fix(app): move queries to query package (#2612)

* fix: move queries to query package

* fix(auth): switch project role requests to query pkg

* refactor: delete unused project role code

* remove repo

* implement sql queries

* fix(database): oidc config change type to int2

* fix(queries): implement app queries

* refactor: simplify code

* fix: correct app query

* Update app.go

* fix token check

* fix mock

* test: app prepares

* test: oidc compliance

* test: OIDCOriginAllowList

* fix: converter

* resolve unsupported oidc version

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

internal/authz/repository/eventsourcing/eventstore/token_verifier.go

@@ -66,7 +66,7 @@ func (repo *TokenVerifierRepo) TokenByID(ctx context.Context, tokenID, userID st
 	return model.TokenViewToModel(token), nil
 }
 
-func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, verifierClientID string) (userID string, agentID string, clientID, prefLang, resourceOwner string, err error) {
+func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, verifierClientID, projectID string) (userID string, agentID string, clientID, prefLang, resourceOwner string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 	tokenData, err := base64.RawURLEncoding.DecodeString(tokenString)
@@ -90,10 +90,6 @@ func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenStrin
 		return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-k9KS0", "invalid token")
 	}
 
-	projectID, _, err := repo.ProjectIDAndOriginsByClientID(ctx, verifierClientID)
-	if err != nil {
-		return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-5M9so", "invalid token")
-	}
 	for _, aud := range token.Audience {
 		if verifierClientID == aud || projectID == aud {
 			return token.UserID, token.UserAgentID, token.ApplicationID, token.PreferredLanguage, token.ResourceOwner, nil
@@ -107,7 +103,7 @@ func (repo *TokenVerifierRepo) ProjectIDAndOriginsByClientID(ctx context.Context
 	if err != nil {
 		return "", nil, err
 	}
-	return app.ProjectID, app.OriginAllowList, nil
+	return app.ProjectID, app.OIDCConfig.AllowedOrigins, nil
 }
 
 func (repo *TokenVerifierRepo) CheckOrgFeatures(ctx context.Context, orgID string, requiredFeatures ...string) error {
@@ -237,19 +233,24 @@ func MissingFeatureErr(feature string) error {
 	return caos_errs.ThrowPermissionDeniedf(nil, "AUTH-Dvgsf", "missing feature %v", feature)
 }
 
-func (repo *TokenVerifierRepo) VerifierClientID(ctx context.Context, appName string) (_ string, err error) {
+func (repo *TokenVerifierRepo) VerifierClientID(ctx context.Context, appName string) (clientID, projectID string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
 	iam, err := repo.getIAMByID(ctx)
 	if err != nil {
-		return "", err
+		return "", "", err
 	}
 	app, err := repo.View.ApplicationByProjecIDAndAppName(ctx, iam.IAMProjectID, appName)
 	if err != nil {
-		return "", err
+		return "", "", err
 	}
-	return app.OIDCClientID, nil
+	if app.OIDCConfig != nil {
+		clientID = app.OIDCConfig.ClientID
+	} else if app.APIConfig != nil {
+		clientID = app.APIConfig.ClientID
+	}
+	return clientID, app.ProjectID, nil
 }
 
 func (r *TokenVerifierRepo) getUserEvents(ctx context.Context, userID string, sequence uint64) ([]*models.Event, error) {

