TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:17:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: user profile requests in resource APIs (#10151)

Browse Source 
# Which Problems Are Solved

The commands for the resource based v2beta AuthorizationService API are
added.
Authorizations, previously knows as user grants, give a user in a
specific organization and project context roles.
The project can be owned or granted.
The given roles can be used to restrict access within the projects
applications.

The commands for the resource based v2beta InteralPermissionService API
are added.
Administrators, previously knows as memberships, give a user in a
specific organization and project context roles.
The project can be owned or granted.
The give roles give the user permissions to manage different resources
in Zitadel.

API definitions from https://github.com/zitadel/zitadel/issues/9165 are
implemented.

Contains endpoints for user metadata.

# How the Problems Are Solved

### New Methods

- CreateAuthorization
- UpdateAuthorization
- DeleteAuthorization
- ActivateAuthorization
- DeactivateAuthorization
- ListAuthorizations
- CreateAdministrator
- UpdateAdministrator
- DeleteAdministrator
- ListAdministrators
- SetUserMetadata to set metadata on a user
- DeleteUserMetadata to delete metadata on a user
- ListUserMetadata to query for metadata of a user

## Deprecated Methods

### v1.ManagementService
- GetUserGrantByID
- ListUserGrants
- AddUserGrant
- UpdateUserGrant
- DeactivateUserGrant
- ReactivateUserGrant
- RemoveUserGrant
- BulkRemoveUserGrant

### v1.AuthService
- ListMyUserGrants
- ListMyProjectPermissions

# Additional Changes

- Permission checks for metadata functionality on query and command side
- correct existence checks for resources, for example you can only be an
administrator on an existing project
- combined all member tables to singular query for the administrators
- add permission checks for command an query side functionality
- combined functions on command side where necessary for easier
maintainability

# Additional Context

Closes #9165

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Stefan Benz
2025-07-04 18:12:59 +02:00
committed by GitHub
parent 9ebf2316c6
commit 5403be7c4b
142 changed files with 13223 additions and 2497 deletions
Download Patch File Download Diff File Expand all files Collapse all files

