mirror of
https://github.com/zitadel/zitadel.git
synced 2025-07-13 20:18:32 +00:00
07ce3b6905
This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
92 lines
3.3 KiB
Go
92 lines
3.3 KiB
Go
package command
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
_ "embed"
|
|
"strings"
|
|
|
|
"github.com/zitadel/logging"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/database"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/repository/permission"
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
// SynchronizeRolePermission checks the current state of role permissions in the eventstore for the aggregate.
|
|
// It pushes the commands required to reach the desired state passed in target.
|
|
// For system level permissions aggregateID must be set to `SYSTEM`, else it is the instance ID.
|
|
func (c *Commands) SynchronizeRolePermission(ctx context.Context, aggregateID string, target []authz.RoleMapping) (_ *domain.ObjectDetails, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
cmds, err := synchronizeRolePermissionCommands(ctx, c.eventstore.Client(), aggregateID,
|
|
rolePermissionMappingsToDatabaseMap(target, aggregateID == "SYSTEM"),
|
|
)
|
|
if err != nil {
|
|
return nil, zerrors.ThrowInternal(err, "COMMA-Iej2r", "Errors.Internal")
|
|
}
|
|
events, err := c.eventstore.Push(ctx, cmds...)
|
|
if err != nil {
|
|
logging.WithError(err).Error("failed to push role permission commands")
|
|
return nil, zerrors.ThrowInternal(err, "COMMA-AiV3u", "Errors.Internal")
|
|
}
|
|
return pushedEventsToObjectDetails(events), nil
|
|
}
|
|
|
|
func rolePermissionMappingsToDatabaseMap(mappings []authz.RoleMapping, system bool) database.Map[[]string] {
|
|
out := make(database.Map[[]string], len(mappings))
|
|
for _, m := range mappings {
|
|
if system == strings.HasPrefix(m.Role, "SYSTEM") {
|
|
out[m.Role] = m.Permissions
|
|
}
|
|
}
|
|
return out
|
|
}
|
|
|
|
var (
|
|
//go:embed instance_role_permissions_sync.sql
|
|
instanceRolePermissionsSyncQuery string
|
|
)
|
|
|
|
// synchronizeRolePermissionCommands checks the current state of role permissions in the eventstore for the aggregate.
|
|
// It returns the commands required to reach the desired state passed in target.
|
|
// For system level permissions aggregateID must be set to `SYSTEM`, else it is the instance ID.
|
|
func synchronizeRolePermissionCommands(ctx context.Context, db *database.DB, aggregateID string, target database.Map[[]string]) (cmds []eventstore.Command, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
err = db.QueryContext(ctx,
|
|
rolePermissionScanner(ctx, permission.NewAggregate(aggregateID), &cmds),
|
|
instanceRolePermissionsSyncQuery,
|
|
aggregateID, target)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return cmds, nil
|
|
}
|
|
|
|
func rolePermissionScanner(ctx context.Context, aggregate *eventstore.Aggregate, cmds *[]eventstore.Command) func(rows *sql.Rows) error {
|
|
return func(rows *sql.Rows) error {
|
|
for rows.Next() {
|
|
var operation, role, perm string
|
|
if err := rows.Scan(&operation, &role, &perm); err != nil {
|
|
return err
|
|
}
|
|
logging.WithFields("aggregate_id", aggregate.ID, "operation", operation, "role", role, "permission", perm).Debug("sync role permission")
|
|
switch operation {
|
|
case "add":
|
|
*cmds = append(*cmds, permission.NewAddedEvent(ctx, aggregate, role, perm))
|
|
case "remove":
|
|
*cmds = append(*cmds, permission.NewRemovedEvent(ctx, aggregate, role, perm))
|
|
}
|
|
}
|
|
return rows.Close()
|
|
|
|
}
|
|
}
|