mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-13 03:24:26 +00:00
4980cd6a0c
* define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch>
52 lines
1.6 KiB
Go
52 lines
1.6 KiB
Go
package middleware
|
|
|
|
import (
|
|
"context"
|
|
"strings"
|
|
|
|
"google.golang.org/grpc"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/errors"
|
|
"github.com/zitadel/zitadel/internal/logstore"
|
|
"github.com/zitadel/zitadel/internal/logstore/record"
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
|
)
|
|
|
|
func QuotaExhaustedInterceptor(svc *logstore.Service[*record.AccessLog], ignoreService ...string) grpc.UnaryServerInterceptor {
|
|
for idx, service := range ignoreService {
|
|
if !strings.HasPrefix(service, "/") {
|
|
ignoreService[idx] = "/" + service
|
|
}
|
|
}
|
|
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (_ interface{}, err error) {
|
|
if !svc.Enabled() {
|
|
return handler(ctx, req)
|
|
}
|
|
interceptorCtx, span := tracing.NewServerInterceptorSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
// The auth interceptor will ensure that only authorized or public requests are allowed.
|
|
// So if there's no authorization context, we don't need to check for limitation
|
|
// Also, we don't limit calls with system user tokens
|
|
ctxData := authz.GetCtxData(ctx)
|
|
if ctxData.IsZero() || ctxData.SystemMemberships != nil {
|
|
return handler(ctx, req)
|
|
}
|
|
|
|
for _, service := range ignoreService {
|
|
if strings.HasPrefix(info.FullMethod, service) {
|
|
return handler(ctx, req)
|
|
}
|
|
}
|
|
|
|
instance := authz.GetInstance(ctx)
|
|
remaining := svc.Limit(interceptorCtx, instance.InstanceID())
|
|
if remaining != nil && *remaining == 0 {
|
|
return nil, errors.ThrowResourceExhausted(nil, "QUOTA-vjAy8", "Quota.Access.Exhausted")
|
|
}
|
|
span.End()
|
|
return handler(ctx, req)
|
|
}
|
|
}
|