internal/authz/repository/eventsourcing/handler/application.go

@@ -1,114 +0,0 @@
-package handler
-
-import (
-	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/eventstore/v1"
-
-	"github.com/caos/zitadel/internal/eventstore/v1/models"
-	"github.com/caos/zitadel/internal/eventstore/v1/query"
-	"github.com/caos/zitadel/internal/eventstore/v1/spooler"
-	es_model "github.com/caos/zitadel/internal/project/repository/eventsourcing/model"
-	"github.com/caos/zitadel/internal/project/repository/view"
-	view_model "github.com/caos/zitadel/internal/project/repository/view/model"
-)
-
-const (
-	applicationTable = "authz.applications"
-)
-
-type Application struct {
-	handler
-	subscription *v1.Subscription
-}
-
-func newApplication(handler handler) *Application {
-	h := &Application{
-		handler: handler,
-	}
-
-	h.subscribe()
-
-	return h
-}
-
-func (k *Application) subscribe() {
-	k.subscription = k.es.Subscribe(k.AggregateTypes()...)
-	go func() {
-		for event := range k.subscription.Events {
-			query.ReduceEvent(k, event)
-		}
-	}()
-}
-
-func (a *Application) ViewModel() string {
-	return applicationTable
-}
-
-func (p *Application) Subscription() *v1.Subscription {
-	return p.subscription
-}
-
-func (a *Application) AggregateTypes() []models.AggregateType {
-	return []models.AggregateType{es_model.ProjectAggregate}
-}
-
-func (a *Application) CurrentSequence() (uint64, error) {
-	sequence, err := a.view.GetLatestApplicationSequence()
-	if err != nil {
-		return 0, err
-	}
-	return sequence.CurrentSequence, nil
-}
-
-func (a *Application) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := a.view.GetLatestApplicationSequence()
-	if err != nil {
-		return nil, err
-	}
-	return view.ProjectQuery(sequence.CurrentSequence), nil
-}
-
-func (a *Application) Reduce(event *models.Event) (err error) {
-	app := new(view_model.ApplicationView)
-	switch event.Type {
-	case es_model.ApplicationAdded:
-		app.AppendEvent(event)
-	case es_model.ApplicationChanged,
-		es_model.OIDCConfigAdded,
-		es_model.OIDCConfigChanged,
-		es_model.APIConfigAdded,
-		es_model.APIConfigChanged,
-		es_model.ApplicationDeactivated,
-		es_model.ApplicationReactivated:
-		err := app.SetData(event)
-		if err != nil {
-			return err
-		}
-		app, err = a.view.ApplicationByID(event.AggregateID, app.ID)
-		if err != nil {
-			return err
-		}
-		app.AppendEvent(event)
-	case es_model.ApplicationRemoved:
-		err := app.SetData(event)
-		if err != nil {
-			return err
-		}
-		return a.view.DeleteApplication(app.ID, event)
-	default:
-		return a.view.ProcessedApplicationSequence(event)
-	}
-	if err != nil {
-		return err
-	}
-	return a.view.PutApplication(app, event)
-}
-
-func (a *Application) OnError(event *models.Event, spoolerError error) error {
-	logging.LogWithFields("SPOOL-sjZw", "id", event.AggregateID).WithError(spoolerError).Warn("something went wrong in project app handler")
-	return spooler.HandleError(event, spoolerError, a.view.GetLatestApplicationFailedEvent, a.view.ProcessedApplicationFailedEvent, a.view.ProcessedApplicationSequence, a.errorCountUntilSkip)
-}
-
-func (a *Application) OnSuccess() error {
-	return spooler.HandleSuccess(a.view.UpdateApplicationSpoolerRunTimestamp)
-}

internal/authz/repository/eventsourcing/handler/handler.go

@@ -36,8 +36,6 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es
 			systemDefaults.IamID),
 		newUserMembership(
 			handler{view, bulkLimit, configs.cycleDuration("UserMemberships"), errorCount, es}),
-		newApplication(
-			handler{view, bulkLimit, configs.cycleDuration("Application"), errorCount, es}),
 	}
 }
 

internal/authz/repository/eventsourcing/repository.go

@@ -4,7 +4,7 @@ import (
 	"context"
 
 	"github.com/caos/zitadel/internal/crypto"
-	"github.com/caos/zitadel/internal/eventstore/v1"
+	v1 "github.com/caos/zitadel/internal/eventstore/v1"
 
 	"github.com/caos/zitadel/internal/query"
 
@@ -43,7 +43,7 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, qu
 	}
 
 	idGenerator := id.SonyFlakeGenerator
-	view, err := authz_view.StartView(sqlClient, idGenerator)
+	view, err := authz_view.StartView(sqlClient, idGenerator, queries)
 	if err != nil {
 		return nil, err
 	}

internal/authz/repository/eventsourcing/view/application.go

@@ -4,69 +4,45 @@ import (
 	"context"
 
 	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/v1/models"
-	proj_model "github.com/caos/zitadel/internal/project/model"
-	"github.com/caos/zitadel/internal/project/repository/view"
-	"github.com/caos/zitadel/internal/project/repository/view/model"
+	"github.com/caos/zitadel/internal/query"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
-	"github.com/caos/zitadel/internal/view/repository"
 )
 
