zitadel/internal/api/grpc/user/v2/pat_query.go

package user

import (
	"context"

	"google.golang.org/protobuf/types/known/timestamppb"

	"github.com/zitadel/zitadel/internal/api/grpc/filter/v2"
	"github.com/zitadel/zitadel/internal/query"
	"github.com/zitadel/zitadel/internal/zerrors"
	filter_pb "github.com/zitadel/zitadel/pkg/grpc/filter/v2"
	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)

func (s *Server) ListPersonalAccessTokens(ctx context.Context, req *user.ListPersonalAccessTokensRequest) (*user.ListPersonalAccessTokensResponse, error) {
	offset, limit, asc, err := filter.PaginationPbToQuery(s.systemDefaults, req.Pagination)
	if err != nil {
		return nil, err
	}
	filters, err := patFiltersToQueries(req.Filters)
	if err != nil {
		return nil, err
	}
	search := &query.PersonalAccessTokenSearchQueries{
		SearchRequest: query.SearchRequest{
			Offset:        offset,
			Limit:         limit,
			Asc:           asc,
			SortingColumn: authnPersonalAccessTokenFieldNameToSortingColumn(req.SortingColumn),
		},
		Queries: filters,
	}
	result, err := s.query.SearchPersonalAccessTokens(ctx, search, s.checkPermission)
	if err != nil {
		return nil, err
	}
	resp := &user.ListPersonalAccessTokensResponse{
		Result:     make([]*user.PersonalAccessToken, len(result.PersonalAccessTokens)),
		Pagination: filter.QueryToPaginationPb(search.SearchRequest, result.SearchResponse),
	}
	for i, pat := range result.PersonalAccessTokens {
		resp.Result[i] = &user.PersonalAccessToken{
			CreationDate:   timestamppb.New(pat.CreationDate),
			ChangeDate:     timestamppb.New(pat.ChangeDate),
			Id:             pat.ID,
			UserId:         pat.UserID,
			OrganizationId: pat.ResourceOwner,
			ExpirationDate: timestamppb.New(pat.Expiration),
		}
	}
	return resp, nil
}

func patFiltersToQueries(filters []*user.PersonalAccessTokensSearchFilter) (_ []query.SearchQuery, err error) {
	q := make([]query.SearchQuery, len(filters))
	for i, filter := range filters {
		q[i], err = patFilterToQuery(filter)
		if err != nil {
			return nil, err
		}
	}
	return q, nil
}

func patFilterToQuery(filter *user.PersonalAccessTokensSearchFilter) (query.SearchQuery, error) {
	switch q := filter.Filter.(type) {
	case *user.PersonalAccessTokensSearchFilter_CreatedDateFilter:
		return authnPersonalAccessTokenCreatedFilterToQuery(q.CreatedDateFilter)
	case *user.PersonalAccessTokensSearchFilter_ExpirationDateFilter:
		return authnPersonalAccessTokenExpirationFilterToQuery(q.ExpirationDateFilter)
	case *user.PersonalAccessTokensSearchFilter_TokenIdFilter:
		return authnPersonalAccessTokenIdFilterToQuery(q.TokenIdFilter)
	case *user.PersonalAccessTokensSearchFilter_UserIdFilter:
		return authnPersonalAccessTokenUserIdFilterToQuery(q.UserIdFilter)
	case *user.PersonalAccessTokensSearchFilter_OrganizationIdFilter:
		return authnPersonalAccessTokenOrgIdFilterToQuery(q.OrganizationIdFilter)
	default:
		return nil, zerrors.ThrowInvalidArgument(nil, "GRPC-vR9nC", "List.Query.Invalid")
	}
}

func authnPersonalAccessTokenIdFilterToQuery(f *filter_pb.IDFilter) (query.SearchQuery, error) {
	return query.NewPersonalAccessTokenIDQuery(f.Id)
}

func authnPersonalAccessTokenUserIdFilterToQuery(f *filter_pb.IDFilter) (query.SearchQuery, error) {
	return query.NewPersonalAccessTokenUserIDSearchQuery(f.Id)
}

func authnPersonalAccessTokenOrgIdFilterToQuery(f *filter_pb.IDFilter) (query.SearchQuery, error) {
	return query.NewPersonalAccessTokenResourceOwnerSearchQuery(f.Id)
}

func authnPersonalAccessTokenCreatedFilterToQuery(f *filter_pb.TimestampFilter) (query.SearchQuery, error) {
	return query.NewPersonalAccessTokenCreationDateQuery(f.Timestamp.AsTime(), filter.TimestampMethodPbToQuery(f.Method))
}

func authnPersonalAccessTokenExpirationFilterToQuery(f *filter_pb.TimestampFilter) (query.SearchQuery, error) {
	return query.NewPersonalAccessTokenExpirationDateDateQuery(f.Timestamp.AsTime(), filter.TimestampMethodPbToQuery(f.Method))
}

// authnPersonalAccessTokenFieldNameToSortingColumn defaults to the creation date because this ensures deterministic pagination
func authnPersonalAccessTokenFieldNameToSortingColumn(field *user.PersonalAccessTokenFieldName) query.Column {
	if field == nil {
		return query.PersonalAccessTokenColumnCreationDate
	}
	switch *field {
	case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_UNSPECIFIED:
		return query.PersonalAccessTokenColumnCreationDate
	case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_ID:
		return query.PersonalAccessTokenColumnID
	case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_USER_ID:
		return query.PersonalAccessTokenColumnUserID
	case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_ORGANIZATION_ID:
		return query.PersonalAccessTokenColumnResourceOwner
	case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_CREATED_DATE:
		return query.PersonalAccessTokenColumnCreationDate
	case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_EXPIRATION_DATE:
		return query.PersonalAccessTokenColumnExpiration
	default:
		return query.PersonalAccessTokenColumnCreationDate
	}
}
feat: user api requests to resource API (#9794) # Which Problems Are Solved This pull request addresses a significant gap in the user service v2 API, which currently lacks methods for managing machine users. # How the Problems Are Solved This PR adds new API endpoints to the user service v2 to manage machine users including their secret, keys and personal access tokens. Additionally, there's now a CreateUser and UpdateUser endpoints which allow to create either a human or machine user and update them. The existing `CreateHumanUser` endpoint has been deprecated along the corresponding management service endpoints. For details check the additional context section. # Additional Context - Closes https://github.com/zitadel/zitadel/issues/9349 ## More details - API changes: https://github.com/zitadel/zitadel/pull/9680 - Implementation: https://github.com/zitadel/zitadel/pull/9763 - Tests: https://github.com/zitadel/zitadel/pull/9771 ## Follow-ups - Metadata: support managing user metadata using resource API https://github.com/zitadel/zitadel/pull/10005 - Machine token type: support managing the machine token type (migrate to new enum with zero value unspecified?) --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-06-04 09:17:23 +02:00			`package user`

			`import (`
			`"context"`

			`"google.golang.org/protobuf/types/known/timestamppb"`

			`"github.com/zitadel/zitadel/internal/api/grpc/filter/v2"`
			`"github.com/zitadel/zitadel/internal/query"`
			`"github.com/zitadel/zitadel/internal/zerrors"`
			`filter_pb "github.com/zitadel/zitadel/pkg/grpc/filter/v2"`
			`"github.com/zitadel/zitadel/pkg/grpc/user/v2"`
			`)`

			`func (s Server) ListPersonalAccessTokens(ctx context.Context, req user.ListPersonalAccessTokensRequest) (*user.ListPersonalAccessTokensResponse, error) {`
			`offset, limit, asc, err := filter.PaginationPbToQuery(s.systemDefaults, req.Pagination)`
			`if err != nil {`
			`return nil, err`
			`}`
			`filters, err := patFiltersToQueries(req.Filters)`
			`if err != nil {`
			`return nil, err`
			`}`
			`search := &query.PersonalAccessTokenSearchQueries{`
			`SearchRequest: query.SearchRequest{`
			`Offset: offset,`
			`Limit: limit,`
			`Asc: asc,`
			`SortingColumn: authnPersonalAccessTokenFieldNameToSortingColumn(req.SortingColumn),`
			`},`
			`Queries: filters,`
			`}`
			`result, err := s.query.SearchPersonalAccessTokens(ctx, search, s.checkPermission)`
			`if err != nil {`
			`return nil, err`
			`}`
			`resp := &user.ListPersonalAccessTokensResponse{`
			`Result: make([]*user.PersonalAccessToken, len(result.PersonalAccessTokens)),`
			`Pagination: filter.QueryToPaginationPb(search.SearchRequest, result.SearchResponse),`
			`}`
			`for i, pat := range result.PersonalAccessTokens {`
			`resp.Result[i] = &user.PersonalAccessToken{`
			`CreationDate: timestamppb.New(pat.CreationDate),`
			`ChangeDate: timestamppb.New(pat.ChangeDate),`
			`Id: pat.ID,`
			`UserId: pat.UserID,`
			`OrganizationId: pat.ResourceOwner,`
			`ExpirationDate: timestamppb.New(pat.Expiration),`
			`}`
			`}`
			`return resp, nil`
			`}`

