feat(api): new session service (#5801)

* backup new protoc plugin

* backup

* session

* backup

* initial implementation

* change to specific events

* implement tests

* cleanup

* refactor: use new protoc plugin for api v2

* change package

* simplify code

* cleanup

* cleanup

* fix merge

* start queries

* fix tests

* improve returned values

* add token to projection

* tests

* test db map

* update query

* permission checks

* fix tests and linting

* rework token creation

* i18n

* refactor token check and fix tests

* session to PB test

* request to query tests

* cleanup proto

* test user check

* add comment

* simplify database map type

* Update docs/docs/guides/integrate/access-zitadel-system-api.md

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

* fix test

* cleanup

* docs

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

internal/api/grpc/session/v2/server.go

@@ -6,16 +6,18 @@ import (
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/grpc/server"
 	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
-	"github.com/zitadel/zitadel/pkg/grpc/session/v2alpha"
+	session "github.com/zitadel/zitadel/pkg/grpc/session/v2alpha"
 )
 
 var _ session.SessionServiceServer = (*Server)(nil)
 
 type Server struct {
 	session.UnimplementedSessionServiceServer
-	command *command.Commands
-	query   *query.Queries
+	command         *command.Commands
+	query           *query.Queries
+	checkPermission domain.PermissionCheck
 }
 
 type Config struct{}
@@ -23,10 +25,12 @@ type Config struct{}
 func CreateServer(
 	command *command.Commands,
 	query *query.Queries,
+	checkPermission domain.PermissionCheck,
 ) *Server {
 	return &Server{
-		command: command,
-		query:   query,
+		command:         command,
+		query:           query,
+		checkPermission: checkPermission,
 	}
 }
 

internal/api/grpc/session/v2/session.go

@@ -3,16 +3,260 @@ package session
 import (
 	"context"
 
+	"google.golang.org/protobuf/types/known/timestamppb"
+
 	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/pkg/grpc/session/v2alpha"
-	"github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
+	"github.com/zitadel/zitadel/internal/command"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/query"
+	session "github.com/zitadel/zitadel/pkg/grpc/session/v2alpha"
 )
 
