feat(permissions): project member permission filter (#9757)

# Which Problems Are Solved Add the possibility to filter project resources based on project member roles. # How the Problems Are Solved Extend and refactor existing Pl/PgSQL functions to implement the following: - Solve O(n) complexity in returned resources IDs by returning a boolean filter for instance level permissions. - Individually permitted orgs are returned only if there was no instance permission - Individually permitted projects are returned only if there was no instance permission - Because of the multiple filter terms, use `INNER JOIN`s instead of `WHERE` clauses. # Additional Changes - system permission function no longer query the organization view and therefore can be `immutable`, giving big performance benefits for frequently reused system users. (like our hosted login in Zitadel cloud) - The permitted org and project functions are now defined as `stable` because the don't modify on-disk data. This might give a small performance gain - The Pl/PgSQL functions are now tested using Go unit tests. # Additional Context - Depends on https://github.com/zitadel/zitadel/pull/9677 - Part of https://github.com/zitadel/zitadel/issues/9188 - Closes https://github.com/zitadel/zitadel/issues/9190
2025-08-11 19:07:30 +00:00 · 2025-04-22 11:42:59 +03:00
parent 618143931b
commit 658ca3606b
18 changed files with 1403 additions and 225 deletions
--- a/internal/query/permission_test.go
+++ b/internal/query/permission_test.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"testing"

-	sq "github.com/Masterminds/squirrel"
+	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"

