feat: add SYSTEM_OWNER role (#6765)

* define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch>
2025-08-13 02:58:11 +00:00 · 2023-10-25 17:10:45 +02:00
parent c8b9b0ac75
commit 4980cd6a0c
34 changed files with 959 additions and 410 deletions
--- a/internal/api/authz/access_token_test.go
+++ b/internal/api/authz/access_token_test.go
@@ -0,0 +1,66 @@
+package authz
+
+import (
+	"context"
+	"testing"
+
+	"github.com/zitadel/zitadel/internal/errors"
+)
+
+func Test_extractBearerToken(t *testing.T) {
+
+	type args struct {
+		ctx      context.Context
+		token    string
+		verifier AccessTokenVerifier
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "no auth header set",
+			args: args{
+				ctx:   context.Background(),
+				token: "",
+			},
+			wantErr: true,
+		},
+		{
+			name: "wrong auth header set",
+			args: args{
+				ctx:   context.Background(),
+				token: "Basic sds",
+			},
+			wantErr: true,
+		},
+		{
+			name: "auth header set",
+			args: args{
+				ctx:   context.Background(),
+				token: "Bearer AUTH",
+				verifier: AccessTokenVerifierFunc(func(context.Context, string) (string, string, string, string, string, error) {
+					return "", "", "", "", "", nil
+				}),
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := extractBearerToken(tt.args.token)
+			if tt.wantErr && err == nil {
+				t.Errorf("got wrong result, should get err: actual: %v ", err)
+			}
+
+			if !tt.wantErr && err != nil {
+				t.Errorf("got wrong result, should not get err: actual: %v ", err)
+			}
+
+			if tt.wantErr && !errors.IsUnauthenticated(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}