 func (s *Server) GetSession(ctx context.Context, req *session.GetSessionRequest) (*session.GetSessionResponse, error) {
+	res, err := s.query.SessionByID(ctx, req.GetSessionId(), req.GetSessionToken())
+	if err != nil {
+		return nil, err
+	}
 	return &session.GetSessionResponse{
-		Session: &session.Session{
-			Id:   req.Id,
-			User: &user.User{Id: authz.GetCtxData(ctx).UserID},
-		},
+		Session: sessionToPb(res),
 	}, nil
 }
+
+func (s *Server) ListSessions(ctx context.Context, req *session.ListSessionsRequest) (*session.ListSessionsResponse, error) {
+	queries, err := listSessionsRequestToQuery(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	sessions, err := s.query.SearchSessions(ctx, queries)
+	if err != nil {
+		return nil, err
+	}
+	return &session.ListSessionsResponse{
+		Details:  object.ToListDetails(sessions.SearchResponse),
+		Sessions: sessionsToPb(sessions.Sessions),
+	}, nil
+}
+
+func (s *Server) CreateSession(ctx context.Context, req *session.CreateSessionRequest) (*session.CreateSessionResponse, error) {
+	checks, metadata, err := s.createSessionRequestToCommand(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	set, err := s.command.CreateSession(ctx, checks, metadata)
+	if err != nil {
+		return nil, err
+	}
+	return &session.CreateSessionResponse{
+		Details:      object.DomainToDetailsPb(set.ObjectDetails),
+		SessionId:    set.ID,
+		SessionToken: set.NewToken,
+	}, nil
+}
+
+func (s *Server) SetSession(ctx context.Context, req *session.SetSessionRequest) (*session.SetSessionResponse, error) {
+	checks, err := s.setSessionRequestToCommand(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	set, err := s.command.UpdateSession(ctx, req.GetSessionId(), req.GetSessionToken(), checks, req.GetMetadata())
+	if err != nil {
+		return nil, err
+	}
+	// if there's no new token, just return the current
+	if set.NewToken == "" {
+		set.NewToken = req.GetSessionToken()
+	}
+	return &session.SetSessionResponse{
+		Details:      object.DomainToDetailsPb(set.ObjectDetails),
+		SessionToken: set.NewToken,
+	}, nil
+}
+
+func (s *Server) DeleteSession(ctx context.Context, req *session.DeleteSessionRequest) (*session.DeleteSessionResponse, error) {
+	details, err := s.command.TerminateSession(ctx, req.GetSessionId(), req.GetSessionToken())
+	if err != nil {
+		return nil, err
+	}
+	return &session.DeleteSessionResponse{
+		Details: object.DomainToDetailsPb(details),
+	}, nil
+}
+
+func sessionsToPb(sessions []*query.Session) []*session.Session {
+	s := make([]*session.Session, len(sessions))
+	for i, session := range sessions {
+		s[i] = sessionToPb(session)
+	}
+	return s
+}
+
+func sessionToPb(s *query.Session) *session.Session {
+	return &session.Session{
+		Id:           s.ID,
+		CreationDate: timestamppb.New(s.CreationDate),
+		ChangeDate:   timestamppb.New(s.ChangeDate),
+		Sequence:     s.Sequence,
+		Factors:      factorsToPb(s),
+		Metadata:     s.Metadata,
+	}
+}
+
+func factorsToPb(s *query.Session) *session.Factors {
+	user := userFactorToPb(s.UserFactor)
+	pw := passwordFactorToPb(s.PasswordFactor)
+	if user == nil && pw == nil {
+		return nil
+	}
+	return &session.Factors{
+		User:     user,
+		Password: pw,
+	}
+}
+
+func passwordFactorToPb(factor query.SessionPasswordFactor) *session.PasswordFactor {
+	if factor.PasswordCheckedAt.IsZero() {
+		return nil
+	}
+	return &session.PasswordFactor{
+		VerifiedAt: timestamppb.New(factor.PasswordCheckedAt),
+	}
+}
+
+func userFactorToPb(factor query.SessionUserFactor) *session.UserFactor {
+	if factor.UserID == "" || factor.UserCheckedAt.IsZero() {
+		return nil
+	}
+	return &session.UserFactor{
+		VerifiedAt:  timestamppb.New(factor.UserCheckedAt),
+		Id:          factor.UserID,
+		LoginName:   factor.LoginName,
+		DisplayName: factor.DisplayName,
+	}
+}
