feat: add SYSTEM_OWNER role (#6765)

* define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch>
2025-08-11 19:07:30 +00:00 · 2023-10-25 17:10:45 +02:00
parent c8b9b0ac75
commit 4980cd6a0c
34 changed files with 959 additions and 410 deletions
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -28,7 +28,7 @@ import (
 type API struct {
 	port              uint16
 	grpcServer        *grpc.Server
-	verifier          *internal_authz.TokenVerifier
+	verifier          internal_authz.APITokenVerifier
 	health            healthCheck
 	router            *mux.Router
 	http1HostName     string
@@ -47,7 +47,7 @@ func New(
 	port uint16,
 	router *mux.Router,
 	queries *query.Queries,
-	verifier *internal_authz.TokenVerifier,
+	verifier internal_authz.APITokenVerifier,
 	authZ internal_authz.Config,
 	tlsConfig *tls.Config, http2HostName, http1HostName string,
 	accessInterceptor *http_mw.AccessInterceptor,