feat(oidc): optimize the userinfo endpoint (#7706)

* feat(oidc): optimize the userinfo endpoint * store project ID in the access token * query for projectID if not in token * add scope based tests * Revert "store project ID in the access token" This reverts commit 5f0262f239. * query project role assertion * use project role assertion setting to return roles * workaround eventual consistency and handle PAT * do not append empty project id
2025-08-11 21:27:42 +00:00 · 2024-04-09 16:15:35 +03:00
parent c8e0b30e17
commit 6a51c4b0f5
25 changed files with 528 additions and 159 deletions
--- a/internal/query/userinfo_test.go
+++ b/internal/query/userinfo_test.go
@@ -338,3 +338,50 @@ func TestQueries_GetOIDCUserInfo(t *testing.T) {
 		})
 	}
 }
+
+func TestQueries_GetOIDCUserinfoClientByID(t *testing.T) {
+	expQuery := regexp.QuoteMeta(oidcUserinfoClientQuery)
+	cols := []string{"project_id", "project_role_assertion"}
+
+	tests := []struct {
+		name                     string
+		mock                     sqlExpectation
+		wantProjectID            string
+		wantProjectRoleAssertion bool
+		wantErr                  error
+	}{
+		{
+			name:    "no rows",
+			mock:    mockQueryErr(expQuery, sql.ErrNoRows, "instanceID", "clientID"),
+			wantErr: zerrors.ThrowNotFound(sql.ErrNoRows, "QUERY-beeW8", "Errors.App.NotFound"),
+		},
+		{
+			name:    "internal error",
+			mock:    mockQueryErr(expQuery, sql.ErrConnDone, "instanceID", "clientID"),
+			wantErr: zerrors.ThrowInternal(sql.ErrConnDone, "QUERY-Ais4r", "Errors.Internal"),
+		},
+		{
+			name:                     "found",
+			mock:                     mockQuery(expQuery, cols, []driver.Value{"projectID", true}, "instanceID", "clientID"),
+			wantProjectID:            "projectID",
+			wantProjectRoleAssertion: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			execMock(t, tt.mock, func(db *sql.DB) {
+				q := &Queries{
+					client: &database.DB{
+						DB:       db,
+						Database: &prepareDB{},
+					},
+				}
+				ctx := authz.NewMockContext("instanceID", "orgID", "loginClient")
+				gotProjectID, gotProjectRoleAssertion, err := q.GetOIDCUserinfoClientByID(ctx, "clientID")
+				require.ErrorIs(t, err, tt.wantErr)
+				assert.Equal(t, tt.wantProjectID, gotProjectID)
+				assert.Equal(t, tt.wantProjectRoleAssertion, gotProjectRoleAssertion)
+			})
+		})
+	}
+}