From 84644214d7a8c35fc45e191864c37c3261c8ab51 Mon Sep 17 00:00:00 2001
From: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Date: Wed, 27 Mar 2024 19:22:17 +0100
Subject: [PATCH] fix: remove resourceowner read from context in user v2 api (#7641)
* fix: remove resourceowner read from context in user v2 api
* fix: lint
* fix: remove orgID in addIDPLink
* fix: remove comment as unnecessary
---------
Co-authored-by: Livio Spring
---
 internal/api/grpc/user/v2/otp.go | 9 ++++-----
 internal/api/grpc/user/v2/passkey.go | 17 ++++++-----------
 internal/api/grpc/user/v2/password.go | 8 +++-----
 internal/api/grpc/user/v2/totp.go | 5 ++---
 internal/api/grpc/user/v2/u2f.go | 6 ++----
 internal/api/grpc/user/v2/user.go | 3 +--
 internal/command/user_idp_link.go | 12 +++++++++---
 7 files changed, 27 insertions(+), 33 deletions(-)
diff --git a/internal/api/grpc/user/v2/otp.go b/internal/api/grpc/user/v2/otp.go
index 0171e1a653..0eae8c6bdd 100644
--- a/internal/api/grpc/user/v2/otp.go
+++ b/internal/api/grpc/user/v2/otp.go
@@ -3,13 +3,12 @@ package user
 import (
 "context"
- "github.com/zitadel/zitadel/internal/api/authz"
 "github.com/zitadel/zitadel/internal/api/grpc/object/v2"
 user "github.com/zitadel/zitadel/pkg/grpc/user/v2beta"
 )
 func (s *Server) AddOTPSMS(ctx context.Context, req *user.AddOTPSMSRequest) (*user.AddOTPSMSResponse, error) {
- details, err := s.command.AddHumanOTPSMS(ctx, req.GetUserId(), authz.GetCtxData(ctx).OrgID)
+ details, err := s.command.AddHumanOTPSMS(ctx, req.GetUserId(), "")
 if err != nil {
 return nil, err
 }
@@ -18,7 +17,7 @@ func (s *Server) AddOTPSMS(ctx context.Context, req *user.AddOTPSMSRequest) (*us
 }
 func (s *Server) RemoveOTPSMS(ctx context.Context, req *user.RemoveOTPSMSRequest) (*user.RemoveOTPSMSResponse, error) {
- objectDetails, err := s.command.RemoveHumanOTPSMS(ctx, req.GetUserId(), authz.GetCtxData(ctx).OrgID)
+ objectDetails, err := s.command.RemoveHumanOTPSMS(ctx, req.GetUserId(), "")
 if err != nil {
 return nil, err
 }
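Review bot: Passing "" as the resource owner on the AddHumanOTPSMS line (and at the parallel call sites in RemoveOTPSMS, AddOTPEmail, RemoveOTPEmail, RegisterPasskey, VerifyPasskeyRegistration, CreatePasskeyRegistrationLink, SetPassword, RegisterTOTP, VerifyTOTPRegistration, RegisterU2F, VerifyU2FRegistration and AddIDPLink) moves org resolution and the scoping of the permission check entirely into the command layer, yet the only command this commit adjusts for an empty owner is AddUserIDPLink. Since req.GetUserId() is caller-controlled and may name a user in another org, it is worth confirming for each of the other commands that an empty resourceOwner is treated as "load the user by ID and check PermissionUserWrite against its stored resource owner" rather than as a wildcard or a skipped check. A short comment at the first call site would make that contract visible to the next reader, e.g. `// resource owner is resolved by the command from the user ID; it is deliberately not taken from the caller's context`.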
@@ -26,7 +25,7 @@ func (s *Server) RemoveOTPSMS(ctx context.Context, req *user.RemoveOTPSMSRequest
 }
 func (s *Server) AddOTPEmail(ctx context.Context, req *user.AddOTPEmailRequest) (*user.AddOTPEmailResponse, error) {
- details, err := s.command.AddHumanOTPEmail(ctx, req.GetUserId(), authz.GetCtxData(ctx).OrgID)
+ details, err := s.command.AddHumanOTPEmail(ctx, req.GetUserId(), "")
 if err != nil {
 return nil, err
 }
@@ -35,7 +34,7 @@ func (s *Server) AddOTPEmail(ctx context.Context, req *user.AddOTPEmailRequest)
 }
 func (s *Server) RemoveOTPEmail(ctx context.Context, req *user.RemoveOTPEmailRequest) (*user.RemoveOTPEmailResponse, error) {
- objectDetails, err := s.command.RemoveHumanOTPEmail(ctx, req.GetUserId(), authz.GetCtxData(ctx).OrgID)
+ objectDetails, err := s.command.RemoveHumanOTPEmail(ctx, req.GetUserId(), "")
 if err != nil {
 return nil, err
 }
diff --git a/internal/api/grpc/user/v2/passkey.go b/internal/api/grpc/user/v2/passkey.go
index 69a7e8fdaa..58c89ae22e 100644
--- a/internal/api/grpc/user/v2/passkey.go
+++ b/internal/api/grpc/user/v2/passkey.go
@@ -5,7 +5,6 @@ import (
 "google.golang.org/protobuf/types/known/structpb"
- "github.com/zitadel/zitadel/internal/api/authz"
 "github.com/zitadel/zitadel/internal/api/grpc/object/v2"
 "github.com/zitadel/zitadel/internal/domain"
 "github.com/zitadel/zitadel/internal/zerrors"
@@ -15,16 +14,15 @@ import (
 func (s *Server) RegisterPasskey(ctx context.Context, req *user.RegisterPasskeyRequest) (resp *user.RegisterPasskeyResponse, err error) {
 var (
- resourceOwner = authz.GetCtxData(ctx).OrgID
 authenticator = passkeyAuthenticatorToDomain(req.GetAuthenticator())
 )
 if code := req.GetCode(); code != nil {
 return passkeyRegistrationDetailsToPb(
- s.command.RegisterUserPasskeyWithCode(ctx, req.GetUserId(), resourceOwner, authenticator, code.Id, code.Code, req.GetDomain(), s.userCodeAlg),
+ s.command.RegisterUserPasskeyWithCode(ctx, req.GetUserId(), "", authenticator, code.Id, code.Code, req.GetDomain(), s.userCodeAlg),
 )
 }
 return passkeyRegistrationDetailsToPb(
- s.command.RegisterUserPasskey(ctx, req.GetUserId(), resourceOwner, req.GetDomain(), authenticator),
+ s.command.RegisterUserPasskey(ctx, req.GetUserId(), "", req.GetDomain(), authenticator),
 )
 }
@@ -65,12 +63,11 @@ func passkeyRegistrationDetailsToPb(details *domain.WebAuthNRegistrationDetails,
 }
 func (s *Server) VerifyPasskeyRegistration(ctx context.Context, req *user.VerifyPasskeyRegistrationRequest) (*user.VerifyPasskeyRegistrationResponse, error) {
- resourceOwner := authz.GetCtxData(ctx).OrgID
 pkc, err := req.GetPublicKeyCredential().MarshalJSON()
 if err != nil {
 return nil, zerrors.ThrowInternal(err, "USERv2-Pha2o", "Errors.Internal")
 }
- objectDetails, err := s.command.HumanHumanPasswordlessSetup(ctx, req.GetUserId(), resourceOwner, req.GetPasskeyName(), "", pkc)
+ objectDetails, err := s.command.HumanHumanPasswordlessSetup(ctx, req.GetUserId(), "", req.GetPasskeyName(), "", pkc)
 if err != nil {
 return nil, err
 }
@@ -80,20 +77,18 @@ func (s *Server) VerifyPasskeyRegistration(ctx context.Context, req *user.Verify
 }
 func (s *Server) CreatePasskeyRegistrationLink(ctx context.Context, req *user.CreatePasskeyRegistrationLinkRequest) (resp *user.CreatePasskeyRegistrationLinkResponse, err error) {
- resourceOwner := authz.GetCtxData(ctx).OrgID
-
 switch medium := req.Medium.(type) {
 case nil:
 return passkeyDetailsToPb(
- s.command.AddUserPasskeyCode(ctx, req.GetUserId(), resourceOwner, s.userCodeAlg),
+ s.command.AddUserPasskeyCode(ctx, req.GetUserId(), "", s.userCodeAlg),
 )
 case *user.CreatePasskeyRegistrationLinkRequest_SendLink:
 return passkeyDetailsToPb(
- s.command.AddUserPasskeyCodeURLTemplate(ctx, req.GetUserId(), resourceOwner, s.userCodeAlg, medium.SendLink.GetUrlTemplate()),
+ s.command.AddUserPasskeyCodeURLTemplate(ctx, req.GetUserId(), "", s.userCodeAlg, medium.SendLink.GetUrlTemplate()),
 )
 case *user.CreatePasskeyRegistrationLinkRequest_ReturnCode:
 return passkeyCodeDetailsToPb(
- s.command.AddUserPasskeyCodeReturn(ctx, req.GetUserId(), resourceOwner, s.userCodeAlg),
+ s.command.AddUserPasskeyCodeReturn(ctx, req.GetUserId(), "", s.userCodeAlg),
 )
 default:
 return nil, zerrors.ThrowUnimplementedf(nil, "USERv2-gaD8y", "verification oneOf %T in method CreatePasskeyRegistrationLink not implemented", medium)
diff --git a/internal/api/grpc/user/v2/password.go b/internal/api/grpc/user/v2/password.go
index 119806c4d9..0651013cd9 100644
--- a/internal/api/grpc/user/v2/password.go
+++ b/internal/api/grpc/user/v2/password.go
@@ -3,7 +3,6 @@ package user
 import (
 "context"
- "github.com/zitadel/zitadel/internal/api/authz"
 "github.com/zitadel/zitadel/internal/api/grpc/object/v2"
 "github.com/zitadel/zitadel/internal/domain"
 "github.com/zitadel/zitadel/internal/zerrors"
@@ -48,16 +47,15 @@ func notificationTypeToDomain(notificationType user.NotificationType) domain.Not
 }
 func (s *Server) SetPassword(ctx context.Context, req *user.SetPasswordRequest) (_ *user.SetPasswordResponse, err error) {
- var resourceOwner = authz.GetCtxData(ctx).OrgID
 var details *domain.ObjectDetails
 switch v := req.GetVerification().(type) {
 case *user.SetPasswordRequest_CurrentPassword:
- details, err = s.command.ChangePassword(ctx, resourceOwner, req.GetUserId(), v.CurrentPassword, req.GetNewPassword().GetPassword(), "")
+ details, err = s.command.ChangePassword(ctx, "", req.GetUserId(), v.CurrentPassword, req.GetNewPassword().GetPassword(), "")
 case *user.SetPasswordRequest_VerificationCode:
- details, err = s.command.SetPasswordWithVerifyCode(ctx, resourceOwner, req.GetUserId(), v.VerificationCode, req.GetNewPassword().GetPassword(), "")
+ details, err = s.command.SetPasswordWithVerifyCode(ctx, "", req.GetUserId(), v.VerificationCode, req.GetNewPassword().GetPassword(), "")
 case nil:
- details, err = s.command.SetPassword(ctx, resourceOwner, req.GetUserId(), req.GetNewPassword().GetPassword(), req.GetNewPassword().GetChangeRequired())
+ details, err = s.command.SetPassword(ctx, "", req.GetUserId(), req.GetNewPassword().GetPassword(), req.GetNewPassword().GetChangeRequired())
 default:
 err = zerrors.ThrowUnimplementedf(nil, "USERv2-SFdf2", "verification oneOf %T in method SetPasswordRequest not implemented", v)
 }
diff --git a/internal/api/grpc/user/v2/totp.go b/internal/api/grpc/user/v2/totp.go
index ab7ec03583..691f31a833 100644
--- a/internal/api/grpc/user/v2/totp.go
+++ b/internal/api/grpc/user/v2/totp.go
@@ -3,7 +3,6 @@ package user
 import (
 "context"
- "github.com/zitadel/zitadel/internal/api/authz"
 "github.com/zitadel/zitadel/internal/api/grpc/object/v2"
 "github.com/zitadel/zitadel/internal/domain"
 user "github.com/zitadel/zitadel/pkg/grpc/user/v2beta"
@@ -11,7 +10,7 @@ import (
 func (s *Server) RegisterTOTP(ctx context.Context, req *user.RegisterTOTPRequest) (*user.RegisterTOTPResponse, error) {
 return totpDetailsToPb(
- s.command.AddUserTOTP(ctx, req.GetUserId(), authz.GetCtxData(ctx).OrgID),
+ s.command.AddUserTOTP(ctx, req.GetUserId(), ""),
 )
 }
@@ -28,7 +27,7 @@ func totpDetailsToPb(totp *domain.TOTP, err error) (*user.RegisterTOTPResponse,
 }
 func (s *Server) VerifyTOTPRegistration(ctx context.Context, req *user.VerifyTOTPRegistrationRequest) (*user.VerifyTOTPRegistrationResponse, error) {
- objectDetails, err := s.command.CheckUserTOTP(ctx, req.GetUserId(), req.GetCode(), authz.GetCtxData(ctx).OrgID)
+ objectDetails, err := s.command.CheckUserTOTP(ctx, req.GetUserId(), req.GetCode(), "")
 if err != nil {
 return nil, err
 }
diff --git a/internal/api/grpc/user/v2/u2f.go b/internal/api/grpc/user/v2/u2f.go
index 56310508ff..f13d21736e 100644
--- a/internal/api/grpc/user/v2/u2f.go
+++ b/internal/api/grpc/user/v2/u2f.go
@@ -3,7 +3,6 @@ package user
 import (
 "context"
- "github.com/zitadel/zitadel/internal/api/authz"
 "github.com/zitadel/zitadel/internal/api/grpc/object/v2"
 "github.com/zitadel/zitadel/internal/domain"
 "github.com/zitadel/zitadel/internal/zerrors"
@@ -12,7 +11,7 @@ import (
 func (s *Server) RegisterU2F(ctx context.Context, req *user.RegisterU2FRequest) (*user.RegisterU2FResponse, error) {
 return u2fRegistrationDetailsToPb(
- s.command.RegisterUserU2F(ctx, req.GetUserId(), authz.GetCtxData(ctx).OrgID, req.GetDomain()),
+ s.command.RegisterUserU2F(ctx, req.GetUserId(), "", req.GetDomain()),
 )
 }
@@ -29,12 +28,11 @@ func u2fRegistrationDetailsToPb(details *domain.WebAuthNRegistrationDetails, err
 }
 func (s *Server) VerifyU2FRegistration(ctx context.Context, req *user.VerifyU2FRegistrationRequest) (*user.VerifyU2FRegistrationResponse, error) {
- resourceOwner := authz.GetCtxData(ctx).OrgID
 pkc, err := req.GetPublicKeyCredential().MarshalJSON()
 if err != nil {
 return nil, zerrors.ThrowInternal(err, "USERv2-IeTh4", "Errors.Internal")
 }
- objectDetails, err := s.command.HumanVerifyU2FSetup(ctx, req.GetUserId(), resourceOwner, req.GetTokenName(), "", pkc)
+ objectDetails, err := s.command.HumanVerifyU2FSetup(ctx, req.GetUserId(), "", req.GetTokenName(), "", pkc)
 if err != nil {
 return nil, err
 }
diff --git a/internal/api/grpc/user/v2/user.go b/internal/api/grpc/user/v2/user.go
index c7516bdc0e..f6290e7248 100644
--- a/internal/api/grpc/user/v2/user.go
+++ b/internal/api/grpc/user/v2/user.go
@@ -280,8 +280,7 @@ func SetHumanPasswordToPassword(password *user.SetPassword) *command.Password {
 }
 func (s *Server) AddIDPLink(ctx context.Context, req *user.AddIDPLinkRequest) (_ *user.AddIDPLinkResponse, err error) {
- orgID := authz.GetCtxData(ctx).OrgID
- details, err := s.command.AddUserIDPLink(ctx, req.UserId, orgID, &command.AddLink{
+ details, err := s.command.AddUserIDPLink(ctx, req.UserId, "", &command.AddLink{
 IDPID: req.GetIdpLink().GetIdpId(),
 DisplayName: req.GetIdpLink().GetUserName(),
 IDPExternalID: req.GetIdpLink().GetUserId(),
diff --git a/internal/command/user_idp_link.go b/internal/command/user_idp_link.go
index afbdb47cdc..38d913ca6a 100644
--- a/internal/command/user_idp_link.go
+++ b/internal/command/user_idp_link.go
@@ -15,15 +15,21 @@ func (c *Commands) AddUserIDPLink(ctx context.Context, userID, resourceOwner str
 if userID == "" {
 return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-03j8f", "Errors.IDMissing")
 }
- if err := c.checkUserExists(ctx, userID, resourceOwner); err != nil {
+
+ existingUser, err := c.userWriteModelByID(ctx, userID, resourceOwner)
+ if err != nil {
 return nil, err
 }
+ if !isUserStateExists(existingUser.UserState) {
+ return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-vzktar7b7f", "Errors.User.NotFound")
+ }
 if userID != authz.GetCtxData(ctx).UserID {
- if err := c.checkPermission(ctx, domain.PermissionUserWrite, resourceOwner, userID); err != nil {
+ if err := c.checkPermission(ctx, domain.PermissionUserWrite, existingUser.ResourceOwner, existingUser.AggregateID); err != nil {
 return nil, err
 }
 }
- event, err := addLink(ctx, c.eventstore.Filter, user.NewAggregate(userID, resourceOwner), link)
+ //nolint:staticcheck
+ event, err := addLink(ctx, c.eventstore.Filter, user.NewAggregate(existingUser.AggregateID, existingUser.ResourceOwner), link)
 if err != nil {
 return nil, err
 }
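Review bot: The new `if !isUserStateExists(existingUser.UserState)` check runs before the permission block, and because the lookup now takes the caller-supplied resourceOwner (the v2 API passes "", per the AddIDPLink hunk) it is presumably no longer scoped to the caller's org, so a caller without PermissionUserWrite can tell from a NotFound versus a permission error whether an arbitrary user ID exists anywhere in the instance. Moving the three-line state check below the `if userID != authz.GetCtxData(ctx).UserID {` block would make the response uniform for unauthorized callers, provided checkPermission rejects an empty existingUser.ResourceOwner — worth confirming before reordering. The `//nolint:staticcheck` directive should state why the suppressed call to user.NewAggregate is still acceptable (`//nolint:staticcheck // <reason>`), since the warning it hides is otherwise invisible to the next reader. The error identifier `COMMAND-vzktar7b7f` also differs in shape from the neighbouring `COMMAND-03j8f`. The enclosing AddUserIDPLink starts before and ends after this hunk.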