Merge remote-tracking branch 'origin/main' into next

zitadel · May 2, 2024 · 65d109e · 65d109e
2 parents 6e60335 + 482a46b
commit 65d109e
Show file tree

Hide file tree

Showing 53 changed files with 1,004 additions and 313 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,6 +1,11 @@
 name: ZITADEL CI/CD
 
 on:
+  push:
+    tags-ignore:
+      - "*"
+    branches:
+      - "main"
   pull_request:
   workflow_dispatch:
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -108,13 +108,13 @@ Please make sure you cover your changes with tests before marking a Pull Request
 
 The code consists of the following parts:
 
-| name            | description                                                     | language                                                                    | where to find                                      |
-| --------------- | --------------------------------------------------------------- | --------------------------------------------------------------------------- | -------------------------------------------------- |
-| backend         | Service that serves the grpc(-web) and RESTful API              | [go](https://go.dev)                                                        | [API implementation](./internal/api/grpc)          |
-| console         | Frontend the user interacts with after log in             | [Angular](https://angular.io), [Typescript](https://www.typescriptlang.org) | [./console](./console)                             |
+| name            | description                                                        | language                                                                    | where to find                                      |
+| --------------- | ------------------------------------------------------------------ | --------------------------------------------------------------------------- | -------------------------------------------------- |
+| backend         | Service that serves the grpc(-web) and RESTful API                 | [go](https://go.dev)                                                        | [API implementation](./internal/api/grpc)          |
+| console         | Frontend the user interacts with after log in                      | [Angular](https://angular.io), [Typescript](https://www.typescriptlang.org) | [./console](./console)                             |
 | login           | Server side rendered frontend the user interacts with during login | [go](https://go.dev), [go templates](https://pkg.go.dev/html/template)      | [./internal/api/ui/login](./internal/api/ui/login) |
-| API definitions | Specifications of the API                                       | [Protobuf](https://developers.google.com/protocol-buffers)                  | [./proto/zitadel](./proto/zitadel)                 |
-| docs            | Project documentation made with docusaurus                      | [Docusaurus](https://docusaurus.io/)                                        | [./docs](./docs)                                   |
+| API definitions | Specifications of the API                                          | [Protobuf](https://developers.google.com/protocol-buffers)                  | [./proto/zitadel](./proto/zitadel)                 |
+| docs            | Project documentation made with docusaurus                         | [Docusaurus](https://docusaurus.io/)                                        | [./docs](./docs)                                   |
 
 Please validate and test the code before you contribute.
 
@@ -129,12 +129,12 @@ We add the label "good first issue" for problems we think are a good starting po
 
 We are committed to creating a welcoming and inclusive community for all developers, regardless of their gender identity or expression. To achieve this, we are actively working to ensure that our contribution guidelines are gender-neutral and use inclusive language.
 
-**Use gender-neutral pronouns**: 
+**Use gender-neutral pronouns**:
 Don't use gender-specific pronouns unless the person you're referring to is actually that gender.
 In particular, don't use he, him, his, she, or her as gender-neutral pronouns, and don't use he/she or (s)he or other such punctuational approaches. Instead, use the singular they.
 
-**Choose gender-neutral alternatives**: 
-Opt for gender-neutral terms instead of gendered ones whenever possible. 
+**Choose gender-neutral alternatives**:
+Opt for gender-neutral terms instead of gendered ones whenever possible.
 Replace "policeman" with "police officer," "manpower" with "workforce," and "businessman" with "entrepreneur" or "businessperson."
 
