fix: mitigate overload risk in processProject on user grant (#2662)

2025-01-13 02:03:40 +00:00 · 2021-11-12 12:11:37 +01:00 · 2021-11-12 12:11:37 +01:00 · 4fc2582b4c
commit 4fc2582b4c
parent 7324e776cf
3 changed files with 42 additions and 20 deletions
--- a/internal/auth/repository/eventsourcing/handler/user_grant.go
+++ b/internal/auth/repository/eventsourcing/handler/user_grant.go
@ -177,27 +177,37 @@ func (u *UserGrant) processUser(event *es_models.Event) (err error) {
 func (u *UserGrant) processProject(event *es_models.Event) (err error) {
 	switch event.Type {
 	case proj_es_model.ProjectChanged:
+		proj := new(proj_es_model.Project)
+		err := proj.SetData(event)
+		if err != nil {
+			return err
+		}
+		if proj.Name == "" {
+			return u.view.ProcessedUserGrantSequence(event)
+		}
 		grants, err := u.view.UserGrantsByProjectID(event.AggregateID)
 		if err != nil {
 			return err
 		}
-		project, err := u.getProjectByID(context.Background(), event.AggregateID)
-		if err != nil {
-			return err
-		}
 		for _, grant := range grants {
-			u.fillProjectData(grant, project)
+			grant.ProjectName = proj.Name
 		}
 		return u.view.PutUserGrants(grants, event)
 	case proj_es_model.ProjectMemberAdded, proj_es_model.ProjectMemberChanged,
 		proj_es_model.ProjectMemberRemoved, proj_es_model.ProjectMemberCascadeRemoved:
 		member := new(proj_es_model.ProjectMember)
-		member.SetData(event)
+		err := member.SetData(event)
+		if err != nil {
+			return err
+		}
 		return u.processMember(event, "PROJECT", event.AggregateID, member.UserID, member.Roles)
 	case proj_es_model.ProjectGrantMemberAdded, proj_es_model.ProjectGrantMemberChanged,
 		proj_es_model.ProjectGrantMemberRemoved, proj_es_model.ProjectGrantMemberCascadeRemoved:
 		member := new(proj_es_model.ProjectGrantMember)
-		member.SetData(event)
+		err := member.SetData(event)
+		if err != nil {
+			return err
+		}
 		return u.processMember(event, "PROJECT_GRANT", member.GrantID, member.UserID, member.Roles)
 	default:
 		return u.view.ProcessedUserGrantSequence(event)
--- a/internal/authz/repository/eventsourcing/handler/user_grant.go
+++ b/internal/authz/repository/eventsourcing/handler/user_grant.go
@ -2,11 +2,12 @@ package handler

 import (
 	"context"
-	"github.com/caos/zitadel/internal/eventstore/v1"
+	"strings"
+
+	v1 "github.com/caos/zitadel/internal/eventstore/v1"
 	es_sdk "github.com/caos/zitadel/internal/eventstore/v1/sdk"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	iam_view "github.com/caos/zitadel/internal/iam/repository/view"
-	"strings"

 	"github.com/caos/logging"

@ -109,13 +110,19 @@ func (u *UserGrant) processProject(event *es_models.Event) (err error) {
 	case proj_es_model.ProjectMemberAdded, proj_es_model.ProjectMemberChanged,
 		proj_es_model.ProjectMemberRemoved, proj_es_model.ProjectMemberCascadeRemoved:
 		member := new(proj_es_model.ProjectMember)
-		member.SetData(event)
+		err := member.SetData(event)
+		if err != nil {
+			return err
+		}
 		return u.processMember(event, "PROJECT", event.AggregateID, member.UserID, member.Roles)
 	case proj_es_model.ProjectGrantMemberAdded, proj_es_model.ProjectGrantMemberChanged,
 		proj_es_model.ProjectGrantMemberRemoved,
 		proj_es_model.ProjectGrantMemberCascadeRemoved:
 		member := new(proj_es_model.ProjectGrantMember)
-		member.SetData(event)
+		err := member.SetData(event)
+		if err != nil {
+			return err
+		}
 		return u.processMember(event, "PROJECT_GRANT", member.GrantID, member.UserID, member.Roles)
 	default:
 		return u.view.ProcessedUserGrantSequence(event)
@ -127,7 +134,10 @@ func (u *UserGrant) processOrg(event *es_models.Event) (err error) {
 	case org_es_model.OrgMemberAdded, org_es_model.OrgMemberChanged,
 		org_es_model.OrgMemberRemoved, org_es_model.OrgMemberCascadeRemoved:
 		member := new(org_es_model.OrgMember)
-		member.SetData(event)
+		err := member.SetData(event)
+		if err != nil {
+			return err
+		}
 		return u.processMember(event, "ORG", "", member.UserID, member.Roles)
 	default:
 		return u.view.ProcessedUserGrantSequence(event)
--- a/internal/management/repository/eventsourcing/handler/user_grant.go
+++ b/internal/management/repository/eventsourcing/handler/user_grant.go
@ -4,6 +4,7 @@ import (
 	"context"

 	"github.com/caos/logging"
+
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	v1 "github.com/caos/zitadel/internal/eventstore/v1"
 	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
@ -159,19 +160,20 @@ func (u *UserGrant) processUser(event *es_models.Event) (err error) {
 func (u *UserGrant) processProject(event *es_models.Event) (err error) {
 	switch event.Type {
 	case proj_es_model.ProjectChanged:
+		proj := new(proj_es_model.Project)
+		err := proj.SetData(event)
+		if err != nil {
+			return err
+		}
+		if proj.Name == "" {
+			return u.view.ProcessedUserGrantSequence(event)
+		}
 		grants, err := u.view.UserGrantsByProjectID(event.AggregateID)
 		if err != nil {
 			return err
 		}
-		if len(grants) == 0 {
-			return u.view.ProcessedUserGrantSequence(event)
-		}
-		project, err := u.getProjectByID(context.Background(), event.AggregateID)
-		if err != nil {
-			return err
-		}
 		for _, grant := range grants {
-			u.fillProjectData(grant, project)
+			grant.ProjectName = proj.Name
 		}
 		return u.view.PutUserGrants(grants, event)
 	default: