feat: add personal access tokens for service users (#2974)

* feat: add machine tokens * fix test * rename to pat * fix merge and tests * fix scopes * fix migration version * fix test * Update internal/repository/user/personal_access_token.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-12 03:57:32 +00:00 · 2022-02-08 09:37:28 +01:00
parent 3bf9adece5
commit 699fdaf68e
32 changed files with 1838 additions and 30 deletions
--- a/internal/query/projection/projection.go
+++ b/internal/query/projection/projection.go
@@ -64,6 +64,7 @@ func Start(ctx context.Context, sqlClient *sql.DB, es *eventstore.Eventstore, co
 	NewProjectMemberProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["project_members"]))
 	NewProjectGrantMemberProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["project_grant_members"]))
 	NewAuthNKeyProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["authn_keys"]))
+	NewPersonalAccessTokenProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["personal_access_tokens"]))
 	NewUserGrantProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["user_grants"]))
 	NewUserMetadataProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["user_metadata"]))
 	NewUserAuthMethodProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["user_auth_method"]))
--- a/internal/query/projection/user_personal_access_token.go
+++ b/internal/query/projection/user_personal_access_token.go
@@ -0,0 +1,112 @@
+package projection
+
+import (
+	"context"
+
+	"github.com/caos/logging"
+	"github.com/lib/pq"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/handler"
+	"github.com/caos/zitadel/internal/eventstore/handler/crdb"
+	"github.com/caos/zitadel/internal/repository/user"
+)
+
+type PersonalAccessTokenProjection struct {
+	crdb.StatementHandler
+}
+
+const (
+	PersonalAccessTokenProjectionTable = "zitadel.projections.personal_access_tokens"
+)
+
+func NewPersonalAccessTokenProjection(ctx context.Context, config crdb.StatementHandlerConfig) *PersonalAccessTokenProjection {
+	p := &PersonalAccessTokenProjection{}
+	config.ProjectionName = PersonalAccessTokenProjectionTable
+	config.Reducers = p.reducers()
+	p.StatementHandler = crdb.NewStatementHandler(ctx, config)
+	return p
+}
+
+func (p *PersonalAccessTokenProjection) reducers() []handler.AggregateReducer {
+	return []handler.AggregateReducer{
+		{
+			Aggregate: user.AggregateType,
+			EventRedusers: []handler.EventReducer{
+				{
+					Event:  user.PersonalAccessTokenAddedType,
+					Reduce: p.reducePersonalAccessTokenAdded,
+				},
+				{
+					Event:  user.PersonalAccessTokenRemovedType,
+					Reduce: p.reducePersonalAccessTokenRemoved,
+				},
+				{
+					Event:  user.UserRemovedType,
+					Reduce: p.reduceUserRemoved,
+				},
+			},
+		},
+	}
+}
+
+const (
+	PersonalAccessTokenColumnID            = "id"
+	PersonalAccessTokenColumnCreationDate  = "creation_date"
+	PersonalAccessTokenColumnChangeDate    = "change_date"
+	PersonalAccessTokenColumnResourceOwner = "resource_owner"
+	PersonalAccessTokenColumnSequence      = "sequence"
+	PersonalAccessTokenColumnUserID        = "user_id"
+	PersonalAccessTokenColumnExpiration    = "expiration"
+	PersonalAccessTokenColumnScopes        = "scopes"
+)
+
+func (p *PersonalAccessTokenProjection) reducePersonalAccessTokenAdded(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.PersonalAccessTokenAddedEvent)
+	if !ok {
+		logging.LogWithFields("HANDL-Dbfg2", "seq", event.Sequence(), "expectedType", user.PersonalAccessTokenAddedType).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-DVgf7", "reduce.wrong.event.type")
+	}
+	return crdb.NewCreateStatement(
+		e,
+		[]handler.Column{
+			handler.NewCol(PersonalAccessTokenColumnID, e.TokenID),
+			handler.NewCol(PersonalAccessTokenColumnCreationDate, e.CreationDate()),
