zitadel/internal/query/group_users.go

package query

import (
	"context"
	"database/sql"
	"slices"
	"time"

	sq "github.com/Masterminds/squirrel"

	"github.com/zitadel/zitadel/internal/api/authz"
	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/query/projection"
	"github.com/zitadel/zitadel/internal/telemetry/tracing"
	"github.com/zitadel/zitadel/internal/zerrors"
)

var (
	groupUsersTable = table{
		name:          projection.GroupUsersProjectionTable,
		instanceIDCol: projection.GroupUsersColumnInstanceID,
	}
	GroupUsersColumnGroupID = Column{
		name:  projection.GroupUsersColumnGroupID,
		table: groupUsersTable,
	}
	GroupUsersColumnUserID = Column{
		name:  projection.GroupUsersColumnUserID,
		table: groupUsersTable,
	}
	GroupUsersColumnResourceOwner = Column{
		name:  projection.GroupUsersColumnResourceOwner,
		table: groupUsersTable,
	}
	GroupUsersColumnCreationDate = Column{
		name:  projection.GroupUsersColumnCreationDate,
		table: groupUsersTable,
	}
	GroupUsersColumnInstanceID = Column{
		name:  projection.GroupUsersColumnInstanceID,
		table: groupUsersTable,
	}
	GroupUsersColumnSequence = Column{
		name:  projection.GroupUsersColumnSequence,
		table: groupUsersTable,
	}
)

type GroupUsers struct {
	SearchResponse
	GroupUsers []*GroupUser
}

type GroupUser struct {
	GroupID       string
	ResourceOwner string
	CreationDate  time.Time
	Sequence      uint64

	// user fields
	UserID             string
	PreferredLoginName string
	DisplayName        string
	AvatarUrl          string
}

type GroupUsersSearchQuery struct {
	SearchRequest
	Queries []SearchQuery
}

func (q *Queries) SearchGroupUsers(ctx context.Context, queries *GroupUsersSearchQuery, permissionCheck domain.PermissionCheck) (_ *GroupUsers, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	permissionCheckV2 := PermissionV2(ctx, permissionCheck)

	groupUsers, err := q.searchGroupUsers(ctx, queries, permissionCheckV2)
	if err != nil {
		return nil, err
	}
	if permissionCheck != nil && !permissionCheckV2 {
		groupUsersCheckPermission(ctx, groupUsers, permissionCheck)
	}
	return groupUsers, nil
}

func NewGroupUsersUserIDsSearchQuery(userIDs []string) (SearchQuery, error) {
	list := make([]interface{}, len(userIDs))
	for i, value := range userIDs {
		list[i] = value
	}
	return NewListQuery(GroupUsersColumnUserID, list, ListIn)
}

func NewGroupUsersGroupIDsSearchQuery(groupIDs []string) (SearchQuery, error) {
	list := make([]interface{}, len(groupIDs))
	for i, value := range groupIDs {
		list[i] = value
	}
	return NewListQuery(GroupUsersColumnGroupID, list, ListIn)
}

func (q *Queries) searchGroupUsers(ctx context.Context, queries *GroupUsersSearchQuery, permissionCheckV2 bool) (groupUsers *GroupUsers, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	query, scan := prepareGroupUsersQuery()
	query = groupUsersPermissionCheckV2(ctx, query, queries, permissionCheckV2)
	eq := sq.And{
		sq.Eq{
			GroupUsersColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
		},
	}
	stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
	if err != nil {
		return nil, zerrors.ThrowInvalidArgument(err, "QUERY-TTlfF6", "Errors.Query.InvalidRequest")
	}

	err = q.client.QueryContext(ctx, func(rows *sql.Rows) error {
		groupUsers, err = scan(rows)
		return err
	}, stmt, args...)
	if err != nil {
		return nil, zerrors.ThrowInternal(err, "QUERY-M5O50l", "Errors.Internal")
	}
	groupUsers.State, err = q.latestState(ctx, groupUsersTable)
	return groupUsers, nil
}

