TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-12-02 12:32:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(api): move project service v2beta to GA (and deprecate v2beta) (#10844)

Browse Source 
# Which Problems Are Solved

As part of our efforts to simplify the structure and versions of our
APIs, were moving all existing v2beta endpoints to v2 and deprecate
them. They will be removed in Zitadel V5.

# How the Problems Are Solved

- This PR moves project v2beta service and its endpoints to a
corresponding v2 version. The v2beta service and endpoints are
deprecated.
- The comments and have been improved and, where not already done, moved
from swagger annotations to proto.
- All required fields have been marked with `(google.api.field_behavior)
= REQUIRED` and validation rules have been added where missing.
- Name ID of the project always `project_id`
- `UpdateProjectRequest` has been updated to align with the creation and
retrieval of a project:
  - `project_role_check` has been renamed to `authorization_required`
  - `has_project_check` has been renamed to `project_access_required`
- `ListProjectRequest` has been changed:
- `project_grant_resource_owner_filter`,
`project_grant_resource_owner_filter` and
`project_organization_id_filter` have been removed and merged into a
single `organization_id_filter` where a `type` can optionally be
specified to select `owned`, `granted` or both project types within a
specified organization.
- `ListProjectGrantReques` has been changed:
- `project_resource_owner_filter` has been renamed to
`project_organization_id_filter`
- `grant_resource_owner_filter` has been renamed to
`granted_organization_id_filter`

# Additional Changes

Replaced deprecated `intergration.WithAuthorization` with
`integration.WithAuthorizationToken` in integration tests.

# Additional Context

- part of #10772 
- requires backport to v4.x
This commit is contained in:
Livio Spring
2025-10-28 13:28:45 +01:00
committed by GitHub
parent c9ac1ce344
commit 32500e3b0c
18 changed files with 7567 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/start/start.go
View File

@@ -57,6 +57,7 @@ import (
oidc_v2beta "github.com/zitadel/zitadel/internal/api/grpc/oidc/v2beta"
org_v2 "github.com/zitadel/zitadel/internal/api/grpc/org/v2"
org_v2beta "github.com/zitadel/zitadel/internal/api/grpc/org/v2beta"
project_v2 "github.com/zitadel/zitadel/internal/api/grpc/project/v2"
project_v2beta "github.com/zitadel/zitadel/internal/api/grpc/project/v2beta"
"github.com/zitadel/zitadel/internal/api/grpc/resources/debug_events/debug_events"
user_v3_alpha "github.com/zitadel/zitadel/internal/api/grpc/resources/user/v3alpha"
@@ -541,6 +542,9 @@ func startAPIs(
if err := apis.RegisterService(ctx, project_v2beta.CreateServer(config.SystemDefaults, commands, queries, permissionCheck)); err != nil {
return nil, err
}
if err := apis.RegisterService(ctx, project_v2.CreateServer(config.SystemDefaults, commands, queries, permissionCheck)); err != nil {
return nil, err
}
if err := apis.RegisterService(ctx, internal_permission_v2beta.CreateServer(config.SystemDefaults, commands, queries, permissionCheck)); err != nil {
return nil, err
}

4
docs/docusaurus.config.js
View File

@@ -391,9 +391,9 @@ module.exports = {
categoryLinkSource: "auto",
},
},
project_v2beta: {
project_v2: {
specPath:
".artifacts/openapi3/zitadel/project/v2beta/project_service.openapi.yaml",
".artifacts/openapi3/zitadel/project/v2/project_service.openapi.yaml",
outputDir: "docs/apis/resources/project_service_v2",
sidebarOptions: {
groupPathsBy: "tag",

8
docs/sidebars.js
View File

@@ -860,15 +860,13 @@ module.exports = {
},
{
type: "category",
label: "Project (Beta)",
label: "Project",
link: {
type: "generated-index",
title: "Project Service API (Beta)",
title: "Project Service API",
slug: "/apis/resources/project_service_v2",
description:
"This API is intended to manage projects and subresources for ZITADEL. \n" +
"\n" +
"This service is in beta state. It can AND will continue breaking until a stable version is released.",
"This API is intended to manage projects and subresources for ZITADEL."
},
items: sidebar_api_project_service_v2,
},

1350
internal/api/grpc/project/v2/integration_test/project_grant_test.go Normal file
View File

File diff suppressed because it is too large Load Diff

816
internal/api/grpc/project/v2/integration_test/project_role_test.go Normal file
View File

@@ -0,0 +1,816 @@
//go:build integration
package project_test
import (
"context"
"testing"
"time"
"github.com/muhlemmer/gu"
"github.com/stretchr/testify/assert"
"github.com/zitadel/zitadel/internal/integration"
"github.com/zitadel/zitadel/pkg/grpc/management"
"github.com/zitadel/zitadel/pkg/grpc/project/v2"
)
func TestServer_AddProjectRole(t *testing.T) {
iamOwnerCtx := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, integration.ProjectName(), integration.Email())
alreadyExistingProject := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
alreadyExistingProjectRoleName := integration.RoleDisplayName()
instance.AddProjectRole(iamOwnerCtx, t, alreadyExistingProject.GetId(), alreadyExistingProjectRoleName, alreadyExistingProjectRoleName, "")
type want struct {
creationDate bool
}
tests := []struct {
name string
ctx context.Context
prepare func(t *testing.T, request *project.AddProjectRoleRequest)
req *project.AddProjectRoleRequest
want
wantErr bool
}{
{
name: "empty key",
ctx: iamOwnerCtx,
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: "",
DisplayName: integration.ProjectName(),
},
wantErr: true,
},
{
name: "empty displayname",
ctx: iamOwnerCtx,
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: integration.RoleKey(),
DisplayName: "",
},
wantErr: true,
},
{
name: "already existing, error",
ctx: iamOwnerCtx,
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
request.ProjectId = alreadyExistingProject.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: alreadyExistingProjectRoleName,
DisplayName: alreadyExistingProjectRoleName,
},
wantErr: true,
},
{
name: "empty, ok",
ctx: iamOwnerCtx,
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: integration.RoleKey(),
DisplayName: integration.RoleDisplayName(),
},
want: want{
creationDate: true,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if tt.prepare != nil {
tt.prepare(t, tt.req)
}
creationDate := time.Now().UTC()
got, err := instance.Client.ProjectV2.AddProjectRole(tt.ctx, tt.req)
changeDate := time.Now().UTC()
if tt.wantErr {
assert.Error(t, err)
return
}
assert.NoError(t, err)
assertAddProjectRoleResponse(t, creationDate, changeDate, tt.want.creationDate, got)
})
}
}
func TestServer_AddProjectRole_Permission(t *testing.T) {
iamOwnerCtx := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, integration.OrganizationName(), integration.Email())
alreadyExistingProject := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
alreadyExistingProjectRoleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, alreadyExistingProject.GetId(), alreadyExistingProjectRoleName, alreadyExistingProjectRoleName, "")
type want struct {
creationDate bool
}
type test struct {
name string
ctx context.Context
prepare func(t *testing.T, request *project.AddProjectRoleRequest)
req *project.AddProjectRoleRequest
want
wantErr bool
}
tests := []*test{
{
name: "unauthenticated",
ctx: CTX,
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: integration.RoleKey(),
DisplayName: integration.RoleDisplayName(),
},
wantErr: true,
},
{
name: "no permission",
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeNoPermission),
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: integration.RoleKey(),
DisplayName: integration.RoleDisplayName(),
},
wantErr: true,
},
{
name: "organization owner, other org",
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: integration.RoleKey(),
DisplayName: integration.RoleDisplayName(),
},
wantErr: true,
},
{
name: "organization owner, ok",
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), integration.ProjectName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: integration.RoleKey(),
DisplayName: integration.RoleDisplayName(),
},
want: want{
creationDate: true,
},
},
{
name: "instance owner, ok",
ctx: iamOwnerCtx,
prepare: func(t *testing.T, request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: integration.RoleKey(),
DisplayName: integration.RoleDisplayName(),
},
want: want{
creationDate: true,
},
},
func() *test {
out := test{
name: "add project role as a added project admin, ok",
req: &project.AddProjectRoleRequest{
RoleKey: integration.RoleKey(),
DisplayName: integration.RoleDisplayName(),
},
want: want{
creationDate: true,
},
}
out.prepare = func(t *testing.T, request *project.AddProjectRoleRequest) {
// create project
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.Id, integration.ProjectName(), false, false)
// create user
userID := instance.CreateUserTypeHuman(iamOwnerCtx, integration.Email()).GetId()
loginCTX := instance.WithAuthorizationToken(iamOwnerCtx, integration.UserTypeLogin)
instance.RegisterUserPasskey(iamOwnerCtx, userID)
_, token, _, _ := instance.CreateVerifiedWebAuthNSession(t, loginCTX, userID)
// assign user as project admin
_, err := instance.Client.Mgmt.AddProjectMember(iamOwnerCtx, &management.AddProjectMemberRequest{
ProjectId: projectResp.GetId(),
UserId: userID,
Roles: []string{"PROJECT_OWNER_GLOBAL"},
})
assert.NoError(t, err)
// set context
out.ctx = integration.WithAuthorizationToken(context.Background(), token)
request.ProjectId = projectResp.GetId()
}
return &out
}(),
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if tt.prepare != nil {
tt.prepare(t, tt.req)
}
creationDate := time.Now().UTC()
got, err := instance.Client.ProjectV2.AddProjectRole(tt.ctx, tt.req)
changeDate := time.Now().UTC()
if tt.wantErr {
assert.Error(t, err)
return
}
assert.NoError(t, err)
assertAddProjectRoleResponse(t, creationDate, changeDate, tt.want.creationDate, got)
})
}
}
func assertAddProjectRoleResponse(t *testing.T, creationDate, changeDate time.Time, expectedCreationDate bool, actualResp *project.AddProjectRoleResponse) {
if expectedCreationDate {
if !changeDate.IsZero() {
assert.WithinRange(t, actualResp.GetCreationDate().AsTime(), creationDate, changeDate)
} else {
assert.WithinRange(t, actualResp.GetCreationDate().AsTime(), creationDate, time.Now().UTC())
}
} else {
assert.Nil(t, actualResp.CreationDate)
}
}
func TestServer_UpdateProjectRole(t *testing.T) {
iamOwnerCtx := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, integration.OrganizationName(), integration.Email())
type args struct {
ctx context.Context
req *project.UpdateProjectRoleRequest
}
type want struct {
change bool
changeDate bool
}
tests := []struct {
name string
prepare func(t *testing.T, request *project.UpdateProjectRoleRequest)
args args
want want
wantErr bool
}{
{
name: "missing permission",
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeNoPermission),
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr("changed"),
},
},
wantErr: true,
},
{
name: "not existing",
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
request.RoleKey = "notexisting"
return
},
args: args{
ctx: iamOwnerCtx,
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr("changed"),
},
},
wantErr: true,
},
{
name: "no change, ok",
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
request.DisplayName = gu.Ptr(roleName)
},
args: args{
ctx: iamOwnerCtx,
req: &project.UpdateProjectRoleRequest{},
},
want: want{
change: false,
changeDate: true,
},
},
{
name: "change display name, ok",
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: iamOwnerCtx,
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr(integration.RoleKey()),
},
},
want: want{
change: true,
changeDate: true,
},
},
{
name: "change full, ok",
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: iamOwnerCtx,
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr(integration.RoleKey()),
Group: gu.Ptr(integration.RoleKey()),
},
},
want: want{
change: true,
changeDate: true,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
creationDate := time.Now().UTC()
tt.prepare(t, tt.args.req)
got, err := instance.Client.ProjectV2.UpdateProjectRole(tt.args.ctx, tt.args.req)
if tt.wantErr {
assert.Error(t, err)
return
}
changeDate := time.Time{}
if tt.want.change {
changeDate = time.Now().UTC()
}
assert.NoError(t, err)
assertUpdateProjectRoleResponse(t, creationDate, changeDate, tt.want.changeDate, got)
})
}
}
func TestServer_UpdateProjectRole_Permission(t *testing.T) {
iamOwnerCtx := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, integration.OrganizationName(), integration.Email())
type args struct {
ctx context.Context
req *project.UpdateProjectRoleRequest
}
type want struct {
change bool
changeDate bool
}
type test struct {
name string
prepare func(t *testing.T, request *project.UpdateProjectRoleRequest)
args args
want want
wantErr bool
}
tests := []*test{
{
name: "unauthenicated",
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: CTX,
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr("changed"),
},
},
wantErr: true,
},
{
name: "no permission",
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeNoPermission),
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr("changed"),
},
},
wantErr: true,
},
{
name: "organization owner, other org",
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr("changed"),
},
},
wantErr: true,
},
{
name: "organization owner, ok",
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr(integration.RoleKey()),
},
},
want: want{
change: true,
changeDate: true,
},
},
{
name: "instance owner, ok",
prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: iamOwnerCtx,
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr(integration.RoleKey()),
},
},
want: want{
change: true,
changeDate: true,
},
},
func() *test {
out := test{
name: "change project role as a added project admin, ok",
args: args{
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr(integration.RoleKey()),
Group: gu.Ptr(integration.RoleKey()),
},
},
want: want{
change: true,
changeDate: true,
},
}
out.prepare = func(t *testing.T, request *project.UpdateProjectRoleRequest) {
// create project
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.Id, integration.ProjectName(), false, false)
// create user
userID := instance.CreateUserTypeHuman(iamOwnerCtx, integration.Email()).GetId()
loginCTX := instance.WithAuthorizationToken(iamOwnerCtx, integration.UserTypeLogin)
instance.RegisterUserPasskey(iamOwnerCtx, userID)
_, token, _, _ := instance.CreateVerifiedWebAuthNSession(t, loginCTX, userID)
// assign user as project admin
_, err := instance.Client.Mgmt.AddProjectMember(iamOwnerCtx, &management.AddProjectMemberRequest{
ProjectId: projectResp.GetId(),
UserId: userID,
Roles: []string{"PROJECT_OWNER_GLOBAL"},
})
assert.NoError(t, err)
// set context
out.args.ctx = integration.WithAuthorizationToken(context.Background(), token)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
}
return &out
}(),
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
creationDate := time.Now().UTC()
tt.prepare(t, tt.args.req)
got, err := instance.Client.ProjectV2.UpdateProjectRole(tt.args.ctx, tt.args.req)
if tt.wantErr {
assert.Error(t, err)
return
}
changeDate := time.Time{}
if tt.want.change {
changeDate = time.Now().UTC()
}
assert.NoError(t, err)
assertUpdateProjectRoleResponse(t, creationDate, changeDate, tt.want.changeDate, got)
})
}
}
func assertUpdateProjectRoleResponse(t *testing.T, creationDate, changeDate time.Time, expectedChangeDate bool, actualResp *project.UpdateProjectRoleResponse) {
if expectedChangeDate {
if !changeDate.IsZero() {
assert.WithinRange(t, actualResp.GetChangeDate().AsTime(), creationDate, changeDate)
} else {
assert.WithinRange(t, actualResp.GetChangeDate().AsTime(), creationDate, time.Now().UTC())
}
} else {
assert.Nil(t, actualResp.ChangeDate)
}
}
func TestServer_DeleteProjectRole(t *testing.T) {
iamOwnerCtx := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, integration.OrganizationName(), integration.Email())
tests := []struct {
name string
ctx context.Context
prepare func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time)
req *project.RemoveProjectRoleRequest
wantDeletionDate bool
wantErr bool
}{
{
name: "empty id",
ctx: iamOwnerCtx,
req: &project.RemoveProjectRoleRequest{
ProjectId: "",
RoleKey: "notexisting",
},
wantErr: true,
},
{
name: "delete, not existing",
ctx: iamOwnerCtx,
req: &project.RemoveProjectRoleRequest{
ProjectId: "notexisting",
RoleKey: "notexisting",
},
wantDeletionDate: false,
},
{
name: "delete",
ctx: iamOwnerCtx,
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
},
req: &project.RemoveProjectRoleRequest{},
wantDeletionDate: true,
},
{
name: "delete, already removed",
ctx: iamOwnerCtx,
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
instance.RemoveProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName)
return creationDate, time.Now().UTC()
},
req: &project.RemoveProjectRoleRequest{},
wantDeletionDate: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
var creationDate, deletionDate time.Time
if tt.prepare != nil {
creationDate, deletionDate = tt.prepare(t, tt.req)
}
got, err := instance.Client.ProjectV2.RemoveProjectRole(tt.ctx, tt.req)
if tt.wantErr {
assert.Error(t, err)
return
}
assert.NoError(t, err)
assertRemoveProjectRoleResponse(t, creationDate, deletionDate, tt.wantDeletionDate, got)
})
}
}
func TestServer_DeleteProjectRole_Permission(t *testing.T) {
iamOwnerCtx := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, integration.OrganizationName(), integration.Email())
type test struct {
name string
ctx context.Context
prepare func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time)
req *project.RemoveProjectRoleRequest
wantDeletionDate bool
wantErr bool
}
tests := []*test{
{
name: "unauthenticated",
ctx: CTX,
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
},
req: &project.RemoveProjectRoleRequest{},
wantErr: true,
},
{
name: "no permission",
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeNoPermission),
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
},
req: &project.RemoveProjectRoleRequest{},
wantErr: true,
},
{
name: "organization owner, other org",
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
},
req: &project.RemoveProjectRoleRequest{},
wantErr: true,
},
{
name: "organization owner, ok",
ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner),
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
},
req: &project.RemoveProjectRoleRequest{},
wantDeletionDate: true,
},
{
name: "instance owner, ok",
ctx: iamOwnerCtx,
prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
},
req: &project.RemoveProjectRoleRequest{},
wantDeletionDate: true,
},
func() *test {
out := test{
name: "delete project role as a added project admin, ok",
req: &project.RemoveProjectRoleRequest{},
wantDeletionDate: true,
}
out.prepare = func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
// create project
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.Id, integration.ProjectName(), false, false)
// create user
userID := instance.CreateUserTypeHuman(iamOwnerCtx, integration.Email()).GetId()
loginCTX := instance.WithAuthorizationToken(iamOwnerCtx, integration.UserTypeLogin)
instance.RegisterUserPasskey(iamOwnerCtx, userID)
_, token, _, _ := instance.CreateVerifiedWebAuthNSession(t, loginCTX, userID)
// assign user as project admin
_, err := instance.Client.Mgmt.AddProjectMember(iamOwnerCtx, &management.AddProjectMemberRequest{
ProjectId: projectResp.GetId(),
UserId: userID,
Roles: []string{"PROJECT_OWNER_GLOBAL"},
})
assert.NoError(t, err)
// set context
out.ctx = integration.WithAuthorizationToken(context.Background(), token)
roleName := integration.RoleKey()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
}
return &out
}(),
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
var creationDate, deletionDate time.Time
if tt.prepare != nil {
creationDate, deletionDate = tt.prepare(t, tt.req)
}
got, err := instance.Client.ProjectV2.RemoveProjectRole(tt.ctx, tt.req)
if tt.wantErr {
assert.Error(t, err)
return
}
assert.NoError(t, err)
assertRemoveProjectRoleResponse(t, creationDate, deletionDate, tt.wantDeletionDate, got)
})
}
}
func assertRemoveProjectRoleResponse(t *testing.T, creationDate, deletionDate time.Time, expectedDeletionDate bool, actualResp *project.RemoveProjectRoleResponse) {
if expectedDeletionDate {
if !deletionDate.IsZero() {
assert.WithinRange(t, actualResp.GetRemovalDate().AsTime(), creationDate, deletionDate)
} else {
assert.WithinRange(t, actualResp.GetRemovalDate().AsTime(), creationDate, time.Now().UTC())
}
} else {
assert.Nil(t, actualResp.RemovalDate)
}
}

