From 4c942f3477b073e3e270079e6424b2b3797765d6 Mon Sep 17 00:00:00 2001 
From: Livio Spring Date: Tue, 15 Jul 2025 07:38:00 -0400 Subject: [PATCH] Merge commit from fork * fix: require permission to create and update session * fix: require permission to fail auth requests * merge main and fix integration tests * fix merge * fix integration tests * fix integration tests * fix saml permission check --- cmd/defaults.yaml | 14 +- .../oidc/v2/integration_test/oidc_test.go | 175 +++++++++++------- .../oidc/v2beta/integration_test/oidc_test.go | 127 +++++++------ .../saml/v2/integration_test/saml_test.go | 114 ++++++++---- .../saml/v2/integration_test/server_test.go | 2 + .../session/v2/integration_test/query_test.go | 12 +- .../v2/integration_test/session_test.go | 78 ++++---- internal/api/grpc/session/v2/session.go | 2 +- .../v2beta/integration_test/query_test.go | 30 +-- .../v2beta/integration_test/server_test.go | 2 + .../v2beta/integration_test/session_test.go | 82 ++++---- internal/api/grpc/session/v2beta/session.go | 10 +- .../grpc/user/v2/integration_test/otp_test.go | 20 +- .../user/v2/integration_test/passkey_test.go | 2 +- .../user/v2/integration_test/phone_test.go | 2 +- .../user/v2/integration_test/totp_test.go | 12 +- .../grpc/user/v2/integration_test/u2f_test.go | 6 +- .../user/v2/integration_test/user_test.go | 6 +- .../user/v2beta/integration_test/otp_test.go | 18 +- .../v2beta/integration_test/passkey_test.go | 2 +- .../v2beta/integration_test/phone_test.go | 2 +- .../user/v2beta/integration_test/totp_test.go | 12 +- .../user/v2beta/integration_test/u2f_test.go | 6 +- .../user/v2beta/integration_test/user_test.go | 2 + .../api/oidc/integration_test/oidc_test.go | 2 +- internal/command/auth_request.go | 5 + internal/command/auth_request_test.go | 46 ++++- internal/command/device_auth.go | 3 + internal/command/device_auth_test.go | 29 ++- internal/command/saml_request.go | 3 + internal/command/saml_request_test.go | 43 ++++- internal/command/session.go | 37 +++- internal/command/session_test.go | 109 +++++++++-- 33 files 
changed, 681 insertions(+), 334 deletions(-)
diff --git a/cmd/defaults.yaml b/cmd/defaults.yaml
index 2faf42770b..5b3c91ec6f 100644
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -1358,6 +1358,7 @@ InternalAuthZ:
 - "events.read"
 - "milestones.read"
 - "session.read"
+ - "session.write"
 - "session.delete"
 - "action.target.read"
 - "action.target.write"
@@ -1367,8 +1368,6 @@ InternalAuthZ:
 - "userschema.read"
 - "userschema.write"
 - "userschema.delete"
- - "session.read"
- - "session.delete"
 - Role: "IAM_OWNER_VIEWER"
 Permissions:
 - "iam.read"
@@ -1462,6 +1461,7 @@ InternalAuthZ:
 - "project.grant.member.read"
 - "project.grant.member.write"
 - "project.grant.member.delete"
+ - "session.read"
 - "session.delete"
 - Role: "IAM_USER_MANAGER"
 Permissions:
@@ -1489,6 +1489,7 @@ InternalAuthZ:
 - "project.grant.write"
 - "project.grant.delete"
 - "project.grant.member.read"
+ - "session.read"
 - "session.delete"
 - Role: "IAM_ADMIN_IMPERSONATOR"
 Permissions:
@@ -1552,6 +1553,7 @@ InternalAuthZ:
 - "project.grant.member.read"
 - "project.grant.member.write"
 - "project.grant.member.delete"
+ - "session.read"
 - "session.delete"
 - Role: "IAM_LOGIN_CLIENT"
 Permissions:
@@ -1587,6 +1589,7 @@ InternalAuthZ:
 - "project.grant.member.read"
 - "project.grant.member.write"
 - "session.read"
+ - "session.write"
 - "session.link"
 - "session.delete"
 - "userschema.read"
@@ -1607,6 +1610,7 @@ InternalAuthZ:
 - "policy.read"
 - "project.read"
 - "project.role.read"
+ - "session.read"
 - "session.delete"
 - Role: "ORG_OWNER_VIEWER"
 Permissions:
@@ -1914,6 +1918,7 @@ SystemAuthZ:
 - "events.read"
 - "milestones.read"
 - "session.read"
+ - "session.write"
 - "session.delete"
 - "action.target.read"
 - "action.target.write"
@@ -1923,8 +1928,6 @@ SystemAuthZ:
 - "userschema.read"
 - "userschema.write"
 - "userschema.delete"
- - "session.read"
- - "session.delete"
 - Role: "IAM_OWNER_VIEWER"
 Permissions:
 - "iam.read"
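Review bot: Because `session.write` becomes mandatory for creating and updating sessions in this patch, deployments that override the `InternalAuthZ`/`SystemAuthZ` role mappings in their own config will silently lose that ability for the roles touched here (the `IAM_LOGIN_CLIENT` list at @@ -1587 / @@ -2087 and the list at @@ -1358 / @@ -1914) until they add the new entry; a note above the first `session.write` entry, e.g. `# session.write is required to create and update sessions; custom role mappings must grant it explicitly`, plus a changelog line, would make the upgrade impact visible. The roles that gain `session.read` at @@ -1462, @@ -1489, @@ -1552 and @@ -1610 (mirrored at @@ -2018 and @@ -2045) are identifiable only from the `- Role:` line that follows each addition, so the hunks alone do not show which role's read access widened. The removals at @@ -1367 and @@ -1923 appear to drop `session.read`/`session.delete` entries that the @@ -1358 / @@ -1914 context shows already present earlier in the same role's list; stating that they are duplicates in the commit message would save the next reader the cross-check.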
@@ -2018,6 +2021,7 @@ SystemAuthZ: - "project.grant.member.read" - "project.grant.member.write" - "project.grant.member.delete" + - "session.read" - "session.delete" - Role: "IAM_USER_MANAGER" Permissions: @@ -2045,6 +2049,7 @@ SystemAuthZ: - "project.grant.write" - "project.grant.delete" - "project.grant.member.read" + - "session.read" - "session.delete" - Role: "IAM_ADMIN_IMPERSONATOR" Permissions: @@ -2087,6 +2092,7 @@ SystemAuthZ: - "project.grant.member.read" - "project.grant.member.write" - "session.read" + - "session.write" - "session.link" - "session.delete" - "userschema.read" diff --git a/internal/api/grpc/oidc/v2/integration_test/oidc_test.go b/internal/api/grpc/oidc/v2/integration_test/oidc_test.go index 187dc922fc..31d6177201 100644 --- a/internal/api/grpc/oidc/v2/integration_test/oidc_test.go +++ b/internal/api/grpc/oidc/v2/integration_test/oidc_test.go @@ -102,7 +102,7 @@ func TestServer_CreateCallback(t *testing.T) { require.NoError(t, err) clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) require.NoError(t, err) - sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID) + sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID) tests := []struct { name string @@ -113,7 +113,7 @@ func TestServer_CreateCallback(t *testing.T) { }{ { name: "Not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: "123", CallbackKind: &oidc_pb.CreateCallbackRequest_Session{ 
@@ -127,10 +127,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "session not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -145,10 +145,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "session token invalid", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -163,10 +163,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "fail callback", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), 
@@ -192,7 +192,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), @@ -214,11 +214,30 @@ func TestServer_CreateCallback(t *testing.T) { wantErr: false, }, { - name: "code callback", + name: "fail callback, no permission, error", ctx: CTX, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") + require.NoError(t, err) + return authRequestID + }(), + CallbackKind: &oidc_pb.CreateCallbackRequest_Error{ + Error: &oidc_pb.AuthorizationError{ + Error: oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED, + ErrorDescription: gu.Ptr("nope"), + ErrorUri: gu.Ptr("https://example.com/docs"), + }, + }, + }, + wantErr: true, + }, + { + name: "code callback", + ctx: CTXLoginClient, + req: &oidc_pb.CreateCallbackRequest{ + AuthRequestId: func() string { + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), 
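Review bot: The new `fail callback, no permission, error` case at @@ -214 only sets `wantErr: true`, so the table cannot distinguish the permission denial this commit introduces from a not-found or validation error on the same path. Since the permission check is the behaviour under test, the case would be stronger with an expected status, e.g. a `wantErrCode codes.Code` field checked via `assert.Equal(t, tt.wantErrCode, status.Code(err))` when non-zero. The same applies to the `deny device authorization, no permission, error` case added at @@ -796 later in this file. The assertion loop of TestServer_CreateCallback is outside the hunk, so if it already inspects the status code this can be disregarded.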
@@ -243,7 +262,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTX, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), @@ -261,7 +280,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), @@ -283,12 +302,12 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "implicit", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { client, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, nil) require.NoError(t, err) - authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit) + authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURIImplicit) require.NoError(t, err) return authRequestID }(), 
@@ -315,7 +334,7 @@ func TestServer_CreateCallback(t *testing.T) { AuthRequestId: func() string { clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, loginV2) require.NoError(t, err) - authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit) + authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURIImplicit) require.NoError(t, err) return authRequestID }(), @@ -363,7 +382,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }{ { name: "usergrant to project and different resourceowner with different project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID2, _ := createOIDCApplication(ctx, t, true, true) @@ -373,13 +392,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant to project and different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) 
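Review bot: With `ctx` switched to `CTXLoginClient` at @@ -363 and in every following case of TestServer_CreateCallback_Permission (through @@ -607), the `dep` closures now also run their fixture setup — `createOIDCApplication(ctx, …)`, `Instance.CreateOrganization(ctx, …)`, `Instance.CreateHumanUserVerified(ctx, …)`, `Instance.CreateProjectUserGrant(t, ctx, …)` — as the login client, so a failure in a `wantErr: true` case may now stem from the login client lacking a setup permission rather than from the callback permission check under test. Keeping the fixture setup on the admin context and passing the login-client context only to `createSessionAndAuthRequestForCallback` and the `CreateCallback` call, e.g. `projectID, clientID := createOIDCApplication(CTX, t, true, true)`, would keep the negative cases meaningful. The test's loop body is outside the hunk, so how `tt.ctx` is otherwise used is not visible here.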
@@ -388,7 +407,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, @@ -400,7 +419,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "usergrant to project grant and different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -409,7 +428,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -421,31 +440,31 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "no usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, true) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "no usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, true) user := Instance.CreateHumanUser(ctx) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) 
@@ -453,19 +472,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -477,13 +496,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -495,25 +514,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, false) user := Instance.CreateHumanUser(ctx) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "projectRoleCheck, usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -525,19 +544,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "projectRoleCheck, usergrant on project grant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) @@ -545,7 +564,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -557,25 +576,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant on project grant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "hasProjectCheck, same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { user := Instance.CreateHumanUser(ctx) _, clientID := createOIDCApplication(ctx, t, false, true) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -587,19 +606,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "hasProjectCheck, different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, false, true) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "hasProjectCheck, different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, false, true) @@ -607,7 +626,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -655,15 +674,15 @@ func TestServer_GetDeviceAuthorizationRequest(t *testing.T) { UserCode: "notFound", }, nil }, - ctx: CTX, + ctx: CTXLoginClient, wantErr: true, }, { name: "success", dep: func() (*oidc.DeviceAuthorizationResponse, error) { - return Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + return Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") }, - ctx: CTX, + ctx: CTXLoginClient, }, } for _, tt := range tests { @@ -671,7 +690,7 @@ func TestServer_GetDeviceAuthorizationRequest(t *testing.T) { deviceAuth, err := tt.dep() require.NoError(t, err) - retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute) + retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTXLoginClient, time.Minute) require.EventuallyWithT(t, func(ttt *assert.CollectT) { got, err := Client.GetDeviceAuthorizationRequest(tt.ctx, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: deviceAuth.UserCode, @@ -697,7 +716,7 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { project := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false) client, err := Instance.CreateOIDCClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE) require.NoError(t, err) - sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID) + sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID) tests := []struct { name string @@ -710,7 +729,7 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { }{ { name: "Not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: "123", Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session{ 
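Review bot: `integration.WaitForAndTickWithMaxDuration(CTXLoginClient, time.Minute)` at @@ -671 (and the identical change at @@ -75 in the v2beta file) swaps the context handed to a wait/tick helper; if that helper only derives its deadline from the argument, the authorization identity carried by the context is irrelevant there and the change is noise in a security-relevant diff. Keeping `retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute)` and using `tt.ctx`/`CTXLoginClient` only for the RPCs would separate the timing from the identity under test. The helper's implementation is not part of this patch, so this is inferred from its name and signature.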
@@ -724,14 +743,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { }, { name: "session not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(t, err) @@ -750,14 +769,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { }, { name: "session token invalid", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(collectT, err) 
@@ -776,14 +795,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { }, { name: "deny device authorization", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(collectT, err) 
@@ -796,16 +815,38 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}, wantErr: false, }, + { + name: "deny device authorization, no permission, error", + ctx: CTX, + req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ + DeviceAuthorizationId: func() string { + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") + require.NoError(t, err) + var id string + assert.EventuallyWithT(t, func(collectT *assert.CollectT) { + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + UserCode: req.UserCode, + }) + assert.NoError(collectT, err) + id = resp.GetDeviceAuthorizationRequest().GetId() + }, 5*time.Second, 100*time.Millisecond) + return id + }(), + Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Deny{}, + }, + want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}, + wantErr: true, + }, { name: "authorize, no permission, error", ctx: CTX, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(collectT, err) 
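Review bot: The new `deny device authorization, no permission, error` case at @@ -796 sets both `want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}` and `wantErr: true`; if the loop returns after asserting the error (its body is outside the hunk), the `want` is never compared and reads as copied from the success case directly above — dropping the `want` line makes the expectation unambiguous. Separately, the `DeviceAuthorizationId: func() string {…}()` closure is now repeated verbatim in five cases of this table; extracting it into a helper keyed by client id would be a worthwhile follow-up and would also reconcile the `assert.NoError(t, err)` used inside `EventuallyWithT` in the `session not found` case at @@ -724 with the `collectT` the other copies use.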
@@ -827,11 +868,11 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ DeviceAuthorizationId: func() string { - req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") + req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid") require.NoError(t, err) var id string assert.EventuallyWithT(t, func(collectT *assert.CollectT) { - resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ + resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{ UserCode: req.UserCode, }) assert.NoError(collectT, err) diff --git a/internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go b/internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go index bd02f9e068..303cdd3ad5 100644 --- a/internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go +++ b/internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go 
@@ -39,22 +39,22 @@ func TestServer_GetAuthRequest(t *testing.T) { dep: func() (time.Time, string, error) { return time.Now(), "123", nil }, - ctx: CTX, + ctx: CTXLoginClient, wantErr: true, }, { name: "success", dep: func() (time.Time, string, error) { - return Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI) + return Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI) }, - ctx: CTX, + ctx: CTXLoginClient, }, { name: "without login client, no permission", dep: func() (time.Time, string, error) { client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) require.NoError(t, err) - return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "") + return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, client.GetClientId(), redirectURI, "") }, ctx: CTX, wantErr: true, @@ -64,7 +64,7 @@ func TestServer_GetAuthRequest(t *testing.T) { dep: func() (time.Time, string, error) { client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) require.NoError(t, err) - return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "") + return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, client.GetClientId(), redirectURI, "") }, ctx: CTXLoginClient, 
@@ -75,7 +75,7 @@ func TestServer_GetAuthRequest(t *testing.T) { now, authRequestID, err := tt.dep() require.NoError(t, err) - retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute) + retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTXLoginClient, time.Minute) require.EventuallyWithT(t, func(ttt *assert.CollectT) { got, err := Client.GetAuthRequest(tt.ctx, &oidc_pb.GetAuthRequestRequest{ AuthRequestId: authRequestID, @@ -101,7 +101,7 @@ func TestServer_CreateCallback(t *testing.T) { require.NoError(t, err) clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) require.NoError(t, err) - sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID) + sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID) tests := []struct { name string @@ -114,7 +114,7 @@ func TestServer_CreateCallback(t *testing.T) { }{ { name: "Not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: "123", CallbackKind: &oidc_pb.CreateCallbackRequest_Session{ @@ -128,10 +128,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "session not found", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI) require.NoError(t, err) return authRequestID }(), 
@@ -146,10 +146,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "session token invalid", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -164,10 +164,10 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "fail callback", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -193,7 +193,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), 
@@ -215,11 +215,30 @@ func TestServer_CreateCallback(t *testing.T) { wantErr: false, }, { - name: "code callback", + name: "fail callback, no permission, error", ctx: CTX, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) + require.NoError(t, err) + return authRequestID + }(), + CallbackKind: &oidc_pb.CreateCallbackRequest_Error{ + Error: &oidc_pb.AuthorizationError{ + Error: oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED, + ErrorDescription: gu.Ptr("nope"), + ErrorUri: gu.Ptr("https://example.com/docs"), + }, + }, + }, + wantErr: true, + }, + { + name: "code callback", + ctx: CTXLoginClient, + req: &oidc_pb.CreateCallbackRequest{ + AuthRequestId: func() string { + _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI) require.NoError(t, err) return authRequestID }(), @@ -244,7 +263,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTX, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), 
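Review bot: The new `fail callback, no permission, error` case only sets `wantErr: true`, so it cannot tell a permission rejection apart from any other failure of the same request, and the same holds for the new `fail callback, no permission, error` and `callback, no permission, error` cases in saml_test.go (hunks `@@ -219,10 +226,29 @@` and `@@ -273,11 +300,30 @@`). Since these cases exist specifically to prove the permission check the commit adds, the runner's `tt.wantErr` branch (outside this hunk) should also pin the status, e.g. `require.Equal(t, codes.PermissionDenied, status.Code(err))` with `google.golang.org/grpc/codes` and `/status`, or whichever error-matching helper the integration package already provides. A `wantErrCode` field left unset for the existing error cases would keep those cases unchanged.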
@@ -262,7 +281,7 @@ func TestServer_CreateCallback(t *testing.T) { ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { - _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") + _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "") require.NoError(t, err) return authRequestID }(), @@ -284,12 +303,12 @@ func TestServer_CreateCallback(t *testing.T) { }, { name: "implicit", - ctx: CTX, + ctx: CTXLoginClient, req: &oidc_pb.CreateCallbackRequest{ AuthRequestId: func() string { client, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, nil) require.NoError(t, err) - authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit) + authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURIImplicit) require.NoError(t, err) return authRequestID }(), @@ -316,7 +335,7 @@ func TestServer_CreateCallback(t *testing.T) { AuthRequestId: func() string { clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, loginV2) require.NoError(t, err) - authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit) + authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURIImplicit) require.NoError(t, err) return authRequestID }(), 
@@ -364,7 +383,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }{ { name: "usergrant to project and different resourceowner with different project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID2, _ := createOIDCApplication(ctx, t, true, true) @@ -374,13 +393,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant to project and different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -389,7 +408,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
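Review bot: Switching `ctx` to `CTXLoginClient` in the permission cases also changes the identity used by `dep` for fixture setup — `createOIDCApplication(ctx, …)`, `Instance.CreateOrganization(ctx, …)`, `Instance.CreateHumanUserVerified(ctx, …)` and `Instance.CreateProjectUserGrant(t, ctx, …)` all take the same `ctx` — assuming the runner, which is outside this hunk, passes `tt.ctx` to `dep`. Each case then depends on the login-client principal being allowed to create organizations, applications, users and grants, which is broader than the permission under test and blurs what these cases prove. Keeping setup on `CTX` and passing `CTXLoginClient` only to `CreateCallback` (for example a `dep: func(t *testing.T)` closing over `CTX`, or a separate setup-context field) would keep the privilege boundary explicit; the same applies to the remaining cases of this function through hunk `@@ -608,7 +627,7 @@`.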
@@ -401,7 +420,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "usergrant to project grant and different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) @@ -410,7 +429,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -422,31 +441,31 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "no usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, true) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "no usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, true) user := Instance.CreateHumanUser(ctx) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) 
@@ -454,19 +473,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, true) user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -478,13 +497,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -496,25 +515,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant and same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, false) user := Instance.CreateHumanUser(ctx) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "projectRoleCheck, usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -526,19 +545,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "projectRoleCheck, usergrant on project grant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) @@ -546,7 +565,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -558,25 +577,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "projectRoleCheck, no usergrant on project grant and different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, true, false) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "hasProjectCheck, same resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { user := Instance.CreateHumanUser(ctx) _, clientID := createOIDCApplication(ctx, t, false, true) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, 
@@ -588,19 +607,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) { }, { name: "hasProjectCheck, different resourceowner", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { _, clientID := createOIDCApplication(ctx, t, false, true) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, wantErr: true, }, { name: "hasProjectCheck, different resourceowner with project grant", - ctx: CTX, + ctx: CTXLoginClient, dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { projectID, clientID := createOIDCApplication(ctx, t, false, true) @@ -608,7 +627,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) + return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId()) }, want: &oidc_pb.CreateCallbackResponse{ CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, diff --git a/internal/api/grpc/saml/v2/integration_test/saml_test.go b/internal/api/grpc/saml/v2/integration_test/saml_test.go index 1974c5236a..241c20715c 100644 --- a/internal/api/grpc/saml/v2/integration_test/saml_test.go +++ b/internal/api/grpc/saml/v2/integration_test/saml_test.go 
@@ -48,13 +48,13 @@ func TestServer_GetSAMLRequest(t *testing.T) { { name: "success, redirect binding", dep: func() (time.Time, string, error) { - return Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) + return Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) }, }, { name: "success, post binding", dep: func() (time.Time, string, error) { - return Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + return Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) }, }, } @@ -63,9 +63,9 @@ func TestServer_GetSAMLRequest(t *testing.T) { creationTime, authRequestID, err := tt.dep() require.NoError(t, err) - retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute) + retryDuration, tick := integration.WaitForAndTickWithMaxDuration(LoginCTX, time.Minute) require.EventuallyWithT(t, func(ttt *assert.CollectT) { - got, err := Client.GetSAMLRequest(CTX, &saml_pb.GetSAMLRequestRequest{ + got, err := Client.GetSAMLRequest(LoginCTX, &saml_pb.GetSAMLRequestRequest{ SamlRequestId: authRequestID, }) if tt.wantErr { 
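Review bot: `TestServer_GetSAMLRequest` now issues every `Client.GetSAMLRequest` call with `LoginCTX`, but unlike its OIDC counterpart (`TestServer_GetAuthRequest`, which carries a per-case `ctx` field and a `no permission` case) it has no case showing that a caller without the login-client permission is rejected, so the permission requirement this commit adds for SAML requests is not exercised here. Adding a `ctx` field to the table with one case using `CTX` and `wantErr: true` would cover it. As a style point, the SAML tests name the login-client context `LoginCTX` while the OIDC tests use `CTXLoginClient`; aligning the two would make the fixtures easier to follow across packages.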
@@ -90,10 +90,11 @@ func TestServer_CreateResponse(t *testing.T) { _, rootURLPost, spMiddlewarePost := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPPostBinding, false, false) _, rootURLRedirect, spMiddlewareRedirect := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPRedirectBinding, false, false) - sessionResp := createSession(CTX, t, Instance.Users[integration.UserTypeOrgOwner].ID) + sessionResp := createSession(LoginCTX, t, Instance.Users[integration.UserTypeLogin].ID) tests := []struct { name string + ctx context.Context req *saml_pb.CreateResponseRequest AuthError string want *saml_pb.CreateResponseResponse @@ -102,6 +103,7 @@ func TestServer_CreateResponse(t *testing.T) { }{ { name: "Not found", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: "123", ResponseKind: &saml_pb.CreateResponseRequest_Session{ @@ -115,9 +117,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "session not found", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) require.NoError(t, err) return authRequestID }(), 
@@ -132,9 +135,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "session token invalid", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) require.NoError(t, err) return authRequestID }(), @@ -149,9 +153,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "fail callback, post", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) return authRequestID }(), 
@@ -177,11 +182,12 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "fail callback, post, already failed", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) - Instance.FailSAMLAuthRequest(CTX, authRequestID, saml_pb.ErrorReason_ERROR_REASON_AUTH_N_FAILED) + Instance.FailSAMLAuthRequest(LoginCTX, authRequestID, saml_pb.ErrorReason_ERROR_REASON_AUTH_N_FAILED) return authRequestID }(), ResponseKind: &saml_pb.CreateResponseRequest_Error{ @@ -195,9 +201,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "fail callback, redirect", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) return authRequestID }(), 
@@ -219,10 +226,29 @@ func TestServer_CreateResponse(t *testing.T) { wantErr: false, }, { - name: "callback, redirect", + name: "fail callback, no permission, error", + ctx: CTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + require.NoError(t, err) + return authRequestID + }(), + ResponseKind: &saml_pb.CreateResponseRequest_Error{ + Error: &saml_pb.AuthorizationError{ + Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED, + ErrorDescription: gu.Ptr("nope"), + }, + }, + }, + wantErr: true, + }, + { + name: "callback, redirect", + ctx: LoginCTX, + req: &saml_pb.CreateResponseRequest{ + SamlRequestId: func() string { + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) require.NoError(t, err) return authRequestID }(), @@ -245,9 +271,10 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "callback, post", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) return authRequestID }(), 
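Review bot: The new `fail callback, no permission, error` case builds its request with `spMiddlewareRedirect` but `acsPost` and `saml.HTTPPostBinding`, a middleware/binding mismatch copied from the `fail callback, redirect` case above; a negative permission test should start from a request that is known to succeed under `LoginCTX`, otherwise the expected error may come from the request itself rather than from the missing permission. Using the same arguments as the passing `callback, post` case, `Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)`, removes that ambiguity. Whether `CreateSAMLAuthRequest` tolerates the mismatch is not visible in this hunk.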
@@ -273,11 +300,30 @@ func TestServer_CreateResponse(t *testing.T) { }, { name: "callback, post", + ctx: LoginCTX, req: &saml_pb.CreateResponseRequest{ SamlRequestId: func() string { - _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) + require.NoError(t, err) + Instance.SuccessfulSAMLAuthRequest(LoginCTX, Instance.Users[integration.UserTypeLogin].ID, authRequestID) + return authRequestID + }(), + ResponseKind: &saml_pb.CreateResponseRequest_Session{ + Session: &saml_pb.Session{ + SessionId: sessionResp.GetSessionId(), + SessionToken: sessionResp.GetSessionToken(), + }, + }, + }, + wantErr: true, + }, + { + name: "callback, no permission, error", + ctx: CTX, + req: &saml_pb.CreateResponseRequest{ + SamlRequestId: func() string { + _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) require.NoError(t, err) - Instance.SuccessfulSAMLAuthRequest(CTX, Instance.Users[integration.UserTypeOrgOwner].ID, authRequestID) return authRequestID }(), ResponseKind: &saml_pb.CreateResponseRequest_Session{ @@ -292,7 +338,7 @@ func TestServer_CreateResponse(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := Client.CreateResponse(CTX, tt.req) + got, err := Client.CreateResponse(tt.ctx, tt.req) if tt.wantErr { require.Error(t, err) return 
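Review bot: The new case is named `callback, no permission, error` but its `ResponseKind` is `CreateResponseRequest_Session`, whereas the earlier `fail callback, no permission, error` case uses the `Error` kind, so the trailing `error` reads as the response kind rather than the expected outcome. A name such as `callback, session, no permission` would keep the two negative cases distinguishable in test output. The rest of this case (`ResponseKind` fields and `wantErr`) continues in unchanged context beyond the added lines.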
@@ -336,7 +382,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -350,7 +396,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, 
@@ -372,7 +418,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -391,7 +437,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -401,7 +447,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { _, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true) user := Instance.CreateHumanUser(ctx) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, 
@@ -414,7 +460,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -426,7 +472,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -445,7 +491,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUser(ctx) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, 
@@ -462,7 +508,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { _, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false) user := Instance.CreateHumanUser(ctx) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, @@ -474,7 +520,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -492,7 +538,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, 
@@ -506,7 +552,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -526,7 +572,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, 
@@ -536,7 +582,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { _, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true) user := Instance.CreateHumanUser(ctx) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -554,7 +600,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, wantErr: true, }, 
@@ -566,7 +612,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) - return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) + return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) }, want: &saml_pb.CreateResponseResponse{ Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, @@ -582,7 +628,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) { t.Run(tt.name, func(t *testing.T) { req := tt.dep(IAMCTX, t) - got, err := Client.CreateResponse(CTX, req) + got, err := Client.CreateResponse(LoginCTX, req) if tt.wantErr { require.Error(t, err) return diff --git a/internal/api/grpc/saml/v2/integration_test/server_test.go b/internal/api/grpc/saml/v2/integration_test/server_test.go index ab9e92a157..86eba0b809 100644 --- a/internal/api/grpc/saml/v2/integration_test/server_test.go +++ b/internal/api/grpc/saml/v2/integration_test/server_test.go @@ -15,6 +15,7 @@ import ( var ( CTX context.Context IAMCTX context.Context + LoginCTX context.Context Instance *integration.Instance Client saml_pb.SAMLServiceClient ) @@ -29,6 +30,7 @@ func TestMain(m *testing.M) { IAMCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) + LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin) return m.Run() }()) } diff --git a/internal/api/grpc/session/v2/integration_test/query_test.go b/internal/api/grpc/session/v2/integration_test/query_test.go index 4b2eacf570..66f8c9b304 100644 --- a/internal/api/grpc/session/v2/integration_test/query_test.go 
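Review bot: The `@@ -582` hunk makes every case in TestServer_CreateResponse_Permission call `Client.CreateResponse(LoginCTX, req)`, and no visible case keeps the former `CTX` (org-owner) caller to assert that it is now rejected, so the permission requirement this commit introduces is not pinned by this table; the SAML hunks above that switch the session creator to `integration.UserTypeLogin`, and the session CreateSession/SetSession tables on the later hunks, have the same shape. Since the loop uses a fixed context, a negative check would need either a caller-context field in the table or a separate subtest that calls `Client.CreateResponse(CTX, req)` and asserts `require.Error(t, err)`; such a case may exist in a part of the diff not shown here. The test table itself starts outside the hunk.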
+++ b/internal/api/grpc/session/v2/integration_test/query_test.go @@ -72,7 +72,7 @@ func TestServer_GetSession(t *testing.T) { { name: "get session, permission, ok", args: args{ - CTX, + IAMOwnerCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { resp, err := Client.CreateSession(ctx, &session.CreateSessionRequest{}) @@ -213,7 +213,7 @@ func TestServer_GetSession(t *testing.T) { t.Run(tt.name, func(t *testing.T) { var sequence uint64 if tt.args.dep != nil { - sequence = tt.args.dep(CTX, t, tt.args.req) + sequence = tt.args.dep(LoginCTX, t, tt.args.req) } retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute) @@ -360,7 +360,7 @@ func TestServer_ListSessions(t *testing.T) { { name: "list sessions, permission, ok", args: args{ - CTX, + IAMOwnerCTX, &session.ListSessionsRequest{}, func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { info := createSession(ctx, t, "", "", nil, nil) @@ -501,7 +501,7 @@ func TestServer_ListSessions(t *testing.T) { { name: "list sessions, own creator, ok", args: args{ - CTX, + LoginCTX, &session.ListSessionsRequest{}, func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")}) 
@@ -542,7 +542,7 @@ func TestServer_ListSessions(t *testing.T) { info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")}) request.Queries = append(request.Queries, &session.SearchQuery{Query: &session.SearchQuery_IdsQuery{IdsQuery: &session.IDsQuery{Ids: []string{info.ID}}}}, - &session.SearchQuery{Query: &session.SearchQuery_CreatorQuery{CreatorQuery: &session.CreatorQuery{Id: gu.Ptr(Instance.Users.Get(integration.UserTypeOrgOwner).ID)}}}) + &session.SearchQuery{Query: &session.SearchQuery_CreatorQuery{CreatorQuery: &session.CreatorQuery{Id: gu.Ptr(Instance.Users.Get(integration.UserTypeLogin).ID)}}}) return []*sessionAttr{info} }, }, @@ -682,7 +682,7 @@ func TestServer_ListSessions(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - infos := tt.args.dep(CTX, t, tt.args.req) + infos := tt.args.dep(LoginCTX, t, tt.args.req) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute) require.EventuallyWithT(t, func(ttt *assert.CollectT) { diff --git a/internal/api/grpc/session/v2/integration_test/session_test.go b/internal/api/grpc/session/v2/integration_test/session_test.go index 0982a56121..6c0c079e48 100644 --- a/internal/api/grpc/session/v2/integration_test/session_test.go +++ b/internal/api/grpc/session/v2/integration_test/session_test.go @@ -251,7 +251,7 @@ func TestServer_CreateSession(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := Client.CreateSession(CTX, tt.req) + got, err := Client.CreateSession(LoginCTX, tt.req) if tt.wantErr { require.Error(t, err) return 
@@ -280,7 +280,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) { require.NoError(t, err) for i := 0; i <= maxAttempts; i++ { - _, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + _, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -306,7 +306,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) { func TestServer_CreateSession_webauthn(t *testing.T) { // create new session with user and request the webauthn challenge - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -328,7 +328,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) { require.NoError(t, err) // update the session with webauthn assertion data - updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ @@ -374,7 +374,7 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) { intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour)) require.NoError(t, err) - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ 
@@ -402,7 +402,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) { Instance.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId()) // session with intent check must now succeed - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -422,7 +422,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) { func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) { idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId() - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -435,7 +435,7 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) { verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) intent := Instance.CreateIntent(CTX, idpID) - _, err = Client.SetSession(CTX, &session.SetSessionRequest{ + _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ IdpIntent: &session.CheckIDPIntent{ 
@@ -556,13 +556,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) { userExisting := createFullUser(CTX) // create new, empty session - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionToken := createResp.GetSessionToken() verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") t.Run("check user", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ @@ -578,7 +578,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { }) t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ @@ -594,7 +594,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) require.NoError(t, err) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ 
@@ -616,7 +616,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { t.Run("check TOTP", func(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ @@ -630,13 +630,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) { }) userImport := Instance.CreateHumanUserWithTOTP(CTX, totpSecret) - createRespImport, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createRespImport, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionTokenImport := createRespImport.GetSessionToken() verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") t.Run("check user", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createRespImport.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ @@ -653,7 +653,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) { t.Run("check TOTP", func(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createRespImport.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ 
@@ -669,13 +669,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) { func TestServer_SetSession_flow(t *testing.T) { // create new, empty session - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) sessionToken := createResp.GetSessionToken() verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) t.Run("check user", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ User: &session.CheckUser{ @@ -691,7 +691,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ @@ -707,7 +707,7 @@ func TestServer_SetSession_flow(t *testing.T) { assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) require.NoError(t, err) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ 
@@ -733,7 +733,7 @@ func TestServer_SetSession_flow(t *testing.T) { session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED, } { t.Run(userVerificationRequirement.String(), func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ WebAuthN: &session.RequestChallenges_WebAuthN{ @@ -749,7 +749,7 @@ func TestServer_SetSession_flow(t *testing.T) { assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false) require.NoError(t, err) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ WebAuthN: &session.CheckWebAuthN{ @@ -767,7 +767,7 @@ func TestServer_SetSession_flow(t *testing.T) { t.Run("check TOTP", func(t *testing.T) { code, err := totp.GenerateCode(totpSecret, time.Now()) require.NoError(t, err) - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ Totp: &session.CheckTOTP{ @@ -781,7 +781,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) t.Run("check OTP SMS", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true}, 
@@ -794,7 +794,7 @@ func TestServer_SetSession_flow(t *testing.T) { otp := resp.GetChallenges().GetOtpSms() require.NotEmpty(t, otp) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ OtpSms: &session.CheckOTP{ @@ -808,7 +808,7 @@ func TestServer_SetSession_flow(t *testing.T) { }) t.Run("check OTP Email", func(t *testing.T) { - resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Challenges: &session.RequestChallenges{ OtpEmail: &session.RequestChallenges_OTPEmail{ @@ -823,7 +823,7 @@ func TestServer_SetSession_flow(t *testing.T) { otp := resp.GetChallenges().GetOtpEmail() require.NotEmpty(t, otp) - resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ + resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Checks: &session.Checks{ OtpEmail: &session.CheckOTP{ @@ -838,13 +838,13 @@ func TestServer_SetSession_flow(t *testing.T) { } func TestServer_SetSession_expired(t *testing.T) { - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Lifetime: durationpb.New(20 * time.Second), }) require.NoError(t, err) // test session token works - _, err = Instance.Client.SessionV2.SetSession(CTX, &session.SetSessionRequest{ + _, err = Instance.Client.SessionV2.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Lifetime: durationpb.New(20 * time.Second), }) 
@@ -852,7 +852,7 @@ func TestServer_SetSession_expired(t *testing.T) { // ensure session expires and does not work anymore time.Sleep(20 * time.Second) - _, err = Client.SetSession(CTX, &session.SetSessionRequest{ + _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{ SessionId: createResp.GetSessionId(), Lifetime: durationpb.New(20 * time.Second), }) @@ -860,7 +860,7 @@ func TestServer_SetSession_expired(t *testing.T) { } func TestServer_DeleteSession_token(t *testing.T) { - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) _, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{ @@ -880,14 +880,14 @@ func TestServer_DeleteSession_own_session(t *testing.T) { // create two users for the test and a session each to get tokens for authorization user1 := Instance.CreateHumanUser(CTX) Instance.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword, false) - _, token1, _, _ := Instance.CreatePasswordSession(t, CTX, user1.GetUserId(), integration.UserPassword) + _, token1, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user1.GetUserId(), integration.UserPassword) user2 := Instance.CreateHumanUser(CTX) Instance.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword, false) - _, token2, _, _ := Instance.CreatePasswordSession(t, CTX, user2.GetUserId(), integration.UserPassword) + _, token2, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user2.GetUserId(), integration.UserPassword) // create a new session for the first user - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ 
@@ -912,7 +912,7 @@ func TestServer_DeleteSession_own_session(t *testing.T) { } func TestServer_DeleteSession_with_permission(t *testing.T) { - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Checks: &session.Checks{ User: &session.CheckUser{ Search: &session.CheckUser_UserId{ @@ -932,7 +932,7 @@ func TestServer_DeleteSession_with_permission(t *testing.T) { func Test_ZITADEL_API_missing_authentication(t *testing.T) { // create new, empty session - createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken())) @@ -947,7 +947,7 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) { } func Test_ZITADEL_API_success(t *testing.T) { - id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId()) + id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId()) ctx := integration.WithAuthorizationToken(context.Background(), token) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute) @@ -963,7 +963,7 @@ func Test_ZITADEL_API_success(t *testing.T) { } func Test_ZITADEL_API_session_not_found(t *testing.T) { - id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId()) + id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId()) // test session token works ctx := integration.WithAuthorizationToken(context.Background(), token) 
@@ -994,7 +994,7 @@ func Test_ZITADEL_API_session_not_found(t *testing.T) {
 }
 
 func Test_ZITADEL_API_session_expired(t *testing.T) {
- id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, CTX, User.GetUserId(), 20*time.Second)
+ id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, LoginCTX, User.GetUserId(), 20*time.Second)
 
 // test session token works
 ctx := integration.WithAuthorizationToken(context.Background(), token)
diff --git a/internal/api/grpc/session/v2/session.go b/internal/api/grpc/session/v2/session.go
index 94f686a72c..99e876d06e 100644
--- a/internal/api/grpc/session/v2/session.go
+++ b/internal/api/grpc/session/v2/session.go
@@ -51,7 +51,7 @@ func (s *Server) SetSession(ctx context.Context, req *connect.Request[session.Se
 return nil, err
 }
 
- set, err := s.command.UpdateSession(ctx, req.Msg.GetSessionId(), cmds, req.Msg.GetMetadata(), req.Msg.GetLifetime().AsDuration())
+ set, err := s.command.UpdateSession(ctx, req.Msg.GetSessionId(), req.Msg.GetSessionToken(), cmds, req.Msg.GetMetadata(), req.Msg.GetLifetime().AsDuration())
 if err != nil {
 return nil, err
 }
diff --git a/internal/api/grpc/session/v2beta/integration_test/query_test.go b/internal/api/grpc/session/v2beta/integration_test/query_test.go
index dc131cdaaf..9cff2c438e 100644
--- a/internal/api/grpc/session/v2beta/integration_test/query_test.go
+++ b/internal/api/grpc/session/v2beta/integration_test/query_test.go
@@ -61,7 +61,7 @@ func TestServer_GetSession(t *testing.T) {
 UserCTX,
 &session.GetSessionRequest{},
 func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
- resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 request.SessionId = resp.SessionId
 return resp.GetDetails().GetSequence()
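Review bot: The new `req.Msg.GetSessionToken()` argument to `s.command.UpdateSession` in the session.go hunk feeds a client-supplied secret into the authorization decision, and nothing at the call site says why it is there, so a reader of SetSession cannot tell whether the token is an alternative to the newly required permission or an additional check. A comment on the call such as `// forward the session token so UpdateSession can authorize a caller by token possession when it lacks the session permission` would capture the intent; adjust the wording to what UpdateSession in internal/command/session.go actually does, which is not in view. The diffstat lists a matching change to the v2beta session.go that is not shown here. SetSession's body starts and ends outside the hunk.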
@@ -72,10 +72,10 @@ func TestServer_GetSession(t *testing.T) { { name: "get session, permission, ok", args: args{ - CTX, + IAMOwnerCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { - resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) request.SessionId = resp.SessionId return resp.GetDetails().GetSequence() @@ -91,7 +91,7 @@ func TestServer_GetSession(t *testing.T) { UserCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { - resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) + resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{}) require.NoError(t, err) request.SessionId = resp.SessionId request.SessionToken = gu.Ptr(resp.SessionToken) @@ -108,7 +108,7 @@ func TestServer_GetSession(t *testing.T) { UserCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { - resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ UserAgent: &session.UserAgent{ FingerprintId: gu.Ptr("fingerPrintID"), Ip: gu.Ptr("1.2.3.4"), @@ -144,7 +144,7 @@ func TestServer_GetSession(t *testing.T) { UserCTX, &session.GetSessionRequest{}, func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { - resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ + resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{ Lifetime: durationpb.New(5 * time.Minute), }, ) 
@@ -165,7 +165,7 @@ func TestServer_GetSession(t *testing.T) {
 UserCTX,
 &session.GetSessionRequest{},
 func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
- resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Metadata: map[string][]byte{"foo": []byte("bar")},
 },
 )
@@ -187,7 +187,7 @@ func TestServer_GetSession(t *testing.T) {
 UserCTX,
 &session.GetSessionRequest{},
 func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
- resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -337,7 +337,7 @@ func TestServer_ListSessions(t *testing.T) {
 },
 },
 {
- name: "list sessions, wrong creator",
+ name: "list sessions, no permission",
 args: args{
 UserCTX,
 &session.ListSessionsRequest{},
@@ -349,7 +349,7 @@ func TestServer_ListSessions(t *testing.T) {
 },
 want: &session.ListSessionsResponse{
 Details: &object.ListDetails{
- TotalResult: 0,
+ TotalResult: 1,
 Timestamp: timestamppb.Now(),
 },
 Sessions: []*session.Session{},
@@ -358,7 +358,7 @@ func TestServer_ListSessions(t *testing.T) {
 {
 name: "list sessions, full, ok",
 args: args{
- CTX,
+ IAMOwnerCTX,
 &session.ListSessionsRequest{},
 func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
 info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
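Review bot: The `@@ -349` hunk pins `TotalResult: 1` together with `Sessions: []*session.Session{}` for the case renamed to "list sessions, no permission" in the `@@ -337` hunk, so a caller without permission still learns how many sessions matched its query even though none are returned. If the permission filter is meant to hide sessions from that caller, the count should agree with the returned list (`TotalResult: 0`); if the total is intentionally unfiltered, a comment on the case, e.g. `// total is not permission-filtered; only the returned sessions are`, would keep the next reader from reverting it. Which of the two is intended is not decidable from the hunk alone. TestServer_ListSessions' table starts outside the hunk.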
@@ -391,7 +391,7 @@ func TestServer_ListSessions(t *testing.T) {
 {
 name: "list sessions, multiple, ok",
 args: args{
- CTX,
+ IAMOwnerCTX,
 &session.ListSessionsRequest{},
 func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
 infos := createSessions(ctx, t, 3, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
@@ -446,7 +446,7 @@ func TestServer_ListSessions(t *testing.T) {
 {
 name: "list sessions, userid, ok",
 args: args{
- CTX,
+ IAMOwnerCTX,
 &session.ListSessionsRequest{},
 func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
 createdUser := createFullUser(ctx)
@@ -480,7 +480,7 @@ func TestServer_ListSessions(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- infos := tt.args.dep(CTX, t, tt.args.req)
+ infos := tt.args.dep(LoginCTX, t, tt.args.req)
 retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
 require.EventuallyWithT(t, func(ttt *assert.CollectT) {
@@ -499,7 +499,7 @@ func TestServer_ListSessions(t *testing.T) {
 }
 // expected count of sessions is not equal to received sessions
- if !assert.Equal(ttt, got.Details.TotalResult, tt.want.Details.TotalResult) || !assert.Len(ttt, got.Sessions, len(tt.want.Sessions)) {
+ if !assert.Equal(ttt, tt.want.Details.TotalResult, got.Details.TotalResult) || !assert.Len(ttt, got.Sessions, len(tt.want.Sessions)) {
 return
 }
diff --git a/internal/api/grpc/session/v2beta/integration_test/server_test.go b/internal/api/grpc/session/v2beta/integration_test/server_test.go
index 4920e6ec35..03fbfc37da 100644
--- a/internal/api/grpc/session/v2beta/integration_test/server_test.go
+++ b/internal/api/grpc/session/v2beta/integration_test/server_test.go
@@ -18,6 +18,7 @@ import (
 var (
 CTX context.Context
 IAMOwnerCTX context.Context
+ LoginCTX context.Context
 UserCTX context.Context
 Instance *integration.Instance
 Client session.SessionServiceClient
@@ -36,6 +37,7 @@ func TestMain(m *testing.M) {
 CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
 IAMOwnerCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
+ LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
 UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission)
 User = createFullUser(CTX)
 DeactivatedUser = createDeactivatedUser(CTX)
diff --git a/internal/api/grpc/session/v2beta/integration_test/session_test.go b/internal/api/grpc/session/v2beta/integration_test/session_test.go
index 4c189e0f80..8a2c4094b6 100644
--- a/internal/api/grpc/session/v2beta/integration_test/session_test.go
+++ b/internal/api/grpc/session/v2beta/integration_test/session_test.go
@@ -251,7 +251,7 @@ func TestServer_CreateSession(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- got, err := Client.CreateSession(CTX, tt.req)
+ got, err := Client.CreateSession(LoginCTX, tt.req)
 if tt.wantErr {
 require.Error(t, err)
 return
@@ -280,7 +280,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) {
 require.NoError(t, err)
 for i := 0; i <= maxAttempts; i++ {
- _, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ _, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -306,7 +306,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) {
 func TestServer_CreateSession_webauthn(t *testing.T) {
 // create new session with user and request the webauthn challenge
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -328,7 +328,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) {
 require.NoError(t, err)
 // update the session with webauthn assertion data
- updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 WebAuthN: &session.CheckWebAuthN{
@@ -342,7 +342,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) {
 func TestServer_CreateSession_successfulIntent(t *testing.T) {
 idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId()
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -356,7 +356,7 @@ func TestServer_CreateSession_successfulIntent(t *testing.T) {
 intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour))
 require.NoError(t, err)
- updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 IdpIntent: &session.CheckIDPIntent{
@@ -374,7 +374,7 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) {
 intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour))
 require.NoError(t, err)
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -403,7 +403,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
 Instance.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId())
 // session with intent check must now succeed
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -423,7 +423,7 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
 func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
 idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId()
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -436,7 +436,7 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
 verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
 intent := Instance.CreateIntent(CTX, idpID)
- _, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 IdpIntent: &session.CheckIDPIntent{
@@ -557,13 +557,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 userExisting := createFullUser(CTX)
 // create new, empty session
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 sessionToken := createResp.GetSessionToken()
 verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "")
 t.Run("check user", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 User: &session.CheckUser{
@@ -579,7 +579,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 })
 t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Challenges: &session.RequestChallenges{
 WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -595,7 +595,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
 require.NoError(t, err)
- resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 WebAuthN: &session.CheckWebAuthN{
@@ -617,7 +617,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 t.Run("check TOTP", func(t *testing.T) {
 code, err := totp.GenerateCode(totpSecret, time.Now())
 require.NoError(t, err)
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 Totp: &session.CheckTOTP{
@@ -631,13 +631,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 })
 userImport := Instance.CreateHumanUserWithTOTP(CTX, totpSecret)
- createRespImport, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ createRespImport, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 sessionTokenImport := createRespImport.GetSessionToken()
 verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "")
 t.Run("check user", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createRespImport.GetSessionId(),
 Checks: &session.Checks{
 User: &session.CheckUser{
@@ -654,7 +654,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 t.Run("check TOTP", func(t *testing.T) {
 code, err := totp.GenerateCode(totpSecret, time.Now())
 require.NoError(t, err)
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createRespImport.GetSessionId(),
 Checks: &session.Checks{
 Totp: &session.CheckTOTP{
@@ -670,13 +670,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
 func TestServer_SetSession_flow(t *testing.T) {
 // create new, empty session
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 sessionToken := createResp.GetSessionToken()
 verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
 t.Run("check user", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 User: &session.CheckUser{
@@ -692,7 +692,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 })
 t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Challenges: &session.RequestChallenges{
 WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -708,7 +708,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
 require.NoError(t, err)
- resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 WebAuthN: &session.CheckWebAuthN{
@@ -734,7 +734,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED,
 } {
 t.Run(userVerificationRequirement.String(), func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Challenges: &session.RequestChallenges{
 WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -750,7 +750,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false)
 require.NoError(t, err)
- resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 WebAuthN: &session.CheckWebAuthN{
@@ -768,7 +768,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 t.Run("check TOTP", func(t *testing.T) {
 code, err := totp.GenerateCode(totpSecret, time.Now())
 require.NoError(t, err)
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 Totp: &session.CheckTOTP{
@@ -782,7 +782,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 })
 t.Run("check OTP SMS", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Challenges: &session.RequestChallenges{
 OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true},
@@ -795,7 +795,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 otp := resp.GetChallenges().GetOtpSms()
 require.NotEmpty(t, otp)
- resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 OtpSms: &session.CheckOTP{
@@ -809,7 +809,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 })
 t.Run("check OTP Email", func(t *testing.T) {
- resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Challenges: &session.RequestChallenges{
 OtpEmail: &session.RequestChallenges_OTPEmail{
@@ -824,7 +824,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 otp := resp.GetChallenges().GetOtpEmail()
 require.NotEmpty(t, otp)
- resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Checks: &session.Checks{
 OtpEmail: &session.CheckOTP{
@@ -839,13 +839,13 @@ func TestServer_SetSession_flow(t *testing.T) {
 }
 func TestServer_SetSession_expired(t *testing.T) {
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Lifetime: durationpb.New(20 * time.Second),
 })
 require.NoError(t, err)
 // test session token works
- _, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Lifetime: durationpb.New(20 * time.Second),
 })
@@ -853,7 +853,7 @@ func TestServer_SetSession_expired(t *testing.T) {
 // ensure session expires and does not work anymore
 time.Sleep(20 * time.Second)
- _, err = Client.SetSession(CTX, &session.SetSessionRequest{
+ _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
 SessionId: createResp.GetSessionId(),
 Lifetime: durationpb.New(20 * time.Second),
 })
@@ -861,7 +861,7 @@ func TestServer_SetSession_expired(t *testing.T) {
 }
 func TestServer_DeleteSession_token(t *testing.T) {
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 _, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{
@@ -881,14 +881,14 @@ func TestServer_DeleteSession_own_session(t *testing.T) {
 // create two users for the test and a session each to get tokens for authorization
 user1 := Instance.CreateHumanUser(CTX)
 Instance.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword, false)
- _, token1, _, _ := Instance.CreatePasswordSession(t, CTX, user1.GetUserId(), integration.UserPassword)
+ _, token1, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user1.GetUserId(), integration.UserPassword)
 user2 := Instance.CreateHumanUser(CTX)
 Instance.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword, false)
- _, token2, _, _ := Instance.CreatePasswordSession(t, CTX, user2.GetUserId(), integration.UserPassword)
+ _, token2, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user2.GetUserId(), integration.UserPassword)
 // create a new session for the first user
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -913,7 +913,7 @@ func TestServer_DeleteSession_own_session(t *testing.T) {
 }
 func TestServer_DeleteSession_with_permission(t *testing.T) {
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
 Checks: &session.Checks{
 User: &session.CheckUser{
 Search: &session.CheckUser_UserId{
@@ -933,7 +933,7 @@ func TestServer_DeleteSession_with_permission(t *testing.T) {
 func Test_ZITADEL_API_missing_authentication(t *testing.T) {
 // create new, empty session
- createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
 require.NoError(t, err)
 ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken()))
@@ -948,7 +948,7 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
 }
 func Test_ZITADEL_API_success(t *testing.T) {
- id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId())
+ id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId())
 ctx := integration.WithAuthorizationToken(context.Background(), token)
 retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
@@ -964,7 +964,7 @@ func Test_ZITADEL_API_success(t *testing.T) {
 }
 func Test_ZITADEL_API_session_not_found(t *testing.T) {
- id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId())
+ id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId())
 // test session token works
 ctx := integration.WithAuthorizationToken(context.Background(), token)
@@ -995,7 +995,7 @@ func Test_ZITADEL_API_session_not_found(t *testing.T) {
 }
 func Test_ZITADEL_API_session_expired(t *testing.T) {
- id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, CTX, User.GetUserId(), 20*time.Second)
+ id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, LoginCTX, User.GetUserId(), 20*time.Second)
 // test session token works
 ctx := integration.WithAuthorizationToken(context.Background(), token)
diff --git a/internal/api/grpc/session/v2beta/session.go b/internal/api/grpc/session/v2beta/session.go
index 459cf77f05..c5c129fb11 100644
--- a/internal/api/grpc/session/v2beta/session.go
+++ b/internal/api/grpc/session/v2beta/session.go
@@ -12,7 +12,6 @@ import (
 "google.golang.org/protobuf/types/known/structpb"
 "google.golang.org/protobuf/types/known/timestamppb"
- "github.com/zitadel/zitadel/internal/api/authz"
 object "github.com/zitadel/zitadel/internal/api/grpc/object/v2beta"
 "github.com/zitadel/zitadel/internal/command"
 "github.com/zitadel/zitadel/internal/domain"
@@ -90,7 +89,7 @@ func (s *Server) SetSession(ctx context.Context, req *connect.Request[session.Se
 return nil, err
 }
- set, err := s.command.UpdateSession(ctx, req.Msg.GetSessionId(), cmds, req.Msg.GetMetadata(), req.Msg.GetLifetime().AsDuration())
+ set, err := s.command.UpdateSession(ctx, req.Msg.GetSessionId(), req.Msg.GetSessionToken(), cmds, req.Msg.GetMetadata(), req.Msg.GetLifetime().AsDuration())
 if err != nil {
 return nil, err
 }
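Review bot: The `UpdateSession` call at @@ -90 now receives `req.Msg.GetSessionToken()`, but nothing in the handler records that the request's token has become an authorization input rather than plain payload, so a reader of `SetSession` cannot tell what is verified here and what is verified in the command. A comment above the call, `// the caller must hold the session token and/or the required permission; both are verified in UpdateSession`, would make the boundary explicit — please confirm the exact rule against the command implementation, which is outside this hunk. With the `authz` import removed at @@ -12, this file no longer derives caller identity itself, which is worth stating in the same comment. `SetSession` begins before this hunk.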
@@ -256,18 +255,13 @@ func listSessionsRequestToQuery(ctx context.Context, req *session.ListSessionsRe
 }
 func sessionQueriesToQuery(ctx context.Context, queries []*session.SearchQuery) (_ []query.SearchQuery, err error) {
- q := make([]query.SearchQuery, len(queries)+1)
+ q := make([]query.SearchQuery, len(queries))
 for i, v := range queries {
 q[i], err = sessionQueryToQuery(v)
 if err != nil {
 return nil, err
 }
 }
- creatorQuery, err := query.NewSessionCreatorSearchQuery(authz.GetCtxData(ctx).UserID)
- if err != nil {
- return nil, err
- }
- q[len(queries)] = creatorQuery
 return q, nil
 }
diff --git a/internal/api/grpc/user/v2/integration_test/otp_test.go b/internal/api/grpc/user/v2/integration_test/otp_test.go
index 01e6c07a40..4ec54b26b9 100644
--- a/internal/api/grpc/user/v2/integration_test/otp_test.go
+++ b/internal/api/grpc/user/v2/integration_test/otp_test.go
@@ -17,11 +17,11 @@ import (
 func TestServer_AddOTPSMS(t *testing.T) {
 userID := Instance.CreateHumanUser(CTX).GetUserId()
 Instance.RegisterUserPasskey(CTX, userID)
- _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
+ _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
 otherUser := Instance.CreateHumanUser(CTX).GetUserId()
 Instance.RegisterUserPasskey(CTX, otherUser)
- _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
+ _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
 userVerified := Instance.CreateHumanUser(CTX)
 _, err := Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
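Review bot: After the creator filter is dropped at @@ -256, `sessionQueriesToQuery` no longer reads `ctx`, so the parameter is dead; either remove it (and update the caller in `listSessionsRequestToQuery`) or rename it `_ context.Context` so readers and linters do not look for a context-dependent filter that no longer exists. This function was previously the only place in the handler that scoped `ListSessions` to the caller's own sessions; that implicit scoping is gone, which means visibility now depends entirely on a permission check in the query layer that is not part of this diff — a comment on the function, `// no implicit creator filter: which sessions a caller may see is decided by the permission check in the query layer`, would document where the boundary now sits and make a future regression easier to spot. The hunk covers the whole function.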
@@ -30,7 +30,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
 })
 require.NoError(t, err)
 Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
- _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
+ _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
 userVerified2 := Instance.CreateHumanUser(CTX)
 _, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
@@ -123,7 +123,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
 func TestServer_RemoveOTPSMS(t *testing.T) {
 userID := Instance.CreateHumanUser(CTX).GetUserId()
 Instance.RegisterUserPasskey(CTX, userID)
- _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
+ _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
 userVerified := Instance.CreateHumanUser(CTX)
 Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
@@ -137,7 +137,7 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
 userSelf := Instance.CreateHumanUser(CTX)
 Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
- _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId())
+ _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId())
 userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
 _, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
 UserId: userSelf.GetUserId(),
@@ -213,11 +213,11 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
 func TestServer_AddOTPEmail(t *testing.T) {
 userID := Instance.CreateHumanUser(CTX).GetUserId()
 Instance.RegisterUserPasskey(CTX, userID)
- _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
+ _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
 otherUser := Instance.CreateHumanUser(CTX).GetUserId()
 Instance.RegisterUserPasskey(CTX, otherUser)
- _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
+ _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
 userVerified := Instance.CreateHumanUser(CTX)
 _, err := Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
@@ -226,7 +226,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
 })
 require.NoError(t, err)
 Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
- _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
+ _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
 userVerified2 := Instance.CreateHumanUser(CTX)
 _, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
@@ -321,7 +321,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
 func TestServer_RemoveOTPEmail(t *testing.T) {
 userID := Instance.CreateHumanUser(CTX).GetUserId()
 Instance.RegisterUserPasskey(CTX, userID)
- _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
+ _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
 userVerified := Instance.CreateHumanUser(CTX)
 Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
@@ -335,7 +335,7 @@ func TestServer_RemoveOTPEmail(t *testing.T) {
 userSelf := Instance.CreateHumanUser(CTX)
 Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
- _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId())
+ _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId())
 userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
 _, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
 UserId: userSelf.GetUserId(),
diff --git a/internal/api/grpc/user/v2/integration_test/passkey_test.go b/internal/api/grpc/user/v2/integration_test/passkey_test.go
index 055a47ec46..4a035869fe 100644
--- a/internal/api/grpc/user/v2/integration_test/passkey_test.go
+++ b/internal/api/grpc/user/v2/integration_test/passkey_test.go
@@ -28,7 +28,7 @@ func TestServer_RegisterPasskey(t *testing.T) {
 // We also need a user session
 Instance.RegisterUserPasskey(CTX, userID)
- _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
+ _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
 type args struct {
 ctx context.Context
diff --git a/internal/api/grpc/user/v2/integration_test/phone_test.go b/internal/api/grpc/user/v2/integration_test/phone_test.go
index b87f9a9f28..25227048f9 100644
--- a/internal/api/grpc/user/v2/integration_test/phone_test.go
+++ b/internal/api/grpc/user/v2/integration_test/phone_test.go
@@ -256,7 +256,7 @@ func TestServer_Deprecated_RemovePhone(t *testing.T) {
 doubleRemoveUser := Instance.CreateHumanUser(CTX)
 Instance.RegisterUserPasskey(CTX, otherUser)
- _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
+ _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
 tests := []struct {
 name string
diff --git a/internal/api/grpc/user/v2/integration_test/totp_test.go b/internal/api/grpc/user/v2/integration_test/totp_test.go
index e65756c1c1..65d1003c35 100644
--- a/internal/api/grpc/user/v2/integration_test/totp_test.go
+++ b/internal/api/grpc/user/v2/integration_test/totp_test.go
@@ -20,12 +20,12 @@ import (
 func TestServer_RegisterTOTP(t *testing.T) {
 userID := Instance.CreateHumanUser(CTX).GetUserId()
 Instance.RegisterUserPasskey(CTX, userID)
- _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
+ _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
 ctx := integration.WithAuthorizationToken(CTX, sessionToken)
 otherUser := Instance.CreateHumanUser(CTX).GetUserId()
 Instance.RegisterUserPasskey(CTX, otherUser)
- _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
+ _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
 ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser)
 type args struct {
@@ -106,7 +106,7 @@ func TestServer_RegisterTOTP(t *testing.T) {
 func TestServer_VerifyTOTPRegistration(t *testing.T) {
 userID := Instance.CreateHumanUser(CTX).GetUserId()
 Instance.RegisterUserPasskey(CTX, userID)
- _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
+ _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
 ctx := integration.WithAuthorizationToken(CTX, sessionToken)
 reg, err := Client.RegisterTOTP(ctx, &user.RegisterTOTPRequest{
@@ -118,7 +118,7 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
 otherUser := Instance.CreateHumanUser(CTX).GetUserId()
 Instance.RegisterUserPasskey(CTX, otherUser)
- _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
+ _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
 ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser)
 regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{
@@ -209,11 +209,11 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
 func TestServer_RemoveTOTP(t *testing.T) {
 userID := Instance.CreateHumanUser(CTX).GetUserId()
 Instance.RegisterUserPasskey(CTX, userID)
- _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
+ _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
 userVerified := Instance.CreateHumanUser(CTX)
 Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
- _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
+ _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
 userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified)
 _, err := Instance.Client.UserV2.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{
 UserId: userVerified.GetUserId(),
diff --git a/internal/api/grpc/user/v2/integration_test/u2f_test.go b/internal/api/grpc/user/v2/integration_test/u2f_test.go
index b8af753f85..962671d608 100644
--- a/internal/api/grpc/user/v2/integration_test/u2f_test.go
+++ b/internal/api/grpc/user/v2/integration_test/u2f_test.go
@@ -22,9 +22,9 @@ func TestServer_RegisterU2F(t *testing.T) {
 // We also need a user session
 Instance.RegisterUserPasskey(CTX, userID)
- _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
+ _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
 Instance.RegisterUserPasskey(CTX, otherUser)
- _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
+ _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
 type args struct {
 ctx context.Context
@@ -183,7 +183,7 @@ func TestServer_VerifyU2FRegistration(t *testing.T) {
 func ctxFromNewUserWithRegisteredU2F(t *testing.T) (context.Context, string, *user.RegisterU2FResponse) {
 userID := Instance.CreateHumanUser(CTX).GetUserId()
 Instance.RegisterUserPasskey(CTX, userID)
- _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
+ _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
 ctx := integration.WithAuthorizationToken(CTX, sessionToken)
 pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{
diff --git a/internal/api/grpc/user/v2/integration_test/user_test.go b/internal/api/grpc/user/v2/integration_test/user_test.go
index 452de6720c..0401b05218 100644
--- a/internal/api/grpc/user/v2/integration_test/user_test.go
+++ b/internal/api/grpc/user/v2/integration_test/user_test.go
@@ -34,6 +34,7 @@ import (
 var (
 CTX context.Context
 IamCTX context.Context
+ LoginCTX context.Context
 UserCTX context.Context
 SystemCTX context.Context
 SystemUserWithNoPermissionsCTX context.Context
@@ -51,6 +52,7 @@ func TestMain(m *testing.M) { SystemUserWithNoPermissionsCTX = integration.WithSystemUserWithNoPermissionsAuthorization(ctx) UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission) IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) + LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin) SystemCTX = integration.WithSystemAuthorization(ctx) CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) Client = Instance.Client.UserV2 @@ -1853,7 +1855,7 @@ func TestServer_DeleteUser(t *testing.T) { require.NoError(t, err) request.UserId = removeUser.Id Instance.RegisterUserPasskey(CTX, removeUser.Id) - _, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, removeUser.Id) + _, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, removeUser.Id) return integration.WithAuthorizationToken(UserCTX, token) }, }, @@ -2745,7 +2747,7 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) { func ctxFromNewUserWithRegisteredPasswordlessLegacy(t *testing.T) (context.Context, string, *auth.AddMyPasswordlessResponse) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) pkr, err := Instance.Client.Auth.AddMyPasswordless(ctx, &auth.AddMyPasswordlessRequest{}) diff --git a/internal/api/grpc/user/v2beta/integration_test/otp_test.go b/internal/api/grpc/user/v2beta/integration_test/otp_test.go index fae6c069a4..0b49c3e6b6 100644 --- a/internal/api/grpc/user/v2beta/integration_test/otp_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/otp_test.go 
@@ -17,11 +17,11 @@ import ( func TestServer_AddOTPSMS(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) userVerified := Instance.CreateHumanUser(CTX) _, err := Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{ @@ -30,7 +30,7 @@ func TestServer_AddOTPSMS(t *testing.T) { }) require.NoError(t, err) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerified2 := Instance.CreateHumanUser(CTX) _, err = Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{ @@ -123,7 +123,7 @@ func TestServer_AddOTPSMS(t *testing.T) { func TestServer_RemoveOTPSMS(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) 
@@ -137,7 +137,7 @@ func TestServer_RemoveOTPSMS(t *testing.T) { userSelf := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userSelf.GetUserId()) - _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId()) + _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId()) userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf) _, err = Instance.Client.UserV2beta.VerifyPhone(CTX, &user.VerifyPhoneRequest{ UserId: userSelf.GetUserId(), @@ -213,11 +213,11 @@ func TestServer_RemoveOTPSMS(t *testing.T) { func TestServer_AddOTPEmail(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) userVerified := Instance.CreateHumanUser(CTX) _, err := Client.VerifyEmail(CTX, &user.VerifyEmailRequest{ @@ -226,7 +226,7 @@ func TestServer_AddOTPEmail(t *testing.T) { }) require.NoError(t, err) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerified2 := Instance.CreateHumanUser(CTX) _, err = Client.VerifyEmail(CTX, &user.VerifyEmailRequest{ 
@@ -321,7 +321,7 @@ func TestServer_AddOTPEmail(t *testing.T) { func TestServer_RemoveOTPEmail(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) diff --git a/internal/api/grpc/user/v2beta/integration_test/passkey_test.go b/internal/api/grpc/user/v2beta/integration_test/passkey_test.go index 7bc0465956..f2b4c4e95e 100644 --- a/internal/api/grpc/user/v2beta/integration_test/passkey_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/passkey_test.go @@ -27,7 +27,7 @@ func TestServer_RegisterPasskey(t *testing.T) { // We also need a user session Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) type args struct { ctx context.Context diff --git a/internal/api/grpc/user/v2beta/integration_test/phone_test.go b/internal/api/grpc/user/v2beta/integration_test/phone_test.go index 73d065231c..8d1a07cca2 100644 --- a/internal/api/grpc/user/v2beta/integration_test/phone_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/phone_test.go @@ -258,7 +258,7 @@ func TestServer_RemovePhone(t *testing.T) { doubleRemoveUser := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) tests := []struct { name string 
diff --git a/internal/api/grpc/user/v2beta/integration_test/totp_test.go b/internal/api/grpc/user/v2beta/integration_test/totp_test.go index 4afe5e1f31..0917faa809 100644 --- a/internal/api/grpc/user/v2beta/integration_test/totp_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/totp_test.go @@ -20,12 +20,12 @@ import ( func TestServer_RegisterTOTP(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) type args struct { @@ -106,7 +106,7 @@ func TestServer_RegisterTOTP(t *testing.T) { func TestServer_VerifyTOTPRegistration(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) var reg *user.RegisterTOTPResponse 
@@ -123,7 +123,7 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) { otherUser := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{ @@ -214,11 +214,11 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) { func TestServer_RemoveTOTP(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) userVerified := Instance.CreateHumanUser(CTX) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) - _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) + _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId()) userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified) _, err := Client.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{ UserId: userVerified.GetUserId(), diff --git a/internal/api/grpc/user/v2beta/integration_test/u2f_test.go b/internal/api/grpc/user/v2beta/integration_test/u2f_test.go index 6e47cbbb99..f03136a3aa 100644 --- a/internal/api/grpc/user/v2beta/integration_test/u2f_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/u2f_test.go 
@@ -22,9 +22,9 @@ func TestServer_RegisterU2F(t *testing.T) { // We also need a user session Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) Instance.RegisterUserPasskey(CTX, otherUser) - _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) + _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser) type args struct { ctx context.Context @@ -108,7 +108,7 @@ func TestServer_RegisterU2F(t *testing.T) { func TestServer_VerifyU2FRegistration(t *testing.T) { userID := Instance.CreateHumanUser(CTX).GetUserId() Instance.RegisterUserPasskey(CTX, userID) - _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) + _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID) ctx := integration.WithAuthorizationToken(CTX, sessionToken) pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{ diff --git a/internal/api/grpc/user/v2beta/integration_test/user_test.go b/internal/api/grpc/user/v2beta/integration_test/user_test.go index 077ed02d0e..dd75986a3f 100644 --- a/internal/api/grpc/user/v2beta/integration_test/user_test.go +++ b/internal/api/grpc/user/v2beta/integration_test/user_test.go @@ -31,6 +31,7 @@ import ( var ( CTX context.Context IamCTX context.Context + LoginCTX context.Context UserCTX context.Context SystemCTX context.Context Instance *integration.Instance @@ -46,6 +47,7 @@ func TestMain(m *testing.M) { UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission) IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) + LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin) SystemCTX = integration.WithSystemAuthorization(ctx) CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) Client = Instance.Client.UserV2beta 
diff --git a/internal/api/oidc/integration_test/oidc_test.go b/internal/api/oidc/integration_test/oidc_test.go
index 8bb103d0eb..2b43154743 100644
--- a/internal/api/oidc/integration_test/oidc_test.go
+++ b/internal/api/oidc/integration_test/oidc_test.go
@@ -90,7 +90,7 @@ func Test_ZITADEL_API_missing_audience_scope(t *testing.T) {
 func Test_ZITADEL_API_missing_authentication(t *testing.T) {
 	clientID, _ := createClient(t, Instance)
 	authRequestID := createAuthRequest(t, Instance, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope)
-	createResp, err := Instance.Client.SessionV2.CreateSession(CTX, &session.CreateSessionRequest{
+	createResp, err := Instance.Client.SessionV2.CreateSession(CTXLOGIN, &session.CreateSessionRequest{
 		Checks: &session.Checks{
 			User: &session.CheckUser{
 				Search: &session.CheckUser_UserId{UserId: User.GetUserId()},
diff --git a/internal/command/auth_request.go b/internal/command/auth_request.go
index d60012637a..0ce8741b3b 100644
--- a/internal/command/auth_request.go
+++ b/internal/command/auth_request.go
@@ -137,6 +137,11 @@ func (c *Commands) FailAuthRequest(ctx context.Context, id string, reason domain
 	if writeModel.AuthRequestState != domain.AuthRequestStateAdded {
 		return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sx202nt", "Errors.AuthRequest.AlreadyHandled")
 	}
+	if authz.GetCtxData(ctx).UserID != writeModel.LoginClient {
+		if err := c.checkPermission(ctx, domain.PermissionSessionLink, writeModel.ResourceOwner, ""); err != nil {
+			return nil, nil, err
+		}
+	}
 	err = c.pushAppendAndReduce(ctx, writeModel, authrequest.NewFailedEvent(
 		ctx,
 		&authrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate,
diff --git a/internal/command/auth_request_test.go b/internal/command/auth_request_test.go
index c0b5f630f7..2d3c72b088 100644
--- a/internal/command/auth_request_test.go
+++ b/internal/command/auth_request_test.go
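Review bot: The permission check added to FailAuthRequest is skipped when the caller's user ID equals writeModel.LoginClient, but the equivalent checks added to CancelDeviceAuth (L91) and FailSAMLRequest (L93) are unconditional, so the login client that created a device-auth or SAML request can no longer cancel or fail it without holding session.link, while it still can for OIDC auth requests. If the asymmetry is intended, a comment on the guarded branch should say so, e.g. `// the login client that created the request may fail it without the session.link permission`; otherwise the same `authz.GetCtxData(ctx).UserID != writeModel.LoginClient` guard belongs in the other two commands (the SAML write model presumably also records the login client, given the "login" argument passed to samlrequest.NewAddedEvent in the test hunk). All three sites reuse PermissionSessionLink for a fail/cancel operation rather than a dedicated permission, which is worth stating in the same comment so a reader does not assume a missing constant. FailAuthRequest's body continues outside the hunk.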
@@ -911,7 +911,8 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) { func TestCommands_FailAuthRequest(t *testing.T) { mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient") type fields struct { - eventstore func(*testing.T) *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore + checkPermission domain.PermissionCheck } type args struct { ctx context.Context @@ -945,6 +946,45 @@ func TestCommands_FailAuthRequest(t *testing.T) { wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sx202nt", "Errors.AuthRequest.AlreadyHandled"), }, }, + { + "missing permission", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + authrequest.NewAddedEvent(mockCtx, &authrequest.NewAggregate("V2_id", "instanceID").Aggregate, + "login", + "clientID", + "redirectURI", + "state", + "nonce", + []string{"openid"}, + []string{"audience"}, + domain.OIDCResponseTypeCode, + domain.OIDCResponseModeQuery, + nil, + nil, + nil, + nil, + nil, + nil, + true, + "issuer", + ), + ), + ), + ), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args{ + ctx: mockCtx, + id: "V2_id", + reason: domain.OIDCErrorReasonLoginRequired, + }, + res{ + wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, + }, { "failed", fields{ @@ -977,6 +1017,7 @@ func TestCommands_FailAuthRequest(t *testing.T) { domain.OIDCErrorReasonLoginRequired), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: mockCtx, @@ -1006,7 +1047,8 @@ func TestCommands_FailAuthRequest(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore(t), + eventstore: tt.fields.eventstore(t), + checkPermission: tt.fields.checkPermission, } details, got, err := c.FailAuthRequest(tt.args.ctx, tt.args.id, tt.args.reason) require.ErrorIs(t, err, tt.res.wantErr) 
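Review bot: The new "missing permission" case only exercises the branch where the caller is not the request's login client — mockCtx's third argument (presumably the user ID) is "loginClient" while the added event records "login" as the login client — so the bypass branch in FailAuthRequest, where the permission check is skipped for the creating login client, has no test at all. Add a case whose added event uses the same login client as the context, with `checkPermission: newMockPermissionCheckNotAllowed()` and the failed event expected in the push, so that the guard is pinned as intentionally skipped for that caller and a later tightening does not silently break the login UI's fail path. The test table continues outside the hunk.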
diff --git a/internal/command/device_auth.go b/internal/command/device_auth.go index ef6b069cc9..7d4a0f2070 100644 --- a/internal/command/device_auth.go +++ b/internal/command/device_auth.go @@ -136,6 +136,9 @@ func (c *Commands) CancelDeviceAuth(ctx context.Context, id string, reason domai if !model.State.Exists() { return nil, zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound") } + if err := c.checkPermission(ctx, domain.PermissionSessionLink, model.ResourceOwner, ""); err != nil { + return nil, err + } pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewCanceledEvent(ctx, model.aggregate, reason)) if err != nil { return nil, err diff --git a/internal/command/device_auth_test.go b/internal/command/device_auth_test.go index 021ae25d36..19c1601c88 100644 --- a/internal/command/device_auth_test.go +++ b/internal/command/device_auth_test.go @@ -578,7 +578,8 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { pushErr := errors.New("pushErr") type fields struct { - eventstore func(*testing.T) *eventstore.Eventstore + eventstore func(*testing.T) *eventstore.Eventstore + checkPermission domain.PermissionCheck } type args struct { ctx context.Context 
@@ -602,6 +603,26 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, wantErr: zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound"), }, + { + name: "missing permission, error", + fields: fields{ + eventstore: expectEventstore( + expectFilter(eventFromEventPusherWithInstanceID( + "instance1", + deviceauth.NewAddedEvent( + ctx, + deviceauth.NewAggregate("123", "instance1"), + "client_id", "123", "456", now, + []string{"a", "b", "c"}, + []string{"projectID", "clientID"}, true, + ), + )), + ), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, + wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, { name: "push error", fields: fields{ @@ -623,6 +644,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, wantErr: pushErr, @@ -648,6 +670,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, wantDetails: &domain.ObjectDetails{ @@ -675,6 +698,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args: args{ctx, "123", domain.DeviceAuthCanceledExpired}, wantDetails: &domain.ObjectDetails{ @@ -685,7 +709,8 @@ func TestCommands_CancelDeviceAuth(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore(t), + eventstore: tt.fields.eventstore(t), + checkPermission: tt.fields.checkPermission, } gotDetails, err := c.CancelDeviceAuth(tt.args.ctx, tt.args.id, tt.args.reason) require.ErrorIs(t, err, tt.wantErr) 
diff --git a/internal/command/saml_request.go b/internal/command/saml_request.go index 40e0643f0c..9331aed579 100644 --- a/internal/command/saml_request.go +++ b/internal/command/saml_request.go @@ -119,6 +119,9 @@ func (c *Commands) FailSAMLRequest(ctx context.Context, id string, reason domain if writeModel.SAMLRequestState != domain.SAMLRequestStateAdded { return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled") } + if err := c.checkPermission(ctx, domain.PermissionSessionLink, writeModel.ResourceOwner, ""); err != nil { + return nil, nil, err + } err = c.pushAppendAndReduce(ctx, writeModel, samlrequest.NewFailedEvent( ctx, &samlrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate, diff --git a/internal/command/saml_request_test.go b/internal/command/saml_request_test.go index c11c87ec48..49d211731c 100644 --- a/internal/command/saml_request_test.go +++ b/internal/command/saml_request_test.go @@ -786,7 +786,8 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) { func TestCommands_FailSAMLRequest(t *testing.T) { mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient") type fields struct { - eventstore func(t *testing.T) *eventstore.Eventstore + eventstore func(t *testing.T) *eventstore.Eventstore + checkPermission domain.PermissionCheck } type args struct { ctx context.Context 
@@ -820,7 +821,40 @@ func TestCommands_FailSAMLRequest(t *testing.T) { res{ wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled"), }, - }, { + }, + { + "missing permission", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + samlrequest.NewAddedEvent(mockCtx, &samlrequest.NewAggregate("V2_id", "instanceID").Aggregate, + "login", + "application", + "acs", + "relaystate", + "request", + "binding", + "issuer", + "destination", + "responseissuer", + ), + ), + ), + ), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args{ + ctx: mockCtx, + id: "V2_id", + reason: domain.SAMLErrorReasonAuthNFailed, + description: "desc", + }, + res{ + wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, + }, + { "already failed", fields{ eventstore: expectEventstore( @@ -843,6 +877,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: mockCtx, @@ -879,6 +914,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) { ), ), ), + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: mockCtx, @@ -908,7 +944,8 @@ func TestCommands_FailSAMLRequest(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { c := &Commands{ - eventstore: tt.fields.eventstore(t), + eventstore: tt.fields.eventstore(t), + checkPermission: tt.fields.checkPermission, } details, got, err := c.FailSAMLRequest(tt.args.ctx, tt.args.id, tt.args.reason) require.ErrorIs(t, err, tt.res.wantErr) diff --git a/internal/command/session.go b/internal/command/session.go index 3c06c22967..87eb56139b 100644 --- a/internal/command/session.go +++ b/internal/command/session.go 
@@ -285,7 +285,13 @@ func (s *SessionCommands) commands(ctx context.Context) (string, []eventstore.Co return token, s.eventCommands, nil } -func (c *Commands) CreateSession(ctx context.Context, cmds []SessionCommand, metadata map[string][]byte, userAgent *domain.UserAgent, lifetime time.Duration) (set *SessionChanged, err error) { +func (c *Commands) CreateSession( + ctx context.Context, + cmds []SessionCommand, + metadata map[string][]byte, + userAgent *domain.UserAgent, + lifetime time.Duration, +) (set *SessionChanged, err error) { sessionID, err := c.idGenerator.Next() if err != nil { return nil, err @@ -295,17 +301,29 @@ func (c *Commands) CreateSession(ctx context.Context, cmds []SessionCommand, met if err != nil { return nil, err } + if err = c.checkSessionWritePermission(ctx, sessionWriteModel, ""); err != nil { + return nil, err + } cmd := c.NewSessionCommands(cmds, sessionWriteModel) cmd.Start(ctx, userAgent) return c.updateSession(ctx, cmd, metadata, lifetime) } -func (c *Commands) UpdateSession(ctx context.Context, sessionID string, cmds []SessionCommand, metadata map[string][]byte, lifetime time.Duration) (set *SessionChanged, err error) { +func (c *Commands) UpdateSession( + ctx context.Context, + sessionID, sessionToken string, + cmds []SessionCommand, + metadata map[string][]byte, + lifetime time.Duration, +) (set *SessionChanged, err error) { sessionWriteModel := NewSessionWriteModel(sessionID, authz.GetInstance(ctx).InstanceID()) err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel) if err != nil { return nil, err } + if err = c.checkSessionWritePermission(ctx, sessionWriteModel, sessionToken); err != nil { + return nil, err + } cmd := c.NewSessionCommands(cmds, sessionWriteModel) return c.updateSession(ctx, cmd, metadata, lifetime) } 
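Review bot: CreateSession and UpdateSession are exported but have no doc comment, and their authorization contract is now non-obvious: CreateSession always takes the permission path (the write model is fresh, so no user is known and, per checkSessionWritePermission's comment, the check presumably lands on the instance), whereas UpdateSession accepts either a valid session token or the session.write permission. Suggest `// CreateSession creates a new session. The caller needs the "session.write" permission; since no user is known yet, it is checked on the instance.` and `// UpdateSession applies cmds to an existing session. The caller must present the session's token or hold "session.write" on the session user's resource owner.` Separately, the new signature puts two adjacent string parameters `sessionID, sessionToken string` next to each other, which the compiler cannot protect against being transposed at call sites; the call sites updated elsewhere in this commit are not visible here, so that is worth a second look. Both function bodies end inside the hunk.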
@@ -380,6 +398,21 @@ func (c *Commands) updateSession(ctx context.Context, checks *SessionCommands, m return changed, nil } +// checkSessionWritePermission will check that the provided sessionToken is correct or +// if empty, check that the caller is granted the "session.write" permission on the resource owner of the authenticated user. +// In case the user is not set and the userResourceOwner is not set (also the case for the session creation), +// it will check permission on the instance. +func (c *Commands) checkSessionWritePermission(ctx context.Context, model *SessionWriteModel, sessionToken string) error { + if sessionToken != "" { + return c.sessionTokenVerifier(ctx, sessionToken, model.AggregateID, model.TokenID) + } + userResourceOwner, err := c.sessionUserResourceOwner(ctx, model) + if err != nil { + return err + } + return c.checkPermission(ctx, domain.PermissionSessionWrite, userResourceOwner, model.UserID) +} + // checkSessionTerminationPermission will check that the provided sessionToken is correct or // if empty, check that the caller is either terminating the own session or // is granted the "session.delete" permission on the resource owner of the authenticated user. diff --git a/internal/command/session_test.go b/internal/command/session_test.go index e65f32fb57..630feeea1a 100644 --- a/internal/command/session_test.go +++ b/internal/command/session_test.go @@ -145,8 +145,9 @@ func TestSessionCommands_getHumanWriteModel(t *testing.T) { func TestCommands_CreateSession(t *testing.T) { type fields struct { - idGenerator id.Generator - tokenCreator func(sessionID string) (string, string, error) + idGenerator id.Generator + tokenCreator func(sessionID string) (string, string, error) + checkPermission domain.PermissionCheck } type args struct { ctx context.Context 
@@ -194,6 +195,22 @@ func TestCommands_CreateSession(t *testing.T) { err: zerrors.ThrowInternal(nil, "id", "filter failed"), }, }, + { + "missing permission", + fields{ + idGenerator: mock.NewIDGeneratorExpectIDs(t, "sessionID"), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args{ + ctx: context.Background(), + }, + []expect{ + expectFilter(), + }, + res{ + err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, + }, { "negative lifetime", fields{ @@ -203,6 +220,7 @@ func TestCommands_CreateSession(t *testing.T) { "token", nil }, + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: authz.NewMockContext("instance1", "", ""), @@ -230,6 +248,7 @@ func TestCommands_CreateSession(t *testing.T) { "token", nil }, + checkPermission: newMockPermissionCheckAllowed(), }, args{ ctx: authz.NewMockContext("instance1", "", ""), @@ -275,6 +294,7 @@ func TestCommands_CreateSession(t *testing.T) { eventstore: expectEventstore(tt.expect...)(t), idGenerator: tt.fields.idGenerator, sessionTokenCreator: tt.fields.tokenCreator, + checkPermission: tt.fields.checkPermission, } got, err := c.CreateSession(tt.args.ctx, tt.args.checks, tt.args.metadata, tt.args.userAgent, tt.args.lifetime) require.ErrorIs(t, err, tt.res.err) 
@@ -285,15 +305,17 @@ func TestCommands_CreateSession(t *testing.T) { func TestCommands_UpdateSession(t *testing.T) { type fields struct { - eventstore func(*testing.T) *eventstore.Eventstore - tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) + eventstore func(*testing.T) *eventstore.Eventstore + tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) + checkPermission domain.PermissionCheck } type args struct { - ctx context.Context - sessionID string - checks []SessionCommand - metadata map[string][]byte - lifetime time.Duration + ctx context.Context + sessionID string + sessionToken string + checks []SessionCommand + metadata map[string][]byte + lifetime time.Duration } type res struct { want *SessionChanged 
@@ -319,6 +341,67 @@ func TestCommands_UpdateSession(t *testing.T) { err: zerrors.ThrowInternal(nil, "id", "filter failed"), }, }, + { + "invalid session token", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + session.NewAddedEvent(context.Background(), + &session.NewAggregate("sessionID", "instance1").Aggregate, + &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + )), + eventFromEventPusher( + session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, + "tokenID")), + ), + ), + tokenVerifier: newMockTokenVerifierInvalid(), + }, + args{ + ctx: context.Background(), + sessionID: "sessionID", + sessionToken: "invalid", + }, + res{ + err: zerrors.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid"), + }, + }, + { + "no token, no permission", + fields{ + eventstore: expectEventstore( + expectFilter( + eventFromEventPusher( + session.NewAddedEvent(context.Background(), + &session.NewAggregate("sessionID", "instance1").Aggregate, + &domain.UserAgent{ + FingerprintID: gu.Ptr("fp1"), + IP: net.ParseIP("1.2.3.4"), + Description: gu.Ptr("firefox"), + Header: http.Header{"foo": []string{"bar"}}, + }, + )), + eventFromEventPusher( + session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate, + "tokenID")), + ), + ), + checkPermission: newMockPermissionCheckNotAllowed(), + }, + args{ + ctx: context.Background(), + sessionID: "sessionID", + }, + res{ + err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"), + }, + }, { "no change", fields{ @@ -344,8 +427,9 @@ func TestCommands_UpdateSession(t *testing.T) { }, }, args{ - ctx: context.Background(), - sessionID: "sessionID", + ctx: context.Background(), + sessionID: "sessionID", + sessionToken: "token", }, res{ want: &SessionChanged{ 
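Review bot: The UpdateSession table now covers "invalid session token" and "no token, no permission", but no visible case where the permission path succeeds — the "no change" success case is changed to pass `sessionToken: "token"`, so a regression in which checkSessionWritePermission's permission branch wrongly rejects an authorized caller would go unnoticed. Add a copy of "no change" without sessionToken, with `checkPermission: newMockPermissionCheckAllowed()` and tokenVerifier unset, expecting the same result. The "invalid session token" case also leaves checkPermission nil, which is fine only because the token branch returns first; a one-line comment on that case saying so would keep a later refactor from tripping on a nil func. The test table continues outside the hunk.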
@@ -364,8 +448,9 @@ func TestCommands_UpdateSession(t *testing.T) { c := &Commands{ eventstore: tt.fields.eventstore(t), sessionTokenVerifier: tt.fields.tokenVerifier, + checkPermission: tt.fields.checkPermission, } - got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.checks, tt.args.metadata, tt.args.lifetime) + got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.sessionToken, tt.args.checks, tt.args.metadata, tt.args.lifetime) require.ErrorIs(t, err, tt.res.err) assert.Equal(t, tt.res.want, got) })