 **Avoid ableist language**:
@@ -194,7 +194,7 @@ make core_unit_test
 To test the database-connected gRPC API, run PostgreSQL and CockroachDB, set up a ZITADEL instance and run the tests including integration tests:
 
 ```bash
-export INTEGRATION_DB_FLAVOR="postgres" ZITADEL_MASTERKEY="MasterkeyNeedsToHave32Characters"
+export INTEGRATION_DB_FLAVOR="cockroach" ZITADEL_MASTERKEY="MasterkeyNeedsToHave32Characters"
 docker compose -f internal/integration/config/docker-compose.yaml up --pull always --wait ${INTEGRATION_DB_FLAVOR}
 make core_integration_test
 docker compose -f internal/integration/config/docker-compose.yaml down

diff --git a/cmd/setup/config.go b/cmd/setup/config.go
@@ -12,13 +12,14 @@ import (
 	"github.com/zitadel/zitadel/cmd/encryption"
 	"github.com/zitadel/zitadel/cmd/hooks"
 	"github.com/zitadel/zitadel/internal/actions"
-	"github.com/zitadel/zitadel/internal/api/authz"
+	internal_authz "github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/oidc"
 	"github.com/zitadel/zitadel/internal/api/ui/login"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/config/hook"
 	"github.com/zitadel/zitadel/internal/config/systemdefaults"
 	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/id"
 	"github.com/zitadel/zitadel/internal/notification/handlers"
@@ -29,7 +30,7 @@ import (
 type Config struct {
 	Database        database.Config
 	SystemDefaults  systemdefaults.SystemDefaults
-	InternalAuthZ   authz.Config
+	InternalAuthZ   internal_authz.Config
 	ExternalDomain  string
 	ExternalPort    uint16
 	ExternalSecure  bool
@@ -46,7 +47,7 @@ type Config struct {
 	Login           login.Config
 	WebAuthNName    string
 	Telemetry       *handlers.TelemetryPusherConfig
-	SystemAPIUsers  map[string]*authz.SystemAPIUser
+	SystemAPIUsers  map[string]*internal_authz.SystemAPIUser
 }
 
 type InitProjections struct {
@@ -60,16 +61,18 @@ func MustNewConfig(v *viper.Viper) *Config {
 	config := new(Config)
 	err := v.Unmarshal(config,
 		viper.DecodeHook(mapstructure.ComposeDecodeHookFunc(
+			hooks.SliceTypeStringDecode[*domain.CustomMessageText],
+			hooks.SliceTypeStringDecode[internal_authz.RoleMapping],
+			hooks.MapTypeStringDecode[string, *internal_authz.SystemAPIUser],
+			hooks.MapHTTPHeaderStringDecode,
+			database.DecodeHook,
+			actions.HTTPConfigDecodeHook,
+			hook.EnumHookFunc(internal_authz.MemberTypeString),
 			hook.Base64ToBytesHookFunc(),
 			hook.TagToLanguageHookFunc(),
 			mapstructure.StringToTimeDurationHookFunc(),
 			mapstructure.StringToTimeHookFunc(time.RFC3339),
 			mapstructure.StringToSliceHookFunc(","),
-			database.DecodeHook,
-			hook.EnumHookFunc(authz.MemberTypeString),
-			actions.HTTPConfigDecodeHook,
-			hooks.MapTypeStringDecode[string, *authz.SystemAPIUser],
-			hooks.SliceTypeStringDecode[authz.RoleMapping],
 		)),
 	)
 	logging.OnError(err).Fatal("unable to read default config")

diff --git a/cmd/setup/config_test.go b/cmd/setup/config_test.go
@@ -0,0 +1,245 @@
+package setup
+
+import (
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/muhlemmer/gu"
+	"github.com/spf13/viper"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/domain"
+)
+
+func TestMustNewConfig(t *testing.T) {
+	encodedKey := "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF6aStGRlNKTDdmNXl3NEtUd3pnTQpQMzRlUEd5Y20vTStrVDBNN1Y0Q2d4NVYzRWFESXZUUUtUTGZCYUVCNDV6YjlMdGpJWHpEdzByWFJvUzJoTzZ0CmgrQ1lRQ3ozS0N2aDA5QzBJenhaaUIySVMzSC9hVCs1Qng5RUZZK3ZuQWtaamNjYnlHNVlOUnZtdE9sbnZJZUkKSDdxWjB0RXdrUGZGNUdFWk5QSlB0bXkzVUdWN2lvZmRWUVMxeFJqNzMrYU13NXJ2SDREOElkeWlBQzNWZWtJYgpwdDBWajBTVVgzRHdLdG9nMzM3QnpUaVBrM2FYUkYwc2JGaFFvcWRKUkk4TnFnWmpDd2pxOXlmSTV0eXhZc3duCitKR3pIR2RIdlczaWRPRGxtd0V0NUsycGFzaVJJV0syT0dmcSt3MEVjbHRRSGFidXFFUGdabG1oQ2tSZE5maXgKQndJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="
