feat: add tenant column to eventstore (#3314)

* feat: add tenant column to eventstore * feat: read tenant from context on push and filter * Update 07_events_table.sql * pass tenant to queryFactory * fix some query tests * init in tests * add missing sql files Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-11 18:07:31 +00:00 · 2022-03-15 07:19:02 +01:00
parent 5463244376
commit 5132ebe07c
51 changed files with 414 additions and 479 deletions
--- a/cmd/admin/initialise/init.go
+++ b/cmd/admin/initialise/init.go
@@ -5,12 +5,13 @@ import (
 	_ "embed"

 	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/database"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"

 	//sql import
 	_ "github.com/lib/pq"
+
+	"github.com/caos/zitadel/internal/database"
 )

 func New() *cobra.Command {
@@ -33,9 +34,9 @@ The user provided by flags needs priviledge to
 				return err
 			}
 			if err := initialise(config,
-				verifyUser(config.Database),
-				verifyDatabase(config.Database),
-				verifyGrant(config.Database),
+				VerifyUser(config.Database.User.Username, config.Database.User.Password),
+				VerifyDatabase(config.Database.Database),
+				VerifyGrant(config.Database.Database, config.Database.User.Username),
 			); err != nil {
 				return err
 			}
@@ -55,12 +56,18 @@ func initialise(config Config, steps ...func(*sql.DB) error) error {
 	if err != nil {
 		return err
 	}
+	err = Initialise(db, steps...)
+	if err != nil {
+		return err
+	}
+	return db.Close()
+}

+func Initialise(db *sql.DB, steps ...func(*sql.DB) error) error {
 	for _, step := range steps {
-		if err = step(db); err != nil {
+		if err := step(db); err != nil {
 			return err
 		}
 	}
-
-	return db.Close()
+	return nil
 }
--- a/cmd/admin/initialise/sql/09_events_table.sql
+++ b/cmd/admin/initialise/sql/09_events_table.sql
@@ -12,13 +12,14 @@ CREATE TABLE eventstore.events (
 	, editor_user TEXT NOT NULL 
 	, editor_service TEXT NOT NULL
 	, resource_owner TEXT NOT NULL
+	, tenant TEXT

 	, PRIMARY KEY (event_sequence DESC) USING HASH WITH BUCKET_COUNT = 10
 	, INDEX agg_type_agg_id (aggregate_type, aggregate_id)
 	, INDEX agg_type (aggregate_type)
 	, INDEX agg_type_seq (aggregate_type, event_sequence DESC) 
-		STORING (id, event_type, aggregate_id, aggregate_version, previous_aggregate_sequence, creation_date, event_data, editor_user, editor_service, resource_owner, previous_aggregate_type_sequence)
+		STORING (id, event_type, aggregate_id, aggregate_version, previous_aggregate_sequence, creation_date, event_data, editor_user, editor_service, resource_owner, tenant, previous_aggregate_type_sequence)
 	, INDEX max_sequence (aggregate_type, aggregate_id, event_sequence DESC)
 	, CONSTRAINT previous_sequence_unique UNIQUE (previous_aggregate_sequence DESC)
 	, CONSTRAINT prev_agg_type_seq_unique UNIQUE(previous_aggregate_type_sequence)
-)
+)
--- a/cmd/admin/initialise/sql/10_system_sequence.sql
+++ b/cmd/admin/initialise/sql/10_system_sequence.sql
@@ -0,0 +1 @@
+CREATE SEQUENCE eventstore.system_seq
--- a/cmd/admin/initialise/sql/11_unique_constraints_table.sql
+++ b/cmd/admin/initialise/sql/11_unique_constraints_table.sql
@@ -0,0 +1,5 @@
+CREATE TABLE eventstore.unique_constraints (
+    unique_type TEXT,
+    unique_field TEXT,
+    PRIMARY KEY (unique_type, unique_field)
+)
--- a/cmd/admin/initialise/verify_database.go
+++ b/cmd/admin/initialise/verify_database.go
@@ -5,7 +5,6 @@ import (
 	_ "embed"
 	"fmt"

-	"github.com/caos/zitadel/internal/database"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -36,16 +35,16 @@ The user provided by flags needs priviledge to
 			if err := viper.Unmarshal(&config); err != nil {
 				return err
 			}
-			return initialise(config, verifyDatabase(config.Database))
+			return initialise(config, VerifyDatabase(config.Database.Database))
 		},
 	}
 }