1154
internal/api/grpc/project/v2/integration_test/project_test.go Normal file
View File

File diff suppressed because it is too large Load Diff

2021
internal/api/grpc/project/v2/integration_test/query_test.go Normal file
View File

File diff suppressed because it is too large Load Diff

63
internal/api/grpc/project/v2/integration_test/server_test.go Normal file
View File

@@ -0,0 +1,63 @@
//go:build integration
package project_test
import (
"context"
"os"
"testing"
"time"
"github.com/muhlemmer/gu"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/zitadel/zitadel/internal/integration"
"github.com/zitadel/zitadel/pkg/grpc/feature/v2"
)
var (
CTX context.Context
instance *integration.Instance
instancePermissionV2 *integration.Instance
)
func TestMain(m *testing.M) {
os.Exit(func() int {
ctx, cancel := context.WithTimeout(context.Background(), 15*time.Minute)
defer cancel()
CTX = ctx
instance = integration.NewInstance(ctx)
instancePermissionV2 = integration.NewInstance(CTX)
return m.Run()
}())
}
func ensureFeaturePermissionV2Enabled(t *testing.T, instance *integration.Instance) {
ctx := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
f, err := instance.Client.FeatureV2.GetInstanceFeatures(ctx, &feature.GetInstanceFeaturesRequest{
Inheritance: true,
})
require.NoError(t, err)
if f.PermissionCheckV2.GetEnabled() {
return
}
_, err = instance.Client.FeatureV2.SetInstanceFeatures(ctx, &feature.SetInstanceFeaturesRequest{
PermissionCheckV2: gu.Ptr(true),
})
require.NoError(t, err)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, 5*time.Minute)
require.EventuallyWithT(t,
func(ttt *assert.CollectT) {
f, err := instance.Client.FeatureV2.GetInstanceFeatures(ctx, &feature.GetInstanceFeaturesRequest{
Inheritance: true,
})
assert.NoError(ttt, err)
if f.PermissionCheckV2.GetEnabled() {
return
}
},
retryDuration,
tick,
"timed out waiting for ensuring instance feature")
}

