zitadel/internal/api/grpc/internal_permission/v2/administrator.go

package internal_permission

import (
	"context"

	"connectrpc.com/connect"
	"google.golang.org/protobuf/types/known/timestamppb"

	"github.com/zitadel/zitadel/internal/api/authz"
	"github.com/zitadel/zitadel/internal/command"
	"github.com/zitadel/zitadel/internal/zerrors"
	"github.com/zitadel/zitadel/pkg/grpc/internal_permission/v2"
)

func (s *Server) CreateAdministrator(ctx context.Context, req *connect.Request[internal_permission.CreateAdministratorRequest]) (*connect.Response[internal_permission.CreateAdministratorResponse], error) {
	var creationDate *timestamppb.Timestamp

	switch resource := req.Msg.GetResource().GetResource().(type) {
	case *internal_permission.ResourceType_Instance:
		if resource.Instance {
			member, err := s.command.AddInstanceMember(ctx, createAdministratorInstanceToCommand(authz.GetInstance(ctx).InstanceID(), req.Msg.UserId, req.Msg.Roles))
			if err != nil {
				return nil, err
			}
			if !member.EventDate.IsZero() {
				creationDate = timestamppb.New(member.EventDate)
			}
		}
	case *internal_permission.ResourceType_OrganizationId:
		member, err := s.command.AddOrgMember(ctx, createAdministratorOrganizationToCommand(resource, req.Msg.UserId, req.Msg.Roles))
		if err != nil {
			return nil, err
		}
		if !member.EventDate.IsZero() {
			creationDate = timestamppb.New(member.EventDate)
		}
	case *internal_permission.ResourceType_ProjectId:
		member, err := s.command.AddProjectMember(ctx, createAdministratorProjectToCommand(resource, req.Msg.UserId, req.Msg.Roles))
		if err != nil {
			return nil, err
		}
		if !member.EventDate.IsZero() {
			creationDate = timestamppb.New(member.EventDate)
		}
	case *internal_permission.ResourceType_ProjectGrant_:
		member, err := s.command.AddProjectGrantMember(ctx, createAdministratorProjectGrantToCommand(resource, req.Msg.UserId, req.Msg.Roles))
		if err != nil {
			return nil, err
		}
		if !member.EventDate.IsZero() {
			creationDate = timestamppb.New(member.EventDate)
		}
	default:
		return nil, zerrors.ThrowInvalidArgument(nil, "ADMIN-IbPp47HDP5", "Errors.Invalid.Argument")
	}

	return connect.NewResponse(&internal_permission.CreateAdministratorResponse{
		CreationDate: creationDate,
	}), nil
}

func createAdministratorInstanceToCommand(instanceID, userID string, roles []string) *command.AddInstanceMember {
	return &command.AddInstanceMember{
		InstanceID: instanceID,
		UserID:     userID,
		Roles:      roles,
	}
}

func createAdministratorOrganizationToCommand(req *internal_permission.ResourceType_OrganizationId, userID string, roles []string) *command.AddOrgMember {
	return &command.AddOrgMember{
		OrgID:  req.OrganizationId,
		UserID: userID,
		Roles:  roles,
	}
}

func createAdministratorProjectToCommand(req *internal_permission.ResourceType_ProjectId, userID string, roles []string) *command.AddProjectMember {
	return &command.AddProjectMember{
		ProjectID: req.ProjectId,
		UserID:    userID,
		Roles:     roles,
	}
}

func createAdministratorProjectGrantToCommand(req *internal_permission.ResourceType_ProjectGrant_, userID string, roles []string) *command.AddProjectGrantMember {
	return &command.AddProjectGrantMember{
		OrganizationID: req.ProjectGrant.OrganizationId,
		ProjectID:      req.ProjectGrant.ProjectId,
		UserID:         userID,
		Roles:          roles,
	}
}

func (s *Server) UpdateAdministrator(ctx context.Context, req *connect.Request[internal_permission.UpdateAdministratorRequest]) (*connect.Response[internal_permission.UpdateAdministratorResponse], error) {
	var changeDate *timestamppb.Timestamp

