TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 18:07:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: project v2beta resource API (#9742)

Browse Source 
# Which Problems Are Solved

Resource management of projects and sub-resources was before limited by
the context provided by the management API, which would mean you could
only manage resources belonging to a specific organization.

# How the Problems Are Solved

With the addition of a resource-based API, it is now possible to manage
projects and sub-resources on the basis of the resources themselves,
which means that as long as you have the permission for the resource,
you can create, read, update and delete it.

- CreateProject to create a project under an organization
- UpdateProject to update an existing project
- DeleteProject to delete an existing project
- DeactivateProject and ActivateProject to change the status of a
project
- GetProject to query for a specific project with an identifier
- ListProject to query for projects and granted projects
- CreateProjectGrant to create a project grant with project and granted
organization
- UpdateProjectGrant to update the roles of a project grant
- DeactivateProjectGrant and ActivateProjectGrant to change the status
of a project grant
- DeleteProjectGrant to delete an existing project grant
- ListProjectGrants to query for project grants
- AddProjectRole to add a role to an existing project
- UpdateProjectRole to change texts of an existing role
- RemoveProjectRole to remove an existing role
- ListProjectRoles to query for project roles

# Additional Changes

- Changes to ListProjects, which now contains granted projects as well
- Changes to messages as defined in the
[API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md)
- Permission checks for project functionality on query and command side
- Added testing to unit tests on command side
- Change update endpoints to no error returns if nothing changes in the
resource
- Changed all integration test utility to the new service
- ListProjects now also correctly lists `granted projects`
- Permission checks for project grant and project role functionality on
query and command side
- Change existing pre checks so that they also work resource specific
without resourceowner
- Added the resourceowner to the grant and role if no resourceowner is
provided
- Corrected import tests with project grants and roles
- Added testing to unit tests on command side
- Change update endpoints to no error returns if nothing changes in the
resource
- Changed all integration test utility to the new service
- Corrected some naming in the proto files to adhere to the API_DESIGN

# Additional Context

Closes #9177

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Stefan Benz
2025-05-21 14:40:47 +02:00
committed by GitHub
parent 6889d6a1da
commit 7eb45c6cfd
64 changed files with 9821 additions and 1037 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
internal/api/grpc/action/v2beta/integration_test/execution_target_test.go
View File

@@ -580,7 +580,7 @@ func TestServer_ExecutionTargetPreUserinfo(t *testing.T) {
isolatedIAMCtx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
ctxLoginClient := instance.WithAuthorization(CTX, integration.UserTypeLogin)
client, err := instance.CreateOIDCImplicitFlowClient(isolatedIAMCtx, redirectURIImplicit, loginV2)
client, err := instance.CreateOIDCImplicitFlowClient(isolatedIAMCtx, t, redirectURIImplicit, loginV2)
require.NoError(t, err)
type want struct {
@@ -893,7 +893,7 @@ func TestServer_ExecutionTargetPreAccessToken(t *testing.T) {
isolatedIAMCtx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
ctxLoginClient := instance.WithAuthorization(CTX, integration.UserTypeLogin)
client, err := instance.CreateOIDCImplicitFlowClient(isolatedIAMCtx, redirectURIImplicit, loginV2)
client, err := instance.CreateOIDCImplicitFlowClient(isolatedIAMCtx, t, redirectURIImplicit, loginV2)
require.NoError(t, err)
type want struct {
@@ -1255,10 +1255,9 @@ func createSAMLSP(t *testing.T, idpMetadata *saml.EntityDescriptor, binding stri
}
func createSAMLApplication(ctx context.Context, t *testing.T, instance *integration.Instance, idpMetadata *saml.EntityDescriptor, binding string, projectRoleCheck, hasProjectCheck bool) (string, string, *samlsp.Middleware) {
project, err := instance.CreateProjectWithPermissionCheck(ctx, projectRoleCheck, hasProjectCheck)
require.NoError(t, err)
project := instance.CreateProject(ctx, t, instance.DefaultOrg.GetId(), gofakeit.AppName(), projectRoleCheck, hasProjectCheck)
rootURL, sp := createSAMLSP(t, idpMetadata, binding)
_, err = instance.CreateSAMLClient(ctx, project.GetId(), sp)
_, err := instance.CreateSAMLClient(ctx, project.GetId(), sp)
require.NoError(t, err)
return project.GetId(), rootURL, sp
}

6
internal/api/grpc/admin/export.go
View File

@@ -736,7 +736,7 @@ func (s *Server) getProjectsAndApps(ctx context.Context, org string) ([]*v1_pb.D
if err != nil {
return nil, nil, nil, nil, nil, err
}
queriedProjects, err := s.query.SearchProjects(ctx, &query.ProjectSearchQueries{Queries: []query.SearchQuery{projectSearch}})
queriedProjects, err := s.query.SearchProjects(ctx, &query.ProjectSearchQueries{Queries: []query.SearchQuery{projectSearch}}, nil)
if err != nil {
return nil, nil, nil, nil, nil, err
}
@@ -763,7 +763,7 @@ func (s *Server) getProjectsAndApps(ctx context.Context, org string) ([]*v1_pb.D
return nil, nil, nil, nil, nil, err
}
queriedProjectRoles, err := s.query.SearchProjectRoles(ctx, false, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectRoleSearch}})
queriedProjectRoles, err := s.query.SearchProjectRoles(ctx, false, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectRoleSearch}}, nil)
if err != nil {
return nil, nil, nil, nil, nil, err
}
@@ -945,7 +945,7 @@ func (s *Server) getNecessaryProjectGrantsForOrg(ctx context.Context, org string
if err != nil {
return nil, err
}
queriedProjectGrants, err := s.query.SearchProjectGrants(ctx, &query.ProjectGrantSearchQueries{Queries: []query.SearchQuery{projectGrantSearchOrg}})
queriedProjectGrants, err := s.query.SearchProjectGrants(ctx, &query.ProjectGrantSearchQueries{Queries: []query.SearchQuery{projectGrantSearchOrg}}, nil)
if err != nil {
return nil, err
}

6
internal/api/grpc/admin/import.go
View File

@@ -621,7 +621,7 @@ func importProjects(ctx context.Context, s *Server, errors *[]*admin_pb.ImportDa
}
for _, project := range org.GetProjects() {
logging.Debugf("import project: %s", project.GetProjectId())
_, err := s.command.AddProjectWithID(ctx, management.ProjectCreateToDomain(project.GetProject()), org.GetOrgId(), project.GetProjectId())
_, err := s.command.AddProject(ctx, management.ProjectCreateToCommand(project.GetProject(), project.GetProjectId(), org.GetOrgId()))
if err != nil {
*errors = append(*errors, &admin_pb.ImportDataError{Type: "project", Id: project.GetProjectId(), Message: err.Error()})
if isCtxTimeout(ctx) {
@@ -761,7 +761,7 @@ func importProjectRoles(ctx context.Context, s *Server, errors *[]*admin_pb.Impo
logging.Debugf("import projectroles: %s", role.ProjectId+"_"+role.RoleKey)
// TBD: why not command.BulkAddProjectRole?
_, err := s.command.AddProjectRole(ctx, management.AddProjectRoleRequestToDomain(role), org.GetOrgId())
_, err := s.command.AddProjectRole(ctx, management.AddProjectRoleRequestToCommand(role, org.GetOrgId()))
if err != nil {
*errors = append(*errors, &admin_pb.ImportDataError{Type: "project_role", Id: role.ProjectId + "_" + role.RoleKey, Message: err.Error()})
if isCtxTimeout(ctx) {
@@ -1023,7 +1023,7 @@ func importOrg2(ctx context.Context, s *Server, errors *[]*admin_pb.ImportDataEr
if org.ProjectGrants != nil {
for _, grant := range org.GetProjectGrants() {
logging.Debugf("import projectgrant: %s", grant.GetGrantId()+"_"+grant.GetProjectGrant().GetProjectId()+"_"+grant.GetProjectGrant().GetGrantedOrgId())
_, err := s.command.AddProjectGrantWithID(ctx, management.AddProjectGrantRequestToDomain(grant.GetProjectGrant()), grant.GetGrantId(), org.GetOrgId())
_, err := s.command.AddProjectGrant(ctx, management.AddProjectGrantRequestToCommand(grant.GetProjectGrant(), grant.GetGrantId(), org.GetOrgId()))
if err != nil {
*errors = append(*errors, &admin_pb.ImportDataError{Type: "project_grant", Id: org.GetOrgId() + "_" + grant.GetProjectGrant().GetProjectId() + "_" + grant.GetProjectGrant().GetGrantedOrgId(), Message: err.Error()})
if isCtxTimeout(ctx) {

