fix: check membership from projection (#3710)

* fix: check membership from projection * remove authz setup
2025-08-12 03:57:32 +00:00 · 2022-05-25 14:07:16 +02:00
parent b6deed3e34
commit 79452da7d6
15 changed files with 51 additions and 806 deletions
--- a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
+++ b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
@@ -29,6 +29,10 @@ type TokenVerifierRepo struct {
 	Query                *query.Queries
 }

+func (repo *TokenVerifierRepo) Health() error {
+	return repo.View.Health()
+}
+
 func (repo *TokenVerifierRepo) tokenByID(ctx context.Context, tokenID, userID string) (_ *usr_model.TokenView, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
--- a/internal/authz/repository/eventsourcing/eventstore/user_membership.go
+++ b/internal/authz/repository/eventsourcing/eventstore/user_membership.go
@@ -4,19 +4,12 @@ import (
 	"context"

 	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/internal/authz/repository/eventsourcing/view"
-	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
-	user_model "github.com/zitadel/zitadel/internal/user/model"
-	user_view_model "github.com/zitadel/zitadel/internal/user/repository/view/model"
 )

 type UserMembershipRepo struct {
-	View *view.View
-}
-
-func (repo *UserMembershipRepo) Health() error {
-	return repo.View.Health()
+	Queries *query.Queries
 }

 func (repo *UserMembershipRepo) SearchMyMemberships(ctx context.Context) (_ []*authz.Membership, err error) {
@@ -29,75 +22,61 @@ func (repo *UserMembershipRepo) SearchMyMemberships(ctx context.Context) (_ []*a
 	return userMembershipsToMemberships(memberships), nil
 }

-func (repo *UserMembershipRepo) searchUserMemberships(ctx context.Context) (_ []*user_view_model.UserMembershipView, err error) {
+func (repo *UserMembershipRepo) searchUserMemberships(ctx context.Context) (_ []*query.Membership, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 	ctxData := authz.GetCtxData(ctx)
-	instance := authz.GetInstance(ctx)
-	ctx, orgSpan := tracing.NewSpan(ctx)
-	orgMemberships, orgCount, err := repo.View.SearchUserMemberships(&user_model.UserMembershipSearchRequest{
-		Queries: []*user_model.UserMembershipSearchQuery{
-			{
-				Key:    user_model.UserMembershipSearchKeyUserID,
-				Method: domain.SearchMethodEquals,
-				Value:  ctxData.UserID,
-			},
-			{
-				Key:    user_model.UserMembershipSearchKeyResourceOwner,
-				Method: domain.SearchMethodEquals,
-				Value:  ctxData.OrgID,
-			},
-			{
-				Key:    user_model.UserMembershipSearchKeyInstanceID,
-				Method: domain.SearchMethodEquals,
-				Value:  instance.InstanceID(),
-			},
-		},
-	})
-	orgSpan.EndWithError(err)
+	userIDQuery, err := query.NewMembershipUserIDQuery(ctxData.UserID)
 	if err != nil {
 		return nil, err
 	}
-	ctx, iamSpan := tracing.NewSpan(ctx)
-	iamMemberships, iamCount, err := repo.View.SearchUserMemberships(&user_model.UserMembershipSearchRequest{
-		Queries: []*user_model.UserMembershipSearchQuery{
-			{
-				Key:    user_model.UserMembershipSearchKeyUserID,
-				Method: domain.SearchMethodEquals,
-				Value:  ctxData.UserID,
-			},
-			{
-				Key:    user_model.UserMembershipSearchKeyAggregateID,
-				Method: domain.SearchMethodEquals,
-				Value:  instance.InstanceID(),
-			},
-			{
-				Key:    user_model.UserMembershipSearchKeyInstanceID,
-				Method: domain.SearchMethodEquals,
-				Value:  instance.InstanceID(),
-			},
-		},
-	})
-	iamSpan.EndWithError(err)
+	orgIDsQuery, err := query.NewMembershipResourceOwnersSearchQuery(ctxData.OrgID, authz.GetInstance(ctx).InstanceID())
 	if err != nil {
 		return nil, err
 	}
-	if orgCount == 0 && iamCount == 0 {
-		return []*user_view_model.UserMembershipView{}, nil
+	memberships, err := repo.Queries.Memberships(ctx, &query.MembershipSearchQuery{
+		Queries: []query.SearchQuery{userIDQuery, orgIDsQuery},
+	})
+	if err != nil {
+		return nil, err
 	}
-	return append(orgMemberships, iamMemberships...), nil
+	return memberships.Memberships, nil
 }

-func userMembershipToMembership(membership *user_view_model.UserMembershipView) *authz.Membership {
+func userMembershipToMembership(membership *query.Membership) *authz.Membership {
+	if membership.IAM != nil {
+		return &authz.Membership{
+			MemberType:  authz.MemberTypeIam,
+			AggregateID: membership.IAM.IAMID,
+			ObjectID:    membership.IAM.IAMID,
+			Roles:       membership.Roles,
+		}
+	}
+	if membership.Org != nil {
+		return &authz.Membership{
+			MemberType:  authz.MemberTypeOrganisation,
+			AggregateID: membership.Org.OrgID,
+			ObjectID:    membership.Org.OrgID,
+			Roles:       membership.Roles,
+		}
+	}
+	if membership.Project != nil {
+		return &authz.Membership{
+			MemberType:  authz.MemberTypeProject,
+			AggregateID: membership.Project.ProjectID,
+			ObjectID:    membership.Project.ProjectID,
+			Roles:       membership.Roles,
+		}
+	}
 	return &authz.Membership{
-		MemberType:  authz.MemberType(membership.MemberType),
-		AggregateID: membership.AggregateID,
-		ObjectID:    membership.ObjectID,
+		MemberType:  authz.MemberTypeProjectGrant,
+		AggregateID: membership.ProjectGrant.ProjectID,
+		ObjectID:    membership.ProjectGrant.GrantID,
 		Roles:       membership.Roles,
 	}
 }

-func userMembershipsToMemberships(memberships []*user_view_model.UserMembershipView) []*authz.Membership {
+func userMembershipsToMemberships(memberships []*query.Membership) []*authz.Membership {
 	result := make([]*authz.Membership, len(memberships))
 	for i, m := range memberships {
 		result[i] = userMembershipToMembership(m)