From 3f49f5b699d340b8a58f394361f248846f64230b Mon Sep 17 00:00:00 2001
From: Iraq Jaber
Date: Fri, 7 Mar 2025 08:43:05 +0000
Subject: [PATCH] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! feat(permissions): Addeding system user support for permission check v2

---
 cmd/setup/51/01-permitted_orgs_function.sql | 6 +++---
 internal/api/authz/authorization.go | 12 ++++++------
 internal/query/permission.go | 10 +++++-----
 internal/query/user.go | 4 ++--
 4 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/cmd/setup/51/01-permitted_orgs_function.sql b/cmd/setup/51/01-permitted_orgs_function.sql
index 07dc49ccfa..bf66426329 100644
--- a/cmd/setup/51/01-permitted_orgs_function.sql
+++ b/cmd/setup/51/01-permitted_orgs_function.sql
@@ -4,7 +4,7 @@ CREATE OR REPLACE FUNCTION eventstore.permitted_orgs(
 instanceId TEXT
 , userId TEXT
 , perm TEXT
- , system_roles TEXT[]
+ , system_user_roles TEXT[]
 , filter_orgs TEXT
 
 , org_ids OUT TEXT[]
@@ -20,12 +20,12 @@ BEGIN
 WHERE rp.instance_id = instanceId
 AND rp.permission = perm;
 
- IF system_roles IS NOT NULL THEN
+ IF system_user_roles IS NOT NULL THEN
 DECLARE
 permission_found_in_system_roles bool;
 BEGIN
 SELECT result.role_found INTO permission_found_in_system_roles
- FROM (SELECT matched_roles && system_roles AS role_found) AS result;
+ FROM (SELECT matched_roles && system_user_roles AS role_found) AS result;
 
 IF permission_found_in_system_roles THEN
 SELECT array_agg(o.org_id) INTO org_ids
diff --git a/internal/api/authz/authorization.go b/internal/api/authz/authorization.go
index 7e0b60f5a4..5455ad97db 100644
--- a/internal/api/authz/authorization.go
+++ b/internal/api/authz/authorization.go
@@ -31,7 +31,7 @@ func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID,
 
 if requiredAuthOption.Permission == authenticated {
 return func(parent context.Context) context.Context {
- parent = addGetSystemRolesFuncToCtx(parent, ctxData)
+ parent = addGetSystemUserRolesFuncToCtx(parent, ctxData)
 return context.WithValue(parent, dataKey, ctxData)
 }, nil
 }
@@ -52,7 +52,7 @@ func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID,
 parent = context.WithValue(parent, dataKey, ctxData)
 parent = context.WithValue(parent, allPermissionsKey, allPermissions)
 parent = context.WithValue(parent, requestPermissionsKey, requestedPermissions)
- parent = addGetSystemRolesFuncToCtx(parent, ctxData)
+ parent = addGetSystemUserRolesFuncToCtx(parent, ctxData)
 return parent
 }, nil
 }
@@ -129,7 +129,7 @@ func GetAllPermissionCtxIDs(perms []string) []string {
 return ctxIDs
 }
 
-func addGetSystemRolesFuncToCtx(ctx context.Context, ctxData CtxData) context.Context {
+func addGetSystemUserRolesFuncToCtx(ctx context.Context, ctxData CtxData) context.Context {
 if len(ctxData.SystemMemberships) != 0 {
 ctx = context.WithValue(ctx, systemUserRolesFuncKey, func() func(ctx context.Context) ([]string, error) {
 var roles []string
@@ -138,7 +138,7 @@ func addGetSystemRolesFuncToCtx(ctx context.Context, ctxData CtxData) context.Co
 return roles, nil
 }
 var err error
- roles, err = getSystemRoles(ctx)
+ roles, err = getSystemUserRoles(ctx)
 return roles, err
 }
 }())
@@ -146,7 +146,7 @@ func addGetSystemRolesFuncToCtx(ctx context.Context, ctxData CtxData) context.Co
 return ctx
 }
 
-func GetSystemRoles(ctx context.Context) ([]string, error) {
+func GetSystemUserRoles(ctx context.Context) ([]string, error) {
 getSystemUserRolesFuncValue := ctx.Value(systemUserRolesFuncKey)
 if getSystemUserRolesFuncValue == nil {
 return nil, nil
@@ -158,7 +158,7 @@ func GetSystemRoles(ctx context.Context) ([]string, error) {
 return getSystemUserRolesFunc(ctx)
 }
 
-func getSystemRoles(ctx context.Context) ([]string, error) {
+func getSystemUserRoles(ctx context.Context) ([]string, error) {
 ctxData, ok := ctx.Value(dataKey).(CtxData)
 if !ok {
 return nil, errors.New("unable to obtain ctxData")
diff --git a/internal/query/permission.go b/internal/query/permission.go
index 369e602414..6d2f251d62 100644
--- a/internal/query/permission.go
+++ b/internal/query/permission.go
@@ -11,7 +11,7 @@ import (
 )
 
 const (
- // eventstore.permitted_orgs(instanceid text, userid text, perm text, system_roles text[], filter_orgs text)
+ // eventstore.permitted_orgs(instanceid text, userid text, perm text, system_user_roles text[], filter_orgs text)
 wherePermittedOrgsClause = "%s = ANY(eventstore.permitted_orgs(?, ?, ?, ?, ?))"
 wherePermittedOrgsOrCurrentUserClause = "(" + wherePermittedOrgsClause + " OR %s = ?" + ")"
 )
@@ -24,7 +24,7 @@ const (
 // and is typically the `resource_owner` column in ZITADEL.
 // We use full identifiers in the query builder so this function should be
 // called with something like `UserResourceOwnerCol.identifier()` for example.
-func wherePermittedOrgs(ctx context.Context, query sq.SelectBuilder, systemRoles []string, filterOrgIds, orgIDColumn, permission string) sq.SelectBuilder {
+func wherePermittedOrgs(ctx context.Context, query sq.SelectBuilder, systemUserRoles []string, filterOrgIds, orgIDColumn, permission string) sq.SelectBuilder {
 userID := authz.GetCtxData(ctx).UserID
 logging.WithFields("permission_check_v2_flag", authz.GetFeatures(ctx).PermissionCheckV2, "org_id_column", orgIDColumn, "permission", permission, "user_id", userID).Debug("permitted orgs check used")
 
@@ -33,12 +33,12 @@ func wherePermittedOrgs(ctx context.Context, query sq.SelectBuilder, systemRoles
 authz.GetInstance(ctx).InstanceID(),
 userID,
 permission,
- systemRoles,
+ systemUserRoles,
 filterOrgIds,
 )
 }
 
-func wherePermittedOrgsOrCurrentUser(ctx context.Context, query sq.SelectBuilder, systemRoles []string, filterOrgIds, orgIDColumn, userIdColum, permission string) sq.SelectBuilder {
+func wherePermittedOrgsOrCurrentUser(ctx context.Context, query sq.SelectBuilder, systemUserRoles []string, filterOrgIds, orgIDColumn, userIdColum, permission string) sq.SelectBuilder {
 userID := authz.GetCtxData(ctx).UserID
 logging.WithFields("permission_check_v2_flag", authz.GetFeatures(ctx).PermissionCheckV2, "org_id_column", orgIDColumn, "user_id_colum", userIdColum, "permission", permission, "user_id", userID).Debug("permitted orgs check used")
 
@@ -47,7 +47,7 @@ func wherePermittedOrgsOrCurrentUser(ctx context.Context, query sq.SelectBuilder
 authz.GetInstance(ctx).InstanceID(),
 userID,
 permission,
- systemRoles,
+ systemUserRoles,
 filterOrgIds,
 userID,
 )
diff --git a/internal/query/user.go b/internal/query/user.go
index fe2d25b52d..9fab437d3f 100644
--- a/internal/query/user.go
+++ b/internal/query/user.go
@@ -656,11 +656,11 @@ func (q *Queries) searchUsers(ctx context.Context, queries *UserSearchQueries, f
 })
 if permissionCheckV2 {
 // extract system roles
- systemRoles, err := authz.GetSystemRoles(ctx)
+ systemUserRoles, err := authz.GetSystemUserRoles(ctx)
 if err != nil {
 return nil, zerrors.ThrowInternal(err, "QUERY-GS9gs", "Errors.Internal")
 }
- query = wherePermittedOrgsOrCurrentUser(ctx, query, systemRoles, filterOrgIds, UserResourceOwnerCol.identifier(), UserIDCol.identifier(), domain.PermissionUserRead)
+ query = wherePermittedOrgsOrCurrentUser(ctx, query, systemUserRoles, filterOrgIds, UserResourceOwnerCol.identifier(), UserIDCol.identifier(), domain.PermissionUserRead)
 }
 
 stmt, args, err := query.ToSql()
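Review bot: The context comment `// extract system roles` directly above the renamed `authz.GetSystemUserRoles(ctx)` call in the user.go hunk still uses the old wording, so the rename leaves a comment that no longer matches the identifier it describes. Updating it to `// extract system user roles` in the same commit keeps the terminology consistent with the new function and SQL parameter names. The enclosing `searchUsers` starts and ends outside the hunk.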