mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-06 10:52:17 +00:00
fa83c39510
# Which Problems Are Solved
This PR fixes the self-management of users for metadata and own removal
and improves the corresponding permission checks.
While looking into the problems, I also noticed that there's a bug in
the metadata mapping when using `api.metadata.push` in actions v1 and
that re-adding a previously existing key after its removal was not
possible.
# How the Problems Are Solved
- Added a parameter `allowSelfManagement` to checkPermissionOnUser to
not require a permission if a user is changing its own data.
- Updated use of `NewPermissionCheckUserWrite` including prevention of
self-management for metadata.
- Pass permission check to the command side (for metadata functions) to
allow it implicitly for login v1 and actions v1.
- Use of json.Marshal for the metadata mapping (as with
`AppendMetadata`)
- Check the metadata state when comparing the value.
# Additional Changes
- added a variadic `roles` parameter to the `CreateOrgMembership`
integration test helper function to allow defining specific roles.
# Additional Context
- noted internally while testing v4.1.x
- requires backport to v4.x
- closes https://github.com/zitadel/zitadel/issues/10470
- relates to https://github.com/zitadel/zitadel/pull/10426
(cherry picked from commit 5329d50509)
226 lines
6.8 KiB
Go
226 lines
6.8 KiB
Go
package command
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/repository/user"
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
func (c *Commands) SetUserMetadata(ctx context.Context, metadata *domain.Metadata, userID, resourceOwner string, check PermissionCheck) (_ *domain.Metadata, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
userResourceOwner, err := c.checkUserExists(ctx, userID, resourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if check != nil {
|
|
if err := check(userResourceOwner, userID); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
setMetadata, err := c.getUserMetadataModelByID(ctx, userID, userResourceOwner, metadata.Key)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
userAgg := UserAggregateFromWriteModel(&setMetadata.WriteModel)
|
|
// return if no change in the metadata
|
|
if setMetadata.State == domain.MetadataStateActive && bytes.Equal(setMetadata.Value, metadata.Value) {
|
|
return writeModelToUserMetadata(setMetadata), nil
|
|
}
|
|
|
|
event, err := c.setUserMetadata(ctx, userAgg, metadata)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
pushedEvents, err := c.eventstore.Push(ctx, event)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
err = AppendAndReduce(setMetadata, pushedEvents...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return writeModelToUserMetadata(setMetadata), nil
|
|
}
|
|
|
|
func (c *Commands) BulkSetUserMetadata(ctx context.Context, userID, resourceOwner string, check PermissionCheck, metadatas ...*domain.Metadata) (_ *domain.ObjectDetails, err error) {
|
|
if len(metadatas) == 0 {
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "META-9mm2d", "Errors.Metadata.NoData")
|
|
}
|
|
userResourceOwner, err := c.checkUserExists(ctx, userID, resourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if check != nil {
|
|
if err := check(userResourceOwner, userID); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
events := make([]eventstore.Command, 0)
|
|
setMetadata, err := c.getUserMetadataListModelByID(ctx, userID, userResourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
userAgg := UserAggregateFromWriteModel(&setMetadata.WriteModel)
|
|
for _, data := range metadatas {
|
|
// if no change to metadata no event has to be pushed
|
|
if existingValue, ok := setMetadata.metadataList[data.Key]; ok && bytes.Equal(existingValue, data.Value) {
|
|
continue
|
|
}
|
|
event, err := c.setUserMetadata(ctx, userAgg, data)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
events = append(events, event)
|
|
}
|
|
// no changes for the metadata
|
|
if len(events) == 0 {
|
|
return writeModelToObjectDetails(&setMetadata.WriteModel), nil
|
|
}
|
|
|
|
pushedEvents, err := c.eventstore.Push(ctx, events...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
err = AppendAndReduce(setMetadata, pushedEvents...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return writeModelToObjectDetails(&setMetadata.WriteModel), nil