+			handler.NewCol(PersonalAccessTokenColumnChangeDate, e.CreationDate()),
+			handler.NewCol(PersonalAccessTokenColumnResourceOwner, e.Aggregate().ResourceOwner),
+			handler.NewCol(PersonalAccessTokenColumnSequence, e.Sequence()),
+			handler.NewCol(PersonalAccessTokenColumnUserID, e.Aggregate().ID),
+			handler.NewCol(PersonalAccessTokenColumnExpiration, e.Expiration),
+			handler.NewCol(PersonalAccessTokenColumnScopes, pq.StringArray(e.Scopes)),
+		},
+	), nil
+}
+
+func (p *PersonalAccessTokenProjection) reducePersonalAccessTokenRemoved(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.PersonalAccessTokenRemovedEvent)
+	if !ok {
+		logging.LogWithFields("HANDL-Edf32", "seq", event.Sequence(), "expectedType", user.PersonalAccessTokenRemovedType).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-g7u3F", "reduce.wrong.event.type")
+	}
+	return crdb.NewDeleteStatement(
+		e,
+		[]handler.Condition{
+			handler.NewCond(PersonalAccessTokenColumnID, e.TokenID),
+		},
+	), nil
+}
+
+func (p *PersonalAccessTokenProjection) reduceUserRemoved(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.UserRemovedEvent)
+	if !ok {
+		logging.LogWithFields("HANDL-GEg43", "seq", event.Sequence(), "expectedType", user.UserRemovedType).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-Dff3h", "reduce.wrong.event.type")
+	}
+	return crdb.NewDeleteStatement(
+		e,
+		[]handler.Condition{
+			handler.NewCond(PersonalAccessTokenColumnUserID, e.Aggregate().ID),
+		},
+	), nil
+}
--- a/internal/query/projection/user_personal_access_token_test.go
+++ b/internal/query/projection/user_personal_access_token_test.go
@@ -0,0 +1,128 @@
+package projection
+
+import (
+	"testing"
+	"time"
+
+	"github.com/lib/pq"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/handler"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/user"
+)
+
+func TestPersonalAccessTokenProjection_reduces(t *testing.T) {
+	type args struct {
+		event func(t *testing.T) eventstore.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		reduce func(event eventstore.Event) (*handler.Statement, error)
+		want   wantReduce
+	}{
+		{
+			name: "reducePersonalAccessTokenAdded",
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(user.PersonalAccessTokenAddedType),
+					user.AggregateType,
+					[]byte(`{"tokenId": "tokenID", "expiration": "9999-12-31T23:59:59Z", "scopes": ["openid"]}`),
+				), user.PersonalAccessTokenAddedEventMapper),
+			},
+			reduce: (&PersonalAccessTokenProjection{}).reducePersonalAccessTokenAdded,
+			want: wantReduce{
+				projection:       PersonalAccessTokenProjectionTable,
+				aggregateType:    eventstore.AggregateType("user"),
+				sequence:         15,
+				previousSequence: 10,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "INSERT INTO zitadel.projections.personal_access_tokens (id, creation_date, change_date, resource_owner, sequence, user_id, expiration, scopes) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
+							expectedArgs: []interface{}{
+								"tokenID",
+								anyArg{},
+								anyArg{},
+								"ro-id",
+								uint64(15),
+								"agg-id",
+								time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
+								pq.StringArray{"openid"},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "reducePersonalAccessTokenRemoved",
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(user.PersonalAccessTokenRemovedType),
+					user.AggregateType,
+					[]byte(`{"tokenId": "tokenID"}`),
+				), user.PersonalAccessTokenRemovedEventMapper),
+			},
+			reduce: (&PersonalAccessTokenProjection{}).reducePersonalAccessTokenRemoved,
+			want: wantReduce{
+				projection:       PersonalAccessTokenProjectionTable,
+				aggregateType:    eventstore.AggregateType("user"),
+				sequence:         15,
+				previousSequence: 10,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "DELETE FROM zitadel.projections.personal_access_tokens WHERE (id = $1)",
+							expectedArgs: []interface{}{
+								"tokenID",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "reduceUserRemoved",
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(user.PersonalAccessTokenRemovedType),
+					user.AggregateType,
+					nil,
+				), user.UserRemovedEventMapper),
+			},
+			reduce: (&PersonalAccessTokenProjection{}).reduceUserRemoved,
+			want: wantReduce{
+				projection:       PersonalAccessTokenProjectionTable,
+				aggregateType:    eventstore.AggregateType("user"),
+				sequence:         15,
+				previousSequence: 10,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "DELETE FROM zitadel.projections.personal_access_tokens WHERE (user_id = $1)",
+							expectedArgs: []interface{}{
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			event := baseEvent(t)
+			got, err := tt.reduce(event)
+			if _, ok := err.(errors.InvalidArgument); !ok {
+				t.Errorf("no wrong event mapping: %v, got: %v", err, got)
+			}
+
+			event = tt.args.event(t)
+			got, err = tt.reduce(event)
+			assertReduce(t, got, err, tt.want)
+		})
+	}
+}
--- a/internal/query/user_personal_access_token.go
+++ b/internal/query/user_personal_access_token.go
@@ -0,0 +1,219 @@
+package query
+
+import (
+	"context"
+	"database/sql"
+	errs "errors"
+	"time"
+
+	sq "github.com/Masterminds/squirrel"
+	"github.com/lib/pq"
+
+	"github.com/caos/zitadel/internal/query/projection"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+var (
+	personalAccessTokensTable = table{
+		name: projection.PersonalAccessTokenProjectionTable,
+	}
+	PersonalAccessTokenColumnID = Column{
+		name:  projection.PersonalAccessTokenColumnID,
+		table: personalAccessTokensTable,
+	}
+	PersonalAccessTokenColumnUserID = Column{
+		name:  projection.PersonalAccessTokenColumnUserID,
+		table: personalAccessTokensTable,
+	}
+	PersonalAccessTokenColumnExpiration = Column{
+		name:  projection.PersonalAccessTokenColumnExpiration,
+		table: personalAccessTokensTable,
+	}
+	PersonalAccessTokenColumnScopes = Column{
+		name:  projection.PersonalAccessTokenColumnScopes,
+		table: personalAccessTokensTable,
+	}
+	PersonalAccessTokenColumnCreationDate = Column{
+		name:  projection.PersonalAccessTokenColumnCreationDate,
+		table: personalAccessTokensTable,
+	}
+	PersonalAccessTokenColumnChangeDate = Column{
+		name:  projection.PersonalAccessTokenColumnChangeDate,
+		table: personalAccessTokensTable,
+	}
+	PersonalAccessTokenColumnResourceOwner = Column{
+		name:  projection.PersonalAccessTokenColumnResourceOwner,
+		table: personalAccessTokensTable,
+	}
+	PersonalAccessTokenColumnSequence = Column{
+		name:  projection.PersonalAccessTokenColumnSequence,
+		table: personalAccessTokensTable,
+	}
+)
+
+type PersonalAccessTokens struct {
+	SearchResponse
+	PersonalAccessTokens []*PersonalAccessToken
+}
+
+type PersonalAccessToken struct {
+	ID            string
+	CreationDate  time.Time
+	ChangeDate    time.Time
+	ResourceOwner string
+	Sequence      uint64
+
+	UserID     string
+	Expiration time.Time
+	Scopes     []string
+}
+
+type PersonalAccessTokenSearchQueries struct {
+	SearchRequest
+	Queries []SearchQuery
+}
+
+func (q *Queries) PersonalAccessTokenByID(ctx context.Context, id string, queries ...SearchQuery) (*PersonalAccessToken, error) {
+	query, scan := preparePersonalAccessTokenQuery()
+	for _, q := range queries {
+		query = q.toQuery(query)
+	}
+	stmt, args, err := query.Where(sq.Eq{
+		PersonalAccessTokenColumnID.identifier(): id,
+	}).ToSql()
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "QUERY-Dgfb4", "Errors.Query.SQLStatment")
+	}
+
+	row := q.client.QueryRowContext(ctx, stmt, args...)
