feat: setup (#1166)

* add setup steps

* refactoring

* omitempty

* cleanup

* begin org

* create org

* setup org

* setup org

* merge

* fixes

* fixes

* fixes

* add project

* add oidc application

* fix app creation

* add resourceOwner to writemodels

* resource owner

* cleanup

* global org, iam project and iam member in setup

* logs

* logs

* logs

* cleanup

* Update internal/v2/command/project.go

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* check project state

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
This commit is contained in:
Livio Amstutz
2021-01-12 12:59:51 +01:00
committed by GitHub
parent ff87264f95
commit e5731b0d3b
97 changed files with 1664 additions and 698 deletions


@@ -23,6 +23,7 @@ type CtxData struct {
ProjectID string
AgentID string
PreferredLanguage string
ResourceOwner string
}
func (ctxData CtxData) IsZero() bool {
@@ -47,7 +48,7 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *To
}
}
userID, clientID, agentID, prefLang, err := verifyAccessToken(ctx, token, t, method)
userID, clientID, agentID, prefLang, resourceOwner, err := verifyAccessToken(ctx, token, t, method)
if err != nil {
return CtxData{}, err
}
@@ -64,6 +65,7 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *To
ProjectID: projectID,
AgentID: agentID,
PreferredLanguage: prefLang,
ResourceOwner: resourceOwner,
}, nil
}
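Review bot: The new ResourceOwner field on CtxData carries no doc comment, and nothing in the hunk says how it relates to OrgID, which VerifyTokenAndCreateCtxData still receives as a separate orgID argument. Suggest adding above the field `// ResourceOwner is the organisation the authenticated user belongs to, as reported by the token verifier (OrgID is the organisation the request is scoped to).` — the parenthetical is my reading of the orgID parameter and should be confirmed. IsZero's body lies outside the hunk; worth checking whether it should take the new field into account.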


@@ -15,8 +15,8 @@ type testVerifier struct {
grant *Grant
}
func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, error) {
return "userID", "agentID", "de", nil
func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, string, error) {
return "userID", "agentID", "de", "orgID", nil
}
func (v *testVerifier) ResolveGrants(ctx context.Context) (*Grant, error) {


@@ -20,7 +20,7 @@ type TokenVerifier struct {
}
type authZRepo interface {
VerifyAccessToken(ctx context.Context, token, clientID string) (userID, agentID, prefLang string, err error)
VerifyAccessToken(ctx context.Context, token, clientID string) (userID, agentID, prefLang, resourceOwner string, err error)
VerifierClientID(ctx context.Context, name string) (clientID string, err error)
ResolveGrants(ctx context.Context) (grant *Grant, err error)
ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error)
@@ -31,13 +31,13 @@ func Start(authZRepo authZRepo) (v *TokenVerifier) {
return &TokenVerifier{authZRepo: authZRepo}
}
func (v *TokenVerifier) VerifyAccessToken(ctx context.Context, token string, method string) (userID, clientID, agentID, prefLang string, err error) {
func (v *TokenVerifier) VerifyAccessToken(ctx context.Context, token string, method string) (userID, clientID, agentID, prefLang, resourceOwner string, err error) {
clientID, err = v.clientIDFromMethod(ctx, method)
if err != nil {
return "", "", "", "", err
return "", "", "", "", "", err
}
userID, agentID, prefLang, err = v.authZRepo.VerifyAccessToken(ctx, token, clientID)
return userID, clientID, agentID, prefLang, err
userID, agentID, prefLang, resourceOwner, err = v.authZRepo.VerifyAccessToken(ctx, token, clientID)
return userID, clientID, agentID, prefLang, resourceOwner, err
}
type client struct {
@@ -111,13 +111,13 @@ func (v *TokenVerifier) CheckAuthMethod(method string) (Option, bool) {
return authOpt, ok
}
func verifyAccessToken(ctx context.Context, token string, t *TokenVerifier, method string) (userID, clientID, agentID, prefLang string, err error) {
func verifyAccessToken(ctx context.Context, token string, t *TokenVerifier, method string) (userID, clientID, agentID, prefLan, resourceOwner string, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
parts := strings.Split(token, BearerPrefix)
if len(parts) != 2 {
return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "AUTH-7fs1e", "invalid auth header")
return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "AUTH-7fs1e", "invalid auth header")
}
return t.VerifyAccessToken(ctx, parts[1], method)
}
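Review bot: The named result `prefLan` in the new signature of verifyAccessToken is a typo for `prefLang`; it compiles because the body returns t.VerifyAccessToken's results directly, but it no longer matches the authZRepo interface and TokenVerifier.VerifyAccessToken in the hunk above. Change the signature to `func verifyAccessToken(ctx context.Context, token string, t *TokenVerifier, method string) (userID, clientID, agentID, prefLang, resourceOwner string, err error) {`. It would also help to note on TokenVerifier.VerifyAccessToken that resourceOwner is passed through from authZRepo unchanged and is not checked against any organisation at this layer.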


@@ -58,7 +58,7 @@ func Test_VerifyAccessToken(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_, _, _, _, err := verifyAccessToken(tt.args.ctx, tt.args.token, tt.args.verifier, tt.args.method)
_, _, _, _, _, err := verifyAccessToken(tt.args.ctx, tt.args.token, tt.args.verifier, tt.args.method)
if tt.wantErr && err == nil {
t.Errorf("got wrong result, should get err: actual: %v ", err)
}


@@ -2,9 +2,10 @@ package auth
import (
"context"
"github.com/caos/zitadel/internal/api/authz"
"github.com/golang/protobuf/ptypes/empty"
"github.com/caos/zitadel/internal/api/authz"
"github.com/caos/zitadel/pkg/grpc/auth"
)
@@ -71,7 +72,7 @@ func (s *Server) UpdateMyUserProfile(ctx context.Context, request *auth.UpdateUs
func (s *Server) ChangeMyUserName(ctx context.Context, request *auth.ChangeUserNameRequest) (*empty.Empty, error) {
ctxData := authz.GetCtxData(ctx)
return &empty.Empty{}, s.command.ChangeUsername(ctx, ctxData.OrgID, ctxData.UserID, request.UserName)
return &empty.Empty{}, s.command.ChangeUsername(ctx, ctxData.ResourceOwner, ctxData.UserID, request.UserName)
}
func (s *Server) ChangeMyUserEmail(ctx context.Context, request *auth.UpdateUserEmailRequest) (*auth.UserEmail, error) {


@@ -3,7 +3,6 @@ package auth
import (
"context"
"encoding/json"
"github.com/caos/zitadel/internal/v2/domain"
"github.com/caos/logging"
"github.com/golang/protobuf/ptypes"
@@ -15,6 +14,7 @@ import (
"github.com/caos/zitadel/internal/eventstore/models"
"github.com/caos/zitadel/internal/telemetry/tracing"
usr_model "github.com/caos/zitadel/internal/user/model"
"github.com/caos/zitadel/internal/v2/domain"
"github.com/caos/zitadel/pkg/grpc/auth"
"github.com/caos/zitadel/pkg/grpc/message"
)
@@ -103,7 +103,7 @@ func updateProfileToDomain(ctx context.Context, u *auth.UpdateUserProfileRequest
logging.Log("GRPC-lk73L").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Debug("language malformed")
return &domain.Profile{
ObjectRoot: models.ObjectRoot{AggregateID: authz.GetCtxData(ctx).UserID},
ObjectRoot: ctxToObjectRoot(ctx),
FirstName: u.FirstName,
LastName: u.LastName,
NickName: u.NickName,
@@ -148,7 +148,7 @@ func emailViewFromModel(email *usr_model.Email) *auth.UserEmailView {
func updateEmailToDomain(ctx context.Context, e *auth.UpdateUserEmailRequest) *domain.Email {
return &domain.Email{
ObjectRoot: models.ObjectRoot{AggregateID: authz.GetCtxData(ctx).UserID},
ObjectRoot: ctxToObjectRoot(ctx),
EmailAddress: e.Email,
}
}
@@ -189,7 +189,7 @@ func phoneViewFromModel(phone *usr_model.Phone) *auth.UserPhoneView {
func updatePhoneToDomain(ctx context.Context, e *auth.UpdateUserPhoneRequest) *domain.Phone {
return &domain.Phone{
ObjectRoot: models.ObjectRoot{AggregateID: authz.GetCtxData(ctx).UserID},
ObjectRoot: ctxToObjectRoot(ctx),
PhoneNumber: e.Phone,
}
}
@@ -236,7 +236,7 @@ func addressViewFromModel(address *usr_model.Address) *auth.UserAddressView {
func updateAddressToModel(ctx context.Context, address *auth.UpdateUserAddressRequest) *usr_model.Address {
return &usr_model.Address{
ObjectRoot: models.ObjectRoot{AggregateID: authz.GetCtxData(ctx).UserID},
ObjectRoot: ctxToObjectRoot(ctx),
Country: address.Country,
StreetAddress: address.StreetAddress,
Region: address.Region,
@@ -254,7 +254,7 @@ func externalIDPSearchRequestToModel(request *auth.ExternalIDPSearchRequest) *us
func externalIDPRemoveToModel(ctx context.Context, idp *auth.ExternalIDPRemoveRequest) *usr_model.ExternalIDP {
return &usr_model.ExternalIDP{
ObjectRoot: models.ObjectRoot{AggregateID: authz.GetCtxData(ctx).UserID},
ObjectRoot: ctxToObjectRoot(ctx),
IDPConfigID: idp.IdpConfigId,
UserID: idp.ExternalUserId,
}
@@ -454,3 +454,11 @@ func webAuthNTokenFromModel(token *usr_model.WebAuthNToken) *auth.WebAuthNToken
State: mfaStateFromModel(token.State),
}
}
func ctxToObjectRoot(ctx context.Context) models.ObjectRoot {
ctxData := authz.GetCtxData(ctx)
return models.ObjectRoot{
AggregateID: ctxData.UserID,
ResourceOwner: ctxData.ResourceOwner,
}
}
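Review bot: ctxToObjectRoot has no doc comment, yet by replacing the inline ObjectRoot literal in five converters it becomes the single place deciding which ResourceOwner every self-service write carries. Suggest `// ctxToObjectRoot builds the ObjectRoot of the authenticated user from the request context: AggregateID is the caller's UserID and ResourceOwner is the caller's ResourceOwner.` above the function. Note that updateAddressToModel and externalIDPRemoveToModel build usr_model types while the other call sites build domain types; the shared helper presumably works for both because each embeds models.ObjectRoot.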


@@ -60,7 +60,7 @@ func (s *Server) CreateUser(ctx context.Context, in *management.CreateUserReques
}
func (s *Server) DeactivateUser(ctx context.Context, in *management.UserID) (*management.UserResponse, error) {
user, err := s.command.DeactivateUser(ctx, in.Id)
user, err := s.command.DeactivateUser(ctx, in.Id, authz.GetCtxData(ctx).OrgID)
if err != nil {
return nil, err
}
@@ -68,7 +68,7 @@ func (s *Server) DeactivateUser(ctx context.Context, in *management.UserID) (*ma
}
func (s *Server) ReactivateUser(ctx context.Context, in *management.UserID) (*management.UserResponse, error) {
user, err := s.command.ReactivateUser(ctx, in.Id)
user, err := s.command.ReactivateUser(ctx, in.Id, authz.GetCtxData(ctx).OrgID)
if err != nil {
return nil, err
}
@@ -76,7 +76,7 @@ func (s *Server) ReactivateUser(ctx context.Context, in *management.UserID) (*ma
}
func (s *Server) LockUser(ctx context.Context, in *management.UserID) (*management.UserResponse, error) {
user, err := s.command.LockUser(ctx, in.Id)
user, err := s.command.LockUser(ctx, in.Id, authz.GetCtxData(ctx).OrgID)
if err != nil {
return nil, err
}
@@ -84,7 +84,7 @@ func (s *Server) LockUser(ctx context.Context, in *management.UserID) (*manageme
}
func (s *Server) UnlockUser(ctx context.Context, in *management.UserID) (*management.UserResponse, error) {
user, err := s.command.UnlockUser(ctx, in.Id)
user, err := s.command.UnlockUser(ctx, in.Id, authz.GetCtxData(ctx).OrgID)
if err != nil {
return nil, err
}
@@ -92,12 +92,12 @@ func (s *Server) UnlockUser(ctx context.Context, in *management.UserID) (*manage
}
func (s *Server) DeleteUser(ctx context.Context, in *management.UserID) (*empty.Empty, error) {
err := s.command.RemoveUser(ctx, in.Id)
err := s.command.RemoveUser(ctx, in.Id, authz.GetCtxData(ctx).OrgID)
return &empty.Empty{}, err
}
func (s *Server) UpdateUserMachine(ctx context.Context, in *management.UpdateMachineRequest) (*management.MachineResponse, error) {
machine, err := s.command.ChangeMachine(ctx, updateMachineToDomain(in))
machine, err := s.command.ChangeMachine(ctx, updateMachineToDomain(authz.GetCtxData(ctx), in))
if err != nil {
return nil, err
}
@@ -141,7 +141,7 @@ func (s *Server) ChangeUserEmail(ctx context.Context, request *management.Update
}
func (s *Server) ResendEmailVerificationMail(ctx context.Context, in *management.UserID) (*empty.Empty, error) {
err := s.command.CreateHumanEmailVerificationCode(ctx, in.Id)
err := s.command.CreateHumanEmailVerificationCode(ctx, in.Id, authz.GetCtxData(ctx).OrgID)
return &empty.Empty{}, err
}
@@ -162,12 +162,12 @@ func (s *Server) ChangeUserPhone(ctx context.Context, request *management.Update
}
func (s *Server) RemoveUserPhone(ctx context.Context, userID *management.UserID) (*empty.Empty, error) {
err := s.command.RemoveHumanPhone(ctx, userID.Id)
err := s.command.RemoveHumanPhone(ctx, userID.Id, authz.GetCtxData(ctx).OrgID)
return &empty.Empty{}, err
}
func (s *Server) ResendPhoneVerificationCode(ctx context.Context, in *management.UserID) (*empty.Empty, error) {
err := s.command.CreateHumanPhoneVerificationCode(ctx, in.Id)
err := s.command.CreateHumanPhoneVerificationCode(ctx, in.Id, authz.GetCtxData(ctx).OrgID)
return &empty.Empty{}, err
}
@@ -180,7 +180,7 @@ func (s *Server) GetUserAddress(ctx context.Context, in *management.UserID) (*ma
}
func (s *Server) UpdateUserAddress(ctx context.Context, request *management.UpdateUserAddressRequest) (*management.UserAddress, error) {
address, err := s.command.ChangeHumanAddress(ctx, updateAddressToDomain(request))
address, err := s.command.ChangeHumanAddress(ctx, updateAddressToDomain(authz.GetCtxData(ctx), request))
if err != nil {
return nil, err
}
@@ -188,7 +188,7 @@ func (s *Server) UpdateUserAddress(ctx context.Context, request *management.Upda
}
func (s *Server) SendSetPasswordNotification(ctx context.Context, request *management.SetPasswordNotificationRequest) (*empty.Empty, error) {
err := s.command.RequestSetPassword(ctx, request.Id, notifyTypeToDomain(request.Type))
err := s.command.RequestSetPassword(ctx, request.Id, authz.GetCtxData(ctx).OrgID, notifyTypeToDomain(request.Type))
return &empty.Empty{}, err
}
@@ -197,7 +197,7 @@ func (s *Server) SetInitialPassword(ctx context.Context, request *management.Pas
}
func (s *Server) ResendInitialMail(ctx context.Context, request *management.InitialMailRequest) (*empty.Empty, error) {
return &empty.Empty{}, s.command.ResendInitialMail(ctx, request.Id, request.Email)
return &empty.Empty{}, s.command.ResendInitialMail(ctx, request.Id, request.Email, authz.GetCtxData(ctx).OrgID)
}
func (s *Server) SearchUserExternalIDPs(ctx context.Context, request *management.ExternalIDPSearchRequest) (*management.ExternalIDPSearchResponse, error) {
@@ -209,7 +209,7 @@ func (s *Server) SearchUserExternalIDPs(ctx context.Context, request *management
}
func (s *Server) RemoveExternalIDP(ctx context.Context, request *management.ExternalIDPRemoveRequest) (*empty.Empty, error) {
return &empty.Empty{}, s.command.RemoveHumanExternalIDP(ctx, externalIDPRemoveToDomain(request))
return &empty.Empty{}, s.command.RemoveHumanExternalIDP(ctx, externalIDPRemoveToDomain(authz.GetCtxData(ctx), request))
}
func (s *Server) GetUserMfas(ctx context.Context, userID *management.UserID) (*management.UserMultiFactors, error) {
@@ -221,11 +221,11 @@ func (s *Server) GetUserMfas(ctx context.Context, userID *management.UserID) (*m
}
func (s *Server) RemoveMfaOTP(ctx context.Context, userID *management.UserID) (*empty.Empty, error) {
return &empty.Empty{}, s.command.RemoveHumanOTP(ctx, userID.Id)
return &empty.Empty{}, s.command.RemoveHumanOTP(ctx, userID.Id, authz.GetCtxData(ctx).OrgID)
}
func (s *Server) RemoveMfaU2F(ctx context.Context, webAuthNTokenID *management.WebAuthNTokenID) (*empty.Empty, error) {
return &empty.Empty{}, s.command.RemoveHumanU2F(ctx, webAuthNTokenID.UserId, webAuthNTokenID.Id)
return &empty.Empty{}, s.command.RemoveHumanU2F(ctx, webAuthNTokenID.UserId, webAuthNTokenID.Id, authz.GetCtxData(ctx).OrgID)
}
func (s *Server) GetPasswordless(ctx context.Context, userID *management.UserID) (_ *management.WebAuthNTokens, err error) {
@@ -237,7 +237,7 @@ func (s *Server) GetPasswordless(ctx context.Context, userID *management.UserID)
}
func (s *Server) RemovePasswordless(ctx context.Context, id *management.WebAuthNTokenID) (*empty.Empty, error) {
return &empty.Empty{}, s.command.RemoveHumanPasswordless(ctx, id.UserId, id.Id)
return &empty.Empty{}, s.command.RemoveHumanPasswordless(ctx, id.UserId, id.Id, authz.GetCtxData(ctx).OrgID)
}
func (s *Server) SearchUserMemberships(ctx context.Context, in *management.UserMembershipSearchRequest) (*management.UserMembershipSearchResponse, error) {
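Review bot: Every command in this hunk receives `authz.GetCtxData(ctx).OrgID` as the resource owner, but UpdateUserMachine and RemoveExternalIDP hand the whole ctxData to a converter, and in the following sections externalIDPRemoveToDomain and updateMachineToDomain fill ObjectRoot.ResourceOwner from `ctxData.ResourceOwner` while updateAddressToDomain uses `ctxData.OrgID`. If OrgID and ResourceOwner can differ for a management call (the auth API hunk treating them as distinct suggests they can), those two converters bind the write to the caller's own organisation instead of the organisation the request targets, which is an authorization boundary worth pinning down. Suggest `ResourceOwner: ctxData.OrgID,` in both converters, or a comment stating why they intentionally differ from the direct calls here. Raised once here; it applies equally to the externalIDPRemoveToDomain and updateMachineToDomain hunks below.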


@@ -4,12 +4,14 @@ import (
"encoding/json"
"github.com/caos/logging"
"github.com/caos/zitadel/internal/v2/domain"
"github.com/golang/protobuf/ptypes"
"golang.org/x/text/language"
"google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/types/known/structpb"
"github.com/caos/zitadel/internal/api/authz"
"github.com/caos/zitadel/internal/v2/domain"
"github.com/caos/zitadel/internal/eventstore/models"
"github.com/caos/zitadel/internal/model"
usr_model "github.com/caos/zitadel/internal/user/model"
@@ -76,9 +78,12 @@ func externalIDPSearchRequestToModel(request *management.ExternalIDPSearchReques
}
}
func externalIDPRemoveToDomain(idp *management.ExternalIDPRemoveRequest) *domain.ExternalIDP {
func externalIDPRemoveToDomain(ctxData authz.CtxData, idp *management.ExternalIDPRemoveRequest) *domain.ExternalIDP {
return &domain.ExternalIDP{
ObjectRoot: models.ObjectRoot{AggregateID: idp.UserId},
ObjectRoot: models.ObjectRoot{
AggregateID: idp.UserId,
ResourceOwner: ctxData.ResourceOwner,
},
IDPConfigID: idp.IdpConfigId,
ExternalUserID: idp.ExternalUserId,
}
@@ -387,9 +392,12 @@ func addressViewFromModel(address *usr_model.Address) *management.UserAddressVie
}
}
func updateAddressToDomain(address *management.UpdateUserAddressRequest) *domain.Address {
func updateAddressToDomain(ctxData authz.CtxData, address *management.UpdateUserAddressRequest) *domain.Address {
return &domain.Address{
ObjectRoot: models.ObjectRoot{AggregateID: address.Id},
ObjectRoot: models.ObjectRoot{
AggregateID: address.Id,
ResourceOwner: ctxData.OrgID,
},
Country: address.Country,
StreetAddress: address.StreetAddress,
Region: address.Region,


@@ -2,15 +2,18 @@ package management
import (
"encoding/json"
"github.com/caos/zitadel/internal/v2/domain"
"time"
"github.com/caos/zitadel/internal/api/authz"
"github.com/caos/zitadel/internal/v2/domain"
"github.com/caos/logging"
"github.com/golang/protobuf/ptypes"
"github.com/caos/zitadel/internal/eventstore/models"
"github.com/caos/zitadel/internal/model"
usr_model "github.com/caos/zitadel/internal/user/model"
"github.com/caos/zitadel/pkg/grpc/management"
"github.com/golang/protobuf/ptypes"
)
func machineCreateToDomain(machine *management.CreateMachineRequest) *domain.Machine {
@@ -20,9 +23,12 @@ func machineCreateToDomain(machine *management.CreateMachineRequest) *domain.Mac
}
}
func updateMachineToDomain(machine *management.UpdateMachineRequest) *domain.Machine {
func updateMachineToDomain(ctxData authz.CtxData, machine *management.UpdateMachineRequest) *domain.Machine {
return &domain.Machine{
ObjectRoot: models.ObjectRoot{AggregateID: machine.Id},
ObjectRoot: models.ObjectRoot{
AggregateID: machine.Id,
ResourceOwner: ctxData.ResourceOwner,
},
Name: machine.Name,
Description: machine.Description,
}
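Review bot: The rewritten import block places the internal authz and domain packages between "time" and the third-party github.com/caos/logging, and leaves github.com/golang/protobuf/ptypes at the end of the internal group; goimports would keep stdlib first and otherwise group by origin, and the rest of the file's internal/... imports sit together. Suggest moving the authz and domain lines down beside the other github.com/caos/zitadel/internal imports and ptypes up with logging. The typo-free part of the change is fine as is.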


@@ -21,8 +21,8 @@ var (
type verifierMock struct{}
func (v *verifierMock) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, error) {
return "", "", "", nil
func (v *verifierMock) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, string, error) {
return "", "", "", "", nil
}
func (v *verifierMock) ResolveGrants(ctx context.Context) (*authz.Grant, error) {
return nil, nil