+	decodedKey, err := base64.StdEncoding.DecodeString(encodedKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	type args struct {
+		yaml string
+	}
+	tests := []struct {
+		name string
+		args args
+		want func(*testing.T, *Config)
+	}{{
+		name: "features ok",
+		args: args{yaml: `
+DefaultInstance:
+  Features:
+    LoginDefaultOrg: true
+    LegacyIntrospection: true
+    TriggerIntrospectionProjections: true
+    UserSchema: true
+Log:
+  Level: info
+Actions:
+  HTTP:
+    DenyList: []
+`},
+		want: func(t *testing.T, config *Config) {
+			assert.Equal(t, config.DefaultInstance.Features, &command.InstanceFeatures{
+				LoginDefaultOrg:                 gu.Ptr(true),
+				LegacyIntrospection:             gu.Ptr(true),
+				TriggerIntrospectionProjections: gu.Ptr(true),
+				UserSchema:                      gu.Ptr(true),
+			})
+		},
+	}, {
+		name: "system api users ok",
+		args: args{yaml: `
+SystemAPIUsers:
+- superuser:
+    Memberships:
+    - MemberType: System
+    - MemberType: Organization
+    - MemberType: IAM
+Log:
+  Level: info
+Actions:
+  HTTP:
+    DenyList: []
+`},
+		want: func(t *testing.T, config *Config) {
+			assert.Equal(t, config.SystemAPIUsers, map[string]*authz.SystemAPIUser{
+				"superuser": {
+					Memberships: authz.Memberships{{
+						MemberType: authz.MemberTypeSystem,
+					}, {
+						MemberType: authz.MemberTypeOrganization,
+					}, {
+						MemberType: authz.MemberTypeIAM,
+					}},
+				},
+			})
+		},
+	}, {
+		name: "system api users string ok",
+		args: args{yaml: fmt.Sprintf(`
+SystemAPIUsers: >
+  {"systemuser": {"path": "/path/to/superuser/key.pem"}, "systemuser2": {"keyData": "%s"}}
+Log:
+  Level: info
+Actions:
+  HTTP:
+    DenyList: []
+`, encodedKey)},
+		want: func(t *testing.T, config *Config) {
+			assert.Equal(t, config.SystemAPIUsers, map[string]*authz.SystemAPIUser{
+				"systemuser": {
+					Path: "/path/to/superuser/key.pem",
+				},
+				"systemuser2": {
+					KeyData: decodedKey,
+				},
+			})
+		},
+	}, {
+		name: "headers ok",
+		args: args{yaml: `
+Telemetry:
+  Headers:
+    single-value: single-value
+    multi-value:
+    - multi-value1
+    - multi-value2
+Log:
+  Level: info
+Actions:
+  HTTP:
+    DenyList: []
+`},
+		want: func(t *testing.T, config *Config) {
+			assert.Equal(t, config.Telemetry.Headers, http.Header{
+				"single-value": []string{"single-value"},
+				"multi-value":  []string{"multi-value1", "multi-value2"},
+			})
+		},
+	}, {
+		name: "headers string ok",
+		args: args{yaml: `
+Telemetry:
+  Headers: >
+    {"single-value": "single-value", "multi-value": ["multi-value1", "multi-value2"]}
+Log:
+  Level: info
+Actions:
+  HTTP:
+    DenyList: []
+`},
+		want: func(t *testing.T, config *Config) {
+			assert.Equal(t, config.Telemetry.Headers, http.Header{
+				"single-value": []string{"single-value"},
+				"multi-value":  []string{"multi-value1", "multi-value2"},
+			})
+		},
+	}, {
+		name: "message texts ok",
+		args: args{yaml: `
+DefaultInstance:
+  MessageTexts:
+  - MessageTextType: InitCode
+    Title: foo
+  - MessageTextType: PasswordReset
+    Greeting: bar
+Log:
+  Level: info
+Actions:
+  HTTP:
+    DenyList: []
+`},
+		want: func(t *testing.T, config *Config) {
+			assert.Equal(t, config.DefaultInstance.MessageTexts, []*domain.CustomMessageText{{
+				MessageTextType: "InitCode",
+				Title:           "foo",
+			}, {
+				MessageTextType: "PasswordReset",
+				Greeting:        "bar",
+			}})
+		},
+	}, {
+		name: "message texts string ok",
+		args: args{yaml: `
+DefaultInstance:
+  MessageTexts: >
+    [{"messageTextType": "InitCode", "title": "foo"}, {"messageTextType": "PasswordReset", "greeting": "bar"}]
+Log:
+  Level: info
+Actions:
+  HTTP:
+    DenyList: []
+`},
