TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:37:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(session v2): allow searching for own sessions or user agent (fingerprintID) (#9110)

Browse Source 
# Which Problems Are Solved

ListSessions only works to list the sessions that you are the creator
of.

# How the Problems Are Solved

Add options to search for sessions created by other users, sessions
belonging to the same useragent and sessions belonging to your user.
Possible through additional search parameters which as default use the
information contained in your session token but can also be filled with
specific IDs.

# Additional Changes

Remodel integration tests, to separate the Create and Get of sessions
correctly.

# Additional Context

Closes #8301

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Stefan Benz
2025-01-14 14:15:59 +01:00
committed by GitHub
parent e2a2e13d44
commit 84997ffe1a
25 changed files with 2398 additions and 702 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
internal/query/session.go
View File

@@ -6,6 +6,7 @@ import (
"errors"
"net"
"net/http"
"slices"
"time"
sq "github.com/Masterminds/squirrel"
@@ -80,6 +81,39 @@ type SessionsSearchQueries struct {
Queries []SearchQuery
}
func sessionsCheckPermission(ctx context.Context, sessions *Sessions, permissionCheck domain.PermissionCheck) {
sessions.Sessions = slices.DeleteFunc(sessions.Sessions,
func(session *Session) bool {
return sessionCheckPermission(ctx, session.ResourceOwner, session.Creator, session.UserAgent, session.UserFactor, permissionCheck) != nil
},
)
}
func sessionCheckPermission(ctx context.Context, resourceOwner string, creator string, useragent domain.UserAgent, userFactor SessionUserFactor, permissionCheck domain.PermissionCheck) error {
data := authz.GetCtxData(ctx)
// no permission check necessary if user is creator
if data.UserID == creator {
return nil
}
// no permission check necessary if session belongs to the user
if userFactor.UserID != "" && data.UserID == userFactor.UserID {
return nil
}
// no permission check necessary if session belongs to the same useragent as used
if data.AgentID != "" && useragent.FingerprintID != nil && *useragent.FingerprintID != "" && data.AgentID == *useragent.FingerprintID {
return nil
}
// if session belongs to a user, check for permission on the user resource
if userFactor.ResourceOwner != "" {
if err := permissionCheck(ctx, domain.PermissionSessionRead, userFactor.ResourceOwner, userFactor.UserID); err != nil {
return err
}
return nil
}
// default, check for permission on instance
return permissionCheck(ctx, domain.PermissionSessionRead, resourceOwner, "")
}
func (q *SessionsSearchQueries) toQuery(query sq.SelectBuilder) sq.SelectBuilder {
query = q.SearchRequest.toQuery(query)
for _, q := range q.Queries {
@@ -195,7 +229,24 @@ var (
}
)
func (q *Queries) SessionByID(ctx context.Context, shouldTriggerBulk bool, id, sessionToken string) (session *Session, err error) {
func (q *Queries) SessionByID(ctx context.Context, shouldTriggerBulk bool, id, sessionToken string, permissionCheck domain.PermissionCheck) (session *Session, err error) {
session, tokenID, err := q.sessionByID(ctx, shouldTriggerBulk, id)
if err != nil {
return nil, err
}
if sessionToken == "" {
if err := sessionCheckPermission(ctx, session.ResourceOwner, session.Creator, session.UserAgent, session.UserFactor, permissionCheck); err != nil {
return nil, err
}
return session, nil
}
if err := q.sessionTokenVerifier(ctx, sessionToken, session.ID, tokenID); err != nil {
return nil, zerrors.ThrowPermissionDenied(nil, "QUERY-dsfr3", "Errors.PermissionDenied")
}
return session, nil
}
func (q *Queries) sessionByID(ctx context.Context, shouldTriggerBulk bool, id string) (session *Session, tokenID string, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
@@ -214,27 +265,31 @@ func (q *Queries) SessionByID(ctx context.Context, shouldTriggerBulk bool, id, s
},
).ToSql()
if err != nil {
return nil, zerrors.ThrowInternal(err, "QUERY-dn9JW", "Errors.Query.SQLStatement")
return nil, "", zerrors.ThrowInternal(err, "QUERY-dn9JW", "Errors.Query.SQLStatement")
}
var tokenID string
err = q.client.QueryRowContext(ctx, func(row *sql.Row) error {
session, tokenID, err = scan(row)
return err
}, stmt, args...)
if err != nil {
return nil, err
return nil, "", err
}
if sessionToken == "" {
return session, nil
}
if err := q.sessionTokenVerifier(ctx, sessionToken, session.ID, tokenID); err != nil {
return nil, zerrors.ThrowPermissionDenied(nil, "QUERY-dsfr3", "Errors.PermissionDenied")
}
return session, nil
return session, tokenID, nil
}
func (q *Queries) SearchSessions(ctx context.Context, queries *SessionsSearchQueries) (sessions *Sessions, err error) {
func (q *Queries) SearchSessions(ctx context.Context, queries *SessionsSearchQueries, permissionCheck domain.PermissionCheck) (*Sessions, error) {
sessions, err := q.searchSessions(ctx, queries)
if err != nil {
return nil, err
}
if permissionCheck != nil {
sessionsCheckPermission(ctx, sessions, permissionCheck)
}
return sessions, nil
}
func (q *Queries) searchSessions(ctx context.Context, queries *SessionsSearchQueries) (sessions *Sessions, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
@@ -272,6 +327,10 @@ func NewSessionCreatorSearchQuery(creator string) (SearchQuery, error) {
return NewTextQuery(SessionColumnCreator, creator, TextEquals)
}
func NewSessionUserAgentFingerprintIDSearchQuery(fingerprintID string) (SearchQuery, error) {
return NewTextQuery(SessionColumnUserAgentFingerprintID, fingerprintID, TextEquals)
}
func NewUserIDSearchQuery(id string) (SearchQuery, error) {
return NewTextQuery(SessionColumnUserID, id, TextEquals)
}
@@ -415,6 +474,10 @@ func prepareSessionsQuery(ctx context.Context, db prepareDatabase) (sq.SelectBui
SessionColumnOTPSMSCheckedAt.identifier(),
SessionColumnOTPEmailCheckedAt.identifier(),
SessionColumnMetadata.identifier(),
SessionColumnUserAgentFingerprintID.identifier(),
SessionColumnUserAgentIP.identifier(),
SessionColumnUserAgentDescription.identifier(),
SessionColumnUserAgentHeader.identifier(),
SessionColumnExpiration.identifier(),
countColumn.identifier(),
).From(sessionsTable.identifier()).
@@ -441,6 +504,8 @@ func prepareSessionsQuery(ctx context.Context, db prepareDatabase) (sq.SelectBui
otpSMSCheckedAt sql.NullTime
otpEmailCheckedAt sql.NullTime
metadata database.Map[[]byte]
userAgentIP sql.NullString
userAgentHeader database.Map[[]string]
expiration sql.NullTime
)
@@ -465,6 +530,10 @@ func prepareSessionsQuery(ctx context.Context, db prepareDatabase) (sq.SelectBui
&otpSMSCheckedAt,
&otpEmailCheckedAt,
&metadata,
&session.UserAgent.FingerprintID,
&userAgentIP,
&session.UserAgent.Description,
&userAgentHeader,
&expiration,
&sessions.Count,
)
@@ -485,6 +554,10 @@ func prepareSessionsQuery(ctx context.Context, db prepareDatabase) (sq.SelectBui
session.OTPSMSFactor.OTPCheckedAt = otpSMSCheckedAt.Time
session.OTPEmailFactor.OTPCheckedAt = otpEmailCheckedAt.Time
session.Metadata = metadata
session.UserAgent.Header = http.Header(userAgentHeader)
if userAgentIP.Valid {
session.UserAgent.IP = net.ParseIP(userAgentIP.String)
}
session.Expiration = expiration.Time
sessions.Sessions = append(sessions.Sessions, session)

