fix: add pat endpoints

2025-12-07 07:16:54 +00:00 · 2024-09-27 11:47:01 +02:00
parent 1afd9bc198
commit ee5de6563a
9 changed files with 1306 additions and 10 deletions
--- a/internal/command/user_v3_pat.go
+++ b/internal/command/user_v3_pat.go
@@ -0,0 +1,103 @@
+package command
+
+import (
+	"context"
+	"encoding/base64"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+const (
+	PATPrefix = "pat_"
+)
+
+type AddPAT struct {
+	ResourceOwner string
+	UserID        string
+
+	ExpirationDate time.Time
+	Scope          []string
+	Token          string
+}
+
+func (wm *AddPAT) GetExpirationDate() time.Time {
+	return wm.ExpirationDate
+}
+
+func (wm *AddPAT) SetExpirationDate(date time.Time) {
+	wm.ExpirationDate = date
+}
+
+func (c *Commands) AddPAT(ctx context.Context, pat *AddPAT) (*domain.ObjectDetails, error) {
+	if pat.UserID == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-14sGR7lTaj", "Errors.IDMissing")
+	}
+	schemauser, err := existingSchemaUser(ctx, c, pat.ResourceOwner, pat.UserID)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = existingSchema(ctx, c, "", schemauser.SchemaID)
+	if err != nil {
+		return nil, err
+	}
+	// TODO check for possible authenticators
+
+	id, err := c.idGenerator.Next()
+	if err != nil {
+		return nil, err
+	}
+	writeModel, err := c.getSchemaPATWM(ctx, schemauser.ResourceOwner, schemauser.AggregateID, id)
+	if err != nil {
+		return nil, err
+	}
+
+	events, err := writeModel.NewCreate(ctx, pat.ExpirationDate, pat.Scope)
+	if err != nil {
+		return nil, err
+	}
+	pat.Token, err = createSchemaUserPAT(c.keyAlgorithm, writeModel.AggregateID, pat.UserID)
+	if err != nil {
+		return nil, err
+	}
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
+}
+
+func (c *Commands) DeletePAT(ctx context.Context, resourceOwner, userID, id string) (*domain.ObjectDetails, error) {
+	if userID == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-hzqeAXW1qP", "Errors.IDMissing")
+	}
+	if id == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-BNNYJz6Yxt", "Errors.IDMissing")
+	}
+
+	writeModel, err := c.getSchemaPATWM(ctx, resourceOwner, userID, id)
+	if err != nil {
+		return nil, err
+	}
+
+	events, err := writeModel.NewDelete(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
+}
+
+func (c *Commands) getSchemaPATWM(ctx context.Context, resourceOwner, userID, id string) (*PATV3WriteModel, error) {
+	writeModel := NewPATV3WriteModel(resourceOwner, userID, id, c.checkPermission)
+	if err := c.eventstore.FilterToQueryReducer(ctx, writeModel); err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}
+
+func createSchemaUserPAT(algorithm crypto.EncryptionAlgorithm, tokenID, userID string) (string, error) {
+	encrypted, err := algorithm.Encrypt([]byte(tokenID + ":" + userID))
+	if err != nil {
+		return "", err
+	}
+	return PATPrefix + base64.RawURLEncoding.EncodeToString(encrypted), nil
+}
--- a/internal/command/user_v3_pat_model.go
+++ b/internal/command/user_v3_pat_model.go
@@ -0,0 +1,126 @@
+package command
+
+import (
+	"context"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/user/authenticator"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+type PATV3WriteModel struct {
+	eventstore.WriteModel
+	UserID         string
+	ExpirationDate time.Time
+	Scopes         []string
+
+	checkPermission domain.PermissionCheck
+}
+
+func (wm *PATV3WriteModel) GetWriteModel() *eventstore.WriteModel {
+	return &wm.WriteModel
+}
+
+func NewPATV3WriteModel(resourceOwner, userID, id string, checkPermission domain.PermissionCheck) *PATV3WriteModel {
+	return &PATV3WriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   id,
+			ResourceOwner: resourceOwner,
+		},
+		UserID:          userID,
+		checkPermission: checkPermission,
+	}
+}
+
+func (wm *PATV3WriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *authenticator.PATCreatedEvent:
+			if e.UserID != wm.UserID {
+				continue
+			}
+			wm.UserID = e.UserID
+			wm.Scopes = e.Scopes
+			wm.ExpirationDate = e.ExpirationDate
+		case *authenticator.PATDeletedEvent:
+			wm.UserID = ""
+			wm.Scopes = nil
+			wm.ExpirationDate = time.Time{}
+		}
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *PATV3WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		ResourceOwner(wm.ResourceOwner).
