Merge branch 'master' into new-eventstore

2025-08-12 01:47:33 +00:00 · 2020-11-19 17:20:09 +01:00
parent 4d6497f6c1 fcf81bed5f
commit 609c4d4f24
86 changed files with 294 additions and 113 deletions
--- a/internal/api/grpc/management/user_grant_converter.go
+++ b/internal/api/grpc/management/user_grant_converter.go
@@ -79,8 +79,8 @@ func userGrantSearchQueryToModel(query *management.UserGrantSearchQuery) *grant_

 func userGrantSearchKeyToModel(key management.UserGrantSearchKey) grant_model.UserGrantSearchKey {
 	switch key {
-	case management.UserGrantSearchKey_USERGRANTSEARCHKEY_ORG_ID:
-		return grant_model.UserGrantSearchKeyResourceOwner
+	case management.UserGrantSearchKey_USERGRANTSEARCHKEY_WITH_GRANTED:
+		return grant_model.UserGrantSearchKeyWithGranted
 	case management.UserGrantSearchKey_USERGRANTSEARCHKEY_PROJECT_ID:
 		return grant_model.UserGrantSearchKeyProjectID
 	case management.UserGrantSearchKey_USERGRANTSEARCHKEY_USER_ID:
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -109,8 +109,6 @@ func (repo *AuthRequestRepo) CreateAuthRequest(ctx context.Context, request *mod
 		return nil, err
 	}
 	request.Audience = appIDs
-	projectIDAud := request.GetScopeProjectIDsForAud()
-	request.Audience = append(request.Audience, projectIDAud...)
 	request.AppendAudIfNotExisting(app.ProjectID)
 	if request.LoginHint != "" {
 		err = repo.checkLoginName(ctx, request, request.LoginHint)
@@ -624,12 +622,16 @@ func (repo *AuthRequestRepo) usersForUserSelection(request *model.AuthRequest) (

 func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView, request *model.AuthRequest, user *user_model.UserView) (model.NextStep, bool, error) {
 	mfaLevel := request.MfaLevel()
-	promptRequired := (user.MfaMaxSetUp < mfaLevel) || !user.HasRequiredOrgMFALevel(request.LoginPolicy)
-	if promptRequired || !repo.mfaSkippedOrSetUp(user, request.LoginPolicy) {
+	allowedProviders, required := user.MfaTypesAllowed(mfaLevel, request.LoginPolicy)
+	promptRequired := (user.MfaMaxSetUp < mfaLevel) || (len(allowedProviders) == 0 && required)
+	if promptRequired || !repo.mfaSkippedOrSetUp(user) {
 		types := user.MfaTypesSetupPossible(mfaLevel, request.LoginPolicy)
 		if promptRequired && len(types) == 0 {
 			return nil, false, errors.ThrowPreconditionFailed(nil, "LOGIN-5Hm8s", "Errors.Login.LoginPolicy.MFA.ForceAndNotConfigured")
 		}
+		if len(types) == 0 {
+			return nil, true, nil
+		}
 		return &model.MfaPromptStep{
 			Required:     promptRequired,
 			MfaProviders: types,
@@ -639,7 +641,7 @@ func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView,
 	default:
 		fallthrough
 	case model.MFALevelNotSetUp:
-		if user.MfaMaxSetUp == model.MFALevelNotSetUp {
+		if len(allowedProviders) == 0 {
 			return nil, true, nil
 		}
 		fallthrough
@@ -658,11 +660,11 @@ func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView,
 		}
 	}
 	return &model.MfaVerificationStep{
-		MfaProviders: user.MfaTypesAllowed(mfaLevel, request.LoginPolicy),
+		MfaProviders: allowedProviders,
 	}, false, nil
 }