162
internal/api/grpc/project/v2/project.go Normal file
View File

@@ -0,0 +1,162 @@
package project
import (
"context"
"connectrpc.com/connect"
"github.com/muhlemmer/gu"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/internal/query"
project_pb "github.com/zitadel/zitadel/pkg/grpc/project/v2"
)
func (s *Server) CreateProject(ctx context.Context, req *connect.Request[project_pb.CreateProjectRequest]) (*connect.Response[project_pb.CreateProjectResponse], error) {
add := projectCreateToCommand(req.Msg)
project, err := s.command.AddProject(ctx, add)
if err != nil {
return nil, err
}
var creationDate *timestamppb.Timestamp
if !project.EventDate.IsZero() {
creationDate = timestamppb.New(project.EventDate)
}
return connect.NewResponse(&project_pb.CreateProjectResponse{
ProjectId: add.AggregateID,
CreationDate: creationDate,
}), nil
}
func projectCreateToCommand(req *project_pb.CreateProjectRequest) *command.AddProject {
var aggregateID string
if req.ProjectId != nil {
aggregateID = *req.ProjectId
}
return &command.AddProject{
ObjectRoot: models.ObjectRoot{
ResourceOwner: req.OrganizationId,
AggregateID: aggregateID,
},
Name: req.Name,
ProjectRoleAssertion: req.ProjectRoleAssertion,
ProjectRoleCheck: req.AuthorizationRequired,
HasProjectCheck: req.ProjectAccessRequired,
PrivateLabelingSetting: privateLabelingSettingToDomain(req.PrivateLabelingSetting),
}
}
func privateLabelingSettingToDomain(setting project_pb.PrivateLabelingSetting) domain.PrivateLabelingSetting {
switch setting {
case project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY:
return domain.PrivateLabelingSettingAllowLoginUserResourceOwnerPolicy
case project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY:
return domain.PrivateLabelingSettingEnforceProjectResourceOwnerPolicy
case project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_UNSPECIFIED:
return domain.PrivateLabelingSettingUnspecified
default:
return domain.PrivateLabelingSettingUnspecified
}
}
func (s *Server) UpdateProject(ctx context.Context, req *connect.Request[project_pb.UpdateProjectRequest]) (*connect.Response[project_pb.UpdateProjectResponse], error) {
project, err := s.command.ChangeProject(ctx, projectUpdateToCommand(req.Msg))
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !project.EventDate.IsZero() {
changeDate = timestamppb.New(project.EventDate)
}
return connect.NewResponse(&project_pb.UpdateProjectResponse{
ChangeDate: changeDate,
}), nil
}
func projectUpdateToCommand(req *project_pb.UpdateProjectRequest) *command.ChangeProject {
var labeling *domain.PrivateLabelingSetting
if req.PrivateLabelingSetting != nil {
labeling = gu.Ptr(privateLabelingSettingToDomain(*req.PrivateLabelingSetting))
}
return &command.ChangeProject{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
},
Name: req.Name,
ProjectRoleAssertion: req.ProjectRoleAssertion,
ProjectRoleCheck: req.AuthorizationRequired,
HasProjectCheck: req.ProjectAccessRequired,
PrivateLabelingSetting: labeling,
}
}
func (s *Server) DeleteProject(ctx context.Context, req *connect.Request[project_pb.DeleteProjectRequest]) (*connect.Response[project_pb.DeleteProjectResponse], error) {
userGrantIDs, err := s.userGrantsFromProject(ctx, req.Msg.GetProjectId())
if err != nil {
return nil, err
}
deletedAt, err := s.command.DeleteProject(ctx, req.Msg.GetProjectId(), "", userGrantIDs...)
if err != nil {
return nil, err
}
var deletionDate *timestamppb.Timestamp
if !deletedAt.IsZero() {
deletionDate = timestamppb.New(deletedAt)
}
return connect.NewResponse(&project_pb.DeleteProjectResponse{
DeletionDate: deletionDate,
}), nil
}
func (s *Server) userGrantsFromProject(ctx context.Context, projectID string) ([]string, error) {
projectQuery, err := query.NewUserGrantProjectIDSearchQuery(projectID)
if err != nil {
return nil, err
}
userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
Queries: []query.SearchQuery{projectQuery},
}, false, nil)
if err != nil {
return nil, err
}
return userGrantsToIDs(userGrants.UserGrants), nil
}
func (s *Server) DeactivateProject(ctx context.Context, req *connect.Request[project_pb.DeactivateProjectRequest]) (*connect.Response[project_pb.DeactivateProjectResponse], error) {
details, err := s.command.DeactivateProject(ctx, req.Msg.GetProjectId(), "")
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !details.EventDate.IsZero() {
changeDate = timestamppb.New(details.EventDate)
}
return connect.NewResponse(&project_pb.DeactivateProjectResponse{
ChangeDate: changeDate,
}), nil
}
func (s *Server) ActivateProject(ctx context.Context, req *connect.Request[project_pb.ActivateProjectRequest]) (*connect.Response[project_pb.ActivateProjectResponse], error) {
details, err := s.command.ReactivateProject(ctx, req.Msg.GetProjectId(), "")
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !details.EventDate.IsZero() {
changeDate = timestamppb.New(details.EventDate)
}
return connect.NewResponse(&project_pb.ActivateProjectResponse{
ChangeDate: changeDate,
}), nil
}
func userGrantsToIDs(userGrants []*query.UserGrant) []string {
converted := make([]string, len(userGrants))
for i, grant := range userGrants {
converted[i] = grant.ID
}
return converted
}

126
internal/api/grpc/project/v2/project_grant.go Normal file
View File

@@ -0,0 +1,126 @@
package project
import (
"context"
"connectrpc.com/connect"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/internal/query"
project_pb "github.com/zitadel/zitadel/pkg/grpc/project/v2"
)
func (s *Server) CreateProjectGrant(ctx context.Context, req *connect.Request[project_pb.CreateProjectGrantRequest]) (*connect.Response[project_pb.CreateProjectGrantResponse], error) {
add := projectGrantCreateToCommand(req.Msg)
project, err := s.command.AddProjectGrant(ctx, add)
if err != nil {
return nil, err
}
var creationDate *timestamppb.Timestamp
if !project.EventDate.IsZero() {
creationDate = timestamppb.New(project.EventDate)
}
return connect.NewResponse(&project_pb.CreateProjectGrantResponse{
CreationDate: creationDate,
}), nil
}
func projectGrantCreateToCommand(req *project_pb.CreateProjectGrantRequest) *command.AddProjectGrant {
return &command.AddProjectGrant{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
},
GrantedOrgID: req.GrantedOrganizationId,
RoleKeys: req.RoleKeys,
}
}
func (s *Server) UpdateProjectGrant(ctx context.Context, req *connect.Request[project_pb.UpdateProjectGrantRequest]) (*connect.Response[project_pb.UpdateProjectGrantResponse], error) {
project, err := s.command.ChangeProjectGrant(ctx, projectGrantUpdateToCommand(req.Msg))
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !project.EventDate.IsZero() {
changeDate = timestamppb.New(project.EventDate)
}
return connect.NewResponse(&project_pb.UpdateProjectGrantResponse{
ChangeDate: changeDate,
}), nil
}
func projectGrantUpdateToCommand(req *project_pb.UpdateProjectGrantRequest) *command.ChangeProjectGrant {
return &command.ChangeProjectGrant{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
},
GrantedOrgID: req.GrantedOrganizationId,
RoleKeys: req.RoleKeys,
}
}
func (s *Server) DeactivateProjectGrant(ctx context.Context, req *connect.Request[project_pb.DeactivateProjectGrantRequest]) (*connect.Response[project_pb.DeactivateProjectGrantResponse], error) {
details, err := s.command.DeactivateProjectGrant(ctx, req.Msg.GetProjectId(), "", req.Msg.GetGrantedOrganizationId(), "")
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !details.EventDate.IsZero() {
changeDate = timestamppb.New(details.EventDate)
}
return connect.NewResponse(&project_pb.DeactivateProjectGrantResponse{
ChangeDate: changeDate,
}), nil
}
func (s *Server) ActivateProjectGrant(ctx context.Context, req *connect.Request[project_pb.ActivateProjectGrantRequest]) (*connect.Response[project_pb.ActivateProjectGrantResponse], error) {
details, err := s.command.ReactivateProjectGrant(ctx, req.Msg.GetProjectId(), "", req.Msg.GetGrantedOrganizationId(), "")
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !details.EventDate.IsZero() {
changeDate = timestamppb.New(details.EventDate)
}
return connect.NewResponse(&project_pb.ActivateProjectGrantResponse{
ChangeDate: changeDate,
}), nil
}
func (s *Server) DeleteProjectGrant(ctx context.Context, req *connect.Request[project_pb.DeleteProjectGrantRequest]) (*connect.Response[project_pb.DeleteProjectGrantResponse], error) {
userGrantIDs, err := s.userGrantsFromProjectGrant(ctx, req.Msg.GetProjectId(), req.Msg.GetGrantedOrganizationId())
if err != nil {
return nil, err
}
details, err := s.command.DeleteProjectGrant(ctx, req.Msg.GetProjectId(), "", req.Msg.GetGrantedOrganizationId(), "", userGrantIDs...)
if err != nil {
return nil, err
}
var deletionDate *timestamppb.Timestamp
if !details.EventDate.IsZero() {
deletionDate = timestamppb.New(details.EventDate)
}
return connect.NewResponse(&project_pb.DeleteProjectGrantResponse{
DeletionDate: deletionDate,
}), nil
}
func (s *Server) userGrantsFromProjectGrant(ctx context.Context, projectID, grantedOrganizationID string) ([]string, error) {
projectQuery, err := query.NewUserGrantProjectIDSearchQuery(projectID)
if err != nil {
return nil, err
}
grantQuery, err := query.NewUserGrantWithGrantedQuery(grantedOrganizationID)
if err != nil {
return nil, err
}
userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
Queries: []query.SearchQuery{projectQuery, grantQuery},
}, false, nil)
if err != nil {
return nil, err
}
return userGrantsToIDs(userGrants.UserGrants), nil
}

133
internal/api/grpc/project/v2/project_role.go Normal file
View File

@@ -0,0 +1,133 @@
package project
import (
"context"
"connectrpc.com/connect"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/internal/query"
project_pb "github.com/zitadel/zitadel/pkg/grpc/project/v2"
)
func (s *Server) AddProjectRole(ctx context.Context, req *connect.Request[project_pb.AddProjectRoleRequest]) (*connect.Response[project_pb.AddProjectRoleResponse], error) {
role, err := s.command.AddProjectRole(ctx, addProjectRoleRequestToCommand(req.Msg))
if err != nil {
return nil, err
}
var creationDate *timestamppb.Timestamp
if !role.EventDate.IsZero() {
creationDate = timestamppb.New(role.EventDate)
}
return connect.NewResponse(&project_pb.AddProjectRoleResponse{
CreationDate: creationDate,
}), nil
}
func addProjectRoleRequestToCommand(req *project_pb.AddProjectRoleRequest) *command.AddProjectRole {
group := ""
if req.Group != nil {
group = *req.Group
}
return &command.AddProjectRole{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
},
Key: req.RoleKey,
DisplayName: req.DisplayName,
Group: group,
}
}
func (s *Server) UpdateProjectRole(ctx context.Context, req *connect.Request[project_pb.UpdateProjectRoleRequest]) (*connect.Response[project_pb.UpdateProjectRoleResponse], error) {
role, err := s.command.ChangeProjectRole(ctx, updateProjectRoleRequestToCommand(req.Msg))
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !role.EventDate.IsZero() {
changeDate = timestamppb.New(role.EventDate)
}
return connect.NewResponse(&project_pb.UpdateProjectRoleResponse{
ChangeDate: changeDate,
}), nil
}
func updateProjectRoleRequestToCommand(req *project_pb.UpdateProjectRoleRequest) *command.ChangeProjectRole {
displayName := ""
if req.DisplayName != nil {
displayName = *req.DisplayName
}
group := ""
if req.Group != nil {
group = *req.Group
}
return &command.ChangeProjectRole{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
},
Key: req.RoleKey,
DisplayName: displayName,
Group: group,
}
}
func (s *Server) RemoveProjectRole(ctx context.Context, req *connect.Request[project_pb.RemoveProjectRoleRequest]) (*connect.Response[project_pb.RemoveProjectRoleResponse], error) {
userGrantIDs, err := s.userGrantsFromProjectAndRole(ctx, req.Msg.GetProjectId(), req.Msg.GetRoleKey())
if err != nil {
return nil, err
}
projectGrantIDs, err := s.projectGrantsFromProjectAndRole(ctx, req.Msg.GetProjectId(), req.Msg.GetRoleKey())
if err != nil {
return nil, err
}
details, err := s.command.RemoveProjectRole(ctx, req.Msg.GetProjectId(), req.Msg.GetRoleKey(), "", projectGrantIDs, userGrantIDs...)
if err != nil {
return nil, err
}
var deletionDate *timestamppb.Timestamp
if !details.EventDate.IsZero() {
deletionDate = timestamppb.New(details.EventDate)
}
return connect.NewResponse(&project_pb.RemoveProjectRoleResponse{
RemovalDate: deletionDate,
}), nil
}
func (s *Server) userGrantsFromProjectAndRole(ctx context.Context, projectID, roleKey string) ([]string, error) {
projectQuery, err := query.NewUserGrantProjectIDSearchQuery(projectID)
if err != nil {
return nil, err
}
rolesQuery, err := query.NewUserGrantRoleQuery(roleKey)
if err != nil {
return nil, err
}
userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
Queries: []query.SearchQuery{projectQuery, rolesQuery},
}, false, nil)
if err != nil {
return nil, err
}
return userGrantsToIDs(userGrants.UserGrants), nil
}
func (s *Server) projectGrantsFromProjectAndRole(ctx context.Context, projectID, roleKey string) ([]string, error) {
projectGrants, err := s.query.SearchProjectGrantsByProjectIDAndRoleKey(ctx, projectID, roleKey)
if err != nil {
return nil, err
}
return projectGrantsToIDs(projectGrants), nil
}
func projectGrantsToIDs(projectGrants *query.ProjectGrants) []string {
converted := make([]string, len(projectGrants.ProjectGrants))
for i, grant := range projectGrants.ProjectGrants {
converted[i] = grant.GrantID
}
return converted
}

