mirror of
https://github.com/zitadel/zitadel.git
synced 2025-11-04 05:52:51 +00:00
8a5badddf6
* fix: change oidc config * fix: change oidc config secret * begin models * begin repo * fix: implement grpc app funcs * fix: add application requests * fix: converter * fix: converter * fix: converter and generate clientid * fix: tests * feat: project grant aggregate * feat: project grant * fix: project grant check if role existing * fix: project grant requests * fix: project grant fixes * fix: project grant member model * fix: project grant member aggregate * fix: project grant member eventstore * fix: project grant member requests * feat: user model * begin repo * repo models and more * feat: user command side * lots of functions * user command side * profile requests * commit before rebase on user * save * local config with gopass and more * begin new auth command (user centric) * Update internal/user/model/user.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/address.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/address.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/email.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/email.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/email.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/mfa.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/mfa.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/password.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/password.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/password.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/phone.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/phone.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/phone.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/user.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/user.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/user.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/usergrant/repository/eventsourcing/model/user_grant.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/usergrant/repository/eventsourcing/model/user_grant.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/usergrant/repository/eventsourcing/user_grant.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/user_test.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/eventstore_mock_test.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * changes from mr review * save files into basedir * changes from mr review * changes from mr review * move to auth request * Update internal/usergrant/repository/eventsourcing/cache.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/usergrant/repository/eventsourcing/cache.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * changes requested on mr * fix generate codes * fix return if no events * password code * email verification step * more steps * lot of mfa * begin tests * more next steps * auth api * auth api (user) * auth api (user) * auth api (user) * differ requests * merge * tests * fix compilation error * mock for id generator * Update internal/user/repository/eventsourcing/model/password.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/user/repository/eventsourcing/model/user.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * requests of mr * check email * begin separation of command and query * otp * change packages * some cleanup and fixes * tests for auth request / next steps * add VerificationLifetimes to config and make it run * tests * fix code challenge validation * cleanup * fix merge * begin view * repackaging tests and configs * fix startup config for auth * add migration * add PromptSelectAccount * fix copy / paste * remove user_agent files * fixes * fix sequences in user_session * token commands * token queries and signout * fix * fix set password test * add token handler and table * handle session init * add session state * add user view test cases * change VerifyMyMfaOTP * some fixes * fix user repo in auth api * cleanup * add user session view test * fix merge * begin oidc * user agent and more * config * keys * key command and query * add