feat: usergrant (#489)

* fix: search usergrants only for allowed projects

* fix: check permissions

* fix: check permissions

* fix: check permissions

* Update internal/management/repository/eventsourcing/eventstore/project.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* fix: merge request changes

* fix: variable name

Co-authored-by: Silvan <silvan.reusser@gmail.com>
Fabi 2020-07-22 14:00:29 +02:00 committed by GitHub
parent a9f0e15e65
commit 351aac22f8
24 changed files with 1522 additions and 1017 deletions


@ -48,6 +48,24 @@ InternalAuthZ:
- "project.grant.user.grant.read" - "project.grant.user.grant.read"
- "project.grant.user.grant.write" - "project.grant.user.grant.write"
- "project.grant.user.grant.delete" - "project.grant.user.grant.delete"
- Role: 'IAM_OWNER_VIEWER'
Permissions:
- "iam.read"
- "iam.policy.read"
- "iam.member.read"
- "org.read"
- "org.member.read"
- "user.read"
- "user.grant.read"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.user.grant.read"
- "project.grant.read"
- "project.grant.member.read"
- "project.grant.user.grant.read"
- Role: 'ORG_OWNER' - Role: 'ORG_OWNER'
Permissions: Permissions:
- "org.read" - "org.read"
@ -87,136 +105,25 @@ InternalAuthZ:
- "project.grant.user.grant.read" - "project.grant.user.grant.read"
- "project.grant.user.grant.write" - "project.grant.user.grant.write"
- "project.grant.user.grant.delete" - "project.grant.user.grant.delete"
- Role: 'ORG_EDITOR' - Role: 'ORG_OWNER'
Permissions:
- "org.read"
- "org.write"
- Role: 'ORG_VIEWER'
Permissions:
- "org.read"
- Role: 'ORG_MEMBER_EDITOR'
Permissions:
- "org.read"
- "org.member.read"
- "org.member.write"
- "org.member.delete"
- Role: 'ORG_MEMBER_VIEWER'
Permissions: Permissions:
- "org.read" - "org.read"
- "org.member.read" - "org.member.read"
- "user.read"
- "user.grant.read"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.user.grant.read"
- "project.grant.read"
- "project.grant.member.read"
- "project.grant.user.grant.read"
- Role: 'ORG_PROJECT_CREATOR' - Role: 'ORG_PROJECT_CREATOR'
Permissions: Permissions:
- "project.read:self" - "project.read:self"
- "project.write" - "project.write"
- Role: 'ORG_PROJECT_EDITOR'
Permissions:
- "project.read"
- "project.write"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
- Role: 'ORG_PROJECT_VIEWER'
Permissions:
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
- Role: 'ORG_PROJECT_MEMBER_EDITOR'
Permissions:
- "project.read"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.grant.member.delete"
- Role: 'ORG_PROJECT_MEMBER_VIEWER'
Permissions:
- "project.read"
- "project.member.read"
- Role: 'ORG_PROJECT_ROLE_EDITOR'
Permissions:
- "project.read"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- Role: 'ORG_PROJECT_ROLE_VIEWER'
Permissions:
- "project.read"
- "project.role.read"
- Role: 'ORG_PROJECT_APP_EDITOR'
Permissions:
- "project.read"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- Role: 'ORG_PROJECT_APP_VIEWER'
Permissions:
- "project.read"
- "project.app.read"
- Role: 'ORG_PROJECT_GRANT_EDITOR'
Permissions:
- "project.read"
- "project.grant.read"
- "project.grant.write"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
- Role: 'ORG_PROJECT_GRANT_VIEWER'
Permissions:
- "project.read"
- "project.grant.read"
- Role: 'ORG_PROJECT_GRANT_MEMBER_EDITOR'
Permissions:
- "project.read"
- "project.grant.read"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
- Role: 'ORG_PROJECT_GRANT_MEMBER_VIEWER'
Permissions:
- "project.read"
- "project.grant.read"
- "project.grant.member.read"
- Role: 'ORG_USER_EDITOR'
Permissions:
- "user.read"
- "user.write"
- "user.delete"
- Role: 'ORG_USER_VIEWER'
Permissions:
- "user.read"
- Role: 'ORG_USER_GRANT_EDITOR'
Permissions:
- "user.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "project.read"
- Role: 'ORG_USER_GRANT_VIEWER'
Permissions:
- "user.read"
- "user.grant.read"
- Role: 'ORG_POLICY_EDITOR'
Permissions:
- "policy.read"
- "policy.write"
- "policy.delete"
- Role: 'ORG_POLICY_VIEWER'
Permissions:
- "policy.read"
- Role: 'PROJECT_OWNER' - Role: 'PROJECT_OWNER'
Permissions: Permissions:
- "project.read" - "project.read"
@ -237,95 +144,35 @@ InternalAuthZ:
- "project.grant.member.read" - "project.grant.member.read"
- "project.grant.member.write" - "project.grant.member.write"
- "project.grant.member.delete" - "project.grant.member.delete"
- "project.user.grant.read" - "user.read"
- "project.user.grant.write" - "user.grant.read"
- "project.user.grant.delete" - "user.grant.write"
- Role: 'PROJECT_MEMBER_EDITOR' - "user.grant.delete"
- Role: 'PROJECT_OWNER_VIEWER'
Permissions: Permissions:
- "project.read" - "project.read"
- "project.member.read" - "project.member.read"
- "project.member.write"
- "project.member.delete"
- Role: 'PROJECT_MEMBER_VIEWER'
Permissions:
- "project.read"
- "project.member.read"
- Role: 'PROJECT_ROLE_EDITOR'
Permissions:
- "project.read"
- "project.role.read" - "project.role.read"
- "project.role.write"
- "project.role.delete"
- Role: 'PROJECT_APP_EDITOR'
Permissions:
- "project.read"
- "project.app.read" - "project.app.read"
- "project.app.write"
- Role: 'PROJECT_APP_VIEWER'
Permissions:
- "project.read"
- "project.app.read"
- Role: 'PROJECT_GRANT_EDITOR'
Permissions:
- "project.read"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- Role: 'PROJECT_GRANT_VIEWER'
Permissions:
- "project.read"
- "project.grant.read"
- Role: 'PROJECT_GRANT_MEMBER_EDITOR'
Permissions:
- "project.read"
- "project.grant.read" - "project.grant.read"
- "project.grant.member.read" - "project.grant.member.read"
- "project.grant.member.write" - "user.read"
- "project.grant.member.delete" - "user.grant.read"
- Role: 'PROJECT_GRANT_MEMBER_VIEWER'
Permissions:
- "project.read"
- "project.grant.read"
- "project.grant.member.read"
- Role: 'PROJECT_USER_GRANT_EDITOR'
Permissions:
- "project.read"
- "project.user.grant.read"
- "project.user.grant.write"
- "project.user.grant.delete"
- Role: 'PROJECT_USER_GRANT_VIEWER'
Permissions:
- "project.read"
- "project.user.grant.read"
- Role: 'PROJECT_GRANT_OWNER' - Role: 'PROJECT_GRANT_OWNER'
Permissions: Permissions:
- "project.read" - "project.read"
- "project.grant.read" - "project.grant.read"
- "project.grant.write"
- "project.grant.member.read" - "project.grant.member.read"
- "project.grant.member.write" - "project.grant.member.write"
- "project.grant.member.delete" - "project.grant.member.delete"
- Role: 'PROJECT_GRANT_MEMBER_EDITOR' - "user.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- Role: 'PROJECT_GRANT_OWNER'
Permissions: Permissions:
- "project.read" - "project.read"
- "project.grant.read" - "project.grant.read"
- "project.grant.member.read" - "project.grant.member.read"
- "project.grant.member.write" - "user.read"
- "project.grant.member.delete" - "user.grant.read"
- Role: 'PROJECT_GRANT_MEMBER_VIEWER'
Permissions:
- "project.read"
- "project.grant.read"
- "project.grant.member.read"
- Role: 'PROJECT_GRANT_USER_GRANT_EDITOR'
Permissions:
- "project.read"
- "project.grant.read"
- "project.grant.user.grant.read"
- "project.grant.user.grant.write"
- "project.grant.user.grant.delete"
- Role: 'PROJECT_GRANT_USER_GRANT_VIEWER'
Permissions:
- "project.read"
- "project.grant.read"
- "project.grant.user.grant.read"
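Review bot: Grants that still carry one of the role names this hunk deletes (ORG_EDITOR, ORG_VIEWER, ORG_PROJECT_EDITOR, PROJECT_APP_EDITOR and the other fine-grained roles removed between L59 and L199 and L210 and L303) will presumably resolve to no permissions after this change, since mapRoleToPerm looks the role up by name in this config and nothing here maps old names to new ones; a short comment at the top of the InternalAuthZ block naming the replacement role for each removed one, or a migration note in the PR description, would keep existing users from being locked out silently. PROJECT_OWNER (L207-L210) and PROJECT_GRANT_OWNER (L276-L279) also swap the project-scoped `project.user.grant.*` names for the org-wide `user.grant.read/write/delete`; from the config alone that looks like a widening, and it is only the repository-side checkExplicitPermission in this commit that narrows it back to the owner's project or grant, which is worth stating in a comment next to those roles, e.g. `# user.grant.* is confined to the role's project/grant context by the repository layer`.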


@ -98,7 +98,19 @@ func HasGlobalPermission(perms []string) bool {
return false return false
} }
func GetPermissionCtxIDs(perms []string) []string { func HasGlobalExplicitPermission(perms []string, permToCheck string) bool {
for _, perm := range perms {
p, ctxID := SplitPermission(perm)
if p == permToCheck {
if ctxID == "" {
return true
}
}
}
return false
}
func GetAllPermissionCtxIDs(perms []string) []string {
ctxIDs := make([]string, 0) ctxIDs := make([]string, 0)
for _, perm := range perms { for _, perm := range perms {
_, ctxID := SplitPermission(perm) _, ctxID := SplitPermission(perm)
@ -108,3 +120,16 @@ func GetPermissionCtxIDs(perms []string) []string {
} }
return ctxIDs return ctxIDs
} }
func GetExplicitPermissionCtxIDs(perms []string, searchPerm string) []string {
ctxIDs := make([]string, 0)
for _, perm := range perms {
p, ctxID := SplitPermission(perm)
if p == searchPerm {
if ctxID != "" {
ctxIDs = append(ctxIDs, ctxID)
}
}
}
return ctxIDs
}
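Review bot: Both new exported functions lack a doc comment, and the nested conditions at L313-L314 and L333-L334 can be one test each: `if p == permToCheck && ctxID == "" { return true }` and `if p == searchPerm && ctxID != "" { ctxIDs = append(ctxIDs, ctxID) }`. For the comments I would write `// HasGlobalExplicitPermission reports whether perms contains permToCheck without a context ID suffix.` and `// GetExplicitPermissionCtxIDs returns the context IDs of every entry in perms whose permission name equals searchPerm.` so callers can tell these apart from HasGlobalPermission and GetAllPermissionCtxIDs, which ignore the permission name.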


@ -269,7 +269,7 @@ func Test_GetPermissionCtxIDs(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
result := GetPermissionCtxIDs(tt.args.perms) result := GetAllPermissionCtxIDs(tt.args.perms)
if !equalStringArray(result, tt.result) { if !equalStringArray(result, tt.result) {
t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result) t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
} }


@ -10,8 +10,9 @@ import (
type key int type key int
const ( const (
permissionsKey key = 1 requestPermissionsKey key = 1
dataKey key = 2 dataKey key = 2
allPermissionsKey key = 3
) )
type CtxData struct { type CtxData struct {
@ -59,7 +60,12 @@ func GetCtxData(ctx context.Context) CtxData {
return ctxData return ctxData
} }
func GetPermissionsFromCtx(ctx context.Context) []string { func GetRequestPermissionsFromCtx(ctx context.Context) []string {
ctxPermission, _ := ctx.Value(permissionsKey).([]string) ctxPermission, _ := ctx.Value(requestPermissionsKey).([]string)
return ctxPermission
}
func GetAllPermissionsFromCtx(ctx context.Context) []string {
ctxPermission, _ := ctx.Value(allPermissionsKey).([]string)
return ctxPermission return ctxPermission
} }
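Review bot: The two context getters (L366-L373) return nil when the key was never stored, because the comma-ok assertion on a missing value yields the zero slice, and callers in this commit rely on that reading as "no permissions"; that contract should be written down on both functions. I would add `// GetRequestPermissionsFromCtx returns the permissions resolved for the requested permission name, or nil when none were stored on ctx.` and `// GetAllPermissionsFromCtx returns every permission derived from the caller's roles, or nil when none were stored on ctx.` A one-line comment on the const block distinguishing requestPermissionsKey from allPermissionsKey would help too, since the names alone do not say which one authorization checks read.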


@ -16,34 +16,40 @@ func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPer
return nil, nil, err return nil, nil, err
} }
if grant == nil { if grant == nil {
return context.WithValue(ctx, permissionsKey, []string{}), []string{}, nil return context.WithValue(ctx, requestPermissionsKey, []string{}), []string{}, nil
} }
permissions := mapGrantToPermissions(requiredPerm, grant, authConfig) requestPermissions, allPermissions := mapGrantToPermissions(requiredPerm, grant, authConfig)
return context.WithValue(ctx, permissionsKey, permissions), permissions, nil ctx = context.WithValue(ctx, allPermissionsKey, allPermissions)
return context.WithValue(ctx, requestPermissionsKey, requestPermissions), requestPermissions, nil
} }
func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig Config) []string { func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig Config) ([]string, []string) {
resolvedPermissions := make([]string, 0) requestPermissions := make([]string, 0)
allPermissions := make([]string, 0)
for _, role := range grant.Roles { for _, role := range grant.Roles {
resolvedPermissions = mapRoleToPerm(requiredPerm, role, authConfig, resolvedPermissions) requestPermissions, allPermissions = mapRoleToPerm(requiredPerm, role, authConfig, requestPermissions, allPermissions)
} }
return resolvedPermissions return requestPermissions, allPermissions
} }
func mapRoleToPerm(requiredPerm, actualRole string, authConfig Config, resolvedPermissions []string) []string { func mapRoleToPerm(requiredPerm, actualRole string, authConfig Config, requestPermissions, allPermissions []string) ([]string, []string) {
roleName, roleContextID := SplitPermission(actualRole) roleName, roleContextID := SplitPermission(actualRole)
perms := authConfig.getPermissionsFromRole(roleName) perms := authConfig.getPermissionsFromRole(roleName)
for _, p := range perms { for _, p := range perms {
permWithCtx := addRoleContextIDToPerm(p, roleContextID)
if !ExistsPerm(allPermissions, permWithCtx) {
allPermissions = append(allPermissions, permWithCtx)
}
if p == requiredPerm { if p == requiredPerm {
p = addRoleContextIDToPerm(p, roleContextID) if !ExistsPerm(requestPermissions, permWithCtx) {
if !ExistsPerm(resolvedPermissions, p) { requestPermissions = append(requestPermissions, permWithCtx)
resolvedPermissions = append(resolvedPermissions, p)
} }
} }
} }
return resolvedPermissions return requestPermissions, allPermissions
} }
func addRoleContextIDToPerm(perm, roleContextID string) string { func addRoleContextIDToPerm(perm, roleContextID string) string {
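Review bot: The `grant == nil` branch at L381 stores only requestPermissionsKey, while the normal path at L384-L385 stores both keys, so for a caller without a grant GetAllPermissionsFromCtx yields nil and GetRequestPermissionsFromCtx yields an empty slice; the two should agree, e.g. `ctx = context.WithValue(ctx, allPermissionsKey, []string{})` before that return. getUserMethodPermissions begins outside the hunk. In mapRoleToPerm the new allPermissions bookkeeping (L399-L402) and the requestPermissions update (L403-L408) both call ExistsPerm on every permission of every role, which is fine at these sizes but deserves a comment such as `// allPermissions keeps every resolved permission (for search scoping); requestPermissions keeps only those matching requiredPerm (for the method check)` so a reader knows why two lists are maintained.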


@ -159,7 +159,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
args args args args
result []string requestPerms []string
allPerms []string
}{ }{
{ {
name: "One Role existing perm", name: "One Role existing perm",
@ -179,7 +180,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
}, },
}, },
}, },
result: []string{"project.read"}, requestPerms: []string{"project.read"},
allPerms: []string{"org.read", "project.read"},
}, },
{ {
name: "One Role not existing perm", name: "One Role not existing perm",
@ -199,7 +201,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
}, },
}, },
}, },
result: []string{}, requestPerms: []string{},
allPerms: []string{"org.read", "project.read"},
}, },
{ {
name: "Multiple Roles one existing", name: "Multiple Roles one existing",
@ -219,7 +222,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
}, },
}, },
}, },
result: []string{"project.read"}, requestPerms: []string{"project.read"},
allPerms: []string{"org.read", "project.read"},
}, },
{ {
name: "Multiple Roles, global and specific", name: "Multiple Roles, global and specific",
@ -239,14 +243,18 @@ func Test_MapGrantsToPermissions(t *testing.T) {
}, },
}, },
}, },
result: []string{"project.read", "project.read:1"}, requestPerms: []string{"project.read", "project.read:1"},
allPerms: []string{"org.read", "project.read", "project.read:1"},
}, },
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
result := mapGrantToPermissions(tt.args.requiredPerm, tt.args.grant, tt.args.authConfig) requestPerms, allPerms := mapGrantToPermissions(tt.args.requiredPerm, tt.args.grant, tt.args.authConfig)
if !equalStringArray(result, tt.result) { if !equalStringArray(requestPerms, tt.requestPerms) {
t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result) t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
}
if !equalStringArray(allPerms, tt.allPerms) {
t.Errorf("got wrong allPerms, expecting: %v, actual: %v ", tt.allPerms, allPerms)
} }
}) })
} }
@ -257,12 +265,14 @@ func Test_MapRoleToPerm(t *testing.T) {
requiredPerm string requiredPerm string
actualRole string actualRole string
authConfig Config authConfig Config
resolvedPermissions []string requestPerms []string
allPerms []string
} }
tests := []struct { tests := []struct {
name string name string
args args args args
result []string requestPerms []string
allPerms []string
}{ }{
{ {
name: "first perm without context id", name: "first perm without context id",
@ -281,9 +291,11 @@ func Test_MapRoleToPerm(t *testing.T) {
}, },
}, },
}, },
resolvedPermissions: []string{}, requestPerms: []string{},
allPerms: []string{},
}, },
result: []string{"project.read"}, requestPerms: []string{"project.read"},
allPerms: []string{"org.read", "project.read"},
}, },
{ {
name: "existing perm without context id", name: "existing perm without context id",
@ -302,9 +314,11 @@ func Test_MapRoleToPerm(t *testing.T) {
}, },
}, },
}, },
resolvedPermissions: []string{"project.read"}, requestPerms: []string{"project.read"},
allPerms: []string{"org.read", "project.read"},
}, },
result: []string{"project.read"}, requestPerms: []string{"project.read"},
allPerms: []string{"org.read", "project.read"},
}, },
{ {
name: "first perm with context id", name: "first perm with context id",
@ -323,9 +337,11 @@ func Test_MapRoleToPerm(t *testing.T) {
}, },
}, },
}, },
resolvedPermissions: []string{}, requestPerms: []string{},
allPerms: []string{},
}, },
result: []string{"project.read:1"}, requestPerms: []string{"project.read:1"},
allPerms: []string{"project.read:1"},
}, },
{ {
name: "perm with context id, existing global", name: "perm with context id, existing global",
@ -344,16 +360,21 @@ func Test_MapRoleToPerm(t *testing.T) {
}, },
}, },
}, },
resolvedPermissions: []string{"project.read"}, requestPerms: []string{"project.read"},
allPerms: []string{"org.read", "project.read"},
}, },
result: []string{"project.read", "project.read:1"}, requestPerms: []string{"project.read", "project.read:1"},
allPerms: []string{"org.read", "project.read", "project.read:1"},
}, },
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
result := mapRoleToPerm(tt.args.requiredPerm, tt.args.actualRole, tt.args.authConfig, tt.args.resolvedPermissions) requestPerms, allPerms := mapRoleToPerm(tt.args.requiredPerm, tt.args.actualRole, tt.args.authConfig, tt.args.requestPerms, tt.args.allPerms)
if !equalStringArray(result, tt.result) { if !equalStringArray(requestPerms, tt.requestPerms) {
t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result) t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
}
if !equalStringArray(allPerms, tt.allPerms) {
t.Errorf("got wrong allPerms, expecting: %v, actual: %v ", tt.allPerms, allPerms)
} }
}) })
} }


@ -61,7 +61,7 @@ func (s *Server) ProjectByID(ctx context.Context, id *management.ProjectID) (*ma
func (s *Server) SearchGrantedProjects(ctx context.Context, in *management.GrantedProjectSearchRequest) (*management.ProjectGrantSearchResponse, error) { func (s *Server) SearchGrantedProjects(ctx context.Context, in *management.GrantedProjectSearchRequest) (*management.ProjectGrantSearchResponse, error) {
request := grantedProjectSearchRequestsToModel(in) request := grantedProjectSearchRequestsToModel(in)
request.AppendMyOrgQuery(grpc_util.GetHeader(ctx, http.ZitadelOrgID)) request.AppendMyOrgQuery(grpc_util.GetHeader(ctx, http.ZitadelOrgID))
response, err := s.project.SearchProjectGrants(ctx, request) response, err := s.project.SearchGrantedProjects(ctx, request)
if err != nil { if err != nil {
return nil, err return nil, err
} }


@ -27,6 +27,22 @@ func (s *Server) UserGrantByID(ctx context.Context, request *management.UserGran
return userGrantViewFromModel(user), nil return userGrantViewFromModel(user), nil
} }
func (s *Server) CreateUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) {
user, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))
if err != nil {
return nil, err
}
return usergrantFromModel(user), nil
}
func (s *Server) UpdateUserGrant(ctx context.Context, in *management.UserGrantUpdate) (*management.UserGrant, error) {
user, err := s.usergrant.ChangeUserGrant(ctx, userGrantUpdateToModel(in))
if err != nil {
return nil, err
}
return usergrantFromModel(user), nil
}
func (s *Server) DeactivateUserGrant(ctx context.Context, in *management.UserGrantID) (*management.UserGrant, error) { func (s *Server) DeactivateUserGrant(ctx context.Context, in *management.UserGrantID) (*management.UserGrant, error) {
user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id) user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
if err != nil { if err != nil {
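Review bot: In the new CreateUserGrant and UpdateUserGrant handlers (L561-L574) the result of AddUserGrant/ChangeUserGrant is a UserGrant but is bound to a variable named `user`, which mirrors the pre-existing DeactivateUserGrant below and misleads at a glance. I would rename it in the new code, `grant, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))` and `return usergrantFromModel(grant), nil`, and do the same in UpdateUserGrant.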


@ -231,7 +231,7 @@ func (u *UserGrant) processMember(event *models.Event, rolePrefix, roleSuffix st
return err return err
} }
if roleSuffix != "" { if roleSuffix != "" {
roleKeys = suffixRoles(event.AggregateID, roleKeys) roleKeys = suffixRoles(roleSuffix, roleKeys)
} }
if errors.IsNotFound(err) { if errors.IsNotFound(err) {
grant = &view_model.UserGrantView{ grant = &view_model.UserGrantView{
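Review bot: The corrected `suffixRoles(roleSuffix, roleKeys)` call at L585 is duplicated byte-for-byte in a second processMember at L596, which is how the same wrong-argument bug came to exist in both files; a shared helper, or at least a unit test that pins the role-key suffix to roleSuffix rather than event.AggregateID, would keep the two copies from drifting apart again. processMember starts and ends outside this hunk in both files.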


@ -150,7 +150,7 @@ func (u *UserGrant) processMember(event *models.Event, rolePrefix, roleSuffix st
return err return err
} }
if roleSuffix != "" { if roleSuffix != "" {
roleKeys = suffixRoles(event.AggregateID, roleKeys) roleKeys = suffixRoles(roleSuffix, roleKeys)
} }
if errors.IsNotFound(err) { if errors.IsNotFound(err) {
grant = &view_model.UserGrantView{ grant = &view_model.UserGrantView{


@ -82,15 +82,38 @@ func (repo *ProjectRepo) ReactivateProject(ctx context.Context, id string) (*pro
func (repo *ProjectRepo) SearchProjects(ctx context.Context, request *proj_model.ProjectViewSearchRequest) (*proj_model.ProjectViewSearchResponse, error) { func (repo *ProjectRepo) SearchProjects(ctx context.Context, request *proj_model.ProjectViewSearchRequest) (*proj_model.ProjectViewSearchResponse, error) {
request.EnsureLimit(repo.SearchLimit) request.EnsureLimit(repo.SearchLimit)
permissions := authz.GetPermissionsFromCtx(ctx)
if !authz.HasGlobalPermission(permissions) {
ids := authz.GetPermissionCtxIDs(permissions)
request.Queries = append(request.Queries, &proj_model.ProjectViewSearchQuery{Key: proj_model.ProjectViewSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
}
sequence, err := repo.View.GetLatestProjectSequence() sequence, err := repo.View.GetLatestProjectSequence()
logging.Log("EVENT-Edc56").OnError(err).Warn("could not read latest project sequence") logging.Log("EVENT-Edc56").OnError(err).Warn("could not read latest project sequence")
permissions := authz.GetRequestPermissionsFromCtx(ctx)
if !authz.HasGlobalPermission(permissions) {
ids := authz.GetAllPermissionCtxIDs(permissions)
if _, q := request.GetSearchQuery(proj_model.ProjectViewSearchKeyProjectID); q != nil {
containsID := false
for _, id := range ids {
if id == q.Value {
containsID = true
break
}
}
if !containsID {
result := &proj_model.ProjectViewSearchResponse{
Offset: request.Offset,
Limit: request.Limit,
TotalResult: uint64(0),
Result: []*proj_model.ProjectView{},
}
if err == nil {
result.Sequence = sequence.CurrentSequence
result.Timestamp = sequence.CurrentTimestamp
}
return result, nil
}
} else {
request.Queries = append(request.Queries, &proj_model.ProjectViewSearchQuery{Key: proj_model.ProjectViewSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
}
}
projects, count, err := repo.View.SearchProjects(request) projects, count, err := repo.View.SearchProjects(request)
if err != nil { if err != nil {
return nil, err return nil, err
@ -348,6 +371,57 @@ func (repo *ProjectRepo) SearchProjectGrants(ctx context.Context, request *proj_
return result, nil return result, nil
} }
func (repo *ProjectRepo) SearchGrantedProjects(ctx context.Context, request *proj_model.ProjectGrantViewSearchRequest) (*proj_model.ProjectGrantViewSearchResponse, error) {
request.EnsureLimit(repo.SearchLimit)
sequence, err := repo.View.GetLatestProjectGrantSequence()
logging.Log("EVENT-Skw9f").OnError(err).Warn("could not read latest project grant sequence")
permissions := authz.GetRequestPermissionsFromCtx(ctx)
if !authz.HasGlobalPermission(permissions) {
ids := authz.GetAllPermissionCtxIDs(permissions)
if _, q := request.GetSearchQuery(proj_model.GrantedProjectSearchKeyGrantID); q != nil {
containsID := false
for _, id := range ids {
if id == q.Value {
containsID = true
break
}
}
if !containsID {
result := &proj_model.ProjectGrantViewSearchResponse{
Offset: request.Offset,
Limit: request.Limit,
TotalResult: uint64(0),
Result: []*proj_model.ProjectGrantView{},
}
if err == nil {
result.Sequence = sequence.CurrentSequence
result.Timestamp = sequence.CurrentTimestamp
}
return result, nil
}
} else {
request.Queries = append(request.Queries, &proj_model.ProjectGrantViewSearchQuery{Key: proj_model.GrantedProjectSearchKeyGrantID, Method: global_model.SearchMethodIsOneOf, Value: ids})
}
}
projects, count, err := repo.View.SearchProjectGrants(request)
if err != nil {
return nil, err
}
result := &proj_model.ProjectGrantViewSearchResponse{
Offset: request.Offset,
Limit: request.Limit,
TotalResult: uint64(count),
Result: model.ProjectGrantsToModel(projects),
}
if err == nil {
result.Sequence = sequence.CurrentSequence
result.Timestamp = sequence.CurrentTimestamp
}
return result, nil
}
func (repo *ProjectRepo) AddProjectGrant(ctx context.Context, grant *proj_model.ProjectGrant) (*proj_model.ProjectGrant, error) { func (repo *ProjectRepo) AddProjectGrant(ctx context.Context, grant *proj_model.ProjectGrant) (*proj_model.ProjectGrant, error) {
return repo.ProjectEvents.AddProjectGrant(ctx, grant) return repo.ProjectEvents.AddProjectGrant(ctx, grant)
} }
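Review bot: When the caller has no global permission and no ID query is present, the new branch in SearchProjects (L637-L638) appends an IsOneOf query with `ids` even when that slice is empty; unless the view layer is known to turn an empty IsOneOf into a no-match, a caller holding no project-scoped permission would get an unfiltered result, so the empty response should be returned for `len(ids) == 0` too. The same shape is repeated in SearchGrantedProjects (L675-L676) and in handleSearchUserGrantPermissions later in this commit (L847), and the containment loop (L617-L623, L655-L661) is a third copy of the listContainsID helper this commit adds in the same package, so the scope-check deserves one shared helper rather than three inline copies. Note also that SearchGrantedProjects filters GrantedProjectSearchKeyGrantID against every context ID from the caller's permissions, not only grant-scoped ones; that seems intended, but a comment saying so would help. Sketch for SearchProjects (the other two sites follow the same pattern):
```go
	permissions := authz.GetRequestPermissionsFromCtx(ctx)
	if !authz.HasGlobalPermission(permissions) {
		ids := authz.GetAllPermissionCtxIDs(permissions)
		_, q := request.GetSearchQuery(proj_model.ProjectViewSearchKeyProjectID)
		// A caller with no scoped IDs, or asking for an ID outside its scope, gets an empty page;
		// do not rely on how the view layer treats an empty IsOneOf list.
		allowed := len(ids) > 0
		if q != nil {
			allowed = false
			for _, id := range ids {
				if id == q.Value {
					allowed = true
					break
				}
			}
		}
		if !allowed {
			// … unchanged: build and return the empty ProjectViewSearchResponse …
		}
		if q == nil {
			request.Queries = append(request.Queries, &proj_model.ProjectViewSearchQuery{Key: proj_model.ProjectViewSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
		}
	}
	// … unchanged: repo.View.SearchProjects call and response assembly …
```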


@ -3,10 +3,18 @@ package eventstore
import ( import (
"context" "context"
"github.com/caos/logging" "github.com/caos/logging"
"github.com/caos/zitadel/internal/api/authz"
caos_errors "github.com/caos/zitadel/internal/errors"
"github.com/caos/zitadel/internal/management/repository/eventsourcing/view" "github.com/caos/zitadel/internal/management/repository/eventsourcing/view"
global_model "github.com/caos/zitadel/internal/model"
grant_model "github.com/caos/zitadel/internal/usergrant/model" grant_model "github.com/caos/zitadel/internal/usergrant/model"
grant_event "github.com/caos/zitadel/internal/usergrant/repository/eventsourcing" grant_event "github.com/caos/zitadel/internal/usergrant/repository/eventsourcing"
"github.com/caos/zitadel/internal/usergrant/repository/view/model" "github.com/caos/zitadel/internal/usergrant/repository/view/model"
"github.com/caos/zitadel/internal/view/repository"
)
const (
projectReadPerm = "project.read"
) )
type UserGrantRepo struct { type UserGrantRepo struct {
@ -24,34 +32,88 @@ func (repo *UserGrantRepo) UserGrantByID(ctx context.Context, grantID string) (*
} }
func (repo *UserGrantRepo) AddUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) { func (repo *UserGrantRepo) AddUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
if err != nil {
return nil, err
}
return repo.UserGrantEvents.AddUserGrant(ctx, grant) return repo.UserGrantEvents.AddUserGrant(ctx, grant)
} }
func (repo *UserGrantRepo) ChangeUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) { func (repo *UserGrantRepo) ChangeUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
if err != nil {
return nil, err
}
return repo.UserGrantEvents.ChangeUserGrant(ctx, grant) return repo.UserGrantEvents.ChangeUserGrant(ctx, grant)
} }
func (repo *UserGrantRepo) DeactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) { func (repo *UserGrantRepo) DeactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
grant, err := repo.UserGrantByID(ctx, grantID)
if err != nil {
return nil, err
}
err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
if err != nil {
return nil, err
}
return repo.UserGrantEvents.DeactivateUserGrant(ctx, grantID) return repo.UserGrantEvents.DeactivateUserGrant(ctx, grantID)
} }
func (repo *UserGrantRepo) ReactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) { func (repo *UserGrantRepo) ReactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
grant, err := repo.UserGrantByID(ctx, grantID)
if err != nil {
return nil, err
}
err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
if err != nil {
return nil, err
}
return repo.UserGrantEvents.ReactivateUserGrant(ctx, grantID) return repo.UserGrantEvents.ReactivateUserGrant(ctx, grantID)
} }
func (repo *UserGrantRepo) RemoveUserGrant(ctx context.Context, grantID string) error { func (repo *UserGrantRepo) RemoveUserGrant(ctx context.Context, grantID string) error {
grant, err := repo.UserGrantByID(ctx, grantID)
if err != nil {
return err
}
err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
if err != nil {
return err
}
return repo.UserGrantEvents.RemoveUserGrant(ctx, grantID) return repo.UserGrantEvents.RemoveUserGrant(ctx, grantID)
} }
func (repo *UserGrantRepo) BulkAddUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error { func (repo *UserGrantRepo) BulkAddUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
for _, grant := range grants {
err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
if err != nil {
return err
}
}
return repo.UserGrantEvents.AddUserGrants(ctx, grants...) return repo.UserGrantEvents.AddUserGrants(ctx, grants...)
} }
func (repo *UserGrantRepo) BulkChangeUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error { func (repo *UserGrantRepo) BulkChangeUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
for _, grant := range grants {
err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
if err != nil {
return err
}
}
return repo.UserGrantEvents.ChangeUserGrants(ctx, grants...) return repo.UserGrantEvents.ChangeUserGrants(ctx, grants...)
} }
func (repo *UserGrantRepo) BulkRemoveUserGrant(ctx context.Context, grantIDs ...string) error { func (repo *UserGrantRepo) BulkRemoveUserGrant(ctx context.Context, grantIDs ...string) error {
for _, grantID := range grantIDs {
grant, err := repo.UserGrantByID(ctx, grantID)
if err != nil {
return err
}
err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
if err != nil {
return err
}
}
return repo.UserGrantEvents.RemoveUserGrants(ctx, grantIDs...) return repo.UserGrantEvents.RemoveUserGrants(ctx, grantIDs...)
} }
@ -59,11 +121,18 @@ func (repo *UserGrantRepo) SearchUserGrants(ctx context.Context, request *grant_
request.EnsureLimit(repo.SearchLimit) request.EnsureLimit(repo.SearchLimit)
sequence, err := repo.View.GetLatestUserGrantSequence() sequence, err := repo.View.GetLatestUserGrantSequence()
logging.Log("EVENT-5Viwf").OnError(err).Warn("could not read latest user grant sequence") logging.Log("EVENT-5Viwf").OnError(err).Warn("could not read latest user grant sequence")
result := handleSearchUserGrantPermissions(ctx, request, sequence)
if result != nil {
return result, nil
}
grants, count, err := repo.View.SearchUserGrants(request) grants, count, err := repo.View.SearchUserGrants(request)
if err != nil { if err != nil {
return nil, err return nil, err
} }
result := &grant_model.UserGrantSearchResponse{
result = &grant_model.UserGrantSearchResponse{
Offset: request.Offset, Offset: request.Offset,
Limit: request.Limit, Limit: request.Limit,
TotalResult: uint64(count), TotalResult: uint64(count),
@ -75,3 +144,67 @@ func (repo *UserGrantRepo) SearchUserGrants(ctx context.Context, request *grant_
} }
return result, nil return result, nil
} }
func handleSearchUserGrantPermissions(ctx context.Context, request *grant_model.UserGrantSearchRequest, sequence *repository.CurrentSequence) *grant_model.UserGrantSearchResponse {
permissions := authz.GetAllPermissionsFromCtx(ctx)
if authz.HasGlobalExplicitPermission(permissions, projectReadPerm) {
return nil
}
ids := authz.GetExplicitPermissionCtxIDs(permissions, projectReadPerm)
if _, q := request.GetSearchQuery(grant_model.UserGrantSearchKeyProjectID); q != nil {
containsID := false
for _, id := range ids {
if id == q.Value {
containsID = true
break
}
}
if !containsID {
result := &grant_model.UserGrantSearchResponse{
Offset: request.Offset,
Limit: request.Limit,
TotalResult: uint64(0),
Result: []*grant_model.UserGrantView{},
}
if sequence != nil {
result.Sequence = sequence.CurrentSequence
result.Timestamp = sequence.CurrentTimestamp
}
return result
}
}
request.Queries = append(request.Queries, &grant_model.UserGrantSearchQuery{Key: grant_model.UserGrantSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
return nil
}
func checkExplicitPermission(ctx context.Context, grantID, projectID string) error {
permissions := authz.GetRequestPermissionsFromCtx(ctx)
if authz.HasGlobalPermission(permissions) {
return nil
}
ids := authz.GetAllPermissionCtxIDs(permissions)
containsID := false
if grantID != "" {
containsID = listContainsID(ids, grantID)
if containsID {
return nil
}
}
containsID = listContainsID(ids, projectID)
if !containsID {
return caos_errors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
}
return nil
}
func listContainsID(ids []string, id string) bool {
containsID := false
for _, i := range ids {
if i == id {
containsID = true
break
}
}
return containsID
}
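Review bot: When the caller holds no explicit project.read permission, `ids` is empty and the final append in handleSearchUserGrantPermissions still adds an IsOneOf query with an empty slice; whether that yields zero rows or an unconstrained search depends on how SetQuery renders an empty list, which is not visible here, so the deny-by-default empty response should be returned explicitly before the append. The inline loop that checks the requested project against `ids` duplicates `listContainsID` defined a few lines below, and the empty-response construction is worth extracting so both denial paths build it the same way. `checkExplicitPermission` reads `authz.GetRequestPermissionsFromCtx` while `handleSearchUserGrantPermissions` reads `authz.GetAllPermissionsFromCtx`; if that difference is intended, a one-line comment on each saying why would help the next reader. The enclosing `SearchUserGrants` closes at the top of this hunk but starts outside it.
```go
func handleSearchUserGrantPermissions(ctx context.Context, request *grant_model.UserGrantSearchRequest, sequence *repository.CurrentSequence) *grant_model.UserGrantSearchResponse {
	permissions := authz.GetAllPermissionsFromCtx(ctx)
	if authz.HasGlobalExplicitPermission(permissions, projectReadPerm) {
		return nil
	}
	ids := authz.GetExplicitPermissionCtxIDs(permissions, projectReadPerm)
	// deny by default: without any explicitly readable project there is nothing to return,
	// and an IsOneOf query over an empty list must never reach the view
	if len(ids) == 0 {
		return emptyUserGrantSearchResponse(request, sequence)
	}
	if _, q := request.GetSearchQuery(grant_model.UserGrantSearchKeyProjectID); q != nil {
		projectID, ok := q.Value.(string)
		if !ok || !listContainsID(ids, projectID) {
			return emptyUserGrantSearchResponse(request, sequence)
		}
	}
	// restrict the search to the readable projects regardless of the caller's own query
	request.Queries = append(request.Queries, &grant_model.UserGrantSearchQuery{Key: grant_model.UserGrantSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
	return nil
}

// emptyUserGrantSearchResponse builds the response returned when the caller may not see any grant
// for the requested project; it carries the view sequence like a regular result.
func emptyUserGrantSearchResponse(request *grant_model.UserGrantSearchRequest, sequence *repository.CurrentSequence) *grant_model.UserGrantSearchResponse {
	result := &grant_model.UserGrantSearchResponse{
		Offset:      request.Offset,
		Limit:       request.Limit,
		TotalResult: 0,
		Result:      []*grant_model.UserGrantView{},
	}
	if sequence != nil {
		result.Sequence = sequence.CurrentSequence
		result.Timestamp = sequence.CurrentTimestamp
	}
	return result
}
```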


@ -14,6 +14,7 @@ type ProjectRepository interface {
ReactivateProject(ctx context.Context, id string) (*model.Project, error) ReactivateProject(ctx context.Context, id string) (*model.Project, error)
SearchProjects(ctx context.Context, request *model.ProjectViewSearchRequest) (*model.ProjectViewSearchResponse, error) SearchProjects(ctx context.Context, request *model.ProjectViewSearchRequest) (*model.ProjectViewSearchResponse, error)
SearchProjectGrants(ctx context.Context, request *model.ProjectGrantViewSearchRequest) (*model.ProjectGrantViewSearchResponse, error) SearchProjectGrants(ctx context.Context, request *model.ProjectGrantViewSearchRequest) (*model.ProjectGrantViewSearchResponse, error)
SearchGrantedProjects(ctx context.Context, request *model.ProjectGrantViewSearchRequest) (*model.ProjectGrantViewSearchResponse, error)
ProjectGrantViewByID(ctx context.Context, grantID string) (*model.ProjectGrantView, error) ProjectGrantViewByID(ctx context.Context, grantID string) (*model.ProjectGrantView, error)
ProjectMemberByID(ctx context.Context, projectID, userID string) (*model.ProjectMemberView, error) ProjectMemberByID(ctx context.Context, projectID, userID string) (*model.ProjectMemberView, error)
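Review bot: SearchGrantedProjects is added with exactly the request and response types of SearchProjectGrants on the line above, so the interface gives no hint of how the two differ or which one applies the caller's permissions. A doc comment on the new method would help, e.g. `// SearchGrantedProjects searches project grants, presumably limited to the projects the caller is allowed to read — confirm against the implementation`, since the implementation is not part of this hunk. The interface body continues outside the hunk.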


@ -56,6 +56,15 @@ type ProjectGrantViewSearchResponse struct {
Timestamp time.Time Timestamp time.Time
} }
func (r *ProjectGrantViewSearchRequest) GetSearchQuery(key ProjectGrantViewSearchKey) (int, *ProjectGrantViewSearchQuery) {
for i, q := range r.Queries {
if q.Key == key {
return i, q
}
}
return -1, nil
}
func (r *ProjectGrantViewSearchRequest) AppendMyOrgQuery(orgID string) { func (r *ProjectGrantViewSearchRequest) AppendMyOrgQuery(orgID string) {
r.Queries = append(r.Queries, &ProjectGrantViewSearchQuery{Key: GrantedProjectSearchKeyOrgID, Method: model.SearchMethodEquals, Value: orgID}) r.Queries = append(r.Queries, &ProjectGrantViewSearchQuery{Key: GrantedProjectSearchKeyOrgID, Method: model.SearchMethodEquals, Value: orgID})
} }
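Review bot: GetSearchQuery returns only the first query whose key matches and silently ignores any later query with the same key; that is acceptable for a lookup, but it should be stated because the user-grant permission filter in this commit uses the result to decide whether a request already carries a project filter. Suggest `// GetSearchQuery returns the index and the first query with the given key, or -1 and nil when the key is absent.` The identical helper is added to ProjectViewSearchRequest and UserGrantSearchRequest later in this commit; the same comment applies to all three.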


@ -47,6 +47,15 @@ type ProjectViewSearchResponse struct {
Timestamp time.Time Timestamp time.Time
} }
func (r *ProjectViewSearchRequest) GetSearchQuery(key ProjectViewSearchKey) (int, *ProjectViewSearchQuery) {
for i, q := range r.Queries {
if q.Key == key {
return i, q
}
}
return -1, nil
}
func (r *ProjectViewSearchRequest) AppendMyResourceOwnerQuery(orgID string) { func (r *ProjectViewSearchRequest) AppendMyResourceOwnerQuery(orgID string) {
r.Queries = append(r.Queries, &ProjectViewSearchQuery{Key: ProjectViewSearchKeyResourceOwner, Method: model.SearchMethodEquals, Value: orgID}) r.Queries = append(r.Queries, &ProjectViewSearchQuery{Key: ProjectViewSearchKeyResourceOwner, Method: model.SearchMethodEquals, Value: orgID})
} }


@ -109,6 +109,7 @@ Errors:
IDMissing: Id fehlt IDMissing: Id fehlt
NotActive: Benutzer Berechtigung ist nicht aktiv NotActive: Benutzer Berechtigung ist nicht aktiv
NotInactive: Benutzer Berechtigung ist nicht deaktiviert NotInactive: Benutzer Berechtigung ist nicht deaktiviert
NoPermissionForProject: Benutzer hat keine Rechte auf diesem Projekt
Changes: Changes:
NotFound: Es konnte kein Änderungsverlauf gefunden werden NotFound: Es konnte kein Änderungsverlauf gefunden werden
Token: Token:


@ -109,6 +109,7 @@ Errors:
IDMissing: Id missing IDMissing: Id missing
NotActive: User grant is not active NotActive: User grant is not active
NotInactive: User grant is not deactivated NotInactive: User grant is not deactivated
NoPermissionForProject: User has no permissions on this project
Changes: Changes:
NotFound: No history found NotFound: No history found
Token: Token:


@ -71,6 +71,15 @@ func (r *UserGrantSearchRequest) EnsureLimit(limit uint64) {
} }
} }
func (r *UserGrantSearchRequest) GetSearchQuery(key UserGrantSearchKey) (int, *UserGrantSearchQuery) {
for i, q := range r.Queries {
if q.Key == key {
return i, q
}
}
return -1, nil
}
func (r *UserGrantSearchRequest) AppendMyOrgQuery(orgID string) { func (r *UserGrantSearchRequest) AppendMyOrgQuery(orgID string) {
r.Queries = append(r.Queries, &UserGrantSearchQuery{Key: UserGrantSearchKeyResourceOwner, Method: model.SearchMethodEquals, Value: orgID}) r.Queries = append(r.Queries, &UserGrantSearchQuery{Key: UserGrantSearchKeyResourceOwner, Method: model.SearchMethodEquals, Value: orgID})
} }


@ -76,7 +76,7 @@ func SetQuery(query *gorm.DB, key ColumnKey, value interface{}, method model.Sea
case model.SearchMethodStartsWith: case model.SearchMethodStartsWith:
valueText, ok := value.(string) valueText, ok := value.(string)
if !ok { if !ok {
return nil, caos_errs.ThrowInvalidArgument(nil, "VIEW-idu8e", "Starts with only possible for strings") return nil, caos_errs.ThrowInvalidArgument(nil, "VIEW-SLj7s", "Starts with only possible for strings")
} }
query = query.Where(column+" LIKE ?", valueText+"%") query = query.Where(column+" LIKE ?", valueText+"%")
case model.SearchMethodStartsWithIgnoreCase: case model.SearchMethodStartsWithIgnoreCase:


@ -321,7 +321,7 @@ var ManagementService_AuthMethods = authz.MethodMapping{
"/caos.zitadel.management.api.v1.ManagementService/SearchGrantedProjects": authz.Option{ "/caos.zitadel.management.api.v1.ManagementService/SearchGrantedProjects": authz.Option{
Permission: "project.read", Permission: "project.read",
CheckParam: "ProjectId", CheckParam: "",
}, },
"/caos.zitadel.management.api.v1.ManagementService/GetGrantedProjectByID": authz.Option{ "/caos.zitadel.management.api.v1.ManagementService/GetGrantedProjectByID": authz.Option{
@ -494,6 +494,16 @@ var ManagementService_AuthMethods = authz.MethodMapping{
CheckParam: "", CheckParam: "",
}, },
"/caos.zitadel.management.api.v1.ManagementService/CreateUserGrant": authz.Option{
Permission: "user.grant.write",
CheckParam: "",
},
"/caos.zitadel.management.api.v1.ManagementService/UpdateUserGrant": authz.Option{
Permission: "user.grant.write",
CheckParam: "",
},
"/caos.zitadel.management.api.v1.ManagementService/DeactivateUserGrant": authz.Option{ "/caos.zitadel.management.api.v1.ManagementService/DeactivateUserGrant": authz.Option{
Permission: "user.grant.write", Permission: "user.grant.write",
CheckParam: "", CheckParam: "",
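Review bot: Clearing CheckParam for SearchGrantedProjects removes the interceptor's object-level check of project.read against the request's ProjectId, so any caller holding project.read on some object now reaches the handler and the per-project restriction must be enforced by the repository, presumably through the SearchGrantedProjects interface method added in this commit. That is a workable design, but nothing at the mapping says so, and an empty CheckParam reads as "no object-level check" to the next maintainer. Since this mapping is presumably generated from the proto's auth_option, a comment on the rpc in the proto such as `// authorization is enforced per project in the repository, not via check_field_name` would record the intent where it is maintained. The new CreateUserGrant and UpdateUserGrant entries use the same empty CheckParam pattern as the existing DeactivateUserGrant entry, so the same remark applies to them.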



@ -2839,6 +2839,87 @@ func request_ManagementService_UserGrantByID_0(ctx context.Context, marshaler ru
} }
func request_ManagementService_CreateUserGrant_0(ctx context.Context, marshaler runtime.Marshaler, client ManagementServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
var protoReq UserGrantCreate
var metadata runtime.ServerMetadata
newReader, berr := utilities.IOReaderFactory(req.Body)
if berr != nil {
return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
}
if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
}
var (
val string
ok bool
err error
_ = err
)
val, ok = pathParams["user_id"]
if !ok {
return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "user_id")
}
protoReq.UserId, err = runtime.String(val)
if err != nil {
return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "user_id", err)
}
msg, err := client.CreateUserGrant(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
return msg, metadata, err
}
func request_ManagementService_UpdateUserGrant_0(ctx context.Context, marshaler runtime.Marshaler, client ManagementServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
var protoReq UserGrantUpdate
var metadata runtime.ServerMetadata
newReader, berr := utilities.IOReaderFactory(req.Body)
if berr != nil {
return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
}
if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
}
var (
val string
ok bool
err error
_ = err
)
val, ok = pathParams["user_id"]
if !ok {
return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "user_id")
}
protoReq.UserId, err = runtime.String(val)
if err != nil {
return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "user_id", err)
}
val, ok = pathParams["id"]
if !ok {
return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "id")
}
protoReq.Id, err = runtime.String(val)
if err != nil {
return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "id", err)
}
msg, err := client.UpdateUserGrant(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
return msg, metadata, err
}
func request_ManagementService_DeactivateUserGrant_0(ctx context.Context, marshaler runtime.Marshaler, client ManagementServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) { func request_ManagementService_DeactivateUserGrant_0(ctx context.Context, marshaler runtime.Marshaler, client ManagementServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
var protoReq UserGrantID var protoReq UserGrantID
var metadata runtime.ServerMetadata var metadata runtime.ServerMetadata
@ -5606,6 +5687,46 @@ func RegisterManagementServiceHandlerClient(ctx context.Context, mux *runtime.Se
}) })
mux.Handle("POST", pattern_ManagementService_CreateUserGrant_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
ctx, cancel := context.WithCancel(req.Context())
defer cancel()
inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
rctx, err := runtime.AnnotateContext(ctx, mux, req)
if err != nil {
runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
return
}
resp, md, err := request_ManagementService_CreateUserGrant_0(rctx, inboundMarshaler, client, req, pathParams)
ctx = runtime.NewServerMetadataContext(ctx, md)
if err != nil {
runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
return
}
forward_ManagementService_CreateUserGrant_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
})
mux.Handle("PUT", pattern_ManagementService_UpdateUserGrant_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
ctx, cancel := context.WithCancel(req.Context())
defer cancel()
inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
rctx, err := runtime.AnnotateContext(ctx, mux, req)
if err != nil {
runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
return
}
resp, md, err := request_ManagementService_UpdateUserGrant_0(rctx, inboundMarshaler, client, req, pathParams)
ctx = runtime.NewServerMetadataContext(ctx, md)
if err != nil {
runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
return
}
forward_ManagementService_UpdateUserGrant_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
})
mux.Handle("PUT", pattern_ManagementService_DeactivateUserGrant_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) { mux.Handle("PUT", pattern_ManagementService_DeactivateUserGrant_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
ctx, cancel := context.WithCancel(req.Context()) ctx, cancel := context.WithCancel(req.Context())
defer cancel() defer cancel()
@ -6128,6 +6249,10 @@ var (
pattern_ManagementService_UserGrantByID_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"users", "user_id", "grants", "id"}, "")) pattern_ManagementService_UserGrantByID_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"users", "user_id", "grants", "id"}, ""))
pattern_ManagementService_CreateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2}, []string{"users", "user_id", "grants"}, ""))
pattern_ManagementService_UpdateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"users", "user_id", "grants", "id"}, ""))
pattern_ManagementService_DeactivateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"users", "user_id", "grants", "id", "_deactivate"}, "")) pattern_ManagementService_DeactivateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"users", "user_id", "grants", "id", "_deactivate"}, ""))
pattern_ManagementService_ReactivateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"users", "user_id", "grants", "id", "_reactivate"}, "")) pattern_ManagementService_ReactivateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"users", "user_id", "grants", "id", "_reactivate"}, ""))
@ -6360,6 +6485,10 @@ var (
forward_ManagementService_UserGrantByID_0 = runtime.ForwardResponseMessage forward_ManagementService_UserGrantByID_0 = runtime.ForwardResponseMessage
forward_ManagementService_CreateUserGrant_0 = runtime.ForwardResponseMessage
forward_ManagementService_UpdateUserGrant_0 = runtime.ForwardResponseMessage
forward_ManagementService_DeactivateUserGrant_0 = runtime.ForwardResponseMessage forward_ManagementService_DeactivateUserGrant_0 = runtime.ForwardResponseMessage
forward_ManagementService_ReactivateUserGrant_0 = runtime.ForwardResponseMessage forward_ManagementService_ReactivateUserGrant_0 = runtime.ForwardResponseMessage


@ -517,6 +517,26 @@ func (mr *MockManagementServiceClientMockRecorder) CreateUser(arg0, arg1 interfa
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateUser", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateUser), varargs...) return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateUser", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateUser), varargs...)
} }
// CreateUserGrant mocks base method
func (m *MockManagementServiceClient) CreateUserGrant(arg0 context.Context, arg1 *management.UserGrantCreate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "CreateUserGrant", varargs...)
ret0, _ := ret[0].(*management.UserGrant)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// CreateUserGrant indicates an expected call of CreateUserGrant
func (mr *MockManagementServiceClientMockRecorder) CreateUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateUserGrant), varargs...)
}
// DeactivateApplication mocks base method // DeactivateApplication mocks base method
func (m *MockManagementServiceClient) DeactivateApplication(arg0 context.Context, arg1 *management.ApplicationID, arg2 ...grpc.CallOption) (*management.Application, error) { func (m *MockManagementServiceClient) DeactivateApplication(arg0 context.Context, arg1 *management.ApplicationID, arg2 ...grpc.CallOption) (*management.Application, error) {
m.ctrl.T.Helper() m.ctrl.T.Helper()
@ -2257,6 +2277,26 @@ func (mr *MockManagementServiceClientMockRecorder) UpdateUserAddress(arg0, arg1
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserAddress", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateUserAddress), varargs...) return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserAddress", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateUserAddress), varargs...)
} }
// UpdateUserGrant mocks base method
func (m *MockManagementServiceClient) UpdateUserGrant(arg0 context.Context, arg1 *management.UserGrantUpdate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "UpdateUserGrant", varargs...)
ret0, _ := ret[0].(*management.UserGrant)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// UpdateUserGrant indicates an expected call of UpdateUserGrant
func (mr *MockManagementServiceClientMockRecorder) UpdateUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateUserGrant), varargs...)
}
// UpdateUserProfile mocks base method // UpdateUserProfile mocks base method
func (m *MockManagementServiceClient) UpdateUserProfile(arg0 context.Context, arg1 *management.UpdateUserProfileRequest, arg2 ...grpc.CallOption) (*management.UserProfile, error) { func (m *MockManagementServiceClient) UpdateUserProfile(arg0 context.Context, arg1 *management.UpdateUserProfileRequest, arg2 ...grpc.CallOption) (*management.UserProfile, error) {
m.ctrl.T.Helper() m.ctrl.T.Helper()


@ -722,7 +722,6 @@ service ManagementService {
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "project.read" permission: "project.read"
check_field_name: "ProjectId"
}; };
} }
@ -1112,6 +1111,28 @@ service ManagementService {
}; };
} }
rpc CreateUserGrant(UserGrantCreate) returns (UserGrant) {
option (google.api.http) = {
post: "/users/{user_id}/grants"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "user.grant.write"
};
}
rpc UpdateUserGrant(UserGrantUpdate) returns (UserGrant) {
option (google.api.http) = {
put: "/users/{user_id}/grants/{id}"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "user.grant.write"
};
}
rpc DeactivateUserGrant(UserGrantID) returns (UserGrant) { rpc DeactivateUserGrant(UserGrantID) returns (UserGrant) {
option (google.api.http) = { option (google.api.http) = {
put: "/users/{user_id}/grants/{id}/_deactivate" put: "/users/{user_id}/grants/{id}/_deactivate"
@ -1159,6 +1180,7 @@ service ManagementService {
// search user grants based on a project // search user grants based on a project
// This request is required that the user authorizations of zitadel can be differentiated // This request is required that the user authorizations of zitadel can be differentiated
rpc SearchProjectUserGrants(ProjectUserGrantSearchRequest) returns (UserGrantSearchResponse) { rpc SearchProjectUserGrants(ProjectUserGrantSearchRequest) returns (UserGrantSearchResponse) {
option deprecated = true;
option (google.api.http) = { option (google.api.http) = {
post: "/projects/{project_id}/users/grants/_search" post: "/projects/{project_id}/users/grants/_search"
body: "*" body: "*"
@ -1173,6 +1195,7 @@ service ManagementService {
// get user grant based on a project // get user grant based on a project
// This request is required that the user authorizations of zitadel can be differentiated // This request is required that the user authorizations of zitadel can be differentiated
rpc ProjectUserGrantByID(ProjectUserGrantID) returns (UserGrantView) { rpc ProjectUserGrantByID(ProjectUserGrantID) returns (UserGrantView) {
option deprecated = true;
option (google.api.http) = { option (google.api.http) = {
get: "/projects/{project_id}/users/{user_id}/grants/{id}" get: "/projects/{project_id}/users/{user_id}/grants/{id}"
}; };
@ -1186,6 +1209,7 @@ service ManagementService {
// create user grant based on a project // create user grant based on a project
// This request is required that the user authorizations of zitadel can be differentiated // This request is required that the user authorizations of zitadel can be differentiated
rpc CreateProjectUserGrant(UserGrantCreate) returns (UserGrant) { rpc CreateProjectUserGrant(UserGrantCreate) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = { option (google.api.http) = {
post: "/projects/{project_id}/users/{user_id}/grants" post: "/projects/{project_id}/users/{user_id}/grants"
body: "*" body: "*"
@ -1200,6 +1224,7 @@ service ManagementService {
// update user grant based on a project // update user grant based on a project
// This request is required that the user authorizations of zitadel can be differentiated // This request is required that the user authorizations of zitadel can be differentiated
rpc UpdateProjectUserGrant(ProjectUserGrantUpdate) returns (UserGrant) { rpc UpdateProjectUserGrant(ProjectUserGrantUpdate) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = { option (google.api.http) = {
put: "/projects/{project_id}/users/{user_id}/grants/{id}" put: "/projects/{project_id}/users/{user_id}/grants/{id}"
body: "*" body: "*"
@ -1214,6 +1239,7 @@ service ManagementService {
// deactivate user grant based on a project // deactivate user grant based on a project
// This request is required that the user authorizations of zitadel can be differentiated // This request is required that the user authorizations of zitadel can be differentiated
rpc DeactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) { rpc DeactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = { option (google.api.http) = {
put: "/projects/{project_id}/users/{user_id}/grants/{id}/_deactivate" put: "/projects/{project_id}/users/{user_id}/grants/{id}/_deactivate"
body: "*" body: "*"
@ -1228,6 +1254,7 @@ service ManagementService {
// reactivate user grant based on a project // reactivate user grant based on a project
// This request is required that the user authorizations of zitadel can be differentiated // This request is required that the user authorizations of zitadel can be differentiated
rpc ReactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) { rpc ReactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = { option (google.api.http) = {
put: "/projects/{project_id}/users/{user_id}/grants/{id}/_reactivate" put: "/projects/{project_id}/users/{user_id}/grants/{id}/_reactivate"
body: "*" body: "*"
@ -1242,6 +1269,7 @@ service ManagementService {
// search user grants based on a projectgrant // search user grants based on a projectgrant
// This request is required that the user authorizations of zitadel can be differentiated // This request is required that the user authorizations of zitadel can be differentiated
rpc SearchProjectGrantUserGrants(ProjectGrantUserGrantSearchRequest) returns (UserGrantSearchResponse) { rpc SearchProjectGrantUserGrants(ProjectGrantUserGrantSearchRequest) returns (UserGrantSearchResponse) {
option deprecated = true;
option (google.api.http) = { option (google.api.http) = {
post: "/projectgrants/{project_grant_id}/users/grants/_search" post: "/projectgrants/{project_grant_id}/users/grants/_search"
body: "*" body: "*"
@ -1256,6 +1284,7 @@ service ManagementService {
// get user grant based on a projectgrant // get user grant based on a projectgrant
// This request is required that the user authorizations of zitadel can be differentiated // This request is required that the user authorizations of zitadel can be differentiated
rpc ProjectGrantUserGrantByID(ProjectGrantUserGrantID) returns (UserGrantView) { rpc ProjectGrantUserGrantByID(ProjectGrantUserGrantID) returns (UserGrantView) {
option deprecated = true;
option (google.api.http) = { option (google.api.http) = {
get: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}" get: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
}; };
@ -1269,6 +1298,7 @@ service ManagementService {
// create user grant based on a projectgrant // create user grant based on a projectgrant
// This request is required that the user authorizations of zitadel can be differentiated // This request is required that the user authorizations of zitadel can be differentiated
rpc CreateProjectGrantUserGrant(ProjectGrantUserGrantCreate) returns (UserGrant) { rpc CreateProjectGrantUserGrant(ProjectGrantUserGrantCreate) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = { option (google.api.http) = {
post: "/projectgrants/{project_grant_id}/users/{user_id}/grants" post: "/projectgrants/{project_grant_id}/users/{user_id}/grants"
body: "*" body: "*"
@ -1283,6 +1313,7 @@ service ManagementService {
// update user grant based on a projectgrant // update user grant based on a projectgrant
// This request is required that the user authorizations of zitadel can be differentiated // This request is required that the user authorizations of zitadel can be differentiated
rpc UpdateProjectGrantUserGrant(ProjectGrantUserGrantUpdate) returns (UserGrant) { rpc UpdateProjectGrantUserGrant(ProjectGrantUserGrantUpdate) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = { option (google.api.http) = {
put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}" put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
body: "*" body: "*"
@ -1297,6 +1328,7 @@ service ManagementService {
// deactivate user grant based on a projectgrant // deactivate user grant based on a projectgrant
// This request is required that the user authorizations of zitadel can be differentiated // This request is required that the user authorizations of zitadel can be differentiated
rpc DeactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) { rpc DeactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = { option (google.api.http) = {
put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_deactivate" put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_deactivate"
body: "*" body: "*"
@ -1311,6 +1343,7 @@ service ManagementService {
// reactivate user grant based on a projectgrant // reactivate user grant based on a projectgrant
// This request is required that the user authorizations of zitadel can be differentiated // This request is required that the user authorizations of zitadel can be differentiated
rpc ReactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) { rpc ReactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
option deprecated = true;
option (google.api.http) = { option (google.api.http) = {
put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_reactivate" put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_reactivate"
body: "*" body: "*"