feat: add personal access tokens for service users (#2974)

* feat: add machine tokens * fix test * rename to pat * fix merge and tests * fix scopes * fix migration version * fix test * Update internal/repository/user/personal_access_token.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-12 04:57:33 +00:00 · 2022-02-08 09:37:28 +01:00
parent 3bf9adece5
commit 699fdaf68e
32 changed files with 1838 additions and 30 deletions
--- a/internal/query/projection/user_personal_access_token.go
+++ b/internal/query/projection/user_personal_access_token.go
@@ -0,0 +1,112 @@
+package projection
+
+import (
+	"context"
+
+	"github.com/caos/logging"
+	"github.com/lib/pq"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/handler"
+	"github.com/caos/zitadel/internal/eventstore/handler/crdb"
+	"github.com/caos/zitadel/internal/repository/user"
+)
+
+type PersonalAccessTokenProjection struct {
+	crdb.StatementHandler
+}
+
+const (
+	PersonalAccessTokenProjectionTable = "zitadel.projections.personal_access_tokens"
+)
+
+func NewPersonalAccessTokenProjection(ctx context.Context, config crdb.StatementHandlerConfig) *PersonalAccessTokenProjection {
+	p := &PersonalAccessTokenProjection{}
+	config.ProjectionName = PersonalAccessTokenProjectionTable
+	config.Reducers = p.reducers()
+	p.StatementHandler = crdb.NewStatementHandler(ctx, config)
+	return p
+}
+
+func (p *PersonalAccessTokenProjection) reducers() []handler.AggregateReducer {
+	return []handler.AggregateReducer{
+		{
+			Aggregate: user.AggregateType,
+			EventRedusers: []handler.EventReducer{
+				{
+					Event:  user.PersonalAccessTokenAddedType,
+					Reduce: p.reducePersonalAccessTokenAdded,
+				},
+				{
+					Event:  user.PersonalAccessTokenRemovedType,
+					Reduce: p.reducePersonalAccessTokenRemoved,
+				},
+				{
+					Event:  user.UserRemovedType,
+					Reduce: p.reduceUserRemoved,
+				},
+			},
+		},
+	}
+}
+
+const (
+	PersonalAccessTokenColumnID            = "id"
+	PersonalAccessTokenColumnCreationDate  = "creation_date"
+	PersonalAccessTokenColumnChangeDate    = "change_date"
+	PersonalAccessTokenColumnResourceOwner = "resource_owner"
+	PersonalAccessTokenColumnSequence      = "sequence"
+	PersonalAccessTokenColumnUserID        = "user_id"
+	PersonalAccessTokenColumnExpiration    = "expiration"
+	PersonalAccessTokenColumnScopes        = "scopes"
+)
+
+func (p *PersonalAccessTokenProjection) reducePersonalAccessTokenAdded(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.PersonalAccessTokenAddedEvent)
+	if !ok {
+		logging.LogWithFields("HANDL-Dbfg2", "seq", event.Sequence(), "expectedType", user.PersonalAccessTokenAddedType).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-DVgf7", "reduce.wrong.event.type")
+	}
+	return crdb.NewCreateStatement(
+		e,
+		[]handler.Column{
+			handler.NewCol(PersonalAccessTokenColumnID, e.TokenID),
+			handler.NewCol(PersonalAccessTokenColumnCreationDate, e.CreationDate()),
+			handler.NewCol(PersonalAccessTokenColumnChangeDate, e.CreationDate()),
+			handler.NewCol(PersonalAccessTokenColumnResourceOwner, e.Aggregate().ResourceOwner),
+			handler.NewCol(PersonalAccessTokenColumnSequence, e.Sequence()),
+			handler.NewCol(PersonalAccessTokenColumnUserID, e.Aggregate().ID),
+			handler.NewCol(PersonalAccessTokenColumnExpiration, e.Expiration),
+			handler.NewCol(PersonalAccessTokenColumnScopes, pq.StringArray(e.Scopes)),
+		},
+	), nil
+}
+
+func (p *PersonalAccessTokenProjection) reducePersonalAccessTokenRemoved(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.PersonalAccessTokenRemovedEvent)
+	if !ok {
+		logging.LogWithFields("HANDL-Edf32", "seq", event.Sequence(), "expectedType", user.PersonalAccessTokenRemovedType).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-g7u3F", "reduce.wrong.event.type")
+	}
+	return crdb.NewDeleteStatement(
+		e,
+		[]handler.Condition{
+			handler.NewCond(PersonalAccessTokenColumnID, e.TokenID),
+		},
+	), nil
+}
+
+func (p *PersonalAccessTokenProjection) reduceUserRemoved(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.UserRemovedEvent)
+	if !ok {
+		logging.LogWithFields("HANDL-GEg43", "seq", event.Sequence(), "expectedType", user.UserRemovedType).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-Dff3h", "reduce.wrong.event.type")
+	}
+	return crdb.NewDeleteStatement(
+		e,
+		[]handler.Condition{
+			handler.NewCond(PersonalAccessTokenColumnUserID, e.Aggregate().ID),
+		},
+	), nil
+}