	switch resource := req.Msg.GetResource().GetResource().(type) {
	case *internal_permission.ResourceType_Instance:
		if resource.Instance {
			member, err := s.command.ChangeInstanceMember(ctx, updateAdministratorInstanceToCommand(authz.GetInstance(ctx).InstanceID(), req.Msg.UserId, req.Msg.Roles))
			if err != nil {
				return nil, err
			}
			if !member.EventDate.IsZero() {
				changeDate = timestamppb.New(member.EventDate)
			}
		}
	case *internal_permission.ResourceType_OrganizationId:
		member, err := s.command.ChangeOrgMember(ctx, updateAdministratorOrganizationToCommand(resource, req.Msg.UserId, req.Msg.Roles))
		if err != nil {
			return nil, err
		}
		if !member.EventDate.IsZero() {
			changeDate = timestamppb.New(member.EventDate)
		}
	case *internal_permission.ResourceType_ProjectId:
		member, err := s.command.ChangeProjectMember(ctx, updateAdministratorProjectToCommand(resource, req.Msg.UserId, req.Msg.Roles))
		if err != nil {
			return nil, err
		}
		if !member.EventDate.IsZero() {
			changeDate = timestamppb.New(member.EventDate)
		}
	case *internal_permission.ResourceType_ProjectGrant_:
		member, err := s.command.ChangeProjectGrantMember(ctx, updateAdministratorProjectGrantToCommand(resource, req.Msg.UserId, req.Msg.Roles))
		if err != nil {
			return nil, err
		}
		if !member.EventDate.IsZero() {
			changeDate = timestamppb.New(member.EventDate)
		}
	default:
		return nil, zerrors.ThrowInvalidArgument(nil, "ADMIN-i0V2IbdloZ", "Errors.Invalid.Argument")
	}

	return connect.NewResponse(&internal_permission.UpdateAdministratorResponse{
		ChangeDate: changeDate,
	}), nil
}

func updateAdministratorInstanceToCommand(instanceID, userID string, roles []string) *command.ChangeInstanceMember {
	return &command.ChangeInstanceMember{
		InstanceID: instanceID,
		UserID:     userID,
		Roles:      roles,
	}
}

func updateAdministratorOrganizationToCommand(req *internal_permission.ResourceType_OrganizationId, userID string, roles []string) *command.ChangeOrgMember {
	return &command.ChangeOrgMember{
		OrgID:  req.OrganizationId,
		UserID: userID,
		Roles:  roles,
	}
}

func updateAdministratorProjectToCommand(req *internal_permission.ResourceType_ProjectId, userID string, roles []string) *command.ChangeProjectMember {
	return &command.ChangeProjectMember{
		ProjectID: req.ProjectId,
		UserID:    userID,
		Roles:     roles,
	}
}

func updateAdministratorProjectGrantToCommand(req *internal_permission.ResourceType_ProjectGrant_, userID string, roles []string) *command.ChangeProjectGrantMember {
	return &command.ChangeProjectGrantMember{
		OrganizationID: req.ProjectGrant.OrganizationId,
		ProjectID:      req.ProjectGrant.ProjectId,
		UserID:         userID,
		Roles:          roles,
	}
}

func (s *Server) DeleteAdministrator(ctx context.Context, req *connect.Request[internal_permission.DeleteAdministratorRequest]) (*connect.Response[internal_permission.DeleteAdministratorResponse], error) {
	var deletionDate *timestamppb.Timestamp

