2020-05-11 10:16:29 +00:00
|
|
|
package eventstore
|
2020-05-11 08:16:27 +00:00
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2020-07-15 11:24:36 +00:00
|
|
|
"github.com/caos/logging"
|
2020-07-22 12:00:29 +00:00
|
|
|
"github.com/caos/zitadel/internal/api/authz"
|
|
|
|
caos_errors "github.com/caos/zitadel/internal/errors"
|
2020-05-12 04:30:53 +00:00
|
|
|
"github.com/caos/zitadel/internal/management/repository/eventsourcing/view"
|
2020-07-22 12:00:29 +00:00
|
|
|
global_model "github.com/caos/zitadel/internal/model"
|
2020-05-11 08:16:27 +00:00
|
|
|
grant_model "github.com/caos/zitadel/internal/usergrant/model"
|
|
|
|
grant_event "github.com/caos/zitadel/internal/usergrant/repository/eventsourcing"
|
2020-05-12 04:30:53 +00:00
|
|
|
"github.com/caos/zitadel/internal/usergrant/repository/view/model"
|
2020-07-22 12:00:29 +00:00
|
|
|
"github.com/caos/zitadel/internal/view/repository"
|
|
|
|
)
|
|
|
|
|
2020-05-11 08:16:27 +00:00
|
|
|
type UserGrantRepo struct {
|
2020-05-12 04:30:53 +00:00
|
|
|
SearchLimit uint64
|
2020-05-11 08:16:27 +00:00
|
|
|
UserGrantEvents *grant_event.UserGrantEventStore
|
2020-05-12 04:30:53 +00:00
|
|
|
View *view.View
|
2020-05-11 08:16:27 +00:00
|
|
|
}
|
|
|
|
|
2020-06-23 05:06:07 +00:00
|
|
|
func (repo *UserGrantRepo) UserGrantByID(ctx context.Context, grantID string) (*grant_model.UserGrantView, error) {
|
|
|
|
grant, err := repo.View.UserGrantByID(grantID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return model.UserGrantToModel(grant), nil
|
2020-05-11 08:16:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (repo *UserGrantRepo) AddUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
|
2020-07-22 12:00:29 +00:00
|
|
|
err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-05-11 08:16:27 +00:00
|
|
|
return repo.UserGrantEvents.AddUserGrant(ctx, grant)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (repo *UserGrantRepo) ChangeUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
|
2020-07-22 12:00:29 +00:00
|
|
|
err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-05-11 08:16:27 +00:00
|
|
|
return repo.UserGrantEvents.ChangeUserGrant(ctx, grant)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (repo *UserGrantRepo) DeactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
|
2020-07-22 12:00:29 +00:00
|
|
|
grant, err := repo.UserGrantByID(ctx, grantID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-05-11 08:16:27 +00:00
|
|
|
return repo.UserGrantEvents.DeactivateUserGrant(ctx, grantID)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (repo *UserGrantRepo) ReactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
|
2020-07-22 12:00:29 +00:00
|
|
|
grant, err := repo.UserGrantByID(ctx, grantID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-05-11 08:16:27 +00:00
|
|
|
return repo.UserGrantEvents.ReactivateUserGrant(ctx, grantID)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (repo *UserGrantRepo) RemoveUserGrant(ctx context.Context, grantID string) error {
|
2020-07-22 12:00:29 +00:00
|
|
|
grant, err := repo.UserGrantByID(ctx, grantID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2020-05-11 08:16:27 +00:00
|
|
|
return repo.UserGrantEvents.RemoveUserGrant(ctx, grantID)
|
|
|
|
}
|
2020-05-12 04:30:53 +00:00
|
|
|
|
2020-06-19 13:32:03 +00:00
|
|
|
func (repo *UserGrantRepo) BulkAddUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
|
2020-07-22 12:00:29 +00:00
|
|
|
for _, grant := range grants {
|
|
|
|
err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2020-06-19 13:32:03 +00:00
|
|
|
return repo.UserGrantEvents.AddUserGrants(ctx, grants...)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (repo *UserGrantRepo) BulkChangeUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
|
2020-07-22 12:00:29 +00:00
|
|
|
for _, grant := range grants {
|
|
|
|
err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2020-06-19 13:32:03 +00:00
|
|
|
return repo.UserGrantEvents.ChangeUserGrants(ctx, grants...)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (repo *UserGrantRepo) BulkRemoveUserGrant(ctx context.Context, grantIDs ...string) error {
|
2020-07-22 12:00:29 +00:00
|
|
|
for _, grantID := range grantIDs {
|
|
|
|
grant, err := repo.UserGrantByID(ctx, grantID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2020-06-19 13:32:03 +00:00
|
|
|
return repo.UserGrantEvents.RemoveUserGrants(ctx, grantIDs...)
|
|
|
|
}
|
|
|
|
|
2020-05-12 04:30:53 +00:00
|
|
|
func (repo *UserGrantRepo) SearchUserGrants(ctx context.Context, request *grant_model.UserGrantSearchRequest) (*grant_model.UserGrantSearchResponse, error) {
|
|
|
|
request.EnsureLimit(repo.SearchLimit)
|
2020-08-26 07:56:23 +00:00
|
|
|
sequence, sequenceErr := repo.View.GetLatestUserGrantSequence()
|
|
|
|
logging.Log("EVENT-5Viwf").OnError(sequenceErr).Warn("could not read latest user grant sequence")
|
2020-07-22 12:00:29 +00:00
|
|
|
|
|
|
|
result := handleSearchUserGrantPermissions(ctx, request, sequence)
|
|
|
|
if result != nil {
|
|
|
|
return result, nil
|
|
|
|
}
|
|
|
|
|
2020-05-12 04:30:53 +00:00
|
|
|
grants, count, err := repo.View.SearchUserGrants(request)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-07-22 12:00:29 +00:00
|
|
|
|
|
|
|
result = &grant_model.UserGrantSearchResponse{
|
2020-05-12 04:30:53 +00:00
|
|
|
Offset: request.Offset,
|
|
|
|
Limit: request.Limit,
|
|
|
|
TotalResult: uint64(count),
|
|
|
|
Result: model.UserGrantsToModel(grants),
|
2020-07-15 11:24:36 +00:00
|
|
|
}
|
2020-08-26 07:56:23 +00:00
|
|
|
if sequenceErr == nil {
|
2020-07-15 11:24:36 +00:00
|
|
|
result.Sequence = sequence.CurrentSequence
|
|
|
|
result.Timestamp = sequence.CurrentTimestamp
|
|
|
|
}
|
|
|
|
return result, nil
|
2020-05-12 04:30:53 +00:00
|
|
|
}
|
2020-07-22 12:00:29 +00:00
|
|
|
|
|
|
|
func handleSearchUserGrantPermissions(ctx context.Context, request *grant_model.UserGrantSearchRequest, sequence *repository.CurrentSequence) *grant_model.UserGrantSearchResponse {
|
|
|
|
permissions := authz.GetAllPermissionsFromCtx(ctx)
|
|
|
|
if authz.HasGlobalExplicitPermission(permissions, projectReadPerm) {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
ids := authz.GetExplicitPermissionCtxIDs(permissions, projectReadPerm)
|
|
|
|
if _, q := request.GetSearchQuery(grant_model.UserGrantSearchKeyProjectID); q != nil {
|
|
|
|
containsID := false
|
|
|
|
for _, id := range ids {
|
|
|
|
if id == q.Value {
|
|
|
|
containsID = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !containsID {
|
|
|
|
result := &grant_model.UserGrantSearchResponse{
|
|
|
|
Offset: request.Offset,
|
|
|
|
Limit: request.Limit,
|
|
|
|
TotalResult: uint64(0),
|
|
|
|
Result: []*grant_model.UserGrantView{},
|
|
|
|
}
|
|
|
|
if sequence != nil {
|
|
|
|
result.Sequence = sequence.CurrentSequence
|
|
|
|
result.Timestamp = sequence.CurrentTimestamp
|
|
|
|
}
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
}
|
|
|
|
request.Queries = append(request.Queries, &grant_model.UserGrantSearchQuery{Key: grant_model.UserGrantSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func checkExplicitPermission(ctx context.Context, grantID, projectID string) error {
|
|
|
|
permissions := authz.GetRequestPermissionsFromCtx(ctx)
|
|
|
|
if authz.HasGlobalPermission(permissions) {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
ids := authz.GetAllPermissionCtxIDs(permissions)
|
|
|
|
containsID := false
|
|
|
|
if grantID != "" {
|
|
|
|
containsID = listContainsID(ids, grantID)
|
|
|
|
if containsID {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
containsID = listContainsID(ids, projectID)
|
|
|
|
if !containsID {
|
|
|
|
return caos_errors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func listContainsID(ids []string, id string) bool {
|
|
|
|
containsID := false
|
|
|
|
for _, i := range ids {
|
|
|
|
if i == id {
|
|
|
|
containsID = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return containsID
|
|
|
|
}
|