TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:17:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: user api requests to resource API (#9794)

Browse Source 
# Which Problems Are Solved

This pull request addresses a significant gap in the user service v2
API, which currently lacks methods for managing machine users.

# How the Problems Are Solved

This PR adds new API endpoints to the user service v2 to manage machine
users including their secret, keys and personal access tokens.
Additionally, there's now a CreateUser and UpdateUser endpoints which
allow to create either a human or machine user and update them. The
existing `CreateHumanUser` endpoint has been deprecated along the
corresponding management service endpoints. For details check the
additional context section.

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/9349

## More details
- API changes: https://github.com/zitadel/zitadel/pull/9680
- Implementation: https://github.com/zitadel/zitadel/pull/9763
- Tests: https://github.com/zitadel/zitadel/pull/9771

## Follow-ups

- Metadata: support managing user metadata using resource API
https://github.com/zitadel/zitadel/pull/10005
- Machine token type: support managing the machine token type (migrate
to new enum with zero value unspecified?)

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Elio Bischof
2025-06-04 09:17:23 +02:00
committed by GitHub
parent e2a61a6002
commit 8fc11a7366
86 changed files with 7033 additions and 536 deletions
Download Patch File Download Diff File Expand all files Collapse all files

187
internal/api/grpc/user/v2/human.go Normal file
View File

@@ -0,0 +1,187 @@
package user
import (
"context"
"io"
"golang.org/x/text/language"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/zerrors"
legacyobject "github.com/zitadel/zitadel/pkg/grpc/object/v2"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func (s *Server) createUserTypeHuman(ctx context.Context, humanPb *user.CreateUserRequest_Human, orgId string, userName, userId *string) (*user.CreateUserResponse, error) {
addHumanPb := &user.AddHumanUserRequest{
Username: userName,
UserId: userId,
Organization: &legacyobject.Organization{
Org: &legacyobject.Organization_OrgId{OrgId: orgId},
},
Profile: humanPb.Profile,
Email: humanPb.Email,
Phone: humanPb.Phone,
IdpLinks: humanPb.IdpLinks,
TotpSecret: humanPb.TotpSecret,
}
switch pwType := humanPb.GetPasswordType().(type) {
case *user.CreateUserRequest_Human_HashedPassword:
addHumanPb.PasswordType = &user.AddHumanUserRequest_HashedPassword{
HashedPassword: pwType.HashedPassword,
}
case *user.CreateUserRequest_Human_Password:
addHumanPb.PasswordType = &user.AddHumanUserRequest_Password{
Password: pwType.Password,
}
default:
// optional password is not set
}
newHuman, err := AddUserRequestToAddHuman(addHumanPb)
if err != nil {
return nil, err
}
if err = s.command.AddUserHuman(
ctx,
orgId,
newHuman,
false,
s.userCodeAlg,
); err != nil {
return nil, err
}
return &user.CreateUserResponse{
Id: newHuman.ID,
CreationDate: timestamppb.New(newHuman.Details.EventDate),
EmailCode: newHuman.EmailCode,
PhoneCode: newHuman.PhoneCode,
}, nil
}
func (s *Server) updateUserTypeHuman(ctx context.Context, humanPb *user.UpdateUserRequest_Human, userId string, userName *string) (*user.UpdateUserResponse, error) {
cmd, err := updateHumanUserToCommand(userId, userName, humanPb)
if err != nil {
return nil, err
}
if err = s.command.ChangeUserHuman(ctx, cmd, s.userCodeAlg); err != nil {
return nil, err
}
return &user.UpdateUserResponse{
ChangeDate: timestamppb.New(cmd.Details.EventDate),
EmailCode: cmd.EmailCode,
PhoneCode: cmd.PhoneCode,
}, nil
}
func updateHumanUserToCommand(userId string, userName *string, human *user.UpdateUserRequest_Human) (*command.ChangeHuman, error) {
phone := human.GetPhone()
if phone != nil && phone.Phone == "" && phone.GetVerification() != nil {
return nil, zerrors.ThrowInvalidArgument(nil, "USERv2-4f3d6", "Errors.User.Phone.VerifyingRemovalIsNotSupported")
}
email, err := setHumanEmailToEmail(human.Email, userId)
if err != nil {
return nil, err
}
return &command.ChangeHuman{
ID: userId,
Username: userName,
Profile: SetHumanProfileToProfile(human.Profile),
Email: email,
Phone: setHumanPhoneToPhone(human.Phone, true),
Password: setHumanPasswordToPassword(human.Password),
}, nil
}
func updateHumanUserRequestToChangeHuman(req *user.UpdateHumanUserRequest) (*command.ChangeHuman, error) {
email, err := setHumanEmailToEmail(req.Email, req.GetUserId())
if err != nil {
return nil, err
}
changeHuman := &command.ChangeHuman{
ID: req.GetUserId(),
Username: req.Username,
Email: email,
Phone: setHumanPhoneToPhone(req.Phone, false),
Password: setHumanPasswordToPassword(req.Password),
}
if profile := req.GetProfile(); profile != nil {
var firstName *string
if profile.GivenName != "" {
firstName = &profile.GivenName
}
var lastName *string
if profile.FamilyName != "" {
lastName = &profile.FamilyName
}
changeHuman.Profile = SetHumanProfileToProfile(&user.UpdateUserRequest_Human_Profile{
GivenName: firstName,
FamilyName: lastName,
NickName: profile.NickName,
DisplayName: profile.DisplayName,
PreferredLanguage: profile.PreferredLanguage,
Gender: profile.Gender,
})
}
return changeHuman, nil
}
func SetHumanProfileToProfile(profile *user.UpdateUserRequest_Human_Profile) *command.Profile {
if profile == nil {
return nil
}
return &command.Profile{
FirstName: profile.GivenName,
LastName: profile.FamilyName,
NickName: profile.NickName,
DisplayName: profile.DisplayName,
PreferredLanguage: ifNotNilPtr(profile.PreferredLanguage, language.Make),
Gender: ifNotNilPtr(profile.Gender, genderToDomain),
}
}
func setHumanEmailToEmail(email *user.SetHumanEmail, userID string) (*command.Email, error) {
if email == nil {
return nil, nil
}
var urlTemplate string
if email.GetSendCode() != nil && email.GetSendCode().UrlTemplate != nil {
urlTemplate = *email.GetSendCode().UrlTemplate
if err := domain.RenderConfirmURLTemplate(io.Discard, urlTemplate, userID, "code", "orgID"); err != nil {
return nil, err
}
}
return &command.Email{
Address: domain.EmailAddress(email.Email),
Verified: email.GetIsVerified(),
ReturnCode: email.GetReturnCode() != nil,
URLTemplate: urlTemplate,
}, nil
}
func setHumanPhoneToPhone(phone *user.SetHumanPhone, withRemove bool) *command.Phone {
if phone == nil {
return nil
}
number := phone.GetPhone()
return &command.Phone{
Number: domain.PhoneNumber(number),
Verified: phone.GetIsVerified(),
ReturnCode: phone.GetReturnCode() != nil,
Remove: withRemove && number == "",
}
}
func setHumanPasswordToPassword(password *user.SetPassword) *command.Password {
if password == nil {
return nil
}
return &command.Password{
PasswordCode: password.GetVerificationCode(),
OldPassword: password.GetCurrentPassword(),
Password: password.GetPassword().GetPassword(),
EncodedPasswordHash: password.GetHashedPassword().GetHash(),
ChangeRequired: password.GetPassword().GetChangeRequired() || password.GetHashedPassword().GetChangeRequired(),
}
}