24
internal/api/grpc/admin/integration_test/import_test.go
View File

@@ -259,6 +259,12 @@ func TestServer_ImportData(t *testing.T) {
Data: &admin.ImportDataRequest_DataOrgs{
DataOrgs: &admin.ImportDataOrg{
Orgs: []*admin.DataOrg{
{
OrgId: orgIDs[4],
Org: &management.AddOrgRequest{
Name: gofakeit.ProductName(),
},
},
{
OrgId: orgIDs[3],
Org: &management.AddOrgRequest{
@@ -336,6 +342,9 @@ func TestServer_ImportData(t *testing.T) {
},
Success: &admin.ImportDataSuccess{
Orgs: []*admin.ImportDataSuccessOrg{
{
OrgId: orgIDs[4],
},
{
OrgId: orgIDs[3],
ProjectIds: projectIDs[2:4],
@@ -363,6 +372,12 @@ func TestServer_ImportData(t *testing.T) {
Data: &admin.ImportDataRequest_DataOrgs{
DataOrgs: &admin.ImportDataOrg{
Orgs: []*admin.DataOrg{
{
OrgId: orgIDs[6],
Org: &management.AddOrgRequest{
Name: gofakeit.ProductName(),
},
},
{
OrgId: orgIDs[5],
Org: &management.AddOrgRequest{
@@ -383,6 +398,11 @@ func TestServer_ImportData(t *testing.T) {
RoleKey: "role1",
DisplayName: "role1",
},
{
ProjectId: projectIDs[4],
RoleKey: "role2",
DisplayName: "role2",
},
},
HumanUsers: []*v1.DataHumanUser{
{
@@ -442,11 +462,15 @@ func TestServer_ImportData(t *testing.T) {
},
Success: &admin.ImportDataSuccess{
Orgs: []*admin.ImportDataSuccessOrg{
{
OrgId: orgIDs[6],
},
{
OrgId: orgIDs[5],
ProjectIds: projectIDs[4:5],
ProjectRoles: []string{
projectIDs[4] + "_role1",
projectIDs[4] + "_role2",
},
HumanUserIds: userIDs[2:3],
ProjectGrants: []*admin.ImportDataSuccessProjectGrant{

27
internal/api/grpc/management/project.go
View File

@@ -47,7 +47,7 @@ func (s *Server) ListProjects(ctx context.Context, req *mgmt_pb.ListProjectsRequ
if err != nil {
return nil, err
}
projects, err := s.query.SearchProjects(ctx, queries)
projects, err := s.query.SearchProjects(ctx, queries, nil)
if err != nil {
return nil, err
}
@@ -109,7 +109,7 @@ func (s *Server) ListGrantedProjects(ctx context.Context, req *mgmt_pb.ListGrant
if err != nil {
return nil, err
}
projects, err := s.query.SearchProjectGrants(ctx, queries)
projects, err := s.query.SearchProjectGrants(ctx, queries, nil)
if err != nil {
return nil, err
}
@@ -175,25 +175,26 @@ func (s *Server) ListProjectChanges(ctx context.Context, req *mgmt_pb.ListProjec
}
func (s *Server) AddProject(ctx context.Context, req *mgmt_pb.AddProjectRequest) (*mgmt_pb.AddProjectResponse, error) {
project, err := s.command.AddProject(ctx, ProjectCreateToDomain(req), authz.GetCtxData(ctx).OrgID)
add := ProjectCreateToCommand(req, "", authz.GetCtxData(ctx).OrgID)
project, err := s.command.AddProject(ctx, add)
if err != nil {
return nil, err
}
return &mgmt_pb.AddProjectResponse{
Id: project.AggregateID,
Details: object_grpc.AddToDetailsPb(project.Sequence, project.ChangeDate, project.ResourceOwner),
Id: add.AggregateID,
Details: object_grpc.AddToDetailsPb(project.Sequence, project.EventDate, project.ResourceOwner),
}, nil
}
func (s *Server) UpdateProject(ctx context.Context, req *mgmt_pb.UpdateProjectRequest) (*mgmt_pb.UpdateProjectResponse, error) {
project, err := s.command.ChangeProject(ctx, ProjectUpdateToDomain(req), authz.GetCtxData(ctx).OrgID)
project, err := s.command.ChangeProject(ctx, ProjectUpdateToCommand(req, authz.GetCtxData(ctx).OrgID))
if err != nil {
return nil, err
}
return &mgmt_pb.UpdateProjectResponse{
Details: object_grpc.ChangeToDetailsPb(
project.Sequence,
project.ChangeDate,
project.EventDate,
project.ResourceOwner,
),
}, nil
@@ -252,7 +253,7 @@ func (s *Server) ListProjectRoles(ctx context.Context, req *mgmt_pb.ListProjectR
if err != nil {
return nil, err
}
roles, err := s.query.SearchProjectRoles(ctx, true, queries)
roles, err := s.query.SearchProjectRoles(ctx, true, queries, nil)
if err != nil {
return nil, err
}
@@ -263,21 +264,21 @@ func (s *Server) ListProjectRoles(ctx context.Context, req *mgmt_pb.ListProjectR
}
func (s *Server) AddProjectRole(ctx context.Context, req *mgmt_pb.AddProjectRoleRequest) (*mgmt_pb.AddProjectRoleResponse, error) {
role, err := s.command.AddProjectRole(ctx, AddProjectRoleRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
role, err := s.command.AddProjectRole(ctx, AddProjectRoleRequestToCommand(req, authz.GetCtxData(ctx).OrgID))
if err != nil {
return nil, err
}
return &mgmt_pb.AddProjectRoleResponse{
Details: object_grpc.AddToDetailsPb(
role.Sequence,
role.ChangeDate,
role.EventDate,
role.ResourceOwner,
),
}, nil
}
func (s *Server) BulkAddProjectRoles(ctx context.Context, req *mgmt_pb.BulkAddProjectRolesRequest) (*mgmt_pb.BulkAddProjectRolesResponse, error) {
details, err := s.command.BulkAddProjectRole(ctx, req.ProjectId, authz.GetCtxData(ctx).OrgID, BulkAddProjectRolesRequestToDomain(req))
details, err := s.command.BulkAddProjectRole(ctx, req.ProjectId, authz.GetCtxData(ctx).OrgID, BulkAddProjectRolesRequestToCommand(req, authz.GetCtxData(ctx).OrgID))
if err != nil {
return nil, err
}
@@ -287,14 +288,14 @@ func (s *Server) BulkAddProjectRoles(ctx context.Context, req *mgmt_pb.BulkAddPr
}
func (s *Server) UpdateProjectRole(ctx context.Context, req *mgmt_pb.UpdateProjectRoleRequest) (*mgmt_pb.UpdateProjectRoleResponse, error) {
role, err := s.command.ChangeProjectRole(ctx, UpdateProjectRoleRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
role, err := s.command.ChangeProjectRole(ctx, UpdateProjectRoleRequestToCommand(req, authz.GetCtxData(ctx).OrgID))
if err != nil {
return nil, err
}
return &mgmt_pb.UpdateProjectRoleResponse{
Details: object_grpc.ChangeToDetailsPb(
role.Sequence,
role.ChangeDate,
role.EventDate,
role.ResourceOwner,
),
}, nil