+		want: func(t *testing.T, config *Config) {
+			assert.Equal(t, config.DefaultInstance.MessageTexts, []*domain.CustomMessageText{{
+				MessageTextType: "InitCode",
+				Title:           "foo",
+			}, {
+				MessageTextType: "PasswordReset",
+				Greeting:        "bar",
+			}})
+		},
+	}, {
+		name: "roles ok",
+		args: args{yaml: `
+InternalAuthZ:
+  RolePermissionMappings:
+  - Role: IAM_OWNER
+    Permissions:
+    - iam.write
+  - Role: ORG_OWNER
+    Permissions:
+    - org.write
+    - org.read
+Log:
+  Level: info
+Actions:
+  HTTP:
+    DenyList: []
+`},
+		want: func(t *testing.T, config *Config) {
+			assert.Equal(t, config.InternalAuthZ, authz.Config{
+				RolePermissionMappings: []authz.RoleMapping{
+					{Role: "IAM_OWNER", Permissions: []string{"iam.write"}},
+					{Role: "ORG_OWNER", Permissions: []string{"org.write", "org.read"}},
+				},
+			})
+		},
+	}, {
+		name: "roles string ok",
+		args: args{yaml: `
+InternalAuthZ:
+  RolePermissionMappings: >
+    [{"role": "IAM_OWNER", "permissions": ["iam.write"]}, {"role": "ORG_OWNER", "permissions": ["org.write", "org.read"]}]
+Log:
+  Level: info
+Actions:
+  HTTP:
+    DenyList: []
+`},
+		want: func(t *testing.T, config *Config) {
+			assert.Equal(t, config.InternalAuthZ, authz.Config{
+				RolePermissionMappings: []authz.RoleMapping{
+					{Role: "IAM_OWNER", Permissions: []string{"iam.write"}},
+					{Role: "ORG_OWNER", Permissions: []string{"org.write", "org.read"}},
+				},
+			})
+		},
+	}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			v := viper.New()
+			v.SetConfigType("yaml")
+			require.NoError(t, v.ReadConfig(strings.NewReader(tt.args.yaml)))
+			got := MustNewConfig(v)
+			tt.want(t, got)
+		})
+	}
+}
diff --git a/cmd/start/config.go b/cmd/start/config.go
@@ -85,19 +85,19 @@ func MustNewConfig(v *viper.Viper) *Config {
 	err := v.Unmarshal(config,
 		viper.DecodeHook(mapstructure.ComposeDecodeHookFunc(
 			hooks.SliceTypeStringDecode[*domain.CustomMessageText],
-			hooks.SliceTypeStringDecode[*command.SetQuota],
 			hooks.SliceTypeStringDecode[internal_authz.RoleMapping],
 			hooks.MapTypeStringDecode[string, *internal_authz.SystemAPIUser],
-			hooks.MapTypeStringDecode[domain.Feature, any],
 			hooks.MapHTTPHeaderStringDecode,
+			database.DecodeHook,
+			actions.HTTPConfigDecodeHook,
+			hook.EnumHookFunc(internal_authz.MemberTypeString),
+			hooks.MapTypeStringDecode[domain.Feature, any],
+			hooks.SliceTypeStringDecode[*command.SetQuota],
 			hook.Base64ToBytesHookFunc(),
 			hook.TagToLanguageHookFunc(),
 			mapstructure.StringToTimeDurationHookFunc(),
 			mapstructure.StringToTimeHookFunc(time.RFC3339),
 			mapstructure.StringToSliceHookFunc(","),
-			database.DecodeHook,
-			actions.HTTPConfigDecodeHook,
-			hook.EnumHookFunc(internal_authz.MemberTypeString),
 		)),
 	)
 	logging.OnError(err).Fatal("unable to read config")

diff --git a/console/src/app/modules/nav/nav.component.html b/console/src/app/modules/nav/nav.component.html
@@ -96,7 +96,12 @@
                     [routerLinkActive]="['active']"
                     [routerLinkActiveOptions]="{ exact: false }"
                     [routerLink]="['/org-settings']"
-                    *ngIf="(['policy.read'] | hasRole | async) && ((authService.cachedOrgs | async)?.length ?? 1) > 1"
+                    *ngIf="
+                      (['policy.read'] | hasRole | async) &&
+                      ((['iam.read$', 'iam.write$'] | hasRole | async) === false ||
+                        (((authService.cachedOrgs | async)?.length ?? 1) > 1 &&
+                          (['iam.read$', 'iam.write$'] | hasRole | async)))
+                    "
                   >
                     <span class="label">{{ 'MENU.SETTINGS' | translate }}</span>
                   </a>