From 40094bee873cc2dbb96d63ff4605751841f97a22 Mon Sep 17 00:00:00 2001 From: Livio Spring Date: Tue, 15 Jul 2025 07:38:00 -0400 Subject: [PATCH] fix: permission checks on session API # Which Problems Are Solved The session API allowed any authenticated user to update sessions by their ID without any further check. This was unintentionally introduced with version 2.53.0 when the requirement of providing the latest session token on every session update was removed and no other permission check (e.g. session.write) was ensured. # How the Problems Are Solved - Granted `session.write` to `IAM_OWNER` and `IAM_LOGIN_CLIENT` in the defaults.yaml - Granted `session.read` to `IAM_ORG_MANAGER`, `IAM_USER_MANAGER` and `ORG_OWNER` in the defaults.yaml - Pass the session token to the UpdateSession command. - Check for `session.write` permission on session creation and update. - Alternatively, the (latest) sessionToken can be used to update the session. - Setting an auth request to failed on the OIDC Service `CreateCallback` endpoint now ensures it's either the same user as used to create the auth request (for backwards compatibilty) or requires `session.link` permission. - Setting an device auth request to failed on the OIDC Service `AuthorizeOrDenyDeviceAuthorization` endpoint now requires `session.link` permission. - Setting an auth request to failed on the SAML Service `CreateResponse` endpoint now requires `session.link` permission. # Additional Changes none # Additional Context none (cherry picked from commit 4c942f3477b073e3e270079e6424b2b3797765d6) --- cmd/defaults.yaml | 14 +- .../oidc/v2/integration_test/oidc_test.go | 175 +++++++++++------- .../oidc/v2beta/integration_test/oidc_test.go | 127 +++++++------ .../api/grpc/saml/v2/integration/saml_test.go | 114 ++++++++---- .../grpc/saml/v2/integration/server_test.go | 2 + .../session/v2/integration_test/query_test.go | 12 +- .../v2/integration_test/session_test.go | 78 ++++---- internal/api/grpc/session/v2/session.go | 2 +- .../v2beta/integration_test/query_test.go | 30 +-- .../v2beta/integration_test/server_test.go | 2 + .../v2beta/integration_test/session_test.go | 82 ++++---- internal/api/grpc/session/v2beta/session.go | 10 +- .../api/grpc/session/v2beta/session_test.go | 36 +--- .../grpc/user/v2/integration_test/otp_test.go | 20 +- .../user/v2/integration_test/passkey_test.go | 2 +- .../user/v2/integration_test/phone_test.go | 2 +- .../user/v2/integration_test/totp_test.go | 12 +- .../grpc/user/v2/integration_test/u2f_test.go | 6 +- .../user/v2/integration_test/user_test.go | 6 +- .../user/v2beta/integration_test/otp_test.go | 18 +- .../v2beta/integration_test/passkey_test.go | 2 +- .../v2beta/integration_test/phone_test.go | 2 +- .../user/v2beta/integration_test/totp_test.go | 12 +- .../user/v2beta/integration_test/u2f_test.go | 6 +- .../user/v2beta/integration_test/user_test.go | 2 + .../api/oidc/integration_test/oidc_test.go | 2 +- internal/command/auth_request.go | 5 + internal/command/auth_request_test.go | 46 ++++- internal/command/device_auth.go | 3 + internal/command/device_auth_test.go | 29 ++- internal/command/saml_request.go | 3 + internal/command/saml_request_test.go | 43 ++++- internal/command/session.go | 37 +++- internal/command/session_test.go | 109 +++++++++-- 34 files changed, 684 insertions(+), 367 deletions(-) diff --git a/cmd/defaults.yaml b/cmd/defaults.yaml index 2faf42770b..5b3c91ec6f 100644 --- a/cmd/defaults.yaml +++ b/cmd/defaults.yaml @@ -1358,6 +1358,7 @@ InternalAuthZ: - "events.read" - "milestones.read" - "session.read" + - "session.write" - "session.delete" - "action.target.read" - "action.target.write" @@ -1367,8 +1368,6 @@ InternalAuthZ: - "userschema.read" - "userschema.write" - "userschema.delete" - - "session.read" - - "session.delete" - Role: "IAM_OWNER_VIEWER" Permissions: - "iam.read" @@ -1462,6 +1461,7 @@ InternalAuthZ: - "project.grant.member.read" - "project.grant.member.write" - "project.grant.member.delete" + - "session.read" - "session.delete" - Role: "IAM_USER_MANAGER" Permissions: @@ -1489,6 +1489,7 @@ InternalAuthZ: - "project.grant.write" - "project.grant.delete" - "project.grant.member.read" + - "session.read" - "session.delete" - Role: "IAM_ADMIN_IMPERSONATOR" Permissions: @@ -1552,6 +1553,7 @@ InternalAuthZ: - "project.grant.member.read" - "project.grant.member.write" - "project.grant.member.delete" + - "session.read" - "session.delete" - Role: "IAM_LOGIN_CLIENT" Permissions: @@ -1587,6 +1589,7 @@ InternalAuthZ: - "project.grant.member.read" - "project.grant.member.write" - "session.read" + - "session.write" - "session.link" - "session.delete" - "userschema.read" @@ -1607,6 +1610,7 @@ InternalAuthZ: - "policy.read" - "project.read" - "project.role.read" + - "session.read" - "session.delete" - Role: "ORG_OWNER_VIEWER" Permissions: @@ -1914,6 +1918,7 @@ SystemAuthZ: - "events.read" - "milestones.read" - "session.read" + - "session.write" - "session.delete" - "action.target.read" - "action.target.write" @@ -1923,8 +1928,6 @@ SystemAuthZ: - "userschema.read" - "userschema.write" - "userschema.delete" - - "session.read" - - "session.delete" - Role: "IAM_OWNER_VIEWER" Permissions: - "iam.read" @@ -2018,6 +2021,7 @@ SystemAuthZ: - "project.grant.member.read" - "project.grant.member.write" - "project.grant.member.delete" + - "session.read" - "session.delete" - Role: "IAM_USER_MANAGER" Permissions: @@ -2045,6 +2049,7 @@ SystemAuthZ: - "project.grant.write" - "project.grant.delete" - "project.grant.member.read" + - "session.read" - "session.delete" - Role: "IAM_ADMIN_IMPERSONATOR" Permissions: @@ -2087,6 +2092,7 @@ SystemAuthZ: - "project.grant.member.read" - "project.grant.member.write" - "session.read" + - "session.write" - "session.link" - "session.delete" - "userschema.read" diff --git a/internal/api/grpc/oidc/v2/integration_test/oidc_test.go b/internal/api/grpc/oidc/v2/integration_test/oidc_test.go index 187dc922fc..31d6177201 100644 --- a/internal/api/grpc/oidc/v2/integration_test/oidc_test.go +++ b/internal/api/grpc/oidc/v2/integration_test/oidc_test.go @@ -102,7 +102,7 @@ func TestServer_CreateCallback(t *testing.T) { require.NoError(t, err) clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) require.NoError(t, err) - sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID) + sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID) tests := []struct { name string @@ -113,7 +113,7 @@ func TestServer_CreateCallback(t *testing.T) { }{ { name: "Not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: "123", CallbackKind: &oidc_pb.CreateCallbackRequest_Session{ @@ -127,10 +127,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "session not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -145,10 +145,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "session token invalid", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -163,10 +163,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "fail callback", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -192,7 +192,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), @@ -214,11 +214,30 @@ func TestServer_CreateCallback(t *testing.T) { wantErr: false, }, { - name: "code callback", + name: "fail callback, no permission, error", ctx: CTX, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") + require.NoError(t, err) + return authRequestID + }(), + CallbackKind: &oidc_pb.CreateCallbackRequest_Error{ + Error: &oidc_pb.AuthorizationError{ + Error: oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED, + ErrorDescription: gu.Ptr("nope"), + ErrorUri: gu.Ptr("https://example.com/docs"), + }, + }, + }, + wantErr: true, + }, + { + name: "code callback", + ctx: CTXLoginClient, + req: &oidc_pb.CreateCallbackRequest{ + AuthRequestId: func() string { + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -243,7 +262,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTX, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), @@ -261,7 +280,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), @@ -283,12 +302,12 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "implicit", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { client, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, nil) require.NoError(t, err) - authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit) + authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURIImplicit) require.NoError(t, err) return authRequestID }(), @@ -315,7 +334,7 @@ func TestServer_CreateCallback(t *testing.T) { AuthRequestId: func() string { clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, loginV2) require.NoError(t, err) - authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit) + authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURIImplicit) require.NoError(t, err) return authRequestID }(), @@ -363,7 +382,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }{ { name: "usergrant to project and different resourceowner with different project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID2, _ := createOIDCApplication(ctx, t, true, true) @@ -373,13 +392,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant to project and different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -388,7 +407,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -400,7 +419,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "usergrant to project grant and different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -409,7 +428,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -421,31 +440,31 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "no usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, true) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "no usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, true) user := Instance.CreateHumanUser(ctx) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -453,19 +472,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -477,13 +496,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -495,25 +514,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, false) user := Instance.CreateHumanUser(ctx) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "projectRoleCheck, usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -525,19 +544,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "projectRoleCheck, usergrant on project grant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) @@ -545,7 +564,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -557,25 +576,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant on project grant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "hasProjectCheck, same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { user := Instance.CreateHumanUser(ctx) _, clientID := createOIDCApplication(ctx, t, false, true) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -587,19 +606,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "hasProjectCheck, different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, false, true) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "hasProjectCheck, different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, false, true) @@ -607,7 +626,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -655,15 +674,15 @@ func TestServer_GetDeviceAuthorizationRequest(t *testing.T) { UserCode: "notFound", }, nil }, - ctx: CTX, + ctx: CTXLoginClient, wantErr: true, }, { name: "success", dep: func() (*oidc.DeviceAuthorizationResponse, error) { - return Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + return Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") }, - ctx: CTX, + ctx: CTXLoginClient, }, } for _, tt := range tests { @@ -671,7 +690,7 @@ func TestServer_GetDeviceAuthorizationRequest(t *testing.T) { deviceAuth, err := tt.dep() require.NoError(t, err) - retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute) + retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTXLoginClient, time.Minute) require.EventuallyWithT(t, func(ttt *assert.CollectT) { got, err := Client.GetDeviceAuthorizationRequest(tt.ctx, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: deviceAuth.UserCode, @@ -697,7 +716,7 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { project := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false) client, err := Instance.CreateOIDCClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE) require.NoError(t, err) - sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID) + sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID) tests := []struct { name string @@ -710,7 +729,7 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { }{ { name: "Not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: "123", Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session{ @@ -724,14 +743,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { }, { name: "session not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(t, err) @@ -750,14 +769,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { }, { name: "session token invalid", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(collectT, err) @@ -776,14 +795,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { }, { name: "deny device authorization", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(collectT, err) @@ -796,16 +815,38 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}, wantErr: false, }, + { + name: "deny device authorization, no permission, error", + ctx: CTX, + req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ + DeviceAuthorizationId: func() string { + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") + require.NoError(t, err) + var id string + assert.EventuallyWithT(t, func(collectT *assert.CollectT) { + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + UserCode: req.UserCode, + }) + assert.NoError(collectT, err) + id = resp.GetDeviceAuthorizationRequest().GetId() + }, 5*time.Second, 100*time.Millisecond) + return id + }(), + Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Deny{}, + }, + want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}, + wantErr: true, + }, { name: "authorize, no permission, error", ctx: CTX, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(collectT, err) @@ -827,11 +868,11 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(collectT, err) diff --git a/internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go b/internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go index bd02f9e068..303cdd3ad5 100644 --- a/internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go +++ b/internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go @@ -39,22 +39,22 @@ func TestServer_GetAuthRequest(t *testing.T) { dep: func() (time.Time, string, error) { return time.Now(), "123", nil }, - ctx: CTX, + ctx: CTXLoginClient, wantErr: true, }, { name: "success", dep: func() (time.Time, string, error) { - return Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI) + return Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI) }, - ctx: CTX, + ctx: CTXLoginClient, }, { name: "without login client, no permission", dep: func() (time.Time, string, error) { client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) require.NoError(t, err) - return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "") + return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, client.GetClientId(), redirectURI, "") }, ctx: CTX, wantErr: true, @@ -64,7 +64,7 @@ func TestServer_GetAuthRequest(t *testing.T) { dep: func() (time.Time, string, error) { client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) require.NoError(t, err) - return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "") + return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, client.GetClientId(), redirectURI, "") }, ctx: CTXLoginClient, @@ -75,7 +75,7 @@ func TestServer_GetAuthRequest(t *testing.T) { now, authRequestID, err := tt.dep() require.NoError(t, err) - retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute) + retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTXLoginClient, time.Minute) require.EventuallyWithT(t, func(ttt *assert.CollectT) { got, err := Client.GetAuthRequest(tt.ctx, &oidc_pb.GetAuthRequestRequest{ AuthRequestId: authRequestID, @@ -101,7 +101,7 @@ func TestServer_CreateCallback(t *testing.T) { require.NoError(t, err) clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) require.NoError(t, err) - sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID) + sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID) tests := []struct { name string @@ -114,7 +114,7 @@ func TestServer_CreateCallback(t *testing.T) { }{ { name: "Not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: "123", CallbackKind: &oidc_pb.CreateCallbackRequest_Session{ @@ -128,10 +128,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "session not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -146,10 +146,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "session token invalid", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -164,10 +164,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "fail callback", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -193,7 +193,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), @@ -215,11 +215,30 @@ func TestServer_CreateCallback(t *testing.T) { wantErr: false, }, { - name: "code callback", + name: "fail callback, no permission, error", ctx: CTX, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) + require.NoError(t, err) + return authRequestID + }(), + CallbackKind: &oidc_pb.CreateCallbackRequest_Error{ + Error: &oidc_pb.AuthorizationError{ + Error: oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED, + ErrorDescription: gu.Ptr("nope"), + ErrorUri: gu.Ptr("https://example.com/docs"), + }, + }, + }, + wantErr: true, + }, + { + name: "code callback", + ctx: CTXLoginClient, + req: &oidc_pb.CreateCallbackRequest{ + AuthRequestId: func() string { + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -244,7 +263,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTX, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), @@ -262,7 +281,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), @@ -284,12 +303,12 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "implicit", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { client, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, nil) require.NoError(t, err) - authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit) + authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURIImplicit) require.NoError(t, err) return authRequestID }(), @@ -316,7 +335,7 @@ func TestServer_CreateCallback(t *testing.T) { AuthRequestId: func() string { clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, loginV2) require.NoError(t, err) - authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit) + authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURIImplicit) require.NoError(t, err) return authRequestID }(), @@ -364,7 +383,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }{ { name: "usergrant to project and different resourceowner with different project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID2, _ := createOIDCApplication(ctx, t, true, true) @@ -374,13 +393,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant to project and different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -389,7 +408,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -401,7 +420,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "usergrant to project grant and different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -410,7 +429,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -422,31 +441,31 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "no usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, true) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "no usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, true) user := Instance.CreateHumanUser(ctx) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -454,19 +473,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -478,13 +497,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -496,25 +515,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, false) user := Instance.CreateHumanUser(ctx) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "projectRoleCheck, usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -526,19 +545,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "projectRoleCheck, usergrant on project grant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) @@ -546,7 +565,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -558,25 +577,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant on project grant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "hasProjectCheck, same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { user := Instance.CreateHumanUser(ctx) _, clientID := createOIDCApplication(ctx, t, false, true) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -588,19 +607,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "hasProjectCheck, different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, false, true) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "hasProjectCheck, different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, false, true) @@ -608,7 +627,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, diff --git a/internal/api/grpc/saml/v2/integration/saml_test.go b/internal/api/grpc/saml/v2/integration/saml_test.go index 1974c5236a..241c20715c 100644 --- a/internal/api/grpc/saml/v2/integration/saml_test.go +++ b/internal/api/grpc/saml/v2/integration/saml_test.go @@ -48,13 +48,13 @@ func TestServer_GetSAMLRequest(t *testing.T) { { name: "success, redirect binding", dep: func() (time.Time, string, error) { - return Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) + return Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) }, }, { name: "success, post binding", dep: func() (time.Time, string, error) { - return Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + return Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) }, }, } @@ -63,9 +63,9 @@ func TestServer_GetSAMLRequest(t *testing.T) { creationTime, authRequestID, err := tt.dep() require.NoError(t, err) - retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute) + retryDuration, tick := integration.WaitForAndTickWithMaxDuration(LoginCTX, time.Minute) require.EventuallyWithT(t, func(ttt *assert.CollectT) { - got, err := Client.GetSAMLRequest(CTX, &saml_pb.GetSAMLRequestRequest{ + got, err := Client.GetSAMLRequest(LoginCTX, &saml_pb.GetSAMLRequestRequest{ SamlRequestId: authRequestID, }) if tt.wantErr { @@ -90,10 +90,11 @@ func TestServer_CreateResponse(t *testing.T) { _, rootURLPost, spMiddlewarePost := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPPostBinding, false, false) _, rootURLRedirect, spMiddlewareRedirect := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPRedirectBinding, false, false) - sessionResp := createSession(CTX, t, Instance.Users[integration.UserTypeOrgOwner].ID) + sessionResp := createSession(LoginCTX, t, Instance.Users[integration.UserTypeLogin].ID) tests := []struct { name string + ctx context.Context req *saml_pb.CreateResponseRequest AuthError string want *saml_pb.CreateResponseResponse @@ -102,6 +103,7 @@ func TestServer_CreateResponse(t *testing.T) { }{ { name: "Not found", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: "123", ResponseKind: &saml_pb.CreateResponseRequest_Session{ @@ -115,9 +117,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "session not found", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) require.NoError(t, err) return authRequestID }(), @@ -132,9 +135,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "session token invalid", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) require.NoError(t, err) return authRequestID }(), @@ -149,9 +153,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "fail callback, post", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) return authRequestID }(), @@ -177,11 +182,12 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "fail callback, post, already failed", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) - Instance.FailSAMLAuthRequest(CTX, authRequestID, saml_pb.ErrorReason_ERROR_REASON_AUTH_N_FAILED) + Instance.FailSAMLAuthRequest(LoginCTX, authRequestID, saml_pb.ErrorReason_ERROR_REASON_AUTH_N_FAILED) return authRequestID }(), ResponseKind: &saml_pb.CreateResponseRequest_Error{ @@ -195,9 +201,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "fail callback, redirect", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) return authRequestID }(), @@ -219,10 +226,29 @@ func TestServer_CreateResponse(t *testing.T) { wantErr: false, }, { - name: "callback, redirect", + name: "fail callback, no permission, error", + ctx: CTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + require.NoError(t, err) + return authRequestID + }(), + ResponseKind: &saml_pb.CreateResponseRequest_Error{ + Error: &saml_pb.AuthorizationError{ + Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED, + ErrorDescription: gu.Ptr("nope"), + }, + }, + }, + wantErr: true, + }, + { + name: "callback, redirect", + ctx: LoginCTX, + req: &saml_pb.CreateResponseRequest{ + SamlRequestId: func() string { + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) require.NoError(t, err) return authRequestID }(), @@ -245,9 +271,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "callback, post", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) return authRequestID }(), @@ -273,11 +300,30 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "callback, post", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + require.NoError(t, err) + Instance.SuccessfulSAMLAuthRequest(LoginCTX, Instance.Users[integration.UserTypeLogin].ID, authRequestID) + return authRequestID + }(), + ResponseKind: &saml_pb.CreateResponseRequest_Session{ + Session: &saml_pb.Session{ + SessionId: sessionResp.GetSessionId(), + SessionToken: sessionResp.GetSessionToken(), + }, + }, + }, + wantErr: true, + }, + { + name: "callback, no permission, error", + ctx: CTX, + req: &saml_pb.CreateResponseRequest{ + SamlRequestId: func() string { + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) - Instance.SuccessfulSAMLAuthRequest(CTX, Instance.Users[integration.UserTypeOrgOwner].ID, authRequestID) return authRequestID }(), ResponseKind: &saml_pb.CreateResponseRequest_Session{ @@ -292,7 +338,7 @@ func TestServer_CreateResponse(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := Client.CreateResponse(CTX, tt.req) + got, err := Client.CreateResponse(tt.ctx, tt.req) if tt.wantErr { require.Error(t, err) return @@ -336,7 +382,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -350,7 +396,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -372,7 +418,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -391,7 +437,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -401,7 +447,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { _, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true) user := Instance.CreateHumanUser(ctx) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -414,7 +460,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -426,7 +472,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -445,7 +491,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -462,7 +508,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { _, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false) user := Instance.CreateHumanUser(ctx) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -474,7 +520,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -492,7 +538,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -506,7 +552,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -526,7 +572,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -536,7 +582,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { _, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true) user := Instance.CreateHumanUser(ctx) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -554,7 +600,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -566,7 +612,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -582,7 +628,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { t.Run(tt.name, func(t *testing.T) { req := tt.dep(IAMCTX, t) - got, err := Client.CreateResponse(CTX, req) + got, err := Client.CreateResponse(LoginCTX, req) if tt.wantErr { require.Error(t, err) return diff --git a/internal/api/grpc/saml/v2/integration/server_test.go b/internal/api/grpc/saml/v2/integration/server_test.go index ab9e92a157..86eba0b809 100644 --- a/internal/api/grpc/saml/v2/integration/server_test.go +++ b/internal/api/grpc/saml/v2/integration/server_test.go @@ -15,6 +15,7 @@ import ( var ( CTX context.Context IAMCTX context.Context + LoginCTX context.Context Instance *integration.Instance Client saml_pb.SAMLServiceClient ) @@ -29,6 +30,7 @@ func TestMain(m *testing.M) { IAMCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) + LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin) return m.Run() }()) } diff --git a/internal/api/grpc/session/v2/integration_test/query_test.go b/internal/api/grpc/session/v2/integration_test/query_test.go index 4b2eacf570..66f8c9b304 100644 --- a/internal/api/grpc/session/v2/integration_test/query_test.go +++ b/internal/api/grpc/session/v2/integration_test/query_test.go @@ -72,7 +72,7 @@ func TestServer_GetSession(t *testing.T) { { name: "get session, permission, ok", args: args{ - CTX, + IAMOwnerCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { resp, err := Client.CreateSession(ctx, &session.CreateSessionRequest{}) @@ -213,7 +213,7 @@ func TestServer_GetSession(t *testing.T) { t.Run(tt.name, func(t *testing.T) { var sequence uint64 if tt.args.dep != nil { - sequence = tt.args.dep(CTX, t, tt.args.req) + sequence = tt.args.dep(LoginCTX, t, tt.args.req) } retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute) @@ -360,7 +360,7 @@ func TestServer_ListSessions(t *testing.T) { { name: "list sessions, permission, ok", args: args{ - CTX, + IAMOwnerCTX, &session.ListSessionsRequest{}, func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { info := createSession(ctx, t, "", "", nil, nil) @@ -501,7 +501,7 @@ func TestServer_ListSessions(t *testing.T) { { name: "list sessions, own creator, ok", args: args{ - CTX, + LoginCTX, &session.ListSessionsRequest{}, func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")}) @@ -542,7 +542,7 @@ func TestServer_ListSessions(t *testing.T) { info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")}) request.Queries = append(request.Queries, &session.SearchQuery{Query: &session.SearchQuery_IdsQuery{IdsQuery: &session.IDsQuery{Ids: []string{info.ID}}}}, - &session.SearchQuery{Query: &session.SearchQuery_CreatorQuery{CreatorQuery: &session.CreatorQuery{Id: gu.Ptr(Instance.Users.Get(integration.UserTypeOrgOwner).ID)}}}) + &session.SearchQuery{Query: &session.SearchQuery_CreatorQuery{CreatorQuery: &session.CreatorQuery{Id: gu.Ptr(Instance.Users.Get(integration.UserTypeLogin).ID)}}}) return []*sessionAttr{info} }, }, @@ -682,7 +682,7 @@ func TestServer_ListSessions(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - infos := tt.args.dep(CTX, t, tt.args.req) + infos := tt.args.dep(LoginCTX, t, tt.args.req) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute) require.EventuallyWithT(t, func(ttt *assert.CollectT) { diff --git a/internal/api/grpc/session/v2/integration_test/session_test.go b/internal/api/grpc/session/v2/integration_test/session_test.go index 0982a56121..6c0c079e48 100644 --- a/internal/api/grpc/session/v2/integration_test/session_test.go +++ b/internal/api/grpc/session/v2/integration_test/session_test.go @@ -251,7 +251,7 @@ func TestServer_CreateSession(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := Client.CreateSession(CTX, tt.req) + got, err := Client.CreateSession(LoginCTX, tt.req) if tt.wantErr { require.Error(t, err) return @@ -280,7 +280,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) { require.NoError(t, err) for i := 0; i <= maxAttempts; i++ { - _, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + _, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -306,7 +306,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) { func TestServer_CreateSession_webauthn(t *testing.T) { // create new session with user and request the webauthn challenge - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -328,7 +328,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) { require.NoError(t, err) // update the session with webauthn assertion data - updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ @@ -374,7 +374,7 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) { intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour)) require.NoError(t, err) - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -402,7 +402,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) { Instance.