zitadel/internal/api/authz/context.go

package authz

import (
	"context"
	"strings"

	"github.com/zitadel/zitadel/internal/api/grpc"
	http_util "github.com/zitadel/zitadel/internal/api/http"
	"github.com/zitadel/zitadel/internal/errors"
	"github.com/zitadel/zitadel/internal/telemetry/tracing"
)

type key int

const (
	requestPermissionsKey key = 1
	dataKey               key = 2
	allPermissionsKey     key = 3
	instanceKey           key = 4
)

type CtxData struct {
	UserID            string
	OrgID             string
	ProjectID         string
	AgentID           string
	PreferredLanguage string
	ResourceOwner     string
}

func (ctxData CtxData) IsZero() bool {
	return ctxData.UserID == "" || ctxData.OrgID == ""
}

type Grants []*Grant

type Grant struct {
	OrgID string
	Roles []string
}

type Memberships []*Membership

type Membership struct {
	MemberType  MemberType
	AggregateID string
	//ObjectID differs from aggregate id if object is sub of an aggregate
	ObjectID string

	Roles []string
}

type MemberType int32

const (
	MemberTypeUnspecified MemberType = iota
	MemberTypeOrganisation
	MemberTypeProject
	MemberTypeProjectGrant
	MemberTypeIam
)

func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID, orgDomain string, t *TokenVerifier, method string) (_ CtxData, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	userID, clientID, agentID, prefLang, resourceOwner, err := verifyAccessToken(ctx, token, t, method)
	if err != nil {
		return CtxData{}, err
	}
	if strings.HasPrefix(method, "/zitadel.system.v1.SystemService") {
		return CtxData{UserID: userID}, nil
	}
	var projectID string
	var origins []string
	if clientID != "" {
		projectID, origins, err = t.ProjectIDAndOriginsByClientID(ctx, clientID)
		if err != nil {
			return CtxData{}, errors.ThrowPermissionDenied(err, "AUTH-GHpw2", "could not read projectid by clientid")
		}
		// We used to check origins for every token, but service users shouldn't be used publicly (native app / SPA).
		// Therefore, mostly won't send an origin and aren't able to configure them anyway.
		// For the current time we will only check origins for tokens issued to users through apps (code / implicit flow).
		if err := checkOrigin(ctx, origins); err != nil {
			return CtxData{}, err
		}
	}
	if orgID == "" && orgDomain == "" {
		orgID = resourceOwner
	}

	verifiedOrgID, err := t.ExistsOrg(ctx, orgID, orgDomain)
	if err != nil {
		err = retry(func() error {
			verifiedOrgID, err = t.ExistsOrg(ctx, orgID, orgDomain)
			return err
		})
		if err != nil {
			return CtxData{}, errors.ThrowPermissionDenied(nil, "AUTH-Bs7Ds", "Organisation doesn't exist")
		}
	}

	return CtxData{
		UserID:            userID,
		OrgID:             verifiedOrgID,
		ProjectID:         projectID,
		AgentID:           agentID,
		PreferredLanguage: prefLang,
		ResourceOwner:     resourceOwner,
	}, nil

}

func SetCtxData(ctx context.Context, ctxData CtxData) context.Context {
	return context.WithValue(ctx, dataKey, ctxData)
}

func GetCtxData(ctx context.Context) CtxData {
	ctxData, _ := ctx.Value(dataKey).(CtxData)
	return ctxData
}

func GetRequestPermissionsFromCtx(ctx context.Context) []string {
	ctxPermission, _ := ctx.Value(requestPermissionsKey).([]string)
	return ctxPermission
}

func GetAllPermissionsFromCtx(ctx context.Context) []string {
	ctxPermission, _ := ctx.Value(allPermissionsKey).([]string)
	return ctxPermission
}

func checkOrigin(ctx context.Context, origins []string) error {
	origin := grpc.GetGatewayHeader(ctx, http_util.Origin)
	if origin == "" {
		origin = http_util.OriginHeader(ctx)
		if origin == "" {
			return nil
		}
	}
	if http_util.IsOriginAllowed(origins, origin) {
		return nil
	}
	return errors.ThrowPermissionDenied(nil, "AUTH-DZG21", "Errors.OriginNotAllowed")
}