-func (repo *AuthRequestRepo) mfaSkippedOrSetUp(user *user_model.UserView, policy *iam_model.LoginPolicyView) bool {
+func (repo *AuthRequestRepo) mfaSkippedOrSetUp(user *user_model.UserView) bool {
 	if user.MfaMaxSetUp > model.MFALevelNotSetUp {
 		return true
 	}
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
@@ -909,6 +909,25 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
 			false,
 			errors.IsPreconditionFailed,
 		},
+		{
+			"not set up, no mfas configured, no prompt and true",
+			fields{
+				MfaInitSkippedLifeTime: 30 * 24 * time.Hour,
+			},
+			args{
+				request: &model.AuthRequest{
+					LoginPolicy: &iam_model.LoginPolicyView{},
+				},
+				user: &user_model.UserView{
+					HumanView: &user_model.HumanView{
+						MfaMaxSetUp: model.MFALevelNotSetUp,
+					},
+				},
+			},
+			nil,
+			true,
+			nil,
+		},
 		{
 			"not set up, prompt and false",
 			fields{
@@ -988,7 +1007,9 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
 			},
 			args{
 				request: &model.AuthRequest{
-					LoginPolicy: &iam_model.LoginPolicyView{},
+					LoginPolicy: &iam_model.LoginPolicyView{
+						SecondFactors: []iam_model.SecondFactorType{iam_model.SecondFactorTypeOTP},
+					},
 				},
 				user: &user_model.UserView{
 					HumanView: &user_model.HumanView{
@@ -1054,8 +1075,7 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
 		MfaInitSkippedLifeTime time.Duration
 	}
 	type args struct {
-		user   *user_model.UserView
-		policy *iam_model.LoginPolicyView
+		user *user_model.UserView
 	}
 	tests := []struct {
 		name   string
@@ -1072,9 +1092,6 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
 						MfaMaxSetUp: model.MFALevelSecondFactor,
 					},
 				},
-				&iam_model.LoginPolicyView{
-					SecondFactors: []iam_model.SecondFactorType{iam_model.SecondFactorTypeOTP},
-				},
 			},
 			true,
 		},
@@ -1090,9 +1107,6 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
 						MfaInitSkipped: time.Now().UTC().Add(-10 * time.Hour),
 					},
 				},
-				&iam_model.LoginPolicyView{
-					SecondFactors: []iam_model.SecondFactorType{iam_model.SecondFactorTypeOTP},
-				},
 			},
 			true,
 		},
@@ -1108,9 +1122,6 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
 						MfaInitSkipped: time.Now().UTC().Add(-40 * 24 * time.Hour),
 					},
 				},
-				&iam_model.LoginPolicyView{
-					SecondFactors: []iam_model.SecondFactorType{iam_model.SecondFactorTypeOTP},
-				},
 			},
 			false,
 		},
@@ -1120,7 +1131,7 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
 			repo := &AuthRequestRepo{
 				MfaInitSkippedLifeTime: tt.fields.MfaInitSkippedLifeTime,
 			}
-			if got := repo.mfaSkippedOrSetUp(tt.args.user, tt.args.policy); got != tt.want {
+			if got := repo.mfaSkippedOrSetUp(tt.args.user); got != tt.want {
 				t.Errorf("mfaSkippedOrSetUp() = %v, want %v", got, tt.want)
 			}
 		})
--- a/internal/auth/repository/eventsourcing/eventstore/token.go
+++ b/internal/auth/repository/eventsourcing/eventstore/token.go
@@ -3,11 +3,13 @@ package eventstore
 import (
 	"context"
 	"github.com/caos/logging"
+	auth_req_model "github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/models"
 	usr_model "github.com/caos/zitadel/internal/user/model"
 	user_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/user/repository/view/model"
+	"strings"
 	"time"

 	"github.com/caos/zitadel/internal/auth/repository/eventsourcing/view"
@@ -18,19 +20,26 @@ type TokenRepo struct {
 	View       *view.View
 }

