feat: add personal access tokens for service users (#2974)

* feat: add machine tokens * fix test * rename to pat * fix merge and tests * fix scopes * fix migration version * fix test * Update internal/repository/user/personal_access_token.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-12 00:27:31 +00:00 · 2022-02-08 09:37:28 +01:00
parent 3bf9adece5
commit 699fdaf68e
32 changed files with 1838 additions and 30 deletions
--- a/internal/command/user_personal_access_token.go
+++ b/internal/command/user_personal_access_token.go
@@ -0,0 +1,92 @@
+package command
+
+import (
+	"context"
+	"time"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/repository/user"
+	"github.com/caos/zitadel/internal/telemetry/tracing"
+)
+
+func (c *Commands) AddPersonalAccessToken(ctx context.Context, userID, resourceOwner string, expirationDate time.Time, scopes []string, allowedUserType domain.UserType) (*domain.Token, string, error) {
+	userWriteModel, err := c.userWriteModelByID(ctx, userID, resourceOwner)
+	if err != nil {
+		return nil, "", err
+	}
+	if !isUserStateExists(userWriteModel.UserState) {
+		return nil, "", errors.ThrowPreconditionFailed(nil, "COMMAND-Dggw2", "Errors.User.NotFound")
+	}
+	if allowedUserType != domain.UserTypeUnspecified && userWriteModel.UserType != allowedUserType {
+		return nil, "", errors.ThrowPreconditionFailed(nil, "COMMAND-Df2f1", "Errors.User.WrongType")
+	}
+	tokenID, err := c.idGenerator.Next()
+	if err != nil {
+		return nil, "", err
+	}
+	tokenWriteModel := NewPersonalAccessTokenWriteModel(userID, tokenID, resourceOwner)
+	err = c.eventstore.FilterToQueryReducer(ctx, tokenWriteModel)
+	if err != nil {
+		return nil, "", err
+	}
+
+	expirationDate, err = domain.ValidateExpirationDate(expirationDate)
+	if err != nil {
+		return nil, "", err
+	}
+
+	events, err := c.eventstore.Push(ctx,
+		user.NewPersonalAccessTokenAddedEvent(
+			ctx,
+			UserAggregateFromWriteModel(&tokenWriteModel.WriteModel),
+			tokenID,
+			expirationDate,
+			scopes,
+		),
+	)
+	if err != nil {
+		return nil, "", err
+	}
+	err = AppendAndReduce(tokenWriteModel, events...)
+	if err != nil {
+		return nil, "", err
+	}
+	return personalTokenWriteModelToToken(tokenWriteModel, c.keyAlgorithm)
+}
+
+func (c *Commands) RemovePersonalAccessToken(ctx context.Context, userID, tokenID, resourceOwner string) (*domain.ObjectDetails, error) {
+	tokenWriteModel, err := c.personalAccessTokenWriteModelByID(ctx, userID, tokenID, resourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	if !tokenWriteModel.Exists() {
+		return nil, errors.ThrowNotFound(nil, "COMMAND-4m77G", "Errors.User.PAT.NotFound")
+	}
+
+	pushedEvents, err := c.eventstore.Push(ctx,
+		user.NewPersonalAccessTokenRemovedEvent(ctx, UserAggregateFromWriteModel(&tokenWriteModel.WriteModel), tokenID))
+	if err != nil {
+		return nil, err
+	}
+	err = AppendAndReduce(tokenWriteModel, pushedEvents...)
+	if err != nil {
+		return nil, err
+	}
+	return writeModelToObjectDetails(&tokenWriteModel.WriteModel), nil
+}
+
+func (c *Commands) personalAccessTokenWriteModelByID(ctx context.Context, userID, tokenID, resourceOwner string) (writeModel *PersonalAccessTokenWriteModel, err error) {
+	if userID == "" {
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-4n8vs", "Errors.User.UserIDMissing")
+	}
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel = NewPersonalAccessTokenWriteModel(userID, tokenID, resourceOwner)
+	err = c.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}