254
internal/api/grpc/user/v2/human_test.go Normal file
View File

@@ -0,0 +1,254 @@
package user
import (
"fmt"
"testing"
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
"github.com/muhlemmer/gu"
"github.com/stretchr/testify/assert"
"golang.org/x/text/language"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func Test_patchHumanUserToCommand(t *testing.T) {
type args struct {
userId string
userName *string
human *user.UpdateUserRequest_Human
}
tests := []struct {
name string
args args
want *command.ChangeHuman
wantErr assert.ErrorAssertionFunc
}{{
name: "single property",
args: args{
userId: "userId",
human: &user.UpdateUserRequest_Human{
Profile: &user.UpdateUserRequest_Human_Profile{
GivenName: gu.Ptr("givenName"),
},
},
},
want: &command.ChangeHuman{
ID: "userId",
Profile: &command.Profile{
FirstName: gu.Ptr("givenName"),
},
},
wantErr: assert.NoError,
}, {
name: "all properties",
args: args{
userId: "userId",
userName: gu.Ptr("userName"),
human: &user.UpdateUserRequest_Human{
Profile: &user.UpdateUserRequest_Human_Profile{
GivenName: gu.Ptr("givenName"),
FamilyName: gu.Ptr("familyName"),
NickName: gu.Ptr("nickName"),
DisplayName: gu.Ptr("displayName"),
PreferredLanguage: gu.Ptr("en-US"),
Gender: gu.Ptr(user.Gender_GENDER_FEMALE),
},
Email: &user.SetHumanEmail{
Email: "email@example.com",
Verification: &user.SetHumanEmail_IsVerified{
IsVerified: true,
},
},
Phone: &user.SetHumanPhone{
Phone: "+123456789",
Verification: &user.SetHumanPhone_IsVerified{
IsVerified: true,
},
},
Password: &user.SetPassword{
Verification: &user.SetPassword_CurrentPassword{
CurrentPassword: "currentPassword",
},
PasswordType: &user.SetPassword_Password{
Password: &user.Password{
Password: "newPassword",
ChangeRequired: true,
},
},
},
},
},
want: &command.ChangeHuman{
ID: "userId",
Username: gu.Ptr("userName"),
Profile: &command.Profile{
FirstName: gu.Ptr("givenName"),
LastName: gu.Ptr("familyName"),
NickName: gu.Ptr("nickName"),
DisplayName: gu.Ptr("displayName"),
PreferredLanguage: &language.AmericanEnglish,
Gender: gu.Ptr(domain.GenderFemale),
},
Email: &command.Email{
Address: "email@example.com",
Verified: true,
},
Phone: &command.Phone{
Number: "+123456789",
Verified: true,
},
Password: &command.Password{
OldPassword: "currentPassword",
Password: "newPassword",
ChangeRequired: true,
},
},
wantErr: assert.NoError,
}, {
name: "set email and request code",
args: args{
userId: "userId",
human: &user.UpdateUserRequest_Human{
Email: &user.SetHumanEmail{
Email: "email@example.com",
Verification: &user.SetHumanEmail_ReturnCode{
ReturnCode: &user.ReturnEmailVerificationCode{},
},
},
},
},
want: &command.ChangeHuman{
ID: "userId",
Email: &command.Email{
Address: "email@example.com",
ReturnCode: true,
},
},
wantErr: assert.NoError,
}, {
name: "set email and send code",
args: args{
userId: "userId",
human: &user.UpdateUserRequest_Human{
Email: &user.SetHumanEmail{
Email: "email@example.com",
Verification: &user.SetHumanEmail_SendCode{
SendCode: &user.SendEmailVerificationCode{},
},
},
},
},
want: &command.ChangeHuman{
ID: "userId",
Email: &command.Email{
Address: "email@example.com",
},
},
wantErr: assert.NoError,
}, {
name: "set email and send code with template",
args: args{
userId: "userId",
human: &user.UpdateUserRequest_Human{
Email: &user.SetHumanEmail{
Email: "email@example.com",
Verification: &user.SetHumanEmail_SendCode{
SendCode: &user.SendEmailVerificationCode{
UrlTemplate: gu.Ptr("Code: {{.Code}}"),
},
},
},
},
},
want: &command.ChangeHuman{
ID: "userId",
Email: &command.Email{
Address: "email@example.com",
URLTemplate: "Code: {{.Code}}",
},
},
wantErr: assert.NoError,
}, {
name: "set phone and request code",
args: args{
userId: "userId",
human: &user.UpdateUserRequest_Human{
Phone: &user.SetHumanPhone{
Phone: "+123456789",
Verification: &user.SetHumanPhone_ReturnCode{
ReturnCode: &user.ReturnPhoneVerificationCode{},
},
},
},
},
want: &command.ChangeHuman{
ID: "userId",
Phone: &command.Phone{
Number: "+123456789",
ReturnCode: true,
},
},
wantErr: assert.NoError,
}, {
name: "set phone and send code",
args: args{
userId: "userId",
human: &user.UpdateUserRequest_Human{
Phone: &user.SetHumanPhone{
Phone: "+123456789",
Verification: &user.SetHumanPhone_SendCode{
SendCode: &user.SendPhoneVerificationCode{},
},
},
},
},
want: &command.ChangeHuman{
ID: "userId",
Phone: &command.Phone{
Number: "+123456789",
},
},
wantErr: assert.NoError,
}, {
name: "remove phone, ok",
args: args{
userId: "userId",
human: &user.UpdateUserRequest_Human{
Phone: &user.SetHumanPhone{},
},
},
want: &command.ChangeHuman{
ID: "userId",
Phone: &command.Phone{
Remove: true,
},
},
wantErr: assert.NoError,
}, {
name: "remove phone with verification, error",
args: args{
userId: "userId",
human: &user.UpdateUserRequest_Human{
Phone: &user.SetHumanPhone{
Verification: &user.SetHumanPhone_ReturnCode{},
},
},
},
wantErr: assert.Error,
}}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := updateHumanUserToCommand(tt.args.userId, tt.args.userName, tt.args.human)
if !tt.wantErr(t, err, fmt.Sprintf("patchHumanUserToCommand(%v, %v, %v)", tt.args.userId, tt.args.userName, tt.args.human)) {
return
}
if diff := cmp.Diff(tt.want, got, cmpopts.EquateComparable(language.Tag{})); diff != "" {
t.Errorf("patchHumanUserToCommand() mismatch (-want +got):\n%s", diff)
}
})
}
}

4
internal/api/grpc/user/v2/integration_test/email_test.go
View File

@@ -10,13 +10,13 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/integration"
"github.com/zitadel/zitadel/pkg/grpc/object/v2"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func TestServer_SetEmail(t *testing.T) {
func TestServer_Deprecated_SetEmail(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
tests := []struct {