func prepareGroupUsersQuery() (query sq.SelectBuilder, scan func(*sql.Rows) (*GroupUsers, error)) {
	return sq.Select(
			GroupUsersColumnGroupID.identifier(),
			GroupUsersColumnUserID.identifier(),
			HumanDisplayNameCol.identifier(),
			LoginNameNameCol.identifier(),
			GroupUsersColumnResourceOwner.identifier(),
			HumanAvatarURLCol.identifier(),
			GroupUsersColumnCreationDate.identifier(),
			GroupUsersColumnSequence.identifier(),
			countColumn.identifier(),
		).From(groupUsersTable.identifier()).
			LeftJoin(join(HumanUserIDCol, GroupUsersColumnUserID)).
			LeftJoin(join(LoginNameUserIDCol, GroupUsersColumnUserID)).
			Where(
				sq.Eq{LoginNameIsPrimaryCol.identifier(): true},
			).PlaceholderFormat(sq.Dollar),
		func(rows *sql.Rows) (*GroupUsers, error) {
			groupUsers := make([]*GroupUser, 0)
			var count uint64
			for rows.Next() {
				g := new(GroupUser)

				var (
					displayName        sql.NullString
					avatarURL          sql.NullString
					preferredLoginName sql.NullString
				)

				err := rows.Scan(
					&g.GroupID,
					&g.UserID,
					&displayName,
					&preferredLoginName,
					&g.ResourceOwner,
					&avatarURL,
					&g.CreationDate,
					&g.Sequence,
					&count,
				)
				if err != nil {
					return nil, err
				}

				g.DisplayName = displayName.String
				g.AvatarUrl = avatarURL.String
				g.PreferredLoginName = preferredLoginName.String
				groupUsers = append(groupUsers, g)
			}
			if err := rows.Close(); err != nil {
				return nil, zerrors.ThrowInternal(err, "QUERY-JuX6i5", "Errors.Query.CloseRows")
			}
			return &GroupUsers{
				GroupUsers: groupUsers,
				SearchResponse: SearchResponse{
					Count: count,
				},
			}, nil
		}
}

func groupUsersCheckPermission(ctx context.Context, groupUsers *GroupUsers, permissionCheck domain.PermissionCheck) {
	groupUsers.GroupUsers = slices.DeleteFunc(groupUsers.GroupUsers,
		func(gu *GroupUser) bool {
			return permissionCheck(ctx, domain.PermissionGroupUserRead, gu.ResourceOwner, gu.GroupID) != nil
		},
	)
}

func groupUsersPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, queries *GroupUsersSearchQuery, permissionCheckV2 bool) sq.SelectBuilder {
	if !permissionCheckV2 {
		return query
	}

	join, args := PermissionClause(
		ctx,
		GroupUsersColumnResourceOwner,
		domain.PermissionGroupUserRead,
	)

	return query.JoinClause(join, args...)
}

func (q *GroupUsersSearchQuery) toQuery(query sq.SelectBuilder) sq.SelectBuilder {
	query = q.SearchRequest.toQuery(query)
	for _, q := range q.Queries {
		query = q.toQuery(query)
	}
	return query
}
feat(group): manage users in user groups (#10940) # Which Problems Are Solved 1. Adding users to user groups and removing users from user groups. 2. Searching for users in user groups by group IDs or user IDs # How the Problems Are Solved By adding: 1. The API definitions to manage users in users groups 3. The command-layer implementation of adding users/removing users to/from user groups. 4. The projection table group_users1 5. Query-side implementation to search for users in user groups # Additional Changes 1. Remove debug statements from unit tests. 2. Fix removal of groups when orgs are removed 3. Add unit tests for groups projection # Additional Context * Related to #9702 * Follow-up for PRs * https://github.com/zitadel/zitadel/pull/10455 * https://github.com/zitadel/zitadel/pull/10758 * https://github.com/zitadel/zitadel/pull/10853 2025-10-28 14:23:54 +01:00			`package query`