193
internal/query/sessions_test.go
View File

@@ -15,6 +15,7 @@ import (
"github.com/muhlemmer/gu"
"github.com/stretchr/testify/require"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/zerrors"
)
@@ -71,6 +72,10 @@ var (
` projections.sessions8.otp_sms_checked_at,` +
` projections.sessions8.otp_email_checked_at,` +
` projections.sessions8.metadata,` +
` projections.sessions8.user_agent_fingerprint_id,` +
` projections.sessions8.user_agent_ip,` +
` projections.sessions8.user_agent_description,` +
` projections.sessions8.user_agent_header,` +
` projections.sessions8.expiration,` +
` COUNT(*) OVER ()` +
` FROM projections.sessions8` +
@@ -129,6 +134,10 @@ var (
"otp_sms_checked_at",
"otp_email_checked_at",
"metadata",
"user_agent_fingerprint_id",
"user_agent_ip",
"user_agent_description",
"user_agent_header",
"expiration",
"count",
}
@@ -186,6 +195,10 @@ func Test_SessionsPrepare(t *testing.T) {
testNow,
testNow,
[]byte(`{"key": "dmFsdWU="}`),
"fingerPrintID",
"1.2.3.4",
"agentDescription",
[]byte(`{"foo":["foo","bar"]}`),
testNow,
},
},
@@ -233,6 +246,12 @@ func Test_SessionsPrepare(t *testing.T) {
Metadata: map[string][]byte{
"key": []byte("value"),
},
UserAgent: domain.UserAgent{
FingerprintID: gu.Ptr("fingerPrintID"),
IP: net.IPv4(1, 2, 3, 4),
Description: gu.Ptr("agentDescription"),
Header: http.Header{"foo": []string{"foo", "bar"}},
},
Expiration: testNow,
},
},
@@ -267,6 +286,10 @@ func Test_SessionsPrepare(t *testing.T) {
testNow,
testNow,
[]byte(`{"key": "dmFsdWU="}`),
"fingerPrintID",
"1.2.3.4",
"agentDescription",
[]byte(`{"foo":["foo","bar"]}`),
testNow,
},
{
@@ -290,6 +313,10 @@ func Test_SessionsPrepare(t *testing.T) {
testNow,
testNow,
[]byte(`{"key": "dmFsdWU="}`),
"fingerPrintID",
"1.2.3.4",
"agentDescription",
[]byte(`{"foo":["foo","bar"]}`),
testNow,
},
},
@@ -337,6 +364,12 @@ func Test_SessionsPrepare(t *testing.T) {
Metadata: map[string][]byte{
"key": []byte("value"),
},
UserAgent: domain.UserAgent{
FingerprintID: gu.Ptr("fingerPrintID"),
IP: net.IPv4(1, 2, 3, 4),
Description: gu.Ptr("agentDescription"),
Header: http.Header{"foo": []string{"foo", "bar"}},
},
Expiration: testNow,
},
{
@@ -376,6 +409,12 @@ func Test_SessionsPrepare(t *testing.T) {
Metadata: map[string][]byte{
"key": []byte("value"),
},
UserAgent: domain.UserAgent{
FingerprintID: gu.Ptr("fingerPrintID"),
IP: net.IPv4(1, 2, 3, 4),
Description: gu.Ptr("agentDescription"),
Header: http.Header{"foo": []string{"foo", "bar"}},
},
Expiration: testNow,
},
},
@@ -553,3 +592,157 @@ func prepareSessionQueryTesting(t *testing.T, token string) func(context.Context
}
}
}
func Test_sessionCheckPermission(t *testing.T) {
type args struct {
ctx context.Context
resourceOwner string
creator string
useragent domain.UserAgent
userFactor SessionUserFactor
permissionCheck domain.PermissionCheck
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "permission check, no user in context",
args: args{
ctx: authz.NewMockContextWithAgent("instance", "org", "", ""),
resourceOwner: "instance",
creator: "creator",
permissionCheck: expectedFailedPermissionCheck("instance", ""),
},
wantErr: true,
},
{
name: "permission check, factor, no user in context",
args: args{
ctx: authz.NewMockContextWithAgent("instance", "org", "", ""),
resourceOwner: "instance",
creator: "creator",
userFactor: SessionUserFactor{ResourceOwner: "resourceowner", UserID: "user"},