347
internal/query/administrators.go Normal file
View File

@@ -0,0 +1,347 @@
package query
import (
"context"
"database/sql"
"slices"
"time"
sq "github.com/Masterminds/squirrel"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/database"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
"github.com/zitadel/zitadel/internal/zerrors"
)
type Administrators struct {
SearchResponse
Administrators []*Administrator
}
type Administrator struct {
Roles database.TextArray[string]
CreationDate time.Time
ChangeDate time.Time
ResourceOwner string
User *UserAdministrator
Org *OrgAdministrator
Instance *InstanceAdministrator
Project *ProjectAdministrator
ProjectGrant *ProjectGrantAdministrator
}
type UserAdministrator struct {
UserID string
LoginName string
DisplayName string
ResourceOwner string
}
type OrgAdministrator struct {
OrgID string
Name string
}
type InstanceAdministrator struct {
InstanceID string
Name string
}
type ProjectAdministrator struct {
ProjectID string
Name string
ResourceOwner string
}
type ProjectGrantAdministrator struct {
ProjectID string
ProjectName string
GrantID string
GrantedOrgID string
ResourceOwner string
}
func NewAdministratorUserResourceOwnerSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(UserResourceOwnerCol, value, TextEquals)
}
func NewAdministratorUserLoginNameSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(LoginNameNameCol, value, TextEquals)
}
func NewAdministratorUserDisplayNameSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(HumanDisplayNameCol, value, TextEquals)
}
func administratorInstancePermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled bool) sq.SelectBuilder {
if !enabled {
return query
}
join, args := PermissionClause(
ctx,
InstanceMemberResourceOwner,
domain.PermissionInstanceMemberRead,
OwnedRowsPermissionOption(InstanceMemberUserID),
)
return query.JoinClause(join, args...)
}
func administratorOrgPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled bool) sq.SelectBuilder {
if !enabled {
return query
}
join, args := PermissionClause(
ctx,
OrgMemberResourceOwner,
domain.PermissionOrgMemberRead,
OwnedRowsPermissionOption(OrgMemberUserID),
)
return query.JoinClause(join, args...)
}
func administratorProjectPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled bool) sq.SelectBuilder {
if !enabled {
return query
}
join, args := PermissionClause(
ctx,
ProjectMemberResourceOwner,
domain.PermissionProjectMemberRead,
WithProjectsPermissionOption(ProjectMemberProjectID),
OwnedRowsPermissionOption(ProjectMemberUserID),
)
return query.JoinClause(join, args...)
}
func administratorProjectGrantPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled bool) sq.SelectBuilder {
if !enabled {
return query
}
join, args := PermissionClause(
ctx,
ProjectGrantMemberResourceOwner,
domain.PermissionProjectGrantMemberRead,
WithProjectsPermissionOption(ProjectMemberProjectID),
OwnedRowsPermissionOption(ProjectGrantMemberUserID),
)
return query.JoinClause(join, args...)
}
func administratorsCheckPermission(ctx context.Context, administrators *Administrators, permissionCheck domain.PermissionCheck) {
selfUserID := authz.GetCtxData(ctx).UserID
administrators.Administrators = slices.DeleteFunc(administrators.Administrators,
func(administrator *Administrator) bool {
if administrator.User != nil && administrator.User.UserID == selfUserID {
return false
}
if administrator.ProjectGrant != nil {
return administratorProjectGrantCheckPermission(ctx, administrator.ProjectGrant.ResourceOwner, administrator.ProjectGrant.ProjectID, administrator.ProjectGrant.GrantID, administrator.ProjectGrant.GrantedOrgID, permissionCheck) != nil
}
if administrator.Project != nil {
return permissionCheck(ctx, domain.PermissionProjectMemberRead, administrator.Project.ResourceOwner, administrator.Project.ProjectID) != nil
}
if administrator.Org != nil {
return permissionCheck(ctx, domain.PermissionOrgMemberRead, administrator.Org.OrgID, administrator.Org.OrgID) != nil
}
if administrator.Instance != nil {
return permissionCheck(ctx, domain.PermissionInstanceMemberRead, administrator.Instance.InstanceID, administrator.Instance.InstanceID) != nil
}
return true
},
)
}
func administratorProjectGrantCheckPermission(ctx context.Context, resourceOwner, projectID, grantID, grantedOrgID string, permissionCheck domain.PermissionCheck) error {
if err := permissionCheck(ctx, domain.PermissionProjectGrantMemberRead, resourceOwner, grantID); err != nil {
if err := permissionCheck(ctx, domain.PermissionProjectGrantMemberRead, grantedOrgID, grantID); err != nil {
if err := permissionCheck(ctx, domain.PermissionProjectGrantMemberRead, resourceOwner, projectID); err != nil {
return err
}
}
}
return nil
}
func (q *Queries) SearchAdministrators(ctx context.Context, queries *MembershipSearchQuery, permissionCheck domain.PermissionCheck) (*Administrators, error) {
permissionCheckV2 := PermissionV2(ctx, permissionCheck)
admins, err := q.searchAdministrators(ctx, queries, permissionCheckV2)
if err != nil {
return nil, err
}
if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
administratorsCheckPermission(ctx, admins, permissionCheck)
}
return admins, nil
}
func (q *Queries) searchAdministrators(ctx context.Context, queries *MembershipSearchQuery, permissionCheckV2 bool) (administrators *Administrators, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
query, queryArgs, scan := prepareAdministratorsQuery(ctx, queries, permissionCheckV2)
eq := sq.Eq{membershipInstanceID.identifier(): authz.GetInstance(ctx).InstanceID()}
stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
if err != nil {
return nil, zerrors.ThrowInvalidArgument(err, "QUERY-TODO", "Errors.Query.InvalidRequest")
}
latestState, err := q.latestState(ctx, orgMemberTable, instanceMemberTable, projectMemberTable, projectGrantMemberTable)
if err != nil {
return nil, err
}
queryArgs = append(queryArgs, args...)
err = q.client.QueryContext(ctx, func(rows *sql.Rows) error {
administrators, err = scan(rows)
return err
}, stmt, queryArgs...)
if err != nil {
return nil, err
}
administrators.State = latestState
return administrators, nil
}
func prepareAdministratorsQuery(ctx context.Context, queries *MembershipSearchQuery, permissionV2 bool) (sq.SelectBuilder, []interface{}, func(*sql.Rows) (*Administrators, error)) {
query, args := getMembershipFromQuery(ctx, queries, permissionV2)
return sq.Select(
MembershipUserID.identifier(),
membershipRoles.identifier(),
MembershipCreationDate.identifier(),
MembershipChangeDate.identifier(),
membershipResourceOwner.identifier(),
membershipOrgID.identifier(),
membershipIAMID.identifier(),
membershipProjectID.identifier(),
membershipGrantID.identifier(),
ProjectGrantColumnGrantedOrgID.identifier(),
ProjectColumnResourceOwner.identifier(),
ProjectColumnName.identifier(),
OrgColumnName.identifier(),
InstanceColumnName.identifier(),
LoginNameNameCol.identifier(),
HumanDisplayNameCol.identifier(),
MachineNameCol.identifier(),
HumanAvatarURLCol.identifier(),
UserTypeCol.identifier(),
UserResourceOwnerCol.identifier(),
countColumn.identifier(),
).From(query).
LeftJoin(join(ProjectColumnID, membershipProjectID)).
LeftJoin(join(ProjectGrantColumnGrantID, membershipGrantID)).
LeftJoin(join(OrgColumnID, membershipOrgID)).
LeftJoin(join(InstanceColumnID, membershipInstanceID)).
LeftJoin(join(HumanUserIDCol, OrgMemberUserID)).
LeftJoin(join(MachineUserIDCol, OrgMemberUserID)).
LeftJoin(join(UserIDCol, OrgMemberUserID)).
LeftJoin(join(LoginNameUserIDCol, OrgMemberUserID)).
Where(
sq.Eq{LoginNameIsPrimaryCol.identifier(): true},
).PlaceholderFormat(sq.Dollar),
args,
func(rows *sql.Rows) (*Administrators, error) {
administrators := make([]*Administrator, 0)
var count uint64
for rows.Next() {
var (
administrator = new(Administrator)
userID = sql.NullString{}
orgID = sql.NullString{}
instanceID = sql.NullString{}
projectID = sql.NullString{}
grantID = sql.NullString{}
grantedOrgID = sql.NullString{}
projectName = sql.NullString{}
orgName = sql.NullString{}
instanceName = sql.NullString{}
projectResourceOwner = sql.NullString{}
loginName = sql.NullString{}
displayName = sql.NullString{}
machineName = sql.NullString{}
avatarURL = sql.NullString{}
userType = sql.NullInt32{}
userResourceOwner = sql.NullString{}
)
err := rows.Scan(
&userID,
&administrator.Roles,
&administrator.CreationDate,
&administrator.ChangeDate,
&administrator.ResourceOwner,
&orgID,
&instanceID,
&projectID,
&grantID,
&grantedOrgID,
&projectResourceOwner,
&projectName,
&orgName,
&instanceName,
&loginName,
&displayName,
&machineName,
&avatarURL,
&userType,
&userResourceOwner,
&count,
)
if err != nil {
return nil, err
}
if userID.Valid {
administrator.User = &UserAdministrator{
UserID: userID.String,
LoginName: loginName.String,
DisplayName: displayName.String,
ResourceOwner: userResourceOwner.String,
}
}
if orgID.Valid {
administrator.Org = &OrgAdministrator{
OrgID: orgID.String,
Name: orgName.String,
}
}
if instanceID.Valid {
administrator.Instance = &InstanceAdministrator{
InstanceID: instanceID.String,
Name: instanceName.String,
}
}
if projectID.Valid && grantID.Valid && grantedOrgID.Valid {
administrator.ProjectGrant = &ProjectGrantAdministrator{
ProjectID: projectID.String,
ProjectName: projectName.String,
GrantID: grantID.String,
GrantedOrgID: grantedOrgID.String,
ResourceOwner: projectResourceOwner.String,
}
} else if projectID.Valid {
administrator.Project = &ProjectAdministrator{
ProjectID: projectID.String,
Name: projectName.String,
ResourceOwner: projectResourceOwner.String,
}
}
administrators = append(administrators, administrator)
}
if err := rows.Close(); err != nil {
return nil, zerrors.ThrowInternal(err, "QUERY-TODO", "Errors.Query.CloseRows")
}
return &Administrators{
Administrators: administrators,
SearchResponse: SearchResponse{
Count: count,
},
}, nil
}
}

