TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:17:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: generalise permission check for query user information (#8458)

Browse Source 
# Which Problems Are Solved

IDPLinks list and other list endpoints can provide you with empty
results if the used user has no permission for the information.

# How the Problems Are Solved

List endpoints with subelements to users, and provided userIDQuery, will
return a PermissionDenied error if no permission for the user exsists.

# Additional Changes

Function to check for permission is re-used from the GetUserByID.

# Additional Context

Closes #8451
This commit is contained in:
Stefan Benz
2024-08-23 08:44:18 +02:00
committed by GitHub
parent 8051a63147
commit 2847806531
27 changed files with 552 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

167
internal/query/idp_user_link_test.go
View File

@@ -1,6 +1,7 @@
package query
import (
"context"
"database/sql"
"database/sql/driver"
"errors"
@@ -8,9 +9,175 @@ import (
"regexp"
"testing"
"github.com/stretchr/testify/require"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/domain"
)
func TestUser_idpLinksCheckPermission(t *testing.T) {
type want struct {
links []*IDPUserLink
}
type args struct {
user string
links *IDPUserLinks
}
tests := []struct {
name string
args args
want want
permissions []string
}{
{
"permissions for all users",
args{
"none",
&IDPUserLinks{
Links: []*IDPUserLink{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
links: []*IDPUserLink{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
[]string{"first", "second", "third"},
},
{
"permissions for one user, first",
args{
"none",
&IDPUserLinks{
Links: []*IDPUserLink{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
links: []*IDPUserLink{
{UserID: "first"},
},
},
[]string{"first"},
},
{
"permissions for one user, second",
args{
"none",
&IDPUserLinks{
Links: []*IDPUserLink{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
links: []*IDPUserLink{
{UserID: "second"},
},
},
[]string{"second"},
},
{
"permissions for one user, third",
args{
"none",
&IDPUserLinks{
Links: []*IDPUserLink{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
links: []*IDPUserLink{
{UserID: "third"},
},
},
[]string{"third"},
},
{
"permissions for two users, first",
args{
"none",
&IDPUserLinks{
Links: []*IDPUserLink{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
links: []*IDPUserLink{
{UserID: "first"}, {UserID: "third"},
},
},
[]string{"first", "third"},
},
{
"permissions for two users, second",
args{
"none",
&IDPUserLinks{
Links: []*IDPUserLink{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
links: []*IDPUserLink{
{UserID: "second"}, {UserID: "third"},
},
},
[]string{"second", "third"},
},
{
"no permissions",
args{
"none",
&IDPUserLinks{
Links: []*IDPUserLink{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
links: []*IDPUserLink{},
},
[]string{},
},
{
"no permissions, self",
args{
"second",
&IDPUserLinks{
Links: []*IDPUserLink{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
links: []*IDPUserLink{{UserID: "second"}},
},
[]string{},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
checkPermission := func(ctx context.Context, permission, orgID, resourceID string) (err error) {
for _, perm := range tt.permissions {
if resourceID == perm {
return nil
}
}
return errors.New("failed")
}
idpLinksCheckPermission(authz.SetCtxData(context.Background(), authz.CtxData{UserID: tt.args.user}), tt.args.links, checkPermission)
require.Equal(t, tt.want.links, tt.args.links.Links)
})
}
}
var (
idpUserLinksQuery = regexp.QuoteMeta(`SELECT projections.idp_user_links3.idp_id,` +
` projections.idp_user_links3.user_id,` +