feat: add SYSTEM_OWNER role (#6765)

* define roles and permissions

* support system user memberships

* don't limit system users

* cleanup permissions

* restrict memberships to aggregates

* default to SYSTEM_OWNER

* update unit tests

* test: system user token test (#6778)

* update unit tests

* refactor: make authz testable

* move session constants

* cleanup

* comment

* comment

* decode member type string to enum (#6780)

* decode member type string to enum

* handle all membership types

* decode enums where necessary

* decode member type in steps config

* update system api docs

* add technical advisory

* tweak docs a bit

* comment in comment

* lint

* extract token from Bearer header prefix

* review changes

* fix tests

* fix: add fix for activityhandler

* add isSystemUser

* remove IsSystemUser from activity info

* fix: add fix for activityhandler

---------

Co-authored-by: Stefan Benz <stefan@caos.ch>

cmd/start/config.go

@@ -24,6 +24,7 @@ import (
 	"github.com/zitadel/zitadel/internal/config/systemdefaults"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/id"
 	"github.com/zitadel/zitadel/internal/logstore"
@@ -92,7 +93,8 @@ func MustNewConfig(v *viper.Viper) *Config {
 			database.DecodeHook,
 			actions.HTTPConfigDecodeHook,
 			systemAPIUsersDecodeHook,
-			hook.StringToFeatureHookFunc(),
+			hook.EnumHookFunc(domain.FeatureString),
+			hook.EnumHookFunc(internal_authz.MemberTypeString),
 		)),
 	)
 	logging.OnError(err).Fatal("unable to read config")

cmd/start/config_test.go

@@ -0,0 +1,84 @@
+package start
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/spf13/viper"
+	"github.com/stretchr/testify/require"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/actions"
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/domain"
+)
+
+func TestMustNewConfig(t *testing.T) {
+	type args struct {
+		yaml string
+	}
+	tests := []struct {
+		name string
+		args args
+		want *Config
+	}{{
+		name: "features ok",
+		args: args{yaml: `
+DefaultInstance:
+  Features:
+  - FeatureLoginDefaultOrg: true
+`},
+		want: &Config{
+			DefaultInstance: command.InstanceSetup{
+				Features: map[domain.Feature]any{
+					domain.FeatureLoginDefaultOrg: true,
+				},
+			},
+		},
+	}, {
+		name: "membership types ok",
+		args: args{yaml: `
+SystemAPIUsers:
+- superuser:
+    Memberships:
+    - MemberType: System
+    - MemberType: Organization
+    - MemberType: IAM
+`},
+		want: &Config{
+			SystemAPIUsers: map[string]*authz.SystemAPIUser{
+				"superuser": {
+					Memberships: authz.Memberships{{
+						MemberType: authz.MemberTypeSystem,
+					}, {
+						MemberType: authz.MemberTypeOrganization,
+					}, {
+						MemberType: authz.MemberTypeIAM,
+					}},
+				},
+			},
+		},
+	}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			v := viper.New()
+			v.SetConfigType("yaml")
+			err := v.ReadConfig(strings.NewReader(`Log:
+  Level: info
+Actions:
+  HTTP:
+    DenyList: []
+` + tt.args.yaml))
+			require.NoError(t, err)
+			tt.want.Log = &logging.Config{Level: "info"}
+			tt.want.Actions = &actions.Config{HTTP: actions.HTTPConfig{DenyList: []actions.AddressChecker{}}}
+			require.NoError(t, tt.want.Log.SetLogger())
+			got := MustNewConfig(v)
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("MustNewConfig() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

cmd/start/start.go

@@ -320,8 +320,13 @@ func startAPIs(
 	// always set the origin in the context if available in the http headers, no matter for what protocol
 	router.Use(middleware.OriginHandler)
 	// adds used HTTPPathPattern and RequestMethod to context
-	router.Use(middleware.ActivityHandler(append(oidcPrefixes, saml.HandlerPrefix, admin.GatewayPathPrefix(), management.GatewayPathPrefix())))
-	verifier := internal_authz.Start(repo, http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure), config.SystemAPIUsers)
+	router.Use(middleware.ActivityHandler)
+	systemTokenVerifier, err := internal_authz.StartSystemTokenVerifierFromConfig(http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure), config.SystemAPIUsers)
+	if err != nil {
+		return err
+	}
+	accessTokenVerifer := internal_authz.StartAccessTokenVerifierFromRepo(repo)
+	verifier := internal_authz.StartAPITokenVerifier(repo, accessTokenVerifer, systemTokenVerifier)
 	tlsConfig, err := config.TLS.Config()
 	if err != nil {
 		return err