11
internal/query/member.go
View File

@@ -35,8 +35,17 @@ func NewMemberLastNameSearchQuery(method TextComparison, value string) (SearchQu
}
func NewMemberUserIDSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(membershipUserID, value, TextEquals)
return NewTextQuery(MembershipUserID, value, TextEquals)
}
func NewMemberInUserIDsSearchQuery(ids []string) (SearchQuery, error) {
list := make([]interface{}, len(ids))
for i, value := range ids {
list[i] = value
}
return NewListQuery(MembershipUserID, list, ListIn)
}
func NewMemberResourceOwnerSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(membershipResourceOwner, value, TextEquals)
}

2
internal/query/project_grant_member.go
View File

@@ -128,7 +128,7 @@ func prepareProjectGrantMembersQuery() (sq.SelectBuilder, func(*sql.Rows) (*Memb
LeftJoin(join(MachineUserIDCol, ProjectGrantMemberUserID)).
LeftJoin(join(UserIDCol, ProjectGrantMemberUserID)).
LeftJoin(join(LoginNameUserIDCol, ProjectGrantMemberUserID)).
LeftJoin(join(ProjectGrantColumnGrantID, ProjectGrantMemberGrantID)).
LeftJoin(join(ProjectGrantColumnGrantID, ProjectGrantMemberGrantID) + " AND " + ProjectGrantMemberProjectID.identifier() + " = " + ProjectGrantColumnProjectID.identifier()).
Where(
sq.Eq{LoginNameIsPrimaryCol.identifier(): true},
).PlaceholderFormat(sq.Dollar),

1
internal/query/project_grant_member_test.go
View File

@@ -46,6 +46,7 @@ var (
"LEFT JOIN projections.project_grants4 " +
"ON members.grant_id = projections.project_grants4.grant_id " +
"AND members.instance_id = projections.project_grants4.instance_id " +
"AND members.project_id = projections.project_grants4.project_id " +
"WHERE projections.login_names3.is_primary = $1")
projectGrantMembersColumns = []string{
"creation_date",

87
internal/query/user_grant.go
View File

@@ -4,6 +4,7 @@ import (
"context"
"database/sql"
"errors"
"slices"
"time"
sq "github.com/Masterminds/squirrel"
@@ -44,8 +45,9 @@ type UserGrant struct {
OrgName string `json:"org_name,omitempty"`
OrgPrimaryDomain string `json:"org_primary_domain,omitempty"`
ProjectID string `json:"project_id,omitempty"`
ProjectName string `json:"project_name,omitempty"`
ProjectResourceOwner string `json:"project_resource_owner,omitempty"`
ProjectID string `json:"project_id,omitempty"`
ProjectName string `json:"project_name,omitempty"`
GrantedOrgID string `json:"granted_org_id,omitempty"`
GrantedOrgName string `json:"granted_org_name,omitempty"`
@@ -57,6 +59,27 @@ type UserGrants struct {
UserGrants []*UserGrant
}
func userGrantsCheckPermission(ctx context.Context, grants *UserGrants, permissionCheck domain.PermissionCheck) {
grants.UserGrants = slices.DeleteFunc(grants.UserGrants,
func(grant *UserGrant) bool {
return userGrantCheckPermission(ctx, grant.ResourceOwner, grant.ProjectID, grant.GrantID, grant.UserID, permissionCheck) != nil
},
)
}
func userGrantCheckPermission(ctx context.Context, resourceOwner, projectID, grantID, userID string, permissionCheck domain.PermissionCheck) error {
// you should always be able to read your own permissions
if authz.GetCtxData(ctx).UserID == userID {
return nil
}
// check permission on the project grant
if grantID != "" {
return permissionCheck(ctx, domain.PermissionUserGrantRead, resourceOwner, grantID)
}
// check on project
return permissionCheck(ctx, domain.PermissionUserGrantRead, resourceOwner, projectID)
}
type UserGrantsQueries struct {
SearchRequest
Queries []SearchQuery
@@ -70,6 +93,21 @@ func (q *UserGrantsQueries) toQuery(query sq.SelectBuilder) sq.SelectBuilder {
return query
}
func userGrantPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled bool, queries *UserGrantsQueries) sq.SelectBuilder {
if !enabled {
return query
}
join, args := PermissionClause(
ctx,
UserGrantResourceOwner,
domain.PermissionUserGrantRead,
SingleOrgPermissionOption(queries.Queries),
WithProjectsPermissionOption(UserGrantProjectID),
OwnedRowsPermissionOption(UserGrantUserID),
)
return query.JoinClause(join, args...)
}
func NewUserGrantUserIDSearchQuery(id string) (SearchQuery, error) {
return NewTextQuery(UserGrantUserID, id, TextEquals)
}
@@ -86,6 +124,10 @@ func NewUserGrantResourceOwnerSearchQuery(id string) (SearchQuery, error) {
return NewTextQuery(UserGrantResourceOwner, id, TextEquals)
}
func NewUserGrantUserResourceOwnerSearchQuery(id string) (SearchQuery, error) {
return NewTextQuery(UserResourceOwnerCol, id, TextEquals)
}
func NewUserGrantGrantIDSearchQuery(id string) (SearchQuery, error) {
return NewTextQuery(UserGrantGrantID, id, TextEquals)
}
@@ -94,6 +136,14 @@ func NewUserGrantIDSearchQuery(id string) (SearchQuery, error) {
return NewTextQuery(UserGrantID, id, TextEquals)
}
func NewUserGrantInIDsSearchQuery(ids []string) (SearchQuery, error) {
list := make([]interface{}, len(ids))
for i, value := range ids {
list[i] = value
}
return NewListQuery(UserGrantID, list, ListIn)
}
func NewUserGrantUserTypeQuery(typ domain.UserType) (SearchQuery, error) {
return NewNumberQuery(UserTypeCol, typ, NumberEquals)
}
@@ -254,7 +304,19 @@ func (q *Queries) UserGrant(ctx context.Context, shouldTriggerBulk bool, queries
return grant, err
}
func (q *Queries) UserGrants(ctx context.Context, queries *UserGrantsQueries, shouldTriggerBulk bool) (grants *UserGrants, err error) {
func (q *Queries) UserGrants(ctx context.Context, queries *UserGrantsQueries, shouldTriggerBulk bool, permissionCheck domain.PermissionCheck) (*UserGrants, error) {
permissionCheckV2 := PermissionV2(ctx, permissionCheck)
grants, err := q.userGrants(ctx, queries, shouldTriggerBulk, permissionCheckV2)
if err != nil {
return nil, err
}
if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
userGrantsCheckPermission(ctx, grants, permissionCheck)
}
return grants, nil
}
func (q *Queries) userGrants(ctx context.Context, queries *UserGrantsQueries, shouldTriggerBulk bool, permissionCheckV2 bool) (grants *UserGrants, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
@@ -266,6 +328,7 @@ func (q *Queries) UserGrants(ctx context.Context, queries *UserGrantsQueries, sh
}
query, scan := prepareUserGrantsQuery()
query = userGrantPermissionCheckV2(ctx, query, permissionCheckV2, queries)
eq := sq.Eq{UserGrantInstanceID.identifier(): authz.GetInstance(ctx).InstanceID()}
stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
if err != nil {
@@ -316,6 +379,7 @@ func prepareUserGrantQuery() (sq.SelectBuilder, func(*sql.Row) (*UserGrant, erro
UserGrantProjectID.identifier(),
ProjectColumnName.identifier(),
ProjectColumnResourceOwner.identifier(),
GrantedOrgColumnId.identifier(),
GrantedOrgColumnName.identifier(),
@@ -326,7 +390,8 @@ func prepareUserGrantQuery() (sq.SelectBuilder, func(*sql.Row) (*UserGrant, erro
LeftJoin(join(HumanUserIDCol, UserGrantUserID)).
LeftJoin(join(OrgColumnID, UserGrantResourceOwner)).
LeftJoin(join(ProjectColumnID, UserGrantProjectID)).
LeftJoin(join(GrantedOrgColumnId, UserResourceOwnerCol)).
LeftJoin(join(ProjectGrantColumnGrantID, UserGrantGrantID) + " AND " + ProjectGrantColumnProjectID.identifier() + " = " + UserGrantProjectID.identifier()).
LeftJoin(join(GrantedOrgColumnId, ProjectGrantColumnGrantedOrgID)).
LeftJoin(join(LoginNameUserIDCol, UserGrantUserID)).
Where(
sq.Eq{LoginNameIsPrimaryCol.identifier(): true},
@@ -348,7 +413,8 @@ func prepareUserGrantQuery() (sq.SelectBuilder, func(*sql.Row) (*UserGrant, erro
orgName sql.NullString
orgDomain sql.NullString
projectName sql.NullString
projectName sql.NullString
projectResourceOwner sql.NullString
grantedOrgID sql.NullString
grantedOrgName sql.NullString
@@ -381,6 +447,7 @@ func prepareUserGrantQuery() (sq.SelectBuilder, func(*sql.Row) (*UserGrant, erro
&g.ProjectID,
&projectName,
&projectResourceOwner,
&grantedOrgID,
&grantedOrgName,
@@ -405,6 +472,7 @@ func prepareUserGrantQuery() (sq.SelectBuilder, func(*sql.Row) (*UserGrant, erro
g.OrgName = orgName.String
g.OrgPrimaryDomain = orgDomain.String
g.ProjectName = projectName.String
g.ProjectResourceOwner = projectResourceOwner.String
g.GrantedOrgID = grantedOrgID.String
g.GrantedOrgName = grantedOrgName.String
g.GrantedOrgDomain = grantedOrgDomain.String
@@ -439,6 +507,7 @@ func prepareUserGrantsQuery() (sq.SelectBuilder, func(*sql.Rows) (*UserGrants, e
UserGrantProjectID.identifier(),
ProjectColumnName.identifier(),
ProjectColumnResourceOwner.identifier(),
GrantedOrgColumnId.identifier(),
GrantedOrgColumnName.identifier(),
@@ -451,7 +520,8 @@ func prepareUserGrantsQuery() (sq.SelectBuilder, func(*sql.Rows) (*UserGrants, e
LeftJoin(join(HumanUserIDCol, UserGrantUserID)).
LeftJoin(join(OrgColumnID, UserGrantResourceOwner)).
LeftJoin(join(ProjectColumnID, UserGrantProjectID)).
LeftJoin(join(GrantedOrgColumnId, UserResourceOwnerCol)).
LeftJoin(join(ProjectGrantColumnGrantID, UserGrantGrantID) + " AND " + ProjectGrantColumnProjectID.identifier() + " = " + UserGrantProjectID.identifier()).
LeftJoin(join(GrantedOrgColumnId, ProjectGrantColumnGrantedOrgID)).
LeftJoin(join(LoginNameUserIDCol, UserGrantUserID)).
Where(
sq.Eq{LoginNameIsPrimaryCol.identifier(): true},
@@ -480,7 +550,8 @@ func prepareUserGrantsQuery() (sq.SelectBuilder, func(*sql.Rows) (*UserGrants, e
grantedOrgName sql.NullString
grantedOrgDomain sql.NullString
projectName sql.NullString
projectName sql.NullString
projectResourceOwner sql.NullString
)
err := rows.Scan(
@@ -509,6 +580,7 @@ func prepareUserGrantsQuery() (sq.SelectBuilder, func(*sql.Rows) (*UserGrants, e
&g.ProjectID,
&projectName,
&projectResourceOwner,
&grantedOrgID,
&grantedOrgName,
@@ -532,6 +604,7 @@ func prepareUserGrantsQuery() (sq.SelectBuilder, func(*sql.Rows) (*UserGrants, e
g.OrgName = orgName.String
g.OrgPrimaryDomain = orgDomain.String
g.ProjectName = projectName.String
g.ProjectResourceOwner = projectResourceOwner.String
g.GrantedOrgID = grantedOrgID.String
g.GrantedOrgName = grantedOrgName.String
g.GrantedOrgDomain = grantedOrgDomain.String

