zitadel/internal/command/permission_checks_test.go
Elio Bischof 898366c537
fix: allow user self deletion (#9828)
# Which Problems Are Solved

Currently, users can't delete themselves using the V2 RemoveUser API
because of the redunant API middleware permission check.

On main, using a machine user PAT to delete the same machine user:

```bash
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser
ERROR:
  Code: NotFound
  Message: membership not found (AUTHZ-cdgFk)
  Details:
  1)	{
    	  "@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
    	  "id": "AUTHZ-cdgFk",
    	  "message": "membership not found"
    	}
```

Same on this PRs branch:

```bash
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser
{
  "details": {
    "sequence": "3",
    "changeDate": "2025-05-06T13:44:54.349048Z",
    "resourceOwner": "318838541083804033"
  }
}
```

Repeated call
```bash
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser
ERROR:
  Code: Unauthenticated
  Message: Errors.Token.Invalid (AUTH-7fs1e)
  Details:
  1)	{
    	  "@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
    	  "id": "AUTH-7fs1e",
    	  "message": "Errors.Token.Invalid"
    	}
```

# How the Problems Are Solved

The middleware permission check is disabled and the
domain.PermissionCheck is used exclusively.

# Additional Changes

A new type command.PermissionCheck allows to optionally accept a
permission check for commands, so APIs with middleware permission checks
can omit redundant permission checks by passing nil while APIs without
middleware permission checks can pass one to the command.

# Additional Context

This is a subtask of #9763

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-05-07 15:24:24 +02:00

279 lines
7.2 KiB
Go

package command
import (
"context"
"database/sql"
"errors"
"testing"
"github.com/stretchr/testify/assert"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/eventstore/repository"
"github.com/zitadel/zitadel/internal/zerrors"
)
func TestCommands_CheckPermission(t *testing.T) {
type fields struct {
eventstore func(*testing.T) *eventstore.Eventstore
domainPermissionCheck func(*testing.T) domain.PermissionCheck
}
type args struct {
ctx context.Context
permission string
aggregateType eventstore.AggregateType
resourceOwner, aggregateID string
}
type want struct {
err func(error) bool
}
ctx := context.Background()
filterErr := errors.New("filter error")
tests := []struct {
name string
fields fields
args args
want want
}{
{
name: "resource owner is given, no query",
fields: fields{
domainPermissionCheck: mockDomainPermissionCheck(
ctx,
"permission",
"resourceOwner",
"aggregateID"),
},
args: args{
ctx: ctx,
permission: "permission",
resourceOwner: "resourceOwner",
aggregateID: "aggregateID",
},
},
{
name: "resource owner is empty, query for resource owner",
fields: fields{
eventstore: expectEventstore(
expectFilter(&repository.Event{
AggregateID: "aggregateID",
ResourceOwner: sql.NullString{String: "resourceOwner"},
}),
),
domainPermissionCheck: mockDomainPermissionCheck(ctx, "permission", "resourceOwner", "aggregateID"),
},
args: args{
ctx: ctx,
permission: "permission",
resourceOwner: "",
aggregateID: "aggregateID",
},
},
{
name: "resource owner is empty, query for resource owner, error",
fields: fields{
eventstore: expectEventstore(
expectFilterError(filterErr),
),
},
args: args{
ctx: ctx,
permission: "permission",
resourceOwner: "",
aggregateID: "aggregateID",
},
want: want{
err: func(err error) bool {
return errors.Is(err, filterErr)
},
},
},
{
name: "resource owner is empty, query for resource owner, no events",
fields: fields{
eventstore: expectEventstore(
expectFilter(),
),
},
args: args{
ctx: ctx,
permission: "permission",
resourceOwner: "",
aggregateID: "aggregateID",
},
want: want{
err: zerrors.IsNotFound,
},
},
{
name: "no aggregateID, internal error",
args: args{
ctx: ctx,
},
want: want{
err: zerrors.IsInternal,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &Commands{
checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
return nil
},
eventstore: expectEventstore()(t),
}
if tt.fields.domainPermissionCheck != nil {
c.checkPermission = tt.fields.domainPermissionCheck(t)
}
if tt.fields.eventstore != nil {
c.eventstore = tt.fields.eventstore(t)
}
err := c.newPermissionCheck(tt.args.ctx, tt.args.permission, tt.args.aggregateType)(tt.args.resourceOwner, tt.args.aggregateID)
if tt.want.err != nil {
assert.True(t, tt.want.err(err))
}
})
}
}
func TestCommands_CheckPermissionUserWrite(t *testing.T) {
type fields struct {
domainPermissionCheck func(*testing.T) domain.PermissionCheck
}
type args struct {
ctx context.Context
resourceOwner, aggregateID string
}
type want struct {
err func(error) bool
}
tests := []struct {
name string
fields fields
args args
want want
}{
{
name: "self, no permission check",
args: args{
ctx: authz.SetCtxData(context.Background(), authz.CtxData{
UserID: "aggregateID",
}),
resourceOwner: "resourceOwner",
aggregateID: "aggregateID",
},
},
{
name: "not self, permission check",
fields: fields{
domainPermissionCheck: mockDomainPermissionCheck(
context.Background(),
"user.write",
"resourceOwner",
"foreignAggregateID"),
},
args: args{
ctx: context.Background(),
resourceOwner: "resourceOwner",
aggregateID: "foreignAggregateID",
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &Commands{
checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
return nil
},
}
if tt.fields.domainPermissionCheck != nil {
c.checkPermission = tt.fields.domainPermissionCheck(t)
}
err := c.NewPermissionCheckUserWrite(tt.args.ctx)(tt.args.resourceOwner, tt.args.aggregateID)
if tt.want.err != nil {
assert.True(t, tt.want.err(err))
}
})
}
}
func TestCommands_CheckPermissionUserDelete(t *testing.T) {
type fields struct {
domainPermissionCheck func(*testing.T) domain.PermissionCheck
}
type args struct {
ctx context.Context
resourceOwner, aggregateID string
}
type want struct {
err func(error) bool
}
userCtx := authz.SetCtxData(context.Background(), authz.CtxData{
UserID: "aggregateID",
})
tests := []struct {
name string
fields fields
args args
want want
}{
{
name: "self, no permission check",
args: args{
ctx: userCtx,
resourceOwner: "resourceOwner",
aggregateID: "aggregateID",
},
},
{
name: "not self, permission check",
fields: fields{
domainPermissionCheck: mockDomainPermissionCheck(
context.Background(),
"user.delete",
"resourceOwner",
"foreignAggregateID"),
},
args: args{
ctx: context.Background(),
resourceOwner: "resourceOwner",
aggregateID: "foreignAggregateID",
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &Commands{
checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
return nil
},
}
if tt.fields.domainPermissionCheck != nil {
c.checkPermission = tt.fields.domainPermissionCheck(t)
}
err := c.checkPermissionDeleteUser(tt.args.ctx, tt.args.resourceOwner, tt.args.aggregateID)
if tt.want.err != nil {
assert.True(t, tt.want.err(err))
}
})
}
}
func mockDomainPermissionCheck(expectCtx context.Context, expectPermission, expectResourceOwner, expectResourceID string) func(t *testing.T) domain.PermissionCheck {
return func(t *testing.T) domain.PermissionCheck {
return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
assert.Equal(t, expectCtx, ctx)
assert.Equal(t, expectPermission, permission)
assert.Equal(t, expectResourceOwner, orgID)
assert.Equal(t, expectResourceID, resourceID)
return nil
}
}
}