feat: option to disallow public org registration (#6917)

* feat: return 404 or 409 if org reg disallowed * fix: system limit permissions * feat: add iam limits api * feat: disallow public org registrations on default instance * add integration test * test: integration * fix test * docs: describe public org registrations * avoid updating docs deps * fix system limits integration test * silence integration tests * fix linting * ignore strange linter complaints * review * improve reset properties naming * redefine the api * use restrictions aggregate * test query * simplify and test projection * test commands * fix unit tests * move integration test * support restrictions on default instance * also test GetRestrictions * self review * lint * abstract away resource owner * fix tests * lint
2025-08-11 17:27:31 +00:00 · 2023-11-22 10:29:38 +01:00
parent 5fa596a871
commit 76fe032b5f
45 changed files with 1280 additions and 123 deletions
--- a/proto/zitadel/admin.proto
+++ b/proto/zitadel/admin.proto
@@ -3795,6 +3795,59 @@ service AdminService {
            description: "Returns a list of reached instance usage milestones."
        };
    }
+
+    // Sets restrictions
+    rpc SetRestrictions(SetRestrictionsRequest) returns (SetRestrictionsResponse) {
+        option (google.api.http) = {
+            put: "/restrictions"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.restrictions.write";
+        };
+
+        option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+            tags: ["Feature Restrictions"];
+            summary: "Restrict the instances features";
+            description: "Undefined values don't change the current restriction. Zero values remove the current restriction.";
+            responses: {
+                key: "200";
+                value: {
+                    description: "Restrictions set.";
+                };
+            };
+            responses: {
+                key: "400";
+                value: {
+                    description: "No restriction is defined.";
+                };
+            };
+        };
+    }
+
+    // Gets restrictions
+    rpc GetRestrictions(GetRestrictionsRequest) returns (GetRestrictionsResponse) {
+        option (google.api.http) = {
+            get: "/restrictions"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.restrictions.read";
+        };
+
+        option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+            tags: ["Feature Restrictions"];
+            summary: "Get the current feature restrictions for the instance";
+            description: "Undefined values mean that the feature is not restricted. If restrictions were never set, the instances features are not restricted, all properties are undefined and the details object is empty.";
+            responses: {
+                key: "200";
+                value: {
+                    description: "The status 200 is also returned if no restrictions were ever set. In this case, all feature restrictions have zero values.";
+                };
+            };
+        };
+    }
 }


@@ -7934,3 +7987,27 @@ message ListMilestonesResponse {
    zitadel.v1.ListDetails details = 1;
    repeated zitadel.milestone.v1.Milestone result = 2;
 }
+
+message SetRestrictionsRequest {
+    optional bool disallow_public_org_registration = 1 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "defines if ZITADEL should expose the endpoint /ui/login/register/org. If it is true, the org registration endpoint returns the HTTP status 404 on GET requests, and 409 on POST requests.";
+        }
+    ];
+}
+
+message SetRestrictionsResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetRestrictionsRequest {}
+
+message GetRestrictionsResponse {
+    zitadel.v1.ObjectDetails details = 1;
+    bool disallow_public_org_registration = 2 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "defines if ZITADEL should expose the endpoint /ui/login/register/org. If it is true, the org registration endpoint returns the HTTP status 404 on GET requests, and 409 on POST requests.";
+        }
+    ];
+}
+
--- a/proto/zitadel/system.proto
+++ b/proto/zitadel/system.proto
@@ -433,7 +433,7 @@ service SystemService {
    };

    option (zitadel.v1.auth_option) = {
-      permission: "authenticated";
+      permission: "system.limits.write";
    };

    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -465,7 +465,7 @@ service SystemService {
    };

    option (zitadel.v1.auth_option) = {
-      permission: "authenticated";
+      permission: "system.limits.delete";
    };

    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -766,7 +766,7 @@ message SetLimitsRequest {
  string instance_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
  google.protobuf.Duration audit_log_retention = 2 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
-      description: "AuditLogRetention limits the number of events that can be queried via the events API by their age. A value of '0s' means that all events are available. If this value is set, it overwrites the system default.";
+      description: "auditLogRetention limits the number of events that can be queried via the events API by their age. A value of '0s' means that all events are available. If this value is set, it overwrites the system default.";
    }
  ];
 }