mirror of
https://github.com/zitadel/zitadel.git
synced 2025-07-16 10:38:50 +00:00
07ce3b6905
This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
81 lines
2.4 KiB
Go
81 lines
2.4 KiB
Go
package integration
|
|
|
|
import (
|
|
"context"
|
|
_ "embed"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/client"
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/credentials/insecure"
|
|
|
|
http_util "github.com/zitadel/zitadel/internal/api/http"
|
|
"github.com/zitadel/zitadel/pkg/grpc/system"
|
|
)
|
|
|
|
var (
|
|
//go:embed config/system-user-key.pem
|
|
systemUserKey []byte
|
|
//go:embed config/system-user-with-no-permissions.pem
|
|
systemUserWithNoPermissions []byte
|
|
)
|
|
|
|
var (
|
|
// SystemClient creates a system connection once and reuses it on every use.
|
|
// Each client call automatically gets the authorization context for the system user.
|
|
SystemClient = sync.OnceValue[system.SystemServiceClient](systemClient)
|
|
SystemToken string
|
|
SystemUserWithNoPermissionsToken string
|
|
)
|
|
|
|
func systemClient() system.SystemServiceClient {
|
|
cc, err := grpc.NewClient(loadedConfig.Host(),
|
|
grpc.WithTransportCredentials(insecure.NewCredentials()),
|
|
grpc.WithChainUnaryInterceptor(func(ctx context.Context, method string, req, reply any, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
|
|
ctx = WithSystemAuthorization(ctx)
|
|
return invoker(ctx, method, req, reply, cc, opts...)
|
|
}),
|
|
)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return system.NewSystemServiceClient(cc)
|
|
}
|
|
|
|
func createSystemUserToken() string {
|
|
const ISSUER = "tester"
|
|
audience := http_util.BuildOrigin(loadedConfig.Host(), loadedConfig.Secure)
|
|
signer, err := client.NewSignerFromPrivateKeyByte(systemUserKey, "")
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
token, err := client.SignedJWTProfileAssertion(ISSUER, []string{audience}, time.Hour, signer)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return token
|
|
}
|
|
|
|
func createSystemUserWithNoPermissionsToken() string {
|
|
const ISSUER = "system-user-with-no-permissions"
|
|
audience := http_util.BuildOrigin(loadedConfig.Host(), loadedConfig.Secure)
|
|
signer, err := client.NewSignerFromPrivateKeyByte(systemUserWithNoPermissions, "")
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
token, err := client.SignedJWTProfileAssertion(ISSUER, []string{audience}, time.Hour, signer)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return token
|
|
}
|
|
|
|
func WithSystemAuthorization(ctx context.Context) context.Context {
|
|
return WithAuthorizationToken(ctx, SystemToken)
|
|
}
|
|
|
|
func WithSystemUserWithNoPermissionsAuthorization(ctx context.Context) context.Context {
|
|
return WithAuthorizationToken(ctx, SystemUserWithNoPermissionsToken)
|
|
}
|