feat: port reduction (#323)

* move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto
2025-08-11 21:17:32 +00:00 · 2020-07-08 13:56:37 +02:00
parent 708652a655
commit 3549a8b64e
330 changed files with 30495 additions and 30809 deletions
--- a/internal/api/authz/permissions.go
+++ b/internal/api/authz/permissions.go
@@ -0,0 +1,63 @@
+package authz
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPerm string, authConfig Config) (context.Context, []string, error) {
+	ctxData := GetCtxData(ctx)
+	if ctxData.IsZero() {
+		return nil, nil, errors.ThrowUnauthenticated(nil, "AUTH-rKLWEH", "context missing")
+	}
+	grant, err := t.ResolveGrant(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+	if grant == nil {
+		return context.WithValue(ctx, permissionsKey, []string{}), []string{}, nil
+	}
+	permissions := mapGrantToPermissions(requiredPerm, grant, authConfig)
+	return context.WithValue(ctx, permissionsKey, permissions), permissions, nil
+}
+
+func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig Config) []string {
+	resolvedPermissions := make([]string, 0)
+	for _, role := range grant.Roles {
+		resolvedPermissions = mapRoleToPerm(requiredPerm, role, authConfig, resolvedPermissions)
+	}
+
+	return resolvedPermissions
+}
+
+func mapRoleToPerm(requiredPerm, actualRole string, authConfig Config, resolvedPermissions []string) []string {
+	roleName, roleContextID := SplitPermission(actualRole)
+	perms := authConfig.getPermissionsFromRole(roleName)
+
+	for _, p := range perms {
+		if p == requiredPerm {
+			p = addRoleContextIDToPerm(p, roleContextID)
+			if !ExistsPerm(resolvedPermissions, p) {
+				resolvedPermissions = append(resolvedPermissions, p)
+			}
+		}
+	}
+	return resolvedPermissions
+}
+
+func addRoleContextIDToPerm(perm, roleContextID string) string {
+	if roleContextID != "" {
+		perm = perm + ":" + roleContextID
+	}
+	return perm
+}
+
+func ExistsPerm(existing []string, perm string) bool {
+	for _, e := range existing {
+		if e == perm {
+			return true
+		}
+	}
+	return false
+}