Merge commit from fork

* fix: require permission to create and update session

* fix: require permission to fail auth requests

* merge main and fix integration tests

* fix merge

* fix integration tests

* fix integration tests

* fix saml permission check

internal/command/session_test.go

@@ -145,8 +145,9 @@ func TestSessionCommands_getHumanWriteModel(t *testing.T) {
 
 func TestCommands_CreateSession(t *testing.T) {
 	type fields struct {
-		idGenerator  id.Generator
-		tokenCreator func(sessionID string) (string, string, error)
+		idGenerator     id.Generator
+		tokenCreator    func(sessionID string) (string, string, error)
+		checkPermission domain.PermissionCheck
 	}
 	type args struct {
 		ctx       context.Context
@@ -194,6 +195,22 @@ func TestCommands_CreateSession(t *testing.T) {
 				err: zerrors.ThrowInternal(nil, "id", "filter failed"),
 			},
 		},
+		{
+			"missing permission",
+			fields{
+				idGenerator:     mock.NewIDGeneratorExpectIDs(t, "sessionID"),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx: context.Background(),
+			},
+			[]expect{
+				expectFilter(),
+			},
+			res{
+				err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
+			},
+		},
 		{
 			"negative lifetime",
 			fields{
@@ -203,6 +220,7 @@ func TestCommands_CreateSession(t *testing.T) {
 						"token",
 						nil
 				},
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args{
 				ctx: authz.NewMockContext("instance1", "", ""),
@@ -230,6 +248,7 @@ func TestCommands_CreateSession(t *testing.T) {
 						"token",
 						nil
 				},
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args{
 				ctx: authz.NewMockContext("instance1", "", ""),
@@ -275,6 +294,7 @@ func TestCommands_CreateSession(t *testing.T) {
 				eventstore:          expectEventstore(tt.expect...)(t),
 				idGenerator:         tt.fields.idGenerator,
 				sessionTokenCreator: tt.fields.tokenCreator,
+				checkPermission:     tt.fields.checkPermission,
 			}
 			got, err := c.CreateSession(tt.args.ctx, tt.args.checks, tt.args.metadata, tt.args.userAgent, tt.args.lifetime)
 			require.ErrorIs(t, err, tt.res.err)
@@ -285,15 +305,17 @@ func TestCommands_CreateSession(t *testing.T) {
 
 func TestCommands_UpdateSession(t *testing.T) {
 	type fields struct {
-		eventstore    func(*testing.T) *eventstore.Eventstore
-		tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error)
+		eventstore      func(*testing.T) *eventstore.Eventstore
+		tokenVerifier   func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error)
+		checkPermission domain.PermissionCheck
 	}
 	type args struct {
-		ctx       context.Context
-		sessionID string
-		checks    []SessionCommand
-		metadata  map[string][]byte
-		lifetime  time.Duration
+		ctx          context.Context
+		sessionID    string
+		sessionToken string
+		checks       []SessionCommand
+		metadata     map[string][]byte
+		lifetime     time.Duration
 	}
 	type res struct {
 		want *SessionChanged
@@ -319,6 +341,67 @@ func TestCommands_UpdateSession(t *testing.T) {
 				err: zerrors.ThrowInternal(nil, "id", "filter failed"),
 			},
 		},
+		{
+			"invalid session token",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							session.NewAddedEvent(context.Background(),
+								&session.NewAggregate("sessionID", "instance1").Aggregate,
+								&domain.UserAgent{
+									FingerprintID: gu.Ptr("fp1"),
+									IP:            net.ParseIP("1.2.3.4"),
+									Description:   gu.Ptr("firefox"),
+									Header:        http.Header{"foo": []string{"bar"}},
+								},
+							)),
+						eventFromEventPusher(
+							session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate,
+								"tokenID")),
+					),
+				),
+				tokenVerifier: newMockTokenVerifierInvalid(),
+			},
+			args{
+				ctx:          context.Background(),
+				sessionID:    "sessionID",
+				sessionToken: "invalid",
+			},
+			res{
+				err: zerrors.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid"),
+			},
+		},
+		{
+			"no token, no permission",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							session.NewAddedEvent(context.Background(),
+								&session.NewAggregate("sessionID", "instance1").Aggregate,
+								&domain.UserAgent{
+									FingerprintID: gu.Ptr("fp1"),
+									IP:            net.ParseIP("1.2.3.4"),
+									Description:   gu.Ptr("firefox"),
+									Header:        http.Header{"foo": []string{"bar"}},
+								},
+							)),
+						eventFromEventPusher(
+							session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate,
+								"tokenID")),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx:       context.Background(),
+				sessionID: "sessionID",
+			},
+			res{
+				err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
+			},
+		},
 		{
 			"no change",
 			fields{
@@ -344,8 +427,9 @@ func TestCommands_UpdateSession(t *testing.T) {
 				},
 			},
 			args{
-				ctx:       context.Background(),
-				sessionID: "sessionID",
+				ctx:          context.Background(),
+				sessionID:    "sessionID",
+				sessionToken: "token",
 			},
 			res{
 				want: &SessionChanged{
@@ -364,8 +448,9 @@ func TestCommands_UpdateSession(t *testing.T) {
 			c := &Commands{
 				eventstore:           tt.fields.eventstore(t),
 				sessionTokenVerifier: tt.fields.tokenVerifier,
+				checkPermission:      tt.fields.checkPermission,
 			}
-			got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.checks, tt.args.metadata, tt.args.lifetime)
+			got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.sessionToken, tt.args.checks, tt.args.metadata, tt.args.lifetime)
 			require.ErrorIs(t, err, tt.res.err)
 			assert.Equal(t, tt.res.want, got)
 		})