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId()) // session with intent check must now succeed - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -422,7 +422,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) { func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) { idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId() - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -435,7 +435,7 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) { verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) intent := Instance.CreateIntent(CTX, idpID) - _, err = Client.SetSession(CTX, &session.SetSessionRequest{ + _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ IdpIntent: &session.CheckIDPIntent{ @@ -556,13 +556,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) { userExisting := createFullUser(CTX) // create new, empty session - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionToken := createResp.GetSessionToken() verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") t.Run("check user", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ @@ -578,7 +578,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { }) t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ @@ -594,7 +594,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) require.NoError(t, err) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ @@ -616,7 +616,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { t.Run("check TOTP", func(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ @@ -630,13 +630,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) { }) userImport := Instance.CreateHumanUserWithTOTP(CTX, totpSecret) - createRespImport, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createRespImport, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionTokenImport := createRespImport.GetSessionToken() verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") t.Run("check user", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createRespImport.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ @@ -653,7 +653,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { t.Run("check TOTP", func(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createRespImport.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ @@ -669,13 +669,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) { func TestServer_SetSession_flow(t *testing.T) { // create new, empty session - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionToken := createResp.GetSessionToken() verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) t.Run("check user", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ @@ -691,7 +691,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ @@ -707,7 +707,7 @@ func TestServer_SetSession_flow(t *testing.T) { assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) require.NoError(t, err) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ @@ -733,7 +733,7 @@ func TestServer_SetSession_flow(t *testing.T) { session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED, } { t.Run(userVerificationRequirement.String(), func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ @@ -749,7 +749,7 @@ func TestServer_SetSession_flow(t *testing.T) { assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false) require.NoError(t, err) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ @@ -767,7 +767,7 @@ func TestServer_SetSession_flow(t *testing.T) { t.Run("check TOTP", func(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ @@ -781,7 +781,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) t.Run("check OTP SMS", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true}, @@ -794,7 +794,7 @@ func TestServer_SetSession_flow(t *testing.T) { otp := resp.GetChallenges().GetOtpSms() require.NotEmpty(t, otp) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ OtpSms: &session.CheckOTP{ @@ -808,7 +808,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) t.Run("check OTP Email", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ OtpEmail: &session.RequestChallenges_OTPEmail{ @@ -823,7 +823,7 @@ func TestServer_SetSession_flow(t *testing.T) { otp := resp.GetChallenges().GetOtpEmail() require.NotEmpty(t, otp) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ OtpEmail: &session.CheckOTP{ @@ -838,13 +838,13 @@ func TestServer_SetSession_flow(t *testing.T) { } func TestServer_SetSession_expired(t *testing.T) { - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Lifetime: durationpb.New(20 * time.Second), }) require.NoError(t, err) // test session token works - _, err = Instance.Client.SessionV2.SetSession(CTX, &session.SetSessionRequest{ + _, err = Instance.Client.SessionV2.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Lifetime: durationpb.New(20 * time.Second), }) @@ -852,7 +852,7 @@ func TestServer_SetSession_expired(t *testing.T) { // ensure session expires and does not work anymore time.Sleep(20 * time.Second) - _, err = Client.SetSession(CTX, &session.SetSessionRequest{ + _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Lifetime: durationpb.New(20 * time.Second), }) @@ -860,7 +860,7 @@ func TestServer_SetSession_expired(t *testing.T) { } func TestServer_DeleteSession_token(t *testing.T) { - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) _, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{ @@ -880,14 +880,14 @@ func TestServer_DeleteSession_own_session(t *testing.T) { // create two users for the test and a session each to get tokens for authorization user1 := Instance.CreateHumanUser(CTX) Instance.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword, false) - _, token1, _, _ := Instance.CreatePasswordSession(t, CTX, user1.GetUserId(), integration.UserPassword) + _, token1, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user1.GetUserId(), integration.UserPassword) user2 := Instance.CreateHumanUser(CTX) Instance.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword, false) - _, token2, _, _ := Instance.CreatePasswordSession(t, CTX, user2.GetUserId(), integration.UserPassword) + _, token2, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user2.GetUserId(), integration.UserPassword) // create a new session for the first user - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -912,7 +912,7 @@ func TestServer_DeleteSession_own_session(t *testing.T) { } func TestServer_DeleteSession_with_permission(t *testing.T) { - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -932,7 +932,7 @@ func TestServer_DeleteSession_with_permission(t *testing.T) { func Test_ZITADEL_API_missing_authentication(t *testing.T) { // create new, empty session - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken())) @@ -947,7 +947,7 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) { } func Test_ZITADEL_API_success(t *testing.T) { - id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId()) + id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId()) ctx := integration.WithAuthorizationToken(context.Background(), token) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute) @@ -963,7 +963,7 @@ func Test_ZITADEL_API_success(t *testing.T) { } func Test_ZITADEL_API_session_not_found(t *testing.T) { - id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId()) + id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId()) // test session token works ctx := integration.WithAuthorizationToken(context.Background(), token) @@ -994,7 +994,7 @@ func Test_ZITADEL_API_session_not_found(t *testing.T) { } func Test_ZITADEL_API_session_expired(t *testing.T) { - id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, CTX, User.GetUserId(), 20*time.Second) + id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, LoginCTX, User.GetUserId(), 20*time.Second) // test session token works ctx := integration.WithAuthorizationToken(context.Background(), token) diff --git a/internal/api/grpc/session/v2/session.go b/internal/api/grpc/session/v2/session.go index 94f686a72c..99e876d06e 100644 --- a/internal/api/grpc/session/v2/session.go +++ b/internal/api/grpc/session/v2/session.go @@ -51,7 +51,7 @@ func (s *Server) SetSession(ctx context.Context, req *connect.Request[session.Se return nil, err } - set, err := s.command.UpdateSession(ctx, req.Msg.GetSessionId(), cmds, req.Msg.GetMetadata(), req.Msg.GetLifetime().AsDuration()) + set, err := s.command.UpdateSession(ctx, req.Msg.GetSessionId(), req.Msg.GetSessionToken(), cmds, req.Msg.GetMetadata(), req.Msg.GetLifetime().AsDuration()) if err != nil { return nil, err } diff --git a/internal/api/grpc/session/v2beta/integration_test/query_test.go b/internal/api/grpc/session/v2beta/integration_test/query_test.go index dc131cdaaf..9cff2c438e 100644 --- a/internal/api/grpc/session/v2beta/integration_test/query_test.go +++ b/internal/api/grpc/session/v2beta/integration_test/query_test.go @@ -61,7 +61,7 @@ func TestServer_GetSession(t *testing.T) { UserCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { - resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) request.SessionId = resp.SessionId return resp.GetDetails().GetSequence() @@ -72,10 +72,10 @@ func TestServer_GetSession(t *testing.T) { { name: "get session, permission, ok", args: args{ - CTX, + IAMOwnerCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { - resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) request.SessionId = resp.SessionId return resp.GetDetails().GetSequence() @@ -91,7 +91,7 @@ func TestServer_GetSession(t *testing.T) { UserCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { - resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) request.SessionId = resp.SessionId request.SessionToken = gu.Ptr(resp.SessionToken) @@ -108,7 +108,7 @@ func TestServer_GetSession(t *testing.T) { UserCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { - resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ UserAgent: &session.UserAgent{ FingerprintId: gu.Ptr("fingerPrintID"), Ip: gu.Ptr("1.2.3.4"), @@ -144,7 +144,7 @@ func TestServer_GetSession(t *testing.T) { UserCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { - resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Lifetime: durationpb.New(5 * time.Minute), }, ) @@ -165,7 +165,7 @@ func TestServer_GetSession(t *testing.T) { UserCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { - resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Metadata: map[string][]byte{"foo": []byte("bar")}, }, ) @@ -187,7 +187,7 @@ func TestServer_GetSession(t *testing.T) { UserCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { - resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -337,7 +337,7 @@ func TestServer_ListSessions(t *testing.T) { }, }, { - name: "list sessions, wrong creator", + name: "list sessions, no permission", args: args{ UserCTX, &session.ListSessionsRequest{}, @@ -349,7 +349,7 @@ func TestServer_ListSessions(t *testing.T) { }, want: &session.ListSessionsResponse{ Details: &object.ListDetails{ - TotalResult: 0, + TotalResult: 1, Timestamp: timestamppb.Now(), }, Sessions: []*session.Session{}, @@ -358,7 +358,7 @@ func TestServer_ListSessions(t *testing.T) { { name: "list sessions, full, ok", args: args{ - CTX, + IAMOwnerCTX, &session.ListSessionsRequest{}, func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")}) @@ -391,7 +391,7 @@ func TestServer_ListSessions(t *testing.T) { { name: "list sessions, multiple, ok", args: args{ - CTX, + IAMOwnerCTX, &session.ListSessionsRequest{}, func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { infos := createSessions(ctx, t, 3, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")}) @@ -446,7 +446,7 @@ func TestServer_ListSessions(t *testing.T) { { name: "list sessions, userid, ok", args: args{ - CTX, + IAMOwnerCTX, &session.ListSessionsRequest{}, func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { createdUser := createFullUser(ctx) @@ -480,7 +480,7 @@ func TestServer_ListSessions(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - infos := tt.args.dep(CTX, t, tt.args.req) + infos := tt.args.dep(LoginCTX, t, tt.args.req) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute) require.EventuallyWithT(t, func(ttt *assert.CollectT) { @@ -499,7 +499,7 @@ func TestServer_ListSessions(t *testing.T) { } // expected count of sessions is not equal to received sessions - if !assert.Equal(ttt, got.Details.TotalResult, tt.want.Details.TotalResult) || !assert.Len(ttt, got.Sessions, len(tt.want.Sessions)) { + if !assert.Equal(ttt, tt.want.Details.TotalResult, got.Details.TotalResult) || !assert.Len(ttt, got.Sessions, len(tt.want.Sessions)) { return } diff --git a/internal/api/grpc/session/v2beta/integration_test/server_test.go b/internal/api/grpc/session/v2beta/integration_test/server_test.go index 4920e6ec35..03fbfc37da 100644 --- a/internal/api/grpc/session/v2beta/integration_test/server_test.go +++ b/internal/api/grpc/session/v2beta/integration_test/server_test.go @@ -18,6 +18,7 @@ import ( var ( CTX context.Context IAMOwnerCTX context.Context + LoginCTX context.Context UserCTX context.Context Instance *integration.Instance Client session.SessionServiceClient @@ -36,6 +37,7 @@ func TestMain(m *testing.M) { CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) IAMOwnerCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) + LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin) UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission) User = createFullUser(CTX) DeactivatedUser = createDeactivatedUser(CTX) diff --git a/internal/api/grpc/session/v2beta/integration_test/session_test.go b/internal/api/grpc/session/v2beta/integration_test/session_test.go index 4c189e0f80..8a2c4094b6 100644 --- a/internal/api/grpc/session/v2beta/integration_test/session_test.go +++ b/internal/api/grpc/session/v2beta/integration_test/session_test.go @@ -251,7 +251,7 @@ func TestServer_CreateSession(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := Client.CreateSession(CTX, tt.req) + got, err := Client.CreateSession(LoginCTX, tt.req) if tt.wantErr { require.Error(t, err) return @@ -280,7 +280,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) { require.NoError(t, err) for i := 0; i <= maxAttempts; i++ { - _, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + _, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -306,7 +306,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) { func TestServer_CreateSession_webauthn(t *testing.T) { // create new session with user and request the webauthn challenge - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -328,7 +328,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) { require.NoError(t, err) // update the session with webauthn assertion data - updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ @@ -342,7 +342,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) { func TestServer_CreateSession_successfulIntent(t *testing.T) { idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId() - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -356,7 +356,7 @@ func TestServer_CreateSession_successfulIntent(t *testing.T) { intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour)) require.NoError(t, err) - updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ IdpIntent: &session.CheckIDPIntent{ @@ -374,7 +374,7 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) { intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour)) require.NoError(t, err) - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -403,7 +403,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) { Instance.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId()) // session with intent check must now succeed - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -423,7 +423,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) { func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) { idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId() - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -436,7 +436,7 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) { verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) intent := Instance.CreateIntent(CTX, idpID) - _, err = Client.SetSession(CTX, &session.SetSessionRequest{ + _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ IdpIntent: &session.CheckIDPIntent{ @@ -557,13 +557,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) { userExisting := createFullUser(CTX) // create new, empty session - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionToken := createResp.GetSessionToken() verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") t.Run("check user", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ @@ -579,7 +579,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { }) t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ @@ -595,7 +595,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) require.NoError(t, err) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ @@ -617,7 +617,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { t.Run("check TOTP", func(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ @@ -631,13 +631,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) { }) userImport := Instance.CreateHumanUserWithTOTP(CTX, totpSecret) - createRespImport, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createRespImport, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionTokenImport := createRespImport.GetSessionToken() verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") t.Run("check user", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createRespImport.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ @@ -654,7 +654,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { t.Run("check TOTP", func(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createRespImport.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ @@ -670,13 +670,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) { func TestServer_SetSession_flow(t *testing.T) { // create new, empty session - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionToken := createResp.GetSessionToken() verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) t.Run("check user", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ @@ -692,7 +692,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ @@ -708,7 +708,7 @@ func TestServer_SetSession_flow(t *testing.T) { assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) require.NoError(t, err) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ @@ -734,7 +734,7 @@ func TestServer_SetSession_flow(t *testing.T) { session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED, } { t.Run(userVerificationRequirement.String(), func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ @@ -750,7 +750,7 @@ func TestServer_SetSession_flow(t *testing.T) { assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false) require.NoError(t, err) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ @@ -768,7 +768,7 @@ func TestServer_SetSession_flow(t *testing.T) { t.Run("check TOTP", func(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ @@ -782,7 +782,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) t.Run("check OTP SMS", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true}, @@ -795,7 +795,7 @@ func TestServer_SetSession_flow(t *testing.T) { otp := resp.GetChallenges().GetOtpSms() require.NotEmpty(t, otp) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ OtpSms: &session.CheckOTP{ @@ -809,7 +809,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) t.Run("check OTP Email", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ OtpEmail: &session.RequestChallenges_OTPEmail{ @@ -824,7 +824,7 @@ func TestServer_SetSession_flow(t *testing.T) { otp := resp.GetChallenges().GetOtpEmail() require.NotEmpty(t, otp) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ OtpEmail: &session.CheckOTP{ @@ -839,13 +839,13 @@ func TestServer_SetSession_flow(t *testing.T) { } func TestServer_SetSession_expired(t *testing.T) { - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Lifetime: durationpb.New(20 * time.Second), }) require.NoError(t, err) // test session token works - _, err = Client.SetSession(CTX, &session.SetSessionRequest{ + _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Lifetime: durationpb.New(20 * time.Second), }) @@ -853,7 +853,7 @@ func TestServer_SetSession_expired(t *testing.T) { // ensure session expires and does not work anymore time.Sleep(20 * time.Second) - _, err = Client.SetSession(CTX, &session.SetSessionRequest{ + _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Lifetime: durationpb.New(20 * time.Second), }) @@ -861,7 +861,7 @@ func TestServer_SetSession_expired(t *testing.T) { } func TestServer_DeleteSession_token(t *testing.T) { - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) _, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{ @@ -881,14 +881,14 @@ func TestServer_DeleteSession_own_session(t *testing.T) { // create two users for the test and a session each to get tokens for authorization user1 := Instance.CreateHumanUser(CTX) Instance.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword, false) - _, token1, _, _ := Instance.CreatePasswordSession(t, CTX, user1.GetUserId(), integration.UserPassword) + _, token1, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user1.GetUserId(), integration.UserPassword) user2 := Instance.CreateHumanUser(CTX) Instance.