428
internal/api/grpc/project/v2/query.go Normal file
View File

@@ -0,0 +1,428 @@
package project
import (
"context"
"connectrpc.com/connect"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/api/grpc/filter/v2"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/internal/zerrors"
filter_pb "github.com/zitadel/zitadel/pkg/grpc/filter/v2"
project_pb "github.com/zitadel/zitadel/pkg/grpc/project/v2"
)
func (s *Server) GetProject(ctx context.Context, req *connect.Request[project_pb.GetProjectRequest]) (*connect.Response[project_pb.GetProjectResponse], error) {
project, err := s.query.GetProjectByIDWithPermission(ctx, true, req.Msg.GetProjectId(), s.checkPermission)
if err != nil {
return nil, err
}
return connect.NewResponse(&project_pb.GetProjectResponse{
Project: projectToPb(project),
}), nil
}
func (s *Server) ListProjects(ctx context.Context, req *connect.Request[project_pb.ListProjectsRequest]) (*connect.Response[project_pb.ListProjectsResponse], error) {
queries, err := s.listProjectRequestToModel(req.Msg)
if err != nil {
return nil, err
}
resp, err := s.query.SearchGrantedProjects(ctx, queries, s.checkPermission)
if err != nil {
return nil, err
}
return connect.NewResponse(&project_pb.ListProjectsResponse{
Projects: grantedProjectsToPb(resp.GrantedProjects),
Pagination: filter.QueryToPaginationPb(queries.SearchRequest, resp.SearchResponse),
}), nil
}
func (s *Server) listProjectRequestToModel(req *project_pb.ListProjectsRequest) (*query.ProjectAndGrantedProjectSearchQueries, error) {
offset, limit, asc, err := filter.PaginationPbToQuery(s.systemDefaults, req.Pagination)
if err != nil {
return nil, err
}
queries, err := projectFiltersToQuery(req.Filters)
if err != nil {
return nil, err
}
return &query.ProjectAndGrantedProjectSearchQueries{
SearchRequest: query.SearchRequest{
Offset: offset,
Limit: limit,
Asc: asc,
SortingColumn: grantedProjectFieldNameToSortingColumn(req.SortingColumn),
},
Queries: queries,
}, nil
}
func grantedProjectFieldNameToSortingColumn(field *project_pb.ProjectFieldName) query.Column {
if field == nil {
return query.GrantedProjectColumnCreationDate
}
switch *field {
case project_pb.ProjectFieldName_PROJECT_FIELD_NAME_CREATION_DATE:
return query.GrantedProjectColumnCreationDate
case project_pb.ProjectFieldName_PROJECT_FIELD_NAME_ID:
return query.GrantedProjectColumnID
case project_pb.ProjectFieldName_PROJECT_FIELD_NAME_NAME:
return query.GrantedProjectColumnName
case project_pb.ProjectFieldName_PROJECT_FIELD_NAME_CHANGE_DATE:
return query.GrantedProjectColumnChangeDate
case project_pb.ProjectFieldName_PROJECT_FIELD_NAME_UNSPECIFIED:
return query.GrantedProjectColumnCreationDate
default:
return query.GrantedProjectColumnCreationDate
}
}
func projectFiltersToQuery(queries []*project_pb.ProjectSearchFilter) (_ []query.SearchQuery, err error) {
q := make([]query.SearchQuery, len(queries))
for i, qry := range queries {
q[i], err = projectFilterToModel(qry)
if err != nil {
return nil, err
}
}
return q, nil
}
func projectFilterToModel(filter *project_pb.ProjectSearchFilter) (query.SearchQuery, error) {
switch q := filter.Filter.(type) {
case *project_pb.ProjectSearchFilter_ProjectNameFilter:
return projectNameFilterToQuery(q.ProjectNameFilter)
case *project_pb.ProjectSearchFilter_InProjectIdsFilter:
return projectInIDsFilterToQuery(q.InProjectIdsFilter)
case *project_pb.ProjectSearchFilter_OrganizationIdFilter:
return projectOrganizationIDFilterToQuery(q.OrganizationIdFilter)
default:
return nil, zerrors.ThrowInvalidArgument(nil, "ORG-vR9nC", "List.Query.Invalid")
}
}
func projectNameFilterToQuery(q *project_pb.ProjectNameFilter) (query.SearchQuery, error) {
return query.NewGrantedProjectNameSearchQuery(filter.TextMethodPbToQuery(q.Method), q.GetProjectName())
}
func projectInIDsFilterToQuery(q *filter_pb.InIDsFilter) (query.SearchQuery, error) {
return query.NewGrantedProjectIDSearchQuery(q.Ids)
}
func projectOrganizationIDFilterToQuery(q *project_pb.ProjectOrganizationIDFilter) (query.SearchQuery, error) {
switch q.GetType() {
case project_pb.ProjectOrganizationIDFilter_OWNED:
return query.NewGrantedProjectResourceOwnerSearchQuery(q.GetOrganizationId())
case project_pb.ProjectOrganizationIDFilter_GRANTED:
return query.NewGrantedProjectGrantedOrganizationIDSearchQuery(q.GetOrganizationId())
case project_pb.ProjectOrganizationIDFilter_OWNED_OR_GRANTED:
return query.NewGrantedProjectOrganizationIDSearchQuery(q.GetOrganizationId())
case project_pb.ProjectOrganizationIDFilter_TYPE_UNSPECIFIED:
return query.NewGrantedProjectOrganizationIDSearchQuery(q.GetOrganizationId())
default:
return nil, zerrors.ThrowInvalidArgument(nil, "ORG-Sk3sd", "List.Query.Invalid")
}
}
func grantedProjectsToPb(projects []*query.GrantedProject) []*project_pb.Project {
o := make([]*project_pb.Project, len(projects))
for i, org := range projects {
o[i] = grantedProjectToPb(org)
}
return o
}
func projectToPb(project *query.Project) *project_pb.Project {
return &project_pb.Project{
ProjectId: project.ID,
OrganizationId: project.ResourceOwner,
CreationDate: timestamppb.New(project.CreationDate),
ChangeDate: timestamppb.New(project.ChangeDate),
State: projectStateToPb(project.State),
Name: project.Name,
PrivateLabelingSetting: privateLabelingSettingToPb(project.PrivateLabelingSetting),
ProjectAccessRequired: project.HasProjectCheck,
ProjectRoleAssertion: project.ProjectRoleAssertion,
AuthorizationRequired: project.ProjectRoleCheck,
}
}
func grantedProjectToPb(project *query.GrantedProject) *project_pb.Project {
var grantedOrganizationID, grantedOrganizationName *string
if project.GrantedOrgID != "" {
grantedOrganizationID = &project.GrantedOrgID
}
if project.OrgName != "" {
grantedOrganizationName = &project.OrgName
}
return &project_pb.Project{
ProjectId: project.ProjectID,
OrganizationId: project.ResourceOwner,
CreationDate: timestamppb.New(project.CreationDate),
ChangeDate: timestamppb.New(project.ChangeDate),
State: projectStateToPb(project.ProjectState),
Name: project.ProjectName,
PrivateLabelingSetting: privateLabelingSettingToPb(project.PrivateLabelingSetting),
ProjectAccessRequired: project.HasProjectCheck,
ProjectRoleAssertion: project.ProjectRoleAssertion,
AuthorizationRequired: project.ProjectRoleCheck,
GrantedOrganizationId: grantedOrganizationID,
GrantedOrganizationName: grantedOrganizationName,
GrantedState: grantedProjectStateToPb(project.ProjectGrantState),
}
}
func projectStateToPb(state domain.ProjectState) project_pb.ProjectState {
switch state {
case domain.ProjectStateActive:
return project_pb.ProjectState_PROJECT_STATE_ACTIVE
case domain.ProjectStateInactive:
return project_pb.ProjectState_PROJECT_STATE_INACTIVE
case domain.ProjectStateUnspecified, domain.ProjectStateRemoved:
return project_pb.ProjectState_PROJECT_STATE_UNSPECIFIED
default:
return project_pb.ProjectState_PROJECT_STATE_UNSPECIFIED
}
}
func grantedProjectStateToPb(state domain.ProjectGrantState) project_pb.GrantedProjectState {
switch state {
case domain.ProjectGrantStateActive:
return project_pb.GrantedProjectState_GRANTED_PROJECT_STATE_ACTIVE
case domain.ProjectGrantStateInactive:
return project_pb.GrantedProjectState_GRANTED_PROJECT_STATE_INACTIVE
case domain.ProjectGrantStateUnspecified, domain.ProjectGrantStateRemoved:
return project_pb.GrantedProjectState_GRANTED_PROJECT_STATE_UNSPECIFIED
default:
return project_pb.GrantedProjectState_GRANTED_PROJECT_STATE_UNSPECIFIED
}
}
func privateLabelingSettingToPb(setting domain.PrivateLabelingSetting) project_pb.PrivateLabelingSetting {
switch setting {
case domain.PrivateLabelingSettingAllowLoginUserResourceOwnerPolicy:
return project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
case domain.PrivateLabelingSettingEnforceProjectResourceOwnerPolicy:
return project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
case domain.PrivateLabelingSettingUnspecified:
return project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_UNSPECIFIED
default:
return project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_UNSPECIFIED
}
}
func (s *Server) ListProjectGrants(ctx context.Context, req *connect.Request[project_pb.ListProjectGrantsRequest]) (*connect.Response[project_pb.ListProjectGrantsResponse], error) {
queries, err := s.listProjectGrantsRequestToModel(req.Msg)
if err != nil {
return nil, err
}
resp, err := s.query.SearchProjectGrants(ctx, queries, s.checkPermission)
if err != nil {
return nil, err
}
return connect.NewResponse(&project_pb.ListProjectGrantsResponse{
ProjectGrants: projectGrantsToPb(resp.ProjectGrants),
Pagination: filter.QueryToPaginationPb(queries.SearchRequest, resp.SearchResponse),
}), nil
}
func (s *Server) listProjectGrantsRequestToModel(req *project_pb.ListProjectGrantsRequest) (*query.ProjectGrantSearchQueries, error) {
offset, limit, asc, err := filter.PaginationPbToQuery(s.systemDefaults, req.Pagination)
if err != nil {
return nil, err
}
queries, err := projectGrantFiltersToModel(req.Filters)
if err != nil {
return nil, err
}
return &query.ProjectGrantSearchQueries{
SearchRequest: query.SearchRequest{
Offset: offset,
Limit: limit,
Asc: asc,
SortingColumn: projectGrantFieldNameToSortingColumn(req.SortingColumn),
},
Queries: queries,
}, nil
}
func projectGrantFieldNameToSortingColumn(field *project_pb.ProjectGrantFieldName) query.Column {
if field == nil {
return query.ProjectGrantColumnCreationDate
}
switch *field {
case project_pb.ProjectGrantFieldName_PROJECT_GRANT_FIELD_NAME_PROJECT_ID:
return query.ProjectGrantColumnProjectID
case project_pb.ProjectGrantFieldName_PROJECT_GRANT_FIELD_NAME_CREATION_DATE:
return query.ProjectGrantColumnCreationDate
case project_pb.ProjectGrantFieldName_PROJECT_GRANT_FIELD_NAME_CHANGE_DATE:
return query.ProjectGrantColumnChangeDate
case project_pb.ProjectGrantFieldName_PROJECT_GRANT_FIELD_NAME_UNSPECIFIED:
return query.ProjectGrantColumnCreationDate
default:
return query.ProjectGrantColumnCreationDate
}
}
func projectGrantFiltersToModel(queries []*project_pb.ProjectGrantSearchFilter) (_ []query.SearchQuery, err error) {
q := make([]query.SearchQuery, len(queries))
for i, qry := range queries {
q[i], err = projectGrantFilterToModel(qry)
if err != nil {
return nil, err
}
}
return q, nil
}
func projectGrantFilterToModel(filter *project_pb.ProjectGrantSearchFilter) (query.SearchQuery, error) {
switch q := filter.Filter.(type) {
case *project_pb.ProjectGrantSearchFilter_ProjectNameFilter:
return projectNameFilterToQuery(q.ProjectNameFilter)
case *project_pb.ProjectGrantSearchFilter_RoleKeyFilter:
return query.NewProjectGrantRoleKeySearchQuery(q.RoleKeyFilter.Key)
case *project_pb.ProjectGrantSearchFilter_InProjectIdsFilter:
return query.NewProjectGrantProjectIDsSearchQuery(q.InProjectIdsFilter.Ids)
case *project_pb.ProjectGrantSearchFilter_OrganizationIdFilter:
return query.NewProjectGrantResourceOwnerSearchQuery(q.OrganizationIdFilter.Id)
case *project_pb.ProjectGrantSearchFilter_GrantedOrganizationIdFilter:
return query.NewProjectGrantGrantedOrgIDSearchQuery(q.GrantedOrganizationIdFilter.Id)
default:
return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-M099f", "List.Query.Invalid")
}
}
func projectGrantsToPb(projects []*query.ProjectGrant) []*project_pb.ProjectGrant {
p := make([]*project_pb.ProjectGrant, len(projects))
for i, project := range projects {
p[i] = projectGrantToPb(project)
}
return p
}
func projectGrantToPb(project *query.ProjectGrant) *project_pb.ProjectGrant {
return &project_pb.ProjectGrant{
OrganizationId: project.ResourceOwner,
CreationDate: timestamppb.New(project.CreationDate),
ChangeDate: timestamppb.New(project.ChangeDate),
GrantedOrganizationId: project.GrantedOrgID,
GrantedOrganizationName: project.OrgName,
GrantedRoleKeys: project.GrantedRoleKeys,
ProjectId: project.ProjectID,
ProjectName: project.ProjectName,
State: projectGrantStateToPb(project.State),
}
}
func projectGrantStateToPb(state domain.ProjectGrantState) project_pb.ProjectGrantState {
switch state {
case domain.ProjectGrantStateActive:
return project_pb.ProjectGrantState_PROJECT_GRANT_STATE_ACTIVE
case domain.ProjectGrantStateInactive:
return project_pb.ProjectGrantState_PROJECT_GRANT_STATE_INACTIVE
case domain.ProjectGrantStateUnspecified, domain.ProjectGrantStateRemoved:
return project_pb.ProjectGrantState_PROJECT_GRANT_STATE_UNSPECIFIED
default:
return project_pb.ProjectGrantState_PROJECT_GRANT_STATE_UNSPECIFIED
}
}
func (s *Server) ListProjectRoles(ctx context.Context, req *connect.Request[project_pb.ListProjectRolesRequest]) (*connect.Response[project_pb.ListProjectRolesResponse], error) {
queries, err := s.listProjectRolesRequestToModel(req.Msg)
if err != nil {
return nil, err
}
err = queries.AppendProjectIDQuery(req.Msg.GetProjectId())
if err != nil {
return nil, err
}
roles, err := s.query.SearchProjectRoles(ctx, true, queries, s.checkPermission)
if err != nil {
return nil, err
}
return connect.NewResponse(&project_pb.ListProjectRolesResponse{
ProjectRoles: roleViewsToPb(roles.ProjectRoles),
Pagination: filter.QueryToPaginationPb(queries.SearchRequest, roles.SearchResponse),
}), nil
}
func (s *Server) listProjectRolesRequestToModel(req *project_pb.ListProjectRolesRequest) (*query.ProjectRoleSearchQueries, error) {
offset, limit, asc, err := filter.PaginationPbToQuery(s.systemDefaults, req.Pagination)
if err != nil {
return nil, err
}
queries, err := roleQueriesToModel(req.Filters)
if err != nil {
return nil, err
}
return &query.ProjectRoleSearchQueries{
SearchRequest: query.SearchRequest{
Offset: offset,
Limit: limit,
Asc: asc,
SortingColumn: projectRoleFieldNameToSortingColumn(req.SortingColumn),
},
Queries: queries,
}, nil
}
func projectRoleFieldNameToSortingColumn(field *project_pb.ProjectRoleFieldName) query.Column {
if field == nil {
return query.ProjectRoleColumnCreationDate
}
switch *field {
case project_pb.ProjectRoleFieldName_PROJECT_ROLE_FIELD_NAME_KEY:
return query.ProjectRoleColumnKey
case project_pb.ProjectRoleFieldName_PROJECT_ROLE_FIELD_NAME_CREATION_DATE:
return query.ProjectRoleColumnCreationDate
case project_pb.ProjectRoleFieldName_PROJECT_ROLE_FIELD_NAME_CHANGE_DATE:
return query.ProjectRoleColumnChangeDate
case project_pb.ProjectRoleFieldName_PROJECT_ROLE_FIELD_NAME_UNSPECIFIED:
return query.ProjectRoleColumnCreationDate
default:
return query.ProjectRoleColumnCreationDate
}
}
func roleQueriesToModel(queries []*project_pb.ProjectRoleSearchFilter) (_ []query.SearchQuery, err error) {
q := make([]query.SearchQuery, len(queries))
for i, query := range queries {
q[i], err = roleQueryToModel(query)
if err != nil {
return nil, err
}
}
return q, nil
}
func roleQueryToModel(apiQuery *project_pb.ProjectRoleSearchFilter) (query.SearchQuery, error) {
switch q := apiQuery.Filter.(type) {
case *project_pb.ProjectRoleSearchFilter_RoleKeyFilter:
return query.NewProjectRoleKeySearchQuery(filter.TextMethodPbToQuery(q.RoleKeyFilter.Method), q.RoleKeyFilter.Key)
case *project_pb.ProjectRoleSearchFilter_DisplayNameFilter:
return query.NewProjectRoleDisplayNameSearchQuery(filter.TextMethodPbToQuery(q.DisplayNameFilter.Method), q.DisplayNameFilter.DisplayName)
default:
return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-fms0e", "List.Query.Invalid")
}
}
func roleViewsToPb(roles []*query.ProjectRole) []*project_pb.ProjectRole {
o := make([]*project_pb.ProjectRole, len(roles))
for i, org := range roles {
o[i] = roleViewToPb(org)
}
return o
}
func roleViewToPb(role *query.ProjectRole) *project_pb.ProjectRole {
return &project_pb.ProjectRole{
ProjectId: role.ProjectID,
Key: role.Key,
CreationDate: timestamppb.New(role.CreationDate),
ChangeDate: timestamppb.New(role.ChangeDate),
DisplayName: role.DisplayName,
Group: role.Group,
}
}

