fix: cascading changes for usergrants when managing projects / projectgrants (#3035)

internal/api/grpc/management/project.go

@@ -264,7 +264,7 @@ func (s *Server) RemoveProjectRole(ctx context.Context, req *mgmt_pb.RemoveProje
 	if err != nil {
 		return nil, err
 	}
-	rolesQuery, err := query.NewUserGrantGrantIDSearchQuery(req.RoleKey)
+	rolesQuery, err := query.NewUserGrantRoleQuery(req.RoleKey)
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/management/project_grant.go

@@ -27,7 +27,10 @@ func (s *Server) ListProjectGrants(ctx context.Context, req *mgmt_pb.ListProject
 	if err != nil {
 		return nil, err
 	}
-	queries.AppendMyResourceOwnerQuery(authz.GetCtxData(ctx).OrgID)
+	err = queries.AppendMyResourceOwnerQuery(authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
 	grants, err := s.query.SearchProjectGrants(ctx, queries)
 	if err != nil {
 		return nil, err
@@ -47,8 +50,14 @@ func (s *Server) ListAllProjectGrants(ctx context.Context, req *mgmt_pb.ListAllP
 	if err != nil {
 		return nil, err
 	}
-	queries.AppendMyResourceOwnerQuery(authz.GetCtxData(ctx).OrgID)
+	err = queries.AppendMyResourceOwnerQuery(authz.GetCtxData(ctx).OrgID)
-	queries.AppendPermissionQueries(authz.GetRequestPermissionsFromCtx(ctx))
+	if err != nil {
+		return nil, err
+	}
+	err = queries.AppendPermissionQueries(authz.GetRequestPermissionsFromCtx(ctx))
+	if err != nil {
+		return nil, err
+	}
 	grants, err := s.query.SearchProjectGrants(ctx, queries)
 	if err != nil {
 		return nil, err
@@ -127,7 +136,21 @@ func (s *Server) ReactivateProjectGrant(ctx context.Context, req *mgmt_pb.Reacti
 }
 
 func (s *Server) RemoveProjectGrant(ctx context.Context, req *mgmt_pb.RemoveProjectGrantRequest) (*mgmt_pb.RemoveProjectGrantResponse, error) {
-	details, err := s.command.RemoveProjectGrant(ctx, req.ProjectId, req.GrantId, authz.GetCtxData(ctx).OrgID)
+	projectQuery, err := query.NewUserGrantProjectIDSearchQuery(req.ProjectId)
+	if err != nil {
+		return nil, err
+	}
+	grantQuery, err := query.NewUserGrantGrantIDSearchQuery(req.GrantId)
+	if err != nil {
+		return nil, err
+	}
+	userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
+		Queries: []query.SearchQuery{projectQuery, grantQuery},
+	})
+	if err != nil {
+		return nil, err
+	}
+	details, err := s.command.RemoveProjectGrant(ctx, req.ProjectId, req.GrantId, authz.GetCtxData(ctx).OrgID, userGrantsToIDs(userGrants.UserGrants)...)
 	if err != nil {
 		return nil, err
 	}

internal/eventstore/handler/crdb/statement.go

@@ -4,6 +4,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/lib/pq"
+
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/eventstore/handler"
@@ -201,6 +203,25 @@ func NewArrayRemoveCol(column string, value interface{}) handler.Column {
 	}
 }
 
+func NewArrayIntersectCol(column string, value interface{}) handler.Column {
+	var arrayType string
+	switch value.(type) {
+	case pq.StringArray:
+		arrayType = "STRING"
+	case pq.Int32Array,
+		pq.Int64Array:
+		arrayType = "INT"
+		//TODO: handle more types if necessary
+	}
+	return handler.Column{
+		Name:  column,
+		Value: value,
+		ParameterOpt: func(placeholder string) string {
+			return "SELECT ARRAY( SELECT UNNEST(" + column + ") INTERSECT SELECT UNNEST (" + placeholder + "::" + arrayType + "[]))"
+		},
+	}
+}
+
 //NewCopyStatement creates a new upsert statement which updates a column from an existing row
 // cols represent the columns which are objective to change.
 // if the value of a col is empty the data will be copied from the selected row