+		AddQuery().
+		AggregateTypes(authenticator.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		EventTypes(
+			authenticator.PATCreatedType,
+			authenticator.PATDeletedType,
+		).Builder()
+}
+
+func (wm *PATV3WriteModel) checkPermissionWrite(ctx context.Context) error {
+	if wm.UserID == authz.GetCtxData(ctx).UserID {
+		return nil
+	}
+	if err := wm.checkPermission(ctx, domain.PermissionUserWrite, wm.ResourceOwner, wm.UserID); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (wm *PATV3WriteModel) NewCreate(
+	ctx context.Context,
+	expirationDate time.Time,
+	scopes []string,
+) ([]eventstore.Command, error) {
+	if err := wm.NotExists(); err != nil {
+		return nil, err
+	}
+	if err := wm.checkPermissionWrite(ctx); err != nil {
+		return nil, err
+	}
+	return []eventstore.Command{
+		authenticator.NewPATCreatedEvent(ctx,
+			AuthenticatorAggregateFromWriteModel(wm.GetWriteModel()),
+			wm.UserID,
+			expirationDate,
+			scopes,
+		),
+	}, nil
+}
+
+func (wm *PATV3WriteModel) NewDelete(ctx context.Context) ([]eventstore.Command, error) {
+	if err := wm.Exists(); err != nil {
+		return nil, err
+	}
+	if err := wm.checkPermissionWrite(ctx); err != nil {
+		return nil, err
+	}
+	return []eventstore.Command{
+		authenticator.NewPATDeletedEvent(ctx,
+			AuthenticatorAggregateFromWriteModel(wm.GetWriteModel()),
+		),
+	}, nil
+}
+
+func (wm *PATV3WriteModel) Exists() error {
+	if len(wm.Scopes) == 0 {
+		return zerrors.ThrowNotFound(nil, "TODO", "TODO")
+	}
+	return nil
+}
+
+func (wm *PATV3WriteModel) NotExists() error {
+	if err := wm.Exists(); err != nil {
+		return nil
+	}
+	return zerrors.ThrowAlreadyExists(nil, "TODO", "TODO")
+}
--- a/internal/command/user_v3_pat_test.go
+++ b/internal/command/user_v3_pat_test.go
@@ -0,0 +1,404 @@
+package command
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/mock/gomock"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/id"
+	"github.com/zitadel/zitadel/internal/id/mock"
+	"github.com/zitadel/zitadel/internal/repository/user/authenticator"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+func filterPATExisting() expect {
+	return expectFilter(
+		eventFromEventPusher(
+			authenticator.NewPATCreatedEvent(
+				context.Background(),
+				&authenticator.NewAggregate("pk1", "org1").Aggregate,
+				"user1",
+				time.Time{},
+				[]string{"first", "second", "third"},
+			),
+		),
+	)
+}
+
+func TestCommands_AddPAT(t *testing.T) {
+	type fields struct {
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		idGenerator     id.Generator
+		checkPermission domain.PermissionCheck
+		tokenAlg        crypto.EncryptionAlgorithm
+	}
+	type args struct {
+		ctx  context.Context
+		user *AddPAT
+	}
+	type res struct {
+		details *domain.ObjectDetails
+		token   string
+		err     func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"no userID, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:  authz.NewMockContext("instanceID", "", ""),
+				user: &AddPAT{},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-14sGR7lTaj", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"user not existing, error",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &AddPAT{
+					UserID: "notexisting",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-syHyCsGmvM", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			"no permission, error",
+			fields{
+				eventstore: expectEventstore(
+					filterSchemaUserExisting(),
+					filterSchemaExisting(),
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+				idGenerator:     mock.ExpectID(t, "pk1"),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &AddPAT{
+					UserID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+		{
+			"userschema not existing, error",
+			fields{
+				eventstore: expectEventstore(
+					filterSchemaUserExisting(),
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &AddPAT{
+					UserID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-VLDTtxT3If", "Errors.UserSchema.NotExists"))
+				},
+			},
+		},
+		{
+			"pat added, ok",
+			fields{
+				eventstore: expectEventstore(
+					filterSchemaUserExisting(),
+					filterSchemaExisting(),
+					expectFilter(),
+					expectPush(
+						authenticator.NewPATCreatedEvent(
+							context.Background(),
+							&authenticator.NewAggregate("pk1", "org1").Aggregate,
+							"user1",
+							time.Time{},
+							[]string{"first", "second", "third"},
