feat: add SYSTEM_OWNER role (#6765)

* define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch>
2025-08-12 00:27:31 +00:00 · 2023-10-25 17:10:45 +02:00
parent c8b9b0ac75
commit 4980cd6a0c
34 changed files with 959 additions and 410 deletions
--- a/internal/api/authz/api_token_verifier.go
+++ b/internal/api/authz/api_token_verifier.go
@@ -0,0 +1,69 @@
+package authz
+
+import (
+	"context"
+	"sync"
+
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+)
+
+// TODO: Define interfaces where they are accepted
+type APITokenVerifier interface {
+	AccessTokenVerifier
+	SystemTokenVerifier
+	RegisterServer(appName, methodPrefix string, mappings MethodMapping)
+	CheckAuthMethod(method string) (Option, bool)
+	ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (_ string, _ []string, err error)
+	ExistsOrg(ctx context.Context, id, domain string) (orgID string, err error)
+	SearchMyMemberships(ctx context.Context, orgID string, shouldTriggerBulk bool) (_ []*Membership, err error)
+}
+
+type ApiTokenVerifier struct {
+	AccessTokenVerifier
+	SystemTokenVerifier
+	authZRepo   authZRepo
+	clients     sync.Map
+	authMethods MethodMapping
+}
+
+func StartAPITokenVerifier(authZRepo authZRepo, accessTokenVerifier AccessTokenVerifier, systemTokenVerifier SystemTokenVerifier) *ApiTokenVerifier {
+	return &ApiTokenVerifier{
+		authZRepo:           authZRepo,
+		SystemTokenVerifier: systemTokenVerifier,
+		AccessTokenVerifier: accessTokenVerifier,
+	}
+}
+
+func (v *ApiTokenVerifier) RegisterServer(appName, methodPrefix string, mappings MethodMapping) {
+	v.clients.Store(methodPrefix, &client{name: appName})
+	if v.authMethods == nil {
+		v.authMethods = make(map[string]Option)
+	}
+	for method, option := range mappings {
+		v.authMethods[method] = option
+	}
+}
+
+func (v *ApiTokenVerifier) SearchMyMemberships(ctx context.Context, orgID string, shouldTriggerBulk bool) (_ []*Membership, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+	return v.authZRepo.SearchMyMemberships(ctx, orgID, shouldTriggerBulk)
+}
+
+func (v *ApiTokenVerifier) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (_ string, _ []string, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	return v.authZRepo.ProjectIDAndOriginsByClientID(ctx, clientID)
+}
+
+func (v *ApiTokenVerifier) ExistsOrg(ctx context.Context, id, domain string) (orgID string, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+	return v.authZRepo.ExistsOrg(ctx, id, domain)
+}
+
+func (v *ApiTokenVerifier) CheckAuthMethod(method string) (Option, bool) {
+	authOpt, ok := v.authMethods[method]
+	return authOpt, ok
+}