			`import (`
			`"context"`
			`"database/sql"`
			`"slices"`
			`"time"`

			`sq "github.com/Masterminds/squirrel"`

			`"github.com/zitadel/zitadel/internal/api/authz"`
			`"github.com/zitadel/zitadel/internal/domain"`
			`"github.com/zitadel/zitadel/internal/query/projection"`
			`"github.com/zitadel/zitadel/internal/telemetry/tracing"`
			`"github.com/zitadel/zitadel/internal/zerrors"`
			`)`

			`var (`
			`groupUsersTable = table{`
			`name: projection.GroupUsersProjectionTable,`
			`instanceIDCol: projection.GroupUsersColumnInstanceID,`
			`}`
			`GroupUsersColumnGroupID = Column{`
			`name: projection.GroupUsersColumnGroupID,`
			`table: groupUsersTable,`
			`}`
			`GroupUsersColumnUserID = Column{`
			`name: projection.GroupUsersColumnUserID,`
			`table: groupUsersTable,`
			`}`
			`GroupUsersColumnResourceOwner = Column{`
			`name: projection.GroupUsersColumnResourceOwner,`
			`table: groupUsersTable,`
			`}`
			`GroupUsersColumnCreationDate = Column{`
			`name: projection.GroupUsersColumnCreationDate,`
			`table: groupUsersTable,`
			`}`
			`GroupUsersColumnInstanceID = Column{`
			`name: projection.GroupUsersColumnInstanceID,`
			`table: groupUsersTable,`
			`}`
			`GroupUsersColumnSequence = Column{`
			`name: projection.GroupUsersColumnSequence,`
			`table: groupUsersTable,`
			`}`
			`)`

			`type GroupUsers struct {`
			`SearchResponse`
			`GroupUsers []*GroupUser`
			`}`

			`type GroupUser struct {`
			`GroupID string`
			`ResourceOwner string`
			`CreationDate time.Time`
			`Sequence uint64`

			`// user fields`
			`UserID string`
			`PreferredLoginName string`
			`DisplayName string`
			`AvatarUrl string`
			`}`

			`type GroupUsersSearchQuery struct {`
			`SearchRequest`
			`Queries []SearchQuery`
			`}`

			`func (q Queries) SearchGroupUsers(ctx context.Context, queries GroupUsersSearchQuery, permissionCheck domain.PermissionCheck) (_ *GroupUsers, err error) {`
			`ctx, span := tracing.NewSpan(ctx)`
			`defer func() { span.EndWithError(err) }()`

			`permissionCheckV2 := PermissionV2(ctx, permissionCheck)`

			`groupUsers, err := q.searchGroupUsers(ctx, queries, permissionCheckV2)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if permissionCheck != nil && !permissionCheckV2 {`
			`groupUsersCheckPermission(ctx, groupUsers, permissionCheck)`
			`}`
			`return groupUsers, nil`
			`}`

			`func NewGroupUsersUserIDsSearchQuery(userIDs []string) (SearchQuery, error) {`
			`list := make([]interface{}, len(userIDs))`
			`for i, value := range userIDs {`
			`list[i] = value`
			`}`
			`return NewListQuery(GroupUsersColumnUserID, list, ListIn)`
			`}`

			`func NewGroupUsersGroupIDsSearchQuery(groupIDs []string) (SearchQuery, error) {`
			`list := make([]interface{}, len(groupIDs))`
			`for i, value := range groupIDs {`
			`list[i] = value`
			`}`
			`return NewListQuery(GroupUsersColumnGroupID, list, ListIn)`
			`}`

			`func (q Queries) searchGroupUsers(ctx context.Context, queries GroupUsersSearchQuery, permissionCheckV2 bool) (groupUsers *GroupUsers, err error) {`
			`ctx, span := tracing.NewSpan(ctx)`
			`defer func() { span.EndWithError(err) }()`

			`query, scan := prepareGroupUsersQuery()`
			`query = groupUsersPermissionCheckV2(ctx, query, queries, permissionCheckV2)`
			`eq := sq.And{`
			`sq.Eq{`
			`GroupUsersColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),`
			`},`
			`}`
			`stmt, args, err := queries.toQuery(query).Where(eq).ToSql()`
			`if err != nil {`
			`return nil, zerrors.ThrowInvalidArgument(err, "QUERY-TTlfF6", "Errors.Query.InvalidRequest")`
			`}`