51
internal/api/grpc/management/project_converter.go
View File

@@ -3,10 +3,13 @@ package management
import (
"context"
"github.com/muhlemmer/gu"
"github.com/zitadel/zitadel/internal/api/authz"
member_grpc "github.com/zitadel/zitadel/internal/api/grpc/member"
"github.com/zitadel/zitadel/internal/api/grpc/object"
proj_grpc "github.com/zitadel/zitadel/internal/api/grpc/project"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/internal/query"
@@ -14,8 +17,12 @@ import (
proj_pb "github.com/zitadel/zitadel/pkg/grpc/project"
)
func ProjectCreateToDomain(req *mgmt_pb.AddProjectRequest) *domain.Project {
return &domain.Project{
func ProjectCreateToCommand(req *mgmt_pb.AddProjectRequest, projectID string, resourceOwner string) *command.AddProject {
return &command.AddProject{
ObjectRoot: models.ObjectRoot{
AggregateID: projectID,
ResourceOwner: resourceOwner,
},
Name: req.Name,
ProjectRoleAssertion: req.ProjectRoleAssertion,
ProjectRoleCheck: req.ProjectRoleCheck,
@@ -24,16 +31,17 @@ func ProjectCreateToDomain(req *mgmt_pb.AddProjectRequest) *domain.Project {
}
}
func ProjectUpdateToDomain(req *mgmt_pb.UpdateProjectRequest) *domain.Project {
return &domain.Project{
func ProjectUpdateToCommand(req *mgmt_pb.UpdateProjectRequest, resourceOwner string) *command.ChangeProject {
return &command.ChangeProject{
ObjectRoot: models.ObjectRoot{
AggregateID: req.Id,
AggregateID: req.Id,
ResourceOwner: resourceOwner,
},
Name: req.Name,
ProjectRoleAssertion: req.ProjectRoleAssertion,
ProjectRoleCheck: req.ProjectRoleCheck,
HasProjectCheck: req.HasProjectCheck,
PrivateLabelingSetting: privateLabelingSettingToDomain(req.PrivateLabelingSetting),
Name: gu.Ptr(req.Name),
ProjectRoleAssertion: gu.Ptr(req.ProjectRoleAssertion),
ProjectRoleCheck: gu.Ptr(req.ProjectRoleCheck),
HasProjectCheck: gu.Ptr(req.HasProjectCheck),
PrivateLabelingSetting: gu.Ptr(privateLabelingSettingToDomain(req.PrivateLabelingSetting)),
}
}
@@ -48,10 +56,11 @@ func privateLabelingSettingToDomain(setting proj_pb.PrivateLabelingSetting) doma
}
}
func AddProjectRoleRequestToDomain(req *mgmt_pb.AddProjectRoleRequest) *domain.ProjectRole {
return &domain.ProjectRole{
func AddProjectRoleRequestToCommand(req *mgmt_pb.AddProjectRoleRequest, resourceOwner string) *command.AddProjectRole {
return &command.AddProjectRole{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
AggregateID: req.ProjectId,
ResourceOwner: resourceOwner,
},
Key: req.RoleKey,
DisplayName: req.DisplayName,
@@ -59,12 +68,13 @@ func AddProjectRoleRequestToDomain(req *mgmt_pb.AddProjectRoleRequest) *domain.P
}
}
func BulkAddProjectRolesRequestToDomain(req *mgmt_pb.BulkAddProjectRolesRequest) []*domain.ProjectRole {
roles := make([]*domain.ProjectRole, len(req.Roles))
func BulkAddProjectRolesRequestToCommand(req *mgmt_pb.BulkAddProjectRolesRequest, resourceOwner string) []*command.AddProjectRole {
roles := make([]*command.AddProjectRole, len(req.Roles))
for i, role := range req.Roles {
roles[i] = &domain.ProjectRole{
roles[i] = &command.AddProjectRole{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
AggregateID: req.ProjectId,
ResourceOwner: resourceOwner,
},
Key: role.Key,
DisplayName: role.DisplayName,
@@ -74,10 +84,11 @@ func BulkAddProjectRolesRequestToDomain(req *mgmt_pb.BulkAddProjectRolesRequest)
return roles
}
func UpdateProjectRoleRequestToDomain(req *mgmt_pb.UpdateProjectRoleRequest) *domain.ProjectRole {
return &domain.ProjectRole{
func UpdateProjectRoleRequestToCommand(req *mgmt_pb.UpdateProjectRoleRequest, resourceOwner string) *command.ChangeProjectRole {
return &command.ChangeProjectRole{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
AggregateID: req.ProjectId,
ResourceOwner: resourceOwner,
},
Key: req.RoleKey,
DisplayName: req.DisplayName,

17
internal/api/grpc/management/project_grant.go
View File

@@ -31,7 +31,7 @@ func (s *Server) ListProjectGrants(ctx context.Context, req *mgmt_pb.ListProject
if err != nil {
return nil, err
}
grants, err := s.query.SearchProjectGrants(ctx, queries)
grants, err := s.query.SearchProjectGrants(ctx, queries, nil)
if err != nil {
return nil, err
}
@@ -54,7 +54,7 @@ func (s *Server) ListAllProjectGrants(ctx context.Context, req *mgmt_pb.ListAllP
if err != nil {
return nil, err
}
grants, err := s.query.SearchProjectGrants(ctx, queries)
grants, err := s.query.SearchProjectGrants(ctx, queries, nil)
if err != nil {
return nil, err
}
@@ -65,16 +65,17 @@ func (s *Server) ListAllProjectGrants(ctx context.Context, req *mgmt_pb.ListAllP
}
func (s *Server) AddProjectGrant(ctx context.Context, req *mgmt_pb.AddProjectGrantRequest) (*mgmt_pb.AddProjectGrantResponse, error) {
grant, err := s.command.AddProjectGrant(ctx, AddProjectGrantRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
grant := AddProjectGrantRequestToCommand(req, "", authz.GetCtxData(ctx).OrgID)
details, err := s.command.AddProjectGrant(ctx, grant)
if err != nil {
return nil, err
}
return &mgmt_pb.AddProjectGrantResponse{
GrantId: grant.GrantID,
Details: object_grpc.AddToDetailsPb(
grant.Sequence,
grant.ChangeDate,
grant.ResourceOwner,
details.Sequence,
details.EventDate,
details.ResourceOwner,
),
}, nil
}
@@ -94,14 +95,14 @@ func (s *Server) UpdateProjectGrant(ctx context.Context, req *mgmt_pb.UpdateProj
if err != nil {
return nil, err
}
grant, err := s.command.ChangeProjectGrant(ctx, UpdateProjectGrantRequestToDomain(req), authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants.UserGrants)...)
grant, err := s.command.ChangeProjectGrant(ctx, UpdateProjectGrantRequestToCommand(req, authz.GetCtxData(ctx).OrgID), userGrantsToIDs(grants.UserGrants)...)
if err != nil {
return nil, err
}
return &mgmt_pb.UpdateProjectGrantResponse{
Details: object_grpc.ChangeToDetailsPb(
grant.Sequence,
grant.ChangeDate,
grant.EventDate,
grant.ResourceOwner,
),
}, nil

16
internal/api/grpc/management/project_grant_converter.go
View File

@@ -6,6 +6,7 @@ import (
"github.com/zitadel/zitadel/internal/api/authz"
member_grpc "github.com/zitadel/zitadel/internal/api/grpc/member"
"github.com/zitadel/zitadel/internal/api/grpc/object"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/internal/query"
@@ -100,20 +101,23 @@ func AllProjectGrantQueryToModel(apiQuery *proj_pb.AllProjectGrantQuery) (query.
return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-M099f", "List.Query.Invalid")
}
}
func AddProjectGrantRequestToDomain(req *mgmt_pb.AddProjectGrantRequest) *domain.ProjectGrant {
return &domain.ProjectGrant{
func AddProjectGrantRequestToCommand(req *mgmt_pb.AddProjectGrantRequest, grantID string, resourceOwner string) *command.AddProjectGrant {
return &command.AddProjectGrant{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
AggregateID: req.ProjectId,
ResourceOwner: resourceOwner,
},
GrantID: grantID,
GrantedOrgID: req.GrantedOrgId,
RoleKeys: req.RoleKeys,
}
}
func UpdateProjectGrantRequestToDomain(req *mgmt_pb.UpdateProjectGrantRequest) *domain.ProjectGrant {
return &domain.ProjectGrant{
func UpdateProjectGrantRequestToCommand(req *mgmt_pb.UpdateProjectGrantRequest, resourceOwner string) *command.ChangeProjectGrant {
return &command.ChangeProjectGrant{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
AggregateID: req.ProjectId,
ResourceOwner: resourceOwner,
},
GrantID: req.GrantId,
RoleKeys: req.RoleKeys,

35
internal/api/grpc/oidc/v2/integration_test/oidc_test.go
View File

@@ -24,8 +24,7 @@ import (
)
func TestServer_GetAuthRequest(t *testing.T) {
project, err := Instance.CreateProject(CTX)
require.NoError(t, err)
project := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false)
client, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
require.NoError(t, err)
@@ -98,8 +97,7 @@ func TestServer_GetAuthRequest(t *testing.T) {
}
func TestServer_CreateCallback(t *testing.T) {
project, err := Instance.CreateProject(CTX)
require.NoError(t, err)
project := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false)
client, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
require.NoError(t, err)
clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
@@ -288,7 +286,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTX,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
client, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, nil)
client, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, nil)
require.NoError(t, err)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit)
require.NoError(t, err)
@@ -315,7 +313,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, loginV2)
clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, loginV2)
require.NoError(t, err)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit)
require.NoError(t, err)
@@ -371,7 +369,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectID2, _ := createOIDCApplication(ctx, t, true, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID2, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID2, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
@@ -386,7 +384,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
@@ -407,9 +405,9 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
projectGrantResp := Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
},
@@ -544,9 +542,9 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectID, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
projectGrantResp := Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
@@ -564,7 +562,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectID, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
},
@@ -606,7 +604,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectID, clientID := createOIDCApplication(ctx, t, false, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
@@ -639,8 +637,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}
func TestServer_GetDeviceAuthorizationRequest(t *testing.T) {
project, err := Instance.CreateProject(CTX)
require.NoError(t, err)
project := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false)
client, err := Instance.CreateOIDCClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE)
require.NoError(t, err)
@@ -697,8 +694,7 @@ func TestServer_GetDeviceAuthorizationRequest(t *testing.T) {
}
func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
project, err := Instance.CreateProject(CTX)
require.NoError(t, err)
project := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false)
client, err := Instance.CreateOIDCClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE)
require.NoError(t, err)
sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID)
@@ -895,8 +891,7 @@ func createSessionAndAuthRequestForCallback(ctx context.Context, t *testing.T, c
}
func createOIDCApplication(ctx context.Context, t *testing.T, projectRoleCheck, hasProjectCheck bool) (string, string) {
project, err := Instance.CreateProjectWithPermissionCheck(ctx, projectRoleCheck, hasProjectCheck)
require.NoError(t, err)
project := Instance.CreateProject(ctx, t, "", gofakeit.AppName(), projectRoleCheck, hasProjectCheck)
clientV2, err := Instance.CreateOIDCClientLoginVersion(ctx, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
require.NoError(t, err)
return project.GetId(), clientV2.GetClientId()