60
internal/api/grpc/project/v2/server.go Normal file
View File

@@ -0,0 +1,60 @@
package project
import (
"net/http"
"connectrpc.com/connect"
"google.golang.org/protobuf/reflect/protoreflect"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/config/systemdefaults"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/pkg/grpc/project/v2"
"github.com/zitadel/zitadel/pkg/grpc/project/v2/projectconnect"
)
var _ projectconnect.ProjectServiceHandler = (*Server)(nil)
type Server struct {
systemDefaults systemdefaults.SystemDefaults
command *command.Commands
query *query.Queries
checkPermission domain.PermissionCheck
}
func CreateServer(
systemDefaults systemdefaults.SystemDefaults,
command *command.Commands,
query *query.Queries,
checkPermission domain.PermissionCheck,
) *Server {
return &Server{
systemDefaults: systemDefaults,
command: command,
query: query,
checkPermission: checkPermission,
}
}
func (s *Server) RegisterConnectServer(interceptors ...connect.Interceptor) (string, http.Handler) {
return projectconnect.NewProjectServiceHandler(s, connect.WithInterceptors(interceptors...))
}
func (s *Server) FileDescriptor() protoreflect.FileDescriptor {
return project.File_zitadel_project_v2_project_service_proto
}
func (s *Server) AppName() string {
return project.ProjectService_ServiceDesc.ServiceName
}
func (s *Server) MethodPrefix() string {
return project.ProjectService_ServiceDesc.ServiceName
}
func (s *Server) AuthMethods() authz.MethodMapping {
return project.ProjectService_AuthMethods
}

3
internal/integration/client.go
View File

@@ -44,6 +44,7 @@ import (
oidc_pb_v2beta "github.com/zitadel/zitadel/pkg/grpc/oidc/v2beta"
"github.com/zitadel/zitadel/pkg/grpc/org/v2"
org_v2beta "github.com/zitadel/zitadel/pkg/grpc/org/v2beta"
project_v2 "github.com/zitadel/zitadel/pkg/grpc/project/v2"
project_v2beta "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"
user_v3alpha "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
userschema_v3alpha "github.com/zitadel/zitadel/pkg/grpc/resources/userschema/v3alpha"
@@ -86,6 +87,7 @@ type Client struct {
SAMLv2 saml_pb.SAMLServiceClient
SCIM *scim.Client
Projectv2Beta project_v2beta.ProjectServiceClient
ProjectV2 project_v2.ProjectServiceClient
InstanceV2Beta instance.InstanceServiceClient
AppV2Beta app_v2beta.AppServiceClient
ApplicationV2 application.ApplicationServiceClient
@@ -134,6 +136,7 @@ func newClient(ctx context.Context, target string) (*Client, error) {
SAMLv2: saml_pb.NewSAMLServiceClient(cc),
SCIM: scim.NewScimClient(target),
Projectv2Beta: project_v2beta.NewProjectServiceClient(cc),
ProjectV2: project_v2.NewProjectServiceClient(cc),
InstanceV2Beta: instance.NewInstanceServiceClient(cc),
AppV2Beta: app_v2beta.NewAppServiceClient(cc),
ApplicationV2: application.NewApplicationServiceClient(cc),

