TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-03-01 14:27:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
zitadel/internal/command/main_test.go
Stefan Benz 840da5be2d
feat: permission check on OIDC and SAML service session API (#9304) 
# Which Problems Are Solved

Through configuration on projects, there can be additional permission
checks enabled through an OIDC or SAML flow, which were not included in
the OIDC and SAML services.

# How the Problems Are Solved

Add permission check through the query-side of Zitadel in a singular SQL
query, when an OIDC or SAML flow should be linked to a SSO session. That
way it is eventual consistent, but will not impact the performance on
the eventstore. The permission check is defined in the API, which
provides the necessary function to the command side.

# Additional Changes

Added integration tests for the permission check on OIDC and SAML
service for every combination.
Corrected session list integration test, to content checks without
ordering.
Corrected get auth and saml request integration tests, to check for
timestamp of creation, not start of test.

# Additional Context

Closes #9265

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-02-11 18:45:09 +00:00

298 lines
8.5 KiB
Go
Raw Blame History

package command
import (
"context"
"database/sql"
"strings"
"testing"
"time"
"github.com/zitadel/passwap"
"github.com/zitadel/passwap/verifier"
"go.uber.org/mock/gomock"
"golang.org/x/text/language"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/eventstore/repository"
"github.com/zitadel/zitadel/internal/eventstore/repository/mock"
"github.com/zitadel/zitadel/internal/feature"
"github.com/zitadel/zitadel/internal/zerrors"
)
type expect func(mockRepository *mock.MockRepository)
// Deprecated: use expectEventstore
func eventstoreExpect(t *testing.T, expects ...expect) *eventstore.Eventstore {
m := mock.NewRepo(t)
for _, e := range expects {
e(m)
}
es := eventstore.NewEventstore(
&eventstore.Config{
Querier: m.MockQuerier,
Pusher: m.MockPusher,
},
)
return es
}
// expectEventstore defines expectations for the Eventstore and is initialized within the scope of a (sub) test.
// This allows proper reporting of the test name, instead of reporting on the top-level
// of the Test function being run.
func expectEventstore(expects ...expect) func(*testing.T) *eventstore.Eventstore {
return func(t *testing.T) *eventstore.Eventstore {
return eventstoreExpect(t, expects...)
}
}
func eventPusherToEvents(eventsPushes ...eventstore.Command) []*repository.Event {
events := make([]*repository.Event, len(eventsPushes))
for i, event := range eventsPushes {
data, err := eventstore.EventData(event)
if err != nil {
return nil
}
events[i] = &repository.Event{
AggregateID: event.Aggregate().ID,
AggregateType: event.Aggregate().Type,
ResourceOwner: sql.NullString{String: event.Aggregate().ResourceOwner, Valid: event.Aggregate().ResourceOwner != ""},
EditorUser: event.Creator(),
Typ: event.Type(),
Version: event.Aggregate().Version,
Data: data,
Constraints: event.UniqueConstraints(),
}
}
return events
}
func expectPush(commands ...eventstore.Command) expect {
return func(m *mock.MockRepository) {
m.ExpectPush(commands, 0)
}
}
func expectPushSlow(sleep time.Duration, commands ...eventstore.Command) expect {
return func(m *mock.MockRepository) {
m.ExpectPush(commands, sleep)
}
}
func expectPushFailed(err error, commands ...eventstore.Command) expect {
return func(m *mock.MockRepository) {
m.ExpectPushFailed(err, commands)
}
}
func expectRandomPush(events []eventstore.Command) expect {
return func(m *mock.MockRepository) {
m.ExpectRandomPush(events)
}
}
func expectRandomPushFailed(err error, events []eventstore.Command) expect {
return func(m *mock.MockRepository) {
m.ExpectRandomPushFailed(err, events)
}
}
func expectFilter(events ...eventstore.Event) expect {
return func(m *mock.MockRepository) {
m.ExpectFilterEvents(events...)
}
}
func expectFilterError(err error) expect {
return func(m *mock.MockRepository) {
m.ExpectFilterEventsError(err)
}
}
func expectFilterOrgDomainNotFound() expect {
return func(m *mock.MockRepository) {
m.ExpectFilterNoEventsNoError()
}
}
func expectFilterOrgMemberNotFound() expect {
return func(m *mock.MockRepository) {
m.ExpectFilterNoEventsNoError()
}
}
func eventFromEventPusher(event eventstore.Command) *repository.Event {
data, _ := eventstore.EventData(event)
return &repository.Event{
InstanceID: event.Aggregate().InstanceID,
ID: "",
Seq: 0,
CreationDate: time.Time{},
Typ: event.Type(),
Data: data,
EditorUser: event.Creator(),
Version: event.Aggregate().Version,
AggregateID: event.Aggregate().ID,
AggregateType: event.Aggregate().Type,