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword, false) - _, token2, _, _ := Instance.CreatePasswordSession(t, CTX, user2.GetUserId(), integration.UserPassword) + _, token2, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user2.GetUserId(), integration.UserPassword) // create a new session for the first user - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -913,7 +913,7 @@ func TestServer_DeleteSession_own_session(t *testing.T) { } func TestServer_DeleteSession_with_permission(t *testing.T) { - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -933,7 +933,7 @@ func TestServer_DeleteSession_with_permission(t *testing.T) { func Test_ZITADEL_API_missing_authentication(t *testing.T) { // create new, empty session - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken())) @@ -948,7 +948,7 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) { } func Test_ZITADEL_API_success(t *testing.T) { - id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId()) + id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId()) ctx := integration.WithAuthorizationToken(context.Background(), token) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute) @@ -964,7 +964,7 @@ func Test_ZITADEL_API_success(t *testing.T) { } func Test_ZITADEL_API_session_not_found(t *testing.T) { - id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId()) + id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId()) // test session token works ctx := integration.WithAuthorizationToken(context.Background(), token) @@ -995,7 +995,7 @@ func Test_ZITADEL_API_session_not_found(t *testing.T) { } func Test_ZITADEL_API_session_expired(t *testing.T) { - id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, CTX, User.GetUserId(), 20*time.Second) + id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, LoginCTX, User.GetUserId(), 20*time.Second) // test session token works ctx := integration.WithAuthorizationToken(context.Background(), token) diff --git a/internal/api/grpc/session/v2beta/session.go b/internal/api/grpc/session/v2beta/session.go index 459cf77f05..c5c129fb11 100644 --- a/internal/api/grpc/session/v2beta/session.go +++ b/internal/api/grpc/session/v2beta/session.go @@ -12,7 +12,6 @@ import ( "google.golang.org/protobuf/types/known/structpb" "google.golang.org/protobuf/types/known/timestamppb" - "github.com/zitadel/zitadel/internal/api/authz" object "github.com/zitadel/zitadel/internal/api/grpc/object/v2beta" "github.com/zitadel/zitadel/internal/command" "github.com/zitadel/zitadel/internal/domain" @@ -90,7 +89,7 @@ func (s *Server) SetSession(ctx context.Context, req *connect.Request[session.Se return nil, err } - set, err := s.command.UpdateSession(ctx, req.Msg.GetSessionId(), cmds, req.Msg.GetMetadata(), req.Msg.GetLifetime().AsDuration()) + set, err := s.command.UpdateSession(ctx, req.Msg.GetSessionId(), req.Msg.GetSessionToken(), cmds, req.Msg.GetMetadata(), req.Msg.GetLifetime().AsDuration()) if err != nil { return nil, err } @@ -256,18 +255,13 @@ func listSessionsRequestToQuery(ctx context.Context, req *session.ListSessionsRe } func sessionQueriesToQuery(ctx context.Context, queries []*session.SearchQuery) (_ []query.SearchQuery, err error) { - q := make([]query.SearchQuery, len(queries)+1) + q := make([]query.SearchQuery, len(queries)) for i, v := range queries { q[i], err = sessionQueryToQuery(v) if err != nil { return nil, err } } - creatorQuery, err := query.NewSessionCreatorSearchQuery(authz.GetCtxData(ctx).UserID) - if err != nil { - return nil, err - } - q[len(queries)] = creatorQuery return q, nil } diff --git a/internal/api/grpc/session/v2beta/session_test.go b/internal/api/grpc/session/v2beta/session_test.go index c088b5b886..16de30a9b1 100644 --- a/internal/api/grpc/session/v2beta/session_test.go +++ b/internal/api/grpc/session/v2beta/session_test.go @@ -328,24 +328,7 @@ func Test_listSessionsRequestToQuery(t *testing.T) { wantErr error }{ { - name: "default request", - args: args{ - ctx: authz.NewMockContext("123", "456", "789"), - req: &session.ListSessionsRequest{}, - }, - want: &query.SessionsSearchQueries{ - SearchRequest: query.SearchRequest{ - Offset: 0, - Limit: 0, - Asc: false, - }, - Queries: []query.SearchQuery{ - mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals), - }, - }, - }, - { - name: "default request with sorting column", + name: "sorting column", args: args{ ctx: authz.NewMockContext("123", "456", "789"), req: &session.ListSessionsRequest{ @@ -359,9 +342,7 @@ func Test_listSessionsRequestToQuery(t *testing.T) { SortingColumn: query.SessionColumnCreationDate, Asc: false, }, - Queries: []query.SearchQuery{ - mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals), - }, + Queries: []query.SearchQuery{}, }, }, { @@ -410,7 +391,6 @@ func Test_listSessionsRequestToQuery(t *testing.T) { mustNewListQuery(t, query.SessionColumnID, []interface{}{"4", "5", "6"}, query.ListIn), mustNewTextQuery(t, query.SessionColumnUserID, "10", query.TextEquals), mustNewTimestampQuery(t, query.SessionColumnCreationDate, creationDate, query.TimestampGreater), - mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals), }, }, }, @@ -457,15 +437,6 @@ func Test_sessionQueriesToQuery(t *testing.T) { want []query.SearchQuery wantErr error }{ - { - name: "creator only", - args: args{ - ctx: authz.NewMockContext("123", "456", "789"), - }, - want: []query.SearchQuery{ - mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals), - }, - }, { name: "invalid argument", args: args{ @@ -477,7 +448,7 @@ func Test_sessionQueriesToQuery(t *testing.T) { wantErr: zerrors.ThrowInvalidArgument(nil, "GRPC-Sfefs", "List.Query.Invalid"), }, { - name: "creator and sessions", + name: "sessions", args: args{ ctx: authz.NewMockContext("123", "456", "789"), queries: []*session.SearchQuery{ @@ -496,7 +467,6 @@ func Test_sessionQueriesToQuery(t *testing.T) { want: []query.SearchQuery{ mustNewListQuery(t, query.SessionColumnID, []interface{}{"1", "2", "3"}, query.ListIn), mustNewListQuery(t, query.SessionColumnID, []interface{}{"4", "5", "6"}, query.ListIn), - mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals), }, }, } diff --git a/internal/api/grpc/user/v2/integration_test/otp_test.go b/internal/api/grpc/user/v2/integration_test/otp_test.go index 01e6c07a40..4ec54b26b9 100644 --- a/internal/api/grpc/user/v2/integration_test/otp_test.go +++ b/internal/api/grpc/user/v2/integration_test/otp_test.go @@ -17,11 +17,11 @@ import ( func TestServer_AddOTPSMS(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) userVerified := Instance.CreateHumanUser(CTX) _, err := Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{ @@ -30,7 +30,7 @@ func TestServer_AddOTPSMS(t *testing.T) { }) require.NoError(t, err) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerified2 := Instance.CreateHumanUser(CTX) _, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{ @@ -123,7 +123,7 @@ func TestServer_AddOTPSMS(t *testing.T) { func TestServer_RemoveOTPSMS(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) @@ -137,7 +137,7 @@ func TestServer_RemoveOTPSMS(t *testing.T) { userSelf := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userSelf.GetUserId()) - _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId()) + _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId()) userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf) _, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{ UserId: userSelf.GetUserId(), @@ -213,11 +213,11 @@ func TestServer_RemoveOTPSMS(t *testing.T) { func TestServer_AddOTPEmail(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) userVerified := Instance.CreateHumanUser(CTX) _, err := Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{ @@ -226,7 +226,7 @@ func TestServer_AddOTPEmail(t *testing.T) { }) require.NoError(t, err) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerified2 := Instance.CreateHumanUser(CTX) _, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{ @@ -321,7 +321,7 @@ func TestServer_AddOTPEmail(t *testing.T) { func TestServer_RemoveOTPEmail(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) @@ -335,7 +335,7 @@ func TestServer_RemoveOTPEmail(t *testing.T) { userSelf := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userSelf.GetUserId()) - _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId()) + _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId()) userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf) _, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{ UserId: userSelf.GetUserId(), diff --git a/internal/api/grpc/user/v2/integration_test/passkey_test.go b/internal/api/grpc/user/v2/integration_test/passkey_test.go index 055a47ec46..4a035869fe 100644 --- a/internal/api/grpc/user/v2/integration_test/passkey_test.go +++ b/internal/api/grpc/user/v2/integration_test/passkey_test.go @@ -28,7 +28,7 @@ func TestServer_RegisterPasskey(t *testing.T) { // We also need a user session Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) type args struct { ctx context.Context diff --git a/internal/api/grpc/user/v2/integration_test/phone_test.go b/internal/api/grpc/user/v2/integration_test/phone_test.go index b87f9a9f28..25227048f9 100644 --- a/internal/api/grpc/user/v2/integration_test/phone_test.go +++ b/internal/api/grpc/user/v2/integration_test/phone_test.go @@ -256,7 +256,7 @@ func TestServer_Deprecated_RemovePhone(t *testing.T) { doubleRemoveUser := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) tests := []struct { name string diff --git a/internal/api/grpc/user/v2/integration_test/totp_test.go b/internal/api/grpc/user/v2/integration_test/totp_test.go index e65756c1c1..65d1003c35 100644 --- a/internal/api/grpc/user/v2/integration_test/totp_test.go +++ b/internal/api/grpc/user/v2/integration_test/totp_test.go @@ -20,12 +20,12 @@ import ( func TestServer_RegisterTOTP(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) type args struct { @@ -106,7 +106,7 @@ func TestServer_RegisterTOTP(t *testing.T) { func TestServer_VerifyTOTPRegistration(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) reg, err := Client.RegisterTOTP(ctx, &user.RegisterTOTPRequest{ @@ -118,7 +118,7 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) { otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{ @@ -209,11 +209,11 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) { func TestServer_RemoveTOTP(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified) _, err := Instance.Client.UserV2.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{ UserId: userVerified.GetUserId(), diff --git a/internal/api/grpc/user/v2/integration_test/u2f_test.go b/internal/api/grpc/user/v2/integration_test/u2f_test.go index b8af753f85..962671d608 100644 --- a/internal/api/grpc/user/v2/integration_test/u2f_test.go +++ b/internal/api/grpc/user/v2/integration_test/u2f_test.go @@ -22,9 +22,9 @@ func TestServer_RegisterU2F(t *testing.T) { // We also need a user session Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) type args struct { ctx context.Context @@ -183,7 +183,7 @@ func TestServer_VerifyU2FRegistration(t *testing.T) { func ctxFromNewUserWithRegisteredU2F(t *testing.T) (context.Context, string, *user.RegisterU2FResponse) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{ diff --git a/internal/api/grpc/user/v2/integration_test/user_test.go b/internal/api/grpc/user/v2/integration_test/user_test.go index bc3abc8faf..959dbeddab 100644 --- a/internal/api/grpc/user/v2/integration_test/user_test.go +++ b/internal/api/grpc/user/v2/integration_test/user_test.go @@ -34,6 +34,7 @@ import ( var ( CTX context.Context IamCTX context.Context + LoginCTX context.Context UserCTX context.Context SystemCTX context.Context SystemUserWithNoPermissionsCTX context.Context @@ -51,6 +52,7 @@ func TestMain(m *testing.M) { SystemUserWithNoPermissionsCTX = integration.WithSystemUserWithNoPermissionsAuthorization(ctx) UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission) IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) + LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin) SystemCTX = integration.WithSystemAuthorization(ctx) CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) Client = Instance.Client.UserV2 @@ -1853,7 +1855,7 @@ func TestServer_DeleteUser(t *testing.T) { require.NoError(t, err) request.UserId = removeUser.Id Instance.RegisterUserPasskey(CTX, removeUser.Id) - _, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, removeUser.Id) + _, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, removeUser.Id) return