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				idGenerator:     mock.ExpectID(t, "pk1"),
+				tokenAlg:        crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &AddPAT{
+					UserID: "user1",
+					Scope:  []string{"first", "second", "third"},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+				token: "pat_cGsxOnVzZXIx",
+			},
+		},
+		{
+			"pat added, expirationdate, ok",
+			fields{
+				eventstore: expectEventstore(
+					filterSchemaUserExisting(),
+					filterSchemaExisting(),
+					expectFilter(),
+					expectPush(
+						authenticator.NewPATCreatedEvent(
+							context.Background(),
+							&authenticator.NewAggregate("pk1", "org1").Aggregate,
+							"user1",
+							time.Date(2024, time.January, 1, 1, 1, 1, 1, time.UTC),
+							[]string{"first", "second", "third"},
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				idGenerator:     mock.ExpectID(t, "pk1"),
+				tokenAlg:        crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &AddPAT{
+					UserID:         "user1",
+					ExpirationDate: time.Date(2024, time.January, 1, 1, 1, 1, 1, time.UTC),
+					Scope:          []string{"first", "second", "third"},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+				token: "pat_cGsxOnVzZXIx",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:      tt.fields.eventstore(t),
+				idGenerator:     tt.fields.idGenerator,
+				checkPermission: tt.fields.checkPermission,
+				keyAlgorithm:    tt.fields.tokenAlg,
+			}
+			details, err := c.AddPAT(tt.args.ctx, tt.args.user)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.details, details)
+				assert.Equal(t, tt.res.token, tt.args.user.Token)
+			}
+		})
+	}
+}
+
+func TestCommands_DeletePAT(t *testing.T) {
+	type fields struct {
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+	}
+	type args struct {
+		ctx           context.Context
+		resourceOwner string
+		userID        string
+		id            string
+	}
+	type res struct {
+		details *domain.ObjectDetails
+		err     func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"no userID, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-hzqeAXW1qP", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"no ID, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:    authz.NewMockContext("instanceID", "", ""),
+				userID: "user1",
+				id:     "",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-BNNYJz6Yxt", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"pk not existing, error",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:    authz.NewMockContext("instanceID", "", ""),
+				userID: "user1",
+				id:     "notexisting",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "TODO", "TODO"))
+				},
+			},
+		},
+		{
+			"pk already removed, error",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							authenticator.NewPATCreatedEvent(
+								context.Background(),
+								&authenticator.NewAggregate("pk1", "org1").Aggregate,
+								"user1",
+								time.Time{},
+								[]string{"first", "second", "third"},
+							),
+						),
+						eventFromEventPusher(
+							authenticator.NewPATDeletedEvent(
+								context.Background(),
+								&authenticator.NewAggregate("pk1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:    authz.NewMockContext("instanceID", "", ""),
+				userID: "user1",
+				id:     "notexisting",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "TODO", "TODO"))
+				},
+			},
+		},
+		{
+			"no permission, error",
+			fields{
+				eventstore: expectEventstore(
+					filterPATExisting(),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx:    authz.NewMockContext("instanceID", "", ""),
+				userID: "user1",
+				id:     "pk1",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+		{
+			"pk removed, ok",
+			fields{
+				eventstore: expectEventstore(
+					filterPATExisting(),
+					expectPush(
+						authenticator.NewPATDeletedEvent(
+							context.Background(),
+							&authenticator.NewAggregate("pk1", "org1").Aggregate,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:    authz.NewMockContext("instanceID", "", ""),
+				userID: "user1",
+				id:     "pk1",
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
+			}
+			details, err := c.DeletePAT(tt.args.ctx, tt.args.resourceOwner, tt.args.userID, tt.args.id)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.details, details)
+			}
+		})
+	}
+}