+	return scan(row)
+}
+
+func (q *Queries) SearchPersonalAccessTokens(ctx context.Context, queries *PersonalAccessTokenSearchQueries) (personalAccessTokens *PersonalAccessTokens, err error) {
+	query, scan := preparePersonalAccessTokensQuery()
+	stmt, args, err := queries.toQuery(query).ToSql()
+	if err != nil {
+		return nil, errors.ThrowInvalidArgument(err, "QUERY-Hjw2w", "Errors.Query.InvalidRequest")
+	}
+
+	rows, err := q.client.QueryContext(ctx, stmt, args...)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "QUERY-Bmz63", "Errors.Internal")
+	}
+	personalAccessTokens, err = scan(rows)
+	if err != nil {
+		return nil, err
+	}
+	personalAccessTokens.LatestSequence, err = q.latestSequence(ctx, personalAccessTokensTable)
+	return personalAccessTokens, err
+}
+
+func NewPersonalAccessTokenResourceOwnerSearchQuery(value string) (SearchQuery, error) {
+	return NewTextQuery(PersonalAccessTokenColumnResourceOwner, value, TextEquals)
+}
+
+func NewPersonalAccessTokenUserIDSearchQuery(value string) (SearchQuery, error) {
+	return NewTextQuery(PersonalAccessTokenColumnUserID, value, TextEquals)
+}
+
+func (r *PersonalAccessTokenSearchQueries) AppendMyResourceOwnerQuery(orgID string) error {
+	query, err := NewPersonalAccessTokenResourceOwnerSearchQuery(orgID)
+	if err != nil {
+		return err
+	}
+	r.Queries = append(r.Queries, query)
+	return nil
+}
+
+func (q *PersonalAccessTokenSearchQueries) toQuery(query sq.SelectBuilder) sq.SelectBuilder {
+	query = q.SearchRequest.toQuery(query)
+	for _, q := range q.Queries {
+		query = q.toQuery(query)
+	}
+	return query
+}
+
+func preparePersonalAccessTokenQuery() (sq.SelectBuilder, func(*sql.Row) (*PersonalAccessToken, error)) {
+	return sq.Select(
+			PersonalAccessTokenColumnID.identifier(),
+			PersonalAccessTokenColumnCreationDate.identifier(),
+			PersonalAccessTokenColumnChangeDate.identifier(),
+			PersonalAccessTokenColumnResourceOwner.identifier(),
+			PersonalAccessTokenColumnSequence.identifier(),
+			PersonalAccessTokenColumnUserID.identifier(),
+			PersonalAccessTokenColumnExpiration.identifier(),
+			PersonalAccessTokenColumnScopes.identifier()).
+			From(personalAccessTokensTable.identifier()).PlaceholderFormat(sq.Dollar),
+		func(row *sql.Row) (*PersonalAccessToken, error) {
+			p := new(PersonalAccessToken)
+			scopes := pq.StringArray{}
+			err := row.Scan(
+				&p.ID,
+				&p.CreationDate,
+				&p.ChangeDate,
+				&p.ResourceOwner,
+				&p.Sequence,
+				&p.UserID,
+				&p.Expiration,
+				&scopes,
+			)
+			p.Scopes = scopes
+			if err != nil {
+				if errs.Is(err, sql.ErrNoRows) {
+					return nil, errors.ThrowNotFound(err, "QUERY-fk2fs", "Errors.PersonalAccessToken.NotFound")
+				}
+				return nil, errors.ThrowInternal(err, "QUERY-dj2FF", "Errors.Internal")
+			}
+			return p, nil
+		}
+}
+
+func preparePersonalAccessTokensQuery() (sq.SelectBuilder, func(*sql.Rows) (*PersonalAccessTokens, error)) {
+	return sq.Select(
+			PersonalAccessTokenColumnID.identifier(),
+			PersonalAccessTokenColumnCreationDate.identifier(),
+			PersonalAccessTokenColumnChangeDate.identifier(),
+			PersonalAccessTokenColumnResourceOwner.identifier(),
+			PersonalAccessTokenColumnSequence.identifier(),
+			PersonalAccessTokenColumnUserID.identifier(),
+			PersonalAccessTokenColumnExpiration.identifier(),
+			PersonalAccessTokenColumnScopes.identifier(),
+			countColumn.identifier()).