46
proto/zitadel/management.proto
View File

@@ -2922,7 +2922,7 @@ service ManagementService {
// Get Project By ID
//
// Deprecated: use [project v2 service GetProject](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-get-project.api.mdx) instead.
// Deprecated: use [project v2 service GetProject](apis/resources/project_service_v2/zitadel-project-v-2-project-service-get-project.api.mdx) instead.
//
// Returns a project owned by the organization (no granted projects). A Project is a vessel for different applications sharing the same role context.
rpc GetProjectByID(GetProjectByIDRequest) returns (GetProjectByIDResponse) {
@@ -2951,7 +2951,7 @@ service ManagementService {
// Get Granted Project By ID
//
// Deprecated: use [project v2 service ListProjectGrants](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-list-project-grants.api.mdx) instead.
// Deprecated: use [project v2 service ListProjectGrants](apis/resources/project_service_v2/zitadel-project-v-2-project-service-list-project-grants.api.mdx) instead.
//
// Returns a project owned by another organization and granted to my organization. A Project is a vessel for different applications sharing the same role context.
rpc GetGrantedProjectByID(GetGrantedProjectByIDRequest) returns (GetGrantedProjectByIDResponse) {
@@ -2980,7 +2980,7 @@ service ManagementService {
// Search Project
//
// Deprecated: use [project v2 service ListProjects](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-list-projects.api.mdx) instead.
// Deprecated: use [project v2 service ListProjects](apis/resources/project_service_v2/zitadel-project-v-2-project-service-list-projects.api.mdx) instead.
//
// Lists projects my organization is the owner of (no granted projects). A Project is a vessel for different applications sharing the same role context.
rpc ListProjects(ListProjectsRequest) returns (ListProjectsResponse) {
@@ -3009,7 +3009,7 @@ service ManagementService {
// Search Granted Project
//
// Deprecated: use [project v2 service ListProjects](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-list-projects.api.mdx) instead.
// Deprecated: use [project v2 service ListProjects](apis/resources/project_service_v2/zitadel-project-v-2-project-service-list-projects.api.mdx) instead.
//
// Lists projects my organization got granted from another organization. A Project is a vessel for different applications sharing the same role context.
rpc ListGrantedProjects(ListGrantedProjectsRequest) returns (ListGrantedProjectsResponse) {
@@ -3038,7 +3038,7 @@ service ManagementService {
// Search Granted Project Roles
//
// Deprecated: use [project v2 service ListProjectGrants](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-list-project-grants.api.mdx) instead.
// Deprecated: use [project v2 service ListProjectGrants](apis/resources/project_service_v2/zitadel-project-v-2-project-service-list-project-grants.api.mdx) instead.
//
// Lists the roles a granted projects has. These are the roles, that have been granted by the owner organization to my organization.
rpc ListGrantedProjectRoles(ListGrantedProjectRolesRequest) returns (ListGrantedProjectRolesResponse) {
@@ -3092,7 +3092,7 @@ service ManagementService {
// Create Project
//
// Deprecated: use [project v2 service CreateProject](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-create-project.api.mdx) instead.
// Deprecated: use [project v2 service CreateProject](apis/resources/project_service_v2/zitadel-project-v-2-project-service-create-project.api.mdx) instead.
//
// Create a new project. A Project is a vessel for different applications sharing the same role context.
rpc AddProject(AddProjectRequest) returns (AddProjectResponse) {
@@ -3121,7 +3121,7 @@ service ManagementService {
// Update Project
//
// Deprecated: use [project v2 service UpdateProject](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-update-project.api.mdx) instead.
// Deprecated: use [project v2 service UpdateProject](apis/resources/project_service_v2/zitadel-project-v-2-project-service-update-project.api.mdx) instead.
//
// Update a project and its settings. A Project is a vessel for different applications sharing the same role context.
rpc UpdateProject(UpdateProjectRequest) returns (UpdateProjectResponse) {
@@ -3151,7 +3151,7 @@ service ManagementService {
// Deactivate Project
//
// Deprecated: use [project v2 service DeactivateProject](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-deactivate-project.api.mdx) instead.
// Deprecated: use [project v2 service DeactivateProject](apis/resources/project_service_v2/zitadel-project-v-2-project-service-deactivate-project.api.mdx) instead.
//
// Set the state of a project to deactivated. Request returns an error if the project is already deactivated.
rpc DeactivateProject(DeactivateProjectRequest) returns (DeactivateProjectResponse) {
@@ -3181,7 +3181,7 @@ service ManagementService {
// Reactivate Project
//
// Deprecated: use [project v2 service ActivateProject](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-activate-project.api.mdx) instead.
// Deprecated: use [project v2 service ActivateProject](apis/resources/project_service_v2/zitadel-project-v-2-project-service-activate-project.api.mdx) instead.
//
// Set the state of a project to active. Request returns an error if the project is not deactivated.
rpc ReactivateProject(ReactivateProjectRequest) returns (ReactivateProjectResponse) {
@@ -3211,7 +3211,7 @@ service ManagementService {
// Remove Project
//
// Deprecated: use [project v2 service DeleteProject](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-delete-project.api.mdx) instead.
// Deprecated: use [project v2 service DeleteProject](apis/resources/project_service_v2/zitadel-project-v-2-project-service-delete-project.api.mdx) instead.
//
// Set the state of a project to active. Request returns an error if the project is not deactivated.
rpc RemoveProject(RemoveProjectRequest) returns (RemoveProjectResponse) {
@@ -3240,7 +3240,7 @@ service ManagementService {
// Search Project Roles
//
// Deprecated: use [project v2 service ListProjectRoles](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-list-project-roles.api.mdx) instead.
// Deprecated: use [project v2 service ListProjectRoles](apis/resources/project_service_v2/zitadel-project-v-2-project-service-list-project-roles.api.mdx) instead.
//
// Returns all roles of a project matching the search query.
rpc ListProjectRoles(ListProjectRolesRequest) returns (ListProjectRolesResponse) {
@@ -3270,7 +3270,7 @@ service ManagementService {
// Add Project Role
//
// Deprecated: use [project v2 service AddProjectRole](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-add-project-role.api.mdx) instead.
// Deprecated: use [project v2 service AddProjectRole](apis/resources/project_service_v2/zitadel-project-v-2-project-service-add-project-role.api.mdx) instead.
//
// Add a new project role to a project. The key must be unique within the project.
rpc AddProjectRole(AddProjectRoleRequest) returns (AddProjectRoleResponse) {
@@ -3300,7 +3300,7 @@ service ManagementService {
// Bulk Add Project Role
//
// Deprecated: use [project v2 service AddProjectRole](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-add-project-role.api.mdx) instead.
// Deprecated: use [project v2 service AddProjectRole](apis/resources/project_service_v2/zitadel-project-v-2-project-service-add-project-role.api.mdx) instead.
//
// Add a list of roles to a project. The keys must be unique within the project.
rpc BulkAddProjectRoles(BulkAddProjectRolesRequest) returns (BulkAddProjectRolesResponse) {
@@ -3330,7 +3330,7 @@ service ManagementService {
// Change Project Role
//
// Deprecated: use [project v2 service UpdateProjectRole](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-update-project-role.api.mdx) instead.
// Deprecated: use [project v2 service UpdateProjectRole](apis/resources/project_service_v2/zitadel-project-v-2-project-service-update-project-role.api.mdx) instead.
//
// Change a project role. The key is not editable. If a key should change, remove the role and create a new one.
rpc UpdateProjectRole(UpdateProjectRoleRequest) returns (UpdateProjectRoleResponse) {
@@ -3360,7 +3360,7 @@ service ManagementService {
// Remove Project Role
//
// Deprecated: use [project v2 service RemoveProjectRole](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-remove-project-role.api.mdx) instead.
// Deprecated: use [project v2 service RemoveProjectRole](apis/resources/project_service_v2/zitadel-project-v-2-project-service-remove-project-role.api.mdx) instead.
//
// Removes the role from the project and on every resource it has a dependency. This includes project grants and user grants.
rpc RemoveProjectRole(RemoveProjectRoleRequest) returns (RemoveProjectRoleResponse) {
@@ -4129,7 +4129,7 @@ service ManagementService {
// Project Grant By ID
//
// Deprecated: use [ListProjectGrants](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-list-project-grants.api.mdx) instead.
// Deprecated: use [ListProjectGrants](apis/resources/project_service_v2/zitadel-project-v-2-project-service-list-project-grants.api.mdx) instead.
//
// Returns a project grant. A project grant is when the organization grants its project to another organization.
rpc GetProjectGrantByID(GetProjectGrantByIDRequest) returns (GetProjectGrantByIDResponse) {
@@ -4157,7 +4157,7 @@ service ManagementService {
// Search Project Grants from Project
//
// Deprecated: use [ListProjectGrants](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-list-project-grants.api.mdx) instead.
// Deprecated: use [ListProjectGrants](apis/resources/project_service_v2/zitadel-project-v-2-project-service-list-project-grants.api.mdx) instead.
//
// Returns a list of project grants for a specific project. A project grant is when the organization grants its project to another organization.
rpc ListProjectGrants(ListProjectGrantsRequest) returns (ListProjectGrantsResponse) {
@@ -4187,7 +4187,7 @@ service ManagementService {
// Search Project Grants
//
// Deprecated: use [ListProjectGrants](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-list-project-grants.api.mdx) instead.
// Deprecated: use [ListProjectGrants](apis/resources/project_service_v2/zitadel-project-v-2-project-service-list-project-grants.api.mdx) instead.
//
// Returns a list of project grants. A project grant is when the organization grants its project to another organization.
rpc ListAllProjectGrants(ListAllProjectGrantsRequest) returns (ListAllProjectGrantsResponse) {
@@ -4216,7 +4216,7 @@ service ManagementService {
// Add Project Grant
//
// Deprecated: use [CreateProjectGrant](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-create-project-grant.api.mdx) instead.
// Deprecated: use [CreateProjectGrant](apis/resources/project_service_v2/zitadel-project-v-2-project-service-create-project-grant.api.mdx) instead.
//
// Grant a project to another organization. The project grant will allow the granted organization to access the project and manage the authorizations for its users. Project Grant will be listed in the granted project of the granted organization.
rpc AddProjectGrant(AddProjectGrantRequest) returns (AddProjectGrantResponse) {
@@ -4245,7 +4245,7 @@ service ManagementService {
// Change Project Grant
//
// Deprecated: use [UpdateProjectGrant](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-update-project-grant.api.mdx) instead.
// Deprecated: use [UpdateProjectGrant](apis/resources/project_service_v2/zitadel-project-v-2-project-service-update-project-grant.api.mdx) instead.
//
// Change the roles of the project that is granted to another organization. The project grant will allow the granted organization to access the project and manage the authorizations for its users. Project Grant will be listed in the granted project of the granted organization.
rpc UpdateProjectGrant(UpdateProjectGrantRequest) returns (UpdateProjectGrantResponse) {
@@ -4274,7 +4274,7 @@ service ManagementService {
// Deactivate Project Grant
//
// Deprecated: use [DeactivateProjectGrant](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-deactivate-project-grant.api.mdx) instead.
// Deprecated: use [DeactivateProjectGrant](apis/resources/project_service_v2/zitadel-project-v-2-project-service-deactivate-project-grant.api.mdx) instead.
//
// Set the state of the project grant to deactivated. The grant has to be active to be able to deactivate.
rpc DeactivateProjectGrant(DeactivateProjectGrantRequest) returns (DeactivateProjectGrantResponse) {
@@ -4303,7 +4303,7 @@ service ManagementService {
// Reactivate Project Grant
//
// Deprecated: use [ActivateProjectGrant](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-activate-project-grant.api.mdx) instead.
// Deprecated: use [ActivateProjectGrant](apis/resources/project_service_v2/zitadel-project-v-2-project-service-activate-project-grant.api.mdx) instead.
//
// Set the state of the project grant to active. The grant has to be deactivated to be able to reactivate.
rpc ReactivateProjectGrant(ReactivateProjectGrantRequest) returns (ReactivateProjectGrantResponse) {
@@ -4332,7 +4332,7 @@ service ManagementService {
// Remove Project Grant
//
// Deprecated: use [DeleteProjectGrant](apis/resources/project_service_v2/zitadel-project-v-2-beta-project-service-delete-project-grant.api.mdx) instead.
// Deprecated: use [DeleteProjectGrant](apis/resources/project_service_v2/zitadel-project-v-2-project-service-delete-project-grant.api.mdx) instead.
//
// Remove a project grant. All user grants for this project grant will also be removed. A user will not have access to the project afterward (if permissions are checked).
rpc RemoveProjectGrant(RemoveProjectGrantRequest) returns (RemoveProjectGrantResponse) {

901
proto/zitadel/project/v2/project_service.proto Normal file
View File

@@ -0,0 +1,901 @@
syntax = "proto3";
package zitadel.project.v2;
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/project/v2/query.proto";
import "google/protobuf/timestamp.proto";
import "zitadel/filter/v2/filter.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/project/v2;project";
// Service to manage projects.
service ProjectService {
// Create Project
//
// Create a new project. A project is a vessel to group applications, roles and
// authorizations. Every project belongs to exactly one organization, but
// can be granted to other organizations for self-management of their authorizations.
//
// Required permission:
// - `project.create`
rpc CreateProject (CreateProjectRequest) returns (CreateProjectResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Update Project
//
// Update an existing project.
//
// Required permission:
// - `project.write`
rpc UpdateProject (UpdateProjectRequest) returns (UpdateProjectResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Delete Project
//
// Delete an existing project.
// In case the project is not found, the request will return a successful response as
// the desired state is already achieved.
//
// Required permission:
// - `project.delete`
rpc DeleteProject (DeleteProjectRequest) returns (DeleteProjectResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Get Project
//
// Returns the project identified by the requested ID.
//
// Required permission:
// - `project.read`
rpc GetProject (GetProjectRequest) returns (GetProjectResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "project.read"
}
};
}
// List Projects
//
// List all matching projects. By default all projects of the instance that the caller
// has permission to read are returned.
// Make sure to include a limit and sorting for pagination.
//
// Required permission:
// - `project.read`
rpc ListProjects (ListProjectsRequest) returns (ListProjectsResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "project.read"
}
};
}
// Deactivate Project
//
// Set the state of a project to deactivated. Request returns no error if the project is already deactivated.
// Applications under deactivated projects are not able to login anymore.
//
// Required permission:
// - `project.write`
rpc DeactivateProject (DeactivateProjectRequest) returns (DeactivateProjectResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Activate Project
//
// Set the state of a project to active. Request returns no error if the project is already activated.
//
// Required permission:
// - `project.write`
rpc ActivateProject (ActivateProjectRequest) returns (ActivateProjectResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Add Project Role
//
// Add a new project role to a project. The key must be unique within the project.
//
// Required permission:
// - `project.role.write`
rpc AddProjectRole (AddProjectRoleRequest) returns (AddProjectRoleResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Update Project Role
//
// Change a project role. The key is not editable. If a key should change, remove the role and create a new one.
//
// Required permission:
// - `project.role.write`
rpc UpdateProjectRole (UpdateProjectRoleRequest) returns (UpdateProjectRoleResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Remove Project Role
//
// Removes the role from the project and on every resource it has a dependency.
// This includes project grants and user grants.
//
// Required permission:
// - `project.role.write`
rpc RemoveProjectRole (RemoveProjectRoleRequest) returns (RemoveProjectRoleResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// List Project Roles
//
// Returns all roles of a project matching the search query.
//
// Required permission:
// - `project.role.read`
rpc ListProjectRoles (ListProjectRolesRequest) returns (ListProjectRolesResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "project.role.read"
}
};
}
// Create Project Grant
//
// Grant a project to another organization.
// The project grant will allow the granted organization to access the project and manage
// the authorizations for its users.
//
// Required permission:
// - `project.grant.create`
rpc CreateProjectGrant (CreateProjectGrantRequest) returns (CreateProjectGrantResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Update Project Grant
//
// Change the roles of the project that is granted to another organization.
// The project grant will allow the granted organization to access the project and manage
// the authorizations for its users.
//
// Required permission:
// - `project.grant.write`
rpc UpdateProjectGrant (UpdateProjectGrantRequest) returns (UpdateProjectGrantResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Delete Project Grant
//
// Delete a project grant. All user grants for this project grant will also be removed.
// A user will not have access to the project afterward (if permissions are checked).
// In case the project grant is not found, the request will return a successful response as
// the desired state is already achieved.
//
// Required permission:
// - `project.grant.delete`
rpc DeleteProjectGrant (DeleteProjectGrantRequest) returns (DeleteProjectGrantResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Deactivate Project Grant
//
// Set the state of the project grant to deactivated.
// Applications under deactivated projects grants are not able to login anymore.
//
// Required permission:
// - `project.grant.write`
rpc DeactivateProjectGrant(DeactivateProjectGrantRequest) returns (DeactivateProjectGrantResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Activate Project Grant
//
// Set the state of the project grant to activated.
//
// Required permission:
// - `project.grant.write`
rpc ActivateProjectGrant(ActivateProjectGrantRequest) returns (ActivateProjectGrantResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// List Project Grants
//
// Returns a list of project grants. A project grant is when the organization grants its project
// to another organization.
//
// Required permission:
// - `project.grant.read`
rpc ListProjectGrants(ListProjectGrantsRequest) returns (ListProjectGrantsResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "project.grant.read"
}
};
}
}
message CreateProjectRequest {
// OrganizationID is the unique identifier of the organization the project belongs to.
string organization_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
// ProjectID is the unique identifier of the new project. This field is optional.
// If omitted, the system will generate a unique ID for you. This is the
// recommended way. The generated ID will be returned in the response.
optional string project_id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
// Name of the project. This might be presented to users, e.g. in sign-in flows.
string name = 3 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"MyProject\"";
}
];
// ProjectRoleAssertion is a setting that can be enabled to have role information
// included in the user info endpoint.
// It is also dependent on your application settings to include it in tokens and other types.
bool project_role_assertion = 4;
// AuthorizationRequired is a boolean flag that can be enabled to check if a user has
// an authorization to use this project assigned when login into an application of this project.
bool authorization_required = 5;
// ProjectAccessRequired is a boolean flag that can be enabled to check if the organization
// of the user, that is trying to log in,
// has access to this project (either owns the project or is granted).
bool project_access_required = 6;
// PrivateLabelingSetting is a setting that defines which private labeling/branding should
// trigger when getting to a login of this project.
PrivateLabelingSetting private_labeling_setting = 7 [
(validate.rules).enum = {defined_only: true}
];
}
message CreateProjectResponse {
// ProjectID is the unique identifier of the newly created project.
string project_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// CreationDate is the timestamp of the project creation.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}
message UpdateProjectRequest {
// ProjectID is the unique identifier of the project to be updated.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
// Name is used to update the name of the project. This field is optional.
// If omitted, the name will remain unchanged.
optional string name = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"MyProject-Updated\"";
}
];
// ProjectRoleAssertion is a setting that can be enabled to have role information
// included in the user info endpoint.
// It is also dependent on your application settings to include it in tokens and other types.
// If omitted, the setting will remain unchanged.
optional bool project_role_assertion = 3;
// AuthorizationRequired is a boolean flag that can be enabled to check if a user has
// a role of this project assigned when logging into an application of this project.
// If omitted, the setting will remain unchanged.
optional bool authorization_required = 4;
// ProjectAccessRequired is a boolean flag that can be enabled to check if the organization
// of the user has a grant to this project.
// If omitted, the setting will remain unchanged.
optional bool project_access_required = 5;
// PrivateLabelingSetting is a setting that defines which private labeling/branding should
// trigger when getting to a login of this project.
// If omitted, the setting will remain unchanged.
optional PrivateLabelingSetting private_labeling_setting = 6 [
(validate.rules).enum = {defined_only: true}
];
}
message UpdateProjectResponse {
// ChangeDate is the timestamp of the change of the project.
google.protobuf.Timestamp change_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message DeleteProjectRequest {
// ProjectID is the unique identifier of the project to be deleted.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message DeleteProjectResponse {
// DeletionDate is the timestamp of the deletion of the project.
// Note that the deletion date is only guaranteed to be set if the deletion was successful during the request.
// In case the deletion occurred in a previous request, the deletion date might be empty.
google.protobuf.Timestamp deletion_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message GetProjectRequest {
// ProjectID is the unique identifier of the project to be retrieved.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message GetProjectResponse {
// Project is the project that matches the project ID used in the request.
Project project = 1;
}
message ListProjectsRequest {
// Pagination can be used to list limitations and ordering.
optional zitadel.filter.v2.PaginationRequest pagination = 1;
// SortingColumn is the field the result is sorted by. The default is the creation date.
// Beware that if you change this, your result pagination might be inconsistent.
optional ProjectFieldName sorting_column = 2;
// Filters define the criteria to query for.
repeated ProjectSearchFilter filters = 3;
}
message ListProjectsResponse {
// Pagination contains the total number of projects matching the query and the applied limit.
zitadel.filter.v2.PaginationResponse pagination = 1;
// Projects is a list of projects matching the query.
repeated Project projects = 2;
}
message DeactivateProjectRequest {
// ProjectID is the unique identifier of the project.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message DeactivateProjectResponse {
// ChangeDate is the timestamp of the change of the project.
google.protobuf.Timestamp change_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message ActivateProjectRequest {
// ProjectID is the unique identifier of the project.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message ActivateProjectResponse {
// ChangeDate is the timestamp of the change of the project.
google.protobuf.Timestamp change_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message AddProjectRoleRequest {
// ProjectID is the unique identifier of the project.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"69629026806489455\"";
}
];
// RoleKey identifies the role. It's the only relevant attribute for ZITADEL and
// will be used for authorization checks and as claim in tokens and user info responses.
string role_key = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"ADMIN\"";
}
];
// DisplayName is a human readable name for the role, which might be displayed to users.
string display_name = 3 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"Administrator\"";
}
];
// Group allows grouping roles for display purposes. Zitadel will not handle it in any way.
// It can be used to group roles in a UI to allow easier management for administrators.
// This attribute is not to be confused with groups as a collection of users.
optional string group = 4 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"Admins\"";
}
];
}
message AddProjectRoleResponse {
// CreationDate is the timestamp of the project role creation.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}
message UpdateProjectRoleRequest {
// ProjectID is the unique identifier of the project.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"69629026806489455\"";
}
];
// RoleKey identifies the role. It's the only relevant attribute for ZITADEL and
// will be used for authorization checks and as claim in tokens and user info responses.
// It cannot be changed. If you need a different key, remove the role and create a new one.
string role_key = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"ADMIN\"";
}
];
// DisplayName is the human readable name for the role, which might be displayed to users.
// If omitted, the name will remain unchanged.
optional string display_name = 3 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"Administrator\"";
}
];
// Group allows grouping roles for display purposes. Zitadel will not handle it in any way.
// It can be used to group roles in a UI to allow easier management for administrators.
// If omitted, the group will remain unchanged.
// This attribute is not to be confused with groups as a collection of users.
optional string group = 4 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"Admins\"";
}
];
}
message UpdateProjectRoleResponse {
// ChangeDate is the timestamp of the change of the project role.
google.protobuf.Timestamp change_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message RemoveProjectRoleRequest {
// ProjectID is the unique identifier of the project.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"69629026806489455\"";
}
];
// RoleKey is the key of the role to be removed.
// All dependencies of this role will be removed as well, including project grants and user grants.
// If the role is not found, the request will return a successful response as the desired state is already achieved.
string role_key = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"ADMIN\"";
}
];
}
message RemoveProjectRoleResponse {
// RemovalDate is the timestamp of the removal of the project role.
// Note that the removal date is only guaranteed to be set if the removal was successful during the request.
// In case the removal occurred in a previous request, the removal date might be empty.
google.protobuf.Timestamp removal_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message ListProjectRolesRequest {
// ProjectID is the unique identifier of the project.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"69629026806489455\"";
}
];
// Pagination can be used to list limitations and ordering.
optional zitadel.filter.v2.PaginationRequest pagination = 2;
// SortingColumn is the field the result is sorted by. The default is the creation date.
// Beware that if you change this, your result pagination might be inconsistent.
optional ProjectRoleFieldName sorting_column = 3;
// Filters define the criteria to query for.
repeated ProjectRoleSearchFilter filters = 4;
}
message ListProjectRolesResponse {
// Pagination contains the total number of project roles matching the query and the applied limit.
zitadel.filter.v2.PaginationResponse pagination = 1;
// ProjectRoles is a list of roles matching the query.
repeated ProjectRole project_roles = 2;
}
message CreateProjectGrantRequest {
// ProjectID is the unique identifier of the project.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"69629026806489455\"";
}
];
// GrantedOrganizationID is the unique identifier of the organization the project will be granted to.
string granted_organization_id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"28746028909593987\""
}
];
// RoleKeys is a list of roles to be granted to the organization for self management.
// The roles are identified by their keys.
repeated string role_keys = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"RoleKey1\", \"RoleKey2\"]";
}
];
}
message CreateProjectGrantResponse {
// CreationDate is the timestamp of the project grant creation.
google.protobuf.Timestamp creation_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}
message UpdateProjectGrantRequest {
// ProjectID is the unique identifier of the project.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"69629026806489455\"";
}
];
// GrantedOrganizationID is the unique identifier of the organization the project was granted to.
string granted_organization_id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"28746028909593987\""
}
];
// RoleKeys is a list of roles to be granted to the organization for self management.
// The roles are identified by their keys.
// Any roles not included in this list will be removed from the project grant.
// If you want to add a role, make sure to include all other existing roles as well.
// If any previous role is removed, all user grants for this project grant with this role will be removed as well.
repeated string role_keys = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"RoleKey1\", \"RoleKey2\"]";
}
];
}
message UpdateProjectGrantResponse {
// ChangeDate is the timestamp of the change of the project grant.
google.protobuf.Timestamp change_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message DeleteProjectGrantRequest {
// ProjectID is the unique identifier of the project.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"69629026806489455\"";
}
];
// GrantedOrganizationID is the unique identifier of the organization the project was granted to.
string granted_organization_id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"28746028909593987\""
}
];
}
message DeleteProjectGrantResponse {
// DeletionDate is the timestamp of the deletion of the project grant.
// Note that the deletion date is only guaranteed to be set if the deletion was successful during the request.
// In case the deletion occurred in a previous request, the deletion date might be empty.
google.protobuf.Timestamp deletion_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message DeactivateProjectGrantRequest {
// ProjectID is the unique identifier of the project.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"69629026806489455\"";
}
];
// GrantedOrganizationID is the unique identifier of the organization the project was granted to.
string granted_organization_id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"28746028909593987\""
}
];
}
message DeactivateProjectGrantResponse {
// ChangeDate is the timestamp of the change of the project grant.
google.protobuf.Timestamp change_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message ActivateProjectGrantRequest {
// ProjectID is the unique identifier of the project.
string project_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"69629026806489455\"";
}
];
// GrantedOrganizationID is the unique identifier of the organization the project was granted to.
string granted_organization_id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"28746028909593987\""
}
];
}
message ActivateProjectGrantResponse {
// ChangeDate is the timestamp of the change of the project grant.
google.protobuf.Timestamp change_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message ListProjectGrantsRequest {
// Pagination can be used to list limitations and ordering.
optional zitadel.filter.v2.PaginationRequest pagination = 1;
// SortingColumn is the field the result is sorted by. The default is the creation date.
// Beware that if you change this, your result pagination might be inconsistent.
optional ProjectGrantFieldName sorting_column = 2;
// Filters define the criteria to query for.
repeated ProjectGrantSearchFilter filters = 3;
}
message ListProjectGrantsResponse {
// Pagination contains the total number of project grants matching the query and the applied limit.
zitadel.filter.v2.PaginationResponse pagination = 1;
// ProjectGrants is a list of project grants matching the query.
repeated ProjectGrant project_grants = 2;
}