+
+func listSessionsRequestToQuery(ctx context.Context, req *session.ListSessionsRequest) (*query.SessionsSearchQueries, error) {
+	offset, limit, asc := object.ListQueryToQuery(req.Query)
+	queries, err := sessionQueriesToQuery(ctx, req.GetQueries())
+	if err != nil {
+		return nil, err
+	}
+	return &query.SessionsSearchQueries{
+		SearchRequest: query.SearchRequest{
+			Offset: offset,
+			Limit:  limit,
+			Asc:    asc,
+		},
+		Queries: queries,
+	}, nil
+}
+
+func sessionQueriesToQuery(ctx context.Context, queries []*session.SearchQuery) (_ []query.SearchQuery, err error) {
+	q := make([]query.SearchQuery, len(queries)+1)
+	for i, query := range queries {
+		q[i], err = sessionQueryToQuery(query)
+		if err != nil {
+			return nil, err
+		}
+	}
+	creatorQuery, err := query.NewSessionCreatorSearchQuery(authz.GetCtxData(ctx).UserID)
+	if err != nil {
+		return nil, err
+	}
+	q[len(queries)] = creatorQuery
+	return q, nil
+}
+
+func sessionQueryToQuery(query *session.SearchQuery) (query.SearchQuery, error) {
+	switch q := query.Query.(type) {
+	case *session.SearchQuery_IdsQuery:
+		return idsQueryToQuery(q.IdsQuery)
+	default:
+		return nil, caos_errs.ThrowInvalidArgument(nil, "GRPC-Sfefs", "List.Query.Invalid")
+	}
+}
+
+func idsQueryToQuery(q *session.IDsQuery) (query.SearchQuery, error) {
+	return query.NewSessionIDsSearchQuery(q.Ids)
+}
+
+func (s *Server) createSessionRequestToCommand(ctx context.Context, req *session.CreateSessionRequest) ([]command.SessionCheck, map[string][]byte, error) {
+	checks, err := s.checksToCommand(ctx, req.Checks)
+	if err != nil {
+		return nil, nil, err
+	}
+	return checks, req.GetMetadata(), nil
+}
+
+func (s *Server) setSessionRequestToCommand(ctx context.Context, req *session.SetSessionRequest) ([]command.SessionCheck, error) {
+	checks, err := s.checksToCommand(ctx, req.Checks)
+	if err != nil {
+		return nil, err
+	}
+	return checks, nil
+}
+
+func (s *Server) checksToCommand(ctx context.Context, checks *session.Checks) ([]command.SessionCheck, error) {
+	checkUser, err := userCheck(checks.GetUser())
+	if err != nil {
+		return nil, err
+	}
+	sessionChecks := make([]command.SessionCheck, 0, 2)
+	if checkUser != nil {
+		user, err := checkUser.search(ctx, s.query)
+		if err != nil {
+			return nil, err
+		}
+		sessionChecks = append(sessionChecks, command.CheckUser(user.ID))
+	}
+	if password := checks.GetPassword(); password != nil {
+		sessionChecks = append(sessionChecks, command.CheckPassword(password.GetPassword()))
+	}
+	return sessionChecks, nil
+}
+
+func userCheck(user *session.CheckUser) (userSearch, error) {
+	if user == nil {
+		return nil, nil
+	}
+	switch s := user.GetSearch().(type) {
+	case *session.CheckUser_UserId:
+		return userByID(s.UserId), nil
+	case *session.CheckUser_LoginName:
+		return userByLoginName(s.LoginName)
+	default:
+		return nil, caos_errs.ThrowUnimplementedf(nil, "SESSION-d3b4g0", "user search %T not implemented", s)
+	}
+}
+
+type userSearch interface {
+	search(ctx context.Context, q *query.Queries) (*query.User, error)
+}
+
+func userByID(userID string) userSearch {
+	return userSearchByID{userID}
+}
+
+func userByLoginName(loginName string) (userSearch, error) {
+	loginNameQuery, err := query.NewUserLoginNamesSearchQuery(loginName)
+	if err != nil {
+		return nil, err
+	}
+	return userSearchByLoginName{loginNameQuery}, nil
+}
+
+type userSearchByID struct {
+	id string
+}
+
+func (u userSearchByID) search(ctx context.Context, q *query.Queries) (*query.User, error) {
+	return q.GetUserByID(ctx, true, u.id, false)
+}
+
+type userSearchByLoginName struct {
+	loginNameQuery query.SearchQuery
+}
+
+func (u userSearchByLoginName) search(ctx context.Context, q *query.Queries) (*query.User, error) {
+	return q.GetUser(ctx, true, false, u.loginNameQuery)
+}

internal/api/grpc/session/v2/session_test.go

@@ -0,0 +1,379 @@
+package session
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/query"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
+	session "github.com/zitadel/zitadel/pkg/grpc/session/v2alpha"
+)
+
+func Test_sessionsToPb(t *testing.T) {
+	now := time.Now()
+	past := now.Add(-time.Hour)
+
+	sessions := []*query.Session{
+		{ // no factor
+			ID:            "999",
+			CreationDate:  now,
+			ChangeDate:    now,
+			Sequence:      123,
+			State:         domain.SessionStateActive,
+			ResourceOwner: "me",
+			Creator:       "he",
+			Metadata:      map[string][]byte{"hello": []byte("world")},
+		},
+		{ // user factor
+			ID:            "999",
+			CreationDate:  now,
+			ChangeDate:    now,
+			Sequence:      123,
+			State:         domain.SessionStateActive,
+			ResourceOwner: "me",
+			Creator:       "he",
+			UserFactor: query.SessionUserFactor{
+				UserID:        "345",
+				UserCheckedAt: past,
+				LoginName:     "donald",
+				DisplayName:   "donald duck",
+			},
+			Metadata: map[string][]byte{"hello": []byte("world")},
+		},
+		{ // no factor
+			ID:            "999",
+			CreationDate:  now,
+			ChangeDate:    now,
+			Sequence:      123,
+			State:         domain.SessionStateActive,
+			ResourceOwner: "me",
+			Creator:       "he",
+			PasswordFactor: query.SessionPasswordFactor{
+				PasswordCheckedAt: past,
+			},
+			Metadata: map[string][]byte{"hello": []byte("world")},
+		},
+	}
+
+	want := []*session.Session{
+		{ // no factor
+			Id:           "999",
+			CreationDate: timestamppb.New(now),
+			ChangeDate:   timestamppb.New(now),
+			Sequence:     123,
+			Factors:      nil,
+			Metadata:     map[string][]byte{"hello": []byte("world")},
+		},
+		{ // user factor
+			Id:           "999",
+			CreationDate: timestamppb.New(now),
+			ChangeDate:   timestamppb.New(now),
+			Sequence:     123,
+			Factors: &session.Factors{
+				User: &session.UserFactor{
+					VerifiedAt:  timestamppb.New(past),
+					Id:          "345",
+					LoginName:   "donald",
+					DisplayName: "donald duck",
+				},
+			},
+			Metadata: map[string][]byte{"hello": []byte("world")},
+		},
+		{ // password factor
+			Id:           "999",
+			CreationDate: timestamppb.New(now),
+			ChangeDate:   timestamppb.New(now),
+			Sequence:     123,
+			Factors: &session.Factors{
+				Password: &session.PasswordFactor{
+					VerifiedAt: timestamppb.New(past),
+				},
+			},
+			Metadata: map[string][]byte{"hello": []byte("world")},
+		},
+	}
+
+	out := sessionsToPb(sessions)
+	require.Len(t, out, len(want))
+
+	for i, got := range out {
+		if !proto.Equal(got, want[i]) {
+			t.Errorf("session %d got:\n%v\nwant:\n%v", i, got, want)
+		}
+	}
+}
+
+func mustNewTextQuery(t testing.TB, column query.Column, value string, compare query.TextComparison) query.SearchQuery {
+	q, err := query.NewTextQuery(column, value, compare)
+	require.NoError(t, err)
+	return q
+}
+
+func mustNewListQuery(t testing.TB, column query.Column, list []any, compare query.ListComparison) query.SearchQuery {
+	q, err := query.NewListQuery(query.SessionColumnID, list, compare)
+	require.NoError(t, err)
+	return q
+}
+
+func Test_listSessionsRequestToQuery(t *testing.T) {
+	type args struct {
+		ctx context.Context
+		req *session.ListSessionsRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *query.SessionsSearchQueries
+		wantErr error
+	}{
+		{
+			name: "default request",
+			args: args{
+				ctx: authz.NewMockContext("123", "456", "789"),
+				req: &session.ListSessionsRequest{},
+			},
+			want: &query.SessionsSearchQueries{
+				SearchRequest: query.SearchRequest{
+					Offset: 0,
+					Limit:  0,
+					Asc:    false,
+				},
+				Queries: []query.SearchQuery{
+					mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals),
+				},
+			},
+		},
+		{
+			name: "with list query and sessions",
+			args: args{
+				ctx: authz.NewMockContext("123", "456", "789"),
+				req: &session.ListSessionsRequest{
+					Query: &object.ListQuery{
+						Offset: 10,
+						Limit:  20,
+						Asc:    true,
+					},
+					Queries: []*session.SearchQuery{
+						{Query: &session.SearchQuery_IdsQuery{
+							IdsQuery: &session.IDsQuery{
+								Ids: []string{"1", "2", "3"},
+							},
+						}},
+						{Query: &session.SearchQuery_IdsQuery{
+							IdsQuery: &session.IDsQuery{
+								Ids: []string{"4", "5", "6"},
+							},
+						}},
+					},
+				},
+			},
+			want: &query.SessionsSearchQueries{
+				SearchRequest: query.SearchRequest{
+					Offset: 10,
+					Limit:  20,
+					Asc:    true,
+				},
+				Queries: []query.SearchQuery{
+					mustNewListQuery(t, query.SessionColumnID, []interface{}{"1", "2", "3"}, query.ListIn),
+					mustNewListQuery(t, query.SessionColumnID, []interface{}{"4", "5", "6"}, query.ListIn),
+					mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals),
+				},
+			},
+		},
+		{
+			name: "invalid argument error",
+			args: args{
+				ctx: authz.NewMockContext("123", "456", "789"),
+				req: &session.ListSessionsRequest{
+					Query: &object.ListQuery{
+						Offset: 10,
+						Limit:  20,
+						Asc:    true,
+					},
+					Queries: []*session.SearchQuery{
+						{Query: &session.SearchQuery_IdsQuery{
+							IdsQuery: &session.IDsQuery{
+								Ids: []string{"1", "2", "3"},
+							},
+						}},
+						{Query: nil},
+					},
+				},
+			},
+			wantErr: caos_errs.ThrowInvalidArgument(nil, "GRPC-Sfefs", "List.Query.Invalid"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := listSessionsRequestToQuery(tt.args.ctx, tt.args.req)
+			require.ErrorIs(t, err, tt.wantErr)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func Test_sessionQueriesToQuery(t *testing.T) {
+	type args struct {
+		ctx     context.Context
+		queries []*session.SearchQuery
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    []query.SearchQuery
+		wantErr error
+	}{
+		{
+			name: "creator only",
+			args: args{
+				ctx: authz.NewMockContext("123", "456", "789"),
+			},
+			want: []query.SearchQuery{
+				mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals),
+			},
+		},
+		{
+			name: "invalid argument",
+			args: args{
+				ctx: authz.NewMockContext("123", "456", "789"),
+				queries: []*session.SearchQuery{
+					{Query: nil},
+				},
+			},
+			wantErr: caos_errs.ThrowInvalidArgument(nil, "GRPC-Sfefs", "List.Query.Invalid"),
+		},
+		{
+			name: "creator and sessions",
+			args: args{
+				ctx: authz.NewMockContext("123", "456", "789"),
+				queries: []*session.SearchQuery{
+					{Query: &session.SearchQuery_IdsQuery{
+						IdsQuery: &session.IDsQuery{
+							Ids: []string{"1", "2", "3"},
+						},
+					}},
+					{Query: &session.SearchQuery_IdsQuery{
+						IdsQuery: &session.IDsQuery{
+							Ids: []string{"4", "5", "6"},
+						},
+					}},
+				},
+			},
+			want: []query.SearchQuery{
+				mustNewListQuery(t, query.SessionColumnID, []interface{}{"1", "2", "3"}, query.ListIn),
+				mustNewListQuery(t, query.SessionColumnID, []interface{}{"4", "5", "6"}, query.ListIn),
+				mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := sessionQueriesToQuery(tt.args.ctx, tt.args.queries)
+			require.ErrorIs(t, err, tt.wantErr)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func Test_sessionQueryToQuery(t *testing.T) {
+	type args struct {
+		query *session.SearchQuery
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    query.SearchQuery
+		wantErr error
+	}{
+		{
+			name: "invalid argument",
+			args: args{&session.SearchQuery{
+				Query: nil,
+			}},
+			wantErr: caos_errs.ThrowInvalidArgument(nil, "GRPC-Sfefs", "List.Query.Invalid"),
+		},
+		{
+			name: "query",
+			args: args{&session.SearchQuery{
+				Query: &session.SearchQuery_IdsQuery{
+					IdsQuery: &session.IDsQuery{
+						Ids: []string{"1", "2", "3"},
+					},
+				},
+			}},
+			want: mustNewListQuery(t, query.SessionColumnID, []interface{}{"1", "2", "3"}, query.ListIn),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := sessionQueryToQuery(tt.args.query)
+			require.ErrorIs(t, err, tt.wantErr)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func mustUserLoginNamesSearchQuery(t testing.TB, value string) query.SearchQuery {
+	loginNameQuery, err := query.NewUserLoginNamesSearchQuery("bar")
+	require.NoError(t, err)
+	return loginNameQuery
+}
+
+func Test_userCheck(t *testing.T) {
+	type args struct {
+		user *session.CheckUser
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    userSearch
+		wantErr error
+	}{
+		{
+			name: "nil user",
+			args: args{nil},
+			want: nil,
+		},
+		{
+			name: "by user id",
+			args: args{&session.CheckUser{
+				Search: &session.CheckUser_UserId{
+					UserId: "foo",
+				},
+			}},
+			want: userSearchByID{"foo"},
+		},
+		{
+			name: "by user id",
+			args: args{&session.CheckUser{
+				Search: &session.CheckUser_LoginName{
+					LoginName: "bar",
+				},
+			}},
+			want: userSearchByLoginName{mustUserLoginNamesSearchQuery(t, "bar")},
+		},
+		{
+			name: "unimplemented error",
+			args: args{&session.CheckUser{
+				Search: nil,
+			}},
+			wantErr: caos_errs.ThrowUnimplementedf(nil, "SESSION-d3b4g0", "user search %T not implemented", nil),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := userCheck(tt.args.user)
+			require.ErrorIs(t, err, tt.wantErr)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}