659
internal/api/grpc/user/v2/integration_test/key_test.go Normal file
View File

@@ -0,0 +1,659 @@
//go:build integration
package user_test
import (
"context"
"fmt"
"slices"
"testing"
"time"
"github.com/brianvoe/gofakeit/v6"
"github.com/google/go-cmp/cmp"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/testing/protocmp"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/integration"
"github.com/zitadel/zitadel/pkg/grpc/filter/v2"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func TestServer_AddKey(t *testing.T) {
resp := Instance.CreateUserTypeMachine(IamCTX)
userId := resp.GetId()
expirationDate := timestamppb.New(time.Now().Add(time.Hour * 24))
type args struct {
req *user.AddKeyRequest
prepare func(request *user.AddKeyRequest) error
}
tests := []struct {
name string
args args
wantErr bool
wantEmtpyKey bool
}{
{
name: "add key, user not existing",
args: args{
&user.AddKeyRequest{
UserId: "notexisting",
ExpirationDate: expirationDate,
},
func(request *user.AddKeyRequest) error { return nil },
},
wantErr: true,
},
{
name: "generate key pair, ok",
args: args{
&user.AddKeyRequest{
ExpirationDate: expirationDate,
},
func(request *user.AddKeyRequest) error {
request.UserId = userId
return nil
},
},
},
{
name: "add valid public key, ok",
args: args{
&user.AddKeyRequest{
ExpirationDate: expirationDate,
// This is the public key of the tester system user. This must be valid.
PublicKey: []byte(`
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzi+FFSJL7f5yw4KTwzgM
P34ePGycm/M+kT0M7V4Cgx5V3EaDIvTQKTLfBaEB45zb9LtjIXzDw0rXRoS2hO6t
h+CYQCz3KCvh09C0IzxZiB2IS3H/aT+5Bx9EFY+vnAkZjccbyG5YNRvmtOlnvIeI
H7qZ0tEwkPfF5GEZNPJPtmy3UGV7iofdVQS1xRj73+aMw5rvH4D8IdyiAC3VekIb
pt0Vj0SUX3DwKtog337BzTiPk3aXRF0sbFhQoqdJRI8NqgZjCwjq9yfI5tyxYswn
+JGzHGdHvW3idODlmwEt5K2pasiRIWK2OGfq+w0EcltQHabuqEPgZlmhCkRdNfix
BwIDAQAB
-----END PUBLIC KEY-----
`),
},
func(request *user.AddKeyRequest) error {
request.UserId = userId
return nil
},
},
wantEmtpyKey: true,
},
{
name: "add invalid public key, error",
args: args{
&user.AddKeyRequest{
ExpirationDate: expirationDate,
PublicKey: []byte(`
-----BEGIN PUBLIC KEY-----
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
-----END PUBLIC KEY-----
`),
},
func(request *user.AddKeyRequest) error {
request.UserId = userId
return nil
},
},
wantErr: true,
},
{
name: "add key human, error",
args: args{
&user.AddKeyRequest{
ExpirationDate: expirationDate,
},
func(request *user.AddKeyRequest) error {
resp := Instance.CreateUserTypeHuman(IamCTX)
request.UserId = resp.Id
return nil
},
},
wantErr: true,
},
{
name: "add another key, ok",
args: args{
&user.AddKeyRequest{
ExpirationDate: expirationDate,
},
func(request *user.AddKeyRequest) error {
request.UserId = userId
_, err := Client.AddKey(IamCTX, &user.AddKeyRequest{
ExpirationDate: expirationDate,
UserId: userId,
})
return err
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
now := time.Now()
err := tt.args.prepare(tt.args.req)
require.NoError(t, err)
got, err := Client.AddKey(CTX, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
assert.NotEmpty(t, got.KeyId, "key id is empty")
if tt.wantEmtpyKey {
assert.Empty(t, got.KeyContent, "key content is not empty")
} else {
assert.NotEmpty(t, got.KeyContent, "key content is empty")
}
creationDate := got.CreationDate.AsTime()
assert.Greater(t, creationDate, now, "creation date is before the test started")
assert.Less(t, creationDate, time.Now(), "creation date is in the future")
})
}
}
func TestServer_AddKey_Permission(t *testing.T) {
OrgCTX := CTX
otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("AddKey-%s", gofakeit.AppName()), gofakeit.Email())
otherOrgUser, err := Client.CreateUser(IamCTX, &user.CreateUserRequest{
OrganizationId: otherOrg.OrganizationId,
UserType: &user.CreateUserRequest_Machine_{
Machine: &user.CreateUserRequest_Machine{
Name: gofakeit.Name(),
},
},
})
require.NoError(t, err)
request := &user.AddKeyRequest{
ExpirationDate: timestamppb.New(time.Now().Add(time.Hour * 24)),
UserId: otherOrgUser.GetId(),
}
type args struct {
ctx context.Context
req *user.AddKeyRequest
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "system, ok",
args: args{SystemCTX, request},
},
{
name: "instance, ok",
args: args{IamCTX, request},
},
{
name: "org, error",
args: args{OrgCTX, request},
wantErr: true,
},
{
name: "user, error",
args: args{UserCTX, request},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
now := time.Now()
require.NoError(t, err)
got, err := Client.AddKey(tt.args.ctx, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
assert.NotEmpty(t, got.KeyId, "key id is empty")
assert.NotEmpty(t, got.KeyContent, "key content is empty")
creationDate := got.CreationDate.AsTime()
assert.Greater(t, creationDate, now, "creation date is before the test started")
assert.Less(t, creationDate, time.Now(), "creation date is in the future")
})
}
}
func TestServer_RemoveKey(t *testing.T) {
resp := Instance.CreateUserTypeMachine(IamCTX)
userId := resp.GetId()
expirationDate := timestamppb.New(time.Now().Add(time.Hour * 24))
type args struct {
req *user.RemoveKeyRequest
prepare func(request *user.RemoveKeyRequest) error
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "remove key, user not existing",
args: args{
&user.RemoveKeyRequest{
UserId: "notexisting",
},
func(request *user.RemoveKeyRequest) error {
key, err := Client.AddKey(IamCTX, &user.AddKeyRequest{
ExpirationDate: expirationDate,
UserId: userId,
})
request.KeyId = key.GetKeyId()
return err
},
},
wantErr: true,
},
{
name: "remove key, not existing",
args: args{
&user.RemoveKeyRequest{
KeyId: "notexisting",
},
func(request *user.RemoveKeyRequest) error {
request.UserId = userId
return nil
},
},
wantErr: true,
},
{
name: "remove key, ok",
args: args{
&user.RemoveKeyRequest{},
func(request *user.RemoveKeyRequest) error {
key, err := Client.AddKey(IamCTX, &user.AddKeyRequest{
ExpirationDate: expirationDate,
UserId: userId,
})
request.KeyId = key.GetKeyId()
request.UserId = userId
return err
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
now := time.Now()
err := tt.args.prepare(tt.args.req)
require.NoError(t, err)
got, err := Client.RemoveKey(CTX, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
deletionDate := got.DeletionDate.AsTime()
assert.Greater(t, deletionDate, now, "creation date is before the test started")
assert.Less(t, deletionDate, time.Now(), "creation date is in the future")
})
}
}
func TestServer_RemoveKey_Permission(t *testing.T) {
OrgCTX := CTX
otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("RemoveKey-%s", gofakeit.AppName()), gofakeit.Email())
otherOrgUser, err := Client.CreateUser(IamCTX, &user.CreateUserRequest{
OrganizationId: otherOrg.OrganizationId,
UserType: &user.CreateUserRequest_Machine_{
Machine: &user.CreateUserRequest_Machine{
Name: gofakeit.Name(),
},
},
})
request := &user.RemoveKeyRequest{
UserId: otherOrgUser.GetId(),
}
prepare := func(request *user.RemoveKeyRequest) error {
key, err := Client.AddKey(IamCTX, &user.AddKeyRequest{
ExpirationDate: timestamppb.New(time.Now().Add(time.Hour * 24)),
UserId: otherOrgUser.GetId(),
})
request.KeyId = key.GetKeyId()
return err
}
require.NoError(t, err)
type args struct {
ctx context.Context
req *user.RemoveKeyRequest
prepare func(request *user.RemoveKeyRequest) error
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "system, ok",
args: args{SystemCTX, request, prepare},
},
{
name: "instance, ok",
args: args{IamCTX, request, prepare},
},
{
name: "org, error",
args: args{OrgCTX, request, prepare},
wantErr: true,
},
{
name: "user, error",
args: args{UserCTX, request, prepare},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
now := time.Now()
require.NoError(t, tt.args.prepare(tt.args.req))
got, err := Client.RemoveKey(tt.args.ctx, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
assert.NotEmpty(t, got.DeletionDate, "client key is empty")
creationDate := got.DeletionDate.AsTime()
assert.Greater(t, creationDate, now, "creation date is before the test started")
assert.Less(t, creationDate, time.Now(), "creation date is in the future")
})
}
}
func TestServer_ListKeys(t *testing.T) {
type args struct {
ctx context.Context
req *user.ListKeysRequest
}
type testCase struct {
name string
args args
want *user.ListKeysResponse
}
OrgCTX := CTX
otherOrg := Instance.CreateOrganization(SystemCTX, fmt.Sprintf("ListKeys-%s", gofakeit.AppName()), gofakeit.Email())
otherOrgUser, err := Client.CreateUser(SystemCTX, &user.CreateUserRequest{
OrganizationId: otherOrg.OrganizationId,
UserType: &user.CreateUserRequest_Machine_{
Machine: &user.CreateUserRequest_Machine{
Name: gofakeit.Name(),
},
},
})
require.NoError(t, err)
otherOrgUserId := otherOrgUser.GetId()
otherUserId := Instance.CreateUserTypeMachine(SystemCTX).GetId()
onlySinceTestStartFilter := &user.KeysSearchFilter{Filter: &user.KeysSearchFilter_CreatedDateFilter{CreatedDateFilter: &filter.TimestampFilter{
Timestamp: timestamppb.Now(),
Method: filter.TimestampFilterMethod_TIMESTAMP_FILTER_METHOD_AFTER_OR_EQUALS,
}}}
myOrgId := Instance.DefaultOrg.GetId()
myUserId := Instance.Users.Get(integration.UserTypeNoPermission).ID
expiresInADay := time.Now().Truncate(time.Hour).Add(time.Hour * 24)
myDataPoint := setupKeyDataPoint(t, myUserId, myOrgId, expiresInADay)
otherUserDataPoint := setupKeyDataPoint(t, otherUserId, myOrgId, expiresInADay)
otherOrgDataPointExpiringSoon := setupKeyDataPoint(t, otherOrgUserId, otherOrg.OrganizationId, time.Now().Truncate(time.Hour).Add(time.Hour))
otherOrgDataPointExpiringLate := setupKeyDataPoint(t, otherOrgUserId, otherOrg.OrganizationId, expiresInADay.Add(time.Hour*24*30))
sortingColumnExpirationDate := user.KeyFieldName_KEY_FIELD_NAME_KEY_EXPIRATION_DATE
awaitKeys(t, onlySinceTestStartFilter,
otherOrgDataPointExpiringSoon.GetId(),
otherOrgDataPointExpiringLate.GetId(),
otherUserDataPoint.GetId(),
myDataPoint.GetId(),
)
tests := []testCase{
{
name: "list all, instance",
args: args{
IamCTX,
&user.ListKeysRequest{Filters: []*user.KeysSearchFilter{onlySinceTestStartFilter}},
},
want: &user.ListKeysResponse{
Result: []*user.Key{
otherOrgDataPointExpiringLate,
otherOrgDataPointExpiringSoon,
otherUserDataPoint,
myDataPoint,
},
Pagination: &filter.PaginationResponse{
TotalResult: 4,
AppliedLimit: 100,
},
},
},
{
name: "list all, org",
args: args{
OrgCTX,
&user.ListKeysRequest{Filters: []*user.KeysSearchFilter{onlySinceTestStartFilter}},
},
want: &user.ListKeysResponse{
Result: []*user.Key{
otherUserDataPoint,
myDataPoint,
},
Pagination: &filter.PaginationResponse{
TotalResult: 2,
AppliedLimit: 100,
},
},
},
{
name: "list all, user",
args: args{
UserCTX,
&user.ListKeysRequest{Filters: []*user.KeysSearchFilter{onlySinceTestStartFilter}},
},
want: &user.ListKeysResponse{
Result: []*user.Key{
myDataPoint,
},
Pagination: &filter.PaginationResponse{
TotalResult: 1,
AppliedLimit: 100,
},
},
},
{
name: "list by id",
args: args{
IamCTX,
&user.ListKeysRequest{
Filters: []*user.KeysSearchFilter{
onlySinceTestStartFilter,
{
Filter: &user.KeysSearchFilter_KeyIdFilter{
KeyIdFilter: &filter.IDFilter{Id: otherOrgDataPointExpiringSoon.Id},
},
},
},
},
},
want: &user.ListKeysResponse{
Result: []*user.Key{
otherOrgDataPointExpiringSoon,
},
Pagination: &filter.PaginationResponse{
TotalResult: 1,
AppliedLimit: 100,
},
},
},
{
name: "list all from other org",
args: args{
IamCTX,
&user.ListKeysRequest{
Filters: []*user.KeysSearchFilter{
onlySinceTestStartFilter,
{
Filter: &user.KeysSearchFilter_OrganizationIdFilter{
OrganizationIdFilter: &filter.IDFilter{Id: otherOrg.OrganizationId},
},
},
},
},
},
want: &user.ListKeysResponse{
Result: []*user.Key{
otherOrgDataPointExpiringLate,
otherOrgDataPointExpiringSoon,
},
Pagination: &filter.PaginationResponse{
TotalResult: 2,
AppliedLimit: 100,
},
},
},
{
name: "sort by next expiration dates",
args: args{
IamCTX,
&user.ListKeysRequest{
Pagination: &filter.PaginationRequest{
Asc: true,
},
SortingColumn: &sortingColumnExpirationDate,
Filters: []*user.KeysSearchFilter{
onlySinceTestStartFilter,
{Filter: &user.KeysSearchFilter_OrganizationIdFilter{OrganizationIdFilter: &filter.IDFilter{Id: otherOrg.OrganizationId}}},
},
},
},
want: &user.ListKeysResponse{
Result: []*user.Key{
otherOrgDataPointExpiringSoon,
otherOrgDataPointExpiringLate,
},
Pagination: &filter.PaginationResponse{
TotalResult: 2,
AppliedLimit: 100,
},
},
},
{
name: "get page",
args: args{
IamCTX,
&user.ListKeysRequest{
Pagination: &filter.PaginationRequest{
Offset: 2,
Limit: 2,
Asc: true,
},
Filters: []*user.KeysSearchFilter{
onlySinceTestStartFilter,
},
},
},
want: &user.ListKeysResponse{
Result: []*user.Key{
otherOrgDataPointExpiringSoon,
otherOrgDataPointExpiringLate,
},
Pagination: &filter.PaginationResponse{
TotalResult: 4,
AppliedLimit: 2,
},
},
},
{
name: "empty list",
args: args{
UserCTX,
&user.ListKeysRequest{
Filters: []*user.KeysSearchFilter{
{
Filter: &user.KeysSearchFilter_KeyIdFilter{
KeyIdFilter: &filter.IDFilter{Id: otherUserDataPoint.Id},
},
},
},
},
},
want: &user.ListKeysResponse{
Result: []*user.Key{},
Pagination: &filter.PaginationResponse{
TotalResult: 0,
AppliedLimit: 100,
},
},
},
}
t.Run("with permission flag v2", func(t *testing.T) {
setPermissionCheckV2Flag(t, true)
defer setPermissionCheckV2Flag(t, false)
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := Client.ListKeys(tt.args.ctx, tt.args.req)
require.NoError(t, err)
assert.Len(t, got.Result, len(tt.want.Result))
if diff := cmp.Diff(tt.want, got, protocmp.Transform()); diff != "" {
t.Errorf("ListKeys() mismatch (-want +got):\n%s", diff)
}
})
}
})
t.Run("without permission flag v2", func(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := Client.ListKeys(tt.args.ctx, tt.args.req)
require.NoError(t, err)
assert.Len(t, got.Result, len(tt.want.Result))
// ignore the total result, as this is a known bug with the in-memory permission checks.
// The command can't know how many keys exist in the system if the SQL statement has a limit.
// This is fixed, once the in-memory permission checks are removed with https://github.com/zitadel/zitadel/issues/9188
tt.want.Pagination.TotalResult = got.Pagination.TotalResult
if diff := cmp.Diff(tt.want, got, protocmp.Transform()); diff != "" {
t.Errorf("ListKeys() mismatch (-want +got):\n%s", diff)
}
})
}
})
}
func setupKeyDataPoint(t *testing.T, userId, orgId string, expirationDate time.Time) *user.Key {
expirationDatePb := timestamppb.New(expirationDate)
newKey, err := Client.AddKey(SystemCTX, &user.AddKeyRequest{
UserId: userId,
ExpirationDate: expirationDatePb,
PublicKey: nil,
})
require.NoError(t, err)
return &user.Key{
CreationDate: newKey.CreationDate,
ChangeDate: newKey.CreationDate,
Id: newKey.GetKeyId(),
UserId: userId,
OrganizationId: orgId,
ExpirationDate: expirationDatePb,
}
}
func awaitKeys(t *testing.T, sinceTestStartFilter *user.KeysSearchFilter, keyIds ...string) {
sortingColumn := user.KeyFieldName_KEY_FIELD_NAME_ID
slices.Sort(keyIds)
require.EventuallyWithT(t, func(collect *assert.CollectT) {
result, err := Client.ListKeys(SystemCTX, &user.ListKeysRequest{
Filters: []*user.KeysSearchFilter{sinceTestStartFilter},
SortingColumn: &sortingColumn,
Pagination: &filter.PaginationRequest{
Asc: true,
},
})
require.NoError(t, err)
if !assert.Len(collect, result.Result, len(keyIds)) {
return
}
for i := range keyIds {
keyId := keyIds[i]
require.Equal(collect, keyId, result.Result[i].GetId())
}
}, 5*time.Second, time.Second, "key not created in time")
}