29
internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go
View File

@@ -23,8 +23,7 @@ import (
)
func TestServer_GetAuthRequest(t *testing.T) {
project, err := Instance.CreateProject(CTX)
require.NoError(t, err)
project := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false)
client, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
require.NoError(t, err)
@@ -97,8 +96,7 @@ func TestServer_GetAuthRequest(t *testing.T) {
}
func TestServer_CreateCallback(t *testing.T) {
project, err := Instance.CreateProject(CTX)
require.NoError(t, err)
project := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false)
client, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
require.NoError(t, err)
clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
@@ -289,7 +287,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTX,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
client, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, nil)
client, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, nil)
require.NoError(t, err)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit)
require.NoError(t, err)
@@ -316,7 +314,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, loginV2)
clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, loginV2)
require.NoError(t, err)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit)
require.NoError(t, err)
@@ -372,7 +370,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectID2, _ := createOIDCApplication(ctx, t, true, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID2, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID2, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
@@ -387,7 +385,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
@@ -408,9 +406,9 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
projectGrantResp := Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
},
@@ -545,9 +543,9 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectID, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
projectGrantResp := Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
@@ -565,7 +563,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectID, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
},
@@ -607,7 +605,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectID, clientID := createOIDCApplication(ctx, t, false, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
@@ -669,8 +667,7 @@ func createSessionAndAuthRequestForCallback(ctx context.Context, t *testing.T, c
}
func createOIDCApplication(ctx context.Context, t *testing.T, projectRoleCheck, hasProjectCheck bool) (string, string) {
project, err := Instance.CreateProjectWithPermissionCheck(ctx, projectRoleCheck, hasProjectCheck)
require.NoError(t, err)
project := Instance.CreateProject(ctx, t, "", gofakeit.AppName(), projectRoleCheck, hasProjectCheck)
clientV2, err := Instance.CreateOIDCClientLoginVersion(ctx, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
require.NoError(t, err)
return project.GetId(), clientV2.GetClientId()

1292
internal/api/grpc/project/v2beta/integration/project_grant_test.go Normal file
View File

File diff suppressed because it is too large Load Diff

698
internal/api/grpc/project/v2beta/integration/project_role_test.go Normal file
View File

