feat(api): new session service (#5801)

* backup new protoc plugin * backup * session * backup * initial implementation * change to specific events * implement tests * cleanup * refactor: use new protoc plugin for api v2 * change package * simplify code * cleanup * cleanup * fix merge * start queries * fix tests * improve returned values * add token to projection * tests * test db map * update query * permission checks * fix tests and linting * rework token creation * i18n * refactor token check and fix tests * session to PB test * request to query tests * cleanup proto * test user check * add comment * simplify database map type * Update docs/docs/guides/integrate/access-zitadel-system-api.md Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix test * cleanup * docs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-08-11 21:17:32 +00:00 · 2023-05-05 17:34:53 +02:00
parent 74377c2c37
commit c2cb84cd24
55 changed files with 3911 additions and 106 deletions
--- a/cmd/start/start.go
+++ b/cmd/start/start.go
@@ -50,6 +50,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	cryptoDB "github.com/zitadel/zitadel/internal/crypto/database"
 	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/id"
 	"github.com/zitadel/zitadel/internal/logstore"
@@ -129,7 +130,21 @@ func startZitadel(config *Config, masterKey string, server chan<- *Server) error
 		return fmt.Errorf("cannot start eventstore for queries: %w", err)
 	}

-	queries, err := query.StartQueries(ctx, eventstoreClient, dbClient, config.Projections, config.SystemDefaults, keys.IDPConfig, keys.OTP, keys.OIDC, keys.SAML, config.InternalAuthZ.RolePermissionMappings)
+	sessionTokenVerifier := internal_authz.SessionTokenVerifier(keys.OIDC)
+
+	queries, err := query.StartQueries(
+		ctx,
+		eventstoreClient,
+		dbClient,
+		config.Projections,
+		config.SystemDefaults,
+		keys.IDPConfig,
+		keys.OTP,
+		keys.OIDC,
+		keys.SAML,
+		config.InternalAuthZ.RolePermissionMappings,
+		sessionTokenVerifier,
+	)
 	if err != nil {
 		return fmt.Errorf("cannot start queries: %w", err)
 	}
@@ -138,6 +153,9 @@ func startZitadel(config *Config, masterKey string, server chan<- *Server) error
 	if err != nil {
 		return fmt.Errorf("error starting authz repo: %w", err)
 	}
+	permissionCheck := func(ctx context.Context, permission, orgID, resourceID string) (err error) {
+		return internal_authz.CheckPermission(ctx, authZRepo, config.InternalAuthZ.RolePermissionMappings, permission, orgID, resourceID)
+	}

 	storage, err := config.AssetStorage.NewStorage(dbClient.DB)
 	if err != nil {
@@ -165,7 +183,8 @@ func startZitadel(config *Config, masterKey string, server chan<- *Server) error
 		keys.OIDC,
 		keys.SAML,
 		&http.Client{},
-		authZRepo,
+		permissionCheck,
+		sessionTokenVerifier,
 	)
 	if err != nil {
 		return fmt.Errorf("cannot start commands: %w", err)
@@ -195,7 +214,22 @@ func startZitadel(config *Config, masterKey string, server chan<- *Server) error
 	if err != nil {
 		return err
 	}
-	err = startAPIs(ctx, clock, router, commands, queries, eventstoreClient, dbClient, config, storage, authZRepo, keys, queries, usageReporter)
+	err = startAPIs(
+		ctx,
+		clock,
+		router,
+		commands,
+		queries,
+		eventstoreClient,
+		dbClient,
+		config,
+		storage,
+		authZRepo,
+		keys,
+		queries,
+		usageReporter,
+		permissionCheck,
+	)
 	if err != nil {
 		return err
 	}
@@ -239,6 +273,7 @@ func startAPIs(
 	keys *encryptionKeys,
 	quotaQuerier logstore.QuotaQuerier,
 	usageReporter logstore.UsageReporter,
+	permissionCheck domain.PermissionCheck,
 ) error {
 	repo := struct {
 		authz_repo.Repository
@@ -294,7 +329,7 @@ func startAPIs(
 	if err := apis.RegisterService(ctx, user.CreateServer(commands, queries, keys.User)); err != nil {
 		return err
 	}
-	if err := apis.RegisterService(ctx, session.CreateServer(commands, queries)); err != nil {
+	if err := apis.RegisterService(ctx, session.CreateServer(commands, queries, permissionCheck)); err != nil {
 		return err
 	}
 	instanceInterceptor := middleware.InstanceInterceptor(queries, config.HTTP1HostHeader, login.IgnoreInstanceEndpoints...)