2020-06-05 07:50:04 +02:00
|
|
|
package eventstore
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2021-02-15 16:26:58 +01:00
|
|
|
global_model "github.com/caos/zitadel/internal/model"
|
|
|
|
|
user_model "github.com/caos/zitadel/internal/user/model"
|
|
|
|
|
user_view_model "github.com/caos/zitadel/internal/user/repository/view/model"
|
2020-07-08 13:56:37 +02:00
|
|
|
|
|
|
|
|
"github.com/caos/zitadel/internal/api/authz"
|
2020-06-05 07:50:04 +02:00
|
|
|
"github.com/caos/zitadel/internal/authz/repository/eventsourcing/view"
|
|
|
|
|
caos_errs "github.com/caos/zitadel/internal/errors"
|
2020-09-24 11:38:28 +02:00
|
|
|
iam_model "github.com/caos/zitadel/internal/iam/model"
|
2020-06-05 07:50:04 +02:00
|
|
|
iam_event "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
|
|
|
|
|
grant_model "github.com/caos/zitadel/internal/usergrant/model"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type UserGrantRepo struct {
|
|
|
|
|
View *view.View
|
|
|
|
|
IamID string
|
|
|
|
|
IamProjectID string
|
2020-07-08 13:56:37 +02:00
|
|
|
Auth authz.Config
|
2020-08-26 09:56:23 +02:00
|
|
|
IamEvents *iam_event.IAMEventstore
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (repo *UserGrantRepo) Health() error {
|
|
|
|
|
return repo.View.Health()
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-15 16:26:58 +01:00
|
|
|
func (repo *UserGrantRepo) SearchMyMemberships(ctx context.Context) ([]*authz.Membership, error) {
|
|
|
|
|
memberships, err := repo.searchUserMemberships(ctx)
|
2020-06-05 07:50:04 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-02-15 16:26:58 +01:00
|
|
|
return userMembershipsToMemberships(memberships), nil
|
|
|
|
|
}
|
2020-06-05 07:50:04 +02:00
|
|
|
|
2021-02-15 16:26:58 +01:00
|
|
|
func (repo *UserGrantRepo) SearchMyZitadelPermissions(ctx context.Context) ([]string, error) {
|
|
|
|
|
memberships, err := repo.searchUserMemberships(ctx)
|
|
|
|
|
if err != nil {
|
2020-06-05 07:50:04 +02:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-02-15 16:26:58 +01:00
|
|
|
permissions := &grant_model.Permissions{Permissions: []string{}}
|
|
|
|
|
for _, membership := range memberships {
|
|
|
|
|
for _, role := range membership.Roles {
|
|
|
|
|
permissions = repo.mapRoleToPermission(permissions, membership, role)
|
|
|
|
|
}
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
2021-02-15 16:26:58 +01:00
|
|
|
return permissions.Permissions, nil
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
|
|
|
|
|
2021-02-15 16:26:58 +01:00
|
|
|
func (repo *UserGrantRepo) searchUserMemberships(ctx context.Context) ([]*user_view_model.UserMembershipView, error) {
|
|
|
|
|
ctxData := authz.GetCtxData(ctx)
|
|
|
|
|
orgMemberships, orgCount, err := repo.View.SearchUserMemberships(&user_model.UserMembershipSearchRequest{
|
|
|
|
|
Queries: []*user_model.UserMembershipSearchQuery{
|
|
|
|
|
{
|
|
|
|
|
Key: user_model.UserMembershipSearchKeyUserID,
|
|
|
|
|
Method: global_model.SearchMethodEquals,
|
|
|
|
|
Value: ctxData.UserID,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Key: user_model.UserMembershipSearchKeyResourceOwner,
|
|
|
|
|
Method: global_model.SearchMethodEquals,
|
|
|
|
|
Value: ctxData.OrgID,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
})
|
2020-06-05 07:50:04 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-02-15 16:26:58 +01:00
|
|
|
iamMemberships, iamCount, err := repo.View.SearchUserMemberships(&user_model.UserMembershipSearchRequest{
|
|
|
|
|
Queries: []*user_model.UserMembershipSearchQuery{
|
|
|
|
|
{
|
|
|
|
|
Key: user_model.UserMembershipSearchKeyUserID,
|
|
|
|
|
Method: global_model.SearchMethodEquals,
|
|
|
|
|
Value: ctxData.UserID,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Key: user_model.UserMembershipSearchKeyAggregateID,
|
|
|
|
|
Method: global_model.SearchMethodEquals,
|
|
|
|
|
Value: repo.IamID,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2020-07-08 09:53:09 +02:00
|
|
|
}
|
2021-02-15 16:26:58 +01:00
|
|
|
if orgCount == 0 && iamCount == 0 {
|
|
|
|
|
return []*user_view_model.UserMembershipView{}, nil
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
2021-02-15 16:26:58 +01:00
|
|
|
return append(orgMemberships, iamMemberships...), nil
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
|
|
|
|
|
2020-06-09 16:20:14 +02:00
|
|
|
func (repo *UserGrantRepo) FillIamProjectID(ctx context.Context) error {
|
2020-06-05 07:50:04 +02:00
|
|
|
if repo.IamProjectID != "" {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2020-08-26 09:56:23 +02:00
|
|
|
iam, err := repo.IamEvents.IAMByID(ctx, repo.IamID)
|
2020-06-05 07:50:04 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2020-09-24 11:38:28 +02:00
|
|
|
if iam.SetUpDone < iam_model.StepCount-1 {
|
2020-06-05 07:50:04 +02:00
|
|
|
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-skiwS", "Setup not done")
|
|
|
|
|
}
|
2020-08-26 09:56:23 +02:00
|
|
|
repo.IamProjectID = iam.IAMProjectID
|
2020-06-05 07:50:04 +02:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-15 16:26:58 +01:00
|
|
|
func (repo *UserGrantRepo) mapRoleToPermission(permissions *grant_model.Permissions, membership *user_view_model.UserMembershipView, role string) *grant_model.Permissions {
|
|
|
|
|
for _, mapping := range repo.Auth.RolePermissionMappings {
|
|
|
|
|
if mapping.Role == role {
|
|
|
|
|
ctxID := ""
|
|
|
|
|
if membership.MemberType == int32(user_model.MemberTypeProject) || membership.MemberType == int32(user_model.MemberTypeProjectGrant) {
|
|
|
|
|
ctxID = membership.ObjectID
|
|
|
|
|
}
|
|
|
|
|
permissions.AppendPermissions(ctxID, mapping.Permissions...)
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
|
|
|
|
}
|
2021-02-15 16:26:58 +01:00
|
|
|
return permissions
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
|
|
|
|
|
2021-02-15 16:26:58 +01:00
|
|
|
func userMembershipToMembership(membership *user_view_model.UserMembershipView) *authz.Membership {
|
|
|
|
|
return &authz.Membership{
|
|
|
|
|
MemberType: authz.MemberType(membership.MemberType),
|
|
|
|
|
AggregateID: membership.AggregateID,
|
|
|
|
|
ObjectID: membership.ObjectID,
|
|
|
|
|
Roles: membership.Roles,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func userMembershipsToMemberships(memberships []*user_view_model.UserMembershipView) []*authz.Membership {
|
|
|
|
|
result := make([]*authz.Membership, len(memberships))
|
|
|
|
|
for i, m := range memberships {
|
|
|
|
|
result[i] = userMembershipToMembership(m)
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
|
|
|
|
return result
|
|
|
|
|
}
|