ResourceOwner: sql.NullString{String: event.Aggregate().ResourceOwner, Valid: event.Aggregate().ResourceOwner != ""},
Constraints: event.UniqueConstraints(),
}
}
func eventFromEventPusherWithInstanceID(instanceID string, event eventstore.Command) *repository.Event {
data, _ := eventstore.EventData(event)
return &repository.Event{
ID: "",
Seq: 0,
CreationDate: time.Time{},
Typ: event.Type(),
Data: data,
EditorUser: event.Creator(),
Version: event.Aggregate().Version,
AggregateID: event.Aggregate().ID,
AggregateType: event.Aggregate().Type,
ResourceOwner: sql.NullString{String: event.Aggregate().ResourceOwner, Valid: event.Aggregate().ResourceOwner != ""},
InstanceID: instanceID,
}
}
func eventFromEventPusherWithCreationDateNow(event eventstore.Command) *repository.Event {
e := eventFromEventPusher(event)
e.CreationDate = time.Now()
return e
}
func GetMockSecretGenerator(t *testing.T) crypto.Generator {
ctrl := gomock.NewController(t)
alg := crypto.CreateMockEncryptionAlg(ctrl)
generator := crypto.NewMockGenerator(ctrl)
generator.EXPECT().Length().Return(uint(1)).AnyTimes()
generator.EXPECT().Runes().Return([]rune("aa")).AnyTimes()
generator.EXPECT().Alg().Return(alg).AnyTimes()
generator.EXPECT().Expiry().Return(time.Hour * 1).AnyTimes()
return generator
}
type mockInstance struct{}
func (m *mockInstance) Block() *bool {
panic("shouldn't be called here")
}
func (m *mockInstance) AuditLogRetention() *time.Duration {
panic("shouldn't be called here")
}
func (m *mockInstance) InstanceID() string {
return "INSTANCE"
}
func (m *mockInstance) ProjectID() string {
return "projectID"
}
func (m *mockInstance) ConsoleClientID() string {
return "consoleID"
}
func (m *mockInstance) ConsoleApplicationID() string {
return "consoleApplicationID"
}
func (m *mockInstance) DefaultLanguage() language.Tag {
return AllowedLanguage
}
func (m *mockInstance) DefaultOrganisationID() string {
return "defaultOrgID"
}
func (m *mockInstance) SecurityPolicyAllowedOrigins() []string {
return nil
}
func (m *mockInstance) EnableImpersonation() bool {
return false
}
func (m *mockInstance) Features() feature.Features {
return feature.Features{}
}
func newMockPermissionCheckAllowed() domain.PermissionCheck {
return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
return nil
}
}
func newMockPermissionCheckNotAllowed() domain.PermissionCheck {
return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
return zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied")
}
}
func newMockProjectPermissionCheckAllowed() domain.ProjectPermissionCheck {
return func(ctx context.Context, clientID, userID string) (err error) {
return nil
}
}
func newMockProjectPermissionCheckOIDCNotAllowed() domain.ProjectPermissionCheck {
return func(ctx context.Context, clientID, userID string) (err error) {
return zerrors.ThrowPermissionDenied(nil, "OIDC-foSyH49RvL", "Errors.PermissionDenied")
}
}
func newMockProjectPermissionCheckSAMLNotAllowed() domain.ProjectPermissionCheck {
return func(ctx context.Context, clientID, userID string) (err error) {
return zerrors.ThrowPermissionDenied(nil, "SAML-foSyH49RvL", "Errors.PermissionDenied")
}
}
func newMockTokenVerifierValid() func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
return func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
return nil
}
}
func newMockTokenVerifierInvalid() func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
return func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
return zerrors.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid")
}
}
type plainHasher struct {
x string // arbitrary info that triggers update when different from encoding
}
func (h plainHasher) Hash(password string) (string, error) {
return strings.Join([]string{"", "plain", h.x, password}, "$"), nil
}
func (h plainHasher) Verify(encoded, password string) (verifier.Result, error) {
nodes := strings.Split(encoded, "$")
if len(nodes) != 4 || nodes[1] != "plain" {
return verifier.Skip, nil
}
if nodes[3] != password {
return verifier.Fail, nil
}
if nodes[2] != h.x {
return verifier.NeedUpdate, nil
}
return verifier.OK, nil
}
// mockPasswordHasher creates a swapper for plain (cleartext) password used in tests.
// x can be set to arbitrary info which triggers updates when different from the
// setting in the encoded hashes. (normally cost parameters)
//
// With `x` set to "foo", the following encoded string would be produced by Hash:
// $plain$foo$password
func mockPasswordHasher(x string) *crypto.Hasher {
return &crypto.Hasher{
Swapper: passwap.NewSwapper(plainHasher{x: x}),
Prefixes: []string{"$plain$"},
}
}
Reference in New Issue View Git Blame Copy Permalink