2
internal/api/grpc/user/v2/integration_test/password_test.go
View File

@@ -104,7 +104,7 @@ func TestServer_RequestPasswordReset(t *testing.T) {
}
}
func TestServer_SetPassword(t *testing.T) {
func TestServer_Deprecated_SetPassword(t *testing.T) {
type args struct {
ctx context.Context
req *user.SetPasswordRequest

615
internal/api/grpc/user/v2/integration_test/pat_test.go Normal file
View File

@@ -0,0 +1,615 @@
//go:build integration
package user_test
import (
"context"
"fmt"
"slices"
"testing"
"time"
"github.com/brianvoe/gofakeit/v6"
"github.com/google/go-cmp/cmp"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/testing/protocmp"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/integration"
"github.com/zitadel/zitadel/pkg/grpc/filter/v2"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func TestServer_AddPersonalAccessToken(t *testing.T) {
resp := Instance.CreateUserTypeMachine(IamCTX)
userId := resp.GetId()
expirationDate := timestamppb.New(time.Now().Add(time.Hour * 24))
type args struct {
req *user.AddPersonalAccessTokenRequest
prepare func(request *user.AddPersonalAccessTokenRequest) error
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "add pat, user not existing",
args: args{
&user.AddPersonalAccessTokenRequest{
UserId: "notexisting",
ExpirationDate: expirationDate,
},
func(request *user.AddPersonalAccessTokenRequest) error { return nil },
},
wantErr: true,
},
{
name: "add pat, ok",
args: args{
&user.AddPersonalAccessTokenRequest{
ExpirationDate: expirationDate,
},
func(request *user.AddPersonalAccessTokenRequest) error {
request.UserId = userId
return nil
},
},
},
{
name: "add pat human, not ok",
args: args{
&user.AddPersonalAccessTokenRequest{
ExpirationDate: expirationDate,
},
func(request *user.AddPersonalAccessTokenRequest) error {
resp := Instance.CreateUserTypeHuman(IamCTX)
request.UserId = resp.Id
return nil
},
},
wantErr: true,
},
{
name: "add another pat, ok",
args: args{
&user.AddPersonalAccessTokenRequest{
ExpirationDate: expirationDate,
},
func(request *user.AddPersonalAccessTokenRequest) error {
request.UserId = userId
_, err := Client.AddPersonalAccessToken(IamCTX, &user.AddPersonalAccessTokenRequest{
ExpirationDate: expirationDate,
UserId: userId,
})
return err
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
now := time.Now()
err := tt.args.prepare(tt.args.req)
require.NoError(t, err)
got, err := Client.AddPersonalAccessToken(CTX, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
assert.NotEmpty(t, got.TokenId, "id is empty")
assert.NotEmpty(t, got.Token, "token is empty")
creationDate := got.CreationDate.AsTime()
assert.Greater(t, creationDate, now, "creation date is before the test started")
assert.Less(t, creationDate, time.Now(), "creation date is in the future")
})
}
}
func TestServer_AddPersonalAccessToken_Permission(t *testing.T) {
OrgCTX := CTX
otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("AddPersonalAccessToken-%s", gofakeit.AppName()), gofakeit.Email())
otherOrgUser, err := Client.CreateUser(IamCTX, &user.CreateUserRequest{
OrganizationId: otherOrg.OrganizationId,
UserType: &user.CreateUserRequest_Machine_{
Machine: &user.CreateUserRequest_Machine{
Name: gofakeit.Name(),
},
},
})
require.NoError(t, err)
request := &user.AddPersonalAccessTokenRequest{
ExpirationDate: timestamppb.New(time.Now().Add(time.Hour * 24)),
UserId: otherOrgUser.GetId(),
}
type args struct {
ctx context.Context
req *user.AddPersonalAccessTokenRequest
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "system, ok",
args: args{SystemCTX, request},
},
{
name: "instance, ok",
args: args{IamCTX, request},
},
{
name: "org, error",
args: args{OrgCTX, request},
wantErr: true,
},
{
name: "user, error",
args: args{UserCTX, request},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
now := time.Now()
require.NoError(t, err)
got, err := Client.AddPersonalAccessToken(tt.args.ctx, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
assert.NotEmpty(t, got.TokenId, "id is empty")
assert.NotEmpty(t, got.Token, "token is empty")
creationDate := got.CreationDate.AsTime()
assert.Greater(t, creationDate, now, "creation date is before the test started")
assert.Less(t, creationDate, time.Now(), "creation date is in the future")
})
}
}
func TestServer_RemovePersonalAccessToken(t *testing.T) {
resp := Instance.CreateUserTypeMachine(IamCTX)
userId := resp.GetId()
expirationDate := timestamppb.New(time.Now().Add(time.Hour * 24))
type args struct {
req *user.RemovePersonalAccessTokenRequest
prepare func(request *user.RemovePersonalAccessTokenRequest) error
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "remove pat, user not existing",
args: args{
&user.RemovePersonalAccessTokenRequest{
UserId: "notexisting",
},
func(request *user.RemovePersonalAccessTokenRequest) error {
pat, err := Client.AddPersonalAccessToken(CTX, &user.AddPersonalAccessTokenRequest{
ExpirationDate: expirationDate,
UserId: userId,
})
request.TokenId = pat.GetTokenId()
return err
},
},
wantErr: true,
},
{
name: "remove pat, not existing",
args: args{
&user.RemovePersonalAccessTokenRequest{
TokenId: "notexisting",
},
func(request *user.RemovePersonalAccessTokenRequest) error {
request.UserId = userId
return nil
},
},
wantErr: true,
},
{
name: "remove pat, ok",
args: args{
&user.RemovePersonalAccessTokenRequest{},
func(request *user.RemovePersonalAccessTokenRequest) error {
pat, err := Client.AddPersonalAccessToken(CTX, &user.AddPersonalAccessTokenRequest{
ExpirationDate: expirationDate,
UserId: userId,
})
request.TokenId = pat.GetTokenId()
request.UserId = userId
return err
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
now := time.Now()
err := tt.args.prepare(tt.args.req)
require.NoError(t, err)
got, err := Client.RemovePersonalAccessToken(CTX, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
deletionDate := got.DeletionDate.AsTime()
assert.Greater(t, deletionDate, now, "creation date is before the test started")
assert.Less(t, deletionDate, time.Now(), "creation date is in the future")
})
}
}
func TestServer_RemovePersonalAccessToken_Permission(t *testing.T) {
otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("RemovePersonalAccessToken-%s", gofakeit.AppName()), gofakeit.Email())
otherOrgUser, err := Client.CreateUser(IamCTX, &user.CreateUserRequest{
OrganizationId: otherOrg.OrganizationId,
UserType: &user.CreateUserRequest_Machine_{
Machine: &user.CreateUserRequest_Machine{
Name: gofakeit.Name(),
},
},
})
request := &user.RemovePersonalAccessTokenRequest{
UserId: otherOrgUser.GetId(),
}
prepare := func(request *user.RemovePersonalAccessTokenRequest) error {
pat, err := Client.AddPersonalAccessToken(IamCTX, &user.AddPersonalAccessTokenRequest{
ExpirationDate: timestamppb.New(time.Now().Add(time.Hour * 24)),
UserId: otherOrgUser.GetId(),
})
request.TokenId = pat.GetTokenId()
return err
}
require.NoError(t, err)
type args struct {
ctx context.Context
req *user.RemovePersonalAccessTokenRequest
prepare func(request *user.RemovePersonalAccessTokenRequest) error
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "system, ok",
args: args{SystemCTX, request, prepare},
},
{
name: "instance, ok",
args: args{IamCTX, request, prepare},
},
{
name: "org, error",
args: args{CTX, request, prepare},
wantErr: true,
},
{
name: "user, error",
args: args{UserCTX, request, prepare},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
now := time.Now()
require.NoError(t, tt.args.prepare(tt.args.req))
got, err := Client.RemovePersonalAccessToken(tt.args.ctx, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
assert.NotEmpty(t, got.DeletionDate, "client pat is empty")
creationDate := got.DeletionDate.AsTime()
assert.Greater(t, creationDate, now, "creation date is before the test started")
assert.Less(t, creationDate, time.Now(), "creation date is in the future")
})
}
}
func TestServer_ListPersonalAccessTokens(t *testing.T) {
type args struct {
ctx context.Context
req *user.ListPersonalAccessTokensRequest
}
type testCase struct {
name string
args args
want *user.ListPersonalAccessTokensResponse
}
OrgCTX := CTX
otherOrg := Instance.CreateOrganization(SystemCTX, fmt.Sprintf("ListPersonalAccessTokens-%s", gofakeit.AppName()), gofakeit.Email())
otherOrgUser, err := Client.CreateUser(SystemCTX, &user.CreateUserRequest{
OrganizationId: otherOrg.OrganizationId,
UserType: &user.CreateUserRequest_Machine_{
Machine: &user.CreateUserRequest_Machine{
Name: gofakeit.Name(),
},
},