+			From(personalAccessTokensTable.identifier()).PlaceholderFormat(sq.Dollar),
+		func(rows *sql.Rows) (*PersonalAccessTokens, error) {
+			personalAccessTokens := make([]*PersonalAccessToken, 0)
+			var count uint64
+			for rows.Next() {
+				token := new(PersonalAccessToken)
+				scopes := pq.StringArray{}
+				err := rows.Scan(
+					&token.ID,
+					&token.CreationDate,
+					&token.ChangeDate,
+					&token.ResourceOwner,
+					&token.Sequence,
+					&token.UserID,
+					&token.Expiration,
+					&scopes,
+					&count,
+				)
+				if err != nil {
+					return nil, err
+				}
+				token.Scopes = scopes
+				personalAccessTokens = append(personalAccessTokens, token)
+			}
+
+			if err := rows.Close(); err != nil {
+				return nil, errors.ThrowInternal(err, "QUERY-QMXJv", "Errors.Query.CloseRows")
+			}
+
+			return &PersonalAccessTokens{
+				PersonalAccessTokens: personalAccessTokens,
+				SearchResponse: SearchResponse{
+					Count: count,
+				},
+			}, nil
+		}
+}
--- a/internal/query/user_personal_access_token_test.go
+++ b/internal/query/user_personal_access_token_test.go
@@ -0,0 +1,271 @@
+package query
+
+import (
+	"database/sql"
+	"database/sql/driver"
+	"errors"
+	"fmt"
+	"regexp"
+	"testing"
+	"time"
+
+	"github.com/lib/pq"
+
+	errs "github.com/caos/zitadel/internal/errors"
+)
+
+var (
+	personalAccessTokenStmt = regexp.QuoteMeta(
+		"SELECT zitadel.projections.personal_access_tokens.id," +
+			" zitadel.projections.personal_access_tokens.creation_date," +
+			" zitadel.projections.personal_access_tokens.change_date," +
+			" zitadel.projections.personal_access_tokens.resource_owner," +
+			" zitadel.projections.personal_access_tokens.sequence," +
+			" zitadel.projections.personal_access_tokens.user_id," +
+			" zitadel.projections.personal_access_tokens.expiration," +
+			" zitadel.projections.personal_access_tokens.scopes" +
+			" FROM zitadel.projections.personal_access_tokens")
+	personalAccessTokenCols = []string{
+		"id",
+		"creation_date",
+		"change_date",
+		"resource_owner",
+		"sequence",
+		"user_id",
+		"expiration",
+		"scopes",
+	}
+	personalAccessTokensStmt = regexp.QuoteMeta(
+		"SELECT zitadel.projections.personal_access_tokens.id," +
+			" zitadel.projections.personal_access_tokens.creation_date," +
+			" zitadel.projections.personal_access_tokens.change_date," +
+			" zitadel.projections.personal_access_tokens.resource_owner," +
+			" zitadel.projections.personal_access_tokens.sequence," +
+			" zitadel.projections.personal_access_tokens.user_id," +
+			" zitadel.projections.personal_access_tokens.expiration," +
+			" zitadel.projections.personal_access_tokens.scopes," +
+			" COUNT(*) OVER ()" +
+			" FROM zitadel.projections.personal_access_tokens")
+	personalAccessTokensCols = []string{
+		"id",
+		"creation_date",
+		"change_date",
+		"resource_owner",
+		"sequence",
+		"user_id",
+		"expiration",
+		"scopes",
+		"count",
+	}
+)
+
+func Test_PersonalAccessTokenPrepares(t *testing.T) {
+	type want struct {
+		sqlExpectations sqlExpectation
+		err             checkErr
+	}
+	tests := []struct {
+		name    string
+		prepare interface{}
+		want    want
+		object  interface{}
+	}{
+		{
+			name:    "preparePersonalAccessTokenQuery no result",
+			prepare: preparePersonalAccessTokenQuery,
+			want: want{
+				sqlExpectations: mockQuery(
+					personalAccessTokenStmt,
+					nil,
+					nil,
+				),
+				err: func(err error) (error, bool) {
+					if !errs.IsNotFound(err) {
+						return fmt.Errorf("err should be zitadel.NotFoundError got: %w", err), false
+					}
+					return nil, true
+				},
+			},
+			object: (*PersonalAccessToken)(nil),
+		},
+		{
+			name:    "preparePersonalAccessTokenQuery found",
+			prepare: preparePersonalAccessTokenQuery,
+			want: want{
+				sqlExpectations: mockQuery(
+					personalAccessTokenStmt,
+					personalAccessTokenCols,
+					[]driver.Value{
+						"token-id",
+						testNow,
+						testNow,
+						"ro",
+						uint64(20211202),
+						"user-id",
+						time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
+						pq.StringArray{"openid"},
+					},
+				),
+			},
+			object: &PersonalAccessToken{
+				ID:            "token-id",
+				CreationDate:  testNow,
