instance:
-		return reqCtx, nil
-	default:
-		return reqCtx, nil
-	}
-}
--- a/internal/api/grpc/user/v2/user.go
+++ b/internal/api/grpc/user/v2/user.go
@@ -0,0 +1,112 @@
+package user
+
+import (
+	"context"
+	"io"
+
+	"golang.org/x/text/language"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+)
+
+func (s *Server) AddHumanUser(ctx context.Context, req *user.AddHumanUserRequest) (_ *user.AddHumanUserResponse, err error) {
+	human, err := addUserRequestToAddHuman(req)
+	if err != nil {
+		return nil, err
+	}
+	orgID := req.GetOrganisation().GetOrgId()
+	if orgID == "" {
+		orgID = authz.GetCtxData(ctx).OrgID
+	}
+	err = s.command.AddHuman(ctx, orgID, human, false)
+	if err != nil {
+		return nil, err
+	}
+	return &user.AddHumanUserResponse{
+		UserId:    human.ID,
+		Details:   object.DomainToDetailsPb(human.Details),
+		EmailCode: human.EmailCode,
+	}, nil
+}
+
+func addUserRequestToAddHuman(req *user.AddHumanUserRequest) (*command.AddHuman, error) {
+	username := req.GetUsername()
+	if username == "" {
+		username = req.GetEmail().GetEmail()
+	}
+	var urlTemplate string
+	if req.GetEmail().GetSendCode() != nil {
+		urlTemplate = req.GetEmail().GetSendCode().GetUrlTemplate()
+		// test the template execution so the async notification will not fail because of it and the user won't realize
+		if err := domain.RenderConfirmURLTemplate(io.Discard, urlTemplate, req.GetUserId(), "code", "orgID"); err != nil {
+			return nil, err
+		}
+	}
+	bcryptedPassword, err := hashedPasswordToCommand(req.GetHashedPassword())
+	if err != nil {
+		return nil, err
+	}
+	passwordChangeRequired := req.GetPassword().GetChangeRequired() || req.GetHashedPassword().GetChangeRequired()
+	metadata := make([]*command.AddMetadataEntry, len(req.Metadata))
+	for i, metadataEntry := range req.Metadata {
+		metadata[i] = &command.AddMetadataEntry{
+			Key:   metadataEntry.GetKey(),
+			Value: metadataEntry.GetValue(),
+		}
+	}
+	return &command.AddHuman{
+		ID:          req.GetUserId(),
+		Username:    username,
+		FirstName:   req.GetProfile().GetFirstName(),
+		LastName:    req.GetProfile().GetLastName(),
+		NickName:    req.GetProfile().GetNickName(),
+		DisplayName: req.GetProfile().GetDisplayName(),
+		Email: command.Email{
+			Address:     domain.EmailAddress(req.GetEmail().GetEmail()),
+			Verified:    req.GetEmail().GetIsVerified(),
+			ReturnCode:  req.GetEmail().GetReturnCode() != nil,
+			URLTemplate: urlTemplate,
+		},
+		PreferredLanguage:      language.Make(req.GetProfile().GetPreferredLanguage()),
+		Gender:                 genderToDomain(req.GetProfile().GetGender()),
+		Phone:                  command.Phone{}, // TODO: add as soon as possible
+		Password:               req.GetPassword().GetPassword(),
+		BcryptedPassword:       bcryptedPassword,
+		PasswordChangeRequired: passwordChangeRequired,
+		Passwordless:           false,
+		ExternalIDP:            false,
+		Register:               false,
+		Metadata:               metadata,
+	}, nil
+}
+
+func genderToDomain(gender user.Gender) domain.Gender {
+	switch gender {
+	case user.Gender_GENDER_UNSPECIFIED:
+		return domain.GenderUnspecified
+	case user.Gender_GENDER_FEMALE:
+		return domain.GenderFemale
+	case user.Gender_GENDER_MALE:
+		return domain.GenderMale
+	case user.Gender_GENDER_DIVERSE:
+		return domain.GenderDiverse
+	default:
+		return domain.GenderUnspecified
+	}
+}
+
+func hashedPasswordToCommand(hashed *user.HashedPassword) (string, error) {
+	if hashed == nil {
+		return "", nil
+	}
+	// we currently only handle bcrypt
+	if hashed.GetAlgorithm() != "bcrypt" {
+		return "", errors.ThrowInvalidArgument(nil, "USER-JDk4t", "Errors.InvalidArgument")
+	}
+	return hashed.GetHash(), nil
+}
--- a/internal/api/grpc/user/v2/user_test.go
+++ b/internal/api/grpc/user/v2/user_test.go
@@ -0,0 +1,80 @@
+package user
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+)
+
+func Test_hashedPasswordToCommand(t *testing.T) {
+	type args struct {
+		hashed *user.HashedPassword
+	}
+	type res struct {
+		want string
+		err  func(error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			"not hashed",
+			args{
+				hashed: nil,
+			},
+			res{
+				"",
+				nil,
+			},
+		},
+		{
+			"hashed, not bcrypt",
+			args{
+				hashed: &user.HashedPassword{
+					Hash:      "hash",
+					Algorithm: "custom",
+				},
+			},
+			res{
+				"",
+				func(err error) bool {
+					return errors.Is(err, caos_errs.ThrowInvalidArgument(nil, "USER-JDk4t", "Errors.InvalidArgument"))
+				},
+			},
+		},
+		{
+			"hashed, bcrypt",
+			args{
+				hashed: &user.HashedPassword{
+					Hash:      "hash",
+					Algorithm: "bcrypt",
+				},
+			},
+			res{
+				"hash",
+				nil,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := hashedPasswordToCommand(tt.args.hashed)
+			if tt.res.err == nil {
+				require.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assert.Equal(t, tt.res.want, got)
+			}
+		})
+	}
+}
--- a/internal/api/oidc/key.go
+++ b/internal/api/oidc/key.go
@@ -176,7 +176,7 @@ func (o *OPStorage) lockAndGenerateSigningKeyPair(ctx context.Context, algorithm
 		if errors.IsErrorAlreadyExists(err) {
 			return nil
 		}
-		logging.OnError(err).Warn("initial lock failed")
+		logging.OnError(err).Debug("initial lock failed")
 		return err
 	}

--- a/internal/api/saml/certificate.go
+++ b/internal/api/saml/certificate.go
@@ -123,7 +123,7 @@ func (p *Storage) lockAndGenerateCertificateAndKey(ctx context.Context, usage do
 		if errors.IsErrorAlreadyExists(err) {
 			return nil
 		}
-		logging.OnError(err).Warn("initial lock failed")
+		logging.OnError(err).Debug("initial lock failed")
 		return err
 	}