|
|
}
|
|
|
|
func (c *Commands) setUserMetadata(ctx context.Context, userAgg *eventstore.Aggregate, metadata *domain.Metadata) (command eventstore.Command, err error) {
|
|
if !metadata.IsValid() {
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "META-2m00f", "Errors.Metadata.Invalid")
|
|
}
|
|
return user.NewMetadataSetEvent(
|
|
ctx,
|
|
userAgg,
|
|
metadata.Key,
|
|
metadata.Value,
|
|
), nil
|
|
}
|
|
|
|
func (c *Commands) RemoveUserMetadata(ctx context.Context, metadataKey, userID, resourceOwner string, check PermissionCheck) (_ *domain.ObjectDetails, err error) {
|
|
if metadataKey == "" {
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "META-2n0fs", "Errors.Metadata.Invalid")
|
|
}
|
|
userResourceOwner, err := c.checkUserExists(ctx, userID, resourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if check != nil {
|
|
if err := check(userResourceOwner, userID); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
removeMetadata, err := c.getUserMetadataModelByID(ctx, userID, userResourceOwner, metadataKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !removeMetadata.State.Exists() {
|
|
return nil, zerrors.ThrowNotFound(nil, "META-ncnw3", "Errors.Metadata.NotFound")
|
|
}
|
|
userAgg := UserAggregateFromWriteModel(&removeMetadata.WriteModel)
|
|
event, err := c.removeUserMetadata(ctx, userAgg, metadataKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
pushedEvents, err := c.eventstore.Push(ctx, event)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
err = AppendAndReduce(removeMetadata, pushedEvents...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return writeModelToObjectDetails(&removeMetadata.WriteModel), nil
|
|
}
|
|
|
|
func (c *Commands) BulkRemoveUserMetadata(ctx context.Context, userID, resourceOwner string, check PermissionCheck, metadataKeys ...string) (_ *domain.ObjectDetails, err error) {
|
|
if len(metadataKeys) == 0 {
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "META-9mm2d", "Errors.Metadata.NoData")
|
|
}
|
|
userResourceOwner, err := c.checkUserExists(ctx, userID, resourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if check != nil {
|
|
if err := check(userResourceOwner, userID); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
events := make([]eventstore.Command, len(metadataKeys))
|
|
removeMetadata, err := c.getUserMetadataListModelByID(ctx, userID, userResourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
userAgg := UserAggregateFromWriteModel(&removeMetadata.WriteModel)
|
|
for i, key := range metadataKeys {
|
|
if key == "" {
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-m29ds", "Errors.Metadata.Invalid")
|
|
}
|
|
if _, found := removeMetadata.metadataList[key]; !found {
|
|
return nil, zerrors.ThrowNotFound(nil, "META-2nnds", "Errors.Metadata.KeyNotExisting")
|
|
}
|
|
event, err := c.removeUserMetadata(ctx, userAgg, key)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
events[i] = event
|
|
}
|
|
|
|
pushedEvents, err := c.eventstore.Push(ctx, events...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
err = AppendAndReduce(removeMetadata, pushedEvents...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return writeModelToObjectDetails(&removeMetadata.WriteModel), nil
|
|
}
|
|
|
|
func (c *Commands) removeUserMetadata(ctx context.Context, userAgg *eventstore.Aggregate, metadataKey string) (command eventstore.Command, err error) {
|
|
command = user.NewMetadataRemovedEvent(
|
|
ctx,
|
|
userAgg,
|
|
metadataKey,
|
|
)
|
|
return command, nil
|
|
}
|
|
|
|
func (c *Commands) getUserMetadataModelByID(ctx context.Context, userID, resourceOwner, key string) (*UserMetadataWriteModel, error) {
|
|
userMetadataWriteModel := NewUserMetadataWriteModel(userID, resourceOwner, key)
|
|
err := c.eventstore.FilterToQueryReducer(ctx, userMetadataWriteModel)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return userMetadataWriteModel, nil
|
|
}
|
|
|
|
func (c *Commands) getUserMetadataListModelByID(ctx context.Context, userID, resourceOwner string) (*UserMetadataListWriteModel, error) {
|
|
userMetadataWriteModel := NewUserMetadataListWriteModel(userID, resourceOwner)
|
|
err := c.eventstore.FilterToQueryReducer(ctx, userMetadataWriteModel)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return userMetadataWriteModel, nil
|
|
}
|