integration.WithAuthorizationToken(UserCTX, token) }, }, @@ -2769,7 +2771,7 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) { func ctxFromNewUserWithRegisteredPasswordlessLegacy(t *testing.T) (context.Context, string, *auth.AddMyPasswordlessResponse) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) pkr, err := Instance.Client.Auth.AddMyPasswordless(ctx, &auth.AddMyPasswordlessRequest{}) diff --git a/internal/api/grpc/user/v2beta/integration_test/otp_test.go b/internal/api/grpc/user/v2beta/integration_test/otp_test.go index fae6c069a4..0b49c3e6b6 100644 --- a/internal/api/grpc/user/v2beta/integration_test/otp_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/otp_test.go @@ -17,11 +17,11 @@ import ( func TestServer_AddOTPSMS(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) userVerified := Instance.CreateHumanUser(CTX) _, err := Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{ @@ -30,7 +30,7 @@ func TestServer_AddOTPSMS(t *testing.T) { }) require.NoError(t, err) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerified2 := Instance.CreateHumanUser(CTX) _, err = Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{ @@ -123,7 +123,7 @@ func TestServer_AddOTPSMS(t *testing.T) { func TestServer_RemoveOTPSMS(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) @@ -137,7 +137,7 @@ func TestServer_RemoveOTPSMS(t *testing.T) { userSelf := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userSelf.GetUserId()) - _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId()) + _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId()) userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf) _, err = Instance.Client.UserV2beta.VerifyPhone(CTX, &user.VerifyPhoneRequest{ UserId: userSelf.GetUserId(), @@ -213,11 +213,11 @@ func TestServer_RemoveOTPSMS(t *testing.T) { func TestServer_AddOTPEmail(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) userVerified := Instance.CreateHumanUser(CTX) _, err := Client.VerifyEmail(CTX, &user.VerifyEmailRequest{ @@ -226,7 +226,7 @@ func TestServer_AddOTPEmail(t *testing.T) { }) require.NoError(t, err) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerified2 := Instance.CreateHumanUser(CTX) _, err = Client.VerifyEmail(CTX, &user.VerifyEmailRequest{ @@ -321,7 +321,7 @@ func TestServer_AddOTPEmail(t *testing.T) { func TestServer_RemoveOTPEmail(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) diff --git a/internal/api/grpc/user/v2beta/integration_test/passkey_test.go b/internal/api/grpc/user/v2beta/integration_test/passkey_test.go index 7bc0465956..f2b4c4e95e 100644 --- a/internal/api/grpc/user/v2beta/integration_test/passkey_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/passkey_test.go @@ -27,7 +27,7 @@ func TestServer_RegisterPasskey(t *testing.T) { // We also need a user session Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) type args struct { ctx context.Context diff --git a/internal/api/grpc/user/v2beta/integration_test/phone_test.go b/internal/api/grpc/user/v2beta/integration_test/phone_test.go index 73d065231c..8d1a07cca2 100644 --- a/internal/api/grpc/user/v2beta/integration_test/phone_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/phone_test.go @@ -258,7 +258,7 @@ func TestServer_RemovePhone(t *testing.T) { doubleRemoveUser := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) tests := []struct { name string diff --git a/internal/api/grpc/user/v2beta/integration_test/totp_test.go b/internal/api/grpc/user/v2beta/integration_test/totp_test.go index 4afe5e1f31..0917faa809 100644 --- a/internal/api/grpc/user/v2beta/integration_test/totp_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/totp_test.go @@ -20,12 +20,12 @@ import ( func TestServer_RegisterTOTP(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) type args struct { @@ -106,7 +106,7 @@ func TestServer_RegisterTOTP(t *testing.T) { func TestServer_VerifyTOTPRegistration(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) var reg *user.RegisterTOTPResponse @@ -123,7 +123,7 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) { otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{ @@ -214,11 +214,11 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) { func TestServer_RemoveTOTP(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified) _, err := Client.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{ UserId: userVerified.GetUserId(), diff --git a/internal/api/grpc/user/v2beta/integration_test/u2f_test.go b/internal/api/grpc/user/v2beta/integration_test/u2f_test.go index 6e47cbbb99..f03136a3aa 100644 --- a/internal/api/grpc/user/v2beta/integration_test/u2f_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/u2f_test.go @@ -22,9 +22,9 @@ func TestServer_RegisterU2F(t *testing.T) { // We also need a user session Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) type args struct { ctx context.Context @@ -108,7 +108,7 @@ func TestServer_RegisterU2F(t *testing.T) { func TestServer_VerifyU2FRegistration(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{ diff --git a/internal/api/grpc/user/v2beta/integration_test/user_test.go b/internal/api/grpc/user/v2beta/integration_test/user_test.go index 077ed02d0e..dd75986a3f 100644 --- a/internal/api/grpc/user/v2beta/integration_test/user_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/user_test.go @@ -31,6 +31,7 @@ import ( var ( CTX context.Context IamCTX context.Context + LoginCTX context.Context UserCTX context.Context SystemCTX context.Context Instance *integration.Instance @@ -46,6 +47,7 @@ func TestMain(m *testing.M) { UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission) IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) + LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin) SystemCTX = integration.WithSystemAuthorization(ctx) CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) Client = Instance.Client.UserV2beta diff --git a/internal/api/oidc/integration_test/oidc_test.go b/internal/api/oidc/integration_test/oidc_test.go index 8bb103d0eb..2b43154743 100644 --- a/internal/api/oidc/integration_test/oidc_test.go +++ b/internal/api/oidc/integration_test/oidc_test.go @@ -90,7 +90,7 @@ func Test_ZITADEL_API_missing_audience_scope(t *testing.T) { func Test_ZITADEL_API_missing_authentication(t *testing.T) { clientID, _ := createClient(t, Instance) authRequestID := createAuthRequest(t, Instance, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope) - createResp, err := Instance.Client.SessionV2.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Instance.Client.SessionV2.CreateSession(CTXLOGIN, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{UserId: User.GetUserId()}, diff --git a/internal/command/auth_request.go b/internal/command/auth_request.go index d60012637a..0ce8741b3b 100644 --- a/internal/command/auth_request.go +++ b/internal/command/auth_request.go @@ -137,6 +137,11 @@ func (c *Commands) FailAuthRequest(ctx context.Context, id string, reason domain if writeModel.AuthRequestState != domain.AuthRequestStateAdded { return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sx202nt", "Errors.AuthRequest.AlreadyHandled") } + if authz.GetCtxData(ctx).UserID != writeModel.LoginClient { + if err := c.checkPermission(ctx, domain.PermissionSessionLink, writeModel.ResourceOwner, ""); err != nil { + return nil, nil, err + } + } err = c.pushAppendAndReduce(ctx, writeModel, authrequest.NewFailedEvent( ctx, &authrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate, diff --git a/internal/command/auth_request_test.go b/internal/command/auth_request_test.go index c0b5f630f7..2d3c72b088 100644 --- a/internal/command/auth_request_test.go +++ b/internal/command/auth_request_test.go @@ -911,7 +911,8 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { func TestCommands_FailAuthRequest(t *testing.T) { mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient") type fields struct { - eventstore func(*testing.T) *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore + checkPermission domain.PermissionCheck } type args struct { ctx context.Context @@ -945,6 +946,45 @@ func TestCommands_FailAuthRequest(t *testing.T) { wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sx202nt", "Errors.AuthRequest.AlreadyHandled"), }, }, + { + "missing permission", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + authrequest.NewAddedEvent(mockCtx, &authrequest.NewAggregate("V2_id", "instanceID").Aggregate, + "login", + "clientID", + "redirectURI", + "state", + "nonce", + []string{"openid"}, + []string{"audience"}, + domain.OIDCResponseTypeCode, + domain.OIDCResponseModeQuery, + nil, + nil, + nil, + nil, + nil, + nil, + true, + "issuer", + ), + ), + ), + ), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args{ + ctx: mockCtx, + id: "V2_id", + reason: domain.OIDCErrorReasonLoginRequired, + }, + res{ + wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, + }, { "failed", fields{ @@ -977,6 +1017,7 @@ func TestCommands_FailAuthRequest(t *testing.T) { domain.OIDCErrorReasonLoginRequired), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: mockCtx, @@ -1006,7 +1047,8 @@ func TestCommands_FailAuthRequest(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore(t), + eventstore: tt.fields.eventstore(t), + checkPermission: tt.fields.checkPermission, } details, got, err := c.FailAuthRequest(tt.args.ctx, tt.args.id, tt.args.reason) require.ErrorIs(t, err, tt.res.wantErr) diff --git a/internal/command/device_auth.go b/internal/command/device_auth.go index ef6b069cc9..7d4a0f2070 100644 --- a/internal/command/device_auth.go +++ b/internal/command/device_auth.go @@ -136,6 +136,9 @@ func (c *Commands) CancelDeviceAuth(ctx context.Context, id string, reason domai if !model.State.Exists() { return nil, zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound") } + if err := c.checkPermission(ctx, domain.PermissionSessionLink, model.ResourceOwner, ""); err != nil { + return nil, err + } pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewCanceledEvent(ctx, model.aggregate, reason)) if err != nil { return nil, err diff --git a/internal/command/device_auth_test.go b/internal/command/device_auth_test.go index 021ae25d36..19c1601c88 100644 --- a/internal/command/device_auth_test.go +++ b/internal/command/device_auth_test.go @@ -578,7 +578,8 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { pushErr := errors.New("pushErr") type fields struct { - eventstore func(*testing.T) *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore + checkPermission domain.PermissionCheck } type args struct { ctx context.Context @@ -602,6 +603,26 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, wantErr: zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound"), }, + { + name: "missing permission, error", + fields: fields{ + eventstore: expectEventstore( + expectFilter(eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewAddedEvent( + ctx, + deviceauth.NewAggregate("123", "instance1"), + "client_id", "123", "456", now, + []string{"a", "b", "c"}, + []string{"projectID", "clientID"}, true, + ), + )), + ), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, + wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, { name: "push error", fields: fields{ @@ -623,6 +644,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, wantErr: pushErr, @@ -648,6 +670,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, wantDetails: &domain.ObjectDetails{ @@ -675,6 +698,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args: args{ctx, "123", domain.DeviceAuthCanceledExpired}, wantDetails: &domain.ObjectDetails{ @@ -685,7 +709,8 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore(t), + eventstore: tt.fields.eventstore(t), + checkPermission: tt.fields.checkPermission, } gotDetails, err := c.CancelDeviceAuth(tt.args.ctx, tt.args.id, tt.args.reason) require.ErrorIs(t, err, tt.wantErr) diff --git a/internal/command/saml_request.go b/internal/command/saml_request.go index 40e0643f0c..9331aed579 100644 --- a/internal/command/saml_request.go +++ b/internal/command/saml_request.go @@ -119,6 +119,9 @@ func (c *Commands) FailSAMLRequest(ctx context.Context, id string, reason domain if writeModel.SAMLRequestState != domain.SAMLRequestStateAdded { return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled") } + if err := c.checkPermission(ctx, domain.PermissionSessionLink, writeModel.ResourceOwner, ""); err != nil { + return nil, nil, err + } err = c.pushAppendAndReduce(ctx, writeModel, samlrequest.NewFailedEvent( ctx, &samlrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate, diff --git a/internal/command/saml_request_test.go b/internal/command/saml_request_test.go index c11c87ec48..49d211731c 100644 --- a/internal/command/saml_request_test.go +++ b/internal/command/saml_request_test.go @@ -786,7 +786,8 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) { func TestCommands_FailSAMLRequest(t *testing.T) { mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient") type fields struct { - eventstore func(t *testing.T) *eventstore.Eventstore + eventstore func(t *testing.T) *eventstore.Eventstore + checkPermission domain.PermissionCheck } type args struct { ctx context.Context @@ -820,7 +821,40 @@ func TestCommands_FailSAMLRequest(t *testing.T) { res{ wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled"), }, - }, { + }, + { + "missing permission", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + samlrequest.NewAddedEvent(mockCtx, &samlrequest.NewAggregate("V2_id", "instanceID").Aggregate, + "login", + "application", + "acs", + "relaystate", + "request", + "binding", + "issuer", + "destination", + "responseissuer", + ), + ), + ), + ), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args{ + ctx: mockCtx, + id: "V2_id", + reason: domain.SAMLErrorReasonAuthNFailed, + description: "desc", + }, + res{ + wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, + }, + { "already failed", fields{ eventstore: expectEventstore( @@ -843,6 +877,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: mockCtx, @@ -879,6 +914,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: mockCtx, @@ -908,7 +944,8 @@ func TestCommands_FailSAMLRequest(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore(t), + eventstore: tt.fields.eventstore(t), + checkPermission: tt.fields.checkPermission, } details, got, err := c.FailSAMLRequest(tt.args.ctx, tt.args.id, tt.args.reason) require.ErrorIs(t, err, tt.res.wantErr) diff --git a/internal/command/session.go b/internal/command/session.go index 3c06c22967..87eb56139b 100644 --- a/internal/command/session.go +++ b/internal/command/session.go @@ -285,7 +285,13 @@ func (s *SessionCommands) commands(ctx context.Context) (string, []eventstore.Co return token, s.eventCommands, nil } -func (c *Commands) CreateSession(ctx context.Context, cmds []SessionCommand, metadata map[string][]byte, userAgent *domain.UserAgent, lifetime time.Duration) (set *SessionChanged, err error) { +func (c *Commands) CreateSession( + ctx context.Context, + cmds []SessionCommand, + metadata map[string][]byte, + userAgent *domain.UserAgent, + lifetime time.Duration, +) (set *SessionChanged, err error) { sessionID, err := c.idGenerator.Next() if err != nil { return nil, err @@ -295,17 +301,29 @@ func (c *Commands) CreateSession(ctx context.Context, cmds []SessionCommand, met if err != nil { return nil, err } + if err = c.checkSessionWritePermission(ctx, sessionWriteModel, ""); err != nil { + return nil, err + } cmd := c.NewSessionCommands(cmds, sessionWriteModel) cmd.Start(ctx, userAgent) return c.updateSession(ctx, cmd, metadata, lifetime) } -func (c *Commands) UpdateSession(ctx context.Context, sessionID string, cmds []SessionCommand, metadata map[string][]byte, lifetime time.Duration) (set *SessionChanged, err error) { +func (c *Commands) UpdateSession( + ctx context.Context, + sessionID, sessionToken string, + cmds []SessionCommand, + metadata map[string][]byte, + lifetime time.Duration, +) (set *SessionChanged, err error) { sessionWriteModel := NewSessionWriteModel(sessionID, authz.GetInstance(ctx).InstanceID()) err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel) if err != nil { return nil, err } + if err = c.checkSessionWritePermission(ctx, sessionWriteModel, sessionToken); err != nil { + return nil, err + } cmd := c.NewSessionCommands(cmds, sessionWriteModel) return c.updateSession(ctx, cmd, metadata, lifetime) } @@ -380,6 +398,21 @@ func (c *Commands) updateSession(ctx context.Context, checks *SessionCommands, m return changed, nil } +// checkSessionWritePermission will check that the provided sessionToken is correct or +// if empty, check that the caller is granted the "session.write" permission on the resource owner of the authenticated user. +// In case the user is not set and the userResourceOwner is not set (also the case for the session creation), +// it will check permission on the instance. +func (c *Commands) checkSessionWritePermission(ctx context.Context, model *SessionWriteModel, sessionToken string) error { + if sessionToken != "" { + return c.sessionTokenVerifier(ctx, sessionToken, model.AggregateID, model.TokenID) + } + userResourceOwner, err := c.sessionUserResourceOwner(ctx, model) + if err != nil { + return err + } + return c.checkPermission(ctx, domain.PermissionSessionWrite, userResourceOwner, model.UserID) +} + // checkSessionTerminationPermission will check that the provided sessionToken is correct or // if empty, check that the caller is either terminating the own session or // is granted the "session.delete" permission on the resource owner of the authenticated user. diff --git a/internal/command/session_test.go b/internal/command/session_test.go index e65f32fb57..630feeea1a 100644 --- a/internal/command/session_test.go +++ b/internal/command/session_test.go @@ -145,8 +145,9 @@ func TestSessionCommands_getHumanWriteModel(t *testing.T) { func TestCommands_CreateSession(t *testing.T) { type fields struct { - idGenerator id.Generator - tokenCreator func(sessionID string) (string, string, error) + idGenerator id.Generator + tokenCreator func(sessionID string) (string, string, error) + checkPermission domain.PermissionCheck } type args struct { ctx context.Context @@ -194,6 +195,22 @@ func TestCommands_CreateSession(t *testing.T) { err: zerrors.ThrowInternal(nil, "id", "filter failed"), }, }, + { + "missing permission", + fields{ + idGenerator: mock.NewIDGeneratorExpectIDs(t, "sessionID"), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args{ + ctx: context.Background(), + }, + []expect{ + expectFilter(), + }, + res{ + err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, + }, { "negative lifetime", fields{ @@ -203,6 +220,7 @@ func TestCommands_CreateSession(t *testing.T) { "token", nil }, + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: authz.NewMockContext("instance1", "", ""), @@ -230,6 +248,7 @@ func TestCommands_CreateSession(t *testing.T) { "token", nil }, + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: authz.NewMockContext("instance1", "", ""), @@ -275,6 +294,7 @@ func TestCommands_CreateSession(t *testing.T) { eventstore: expectEventstore(tt.expect...)(t), idGenerator: tt.fields.idGenerator, sessionTokenCreator: tt.fields.tokenCreator, + checkPermission: tt.fields.checkPermission, } got, err := c.CreateSession(tt.args.ctx, tt.args.checks, tt.args.metadata, tt.args.userAgent, tt.args.lifetime) require.ErrorIs(t, err, tt.res.err) @@ -285,15 +305,17 @@ func TestCommands_CreateSession(t *testing.T) { func TestCommands_UpdateSession(t *testing.T) { type fields struct { - eventstore func(*testing.T) *eventstore.Eventstore - tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) + eventstore func(*testing.T) *eventstore.Eventstore + tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) + checkPermission domain.PermissionCheck } type args struct { - ctx context.Context - sessionID string - checks []SessionCommand - metadata map[string][]byte - lifetime time.Duration + ctx context.Context + sessionID string + sessionToken string + checks []SessionCommand + metadata map[string][]byte + lifetime time.Duration } type res struct { want *SessionChanged @@ -319,6 +341,67 @@ func TestCommands_UpdateSession(t *testing.T) { err: zerrors.ThrowInternal(nil, "id", "filter failed"), }, }, + { + "invalid session token", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + session.NewAddedEvent(context.Background(), + &session.NewAggregate("sessionID", "instance1").Aggregate, + &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + )), + eventFromEventPusher( + session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, + "tokenID")), + ), + ), + tokenVerifier: newMockTokenVerifierInvalid(), + }, + args{ + ctx: context.Background(), + sessionID: "sessionID", + sessionToken: "invalid", + }, + res{ + err: zerrors.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid"), + }, + }, + { + "no token, no permission", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + session.NewAddedEvent(context.Background(), + &session.NewAggregate("sessionID", "instance1").Aggregate, + &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + )), + eventFromEventPusher( + session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, + "tokenID")), + ), + ), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args{ + ctx: context.Background(), + sessionID: "sessionID", + }, + res{ + err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, + }, { "no change", fields{ @@ -344,8 +427,9 @@ func TestCommands_UpdateSession(t *testing.T) { }, }, args{ - ctx: context.Background(), - sessionID: "sessionID", + ctx: context.Background(), + sessionID: "sessionID", + sessionToken: "token", }, res{ want: &SessionChanged{ @@ -364,8 +448,9 @@ func TestCommands_UpdateSession(t *testing.T) { c := &Commands{ eventstore: tt.fields.eventstore(t), sessionTokenVerifier: tt.fields.tokenVerifier, + checkPermission: tt.fields.checkPermission, } - got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.checks, tt.args.metadata, tt.args.lifetime) + got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.sessionToken, tt.args.checks, tt.args.metadata, tt.args.lifetime) require.ErrorIs(t, err, tt.res.err) assert.Equal(t, tt.res.want, got) })