@@ -0,0 +1,698 @@
//go:build integration
package project_test
import (
"context"
"testing"
"time"
"github.com/brianvoe/gofakeit/v6"
"github.com/muhlemmer/gu"
"github.com/stretchr/testify/assert"
"github.com/zitadel/zitadel/internal/integration"
project "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"
)
func TestServer_AddProjectRole(t *testing.T) {
iamOwnerCtx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, gofakeit.AppName(), gofakeit.Email())
alreadyExistingProject := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
alreadyExistingProjectRoleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, alreadyExistingProject.GetId(), alreadyExistingProjectRoleName, alreadyExistingProjectRoleName, "")
type want struct {
creationDate bool
}
tests := []struct {
name string
ctx context.Context
prepare func(request *project.AddProjectRoleRequest)
req *project.AddProjectRoleRequest
want
wantErr bool
}{
{
name: "empty key",
ctx: iamOwnerCtx,
prepare: func(request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: "",
DisplayName: gofakeit.AppName(),
},
wantErr: true,
},
{
name: "empty displayname",
ctx: iamOwnerCtx,
prepare: func(request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: gofakeit.AppName(),
DisplayName: "",
},
wantErr: true,
},
{
name: "already existing, error",
ctx: iamOwnerCtx,
prepare: func(request *project.AddProjectRoleRequest) {
request.ProjectId = alreadyExistingProject.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: alreadyExistingProjectRoleName,
DisplayName: alreadyExistingProjectRoleName,
},
wantErr: true,
},
{
name: "empty, ok",
ctx: iamOwnerCtx,
prepare: func(request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: gofakeit.Name(),
DisplayName: gofakeit.Name(),
},
want: want{
creationDate: true,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if tt.prepare != nil {
tt.prepare(tt.req)
}
creationDate := time.Now().UTC()
got, err := instance.Client.Projectv2Beta.AddProjectRole(tt.ctx, tt.req)
changeDate := time.Now().UTC()
if tt.wantErr {
assert.Error(t, err)
return
}
assert.NoError(t, err)
assertAddProjectRoleResponse(t, creationDate, changeDate, tt.want.creationDate, got)
})
}
}
func TestServer_AddProjectRole_Permission(t *testing.T) {
iamOwnerCtx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, gofakeit.AppName(), gofakeit.Email())
alreadyExistingProject := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
alreadyExistingProjectRoleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, alreadyExistingProject.GetId(), alreadyExistingProjectRoleName, alreadyExistingProjectRoleName, "")
type want struct {
creationDate bool
}
tests := []struct {
name string
ctx context.Context
prepare func(request *project.AddProjectRoleRequest)
req *project.AddProjectRoleRequest
want
wantErr bool
}{
{
name: "unauthenticated",
ctx: CTX,
prepare: func(request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: gofakeit.AppName(),
DisplayName: gofakeit.AppName(),
},
wantErr: true,
},
{
name: "no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
prepare: func(request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: gofakeit.AppName(),
DisplayName: gofakeit.AppName(),
},
wantErr: true,
},
{
name: "organization owner, other org",
ctx: instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),
prepare: func(request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: gofakeit.AppName(),
DisplayName: gofakeit.AppName(),
},
wantErr: true,
},
{
name: "organization owner, ok",
ctx: instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),
prepare: func(request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), gofakeit.AppName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: gofakeit.AppName(),
DisplayName: gofakeit.AppName(),
},
want: want{
creationDate: true,
},
},
{
name: "instance owner, ok",
ctx: iamOwnerCtx,
prepare: func(request *project.AddProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
request.ProjectId = projectResp.GetId()
},
req: &project.AddProjectRoleRequest{
RoleKey: gofakeit.AppName(),
DisplayName: gofakeit.AppName(),
},
want: want{
creationDate: true,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if tt.prepare != nil {
tt.prepare(tt.req)
}
creationDate := time.Now().UTC()
got, err := instance.Client.Projectv2Beta.AddProjectRole(tt.ctx, tt.req)
changeDate := time.Now().UTC()
if tt.wantErr {
assert.Error(t, err)
return
}
assert.NoError(t, err)
assertAddProjectRoleResponse(t, creationDate, changeDate, tt.want.creationDate, got)
})
}
}
func assertAddProjectRoleResponse(t *testing.T, creationDate, changeDate time.Time, expectedCreationDate bool, actualResp *project.AddProjectRoleResponse) {
if expectedCreationDate {
if !changeDate.IsZero() {
assert.WithinRange(t, actualResp.GetCreationDate().AsTime(), creationDate, changeDate)
} else {
assert.WithinRange(t, actualResp.GetCreationDate().AsTime(), creationDate, time.Now().UTC())
}
} else {
assert.Nil(t, actualResp.CreationDate)
}
}
func TestServer_UpdateProjectRole(t *testing.T) {
iamOwnerCtx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, gofakeit.AppName(), gofakeit.Email())
type args struct {
ctx context.Context
req *project.UpdateProjectRoleRequest
}
type want struct {
change bool
changeDate bool
}
tests := []struct {
name string
prepare func(request *project.UpdateProjectRoleRequest)
args args
want want
wantErr bool
}{
{
name: "missing permission",
prepare: func(request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr("changed"),
},
},
wantErr: true,
},
{
name: "not existing",
prepare: func(request *project.UpdateProjectRoleRequest) {
request.RoleKey = "notexisting"
return
},
args: args{
ctx: iamOwnerCtx,
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr("changed"),
},
},
wantErr: true,
},
{
name: "no change, ok",
prepare: func(request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
request.DisplayName = gu.Ptr(roleName)
},
args: args{
ctx: iamOwnerCtx,
req: &project.UpdateProjectRoleRequest{},
},
want: want{
change: false,
changeDate: true,
},
},
{
name: "change display name, ok",
prepare: func(request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: iamOwnerCtx,
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr(gofakeit.AppName()),
},
},
want: want{
change: true,
changeDate: true,
},
},
{
name: "change full, ok",
prepare: func(request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: iamOwnerCtx,
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr(gofakeit.AppName()),
Group: gu.Ptr(gofakeit.AppName()),
},
},
want: want{
change: true,
changeDate: true,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
creationDate := time.Now().UTC()
tt.prepare(tt.args.req)
got, err := instance.Client.Projectv2Beta.UpdateProjectRole(tt.args.ctx, tt.args.req)
if tt.wantErr {
assert.Error(t, err)
return
}
changeDate := time.Time{}
if tt.want.change {
changeDate = time.Now().UTC()
}
assert.NoError(t, err)
assertUpdateProjectRoleResponse(t, creationDate, changeDate, tt.want.changeDate, got)
})
}
}
func TestServer_UpdateProjectRole_Permission(t *testing.T) {
iamOwnerCtx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, gofakeit.AppName(), gofakeit.Email())
type args struct {
ctx context.Context
req *project.UpdateProjectRoleRequest
}
type want struct {
change bool
changeDate bool
}
tests := []struct {
name string
prepare func(request *project.UpdateProjectRoleRequest)
args args
want want
wantErr bool
}{
{
name: "unauthenicated",
prepare: func(request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: CTX,
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr("changed"),
},
},
wantErr: true,
},
{
name: "no permission",
prepare: func(request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr("changed"),
},
},
wantErr: true,
},
{
name: "organization owner, other org",
prepare: func(request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr("changed"),
},
},
wantErr: true,
},
{
name: "organization owner, ok",
prepare: func(request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr(gofakeit.AppName()),
},
},
want: want{
change: true,
changeDate: true,
},
},
{
name: "instance owner, ok",
prepare: func(request *project.UpdateProjectRoleRequest) {
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
},
args: args{
ctx: iamOwnerCtx,
req: &project.UpdateProjectRoleRequest{
DisplayName: gu.Ptr(gofakeit.AppName()),
},
},
want: want{
change: true,
changeDate: true,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
creationDate := time.Now().UTC()
tt.prepare(tt.args.req)
got, err := instance.Client.Projectv2Beta.UpdateProjectRole(tt.args.ctx, tt.args.req)
if tt.wantErr {
assert.Error(t, err)
return
}
changeDate := time.Time{}
if tt.want.change {
changeDate = time.Now().UTC()
}
assert.NoError(t, err)
assertUpdateProjectRoleResponse(t, creationDate, changeDate, tt.want.changeDate, got)
})
}
}
func assertUpdateProjectRoleResponse(t *testing.T, creationDate, changeDate time.Time, expectedChangeDate bool, actualResp *project.UpdateProjectRoleResponse) {
if expectedChangeDate {
if !changeDate.IsZero() {
assert.WithinRange(t, actualResp.GetChangeDate().AsTime(), creationDate, changeDate)
} else {
assert.WithinRange(t, actualResp.GetChangeDate().AsTime(), creationDate, time.Now().UTC())
}
} else {
assert.Nil(t, actualResp.ChangeDate)
}
}
func TestServer_DeleteProjectRole(t *testing.T) {
iamOwnerCtx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, gofakeit.AppName(), gofakeit.Email())
tests := []struct {
name string
ctx context.Context
prepare func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time)
req *project.RemoveProjectRoleRequest
wantDeletionDate bool
wantErr bool
}{
{
name: "empty id",
ctx: iamOwnerCtx,
req: &project.RemoveProjectRoleRequest{
ProjectId: "",
RoleKey: "notexisting",
},
wantErr: true,
},
{
name: "delete, not existing",
ctx: iamOwnerCtx,
req: &project.RemoveProjectRoleRequest{
ProjectId: "notexisting",
RoleKey: "notexisting",
},
wantDeletionDate: false,
},
{
name: "delete",
ctx: iamOwnerCtx,
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
},
req: &project.RemoveProjectRoleRequest{},
wantDeletionDate: true,
},
{
name: "delete, already removed",
ctx: iamOwnerCtx,
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
instance.RemoveProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName)
return creationDate, time.Now().UTC()
},
req: &project.RemoveProjectRoleRequest{},
wantDeletionDate: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
var creationDate, deletionDate time.Time
if tt.prepare != nil {
creationDate, deletionDate = tt.prepare(tt.req)
}
got, err := instance.Client.Projectv2Beta.RemoveProjectRole(tt.ctx, tt.req)
if tt.wantErr {
assert.Error(t, err)
return
}
assert.NoError(t, err)
assertRemoveProjectRoleResponse(t, creationDate, deletionDate, tt.wantDeletionDate, got)
})
}
}
func TestServer_DeleteProjectRole_Permission(t *testing.T) {
iamOwnerCtx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, gofakeit.AppName(), gofakeit.Email())
tests := []struct {
name string
ctx context.Context
prepare func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time)
req *project.RemoveProjectRoleRequest
wantDeletionDate bool
wantErr bool
}{
{
name: "unauthenticated",
ctx: CTX,
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
},
req: &project.RemoveProjectRoleRequest{},
wantErr: true,
},
{
name: "no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
},
req: &project.RemoveProjectRoleRequest{},
wantErr: true,
},
{
name: "organization owner, other org",
ctx: instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
},
req: &project.RemoveProjectRoleRequest{},
wantErr: true,
},
{
name: "organization owner, ok",
ctx: instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
},
req: &project.RemoveProjectRoleRequest{},
wantDeletionDate: true,
},
{
name: "instance owner, ok",
ctx: iamOwnerCtx,
prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false)
roleName := gofakeit.AppName()
instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "")
request.ProjectId = projectResp.GetId()
request.RoleKey = roleName
return creationDate, time.Time{}
},
req: &project.RemoveProjectRoleRequest{},
wantDeletionDate: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
var creationDate, deletionDate time.Time
if tt.prepare != nil {
creationDate, deletionDate = tt.prepare(tt.req)
}
got, err := instance.Client.Projectv2Beta.RemoveProjectRole(tt.ctx, tt.req)
if tt.wantErr {
assert.Error(t, err)
return
}
assert.NoError(t, err)
assertRemoveProjectRoleResponse(t, creationDate, deletionDate, tt.wantDeletionDate, got)
})
}
}
func assertRemoveProjectRoleResponse(t *testing.T, creationDate, deletionDate time.Time, expectedDeletionDate bool, actualResp *project.RemoveProjectRoleResponse) {
if expectedDeletionDate {
if !deletionDate.IsZero() {
assert.WithinRange(t, actualResp.GetRemovalDate().AsTime(), creationDate, deletionDate)
} else {
assert.WithinRange(t, actualResp.GetRemovalDate().AsTime(), creationDate, time.Now().UTC())
}
} else {
assert.Nil(t, actualResp.RemovalDate)
}
}

1013
internal/api/grpc/project/v2beta/integration/project_test.go Normal file
View File

File diff suppressed because it is too large Load Diff

1738
internal/api/grpc/project/v2beta/integration/query_test.go Normal file
View File

File diff suppressed because it is too large Load Diff

63
internal/api/grpc/project/v2beta/integration/server_test.go Normal file
View File

@@ -0,0 +1,63 @@
//go:build integration
package project_test
import (
"context"
"os"
"testing"
"time"
"github.com/muhlemmer/gu"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/zitadel/zitadel/internal/integration"
"github.com/zitadel/zitadel/pkg/grpc/feature/v2"
)
var (
CTX context.Context
instance *integration.Instance
instancePermissionV2 *integration.Instance
)
func TestMain(m *testing.M) {
os.Exit(func() int {
ctx, cancel := context.WithTimeout(context.Background(), 15*time.Minute)
defer cancel()
CTX = ctx
instance = integration.NewInstance(ctx)
instancePermissionV2 = integration.NewInstance(CTX)
return m.Run()
}())
}
func ensureFeaturePermissionV2Enabled(t *testing.T, instance *integration.Instance) {
ctx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
f, err := instance.Client.FeatureV2.GetInstanceFeatures(ctx, &feature.GetInstanceFeaturesRequest{
Inheritance: true,
})
require.NoError(t, err)
if f.PermissionCheckV2.GetEnabled() {
return
}
_, err = instance.Client.FeatureV2.SetInstanceFeatures(ctx, &feature.SetInstanceFeaturesRequest{
PermissionCheckV2: gu.Ptr(true),
})
require.NoError(t, err)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, 5*time.Minute)
require.EventuallyWithT(t,
func(ttt *assert.CollectT) {
f, err := instance.Client.FeatureV2.GetInstanceFeatures(ctx, &feature.GetInstanceFeaturesRequest{
Inheritance: true,
})
assert.NoError(ttt, err)
if f.PermissionCheckV2.GetEnabled() {
return
}
},
retryDuration,
tick,
"timed out waiting for ensuring instance feature")
}

