From 0efb4769cf081996e1cf23ec6f596adb3189f9d9 Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Mon, 10 Feb 2025 11:05:15 +0100
Subject: [PATCH] improve querying and returned objects
---
 .../authorizations/v2/authorization.proto | 134 +++++++++++-------
 proto/zitadel/permissions/v2/manager.proto | 109 ++++++++++++--
 2 files changed, 177 insertions(+), 66 deletions(-)
diff --git a/proto/zitadel/authorizations/v2/authorization.proto b/proto/zitadel/authorizations/v2/authorization.proto
index 5e804ba484..3216a9bd14 100644
--- a/proto/zitadel/authorizations/v2/authorization.proto
+++ b/proto/zitadel/authorizations/v2/authorization.proto
@@ -18,30 +18,17 @@ message Authorization {
 google.protobuf.Timestamp change_date = 3;
 // State is the current state of the authorization.
 State state = 4;
- // UserID represents the ID of the user who was granted the authorization.
- string user_id = 5;
- // UserOrganisationID represents the ID of the organisation the user is part of.
- string user_organization_id = 6;
- // UserPreferredLoginName represents the preferred login name of the granted user.
- string user_preferred_login_name = 7;
- // UserDisplayName represents the public display name of the granted user.
- // By default it's the user's given name and family name, their username or their email address.
- string user_display_name = 8;
- // AvatarURL represents the URL to the public avatar of the granted user.
- string avatar_url = 9;
- // ProjectID represents the ID of the project the user was granted the authorization for.
- string project_id = 10;
- // ProjectName represents the name of the project the user was granted the authorization for.
- string project_name = 11;
- // ProjectGrantID represents the ID of the project grant the user was granted the authorization for.
- // This field is only set if the authorization was granted for a project grant and not a project directly.
- string project_grant_id = 12;
- // OrganizationID represents the ID of the organization the authorization was granted for.
- string organization_id = 13;
- // OrganizationName represents the name of the organization the authorization was granted for.
- string organization_name = 14;
+ User user = 5;
+ // Grant contains the project or project grant the user was granted the authorization for.
+ oneof grant {
+ // Project represents the project the user was granted the authorization for.
+ Project project = 6;
+ // ProjectGrant represents the project grant the user was granted the authorization for.
+ ProjectGrant project_grant = 7;
+ }
+ Organization organization = 8;
 // Roles contains the roles the user was granted for the project or project grant.
- repeated Role roles = 15;
+ repeated Role roles = 9;
 }
 
 enum State {
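Review bot: Field numbers 5 through 9 keep their numbers but switch from `string` to a message type (`string user_id = 5` becomes `User user = 5`, `string avatar_url = 9` becomes `repeated Role roles = 9`), and 10–15 vanish without a `reserved` statement; both forms are length-delimited on the wire, so an already serialized Authorization would have its `user_id` bytes decoded as a `User` message rather than be rejected. If this v2 API has been published anywhere, the compatible form is fresh numbers for the new fields plus `reserved 5 to 15;` and `reserved "user_id", "avatar_url", "project_id";` (and the other removed names); if it is still unreleased, one sentence in the commit message saying so would settle it. `User user = 5;` and `Organization organization = 8;` are also the only fields left without a leading comment; I would add `// User is the user who was granted the authorization.` and `// Organization is the organization the authorization was granted for.`. The Authorization message opens above the hunk.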
@@ -50,6 +37,48 @@ enum State {
 STATE_INACTIVE = 2;
 }
 
+message User {
+ // ID represents the ID of the user who was granted the authorization.
+ string id = 1;
+ // PreferredLoginName represents the preferred login name of the granted user.
+ string preferred_login_name = 2;
+ // DisplayName represents the public display name of the granted user.
+ // By default it's the user's given name and family name, their username or their email address.
+ string display_name = 3;
+ // AvatarURL is the URL to the user's public avatar image.
+ string avatar_url = 4;
+ // The organization the user belong to.
+ // This must not correspond to the organization the authorization was granted for.
+ string organization_id = 5;
+}
+
+message Project {
+ // ID is the unique identifier of the project the user was granted the authorization for.
+ string id = 1;
+ // Name is the name of the project the user was granted the authorization for.
+ string name = 2;
+ // OrganizationID is the ID of the organization the project belongs to.
+ string organization_id = 3;
+}
+
+message ProjectGrant {
+ // ID is the unique identifier of the project grant the user was granted the authorization for.
+ string id = 1;
+ // ProjectID is the ID of the project the project grant belongs to.
+ string project_id = 2;
+ // ProjectName is the name of the project the project grant belongs to.
+ string project_name = 3;
+ // OrganizationID is the ID of the organization the project grant belongs to.
+ string organization_id = 4;
+}
+
+message Organization {
+ // ID is the unique identifier of the organization the user was granted the authorization for.
+ string id = 1;
+ // Name is the name of the organization the user was granted the authorization for.
+ string name = 2;
+}
+
 message Role {
 // Key is the unique identifier of the role.
 string key = 1;
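Review bot: The comment on `User.organization_id`, `// This must not correspond to the organization the authorization was granted for.`, reads as a prohibition, while the manager.proto counterpart in this same patch says "this might not be"; a consumer taking the wording literally could treat "user org differs from grant org" as an invariant when it evaluates access. Suggested wording: `// The organization the user belongs to.` followed by `// This is not necessarily the organization the authorization was granted for.` (this also fixes "belong"). `ProjectGrant.organization_id` is described as "the organization the project grant belongs to", which is ambiguous for a grant that involves two organizations, the one owning the project and the one it is granted to; say which one is meant — presumably the granted organization, given that `Organization` is documented as the organization the authorization was granted for, but confirm.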
@@ -62,46 +91,43 @@ message AuthorizationQuery {
 option (validate.required) = true;
 // Search for authorizations by their ID.
- AuthorizationIDQuery authorization_id_query = 1;
+ AuthorizationIDQuery authorization_id = 1;
 // Search for authorizations by their creation date.
- CreationDateQuery creation_date_query = 2;
+ CreationDateQuery creation_date = 2;
 // Search for authorizations by their change date.
- ChangeDateQuery change_date_query = 3;
+ ChangeDateQuery change_date = 3;
 // Search for authorizations by their state.
- StateQuery state_query = 4;
+ StateQuery state = 4;
 // Search for authorizations by the ID of the user who was granted the authorization.
- UserIDQuery user_id_query = 5;
+ UserIDQuery user_id = 5;
 // Search for authorizations by the ID of the organisation the user is part of.
- UserOrganizationIDQuery user_organization_id_query = 6;
- UserPreferredLoginNameQuery user_preferred_login_name_query = 7;
- UserDisplayNameQuery user_display_name_query = 8;
+ UserOrganizationIDQuery user_organization_id = 6;
+ // Search for authorizations by the preferred login name of the granted user.
+ UserPreferredLoginNameQuery user_preferred_login_name = 7;
+ // Search for authorizations by the public display name of the granted user.
+ UserDisplayNameQuery user_display_name = 8;
 // Search for authorizations by the ID of the project the user was granted the authorization for.
- ProjectIDQuery project_id_query = 9;
- ProjectNameQuery project_name_query = 10;
+ // This will also include authorizations granted for project grants of the same project.
+ ProjectIDQuery project_id = 9;
+ // Search for authorizations by the name of the project the user was granted the authorization for.
+ // This will also include authorizations granted for project grants of the same project.
+ ProjectNameQuery project_name = 10;
 // Search for authorizations by the ID of the project grant the user was granted the authorization for.
- ProjectGrantIDQuery project_grant_id_query = 11;
+ ProjectGrantIDQuery project_grant_id = 11;
 // Search for authorizations by the ID of the organization the authorization was granted for.
 // This can either be the organization the project or the project grant is part of.
- OrganizationIDQuery organization_id_query = 12;
- OrganizationNameQuery organization_name_query = 13;
+ OrganizationIDQuery organization_id = 12;
+ OrganizationNameQuery organization_name = 13;
 // Search for authorizations by the key of the role the user was granted.
- RoleKeyQuery role_key_query = 14;
+ RoleKeyQuery role_key = 14;
 // Combine multiple authorization queries with an AND operation.
- AndQuery and_query = 15;
+ AndQuery and = 15;
 // Combine multiple authorization queries with an OR operation.
 // For example, to search for authorizations of multiple OrganizationIDs.
- OrQuery or_query = 16;
+ OrQuery or = 16;
 // Negate an authorization query.
- NotQuery not_query = 17;
-
- // UserGrantWithGrantedQuery with_granted_query = 3; searched for the oauthz.OrganizationID as ro
- // UserGrantUserNameQuery user_name_query = 6; ??
- // UserGrantFirstNameQuery first_name_query = 7;
- // UserGrantLastNameQuery last_name_query = 8;
- // UserGrantEmailQuery email_query = 9;
- // UserGrantOrgDomainQuery org_domain_query = 11;
- // UserGrantUserTypeQuery user_type_query = 14;
+ NotQuery not = 17;
 }
 }
 
@@ -159,8 +185,8 @@ message UserPreferredLoginNameQuery {
 max_len: 200
 }];
 // Specify the method to search for the preferred login name. Default is EQUAL.
- // For example, to search for all authorizations with a preferred login name containing a specific string,
- // use CONTAINS or CONTAINS_IGNORE_CASE.
+ // For example, to search for all authorizations granted to a user with
+ // a preferred login name containing a specific string, use CONTAINS or CONTAINS_IGNORE_CASE.
 zitadel.object.v2.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
 }
 
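Review bot: `AndQuery and = 15;`, `OrQuery or = 16;` and `NotQuery not = 17;` use names that are keywords in Python, so the generated attribute access `query.not` is a syntax error and callers are pushed to `getattr(query, "not")` or `WhichOneof`; I believe protoc's C++ generator also has to escape these three (they are alternative operator tokens there), which yields awkward `and_()`-style accessors. Dropping the `_query` suffix works for the other fields of this oneof, but these three are better kept as `and_query`, `or_query`, `not_query` or renamed to something like `all_of`, `any_of`, `none_of`. The same three names are introduced in the ManagerQuery hunk of manager.proto below. The enclosing `message AuthorizationQuery` and its `oneof query` open above the hunk.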
@@ -171,8 +197,8 @@ message UserDisplayNameQuery {
 max_len: 200
 }];
 // Specify the method to search for the display name. Default is EQUAL.
- // For example, to search for all authorizations with a display name containing a specific string,
- // use CONTAINS or CONTAINS_IGNORE_CASE.
+ // For example, to search for all authorizations granted to a user with
+ // a display name containing a specific string, use CONTAINS or CONTAINS_IGNORE_CASE.
 zitadel.object.v2.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
 }
 
@@ -190,8 +216,8 @@ message ProjectNameQuery {
 // Note that this will also include authorizations granted for project grants of the same project.
 string project_name = 1 [(validate.rules).string = {max_len: 200}];
 // Specify the method to search for the project name. Default is EQUAL.
- // For example, to search for all authorizations with a project name containing a specific string,
- // use CONTAINS or CONTAINS_IGNORE_CASE.
+ // For example, to search for all authorizations granted on a project with
+ // a name containing a specific string, use CONTAINS or CONTAINS_IGNORE_CASE.
 zitadel.object.v2.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
 }
 
diff --git a/proto/zitadel/permissions/v2/manager.proto b/proto/zitadel/permissions/v2/manager.proto
index cc8e59beb3..d7bfe107ab 100644
--- a/proto/zitadel/permissions/v2/manager.proto
+++ b/proto/zitadel/permissions/v2/manager.proto
@@ -18,11 +18,6 @@ message Manager {
 google.protobuf.Timestamp change_date = 3;
 // User is the user who was granted the manager role.
 User user = 4;
-// string user_id = 3;
-// string user_preferred_login_name = 4;
-// string user_display_name = 5;
-// string user_avatar_url = 6;
-// string user_organization_id = 7;
 // Resource is the type of the resource the manager roles were granted for.
 oneof resource {
 // Instance is returned if the manager roles were granted on the instance level.
@@ -50,8 +45,6 @@ message User {
 string avatar_url = 4;
 // The organization the user belong to.
 string organization_id = 5;
-
- // zitadel.user.v1.Type user_type = 10 TODO: peintner?
 }
 
 message Organization {
@@ -83,15 +76,61 @@ message ManagerQuery {
 oneof query {
 option (validate.required) = true;
- // Search for managers roles granted to a specific user.
- UserIDQuery user_id_query = 1;
+ // Search for manager roles by their ID.
+ ManagerIDQuery manager_id = 1;
+ // Search for manager roles by their creation date.
+ CreationDateQuery creation_date = 2;
+ // Search for manager roles by their change date.
+ ChangeDateQuery change_date = 3;
+ // Search for managers roles by the ID of the user who was granted the manager role.
+ UserIDQuery user_id = 4;
+ // Search for managers roles by the ID of the organization the user is part of.
+ UserOrganizationIDQuery user_organization_id = 5;
+ // Search for managers roles by the preferred login name of the user.
+ UserPreferredLoginNameQuery user_preferred_login_name = 6;
+ // Search for managers roles by the display name of the user.
+ UserDisplayNameQuery user_display_name = 7;
 // Search for managers roles granted for a specific resource.
- ResourceQuery resource_query = 2;
+ ResourceQuery resource = 8;
 // Search for managers roles granted with a specific role.
- RoleQuery role_query = 3;
+ RoleQuery role = 9;
+
+ // Combine multiple authorization queries with an AND operation.
+ AndQuery and = 10;
+ // Combine multiple authorization queries with an OR operation.
+ // For example, to search for authorizations of multiple OrganizationIDs.
+ OrQuery or = 11;
+ // Negate an authorization query.
+ NotQuery not = 12;
 }
 }
 
+message ManagerIDQuery {
+ // Search for managers by their ID.
+ string manager_id = 1 [(validate.rules).string = {
+ min_len: 1
+ max_len: 200
+ }];
+}
+
+message CreationDateQuery {
+ // Specify the creation date of the manager role to search for.
+ google.protobuf.Timestamp creation_date = 1;
+ // Specify the method to search for the creation date. Default is EQUAL.
+ // For example, to search for all manager roles created after a specific date, use GREATER_THAN.
+ // To search for all manager roles created before a specific date, use LESS_THAN.
+ zitadel.object.v2.TimestampQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message ChangeDateQuery {
+ // Specify the change date of the manager role to search for.
+ google.protobuf.Timestamp change_date = 1;
+ // Specify the method to search for the change date. Default is EQUAL.
+ // For example, to search for all manager roles changed after a specific date, use GREATER_THAN.
+ // To search for all manager roles changed before a specific date, use LESS_THAN.
+ zitadel.object.v2.TimestampQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
 message UserIDQuery {
 // Search for managers by user ID.
 string user_id = 1 [(validate.rules).string = {
@@ -100,6 +139,39 @@ message UserIDQuery {
 }];
 }
 
+message UserOrganizationIDQuery {
+ // Search for managers by the organization ID of the user.
+ // Note that this might not be the organization the manager role was granted for.
+ string organization_id = 1 [(validate.rules).string = {
+ min_len: 1
+ max_len: 200
+ }];
+}
+
+message UserPreferredLoginNameQuery {
+ // Search for managers by the preferred login name of the user.
+ string preferred_login_name = 1 [(validate.rules).string = {
+ min_len: 1
+ max_len: 200
+ }];
+ // Specify the method to search for the preferred login name. Default is EQUAL.
+ // For example, to search for all manager roles of a user with a preferred login name
+ // containing a specific string, use CONTAINS or CONTAINS_IGNORE_CASE.
+ zitadel.object.v2.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message UserDisplayNameQuery {
+ // Search for managers by the display name of the user.
+ string display_name = 1 [(validate.rules).string = {
+ min_len: 1
+ max_len: 200
+ }];
+ // Specify the method to search for the display name. Default is EQUAL.
+ // For example, to search for all manager roles of a user with a display name
+ // containing a specific string, use CONTAINS or CONTAINS_IGNORE_CASE.
+ zitadel.object.v2.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
 message ResourceQuery {
 // Search for managers by the granted resource.
 oneof resource {
@@ -120,4 +192,17 @@ message RoleQuery {
 min_len: 1
 max_len: 200
 }];
-}
\ No newline at end of file
+}
+
+
+message AndQuery {
+ repeated ManagerQuery queries = 1;
+}
+
+message OrQuery {
+ repeated ManagerQuery queries = 1;
+}
+
+message NotQuery {
+ ManagerQuery query = 1;
+}
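Review bot: The comments on the new `and`, `or` and `not` members of ManagerQuery were copied from AuthorizationQuery and still talk about "authorization queries" and "authorizations of multiple OrganizationIDs"; they should read `// Combine multiple manager queries with an AND operation.`, `// Combine multiple manager queries with an OR operation.` and `// Negate a manager query.`. The hunk also alternates between "manager roles" and "managers roles" in adjacent comments (`user_id` through `role`); "manager roles" is the form the rest of the file uses. `CreationDateQuery` and `ChangeDateQuery` state "Default is EQUAL", which only holds if EQUAL is the zero value of `zitadel.object.v2.TimestampQueryMethod`, not visible here — confirm. The `message ManagerQuery {` line is above the hunk.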
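Review bot: `AndQuery`, `OrQuery` and `NotQuery` make ManagerQuery self-recursive with no bound on nesting depth or fan-out and no presence rule, so an empty `queries` list or an unset `NotQuery.query` has no defined meaning, and a deeply nested request is limited only by the parser's recursion limit and by whatever the query translator does with it. Every other field in this file carries a `validate.rules` constraint; these three should too, and each message needs a leading comment since its field also lacks one. I would add `repeated.min_items`/`max_items` on `queries` and `message.required` on `query` as below (the `max_items` value is a constructed sample — pick the real bound), and collapse the two blank lines before `message AndQuery` to one. The ManagerQuery these refer to is defined earlier in the file.
```protobuf
// … unchanged: RoleQuery …

// AndQuery matches manager roles that satisfy all of the given queries.
message AndQuery {
  // Sub-queries that must all match. Bounded so nested queries stay cheap to evaluate.
  // max_items below is a constructed sample value.
  repeated ManagerQuery queries = 1 [(validate.rules).repeated = {
    min_items: 1
    max_items: 20
  }];
}

// OrQuery matches manager roles that satisfy at least one of the given queries.
message OrQuery {
  // Sub-queries of which at least one must match. Same bound as AndQuery.
  repeated ManagerQuery queries = 1 [(validate.rules).repeated = {
    min_items: 1
    max_items: 20
  }];
}

// NotQuery matches manager roles that do not satisfy the given query.
message NotQuery {
  // The query to negate. Required.
  ManagerQuery query = 1 [(validate.rules).message.required = true];
}
```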