-func (repo *TokenRepo) CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error) {
+func (repo *TokenRepo) CreateToken(ctx context.Context, agentID, clientID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error) {
 	preferredLanguage := ""
 	user, _ := repo.View.UserByID(userID)
 	if user != nil {
 		preferredLanguage = user.PreferredLanguage
 	}
+
+	for _, scope := range scopes {
+		if strings.HasPrefix(scope, auth_req_model.ProjectIDScope) && strings.HasSuffix(scope, auth_req_model.AudSuffix) {
+			audience = append(audience, strings.TrimSuffix(strings.TrimPrefix(scope, auth_req_model.ProjectIDScope), auth_req_model.AudSuffix))
+		}
+	}
+
 	now := time.Now().UTC()
 	token := &usr_model.Token{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: userID,
 		},
 		UserAgentID:       agentID,
-		ApplicationID:     applicationID,
+		ApplicationID:     clientID,
 		Audience:          audience,
 		Scopes:            scopes,
 		Expiration:        now.Add(lifetime),
@@ -82,3 +91,12 @@ func (repo *TokenRepo) TokenByID(ctx context.Context, userID, tokenID string) (*
 	}
 	return model.TokenViewToModel(token), nil
 }
+
+func AppendAudIfNotExisting(aud string, existingAud []string) []string {
+	for _, a := range existingAud {
+		if a == aud {
+			return existingAud
+		}
+	}
+	return append(existingAud, aud)
+}
--- a/internal/auth/repository/eventsourcing/handler/login_policy.go
+++ b/internal/auth/repository/eventsourcing/handler/login_policy.go
@@ -56,6 +56,8 @@ func (m *LoginPolicy) processLoginPolicy(event *models.Event) (err error) {
 			return err
 		}
 		err = policy.AppendEvent(event)
+	case model.LoginPolicyRemoved:
+		return m.view.DeleteLoginPolicy(event.AggregateID, event.Sequence)
 	default:
 		return m.view.ProcessedLoginPolicySequence(event.Sequence)
 	}
--- a/internal/auth/repository/eventsourcing/handler/user_grant.go
+++ b/internal/auth/repository/eventsourcing/handler/user_grant.go
@@ -350,6 +350,7 @@ func (u *UserGrant) fillUserData(grant *view_model.UserGrantView, user *usr_mode

 func (u *UserGrant) fillProjectData(grant *view_model.UserGrantView, project *proj_model.Project) {
 	grant.ProjectName = project.Name
+	grant.ProjectOwner = project.ResourceOwner
 }

 func (u *UserGrant) fillOrgData(grant *view_model.UserGrantView, org *org_model.Org) {
--- a/internal/auth/repository/token.go
+++ b/internal/auth/repository/token.go
@@ -7,7 +7,7 @@ import (
 )

 type TokenRepository interface {
-	CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error)
+	CreateToken(ctx context.Context, agentID, clientID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error)
 	IsTokenValid(ctx context.Context, userID, tokenID string) (bool, error)
 	TokenByID(ctx context.Context, userID, tokenID string) (*usr_model.TokenView, error)
 }
--- a/internal/eventstore/models/object.go
+++ b/internal/eventstore/models/object.go
@@ -16,6 +16,9 @@ func (o *ObjectRoot) AppendEvent(event *Event) {
 	if o.AggregateID == "" {
 		o.AggregateID = event.AggregateID
 	}
+	if o.ResourceOwner == "" {
+		o.ResourceOwner = event.ResourceOwner
+	}

 	o.ChangeDate = event.CreationDate
 	if event.PreviousSequence == 0 {
@@ -23,7 +26,6 @@ func (o *ObjectRoot) AppendEvent(event *Event) {
 	}

 	o.Sequence = event.Sequence
-	o.ResourceOwner = event.ResourceOwner
 }
 func (o *ObjectRoot) IsZero() bool {
 	return o.AggregateID == ""
--- a/internal/iam/model/iam.go
+++ b/internal/iam/model/iam.go
@@ -13,6 +13,7 @@ const (
 	Step4
 	Step5
 	Step6
+	Step7
 	//StepCount marks the the length of possible steps (StepCount-1 == last possible step)
 	StepCount
 )
--- a/internal/iam/repository/eventsourcing/eventstore.go
+++ b/internal/iam/repository/eventsourcing/eventstore.go
@@ -83,10 +83,12 @@ func (es *IAMEventstore) StartSetup(ctx context.Context, iamID string, step iam_
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-9so34", "Setup already started")
 	}

-	repoIAM := &model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: iamID}, SetUpStarted: model.Step(step)}
-	if iam != nil {
-		repoIAM.ObjectRoot = iam.ObjectRoot
+	if iam == nil {
+		iam = &iam_model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: iamID}}
 	}
+	iam.SetUpStarted = step
+	repoIAM := model.IAMFromModel(iam)
+
 	createAggregate := IAMSetupStartedAggregate(es.AggregateCreator(), repoIAM)
 	err = es_sdk.Push(ctx, es.PushAggregates, repoIAM.AppendEvents, createAggregate)
 	if err != nil {
@@ -603,31 +605,43 @@ func (es *IAMEventstore) RemoveIDPProviderFromLoginPolicy(ctx context.Context, p
 }

 func (es *IAMEventstore) AddSecondFactorToLoginPolicy(ctx context.Context, aggregateID string, mfa iam_model.SecondFactorType) (iam_model.SecondFactorType, error) {
-	if mfa == iam_model.SecondFactorTypeUnspecified {
-		return 0, caos_errs.ThrowPreconditionFailed(nil, "EVENT-1M8Js", "Errors.IAM.LoginPolicy.MFA.Unspecified")
-	}
-	iam, err := es.IAMByID(ctx, aggregateID)
+	repoIAM, addAggregate, err := es.PrepareAddSecondFactorToLoginPolicy(ctx, aggregateID, mfa)
 	if err != nil {
 		return 0, err
 	}
-	if _, m := iam.DefaultLoginPolicy.GetSecondFactor(mfa); m != 0 {
-		return 0, caos_errs.ThrowAlreadyExists(nil, "EVENT-4Rk09", "Errors.IAM.LoginPolicy.MFA.AlreadyExists")
-	}
-	repoIam := model.IAMFromModel(iam)
-	repoMFA := model.SecondFactorFromModel(mfa)
-
-	addAggregate := LoginPolicySecondFactorAddedAggregate(es.Eventstore.AggregateCreator(), repoIam, repoMFA)
-	err = es_sdk.Push(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoIAM.AppendEvents, addAggregate)
 	if err != nil {
 		return 0, err
 	}
-	es.iamCache.cacheIAM(repoIam)
-	if _, m := model.GetMFA(repoIam.DefaultLoginPolicy.SecondFactors, int32(mfa)); m != 0 {
+	es.iamCache.cacheIAM(repoIAM)
+	if _, m := model.GetMFA(repoIAM.DefaultLoginPolicy.SecondFactors, int32(mfa)); m != 0 {
 		return iam_model.SecondFactorType(m), nil
 	}
 	return 0, caos_errs.ThrowInternal(nil, "EVENT-5N9so", "Errors.Internal")
 }

+func (es *IAMEventstore) PrepareAddSecondFactorToLoginPolicy(ctx context.Context, aggregateID string, mfa iam_model.SecondFactorType) (*model.IAM, *models.Aggregate, error) {
+	if mfa == iam_model.SecondFactorTypeUnspecified {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-1M8Js", "Errors.IAM.LoginPolicy.MFA.Unspecified")
+	}
+	iam, err := es.IAMByID(ctx, aggregateID)
+	if err != nil {
+		return nil, nil, err
+	}
+	if _, m := iam.DefaultLoginPolicy.GetSecondFactor(mfa); m != 0 {
+		return nil, nil, caos_errs.ThrowAlreadyExists(nil, "EVENT-4Rk09", "Errors.IAM.LoginPolicy.MFA.AlreadyExists")
+	}
+	repoIAM := model.IAMFromModel(iam)
+	repoMFA := model.SecondFactorFromModel(mfa)
+
+	addAggregate := LoginPolicySecondFactorAddedAggregate(es.Eventstore.AggregateCreator(), repoIAM, repoMFA)
+	aggregate, err := addAggregate(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+	return repoIAM, aggregate, nil
+}
+
 func (es *IAMEventstore) RemoveSecondFactorFromLoginPolicy(ctx context.Context, aggregateID string, mfa iam_model.SecondFactorType) error {
 	if mfa == iam_model.SecondFactorTypeUnspecified {
 		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-4gJ9s", "Errors.IAM.LoginPolicy.MFA.Unspecified")
--- a/internal/management/repository/eventsourcing/eventstore/user_grant.go
+++ b/internal/management/repository/eventsourcing/eventstore/user_grant.go
@@ -2,6 +2,7 @@ package eventstore

 import (
 	"context"
+
 	"github.com/caos/logging"
 	"github.com/caos/zitadel/internal/api/authz"
 	caos_errors "github.com/caos/zitadel/internal/errors"
--- a/internal/management/repository/eventsourcing/handler/user_grant.go
+++ b/internal/management/repository/eventsourcing/handler/user_grant.go
@@ -176,6 +176,7 @@ func (u *UserGrant) fillUserData(grant *view_model.UserGrantView, user *usr_mode