})
require.NoError(t, err)
otherOrgUserId := otherOrgUser.GetId()
otherUserId := Instance.CreateUserTypeMachine(SystemCTX).GetId()
onlySinceTestStartFilter := &user.PersonalAccessTokensSearchFilter{Filter: &user.PersonalAccessTokensSearchFilter_CreatedDateFilter{CreatedDateFilter: &filter.TimestampFilter{
Timestamp: timestamppb.Now(),
Method: filter.TimestampFilterMethod_TIMESTAMP_FILTER_METHOD_AFTER_OR_EQUALS,
}}}
myOrgId := Instance.DefaultOrg.GetId()
myUserId := Instance.Users.Get(integration.UserTypeNoPermission).ID
expiresInADay := time.Now().Truncate(time.Hour).Add(time.Hour * 24)
myDataPoint := setupPATDataPoint(t, myUserId, myOrgId, expiresInADay)
otherUserDataPoint := setupPATDataPoint(t, otherUserId, myOrgId, expiresInADay)
otherOrgDataPointExpiringSoon := setupPATDataPoint(t, otherOrgUserId, otherOrg.OrganizationId, time.Now().Truncate(time.Hour).Add(time.Hour))
otherOrgDataPointExpiringLate := setupPATDataPoint(t, otherOrgUserId, otherOrg.OrganizationId, expiresInADay.Add(time.Hour*24*30))
sortingColumnExpirationDate := user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_EXPIRATION_DATE
awaitPersonalAccessTokens(t,
onlySinceTestStartFilter,
otherOrgDataPointExpiringSoon.GetId(),
otherOrgDataPointExpiringLate.GetId(),
otherUserDataPoint.GetId(),
myDataPoint.GetId(),
)
tests := []testCase{
{
name: "list all, instance",
args: args{
IamCTX,
&user.ListPersonalAccessTokensRequest{
Filters: []*user.PersonalAccessTokensSearchFilter{onlySinceTestStartFilter},
},
},
want: &user.ListPersonalAccessTokensResponse{
Result: []*user.PersonalAccessToken{
otherOrgDataPointExpiringLate,
otherOrgDataPointExpiringSoon,
otherUserDataPoint,
myDataPoint,
},
Pagination: &filter.PaginationResponse{
TotalResult: 4,
AppliedLimit: 100,
},
},
},
{
name: "list all, org",
args: args{
OrgCTX,
&user.ListPersonalAccessTokensRequest{
Filters: []*user.PersonalAccessTokensSearchFilter{onlySinceTestStartFilter},
},
},
want: &user.ListPersonalAccessTokensResponse{
Result: []*user.PersonalAccessToken{
otherUserDataPoint,
myDataPoint,
},
Pagination: &filter.PaginationResponse{
TotalResult: 2,
AppliedLimit: 100,
},
},
},
{
name: "list all, user",
args: args{
UserCTX,
&user.ListPersonalAccessTokensRequest{
Filters: []*user.PersonalAccessTokensSearchFilter{onlySinceTestStartFilter},
},
},
want: &user.ListPersonalAccessTokensResponse{
Result: []*user.PersonalAccessToken{
myDataPoint,
},
Pagination: &filter.PaginationResponse{
TotalResult: 1,
AppliedLimit: 100,
},
},
},
{
name: "list by id",
args: args{
IamCTX,
&user.ListPersonalAccessTokensRequest{
Filters: []*user.PersonalAccessTokensSearchFilter{
onlySinceTestStartFilter,
{
Filter: &user.PersonalAccessTokensSearchFilter_TokenIdFilter{
TokenIdFilter: &filter.IDFilter{Id: otherOrgDataPointExpiringSoon.Id},
},
},
},
},
},
want: &user.ListPersonalAccessTokensResponse{
Result: []*user.PersonalAccessToken{
otherOrgDataPointExpiringSoon,
},
Pagination: &filter.PaginationResponse{
TotalResult: 1,
AppliedLimit: 100,
},
},
},
{
name: "list all from other org",
args: args{
IamCTX,
&user.ListPersonalAccessTokensRequest{
Filters: []*user.PersonalAccessTokensSearchFilter{
onlySinceTestStartFilter,
{
Filter: &user.PersonalAccessTokensSearchFilter_OrganizationIdFilter{
OrganizationIdFilter: &filter.IDFilter{Id: otherOrg.OrganizationId},
},
}},
},
},
want: &user.ListPersonalAccessTokensResponse{
Result: []*user.PersonalAccessToken{
otherOrgDataPointExpiringLate,
otherOrgDataPointExpiringSoon,
},
Pagination: &filter.PaginationResponse{
TotalResult: 2,
AppliedLimit: 100,
},
},
},
{
name: "sort by next expiration dates",
args: args{
IamCTX,
&user.ListPersonalAccessTokensRequest{
Pagination: &filter.PaginationRequest{
Asc: true,
},
SortingColumn: &sortingColumnExpirationDate,
Filters: []*user.PersonalAccessTokensSearchFilter{
onlySinceTestStartFilter,
{Filter: &user.PersonalAccessTokensSearchFilter_OrganizationIdFilter{OrganizationIdFilter: &filter.IDFilter{Id: otherOrg.OrganizationId}}},
},
},
},
want: &user.ListPersonalAccessTokensResponse{
Result: []*user.PersonalAccessToken{
otherOrgDataPointExpiringSoon,
otherOrgDataPointExpiringLate,
},
Pagination: &filter.PaginationResponse{
TotalResult: 2,
AppliedLimit: 100,
},
},
},
{
name: "get page",
args: args{
IamCTX,
&user.ListPersonalAccessTokensRequest{
Pagination: &filter.PaginationRequest{
Offset: 2,
Limit: 2,
Asc: true,
},
Filters: []*user.PersonalAccessTokensSearchFilter{
onlySinceTestStartFilter,
},
},
},
want: &user.ListPersonalAccessTokensResponse{
Result: []*user.PersonalAccessToken{
otherOrgDataPointExpiringSoon,
otherOrgDataPointExpiringLate,
},
Pagination: &filter.PaginationResponse{
TotalResult: 4,
AppliedLimit: 2,
},
},
},
{
name: "empty list",
args: args{
UserCTX,
&user.ListPersonalAccessTokensRequest{
Filters: []*user.PersonalAccessTokensSearchFilter{
{
Filter: &user.PersonalAccessTokensSearchFilter_TokenIdFilter{
TokenIdFilter: &filter.IDFilter{Id: otherUserDataPoint.Id},
},
},
},
},
},
want: &user.ListPersonalAccessTokensResponse{
Result: []*user.PersonalAccessToken{},
Pagination: &filter.PaginationResponse{
TotalResult: 0,
AppliedLimit: 100,
},
},
},
}
t.Run("with permission flag v2", func(t *testing.T) {
setPermissionCheckV2Flag(t, true)
defer setPermissionCheckV2Flag(t, false)
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := Client.ListPersonalAccessTokens(tt.args.ctx, tt.args.req)
require.NoError(t, err)
assert.Len(t, got.Result, len(tt.want.Result))
if diff := cmp.Diff(tt.want, got, protocmp.Transform()); diff != "" {
t.Errorf("ListPersonalAccessTokens() mismatch (-want +got):\n%s", diff)
}
})
}
})
t.Run("without permission flag v2", func(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := Client.ListPersonalAccessTokens(tt.args.ctx, tt.args.req)
require.NoError(t, err)
assert.Len(t, got.Result, len(tt.want.Result))
// ignore the total result, as this is a known bug with the in-memory permission checks.
// The command can't know how many keys exist in the system if the SQL statement has a limit.
// This is fixed, once the in-memory permission checks are removed with https://github.com/zitadel/zitadel/issues/9188
tt.want.Pagination.TotalResult = got.Pagination.TotalResult
if diff := cmp.Diff(tt.want, got, protocmp.Transform()); diff != "" {
t.Errorf("ListPersonalAccessTokens() mismatch (-want +got):\n%s", diff)
}
})
}
})
}
func setupPATDataPoint(t *testing.T, userId, orgId string, expirationDate time.Time) *user.PersonalAccessToken {
expirationDatePb := timestamppb.New(expirationDate)
newPersonalAccessToken, err := Client.AddPersonalAccessToken(SystemCTX, &user.AddPersonalAccessTokenRequest{
UserId: userId,
ExpirationDate: expirationDatePb,
})
require.NoError(t, err)
return &user.PersonalAccessToken{
CreationDate: newPersonalAccessToken.CreationDate,
ChangeDate: newPersonalAccessToken.CreationDate,
Id: newPersonalAccessToken.GetTokenId(),
UserId: userId,
OrganizationId: orgId,
ExpirationDate: expirationDatePb,
}
}
func awaitPersonalAccessTokens(t *testing.T, sinceTestStartFilter *user.PersonalAccessTokensSearchFilter, patIds ...string) {
sortingColumn := user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_ID
slices.Sort(patIds)
require.EventuallyWithT(t, func(collect *assert.CollectT) {
result, err := Client.ListPersonalAccessTokens(SystemCTX, &user.ListPersonalAccessTokensRequest{
Filters: []*user.PersonalAccessTokensSearchFilter{sinceTestStartFilter},
SortingColumn: &sortingColumn,
Pagination: &filter.PaginationRequest{
Asc: true,
},
})
require.NoError(t, err)
if !assert.Len(collect, result.Result, len(patIds)) {
return
}
for i := range patIds {
patId := patIds[i]
require.Equal(collect, patId, result.Result[i].GetId())
}
}, 5*time.Second, time.Second, "pat not created in time")
}

4
internal/api/grpc/user/v2/integration_test/phone_test.go
View File

@@ -17,7 +17,7 @@ import (
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func TestServer_SetPhone(t *testing.T) {
func TestServer_Deprecated_SetPhone(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
tests := []struct {
@@ -249,7 +249,7 @@ func TestServer_VerifyPhone(t *testing.T) {
}
}
func TestServer_RemovePhone(t *testing.T) {
func TestServer_Deprecated_RemovePhone(t *testing.T) {
userResp := Instance.CreateHumanUser(CTX)
failResp := Instance.CreateHumanUserNoPhone(CTX)
otherUser := Instance.CreateHumanUser(CTX).GetUserId()

347
internal/api/grpc/user/v2/integration_test/secret_test.go Normal file
View File

