feat: system api requires authenticated requests (#3570)

* begin auth

* feat: system api requires authenticated requests

* fix tests

internal/api/grpc/server/middleware/auth_interceptor.go

@@ -15,10 +15,6 @@ import (
 
 func AuthorizationInterceptor(verifier *authz.TokenVerifier, authConfig authz.Config) grpc.UnaryServerInterceptor {
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
-		//TODO: Change as soon as we know how to authenticate system api
-		if verifier == nil {
-			return handler(ctx, req)
-		}
 		return authorize(ctx, req, info, handler, verifier, authConfig)
 	}
 }

internal/api/grpc/server/middleware/auth_interceptor_test.go

@@ -65,7 +65,7 @@ func Test_authorize(t *testing.T) {
 				info:    mockInfo("/no/token/needed"),
 				handler: emptyMockHandler,
 				verifier: func() *authz.TokenVerifier {
-					verifier := authz.Start(&verifierMock{})
+					verifier := authz.Start(&verifierMock{}, "", nil)
 					verifier.RegisterServer("need", "need", authz.MethodMapping{})
 					return verifier
 				}(),
@@ -84,7 +84,7 @@ func Test_authorize(t *testing.T) {
 				info:    mockInfo("/need/authentication"),
 				handler: emptyMockHandler,
 				verifier: func() *authz.TokenVerifier {
-					verifier := authz.Start(&verifierMock{})
+					verifier := authz.Start(&verifierMock{}, "", nil)
 					verifier.RegisterServer("need", "need", authz.MethodMapping{"/need/authentication": authz.Option{Permission: "authenticated"}})
 					return verifier
 				}(),
@@ -104,7 +104,7 @@ func Test_authorize(t *testing.T) {
 				info:    mockInfo("/need/authentication"),
 				handler: emptyMockHandler,
 				verifier: func() *authz.TokenVerifier {
-					verifier := authz.Start(&verifierMock{})
+					verifier := authz.Start(&verifierMock{}, "", nil)
 					verifier.RegisterServer("need", "need", authz.MethodMapping{"/need/authentication": authz.Option{Permission: "authenticated"}})
 					return verifier
 				}(),
@@ -124,7 +124,7 @@ func Test_authorize(t *testing.T) {
 				info:    mockInfo("/need/authentication"),
 				handler: emptyMockHandler,
 				verifier: func() *authz.TokenVerifier {
-					verifier := authz.Start(&verifierMock{})
+					verifier := authz.Start(&verifierMock{}, "", nil)
 					verifier.RegisterServer("need", "need", authz.MethodMapping{"/need/authentication": authz.Option{Permission: "authenticated"}})
 					return verifier
 				}(),

internal/api/grpc/server/middleware/instance_interceptor.go

@@ -28,6 +28,9 @@ func setInstance(ctx context.Context, req interface{}, info *grpc.UnaryServerInf
 	interceptorCtx, span := tracing.NewServerInterceptorSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 	for _, service := range ignoredServices {
+		if !strings.HasPrefix(service, "/") {
+			service = "/" + service
+		}
 		if strings.HasPrefix(info.FullMethod, service) {
 			return handler(ctx, req)
 		}

internal/api/grpc/server/server.go

@@ -9,6 +9,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/grpc/server/middleware"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/telemetry/metrics"
+	system_pb "github.com/zitadel/zitadel/pkg/grpc/system"
 )
 
 type Server interface {
@@ -29,8 +30,7 @@ func CreateServer(verifier *authz.TokenVerifier, authConfig authz.Config, querie
 				middleware.SentryHandler(),
 				middleware.NoCacheInterceptor(),
 				middleware.ErrorHandler(),
-				//TODO: Handle Ignored Services
-				middleware.InstanceInterceptor(queries, hostHeaderName, "/zitadel.system.v1.SystemService"),
+				middleware.InstanceInterceptor(queries, hostHeaderName, system_pb.SystemService_MethodPrefix),
 				middleware.AuthorizationInterceptor(verifier, authConfig),
 				middleware.TranslationHandler(),
 				middleware.ValidationHandler(),