mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-13 19:44:21 +00:00
958362e6c9
* commander * commander * selber! * move to packages * fix(errors): implement Is interface * test: command * test: commands * add init steps * setup tenant * add default step yaml * possibility to set password * merge v2 into v2-commander * fix: rename iam command side to instance * fix: rename iam command side to instance * fix: rename iam command side to instance * fix: rename iam command side to instance * fix: search query builder can filter events in memory * fix: filters for add member * fix(setup): add `ExternalSecure` to config * chore: name iam to instance * fix: matching * remove unsued func * base url * base url * test(command): filter funcs * test: commands * fix: rename orgiampolicy to domain policy * start from init * commands * config * fix indexes and add constraints * fixes * fix: merge conflicts * fix: protos * fix: md files * setup * add deprecated org iam policy again * typo * fix search query * fix filter * Apply suggestions from code review * remove custom org from org setup * add todos for verification * change apps creation * simplify package structure * fix error * move preparation helper for tests * fix unique constraints * fix config mapping in setup * fix error handling in encryption_keys.go * fix projection config * fix query from old views to projection * fix setup of mgmt api * set iam project and fix instance projection * fix tokens view * fix steps.yaml and defaults.yaml * fix projections * change instance context to interface * instance interceptors and additional events in setup * cleanup * tests for interceptors * fix label policy * add todo * single api endpoint in environment.json Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>
135 lines
3.1 KiB
Go
135 lines
3.1 KiB
Go
package authz
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/caos/zitadel/internal/api/grpc"
|
|
http_util "github.com/caos/zitadel/internal/api/http"
|
|
"github.com/caos/zitadel/internal/errors"
|
|
"github.com/caos/zitadel/internal/telemetry/tracing"
|
|
)
|
|
|
|
type key int
|
|
|
|
const (
|
|
requestPermissionsKey key = 1
|
|
dataKey key = 2
|
|
allPermissionsKey key = 3
|
|
instanceKey key = 4
|
|
)
|
|
|
|
type CtxData struct {
|
|
UserID string
|
|
OrgID string
|
|
ProjectID string
|
|
AgentID string
|
|
PreferredLanguage string
|
|
ResourceOwner string
|
|
}
|
|
|
|
func (ctxData CtxData) IsZero() bool {
|
|
return ctxData.UserID == "" || ctxData.OrgID == ""
|
|
}
|
|
|
|
type Grants []*Grant
|
|
|
|
type Grant struct {
|
|
OrgID string
|
|
Roles []string
|
|
}
|
|
|
|
type Memberships []*Membership
|
|
|
|
type Membership struct {
|
|
MemberType MemberType
|
|
AggregateID string
|
|
//ObjectID differs from aggregate id if object is sub of an aggregate
|
|
ObjectID string
|
|
|
|
Roles []string
|
|
}
|
|
|
|
type MemberType int32
|
|
|
|
const (
|
|
MemberTypeUnspecified MemberType = iota
|
|
MemberTypeOrganisation
|
|
MemberTypeProject
|
|
MemberTypeProjectGrant
|
|
MemberTypeIam
|
|
)
|
|
|
|
func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *TokenVerifier, method string) (_ CtxData, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
userID, clientID, agentID, prefLang, resourceOwner, err := verifyAccessToken(ctx, token, t, method)
|
|
if err != nil {
|
|
return CtxData{}, err
|
|
}
|
|
var projectID string
|
|
var origins []string
|
|
if clientID != "" {
|
|
projectID, origins, err = t.ProjectIDAndOriginsByClientID(ctx, clientID)
|
|
if err != nil {
|
|
return CtxData{}, errors.ThrowPermissionDenied(err, "AUTH-GHpw2", "could not read projectid by clientid")
|
|
}
|
|
}
|
|
if err := checkOrigin(ctx, origins); err != nil {
|
|
return CtxData{}, err
|
|
}
|
|
if orgID == "" {
|
|
orgID = resourceOwner
|
|
}
|
|
|
|
err = t.ExistsOrg(ctx, orgID)
|
|
if err != nil {
|
|
err = retry(func() error {
|
|
return t.ExistsOrg(ctx, orgID)
|
|
})
|
|
if err != nil {
|
|
return CtxData{}, errors.ThrowPermissionDenied(nil, "AUTH-Bs7Ds", "Organisation doesn't exist")
|
|
}
|
|
}
|
|
|
|
return CtxData{
|
|
UserID: userID,
|
|
OrgID: orgID,
|
|
ProjectID: projectID,
|
|
AgentID: agentID,
|
|
PreferredLanguage: prefLang,
|
|
ResourceOwner: resourceOwner,
|
|
}, nil
|
|
|
|
}
|
|
|
|
func SetCtxData(ctx context.Context, ctxData CtxData) context.Context {
|
|
return context.WithValue(ctx, dataKey, ctxData)
|
|
}
|
|
|
|
func GetCtxData(ctx context.Context) CtxData {
|
|
ctxData, _ := ctx.Value(dataKey).(CtxData)
|
|
return ctxData
|
|
}
|
|
|
|
func GetRequestPermissionsFromCtx(ctx context.Context) []string {
|
|
ctxPermission, _ := ctx.Value(requestPermissionsKey).([]string)
|
|
return ctxPermission
|
|
}
|
|
|
|
func GetAllPermissionsFromCtx(ctx context.Context) []string {
|
|
ctxPermission, _ := ctx.Value(allPermissionsKey).([]string)
|
|
return ctxPermission
|
|
}
|
|
|
|
func checkOrigin(ctx context.Context, origins []string) error {
|
|
origin := grpc.GetGatewayHeader(ctx, http_util.Origin)
|
|
if origin == "" {
|
|
return nil
|
|
}
|
|
if http_util.IsOriginAllowed(origins, origin) {
|
|
return nil
|
|
}
|
|
return errors.ThrowPermissionDenied(nil, "AUTH-DZG21", "Errors.OriginNotAllowed")
|
|
}
|