mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-06 11:22:16 +00:00
fa83c39510
# Which Problems Are Solved
This PR fixes the self-management of users for metadata and own removal
and improves the corresponding permission checks.
While looking into the problems, I also noticed that there's a bug in
the metadata mapping when using `api.metadata.push` in actions v1 and
that re-adding a previously existing key after its removal was not
possible.
# How the Problems Are Solved
- Added a parameter `allowSelfManagement` to checkPermissionOnUser to
not require a permission if a user is changing its own data.
- Updated use of `NewPermissionCheckUserWrite` including prevention of
self-management for metadata.
- Pass permission check to the command side (for metadata functions) to
allow it implicitly for login v1 and actions v1.
- Use of json.Marshal for the metadata mapping (as with
`AppendMetadata`)
- Check the metadata state when comparing the value.
# Additional Changes
- added a variadic `roles` parameter to the `CreateOrgMembership`
integration test helper function to allow defining specific roles.
# Additional Context
- noted internally while testing v4.1.x
- requires backport to v4.x
- closes https://github.com/zitadel/zitadel/issues/10470
- relates to https://github.com/zitadel/zitadel/pull/10426
(cherry picked from commit 5329d50509)
64 lines
1.9 KiB
Go
64 lines
1.9 KiB
Go
package user
|
|
|
|
import (
|
|
"context"
|
|
|
|
"connectrpc.com/connect"
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
|
|
"github.com/zitadel/zitadel/internal/command"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
|
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
|
|
)
|
|
|
|
func (s *Server) AddKey(ctx context.Context, req *connect.Request[user.AddKeyRequest]) (*connect.Response[user.AddKeyResponse], error) {
|
|
newMachineKey := &command.MachineKey{
|
|
ObjectRoot: models.ObjectRoot{
|
|
AggregateID: req.Msg.GetUserId(),
|
|
},
|
|
ExpirationDate: req.Msg.GetExpirationDate().AsTime(),
|
|
Type: domain.AuthNKeyTypeJSON,
|
|
PermissionCheck: s.command.NewPermissionCheckUserWrite(ctx, true),
|
|
}
|
|
newMachineKey.PublicKey = req.Msg.GetPublicKey()
|
|
|
|
pubkeySupplied := len(newMachineKey.PublicKey) > 0
|
|
details, err := s.command.AddUserMachineKey(ctx, newMachineKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
// Return key details only if the pubkey wasn't supplied, otherwise the user already has
|
|
// private key locally
|
|
var keyDetails []byte
|
|
if !pubkeySupplied {
|
|
var err error
|
|
keyDetails, err = newMachineKey.Detail()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
return connect.NewResponse(&user.AddKeyResponse{
|
|
KeyId: newMachineKey.KeyID,
|
|
KeyContent: keyDetails,
|
|
CreationDate: timestamppb.New(details.EventDate),
|
|
}), nil
|
|
}
|
|
|
|
func (s *Server) RemoveKey(ctx context.Context, req *connect.Request[user.RemoveKeyRequest]) (*connect.Response[user.RemoveKeyResponse], error) {
|
|
machineKey := &command.MachineKey{
|
|
ObjectRoot: models.ObjectRoot{
|
|
AggregateID: req.Msg.GetUserId(),
|
|
},
|
|
PermissionCheck: s.command.NewPermissionCheckUserWrite(ctx, true),
|
|
KeyID: req.Msg.GetKeyId(),
|
|
}
|
|
objectDetails, err := s.command.RemoveUserMachineKey(ctx, machineKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return connect.NewResponse(&user.RemoveKeyResponse{
|
|
DeletionDate: timestamppb.New(objectDetails.EventDate),
|
|
}), nil
|
|
}
|