feat(api): new session service (#5801)

* backup new protoc plugin * backup * session * backup * initial implementation * change to specific events * implement tests * cleanup * refactor: use new protoc plugin for api v2 * change package * simplify code * cleanup * cleanup * fix merge * start queries * fix tests * improve returned values * add token to projection * tests * test db map * update query * permission checks * fix tests and linting * rework token creation * i18n * refactor token check and fix tests * session to PB test * request to query tests * cleanup proto * test user check * add comment * simplify database map type * Update docs/docs/guides/integrate/access-zitadel-system-api.md Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix test * cleanup * docs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-08-11 21:17:32 +00:00 · 2023-05-05 17:34:53 +02:00
parent 74377c2c37
commit c2cb84cd24
55 changed files with 3911 additions and 106 deletions
--- a/internal/api/authz/authorization.go
+++ b/internal/api/authz/authorization.go
@@ -14,11 +14,16 @@ const (
 	authenticated = "authenticated"
 )

-func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgIDHeader string, verifier *TokenVerifier, authConfig Config, requiredAuthOption Option, method string) (ctxSetter func(context.Context) context.Context, err error) {
+// CheckUserAuthorization verifies that:
+// - the token is active,
+// - the organisation (**either** provided by ID or verified domain) exists
+// - the user is permitted to call the requested endpoint (permission option in proto)
+// it will pass the [CtxData] and permission of the user into the ctx [context.Context]
+func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID, orgDomain string, verifier *TokenVerifier, authConfig Config, requiredAuthOption Option, method string) (ctxSetter func(context.Context) context.Context, err error) {
 	ctx, span := tracing.NewServerInterceptorSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	ctxData, err := VerifyTokenAndCreateCtxData(ctx, token, orgIDHeader, verifier, method)
+	ctxData, err := VerifyTokenAndCreateCtxData(ctx, token, orgID, orgDomain, verifier, method)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/authz/context.go
+++ b/internal/api/authz/context.go
@@ -60,7 +60,7 @@ const (
 	MemberTypeIam
 )

-func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *TokenVerifier, method string) (_ CtxData, err error) {
+func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID, orgDomain string, t *TokenVerifier, method string) (_ CtxData, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

@@ -82,14 +82,15 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *To
 	if err := checkOrigin(ctx, origins); err != nil {
 		return CtxData{}, err
 	}
-	if orgID == "" {
+	if orgID == "" && orgDomain == "" {
 		orgID = resourceOwner
 	}

-	err = t.ExistsOrg(ctx, orgID)
+	verifiedOrgID, err := t.ExistsOrg(ctx, orgID, orgDomain)
 	if err != nil {
 		err = retry(func() error {
-			return t.ExistsOrg(ctx, orgID)
+			verifiedOrgID, err = t.ExistsOrg(ctx, orgID, orgDomain)
+			return err
 		})
 		if err != nil {
 			return CtxData{}, errors.ThrowPermissionDenied(nil, "AUTH-Bs7Ds", "Organisation doesn't exist")
@@ -98,7 +99,7 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *To

 	return CtxData{
 		UserID:            userID,
-		OrgID:             orgID,
+		OrgID:             verifiedOrgID,
 		ProjectID:         projectID,
 		AgentID:           agentID,
 		PreferredLanguage: prefLang,
--- a/internal/api/authz/permissions.go
+++ b/internal/api/authz/permissions.go
@@ -7,12 +7,8 @@ import (
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )

-func CheckPermission(ctx context.Context, resolver MembershipsResolver, roleMappings []RoleMapping, permission, orgID, resourceID string, allowSelf bool) (err error) {
-	ctxData := GetCtxData(ctx)
-	if allowSelf && ctxData.UserID == resourceID {
-		return nil
-	}
-	requestedPermissions, _, err := getUserPermissions(ctx, resolver, permission, roleMappings, ctxData, orgID)
+func CheckPermission(ctx context.Context, resolver MembershipsResolver, roleMappings []RoleMapping, permission, orgID, resourceID string) (err error) {
+	requestedPermissions, _, err := getUserPermissions(ctx, resolver, permission, roleMappings, GetCtxData(ctx), orgID)
 	if err != nil {
 		return err
 	}
--- a/internal/api/authz/permissions_test.go
+++ b/internal/api/authz/permissions_test.go
@@ -26,8 +26,8 @@ func (v *testVerifier) ProjectIDAndOriginsByClientID(ctx context.Context, client
 	return "", nil, nil
 }

-func (v *testVerifier) ExistsOrg(ctx context.Context, orgID string) error {
-	return nil
+func (v *testVerifier) ExistsOrg(ctx context.Context, orgID, domain string) (string, error) {
+	return orgID, nil
 }

 func (v *testVerifier) VerifierClientID(ctx context.Context, appName string) (string, string, error) {
--- a/internal/api/authz/token.go
+++ b/internal/api/authz/token.go
@@ -3,6 +3,8 @@ package authz
 import (
 	"context"
 	"crypto/rsa"
+	"encoding/base64"
+	"fmt"
 	"os"
 	"strings"
 	"sync"
@@ -17,7 +19,8 @@ import (
 )

 const (
-	BearerPrefix = "Bearer "
+	BearerPrefix       = "Bearer "
+	SessionTokenFormat = "sess_%s:%s"
 )

 type TokenVerifier struct {
@@ -36,7 +39,7 @@ type authZRepo interface {
 	VerifierClientID(ctx context.Context, name string) (clientID, projectID string, err error)
 	SearchMyMemberships(ctx context.Context, orgID string) ([]*Membership, error)
 	ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error)
-	ExistsOrg(ctx context.Context, orgID string) error
+	ExistsOrg(ctx context.Context, id, domain string) (string, error)
 }

 func Start(authZRepo authZRepo, issuer string, keys map[string]*SystemAPIUser) (v *TokenVerifier) {
@@ -144,10 +147,10 @@ func (v *TokenVerifier) ProjectIDAndOriginsByClientID(ctx context.Context, clien
 	return v.authZRepo.ProjectIDAndOriginsByClientID(ctx, clientID)
 }

-func (v *TokenVerifier) ExistsOrg(ctx context.Context, orgID string) (err error) {
+func (v *TokenVerifier) ExistsOrg(ctx context.Context, id, domain string) (orgID string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	return v.authZRepo.ExistsOrg(ctx, orgID)
+	return v.authZRepo.ExistsOrg(ctx, id, domain)
 }

 func (v *TokenVerifier) CheckAuthMethod(method string) (Option, bool) {
@@ -165,3 +168,20 @@ func verifyAccessToken(ctx context.Context, token string, t *TokenVerifier, meth
 	}
 	return t.VerifyAccessToken(ctx, parts[1], method)
 }
+
+func SessionTokenVerifier(algorithm crypto.EncryptionAlgorithm) func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
+	return func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
+		decodedToken, err := base64.RawURLEncoding.DecodeString(sessionToken)
+		if err != nil {
+			return err
+		}
+		_, spanPasswordComparison := tracing.NewNamedSpan(ctx, "crypto.CompareHash")
+		var token string
+		token, err = algorithm.DecryptString(decodedToken, algorithm.EncryptionKeyID())
+		spanPasswordComparison.EndWithError(err)
+		if err != nil || token != fmt.Sprintf(SessionTokenFormat, sessionID, tokenID) {
+			return caos_errs.ThrowPermissionDenied(err, "COMMAND-sGr42", "Errors.Session.Token.Invalid")
+		}
+		return nil
+	}
+}