161
internal/api/grpc/project/v2beta/project.go Normal file
View File

@@ -0,0 +1,161 @@
package project
import (
"context"
"github.com/muhlemmer/gu"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/internal/query"
project_pb "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"
)
func (s *Server) CreateProject(ctx context.Context, req *project_pb.CreateProjectRequest) (*project_pb.CreateProjectResponse, error) {
add := projectCreateToCommand(req)
project, err := s.command.AddProject(ctx, add)
if err != nil {
return nil, err
}
var creationDate *timestamppb.Timestamp
if !project.EventDate.IsZero() {
creationDate = timestamppb.New(project.EventDate)
}
return &project_pb.CreateProjectResponse{
Id: add.AggregateID,
CreationDate: creationDate,
}, nil
}
func projectCreateToCommand(req *project_pb.CreateProjectRequest) *command.AddProject {
var aggregateID string
if req.Id != nil {
aggregateID = *req.Id
}
return &command.AddProject{
ObjectRoot: models.ObjectRoot{
ResourceOwner: req.OrganizationId,
AggregateID: aggregateID,
},
Name: req.Name,
ProjectRoleAssertion: req.ProjectRoleAssertion,
ProjectRoleCheck: req.AuthorizationRequired,
HasProjectCheck: req.ProjectAccessRequired,
PrivateLabelingSetting: privateLabelingSettingToDomain(req.PrivateLabelingSetting),
}
}
func privateLabelingSettingToDomain(setting project_pb.PrivateLabelingSetting) domain.PrivateLabelingSetting {
switch setting {
case project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY:
return domain.PrivateLabelingSettingAllowLoginUserResourceOwnerPolicy
case project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY:
return domain.PrivateLabelingSettingEnforceProjectResourceOwnerPolicy
case project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_UNSPECIFIED:
return domain.PrivateLabelingSettingUnspecified
default:
return domain.PrivateLabelingSettingUnspecified
}
}
func (s *Server) UpdateProject(ctx context.Context, req *project_pb.UpdateProjectRequest) (*project_pb.UpdateProjectResponse, error) {
project, err := s.command.ChangeProject(ctx, projectUpdateToCommand(req))
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !project.EventDate.IsZero() {
changeDate = timestamppb.New(project.EventDate)
}
return &project_pb.UpdateProjectResponse{
ChangeDate: changeDate,
}, nil
}
func projectUpdateToCommand(req *project_pb.UpdateProjectRequest) *command.ChangeProject {
var labeling *domain.PrivateLabelingSetting
if req.PrivateLabelingSetting != nil {
labeling = gu.Ptr(privateLabelingSettingToDomain(*req.PrivateLabelingSetting))
}
return &command.ChangeProject{
ObjectRoot: models.ObjectRoot{
AggregateID: req.Id,
},
Name: req.Name,
ProjectRoleAssertion: req.ProjectRoleAssertion,
ProjectRoleCheck: req.ProjectRoleCheck,
HasProjectCheck: req.HasProjectCheck,
PrivateLabelingSetting: labeling,
}
}
func (s *Server) DeleteProject(ctx context.Context, req *project_pb.DeleteProjectRequest) (*project_pb.DeleteProjectResponse, error) {
userGrantIDs, err := s.userGrantsFromProject(ctx, req.Id)
if err != nil {
return nil, err
}
deletedAt, err := s.command.DeleteProject(ctx, req.Id, "", userGrantIDs...)
if err != nil {
return nil, err
}
var deletionDate *timestamppb.Timestamp
if !deletedAt.IsZero() {
deletionDate = timestamppb.New(deletedAt)
}
return &project_pb.DeleteProjectResponse{
DeletionDate: deletionDate,
}, nil
}
func (s *Server) userGrantsFromProject(ctx context.Context, projectID string) ([]string, error) {
projectQuery, err := query.NewUserGrantProjectIDSearchQuery(projectID)
if err != nil {
return nil, err
}
userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
Queries: []query.SearchQuery{projectQuery},
}, false)
if err != nil {
return nil, err
}
return userGrantsToIDs(userGrants.UserGrants), nil
}
func (s *Server) DeactivateProject(ctx context.Context, req *project_pb.DeactivateProjectRequest) (*project_pb.DeactivateProjectResponse, error) {
details, err := s.command.DeactivateProject(ctx, req.Id, "")
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !details.EventDate.IsZero() {
changeDate = timestamppb.New(details.EventDate)
}
return &project_pb.DeactivateProjectResponse{
ChangeDate: changeDate,
}, nil
}
func (s *Server) ActivateProject(ctx context.Context, req *project_pb.ActivateProjectRequest) (*project_pb.ActivateProjectResponse, error) {
details, err := s.command.ReactivateProject(ctx, req.Id, "")
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !details.EventDate.IsZero() {
changeDate = timestamppb.New(details.EventDate)
}
return &project_pb.ActivateProjectResponse{
ChangeDate: changeDate,
}, nil
}
func userGrantsToIDs(userGrants []*query.UserGrant) []string {
converted := make([]string, len(userGrants))
for i, grant := range userGrants {
converted[i] = grant.ID
}
return converted
}

126
internal/api/grpc/project/v2beta/project_grant.go Normal file
View File

@@ -0,0 +1,126 @@
package project
import (
"context"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/internal/query"
project_pb "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"
)
func (s *Server) CreateProjectGrant(ctx context.Context, req *project_pb.CreateProjectGrantRequest) (*project_pb.CreateProjectGrantResponse, error) {
add := projectGrantCreateToCommand(req)
project, err := s.command.AddProjectGrant(ctx, add)
if err != nil {
return nil, err
}
var creationDate *timestamppb.Timestamp
if !project.EventDate.IsZero() {
creationDate = timestamppb.New(project.EventDate)
}
return &project_pb.CreateProjectGrantResponse{
CreationDate: creationDate,
}, nil
}
func projectGrantCreateToCommand(req *project_pb.CreateProjectGrantRequest) *command.AddProjectGrant {
return &command.AddProjectGrant{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
},
GrantID: req.GrantedOrganizationId,
GrantedOrgID: req.GrantedOrganizationId,
RoleKeys: req.RoleKeys,
}
}
func (s *Server) UpdateProjectGrant(ctx context.Context, req *project_pb.UpdateProjectGrantRequest) (*project_pb.UpdateProjectGrantResponse, error) {
project, err := s.command.ChangeProjectGrant(ctx, projectGrantUpdateToCommand(req))
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !project.EventDate.IsZero() {
changeDate = timestamppb.New(project.EventDate)
}
return &project_pb.UpdateProjectGrantResponse{
ChangeDate: changeDate,
}, nil
}
func projectGrantUpdateToCommand(req *project_pb.UpdateProjectGrantRequest) *command.ChangeProjectGrant {
return &command.ChangeProjectGrant{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
},
GrantID: req.GrantedOrganizationId,
RoleKeys: req.RoleKeys,
}
}
func (s *Server) DeactivateProjectGrant(ctx context.Context, req *project_pb.DeactivateProjectGrantRequest) (*project_pb.DeactivateProjectGrantResponse, error) {
details, err := s.command.DeactivateProjectGrant(ctx, req.ProjectId, req.GrantedOrganizationId, "")
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !details.EventDate.IsZero() {
changeDate = timestamppb.New(details.EventDate)
}
return &project_pb.DeactivateProjectGrantResponse{
ChangeDate: changeDate,
}, nil
}
func (s *Server) ActivateProjectGrant(ctx context.Context, req *project_pb.ActivateProjectGrantRequest) (*project_pb.ActivateProjectGrantResponse, error) {
details, err := s.command.ReactivateProjectGrant(ctx, req.ProjectId, req.GrantedOrganizationId, "")
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !details.EventDate.IsZero() {
changeDate = timestamppb.New(details.EventDate)
}
return &project_pb.ActivateProjectGrantResponse{
ChangeDate: changeDate,
}, nil
}
func (s *Server) DeleteProjectGrant(ctx context.Context, req *project_pb.DeleteProjectGrantRequest) (*project_pb.DeleteProjectGrantResponse, error) {
userGrantIDs, err := s.userGrantsFromProjectGrant(ctx, req.ProjectId, req.GrantedOrganizationId)
if err != nil {
return nil, err
}
details, err := s.command.RemoveProjectGrant(ctx, req.ProjectId, req.GrantedOrganizationId, "", userGrantIDs...)
if err != nil {
return nil, err
}
var deletionDate *timestamppb.Timestamp
if !details.EventDate.IsZero() {
deletionDate = timestamppb.New(details.EventDate)
}
return &project_pb.DeleteProjectGrantResponse{
DeletionDate: deletionDate,
}, nil
}
func (s *Server) userGrantsFromProjectGrant(ctx context.Context, projectID, grantedOrganizationID string) ([]string, error) {
projectQuery, err := query.NewUserGrantProjectIDSearchQuery(projectID)
if err != nil {
return nil, err
}
grantQuery, err := query.NewUserGrantGrantIDSearchQuery(grantedOrganizationID)
if err != nil {
return nil, err
}
userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
Queries: []query.SearchQuery{projectQuery, grantQuery},
}, false)
if err != nil {
return nil, err
}
return userGrantsToIDs(userGrants.UserGrants), nil
}