internal/query/projection/user_grant.go

@@ -87,6 +87,18 @@ func (p *UserGrantProjection) reducers() []handler.AggregateReducer {
 					Event:  project.GrantRemovedType,
 					Reduce: p.reduceProjectGrantRemoved,
 				},
+				{
+					Event:  project.RoleRemovedType,
+					Reduce: p.reduceRoleRemoved,
+				},
+				{
+					Event:  project.GrantChangedType,
+					Reduce: p.reduceProjectGrantChanged,
+				},
+				{
+					Event:  project.GrantCascadeChangedType,
+					Reduce: p.reduceProjectGrantChanged,
+				},
 			},
 		},
 	}
@@ -253,3 +265,47 @@ func (p *UserGrantProjection) reduceProjectGrantRemoved(event eventstore.Event)
 		},
 	), nil
 }
+
+func (p *UserGrantProjection) reduceRoleRemoved(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*project.RoleRemovedEvent)
+	if !ok {
+		logging.LogWithFields("PROJE-Edg22", "seq", event.Sequence(), "expectedType", project.RoleRemovedType).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "PROJE-dswg2", "reduce.wrong.event.type")
+	}
+
+	return crdb.NewUpdateStatement(
+		event,
+		[]handler.Column{
+			crdb.NewArrayRemoveCol(UserGrantRoles, e.Key),
+		},
+		[]handler.Condition{
+			handler.NewCond(UserGrantProjectID, e.Aggregate().ID),
+		},
+	), nil
+}
+
+func (p *UserGrantProjection) reduceProjectGrantChanged(event eventstore.Event) (*handler.Statement, error) {
+	var grantID string
+	var keys []string
+	switch e := event.(type) {
+	case *project.GrantChangedEvent:
+		grantID = e.GrantID
+		keys = e.RoleKeys
+	case *project.GrantCascadeChangedEvent:
+		grantID = e.GrantID
+		keys = e.RoleKeys
+	default:
+		logging.LogWithFields("PROJE-FGgw2", "seq", event.Sequence(), "expectedTypes", []eventstore.EventType{project.GrantChangedType, project.GrantCascadeChangedType}).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "PROJE-Fh3gw", "reduce.wrong.event.type")
+	}
+
+	return crdb.NewUpdateStatement(
+		event,
+		[]handler.Column{
+			crdb.NewArrayIntersectCol(UserGrantRoles, pq.StringArray(keys)),
+		},
+		[]handler.Condition{
+			handler.NewCond(UserGrantGrantID, grantID),
+		},
+	), nil
+}

internal/query/projection/user_grant_test.go

@@ -324,6 +324,62 @@ func TestUserGrantProjection_reduces(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "reduceRoleRemoved",
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(project.RoleRemovedType),
+					project.AggregateType,
+					[]byte(`{"key": "key"}`),
+				), project.RoleRemovedEventMapper),
+			},
+			reduce: (&UserGrantProjection{}).reduceRoleRemoved,
+			want: wantReduce{
+				aggregateType:    project.AggregateType,
+				sequence:         15,
+				previousSequence: 10,
+				projection:       UserGrantProjectionTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE zitadel.projections.user_grants SET (roles) = (array_remove(roles, $1)) WHERE (project_id = $2)",
+							expectedArgs: []interface{}{
+								"key",
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "reduceProjectGrantChanged",
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(project.GrantChangedType),
+					project.AggregateType,
+					[]byte(`{"grantId": "grantID", "roleKeys": ["key"]}`),
+				), project.GrantChangedEventMapper),
+			},
+			reduce: (&UserGrantProjection{}).reduceProjectGrantChanged,
+			want: wantReduce{
+				aggregateType:    project.AggregateType,
+				sequence:         15,
+				previousSequence: 10,
+				projection:       UserGrantProjectionTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE zitadel.projections.user_grants SET (roles) = (SELECT ARRAY( SELECT UNNEST(roles) INTERSECT SELECT UNNEST ($1::STRING[]))) WHERE (grant_id = $2)",
+							expectedArgs: []interface{}{
+								pq.StringArray{"key"},
+								"grantID",
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {