mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-15 20:38:00 +00:00
0e181b218c
This PR adds the functionality to manage user schemas through the new user schema service. It includes the possibility to create a basic JSON schema and also provides a way on defining permissions (read, write) for owner and self context with an annotation. Further annotations for OIDC claims and SAML attribute mappings will follow. A guide on how to create a schema and assign permissions has been started. It will be extended though out the process of implementing the schema and users based on those. Note: This feature is in an early stage and therefore not enabled by default. To test it out, please enable the UserSchema feature flag on your instance / system though the feature service.
121 lines
2.8 KiB
Go
121 lines
2.8 KiB
Go
package schema
|
|
|
|
import (
|
|
_ "embed"
|
|
|
|
"github.com/santhosh-tekuri/jsonschema/v5"
|
|
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
var (
|
|
//go:embed permission.schema.v1.json
|
|
permissionJSON string
|
|
|
|
permissionSchema = jsonschema.MustCompileString(PermissionSchemaID, permissionJSON)
|
|
)
|
|
|
|
const (
|
|
PermissionSchemaID = "urn:zitadel:schema:permission-schema:v1"
|
|
PermissionProperty = "urn:zitadel:schema:permission"
|
|
)
|
|
|
|
type role int32
|
|
|
|
const (
|
|
roleUnspecified role = iota
|
|
roleSelf
|
|
roleOwner
|
|
)
|
|
|
|
type permissionExtension struct {
|
|
role role
|
|
}
|
|
|
|
// Compile implements the [jsonschema.ExtCompiler] interface.
|
|
// It parses the permission schema extension / annotation of the passed field.
|
|
func (c permissionExtension) Compile(ctx jsonschema.CompilerContext, m map[string]interface{}) (_ jsonschema.ExtSchema, err error) {
|
|
perm, ok := m[PermissionProperty]
|
|
if !ok {
|
|
return nil, nil
|
|
}
|
|
p, ok := perm.(map[string]interface{})
|
|
if !ok {
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "SCHEMA-WR5gs", "invalid permission")
|
|
}
|
|
perms := new(permissions)
|
|
for key, value := range p {
|
|
switch key {
|
|
case "self":
|
|
perms.self, err = mapPermission(value)
|
|
if err != nil {
|
|
return
|
|
}
|
|
case "owner":
|
|
perms.owner, err = mapPermission(value)
|
|
if err != nil {
|
|
return
|
|
}
|
|
default:
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "SCHEMA-GFjio", "invalid permission role")
|
|
}
|
|
}
|
|
return permissionExtensionConfig{c.role, perms}, nil
|
|
}
|
|
|
|
type permissionExtensionConfig struct {
|
|
role role
|
|
permissions *permissions
|
|
}
|
|
|
|
// Validate implements the [jsonschema.ExtSchema] interface.
|
|
// It validates the fields of the json instance according to the permission schema.
|
|
func (s permissionExtensionConfig) Validate(ctx jsonschema.ValidationContext, v interface{}) error {
|
|
switch s.role {
|
|
case roleSelf:
|
|
if s.permissions.self == nil || !s.permissions.self.write {
|
|
return ctx.Error("permission", "missing required permission")
|
|
}
|
|
return nil
|
|
case roleOwner:
|
|
if s.permissions.owner == nil || !s.permissions.owner.write {
|
|
return ctx.Error("permission", "missing required permission")
|
|
}
|
|
return nil
|
|
case roleUnspecified:
|
|
fallthrough
|
|
default:
|
|
return ctx.Error("permission", "missing required permission")
|
|
}
|
|
}
|
|
|
|
func mapPermission(value any) (*permission, error) {
|
|
p := new(permission)
|
|
switch v := value.(type) {
|
|
case string:
|
|
for _, s := range v {
|
|
switch s {
|
|
case 'r':
|
|
p.read = true
|
|
case 'w':
|
|
p.write = true
|
|
default:
|
|
return nil, zerrors.ThrowInvalidArgumentf(nil, "SCHEMA-EZ5zjh", "invalid permission pattern: `%s` in (%s)", string(s), v)
|
|
}
|
|
}
|
|
return p, nil
|
|
default:
|
|
return nil, zerrors.ThrowInvalidArgumentf(nil, "SCHEMA-E5h31", "invalid permission type %T (%v)", v, v)
|
|
}
|
|
}
|
|
|
|
type permissions struct {
|
|
self *permission
|
|
owner *permission
|
|
}
|
|
|
|
type permission struct {
|
|
read bool
|
|
write bool
|
|
}
|