permissionCheck: expectedFailedPermissionCheck("resourceowner", "user"),
},
wantErr: true,
},
{
name: "no permission check, creator",
args: args{
ctx: authz.NewMockContextWithAgent("instance", "org", "user", "agent"),
resourceOwner: "instance",
creator: "user",
},
wantErr: false,
},
{
name: "no permission check, same user",
args: args{
ctx: authz.NewMockContextWithAgent("instance", "org", "user", "agent"),
resourceOwner: "instance",
creator: "creator",
userFactor: SessionUserFactor{UserID: "user"},
},
wantErr: false,
},
{
name: "no permission check, same useragent",
args: args{
ctx: authz.NewMockContextWithAgent("instance", "org", "user1", "agent"),
resourceOwner: "instance",
creator: "creator",
userFactor: SessionUserFactor{UserID: "user2"},
useragent: domain.UserAgent{
FingerprintID: gu.Ptr("agent"),
},
},
wantErr: false,
},
{
name: "permission check, factor",
args: args{
ctx: authz.NewMockContextWithAgent("instance", "org", "user", "agent"),
resourceOwner: "instance",
creator: "not-user",
useragent: domain.UserAgent{
FingerprintID: gu.Ptr("not-agent"),
},
userFactor: SessionUserFactor{UserID: "user2", ResourceOwner: "resourceowner2"},
permissionCheck: expectedSuccessfulPermissionCheck("resourceowner2", "user2"),
},
wantErr: false,
},
{
name: "permission check, factor, error",
args: args{
ctx: authz.NewMockContextWithAgent("instance", "org", "user", "agent"),
resourceOwner: "instance",
creator: "not-user",
useragent: domain.UserAgent{
FingerprintID: gu.Ptr("not-agent"),
},
userFactor: SessionUserFactor{UserID: "user2", ResourceOwner: "resourceowner2"},
permissionCheck: expectedFailedPermissionCheck("resourceowner2", "user2"),
},
wantErr: true,
},
{
name: "permission check",
args: args{
ctx: authz.NewMockContextWithAgent("instance", "org", "user", "agent"),
resourceOwner: "instance",
creator: "not-user",
useragent: domain.UserAgent{
FingerprintID: gu.Ptr("not-agent"),
},
userFactor: SessionUserFactor{},
permissionCheck: expectedSuccessfulPermissionCheck("instance", ""),
},
wantErr: false,
},
{
name: "permission check, error",
args: args{
ctx: authz.NewMockContextWithAgent("instance", "org", "user", "agent"),
resourceOwner: "instance",
creator: "not-user",
useragent: domain.UserAgent{
FingerprintID: gu.Ptr("not-agent"),
},
userFactor: SessionUserFactor{},
permissionCheck: expectedFailedPermissionCheck("instance", ""),
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := sessionCheckPermission(tt.args.ctx, tt.args.resourceOwner, tt.args.creator, tt.args.useragent, tt.args.userFactor, tt.args.permissionCheck)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
})
}
}
func expectedSuccessfulPermissionCheck(resourceOwner, userID string) func(ctx context.Context, permission, orgID, resourceID string) (err error) {
return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
if orgID == resourceOwner && resourceID == userID {
return nil
}
return fmt.Errorf("permission check failed: %s %s", orgID, resourceID)
}
}
func expectedFailedPermissionCheck(resourceOwner, userID string) func(ctx context.Context, permission, orgID, resourceID string) (err error) {
return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
if orgID == resourceOwner && resourceID == userID {
return fmt.Errorf("permission check failed: %s %s", orgID, resourceID)
}
return nil
}
}