	switch resource := req.Msg.GetResource().GetResource().(type) {
	case *internal_permission.ResourceType_Instance:
		if resource.Instance {
			member, err := s.command.RemoveInstanceMember(ctx, authz.GetInstance(ctx).InstanceID(), req.Msg.UserId)
			if err != nil {
				return nil, err
			}
			if !member.EventDate.IsZero() {
				deletionDate = timestamppb.New(member.EventDate)
			}
		}
	case *internal_permission.ResourceType_OrganizationId:
		member, err := s.command.RemoveOrgMember(ctx, resource.OrganizationId, req.Msg.UserId)
		if err != nil {
			return nil, err
		}
		if !member.EventDate.IsZero() {
			deletionDate = timestamppb.New(member.EventDate)
		}
	case *internal_permission.ResourceType_ProjectId:
		member, err := s.command.RemoveProjectMember(ctx, resource.ProjectId, req.Msg.UserId, "")
		if err != nil {
			return nil, err
		}
		if !member.EventDate.IsZero() {
			deletionDate = timestamppb.New(member.EventDate)
		}
	case *internal_permission.ResourceType_ProjectGrant_:
		member, err := s.command.RemoveProjectGrantMember(ctx, resource.ProjectGrant.ProjectId, req.Msg.UserId, "", resource.ProjectGrant.OrganizationId)
		if err != nil {
			return nil, err
		}
		if !member.EventDate.IsZero() {
			deletionDate = timestamppb.New(member.EventDate)
		}
	default:
		return nil, zerrors.ThrowInvalidArgument(nil, "ADMIN-3UOjLtuohh", "Errors.Invalid.Argument")
	}

	return connect.NewResponse(&internal_permission.DeleteAdministratorResponse{
		DeletionDate: deletionDate,
	}), nil
}
feat(api): move internal permission service to GA (and deprecate v2beta) (#10898) # Which Problems Are Solved As part of our efforts to simplify the structure and versions of our APIs, were moving all existing v2beta endpoints to v2 and deprecate them. They will be removed in Zitadel V5. # How the Problems Are Solved - This PR moves the internal permission v2beta service and its endpoints to a corresponding v2 version. The v2beta service and endpoints are deprecated. - The docs are moved to the new GA service and its endpoints. The v2beta is not displayed anymore. - The comments and have been improved and, where not already done, moved from swagger annotations to proto. - All required fields have been marked with (google.api.field_behavior) = REQUIRED and validation rules have been added where missing. - Listing administrators of a project grant can now be done with the `ProjectGrant` (`project_id` and `organization_id`) instead of a `project_id`, which corresponds to creation of the administrator ship of such grant. - formatted using `buf` # Additional Changes None # Additional Context - part of https://github.com/zitadel/zitadel/issues/10772 - requires backport to v4.x --------- Co-authored-by: Gayathri Vijayan <66356931+grvijayan@users.noreply.github.com> (cherry picked from commit 0f2a349ec145fc3efe0ec45db52d1f974fa180d2) 2025-10-17 07:35:35 +02:00			`package internal_permission`

			`import (`
			`"context"`

			`"connectrpc.com/connect"`
			`"google.golang.org/protobuf/types/known/timestamppb"`

			`"github.com/zitadel/zitadel/internal/api/authz"`
			`"github.com/zitadel/zitadel/internal/command"`
			`"github.com/zitadel/zitadel/internal/zerrors"`
			`"github.com/zitadel/zitadel/pkg/grpc/internal_permission/v2"`
			`)`

			`func (s Server) CreateAdministrator(ctx context.Context, req connect.Request[internal_permission.CreateAdministratorRequest]) (*connect.Response[internal_permission.CreateAdministratorResponse], error) {`
			`var creationDate *timestamppb.Timestamp`

