feat: add SYSTEM_OWNER role (#6765)

* define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch>
2025-08-11 18:17:35 +00:00 · 2023-10-25 17:10:45 +02:00
parent c8b9b0ac75
commit 4980cd6a0c
34 changed files with 959 additions and 410 deletions
--- a/internal/activity/activity.go
+++ b/internal/activity/activity.go
@@ -45,29 +45,47 @@ func (t TriggerMethod) String() string {
 }

 func Trigger(ctx context.Context, orgID, userID string, trigger TriggerMethod) {
-	triggerLog(authz.GetInstance(ctx).InstanceID(), orgID, userID, http_utils.ComposedOrigin(ctx), trigger, info.ActivityInfoFromContext(ctx))
+	ai := info.ActivityInfoFromContext(ctx)
+	triggerLog(
+		authz.GetInstance(ctx).InstanceID(),
+		orgID,
+		userID,
+		http_utils.ComposedOrigin(ctx),
+		trigger,
+		ai.Method,
+		ai.Path,
+		ai.RequestMethod,
+		authz.GetCtxData(ctx).SystemMemberships != nil,
+	)
 }

 func TriggerWithContext(ctx context.Context, trigger TriggerMethod) {
-	data := authz.GetCtxData(ctx)
 	ai := info.ActivityInfoFromContext(ctx)
-	// if GRPC call, path is prefilled with the grpc fullmethod and method is empty
-	if ai.Method == "" {
-		ai.Method = ai.Path
-		ai.Path = ""
-	}
-	triggerLog(authz.GetInstance(ctx).InstanceID(), data.OrgID, data.UserID, http_utils.ComposedOrigin(ctx), trigger, ai)
+	// GRPC call the method is contained in the HTTP request path
+	method := ai.Path
+	triggerLog(
+		authz.GetInstance(ctx).InstanceID(),
+		authz.GetCtxData(ctx).OrgID,
+		authz.GetCtxData(ctx).UserID,
+		http_utils.ComposedOrigin(ctx),
+		trigger,
+		method,
+		"",
+		ai.RequestMethod,
+		authz.GetCtxData(ctx).SystemMemberships != nil,
+	)
 }

-func triggerLog(instanceID, orgID, userID, domain string, trigger TriggerMethod, ai *info.ActivityInfo) {
+func triggerLog(instanceID, orgID, userID, domain string, trigger TriggerMethod, method, path, requestMethod string, isSystemUser bool) {
 	logging.WithFields(
 		"instance", instanceID,
 		"org", orgID,
 		"user", userID,
 		"domain", domain,
 		"trigger", trigger.String(),
-		"method", ai.Method,
-		"path", ai.Path,
-		"requestMethod", ai.RequestMethod,
+		"method", method,
+		"path", path,
+		"requestMethod", requestMethod,
+		"isSystemUser", isSystemUser,
 	).Info(Activity)
 }