 func (u *UserGrant) fillProjectData(grant *view_model.UserGrantView, project *proj_model.Project) {
 	grant.ProjectName = project.Name
+	grant.ProjectOwner = project.ResourceOwner
 }

 func (u *UserGrant) fillOrgData(grant *view_model.UserGrantView, org *org_model.Org) {
--- a/internal/setup/config.go
+++ b/internal/setup/config.go
@@ -12,6 +12,7 @@ type IAMSetUp struct {
 	Step4 *Step4
 	Step5 *Step5
 	Step6 *Step6
+	Step7 *Step7
 }

 func (setup *IAMSetUp) steps(currentDone iam_model.Step) ([]step, error) {
@@ -25,6 +26,7 @@ func (setup *IAMSetUp) steps(currentDone iam_model.Step) ([]step, error) {
 		setup.Step4,
 		setup.Step5,
 		setup.Step6,
+		setup.Step7,
 	} {
 		if step.step() <= currentDone {
 			continue
--- a/internal/setup/step7.go
+++ b/internal/setup/step7.go
@@ -0,0 +1,54 @@
+package setup
+
+import (
+	"context"
+
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_sdk "github.com/caos/zitadel/internal/eventstore/sdk"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+type Step7 struct {
+	DefaultSecondFactor iam_model.SecondFactorType
+
+	setup *Setup
+}
+
+func (step *Step7) isNil() bool {
+	return step == nil
+}
+
+func (step *Step7) step() iam_model.Step {
+	return iam_model.Step7
+}
+
+func (step *Step7) init(setup *Setup) {
+	step.setup = setup
+}
+
+func (step *Step7) execute(ctx context.Context) (*iam_model.IAM, error) {
+	iam, agg, err := step.add2FAToPolicy(ctx, step.DefaultSecondFactor)
+	if err != nil {
+		logging.Log("SETUP-ZTuS1").WithField("step", step.step()).WithError(err).Error("unable to finish setup (add default mfa to login policy)")
+		return nil, err
+	}
+	iam, agg, push, err := step.setup.IamEvents.PrepareSetupDone(ctx, iam, agg, step.step())
+	if err != nil {
+		logging.Log("SETUP-OkF8o").WithField("step", step.step()).WithError(err).Error("unable to finish setup (prepare setup done)")
+		return nil, err
+	}
+	err = es_sdk.PushAggregates(ctx, push, iam.AppendEvents, agg)
+	if err != nil {
+		logging.Log("SETUP-YbQ6T").WithField("step", step.step()).WithError(err).Error("unable to finish setup")
+		return nil, err
+	}
+	return iam_es_model.IAMToModel(iam), nil
+}
+
+func (step *Step7) add2FAToPolicy(ctx context.Context, secondFactor iam_model.SecondFactorType) (*iam_es_model.IAM, *models.Aggregate, error) {
+	logging.Log("SETUP-geMGDuZ").Info("adding 2FA to loginPolicy")
+	return step.setup.IamEvents.PrepareAddSecondFactorToLoginPolicy(ctx, step.setup.iamID, secondFactor)
+}
--- a/internal/user/model/user_view.go
+++ b/internal/user/model/user_view.go
@@ -142,10 +142,12 @@ func (u *UserView) MfaTypesSetupPossible(level req_model.MFALevel, policy *iam_m
 	return types
 }

-func (u *UserView) MfaTypesAllowed(level req_model.MFALevel, policy *iam_model.LoginPolicyView) []req_model.MFAType {
+func (u *UserView) MfaTypesAllowed(level req_model.MFALevel, policy *iam_model.LoginPolicyView) ([]req_model.MFAType, bool) {
 	types := make([]req_model.MFAType, 0)
+	required := true
 	switch level {
 	default:
+		required = policy.ForceMFA
 		fallthrough
 	case req_model.MFALevelSecondFactor:
 		if policy.HasSecondFactors() {
@@ -172,7 +174,7 @@ func (u *UserView) MfaTypesAllowed(level req_model.MFALevel, policy *iam_model.L
 		}
 		//PLANNED: add token
 	}
-	return types
+	return types, required
 }