633
internal/query/user_grant_test.go
View File

@@ -37,6 +37,7 @@ var (
", projections.orgs1.primary_domain" +
", projections.user_grants5.project_id" +
", projections.projects4.name" +
", projections.projects4.resource_owner" +
", granted_orgs.id" +
", granted_orgs.name" +
", granted_orgs.primary_domain" +
@@ -45,7 +46,8 @@ var (
" LEFT JOIN projections.users14_humans ON projections.user_grants5.user_id = projections.users14_humans.user_id AND projections.user_grants5.instance_id = projections.users14_humans.instance_id" +
" LEFT JOIN projections.orgs1 ON projections.user_grants5.resource_owner = projections.orgs1.id AND projections.user_grants5.instance_id = projections.orgs1.instance_id" +
" LEFT JOIN projections.projects4 ON projections.user_grants5.project_id = projections.projects4.id AND projections.user_grants5.instance_id = projections.projects4.instance_id" +
" LEFT JOIN projections.orgs1 AS granted_orgs ON projections.users14.resource_owner = granted_orgs.id AND projections.users14.instance_id = granted_orgs.instance_id" +
" LEFT JOIN projections.project_grants4 ON projections.user_grants5.grant_id = projections.project_grants4.grant_id AND projections.user_grants5.instance_id = projections.project_grants4.instance_id AND projections.project_grants4.project_id = projections.user_grants5.project_id" +
" LEFT JOIN projections.orgs1 AS granted_orgs ON projections.project_grants4.granted_org_id = granted_orgs.id AND projections.project_grants4.instance_id = granted_orgs.instance_id" +
" LEFT JOIN projections.login_names3 ON projections.user_grants5.user_id = projections.login_names3.user_id AND projections.user_grants5.instance_id = projections.login_names3.instance_id" +
" WHERE projections.login_names3.is_primary = $1")
userGrantCols = []string{
@@ -71,6 +73,7 @@ var (
"primary_domain",
"project_id",
"name", // project name
"resource_owner", // project_grant resource owner
"id", // granted org id
"name", // granted org name
"primary_domain", // granted org domain
@@ -98,6 +101,7 @@ var (
", projections.orgs1.primary_domain" +
", projections.user_grants5.project_id" +
", projections.projects4.name" +
", projections.projects4.resource_owner" +
", granted_orgs.id" +
", granted_orgs.name" +
", granted_orgs.primary_domain" +
@@ -107,7 +111,8 @@ var (
" LEFT JOIN projections.users14_humans ON projections.user_grants5.user_id = projections.users14_humans.user_id AND projections.user_grants5.instance_id = projections.users14_humans.instance_id" +
" LEFT JOIN projections.orgs1 ON projections.user_grants5.resource_owner = projections.orgs1.id AND projections.user_grants5.instance_id = projections.orgs1.instance_id" +
" LEFT JOIN projections.projects4 ON projections.user_grants5.project_id = projections.projects4.id AND projections.user_grants5.instance_id = projections.projects4.instance_id" +
" LEFT JOIN projections.orgs1 AS granted_orgs ON projections.users14.resource_owner = granted_orgs.id AND projections.users14.instance_id = granted_orgs.instance_id" +
" LEFT JOIN projections.project_grants4 ON projections.user_grants5.grant_id = projections.project_grants4.grant_id AND projections.user_grants5.instance_id = projections.project_grants4.instance_id AND projections.project_grants4.project_id = projections.user_grants5.project_id" +
" LEFT JOIN projections.orgs1 AS granted_orgs ON projections.project_grants4.granted_org_id = granted_orgs.id AND projections.project_grants4.instance_id = granted_orgs.instance_id" +
" LEFT JOIN projections.login_names3 ON projections.user_grants5.user_id = projections.login_names3.user_id AND projections.user_grants5.instance_id = projections.login_names3.instance_id" +
" WHERE projections.login_names3.is_primary = $1")
userGrantsCols = append(
@@ -175,6 +180,7 @@ func Test_UserGrantPrepares(t *testing.T) {
"primary-domain",
"project-id",
"project-name",
"project-resource-owner",
"granted-org-id",
"granted-org-name",
"granted-org-domain",
@@ -182,31 +188,32 @@ func Test_UserGrantPrepares(t *testing.T) {
),
},
object: &UserGrant{
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
ProjectResourceOwner: "project-resource-owner",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
},
},
{
@@ -239,6 +246,7 @@ func Test_UserGrantPrepares(t *testing.T) {
"primary-domain",
"project-id",
"project-name",
"project-resource-owner",
"granted-org-id",
"granted-org-name",
"granted-org-domain",
@@ -246,31 +254,32 @@ func Test_UserGrantPrepares(t *testing.T) {
),
},
object: &UserGrant{
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeMachine,
UserResourceOwner: "resource-owner",
FirstName: "",
LastName: "",
Email: "",
DisplayName: "",
AvatarURL: "",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeMachine,
UserResourceOwner: "resource-owner",
FirstName: "",
LastName: "",
Email: "",
DisplayName: "",
AvatarURL: "",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
ProjectResourceOwner: "project-resource-owner",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
},
},
{
@@ -303,6 +312,7 @@ func Test_UserGrantPrepares(t *testing.T) {
nil,
"project-id",
"project-name",
"project-resource-owner",
"granted-org-id",
"granted-org-name",
"granted-org-domain",
@@ -310,31 +320,32 @@ func Test_UserGrantPrepares(t *testing.T) {
),
},
object: &UserGrant{
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "",
OrgPrimaryDomain: "",
ProjectID: "project-id",
ProjectName: "project-name",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "",
