feat: port reduction (#323)

* move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto
2025-08-12 03:47:33 +00:00 · 2020-07-08 13:56:37 +02:00
parent 708652a655
commit 3549a8b64e
330 changed files with 30495 additions and 30809 deletions
--- a/internal/api/authz/authorization.go
+++ b/internal/api/authz/authorization.go
@@ -0,0 +1,110 @@
+package authz
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"strings"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+const (
+	authenticated = "authenticated"
+)
+
+func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID string, verifier *TokenVerifier, authConfig Config, requiredAuthOption Option, method string) (context.Context, error) {
+	ctx, err := VerifyTokenAndWriteCtxData(ctx, token, orgID, verifier, method)
+	if err != nil {
+		return nil, err
+	}
+
+	var perms []string
+	if requiredAuthOption.Permission == authenticated {
+		return ctx, nil
+	}
+
+	ctx, perms, err = getUserMethodPermissions(ctx, verifier, requiredAuthOption.Permission, authConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	err = checkUserPermissions(req, perms, requiredAuthOption)
+	if err != nil {
+		return nil, err
+	}
+
+	return ctx, nil
+}
+
+func checkUserPermissions(req interface{}, userPerms []string, authOpt Option) error {
+	if len(userPerms) == 0 {
+		return errors.ThrowPermissionDenied(nil, "AUTH-5mWD2", "No matching permissions found")
+	}
+
+	if authOpt.CheckParam == "" {
+		return nil
+	}
+
+	if HasGlobalPermission(userPerms) {
+		return nil
+	}
+
+	if hasContextPermission(req, authOpt.CheckParam, userPerms) {
+		return nil
+	}
+
+	return errors.ThrowPermissionDenied(nil, "AUTH-3jknH", "No matching permissions found")
+}
+
+func SplitPermission(perm string) (string, string) {
+	splittedPerm := strings.Split(perm, ":")
+	if len(splittedPerm) == 1 {
+		return splittedPerm[0], ""
+	}
+	return splittedPerm[0], splittedPerm[1]
+}
+
+func hasContextPermission(req interface{}, fieldName string, permissions []string) bool {
+	for _, perm := range permissions {
+		_, ctxID := SplitPermission(perm)
+		if checkPermissionContext(req, fieldName, ctxID) {
+			return true
+		}
+	}
+	return false
+}
+
+func checkPermissionContext(req interface{}, fieldName, roleContextID string) bool {
+	field := getFieldFromReq(req, fieldName)
+	return field != "" && field == roleContextID
+}
+
+func getFieldFromReq(req interface{}, field string) string {
+	v := reflect.Indirect(reflect.ValueOf(req)).FieldByName(field)
+	if reflect.ValueOf(v).IsZero() {
+		return ""
+	}
+	return fmt.Sprintf("%v", v.Interface())
+}
+
+func HasGlobalPermission(perms []string) bool {
+	for _, perm := range perms {
+		_, ctxID := SplitPermission(perm)
+		if ctxID == "" {
+			return true
+		}
+	}
+	return false
+}
+
+func GetPermissionCtxIDs(perms []string) []string {
+	ctxIDs := make([]string, 0)
+	for _, perm := range perms {
+		_, ctxID := SplitPermission(perm)
+		if ctxID != "" {
+			ctxIDs = append(ctxIDs, ctxID)
+		}
+	}
+	return ctxIDs
+}