feat: port reduction (#323)

* move mgmt pkg

* begin package restructure

* rename auth package to authz

* begin start api

* move auth

* move admin

* fix merge

* configs and interceptors

* interceptor

* revert generate-grpc.sh

* some cleanups

* console

* move console

* fix tests and merging

* js linting

* merge

* merging and configs

* change k8s base to current ports

* fixes

* cleanup

* regenerate proto

* remove unnecessary whitespace

* missing param

* go mod tidy

* fix merging

* move login pkg

* cleanup

* move api pkgs again

* fix pkg naming

* fix generate-static.sh for login

* update workflow

* fixes

* logging

* remove duplicate

* comment for optional gateway interfaces

* regenerate protos

* fix proto imports for grpc web

* protos

* grpc web generate

* grpc web generate

* fix changes

* add translation interceptor

* fix merging

* regenerate mgmt proto

internal/api/grpc/server/middleware/auth_interceptor.go

@@ -2,37 +2,39 @@ package middleware
 
 import (
 	"context"
+
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 
-	"github.com/caos/zitadel/internal/api"
-	"github.com/caos/zitadel/internal/api/auth"
+	"github.com/caos/zitadel/internal/api/authz"
 	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/http"
 )
 
-func AuthorizationInterceptor(verifier auth.TokenVerifier, authConfig *auth.Config, authMethods auth.MethodMapping) func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+func AuthorizationInterceptor(verifier *authz.TokenVerifier, authConfig authz.Config) grpc.UnaryServerInterceptor {
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
-		authOpt, needsToken := authMethods[info.FullMethod]
-		if !needsToken {
-			return handler(ctx, req)
-		}
-
-		authToken := ""
-		//TODO: Remove check internal as soon as authentification is implemented
-		if !auth.CheckInternal(ctx) {
-			authToken = grpc_util.GetAuthorizationHeader(ctx)
-			if authToken == "" {
-				return nil, status.Error(codes.Unauthenticated, "auth header missing")
-			}
-		}
-		orgID := grpc_util.GetHeader(ctx, api.ZitadelOrgID)
-
-		ctx, err := auth.CheckUserAuthorization(ctx, req, authToken, orgID, verifier, authConfig, authOpt)
-		if err != nil {
-			return nil, err
-		}
-
-		return handler(ctx, req)
+		return authorize(ctx, req, info, handler, verifier, authConfig)
 	}
 }
+
+func authorize(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler, verifier *authz.TokenVerifier, authConfig authz.Config) (interface{}, error) {
+	authOpt, needsToken := verifier.CheckAuthMethod(info.FullMethod)
+	if !needsToken {
+		return handler(ctx, req)
+	}
+
+	authToken := grpc_util.GetAuthorizationHeader(ctx)
+	if authToken == "" {
+		return nil, status.Error(codes.Unauthenticated, "auth header missing")
+	}
+
+	orgID := grpc_util.GetHeader(ctx, http.ZitadelOrgID)
+
+	ctx, err := authz.CheckUserAuthorization(ctx, req, authToken, orgID, verifier, authConfig, authOpt, info.FullMethod)
+	if err != nil {
+		return nil, err
+	}
+
+	return handler(ctx, req)
+}