132
internal/api/grpc/project/v2beta/project_role.go Normal file
View File

@@ -0,0 +1,132 @@
package project
import (
"context"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/internal/query"
project_pb "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"
)
func (s *Server) AddProjectRole(ctx context.Context, req *project_pb.AddProjectRoleRequest) (*project_pb.AddProjectRoleResponse, error) {
role, err := s.command.AddProjectRole(ctx, addProjectRoleRequestToCommand(req))
if err != nil {
return nil, err
}
var creationDate *timestamppb.Timestamp
if !role.EventDate.IsZero() {
creationDate = timestamppb.New(role.EventDate)
}
return &project_pb.AddProjectRoleResponse{
CreationDate: creationDate,
}, nil
}
func addProjectRoleRequestToCommand(req *project_pb.AddProjectRoleRequest) *command.AddProjectRole {
group := ""
if req.Group != nil {
group = *req.Group
}
return &command.AddProjectRole{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
},
Key: req.RoleKey,
DisplayName: req.DisplayName,
Group: group,
}
}
func (s *Server) UpdateProjectRole(ctx context.Context, req *project_pb.UpdateProjectRoleRequest) (*project_pb.UpdateProjectRoleResponse, error) {
role, err := s.command.ChangeProjectRole(ctx, updateProjectRoleRequestToCommand(req))
if err != nil {
return nil, err
}
var changeDate *timestamppb.Timestamp
if !role.EventDate.IsZero() {
changeDate = timestamppb.New(role.EventDate)
}
return &project_pb.UpdateProjectRoleResponse{
ChangeDate: changeDate,
}, nil
}
func updateProjectRoleRequestToCommand(req *project_pb.UpdateProjectRoleRequest) *command.ChangeProjectRole {
displayName := ""
if req.DisplayName != nil {
displayName = *req.DisplayName
}
group := ""
if req.Group != nil {
group = *req.Group
}
return &command.ChangeProjectRole{
ObjectRoot: models.ObjectRoot{
AggregateID: req.ProjectId,
},
Key: req.RoleKey,
DisplayName: displayName,
Group: group,
}
}
func (s *Server) RemoveProjectRole(ctx context.Context, req *project_pb.RemoveProjectRoleRequest) (*project_pb.RemoveProjectRoleResponse, error) {
userGrantIDs, err := s.userGrantsFromProjectAndRole(ctx, req.ProjectId, req.RoleKey)
if err != nil {
return nil, err
}
projectGrantIDs, err := s.projectGrantsFromProjectAndRole(ctx, req.ProjectId, req.RoleKey)
if err != nil {
return nil, err
}
details, err := s.command.RemoveProjectRole(ctx, req.ProjectId, req.RoleKey, "", projectGrantIDs, userGrantIDs...)
if err != nil {
return nil, err
}
var deletionDate *timestamppb.Timestamp
if !details.EventDate.IsZero() {
deletionDate = timestamppb.New(details.EventDate)
}
return &project_pb.RemoveProjectRoleResponse{
RemovalDate: deletionDate,
}, nil
}
func (s *Server) userGrantsFromProjectAndRole(ctx context.Context, projectID, roleKey string) ([]string, error) {
projectQuery, err := query.NewUserGrantProjectIDSearchQuery(projectID)
if err != nil {
return nil, err
}
rolesQuery, err := query.NewUserGrantRoleQuery(roleKey)
if err != nil {
return nil, err
}
userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
Queries: []query.SearchQuery{projectQuery, rolesQuery},
}, false)
if err != nil {
return nil, err
}
return userGrantsToIDs(userGrants.UserGrants), nil
}
func (s *Server) projectGrantsFromProjectAndRole(ctx context.Context, projectID, roleKey string) ([]string, error) {
projectGrants, err := s.query.SearchProjectGrantsByProjectIDAndRoleKey(ctx, projectID, roleKey)
if err != nil {
return nil, err
}
return projectGrantsToIDs(projectGrants), nil
}
func projectGrantsToIDs(projectGrants *query.ProjectGrants) []string {
converted := make([]string, len(projectGrants.ProjectGrants))
for i, grant := range projectGrants.ProjectGrants {
converted[i] = grant.GrantID
}
return converted
}

