TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-05-06 09:06:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(setup): decode role mappings (#7760)

Browse Source
This commit is contained in:
Elio Bischof 2024-04-14 11:55:54 +02:00 committed by GitHub
parent 9865425a0c
commit 5b34aabbdd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 48 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/defaults.yaml
View File

@ -906,7 +906,7 @@ AuditLogRetention: 0s # ZITADEL_AUDITLOGRETENTION
InternalAuthZ: InternalAuthZ:
# Configure the RolePermissionMappings by environment variable using JSON notation: # Configure the RolePermissionMappings by environment variable using JSON notation:
# ZITADEL_INTERNALAUTHZ_ROLEPERMISSIONMAPPINGS='[{"role": "IAM_OWNER", "permissions": ["iam.read", "iam.write"]}]' # ZITADEL_INTERNALAUTHZ_ROLEPERMISSIONMAPPINGS='[{"role": "IAM_OWNER", "permissions": ["iam.write"]}, {"role": "ORG_OWNER", "permissions": ["org.write"]}]'
# Beware that if you configure the RolePermissionMappings by environment variable, all the default RolePermissionMappings are lost. # Beware that if you configure the RolePermissionMappings by environment variable, all the default RolePermissionMappings are lost.
RolePermissionMappings: RolePermissionMappings:
- Role: "SYSTEM_OWNER" - Role: "SYSTEM_OWNER"

1
cmd/setup/config.go
View File

@ -69,6 +69,7 @@ func MustNewConfig(v *viper.Viper) *Config {
hook.EnumHookFunc(authz.MemberTypeString), hook.EnumHookFunc(authz.MemberTypeString),
actions.HTTPConfigDecodeHook, actions.HTTPConfigDecodeHook,
hooks.MapTypeStringDecode[string, *authz.SystemAPIUser], hooks.MapTypeStringDecode[string, *authz.SystemAPIUser],
hooks.SliceTypeStringDecode[authz.RoleMapping],
)), )),
) )
logging.OnError(err).Fatal("unable to read default config") logging.OnError(err).Fatal("unable to read default config")

46
cmd/start/config_test.go
View File

@ -223,6 +223,52 @@ Actions:
Greeting: "bar", Greeting: "bar",
}}) }})
}, },
}, {
name: "roles ok",
args: args{yaml: `
InternalAuthZ:
RolePermissionMappings:
- Role: IAM_OWNER
Permissions:
- iam.write
- Role: ORG_OWNER
Permissions:
- org.write
- org.read
Log:
Level: info
Actions:
HTTP:
DenyList: []
`},
want: func(t *testing.T, config *Config) {
assert.Equal(t, config.InternalAuthZ, authz.Config{
RolePermissionMappings: []authz.RoleMapping{
{Role: "IAM_OWNER", Permissions: []string{"iam.write"}},
{Role: "ORG_OWNER", Permissions: []string{"org.write", "org.read"}},
},
})
},
}, {
name: "roles string ok",
args: args{yaml: `
InternalAuthZ:
RolePermissionMappings: >
[{"role": "IAM_OWNER", "permissions": ["iam.write"]}, {"role": "ORG_OWNER", "permissions": ["org.write", "org.read"]}]
Log:
Level: info
Actions:
HTTP:
DenyList: []
`},
want: func(t *testing.T, config *Config) {
assert.Equal(t, config.InternalAuthZ, authz.Config{
RolePermissionMappings: []authz.RoleMapping{
{Role: "IAM_OWNER", Permissions: []string{"iam.write"}},
{Role: "ORG_OWNER", Permissions: []string{"org.write", "org.read"}},
},
})
},
}} }}
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {