fix: add pat endpoints

2025-12-07 06:22:18 +00:00 · 2024-09-27 11:47:01 +02:00
parent 1afd9bc198
commit ee5de6563a
9 changed files with 1306 additions and 10 deletions
--- a/internal/api/grpc/resources/user/v3alpha/integration_test/pat_test.go
+++ b/internal/api/grpc/resources/user/v3alpha/integration_test/pat_test.go
@@ -0,0 +1,440 @@
+//go:build integration
+
+package user_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/brianvoe/gofakeit/v6"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
+	resource_object "github.com/zitadel/zitadel/pkg/grpc/resources/object/v3alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
+)
+
+func TestServer_AddPersonalAccessToken(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	type res struct {
+		want *resource_object.Details
+	}
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.AddPersonalAccessTokenRequest) error
+		req     *user.AddPersonalAccessTokenRequest
+		res     res
+		wantErr bool
+	}{
+		{
+			name: "pat add, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.AddPersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PersonalAccessToken: &user.SetPersonalAccessToken{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "pat add, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.AddPersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PersonalAccessToken: &user.SetPersonalAccessToken{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "pat add, pat empty",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.AddPersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PersonalAccessToken: &user.SetPersonalAccessToken{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "pat add, user not existing in org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.AddPersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "notexisting",
+					},
+				},
+				PersonalAccessToken: &user.SetPersonalAccessToken{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "pat add, user not existing",
+			ctx:  isolatedIAMOwnerCTX,
+			req: &user.AddPersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id:                  "notexisting",
+				PersonalAccessToken: &user.SetPersonalAccessToken{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "pat add, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.AddPersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PersonalAccessToken: &user.SetPersonalAccessToken{},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "pat add, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.AddPersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPersonalAccessTokenRequest{
+				PersonalAccessToken: &user.SetPersonalAccessToken{},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "pat add, expirationdate, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.AddPersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PersonalAccessToken: &user.SetPersonalAccessToken{},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "pat add, generated, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.AddPersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PersonalAccessToken: &user.SetPersonalAccessToken{},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				assert.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.AddPersonalAccessToken(tt.ctx, tt.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			assert.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.res.want, got.Details)
+		})
+	}
+}
+
+func TestServer_DeletePersonalAccessToken(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	type res struct {
+		want *resource_object.Details
+	}
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.RemovePersonalAccessTokenRequest) error
+		req     *user.RemovePersonalAccessTokenRequest
+		res     res
+		wantErr bool
+	}{
+		{
+			name: "pat delete, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.RemovePersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				patResp := instance.AddAuthenticatorPersonalAccessToken(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), userResp.GetDetails().GetId())
+				req.PersonalAccessTokenId = patResp.GetPersonalAccessTokenId()
+				return nil
+			},
+			req: &user.RemovePersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "pat delete, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.RemovePersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				patResp := instance.AddAuthenticatorPersonalAccessToken(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), userResp.GetDetails().GetId())
+				req.PersonalAccessTokenId = patResp.GetPersonalAccessTokenId()
+				return nil
+			},
+			req: &user.RemovePersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "pat remove, id empty",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			req: &user.RemovePersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PersonalAccessTokenId: "notempty",
+			},
+			wantErr: true,
+		},
+		{
+			name: "pat delete, userid empty",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			req: &user.RemovePersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "notempty",
+			},
+			wantErr: true,
+		},
+		{
+			name: "pat remove, not existing",
+			ctx:  isolatedIAMOwnerCTX,
+			req: &user.RemovePersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PersonalAccessTokenId: "notempty",
+				Id:                    "notexisting",
+			},
+			wantErr: true,
+		},
+		{
+			name: "pat remove, no pat",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.RemovePersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.RemovePersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "pat remove, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.RemovePersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				patResp := instance.AddAuthenticatorPersonalAccessToken(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), userResp.GetDetails().GetId())
+				req.PersonalAccessTokenId = patResp.GetPersonalAccessTokenId()
+				return nil
+			},
+			req: &user.RemovePersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "pat remove, already removed",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.RemovePersonalAccessTokenRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				resp := instance.AddAuthenticatorPersonalAccessToken(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				req.PersonalAccessTokenId = resp.GetPersonalAccessTokenId()
+				instance.RemoveAuthenticatorPersonalAccessToken(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, req.PersonalAccessTokenId)
+				return nil
+			},
+			req: &user.RemovePersonalAccessTokenRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				assert.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.RemovePersonalAccessToken(tt.ctx, tt.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+
+			}
+			assert.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.res.want, got.Details)
+
+		})
+	}
+}
--- a/internal/api/grpc/resources/user/v3alpha/pat.go
+++ b/internal/api/grpc/resources/user/v3alpha/pat.go
@@ -0,0 +1,57 @@
+package user
+
+import (
+	"context"
+	"time"
+
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+
+	resource_object "github.com/zitadel/zitadel/internal/api/grpc/resources/object/v3alpha"
+	z_oidc "github.com/zitadel/zitadel/internal/api/oidc"
+	"github.com/zitadel/zitadel/internal/command"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
+)
+
+func (s *Server) AddPersonalAccessToken(ctx context.Context, req *user.AddPersonalAccessTokenRequest) (_ *user.AddPersonalAccessTokenResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+	pat := addPersonalAccessTokenRequestToAddPAT(req)
+	details, err := s.command.AddPAT(ctx, pat)
+	if err != nil {
+		return nil, err
+	}
+	return &user.AddPersonalAccessTokenResponse{
+		Details:               resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+		PersonalAccessTokenId: details.ID,
+		PersonalAccessToken:   pat.Token,
+	}, nil
+}
+
+func addPersonalAccessTokenRequestToAddPAT(req *user.AddPersonalAccessTokenRequest) *command.AddPAT {
+	expDate := time.Time{}
+	if req.GetPersonalAccessToken().GetExpirationDate() != nil {
+		expDate = req.GetPersonalAccessToken().GetExpirationDate().AsTime()
+	}
+
+	return &command.AddPAT{
+		ResourceOwner:  organizationToUpdateResourceOwner(req.Organization),
+		UserID:         req.GetId(),
+		ExpirationDate: expDate,
+		Scope:          []string{oidc.ScopeOpenID, oidc.ScopeProfile, z_oidc.ScopeUserMetaData, z_oidc.ScopeResourceOwner},
+	}
+}
+
+func (s *Server) RemovePersonalAccessToken(ctx context.Context, req *user.RemovePersonalAccessTokenRequest) (_ *user.RemovePersonalAccessTokenResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+	details, err := s.command.DeletePAT(ctx, organizationToUpdateResourceOwner(req.Organization), req.GetId(), req.GetPersonalAccessTokenId())
+	if err != nil {
+		return nil, err
+	}
+	return &user.RemovePersonalAccessTokenResponse{
+		Details: resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+	}, nil
+}
--- a/internal/api/grpc/resources/user/v3alpha/publickey.go
+++ b/internal/api/grpc/resources/user/v3alpha/publickey.go
@@ -2,6 +2,7 @@ package user

 import (
 	"context"
+	"time"

 	resource_object "github.com/zitadel/zitadel/internal/api/grpc/resources/object/v3alpha"
 	"github.com/zitadel/zitadel/internal/command"
@@ -26,10 +27,15 @@ func (s *Server) AddPublicKey(ctx context.Context, req *user.AddPublicKeyRequest
 }

 func addPublicKeyRequestToAddPublicKey(req *user.AddPublicKeyRequest) *command.AddPublicKey {
+	expDate := time.Time{}
+	if req.GetPublicKey().GetExpirationDate() != nil {
+		expDate = req.GetPublicKey().GetExpirationDate().AsTime()
+	}
 	return &command.AddPublicKey{
-		ResourceOwner: organizationToUpdateResourceOwner(req.Organization),
-		UserID:        req.GetId(),
-		PublicKey:     req.GetPublicKey().GetPublicKey().GetPublicKey(),
+		ResourceOwner:  organizationToUpdateResourceOwner(req.Organization),
+		UserID:         req.GetId(),
+		PublicKey:      req.GetPublicKey().GetPublicKey().GetPublicKey(),
+		ExpirationDate: expDate,
 	}
 }