login statics * key handler * start login * login handlers * lot of fixes * merge oidc * add missing exports * add missing exports * fix some bugs * authrequestid in htmls * getrequest * update auth request * fix userid check * add username to authrequest * fix user session and auth request handling * fix UserSessionsByAgentID * fix auth request tests * fix user session on UserPasswordChanged and MfaOtpRemoved * fix MfaTypesSetupPossible * handle mfa * fill username * auth request query checks new events * fix userSessionByIDs * fix tokens * fix userSessionByIDs test * add user selection * init code * user code creation date * add init user step * add verification failed types * add verification failures * verify init code * user init code handle * user init code handle * fix userSessionByIDs * update logging * user agent cookie * browserinfo from request * add DeleteAuthRequest * add static login files to binary * add login statik to build * move generate to separate file and remove statik.go files * remove static dirs from startup.yaml * generate into separate namespaces * merge master * auth request code * auth request type mapping * fix keys * improve tokens * improve register and basic styling * fix ailerons font * improve password reset * add audience to token * all oidc apps as audience * fix test nextStep * fix email texts * remove "not set" * lot of style changes * improve copy to clipboard * fix footer * add cookie handler * remove placeholders * fix compilation after merge * fix auth config * remove comments * typo * use new secrets store * change default pws to match default policy * fixes * add todo * enable login * fix db name * Auth queries (#179) * my usersession * org structure/ auth handlers * working user grant spooler * auth internal user grants * search my project orgs * remove permissions file * my zitadel permissions * my zitadel permissions * remove unused code * authz * app searches in view * token verification * fix user grant load * fix tests * fix tests * read configs * remove unused const * remove todos * env variables * app_name * working authz * search projects * global resourceowner * Update internal/api/auth/permissions.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/api/auth/permissions.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * model2 rename * at least it works * check token expiry * search my user grants * remove token table from authz Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix test * fix ports and enable console Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
425 lines
9.8 KiB
Go
425 lines
9.8 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
caos_errs "github.com/caos/zitadel/internal/errors"
|
|
)
|
|
|
|
func getTestCtx(userID, orgID string) context.Context {
|
|
return context.WithValue(context.Background(), dataKey, CtxData{UserID: userID, OrgID: orgID})
|
|
}
|
|
|
|
type testVerifier struct {
|
|
grant *Grant
|
|
}
|
|
|
|
func (v *testVerifier) VerifyAccessToken(ctx context.Context, token string) (string, string, string, error) {
|
|
return "userID", "clientID", "agentID", nil
|
|
}
|
|
|
|
func (v *testVerifier) ResolveGrant(ctx context.Context) (*Grant, error) {
|
|
return v.grant, nil
|
|
}
|
|
|
|
func (v *testVerifier) GetProjectIDByClientID(ctx context.Context, clientID string) (string, error) {
|
|
return "", nil
|
|
}
|
|
|
|
func equalStringArray(a, b []string) bool {
|
|
if len(a) != len(b) {
|
|
return false
|
|
}
|
|
for i, v := range a {
|
|
if v != b[i] {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
func Test_GetUserMethodPermissions(t *testing.T) {
|
|
type args struct {
|
|
ctx context.Context
|
|
verifier TokenVerifier
|
|
requiredPerm string
|
|
authConfig *Config
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
wantErr bool
|
|
errFunc func(err error) bool
|
|
result []string
|
|
}{
|
|
{
|
|
name: "Empty Context",
|
|
args: args{
|
|
ctx: getTestCtx("", ""),
|
|
verifier: &testVerifier{grant: &Grant{
|
|
Roles: []string{"ORG_OWNER"}}},
|
|
requiredPerm: "project.read",
|
|
authConfig: &Config{
|
|
