mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-10 20:13:40 +00:00
4980cd6a0c
* define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch>
33 lines
1.0 KiB
Go
33 lines
1.0 KiB
Go
package authz
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"fmt"
|
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
zitadel_errors "github.com/zitadel/zitadel/internal/errors"
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
|
)
|
|
|
|
const (
|
|
SessionTokenPrefix = "sess_"
|
|
SessionTokenFormat = SessionTokenPrefix + "%s:%s"
|
|
)
|
|
|
|
func SessionTokenVerifier(algorithm crypto.EncryptionAlgorithm) func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
|
|
return func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
|
|
decodedToken, err := base64.RawURLEncoding.DecodeString(sessionToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, spanPasswordComparison := tracing.NewNamedSpan(ctx, "crypto.CompareHash")
|
|
token, err := algorithm.DecryptString(decodedToken, algorithm.EncryptionKeyID())
|
|
spanPasswordComparison.EndWithError(err)
|
|
if err != nil || token != fmt.Sprintf(SessionTokenFormat, sessionID, tokenID) {
|
|
return zitadel_errors.ThrowPermissionDenied(err, "COMMAND-sGr42", "Errors.Session.Token.Invalid")
|
|
}
|
|
return nil
|
|
}
|
|
}
|