-const (
-	applicationTable = "authz.applications"
-)
-
-func (v *View) ApplicationByID(projectID, appID string) (*model.ApplicationView, error) {
-	return view.ApplicationByID(v.Db, applicationTable, projectID, appID)
+func (v *View) ApplicationByOIDCClientID(clientID string) (*query.App, error) {
+	return v.Query.AppByOIDCClientID(context.TODO(), clientID)
 }
 
-func (v *View) ApplicationByOIDCClientID(clientID string) (*model.ApplicationView, error) {
-	return view.ApplicationByOIDCClientID(v.Db, applicationTable, clientID)
-}
-
-func (v *View) ApplicationByProjecIDAndAppName(ctx context.Context, projectID, appName string) (_ *model.ApplicationView, err error) {
+func (v *View) ApplicationByProjecIDAndAppName(ctx context.Context, projectID, appName string) (_ *query.App, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	return view.ApplicationByProjectIDAndAppName(v.Db, applicationTable, projectID, appName)
-}
-
-func (v *View) SearchApplications(request *proj_model.ApplicationSearchRequest) ([]*model.ApplicationView, uint64, error) {
-	return view.SearchApplications(v.Db, applicationTable, request)
-}
-
-func (v *View) PutApplication(project *model.ApplicationView, event *models.Event) error {
-	err := view.PutApplication(v.Db, applicationTable, project)
+	nameQuery, err := query.NewAppNameSearchQuery(query.TextEquals, appName)
 	if err != nil {
-		return err
+		return nil, err
 	}
-	return v.ProcessedApplicationSequence(event)
-}
-
-func (v *View) DeleteApplication(appID string, event *models.Event) error {
-	err := view.DeleteApplication(v.Db, applicationTable, appID)
-	if err != nil && !errors.IsNotFound(err) {
-		return err
+	projectQuery, err := query.NewAppProjectIDSearchQuery(projectID)
+	if err != nil {
+		return nil, err
 	}
-	return v.ProcessedApplicationSequence(event)
+
+	queries := &query.AppSearchQueries{
+		Queries: []query.SearchQuery{
+			nameQuery,
+			projectQuery,
+		},
+	}
+
+	apps, err := v.Query.SearchApps(ctx, queries)
+	if err != nil {
+		return nil, err
+	}
+	if len(apps.Apps) != 1 {
+		return nil, errors.ThrowNotFound(nil, "VIEW-svLQq", "app not found")
+	}
+
+	return apps.Apps[0], nil
 }
 
-func (v *View) GetLatestApplicationSequence() (*repository.CurrentSequence, error) {
-	return v.latestSequence(applicationTable)
-}
-
-func (v *View) ProcessedApplicationSequence(event *models.Event) error {
-	return v.saveCurrentSequence(applicationTable, event)
-}
-
-func (v *View) UpdateApplicationSpoolerRunTimestamp() error {
-	return v.updateSpoolerRunSequence(applicationTable)
-}
-
-func (v *View) GetLatestApplicationFailedEvent(sequence uint64) (*repository.FailedEvent, error) {
-	return v.latestFailedEvent(applicationTable, sequence)
-}
-
-func (v *View) ProcessedApplicationFailedEvent(failedEvent *repository.FailedEvent) error {
-	return v.saveFailedEvent(failedEvent)
+func (v *View) SearchApplications(request *query.AppSearchQueries) (*query.Apps, error) {
+	return v.Query.SearchApps(context.TODO(), request)
 }

internal/authz/repository/eventsourcing/view/view.go

@@ -2,17 +2,20 @@ package view
 
 import (
 	"database/sql"
+
 	"github.com/caos/zitadel/internal/id"
+	"github.com/caos/zitadel/internal/query"
 
 	"github.com/jinzhu/gorm"
 )
 
 type View struct {
 	Db          *gorm.DB
+	Query       *query.Queries
 	idGenerator id.Generator
 }
 
-func StartView(sqlClient *sql.DB, idGenerator id.Generator) (*View, error) {
+func StartView(sqlClient *sql.DB, idGenerator id.Generator, queries *query.Queries) (*View, error) {
 	gorm, err := gorm.Open("postgres", sqlClient)
 	if err != nil {
 		return nil, err
@@ -20,6 +23,7 @@ func StartView(sqlClient *sql.DB, idGenerator id.Generator) (*View, error) {
 	return &View{
 		Db:          gorm,
 		idGenerator: idGenerator,
+		Query:       queries,
 	}, nil
 }