-func verifyDatabase(config database.Config) func(*sql.DB) error {
+func VerifyDatabase(database string) func(*sql.DB) error {
 	return func(db *sql.DB) error {
 		return verify(db,
-			exists(searchDatabase, config.Database),
-			exec(fmt.Sprintf(databaseStmt, config.Database)),
+			exists(searchDatabase, database),
+			exec(fmt.Sprintf(databaseStmt, database)),
 		)
 	}
 }
--- a/cmd/admin/initialise/verify_database_test.go
+++ b/cmd/admin/initialise/verify_database_test.go
@@ -4,14 +4,12 @@ import (
 	"database/sql"
 	"errors"
 	"testing"
-
-	"github.com/caos/zitadel/internal/database"
 )

 func Test_verifyDB(t *testing.T) {
 	type args struct {
-		db     db
-		config database.Config
+		db       db
+		database string
 	}
 	tests := []struct {
 		name      string
@@ -21,10 +19,8 @@ func Test_verifyDB(t *testing.T) {
 		{
 			name: "exists fails",
 			args: args{
-				db: prepareDB(t, expectQueryErr("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", sql.ErrConnDone, "zitadel")),
-				config: database.Config{
-					Database: "zitadel",
-				},
+				db:       prepareDB(t, expectQueryErr("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", sql.ErrConnDone, "zitadel")),
+				database: "zitadel",
 			},
 			targetErr: sql.ErrConnDone,
 		},
@@ -35,9 +31,7 @@ func Test_verifyDB(t *testing.T) {
 					expectExists("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", false, "zitadel"),
 					expectExec("CREATE DATABASE zitadel", sql.ErrTxDone),
 				),
-				config: database.Config{
-					Database: "zitadel",
-				},
+				database: "zitadel",
 			},
 			targetErr: sql.ErrTxDone,
 		},
@@ -48,9 +42,7 @@ func Test_verifyDB(t *testing.T) {
 					expectExists("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", false, "zitadel"),
 					expectExec("CREATE DATABASE zitadel", nil),
 				),
-				config: database.Config{
-					Database: "zitadel",
-				},
+				database: "zitadel",
 			},
 			targetErr: nil,
 		},
@@ -60,16 +52,14 @@ func Test_verifyDB(t *testing.T) {
 				db: prepareDB(t,
 					expectExists("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", true, "zitadel"),
 				),
-				config: database.Config{
-					Database: "zitadel",
-				},
+				database: "zitadel",
 			},
 			targetErr: nil,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if err := verifyDatabase(tt.args.config)(tt.args.db.db); !errors.Is(err, tt.targetErr) {
+			if err := VerifyDatabase(tt.args.database)(tt.args.db.db); !errors.Is(err, tt.targetErr) {
 				t.Errorf("verifyDB() error = %v, want: %v", err, tt.targetErr)
 			}
 			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
--- a/cmd/admin/initialise/verify_grant.go
+++ b/cmd/admin/initialise/verify_grant.go
@@ -6,7 +6,6 @@ import (
 	"fmt"

 	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/database"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -31,17 +30,17 @@ Prereqesits:
 			if err := viper.Unmarshal(&config); err != nil {
 				return err
 			}
-			return initialise(config, verifyGrant(config.Database))
+			return initialise(config, VerifyGrant(config.Database.Database, config.Database.User.Username))
 		},
 	}
 }

-func verifyGrant(config database.Config) func(*sql.DB) error {
+func VerifyGrant(database, username string) func(*sql.DB) error {
 	return func(db *sql.DB) error {
-		logging.WithFields("user", config.Username).Info("verify grant")
+		logging.WithFields("user", username).Info("verify grant")
 		return verify(db,
-			exists(fmt.Sprintf(searchGrant, config.Database), config.Username),
-			exec(fmt.Sprintf(grantStmt, config.Database, config.Username)),
+			exists(fmt.Sprintf(searchGrant, database), username),
+			exec(fmt.Sprintf(grantStmt, database, username)),
 		)
 	}
 }
--- a/cmd/admin/initialise/verify_grant_test.go
+++ b/cmd/admin/initialise/verify_grant_test.go
@@ -4,14 +4,13 @@ import (
 	"database/sql"
 	"errors"
 	"testing"
-
-	"github.com/caos/zitadel/internal/database"
 )

