
This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
package authz
import (
"context"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
"github.com/zitadel/zitadel/internal/zerrors"
)
// CheckPermission resolves the permissions of the user carried in ctx and verifies that
// permission is granted either globally or for resourceID.
//
// The memberships are resolved through resolver (system users are mapped via
// systemUserRoleMapping, everyone else via roleMappings). Any error from the
// resolution step is returned as-is; otherwise the result of
// checkUserResourcePermissions is returned, so a nil error means "allowed".
func CheckPermission(ctx context.Context, resolver MembershipsResolver, systemUserRoleMapping []RoleMapping, roleMappings []RoleMapping, permission, orgID, resourceID string) (err error) {
	// Only the permissions matching `permission` are needed here; the full set is discarded.
	matching, _, err := getUserPermissions(ctx, resolver, permission, systemUserRoleMapping, roleMappings, GetCtxData(ctx), orgID)
	if err != nil {
		return err
	}

	// The span's context is intentionally not propagated: nothing below takes a ctx.
	_, span := tracing.NewNamedSpan(ctx, "checkUserPermissions")
	err = checkUserResourcePermissions(matching, resourceID)
	span.EndWithError(err)
	return err
}
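// getUserPermissions retrieves the memberships of the authenticated user (on instance and provided organisation level),
// and maps them to permissions. It will return the requested permission(s) and all other granted permissions separately.
//
// Resolution order:
//   - a zero ctxData is rejected with an Unauthenticated error (fail closed, no lookup);
//   - system users (ctxData.SystemMemberships set) are mapped against systemUserRoleMappings
//     without consulting the resolver;
//   - otherwise memberships are looked up via resolver; when the first lookup is empty it is
//     retried with the third argument set to true (its exact meaning is defined by
//     MembershipsResolver, not visible here), and an empty result after both lookups
//     is reported as NotFound.
//
// Errors from the resolver are always returned as-is so that a backend failure is not
// mistaken for a missing membership.
func getUserPermissions(ctx context.Context, resolver MembershipsResolver, requiredPerm string, systemUserRoleMappings []RoleMapping, roleMappings []RoleMapping, ctxData CtxData, orgID string) (requestedPermissions, allPermissions []string, err error) {
	ctx, span := tracing.NewSpan(ctx)
	// err is a named result, so the deferred closure sees the value actually returned.
	defer func() { span.EndWithError(err) }()

	if ctxData.IsZero() {
		return nil, nil, zerrors.ThrowUnauthenticated(nil, "AUTH-rKLWEH", "context missing")
	}

	if ctxData.SystemMemberships != nil {
		requestedPermissions, allPermissions = mapMembershipsToPermissions(requiredPerm, ctxData.SystemMemberships, systemUserRoleMappings)
		return requestedPermissions, allPermissions, nil
	}

	// The resolver reads the caller's identity from the context, so it is attached here.
	ctx = context.WithValue(ctx, dataKey, ctxData)
	memberships, err := resolver.SearchMyMemberships(ctx, orgID, false)
	if err != nil {
		return nil, nil, err
	}
	if len(memberships) == 0 {
		memberships, err = resolver.SearchMyMemberships(ctx, orgID, true)
		// Check the lookup error before the emptiness of the result: a failed retry
		// returns no memberships as well, and must not be masked as NotFound.
		if err != nil {
			return nil, nil, err
		}
		if len(memberships) == 0 {
			return nil, nil, zerrors.ThrowNotFound(nil, "AUTHZ-cdgFk", "membership not found")
		}
	}
	requestedPermissions, allPermissions = mapMembershipsToPermissions(requiredPerm, memberships, roleMappings)
	return requestedPermissions, allPermissions, nil
}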
// checkUserResourcePermissions checks whether the user is granted the requested permission either
// globally (project.write) or for the specific resource (project.write:123).
//
// userPerms must already be filtered to the requested permission (see mapMembershipToPerm);
// an empty slice is denied. An empty resourceID means the caller is not asking about a
// particular resource, so any grant of the permission — global or context-scoped — is
// sufficient; callers that protect a specific object must pass its ID. Both denial paths
// return a PermissionDenied error.
func checkUserResourcePermissions(userPerms []string, resourceID string) error {
	if len(userPerms) == 0 {
		return zerrors.ThrowPermissionDenied(nil, "AUTH-AWfge", "No matching permissions found")
	}

	// Evaluated left to right: the cheap checks run before the per-permission scan.
	allowed := resourceID == "" ||
		HasGlobalPermission(userPerms) ||
		hasContextResourcePermission(userPerms, resourceID)
	if allowed {
		return nil
	}

	return zerrors.ThrowPermissionDenied(nil, "AUTH-Swrgg2", "No matching permissions found")
}
// hasContextResourcePermission reports whether any permission in permissions carries a
// context ID (the part after the colon, as returned by SplitPermission) equal to resourceID.
//
// The permission name itself is not compared here; callers pass a slice that is already
// restricted to the requested permission.
func hasContextResourcePermission(permissions []string, resourceID string) bool {
	for i := range permissions {
		if _, ctxID := SplitPermission(permissions[i]); ctxID == resourceID {
			return true
		}
	}
	return false
}
// mapMembershipsToPermissions folds every membership through mapMembershipToPerm using
// roleMappings and returns the permissions matching requiredPerm alongside all granted
// permissions. Both results are non-nil, empty slices when nothing is granted.
func mapMembershipsToPermissions(requiredPerm string, memberships []*Membership, roleMappings []RoleMapping) (requestPermissions, allPermissions []string) {
	// Start from empty (not nil) slices so callers always receive a usable, non-nil result.
	matching := make([]string, 0)
	granted := make([]string, 0)
	for i := range memberships {
		matching, granted = mapMembershipToPerm(requiredPerm, memberships[i], roleMappings, matching, granted)
	}
	return matching, granted
}
// mapMembershipToPerm expands a single membership into permissions and appends them to the
// accumulators requestPermissions and allPermissions, returning the updated slices.
//
// For each role of the membership, the permissions looked up via getPermissionsFromRole are
// suffixed with the membership's context ID (roleWithContext) and de-duplicated with
// ExistsPerm. A permission is additionally added to requestPermissions when its name —
// compared without any context suffix, via SplitPermission — equals requiredPerm.
func mapMembershipToPerm(requiredPerm string, membership *Membership, roleMappings []RoleMapping, requestPermissions, allPermissions []string) ([]string, []string) {
	roles, ctxID := roleWithContext(membership)
	for _, role := range roles {
		for _, granted := range getPermissionsFromRole(roleMappings, role) {
			scoped := addRoleContextIDToPerm(granted, ctxID)
			if !ExistsPerm(allPermissions, scoped) {
				allPermissions = append(allPermissions, scoped)
			}

			// Match on the bare permission name; the scoped form is what gets recorded.
			name, _ := SplitPermission(granted)
			if name != requiredPerm || ExistsPerm(requestPermissions, scoped) {
				continue
			}
			requestPermissions = append(requestPermissions, scoped)
		}
	}
	return requestPermissions, allPermissions
}
// addRoleContextIDToPerm scopes perm to roleContextID by appending ":<roleContextID>".
// An empty roleContextID leaves perm unchanged. No check is made for an existing suffix.
func addRoleContextIDToPerm(perm, roleContextID string) string {
	if roleContextID == "" {
		return perm
	}
	return perm + ":" + roleContextID
}
// ExistsPerm reports whether perm is present in existingPermissions using exact string
// comparison (no normalisation, no prefix or context matching). A nil or empty slice
// never contains perm.
func ExistsPerm(existingPermissions []string, perm string) bool {
	for i := range existingPermissions {
		if existingPermissions[i] == perm {
			return true
		}
	}
	return false
}
// roleWithContext returns the roles of membership together with the context ID they are
// scoped to. Only project and project-grant memberships are scoped (to membership.ObjectID);
// every other member type is returned with an empty context ID.
func roleWithContext(membership *Membership) (roles []string, ctxID string) {
	switch membership.MemberType {
	case MemberTypeProject, MemberTypeProjectGrant:
		return membership.Roles, membership.ObjectID
	default:
		return membership.Roles, ""
	}
}