From 7d45ae3c6c7d276f3b77d273f0e8a5a2e9868c55 Mon Sep 17 00:00:00 2001
From: Livio Amstutz
Date: Mon, 29 Nov 2021 17:36:24 +0100
Subject: [PATCH] fix: filter of domain claimed users (#2752)

---
 internal/api/grpc/admin/org.go | 11 +++------
 internal/api/grpc/management/org.go | 32 ++++++++++++++++-------------
 internal/ui/login/handler/login.go | 7 +------
 3 files changed, 22 insertions(+), 28 deletions(-)

diff --git a/internal/api/grpc/admin/org.go b/internal/api/grpc/admin/org.go
index 2753ed1938..73de7ac03f 100644
--- a/internal/api/grpc/admin/org.go
+++ b/internal/api/grpc/admin/org.go
@@ -3,14 +3,14 @@ package admin
 import (
 	"context"
 
-	"github.com/caos/zitadel/internal/api/authz"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	org_grpc "github.com/caos/zitadel/internal/api/grpc/org"
 	"github.com/caos/zitadel/internal/domain"
 	usr_model "github.com/caos/zitadel/internal/user/model"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
 	obj_pb "github.com/caos/zitadel/pkg/grpc/object"
-	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 func (s *Server) IsOrgUnique(ctx context.Context, req *admin_pb.IsOrgUniqueRequest) (*admin_pb.IsOrgUniqueResponse, error) {
@@ -68,12 +68,7 @@ func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain str
 			{
 				Key:    usr_model.UserSearchKeyPreferredLoginName,
 				Method: domain.SearchMethodEndsWithIgnoreCase,
-				Value:  orgDomain,
-			},
-			{
-				Key:    usr_model.UserSearchKeyResourceOwner,
-				Method: domain.SearchMethodNotEquals,
-				Value:  authz.GetCtxData(ctx).OrgID,
+				Value:  "@" + orgDomain,
 			},
 		},
 	})
diff --git a/internal/api/grpc/management/org.go b/internal/api/grpc/management/org.go
index a5d8a2e55c..a800cefb7f 100644
--- a/internal/api/grpc/management/org.go
+++ b/internal/api/grpc/management/org.go
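Review bot: With the resource-owner query removed, the only filter left in the admin getClaimedUserIDsOfOrgDomain is the `"@" + orgDomain` suffix match, so an empty orgDomain degenerates to the pattern `"@"` and the search returns every user whose preferred login name contains an `@`; the function should reject an empty domain before querying, e.g. `if orgDomain == "" { return nil, <invalid-argument error from the project's error package> }`. Whether a caller can reach this with an empty value is not visible here (the function starts above the hunk and its callers are not in the patch), so treat the guard as cheap insurance rather than a confirmed defect. The same applies to the management getClaimedUserIDsOfOrgDomain and to the login handler's copy in the hunks below. Whether SearchMethodEndsWithIgnoreCase escapes pattern metacharacters in the value is also not visible here; if it maps to an unescaped SQL LIKE, a `_` or `%` in the domain widens the match, which is worth confirming in the query layer.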
@@ -50,7 +50,7 @@ func (s *Server) ListOrgChanges(ctx context.Context, req *mgmt_pb.ListOrgChanges
 }
 
 func (s *Server) AddOrg(ctx context.Context, req *mgmt_pb.AddOrgRequest) (*mgmt_pb.AddOrgResponse, error) {
-	userIDs, err := s.getClaimedUserIDsOfOrgDomain(ctx, domain.NewIAMDomainName(req.Name, s.systemDefaults.Domain))
+	userIDs, err := s.getClaimedUserIDsOfOrgDomain(ctx, domain.NewIAMDomainName(req.Name, s.systemDefaults.Domain), "")
 	if err != nil {
 		return nil, err
 	}
@@ -185,7 +185,7 @@ func GenerateOrgDomainValidationRequestToDomain(ctx context.Context, req *mgmt_p
 }
 
 func (s *Server) ValidateOrgDomain(ctx context.Context, req *mgmt_pb.ValidateOrgDomainRequest) (*mgmt_pb.ValidateOrgDomainResponse, error) {
-	userIDs, err := s.getClaimedUserIDsOfOrgDomain(ctx, req.Domain)
+	userIDs, err := s.getClaimedUserIDsOfOrgDomain(ctx, req.Domain, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
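Review bot: The new third argument in AddOrg is a bare `""`, which reads like an omission rather than a deliberate "exclude no resource owner" policy; a comment at the call site would make the intent explicit, e.g. `// no org ID: the org does not exist yet, so every user on the domain counts as a claim`. The ValidateOrgDomain hunk passes `authz.GetCtxData(ctx).OrgID`, so the two call sites now intentionally differ in which users are excluded, and that difference appears to be the filter the commit title refers to — it deserves a sentence in the callee's doc comment as well. Both AddOrg and ValidateOrgDomain continue past the end of their hunks.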
@@ -284,20 +284,24 @@ func (s *Server) RemoveOrgMember(ctx context.Context, req *mgmt_pb.RemoveOrgMemb
 	}, nil
 }
 
-func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain string) ([]string, error) {
-	users, err := s.user.SearchUsers(ctx, &usr_model.UserSearchRequest{
-		Queries: []*usr_model.UserSearchQuery{
-			{
-				Key:    usr_model.UserSearchKeyPreferredLoginName,
-				Method: domain.SearchMethodEndsWithIgnoreCase,
-				Value:  orgDomain,
-			},
-			{
+func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain, orgID string) ([]string, error) {
+	queries := []*usr_model.UserSearchQuery{
+		{
+			Key:    usr_model.UserSearchKeyPreferredLoginName,
+			Method: domain.SearchMethodEndsWithIgnoreCase,
+			Value:  "@" + orgDomain,
+		},
+	}
+	if orgID != "" {
+		queries = append(queries,
+			&usr_model.UserSearchQuery{
 				Key:    usr_model.UserSearchKeyResourceOwner,
 				Method: domain.SearchMethodNotEquals,
-				Value:  authz.GetCtxData(ctx).OrgID,
-			},
-		},
+				Value:  orgID,
+			})
+	}
+	users, err := s.user.SearchUsers(ctx, &usr_model.UserSearchRequest{
+		Queries: queries,
 	}, false)
 	if err != nil {
 		return nil, err
diff --git a/internal/ui/login/handler/login.go b/internal/ui/login/handler/login.go
index 504b2ea681..8edeeaf003 100644
--- a/internal/ui/login/handler/login.go
+++ b/internal/ui/login/handler/login.go
@@ -168,12 +168,7 @@ func (l *Login) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgName string
 			{
 				Key:    usr_model.UserSearchKeyPreferredLoginName,
 				Method: domain.SearchMethodEndsWithIgnoreCase,
-				Value:  domain.NewIAMDomainName(orgName, l.iamDomain),
-			},
-			{
-				Key:    usr_model.UserSearchKeyResourceOwner,
-				Method: domain.SearchMethodNotEquals,
-				Value:  authz.GetCtxData(ctx).OrgID,
+				Value:  "@" + domain.NewIAMDomainName(orgName, l.iamDomain),
 			},
 		},
 	})
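Review bot: The rewritten getClaimedUserIDsOfOrgDomain has no doc comment, and the `orgID == ""` sentinel that switches the resource-owner exclusion on and off is only discoverable by reading the body; add `// getClaimedUserIDsOfOrgDomain returns the IDs of users whose preferred login name ends with "@"+orgDomain. A non-empty orgID excludes users owned by that org, so a caller validating its own domain does not see its own users reported as claimed.` above the signature. The `append(queries,` split across three lines is gofmt-clean but unusual for a single element; `queries = append(queries, &usr_model.UserSearchQuery{` on one line would match the surrounding style. The function body continues past the end of the hunk.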
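Review bot: This is the third hand-maintained copy of the claimed-user query (admin/org.go and management/org.go carry the others), and the patch had to apply the `"@"` prefix in all three while only the management copy gained the orgID parameter; a single helper on the user search layer taking `(ctx, orgDomain, orgID)` would keep the three call sites from drifting the next time the filter changes. The login handler's getClaimedUserIDsOfOrgDomain starts above the hunk, so the SearchUsers call and the surrounding error handling are not visible here.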