fix(setup): decode role mappings (#7760)

2024-12-04 23:45:07 +00:00 · 2024-04-14 11:55:54 +02:00 · 2024-04-14 11:55:54 +02:00 · 5b34aabbdd
commit 5b34aabbdd
parent 9865425a0c
3 changed files with 48 additions and 1 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@ -906,7 +906,7 @@ AuditLogRetention: 0s # ZITADEL_AUDITLOGRETENTION

 InternalAuthZ:
  # Configure the RolePermissionMappings by environment variable using JSON notation:
-  # ZITADEL_INTERNALAUTHZ_ROLEPERMISSIONMAPPINGS='[{"role": "IAM_OWNER", "permissions": ["iam.read", "iam.write"]}]'
+  # ZITADEL_INTERNALAUTHZ_ROLEPERMISSIONMAPPINGS='[{"role": "IAM_OWNER", "permissions": ["iam.write"]}, {"role": "ORG_OWNER", "permissions": ["org.write"]}]'
  # Beware that if you configure the RolePermissionMappings by environment variable, all the default RolePermissionMappings are lost.
  RolePermissionMappings:
    - Role: "SYSTEM_OWNER"
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@ -69,6 +69,7 @@ func MustNewConfig(v *viper.Viper) *Config {
 			hook.EnumHookFunc(authz.MemberTypeString),
 			actions.HTTPConfigDecodeHook,
 			hooks.MapTypeStringDecode[string, *authz.SystemAPIUser],
+			hooks.SliceTypeStringDecode[authz.RoleMapping],
 		)),
 	)
 	logging.OnError(err).Fatal("unable to read default config")
--- a/cmd/start/config_test.go
+++ b/cmd/start/config_test.go
@ -223,6 +223,52 @@ Actions:
 				Greeting:        "bar",
 			}})
 		},
+	}, {
+		name: "roles ok",
+		args: args{yaml: `
+InternalAuthZ:
+  RolePermissionMappings:
+  - Role: IAM_OWNER
+    Permissions:
+    - iam.write
+  - Role: ORG_OWNER
+    Permissions:
+    - org.write
+    - org.read
+Log:
+  Level: info
+Actions:
+  HTTP:
+    DenyList: []
+`},
+		want: func(t *testing.T, config *Config) {
+			assert.Equal(t, config.InternalAuthZ, authz.Config{
+				RolePermissionMappings: []authz.RoleMapping{
+					{Role: "IAM_OWNER", Permissions: []string{"iam.write"}},
+					{Role: "ORG_OWNER", Permissions: []string{"org.write", "org.read"}},
+				},
+			})
+		},
+	}, {
+		name: "roles string ok",
+		args: args{yaml: `
+InternalAuthZ:
+  RolePermissionMappings: >
+    [{"role": "IAM_OWNER", "permissions": ["iam.write"]}, {"role": "ORG_OWNER", "permissions": ["org.write", "org.read"]}]
+Log:
+  Level: info
+Actions:
+  HTTP:
+    DenyList: []
+`},
+		want: func(t *testing.T, config *Config) {
+			assert.Equal(t, config.InternalAuthZ, authz.Config{
+				RolePermissionMappings: []authz.RoleMapping{
+					{Role: "IAM_OWNER", Permissions: []string{"iam.write"}},
+					{Role: "ORG_OWNER", Permissions: []string{"org.write", "org.read"}},
+				},
+			})
+		},
 	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {