mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-12 04:47:33 +00:00
fix: permission checks on session API
# Which Problems Are Solved
The session API allowed any authenticated user to update sessions by their ID without any further check.
This was unintentionally introduced with version 2.53.0 when the requirement of providing the latest session token on every session update was removed and no other permission check (e.g. session.write) was ensured.
# How the Problems Are Solved
- Granted `session.write` to `IAM_OWNER` and `IAM_LOGIN_CLIENT` in the defaults.yaml
- Granted `session.read` to `IAM_ORG_MANAGER`, `IAM_USER_MANAGER` and `ORG_OWNER` in the defaults.yaml
- Pass the session token to the UpdateSession command.
- Check for `session.write` permission on session creation and update.
- Alternatively, the (latest) sessionToken can be used to update the session.
- Setting an auth request to failed on the OIDC Service `CreateCallback` endpoint now ensures it's either the same user as used to create the auth request (for backwards compatibilty) or requires `session.link` permission.
- Setting an device auth request to failed on the OIDC Service `AuthorizeOrDenyDeviceAuthorization` endpoint now requires `session.link` permission.
- Setting an auth request to failed on the SAML Service `CreateResponse` endpoint now requires `session.link` permission.
# Additional Changes
none
# Additional Context
none
(cherry picked from commit 4c942f3477)
This commit is contained in:
Livio Spring
@@ -17,11 +17,11 @@ import (
|
||||
func TestServer_AddOTPSMS(t *testing.T) {
|
||||
userID := Instance.CreateHumanUser(CTX).GetUserId()
|
||||
Instance.RegisterUserPasskey(CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
|
||||
|
||||
otherUser := Instance.CreateHumanUser(CTX).GetUserId()
|
||||
Instance.RegisterUserPasskey(CTX, otherUser)
|
||||
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
|
||||
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
|
||||
|
||||
userVerified := Instance.CreateHumanUser(CTX)
|
||||
_, err := Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{
|
||||
@@ -30,7 +30,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
|
||||
})
|
||||
require.NoError(t, err)
|
||||
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
|
||||
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
|
||||
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
|
||||
|
||||
userVerified2 := Instance.CreateHumanUser(CTX)
|
||||
_, err = Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{
|
||||
@@ -123,7 +123,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
|
||||
func TestServer_RemoveOTPSMS(t *testing.T) {
|
||||
userID := Instance.CreateHumanUser(CTX).GetUserId()
|
||||
Instance.RegisterUserPasskey(CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
|
||||
|
||||
userVerified := Instance.CreateHumanUser(CTX)
|
||||
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
|
||||
@@ -137,7 +137,7 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
|
||||
|
||||
userSelf := Instance.CreateHumanUser(CTX)
|
||||
Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
|
||||
_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId())
|
||||
_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId())
|
||||
userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
|
||||
_, err = Instance.Client.UserV2beta.VerifyPhone(CTX, &user.VerifyPhoneRequest{
|
||||
UserId: userSelf.GetUserId(),
|
||||
@@ -213,11 +213,11 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
|
||||
func TestServer_AddOTPEmail(t *testing.T) {
|
||||
userID := Instance.CreateHumanUser(CTX).GetUserId()
|
||||
Instance.RegisterUserPasskey(CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
|
||||
|
||||
otherUser := Instance.CreateHumanUser(CTX).GetUserId()
|
||||
Instance.RegisterUserPasskey(CTX, otherUser)
|
||||
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
|
||||
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
|
||||
|
||||
userVerified := Instance.CreateHumanUser(CTX)
|
||||
_, err := Client.VerifyEmail(CTX, &user.VerifyEmailRequest{
|
||||
@@ -226,7 +226,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
|
||||
})
|
||||
require.NoError(t, err)
|
||||
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
|
||||
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
|
||||
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
|
||||
|
||||
userVerified2 := Instance.CreateHumanUser(CTX)
|
||||
_, err = Client.VerifyEmail(CTX, &user.VerifyEmailRequest{
|
||||
@@ -321,7 +321,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
|
||||
func TestServer_RemoveOTPEmail(t *testing.T) {
|
||||
userID := Instance.CreateHumanUser(CTX).GetUserId()
|
||||
Instance.RegisterUserPasskey(CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
|
||||
|
||||
userVerified := Instance.CreateHumanUser(CTX)
|
||||
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
|
||||
|
||||
@@ -27,7 +27,7 @@ func TestServer_RegisterPasskey(t *testing.T) {
|
||||
|
||||
// We also need a user session
|
||||
Instance.RegisterUserPasskey(CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
|
||||
|
||||
type args struct {
|
||||
ctx context.Context
|
||||
|
||||
@@ -258,7 +258,7 @@ func TestServer_RemovePhone(t *testing.T) {
|
||||
doubleRemoveUser := Instance.CreateHumanUser(CTX)
|
||||
|
||||
Instance.RegisterUserPasskey(CTX, otherUser)
|
||||
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
|
||||
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
|
||||
@@ -20,12 +20,12 @@ import (
|
||||
func TestServer_RegisterTOTP(t *testing.T) {
|
||||
userID := Instance.CreateHumanUser(CTX).GetUserId()
|
||||
Instance.RegisterUserPasskey(CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
|
||||
ctx := integration.WithAuthorizationToken(CTX, sessionToken)
|
||||
|
||||
otherUser := Instance.CreateHumanUser(CTX).GetUserId()
|
||||
Instance.RegisterUserPasskey(CTX, otherUser)
|
||||
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
|
||||
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
|
||||
ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser)
|
||||
|
||||
type args struct {
|
||||
@@ -106,7 +106,7 @@ func TestServer_RegisterTOTP(t *testing.T) {
|
||||
func TestServer_VerifyTOTPRegistration(t *testing.T) {
|
||||
userID := Instance.CreateHumanUser(CTX).GetUserId()
|
||||
Instance.RegisterUserPasskey(CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
|
||||
ctx := integration.WithAuthorizationToken(CTX, sessionToken)
|
||||
|
||||
var reg *user.RegisterTOTPResponse
|
||||
@@ -123,7 +123,7 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
|
||||
|
||||
otherUser := Instance.CreateHumanUser(CTX).GetUserId()
|
||||
Instance.RegisterUserPasskey(CTX, otherUser)
|
||||
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
|
||||
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
|
||||
ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser)
|
||||
|
||||
regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{
|
||||
@@ -214,11 +214,11 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
|
||||
func TestServer_RemoveTOTP(t *testing.T) {
|
||||
userID := Instance.CreateHumanUser(CTX).GetUserId()
|
||||
Instance.RegisterUserPasskey(CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
|
||||
|
||||
userVerified := Instance.CreateHumanUser(CTX)
|
||||
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
|
||||
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
|
||||
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
|
||||
userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified)
|
||||
_, err := Client.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{
|
||||
UserId: userVerified.GetUserId(),
|
||||
|
||||
@@ -22,9 +22,9 @@ func TestServer_RegisterU2F(t *testing.T) {
|
||||
|
||||
// We also need a user session
|
||||
Instance.RegisterUserPasskey(CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
|
||||
Instance.RegisterUserPasskey(CTX, otherUser)
|
||||
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
|
||||
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
|
||||
|
||||
type args struct {
|
||||
ctx context.Context
|
||||
@@ -108,7 +108,7 @@ func TestServer_RegisterU2F(t *testing.T) {
|
||||
func TestServer_VerifyU2FRegistration(t *testing.T) {
|
||||
userID := Instance.CreateHumanUser(CTX).GetUserId()
|
||||
Instance.RegisterUserPasskey(CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
|
||||
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
|
||||
ctx := integration.WithAuthorizationToken(CTX, sessionToken)
|
||||
|
||||
pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{
|
||||
|
||||
@@ -31,6 +31,7 @@ import (
|
||||
var (
|
||||
CTX context.Context
|
||||
IamCTX context.Context
|
||||
LoginCTX context.Context
|
||||
UserCTX context.Context
|
||||
SystemCTX context.Context
|
||||
Instance *integration.Instance
|
||||
@@ -46,6 +47,7 @@ func TestMain(m *testing.M) {
|
||||
|
||||
UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission)
|
||||
IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
|
||||
LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
|
||||
SystemCTX = integration.WithSystemAuthorization(ctx)
|
||||
CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
|
||||
Client = Instance.Client.UserV2beta
|
||||
|
||||
Reference in New Issue
Block a user