 func Test_verifyGrant(t *testing.T) {
 	type args struct {
-		db     db
-		config database.Config
+		db       db
+		database string
+		username string
 	}
 	tests := []struct {
 		name      string
@@ -21,13 +20,9 @@ func Test_verifyGrant(t *testing.T) {
 		{
 			name: "exists fails",
 			args: args{
-				db: prepareDB(t, expectQueryErr("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", sql.ErrConnDone, "zitadel-user")),
-				config: database.Config{
-					Database: "zitadel",
-					User: database.User{
-						Username: "zitadel-user",
-					},
-				},
+				db:       prepareDB(t, expectQueryErr("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", sql.ErrConnDone, "zitadel-user")),
+				database: "zitadel",
+				username: "zitadel-user",
 			},
 			targetErr: sql.ErrConnDone,
 		},
@@ -38,12 +33,8 @@ func Test_verifyGrant(t *testing.T) {
 					expectExists("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", false, "zitadel-user"),
 					expectExec("GRANT ALL ON DATABASE zitadel TO zitadel-user", sql.ErrTxDone),
 				),
-				config: database.Config{
-					Database: "zitadel",
-					User: database.User{
-						Username: "zitadel-user",
-					},
-				},
+				database: "zitadel",
+				username: "zitadel-user",
 			},
 			targetErr: sql.ErrTxDone,
 		},
@@ -54,12 +45,8 @@ func Test_verifyGrant(t *testing.T) {
 					expectExists("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", false, "zitadel-user"),
 					expectExec("GRANT ALL ON DATABASE zitadel TO zitadel-user", nil),
 				),
-				config: database.Config{
-					Database: "zitadel",
-					User: database.User{
-						Username: "zitadel-user",
-					},
-				},
+				database: "zitadel",
+				username: "zitadel-user",
 			},
 			targetErr: nil,
 		},
@@ -69,20 +56,16 @@ func Test_verifyGrant(t *testing.T) {
 				db: prepareDB(t,
 					expectExists("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", true, "zitadel-user"),
 				),
-				config: database.Config{
-					Database: "zitadel",
-					User: database.User{
-						Username: "zitadel-user",
-					},
-				},
+				database: "zitadel",
+				username: "zitadel-user",
 			},
 			targetErr: nil,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if err := verifyGrant(tt.args.config)(tt.args.db.db); !errors.Is(err, tt.targetErr) {
-				t.Errorf("verifyGrant() error = %v, want: %v", err, tt.targetErr)
+			if err := VerifyGrant(tt.args.database, tt.args.username)(tt.args.db.db); !errors.Is(err, tt.targetErr) {
+				t.Errorf("VerifyGrant() error = %v, want: %v", err, tt.targetErr)
 			}
 			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
 				t.Error(err)
--- a/cmd/admin/initialise/verify_user.go
+++ b/cmd/admin/initialise/verify_user.go
@@ -5,7 +5,6 @@ import (
 	_ "embed"

 	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/database"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -35,17 +34,17 @@ The user provided by flags needs priviledge to
 			if err := viper.Unmarshal(&config); err != nil {
 				return err
 			}
-			return initialise(config, verifyUser(config.Database))
+			return initialise(config, VerifyUser(config.Database.User.Username, config.Database.User.Password))
 		},
 	}
 }

-func verifyUser(config database.Config) func(*sql.DB) error {
+func VerifyUser(username, password string) func(*sql.DB) error {
 	return func(db *sql.DB) error {
-		logging.WithFields("username", config.Username).Info("verify user")
+		logging.WithFields("username", username).Info("verify user")
 		return verify(db,
-			exists(searchUser, config.Username),
-			exec(createUserStmt, config.Username, &sql.NullString{String: config.Password, Valid: config.Password != ""}),
+			exists(searchUser, username),
+			exec(createUserStmt, username, &sql.NullString{String: password, Valid: password != ""}),
 		)
 	}
 }
--- a/cmd/admin/initialise/verify_user_test.go
+++ b/cmd/admin/initialise/verify_user_test.go
@@ -4,14 +4,13 @@ import (
 	"database/sql"
 	"errors"
 	"testing"
-
-	"github.com/caos/zitadel/internal/database"
 )

