TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:07:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: generalise permission check for query user information (#8458)

Browse Source 
# Which Problems Are Solved

IDPLinks list and other list endpoints can provide you with empty
results if the used user has no permission for the information.

# How the Problems Are Solved

List endpoints with subelements to users, and provided userIDQuery, will
return a PermissionDenied error if no permission for the user exsists.

# Additional Changes

Function to check for permission is re-used from the GetUserByID.

# Additional Context

Closes #8451
This commit is contained in:
Stefan Benz
2024-08-23 08:44:18 +02:00
committed by GitHub
parent 8051a63147
commit 2847806531
27 changed files with 552 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

165
internal/query/user_auth_method_test.go
View File

@@ -10,11 +10,176 @@ import (
"testing"
sq "github.com/Masterminds/squirrel"
"github.com/stretchr/testify/require"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/zerrors"
)
func TestUser_authMethodsCheckPermission(t *testing.T) {
type want struct {
methods []*AuthMethod
}
type args struct {
user string
methods *AuthMethods
}
tests := []struct {
name string
args args
want want
permissions []string
}{
{
"permissions for all users",
args{
"none",
&AuthMethods{
AuthMethods: []*AuthMethod{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
methods: []*AuthMethod{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
[]string{"first", "second", "third"},
},
{
"permissions for one user, first",
args{
"none",
&AuthMethods{
AuthMethods: []*AuthMethod{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
methods: []*AuthMethod{
{UserID: "first"},
},
},
[]string{"first"},
},
{
"permissions for one user, second",
args{
"none",
&AuthMethods{
AuthMethods: []*AuthMethod{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
methods: []*AuthMethod{
{UserID: "second"},
},
},
[]string{"second"},
},
{
"permissions for one user, third",
args{
"none",
&AuthMethods{
AuthMethods: []*AuthMethod{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
methods: []*AuthMethod{
{UserID: "third"},
},
},
[]string{"third"},
},
{
"permissions for two users, first",
args{
"none",
&AuthMethods{
AuthMethods: []*AuthMethod{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
methods: []*AuthMethod{
{UserID: "first"}, {UserID: "third"},
},
},
[]string{"first", "third"},
},
{
"permissions for two users, second",
args{
"none",
&AuthMethods{
AuthMethods: []*AuthMethod{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
methods: []*AuthMethod{
{UserID: "second"}, {UserID: "third"},
},
},
[]string{"second", "third"},
},
{
"no permissions",
args{
"none",
&AuthMethods{
AuthMethods: []*AuthMethod{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
methods: []*AuthMethod{},
},
[]string{},
},
{
"no permissions, self",
args{
"second",
&AuthMethods{
AuthMethods: []*AuthMethod{
{UserID: "first"}, {UserID: "second"}, {UserID: "third"},
},
},
},
want{
methods: []*AuthMethod{{UserID: "second"}},
},
[]string{},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
checkPermission := func(ctx context.Context, permission, orgID, resourceID string) (err error) {
for _, perm := range tt.permissions {
if resourceID == perm {
return nil
}
}
return errors.New("failed")
}
authMethodsCheckPermission(authz.SetCtxData(context.Background(), authz.CtxData{UserID: tt.args.user}), tt.args.methods, checkPermission)
require.Equal(t, tt.want.methods, tt.args.methods.AuthMethods)
})
}
}
var (
prepareUserAuthMethodsStmt = `SELECT projections.user_auth_methods4.token_id,` +
` projections.user_auth_methods4.creation_date,` +