zitadel/internal/api/grpc/project/v2beta/project_role.go

package project

import (
	"context"

	"google.golang.org/protobuf/types/known/timestamppb"

	"github.com/zitadel/zitadel/internal/command"
	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
	"github.com/zitadel/zitadel/internal/query"
	project_pb "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"
)

func (s *Server) AddProjectRole(ctx context.Context, req *project_pb.AddProjectRoleRequest) (*project_pb.AddProjectRoleResponse, error) {
	role, err := s.command.AddProjectRole(ctx, addProjectRoleRequestToCommand(req))
	if err != nil {
		return nil, err
	}
	var creationDate *timestamppb.Timestamp
	if !role.EventDate.IsZero() {
		creationDate = timestamppb.New(role.EventDate)
	}
	return &project_pb.AddProjectRoleResponse{
		CreationDate: creationDate,
	}, nil
}

func addProjectRoleRequestToCommand(req *project_pb.AddProjectRoleRequest) *command.AddProjectRole {
	group := ""
	if req.Group != nil {
		group = *req.Group
	}

	return &command.AddProjectRole{
		ObjectRoot: models.ObjectRoot{
			AggregateID: req.ProjectId,
		},
		Key:         req.RoleKey,
		DisplayName: req.DisplayName,
		Group:       group,
	}
}

func (s *Server) UpdateProjectRole(ctx context.Context, req *project_pb.UpdateProjectRoleRequest) (*project_pb.UpdateProjectRoleResponse, error) {
	role, err := s.command.ChangeProjectRole(ctx, updateProjectRoleRequestToCommand(req))
	if err != nil {
		return nil, err
	}
	var changeDate *timestamppb.Timestamp
	if !role.EventDate.IsZero() {
		changeDate = timestamppb.New(role.EventDate)
	}
	return &project_pb.UpdateProjectRoleResponse{
		ChangeDate: changeDate,
	}, nil
}

func updateProjectRoleRequestToCommand(req *project_pb.UpdateProjectRoleRequest) *command.ChangeProjectRole {
	displayName := ""
	if req.DisplayName != nil {
		displayName = *req.DisplayName
	}
	group := ""
	if req.Group != nil {
		group = *req.Group
	}

	return &command.ChangeProjectRole{
		ObjectRoot: models.ObjectRoot{
			AggregateID: req.ProjectId,
		},
		Key:         req.RoleKey,
		DisplayName: displayName,
		Group:       group,
	}
}

func (s *Server) RemoveProjectRole(ctx context.Context, req *project_pb.RemoveProjectRoleRequest) (*project_pb.RemoveProjectRoleResponse, error) {
	userGrantIDs, err := s.userGrantsFromProjectAndRole(ctx, req.ProjectId, req.RoleKey)
	if err != nil {
		return nil, err
	}
	projectGrantIDs, err := s.projectGrantsFromProjectAndRole(ctx, req.ProjectId, req.RoleKey)
	if err != nil {
		return nil, err
	}
	details, err := s.command.RemoveProjectRole(ctx, req.ProjectId, req.RoleKey, "", projectGrantIDs, userGrantIDs...)
	if err != nil {
		return nil, err
	}
	var deletionDate *timestamppb.Timestamp
	if !details.EventDate.IsZero() {
		deletionDate = timestamppb.New(details.EventDate)
	}
	return &project_pb.RemoveProjectRoleResponse{
		RemovalDate: deletionDate,
	}, nil
}

func (s *Server) userGrantsFromProjectAndRole(ctx context.Context, projectID, roleKey string) ([]string, error) {
	projectQuery, err := query.NewUserGrantProjectIDSearchQuery(projectID)
	if err != nil {
		return nil, err
	}
	rolesQuery, err := query.NewUserGrantRoleQuery(roleKey)
	if err != nil {
		return nil, err
	}
	userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
		Queries: []query.SearchQuery{projectQuery, rolesQuery},
	}, false)
	if err != nil {
		return nil, err
	}
	return userGrantsToIDs(userGrants.UserGrants), nil
}

func (s *Server) projectGrantsFromProjectAndRole(ctx context.Context, projectID, roleKey string) ([]string, error) {
	projectGrants, err := s.query.SearchProjectGrantsByProjectIDAndRoleKey(ctx, projectID, roleKey)
	if err != nil {
		return nil, err
	}
	return projectGrantsToIDs(projectGrants), nil
}

func projectGrantsToIDs(projectGrants *query.ProjectGrants) []string {
	converted := make([]string, len(projectGrants.ProjectGrants))
	for i, grant := range projectGrants.ProjectGrants {
		converted[i] = grant.GrantID
	}
	return converted
}
feat: project v2beta resource API (#9742) # Which Problems Are Solved Resource management of projects and sub-resources was before limited by the context provided by the management API, which would mean you could only manage resources belonging to a specific organization. # How the Problems Are Solved With the addition of a resource-based API, it is now possible to manage projects and sub-resources on the basis of the resources themselves, which means that as long as you have the permission for the resource, you can create, read, update and delete it. - CreateProject to create a project under an organization - UpdateProject to update an existing project - DeleteProject to delete an existing project - DeactivateProject and ActivateProject to change the status of a project - GetProject to query for a specific project with an identifier - ListProject to query for projects and granted projects - CreateProjectGrant to create a project grant with project and granted organization - UpdateProjectGrant to update the roles of a project grant - DeactivateProjectGrant and ActivateProjectGrant to change the status of a project grant - DeleteProjectGrant to delete an existing project grant - ListProjectGrants to query for project grants - AddProjectRole to add a role to an existing project - UpdateProjectRole to change texts of an existing role - RemoveProjectRole to remove an existing role - ListProjectRoles to query for project roles # Additional Changes - Changes to ListProjects, which now contains granted projects as well - Changes to messages as defined in the [API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md) - Permission checks for project functionality on query and command side - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - ListProjects now also correctly lists `granted projects` - Permission checks for project grant and project role functionality on query and command side - Change existing pre checks so that they also work resource specific without resourceowner - Added the resourceowner to the grant and role if no resourceowner is provided - Corrected import tests with project grants and roles - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - Corrected some naming in the proto files to adhere to the API_DESIGN # Additional Context Closes #9177 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-05-21 14:40:47 +02:00			`package project`

