feat: add SYSTEM_OWNER role (#6765)

* define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch>
2025-08-11 21:17:32 +00:00 · 2023-10-25 17:10:45 +02:00
parent c8b9b0ac75
commit 4980cd6a0c
34 changed files with 959 additions and 410 deletions
--- a/internal/api/http/middleware/activity_interceptor.go
+++ b/internal/api/http/middleware/activity_interceptor.go
@@ -2,31 +2,13 @@ package middleware

 import (
 	"net/http"
-	"strings"

 	"github.com/zitadel/zitadel/internal/api/info"
 )

-func ActivityHandler(handlerPrefixes []string) func(next http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			ctx := r.Context()
-			activityInfo := info.ActivityInfoFromContext(ctx)
-			hasPrefix := false
-			// only add path to context if handler is called
-			for _, prefix := range handlerPrefixes {
-				if strings.HasPrefix(r.URL.Path, prefix) {
-					activityInfo.SetPath(r.URL.Path)
-					hasPrefix = true
-					break
-				}
-			}
-			// last call is with grpc method as path
-			if !hasPrefix {
-				activityInfo.SetMethod(r.URL.Path)
-			}
-			ctx = activityInfo.SetRequestMethod(r.Method).IntoContext(ctx)
-			next.ServeHTTP(w, r.WithContext(ctx))
-		})
-	}
+func ActivityHandler(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := info.ActivityInfoFromContext(r.Context()).SetPath(r.URL.Path).SetRequestMethod(r.Method).IntoContext(r.Context())
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
 }
--- a/internal/api/http/middleware/auth_interceptor.go
+++ b/internal/api/http/middleware/auth_interceptor.go
@@ -11,11 +11,11 @@ import (
 )

 type AuthInterceptor struct {
-	verifier   *authz.TokenVerifier
+	verifier   authz.APITokenVerifier
 	authConfig authz.Config
 }

-func AuthorizationInterceptor(verifier *authz.TokenVerifier, authConfig authz.Config) *AuthInterceptor {
+func AuthorizationInterceptor(verifier authz.APITokenVerifier, authConfig authz.Config) *AuthInterceptor {
 	return &AuthInterceptor{
 		verifier:   verifier,
 		authConfig: authConfig,
@@ -48,7 +48,7 @@ func (a *AuthInterceptor) HandlerFunc(next http.HandlerFunc) http.HandlerFunc {

 type httpReq struct{}

-func authorize(r *http.Request, verifier *authz.TokenVerifier, authConfig authz.Config) (_ context.Context, err error) {
+func authorize(r *http.Request, verifier authz.APITokenVerifier, authConfig authz.Config) (_ context.Context, err error) {
 	ctx := r.Context()
 	authOpt, needsToken := verifier.CheckAuthMethod(r.Method + ":" + r.RequestURI)
 	if !needsToken {