2022-03-24 17:21:34 +01:00
|
|
|
package command
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2025-07-04 18:12:59 +02:00
|
|
|
"slices"
|
2022-03-24 17:21:34 +01:00
|
|
|
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/command/preparation"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/repository/instance"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
2023-12-08 16:30:55 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
2022-03-24 17:21:34 +01:00
|
|
|
)
|
|
|
|
|
|
2022-04-20 16:59:37 +02:00
|
|
|
func (c *Commands) AddInstanceMemberCommand(a *instance.Aggregate, userID string, roles ...string) preparation.Validation {
|
2022-04-12 16:20:17 +02:00
|
|
|
return func() (preparation.CreateCommands, error) {
|
|
|
|
|
if userID == "" {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "INSTA-SDSfs", "Errors.Invalid.Argument")
|
2022-04-12 16:20:17 +02:00
|
|
|
}
|
|
|
|
|
if len(domain.CheckForInvalidRoles(roles, domain.IAMRolePrefix, c.zitadelRoles)) > 0 {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "INSTANCE-4m0fS", "Errors.IAM.MemberInvalid")
|
2022-04-12 16:20:17 +02:00
|
|
|
}
|
|
|
|
|
return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
|
2025-06-04 09:17:23 +02:00
|
|
|
if exists, err := ExistsUser(ctx, filter, userID, "", false); err != nil || !exists {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowPreconditionFailed(err, "INSTA-GSXOn", "Errors.User.NotFound")
|
2022-04-12 16:20:17 +02:00
|
|
|
}
|
|
|
|
|
if isMember, err := IsInstanceMember(ctx, filter, a.ID, userID); err != nil || isMember {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowAlreadyExists(err, "INSTA-pFDwe", "Errors.Instance.Member.AlreadyExists")
|
2022-04-12 16:20:17 +02:00
|
|
|
}
|
|
|
|
|
return []eventstore.Command{instance.NewMemberAddedEvent(ctx, &a.Aggregate, userID, roles...)}, nil
|
|
|
|
|
},
|
|
|
|
|
nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func IsInstanceMember(ctx context.Context, filter preparation.FilterToQueryReducer, instanceID, userID string) (isMember bool, err error) {
|
|
|
|
|
events, err := filter(ctx, eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
|
|
|
OrderAsc().
|
|
|
|
|
AddQuery().
|
|
|
|
|
AggregateIDs(instanceID).
|
|
|
|
|
AggregateTypes(instance.AggregateType).
|
|
|
|
|
EventTypes(
|
|
|
|
|
instance.MemberAddedEventType,
|
|
|
|
|
instance.MemberRemovedEventType,
|
|
|
|
|
instance.MemberCascadeRemovedEventType,
|
|
|
|
|
).Builder())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, event := range events {
|
|
|
|
|
switch e := event.(type) {
|
|
|
|
|
case *instance.MemberAddedEvent:
|
|
|
|
|
if e.UserID == userID {
|
|
|
|
|
isMember = true
|
|
|
|
|
}
|
|
|
|
|
case *instance.MemberRemovedEvent:
|
|
|
|
|
if e.UserID == userID {
|
|
|
|
|
isMember = false
|
|
|
|
|
}
|
|
|
|
|
case *instance.MemberCascadeRemovedEvent:
|
|
|
|
|
if e.UserID == userID {
|
|
|
|
|
isMember = false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return isMember, nil
|
|
|
|
|
}
|
|
|
|
|
|
2025-07-04 18:12:59 +02:00
|
|
|
type AddInstanceMember struct {
|
|
|
|
|
InstanceID string
|
|
|
|
|
UserID string
|
|
|
|
|
Roles []string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *Commands) AddInstanceMember(ctx context.Context, member *AddInstanceMember) (*domain.ObjectDetails, error) {
|
|
|
|
|
instanceAgg := instance.NewAggregate(member.InstanceID)
|
|
|
|
|
if err := c.checkPermissionUpdateInstanceMember(ctx, member.InstanceID); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
//nolint:staticcheck
|
|
|
|
|
cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, c.AddInstanceMemberCommand(instanceAgg, member.UserID, member.Roles...))
|
2022-03-24 17:21:34 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-04-20 16:59:37 +02:00
|
|
|
events, err := c.eventstore.Push(ctx, cmds...)
|
2022-03-24 17:21:34 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2025-07-04 18:12:59 +02:00
|
|
|
addedMember := NewInstanceMemberWriteModel(member.InstanceID, member.UserID)
|
2022-04-20 16:59:37 +02:00
|
|
|
err = AppendAndReduce(addedMember, events...)
|
2022-03-24 17:21:34 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2025-07-04 18:12:59 +02:00
|
|
|
return writeModelToObjectDetails(&addedMember.WriteModel), nil
|
2022-03-24 17:21:34 +01:00
|
|
|
}
|
|
|
|
|
|
2025-07-04 18:12:59 +02:00
|
|
|
type ChangeInstanceMember struct {
|
|
|
|
|
InstanceID string
|
|
|
|
|
UserID string
|
|
|
|
|
Roles []string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (i *ChangeInstanceMember) IsValid(zitadelRoles []authz.RoleMapping) error {
|
|
|
|
|
if i.InstanceID == "" || i.UserID == "" || len(i.Roles) == 0 {
|
|
|
|
|
return zerrors.ThrowInvalidArgument(nil, "INSTANCE-LiaZi", "Errors.IAM.MemberInvalid")
|
2022-03-24 17:21:34 +01:00
|
|
|
}
|
2025-07-04 18:12:59 +02:00
|
|
|
if len(domain.CheckForInvalidRoles(i.Roles, domain.IAMRolePrefix, zitadelRoles)) > 0 {
|
|
|
|
|
return zerrors.ThrowInvalidArgument(nil, "INSTANCE-3m9fs", "Errors.IAM.MemberInvalid")
|
2022-03-24 17:21:34 +01:00
|
|
|
}
|
2025-07-04 18:12:59 +02:00
|
|
|
return nil
|
|
|
|
|
}
|
2022-03-24 17:21:34 +01:00
|
|
|
|
2025-07-04 18:12:59 +02:00
|
|
|
// ChangeInstanceMember updates an existing member
|
|
|
|
|
func (c *Commands) ChangeInstanceMember(ctx context.Context, member *ChangeInstanceMember) (*domain.ObjectDetails, error) {
|
|
|
|
|
if err := member.IsValid(c.zitadelRoles); err != nil {
|
2022-03-24 17:21:34 +01:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2025-07-04 18:12:59 +02:00
|
|
|
existingMember, err := c.instanceMemberWriteModelByID(ctx, member.InstanceID, member.UserID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2022-03-24 17:21:34 +01:00
|
|
|
}
|
2025-07-04 18:12:59 +02:00
|
|
|
if !existingMember.State.Exists() {
|
|
|
|
|
return nil, zerrors.ThrowNotFound(nil, "INSTANCE-D8JxR", "Errors.NotFound")
|
|
|
|
|
}
|
|
|
|
|
if err := c.checkPermissionUpdateInstanceMember(ctx, existingMember.AggregateID); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if slices.Compare(existingMember.Roles, member.Roles) == 0 {
|
|
|
|
|
return writeModelToObjectDetails(&existingMember.WriteModel), nil
|
|
|
|
|
}
|
|
|
|
|
pushedEvents, err := c.eventstore.Push(ctx,
|
|
|
|
|
instance.NewMemberChangedEvent(ctx,
|
|
|
|
|
InstanceAggregateFromWriteModel(&existingMember.WriteModel),
|
|
|
|
|
member.UserID,
|
|
|
|
|
member.Roles...,
|
|
|
|
|
),
|
|
|
|
|
)
|
2022-03-24 17:21:34 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
err = AppendAndReduce(existingMember, pushedEvents...)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2025-07-04 18:12:59 +02:00
|
|
|
return writeModelToObjectDetails(&existingMember.WriteModel), nil
|
2022-03-24 17:21:34 +01:00
|
|
|
}
|
|
|
|
|
|
2025-07-04 18:12:59 +02:00
|
|
|
func (c *Commands) RemoveInstanceMember(ctx context.Context, instanceID, userID string) (*domain.ObjectDetails, error) {
|
2022-03-24 17:21:34 +01:00
|
|
|
if userID == "" {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "INSTANCE-LiaZi", "Errors.IDMissing")
|
2022-03-24 17:21:34 +01:00
|
|
|
}
|
2025-07-04 18:12:59 +02:00
|
|
|
existingMember, err := c.instanceMemberWriteModelByID(ctx, instanceID, userID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := c.checkPermissionDeleteInstanceMember(ctx, instanceID); err != nil {
|
2022-03-24 17:21:34 +01:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2025-07-04 18:12:59 +02:00
|
|
|
if !existingMember.State.Exists() {
|
|
|
|
|
return writeModelToObjectDetails(&existingMember.WriteModel), nil
|
2022-03-24 17:21:34 +01:00
|
|
|
}
|
|
|
|
|
|
2025-07-04 18:12:59 +02:00
|
|
|
pushedEvents, err := c.eventstore.Push(ctx,
|
|
|
|
|
c.removeInstanceMember(ctx,
|
|
|
|
|
InstanceAggregateFromWriteModel(&existingMember.WriteModel),
|
|
|
|
|
userID,
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
)
|
2022-03-24 17:21:34 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2025-07-04 18:12:59 +02:00
|
|
|
err = AppendAndReduce(existingMember, pushedEvents...)
|
2022-03-24 17:21:34 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2025-07-04 18:12:59 +02:00
|
|
|
return writeModelToObjectDetails(&existingMember.WriteModel), nil
|
2022-03-24 17:21:34 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *Commands) removeInstanceMember(ctx context.Context, instanceAgg *eventstore.Aggregate, userID string, cascade bool) eventstore.Command {
|
|
|
|
|
if cascade {
|
|
|
|
|
return instance.NewMemberCascadeRemovedEvent(
|
|
|
|
|
ctx,
|
|
|
|
|
instanceAgg,
|
|
|
|
|
userID)
|
|
|
|
|
} else {
|
|
|
|
|
return instance.NewMemberRemovedEvent(ctx, instanceAgg, userID)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-07-04 18:12:59 +02:00
|
|
|
func (c *Commands) instanceMemberWriteModelByID(ctx context.Context, instanceID, userID string) (member *InstanceMemberWriteModel, err error) {
|
2022-03-24 17:21:34 +01:00
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
|
|
2025-07-04 18:12:59 +02:00
|
|
|
writeModel := NewInstanceMemberWriteModel(instanceID, userID)
|
2022-03-24 17:21:34 +01:00
|
|
|
err = c.eventstore.FilterToQueryReducer(ctx, writeModel)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return writeModel, nil
|
|
|
|
|
}
|