OrgPrimaryDomain: "",
ProjectID: "project-id",
ProjectName: "project-name",
ProjectResourceOwner: "project-resource-owner",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
},
},
{
@@ -367,6 +378,7 @@ func Test_UserGrantPrepares(t *testing.T) {
"primary-domain",
"project-id",
nil,
nil,
"granted-org-id",
"granted-org-name",
"granted-org-domain",
@@ -374,31 +386,32 @@ func Test_UserGrantPrepares(t *testing.T) {
),
},
object: &UserGrant{
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "",
ProjectResourceOwner: "",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
},
},
{
@@ -431,6 +444,7 @@ func Test_UserGrantPrepares(t *testing.T) {
"primary-domain",
"project-id",
"project-name",
"project-resource-owner",
"granted-org-id",
"granted-org-name",
"granted-org-domain",
@@ -438,31 +452,32 @@ func Test_UserGrantPrepares(t *testing.T) {
),
},
object: &UserGrant{
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
ProjectResourceOwner: "project-resource-owner",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
},
},
{
@@ -525,6 +540,7 @@ func Test_UserGrantPrepares(t *testing.T) {
"primary-domain",
"project-id",
"project-name",
"project-resource-owner",
"granted-org-id",
"granted-org-name",
"granted-org-domain",
@@ -538,31 +554,32 @@ func Test_UserGrantPrepares(t *testing.T) {
},
UserGrants: []*UserGrant{
{
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
ProjectResourceOwner: "project-resource-owner",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
},
},
},
@@ -598,6 +615,7 @@ func Test_UserGrantPrepares(t *testing.T) {
"primary-domain",
"project-id",
"project-name",
"project-resource-owner",
"granted-org-id",
"granted-org-name",
"granted-org-domain",
@@ -611,31 +629,32 @@ func Test_UserGrantPrepares(t *testing.T) {
},
UserGrants: []*UserGrant{
{
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeMachine,
UserResourceOwner: "resource-owner",
FirstName: "",
LastName: "",
Email: "",
DisplayName: "",
AvatarURL: "",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeMachine,
UserResourceOwner: "resource-owner",
FirstName: "",
LastName: "",
Email: "",
DisplayName: "",
AvatarURL: "",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
ProjectResourceOwner: "project-resource-owner",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
},
},
},
@@ -671,6 +690,7 @@ func Test_UserGrantPrepares(t *testing.T) {
nil,
"project-id",
"project-name",
"project-resource-owner",
"granted-org-id",
"granted-org-name",
"granted-org-domain",
@@ -684,31 +704,32 @@ func Test_UserGrantPrepares(t *testing.T) {
},
UserGrants: []*UserGrant{
{
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeMachine,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "",
OrgPrimaryDomain: "",
ProjectID: "project-id",
ProjectName: "project-name",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeMachine,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "",
OrgPrimaryDomain: "",
ProjectID: "project-id",
ProjectName: "project-name",
ProjectResourceOwner: "project-resource-owner",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
},
},
},
@@ -744,6 +765,7 @@ func Test_UserGrantPrepares(t *testing.T) {
"primary-domain",
"project-id",
nil,
nil,
"granted-org-id",
"granted-org-name",
"granted-org-domain",
@@ -757,31 +779,32 @@ func Test_UserGrantPrepares(t *testing.T) {
},
UserGrants: []*UserGrant{
{
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "",
ProjectResourceOwner: "",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
},
},
},
@@ -817,6 +840,7 @@ func Test_UserGrantPrepares(t *testing.T) {
"primary-domain",
"project-id",
"project-name",
"project-resource-owner",
"granted-org-id",
"granted-org-name",
"granted-org-domain",
@@ -830,31 +854,32 @@ func Test_UserGrantPrepares(t *testing.T) {
},
UserGrants: []*UserGrant{
{
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
ProjectResourceOwner: "project-resource-owner",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
},
},
},
@@ -890,6 +915,7 @@ func Test_UserGrantPrepares(t *testing.T) {
"primary-domain",
"project-id",
"project-name",
"project-resource-owner",
"granted-org-id",
"granted-org-name",
"granted-org-domain",
@@ -917,6 +943,7 @@ func Test_UserGrantPrepares(t *testing.T) {
"primary-domain",
"project-id",
"project-name",
"project-resource-owner",
"granted-org-id",
"granted-org-name",
"granted-org-domain",
@@ -930,58 +957,60 @@ func Test_UserGrantPrepares(t *testing.T) {
},
UserGrants: []*UserGrant{
{
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
ProjectResourceOwner: "project-resource-owner",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
},
{
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
ID: "id",
CreationDate: testNow,
ChangeDate: testNow,
Sequence: 20211111,
Roles: database.TextArray[string]{"role-key"},
GrantID: "grant-id",
State: domain.UserGrantStateActive,
UserID: "user-id",
Username: "username",
UserType: domain.UserTypeHuman,
UserResourceOwner: "resource-owner",
FirstName: "first-name",
LastName: "last-name",
Email: "email",
DisplayName: "display-name",
AvatarURL: "avatar-key",
PreferredLoginName: "login-name",
ResourceOwner: "ro",
OrgName: "org-name",
OrgPrimaryDomain: "primary-domain",
ProjectID: "project-id",
ProjectName: "project-name",
ProjectResourceOwner: "project-resource-owner",
GrantedOrgID: "granted-org-id",
GrantedOrgName: "granted-org-name",
GrantedOrgDomain: "granted-org-domain",
},
},
},

