fix(app): move queries to query package (#2612)

* fix: move queries to query package * fix(auth): switch project role requests to query pkg * refactor: delete unused project role code * remove repo * implement sql queries * fix(database): oidc config change type to int2 * fix(queries): implement app queries * refactor: simplify code * fix: correct app query * Update app.go * fix token check * fix mock * test: app prepares * test: oidc compliance * test: OIDCOriginAllowList * fix: converter * resolve unsupported oidc version Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 11:47:34 +00:00 · 2021-11-26 07:57:05 +01:00
parent a9035def0f
commit 3473156c7e
39 changed files with 3150 additions and 1066 deletions
--- a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
+++ b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
@@ -66,7 +66,7 @@ func (repo *TokenVerifierRepo) TokenByID(ctx context.Context, tokenID, userID st
 	return model.TokenViewToModel(token), nil
 }

-func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, verifierClientID string) (userID string, agentID string, clientID, prefLang, resourceOwner string, err error) {
+func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, verifierClientID, projectID string) (userID string, agentID string, clientID, prefLang, resourceOwner string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 	tokenData, err := base64.RawURLEncoding.DecodeString(tokenString)
@@ -90,10 +90,6 @@ func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenStrin
 		return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-k9KS0", "invalid token")
 	}

-	projectID, _, err := repo.ProjectIDAndOriginsByClientID(ctx, verifierClientID)
-	if err != nil {
-		return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-5M9so", "invalid token")
-	}
 	for _, aud := range token.Audience {
 		if verifierClientID == aud || projectID == aud {
 			return token.UserID, token.UserAgentID, token.ApplicationID, token.PreferredLanguage, token.ResourceOwner, nil
@@ -107,7 +103,7 @@ func (repo *TokenVerifierRepo) ProjectIDAndOriginsByClientID(ctx context.Context
 	if err != nil {
 		return "", nil, err
 	}
-	return app.ProjectID, app.OriginAllowList, nil
+	return app.ProjectID, app.OIDCConfig.AllowedOrigins, nil
 }

 func (repo *TokenVerifierRepo) CheckOrgFeatures(ctx context.Context, orgID string, requiredFeatures ...string) error {
@@ -237,19 +233,24 @@ func MissingFeatureErr(feature string) error {
 	return caos_errs.ThrowPermissionDeniedf(nil, "AUTH-Dvgsf", "missing feature %v", feature)
 }

-func (repo *TokenVerifierRepo) VerifierClientID(ctx context.Context, appName string) (_ string, err error) {
+func (repo *TokenVerifierRepo) VerifierClientID(ctx context.Context, appName string) (clientID, projectID string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

 	iam, err := repo.getIAMByID(ctx)
 	if err != nil {
-		return "", err
+		return "", "", err
 	}
 	app, err := repo.View.ApplicationByProjecIDAndAppName(ctx, iam.IAMProjectID, appName)
 	if err != nil {
-		return "", err
+		return "", "", err
 	}
-	return app.OIDCClientID, nil
+	if app.OIDCConfig != nil {
+		clientID = app.OIDCConfig.ClientID
+	} else if app.APIConfig != nil {
+		clientID = app.APIConfig.ClientID
+	}
+	return clientID, app.ProjectID, nil
 }

 func (r *TokenVerifierRepo) getUserEvents(ctx context.Context, userID string, sequence uint64) ([]*models.Event, error) {