			`func patFiltersToQueries(filters []*user.PersonalAccessTokensSearchFilter) (_ []query.SearchQuery, err error) {`
			`q := make([]query.SearchQuery, len(filters))`
			`for i, filter := range filters {`
			`q[i], err = patFilterToQuery(filter)`
			`if err != nil {`
			`return nil, err`
			`}`
			`}`
			`return q, nil`
			`}`

			`func patFilterToQuery(filter *user.PersonalAccessTokensSearchFilter) (query.SearchQuery, error) {`
			`switch q := filter.Filter.(type) {`
			`case *user.PersonalAccessTokensSearchFilter_CreatedDateFilter:`
			`return authnPersonalAccessTokenCreatedFilterToQuery(q.CreatedDateFilter)`
			`case *user.PersonalAccessTokensSearchFilter_ExpirationDateFilter:`
			`return authnPersonalAccessTokenExpirationFilterToQuery(q.ExpirationDateFilter)`
			`case *user.PersonalAccessTokensSearchFilter_TokenIdFilter:`
			`return authnPersonalAccessTokenIdFilterToQuery(q.TokenIdFilter)`
			`case *user.PersonalAccessTokensSearchFilter_UserIdFilter:`
			`return authnPersonalAccessTokenUserIdFilterToQuery(q.UserIdFilter)`
			`case *user.PersonalAccessTokensSearchFilter_OrganizationIdFilter:`
			`return authnPersonalAccessTokenOrgIdFilterToQuery(q.OrganizationIdFilter)`
			`default:`
			`return nil, zerrors.ThrowInvalidArgument(nil, "GRPC-vR9nC", "List.Query.Invalid")`
			`}`
			`}`

			`func authnPersonalAccessTokenIdFilterToQuery(f *filter_pb.IDFilter) (query.SearchQuery, error) {`
			`return query.NewPersonalAccessTokenIDQuery(f.Id)`
			`}`

			`func authnPersonalAccessTokenUserIdFilterToQuery(f *filter_pb.IDFilter) (query.SearchQuery, error) {`
			`return query.NewPersonalAccessTokenUserIDSearchQuery(f.Id)`
			`}`

			`func authnPersonalAccessTokenOrgIdFilterToQuery(f *filter_pb.IDFilter) (query.SearchQuery, error) {`
			`return query.NewPersonalAccessTokenResourceOwnerSearchQuery(f.Id)`
			`}`

			`func authnPersonalAccessTokenCreatedFilterToQuery(f *filter_pb.TimestampFilter) (query.SearchQuery, error) {`
			`return query.NewPersonalAccessTokenCreationDateQuery(f.Timestamp.AsTime(), filter.TimestampMethodPbToQuery(f.Method))`
			`}`

			`func authnPersonalAccessTokenExpirationFilterToQuery(f *filter_pb.TimestampFilter) (query.SearchQuery, error) {`
			`return query.NewPersonalAccessTokenExpirationDateDateQuery(f.Timestamp.AsTime(), filter.TimestampMethodPbToQuery(f.Method))`
			`}`

			`// authnPersonalAccessTokenFieldNameToSortingColumn defaults to the creation date because this ensures deterministic pagination`
			`func authnPersonalAccessTokenFieldNameToSortingColumn(field *user.PersonalAccessTokenFieldName) query.Column {`
			`if field == nil {`
			`return query.PersonalAccessTokenColumnCreationDate`
			`}`
			`switch *field {`
			`case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_UNSPECIFIED:`
			`return query.PersonalAccessTokenColumnCreationDate`
			`case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_ID:`
			`return query.PersonalAccessTokenColumnID`
			`case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_USER_ID:`
			`return query.PersonalAccessTokenColumnUserID`
			`case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_ORGANIZATION_ID:`
			`return query.PersonalAccessTokenColumnResourceOwner`
			`case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_CREATED_DATE:`
			`return query.PersonalAccessTokenColumnCreationDate`
			`case user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_EXPIRATION_DATE:`
			`return query.PersonalAccessTokenColumnExpiration`
			`default:`
			`return query.PersonalAccessTokenColumnCreationDate`
			`}`
			`}`