RolePermissionMappings: []RoleMapping{
|
|
RoleMapping{
|
|
Role: "IAM_OWNER",
|
|
Permissions: []string{"project.read"},
|
|
},
|
|
RoleMapping{
|
|
Role: "ORG_OWNER",
|
|
Permissions: []string{"org.read", "project.read"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
wantErr: true,
|
|
errFunc: caos_errs.IsUnauthenticated,
|
|
result: []string{"project.read"},
|
|
},
|
|
{
|
|
name: "No Grants",
|
|
args: args{
|
|
ctx: getTestCtx("", ""),
|
|
verifier: &testVerifier{grant: &Grant{}},
|
|
requiredPerm: "project.read",
|
|
authConfig: &Config{
|
|
RolePermissionMappings: []RoleMapping{
|
|
RoleMapping{
|
|
Role: "IAM_OWNER",
|
|
Permissions: []string{"project.read"},
|
|
},
|
|
RoleMapping{
|
|
Role: "ORG_OWNER",
|
|
Permissions: []string{"org.read", "project.read"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
result: make([]string, 0),
|
|
},
|
|
{
|
|
name: "Get Permissions",
|
|
args: args{
|
|
ctx: getTestCtx("userID", "orgID"),
|
|
verifier: &testVerifier{grant: &Grant{
|
|
Roles: []string{"ORG_OWNER"}}},
|
|
requiredPerm: "project.read",
|
|
authConfig: &Config{
|
|
RolePermissionMappings: []RoleMapping{
|
|
RoleMapping{
|
|
Role: "IAM_OWNER",
|
|
Permissions: []string{"project.read"},
|
|
},
|
|
RoleMapping{
|
|
Role: "ORG_OWNER",
|
|
Permissions: []string{"org.read", "project.read"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
result: []string{"project.read"},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
_, perms, err := getUserMethodPermissions(tt.args.ctx, tt.args.verifier, tt.args.requiredPerm, tt.args.authConfig)
|
|
|
|
if tt.wantErr && err == nil {
|
|
t.Errorf("got wrong result, should get err: actual: %v ", err)
|
|
}
|
|
|
|
if tt.wantErr && !tt.errFunc(err) {
|
|
t.Errorf("got wrong err: %v ", err)
|
|
}
|
|
|
|
if !tt.wantErr && !equalStringArray(perms, tt.result) {
|
|
t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, perms)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_MapGrantsToPermissions(t *testing.T) {
|
|
type args struct {
|
|
requiredPerm string
|
|
grant *Grant
|
|
authConfig *Config
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
result []string
|
|
}{
|
|
{
|
|
name: "One Role existing perm",
|
|
args: args{
|
|
requiredPerm: "project.read",
|
|
grant: &Grant{Roles: []string{"ORG_OWNER"}},
|
|
authConfig: &Config{
|
|
RolePermissionMappings: []RoleMapping{
|
|
RoleMapping{
|
|
Role: "IAM_OWNER",
|
|
Permissions: []string{"project.read"},
|
|
},
|
|
RoleMapping{
|
|
Role: "ORG_OWNER",
|
|
Permissions: []string{"org.read", "project.read"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
result: []string{"project.read"},
|
|
},
|
|
{
|
|
name: "One Role not existing perm",
|
|
args: args{
|
|
requiredPerm: "project.write",
|
|
grant: &Grant{Roles: []string{"ORG_OWNER"}},
|
|
authConfig: &Config{
|
|
RolePermissionMappings: []RoleMapping{
|
|
RoleMapping{
|
|
Role: "IAM_OWNER",
|
|
Permissions: []string{"project.read"},
|
|
},
|
|
RoleMapping{
|
|
Role: "ORG_OWNER",
|
|
Permissions: []string{"org.read", "project.read"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
result: []string{},
|
|
},
|
|
{
|
|
name: "Multiple Roles one existing",
|
|
args: args{
|
|
requiredPerm: "project.read",
|
|
grant: &Grant{Roles: []string{"ORG_OWNER", "IAM_OWNER"}},
|
|
authConfig: &Config{
|
|
RolePermissionMappings: []RoleMapping{
|
|
RoleMapping{
|
|
Role: "IAM_OWNER",
|
|
Permissions: []string{"project.read"},
|
|
},
|
|
RoleMapping{
|
|
Role: "ORG_OWNER",
|
|
Permissions: []string{"org.read", "project.read"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
result: []string{"project.read"},
|
|
},
|
|
{
|
|
name: "Multiple Roles, global and specific",
|
|
args: args{
|
|
requiredPerm: "project.read",
|
|
grant: &Grant{Roles: []string{"ORG_OWNER", "PROJECT_OWNER:1"}},
|
|
authConfig: &Config{
|
|
RolePermissionMappings: []RoleMapping{
|
|
RoleMapping{
|
|
Role: "PROJECT_OWNER",
|
|
Permissions: []string{"project.read"},
|
|
},
|
|
RoleMapping{
|
|
Role: "ORG_OWNER",
|
|
Permissions: []string{"org.read", "project.read"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
