feat: usergrant (#489)
* fix: search usergrants only for allowed projects * fix: check permissions * fix: check permissions * fix: check permissions * Update internal/management/repository/eventsourcing/eventstore/project.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: merge request changes * fix: variable name Co-authored-by: Silvan <silvan.reusser@gmail.com>
This commit is contained in:
parent
a9f0e15e65
commit
351aac22f8
@ -48,6 +48,24 @@ InternalAuthZ:
|
||||
- "project.grant.user.grant.read"
|
||||
- "project.grant.user.grant.write"
|
||||
- "project.grant.user.grant.delete"
|
||||
- Role: 'IAM_OWNER_VIEWER'
|
||||
Permissions:
|
||||
- "iam.read"
|
||||
- "iam.policy.read"
|
||||
- "iam.member.read"
|
||||
- "org.read"
|
||||
- "org.member.read"
|
||||
- "user.read"
|
||||
- "user.grant.read"
|
||||
- "policy.read"
|
||||
- "project.read"
|
||||
- "project.member.read"
|
||||
- "project.role.read"
|
||||
- "project.app.read"
|
||||
- "project.user.grant.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.member.read"
|
||||
- "project.grant.user.grant.read"
|
||||
- Role: 'ORG_OWNER'
|
||||
Permissions:
|
||||
- "org.read"
|
||||
@ -87,136 +105,25 @@ InternalAuthZ:
|
||||
- "project.grant.user.grant.read"
|
||||
- "project.grant.user.grant.write"
|
||||
- "project.grant.user.grant.delete"
|
||||
- Role: 'ORG_EDITOR'
|
||||
Permissions:
|
||||
- "org.read"
|
||||
- "org.write"
|
||||
- Role: 'ORG_VIEWER'
|
||||
Permissions:
|
||||
- "org.read"
|
||||
- Role: 'ORG_MEMBER_EDITOR'
|
||||
Permissions:
|
||||
- "org.read"
|
||||
- "org.member.read"
|
||||
- "org.member.write"
|
||||
- "org.member.delete"
|
||||
- Role: 'ORG_MEMBER_VIEWER'
|
||||
- Role: 'ORG_OWNER'
|
||||
Permissions:
|
||||
- "org.read"
|
||||
- "org.member.read"
|
||||
- "user.read"
|
||||
- "user.grant.read"
|
||||
- "policy.read"
|
||||
- "project.read"
|
||||
- "project.member.read"
|
||||
- "project.role.read"
|
||||
- "project.app.read"
|
||||
- "project.user.grant.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.member.read"
|
||||
- "project.grant.user.grant.read"
|
||||
- Role: 'ORG_PROJECT_CREATOR'
|
||||
Permissions:
|
||||
- "project.read:self"
|
||||
- "project.write"
|
||||
- Role: 'ORG_PROJECT_EDITOR'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.write"
|
||||
- "project.member.read"
|
||||
- "project.member.write"
|
||||
- "project.member.delete"
|
||||
- "project.role.read"
|
||||
- "project.role.write"
|
||||
- "project.role.delete"
|
||||
- "project.app.read"
|
||||
- "project.app.write"
|
||||
- "project.app.delete"
|
||||
- "project.grant.read"
|
||||
- "project.grant.write"
|
||||
- "project.grant.delete"
|
||||
- "project.grant.member.read"
|
||||
- "project.grant.member.write"
|
||||
- "project.grant.member.delete"
|
||||
- Role: 'ORG_PROJECT_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.member.read"
|
||||
- "project.role.read"
|
||||
- "project.app.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.member.read"
|
||||
- Role: 'ORG_PROJECT_MEMBER_EDITOR'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.member.read"
|
||||
- "project.member.write"
|
||||
- "project.member.delete"
|
||||
- "project.grant.member.delete"
|
||||
- Role: 'ORG_PROJECT_MEMBER_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.member.read"
|
||||
- Role: 'ORG_PROJECT_ROLE_EDITOR'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.role.read"
|
||||
- "project.role.write"
|
||||
- "project.role.delete"
|
||||
- Role: 'ORG_PROJECT_ROLE_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.role.read"
|
||||
- Role: 'ORG_PROJECT_APP_EDITOR'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.app.read"
|
||||
- "project.app.write"
|
||||
- "project.app.delete"
|
||||
- Role: 'ORG_PROJECT_APP_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.app.read"
|
||||
- Role: 'ORG_PROJECT_GRANT_EDITOR'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.write"
|
||||
- "project.grant.member.read"
|
||||
- "project.grant.member.write"
|
||||
- "project.grant.member.delete"
|
||||
- Role: 'ORG_PROJECT_GRANT_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- Role: 'ORG_PROJECT_GRANT_MEMBER_EDITOR'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.member.read"
|
||||
- "project.grant.member.write"
|
||||
- "project.grant.member.delete"
|
||||
- Role: 'ORG_PROJECT_GRANT_MEMBER_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.member.read"
|
||||
- Role: 'ORG_USER_EDITOR'
|
||||
Permissions:
|
||||
- "user.read"
|
||||
- "user.write"
|
||||
- "user.delete"
|
||||
- Role: 'ORG_USER_VIEWER'
|
||||
Permissions:
|
||||
- "user.read"
|
||||
- Role: 'ORG_USER_GRANT_EDITOR'
|
||||
Permissions:
|
||||
- "user.read"
|
||||
- "user.grant.read"
|
||||
- "user.grant.write"
|
||||
- "user.grant.delete"
|
||||
- "project.read"
|
||||
- Role: 'ORG_USER_GRANT_VIEWER'
|
||||
Permissions:
|
||||
- "user.read"
|
||||
- "user.grant.read"
|
||||
- Role: 'ORG_POLICY_EDITOR'
|
||||
Permissions:
|
||||
- "policy.read"
|
||||
- "policy.write"
|
||||
- "policy.delete"
|
||||
- Role: 'ORG_POLICY_VIEWER'
|
||||
Permissions:
|
||||
- "policy.read"
|
||||
- Role: 'PROJECT_OWNER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
@ -237,95 +144,35 @@ InternalAuthZ:
|
||||
- "project.grant.member.read"
|
||||
- "project.grant.member.write"
|
||||
- "project.grant.member.delete"
|
||||
- "project.user.grant.read"
|
||||
- "project.user.grant.write"
|
||||
- "project.user.grant.delete"
|
||||
- Role: 'PROJECT_MEMBER_EDITOR'
|
||||
- "user.read"
|
||||
- "user.grant.read"
|
||||
- "user.grant.write"
|
||||
- "user.grant.delete"
|
||||
- Role: 'PROJECT_OWNER_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.member.read"
|
||||
- "project.member.write"
|
||||
- "project.member.delete"
|
||||
- Role: 'PROJECT_MEMBER_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.member.read"
|
||||
- Role: 'PROJECT_ROLE_EDITOR'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.role.read"
|
||||
- "project.role.write"
|
||||
- "project.role.delete"
|
||||
- Role: 'PROJECT_APP_EDITOR'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.app.read"
|
||||
- "project.app.write"
|
||||
- Role: 'PROJECT_APP_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.app.read"
|
||||
- Role: 'PROJECT_GRANT_EDITOR'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.write"
|
||||
- "project.grant.delete"
|
||||
- Role: 'PROJECT_GRANT_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- Role: 'PROJECT_GRANT_MEMBER_EDITOR'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.member.read"
|
||||
- "project.grant.member.write"
|
||||
- "project.grant.member.delete"
|
||||
- Role: 'PROJECT_GRANT_MEMBER_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.member.read"
|
||||
- Role: 'PROJECT_USER_GRANT_EDITOR'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.user.grant.read"
|
||||
- "project.user.grant.write"
|
||||
- "project.user.grant.delete"
|
||||
- Role: 'PROJECT_USER_GRANT_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.user.grant.read"
|
||||
- "user.read"
|
||||
- "user.grant.read"
|
||||
- Role: 'PROJECT_GRANT_OWNER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.write"
|
||||
- "project.grant.member.read"
|
||||
- "project.grant.member.write"
|
||||
- "project.grant.member.delete"
|
||||
- Role: 'PROJECT_GRANT_MEMBER_EDITOR'
|
||||
- "user.read"
|
||||
- "user.grant.read"
|
||||
- "user.grant.write"
|
||||
- "user.grant.delete"
|
||||
- Role: 'PROJECT_GRANT_OWNER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.member.read"
|
||||
- "project.grant.member.write"
|
||||
- "project.grant.member.delete"
|
||||
- Role: 'PROJECT_GRANT_MEMBER_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.member.read"
|
||||
- Role: 'PROJECT_GRANT_USER_GRANT_EDITOR'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.user.grant.read"
|
||||
- "project.grant.user.grant.write"
|
||||
- "project.grant.user.grant.delete"
|
||||
- Role: 'PROJECT_GRANT_USER_GRANT_VIEWER'
|
||||
Permissions:
|
||||
- "project.read"
|
||||
- "project.grant.read"
|
||||
- "project.grant.user.grant.read"
|
||||
- "user.read"
|
||||
- "user.grant.read"
|
@ -98,7 +98,19 @@ func HasGlobalPermission(perms []string) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
func GetPermissionCtxIDs(perms []string) []string {
|
||||
func HasGlobalExplicitPermission(perms []string, permToCheck string) bool {
|
||||
for _, perm := range perms {
|
||||
p, ctxID := SplitPermission(perm)
|
||||
if p == permToCheck {
|
||||
if ctxID == "" {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func GetAllPermissionCtxIDs(perms []string) []string {
|
||||
ctxIDs := make([]string, 0)
|
||||
for _, perm := range perms {
|
||||
_, ctxID := SplitPermission(perm)
|
||||
@ -108,3 +120,16 @@ func GetPermissionCtxIDs(perms []string) []string {
|
||||
}
|
||||
return ctxIDs
|
||||
}
|
||||
|
||||
func GetExplicitPermissionCtxIDs(perms []string, searchPerm string) []string {
|
||||
ctxIDs := make([]string, 0)
|
||||
for _, perm := range perms {
|
||||
p, ctxID := SplitPermission(perm)
|
||||
if p == searchPerm {
|
||||
if ctxID != "" {
|
||||
ctxIDs = append(ctxIDs, ctxID)
|
||||
}
|
||||
}
|
||||
}
|
||||
return ctxIDs
|
||||
}
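Review bot: The nested `if p == searchPerm { if ctxID != "" { ... } }` in GetExplicitPermissionCtxIDs can be a single condition, `if p == searchPerm && ctxID != "" { ctxIDs = append(ctxIDs, ctxID) }`, which reads as what it does: collect the context IDs of one exact permission. Both new exported functions, HasGlobalExplicitPermission in the previous hunk and GetExplicitPermissionCtxIDs here, have no Go doc comment. I would add `// GetExplicitPermissionCtxIDs returns the context IDs of every permission whose name equals searchPerm; a context-free (global) match contributes nothing.` so callers do not confuse them with HasGlobalPermission and GetAllPermissionCtxIDs, which ignore the permission name.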
|
||||
|
@ -269,7 +269,7 @@ func Test_GetPermissionCtxIDs(t *testing.T) {
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
result := GetPermissionCtxIDs(tt.args.perms)
|
||||
result := GetAllPermissionCtxIDs(tt.args.perms)
|
||||
if !equalStringArray(result, tt.result) {
|
||||
t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
|
||||
}
|
||||
|
@ -10,8 +10,9 @@ import (
|
||||
type key int
|
||||
|
||||
const (
|
||||
permissionsKey key = 1
|
||||
dataKey key = 2
|
||||
requestPermissionsKey key = 1
|
||||
dataKey key = 2
|
||||
allPermissionsKey key = 3
|
||||
)
|
||||
|
||||
type CtxData struct {
|
||||
@ -59,7 +60,12 @@ func GetCtxData(ctx context.Context) CtxData {
|
||||
return ctxData
|
||||
}
|
||||
|
||||
func GetPermissionsFromCtx(ctx context.Context) []string {
|
||||
ctxPermission, _ := ctx.Value(permissionsKey).([]string)
|
||||
func GetRequestPermissionsFromCtx(ctx context.Context) []string {
|
||||
ctxPermission, _ := ctx.Value(requestPermissionsKey).([]string)
|
||||
return ctxPermission
|
||||
}
|
||||
|
||||
func GetAllPermissionsFromCtx(ctx context.Context) []string {
|
||||
ctxPermission, _ := ctx.Value(allPermissionsKey).([]string)
|
||||
return ctxPermission
|
||||
}
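Review bot: Neither context getter documents which permission set a caller should use, and both return nil when the key is absent because the failed type assertion on `ctx.Value(...).([]string)` yields the zero value. As far as the permissions.go hunk shows, the request set is filtered to the method's required permission and the all set is the full resolved set; I would state that: `// GetRequestPermissionsFromCtx returns the resolved permissions matching the current request's required permission (nil if none were stored).` and `// GetAllPermissionsFromCtx returns every permission resolved from the caller's grant, not filtered by the request (nil if none were stored).` Since nil and "no permissions" are indistinguishable here, callers must treat both as deny, which is worth saying in the comment.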
|
||||
|
@ -16,34 +16,40 @@ func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPer
|
||||
return nil, nil, err
|
||||
}
|
||||
if grant == nil {
|
||||
return context.WithValue(ctx, permissionsKey, []string{}), []string{}, nil
|
||||
return context.WithValue(ctx, requestPermissionsKey, []string{}), []string{}, nil
|
||||
}
|
||||
permissions := mapGrantToPermissions(requiredPerm, grant, authConfig)
|
||||
return context.WithValue(ctx, permissionsKey, permissions), permissions, nil
|
||||
requestPermissions, allPermissions := mapGrantToPermissions(requiredPerm, grant, authConfig)
|
||||
ctx = context.WithValue(ctx, allPermissionsKey, allPermissions)
|
||||
return context.WithValue(ctx, requestPermissionsKey, requestPermissions), requestPermissions, nil
|
||||
}
|
||||
|
||||
func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig Config) []string {
|
||||
resolvedPermissions := make([]string, 0)
|
||||
func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig Config) ([]string, []string) {
|
||||
requestPermissions := make([]string, 0)
|
||||
allPermissions := make([]string, 0)
|
||||
for _, role := range grant.Roles {
|
||||
resolvedPermissions = mapRoleToPerm(requiredPerm, role, authConfig, resolvedPermissions)
|
||||
requestPermissions, allPermissions = mapRoleToPerm(requiredPerm, role, authConfig, requestPermissions, allPermissions)
|
||||
}
|
||||
|
||||
return resolvedPermissions
|
||||
return requestPermissions, allPermissions
|
||||
}
|
||||
|
||||
func mapRoleToPerm(requiredPerm, actualRole string, authConfig Config, resolvedPermissions []string) []string {
|
||||
func mapRoleToPerm(requiredPerm, actualRole string, authConfig Config, requestPermissions, allPermissions []string) ([]string, []string) {
|
||||
roleName, roleContextID := SplitPermission(actualRole)
|
||||
perms := authConfig.getPermissionsFromRole(roleName)
|
||||
|
||||
for _, p := range perms {
|
||||
permWithCtx := addRoleContextIDToPerm(p, roleContextID)
|
||||
if !ExistsPerm(allPermissions, permWithCtx) {
|
||||
allPermissions = append(allPermissions, permWithCtx)
|
||||
}
|
||||
|
||||
if p == requiredPerm {
|
||||
p = addRoleContextIDToPerm(p, roleContextID)
|
||||
if !ExistsPerm(resolvedPermissions, p) {
|
||||
resolvedPermissions = append(resolvedPermissions, p)
|
||||
if !ExistsPerm(requestPermissions, permWithCtx) {
|
||||
requestPermissions = append(requestPermissions, permWithCtx)
|
||||
}
|
||||
}
|
||||
}
|
||||
return resolvedPermissions
|
||||
return requestPermissions, allPermissions
|
||||
}
|
||||
|
||||
func addRoleContextIDToPerm(perm, roleContextID string) string {
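Review bot: The `grant == nil` early return stores only requestPermissionsKey, while the normal path stores both keys, so GetAllPermissionsFromCtx yields nil for grant-less callers and an empty slice for everyone else; setting `ctx = context.WithValue(ctx, allPermissionsKey, []string{})` before `return context.WithValue(ctx, requestPermissionsKey, []string{}), []string{}, nil` keeps the contract uniform (downstream range loops tolerate nil, so this is consistency, not a crash). getUserMethodPermissions starts outside the hunk. I would also document the two return values, e.g. `// mapGrantToPermissions returns (permissions equal to requiredPerm, all permissions of the grant), each suffixed with its role's context ID and deduplicated.`, since the tuple order is easy to swap at a call site.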
|
||||
|
@ -157,9 +157,10 @@ func Test_MapGrantsToPermissions(t *testing.T) {
|
||||
authConfig Config
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
result []string
|
||||
name string
|
||||
args args
|
||||
requestPerms []string
|
||||
allPerms []string
|
||||
}{
|
||||
{
|
||||
name: "One Role existing perm",
|
||||
@ -179,7 +180,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
result: []string{"project.read"},
|
||||
requestPerms: []string{"project.read"},
|
||||
allPerms: []string{"org.read", "project.read"},
|
||||
},
|
||||
{
|
||||
name: "One Role not existing perm",
|
||||
@ -199,7 +201,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
result: []string{},
|
||||
requestPerms: []string{},
|
||||
allPerms: []string{"org.read", "project.read"},
|
||||
},
|
||||
{
|
||||
name: "Multiple Roles one existing",
|
||||
@ -219,7 +222,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
result: []string{"project.read"},
|
||||
requestPerms: []string{"project.read"},
|
||||
allPerms: []string{"org.read", "project.read"},
|
||||
},
|
||||
{
|
||||
name: "Multiple Roles, global and specific",
|
||||
@ -239,14 +243,18 @@ func Test_MapGrantsToPermissions(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
result: []string{"project.read", "project.read:1"},
|
||||
requestPerms: []string{"project.read", "project.read:1"},
|
||||
allPerms: []string{"org.read", "project.read", "project.read:1"},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
result := mapGrantToPermissions(tt.args.requiredPerm, tt.args.grant, tt.args.authConfig)
|
||||
if !equalStringArray(result, tt.result) {
|
||||
t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
|
||||
requestPerms, allPerms := mapGrantToPermissions(tt.args.requiredPerm, tt.args.grant, tt.args.authConfig)
|
||||
if !equalStringArray(requestPerms, tt.requestPerms) {
|
||||
t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
|
||||
}
|
||||
if !equalStringArray(allPerms, tt.allPerms) {
|
||||
t.Errorf("got wrong allPerms, expecting: %v, actual: %v ", tt.allPerms, allPerms)
|
||||
}
|
||||
})
|
||||
}
|
||||
@ -254,15 +262,17 @@ func Test_MapGrantsToPermissions(t *testing.T) {
|
||||
|
||||
func Test_MapRoleToPerm(t *testing.T) {
|
||||
type args struct {
|
||||
requiredPerm string
|
||||
actualRole string
|
||||
authConfig Config
|
||||
resolvedPermissions []string
|
||||
requiredPerm string
|
||||
actualRole string
|
||||
authConfig Config
|
||||
requestPerms []string
|
||||
allPerms []string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
result []string
|
||||
name string
|
||||
args args
|
||||
requestPerms []string
|
||||
allPerms []string
|
||||
}{
|
||||
{
|
||||
name: "first perm without context id",
|
||||
@ -281,9 +291,11 @@ func Test_MapRoleToPerm(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
resolvedPermissions: []string{},
|
||||
requestPerms: []string{},
|
||||
allPerms: []string{},
|
||||
},
|
||||
result: []string{"project.read"},
|
||||
requestPerms: []string{"project.read"},
|
||||
allPerms: []string{"org.read", "project.read"},
|
||||
},
|
||||
{
|
||||
name: "existing perm without context id",
|
||||
@ -302,9 +314,11 @@ func Test_MapRoleToPerm(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
resolvedPermissions: []string{"project.read"},
|
||||
requestPerms: []string{"project.read"},
|
||||
allPerms: []string{"org.read", "project.read"},
|
||||
},
|
||||
result: []string{"project.read"},
|
||||
requestPerms: []string{"project.read"},
|
||||
allPerms: []string{"org.read", "project.read"},
|
||||
},
|
||||
{
|
||||
name: "first perm with context id",
|
||||
@ -323,9 +337,11 @@ func Test_MapRoleToPerm(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
resolvedPermissions: []string{},
|
||||
requestPerms: []string{},
|
||||
allPerms: []string{},
|
||||
},
|
||||
result: []string{"project.read:1"},
|
||||
requestPerms: []string{"project.read:1"},
|
||||
allPerms: []string{"project.read:1"},
|
||||
},
|
||||
{
|
||||
name: "perm with context id, existing global",
|
||||
@ -344,16 +360,21 @@ func Test_MapRoleToPerm(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
resolvedPermissions: []string{"project.read"},
|
||||
requestPerms: []string{"project.read"},
|
||||
allPerms: []string{"org.read", "project.read"},
|
||||
},
|
||||
result: []string{"project.read", "project.read:1"},
|
||||
requestPerms: []string{"project.read", "project.read:1"},
|
||||
allPerms: []string{"org.read", "project.read", "project.read:1"},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
result := mapRoleToPerm(tt.args.requiredPerm, tt.args.actualRole, tt.args.authConfig, tt.args.resolvedPermissions)
|
||||
if !equalStringArray(result, tt.result) {
|
||||
t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
|
||||
requestPerms, allPerms := mapRoleToPerm(tt.args.requiredPerm, tt.args.actualRole, tt.args.authConfig, tt.args.requestPerms, tt.args.allPerms)
|
||||
if !equalStringArray(requestPerms, tt.requestPerms) {
|
||||
t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
|
||||
}
|
||||
if !equalStringArray(allPerms, tt.allPerms) {
|
||||
t.Errorf("got wrong allPerms, expecting: %v, actual: %v ", tt.allPerms, allPerms)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
@ -61,7 +61,7 @@ func (s *Server) ProjectByID(ctx context.Context, id *management.ProjectID) (*ma
|
||||
func (s *Server) SearchGrantedProjects(ctx context.Context, in *management.GrantedProjectSearchRequest) (*management.ProjectGrantSearchResponse, error) {
|
||||
request := grantedProjectSearchRequestsToModel(in)
|
||||
request.AppendMyOrgQuery(grpc_util.GetHeader(ctx, http.ZitadelOrgID))
|
||||
response, err := s.project.SearchProjectGrants(ctx, request)
|
||||
response, err := s.project.SearchGrantedProjects(ctx, request)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -27,6 +27,22 @@ func (s *Server) UserGrantByID(ctx context.Context, request *management.UserGran
|
||||
return userGrantViewFromModel(user), nil
|
||||
}
|
||||
|
||||
func (s *Server) CreateUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) {
|
||||
user, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return usergrantFromModel(user), nil
|
||||
}
|
||||
|
||||
func (s *Server) UpdateUserGrant(ctx context.Context, in *management.UserGrantUpdate) (*management.UserGrant, error) {
|
||||
user, err := s.usergrant.ChangeUserGrant(ctx, userGrantUpdateToModel(in))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return usergrantFromModel(user), nil
|
||||
}
|
||||
|
||||
func (s *Server) DeactivateUserGrant(ctx context.Context, in *management.UserGrantID) (*management.UserGrant, error) {
|
||||
user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
|
||||
if err != nil {
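Review bot: CreateUserGrant and UpdateUserGrant carry no doc comment, and nothing at this layer says that project- or grant-scoped authorization happens in the repository (the UserGrantRepo hunk later in this commit calls checkExplicitPermission), so a reader of the gRPC layer could assume a check is missing or add a second one. I would add `// CreateUserGrant adds a user grant; project/grant-level permission is enforced by the repository.` and the matching comment on UpdateUserGrant. DeactivateUserGrant's body continues past the hunk.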
|
||||
|
@ -231,7 +231,7 @@ func (u *UserGrant) processMember(event *models.Event, rolePrefix, roleSuffix st
|
||||
return err
|
||||
}
|
||||
if roleSuffix != "" {
|
||||
roleKeys = suffixRoles(event.AggregateID, roleKeys)
|
||||
roleKeys = suffixRoles(roleSuffix, roleKeys)
|
||||
}
|
||||
if errors.IsNotFound(err) {
|
||||
grant = &view_model.UserGrantView{
|
||||
|
@ -150,7 +150,7 @@ func (u *UserGrant) processMember(event *models.Event, rolePrefix, roleSuffix st
|
||||
return err
|
||||
}
|
||||
if roleSuffix != "" {
|
||||
roleKeys = suffixRoles(event.AggregateID, roleKeys)
|
||||
roleKeys = suffixRoles(roleSuffix, roleKeys)
|
||||
}
|
||||
if errors.IsNotFound(err) {
|
||||
grant = &view_model.UserGrantView{
|
||||
|
@ -82,15 +82,38 @@ func (repo *ProjectRepo) ReactivateProject(ctx context.Context, id string) (*pro
|
||||
|
||||
func (repo *ProjectRepo) SearchProjects(ctx context.Context, request *proj_model.ProjectViewSearchRequest) (*proj_model.ProjectViewSearchResponse, error) {
|
||||
request.EnsureLimit(repo.SearchLimit)
|
||||
|
||||
permissions := authz.GetPermissionsFromCtx(ctx)
|
||||
if !authz.HasGlobalPermission(permissions) {
|
||||
ids := authz.GetPermissionCtxIDs(permissions)
|
||||
request.Queries = append(request.Queries, &proj_model.ProjectViewSearchQuery{Key: proj_model.ProjectViewSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
|
||||
}
|
||||
|
||||
sequence, err := repo.View.GetLatestProjectSequence()
|
||||
logging.Log("EVENT-Edc56").OnError(err).Warn("could not read latest project sequence")
|
||||
|
||||
permissions := authz.GetRequestPermissionsFromCtx(ctx)
|
||||
if !authz.HasGlobalPermission(permissions) {
|
||||
ids := authz.GetAllPermissionCtxIDs(permissions)
|
||||
if _, q := request.GetSearchQuery(proj_model.ProjectViewSearchKeyProjectID); q != nil {
|
||||
containsID := false
|
||||
for _, id := range ids {
|
||||
if id == q.Value {
|
||||
containsID = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !containsID {
|
||||
result := &proj_model.ProjectViewSearchResponse{
|
||||
Offset: request.Offset,
|
||||
Limit: request.Limit,
|
||||
TotalResult: uint64(0),
|
||||
Result: []*proj_model.ProjectView{},
|
||||
}
|
||||
if err == nil {
|
||||
result.Sequence = sequence.CurrentSequence
|
||||
result.Timestamp = sequence.CurrentTimestamp
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
} else {
|
||||
request.Queries = append(request.Queries, &proj_model.ProjectViewSearchQuery{Key: proj_model.ProjectViewSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
|
||||
}
|
||||
}
|
||||
|
||||
projects, count, err := repo.View.SearchProjects(request)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@ -348,6 +371,57 @@ func (repo *ProjectRepo) SearchProjectGrants(ctx context.Context, request *proj_
|
||||
return result, nil
|
||||
}
|
||||
|
||||
func (repo *ProjectRepo) SearchGrantedProjects(ctx context.Context, request *proj_model.ProjectGrantViewSearchRequest) (*proj_model.ProjectGrantViewSearchResponse, error) {
|
||||
request.EnsureLimit(repo.SearchLimit)
|
||||
sequence, err := repo.View.GetLatestProjectGrantSequence()
|
||||
logging.Log("EVENT-Skw9f").OnError(err).Warn("could not read latest project grant sequence")
|
||||
|
||||
permissions := authz.GetRequestPermissionsFromCtx(ctx)
|
||||
if !authz.HasGlobalPermission(permissions) {
|
||||
ids := authz.GetAllPermissionCtxIDs(permissions)
|
||||
if _, q := request.GetSearchQuery(proj_model.GrantedProjectSearchKeyGrantID); q != nil {
|
||||
containsID := false
|
||||
for _, id := range ids {
|
||||
if id == q.Value {
|
||||
containsID = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !containsID {
|
||||
result := &proj_model.ProjectGrantViewSearchResponse{
|
||||
Offset: request.Offset,
|
||||
Limit: request.Limit,
|
||||
TotalResult: uint64(0),
|
||||
Result: []*proj_model.ProjectGrantView{},
|
||||
}
|
||||
if err == nil {
|
||||
result.Sequence = sequence.CurrentSequence
|
||||
result.Timestamp = sequence.CurrentTimestamp
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
} else {
|
||||
request.Queries = append(request.Queries, &proj_model.ProjectGrantViewSearchQuery{Key: proj_model.GrantedProjectSearchKeyGrantID, Method: global_model.SearchMethodIsOneOf, Value: ids})
|
||||
}
|
||||
}
|
||||
|
||||
projects, count, err := repo.View.SearchProjectGrants(request)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
result := &proj_model.ProjectGrantViewSearchResponse{
|
||||
Offset: request.Offset,
|
||||
Limit: request.Limit,
|
||||
TotalResult: uint64(count),
|
||||
Result: model.ProjectGrantsToModel(projects),
|
||||
}
|
||||
if err == nil {
|
||||
result.Sequence = sequence.CurrentSequence
|
||||
result.Timestamp = sequence.CurrentTimestamp
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
func (repo *ProjectRepo) AddProjectGrant(ctx context.Context, grant *proj_model.ProjectGrant) (*proj_model.ProjectGrant, error) {
|
||||
return repo.ProjectEvents.AddProjectGrant(ctx, grant)
|
||||
}
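Review bot: SearchGrantedProjects filters GrantedProjectSearchKeyGrantID with `ids` from GetAllPermissionCtxIDs, which returns the context ID of every request permission whether the role was scoped to a project or to a project grant, so project IDs end up in a grant-ID filter (harmless only if the two ID spaces never collide), and when `ids` is empty the outcome depends entirely on how the view translates an empty `IsOneOf` list — if it drops the predicate, a caller with no scoped permission sees everything. I would short-circuit `if len(ids) == 0` to the same empty response the `!containsID` branch builds instead of relying on the view. The permission-filter block and the empty-response construction are now repeated in SearchProjects above, here, and in handleSearchUserGrantPermissions in the user grant repository; a shared helper taking the search key and the ids would remove the copies.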
|
||||
|
@ -3,10 +3,18 @@ package eventstore
|
||||
import (
|
||||
"context"
|
||||
"github.com/caos/logging"
|
||||
"github.com/caos/zitadel/internal/api/authz"
|
||||
caos_errors "github.com/caos/zitadel/internal/errors"
|
||||
"github.com/caos/zitadel/internal/management/repository/eventsourcing/view"
|
||||
global_model "github.com/caos/zitadel/internal/model"
|
||||
grant_model "github.com/caos/zitadel/internal/usergrant/model"
|
||||
grant_event "github.com/caos/zitadel/internal/usergrant/repository/eventsourcing"
|
||||
"github.com/caos/zitadel/internal/usergrant/repository/view/model"
|
||||
"github.com/caos/zitadel/internal/view/repository"
|
||||
)
|
||||
|
||||
const (
|
||||
projectReadPerm = "project.read"
|
||||
)
|
||||
|
||||
type UserGrantRepo struct {
|
||||
@ -24,34 +32,88 @@ func (repo *UserGrantRepo) UserGrantByID(ctx context.Context, grantID string) (*
|
||||
}
|
||||
|
||||
func (repo *UserGrantRepo) AddUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
|
||||
err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return repo.UserGrantEvents.AddUserGrant(ctx, grant)
|
||||
}
|
||||
|
||||
func (repo *UserGrantRepo) ChangeUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
|
||||
err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return repo.UserGrantEvents.ChangeUserGrant(ctx, grant)
|
||||
}
|
||||
|
||||
func (repo *UserGrantRepo) DeactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
|
||||
grant, err := repo.UserGrantByID(ctx, grantID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return repo.UserGrantEvents.DeactivateUserGrant(ctx, grantID)
|
||||
}
|
||||
|
||||
func (repo *UserGrantRepo) ReactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
|
||||
grant, err := repo.UserGrantByID(ctx, grantID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return repo.UserGrantEvents.ReactivateUserGrant(ctx, grantID)
|
||||
}
|
||||
|
||||
func (repo *UserGrantRepo) RemoveUserGrant(ctx context.Context, grantID string) error {
|
||||
grant, err := repo.UserGrantByID(ctx, grantID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return repo.UserGrantEvents.RemoveUserGrant(ctx, grantID)
|
||||
}
|
||||
|
||||
func (repo *UserGrantRepo) BulkAddUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
|
||||
for _, grant := range grants {
|
||||
err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return repo.UserGrantEvents.AddUserGrants(ctx, grants...)
|
||||
}
|
||||
|
||||
func (repo *UserGrantRepo) BulkChangeUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
|
||||
for _, grant := range grants {
|
||||
err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return repo.UserGrantEvents.ChangeUserGrants(ctx, grants...)
|
||||
}
|
||||
|
||||
func (repo *UserGrantRepo) BulkRemoveUserGrant(ctx context.Context, grantIDs ...string) error {
|
||||
for _, grantID := range grantIDs {
|
||||
grant, err := repo.UserGrantByID(ctx, grantID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return repo.UserGrantEvents.RemoveUserGrants(ctx, grantIDs...)
|
||||
}
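Review bot: ChangeUserGrant and BulkChangeUserGrant authorize against `grant.GrantID` and `grant.ProjectID` taken from the incoming request, whereas DeactivateUserGrant, ReactivateUserGrant, RemoveUserGrant and BulkRemoveUserGrant first load the stored grant via UserGrantByID and check its IDs; on a change, a caller could pair a project or grant ID they are permitted on with the ID of a grant belonging to another project and pass the check, unless the event layer re-validates the pair (not visible here). I would load the existing grant by its ID in both change paths, as the deactivate path does, and pass the stored ProjectID and GrantID to checkExplicitPermission. checkExplicitPermission also accepts either ID being present in the caller's context IDs without knowing whether a given ID names a project or a grant; a comment stating that assumption would help.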
|
||||
|
||||
@ -59,11 +121,18 @@ func (repo *UserGrantRepo) SearchUserGrants(ctx context.Context, request *grant_
|
||||
request.EnsureLimit(repo.SearchLimit)
|
||||
sequence, err := repo.View.GetLatestUserGrantSequence()
|
||||
logging.Log("EVENT-5Viwf").OnError(err).Warn("could not read latest user grant sequence")
|
||||
|
||||
result := handleSearchUserGrantPermissions(ctx, request, sequence)
|
||||
if result != nil {
|
||||
return result, nil
|
||||
}
|
||||
|
||||
grants, count, err := repo.View.SearchUserGrants(request)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
result := &grant_model.UserGrantSearchResponse{
|
||||
|
||||
result = &grant_model.UserGrantSearchResponse{
|
||||
Offset: request.Offset,
|
||||
Limit: request.Limit,
|
||||
TotalResult: uint64(count),
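Review bot: The contract of handleSearchUserGrantPermissions — a non-nil empty response means short-circuit, nil means `request.Queries` was narrowed in place — is not stated at the call site, and the name reads like a pure check; a comment such as `// handleSearchUserGrantPermissions narrows request to the caller's permitted projects (returns nil) or returns an empty result when the requested project is not permitted.` would make the branch self-explanatory. The helper is handed `sequence` even when GetLatestUserGrantSequence failed and guards on `sequence != nil`, while the fall-through path below guards on `err == nil`; one test for the same condition would be clearer. Reusing `result` for both the denied response and the final response is also easy to misread; a distinct name for the denied case would help.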
|
||||
@ -75,3 +144,67 @@ func (repo *UserGrantRepo) SearchUserGrants(ctx context.Context, request *grant_
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
func handleSearchUserGrantPermissions(ctx context.Context, request *grant_model.UserGrantSearchRequest, sequence *repository.CurrentSequence) *grant_model.UserGrantSearchResponse {
|
||||
permissions := authz.GetAllPermissionsFromCtx(ctx)
|
||||
if authz.HasGlobalExplicitPermission(permissions, projectReadPerm) {
|
||||
return nil
|
||||
}
|
||||
|
||||
ids := authz.GetExplicitPermissionCtxIDs(permissions, projectReadPerm)
|
||||
if _, q := request.GetSearchQuery(grant_model.UserGrantSearchKeyProjectID); q != nil {
|
||||
containsID := false
|
||||
for _, id := range ids {
|
||||
if id == q.Value {
|
||||
containsID = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !containsID {
|
||||
result := &grant_model.UserGrantSearchResponse{
|
||||
Offset: request.Offset,
|
||||
Limit: request.Limit,
|
||||
TotalResult: uint64(0),
|
||||
Result: []*grant_model.UserGrantView{},
|
||||
}
|
||||
if sequence != nil {
|
||||
result.Sequence = sequence.CurrentSequence
|
||||
result.Timestamp = sequence.CurrentTimestamp
|
||||
}
|
||||
return result
|
||||
}
|
||||
}
|
||||
request.Queries = append(request.Queries, &grant_model.UserGrantSearchQuery{Key: grant_model.UserGrantSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
|
||||
return nil
|
||||
}
|
||||
|
||||
func checkExplicitPermission(ctx context.Context, grantID, projectID string) error {
|
||||
permissions := authz.GetRequestPermissionsFromCtx(ctx)
|
||||
if authz.HasGlobalPermission(permissions) {
|
||||
return nil
|
||||
}
|
||||
ids := authz.GetAllPermissionCtxIDs(permissions)
|
||||
containsID := false
|
||||
if grantID != "" {
|
||||
containsID = listContainsID(ids, grantID)
|
||||
if containsID {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
containsID = listContainsID(ids, projectID)
|
||||
if !containsID {
|
||||
return caos_errors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func listContainsID(ids []string, id string) bool {
|
||||
containsID := false
|
||||
for _, i := range ids {
|
||||
if i == id {
|
||||
containsID = true
|
||||
break
|
||||
}
|
||||
}
|
||||
return containsID
|
||||
}
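Review bot: checkExplicitPermission accepts a request as soon as either grant.GrantID or grant.ProjectID appears in the caller's permitted IDs, but never checks that the two belong together; since both values come straight from the request in BulkAddUserGrant and BulkChangeUserGrant, a caller permitted on project grant X could send GrantID=X together with a ProjectID they are not permitted on and still pass on the grantID branch, unless AddUserGrants/ChangeUserGrants validate that pairing, which is not visible here. I would resolve the project grant by ID and compare its project with grant.ProjectID before trusting the grantID match, or at minimum record the assumption at the top of the function: `// NOTE: a permitted GrantID short-circuits the ProjectID check; the grant->project binding must be validated downstream`. Related, GetAllPermissionCtxIDs flattens project and project-grant IDs into one list, so a match cannot tell which kind of resource the caller was actually authorized on. A doc comment on checkExplicitPermission stating what the two IDs are and which permission context GetRequestPermissionsFromCtx yields would also help, since it differs from the GetAllPermissionsFromCtx/HasGlobalExplicitPermission pair used by the search path above.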
|
||||
|
@ -14,6 +14,7 @@ type ProjectRepository interface {
|
||||
ReactivateProject(ctx context.Context, id string) (*model.Project, error)
|
||||
SearchProjects(ctx context.Context, request *model.ProjectViewSearchRequest) (*model.ProjectViewSearchResponse, error)
|
||||
SearchProjectGrants(ctx context.Context, request *model.ProjectGrantViewSearchRequest) (*model.ProjectGrantViewSearchResponse, error)
|
||||
SearchGrantedProjects(ctx context.Context, request *model.ProjectGrantViewSearchRequest) (*model.ProjectGrantViewSearchResponse, error)
|
||||
ProjectGrantViewByID(ctx context.Context, grantID string) (*model.ProjectGrantView, error)
|
||||
|
||||
ProjectMemberByID(ctx context.Context, projectID, userID string) (*model.ProjectMemberView, error)
|
||||
|
@ -56,6 +56,15 @@ type ProjectGrantViewSearchResponse struct {
|
||||
Timestamp time.Time
|
||||
}
|
||||
|
||||
func (r *ProjectGrantViewSearchRequest) GetSearchQuery(key ProjectGrantViewSearchKey) (int, *ProjectGrantViewSearchQuery) {
|
||||
for i, q := range r.Queries {
|
||||
if q.Key == key {
|
||||
return i, q
|
||||
}
|
||||
}
|
||||
return -1, nil
|
||||
}
|
||||
|
||||
func (r *ProjectGrantViewSearchRequest) AppendMyOrgQuery(orgID string) {
|
||||
r.Queries = append(r.Queries, &ProjectGrantViewSearchQuery{Key: GrantedProjectSearchKeyOrgID, Method: model.SearchMethodEquals, Value: orgID})
|
||||
}
|
||||
|
@ -47,6 +47,15 @@ type ProjectViewSearchResponse struct {
|
||||
Timestamp time.Time
|
||||
}
|
||||
|
||||
func (r *ProjectViewSearchRequest) GetSearchQuery(key ProjectViewSearchKey) (int, *ProjectViewSearchQuery) {
|
||||
for i, q := range r.Queries {
|
||||
if q.Key == key {
|
||||
return i, q
|
||||
}
|
||||
}
|
||||
return -1, nil
|
||||
}
|
||||
|
||||
func (r *ProjectViewSearchRequest) AppendMyResourceOwnerQuery(orgID string) {
|
||||
r.Queries = append(r.Queries, &ProjectViewSearchQuery{Key: ProjectViewSearchKeyResourceOwner, Method: model.SearchMethodEquals, Value: orgID})
|
||||
}
|
||||
|
@ -109,6 +109,7 @@ Errors:
|
||||
IDMissing: Id fehlt
|
||||
NotActive: Benutzer Berechtigung ist nicht aktiv
|
||||
NotInactive: Benutzer Berechtigung ist nicht deaktiviert
|
||||
NoPermissionForProject: Benutzer hat keine Rechte auf diesem Projekt
|
||||
Changes:
|
||||
NotFound: Es konnte kein Änderungsverlauf gefunden werden
|
||||
Token:
|
||||
|
@ -109,6 +109,7 @@ Errors:
|
||||
IDMissing: Id missing
|
||||
NotActive: User grant is not active
|
||||
NotInactive: User grant is not deactivated
|
||||
NoPermissionForProject: User has no permissions on this project
|
||||
Changes:
|
||||
NotFound: No history found
|
||||
Token:
|
||||
|
@ -71,6 +71,15 @@ func (r *UserGrantSearchRequest) EnsureLimit(limit uint64) {
|
||||
}
|
||||
}
|
||||
|
||||
func (r *UserGrantSearchRequest) GetSearchQuery(key UserGrantSearchKey) (int, *UserGrantSearchQuery) {
|
||||
for i, q := range r.Queries {
|
||||
if q.Key == key {
|
||||
return i, q
|
||||
}
|
||||
}
|
||||
return -1, nil
|
||||
}
|
||||
|
||||
func (r *UserGrantSearchRequest) AppendMyOrgQuery(orgID string) {
|
||||
r.Queries = append(r.Queries, &UserGrantSearchQuery{Key: UserGrantSearchKeyResourceOwner, Method: model.SearchMethodEquals, Value: orgID})
|
||||
}
|
||||
|
@ -76,7 +76,7 @@ func SetQuery(query *gorm.DB, key ColumnKey, value interface{}, method model.Sea
|
||||
case model.SearchMethodStartsWith:
|
||||
valueText, ok := value.(string)
|
||||
if !ok {
|
||||
return nil, caos_errs.ThrowInvalidArgument(nil, "VIEW-idu8e", "Starts with only possible for strings")
|
||||
return nil, caos_errs.ThrowInvalidArgument(nil, "VIEW-SLj7s", "Starts with only possible for strings")
|
||||
}
|
||||
query = query.Where(column+" LIKE ?", valueText+"%")
|
||||
case model.SearchMethodStartsWithIgnoreCase:
|
||||
|
@ -321,7 +321,7 @@ var ManagementService_AuthMethods = authz.MethodMapping{
|
||||
|
||||
"/caos.zitadel.management.api.v1.ManagementService/SearchGrantedProjects": authz.Option{
|
||||
Permission: "project.read",
|
||||
CheckParam: "ProjectId",
|
||||
CheckParam: "",
|
||||
},
|
||||
|
||||
"/caos.zitadel.management.api.v1.ManagementService/GetGrantedProjectByID": authz.Option{
|
||||
@ -494,6 +494,16 @@ var ManagementService_AuthMethods = authz.MethodMapping{
|
||||
CheckParam: "",
|
||||
},
|
||||
|
||||
"/caos.zitadel.management.api.v1.ManagementService/CreateUserGrant": authz.Option{
|
||||
Permission: "user.grant.write",
|
||||
CheckParam: "",
|
||||
},
|
||||
|
||||
"/caos.zitadel.management.api.v1.ManagementService/UpdateUserGrant": authz.Option{
|
||||
Permission: "user.grant.write",
|
||||
CheckParam: "",
|
||||
},
|
||||
|
||||
"/caos.zitadel.management.api.v1.ManagementService/DeactivateUserGrant": authz.Option{
|
||||
Permission: "user.grant.write",
|
||||
CheckParam: "",
|
||||
|
@ -2839,6 +2839,87 @@ func request_ManagementService_UserGrantByID_0(ctx context.Context, marshaler ru
|
||||
|
||||
}
|
||||
|
||||
func request_ManagementService_CreateUserGrant_0(ctx context.Context, marshaler runtime.Marshaler, client ManagementServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
|
||||
var protoReq UserGrantCreate
|
||||
var metadata runtime.ServerMetadata
|
||||
|
||||
newReader, berr := utilities.IOReaderFactory(req.Body)
|
||||
if berr != nil {
|
||||
return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
|
||||
}
|
||||
if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
|
||||
return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
|
||||
}
|
||||
|
||||
var (
|
||||
val string
|
||||
ok bool
|
||||
err error
|
||||
_ = err
|
||||
)
|
||||
|
||||
val, ok = pathParams["user_id"]
|
||||
if !ok {
|
||||
return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "user_id")
|
||||
}
|
||||
|
||||
protoReq.UserId, err = runtime.String(val)
|
||||
|
||||
if err != nil {
|
||||
return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "user_id", err)
|
||||
}
|
||||
|
||||
msg, err := client.CreateUserGrant(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
|
||||
return msg, metadata, err
|
||||
|
||||
}
|
||||
|
||||
func request_ManagementService_UpdateUserGrant_0(ctx context.Context, marshaler runtime.Marshaler, client ManagementServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
|
||||
var protoReq UserGrantUpdate
|
||||
var metadata runtime.ServerMetadata
|
||||
|
||||
newReader, berr := utilities.IOReaderFactory(req.Body)
|
||||
if berr != nil {
|
||||
return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
|
||||
}
|
||||
if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
|
||||
return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
|
||||
}
|
||||
|
||||
var (
|
||||
val string
|
||||
ok bool
|
||||
err error
|
||||
_ = err
|
||||
)
|
||||
|
||||
val, ok = pathParams["user_id"]
|
||||
if !ok {
|
||||
return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "user_id")
|
||||
}
|
||||
|
||||
protoReq.UserId, err = runtime.String(val)
|
||||
|
||||
if err != nil {
|
||||
return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "user_id", err)
|
||||
}
|
||||
|
||||
val, ok = pathParams["id"]
|
||||
if !ok {
|
||||
return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "id")
|
||||
}
|
||||
|
||||
protoReq.Id, err = runtime.String(val)
|
||||
|
||||
if err != nil {
|
||||
return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "id", err)
|
||||
}
|
||||
|
||||
msg, err := client.UpdateUserGrant(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
|
||||
return msg, metadata, err
|
||||
|
||||
}
|
||||
|
||||
func request_ManagementService_DeactivateUserGrant_0(ctx context.Context, marshaler runtime.Marshaler, client ManagementServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
|
||||
var protoReq UserGrantID
|
||||
var metadata runtime.ServerMetadata
|
||||
@ -5606,6 +5687,46 @@ func RegisterManagementServiceHandlerClient(ctx context.Context, mux *runtime.Se
|
||||
|
||||
})
|
||||
|
||||
mux.Handle("POST", pattern_ManagementService_CreateUserGrant_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
|
||||
ctx, cancel := context.WithCancel(req.Context())
|
||||
defer cancel()
|
||||
inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
|
||||
rctx, err := runtime.AnnotateContext(ctx, mux, req)
|
||||
if err != nil {
|
||||
runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
|
||||
return
|
||||
}
|
||||
resp, md, err := request_ManagementService_CreateUserGrant_0(rctx, inboundMarshaler, client, req, pathParams)
|
||||
ctx = runtime.NewServerMetadataContext(ctx, md)
|
||||
if err != nil {
|
||||
runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
|
||||
return
|
||||
}
|
||||
|
||||
forward_ManagementService_CreateUserGrant_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
|
||||
|
||||
})
|
||||
|
||||
mux.Handle("PUT", pattern_ManagementService_UpdateUserGrant_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
|
||||
ctx, cancel := context.WithCancel(req.Context())
|
||||
defer cancel()
|
||||
inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
|
||||
rctx, err := runtime.AnnotateContext(ctx, mux, req)
|
||||
if err != nil {
|
||||
runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
|
||||
return
|
||||
}
|
||||
resp, md, err := request_ManagementService_UpdateUserGrant_0(rctx, inboundMarshaler, client, req, pathParams)
|
||||
ctx = runtime.NewServerMetadataContext(ctx, md)
|
||||
if err != nil {
|
||||
runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
|
||||
return
|
||||
}
|
||||
|
||||
forward_ManagementService_UpdateUserGrant_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
|
||||
|
||||
})
|
||||
|
||||
mux.Handle("PUT", pattern_ManagementService_DeactivateUserGrant_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
|
||||
ctx, cancel := context.WithCancel(req.Context())
|
||||
defer cancel()
|
||||
@ -6128,6 +6249,10 @@ var (
|
||||
|
||||
pattern_ManagementService_UserGrantByID_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"users", "user_id", "grants", "id"}, ""))
|
||||
|
||||
pattern_ManagementService_CreateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2}, []string{"users", "user_id", "grants"}, ""))
|
||||
|
||||
pattern_ManagementService_UpdateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"users", "user_id", "grants", "id"}, ""))
|
||||
|
||||
pattern_ManagementService_DeactivateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"users", "user_id", "grants", "id", "_deactivate"}, ""))
|
||||
|
||||
pattern_ManagementService_ReactivateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"users", "user_id", "grants", "id", "_reactivate"}, ""))
|
||||
@ -6360,6 +6485,10 @@ var (
|
||||
|
||||
forward_ManagementService_UserGrantByID_0 = runtime.ForwardResponseMessage
|
||||
|
||||
forward_ManagementService_CreateUserGrant_0 = runtime.ForwardResponseMessage
|
||||
|
||||
forward_ManagementService_UpdateUserGrant_0 = runtime.ForwardResponseMessage
|
||||
|
||||
forward_ManagementService_DeactivateUserGrant_0 = runtime.ForwardResponseMessage
|
||||
|
||||
forward_ManagementService_ReactivateUserGrant_0 = runtime.ForwardResponseMessage
|
||||
|
@ -517,6 +517,26 @@ func (mr *MockManagementServiceClientMockRecorder) CreateUser(arg0, arg1 interfa
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateUser", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateUser), varargs...)
|
||||
}
|
||||
|
||||
// CreateUserGrant mocks base method
|
||||
func (m *MockManagementServiceClient) CreateUserGrant(arg0 context.Context, arg1 *management.UserGrantCreate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
|
||||
m.ctrl.T.Helper()
|
||||
varargs := []interface{}{arg0, arg1}
|
||||
for _, a := range arg2 {
|
||||
varargs = append(varargs, a)
|
||||
}
|
||||
ret := m.ctrl.Call(m, "CreateUserGrant", varargs...)
|
||||
ret0, _ := ret[0].(*management.UserGrant)
|
||||
ret1, _ := ret[1].(error)
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
// CreateUserGrant indicates an expected call of CreateUserGrant
|
||||
func (mr *MockManagementServiceClientMockRecorder) CreateUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
varargs := append([]interface{}{arg0, arg1}, arg2...)
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateUserGrant), varargs...)
|
||||
}
|
||||
|
||||
// DeactivateApplication mocks base method
|
||||
func (m *MockManagementServiceClient) DeactivateApplication(arg0 context.Context, arg1 *management.ApplicationID, arg2 ...grpc.CallOption) (*management.Application, error) {
|
||||
m.ctrl.T.Helper()
|
||||
@ -2257,6 +2277,26 @@ func (mr *MockManagementServiceClientMockRecorder) UpdateUserAddress(arg0, arg1
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserAddress", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateUserAddress), varargs...)
|
||||
}
|
||||
|
||||
// UpdateUserGrant mocks base method
|
||||
func (m *MockManagementServiceClient) UpdateUserGrant(arg0 context.Context, arg1 *management.UserGrantUpdate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
|
||||
m.ctrl.T.Helper()
|
||||
varargs := []interface{}{arg0, arg1}
|
||||
for _, a := range arg2 {
|
||||
varargs = append(varargs, a)
|
||||
}
|
||||
ret := m.ctrl.Call(m, "UpdateUserGrant", varargs...)
|
||||
ret0, _ := ret[0].(*management.UserGrant)
|
||||
ret1, _ := ret[1].(error)
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
// UpdateUserGrant indicates an expected call of UpdateUserGrant
|
||||
func (mr *MockManagementServiceClientMockRecorder) UpdateUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
varargs := append([]interface{}{arg0, arg1}, arg2...)
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateUserGrant), varargs...)
|
||||
}
|
||||
|
||||
// UpdateUserProfile mocks base method
|
||||
func (m *MockManagementServiceClient) UpdateUserProfile(arg0 context.Context, arg1 *management.UpdateUserProfileRequest, arg2 ...grpc.CallOption) (*management.UserProfile, error) {
|
||||
m.ctrl.T.Helper()
|
||||
|
@ -722,7 +722,6 @@ service ManagementService {
|
||||
|
||||
option (caos.zitadel.utils.v1.auth_option) = {
|
||||
permission: "project.read"
|
||||
check_field_name: "ProjectId"
|
||||
};
|
||||
}
|
||||
|
||||
@ -1112,6 +1111,28 @@ service ManagementService {
|
||||
};
|
||||
}
|
||||
|
||||
rpc CreateUserGrant(UserGrantCreate) returns (UserGrant) {
|
||||
option (google.api.http) = {
|
||||
post: "/users/{user_id}/grants"
|
||||
body: "*"
|
||||
};
|
||||
|
||||
option (caos.zitadel.utils.v1.auth_option) = {
|
||||
permission: "user.grant.write"
|
||||
};
|
||||
}
|
||||
|
||||
rpc UpdateUserGrant(UserGrantUpdate) returns (UserGrant) {
|
||||
option (google.api.http) = {
|
||||
put: "/users/{user_id}/grants/{id}"
|
||||
body: "*"
|
||||
};
|
||||
|
||||
option (caos.zitadel.utils.v1.auth_option) = {
|
||||
permission: "user.grant.write"
|
||||
};
|
||||
}
|
||||
|
||||
rpc DeactivateUserGrant(UserGrantID) returns (UserGrant) {
|
||||
option (google.api.http) = {
|
||||
put: "/users/{user_id}/grants/{id}/_deactivate"
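Review bot: CreateUserGrant and UpdateUserGrant are declared with `permission: "user.grant.write"` and no `check_field_name`, so the auth interceptor can only verify that the caller holds the permission at all; which project or project grant the caller may touch is enforced further down (the repository's checkExplicitPermission added in this commit), which is not evident from the service definition. Add a comment above each of the two rpc blocks, e.g. `// project / project-grant scoping is enforced in the repository, not via check_field_name`, so the omission is not read as an oversight by someone comparing with the deprecated project-scoped variants below. The routes nest under /users/{user_id} but user_id plays no part in the auth_option either, which the same comment could state.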
|
||||
@ -1159,6 +1180,7 @@ service ManagementService {
|
||||
// search user grants based on a project
|
||||
// This request is required that the user authorizations of zitadel can be differentiated
|
||||
rpc SearchProjectUserGrants(ProjectUserGrantSearchRequest) returns (UserGrantSearchResponse) {
|
||||
option deprecated = true;
|
||||
option (google.api.http) = {
|
||||
post: "/projects/{project_id}/users/grants/_search"
|
||||
body: "*"
|
||||
@ -1173,6 +1195,7 @@ service ManagementService {
|
||||
// get user grant based on a project
|
||||
// This request is required that the user authorizations of zitadel can be differentiated
|
||||
rpc ProjectUserGrantByID(ProjectUserGrantID) returns (UserGrantView) {
|
||||
option deprecated = true;
|
||||
option (google.api.http) = {
|
||||
get: "/projects/{project_id}/users/{user_id}/grants/{id}"
|
||||
};
|
||||
@ -1186,6 +1209,7 @@ service ManagementService {
|
||||
// create user grant based on a project
|
||||
// This request is required that the user authorizations of zitadel can be differentiated
|
||||
rpc CreateProjectUserGrant(UserGrantCreate) returns (UserGrant) {
|
||||
option deprecated = true;
|
||||
option (google.api.http) = {
|
||||
post: "/projects/{project_id}/users/{user_id}/grants"
|
||||
body: "*"
|
||||
@ -1200,6 +1224,7 @@ service ManagementService {
|
||||
// update user grant based on a project
|
||||
// This request is required that the user authorizations of zitadel can be differentiated
|
||||
rpc UpdateProjectUserGrant(ProjectUserGrantUpdate) returns (UserGrant) {
|
||||
option deprecated = true;
|
||||
option (google.api.http) = {
|
||||
put: "/projects/{project_id}/users/{user_id}/grants/{id}"
|
||||
body: "*"
|
||||
@ -1214,6 +1239,7 @@ service ManagementService {
|
||||
// deactivate user grant based on a project
|
||||
// This request is required that the user authorizations of zitadel can be differentiated
|
||||
rpc DeactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
|
||||
option deprecated = true;
|
||||
option (google.api.http) = {
|
||||
put: "/projects/{project_id}/users/{user_id}/grants/{id}/_deactivate"
|
||||
body: "*"
|
||||
@ -1228,6 +1254,7 @@ service ManagementService {
|
||||
// reactivate user grant based on a project
|
||||
// This request is required that the user authorizations of zitadel can be differentiated
|
||||
rpc ReactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
|
||||
option deprecated = true;
|
||||
option (google.api.http) = {
|
||||
put: "/projects/{project_id}/users/{user_id}/grants/{id}/_reactivate"
|
||||
body: "*"
|
||||
@ -1242,6 +1269,7 @@ service ManagementService {
|
||||
// search user grants based on a projectgrant
|
||||
// This request is required that the user authorizations of zitadel can be differentiated
|
||||
rpc SearchProjectGrantUserGrants(ProjectGrantUserGrantSearchRequest) returns (UserGrantSearchResponse) {
|
||||
option deprecated = true;
|
||||
option (google.api.http) = {
|
||||
post: "/projectgrants/{project_grant_id}/users/grants/_search"
|
||||
body: "*"
|
||||
@ -1256,6 +1284,7 @@ service ManagementService {
|
||||
// get user grant based on a projectgrant
|
||||
// This request is required that the user authorizations of zitadel can be differentiated
|
||||
rpc ProjectGrantUserGrantByID(ProjectGrantUserGrantID) returns (UserGrantView) {
|
||||
option deprecated = true;
|
||||
option (google.api.http) = {
|
||||
get: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
|
||||
};
|
||||
@ -1269,6 +1298,7 @@ service ManagementService {
|
||||
// create user grant based on a projectgrant
|
||||
// This request is required that the user authorizations of zitadel can be differentiated
|
||||
rpc CreateProjectGrantUserGrant(ProjectGrantUserGrantCreate) returns (UserGrant) {
|
||||
option deprecated = true;
|
||||
option (google.api.http) = {
|
||||
post: "/projectgrants/{project_grant_id}/users/{user_id}/grants"
|
||||
body: "*"
|
||||
@ -1283,6 +1313,7 @@ service ManagementService {
|
||||
// update user grant based on a projectgrant
|
||||
// This request is required that the user authorizations of zitadel can be differentiated
|
||||
rpc UpdateProjectGrantUserGrant(ProjectGrantUserGrantUpdate) returns (UserGrant) {
|
||||
option deprecated = true;
|
||||
option (google.api.http) = {
|
||||
put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
|
||||
body: "*"
|
||||
@ -1297,6 +1328,7 @@ service ManagementService {
|
||||
// deactivate user grant based on a projectgrant
|
||||
// This request is required that the user authorizations of zitadel can be differentiated
|
||||
rpc DeactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
|
||||
option deprecated = true;
|
||||
option (google.api.http) = {
|
||||
put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_deactivate"
|
||||
body: "*"
|
||||
@ -1311,6 +1343,7 @@ service ManagementService {
|
||||
// reactivate user grant based on a projectgrant
|
||||
// This request is required that the user authorizations of zitadel can be differentiated
|
||||
rpc ReactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
|
||||
option deprecated = true;
|
||||
option (google.api.http) = {
|
||||
put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_reactivate"
|
||||
body: "*"
|
||||
|