@@ -0,0 +1,347 @@
//go:build integration
package user_test
import (
"context"
"fmt"
"testing"
"time"
"github.com/brianvoe/gofakeit/v6"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func TestServer_AddSecret(t *testing.T) {
type args struct {
ctx context.Context
req *user.AddSecretRequest
prepare func(request *user.AddSecretRequest) error
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "add secret, user not existing",
args: args{
CTX,
&user.AddSecretRequest{
UserId: "notexisting",
},
func(request *user.AddSecretRequest) error { return nil },
},
wantErr: true,
},
{
name: "add secret, ok",
args: args{
CTX,
&user.AddSecretRequest{},
func(request *user.AddSecretRequest) error {
resp := Instance.CreateUserTypeMachine(CTX)
request.UserId = resp.GetId()
return nil
},
},
},
{
name: "add secret human, not ok",
args: args{
CTX,
&user.AddSecretRequest{},
func(request *user.AddSecretRequest) error {
resp := Instance.CreateUserTypeMachine(CTX)
request.UserId = resp.GetId()
return nil
},
},
},
{
name: "overwrite secret, ok",
args: args{
CTX,
&user.AddSecretRequest{},
func(request *user.AddSecretRequest) error {
resp := Instance.CreateUserTypeMachine(CTX)
request.UserId = resp.GetId()
_, err := Client.AddSecret(CTX, &user.AddSecretRequest{
UserId: resp.GetId(),
})
return err
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
now := time.Now()
err := tt.args.prepare(tt.args.req)
require.NoError(t, err)
got, err := Client.AddSecret(tt.args.ctx, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
assert.NotEmpty(t, got.ClientSecret, "client secret is empty")
creationDate := got.CreationDate.AsTime()
assert.Greater(t, creationDate, now, "creation date is before the test started")
assert.Less(t, creationDate, time.Now(), "creation date is in the future")
})
}
}
func TestServer_AddSecret_Permission(t *testing.T) {
otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("AddSecret-%s", gofakeit.AppName()), gofakeit.Email())
otherOrgUser, err := Instance.Client.UserV2.CreateUser(IamCTX, &user.CreateUserRequest{
OrganizationId: otherOrg.OrganizationId,
UserType: &user.CreateUserRequest_Machine_{
Machine: &user.CreateUserRequest_Machine{
Name: gofakeit.Name(),
},
},
})
require.NoError(t, err)
type args struct {
ctx context.Context
req *user.AddSecretRequest
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "system, ok",
args: args{
SystemCTX,
&user.AddSecretRequest{
UserId: otherOrgUser.GetId(),
},
},
},
{
name: "instance, ok",
args: args{
IamCTX,
&user.AddSecretRequest{
UserId: otherOrgUser.GetId(),
},
},
},
{
name: "org, error",
args: args{
CTX,
&user.AddSecretRequest{
UserId: otherOrgUser.GetId(),
},
},
wantErr: true,
},
{
name: "user, error",
args: args{
UserCTX,
&user.AddSecretRequest{
UserId: otherOrgUser.GetId(),
},
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
now := time.Now()
require.NoError(t, err)
got, err := Client.AddSecret(tt.args.ctx, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
assert.NotEmpty(t, got.ClientSecret, "client secret is empty")
creationDate := got.CreationDate.AsTime()
assert.Greater(t, creationDate, now, "creation date is before the test started")
assert.Less(t, creationDate, time.Now(), "creation date is in the future")
})
}
}
func TestServer_RemoveSecret(t *testing.T) {
type args struct {
ctx context.Context
req *user.RemoveSecretRequest
prepare func(request *user.RemoveSecretRequest) error
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "remove secret, user not existing",
args: args{
CTX,
&user.RemoveSecretRequest{
UserId: "notexisting",
},
func(request *user.RemoveSecretRequest) error { return nil },
},
wantErr: true,
},
{
name: "remove secret, not existing",
args: args{
CTX,
&user.RemoveSecretRequest{},
func(request *user.RemoveSecretRequest) error {
resp := Instance.CreateUserTypeMachine(CTX)
request.UserId = resp.GetId()
return nil
},
},
wantErr: true,
},
{
name: "remove secret, ok",
args: args{
CTX,
&user.RemoveSecretRequest{},
func(request *user.RemoveSecretRequest) error {
resp := Instance.CreateUserTypeMachine(CTX)
request.UserId = resp.GetId()
_, err := Instance.Client.UserV2.AddSecret(CTX, &user.AddSecretRequest{
UserId: resp.GetId(),
})
return err
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
now := time.Now()
err := tt.args.prepare(tt.args.req)
require.NoError(t, err)
got, err := Client.RemoveSecret(tt.args.ctx, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
deletionDate := got.DeletionDate.AsTime()
assert.Greater(t, deletionDate, now, "creation date is before the test started")
assert.Less(t, deletionDate, time.Now(), "creation date is in the future")
})
}
}
func TestServer_RemoveSecret_Permission(t *testing.T) {
otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("RemoveSecret-%s", gofakeit.AppName()), gofakeit.Email())
otherOrgUser, err := Instance.Client.UserV2.CreateUser(IamCTX, &user.CreateUserRequest{
OrganizationId: otherOrg.OrganizationId,
UserType: &user.CreateUserRequest_Machine_{
Machine: &user.CreateUserRequest_Machine{
Name: gofakeit.Name(),
},
},
})
require.NoError(t, err)
type args struct {
ctx context.Context
req *user.RemoveSecretRequest
prepare func(request *user.RemoveSecretRequest) error
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "system, ok",
args: args{
SystemCTX,
&user.RemoveSecretRequest{
UserId: otherOrgUser.GetId(),
},
func(request *user.RemoveSecretRequest) error {
_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{
UserId: otherOrgUser.GetId(),
})
return err
},
},
},
{
name: "instance, ok",
args: args{
IamCTX,
&user.RemoveSecretRequest{
UserId: otherOrgUser.GetId(),
},
func(request *user.RemoveSecretRequest) error {
_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{
UserId: otherOrgUser.GetId(),
})
return err
},
},
},
{
name: "org, error",
args: args{
CTX,
&user.RemoveSecretRequest{
UserId: otherOrgUser.GetId(),
},
func(request *user.RemoveSecretRequest) error {
_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{
UserId: otherOrgUser.GetId(),
})
return err
},
},
wantErr: true,
},
{
name: "user, error",
args: args{
UserCTX,
&user.RemoveSecretRequest{
UserId: otherOrgUser.GetId(),
},
func(request *user.RemoveSecretRequest) error {
_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{
UserId: otherOrgUser.GetId(),
})
return err
},
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
now := time.Now()
require.NoError(t, tt.args.prepare(tt.args.req))
got, err := Client.RemoveSecret(tt.args.ctx, tt.args.req)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
assert.NotEmpty(t, got.DeletionDate, "client secret is empty")
creationDate := got.DeletionDate.AsTime()
assert.Greater(t, creationDate, now, "creation date is before the test started")
assert.Less(t, creationDate, time.Now(), "creation date is in the future")
})
}
}

1711
internal/api/grpc/user/v2/integration_test/user_test.go
View File

File diff suppressed because it is too large Load Diff

62
internal/api/grpc/user/v2/key.go Normal file
View File

@@ -0,0 +1,62 @@
package user
import (
"context"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func (s *Server) AddKey(ctx context.Context, req *user.AddKeyRequest) (*user.AddKeyResponse, error) {
newMachineKey := &command.MachineKey{
ObjectRoot: models.ObjectRoot{
AggregateID: req.UserId,
},
ExpirationDate: req.GetExpirationDate().AsTime(),
Type: domain.AuthNKeyTypeJSON,
PermissionCheck: s.command.NewPermissionCheckUserWrite(ctx),
}
newMachineKey.PublicKey = req.PublicKey
pubkeySupplied := len(newMachineKey.PublicKey) > 0
details, err := s.command.AddUserMachineKey(ctx, newMachineKey)
if err != nil {
return nil, err
}
// Return key details only if the pubkey wasn't supplied, otherwise the user already has
// private key locally
var keyDetails []byte
if !pubkeySupplied {
var err error
keyDetails, err = newMachineKey.Detail()
if err != nil {
return nil, err
}
}
return &user.AddKeyResponse{
KeyId: newMachineKey.KeyID,
KeyContent: keyDetails,
CreationDate: timestamppb.New(details.EventDate),
}, nil
}
func (s *Server) RemoveKey(ctx context.Context, req *user.RemoveKeyRequest) (*user.RemoveKeyResponse, error) {
machineKey := &command.MachineKey{
ObjectRoot: models.ObjectRoot{
AggregateID: req.UserId,
},
PermissionCheck: s.command.NewPermissionCheckUserWrite(ctx),
KeyID: req.KeyId,
}
objectDetails, err := s.command.RemoveUserMachineKey(ctx, machineKey)
if err != nil {
return nil, err
}
return &user.RemoveKeyResponse{
DeletionDate: timestamppb.New(objectDetails.EventDate),
}, nil
}

