Merge commit from fork

* fix: require permission to create and update session * fix: require permission to fail auth requests * merge main and fix integration tests * fix merge * fix integration tests * fix integration tests * fix saml permission check
2025-08-11 19:07:30 +00:00 · 2025-07-15 07:38:00 -04:00
parent 91487a0b23
commit 4c942f3477
33 changed files with 681 additions and 334 deletions
--- a/internal/command/device_auth_test.go
+++ b/internal/command/device_auth_test.go
@@ -578,7 +578,8 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 	pushErr := errors.New("pushErr")

 	type fields struct {
-		eventstore func(*testing.T) *eventstore.Eventstore
+		eventstore      func(*testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
 	}
 	type args struct {
 		ctx    context.Context
@@ -602,6 +603,26 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 			args:    args{ctx, "123", domain.DeviceAuthCanceledDenied},
 			wantErr: zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound"),
 		},
+		{
+			name: "missing permission, error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(eventFromEventPusherWithInstanceID(
+						"instance1",
+						deviceauth.NewAddedEvent(
+							ctx,
+							deviceauth.NewAggregate("123", "instance1"),
+							"client_id", "123", "456", now,
+							[]string{"a", "b", "c"},
+							[]string{"projectID", "clientID"}, true,
+						),
+					)),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args:    args{ctx, "123", domain.DeviceAuthCanceledDenied},
+			wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
+		},
 		{
 			name: "push error",
 			fields: fields{
@@ -623,6 +644,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args:    args{ctx, "123", domain.DeviceAuthCanceledDenied},
 			wantErr: pushErr,
@@ -648,6 +670,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{ctx, "123", domain.DeviceAuthCanceledDenied},
 			wantDetails: &domain.ObjectDetails{
@@ -675,6 +698,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{ctx, "123", domain.DeviceAuthCanceledExpired},
 			wantDetails: &domain.ObjectDetails{
@@ -685,7 +709,8 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore: tt.fields.eventstore(t),
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
 			}
 			gotDetails, err := c.CancelDeviceAuth(tt.args.ctx, tt.args.id, tt.args.reason)
 			require.ErrorIs(t, err, tt.wantErr)