 	"github.com/zitadel/zitadel/internal/api/authz"
@@ -38,30 +38,29 @@ func TestPermissionClause(t *testing.T) {
 		options    []PermissionOption
 	}
 	tests := []struct {
-		name       string
-		args       args
-		wantClause sq.Or
+		name     string
+		args     args
+		wantSql  string
+		wantArgs []any
 	}{
 		{
-			name: "no options",
+			name: "org, no options",
 			args: args{
 				ctx:        ctx,
 				orgIDCol:   UserResourceOwnerCol,
 				permission: "permission1",
 			},
-			wantClause: sq.Or{
-				sq.Expr(
-					"projections.users14.resource_owner = ANY(eventstore.permitted_orgs(?, ?, ?, ?, ?))",
-					"instanceID",
-					"userID",
-					database.NewJSONArray(permissions),
-					"permission1",
-					"",
-				),
+			wantSql: "INNER JOIN eventstore.permitted_orgs(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.users14.resource_owner = ANY(permissions.org_ids))",
+			wantArgs: []any{
+				"instanceID",
+				"userID",
+				database.NewJSONArray(permissions),
+				"permission1",
+				(*string)(nil),
 			},
 		},
 		{
-			name: "owned rows option",
+			name: "org, owned rows option",
 			args: args{
 				ctx:        ctx,
 				orgIDCol:   UserResourceOwnerCol,
@@ -70,20 +69,18 @@ func TestPermissionClause(t *testing.T) {
 					OwnedRowsPermissionOption(UserIDCol),
 				},
 			},
-			wantClause: sq.Or{
-				sq.Expr(
-					"projections.users14.resource_owner = ANY(eventstore.permitted_orgs(?, ?, ?, ?, ?))",
-					"instanceID",
-					"userID",
-					database.NewJSONArray(permissions),
-					"permission1",
-					"",
-				),
-				sq.Eq{"projections.users14.id": "userID"},
+			wantSql: "INNER JOIN eventstore.permitted_orgs(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.users14.resource_owner = ANY(permissions.org_ids) OR projections.users14.id = ?)",
+			wantArgs: []any{
+				"instanceID",
+				"userID",
+				database.NewJSONArray(permissions),
+				"permission1",
+				(*string)(nil),
+				"userID",
 			},
 		},
 		{
-			name: "connection rows option",
+			name: "org, connection rows option",
 			args: args{
 				ctx:        ctx,
 				orgIDCol:   UserResourceOwnerCol,
@@ -93,21 +90,19 @@ func TestPermissionClause(t *testing.T) {
 					ConnectionPermissionOption(UserStateCol, "bar"),
 				},
 			},
-			wantClause: sq.Or{
-				sq.Expr(
-					"projections.users14.resource_owner = ANY(eventstore.permitted_orgs(?, ?, ?, ?, ?))",
-					"instanceID",
-					"userID",
-					database.NewJSONArray(permissions),
-					"permission1",
-					"",
-				),
-				sq.Eq{"projections.users14.id": "userID"},
-				sq.Eq{"projections.users14.state": "bar"},
+			wantSql: "INNER JOIN eventstore.permitted_orgs(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.users14.resource_owner = ANY(permissions.org_ids) OR projections.users14.id = ? OR projections.users14.state = ?)",
+			wantArgs: []any{
+				"instanceID",
+				"userID",
+				database.NewJSONArray(permissions),
+				"permission1",
+				(*string)(nil),
+				"userID",
+				"bar",
 			},
 		},
 		{
-			name: "single org option",
+			name: "org, with ID",
 			args: args{
 				ctx:        ctx,
 				orgIDCol:   UserResourceOwnerCol,
@@ -119,22 +114,62 @@ func TestPermissionClause(t *testing.T) {
 					}),
 				},
 			},
-			wantClause: sq.Or{
-				sq.Expr(
-					"projections.users14.resource_owner = ANY(eventstore.permitted_orgs(?, ?, ?, ?, ?))",
-					"instanceID",
-					"userID",
-					database.NewJSONArray(permissions),
-					"permission1",
-					"orgID",
-				),
+			wantSql: "INNER JOIN eventstore.permitted_orgs(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.users14.resource_owner = ANY(permissions.org_ids))",
+			wantArgs: []any{
+				"instanceID",
+				"userID",
+				database.NewJSONArray(permissions),
+				"permission1",
+				gu.Ptr("orgID"),
+			},
+		},
+		{
+			name: "project",
+			args: args{
+				ctx:        ctx,
+				orgIDCol:   ProjectColumnResourceOwner,
+				permission: "permission1",
+				options: []PermissionOption{
+					WithProjectsPermissionOption(ProjectColumnID),
+				},
+			},
+			wantSql: "INNER JOIN eventstore.permitted_projects(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.projects4.resource_owner = ANY(permissions.org_ids) OR projections.projects4.id = ANY(permissions.project_ids))",
+			wantArgs: []any{
+				"instanceID",
+				"userID",
+				database.NewJSONArray(permissions),
+				"permission1",
+				(*string)(nil),
+			},
+		},
+		{
+			name: "project, single org",
+			args: args{
+				ctx:        ctx,
+				orgIDCol:   ProjectColumnResourceOwner,
+				permission: "permission1",
+				options: []PermissionOption{
+					WithProjectsPermissionOption(ProjectColumnID),
+					SingleOrgPermissionOption([]SearchQuery{
+						mustSearchQuery(NewProjectResourceOwnerSearchQuery("orgID")),
+					}),
+				},
+			},
+			wantSql: "INNER JOIN eventstore.permitted_projects(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.projects4.resource_owner = ANY(permissions.org_ids) OR projections.projects4.id = ANY(permissions.project_ids))",
+			wantArgs: []any{
+				"instanceID",
+				"userID",
+				database.NewJSONArray(permissions),
+				"permission1",
+				gu.Ptr("orgID"),
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			gotClause := PermissionClause(tt.args.ctx, tt.args.orgIDCol, tt.args.permission, tt.args.options...)
-			assert.Equal(t, tt.wantClause, gotClause)
+			gotSql, gotArgs := PermissionClause(tt.args.ctx, tt.args.orgIDCol, tt.args.permission, tt.args.options...)
+			assert.Equal(t, tt.wantSql, gotSql)
+			assert.Equal(t, tt.wantArgs, gotArgs)
 		})
 	}
 }