124
internal/api/grpc/user/v2/key_query.go Normal file
View File

@@ -0,0 +1,124 @@
package user
import (
"context"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/api/grpc/filter/v2"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/internal/zerrors"
filter_pb "github.com/zitadel/zitadel/pkg/grpc/filter/v2"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func (s *Server) ListKeys(ctx context.Context, req *user.ListKeysRequest) (*user.ListKeysResponse, error) {
offset, limit, asc, err := filter.PaginationPbToQuery(s.systemDefaults, req.Pagination)
if err != nil {
return nil, err
}
filters, err := keyFiltersToQueries(req.Filters)
if err != nil {
return nil, err
}
search := &query.AuthNKeySearchQueries{
SearchRequest: query.SearchRequest{
Offset: offset,
Limit: limit,
Asc: asc,
SortingColumn: authnKeyFieldNameToSortingColumn(req.SortingColumn),
},
Queries: filters,
}
result, err := s.query.SearchAuthNKeys(ctx, search, query.JoinFilterUserMachine, s.checkPermission)
if err != nil {
return nil, err
}
resp := &user.ListKeysResponse{
Result: make([]*user.Key, len(result.AuthNKeys)),
Pagination: filter.QueryToPaginationPb(search.SearchRequest, result.SearchResponse),
}
for i, key := range result.AuthNKeys {
resp.Result[i] = &user.Key{
CreationDate: timestamppb.New(key.CreationDate),
ChangeDate: timestamppb.New(key.ChangeDate),
Id: key.ID,
UserId: key.AggregateID,
OrganizationId: key.ResourceOwner,
ExpirationDate: timestamppb.New(key.Expiration),
}
}
return resp, nil
}
func keyFiltersToQueries(filters []*user.KeysSearchFilter) (_ []query.SearchQuery, err error) {
q := make([]query.SearchQuery, len(filters))
for i, filter := range filters {
q[i], err = keyFilterToQuery(filter)
if err != nil {
return nil, err
}
}
return q, nil
}
func keyFilterToQuery(filter *user.KeysSearchFilter) (query.SearchQuery, error) {
switch q := filter.Filter.(type) {
case *user.KeysSearchFilter_CreatedDateFilter:
return authnKeyCreatedFilterToQuery(q.CreatedDateFilter)
case *user.KeysSearchFilter_ExpirationDateFilter:
return authnKeyExpirationFilterToQuery(q.ExpirationDateFilter)
case *user.KeysSearchFilter_KeyIdFilter:
return authnKeyIdFilterToQuery(q.KeyIdFilter)
case *user.KeysSearchFilter_UserIdFilter:
return authnKeyUserIdFilterToQuery(q.UserIdFilter)
case *user.KeysSearchFilter_OrganizationIdFilter:
return authnKeyOrgIdFilterToQuery(q.OrganizationIdFilter)
default:
return nil, zerrors.ThrowInvalidArgument(nil, "GRPC-vR9nC", "List.Query.Invalid")
}
}
func authnKeyIdFilterToQuery(f *filter_pb.IDFilter) (query.SearchQuery, error) {
return query.NewAuthNKeyIDQuery(f.Id)
}
func authnKeyUserIdFilterToQuery(f *filter_pb.IDFilter) (query.SearchQuery, error) {
return query.NewAuthNKeyIdentifyerQuery(f.Id)
}
func authnKeyOrgIdFilterToQuery(f *filter_pb.IDFilter) (query.SearchQuery, error) {
return query.NewAuthNKeyResourceOwnerQuery(f.Id)
}
func authnKeyCreatedFilterToQuery(f *filter_pb.TimestampFilter) (query.SearchQuery, error) {
return query.NewAuthNKeyCreationDateQuery(f.Timestamp.AsTime(), filter.TimestampMethodPbToQuery(f.Method))
}
func authnKeyExpirationFilterToQuery(f *filter_pb.TimestampFilter) (query.SearchQuery, error) {
return query.NewAuthNKeyExpirationDateDateQuery(f.Timestamp.AsTime(), filter.TimestampMethodPbToQuery(f.Method))
}
// authnKeyFieldNameToSortingColumn defaults to the creation date because this ensures deterministic pagination
func authnKeyFieldNameToSortingColumn(field *user.KeyFieldName) query.Column {
if field == nil {
return query.AuthNKeyColumnCreationDate
}
switch *field {
case user.KeyFieldName_KEY_FIELD_NAME_UNSPECIFIED:
return query.AuthNKeyColumnCreationDate
case user.KeyFieldName_KEY_FIELD_NAME_ID:
return query.AuthNKeyColumnID
case user.KeyFieldName_KEY_FIELD_NAME_USER_ID:
return query.AuthNKeyColumnIdentifier
case user.KeyFieldName_KEY_FIELD_NAME_ORGANIZATION_ID:
return query.AuthNKeyColumnResourceOwner
case user.KeyFieldName_KEY_FIELD_NAME_CREATED_DATE:
return query.AuthNKeyColumnCreationDate
case user.KeyFieldName_KEY_FIELD_NAME_KEY_EXPIRATION_DATE:
return query.AuthNKeyColumnExpiration
default:
return query.AuthNKeyColumnCreationDate
}
}

58
internal/api/grpc/user/v2/machine.go Normal file
View File

@@ -0,0 +1,58 @@
package user
import (
"context"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func (s *Server) createUserTypeMachine(ctx context.Context, machinePb *user.CreateUserRequest_Machine, orgId, userName, userId string) (*user.CreateUserResponse, error) {
cmd := &command.Machine{
Username: userName,
Name: machinePb.Name,
Description: machinePb.GetDescription(),
AccessTokenType: domain.OIDCTokenTypeBearer,
ObjectRoot: models.ObjectRoot{
ResourceOwner: orgId,
AggregateID: userId,
},
}
details, err := s.command.AddMachine(
ctx,
cmd,
s.command.NewPermissionCheckUserWrite(ctx),
command.AddMachineWithUsernameToIDFallback(),
)
if err != nil {
return nil, err
}
return &user.CreateUserResponse{
Id: cmd.AggregateID,
CreationDate: timestamppb.New(details.EventDate),
}, nil
}
func (s *Server) updateUserTypeMachine(ctx context.Context, machinePb *user.UpdateUserRequest_Machine, userId string, userName *string) (*user.UpdateUserResponse, error) {
cmd := updateMachineUserToCommand(userId, userName, machinePb)
err := s.command.ChangeUserMachine(ctx, cmd)
if err != nil {
return nil, err
}
return &user.UpdateUserResponse{
ChangeDate: timestamppb.New(cmd.Details.EventDate),
}, nil
}
func updateMachineUserToCommand(userId string, userName *string, machine *user.UpdateUserRequest_Machine) *command.ChangeMachine {
return &command.ChangeMachine{
ID: userId,
Username: userName,
Name: machine.Name,
Description: machine.Description,
}
}

62
internal/api/grpc/user/v2/machine_test.go Normal file
View File

@@ -0,0 +1,62 @@
package user
import (
"testing"
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
"github.com/muhlemmer/gu"
"golang.org/x/text/language"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func Test_patchMachineUserToCommand(t *testing.T) {
type args struct {
userId string
userName *string
machine *user.UpdateUserRequest_Machine
}
tests := []struct {
name string
args args
want *command.ChangeMachine
}{{
name: "single property",
args: args{
userId: "userId",
machine: &user.UpdateUserRequest_Machine{
Name: gu.Ptr("name"),
},
},
want: &command.ChangeMachine{
ID: "userId",
Name: gu.Ptr("name"),
},
}, {
name: "all properties",
args: args{
userId: "userId",
userName: gu.Ptr("userName"),
machine: &user.UpdateUserRequest_Machine{
Name: gu.Ptr("name"),
Description: gu.Ptr("description"),
},
},
want: &command.ChangeMachine{
ID: "userId",
Username: gu.Ptr("userName"),
Name: gu.Ptr("name"),
Description: gu.Ptr("description"),
},
}}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := updateMachineUserToCommand(tt.args.userId, tt.args.userName, tt.args.machine)
if diff := cmp.Diff(tt.want, got, cmpopts.EquateComparable(language.Tag{})); diff != "" {
t.Errorf("patchMachineUserToCommand() mismatch (-want +got):\n%s", diff)
}
})
}
}

56
internal/api/grpc/user/v2/pat.go Normal file
View File

@@ -0,0 +1,56 @@
package user
import (
"context"
"github.com/zitadel/oidc/v3/pkg/oidc"
"google.golang.org/protobuf/types/known/timestamppb"
z_oidc "github.com/zitadel/zitadel/internal/api/oidc"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func (s *Server) AddPersonalAccessToken(ctx context.Context, req *user.AddPersonalAccessTokenRequest) (*user.AddPersonalAccessTokenResponse, error) {
newPat := &command.PersonalAccessToken{
ObjectRoot: models.ObjectRoot{
AggregateID: req.UserId,
},
PermissionCheck: s.command.NewPermissionCheckUserWrite(ctx),
ExpirationDate: req.ExpirationDate.AsTime(),
Scopes: []string{
oidc.ScopeOpenID,
oidc.ScopeProfile,
z_oidc.ScopeUserMetaData,
z_oidc.ScopeResourceOwner,
},
AllowedUserType: domain.UserTypeMachine,
}
details, err := s.command.AddPersonalAccessToken(ctx, newPat)
if err != nil {
return nil, err
}
return &user.AddPersonalAccessTokenResponse{
CreationDate: timestamppb.New(details.EventDate),
TokenId: newPat.TokenID,
Token: newPat.Token,
}, nil
}
func (s *Server) RemovePersonalAccessToken(ctx context.Context, req *user.RemovePersonalAccessTokenRequest) (*user.RemovePersonalAccessTokenResponse, error) {
objectDetails, err := s.command.RemovePersonalAccessToken(ctx, &command.PersonalAccessToken{
TokenID: req.TokenId,
ObjectRoot: models.ObjectRoot{
AggregateID: req.UserId,
},
PermissionCheck: s.command.NewPermissionCheckUserWrite(ctx),
})
if err != nil {
return nil, err
}
return &user.RemovePersonalAccessTokenResponse{
DeletionDate: timestamppb.New(objectDetails.EventDate),
}, nil
}

