Elio Bischof 4980cd6a0c
feat: add SYSTEM_OWNER role (#6765)
* define roles and permissions

* support system user memberships

* don't limit system users

* cleanup permissions

* restrict memberships to aggregates

* default to SYSTEM_OWNER

* update unit tests

* test: system user token test (#6778)

* update unit tests

* refactor: make authz testable

* move session constants

* cleanup

* comment

* comment

* decode member type string to enum (#6780)

* decode member type string to enum

* handle all membership types

* decode enums where necessary

* decode member type in steps config

* update system api docs

* add technical advisory

* tweak docs a bit

* comment in comment

* lint

* extract token from Bearer header prefix

* review changes

* fix tests

* fix: add fix for activityhandler

* add isSystemUser

* remove IsSystemUser from activity info

* fix: add fix for activityhandler

---------

Co-authored-by: Stefan Benz <stefan@caos.ch>
2023-10-25 15:10:45 +00:00


package auth
import (
"context"
"google.golang.org/grpc"
"github.com/zitadel/zitadel/internal/api/assets"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/api/grpc/server"
"github.com/zitadel/zitadel/internal/auth/repository"
"github.com/zitadel/zitadel/internal/auth/repository/eventsourcing"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/config/systemdefaults"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/pkg/grpc/auth"
)
// Compile-time check that *Server satisfies the generated
// auth.AuthServiceServer interface.
var _ auth.AuthServiceServer = (*Server)(nil)

// authName is the application name this server reports through AppName.
const authName = "Auth-API"
// Server implements the Auth API's gRPC service (auth.AuthServiceServer) and
// carries the dependencies its handlers need. Instances are built by CreateServer.
type Server struct {
	// Embedding the generated Unimplemented type keeps Server satisfying the
	// interface when new RPCs are added to the service definition (grpc-go convention).
	auth.UnimplementedAuthServiceServer
	// command is the write side; presumably handles state-changing operations — confirm against handlers.
	command *command.Commands
	// query is the read side used to resolve projections/lookups.
	query *query.Queries
	// repo is the auth repository backing the handlers.
	repo repository.Repository
	// defaults holds the instance-wide system defaults.
	defaults systemdefaults.SystemDefaults
	// assetsAPIDomain resolves the assets API base for a request context;
	// CreateServer derives it from externalSecure via assets.AssetAPI.
	assetsAPIDomain func(context.Context) string
	// userCodeAlg is the encryption algorithm applied to user codes.
	// NOTE(review): exactly which codes it protects is not visible here — confirm.
	userCodeAlg crypto.EncryptionAlgorithm
	// externalSecure is also passed to assets.AssetAPI; presumably whether the
	// externally reachable endpoint is served over TLS — confirm with assets package.
	externalSecure bool
}
// Config holds the configuration of the Auth API server.
type Config struct {
	// Repository configures the event-sourcing backed auth repository.
	Repository eventsourcing.Config
}
// CreateServer wires a Server with its dependencies.
//
// externalSecure is stored on the Server and additionally used to build the
// assets API domain resolver through assets.AssetAPI; both uses receive the
// same value so that asset URLs and the server agree on the external scheme.
// Parameters are named cmds/queries to avoid shadowing the imported
// command and query packages inside the body.
func CreateServer(cmds *command.Commands,
	queries *query.Queries,
	authRepo repository.Repository,
	defaults systemdefaults.SystemDefaults,
	userCodeAlg crypto.EncryptionAlgorithm,
	externalSecure bool,
) *Server {
	srv := &Server{
		repo:     authRepo,
		defaults: defaults,
	}
	srv.command = cmds
	srv.query = queries
	// The resolver is derived once at construction, not per request.
	srv.assetsAPIDomain = assets.AssetAPI(externalSecure)
	srv.userCodeAlg = userCodeAlg
	srv.externalSecure = externalSecure
	return srv
}
// RegisterServer attaches this Auth API implementation to grpcServer.
func (s *Server) RegisterServer(grpcServer *grpc.Server) {
	var impl auth.AuthServiceServer = s
	auth.RegisterAuthServiceServer(grpcServer, impl)
}
// AppName returns the name under which the Auth API is registered.
func (s *Server) AppName() string {
	name := authName
	return name
}
// MethodPrefix returns the fully-qualified gRPC service name, i.e. the
// prefix shared by every full method name of this service.
func (s *Server) MethodPrefix() string {
	desc := &auth.AuthService_ServiceDesc
	return desc.ServiceName
}
// AuthMethods exposes the generated per-RPC authorization mapping of the
// Auth API for the authz layer (return type authz.MethodMapping).
// NOTE(review): which permissions each entry requires is defined in the
// generated auth package, not here — review it there when roles change.
func (s *Server) AuthMethods() authz.MethodMapping {
	mapping := auth.AuthService_AuthMethods
	return mapping
}
// RegisterGateway returns the generated grpc-gateway registration function
// for the Auth API.
func (s *Server) RegisterGateway() server.RegisterGatewayFunc {
	var register server.RegisterGatewayFunc = auth.RegisterAuthServiceHandler
	return register
}
// GatewayPathPrefix returns the HTTP path prefix under which this service's
// gateway is mounted; it delegates to the package-level GatewayPathPrefix.
func (s *Server) GatewayPathPrefix() string {
	prefix := GatewayPathPrefix()
	return prefix
}
// GatewayPathPrefix is the HTTP path prefix of the Auth API gateway.
func GatewayPathPrefix() string {
	const prefix = "/auth/v1"
	return prefix
}