52
internal/query/user_membership.go
View File

@@ -63,7 +63,15 @@ type MembershipSearchQuery struct {
}
func NewMembershipUserIDQuery(userID string) (SearchQuery, error) {
return NewTextQuery(membershipUserID.setTable(membershipAlias), userID, TextEquals)
return NewTextQuery(MembershipUserID.setTable(membershipAlias), userID, TextEquals)
}
func NewMembershipCreationDateQuery(timestamp time.Time, comparison TimestampComparison) (SearchQuery, error) {
return NewTimestampQuery(MembershipCreationDate.setTable(membershipAlias), timestamp, comparison)
}
func NewMembershipChangeDateQuery(timestamp time.Time, comparison TimestampComparison) (SearchQuery, error) {
return NewTimestampQuery(MembershipChangeDate.setTable(membershipAlias), timestamp, comparison)
}
func NewMembershipOrgIDQuery(value string) (SearchQuery, error) {
@@ -137,7 +145,7 @@ func (q *Queries) Memberships(ctx context.Context, queries *MembershipSearchQuer
wg.Wait()
}
query, queryArgs, scan := prepareMembershipsQuery(queries)
query, queryArgs, scan := prepareMembershipsQuery(ctx, queries, false)
eq := sq.Eq{membershipInstanceID.identifier(): authz.GetInstance(ctx).InstanceID()}
stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
if err != nil {
@@ -166,7 +174,7 @@ var (
name: "members",
instanceIDCol: projection.MemberInstanceID,
}
membershipUserID = Column{
MembershipUserID = Column{
name: projection.MemberUserIDCol,
table: membershipAlias,
}
@@ -174,11 +182,11 @@ var (
name: projection.MemberRolesCol,
table: membershipAlias,
}
membershipCreationDate = Column{
MembershipCreationDate = Column{
name: projection.MemberCreationDate,
table: membershipAlias,
}
membershipChangeDate = Column{
MembershipChangeDate = Column{
name: projection.MemberChangeDate,
table: membershipAlias,
}
@@ -216,11 +224,11 @@ var (
}
)
func getMembershipFromQuery(queries *MembershipSearchQuery) (string, []interface{}) {
orgMembers, orgMembersArgs := prepareOrgMember(queries)
iamMembers, iamMembersArgs := prepareIAMMember(queries)
projectMembers, projectMembersArgs := prepareProjectMember(queries)
projectGrantMembers, projectGrantMembersArgs := prepareProjectGrantMember(queries)
func getMembershipFromQuery(ctx context.Context, queries *MembershipSearchQuery, permissionV2 bool) (string, []interface{}) {
orgMembers, orgMembersArgs := prepareOrgMember(ctx, queries, permissionV2)
iamMembers, iamMembersArgs := prepareIAMMember(ctx, queries, permissionV2)
projectMembers, projectMembersArgs := prepareProjectMember(ctx, queries, permissionV2)
projectGrantMembers, projectGrantMembersArgs := prepareProjectGrantMember(ctx, queries, permissionV2)
args := make([]interface{}, 0)
args = append(append(append(append(args, orgMembersArgs...), iamMembersArgs...), projectMembersArgs...), projectGrantMembersArgs...)
@@ -236,13 +244,13 @@ func getMembershipFromQuery(queries *MembershipSearchQuery) (string, []interface
args
}
func prepareMembershipsQuery(queries *MembershipSearchQuery) (sq.SelectBuilder, []interface{}, func(*sql.Rows) (*Memberships, error)) {
query, args := getMembershipFromQuery(queries)
func prepareMembershipsQuery(ctx context.Context, queries *MembershipSearchQuery, permissionV2 bool) (sq.SelectBuilder, []interface{}, func(*sql.Rows) (*Memberships, error)) {
query, args := getMembershipFromQuery(ctx, queries, permissionV2)
return sq.Select(
membershipUserID.identifier(),
MembershipUserID.identifier(),
membershipRoles.identifier(),
membershipCreationDate.identifier(),
membershipChangeDate.identifier(),
MembershipCreationDate.identifier(),
MembershipChangeDate.identifier(),
membershipSequence.identifier(),
membershipResourceOwner.identifier(),
membershipOrgID.identifier(),
@@ -257,7 +265,7 @@ func prepareMembershipsQuery(queries *MembershipSearchQuery) (sq.SelectBuilder,
).From(query).
LeftJoin(join(ProjectColumnID, membershipProjectID)).
LeftJoin(join(OrgColumnID, membershipOrgID)).
LeftJoin(join(ProjectGrantColumnGrantID, membershipGrantID)).
LeftJoin(join(ProjectGrantColumnGrantID, membershipGrantID) + " AND " + membershipProjectID.identifier() + " = " + ProjectGrantColumnProjectID.identifier()).
LeftJoin(join(InstanceColumnID, membershipInstanceID)).
PlaceholderFormat(sq.Dollar),
args,
@@ -340,7 +348,7 @@ func prepareMembershipsQuery(queries *MembershipSearchQuery) (sq.SelectBuilder,
}
}
func prepareOrgMember(query *MembershipSearchQuery) (string, []interface{}) {
func prepareOrgMember(ctx context.Context, query *MembershipSearchQuery, permissionV2 bool) (string, []interface{}) {
builder := sq.Select(
OrgMemberUserID.identifier(),
OrgMemberRoles.identifier(),
@@ -354,6 +362,7 @@ func prepareOrgMember(query *MembershipSearchQuery) (string, []interface{}) {
"NULL::TEXT AS "+membershipProjectID.name,
"NULL::TEXT AS "+membershipGrantID.name,
).From(orgMemberTable.identifier())
builder = administratorOrgPermissionCheckV2(ctx, builder, permissionV2)
for _, q := range query.Queries {
if q.Col().table.name == membershipAlias.name || q.Col().table.name == orgMemberTable.name {
@@ -363,7 +372,7 @@ func prepareOrgMember(query *MembershipSearchQuery) (string, []interface{}) {
return builder.MustSql()
}
func prepareIAMMember(query *MembershipSearchQuery) (string, []interface{}) {
func prepareIAMMember(ctx context.Context, query *MembershipSearchQuery, permissionV2 bool) (string, []interface{}) {
builder := sq.Select(
InstanceMemberUserID.identifier(),
InstanceMemberRoles.identifier(),
@@ -377,6 +386,7 @@ func prepareIAMMember(query *MembershipSearchQuery) (string, []interface{}) {
"NULL::TEXT AS "+membershipProjectID.name,
"NULL::TEXT AS "+membershipGrantID.name,
).From(instanceMemberTable.identifier())
builder = administratorInstancePermissionCheckV2(ctx, builder, permissionV2)
for _, q := range query.Queries {
if q.Col().table.name == membershipAlias.name || q.Col().table.name == instanceMemberTable.name {
@@ -386,7 +396,7 @@ func prepareIAMMember(query *MembershipSearchQuery) (string, []interface{}) {
return builder.MustSql()
}
func prepareProjectMember(query *MembershipSearchQuery) (string, []interface{}) {
func prepareProjectMember(ctx context.Context, query *MembershipSearchQuery, permissionV2 bool) (string, []interface{}) {
builder := sq.Select(
ProjectMemberUserID.identifier(),
ProjectMemberRoles.identifier(),
@@ -400,6 +410,7 @@ func prepareProjectMember(query *MembershipSearchQuery) (string, []interface{})
ProjectMemberProjectID.identifier(),
"NULL::TEXT AS "+membershipGrantID.name,
).From(projectMemberTable.identifier())
builder = administratorProjectPermissionCheckV2(ctx, builder, permissionV2)
for _, q := range query.Queries {
if q.Col().table.name == membershipAlias.name || q.Col().table.name == projectMemberTable.name {
@@ -410,7 +421,7 @@ func prepareProjectMember(query *MembershipSearchQuery) (string, []interface{})
return builder.MustSql()
}
func prepareProjectGrantMember(query *MembershipSearchQuery) (string, []interface{}) {
func prepareProjectGrantMember(ctx context.Context, query *MembershipSearchQuery, permissionV2 bool) (string, []interface{}) {
builder := sq.Select(
ProjectGrantMemberUserID.identifier(),
ProjectGrantMemberRoles.identifier(),
@@ -424,6 +435,7 @@ func prepareProjectGrantMember(query *MembershipSearchQuery) (string, []interfac
ProjectGrantMemberProjectID.identifier(),
ProjectGrantMemberGrantID.identifier(),
).From(projectGrantMemberTable.identifier())
builder = administratorProjectGrantPermissionCheckV2(ctx, builder, permissionV2)
for _, q := range query.Queries {
if q.Col().table.name == membershipAlias.name || q.Col().table.name == projectMemberTable.name || q.Col().table.name == projectGrantMemberTable.name {

5
internal/query/user_membership_test.go
View File

@@ -1,6 +1,7 @@
package query
import (
"context"
"database/sql"
"database/sql/driver"
"errors"
@@ -85,7 +86,7 @@ var (
") AS members" +
" LEFT JOIN projections.projects4 ON members.project_id = projections.projects4.id AND members.instance_id = projections.projects4.instance_id" +
" LEFT JOIN projections.orgs1 ON members.org_id = projections.orgs1.id AND members.instance_id = projections.orgs1.instance_id" +
" LEFT JOIN projections.project_grants4 ON members.grant_id = projections.project_grants4.grant_id AND members.instance_id = projections.project_grants4.instance_id" +
" LEFT JOIN projections.project_grants4 ON members.grant_id = projections.project_grants4.grant_id AND members.instance_id = projections.project_grants4.instance_id AND members.project_id = projections.project_grants4.project_id" +
" LEFT JOIN projections.instances ON members.instance_id = projections.instances.id")
membershipCols = []string{
"user_id",
@@ -461,7 +462,7 @@ func Test_MembershipPrepares(t *testing.T) {
func prepareMembershipWrapper() func() (sq.SelectBuilder, func(*sql.Rows) (*Memberships, error)) {
return func() (sq.SelectBuilder, func(*sql.Rows) (*Memberships, error)) {
builder, _, fun := prepareMembershipsQuery(&MembershipSearchQuery{})
builder, _, fun := prepareMembershipsQuery(context.Background(), &MembershipSearchQuery{}, false)
return builder, fun
}
}

39
internal/query/user_metadata.go
View File

@@ -4,12 +4,14 @@ import (
"context"
"database/sql"
"errors"
"slices"
"time"
sq "github.com/Masterminds/squirrel"
"github.com/zitadel/logging"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
"github.com/zitadel/zitadel/internal/query/projection"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
@@ -36,6 +38,28 @@ type UserMetadataSearchQueries struct {
Queries []SearchQuery
}
func userMetadataCheckPermission(ctx context.Context, userMetadataList *UserMetadataList, permissionCheck domain.PermissionCheck) {
userMetadataList.Metadata = slices.DeleteFunc(userMetadataList.Metadata,
func(userMetadata *UserMetadata) bool {
return userCheckPermission(ctx, userMetadata.ResourceOwner, userMetadata.UserID, permissionCheck) != nil
},
)
}
func userMetadataPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled bool, queries *UserMetadataSearchQueries) sq.SelectBuilder {
if !enabled {
return query
}
join, args := PermissionClause(
ctx,
UserMetadataResourceOwnerCol,
domain.PermissionUserRead,
SingleOrgPermissionOption(queries.Queries),
OwnedRowsPermissionOption(UserMetadataUserIDCol),
)
return query.JoinClause(join, args...)
}
var (
userMetadataTable = table{
name: projection.UserMetadataProjectionTable,
@@ -139,7 +163,19 @@ func (q *Queries) SearchUserMetadataForUsers(ctx context.Context, shouldTriggerB
return metadata, err
}
func (q *Queries) SearchUserMetadata(ctx context.Context, shouldTriggerBulk bool, userID string, queries *UserMetadataSearchQueries, withOwnerRemoved bool) (metadata *UserMetadataList, err error) {
func (q *Queries) SearchUserMetadata(ctx context.Context, shouldTriggerBulk bool, userID string, queries *UserMetadataSearchQueries, permissionCheck domain.PermissionCheck) (metadata *UserMetadataList, err error) {
permissionCheckV2 := PermissionV2(ctx, permissionCheck)
users, err := q.searchUserMetadata(ctx, shouldTriggerBulk, userID, queries, permissionCheckV2)
if err != nil {
return nil, err
}
if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
userMetadataCheckPermission(ctx, users, permissionCheck)
}
return users, nil
}
func (q *Queries) searchUserMetadata(ctx context.Context, shouldTriggerBulk bool, userID string, queries *UserMetadataSearchQueries, permissionCheckV2 bool) (metadata *UserMetadataList, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
@@ -151,6 +187,7 @@ func (q *Queries) SearchUserMetadata(ctx context.Context, shouldTriggerBulk bool
}
query, scan := prepareUserMetadataListQuery()
query = userMetadataPermissionCheckV2(ctx, query, permissionCheckV2, queries)
eq := sq.Eq{
UserMetadataUserIDCol.identifier(): userID,
UserMetadataInstanceIDCol.identifier(): authz.GetInstance(ctx).InstanceID(),