123
internal/api/grpc/user/v2/pat_query.go Normal file
View File

@@ -0,0 +1,123 @@
package user
import (
"context"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/api/grpc/filter/v2"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/internal/zerrors"
filter_pb "github.com/zitadel/zitadel/pkg/grpc/filter/v2"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func (s *Server) ListPersonalAccessTokens(ctx context.Context, req *user.ListPersonalAccessTokensRequest) (*user.ListPersonalAccessTokensResponse, error) {
offset, limit, asc, err := filter.PaginationPbToQuery(s.systemDefaults, req.Pagination)
if err != nil {
return nil, err
}
filters, err := patFiltersToQueries(req.Filters)
if err != nil {
return nil, err
}
search := &query.PersonalAccessTokenSearchQueries{
SearchRequest: query.SearchRequest{
Offset: offset,
Limit: limit,
Asc: asc,
SortingColumn: authnPersonalAccessTokenFieldNameToSortingColumn(req.SortingColumn),
},
Queries: filters,
}
result, err := s.query.SearchPersonalAccessTokens(ctx, search, s.checkPermission)
if err != nil {
return nil, err
}
resp := &user.ListPersonalAccessTokensResponse{
Result: make([]*user.PersonalAccessToken, len(result.PersonalAccessTokens)),
Pagination: filter.QueryToPaginationPb(search.SearchRequest, result.SearchResponse),
}
for i, pat := range result.PersonalAccessTokens {
resp.Result[i] = &user.PersonalAccessToken{
CreationDate: timestamppb.New(pat.CreationDate),
ChangeDate: timestamppb.New(pat.ChangeDate),
Id: pat.ID,
UserId: pat.UserID,
OrganizationId: pat.ResourceOwner,
ExpirationDate: timestamppb.New(pat.Expiration),
}
}
return resp, nil
}
func patFiltersToQueries(filters []*user.PersonalAccessTokensSearchFilter) (_ []query.SearchQuery, err error) {
q := make([]query.SearchQuery, len(filters))
for i, filter := range filters {
q[i], err = patFilterToQuery(filter)
if err != nil {
return nil, err
}
}
return q, nil
}
func patFilterToQuery(filter *user.PersonalAccessTokensSearchFilter) (query.SearchQuery, error) {
switch q := filter.Filter.(type) {
case *user.PersonalAccessTokensSearchFilter_CreatedDateFilter:
return authnPersonalAccessTokenCreatedFilterToQuery(q.CreatedDateFilter)
case *user.PersonalAccessTokensSearchFilter_ExpirationDateFilter:
return authnPersonalAccessTokenExpirationFilterToQuery(q.ExpirationDateFilter)
case *user.PersonalAccessTokensSearchFilter_TokenIdFilter:
return authnPersonalAccessTokenIdFilterToQuery(q.TokenIdFilter)
case *user.PersonalAccessTokensSearchFilter_UserIdFilter:
return authnPersonalAccessTokenUserIdFilterToQuery(q.UserIdFilter)
case *user.PersonalAccessTokensSearchFilter_OrganizationIdFilter:
return authnPersonalAccessTokenOrgIdFilterToQuery(q.OrganizationIdFilter)
default:
return nil, zerrors.ThrowInvalidArgument(nil, "GRPC-vR9nC", "List.Query.Invalid")
}
}
func authnPersonalAccessTokenIdFilterToQuery(f *filter_pb.IDFilter) (query.SearchQuery, error) {
return query.NewPersonalAccessTokenIDQuery(f.Id)
}
func authnPersonalAccessTokenUserIdFilterToQuery(f *filter_pb.IDFilter) (query.SearchQuery, error) {
return query.NewPersonalAccessTokenUserIDSearchQuery(f.Id)
}
func authnPersonalAccessTokenOrgIdFilterToQuery(f *filter_pb.IDFilter) (query.SearchQuery, error) {
return query.NewPersonalAccessTokenResourceOwnerSearchQuery(f.Id)
}
func authnPersonalAccessTokenCreatedFilterToQuery(f *filter_pb.TimestampFilter) (query.SearchQuery, error) {
return query.NewPersonalAccessTokenCreationDateQuery(f.Timestamp.AsTime(), filter.TimestampMethodPbToQuery(f.Method))
}
func authnPersonalAccessTokenExpirationFilterToQuery(f *filter_pb.TimestampFilter) (query.SearchQuery, error) {
return query.NewPersonalAccessTokenExpirationDateDateQuery(f.Timestamp.AsTime(), filter.TimestampMethodPbToQuery(f.Method))
}
// authnPersonalAccessTokenFieldNameToSortingColumn defaults to the creation date because this ensures deterministic pagination
func authnPersonalAccessTokenFieldNameToSortingColumn(field *user.PersonalAccessTokenFieldName) query.Column {
if field == nil {
return query.PersonalAccessTokenColumnCreationDate
}
switch *field {
case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_UNSPECIFIED:
return query.PersonalAccessTokenColumnCreationDate
case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_ID:
return query.PersonalAccessTokenColumnID
case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_USER_ID:
return query.PersonalAccessTokenColumnUserID
case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_ORGANIZATION_ID:
return query.PersonalAccessTokenColumnResourceOwner
case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_CREATED_DATE:
return query.PersonalAccessTokenColumnCreationDate
case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_EXPIRATION_DATE:
return query.PersonalAccessTokenColumnExpiration
default:
return query.PersonalAccessTokenColumnCreationDate
}
}

39
internal/api/grpc/user/v2/secret.go Normal file
View File

@@ -0,0 +1,39 @@
package user
import (
"context"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
func (s *Server) AddSecret(ctx context.Context, req *user.AddSecretRequest) (*user.AddSecretResponse, error) {
newSecret := &command.GenerateMachineSecret{
PermissionCheck: s.command.NewPermissionCheckUserWrite(ctx),
}
details, err := s.command.GenerateMachineSecret(ctx, req.UserId, "", newSecret)
if err != nil {
return nil, err
}
return &user.AddSecretResponse{
CreationDate: timestamppb.New(details.EventDate),
ClientSecret: newSecret.ClientSecret,
}, nil
}
func (s *Server) RemoveSecret(ctx context.Context, req *user.RemoveSecretRequest) (*user.RemoveSecretResponse, error) {
details, err := s.command.RemoveMachineSecret(
ctx,
req.UserId,
"",
s.command.NewPermissionCheckUserWrite(ctx),
)
if err != nil {
return nil, err
}
return &user.RemoveSecretResponse{
DeletionDate: timestamppb.New(details.EventDate),
}, nil
}

16
internal/api/grpc/user/v2/server.go
View File

@@ -8,6 +8,7 @@ import (
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/api/grpc/server"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/config/systemdefaults"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
@@ -18,12 +19,13 @@ var _ user.UserServiceServer = (*Server)(nil)
type Server struct {
user.UnimplementedUserServiceServer
command *command.Commands
query *query.Queries
userCodeAlg crypto.EncryptionAlgorithm
idpAlg crypto.EncryptionAlgorithm
idpCallback func(ctx context.Context) string
samlRootURL func(ctx context.Context, idpID string) string
systemDefaults systemdefaults.SystemDefaults
command *command.Commands
query *query.Queries
userCodeAlg crypto.EncryptionAlgorithm
idpAlg crypto.EncryptionAlgorithm
idpCallback func(ctx context.Context) string
samlRootURL func(ctx context.Context, idpID string) string
assetAPIPrefix func(context.Context) string
@@ -33,6 +35,7 @@ type Server struct {
type Config struct{}
func CreateServer(
systemDefaults systemdefaults.SystemDefaults,
command *command.Commands,
query *query.Queries,
userCodeAlg crypto.EncryptionAlgorithm,
@@ -43,6 +46,7 @@ func CreateServer(
checkPermission domain.PermissionCheck,
) *Server {
return &Server{
systemDefaults: systemDefaults,
command: command,
query: query,
userCodeAlg: userCodeAlg,

105
internal/api/grpc/user/v2/user.go
View File

@@ -11,6 +11,7 @@ import (
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/internal/zerrors"
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)
@@ -117,7 +118,7 @@ func genderToDomain(gender user.Gender) domain.Gender {
}
func (s *Server) UpdateHumanUser(ctx context.Context, req *user.UpdateHumanUserRequest) (_ *user.UpdateHumanUserResponse, err error) {
human, err := UpdateUserRequestToChangeHuman(req)
human, err := updateHumanUserRequestToChangeHuman(req)
if err != nil {
return nil, err
}
@@ -181,86 +182,6 @@ func ifNotNilPtr[v, p any](value *v, conv func(v) p) *p {
return &pVal
}
func UpdateUserRequestToChangeHuman(req *user.UpdateHumanUserRequest) (*command.ChangeHuman, error) {
email, err := SetHumanEmailToEmail(req.Email, req.GetUserId())
if err != nil {
return nil, err
}
return &command.ChangeHuman{
ID: req.GetUserId(),
Username: req.Username,
Profile: SetHumanProfileToProfile(req.Profile),
Email: email,
Phone: SetHumanPhoneToPhone(req.Phone),
Password: SetHumanPasswordToPassword(req.Password),
}, nil
}
func SetHumanProfileToProfile(profile *user.SetHumanProfile) *command.Profile {
if profile == nil {
return nil
}
var firstName *string
if profile.GivenName != "" {
firstName = &profile.GivenName
}
var lastName *string
if profile.FamilyName != "" {
lastName = &profile.FamilyName
}
return &command.Profile{
FirstName: firstName,
LastName: lastName,
NickName: profile.NickName,
DisplayName: profile.DisplayName,
PreferredLanguage: ifNotNilPtr(profile.PreferredLanguage, language.Make),
Gender: ifNotNilPtr(profile.Gender, genderToDomain),
}
}
func SetHumanEmailToEmail(email *user.SetHumanEmail, userID string) (*command.Email, error) {
if email == nil {
return nil, nil
}
var urlTemplate string
if email.GetSendCode() != nil && email.GetSendCode().UrlTemplate != nil {
urlTemplate = *email.GetSendCode().UrlTemplate
if err := domain.RenderConfirmURLTemplate(io.Discard, urlTemplate, userID, "code", "orgID"); err != nil {
return nil, err
}
}
return &command.Email{
Address: domain.EmailAddress(email.Email),
Verified: email.GetIsVerified(),
ReturnCode: email.GetReturnCode() != nil,
URLTemplate: urlTemplate,
}, nil
}
func SetHumanPhoneToPhone(phone *user.SetHumanPhone) *command.Phone {
if phone == nil {
return nil
}
return &command.Phone{
Number: domain.PhoneNumber(phone.GetPhone()),
Verified: phone.GetIsVerified(),
ReturnCode: phone.GetReturnCode() != nil,
}
}
func SetHumanPasswordToPassword(password *user.SetPassword) *command.Password {
if password == nil {
return nil
}
return &command.Password{
PasswordCode: password.GetVerificationCode(),
OldPassword: password.GetCurrentPassword(),
Password: password.GetPassword().GetPassword(),
EncodedPasswordHash: password.GetHashedPassword().GetHash(),
ChangeRequired: password.GetPassword().GetChangeRequired() || password.GetHashedPassword().GetChangeRequired(),
}
}
func (s *Server) DeleteUser(ctx context.Context, req *user.DeleteUserRequest) (_ *user.DeleteUserResponse, err error) {
memberships, grants, err := s.removeUserDependencies(ctx, req.GetUserId())
if err != nil {
@@ -482,3 +403,25 @@ func (s *Server) HumanMFAInitSkipped(ctx context.Context, req *user.HumanMFAInit
Details: object.DomainToDetailsPb(details),
}, nil
}
func (s *Server) CreateUser(ctx context.Context, req *user.CreateUserRequest) (*user.CreateUserResponse, error) {
switch userType := req.GetUserType().(type) {
case *user.CreateUserRequest_Human_:
return s.createUserTypeHuman(ctx, userType.Human, req.OrganizationId, req.Username, req.UserId)
case *user.CreateUserRequest_Machine_:
return s.createUserTypeMachine(ctx, userType.Machine, req.OrganizationId, req.GetUsername(), req.GetUserId())
default:
return nil, zerrors.ThrowInternal(nil, "", "user type is not implemented")
}
}
func (s *Server) UpdateUser(ctx context.Context, req *user.UpdateUserRequest) (*user.UpdateUserResponse, error) {
switch userType := req.GetUserType().(type) {
case *user.UpdateUserRequest_Human_:
return s.updateUserTypeHuman(ctx, userType.Human, req.UserId, req.Username)
case *user.UpdateUserRequest_Machine_:
return s.updateUserTypeMachine(ctx, userType.Machine, req.UserId, req.Username)
default:
return nil, zerrors.ThrowUnimplemented(nil, "", "user type is not implemented")
}
}

0
internal/api/grpc/user/v2/query.go → internal/api/grpc/user/v2/user_query.go
View File