feat: option to disallow public org registration (#6917)

* feat: return 404 or 409 if org reg disallowed * fix: system limit permissions * feat: add iam limits api * feat: disallow public org registrations on default instance * add integration test * test: integration * fix test * docs: describe public org registrations * avoid updating docs deps * fix system limits integration test * silence integration tests * fix linting * ignore strange linter complaints * review * improve reset properties naming * redefine the api * use restrictions aggregate * test query * simplify and test projection * test commands * fix unit tests * move integration test * support restrictions on default instance * also test GetRestrictions * self review * lint * abstract away resource owner * fix tests * lint
2025-08-11 21:07:31 +00:00 · 2023-11-22 10:29:38 +01:00
parent 5fa596a871
commit 76fe032b5f
45 changed files with 1280 additions and 123 deletions
--- a/internal/integration/client.go
+++ b/internal/integration/client.go
@@ -59,7 +59,7 @@ func newClient(cc *grpc.ClientConn) Client {
 }

 func (t *Tester) UseIsolatedInstance(iamOwnerCtx, systemCtx context.Context) (primaryDomain, instanceId string, authenticatedIamOwnerCtx context.Context) {
-	primaryDomain = randString(5) + ".integration"
+	primaryDomain = randString(5) + ".integration.localhost"
 	instance, err := t.Client.System.CreateInstance(systemCtx, &system.CreateInstanceRequest{
 		InstanceName: "testinstance",
 		CustomDomain: primaryDomain,
@@ -74,7 +74,7 @@ func (t *Tester) UseIsolatedInstance(iamOwnerCtx, systemCtx context.Context) (pr
 	if err != nil {
 		panic(err)
 	}
-	t.createClientConn(iamOwnerCtx, grpc.WithAuthority(primaryDomain))
+	t.createClientConn(iamOwnerCtx, fmt.Sprintf("%s:%d", primaryDomain, t.Config.Port))
 	instanceId = instance.GetInstanceId()
 	t.Users.Set(instanceId, IAMOwner, &User{
 		Token: instance.GetPat(),
--- a/internal/integration/integration.go
+++ b/internal/integration/integration.go
@@ -127,12 +127,11 @@ func (s *Tester) Host() string {
 	return fmt.Sprintf("%s:%d", s.Config.ExternalDomain, s.Config.Port)
 }

-func (s *Tester) createClientConn(ctx context.Context, opts ...grpc.DialOption) {
-	target := s.Host()
-	cc, err := grpc.DialContext(ctx, target, append(opts,
+func (s *Tester) createClientConn(ctx context.Context, target string) {
+	cc, err := grpc.DialContext(ctx, target,
 		grpc.WithBlock(),
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
-	)...)
+	)
 	if err != nil {
 		s.Shutdown <- os.Interrupt
 		s.wg.Wait()
@@ -346,9 +345,10 @@ func NewTester(ctx context.Context) *Tester {
 	case <-ctx.Done():
 		logging.OnError(ctx.Err()).Fatal("waiting for integration tester server")
 	}
-	tester.createClientConn(ctx)
+	host := tester.Host()
+	tester.createClientConn(ctx, host)
 	tester.createLoginClient(ctx)
-	tester.WebAuthN = webauthn.NewClient(tester.Config.WebAuthNName, tester.Config.ExternalDomain, http_util.BuildOrigin(tester.Host(), tester.Config.ExternalSecure))
+	tester.WebAuthN = webauthn.NewClient(tester.Config.WebAuthNName, tester.Config.ExternalDomain, http_util.BuildOrigin(host, tester.Config.ExternalSecure))
 	tester.createMachineUserOrgOwner(ctx)
 	tester.createMachineUserInstanceOwner(ctx)
 	tester.WebAuthN = webauthn.NewClient(tester.Config.WebAuthNName, tester.Config.ExternalDomain, "https://"+tester.Host())