+				ChangeDate:    testNow,
+				ResourceOwner: "ro",
+				Sequence:      20211202,
+				UserID:        "user-id",
+				Expiration:    time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
+				Scopes:        []string{"openid"},
+			},
+		},
+		{
+			name:    "preparePersonalAccessTokenQuery sql err",
+			prepare: preparePersonalAccessTokenQuery,
+			want: want{
+				sqlExpectations: mockQueryErr(
+					personalAccessTokenStmt,
+					sql.ErrConnDone,
+				),
+				err: func(err error) (error, bool) {
+					if !errors.Is(err, sql.ErrConnDone) {
+						return fmt.Errorf("err should be sql.ErrConnDone got: %w", err), false
+					}
+					return nil, true
+				},
+			},
+			object: nil,
+		},
+		{
+			name:    "preparePersonalAccessTokensQuery no result",
+			prepare: preparePersonalAccessTokensQuery,
+			want: want{
+				sqlExpectations: mockQueries(
+					personalAccessTokensStmt,
+					nil,
+					nil,
+				),
+			},
+			object: &PersonalAccessTokens{PersonalAccessTokens: []*PersonalAccessToken{}},
+		},
+		{
+			name:    "preparePersonalAccessTokensQuery one token",
+			prepare: preparePersonalAccessTokensQuery,
+			want: want{
+				sqlExpectations: mockQueries(
+					personalAccessTokensStmt,
+					personalAccessTokensCols,
+					[][]driver.Value{
+						{
+							"token-id",
+							testNow,
+							testNow,
+							"ro",
+							uint64(20211202),
+							"user-id",
+							time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
+							pq.StringArray{"openid"},
+						},
+					},
+				),
+			},
+			object: &PersonalAccessTokens{
+				SearchResponse: SearchResponse{
+					Count: 1,
+				},
+				PersonalAccessTokens: []*PersonalAccessToken{
+					{
+						ID:            "token-id",
+						CreationDate:  testNow,
+						ChangeDate:    testNow,
+						ResourceOwner: "ro",
+						Sequence:      20211202,
+						UserID:        "user-id",
+						Expiration:    time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
+						Scopes:        []string{"openid"},
+					},
+				},
+			},
+		},
+		{
+			name:    "preparePersonalAccessTokensQuery multiple tokens",
+			prepare: preparePersonalAccessTokensQuery,
+			want: want{
+				sqlExpectations: mockQueries(
+					personalAccessTokensStmt,
+					personalAccessTokensCols,
+					[][]driver.Value{
+						{
+							"token-id",
+							testNow,
+							testNow,
+							"ro",
+							uint64(20211202),
+							"user-id",
+							time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
+							pq.StringArray{"openid"},
+						},
+						{
+							"token-id2",
+							testNow,
+							testNow,
+							"ro",
+							uint64(20211202),
+							"user-id",
+							time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
+							pq.StringArray{"openid"},
+						},
+					},
+				),
+			},
+			object: &PersonalAccessTokens{
+				SearchResponse: SearchResponse{
+					Count: 2,
+				},
+				PersonalAccessTokens: []*PersonalAccessToken{
+					{
+						ID:            "token-id",
+						CreationDate:  testNow,
+						ChangeDate:    testNow,
+						ResourceOwner: "ro",
+						Sequence:      20211202,
+						UserID:        "user-id",
+						Expiration:    time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
+						Scopes:        []string{"openid"},
+					},
+					{
+						ID:            "token-id2",
+						CreationDate:  testNow,
+						ChangeDate:    testNow,
+						ResourceOwner: "ro",
+						Sequence:      20211202,
+						UserID:        "user-id",
+						Expiration:    time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
+						Scopes:        []string{"openid"},
+					},
+				},
+			},
+		},
+		{
+			name:    "preparePersonalAccessTokensQuery sql err",
+			prepare: preparePersonalAccessTokensQuery,
+			want: want{
+				sqlExpectations: mockQueryErr(
+					personalAccessTokensStmt,
+					sql.ErrConnDone,
+				),
+				err: func(err error) (error, bool) {
+					if !errors.Is(err, sql.ErrConnDone) {
+						return fmt.Errorf("err should be sql.ErrConnDone got: %w", err), false
+					}
+					return nil, true
+				},
+			},
+			object: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assertPrepare(t, tt.prepare, tt.object, tt.want.sqlExpectations, tt.want.err)
+		})
+	}
+}