mirror of
https://github.com/zitadel/zitadel.git
synced 2025-07-15 09:38:37 +00:00

# Which Problems Are Solved Currently, users can't delete themselves using the V2 RemoveUser API because of the redunant API middleware permission check. On main, using a machine user PAT to delete the same machine user: ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser ERROR: Code: NotFound Message: membership not found (AUTHZ-cdgFk) Details: 1) { "@type": "type.googleapis.com/zitadel.v1.ErrorDetail", "id": "AUTHZ-cdgFk", "message": "membership not found" } ``` Same on this PRs branch: ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser { "details": { "sequence": "3", "changeDate": "2025-05-06T13:44:54.349048Z", "resourceOwner": "318838541083804033" } } ``` Repeated call ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser ERROR: Code: Unauthenticated Message: Errors.Token.Invalid (AUTH-7fs1e) Details: 1) { "@type": "type.googleapis.com/zitadel.v1.ErrorDetail", "id": "AUTH-7fs1e", "message": "Errors.Token.Invalid" } ``` # How the Problems Are Solved The middleware permission check is disabled and the domain.PermissionCheck is used exclusively. # Additional Changes A new type command.PermissionCheck allows to optionally accept a permission check for commands, so APIs with middleware permission checks can omit redundant permission checks by passing nil while APIs without middleware permission checks can pass one to the command. # Additional Context This is a subtask of #9763 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
279 lines
7.2 KiB
Go
279 lines
7.2 KiB
Go
package command
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"errors"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/eventstore/repository"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
func TestCommands_CheckPermission(t *testing.T) {
|
|
type fields struct {
|
|
eventstore func(*testing.T) *eventstore.Eventstore
|
|
domainPermissionCheck func(*testing.T) domain.PermissionCheck
|
|
}
|
|
type args struct {
|
|
ctx context.Context
|
|
permission string
|
|
aggregateType eventstore.AggregateType
|
|
resourceOwner, aggregateID string
|
|
}
|
|
type want struct {
|
|
err func(error) bool
|
|
}
|
|
ctx := context.Background()
|
|
filterErr := errors.New("filter error")
|
|
tests := []struct {
|
|
name string
|
|
fields fields
|
|
args args
|
|
want want
|
|
}{
|
|
{
|
|
name: "resource owner is given, no query",
|
|
fields: fields{
|
|
domainPermissionCheck: mockDomainPermissionCheck(
|
|
ctx,
|
|
"permission",
|
|
"resourceOwner",
|
|
"aggregateID"),
|
|
},
|
|
args: args{
|
|
ctx: ctx,
|
|
permission: "permission",
|
|
resourceOwner: "resourceOwner",
|
|
aggregateID: "aggregateID",
|
|
},
|
|
},
|
|
{
|
|
name: "resource owner is empty, query for resource owner",
|
|
fields: fields{
|
|
eventstore: expectEventstore(
|
|
expectFilter(&repository.Event{
|
|
AggregateID: "aggregateID",
|
|
ResourceOwner: sql.NullString{String: "resourceOwner"},
|
|
}),
|
|
),
|
|
domainPermissionCheck: mockDomainPermissionCheck(ctx, "permission", "resourceOwner", "aggregateID"),
|
|
},
|
|
args: args{
|
|
ctx: ctx,
|
|
permission: "permission",
|
|
resourceOwner: "",
|
|
aggregateID: "aggregateID",
|
|
},
|
|
},
|
|
{
|
|
name: "resource owner is empty, query for resource owner, error",
|
|
fields: fields{
|
|
eventstore: expectEventstore(
|
|
expectFilterError(filterErr),
|
|
),
|
|
},
|
|
args: args{
|
|
ctx: ctx,
|
|
permission: "permission",
|
|
resourceOwner: "",
|
|
aggregateID: "aggregateID",
|
|
},
|
|
want: want{
|
|
err: func(err error) bool {
|
|
return errors.Is(err, filterErr)
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "resource owner is empty, query for resource owner, no events",
|
|
fields: fields{
|
|
eventstore: expectEventstore(
|
|
expectFilter(),
|
|
),
|
|
},
|
|
args: args{
|
|
ctx: ctx,
|
|
permission: "permission",
|
|
resourceOwner: "",
|
|
aggregateID: "aggregateID",
|
|
},
|
|
want: want{
|
|
err: zerrors.IsNotFound,
|
|
},
|
|
},
|
|
{
|
|
name: "no aggregateID, internal error",
|
|
args: args{
|
|
ctx: ctx,
|
|
},
|
|
want: want{
|
|
err: zerrors.IsInternal,
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
c := &Commands{
|