			`switch resource := req.Msg.GetResource().GetResource().(type) {`
			`case *internal_permission.ResourceType_Instance:`
			`if resource.Instance {`
			`member, err := s.command.AddInstanceMember(ctx, createAdministratorInstanceToCommand(authz.GetInstance(ctx).InstanceID(), req.Msg.UserId, req.Msg.Roles))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !member.EventDate.IsZero() {`
			`creationDate = timestamppb.New(member.EventDate)`
			`}`
			`}`
			`case *internal_permission.ResourceType_OrganizationId:`
			`member, err := s.command.AddOrgMember(ctx, createAdministratorOrganizationToCommand(resource, req.Msg.UserId, req.Msg.Roles))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !member.EventDate.IsZero() {`
			`creationDate = timestamppb.New(member.EventDate)`
			`}`
			`case *internal_permission.ResourceType_ProjectId:`
			`member, err := s.command.AddProjectMember(ctx, createAdministratorProjectToCommand(resource, req.Msg.UserId, req.Msg.Roles))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !member.EventDate.IsZero() {`
			`creationDate = timestamppb.New(member.EventDate)`
			`}`
			`case *internal_permission.ResourceType_ProjectGrant_:`
			`member, err := s.command.AddProjectGrantMember(ctx, createAdministratorProjectGrantToCommand(resource, req.Msg.UserId, req.Msg.Roles))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !member.EventDate.IsZero() {`
			`creationDate = timestamppb.New(member.EventDate)`
			`}`
			`default:`
			`return nil, zerrors.ThrowInvalidArgument(nil, "ADMIN-IbPp47HDP5", "Errors.Invalid.Argument")`
			`}`

			`return connect.NewResponse(&internal_permission.CreateAdministratorResponse{`
			`CreationDate: creationDate,`
			`}), nil`
			`}`

			`func createAdministratorInstanceToCommand(instanceID, userID string, roles []string) *command.AddInstanceMember {`
			`return &command.AddInstanceMember{`
			`InstanceID: instanceID,`
			`UserID: userID,`
			`Roles: roles,`
			`}`
			`}`

			`func createAdministratorOrganizationToCommand(req internal_permission.ResourceType_OrganizationId, userID string, roles []string) command.AddOrgMember {`
			`return &command.AddOrgMember{`
			`OrgID: req.OrganizationId,`
			`UserID: userID,`
			`Roles: roles,`
			`}`
			`}`

			`func createAdministratorProjectToCommand(req internal_permission.ResourceType_ProjectId, userID string, roles []string) command.AddProjectMember {`
			`return &command.AddProjectMember{`
			`ProjectID: req.ProjectId,`
			`UserID: userID,`
			`Roles: roles,`
			`}`
			`}`

			`func createAdministratorProjectGrantToCommand(req internal_permission.ResourceType_ProjectGrant_, userID string, roles []string) command.AddProjectGrantMember {`
			`return &command.AddProjectGrantMember{`
			`OrganizationID: req.ProjectGrant.OrganizationId,`
			`ProjectID: req.ProjectGrant.ProjectId,`
			`UserID: userID,`
			`Roles: roles,`
			`}`
			`}`

			`func (s Server) UpdateAdministrator(ctx context.Context, req connect.Request[internal_permission.UpdateAdministratorRequest]) (*connect.Response[internal_permission.UpdateAdministratorResponse], error) {`
			`var changeDate *timestamppb.Timestamp`

			`switch resource := req.Msg.GetResource().GetResource().(type) {`
			`case *internal_permission.ResourceType_Instance:`
			`if resource.Instance {`
			`member, err := s.command.ChangeInstanceMember(ctx, updateAdministratorInstanceToCommand(authz.GetInstance(ctx).InstanceID(), req.Msg.UserId, req.Msg.Roles))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !member.EventDate.IsZero() {`
			`changeDate = timestamppb.New(member.EventDate)`
			`}`
			`}`
			`case *internal_permission.ResourceType_OrganizationId:`
			`member, err := s.command.ChangeOrgMember(ctx, updateAdministratorOrganizationToCommand(resource, req.Msg.UserId, req.Msg.Roles))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !member.EventDate.IsZero() {`
			`changeDate = timestamppb.New(member.EventDate)`
			`}`
			`case *internal_permission.ResourceType_ProjectId:`
			`member, err := s.command.ChangeProjectMember(ctx, updateAdministratorProjectToCommand(resource, req.Msg.UserId, req.Msg.Roles))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !member.EventDate.IsZero() {`
			`changeDate = timestamppb.New(member.EventDate)`
			`}`
			`case *internal_permission.ResourceType_ProjectGrant_:`
			`member, err := s.command.ChangeProjectGrantMember(ctx, updateAdministratorProjectGrantToCommand(resource, req.Msg.UserId, req.Msg.Roles))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !member.EventDate.IsZero() {`
			`changeDate = timestamppb.New(member.EventDate)`
			`}`
			`default:`
			`return nil, zerrors.ThrowInvalidArgument(nil, "ADMIN-i0V2IbdloZ", "Errors.Invalid.Argument")`
			`}`