			`import (`
			`"context"`

			`"google.golang.org/protobuf/types/known/timestamppb"`

			`"github.com/zitadel/zitadel/internal/command"`
			`"github.com/zitadel/zitadel/internal/eventstore/v1/models"`
			`"github.com/zitadel/zitadel/internal/query"`
			`project_pb "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"`
			`)`

			`func (s Server) AddProjectRole(ctx context.Context, req project_pb.AddProjectRoleRequest) (*project_pb.AddProjectRoleResponse, error) {`
			`role, err := s.command.AddProjectRole(ctx, addProjectRoleRequestToCommand(req))`
			`if err != nil {`
			`return nil, err`
			`}`
			`var creationDate *timestamppb.Timestamp`
			`if !role.EventDate.IsZero() {`
			`creationDate = timestamppb.New(role.EventDate)`
			`}`
			`return &project_pb.AddProjectRoleResponse{`
			`CreationDate: creationDate,`
			`}, nil`
			`}`

			`func addProjectRoleRequestToCommand(req project_pb.AddProjectRoleRequest) command.AddProjectRole {`
			`group := ""`
			`if req.Group != nil {`
			`group = *req.Group`
			`}`

			`return &command.AddProjectRole{`
			`ObjectRoot: models.ObjectRoot{`
			`AggregateID: req.ProjectId,`
			`},`
			`Key: req.RoleKey,`
			`DisplayName: req.DisplayName,`
			`Group: group,`
			`}`
			`}`

			`func (s Server) UpdateProjectRole(ctx context.Context, req project_pb.UpdateProjectRoleRequest) (*project_pb.UpdateProjectRoleResponse, error) {`
			`role, err := s.command.ChangeProjectRole(ctx, updateProjectRoleRequestToCommand(req))`
			`if err != nil {`
			`return nil, err`
			`}`
			`var changeDate *timestamppb.Timestamp`
			`if !role.EventDate.IsZero() {`
			`changeDate = timestamppb.New(role.EventDate)`
			`}`
			`return &project_pb.UpdateProjectRoleResponse{`
			`ChangeDate: changeDate,`
			`}, nil`
			`}`

			`func updateProjectRoleRequestToCommand(req project_pb.UpdateProjectRoleRequest) command.ChangeProjectRole {`
			`displayName := ""`
			`if req.DisplayName != nil {`
			`displayName = *req.DisplayName`
			`}`
			`group := ""`
			`if req.Group != nil {`
			`group = *req.Group`
			`}`

			`return &command.ChangeProjectRole{`
			`ObjectRoot: models.ObjectRoot{`
			`AggregateID: req.ProjectId,`
			`},`
			`Key: req.RoleKey,`
			`DisplayName: displayName,`
			`Group: group,`
			`}`
			`}`

			`func (s Server) RemoveProjectRole(ctx context.Context, req project_pb.RemoveProjectRoleRequest) (*project_pb.RemoveProjectRoleResponse, error) {`
			`userGrantIDs, err := s.userGrantsFromProjectAndRole(ctx, req.ProjectId, req.RoleKey)`
			`if err != nil {`
			`return nil, err`
			`}`
			`projectGrantIDs, err := s.projectGrantsFromProjectAndRole(ctx, req.ProjectId, req.RoleKey)`
			`if err != nil {`
			`return nil, err`
			`}`
			`details, err := s.command.RemoveProjectRole(ctx, req.ProjectId, req.RoleKey, "", projectGrantIDs, userGrantIDs...)`
			`if err != nil {`
			`return nil, err`
			`}`
			`var deletionDate *timestamppb.Timestamp`
			`if !details.EventDate.IsZero() {`
			`deletionDate = timestamppb.New(details.EventDate)`
			`}`
			`return &project_pb.RemoveProjectRoleResponse{`
			`RemovalDate: deletionDate,`
			`}, nil`
			`}`

			`func (s *Server) userGrantsFromProjectAndRole(ctx context.Context, projectID, roleKey string) ([]string, error) {`
			`projectQuery, err := query.NewUserGrantProjectIDSearchQuery(projectID)`
			`if err != nil {`
			`return nil, err`
			`}`
			`rolesQuery, err := query.NewUserGrantRoleQuery(roleKey)`
			`if err != nil {`
			`return nil, err`
			`}`
			`userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{`
			`Queries: []query.SearchQuery{projectQuery, rolesQuery},`
			`}, false)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return userGrantsToIDs(userGrants.UserGrants), nil`
			`}`

			`func (s *Server) projectGrantsFromProjectAndRole(ctx context.Context, projectID, roleKey string) ([]string, error) {`
			`projectGrants, err := s.query.SearchProjectGrantsByProjectIDAndRoleKey(ctx, projectID, roleKey)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return projectGrantsToIDs(projectGrants), nil`
			`}`

			`func projectGrantsToIDs(projectGrants *query.ProjectGrants) []string {`
			`converted := make([]string, len(projectGrants.ProjectGrants))`
			`for i, grant := range projectGrants.ProjectGrants {`
			`converted[i] = grant.GrantID`
			`}`
			`return converted`
			`}`