fix(app): move queries to query package (#2612)

* fix: move queries to query package

* fix(auth): switch project role requests to query pkg

* refactor: delete unused project role code

* remove repo

* implement sql queries

* fix(database): change oidc config type to int2

* fix(queries): implement app queries

* refactor: simplify code

* fix: correct app query

* Update app.go

* fix token check

* fix mock

* test: app prepares

* test: oidc compliance

* test: OIDCOriginAllowList

* fix: converter

* resolve unsupported oidc version

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Silvan
2021-11-26 07:57:05 +01:00
parent a9035def0f
commit 3473156c7e
39 changed files with 3150 additions and 1066 deletions


@@ -15,7 +15,7 @@ type testVerifier struct {
memberships []*Membership
}
func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, string, string, error) {
func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID, projectID string) (string, string, string, string, string, error) {
return "userID", "agentID", "clientID", "de", "orgID", nil
}
func (v *testVerifier) SearchMyMemberships(ctx context.Context) ([]*Membership, error) {
@@ -30,8 +30,8 @@ func (v *testVerifier) ExistsOrg(ctx context.Context, orgID string) error {
return nil
}
func (v *testVerifier) VerifierClientID(ctx context.Context, appName string) (string, error) {
return "clientID", nil
func (v *testVerifier) VerifierClientID(ctx context.Context, appName string) (string, string, error) {
return "clientID", "projectID", nil
}
func (v *testVerifier) CheckOrgFeatures(context.Context, string, ...string) error {
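Review bot: The stub VerifyAccessToken accepts the new projectID parameter but discards it, so the tests in this file cannot assert that TokenVerifier forwards the project ID obtained from VerifierClientID to the repository — the plumbing this commit adds stays unasserted. Consider recording what the stub receives, e.g. `v.gotProjectID = projectID` before the return in VerifyAccessToken, and checking that it equals `"projectID"` in the VerifyAccessToken test. The testVerifier struct definition begins outside the hunk, so the recording field would be added there.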


@@ -20,8 +20,8 @@ type TokenVerifier struct {
}
type authZRepo interface {
VerifyAccessToken(ctx context.Context, token, verifierClientID string) (userID, agentID, clientID, prefLang, resourceOwner string, err error)
VerifierClientID(ctx context.Context, name string) (clientID string, err error)
VerifyAccessToken(ctx context.Context, token, verifierClientID, projectID string) (userID, agentID, clientID, prefLang, resourceOwner string, err error)
VerifierClientID(ctx context.Context, name string) (clientID, projectID string, err error)
SearchMyMemberships(ctx context.Context) ([]*Membership, error)
ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error)
ExistsOrg(ctx context.Context, orgID string) error
@@ -33,17 +33,18 @@ func Start(authZRepo authZRepo) (v *TokenVerifier) {
}
func (v *TokenVerifier) VerifyAccessToken(ctx context.Context, token string, method string) (userID, clientID, agentID, prefLang, resourceOwner string, err error) {
verifierClientID, err := v.clientIDFromMethod(ctx, method)
verifierClientID, projectID, err := v.clientIDAndProjectIDFromMethod(ctx, method)
if err != nil {
return "", "", "", "", "", err
}
userID, agentID, clientID, prefLang, resourceOwner, err = v.authZRepo.VerifyAccessToken(ctx, token, verifierClientID)
userID, agentID, clientID, prefLang, resourceOwner, err = v.authZRepo.VerifyAccessToken(ctx, token, verifierClientID, projectID)
return userID, clientID, agentID, prefLang, resourceOwner, err
}
type client struct {
id string
name string
id string
projectID string
name string
}
func (v *TokenVerifier) RegisterServer(appName, methodPrefix string, mappings MethodMapping) {
@@ -64,28 +65,28 @@ func prefixFromMethod(method string) (string, bool) {
return parts[1], true
}
func (v *TokenVerifier) clientIDFromMethod(ctx context.Context, method string) (_ string, err error) {
func (v *TokenVerifier) clientIDAndProjectIDFromMethod(ctx context.Context, method string) (clientID, projectID string, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
prefix, ok := prefixFromMethod(method)
if !ok {
return "", caos_errs.ThrowPermissionDenied(nil, "AUTHZ-GRD2Q", "Errors.Internal")
return "", "", caos_errs.ThrowPermissionDenied(nil, "AUTHZ-GRD2Q", "Errors.Internal")
}
app, ok := v.clients.Load(prefix)
if !ok {
return "", caos_errs.ThrowPermissionDenied(nil, "AUTHZ-G2qrh", "Errors.Internal")
return "", "", caos_errs.ThrowPermissionDenied(nil, "AUTHZ-G2qrh", "Errors.Internal")
}
c := app.(*client)
if c.id != "" {
return c.id, nil
return c.id, c.projectID, nil
}
c.id, err = v.authZRepo.VerifierClientID(ctx, c.name)
c.id, c.projectID, err = v.authZRepo.VerifierClientID(ctx, c.name)
if err != nil {
return "", caos_errs.ThrowPermissionDenied(err, "AUTHZ-ptTIF2", "Errors.Internal")
return "", "", caos_errs.ThrowPermissionDenied(err, "AUTHZ-ptTIF2", "Errors.Internal")
}
v.clients.Store(prefix, c)
return c.id, nil
return c.id, c.projectID, nil
}
func (v *TokenVerifier) SearchMyMemberships(ctx context.Context) (_ []*Membership, err error) {
ctx, span := tracing.NewSpan(ctx)
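Review bot: In clientIDAndProjectIDFromMethod the *client loaded from v.clients is mutated in place by `c.id, c.projectID, err = v.authZRepo.VerifierClientID(ctx, c.name)` with no synchronization, while the fast path checks only `c.id != ""`; v.clients looks like a sync.Map (Load/Store plus the type assertion), which protects the map but not the fields of the stored pointer. Two concurrent first requests for the same method prefix therefore race, and a reader can observe a non-empty id with projectID still empty and hand an empty project ID to VerifyAccessToken — before this commit the race only touched id, the second field widens it; whether an empty projectID fails closed depends on authZRepo.VerifyAccessToken, which is not visible here. Resolving into locals and storing a fresh value avoids the partial state: `id, pid, err := v.authZRepo.VerifierClientID(ctx, c.name)`, then after the error check `v.clients.Store(prefix, &client{id: id, projectID: pid, name: c.name})` and `return id, pid, nil`.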