			`err = q.client.QueryContext(ctx, func(rows *sql.Rows) error {`
			`groupUsers, err = scan(rows)`
			`return err`
			`}, stmt, args...)`
			`if err != nil {`
			`return nil, zerrors.ThrowInternal(err, "QUERY-M5O50l", "Errors.Internal")`
			`}`
			`groupUsers.State, err = q.latestState(ctx, groupUsersTable)`
			`return groupUsers, nil`
			`}`

			`func prepareGroupUsersQuery() (query sq.SelectBuilder, scan func(sql.Rows) (GroupUsers, error)) {`
			`return sq.Select(`
			`GroupUsersColumnGroupID.identifier(),`
			`GroupUsersColumnUserID.identifier(),`
			`HumanDisplayNameCol.identifier(),`
			`LoginNameNameCol.identifier(),`
			`GroupUsersColumnResourceOwner.identifier(),`
			`HumanAvatarURLCol.identifier(),`
			`GroupUsersColumnCreationDate.identifier(),`
			`GroupUsersColumnSequence.identifier(),`
			`countColumn.identifier(),`
			`).From(groupUsersTable.identifier()).`
			`LeftJoin(join(HumanUserIDCol, GroupUsersColumnUserID)).`
			`LeftJoin(join(LoginNameUserIDCol, GroupUsersColumnUserID)).`
			`Where(`
			`sq.Eq{LoginNameIsPrimaryCol.identifier(): true},`
			`).PlaceholderFormat(sq.Dollar),`
			`func(rows sql.Rows) (GroupUsers, error) {`
			`groupUsers := make([]*GroupUser, 0)`
			`var count uint64`
			`for rows.Next() {`
			`g := new(GroupUser)`

			`var (`
			`displayName sql.NullString`
			`avatarURL sql.NullString`
			`preferredLoginName sql.NullString`
			`)`

			`err := rows.Scan(`
			`&g.GroupID,`
			`&g.UserID,`
			`&displayName,`
			`&preferredLoginName,`
			`&g.ResourceOwner,`
			`&avatarURL,`
			`&g.CreationDate,`
			`&g.Sequence,`
			`&count,`
			`)`
			`if err != nil {`
			`return nil, err`
			`}`

			`g.DisplayName = displayName.String`
			`g.AvatarUrl = avatarURL.String`
			`g.PreferredLoginName = preferredLoginName.String`
			`groupUsers = append(groupUsers, g)`
			`}`
			`if err := rows.Close(); err != nil {`
			`return nil, zerrors.ThrowInternal(err, "QUERY-JuX6i5", "Errors.Query.CloseRows")`
			`}`
			`return &GroupUsers{`
			`GroupUsers: groupUsers,`
			`SearchResponse: SearchResponse{`
			`Count: count,`
			`},`
			`}, nil`
			`}`
			`}`

			`func groupUsersCheckPermission(ctx context.Context, groupUsers *GroupUsers, permissionCheck domain.PermissionCheck) {`
			`groupUsers.GroupUsers = slices.DeleteFunc(groupUsers.GroupUsers,`
			`func(gu *GroupUser) bool {`
			`return permissionCheck(ctx, domain.PermissionGroupUserRead, gu.ResourceOwner, gu.GroupID) != nil`
			`},`
			`)`
			`}`

			`func groupUsersPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, queries *GroupUsersSearchQuery, permissionCheckV2 bool) sq.SelectBuilder {`
			`if !permissionCheckV2 {`
			`return query`
			`}`

			`join, args := PermissionClause(`
			`ctx,`
			`GroupUsersColumnResourceOwner,`
			`domain.PermissionGroupUserRead,`
			`)`

			`return query.JoinClause(join, args...)`
			`}`

			`func (q *GroupUsersSearchQuery) toQuery(query sq.SelectBuilder) sq.SelectBuilder {`
			`query = q.SearchRequest.toQuery(query)`
			`for _, q := range q.Queries {`
			`query = q.toQuery(query)`
			`}`
			`return query`
			`}`