internal/api/grpc/server/middleware/auth_interceptor_test.go

@@ -0,0 +1,148 @@
+package middleware
+
+import (
+	"context"
+	"reflect"
+	"testing"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+
+	"github.com/caos/zitadel/internal/api/authz"
+)
+
+var (
+	mockMethods = authz.MethodMapping{
+		"need.authentication": authz.Option{
+			Permission: "authenticated",
+		},
+	}
+)
+
+type verifierMock struct{}
+
+func (v *verifierMock) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, error) {
+	return "", "", nil
+}
+func (v *verifierMock) ResolveGrants(ctx context.Context) (*authz.Grant, error) {
+	return nil, nil
+}
+func (v *verifierMock) ProjectIDByClientID(ctx context.Context, clientID string) (string, error) {
+	return "", nil
+}
+func (v *verifierMock) VerifierClientID(ctx context.Context, appName string) (string, error) {
+	return "", nil
+}
+
+func Test_authorize(t *testing.T) {
+	type args struct {
+		ctx         context.Context
+		req         interface{}
+		info        *grpc.UnaryServerInfo
+		handler     grpc.UnaryHandler
+		verifier    *authz.TokenVerifier
+		authConfig  authz.Config
+		authMethods authz.MethodMapping
+	}
+	type res struct {
+		want    interface{}
+		wantErr bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			"no token needed ok",
+			args{
+				ctx:     context.Background(),
+				req:     &mockReq{},
+				info:    mockInfo("/no/token/needed"),
+				handler: emptyMockHandler,
+				verifier: func() *authz.TokenVerifier {
+					verifier := authz.Start(&verifierMock{})
+					verifier.RegisterServer("need", "need", authz.MethodMapping{})
+					return verifier
+				}(),
+				authMethods: mockMethods,
+			},
+			res{
+				&mockReq{},
+				false,
+			},
+		},
+		{
+			"auth header missing error",
+			args{
+				ctx:     context.Background(),
+				req:     &mockReq{},
+				info:    mockInfo("/need/authentication"),
+				handler: emptyMockHandler,
+				verifier: func() *authz.TokenVerifier {
+					verifier := authz.Start(&verifierMock{})
+					verifier.RegisterServer("need", "need", authz.MethodMapping{"/need/authentication": authz.Option{Permission: "authenticated"}})
+					return verifier
+				}(),
+				authConfig:  authz.Config{},
+				authMethods: mockMethods,
+			},
+			res{
+				nil,
+				true,
+			},
+		},
+		{
+			"unauthorized error",
+			args{
+				ctx:     metadata.NewIncomingContext(context.Background(), metadata.Pairs("authorization", "wrong")),
+				req:     &mockReq{},
+				info:    mockInfo("/need/authentication"),
+				handler: emptyMockHandler,
+				verifier: func() *authz.TokenVerifier {
+					verifier := authz.Start(&verifierMock{})
+					verifier.RegisterServer("need", "need", authz.MethodMapping{"/need/authentication": authz.Option{Permission: "authenticated"}})
+					return verifier
+				}(),
+				authConfig:  authz.Config{},
+				authMethods: mockMethods,
+			},
+			res{
+				nil,
+				true,
+			},
+		},
+		{
+			"authorized ok",
+			args{
+				ctx:     metadata.NewIncomingContext(context.Background(), metadata.Pairs("authorization", "Bearer token")),
+				req:     &mockReq{},
+				info:    mockInfo("/need/authentication"),
+				handler: emptyMockHandler,
+				verifier: func() *authz.TokenVerifier {
+					verifier := authz.Start(&verifierMock{})
+					verifier.RegisterServer("need", "need", authz.MethodMapping{"/need/authentication": authz.Option{Permission: "authenticated"}})
+					return verifier
+				}(),
+				authConfig:  authz.Config{},
+				authMethods: mockMethods,
+			},
+			res{
+				&mockReq{},
+				false,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := authorize(tt.args.ctx, tt.args.req, tt.args.info, tt.args.handler, tt.args.verifier, tt.args.authConfig)
+			if (err != nil) != tt.res.wantErr {
+				t.Errorf("authorize() error = %v, wantErr %v", err, tt.res.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.res.want) {
+				t.Errorf("authorize() got = %v, want %v", got, tt.res.want)
+			}
+		})
+	}
+}

internal/api/grpc/server/middleware/error_interceptor.go

@@ -4,18 +4,22 @@ import (
 	"context"
 
 	"golang.org/x/text/language"
-
 	"google.golang.org/grpc"
 
 	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/i18n"
 	_ "github.com/caos/zitadel/internal/statik"
 )
 
-func ErrorHandler(defaultLanguage language.Tag) func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+func ErrorHandler(defaultLanguage language.Tag) grpc.UnaryServerInterceptor {
 	translator := newZitadelTranslator(defaultLanguage)
 
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
-		resp, err := handler(ctx, req)
-		return resp, grpc_util.CaosToGRPCError(err, ctx, translator)
+		return toGRPCError(ctx, req, handler, translator)
 	}
 }
+
+func toGRPCError(ctx context.Context, req interface{}, handler grpc.UnaryHandler, translator *i18n.Translator) (interface{}, error) {
+	resp, err := handler(ctx, req)
+	return resp, grpc_util.CaosToGRPCError(ctx, err, translator)
+}