265
proto/zitadel/project/v2/query.proto Normal file
View File

@@ -0,0 +1,265 @@
syntax = "proto3";
package zitadel.project.v2;
import "google/api/field_behavior.proto";
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/filter/v2/filter.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/project/v2;project";
message ProjectGrant {
// The unique identifier of the organization which granted the project to the granted_organization_id.
string organization_id = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"69629012906488334\""}];
// The timestamp of the granted project creation.
google.protobuf.Timestamp creation_date = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"2024-12-18T07:50:47.492Z\""}];
// The timestamp of the last change to the granted project (e.g. creation, activation, deactivation).
google.protobuf.Timestamp change_date = 3 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"2025-01-23T10:34:18.051Z\""}];
// The ID of the organization the project is granted to.
string granted_organization_id = 4 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"69629023906488334\""}];
// The name of the organization the project is granted to.
string granted_organization_name = 5 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"Some Organization\""}];
// The roles granted to the organization for self-management of the project.
repeated string granted_role_keys = 6 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "[\"role.super.man\"]"}];
// The ID of the granted project.
string project_id = 7 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"69629023906488334\""}];
// The name of the granted project.
string project_name = 8 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"ZITADEL\""}];
// Describes the current state of the granted project.
ProjectGrantState state = 9;
}
enum ProjectGrantState {
PROJECT_GRANT_STATE_UNSPECIFIED = 0;
PROJECT_GRANT_STATE_ACTIVE = 1;
PROJECT_GRANT_STATE_INACTIVE = 2;
}
message Project {
// ProjectID is the unique identifier of the project.
string project_id = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"69629012906488334\""}];
// OrganizationID is the unique identifier of the organization the project belongs to.
string organization_id = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"69629012906488334\""}];
// CreationDate is the timestamp of the project creation.
google.protobuf.Timestamp creation_date = 3 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"2024-12-18T07:50:47.492Z\""}];
// ChangeDate is the timestamp of the last change to the project (e.g. creation, activation, deactivation).
google.protobuf.Timestamp change_date = 4 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"2025-01-23T10:34:18.051Z\""}];
// Name is the name of the project. This might be presented to users, e.g. in sign-in flows.
string name = 5 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"ip_allow_list\""}];
// State describes the current state of the project.
ProjectState state = 6;
// ProjectRoleAssertion is a boolean flag that describes if the roles of the user should be added to the token.
bool project_role_assertion = 7;
// AuthorizationRequired is a boolean flag that can be enabled to check if a user has
// an authorization to use this project assigned when login into an application of this project.
bool authorization_required = 8;
// ProjectAccessRequired is a boolean flag that can be enabled to check if the organization of the user,
// that is trying to log in, has access to this project (either owns the project or is granted).
bool project_access_required = 9;
// PrivateLabelingSetting defines from where the private labeling should be triggered.
PrivateLabelingSetting private_labeling_setting = 10;
// GrantedOrganizationID is the ID of the organization the project is granted to.
// In case the project is not granted, this field is unset.
optional string granted_organization_id = 12 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"69629023906488334\""}];
// GrantedOrganizationName is the name of the organization the project is granted to.
// In case the project is not granted, this field is unset.
optional string granted_organization_name = 13 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"Some Organization\""}];
// GrantedProjectState describes the current state of the granted project.
// In case the project is not granted, this field is set to GrantedProjectState.GRANTED_PROJECT_STATE_UNSPECIFIED.
GrantedProjectState granted_state = 14;
}
enum ProjectState {
PROJECT_STATE_UNSPECIFIED = 0;
PROJECT_STATE_ACTIVE = 1;
PROJECT_STATE_INACTIVE = 2;
}
enum GrantedProjectState {
GRANTED_PROJECT_STATE_UNSPECIFIED = 0;
GRANTED_PROJECT_STATE_ACTIVE = 1;
GRANTED_PROJECT_STATE_INACTIVE = 2;
}
enum PrivateLabelingSetting {
PRIVATE_LABELING_SETTING_UNSPECIFIED = 0;
PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY = 1;
PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY = 2;
}
enum ProjectFieldName {
PROJECT_FIELD_NAME_UNSPECIFIED = 0;
PROJECT_FIELD_NAME_ID = 1;
PROJECT_FIELD_NAME_CREATION_DATE = 2;
PROJECT_FIELD_NAME_CHANGE_DATE = 3;
PROJECT_FIELD_NAME_NAME = 4;
}
enum ProjectGrantFieldName {
PROJECT_GRANT_FIELD_NAME_UNSPECIFIED = 0;
PROJECT_GRANT_FIELD_NAME_PROJECT_ID = 1;
PROJECT_GRANT_FIELD_NAME_CREATION_DATE = 2;
PROJECT_GRANT_FIELD_NAME_CHANGE_DATE = 3;
}
enum ProjectRoleFieldName {
PROJECT_ROLE_FIELD_NAME_UNSPECIFIED = 0;
PROJECT_ROLE_FIELD_NAME_KEY = 1;
PROJECT_ROLE_FIELD_NAME_CREATION_DATE = 2;
PROJECT_ROLE_FIELD_NAME_CHANGE_DATE = 3;
}
message ProjectSearchFilter {
oneof filter {
option (validate.required) = true;
// Filter for projects with a specific name.
ProjectNameFilter project_name_filter = 1;
// Filter for projects with a specific ID.
zitadel.filter.v2.InIDsFilter in_project_ids_filter = 2;
// Filter for projects that are owned by or granted to a specific organization.
// You can specify whether to search for owned, granted or both types of projects.
ProjectOrganizationIDFilter organization_id_filter = 3;
}
}
message ProjectNameFilter {
// Defines the name of the project to query for.
string project_name = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200
example: "\"ip_allow_list\""
}
];
// Defines which text comparison method used for the name query.
zitadel.filter.v2.TextFilterMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message ProjectOrganizationIDFilter {
// OrganizationID Is the ID of the organization to query for.
string organization_id = 1 [
(validate.rules).string = {max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"69629012906488334\""}
];
enum Type {
TYPE_UNSPECIFIED = 0;
// Filter for projects that are owned by the organization.
OWNED = 1;
// Filter for projects that are granted to the organization.
GRANTED = 2;
// Filter for projects that are either owned by or granted to the organization.
OWNED_OR_GRANTED = 3;
}
// Defines whether to filter for owned, granted or both types of projects.
// If not specified, defaults to OWNED_OR_GRANTED and will return both owned and granted projects.
Type type = 2 [
(validate.rules).enum = {defined_only: true}
];
}
message ProjectGrantSearchFilter {
oneof filter {
option (validate.required) = true;
// Filter for project grants with a specific project name.
ProjectNameFilter project_name_filter = 1;
// Filter for project grants where a specific role is granted.
ProjectRoleKeyFilter role_key_filter = 2;
// Filter for project grants of a specific project ID.
zitadel.filter.v2.InIDsFilter in_project_ids_filter = 3;
// Filter for project grants that were granted from a specific organization.
zitadel.filter.v2.IDFilter organization_id_filter = 4;
// Filter for project grants that were granted to a specific organization.
zitadel.filter.v2.IDFilter granted_organization_id_filter = 5;
}
}
message ProjectRole {
// ProjectID is the ID of the project the role belongs to.
string project_id = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"69629026806489455\""}];
// Key of the project role. The key identifies the role. It's the only relevant attribute for ZITADEL and
// will be used for authorization checks and as claim in tokens and user info responses.
string key = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"role.super.man\""}];
// CreationDate is the timestamp of the project role creation.
google.protobuf.Timestamp creation_date = 3 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"2024-12-18T07:50:47.492Z\""}];
// ChangeDate is the timestamp of the last change to the project role.
google.protobuf.Timestamp change_date = 4 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"2025-01-23T10:34:18.051Z\""}];
// DisplayName is a human readable name for the role, which might be displayed to users.
string display_name = 5 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"Super man\""}];
// Group allows grouping roles for display purposes. Zitadel will not handle it in any way.
// It can be used to group roles in a UI to allow easier management for administrators.
// This attribute is not to be confused with groups as a collection of users.
string group = 6 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"people\""}];
}
message ProjectRoleSearchFilter {
oneof filter {
option (validate.required) = true;
// Filter for project roles with a specific key.
ProjectRoleKeyFilter role_key_filter = 1;
// Filter for project roles with a specific display name.
ProjectRoleDisplayNameFilter display_name_filter = 2;
}
}
message ProjectRoleKeyFilter {
// The key of the project role to query for.
string key = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"role.super.man\""}
];
// Defines which text comparison method used for the key query.
zitadel.filter.v2.TextFilterMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message ProjectRoleDisplayNameFilter {
// The display name of the project role to query for.
string display_name = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"SUPER\""}
];
// Defines which text comparison method used for the name query.
zitadel.filter.v2.TextFilterMethod method = 2 [(validate.rules).enum.defined_only = true];
}

53
proto/zitadel/project/v2beta/project_service.proto
View File

@@ -106,10 +106,14 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
};
// Service to manage projects.
//
// Deprecated: use project service v2 instead. This service will be removed in the next major version of ZITADEL.
service ProjectService {
// Create Project
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Create a new Project.
//
// Required permission:
@@ -127,6 +131,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -144,6 +149,8 @@ service ProjectService {
// Update Project
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Update an existing project.
//
// Required permission:
@@ -161,6 +168,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -178,6 +186,8 @@ service ProjectService {
// Delete Project
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Delete an existing project.
// In case the project is not found, the request will return a successful response as
// the desired state is already achieved.
@@ -196,6 +206,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -207,6 +218,8 @@ service ProjectService {
// Get Project
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Returns the project identified by the requested ID.
//
// Required permission:
@@ -223,6 +236,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200"
value: {
@@ -240,6 +254,8 @@ service ProjectService {
// List Projects
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// List all matching projects. By default all projects of the instance that the caller has permission to read are returned.
// Make sure to include a limit and sorting for pagination.
//
@@ -258,6 +274,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -275,6 +292,8 @@ service ProjectService {
// Deactivate Project
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Set the state of a project to deactivated. Request returns no error if the project is already deactivated.
// Applications under deactivated projects are not able to login anymore.
//
@@ -293,6 +312,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -310,6 +330,8 @@ service ProjectService {
// Activate Project
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Set the state of a project to active. Request returns no error if the project is already activated.
//
// Required permission:
@@ -327,6 +349,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -344,6 +367,8 @@ service ProjectService {
// Add Project Role
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Add a new project role to a project. The key must be unique within the project.
//
// Required permission:
@@ -361,6 +386,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -378,6 +404,8 @@ service ProjectService {
// Update Project Role
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Change a project role. The key is not editable. If a key should change, remove the role and create a new one.
//
// Required permission:
@@ -395,6 +423,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -412,6 +441,8 @@ service ProjectService {
// Remove Project Role
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Removes the role from the project and on every resource it has a dependency. This includes project grants and user grants.
//
// Required permission:
@@ -428,6 +459,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -445,6 +477,8 @@ service ProjectService {
// List Project Roles
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Returns all roles of a project matching the search query.
//
// Required permission:
@@ -461,6 +495,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -478,6 +513,8 @@ service ProjectService {
// Create Project Grant
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Grant a project to another organization.
// The project grant will allow the granted organization to access the project and manage the authorizations for its users.
//
@@ -496,6 +533,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -513,6 +551,8 @@ service ProjectService {
// Update Project Grant
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Change the roles of the project that is granted to another organization.
// The project grant will allow the granted organization to access the project and manage the authorizations for its users.
//
@@ -531,6 +571,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -548,6 +589,8 @@ service ProjectService {
// Delete Project Grant
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Delete a project grant. All user grants for this project grant will also be removed.
// A user will not have access to the project afterward (if permissions are checked).
// In case the project grant is not found, the request will return a successful response as
@@ -567,6 +610,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -578,6 +622,8 @@ service ProjectService {
// Deactivate Project Grant
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Set the state of the project grant to deactivated.
// Applications under deactivated projects grants are not able to login anymore.
//
@@ -596,6 +642,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -607,6 +654,8 @@ service ProjectService {
// Activate Project Grant
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Set the state of the project grant to activated.
//
// Required permission:
@@ -624,6 +673,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {
@@ -635,6 +685,8 @@ service ProjectService {
// List Project Grants
//
// Deprecated: please move to the corresponding endpoint under project service v2. This endpoint will be removed with the next major version of ZITADEL.
//
// Returns a list of project grants. A project grant is when the organization grants its project to another organization.
//
// Required permission:
@@ -652,6 +704,7 @@ service ProjectService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200";
value: {