 func (u *UserView) HasRequiredOrgMFALevel(policy *iam_model.LoginPolicyView) bool {
--- a/internal/usergrant/model/user_grant_view.go
+++ b/internal/usergrant/model/user_grant_view.go
@@ -56,6 +56,7 @@ const (
 	UserGrantSearchKeyOrgDomain
 	UserGrantSearchKeyProjectName
 	UserGrantSearchKeyDisplayName
+	UserGrantSearchKeyWithGranted
 )

 type UserGrantSearchQuery struct {
--- a/internal/usergrant/repository/view/model/user_grant.go
+++ b/internal/usergrant/repository/view/model/user_grant.go
@@ -43,6 +43,7 @@ type UserGrantView struct {
 	DisplayName      string         `json:"-" gorm:"column:display_name"`
 	Email            string         `json:"-" gorm:"column:email"`
 	ProjectName      string         `json:"-" gorm:"column:project_name"`
+	ProjectOwner     string         `json:"-" gorm:"column:project_owner"`
 	OrgName          string         `json:"-" gorm:"column:org_name"`
 	OrgPrimaryDomain string         `json:"-" gorm:"column:org_primary_domain"`
 	RoleKeys         pq.StringArray `json:"roleKeys" gorm:"column:role_keys"`
--- a/internal/usergrant/repository/view/model/user_grant_test.go
+++ b/internal/usergrant/repository/view/model/user_grant_test.go
@@ -2,12 +2,13 @@ package model

 import (
 	"encoding/json"
+	"reflect"
+	"testing"
+
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/usergrant/model"
 	es_model "github.com/caos/zitadel/internal/usergrant/repository/eventsourcing/model"
 	"github.com/lib/pq"
-	"reflect"
-	"testing"
 )

 func mockUserGrantData(grant *es_model.UserGrant) []byte {
--- a/internal/usergrant/repository/view/user_grant_view.go
+++ b/internal/usergrant/repository/view/user_grant_view.go
@@ -34,13 +34,39 @@ func UserGrantByIDs(db *gorm.DB, table, resourceOwnerID, projectID, userID strin
 }

 func SearchUserGrants(db *gorm.DB, table string, req *grant_model.UserGrantSearchRequest) ([]*model.UserGrantView, uint64, error) {
-	users := make([]*model.UserGrantView, 0)
+	grants := make([]*model.UserGrantView, 0)
+
+	var orgID string
+	var withGranted bool
+
+	for i := len(req.Queries) - 1; i >= 0; i-- {
+		shouldRemove := false
+		if req.Queries[i].Key == grant_model.UserGrantSearchKeyResourceOwner {
+			orgID = req.Queries[i].Value.(string)
+			shouldRemove = true
+		}
+		if req.Queries[i].Key == grant_model.UserGrantSearchKeyWithGranted {
+			withGranted = true
+			shouldRemove = true
+		}
+		if shouldRemove {
+			req.Queries[i] = req.Queries[len(req.Queries)-1]
+			req.Queries[len(req.Queries)-1] = nil
+			req.Queries = req.Queries[:len(req.Queries)-1]
+		}
+	}
+
+	if withGranted {
+		db = db.Where("resource_owner = ? OR project_owner = ?", orgID, orgID)
+	} else {
+		db = db.Where("resource_owner = ?", orgID)
+	}
 	query := repository.PrepareSearchQuery(table, model.UserGrantSearchRequest{Limit: req.Limit, Offset: req.Offset, Queries: req.Queries})
-	count, err := query(db, &users)
+	count, err := query(db, &grants)
 	if err != nil {
 		return nil, 0, err
 	}
-	return users, count, nil
+	return grants, count, nil
 }

 func UserGrantsByUserID(db *gorm.DB, table, userID string) ([]*model.UserGrantView, error) {
--- a/internal/view/repository/query.go
+++ b/internal/view/repository/query.go
@@ -2,6 +2,7 @@ package repository

 import (
 	"fmt"
+
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/model"
 	"github.com/jinzhu/gorm"
@@ -37,6 +38,7 @@ func PrepareSearchQuery(table string, request SearchRequest) func(db *gorm.DB, r
 			}
 			query = query.Order(fmt.Sprintf("%s %s", column.ToColumnName(), order))
 		}
+
 		for _, q := range request.GetQueries() {
 			var err error
 			query, err = SetQuery(query, q.GetKey(), q.GetValue(), q.GetMethod())