|
checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
|
|
assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
|
|
return nil
|
|
},
|
|
eventstore: expectEventstore()(t),
|
|
}
|
|
if tt.fields.domainPermissionCheck != nil {
|
|
c.checkPermission = tt.fields.domainPermissionCheck(t)
|
|
}
|
|
if tt.fields.eventstore != nil {
|
|
c.eventstore = tt.fields.eventstore(t)
|
|
}
|
|
err := c.newPermissionCheck(tt.args.ctx, tt.args.permission, tt.args.aggregateType)(tt.args.resourceOwner, tt.args.aggregateID)
|
|
if tt.want.err != nil {
|
|
assert.True(t, tt.want.err(err))
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestCommands_CheckPermissionUserWrite(t *testing.T) {
|
|
type fields struct {
|
|
domainPermissionCheck func(*testing.T) domain.PermissionCheck
|
|
}
|
|
type args struct {
|
|
ctx context.Context
|
|
resourceOwner, aggregateID string
|
|
}
|
|
type want struct {
|
|
err func(error) bool
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
fields fields
|
|
args args
|
|
want want
|
|
}{
|
|
{
|
|
name: "self, no permission check",
|
|
args: args{
|
|
ctx: authz.SetCtxData(context.Background(), authz.CtxData{
|
|
UserID: "aggregateID",
|
|
}),
|
|
resourceOwner: "resourceOwner",
|
|
aggregateID: "aggregateID",
|
|
},
|
|
},
|
|
{
|
|
name: "not self, permission check",
|
|
fields: fields{
|
|
domainPermissionCheck: mockDomainPermissionCheck(
|
|
context.Background(),
|
|
"user.write",
|
|
"resourceOwner",
|
|
"foreignAggregateID"),
|
|
},
|
|
args: args{
|
|
ctx: context.Background(),
|
|
resourceOwner: "resourceOwner",
|
|
aggregateID: "foreignAggregateID",
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
c := &Commands{
|
|
checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
|
|
assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
|
|
return nil
|
|
},
|
|
}
|
|
if tt.fields.domainPermissionCheck != nil {
|
|
c.checkPermission = tt.fields.domainPermissionCheck(t)
|
|
}
|
|
err := c.NewPermissionCheckUserWrite(tt.args.ctx)(tt.args.resourceOwner, tt.args.aggregateID)
|
|
if tt.want.err != nil {
|
|
assert.True(t, tt.want.err(err))
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestCommands_CheckPermissionUserDelete(t *testing.T) {
|
|
type fields struct {
|
|
domainPermissionCheck func(*testing.T) domain.PermissionCheck
|
|
}
|
|
type args struct {
|
|
ctx context.Context
|
|
resourceOwner, aggregateID string
|
|
}
|
|
type want struct {
|
|
err func(error) bool
|
|
}
|
|
userCtx := authz.SetCtxData(context.Background(), authz.CtxData{
|
|
UserID: "aggregateID",
|
|
})
|
|
tests := []struct {
|
|
name string
|
|
fields fields
|
|
args args
|
|
want want
|
|
}{
|
|
{
|
|
name: "self, no permission check",
|
|
args: args{
|
|
ctx: userCtx,
|
|
resourceOwner: "resourceOwner",
|
|
aggregateID: "aggregateID",
|
|
},
|
|
},
|
|
{
|
|
name: "not self, permission check",
|
|
fields: fields{
|
|
domainPermissionCheck: mockDomainPermissionCheck(
|
|
context.Background(),
|
|
"user.delete",
|
|
"resourceOwner",
|
|
"foreignAggregateID"),
|
|
},
|
|
args: args{
|
|
ctx: context.Background(),
|
|
resourceOwner: "resourceOwner",
|
|
aggregateID: "foreignAggregateID",
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
c := &Commands{
|
|
checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
|
|
assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
|
|
return nil
|
|
},
|
|
}
|
|
if tt.fields.domainPermissionCheck != nil {
|
|
c.checkPermission = tt.fields.domainPermissionCheck(t)
|
|
}
|
|
err := c.checkPermissionDeleteUser(tt.args.ctx, tt.args.resourceOwner, tt.args.aggregateID)
|
|
if tt.want.err != nil {
|
|
assert.True(t, tt.want.err(err))
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func mockDomainPermissionCheck(expectCtx context.Context, expectPermission, expectResourceOwner, expectResourceID string) func(t *testing.T) domain.PermissionCheck {
|
|
return func(t *testing.T) domain.PermissionCheck {
|
|
return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
|
|
assert.Equal(t, expectCtx, ctx)
|
|
assert.Equal(t, expectPermission, permission)
|
|
assert.Equal(t, expectResourceOwner, orgID)
|
|
assert.Equal(t, expectResourceID, resourceID)
|
|
return nil
|
|
}
|
|
}
|
|
}
|