internal/api/grpc/server/middleware/error_interceptor_test.go

@@ -0,0 +1,63 @@
+package middleware
+
+import (
+	"context"
+	"reflect"
+	"testing"
+
+	"google.golang.org/grpc"
+)
+
+func Test_toGRPCError(t *testing.T) {
+	type args struct {
+		ctx     context.Context
+		req     interface{}
+		handler grpc.UnaryHandler
+	}
+	type res struct {
+		want    interface{}
+		wantErr bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			"no error",
+			args{
+				ctx:     context.Background(),
+				req:     &mockReq{},
+				handler: emptyMockHandler,
+			},
+			res{
+				&mockReq{},
+				false,
+			},
+		},
+		{
+			"error",
+			args{
+				ctx:     context.Background(),
+				req:     &mockReq{},
+				handler: errorMockHandler,
+			},
+			res{
+				nil,
+				true,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := toGRPCError(tt.args.ctx, tt.args.req, tt.args.handler, nil)
+			if (err != nil) != tt.res.wantErr {
+				t.Errorf("toGRPCError() error = %v, wantErr %v", err, tt.res.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.res.want) {
+				t.Errorf("toGRPCError() got = %v, want %v", got, tt.res.want)
+			}
+		})
+	}
+}

internal/api/grpc/server/middleware/mock_test.go

@@ -0,0 +1,26 @@
+package middleware
+
+import (
+	"context"
+
+	"google.golang.org/grpc"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+func emptyMockHandler(_ context.Context, req interface{}) (interface{}, error) {
+	return req, nil
+}
+
+func errorMockHandler(_ context.Context, req interface{}) (interface{}, error) {
+	return nil, errors.ThrowInternal(nil, "test", "error")
+}
+
+type mockReq struct{}
+
+func mockInfo(path string) *grpc.UnaryServerInfo {
+	return &grpc.UnaryServerInfo{
+		Server:     nil,
+		FullMethod: path,
+	}
+}

internal/api/grpc/server/middleware/tracing.go

@@ -9,13 +9,28 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/stats"
 
+	"github.com/caos/zitadel/internal/api/http"
 	"github.com/caos/zitadel/internal/tracing"
 )
 
 type GRPCMethod string
 
 func TracingStatsServer(ignoredMethods ...GRPCMethod) grpc.ServerOption {
-	return grpc.StatsHandler(&tracingServerHandler{ignoredMethods, ocgrpc.ServerHandler{StartOptions: trace.StartOptions{Sampler: tracing.Sampler(), SpanKind: trace.SpanKindServer}}})
+	return grpc.StatsHandler(
+		&tracingServerHandler{
+			ignoredMethods,
+			ocgrpc.ServerHandler{
+				StartOptions: trace.StartOptions{
+					Sampler:  tracing.Sampler(),
+					SpanKind: trace.SpanKindServer,
+				},
+			},
+		},
+	)
+}
+
+func DefaultTracingStatsServer() grpc.ServerOption {
+	return TracingStatsServer(http.Healthz, http.Readiness, http.Validation)
 }
 
 type tracingServerHandler struct {

internal/api/grpc/server/middleware/tracing_test.go

@@ -0,0 +1,71 @@
+package middleware
+
+import (
+	"context"
+	"testing"
+
+	"go.opencensus.io/plugin/ocgrpc"
+	"go.opencensus.io/trace"
+	"google.golang.org/grpc/stats"
+)
+
+func Test_tracingServerHandler_TagRPC(t *testing.T) {
+	type fields struct {
+		IgnoredMethods []GRPCMethod
+		ServerHandler  ocgrpc.ServerHandler
+	}
+	type args struct {
+		ctx     context.Context
+		tagInfo *stats.RPCTagInfo
+	}
+	type res struct {
+		wantSpan bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"ignored method",
+			fields{
+				IgnoredMethods: []GRPCMethod{"ignore"},
+				ServerHandler:  ocgrpc.ServerHandler{},
+			},
+			args{
+				ctx: context.Background(),
+				tagInfo: &stats.RPCTagInfo{
+					FullMethodName: "ignore",
+				},
+			},
+			res{false},
+		},
+		{
+			"tag",
+			fields{
+				IgnoredMethods: []GRPCMethod{"ignore"},
+				ServerHandler:  ocgrpc.ServerHandler{},
+			},
+			args{
+				ctx: context.Background(),
+				tagInfo: &stats.RPCTagInfo{
+					FullMethodName: "tag",
+				},
+			},
+			res{true},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := &tracingServerHandler{
+				IgnoredMethods: tt.fields.IgnoredMethods,
+				ServerHandler:  tt.fields.ServerHandler,
+			}
+			got := s.TagRPC(tt.args.ctx, tt.args.tagInfo)
+			if (trace.FromContext(got) != nil) != tt.res.wantSpan {
+				t.Errorf("TagRPC() = %v, want %v", got, tt.res.wantSpan)
+			}
+		})
+	}
+}