Merge commit from fork

* fix: require permission to create and update session * fix: require permission to fail auth requests * merge main and fix integration tests * fix merge * fix integration tests * fix integration tests * fix saml permission check
2025-08-11 20:47:32 +00:00 · 2025-07-15 07:38:00 -04:00
parent 91487a0b23
commit 4c942f3477
33 changed files with 681 additions and 334 deletions
--- a/internal/command/saml_request_test.go
+++ b/internal/command/saml_request_test.go
@@ -786,7 +786,8 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
 func TestCommands_FailSAMLRequest(t *testing.T) {
 	mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient")
 	type fields struct {
-		eventstore func(t *testing.T) *eventstore.Eventstore
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
 	}
 	type args struct {
 		ctx         context.Context
@@ -820,7 +821,40 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
 			res{
 				wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled"),
 			},
-		}, {
+		},
+		{
+			"missing permission",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							samlrequest.NewAddedEvent(mockCtx, &samlrequest.NewAggregate("V2_id", "instanceID").Aggregate,
+								"login",
+								"application",
+								"acs",
+								"relaystate",
+								"request",
+								"binding",
+								"issuer",
+								"destination",
+								"responseissuer",
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx:         mockCtx,
+				id:          "V2_id",
+				reason:      domain.SAMLErrorReasonAuthNFailed,
+				description: "desc",
+			},
+			res{
+				wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
+			},
+		},
+		{
 			"already failed",
 			fields{
 				eventstore: expectEventstore(
@@ -843,6 +877,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args{
 				ctx:         mockCtx,
@@ -879,6 +914,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args{
 				ctx:         mockCtx,
@@ -908,7 +944,8 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore: tt.fields.eventstore(t),
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
 			}
 			details, got, err := c.FailSAMLRequest(tt.args.ctx, tt.args.id, tt.args.reason)
 			require.ErrorIs(t, err, tt.res.wantErr)