feat: handle instance from context (#3382)

* commander * commander * selber! * move to packages * fix(errors): implement Is interface * test: command * test: commands * add init steps * setup tenant * add default step yaml * possibility to set password * merge v2 into v2-commander * fix: rename iam command side to instance * fix: rename iam command side to instance * fix: rename iam command side to instance * fix: rename iam command side to instance * fix: search query builder can filter events in memory * fix: filters for add member * fix(setup): add `ExternalSecure` to config * chore: name iam to instance * fix: matching * remove unsued func * base url * base url * test(command): filter funcs * test: commands * fix: rename orgiampolicy to domain policy * start from init * commands * config * fix indexes and add constraints * fixes * fix: merge conflicts * fix: protos * fix: md files * setup * add deprecated org iam policy again * typo * fix search query * fix filter * Apply suggestions from code review * remove custom org from org setup * add todos for verification * change apps creation * simplify package structure * fix error * move preparation helper for tests * fix unique constraints * fix config mapping in setup * fix error handling in encryption_keys.go * fix projection config * fix query from old views to projection * fix setup of mgmt api * set iam project and fix instance projection * fix tokens view * fix steps.yaml and defaults.yaml * fix projections * change instance context to interface * instance interceptors and additional events in setup * cleanup * tests for interceptors * fix label policy * add todo * single api endpoint in environment.json Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>
2025-08-12 00:47:33 +00:00 · 2022-03-29 11:53:19 +02:00
parent c5b99274d7
commit 958362e6c9
101 changed files with 1520 additions and 274 deletions
--- a/internal/api/http/middleware/instance_interceptor.go
+++ b/internal/api/http/middleware/instance_interceptor.go
@@ -0,0 +1,65 @@
+package middleware
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/telemetry/tracing"
+)
+
+type instanceInterceptor struct {
+	verifier   authz.InstanceVerifier
+	headerName string
+}
+
+func InstanceInterceptor(verifier authz.InstanceVerifier, headerName string) *instanceInterceptor {
+	return &instanceInterceptor{
+		verifier:   verifier,
+		headerName: headerName,
+	}
+}
+
+func (a *instanceInterceptor) Handler(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx, err := setInstance(r, a.verifier, a.headerName)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return
+		}
+		r = r.WithContext(ctx)
+		next.ServeHTTP(w, r)
+	})
+}
+
+func (a *instanceInterceptor) HandlerFunc(next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		ctx, err := setInstance(r, a.verifier, a.headerName)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusForbidden)
+			return
+		}
+		r = r.WithContext(ctx)
+		next.ServeHTTP(w, r)
+	}
+}
+
+func setInstance(r *http.Request, verifier authz.InstanceVerifier, headerName string) (_ context.Context, err error) {
+	ctx := r.Context()
+
+	authCtx, span := tracing.NewServerInterceptorSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	host := r.Header.Get(headerName)
+	if host == "" {
+		return nil, fmt.Errorf("host header %s not found", headerName)
+	}
+
+	instance, err := verifier.InstanceByHost(authCtx, host)
+	if err != nil {
+		return nil, err
+	}
+	span.End()
+	return authz.WithInstance(ctx, instance), nil
+}