			`return connect.NewResponse(&internal_permission.UpdateAdministratorResponse{`
			`ChangeDate: changeDate,`
			`}), nil`
			`}`

			`func updateAdministratorInstanceToCommand(instanceID, userID string, roles []string) *command.ChangeInstanceMember {`
			`return &command.ChangeInstanceMember{`
			`InstanceID: instanceID,`
			`UserID: userID,`
			`Roles: roles,`
			`}`
			`}`

			`func updateAdministratorOrganizationToCommand(req internal_permission.ResourceType_OrganizationId, userID string, roles []string) command.ChangeOrgMember {`
			`return &command.ChangeOrgMember{`
			`OrgID: req.OrganizationId,`
			`UserID: userID,`
			`Roles: roles,`
			`}`
			`}`

			`func updateAdministratorProjectToCommand(req internal_permission.ResourceType_ProjectId, userID string, roles []string) command.ChangeProjectMember {`
			`return &command.ChangeProjectMember{`
			`ProjectID: req.ProjectId,`
			`UserID: userID,`
			`Roles: roles,`
			`}`
			`}`

			`func updateAdministratorProjectGrantToCommand(req internal_permission.ResourceType_ProjectGrant_, userID string, roles []string) command.ChangeProjectGrantMember {`
			`return &command.ChangeProjectGrantMember{`
			`OrganizationID: req.ProjectGrant.OrganizationId,`
			`ProjectID: req.ProjectGrant.ProjectId,`
			`UserID: userID,`
			`Roles: roles,`
			`}`
			`}`

			`func (s Server) DeleteAdministrator(ctx context.Context, req connect.Request[internal_permission.DeleteAdministratorRequest]) (*connect.Response[internal_permission.DeleteAdministratorResponse], error) {`
			`var deletionDate *timestamppb.Timestamp`

			`switch resource := req.Msg.GetResource().GetResource().(type) {`
			`case *internal_permission.ResourceType_Instance:`
			`if resource.Instance {`
			`member, err := s.command.RemoveInstanceMember(ctx, authz.GetInstance(ctx).InstanceID(), req.Msg.UserId)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !member.EventDate.IsZero() {`
			`deletionDate = timestamppb.New(member.EventDate)`
			`}`
			`}`
			`case *internal_permission.ResourceType_OrganizationId:`
			`member, err := s.command.RemoveOrgMember(ctx, resource.OrganizationId, req.Msg.UserId)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !member.EventDate.IsZero() {`
			`deletionDate = timestamppb.New(member.EventDate)`
			`}`
			`case *internal_permission.ResourceType_ProjectId:`
			`member, err := s.command.RemoveProjectMember(ctx, resource.ProjectId, req.Msg.UserId, "")`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !member.EventDate.IsZero() {`
			`deletionDate = timestamppb.New(member.EventDate)`
			`}`
			`case *internal_permission.ResourceType_ProjectGrant_:`
			`member, err := s.command.RemoveProjectGrantMember(ctx, resource.ProjectGrant.ProjectId, req.Msg.UserId, "", resource.ProjectGrant.OrganizationId)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !member.EventDate.IsZero() {`
			`deletionDate = timestamppb.New(member.EventDate)`
			`}`
			`default:`
			`return nil, zerrors.ThrowInvalidArgument(nil, "ADMIN-3UOjLtuohh", "Errors.Invalid.Argument")`
			`}`

			`return connect.NewResponse(&internal_permission.DeleteAdministratorResponse{`
			`DeletionDate: deletionDate,`
			`}), nil`
			`}`