From 17f033f0b4d27bb45fc24acfb0b0573914896297 Mon Sep 17 00:00:00 2001 
From: Livio Spring Date: Tue, 15 Jul 2025 13:38:00 +0200 Subject: [PATCH] fix: permission checks on session API # Which Problems Are Solved The session API allowed any authenticated user to update sessions by their ID without any further check. This was unintentionally introduced with version 2.53.0 when the requirement of providing the latest session token on every session update was removed and no other permission check (e.g. session.write) was ensured. # How the Problems Are Solved - Granted `session.write` to `IAM_OWNER` and `IAM_LOGIN_CLIENT` in the defaults.yaml - Granted `session.read` to `IAM_ORG_MANAGER`, `IAM_USER_MANAGER` and `ORG_OWNER` in the defaults.yaml - Pass the session token to the UpdateSession command. - Check for `session.write` permission on session creation and update. - Alternatively, the (latest) sessionToken can be used to update the session. - Setting an auth request to failed on the OIDC Service `CreateCallback` endpoint now ensures it's either the same user as used to create the auth request (for backwards compatibility) or requires `session.link` permission. - Setting a device auth request to failed on the OIDC Service `AuthorizeOrDenyDeviceAuthorization` endpoint now requires `session.link` permission. - Setting an auth request to failed on the SAML Service `CreateResponse` endpoint now requires `session.link` permission. 
# Additional Changes none # Additional Context none (cherry picked from commit 4c942f3477b073e3e270079e6424b2b3797765d6)
---
 cmd/defaults.yaml | 8 +-
 .../oidc/v2/integration_test/oidc_test.go | 173 +++++++++++-------
 .../oidc/v2beta/integration_test/oidc_test.go | 125 +++++++------
 .../api/grpc/saml/v2/integration/saml_test.go | 114 ++++++++----
 .../grpc/saml/v2/integration/server_test.go | 2 +
 .../session/v2/integration_test/query_test.go | 12 +-
 .../v2/integration_test/session_test.go | 78 ++++----
 internal/api/grpc/session/v2/session.go | 2 +-
 .../v2beta/integration_test/query_test.go | 30 +--
 .../v2beta/integration_test/server_test.go | 2 +
 .../v2beta/integration_test/session_test.go | 82 ++++-----
 internal/api/grpc/session/v2beta/session.go | 10 +-
 .../api/grpc/session/v2beta/session_test.go | 14 +-
 .../grpc/user/v2/integration_test/otp_test.go | 20 +-
 .../user/v2/integration_test/passkey_test.go | 2 +-
 .../user/v2/integration_test/phone_test.go | 2 +-
 .../user/v2/integration_test/totp_test.go | 12 +-
 .../grpc/user/v2/integration_test/u2f_test.go | 6 +-
 .../user/v2/integration_test/user_test.go | 4 +-
 .../user/v2beta/integration_test/otp_test.go | 18 +-
 .../v2beta/integration_test/passkey_test.go | 2 +-
 .../v2beta/integration_test/phone_test.go | 2 +-
 .../user/v2beta/integration_test/totp_test.go | 12 +-
 .../user/v2beta/integration_test/u2f_test.go | 6 +-
 .../user/v2beta/integration_test/user_test.go | 2 +
 .../api/oidc/integration_test/oidc_test.go | 2 +-
 internal/command/auth_request.go | 5 +
 internal/command/auth_request_test.go | 45 ++++-
 internal/command/device_auth.go | 3 +
 internal/command/device_auth_test.go | 29 ++-
 internal/command/saml_request.go | 3 +
 internal/command/saml_request_test.go | 42 ++++-
 internal/command/session.go | 37 +++-
 internal/command/session_test.go | 109 +++++++++--
 34 files changed, 675 insertions(+), 340 deletions(-)
diff --git a/cmd/defaults.yaml b/cmd/defaults.yaml
index 9498c0dd26..b59a97f8b7 100644
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -1294,6 +1294,7 @@ InternalAuthZ:
 - "events.read"
 - "milestones.read"
 - "session.read"
+ - "session.write"
 - "session.delete"
 - "action.target.read"
 - "action.target.write"
@@ -1303,8 +1304,6 @@ InternalAuthZ:
 - "userschema.read"
 - "userschema.write"
 - "userschema.delete"
- - "session.read"
- - "session.delete"
 - Role: "IAM_OWNER_VIEWER"
 Permissions:
 - "iam.read"
@@ -1398,6 +1397,7 @@ InternalAuthZ:
 - "project.grant.member.read"
 - "project.grant.member.write"
 - "project.grant.member.delete"
+ - "session.read"
 - "session.delete"
 - Role: "IAM_USER_MANAGER"
 Permissions:
@@ -1425,6 +1425,7 @@ InternalAuthZ:
 - "project.grant.write"
 - "project.grant.delete"
 - "project.grant.member.read"
+ - "session.read"
 - "session.delete"
 - Role: "IAM_ADMIN_IMPERSONATOR"
 Permissions:
@@ -1488,6 +1489,7 @@ InternalAuthZ:
 - "project.grant.member.read"
 - "project.grant.member.write"
 - "project.grant.member.delete"
+ - "session.read"
 - "session.delete"
 - Role: "IAM_LOGIN_CLIENT"
 Permissions:
@@ -1523,6 +1525,7 @@ InternalAuthZ:
 - "project.grant.member.read"
 - "project.grant.member.write"
 - "session.read"
+ - "session.write"
 - "session.link"
 - "session.delete"
 - "userschema.read"
@@ -1543,6 +1546,7 @@ InternalAuthZ:
 - "policy.read"
 - "project.read"
 - "project.role.read"
+ - "session.read"
 - "session.delete"
 - Role: "ORG_OWNER_VIEWER"
 Permissions:
diff --git a/internal/api/grpc/oidc/v2/integration_test/oidc_test.go b/internal/api/grpc/oidc/v2/integration_test/oidc_test.go
index 1eb031bd6d..ba8391c771 100644
--- a/internal/api/grpc/oidc/v2/integration_test/oidc_test.go
+++ b/internal/api/grpc/oidc/v2/integration_test/oidc_test.go
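Review bot: The new `session.write` grants only land in the shipped defaults, so a deployment that overrides the `InternalAuthZ` role permission mappings in its own config does not pick them up, and since UpdateSession now demands `session.write` or the latest session token, a self-managed login-client role without the new permission will start failing on session updates after this upgrade. The commit description should state this as a required operator action, e.g. `Deployments that override the InternalAuthZ role permissions must add session.write to the role their login client uses.` The second hunk (`@@ -1303,8`) also removes a `session.read`/`session.delete` pair, apparently a duplicate entry in the same role that the first hunk extends; naming that as a de-duplication in the description would keep it from being read as a permission loss.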
@@ -101,7 +101,7 @@ func TestServer_CreateCallback(t *testing.T) { require.NoError(t, err) clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) require.NoError(t, err) - sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID) + sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID) tests := []struct { name string @@ -114,7 +114,7 @@ func TestServer_CreateCallback(t *testing.T) { }{ { name: "Not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: "123", CallbackKind: &oidc_pb.CreateCallbackRequest_Session{ @@ -128,10 +128,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "session not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -146,10 +146,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "session token invalid", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), 
@@ -164,10 +164,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "fail callback", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -193,7 +193,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), 
@@ -215,11 +215,30 @@ func TestServer_CreateCallback(t *testing.T) {
 wantErr: false,
 },
 {
- name: "code callback",
+ name: "fail callback, no permission, error",
 ctx: CTX,
 req: &oidc_pb.CreateCallbackRequest{
 AuthRequestId: func() string {
- _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
+ _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
+ require.NoError(t, err)
+ return authRequestID
+ }(),
+ CallbackKind: &oidc_pb.CreateCallbackRequest_Error{
+ Error: &oidc_pb.AuthorizationError{
+ Error: oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED,
+ ErrorDescription: gu.Ptr("nope"),
+ ErrorUri: gu.Ptr("https://example.com/docs"),
+ },
+ },
+ },
+ wantErr: true,
+ },
+ {
+ name: "code callback",
+ ctx: CTXLoginClient,
+ req: &oidc_pb.CreateCallbackRequest{
+ AuthRequestId: func() string {
+ _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
 require.NoError(t, err)
 return authRequestID
 }(),
@@ -244,7 +263,7 @@ func TestServer_CreateCallback(t *testing.T) {
 ctx: CTX,
 req: &oidc_pb.CreateCallbackRequest{
 AuthRequestId: func() string {
- _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
+ _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
 require.NoError(t, err)
 return authRequestID
 }(),
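Review bot: The new `fail callback, no permission, error` case only sets `wantErr: true`, so it passes on any failure — a not-found or invalid-argument response from the server would satisfy it just as well as the `session.link` denial this commit introduces, and the table already has several not-found cases that presumably expect an error in the same way. To pin the behaviour being fixed, the case should assert the status code, e.g. `assert.Equal(t, codes.PermissionDenied, status.Code(err))` in the loop, or carry a `wantCode` field if the table is extended for it. The same weakness applies to the added `deny device authorization, no permission, error` case in the `TestServer_AuthorizeOrDenyDeviceAuthorization` hunk further down. `TestServer_CreateCallback`'s table and its loop continue outside this hunk.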
@@ -262,7 +281,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), @@ -284,12 +303,12 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "implicit", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { client, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, nil) require.NoError(t, err) - authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit) + authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURIImplicit) require.NoError(t, err) return authRequestID }(), @@ -316,7 +335,7 @@ func TestServer_CreateCallback(t *testing.T) { AuthRequestId: func() string { clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, loginV2) require.NoError(t, err) - authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit) + authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURIImplicit) require.NoError(t, err) return authRequestID }(), 
@@ -364,7 +383,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }{ { name: "usergrant to project and different resourceowner with different project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID2, _ := createOIDCApplication(ctx, t, true, true) @@ -374,13 +393,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant to project and different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -389,7 +408,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -401,7 +420,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "usergrant to project grant and different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -410,7 +429,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -422,31 +441,31 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "no usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, true) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "no usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, true) user := Instance.CreateHumanUser(ctx) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) 
@@ -454,19 +473,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -478,13 +497,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -496,25 +515,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, false) user := Instance.CreateHumanUser(ctx) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "projectRoleCheck, usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -526,19 +545,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "projectRoleCheck, usergrant on project grant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) @@ -546,7 +565,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { projectGrantResp := Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -558,25 +577,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant on project grant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "hasProjectCheck, same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { user := Instance.CreateHumanUser(ctx) _, clientID := createOIDCApplication(ctx, t, false, true) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -588,19 +607,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "hasProjectCheck, different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, false, true) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "hasProjectCheck, different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, false, true) @@ -608,7 +627,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -657,15 +676,15 @@ func TestServer_GetDeviceAuthorizationRequest(t *testing.T) { UserCode: "notFound", }, nil }, - ctx: CTX, + ctx: CTXLoginClient, wantErr: true, }, { name: "success", dep: func() (*oidc.DeviceAuthorizationResponse, error) { - return Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + return Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") }, - ctx: CTX, + ctx: CTXLoginClient, }, } for _, tt := range tests { @@ -697,7 +716,7 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { require.NoError(t, err) client, err := Instance.CreateOIDCClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE) require.NoError(t, err) - sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID) + sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID) tests := []struct { name string @@ -710,7 +729,7 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { }{ { name: "Not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: "123", Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session{ 
@@ -724,14 +743,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { }, { name: "session not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(t, err) @@ -750,14 +769,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { }, { name: "session token invalid", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(collectT, err) 
@@ -776,14 +795,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { }, { name: "deny device authorization", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(collectT, err) 
@@ -796,16 +815,38 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}, wantErr: false, }, + { + name: "deny device authorization, no permission, error", + ctx: CTX, + req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ + DeviceAuthorizationId: func() string { + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") + require.NoError(t, err) + var id string + assert.EventuallyWithT(t, func(collectT *assert.CollectT) { + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + UserCode: req.UserCode, + }) + assert.NoError(collectT, err) + id = resp.GetDeviceAuthorizationRequest().GetId() + }, 5*time.Second, 100*time.Millisecond) + return id + }(), + Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Deny{}, + }, + want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}, + wantErr: true, + }, { name: "authorize, no permission, error", ctx: CTX, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(collectT, err) 
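Review bot: The added `deny device authorization, no permission, error` case sets `want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}` together with `wantErr: true`; the `want` value was evidently copied from the success case above it and, assuming the loop returns after the error check as such tables usually do, is never compared, so it suggests a response assertion that does not happen. Drop the `want` line so the case reads as the pure error expectation it is. The enclosing `TestServer_AuthorizeOrDenyDeviceAuthorization` table and loop continue outside the hunk.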
@@ -827,11 +868,11 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(collectT, err) diff --git a/internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go b/internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go index 1d2a6d2671..bd2b5d71ab 100644 --- a/internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go +++ b/internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go 
@@ -40,22 +40,22 @@ func TestServer_GetAuthRequest(t *testing.T) { dep: func() (time.Time, string, error) { return time.Now(), "123", nil }, - ctx: CTX, + ctx: CTXLoginClient, wantErr: true, }, { name: "success", dep: func() (time.Time, string, error) { - return Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI) + return Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI) }, - ctx: CTX, + ctx: CTXLoginClient, }, { name: "without login client, no permission", dep: func() (time.Time, string, error) { client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) require.NoError(t, err) - return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "") + return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, client.GetClientId(), redirectURI, "") }, ctx: CTX, wantErr: true, @@ -65,7 +65,7 @@ func TestServer_GetAuthRequest(t *testing.T) { dep: func() (time.Time, string, error) { client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) require.NoError(t, err) - return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "") + return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, client.GetClientId(), redirectURI, "") }, ctx: CTXLoginClient, 
@@ -100,7 +100,7 @@ func TestServer_CreateCallback(t *testing.T) { require.NoError(t, err) clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) require.NoError(t, err) - sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID) + sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID) tests := []struct { name string @@ -113,7 +113,7 @@ func TestServer_CreateCallback(t *testing.T) { }{ { name: "Not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: "123", CallbackKind: &oidc_pb.CreateCallbackRequest_Session{ @@ -127,10 +127,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "session not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -145,10 +145,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "session token invalid", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), 
@@ -163,10 +163,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "fail callback", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -192,7 +192,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), 
@@ -214,11 +214,30 @@ func TestServer_CreateCallback(t *testing.T) { wantErr: false, }, { - name: "code callback", + name: "fail callback, no permission, error", ctx: CTX, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) + require.NoError(t, err) + return authRequestID + }(), + CallbackKind: &oidc_pb.CreateCallbackRequest_Error{ + Error: &oidc_pb.AuthorizationError{ + Error: oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED, + ErrorDescription: gu.Ptr("nope"), + ErrorUri: gu.Ptr("https://example.com/docs"), + }, + }, + }, + wantErr: true, + }, + { + name: "code callback", + ctx: CTXLoginClient, + req: &oidc_pb.CreateCallbackRequest{ + AuthRequestId: func() string { + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -243,7 +262,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTX, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), 
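Review bot: The new "fail callback, no permission, error" case covers only the denial path; the backwards-compatibility branch the commit describes — failing an auth request with the same user that created it, without `session.link` — no longer has a visible test, because the existing "fail callback" case now both creates the request with CTXLoginClient and calls with `ctx: CTXLoginClient`. If CTX still represents the org-owner identity that previously exercised that path, a case that creates the request via `Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)` and fails it with `ctx: CTX`, expecting success, would keep the compatibility branch from regressing silently. TestServer_CreateCallback's table starts and ends outside the hunk.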
@@ -261,7 +280,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), @@ -283,12 +302,12 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "implicit", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { client, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, nil) require.NoError(t, err) - authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit) + authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURIImplicit) require.NoError(t, err) return authRequestID }(), @@ -315,7 +334,7 @@ func TestServer_CreateCallback(t *testing.T) { AuthRequestId: func() string { clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, loginV2) require.NoError(t, err) - authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit) + authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURIImplicit) require.NoError(t, err) return authRequestID }(), 
@@ -363,7 +382,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }{ { name: "usergrant to project and different resourceowner with different project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID2, _ := createOIDCApplication(ctx, t, true, true) @@ -373,13 +392,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant to project and different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -388,7 +407,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -400,7 +419,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "usergrant to project grant and different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -409,7 +428,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -421,31 +440,31 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "no usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, true) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "no usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, true) user := Instance.CreateHumanUser(ctx) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) 
@@ -453,19 +472,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -477,13 +496,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -495,25 +514,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, false) user := Instance.CreateHumanUser(ctx) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "projectRoleCheck, usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -525,19 +544,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "projectRoleCheck, usergrant on project grant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) @@ -545,7 +564,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { projectGrantResp := Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -557,25 +576,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant on project grant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "hasProjectCheck, same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { user := Instance.CreateHumanUser(ctx) _, clientID := createOIDCApplication(ctx, t, false, true) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -587,19 +606,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "hasProjectCheck, different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, false, true) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "hasProjectCheck, different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, false, true) @@ -607,7 +626,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, diff --git a/internal/api/grpc/saml/v2/integration/saml_test.go b/internal/api/grpc/saml/v2/integration/saml_test.go index 1f227ab149..fbfdae5aab 100644 --- a/internal/api/grpc/saml/v2/integration/saml_test.go +++ b/internal/api/grpc/saml/v2/integration/saml_test.go 
@@ -48,13 +48,13 @@ func TestServer_GetSAMLRequest(t *testing.T) {
 {
 name: "success, redirect binding",
 dep: func() (time.Time, string, error) {
- return Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
+ return Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
 },
 },
 {
 name: "success, post binding",
 dep: func() (time.Time, string, error) {
- return Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
+ return Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
 },
 },
 }
@@ -63,9 +63,9 @@ func TestServer_GetSAMLRequest(t *testing.T) {
 creationTime, authRequestID, err := tt.dep()
 require.NoError(t, err)
- retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute)
+ retryDuration, tick := integration.WaitForAndTickWithMaxDuration(LoginCTX, time.Minute)
 require.EventuallyWithT(t, func(ttt *assert.CollectT) {
- got, err := Client.GetSAMLRequest(CTX, &saml_pb.GetSAMLRequestRequest{
+ got, err := Client.GetSAMLRequest(LoginCTX, &saml_pb.GetSAMLRequestRequest{
 SamlRequestId: authRequestID,
 })
 if tt.wantErr {
@@ -90,10 +90,11 @@ func TestServer_CreateResponse(t *testing.T) { _, rootURLPost, spMiddlewarePost := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPPostBinding, false, false) _, rootURLRedirect, spMiddlewareRedirect := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPRedirectBinding, false, false) - sessionResp := createSession(CTX, t, Instance.Users[integration.UserTypeOrgOwner].ID) + sessionResp := createSession(LoginCTX, t, Instance.Users[integration.UserTypeLogin].ID) tests := []struct { name string + ctx context.Context req *saml_pb.CreateResponseRequest AuthError string want *saml_pb.CreateResponseResponse @@ -102,6 +103,7 @@ func TestServer_CreateResponse(t *testing.T) { }{ { name: "Not found", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: "123", ResponseKind: &saml_pb.CreateResponseRequest_Session{ @@ -115,9 +117,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "session not found", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) require.NoError(t, err) return authRequestID }(), 
@@ -132,9 +135,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "session token invalid", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) require.NoError(t, err) return authRequestID }(), @@ -149,9 +153,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "fail callback, post", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) return authRequestID }(), 
@@ -177,11 +182,12 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "fail callback, post, already failed", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) - Instance.FailSAMLAuthRequest(CTX, authRequestID, saml_pb.ErrorReason_ERROR_REASON_AUTH_N_FAILED) + Instance.FailSAMLAuthRequest(LoginCTX, authRequestID, saml_pb.ErrorReason_ERROR_REASON_AUTH_N_FAILED) return authRequestID }(), ResponseKind: &saml_pb.CreateResponseRequest_Error{ @@ -195,9 +201,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "fail callback, redirect", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) return authRequestID }(), 
@@ -219,10 +226,29 @@ func TestServer_CreateResponse(t *testing.T) { wantErr: false, }, { - name: "callback, redirect", + name: "fail callback, no permission, error", + ctx: CTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + require.NoError(t, err) + return authRequestID + }(), + ResponseKind: &saml_pb.CreateResponseRequest_Error{ + Error: &saml_pb.AuthorizationError{ + Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED, + ErrorDescription: gu.Ptr("nope"), + }, + }, + }, + wantErr: true, + }, + { + name: "callback, redirect", + ctx: LoginCTX, + req: &saml_pb.CreateResponseRequest{ + SamlRequestId: func() string { + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) require.NoError(t, err) return authRequestID }(), @@ -245,9 +271,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "callback, post", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) return authRequestID }(), 
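Review bot: The new "fail callback, no permission, error" case builds its SAML request with `spMiddlewareRedirect` but `acsPost` and `saml.HTTPPostBinding`, pairing the redirect-binding service provider with the post ACS and binding. The unchanged "fail callback, redirect" case above it uses the same combination, so this looks like a copy; the expected error is presumably raised by the permission check before the binding matters, but a reader cannot tell whether the mismatch is deliberate. Using `acsRedirect` and `saml.HTTPRedirectBinding`, as the removed "callback, redirect" line did, or a one-line comment on the entry explaining the combination, would make the case's intent clear. The test table starts and ends outside the hunk.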
@@ -273,11 +300,30 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "callback, post", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + require.NoError(t, err) + Instance.SuccessfulSAMLAuthRequest(LoginCTX, Instance.Users[integration.UserTypeLogin].ID, authRequestID) + return authRequestID + }(), + ResponseKind: &saml_pb.CreateResponseRequest_Session{ + Session: &saml_pb.Session{ + SessionId: sessionResp.GetSessionId(), + SessionToken: sessionResp.GetSessionToken(), + }, + }, + }, + wantErr: true, + }, + { + name: "callback, no permission, error", + ctx: CTX, + req: &saml_pb.CreateResponseRequest{ + SamlRequestId: func() string { + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) - Instance.SuccessfulSAMLAuthRequest(CTX, Instance.Users[integration.UserTypeOrgOwner].ID, authRequestID) return authRequestID }(), ResponseKind: &saml_pb.CreateResponseRequest_Session{ @@ -292,7 +338,7 @@ func TestServer_CreateResponse(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := Client.CreateResponse(CTX, tt.req) + got, err := Client.CreateResponse(tt.ctx, tt.req) if tt.wantErr { require.Error(t, err) return 
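Review bot: Two entries in this table are both named "callback, post" — the one in the preceding hunk and the one here that first calls `Instance.SuccessfulSAMLAuthRequest` and expects an error — so `t.Run` reports the second as `callback, post#01` and a failure is hard to attribute. Since the hunk already touches this entry, renaming it, e.g. `name: "callback, post, already succeeded",`, is a one-line fix. Separately, the loop now passes `tt.ctx` to `Client.CreateResponse`, so any table entry that omits `ctx` would send a nil context; every entry visible in this diff sets it, but entries outside the shown hunks should be checked. The table starts outside the hunk.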
@@ -336,7 +382,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -350,7 +396,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, 
@@ -372,7 +418,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -391,7 +437,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -401,7 +447,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { _, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true) user := Instance.CreateHumanUser(ctx) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, 
@@ -414,7 +460,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
 user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
 Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
- return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
+ return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
 },
 wantErr: true,
 },
@@ -426,7 +472,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
 user := Instance.CreateHumanUser(ctx)
 Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
- return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
+ return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
 },
 want: &saml_pb.CreateResponseResponse{
 Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -445,7 +491,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
 user := Instance.CreateHumanUser(ctx)
 Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
- return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
+ return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
 },
 want: &saml_pb.CreateResponseResponse{
 Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -462,7 +508,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
 _, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
 user := Instance.CreateHumanUser(ctx)
- return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
+ return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
 },
 wantErr: true,
 },
@@ -474,7 +520,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
 user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
 Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
- return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
+ return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
 },
 want: &saml_pb.CreateResponseResponse{
 Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -492,7 +538,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
 orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email())
 user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
- return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
+ return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
 },
 wantErr: true,
 },
@@ -506,7 +552,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
 user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
 Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
- return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
+ return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
 },
 want: &saml_pb.CreateResponseResponse{
 Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -526,7 +572,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
 Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
 user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
- return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
+ return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
 },
 wantErr: true,
 },
@@ -536,7 +582,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
 _, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true)
 user := Instance.CreateHumanUser(ctx)
- return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
+ return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
 },
 want: &saml_pb.CreateResponseResponse{
 Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -554,7 +600,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
 orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email())
 user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
- return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
+ return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
 },
 wantErr: true,
 },
@@ -566,7 +612,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
 Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
 user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
- return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
+ return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
 },
 want: &saml_pb.CreateResponseResponse{
 Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -582,7 +628,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 req := tt.dep(IAMCTX, t)
- got, err := Client.CreateResponse(CTX, req)
+ got, err := Client.CreateResponse(LoginCTX, req)
 if tt.wantErr {
 require.Error(t, err)
 return
diff --git a/internal/api/grpc/saml/v2/integration/server_test.go b/internal/api/grpc/saml/v2/integration/server_test.go
index ab9e92a157..86eba0b809 100644
--- a/internal/api/grpc/saml/v2/integration/server_test.go
+++ b/internal/api/grpc/saml/v2/integration/server_test.go
@@ -15,6 +15,7 @@ import (
 var (
 CTX context.Context
 IAMCTX context.Context
+ LoginCTX context.Context
 Instance *integration.Instance
 Client saml_pb.SAMLServiceClient
 )
@@ -29,6 +30,7 @@ func TestMain(m *testing.M) {
 IAMCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
 CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
+ LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
 return m.Run()
 }())
 }
diff --git a/internal/api/grpc/session/v2/integration_test/query_test.go b/internal/api/grpc/session/v2/integration_test/query_test.go
index 4b2eacf570..66f8c9b304 100644
--- a/internal/api/grpc/session/v2/integration_test/query_test.go
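Review bot: Every case of TestServer_CreateResponse_Permission is now issued under `LoginCTX` (the `@@ -582` hunk) and every dependency session is created by the `UserTypeLogin` user, so the `session.link` requirement this change introduces for failing a SAML request is only ever exercised by a caller that holds it. Unless a case outside these hunks does so, a case that calls `Client.CreateResponse` with a context lacking `session.link` and expects an error would pin the new check rather than just the relaxed happy path. The `t.Run` body in `@@ -582` continues outside the hunk, so a case table entry elsewhere may already cover this.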
+++ b/internal/api/grpc/session/v2/integration_test/query_test.go
@@ -72,7 +72,7 @@ func TestServer_GetSession(t *testing.T) {
 {
 name: "get session, permission, ok",
 args: args{
- CTX,
+ IAMOwnerCTX,
 &session.GetSessionRequest{},
 func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
 resp, err := Client.CreateSession(ctx, &session.CreateSessionRequest{})
@@ -213,7 +213,7 @@ func TestServer_GetSession(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 var sequence uint64
 if tt.args.dep != nil {
- sequence = tt.args.dep(CTX, t, tt.args.req)
+ sequence = tt.args.dep(LoginCTX, t, tt.args.req)
 }
 retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
@@ -360,7 +360,7 @@ func TestServer_ListSessions(t *testing.T) {
 {
 name: "list sessions, permission, ok",
 args: args{
- CTX,
+ IAMOwnerCTX,
 &session.ListSessionsRequest{},
 func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
 info := createSession(ctx, t, "", "", nil, nil)
@@ -501,7 +501,7 @@ func TestServer_ListSessions(t *testing.T) {
 {
 name: "list sessions, own creator, ok",
 args: args{
- CTX,
+ LoginCTX,
 &session.ListSessionsRequest{},
 func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
 info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
@@ -542,7 +542,7 @@ func TestServer_ListSessions(t *testing.T) {
 info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
 request.Queries = append(request.Queries, &session.SearchQuery{Query: &session.SearchQuery_IdsQuery{IdsQuery: &session.IDsQuery{Ids: []string{info.ID}}}},
- &session.SearchQuery{Query: &session.SearchQuery_CreatorQuery{CreatorQuery: &session.CreatorQuery{Id: gu.Ptr(Instance.Users.Get(integration.UserTypeOrgOwner).ID)}}})
+ &session.SearchQuery{Query: &session.SearchQuery_CreatorQuery{CreatorQuery: &session.CreatorQuery{Id: gu.Ptr(Instance.Users.Get(integration.UserTypeLogin).ID)}}})
 return []*sessionAttr{info}
 },
 },
@@ -682,7 +682,7 @@ func TestServer_ListSessions(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- infos := tt.args.dep(CTX, t, tt.args.req)
+ infos := tt.args.dep(LoginCTX, t, tt.args.req)
 retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
 require.EventuallyWithT(t, func(ttt *assert.CollectT) {
diff --git a/internal/api/grpc/session/v2/integration_test/session_test.go b/internal/api/grpc/session/v2/integration_test/session_test.go
index 0982a56121..6c0c079e48 100644
--- a/internal/api/grpc/session/v2/integration_test/session_test.go
+++ b/internal/api/grpc/session/v2/integration_test/session_test.go
@@ -251,7 +251,7 @@ func TestServer_CreateSession(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- got, err := Client.CreateSession(CTX, tt.req)
+ got, err := Client.CreateSession(LoginCTX, tt.req)
 if tt.wantErr {
 require.Error(t, err)
 return
@@ -280,7 +280,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) {
 require.NoError(t, err)
 for i := 0; i <= maxAttempts; i++ {
- _, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ _, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -306,7 +306,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) {
 func TestServer_CreateSession_webauthn(t *testing.T) {
 // create new session with user and request the webauthn challenge
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -328,7 +328,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) {
 require.NoError(t, err)
 // update the session with webauthn assertion data
- updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 WebAuthN: &session.CheckWebAuthN{
@@ -374,7 +374,7 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) {
 intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour))
 require.NoError(t, err)
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -402,7 +402,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
 Instance.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId())
 // session with intent check must now succeed
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -422,7 +422,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
 func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
 idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId()
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -435,7 +435,7 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
 verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
 intent := Instance.CreateIntent(CTX, idpID)
- _, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 IdpIntent: &session.CheckIDPIntent{
@@ -556,13 +556,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 userExisting := createFullUser(CTX)
 // create new, empty session
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 sessionToken := createResp.GetSessionToken()
 verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "")
 t.Run("check user", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 User: &session.CheckUser{
@@ -578,7 +578,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 })
 t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Challenges: &session.RequestChallenges{
 WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -594,7 +594,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
 require.NoError(t, err)
- resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 WebAuthN: &session.CheckWebAuthN{
@@ -616,7 +616,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 t.Run("check TOTP", func(t *testing.T) {
 code, err := totp.GenerateCode(totpSecret, time.Now())
 require.NoError(t, err)
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 Totp: &session.CheckTOTP{
@@ -630,13 +630,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 })
 userImport := Instance.CreateHumanUserWithTOTP(CTX, totpSecret)
- createRespImport, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ createRespImport, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 sessionTokenImport := createRespImport.GetSessionToken()
 verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "")
 t.Run("check user", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createRespImport.GetSessionId(),
 Checks: &session.Checks{
 User: &session.CheckUser{
@@ -653,7 +653,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 t.Run("check TOTP", func(t *testing.T) {
 code, err := totp.GenerateCode(totpSecret, time.Now())
 require.NoError(t, err)
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createRespImport.GetSessionId(),
 Checks: &session.Checks{
 Totp: &session.CheckTOTP{
@@ -669,13 +669,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 func TestServer_SetSession_flow(t *testing.T) {
 // create new, empty session
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 sessionToken := createResp.GetSessionToken()
 verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
 t.Run("check user", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 User: &session.CheckUser{
@@ -691,7 +691,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 })
 t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Challenges: &session.RequestChallenges{
 WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -707,7 +707,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
 require.NoError(t, err)
- resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 WebAuthN: &session.CheckWebAuthN{
@@ -733,7 +733,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED,
 } {
 t.Run(userVerificationRequirement.String(), func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Challenges: &session.RequestChallenges{
 WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -749,7 +749,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false)
 require.NoError(t, err)
- resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 WebAuthN: &session.CheckWebAuthN{
@@ -767,7 +767,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 t.Run("check TOTP", func(t *testing.T) {
 code, err := totp.GenerateCode(totpSecret, time.Now())
 require.NoError(t, err)
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 Totp: &session.CheckTOTP{
@@ -781,7 +781,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 })
 t.Run("check OTP SMS", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Challenges: &session.RequestChallenges{
 OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true},
@@ -794,7 +794,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 otp := resp.GetChallenges().GetOtpSms()
 require.NotEmpty(t, otp)
- resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 OtpSms: &session.CheckOTP{
@@ -808,7 +808,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 })
 t.Run("check OTP Email", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Challenges: &session.RequestChallenges{
 OtpEmail: &session.RequestChallenges_OTPEmail{
@@ -823,7 +823,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 otp := resp.GetChallenges().GetOtpEmail()
 require.NotEmpty(t, otp)
- resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 OtpEmail: &session.CheckOTP{
@@ -838,13 +838,13 @@ func TestServer_SetSession_flow(t *testing.T) {
 }
 func TestServer_SetSession_expired(t *testing.T) {
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Lifetime: durationpb.New(20 * time.Second),
 })
 require.NoError(t, err)
 // test session token works
- _, err = Instance.Client.SessionV2.SetSession(CTX, &session.SetSessionRequest{
+ _, err = Instance.Client.SessionV2.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Lifetime: durationpb.New(20 * time.Second),
 })
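Review bot: The comment `// test session token works` in the `@@ -838` hunk no longer describes the call below it: the request carries only `SessionId` and `Lifetime`, and with `LoginCTX` the update is authorized by the `session.write` permission, so the session token is never presented. Either set `SessionToken: createResp.GetSessionToken()` on the request and issue it from a context without `session.write`, which would cover the token-based path this change introduces, or reword the comment to `// test the session can still be updated before it expires`. The expiry check in the `@@ -852` hunk that follows is likewise made under `session.write`, so a token-only caller being rejected after expiry is not exercised here either, unless another test outside these hunks does it.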
@@ -852,7 +852,7 @@ func TestServer_SetSession_expired(t *testing.T) {
 // ensure session expires and does not work anymore
 time.Sleep(20 * time.Second)
- _, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Lifetime: durationpb.New(20 * time.Second),
 })
@@ -860,7 +860,7 @@ func TestServer_SetSession_expired(t *testing.T) {
 }
 func TestServer_DeleteSession_token(t *testing.T) {
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 _, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{
@@ -880,14 +880,14 @@ func TestServer_DeleteSession_own_session(t *testing.T) {
 // create two users for the test and a session each to get tokens for authorization
 user1 := Instance.CreateHumanUser(CTX)
 Instance.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword, false)
- _, token1, _, _ := Instance.CreatePasswordSession(t, CTX, user1.GetUserId(), integration.UserPassword)
+ _, token1, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user1.GetUserId(), integration.UserPassword)
 user2 := Instance.CreateHumanUser(CTX)
 Instance.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword, false)
- _, token2, _, _ := Instance.CreatePasswordSession(t, CTX, user2.GetUserId(), integration.UserPassword)
+ _, token2, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user2.GetUserId(), integration.UserPassword)
 // create a new session for the first user
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -912,7 +912,7 @@ func TestServer_DeleteSession_own_session(t *testing.T) {
 }
 func TestServer_DeleteSession_with_permission(t *testing.T) {
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -932,7 +932,7 @@ func TestServer_DeleteSession_with_permission(t *testing.T) {
 func Test_ZITADEL_API_missing_authentication(t *testing.T) {
 // create new, empty session
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken()))
@@ -947,7 +947,7 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
 }
 func Test_ZITADEL_API_success(t *testing.T) {
- id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId())
+ id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId())
 ctx := integration.WithAuthorizationToken(context.Background(), token)
 retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
@@ -963,7 +963,7 @@ func Test_ZITADEL_API_success(t *testing.T) {
 }
 func Test_ZITADEL_API_session_not_found(t *testing.T) {
- id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId())
+ id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId())
 // test session token works
 ctx := integration.WithAuthorizationToken(context.Background(), token)
@@ -994,7 +994,7 @@ func Test_ZITADEL_API_session_not_found(t *testing.T) {
 }
 func Test_ZITADEL_API_session_expired(t *testing.T) {
- id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, CTX, User.GetUserId(), 20*time.Second)
+ id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, LoginCTX, User.GetUserId(), 20*time.Second)
 // test session token works
 ctx := integration.WithAuthorizationToken(context.Background(), token)
diff --git a/internal/api/grpc/session/v2/session.go b/internal/api/grpc/session/v2/session.go
index 7562d64350..39937693cb 100644
--- a/internal/api/grpc/session/v2/session.go
+++ b/internal/api/grpc/session/v2/session.go
@@ -50,7 +50,7 @@ func (s *Server) SetSession(ctx context.Context, req *session.SetSessionRequest)
 return nil, err
 }
- set, err := s.command.UpdateSession(ctx, req.GetSessionId(), cmds, req.GetMetadata(), req.GetLifetime().AsDuration())
+ set, err := s.command.UpdateSession(ctx, req.GetSessionId(), req.GetSessionToken(), cmds, req.GetMetadata(), req.GetLifetime().AsDuration())
 if err != nil {
 return nil, err
 }
diff --git a/internal/api/grpc/session/v2beta/integration_test/query_test.go b/internal/api/grpc/session/v2beta/integration_test/query_test.go
index dc131cdaaf..9cff2c438e 100644
--- a/internal/api/grpc/session/v2beta/integration_test/query_test.go
+++ b/internal/api/grpc/session/v2beta/integration_test/query_test.go
@@ -61,7 +61,7 @@ func TestServer_GetSession(t *testing.T) {
 UserCTX,
 &session.GetSessionRequest{},
 func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
- resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 request.SessionId = resp.SessionId
 return resp.GetDetails().GetSequence()
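Review bot: In the `session.go` hunk (`@@ -50`) `SetSession` now forwards `req.GetSessionToken()` to `UpdateSession`, but nothing at the call site states the authorization contract this establishes, and the handler is where the next reader will look for it. A one-line comment above the call, `// UpdateSession authorizes the caller by session.write permission or by the latest session token (see command layer).`, would make the two accepted paths explicit; the actual permission/token comparison is in the command package, outside this hunk, as is the beginning of SetSession itself. Whether an empty token falls through to the permission check or is rejected outright is inferred from the change description rather than from these lines, so it is worth confirming against `UpdateSession` before fixing the wording.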
@@ -72,10 +72,10 @@ func TestServer_GetSession(t *testing.T) {
 {
 name: "get session, permission, ok",
 args: args{
- CTX,
+ IAMOwnerCTX,
 &session.GetSessionRequest{},
 func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
- resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 request.SessionId = resp.SessionId
 return resp.GetDetails().GetSequence()
@@ -91,7 +91,7 @@ func TestServer_GetSession(t *testing.T) {
 UserCTX,
 &session.GetSessionRequest{},
 func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
- resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 request.SessionId = resp.SessionId
 request.SessionToken = gu.Ptr(resp.SessionToken)
@@ -108,7 +108,7 @@ func TestServer_GetSession(t *testing.T) {
 UserCTX,
 &session.GetSessionRequest{},
 func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
- resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 UserAgent: &session.UserAgent{
 FingerprintId: gu.Ptr("fingerPrintID"),
 Ip: gu.Ptr("1.2.3.4"),
@@ -144,7 +144,7 @@ func TestServer_GetSession(t *testing.T) {
 UserCTX,
 &session.GetSessionRequest{},
 func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
- resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Lifetime: durationpb.New(5 * time.Minute),
 },
 )
@@ -165,7 +165,7 @@ func TestServer_GetSession(t *testing.T) {
 UserCTX,
 &session.GetSessionRequest{},
 func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
- resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Metadata: map[string][]byte{"foo": []byte("bar")},
 },
 )
@@ -187,7 +187,7 @@ func TestServer_GetSession(t *testing.T) {
 UserCTX,
 &session.GetSessionRequest{},
 func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
- resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -337,7 +337,7 @@ func TestServer_ListSessions(t *testing.T) {
 },
 },
 {
- name: "list sessions, wrong creator",
+ name: "list sessions, no permission",
 args: args{
 UserCTX,
 &session.ListSessionsRequest{},
@@ -349,7 +349,7 @@ func TestServer_ListSessions(t *testing.T) {
 },
 want: &session.ListSessionsResponse{
 Details: &object.ListDetails{
- TotalResult: 0,
+ TotalResult: 1,
 Timestamp: timestamppb.Now(),
 },
 Sessions: []*session.Session{},
@@ -358,7 +358,7 @@ func TestServer_ListSessions(t *testing.T) {
 {
 name: "list sessions, full, ok",
 args: args{
- CTX,
+ IAMOwnerCTX,
 &session.ListSessionsRequest{},
 func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
 info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
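Review bot: In the `@@ -349` hunk the `list sessions, no permission` case now expects `TotalResult: 1` while `Sessions` stays `[]*session.Session{}`, which pins a response where the count discloses that a session the caller may not read exists. That asymmetry suggests the permission filter is applied to the returned rows but not to the count query, so a caller without `session.read` can still learn how many sessions match a query; the count and the rows should be filtered by the same predicate, which would make `TotalResult: 0` the right expectation here. If the mismatch is a known limitation of the v2beta listing, a comment on the case such as `// the count is not permission-filtered; only the rows are` would keep the next reader from taking it as intended behaviour. The argument-order fix in the `@@ -499` hunk on the next line (`assert.Equal(ttt, tt.want.Details.TotalResult, got.Details.TotalResult)`) is correct and unrelated.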
@@ -391,7 +391,7 @@ func TestServer_ListSessions(t *testing.T) { { name: "list sessions, multiple, ok", args: args{ - CTX, + IAMOwnerCTX, &session.ListSessionsRequest{}, func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { infos := createSessions(ctx, t, 3, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")}) @@ -446,7 +446,7 @@ func TestServer_ListSessions(t *testing.T) { { name: "list sessions, userid, ok", args: args{ - CTX, + IAMOwnerCTX, &session.ListSessionsRequest{}, func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { createdUser := createFullUser(ctx) @@ -480,7 +480,7 @@ func TestServer_ListSessions(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - infos := tt.args.dep(CTX, t, tt.args.req) + infos := tt.args.dep(LoginCTX, t, tt.args.req) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute) require.EventuallyWithT(t, func(ttt *assert.CollectT) { @@ -499,7 +499,7 @@ func TestServer_ListSessions(t *testing.T) { } // expected count of sessions is not equal to received sessions - if !assert.Equal(ttt, got.Details.TotalResult, tt.want.Details.TotalResult) || !assert.Len(ttt, got.Sessions, len(tt.want.Sessions)) { + if !assert.Equal(ttt, tt.want.Details.TotalResult, got.Details.TotalResult) || !assert.Len(ttt, got.Sessions, len(tt.want.Sessions)) { return } diff --git a/internal/api/grpc/session/v2beta/integration_test/server_test.go b/internal/api/grpc/session/v2beta/integration_test/server_test.go index 4920e6ec35..03fbfc37da 100644 --- a/internal/api/grpc/session/v2beta/integration_test/server_test.go +++ b/internal/api/grpc/session/v2beta/integration_test/server_test.go 
@@ -18,6 +18,7 @@ import ( var ( CTX context.Context IAMOwnerCTX context.Context + LoginCTX context.Context UserCTX context.Context Instance *integration.Instance Client session.SessionServiceClient @@ -36,6 +37,7 @@ func TestMain(m *testing.M) { CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) IAMOwnerCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) + LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin) UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission) User = createFullUser(CTX) DeactivatedUser = createDeactivatedUser(CTX) diff --git a/internal/api/grpc/session/v2beta/integration_test/session_test.go b/internal/api/grpc/session/v2beta/integration_test/session_test.go index 4c189e0f80..8a2c4094b6 100644 --- a/internal/api/grpc/session/v2beta/integration_test/session_test.go +++ b/internal/api/grpc/session/v2beta/integration_test/session_test.go @@ -251,7 +251,7 @@ func TestServer_CreateSession(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := Client.CreateSession(CTX, tt.req) + got, err := Client.CreateSession(LoginCTX, tt.req) if tt.wantErr { require.Error(t, err) return @@ -280,7 +280,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) { require.NoError(t, err) for i := 0; i <= maxAttempts; i++ { - _, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + _, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ 
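Review bot: The hunks in session_test.go (`@@ -251`, `@@ -280` and the ones that follow through `TestServer_SetSession_expired`) only swap `CTX` for `LoginCTX`, so every `CreateSession`/`SetSession` call still runs with `session.write`, and none of the visible hunks adds the negative case that guards the regression this patch fixes: a `SetSession` from `UserCTX` without `SessionToken` expecting a permission error, plus the positive one where `UserCTX` with the latest `SessionToken` succeeds. Without those two cases the new command-layer check is exercised only indirectly through the login-client path. The table in `TestServer_CreateSession` starts above the first hunk, so a `wantErr` case for `UserCTX` would need the context to become a per-case field instead of the shared `LoginCTX` on the `t.Run` line.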
@@ -306,7 +306,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) { func TestServer_CreateSession_webauthn(t *testing.T) { // create new session with user and request the webauthn challenge - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -328,7 +328,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) { require.NoError(t, err) // update the session with webauthn assertion data - updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ @@ -342,7 +342,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) { func TestServer_CreateSession_successfulIntent(t *testing.T) { idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId() - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -356,7 +356,7 @@ func TestServer_CreateSession_successfulIntent(t *testing.T) { intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour)) require.NoError(t, err) - updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ IdpIntent: &session.CheckIDPIntent{ 
@@ -374,7 +374,7 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) { intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour)) require.NoError(t, err) - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -403,7 +403,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) { Instance.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId()) // session with intent check must now succeed - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -423,7 +423,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) { func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) { idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId() - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -436,7 +436,7 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) { verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) intent := Instance.CreateIntent(CTX, idpID) - _, err = Client.SetSession(CTX, &session.SetSessionRequest{ + _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ IdpIntent: &session.CheckIDPIntent{ 
@@ -557,13 +557,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) { userExisting := createFullUser(CTX) // create new, empty session - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionToken := createResp.GetSessionToken() verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") t.Run("check user", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ @@ -579,7 +579,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { }) t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ @@ -595,7 +595,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) require.NoError(t, err) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ 
@@ -617,7 +617,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { t.Run("check TOTP", func(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ @@ -631,13 +631,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) { }) userImport := Instance.CreateHumanUserWithTOTP(CTX, totpSecret) - createRespImport, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createRespImport, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionTokenImport := createRespImport.GetSessionToken() verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") t.Run("check user", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createRespImport.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ @@ -654,7 +654,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { t.Run("check TOTP", func(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createRespImport.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ 
@@ -670,13 +670,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) { func TestServer_SetSession_flow(t *testing.T) { // create new, empty session - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionToken := createResp.GetSessionToken() verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) t.Run("check user", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ @@ -692,7 +692,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ @@ -708,7 +708,7 @@ func TestServer_SetSession_flow(t *testing.T) { assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) require.NoError(t, err) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ 
@@ -734,7 +734,7 @@ func TestServer_SetSession_flow(t *testing.T) { session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED, } { t.Run(userVerificationRequirement.String(), func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ @@ -750,7 +750,7 @@ func TestServer_SetSession_flow(t *testing.T) { assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false) require.NoError(t, err) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ @@ -768,7 +768,7 @@ func TestServer_SetSession_flow(t *testing.T) { t.Run("check TOTP", func(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ @@ -782,7 +782,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) t.Run("check OTP SMS", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true}, 
@@ -795,7 +795,7 @@ func TestServer_SetSession_flow(t *testing.T) { otp := resp.GetChallenges().GetOtpSms() require.NotEmpty(t, otp) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ OtpSms: &session.CheckOTP{ @@ -809,7 +809,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) t.Run("check OTP Email", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ OtpEmail: &session.RequestChallenges_OTPEmail{ @@ -824,7 +824,7 @@ func TestServer_SetSession_flow(t *testing.T) { otp := resp.GetChallenges().GetOtpEmail() require.NotEmpty(t, otp) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ OtpEmail: &session.CheckOTP{ @@ -839,13 +839,13 @@ func TestServer_SetSession_flow(t *testing.T) { } func TestServer_SetSession_expired(t *testing.T) { - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Lifetime: durationpb.New(20 * time.Second), }) require.NoError(t, err) // test session token works - _, err = Client.SetSession(CTX, &session.SetSessionRequest{ + _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Lifetime: durationpb.New(20 * time.Second), }) 
@@ -853,7 +853,7 @@ func TestServer_SetSession_expired(t *testing.T) { // ensure session expires and does not work anymore time.Sleep(20 * time.Second) - _, err = Client.SetSession(CTX, &session.SetSessionRequest{ + _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Lifetime: durationpb.New(20 * time.Second), }) @@ -861,7 +861,7 @@ func TestServer_SetSession_expired(t *testing.T) { } func TestServer_DeleteSession_token(t *testing.T) { - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) _, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{ @@ -881,14 +881,14 @@ func TestServer_DeleteSession_own_session(t *testing.T) { // create two users for the test and a session each to get tokens for authorization user1 := Instance.CreateHumanUser(CTX) Instance.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword, false) - _, token1, _, _ := Instance.CreatePasswordSession(t, CTX, user1.GetUserId(), integration.UserPassword) + _, token1, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user1.GetUserId(), integration.UserPassword) user2 := Instance.CreateHumanUser(CTX) Instance.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword, false) - _, token2, _, _ := Instance.CreatePasswordSession(t, CTX, user2.GetUserId(), integration.UserPassword) + _, token2, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user2.GetUserId(), integration.UserPassword) // create a new session for the first user - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ 
@@ -913,7 +913,7 @@ func TestServer_DeleteSession_own_session(t *testing.T) { } func TestServer_DeleteSession_with_permission(t *testing.T) { - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -933,7 +933,7 @@ func TestServer_DeleteSession_with_permission(t *testing.T) { func Test_ZITADEL_API_missing_authentication(t *testing.T) { // create new, empty session - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken())) @@ -948,7 +948,7 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) { } func Test_ZITADEL_API_success(t *testing.T) { - id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId()) + id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId()) ctx := integration.WithAuthorizationToken(context.Background(), token) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute) @@ -964,7 +964,7 @@ func Test_ZITADEL_API_success(t *testing.T) { } func Test_ZITADEL_API_session_not_found(t *testing.T) { - id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId()) + id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId()) // test session token works ctx := integration.WithAuthorizationToken(context.Background(), token) 
@@ -995,7 +995,7 @@ func Test_ZITADEL_API_session_not_found(t *testing.T) { } func Test_ZITADEL_API_session_expired(t *testing.T) { - id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, CTX, User.GetUserId(), 20*time.Second) + id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, LoginCTX, User.GetUserId(), 20*time.Second) // test session token works ctx := integration.WithAuthorizationToken(context.Background(), token) diff --git a/internal/api/grpc/session/v2beta/session.go b/internal/api/grpc/session/v2beta/session.go index 3b36b8ba83..fb32ba7b4d 100644 --- a/internal/api/grpc/session/v2beta/session.go +++ b/internal/api/grpc/session/v2beta/session.go @@ -11,7 +11,6 @@ import ( "google.golang.org/protobuf/types/known/structpb" "google.golang.org/protobuf/types/known/timestamppb" - "github.com/zitadel/zitadel/internal/api/authz" object "github.com/zitadel/zitadel/internal/api/grpc/object/v2beta" "github.com/zitadel/zitadel/internal/command" "github.com/zitadel/zitadel/internal/domain" @@ -89,7 +88,7 @@ func (s *Server) SetSession(ctx context.Context, req *session.SetSessionRequest) return nil, err } - set, err := s.command.UpdateSession(ctx, req.GetSessionId(), cmds, req.GetMetadata(), req.GetLifetime().AsDuration()) + set, err := s.command.UpdateSession(ctx, req.GetSessionId(), req.GetSessionToken(), cmds, req.GetMetadata(), req.GetLifetime().AsDuration()) if err != nil { return nil, err } 
@@ -255,18 +254,13 @@ func listSessionsRequestToQuery(ctx context.Context, req *session.ListSessionsRe } func sessionQueriesToQuery(ctx context.Context, queries []*session.SearchQuery) (_ []query.SearchQuery, err error) { - q := make([]query.SearchQuery, len(queries)+1) + q := make([]query.SearchQuery, len(queries)) for i, v := range queries { q[i], err = sessionQueryToQuery(v) if err != nil { return nil, err } } - creatorQuery, err := query.NewSessionCreatorSearchQuery(authz.GetCtxData(ctx).UserID) - if err != nil { - return nil, err - } - q[len(queries)] = creatorQuery return q, nil } diff --git a/internal/api/grpc/session/v2beta/session_test.go b/internal/api/grpc/session/v2beta/session_test.go index c088b5b886..de043ed0e2 100644 --- a/internal/api/grpc/session/v2beta/session_test.go +++ b/internal/api/grpc/session/v2beta/session_test.go @@ -339,9 +339,7 @@ func Test_listSessionsRequestToQuery(t *testing.T) { Limit: 0, Asc: false, }, - Queries: []query.SearchQuery{ - mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals), - }, + Queries: []query.SearchQuery{}, }, }, { @@ -359,9 +357,7 @@ func Test_listSessionsRequestToQuery(t *testing.T) { SortingColumn: query.SessionColumnCreationDate, Asc: false, }, - Queries: []query.SearchQuery{ - mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals), - }, + Queries: []query.SearchQuery{}, }, }, { @@ -410,7 +406,6 @@ func Test_listSessionsRequestToQuery(t *testing.T) { mustNewListQuery(t, query.SessionColumnID, []interface{}{"4", "5", "6"}, query.ListIn), mustNewTextQuery(t, query.SessionColumnUserID, "10", query.TextEquals), mustNewTimestampQuery(t, query.SessionColumnCreationDate, creationDate, query.TimestampGreater), - mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals), }, }, }, 
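Review bot: After the creator filter is removed, `ctx` is no longer read anywhere in `sessionQueriesToQuery`, so the parameter is dead; either drop it and adjust the call in `listSessionsRequestToQuery` (whose body lies outside the hunk), or keep it with a comment saying it is retained for signature stability. The removal also means the query built here no longer scopes results to the caller's own sessions, and nothing in this file enforces the `session.read` grant the description mentions, so a comment such as `// permission filtering (session.read or own sessions) is applied by the query layer, not here` would make the moved trust boundary visible to the next reader — assuming that is where it is now enforced. The unit-test hunks at `@@ -339`, `@@ -359`, `@@ -410`, `@@ -462` and `@@ -496` drop the creator expectation consistently with this change.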
@@ -462,9 +457,7 @@ func Test_sessionQueriesToQuery(t *testing.T) { args: args{ ctx: authz.NewMockContext("123", "456", "789"), }, - want: []query.SearchQuery{ - mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals), - }, + want: []query.SearchQuery{}, }, { name: "invalid argument", @@ -496,7 +489,6 @@ func Test_sessionQueriesToQuery(t *testing.T) { want: []query.SearchQuery{ mustNewListQuery(t, query.SessionColumnID, []interface{}{"1", "2", "3"}, query.ListIn), mustNewListQuery(t, query.SessionColumnID, []interface{}{"4", "5", "6"}, query.ListIn), - mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals), }, }, } diff --git a/internal/api/grpc/user/v2/integration_test/otp_test.go b/internal/api/grpc/user/v2/integration_test/otp_test.go index 01e6c07a40..4ec54b26b9 100644 --- a/internal/api/grpc/user/v2/integration_test/otp_test.go +++ b/internal/api/grpc/user/v2/integration_test/otp_test.go @@ -17,11 +17,11 @@ import ( func TestServer_AddOTPSMS(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) userVerified := Instance.CreateHumanUser(CTX) _, err := Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{ 
@@ -30,7 +30,7 @@ func TestServer_AddOTPSMS(t *testing.T) { }) require.NoError(t, err) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerified2 := Instance.CreateHumanUser(CTX) _, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{ @@ -123,7 +123,7 @@ func TestServer_AddOTPSMS(t *testing.T) { func TestServer_RemoveOTPSMS(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) @@ -137,7 +137,7 @@ func TestServer_RemoveOTPSMS(t *testing.T) { userSelf := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userSelf.GetUserId()) - _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId()) + _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId()) userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf) _, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{ UserId: userSelf.GetUserId(), 
@@ -213,11 +213,11 @@ func TestServer_RemoveOTPSMS(t *testing.T) { func TestServer_AddOTPEmail(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) userVerified := Instance.CreateHumanUser(CTX) _, err := Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{ @@ -226,7 +226,7 @@ func TestServer_AddOTPEmail(t *testing.T) { }) require.NoError(t, err) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerified2 := Instance.CreateHumanUser(CTX) _, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{ @@ -321,7 +321,7 @@ func TestServer_AddOTPEmail(t *testing.T) { func TestServer_RemoveOTPEmail(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) 
@@ -335,7 +335,7 @@ func TestServer_RemoveOTPEmail(t *testing.T) { userSelf := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userSelf.GetUserId()) - _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId()) + _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId()) userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf) _, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{ UserId: userSelf.GetUserId(), diff --git a/internal/api/grpc/user/v2/integration_test/passkey_test.go b/internal/api/grpc/user/v2/integration_test/passkey_test.go index 055a47ec46..4a035869fe 100644 --- a/internal/api/grpc/user/v2/integration_test/passkey_test.go +++ b/internal/api/grpc/user/v2/integration_test/passkey_test.go @@ -28,7 +28,7 @@ func TestServer_RegisterPasskey(t *testing.T) { // We also need a user session Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) type args struct { ctx context.Context diff --git a/internal/api/grpc/user/v2/integration_test/phone_test.go b/internal/api/grpc/user/v2/integration_test/phone_test.go index 49050c5fe6..87a8260389 100644 --- a/internal/api/grpc/user/v2/integration_test/phone_test.go +++ b/internal/api/grpc/user/v2/integration_test/phone_test.go @@ -256,7 +256,7 @@ func TestServer_RemovePhone(t *testing.T) { doubleRemoveUser := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) tests := []struct { name string 
diff --git a/internal/api/grpc/user/v2/integration_test/totp_test.go b/internal/api/grpc/user/v2/integration_test/totp_test.go index e65756c1c1..65d1003c35 100644 --- a/internal/api/grpc/user/v2/integration_test/totp_test.go +++ b/internal/api/grpc/user/v2/integration_test/totp_test.go @@ -20,12 +20,12 @@ import ( func TestServer_RegisterTOTP(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) type args struct { @@ -106,7 +106,7 @@ func TestServer_RegisterTOTP(t *testing.T) { func TestServer_VerifyTOTPRegistration(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) reg, err := Client.RegisterTOTP(ctx, &user.RegisterTOTPRequest{ 
@@ -118,7 +118,7 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) { otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{ @@ -209,11 +209,11 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) { func TestServer_RemoveTOTP(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified) _, err := Instance.Client.UserV2.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{ UserId: userVerified.GetUserId(), diff --git a/internal/api/grpc/user/v2/integration_test/u2f_test.go b/internal/api/grpc/user/v2/integration_test/u2f_test.go index b8af753f85..962671d608 100644 --- a/internal/api/grpc/user/v2/integration_test/u2f_test.go +++ b/internal/api/grpc/user/v2/integration_test/u2f_test.go 
@@ -22,9 +22,9 @@ func TestServer_RegisterU2F(t *testing.T) { // We also need a user session Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) type args struct { ctx context.Context @@ -183,7 +183,7 @@ func TestServer_VerifyU2FRegistration(t *testing.T) { func ctxFromNewUserWithRegisteredU2F(t *testing.T) (context.Context, string, *user.RegisterU2FResponse) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{ diff --git a/internal/api/grpc/user/v2/integration_test/user_test.go b/internal/api/grpc/user/v2/integration_test/user_test.go index 8c86d9a7c7..c517a25d3e 100644 --- a/internal/api/grpc/user/v2/integration_test/user_test.go +++ b/internal/api/grpc/user/v2/integration_test/user_test.go @@ -33,6 +33,7 @@ import ( var ( CTX context.Context IamCTX context.Context + LoginCTX context.Context UserCTX context.Context SystemCTX context.Context Instance *integration.Instance 
@@ -48,6 +49,7 @@ func TestMain(m *testing.M) { UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission) IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) + LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin) SystemCTX = integration.WithSystemAuthorization(ctx) CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) Client = Instance.Client.UserV2 @@ -2545,7 +2547,7 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) { func ctxFromNewUserWithRegisteredPasswordlessLegacy(t *testing.T) (context.Context, string, *auth.AddMyPasswordlessResponse) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) pkr, err := Instance.Client.Auth.AddMyPasswordless(ctx, &auth.AddMyPasswordlessRequest{}) diff --git a/internal/api/grpc/user/v2beta/integration_test/otp_test.go b/internal/api/grpc/user/v2beta/integration_test/otp_test.go index fae6c069a4..0b49c3e6b6 100644 --- a/internal/api/grpc/user/v2beta/integration_test/otp_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/otp_test.go 
@@ -17,11 +17,11 @@ import ( func TestServer_AddOTPSMS(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) userVerified := Instance.CreateHumanUser(CTX) _, err := Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{ @@ -30,7 +30,7 @@ func TestServer_AddOTPSMS(t *testing.T) { }) require.NoError(t, err) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerified2 := Instance.CreateHumanUser(CTX) _, err = Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{ @@ -123,7 +123,7 @@ func TestServer_AddOTPSMS(t *testing.T) { func TestServer_RemoveOTPSMS(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) 
@@ -137,7 +137,7 @@ func TestServer_RemoveOTPSMS(t *testing.T) { userSelf := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userSelf.GetUserId()) - _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId()) + _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId()) userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf) _, err = Instance.Client.UserV2beta.VerifyPhone(CTX, &user.VerifyPhoneRequest{ UserId: userSelf.GetUserId(), @@ -213,11 +213,11 @@ func TestServer_RemoveOTPSMS(t *testing.T) { func TestServer_AddOTPEmail(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) userVerified := Instance.CreateHumanUser(CTX) _, err := Client.VerifyEmail(CTX, &user.VerifyEmailRequest{ @@ -226,7 +226,7 @@ func TestServer_AddOTPEmail(t *testing.T) { }) require.NoError(t, err) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerified2 := Instance.CreateHumanUser(CTX) _, err = Client.VerifyEmail(CTX, &user.VerifyEmailRequest{ 
@@ -321,7 +321,7 @@ func TestServer_AddOTPEmail(t *testing.T) { func TestServer_RemoveOTPEmail(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) diff --git a/internal/api/grpc/user/v2beta/integration_test/passkey_test.go b/internal/api/grpc/user/v2beta/integration_test/passkey_test.go index 7bc0465956..f2b4c4e95e 100644 --- a/internal/api/grpc/user/v2beta/integration_test/passkey_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/passkey_test.go @@ -27,7 +27,7 @@ func TestServer_RegisterPasskey(t *testing.T) { // We also need a user session Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) type args struct { ctx context.Context diff --git a/internal/api/grpc/user/v2beta/integration_test/phone_test.go b/internal/api/grpc/user/v2beta/integration_test/phone_test.go index 73d065231c..8d1a07cca2 100644 --- a/internal/api/grpc/user/v2beta/integration_test/phone_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/phone_test.go @@ -258,7 +258,7 @@ func TestServer_RemovePhone(t *testing.T) { doubleRemoveUser := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) tests := []struct { name string 
diff --git a/internal/api/grpc/user/v2beta/integration_test/totp_test.go b/internal/api/grpc/user/v2beta/integration_test/totp_test.go index 4afe5e1f31..0917faa809 100644 --- a/internal/api/grpc/user/v2beta/integration_test/totp_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/totp_test.go @@ -20,12 +20,12 @@ import ( func TestServer_RegisterTOTP(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) type args struct { @@ -106,7 +106,7 @@ func TestServer_RegisterTOTP(t *testing.T) { func TestServer_VerifyTOTPRegistration(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) var reg *user.RegisterTOTPResponse 
@@ -123,7 +123,7 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) { otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{ @@ -214,11 +214,11 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) { func TestServer_RemoveTOTP(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified) _, err := Client.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{ UserId: userVerified.GetUserId(), diff --git a/internal/api/grpc/user/v2beta/integration_test/u2f_test.go b/internal/api/grpc/user/v2beta/integration_test/u2f_test.go index 6e47cbbb99..f03136a3aa 100644 --- a/internal/api/grpc/user/v2beta/integration_test/u2f_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/u2f_test.go 
@@ -22,9 +22,9 @@ func TestServer_RegisterU2F(t *testing.T) { // We also need a user session Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) type args struct { ctx context.Context @@ -108,7 +108,7 @@ func TestServer_RegisterU2F(t *testing.T) { func TestServer_VerifyU2FRegistration(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{ diff --git a/internal/api/grpc/user/v2beta/integration_test/user_test.go b/internal/api/grpc/user/v2beta/integration_test/user_test.go index a5a1309d1a..85e8ea65b4 100644 --- a/internal/api/grpc/user/v2beta/integration_test/user_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/user_test.go @@ -31,6 +31,7 @@ import ( var ( CTX context.Context IamCTX context.Context + LoginCTX context.Context UserCTX context.Context SystemCTX context.Context Instance *integration.Instance @@ -46,6 +47,7 @@ func TestMain(m *testing.M) { UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission) IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) + LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin) SystemCTX = integration.WithSystemAuthorization(ctx) CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) Client = Instance.Client.UserV2beta 
diff --git a/internal/api/oidc/integration_test/oidc_test.go b/internal/api/oidc/integration_test/oidc_test.go
index 2ab78b972e..c68cb67736 100644
--- a/internal/api/oidc/integration_test/oidc_test.go
+++ b/internal/api/oidc/integration_test/oidc_test.go
@@ -90,7 +90,7 @@ func Test_ZITADEL_API_missing_audience_scope(t *testing.T) {
 func Test_ZITADEL_API_missing_authentication(t *testing.T) {
 clientID, _ := createClient(t, Instance)
 authRequestID := createAuthRequest(t, Instance, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope)
- createResp, err := Instance.Client.SessionV2.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Instance.Client.SessionV2.CreateSession(CTXLOGIN, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{UserId: User.GetUserId()},
diff --git a/internal/command/auth_request.go b/internal/command/auth_request.go
index 340155d11b..9355c5b54f 100644
--- a/internal/command/auth_request.go
+++ b/internal/command/auth_request.go
@@ -135,6 +135,11 @@ func (c *Commands) FailAuthRequest(ctx context.Context, id string, reason domain
 if writeModel.AuthRequestState != domain.AuthRequestStateAdded {
 return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sx202nt", "Errors.AuthRequest.AlreadyHandled")
 }
+ if authz.GetCtxData(ctx).UserID != writeModel.LoginClient {
+ if err := c.checkPermission(ctx, domain.PermissionSessionLink, writeModel.ResourceOwner, ""); err != nil {
+ return nil, nil, err
+ }
+ }
 err = c.pushAppendAndReduce(ctx, writeModel, authrequest.NewFailedEvent(
 ctx,
 &authrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate,
diff --git a/internal/command/auth_request_test.go b/internal/command/auth_request_test.go
index 590e4086f4..963cfb3338 100644
--- a/internal/command/auth_request_test.go
+++ b/internal/command/auth_request_test.go
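Review bot: In FailAuthRequest the new session.link check runs after the AlreadyHandled state check (and presumably after the not-found handling earlier in the body, which is outside the hunk), so a caller without the permission still learns from the returned error whether a given auth request id exists and is still pending before being denied; CancelDeviceAuth and FailSAMLRequest in this commit order their checks the same way. If that distinction matters, load the write model, run the permission check, then the state checks. The same-user bypass is a plain string comparison, so if `writeModel.LoginClient` can ever be empty a context carrying no user id would satisfy it and skip the permission check; `if writeModel.LoginClient == "" || authz.GetCtxData(ctx).UserID != writeModel.LoginClient {` keeps such requests on the permission path. FailAuthRequest's body starts and ends outside the hunk.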
@@ -893,7 +893,8 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { func TestCommands_FailAuthRequest(t *testing.T) { mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient") type fields struct { - eventstore func(*testing.T) *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore + checkPermission domain.PermissionCheck } type args struct { ctx context.Context @@ -927,6 +928,44 @@ func TestCommands_FailAuthRequest(t *testing.T) { wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sx202nt", "Errors.AuthRequest.AlreadyHandled"), }, }, + { + "missing permission", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + authrequest.NewAddedEvent(mockCtx, &authrequest.NewAggregate("V2_id", "instanceID").Aggregate, + "login", + "clientID", + "redirectURI", + "state", + "nonce", + []string{"openid"}, + []string{"audience"}, + domain.OIDCResponseTypeCode, + domain.OIDCResponseModeQuery, + nil, + nil, + nil, + nil, + nil, + nil, + true, + ), + ), + ), + ), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args{ + ctx: mockCtx, + id: "V2_id", + reason: domain.OIDCErrorReasonLoginRequired, + }, + res{ + wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, + }, { "failed", fields{ @@ -958,6 +997,7 @@ func TestCommands_FailAuthRequest(t *testing.T) { domain.OIDCErrorReasonLoginRequired), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: mockCtx, @@ -986,7 +1026,8 @@ func TestCommands_FailAuthRequest(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore(t), + eventstore: tt.fields.eventstore(t), + checkPermission: tt.fields.checkPermission, } details, got, err := c.FailAuthRequest(tt.args.ctx, tt.args.id, tt.args.reason) require.ErrorIs(t, err, tt.res.wantErr) 
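Review bot: The new "missing permission" case pins the denied path, but nothing in this hunk exercises the backwards-compatibility branch that skips the permission check when the caller is the request's login client: `mockCtx` carries user `"loginClient"` while the added event is created with `"login"`, so every case reaches `checkPermission`. Add a case whose `authrequest.NewAddedEvent` uses login client `"loginClient"`, sets `checkPermission: newMockPermissionCheckNotAllowed()`, and otherwise mirrors the `"failed"` case's push expectation and expected result, so a later refactor cannot silently drop the bypass or invert the comparison. TestCommands_FailAuthRequest continues outside the hunk.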
diff --git a/internal/command/device_auth.go b/internal/command/device_auth.go
index ef6b069cc9..7d4a0f2070 100644
--- a/internal/command/device_auth.go
+++ b/internal/command/device_auth.go
@@ -136,6 +136,9 @@ func (c *Commands) CancelDeviceAuth(ctx context.Context, id string, reason domai
 if !model.State.Exists() {
 return nil, zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound")
 }
+ if err := c.checkPermission(ctx, domain.PermissionSessionLink, model.ResourceOwner, ""); err != nil {
+ return nil, err
+ }
 pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewCanceledEvent(ctx, model.aggregate, reason))
 if err != nil {
 return nil, err
diff --git a/internal/command/device_auth_test.go b/internal/command/device_auth_test.go
index 021ae25d36..19c1601c88 100644
--- a/internal/command/device_auth_test.go
+++ b/internal/command/device_auth_test.go
@@ -578,7 +578,8 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 pushErr := errors.New("pushErr")
 
 type fields struct {
- eventstore func(*testing.T) *eventstore.Eventstore
+ eventstore func(*testing.T) *eventstore.Eventstore
+ checkPermission domain.PermissionCheck
 }
 type args struct {
 ctx context.Context
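Review bot: The added check in CancelDeviceAuth carries no comment explaining why a session.link grant is the gate for denying a device authorization, and unlike FailAuthRequest there is no same-login-client fallback here (the same holds for the check added to FailSAMLRequest), so a reader comparing the three will wonder whether the asymmetry is intentional. A one-line comment above each check, e.g. `// denying a device authorization is a login-flow action: session.link is always required (no same-login-client fallback, unlike FailAuthRequest)`, records the decision where it will be read. CancelDeviceAuth's body starts and ends outside the hunk.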
@@ -602,6 +603,26 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, wantErr: zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound"), }, + { + name: "missing permission, error", + fields: fields{ + eventstore: expectEventstore( + expectFilter(eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewAddedEvent( + ctx, + deviceauth.NewAggregate("123", "instance1"), + "client_id", "123", "456", now, + []string{"a", "b", "c"}, + []string{"projectID", "clientID"}, true, + ), + )), + ), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, + wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, { name: "push error", fields: fields{ @@ -623,6 +644,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, wantErr: pushErr, @@ -648,6 +670,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, wantDetails: &domain.ObjectDetails{ @@ -675,6 +698,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args: args{ctx, "123", domain.DeviceAuthCanceledExpired}, wantDetails: &domain.ObjectDetails{ @@ -685,7 +709,8 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore(t), + eventstore: tt.fields.eventstore(t), + checkPermission: tt.fields.checkPermission, } gotDetails, err := c.CancelDeviceAuth(tt.args.ctx, tt.args.id, tt.args.reason) require.ErrorIs(t, err, tt.wantErr) 
diff --git a/internal/command/saml_request.go b/internal/command/saml_request.go
index 17f56101ec..f5440d4e65 100644
--- a/internal/command/saml_request.go
+++ b/internal/command/saml_request.go
@@ -117,6 +117,9 @@ func (c *Commands) FailSAMLRequest(ctx context.Context, id string, reason domain
 if writeModel.SAMLRequestState != domain.SAMLRequestStateAdded {
 return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled")
 }
+ if err := c.checkPermission(ctx, domain.PermissionSessionLink, writeModel.ResourceOwner, ""); err != nil {
+ return nil, nil, err
+ }
 err = c.pushAppendAndReduce(ctx, writeModel, samlrequest.NewFailedEvent(
 ctx,
 &samlrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate,
diff --git a/internal/command/saml_request_test.go b/internal/command/saml_request_test.go
index 761edde8fb..4801de24ad 100644
--- a/internal/command/saml_request_test.go
+++ b/internal/command/saml_request_test.go
@@ -768,7 +768,8 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
 func TestCommands_FailSAMLRequest(t *testing.T) {
 mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient")
 type fields struct {
- eventstore func(t *testing.T) *eventstore.Eventstore
+ eventstore func(t *testing.T) *eventstore.Eventstore
+ checkPermission domain.PermissionCheck
 }
 type args struct {
 ctx context.Context
@@ -802,7 +803,39 @@ func TestCommands_FailSAMLRequest(t *testing.T) { res{ wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled"), }, - }, { + }, + { + "missing permission", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + samlrequest.NewAddedEvent(mockCtx, &samlrequest.NewAggregate("V2_id", "instanceID").Aggregate, + "login", + "application", + "acs", + "relaystate", + "request", + "binding", + "issuer", + "destination", + ), + ), + ), + ), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args{ + ctx: mockCtx, + id: "V2_id", + reason: domain.SAMLErrorReasonAuthNFailed, + description: "desc", + }, + res{ + wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, + }, + { "already failed", fields{ eventstore: expectEventstore( @@ -824,6 +857,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: mockCtx, @@ -859,6 +893,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: mockCtx, @@ -887,7 +922,8 @@ func TestCommands_FailSAMLRequest(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore(t), + eventstore: tt.fields.eventstore(t), + checkPermission: tt.fields.checkPermission, } details, got, err := c.FailSAMLRequest(tt.args.ctx, tt.args.id, tt.args.reason) require.ErrorIs(t, err, tt.res.wantErr) diff --git a/internal/command/session.go b/internal/command/session.go index 3c06c22967..87eb56139b 100644 --- a/internal/command/session.go +++ b/internal/command/session.go 
@@ -285,7 +285,13 @@ func (s *SessionCommands) commands(ctx context.Context) (string, []eventstore.Co
 return token, s.eventCommands, nil
 }
 
-func (c *Commands) CreateSession(ctx context.Context, cmds []SessionCommand, metadata map[string][]byte, userAgent *domain.UserAgent, lifetime time.Duration) (set *SessionChanged, err error) {
+func (c *Commands) CreateSession(
+ ctx context.Context,
+ cmds []SessionCommand,
+ metadata map[string][]byte,
+ userAgent *domain.UserAgent,
+ lifetime time.Duration,
+) (set *SessionChanged, err error) {
 sessionID, err := c.idGenerator.Next()
 if err != nil {
 return nil, err
@@ -295,17 +301,29 @@ func (c *Commands) CreateSession(ctx context.Context, cmds []SessionCommand, met
 if err != nil {
 return nil, err
 }
+ if err = c.checkSessionWritePermission(ctx, sessionWriteModel, ""); err != nil {
+ return nil, err
+ }
 cmd := c.NewSessionCommands(cmds, sessionWriteModel)
 cmd.Start(ctx, userAgent)
 return c.updateSession(ctx, cmd, metadata, lifetime)
 }
 
-func (c *Commands) UpdateSession(ctx context.Context, sessionID string, cmds []SessionCommand, metadata map[string][]byte, lifetime time.Duration) (set *SessionChanged, err error) {
+func (c *Commands) UpdateSession(
+ ctx context.Context,
+ sessionID, sessionToken string,
+ cmds []SessionCommand,
+ metadata map[string][]byte,
+ lifetime time.Duration,
+) (set *SessionChanged, err error) {
 sessionWriteModel := NewSessionWriteModel(sessionID, authz.GetInstance(ctx).InstanceID())
 err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel)
 if err != nil {
 return nil, err
 }
+ if err = c.checkSessionWritePermission(ctx, sessionWriteModel, sessionToken); err != nil {
+ return nil, err
+ }
 cmd := c.NewSessionCommands(cmds, sessionWriteModel)
 return c.updateSession(ctx, cmd, metadata, lifetime)
 }
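Review bot: CreateSession and UpdateSession are exported and their authorization contract changed in this commit, yet neither gets a doc comment, so a caller cannot tell from the signature that `sessionToken` may be empty or what an empty value implies. Suggested for UpdateSession: `// UpdateSession applies cmds to the session identified by sessionID. The caller must either pass the session's current token as sessionToken or, when it is empty, hold the session.write permission on the session user's resource owner.`; and for CreateSession a matching line stating that it always requires session.write, checked on the instance because a new session has no user yet. Both checks sit before `cmd.Start` and `updateSession`, which is the right place for them; only the documentation is missing.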
@@ -380,6 +398,21 @@ func (c *Commands) updateSession(ctx context.Context, checks *SessionCommands, m
 return changed, nil
 }
 
+// checkSessionWritePermission will check that the provided sessionToken is correct or
+// if empty, check that the caller is granted the "session.write" permission on the resource owner of the authenticated user.
+// In case the user is not set and the userResourceOwner is not set (also the case for the session creation),
+// it will check permission on the instance.
+func (c *Commands) checkSessionWritePermission(ctx context.Context, model *SessionWriteModel, sessionToken string) error {
+ if sessionToken != "" {
+ return c.sessionTokenVerifier(ctx, sessionToken, model.AggregateID, model.TokenID)
+ }
+ userResourceOwner, err := c.sessionUserResourceOwner(ctx, model)
+ if err != nil {
+ return err
+ }
+ return c.checkPermission(ctx, domain.PermissionSessionWrite, userResourceOwner, model.UserID)
+}
+
 // checkSessionTerminationPermission will check that the provided sessionToken is correct or
 // if empty, check that the caller is either terminating the own session or
 // is granted the "session.delete" permission on the resource owner of the authenticated user.
diff --git a/internal/command/session_test.go b/internal/command/session_test.go
index e65f32fb57..630feeea1a 100644
--- a/internal/command/session_test.go
+++ b/internal/command/session_test.go
@@ -145,8 +145,9 @@ func TestSessionCommands_getHumanWriteModel(t *testing.T) {
 
 func TestCommands_CreateSession(t *testing.T) {
 type fields struct {
- idGenerator id.Generator
- tokenCreator func(sessionID string) (string, string, error)
+ idGenerator id.Generator
+ tokenCreator func(sessionID string) (string, string, error)
+ checkPermission domain.PermissionCheck
 }
 type args struct {
 ctx context.Context
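Review bot: When `sessionToken` is non-empty, checkSessionWritePermission delegates entirely to `sessionTokenVerifier` with `model.TokenID` as the expected id, so for a session that was not found or never had a token set the expected value is the empty string; whether the verifier rejects that or could treat an empty expectation as satisfied is not visible here and is worth confirming. An explicit guard makes the intent independent of the verifier's handling: `if sessionToken != "" && model.TokenID == "" { return zerrors.ThrowPermissionDenied(nil, "COMMAND-<new-id>", "Errors.Session.Token.Invalid") }` (placeholder error id). The doc comment could also state that a provided but invalid token fails closed rather than falling back to the permission check, since that is the behaviour the code implements and the one callers should rely on.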
@@ -194,6 +195,22 @@ func TestCommands_CreateSession(t *testing.T) { err: zerrors.ThrowInternal(nil, "id", "filter failed"), }, }, + { + "missing permission", + fields{ + idGenerator: mock.NewIDGeneratorExpectIDs(t, "sessionID"), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args{ + ctx: context.Background(), + }, + []expect{ + expectFilter(), + }, + res{ + err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, + }, { "negative lifetime", fields{ @@ -203,6 +220,7 @@ func TestCommands_CreateSession(t *testing.T) { "token", nil }, + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: authz.NewMockContext("instance1", "", ""), @@ -230,6 +248,7 @@ func TestCommands_CreateSession(t *testing.T) { "token", nil }, + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: authz.NewMockContext("instance1", "", ""), @@ -275,6 +294,7 @@ func TestCommands_CreateSession(t *testing.T) { eventstore: expectEventstore(tt.expect...)(t), idGenerator: tt.fields.idGenerator, sessionTokenCreator: tt.fields.tokenCreator, + checkPermission: tt.fields.checkPermission, } got, err := c.CreateSession(tt.args.ctx, tt.args.checks, tt.args.metadata, tt.args.userAgent, tt.args.lifetime) require.ErrorIs(t, err, tt.res.err) 
@@ -285,15 +305,17 @@ func TestCommands_CreateSession(t *testing.T) { func TestCommands_UpdateSession(t *testing.T) { type fields struct { - eventstore func(*testing.T) *eventstore.Eventstore - tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) + eventstore func(*testing.T) *eventstore.Eventstore + tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) + checkPermission domain.PermissionCheck } type args struct { - ctx context.Context - sessionID string - checks []SessionCommand - metadata map[string][]byte - lifetime time.Duration + ctx context.Context + sessionID string + sessionToken string + checks []SessionCommand + metadata map[string][]byte + lifetime time.Duration } type res struct { want *SessionChanged 
@@ -319,6 +341,67 @@ func TestCommands_UpdateSession(t *testing.T) { err: zerrors.ThrowInternal(nil, "id", "filter failed"), }, }, + { + "invalid session token", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + session.NewAddedEvent(context.Background(), + &session.NewAggregate("sessionID", "instance1").Aggregate, + &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + )), + eventFromEventPusher( + session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, + "tokenID")), + ), + ), + tokenVerifier: newMockTokenVerifierInvalid(), + }, + args{ + ctx: context.Background(), + sessionID: "sessionID", + sessionToken: "invalid", + }, + res{ + err: zerrors.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid"), + }, + }, + { + "no token, no permission", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + session.NewAddedEvent(context.Background(), + &session.NewAggregate("sessionID", "instance1").Aggregate, + &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + )), + eventFromEventPusher( + session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, + "tokenID")), + ), + ), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args{ + ctx: context.Background(), + sessionID: "sessionID", + }, + res{ + err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, + }, { "no change", fields{ @@ -344,8 +427,9 @@ func TestCommands_UpdateSession(t *testing.T) { }, }, args{ - ctx: context.Background(), - sessionID: "sessionID", + ctx: context.Background(), + sessionID: "sessionID", + sessionToken: "token", }, res{ want: &SessionChanged{ 
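Review bot: The two added UpdateSession cases pin the denial paths (invalid token; no token and no permission), but within this hunk there is no positive case for an empty `sessionToken` with `checkPermission: newMockPermissionCheckAllowed()`, and the existing `"no change"` case was switched to `sessionToken: "token"`, so the permission-only path is only shown to fail, never to succeed. Unless such a case exists outside the hunk, add one mirroring `"no change"` with no token and `checkPermission: newMockPermissionCheckAllowed()`, expecting the same `want`; without it a regression that denies every tokenless update would pass this table. TestCommands_UpdateSession continues outside the hunk.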
@@ -364,8 +448,9 @@ func TestCommands_UpdateSession(t *testing.T) { c := &Commands{ eventstore: tt.fields.eventstore(t), sessionTokenVerifier: tt.fields.tokenVerifier, + checkPermission: tt.fields.checkPermission, } - got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.checks, tt.args.metadata, tt.args.lifetime) + got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.sessionToken, tt.args.checks, tt.args.metadata, tt.args.lifetime) require.ErrorIs(t, err, tt.res.err) assert.Equal(t, tt.res.want, got) })