 func Test_verifyUser(t *testing.T) {
 	type args struct {
-		db     db
-		config database.Config
+		db       db
+		username string
+		password string
 	}
 	tests := []struct {
 		name      string
@@ -21,13 +20,9 @@ func Test_verifyUser(t *testing.T) {
 		{
 			name: "exists fails",
 			args: args{
-				db: prepareDB(t, expectQueryErr("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", sql.ErrConnDone, "zitadel-user")),
-				config: database.Config{
-					Database: "zitadel",
-					User: database.User{
-						Username: "zitadel-user",
-					},
-				},
+				db:       prepareDB(t, expectQueryErr("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", sql.ErrConnDone, "zitadel-user")),
+				username: "zitadel-user",
+				password: "",
 			},
 			targetErr: sql.ErrConnDone,
 		},
@@ -38,12 +33,8 @@ func Test_verifyUser(t *testing.T) {
 					expectExists("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", false, "zitadel-user"),
 					expectExec("CREATE USER $1 WITH PASSWORD $2", sql.ErrTxDone, "zitadel-user", nil),
 				),
-				config: database.Config{
-					Database: "zitadel",
-					User: database.User{
-						Username: "zitadel-user",
-					},
-				},
+				username: "zitadel-user",
+				password: "",
 			},
 			targetErr: sql.ErrTxDone,
 		},
@@ -54,12 +45,8 @@ func Test_verifyUser(t *testing.T) {
 					expectExists("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", false, "zitadel-user"),
 					expectExec("CREATE USER $1 WITH PASSWORD $2", nil, "zitadel-user", nil),
 				),
-				config: database.Config{
-					Database: "zitadel",
-					User: database.User{
-						Username: "zitadel-user",
-					},
-				},
+				username: "zitadel-user",
+				password: "",
 			},
 			targetErr: nil,
 		},
@@ -70,13 +57,8 @@ func Test_verifyUser(t *testing.T) {
 					expectExists("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", false, "zitadel-user"),
 					expectExec("CREATE USER $1 WITH PASSWORD $2", nil, "zitadel-user", "password"),
 				),
-				config: database.Config{
-					Database: "zitadel",
-					User: database.User{
-						Username: "zitadel-user",
-						Password: "password",
-					},
-				},
+				username: "zitadel-user",
+				password: "password",
 			},
 			targetErr: nil,
 		},
@@ -86,20 +68,16 @@ func Test_verifyUser(t *testing.T) {
 				db: prepareDB(t,
 					expectExists("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", true, "zitadel-user"),
 				),
-				config: database.Config{
-					Database: "zitadel",
-					User: database.User{
-						Username: "zitadel-user",
-					},
-				},
+				username: "zitadel-user",
+				password: "",
 			},
 			targetErr: nil,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if err := verifyUser(tt.args.config)(tt.args.db.db); !errors.Is(err, tt.targetErr) {
-				t.Errorf("verifyGrant() error = %v, want: %v", err, tt.targetErr)
+			if err := VerifyUser(tt.args.username, tt.args.password)(tt.args.db.db); !errors.Is(err, tt.targetErr) {
+				t.Errorf("VerifyGrant() error = %v, want: %v", err, tt.targetErr)
 			}
 			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
 				t.Error(err)
--- a/cmd/admin/initialise/verify_zitadel.go
+++ b/cmd/admin/initialise/verify_zitadel.go
@@ -12,16 +12,19 @@ import (
 )

 const (
-	eventstoreSchema    = "eventstore"
-	eventsTable         = "events"
-	projectionsSchema   = "projections"
-	systemSchema        = "system"
-	encryptionKeysTable = "encryption_key"
+	eventstoreSchema       = "eventstore"
+	eventsTable            = "events"
+	uniqueConstraintsTable = "unique_constraints"
+	projectionsSchema      = "projections"
+	systemSchema           = "system"
+	encryptionKeysTable    = "encryption_keys"
 )

 var (
-	searchTable  = "SELECT table_name FROM [SHOW TABLES] WHERE table_name = $1"
-	searchSchema = "SELECT schema_name FROM [SHOW SCHEMAS] WHERE schema_name = $1"
+	searchSchema         = "SELECT schema_name FROM [SHOW SCHEMAS] WHERE schema_name = $1"
+	searchTable          = "SELECT table_name FROM [SHOW TABLES] WHERE table_name = $1"
+	searchSystemSequence = "SELECT sequence_name FROM [SHOW SEQUENCES] WHERE sequence_name = 'system_seq'"
+
 	//go:embed sql/04_eventstore.sql
 	createEventstoreStmt string
 	//go:embed sql/05_projections.sql
@@ -34,6 +37,10 @@ var (
 	enableHashShardedIdx string
 	//go:embed sql/09_events_table.sql
 	createEventsStmt string
+	//go:embed sql/10_system_sequence.sql
+	createSystemSequenceStmt string
+	//go:embed sql/11_unique_constraints_table.sql
+	createUniqueConstraints string
 )

 func newZitadel() *cobra.Command {
@@ -55,13 +62,7 @@ Prereqesits:
 	}
 }

-func verifyZitadel(config database.Config) error {
-	logging.WithFields("database", config.Database).Info("verify database")
-	db, err := database.Connect(config)
-	if err != nil {
-		return err
-	}
-
+func VerifyZitadel(db *sql.DB) error {
 	if err := verify(db, exists(searchSchema, systemSchema), exec(createSystemStmt)); err != nil {
 		return err
 	}
@@ -82,6 +83,26 @@ func verifyZitadel(config database.Config) error {
 		return err
 	}

+	if err := verify(db, exists(searchSystemSequence), exec(createSystemSequenceStmt)); err != nil {
+		return err
+	}
+
+	if err := verify(db, exists(searchTable, uniqueConstraintsTable), exec(createUniqueConstraints)); err != nil {
+		return err
+	}
+	return nil
+}
+
+func verifyZitadel(config database.Config) error {
+	logging.WithFields("database", config.Database).Info("verify database")
+	db, err := database.Connect(config)
+	if err != nil {
+		return err
+	}
+	if err := VerifyZitadel(db); err != nil {
+		return nil
+	}
+
 	return db.Close()
 }