result: []string{"project.read", "project.read:1"},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := mapGrantToPermissions(tt.args.requiredPerm, tt.args.grant, tt.args.authConfig)
|
|
if !equalStringArray(result, tt.result) {
|
|
t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_MapRoleToPerm(t *testing.T) {
|
|
type args struct {
|
|
requiredPerm string
|
|
actualRole string
|
|
authConfig *Config
|
|
resolvedPermissions []string
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
result []string
|
|
}{
|
|
{
|
|
name: "first perm without context id",
|
|
args: args{
|
|
requiredPerm: "project.read",
|
|
actualRole: "ORG_OWNER",
|
|
authConfig: &Config{
|
|
RolePermissionMappings: []RoleMapping{
|
|
RoleMapping{
|
|
Role: "IAM_OWNER",
|
|
Permissions: []string{"project.read"},
|
|
},
|
|
RoleMapping{
|
|
Role: "ORG_OWNER",
|
|
Permissions: []string{"org.read", "project.read"},
|
|
},
|
|
},
|
|
},
|
|
resolvedPermissions: []string{},
|
|
},
|
|
result: []string{"project.read"},
|
|
},
|
|
{
|
|
name: "existing perm without context id",
|
|
args: args{
|
|
requiredPerm: "project.read",
|
|
actualRole: "ORG_OWNER",
|
|
authConfig: &Config{
|
|
RolePermissionMappings: []RoleMapping{
|
|
RoleMapping{
|
|
Role: "IAM_OWNER",
|
|
Permissions: []string{"project.read"},
|
|
},
|
|
RoleMapping{
|
|
Role: "ORG_OWNER",
|
|
Permissions: []string{"org.read", "project.read"},
|
|
},
|
|
},
|
|
},
|
|
resolvedPermissions: []string{"project.read"},
|
|
},
|
|
result: []string{"project.read"},
|
|
},
|
|
{
|
|
name: "first perm with context id",
|
|
args: args{
|
|
requiredPerm: "project.read",
|
|
actualRole: "PROJECT_OWNER:1",
|
|
authConfig: &Config{
|
|
RolePermissionMappings: []RoleMapping{
|
|
RoleMapping{
|
|
Role: "PROJECT_OWNER",
|
|
Permissions: []string{"project.read"},
|
|
},
|
|
RoleMapping{
|
|
Role: "ORG_OWNER",
|
|
Permissions: []string{"org.read", "project.read"},
|
|
},
|
|
},
|
|
},
|
|
resolvedPermissions: []string{},
|
|
},
|
|
result: []string{"project.read:1"},
|
|
},
|
|
{
|
|
name: "perm with context id, existing global",
|
|
args: args{
|
|
requiredPerm: "project.read",
|
|
actualRole: "PROJECT_OWNER:1",
|
|
authConfig: &Config{
|
|
RolePermissionMappings: []RoleMapping{
|
|
RoleMapping{
|
|
Role: "PROJECT_OWNER",
|
|
Permissions: []string{"project.read"},
|
|
},
|
|
RoleMapping{
|
|
Role: "ORG_OWNER",
|
|
Permissions: []string{"org.read", "project.read"},
|
|
},
|
|
},
|
|
},
|
|
resolvedPermissions: []string{"project.read"},
|
|
},
|
|
result: []string{"project.read", "project.read:1"},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := mapRoleToPerm(tt.args.requiredPerm, tt.args.actualRole, tt.args.authConfig, tt.args.resolvedPermissions)
|
|
if !equalStringArray(result, tt.result) {
|
|
t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_AddRoleContextIDToPerm(t *testing.T) {
|
|
type args struct {
|
|
perm string
|
|
ctxID string
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
result string
|
|
}{
|
|
{
|
|
name: "with ctx id",
|
|
args: args{
|
|
perm: "perm1",
|
|
ctxID: "2",
|
|
},
|
|
result: "perm1:2",
|
|
},
|
|
{
|
|
name: "with ctx id",
|
|
args: args{
|
|
perm: "perm1",
|
|
ctxID: "",
|
|
},
|
|
result: "perm1",
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := addRoleContextIDToPerm(tt.args.perm, tt.args.ctxID)
|
|
if result != tt.result {
|
|
t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_ExistisPerm(t *testing.T) {
|
|
type args struct {
|
|
existing []string
|
|
perm string
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
result bool
|
|
}{
|
|
{
|
|
name: "not existing perm",
|
|
args: args{
|
|
existing: []string{"perm1", "perm2", "perm3"},
|
|
perm: "perm4",
|
|
},
|
|
result: false,
|
|
},
|
|
{
|
|
name: "existing perm",
|
|
args: args{
|
|
existing: []string{"perm1", "perm2", "perm3"},
|
|
perm: "perm2",
|
|
},
|
|
result: true,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := ExistsPerm(tt.args.existing, tt.args.perm)
|
|
if result != tt.result {
|
|
t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
|
|
}
|
|
})
|
|
}
|
|
}
|