427
internal/api/grpc/project/v2beta/query.go Normal file
View File

@@ -0,0 +1,427 @@
package project
import (
"context"
"google.golang.org/protobuf/types/known/timestamppb"
filter "github.com/zitadel/zitadel/internal/api/grpc/filter/v2beta"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/internal/zerrors"
project_pb "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"
)
func (s *Server) GetProject(ctx context.Context, req *project_pb.GetProjectRequest) (*project_pb.GetProjectResponse, error) {
project, err := s.query.GetProjectByIDWithPermission(ctx, true, req.Id, s.checkPermission)
if err != nil {
return nil, err
}
return &project_pb.GetProjectResponse{
Project: projectToPb(project),
}, nil
}
func (s *Server) ListProjects(ctx context.Context, req *project_pb.ListProjectsRequest) (*project_pb.ListProjectsResponse, error) {
queries, err := s.listProjectRequestToModel(req)
if err != nil {
return nil, err
}
resp, err := s.query.SearchGrantedProjects(ctx, queries, s.checkPermission)
if err != nil {
return nil, err
}
return &project_pb.ListProjectsResponse{
Projects: grantedProjectsToPb(resp.GrantedProjects),
Pagination: filter.QueryToPaginationPb(queries.SearchRequest, resp.SearchResponse),
}, nil
}
func (s *Server) listProjectRequestToModel(req *project_pb.ListProjectsRequest) (*query.ProjectAndGrantedProjectSearchQueries, error) {
offset, limit, asc, err := filter.PaginationPbToQuery(s.systemDefaults, req.Pagination)
if err != nil {
return nil, err
}
queries, err := projectFiltersToQuery(req.Filters)
if err != nil {
return nil, err
}
return &query.ProjectAndGrantedProjectSearchQueries{
SearchRequest: query.SearchRequest{
Offset: offset,
Limit: limit,
Asc: asc,
SortingColumn: grantedProjectFieldNameToSortingColumn(req.SortingColumn),
},
Queries: queries,
}, nil
}
func grantedProjectFieldNameToSortingColumn(field *project_pb.ProjectFieldName) query.Column {
if field == nil {
return query.GrantedProjectColumnCreationDate
}
switch *field {
case project_pb.ProjectFieldName_PROJECT_FIELD_NAME_CREATION_DATE:
return query.GrantedProjectColumnCreationDate
case project_pb.ProjectFieldName_PROJECT_FIELD_NAME_ID:
return query.GrantedProjectColumnID
case project_pb.ProjectFieldName_PROJECT_FIELD_NAME_NAME:
return query.GrantedProjectColumnName
case project_pb.ProjectFieldName_PROJECT_FIELD_NAME_CHANGE_DATE:
return query.GrantedProjectColumnChangeDate
case project_pb.ProjectFieldName_PROJECT_FIELD_NAME_UNSPECIFIED:
return query.GrantedProjectColumnCreationDate
default:
return query.GrantedProjectColumnCreationDate
}
}
func projectFiltersToQuery(queries []*project_pb.ProjectSearchFilter) (_ []query.SearchQuery, err error) {
q := make([]query.SearchQuery, len(queries))
for i, qry := range queries {
q[i], err = projectFilterToModel(qry)
if err != nil {
return nil, err
}
}
return q, nil
}
func projectFilterToModel(filter *project_pb.ProjectSearchFilter) (query.SearchQuery, error) {
switch q := filter.Filter.(type) {
case *project_pb.ProjectSearchFilter_ProjectNameFilter:
return projectNameFilterToQuery(q.ProjectNameFilter)
case *project_pb.ProjectSearchFilter_InProjectIdsFilter:
return projectInIDsFilterToQuery(q.InProjectIdsFilter)
case *project_pb.ProjectSearchFilter_ProjectResourceOwnerFilter:
return projectResourceOwnerFilterToQuery(q.ProjectResourceOwnerFilter)
case *project_pb.ProjectSearchFilter_ProjectOrganizationIdFilter:
return projectOrganizationIDFilterToQuery(q.ProjectOrganizationIdFilter)
case *project_pb.ProjectSearchFilter_ProjectGrantResourceOwnerFilter:
return projectGrantResourceOwnerFilterToQuery(q.ProjectGrantResourceOwnerFilter)
default:
return nil, zerrors.ThrowInvalidArgument(nil, "ORG-vR9nC", "List.Query.Invalid")
}
}
func projectNameFilterToQuery(q *project_pb.ProjectNameFilter) (query.SearchQuery, error) {
return query.NewGrantedProjectNameSearchQuery(filter.TextMethodPbToQuery(q.Method), q.GetProjectName())
}
func projectInIDsFilterToQuery(q *project_pb.InProjectIDsFilter) (query.SearchQuery, error) {
return query.NewGrantedProjectIDSearchQuery(q.ProjectIds)
}
func projectResourceOwnerFilterToQuery(q *project_pb.ProjectResourceOwnerFilter) (query.SearchQuery, error) {
return query.NewGrantedProjectResourceOwnerSearchQuery(q.ProjectResourceOwner)
}
func projectOrganizationIDFilterToQuery(q *project_pb.ProjectOrganizationIDFilter) (query.SearchQuery, error) {
return query.NewGrantedProjectOrganizationIDSearchQuery(q.ProjectOrganizationId)
}
func projectGrantResourceOwnerFilterToQuery(q *project_pb.ProjectGrantResourceOwnerFilter) (query.SearchQuery, error) {
return query.NewGrantedProjectGrantResourceOwnerSearchQuery(q.ProjectGrantResourceOwner)
}
func grantedProjectsToPb(projects []*query.GrantedProject) []*project_pb.Project {
o := make([]*project_pb.Project, len(projects))
for i, org := range projects {
o[i] = grantedProjectToPb(org)
}
return o
}
func projectToPb(project *query.Project) *project_pb.Project {
return &project_pb.Project{
Id: project.ID,
OrganizationId: project.ResourceOwner,
CreationDate: timestamppb.New(project.CreationDate),
ChangeDate: timestamppb.New(project.ChangeDate),
State: projectStateToPb(project.State),
Name: project.Name,
PrivateLabelingSetting: privateLabelingSettingToPb(project.PrivateLabelingSetting),
ProjectAccessRequired: project.HasProjectCheck,
ProjectRoleAssertion: project.ProjectRoleAssertion,
AuthorizationRequired: project.ProjectRoleCheck,
}
}
func grantedProjectToPb(project *query.GrantedProject) *project_pb.Project {
var grantedOrganizationID, grantedOrganizationName *string
if project.GrantedOrgID != "" {
grantedOrganizationID = &project.GrantedOrgID
}
if project.OrgName != "" {
grantedOrganizationName = &project.OrgName
}
return &project_pb.Project{
Id: project.ProjectID,
OrganizationId: project.ResourceOwner,
CreationDate: timestamppb.New(project.CreationDate),
ChangeDate: timestamppb.New(project.ChangeDate),
State: projectStateToPb(project.ProjectState),
Name: project.ProjectName,
PrivateLabelingSetting: privateLabelingSettingToPb(project.PrivateLabelingSetting),
ProjectAccessRequired: project.HasProjectCheck,
ProjectRoleAssertion: project.ProjectRoleAssertion,
AuthorizationRequired: project.ProjectRoleCheck,
GrantedOrganizationId: grantedOrganizationID,
GrantedOrganizationName: grantedOrganizationName,
GrantedState: grantedProjectStateToPb(project.ProjectGrantState),
}
}
func projectStateToPb(state domain.ProjectState) project_pb.ProjectState {
switch state {
case domain.ProjectStateActive:
return project_pb.ProjectState_PROJECT_STATE_ACTIVE
case domain.ProjectStateInactive:
return project_pb.ProjectState_PROJECT_STATE_INACTIVE
case domain.ProjectStateUnspecified, domain.ProjectStateRemoved:
return project_pb.ProjectState_PROJECT_STATE_UNSPECIFIED
default:
return project_pb.ProjectState_PROJECT_STATE_UNSPECIFIED
}
}
func grantedProjectStateToPb(state domain.ProjectGrantState) project_pb.GrantedProjectState {
switch state {
case domain.ProjectGrantStateActive:
return project_pb.GrantedProjectState_GRANTED_PROJECT_STATE_ACTIVE
case domain.ProjectGrantStateInactive:
return project_pb.GrantedProjectState_GRANTED_PROJECT_STATE_INACTIVE
case domain.ProjectGrantStateUnspecified, domain.ProjectGrantStateRemoved:
return project_pb.GrantedProjectState_GRANTED_PROJECT_STATE_UNSPECIFIED
default:
return project_pb.GrantedProjectState_GRANTED_PROJECT_STATE_UNSPECIFIED
}
}
func privateLabelingSettingToPb(setting domain.PrivateLabelingSetting) project_pb.PrivateLabelingSetting {
switch setting {
case domain.PrivateLabelingSettingAllowLoginUserResourceOwnerPolicy:
return project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
case domain.PrivateLabelingSettingEnforceProjectResourceOwnerPolicy:
return project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
case domain.PrivateLabelingSettingUnspecified:
return project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_UNSPECIFIED
default:
return project_pb.PrivateLabelingSetting_PRIVATE_LABELING_SETTING_UNSPECIFIED
}
}
func (s *Server) ListProjectGrants(ctx context.Context, req *project_pb.ListProjectGrantsRequest) (*project_pb.ListProjectGrantsResponse, error) {
queries, err := s.listProjectGrantsRequestToModel(req)
if err != nil {
return nil, err
}
resp, err := s.query.SearchProjectGrants(ctx, queries, s.checkPermission)
if err != nil {
return nil, err
}
return &project_pb.ListProjectGrantsResponse{
ProjectGrants: projectGrantsToPb(resp.ProjectGrants),
Pagination: filter.QueryToPaginationPb(queries.SearchRequest, resp.SearchResponse),
}, nil
}
func (s *Server) listProjectGrantsRequestToModel(req *project_pb.ListProjectGrantsRequest) (*query.ProjectGrantSearchQueries, error) {
offset, limit, asc, err := filter.PaginationPbToQuery(s.systemDefaults, req.Pagination)
if err != nil {
return nil, err
}
queries, err := projectGrantFiltersToModel(req.Filters)
if err != nil {
return nil, err
}
return &query.ProjectGrantSearchQueries{
SearchRequest: query.SearchRequest{
Offset: offset,
Limit: limit,
Asc: asc,
SortingColumn: projectGrantFieldNameToSortingColumn(req.SortingColumn),
},
Queries: queries,
}, nil
}
func projectGrantFieldNameToSortingColumn(field *project_pb.ProjectGrantFieldName) query.Column {
if field == nil {
return query.ProjectGrantColumnCreationDate
}
switch *field {
case project_pb.ProjectGrantFieldName_PROJECT_GRANT_FIELD_NAME_PROJECT_ID:
return query.ProjectGrantColumnProjectID
case project_pb.ProjectGrantFieldName_PROJECT_GRANT_FIELD_NAME_CREATION_DATE:
return query.ProjectGrantColumnCreationDate
case project_pb.ProjectGrantFieldName_PROJECT_GRANT_FIELD_NAME_CHANGE_DATE:
return query.ProjectGrantColumnChangeDate
case project_pb.ProjectGrantFieldName_PROJECT_GRANT_FIELD_NAME_UNSPECIFIED:
return query.ProjectGrantColumnCreationDate
default:
return query.ProjectGrantColumnCreationDate
}
}
func projectGrantFiltersToModel(queries []*project_pb.ProjectGrantSearchFilter) (_ []query.SearchQuery, err error) {
q := make([]query.SearchQuery, len(queries))
for i, qry := range queries {
q[i], err = projectGrantFilterToModel(qry)
if err != nil {
return nil, err
}
}
return q, nil
}
func projectGrantFilterToModel(filter *project_pb.ProjectGrantSearchFilter) (query.SearchQuery, error) {
switch q := filter.Filter.(type) {
case *project_pb.ProjectGrantSearchFilter_ProjectNameFilter:
return projectNameFilterToQuery(q.ProjectNameFilter)
case *project_pb.ProjectGrantSearchFilter_RoleKeyFilter:
return query.NewProjectGrantRoleKeySearchQuery(q.RoleKeyFilter.Key)
case *project_pb.ProjectGrantSearchFilter_InProjectIdsFilter:
return query.NewProjectGrantProjectIDsSearchQuery(q.InProjectIdsFilter.ProjectIds)
case *project_pb.ProjectGrantSearchFilter_ProjectResourceOwnerFilter:
return query.NewProjectGrantResourceOwnerSearchQuery(q.ProjectResourceOwnerFilter.ProjectResourceOwner)
case *project_pb.ProjectGrantSearchFilter_ProjectGrantResourceOwnerFilter:
return query.NewProjectGrantGrantedOrgIDSearchQuery(q.ProjectGrantResourceOwnerFilter.ProjectGrantResourceOwner)
default:
return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-M099f", "List.Query.Invalid")
}
}
func projectGrantsToPb(projects []*query.ProjectGrant) []*project_pb.ProjectGrant {
p := make([]*project_pb.ProjectGrant, len(projects))
for i, project := range projects {
p[i] = projectGrantToPb(project)
}
return p
}
func projectGrantToPb(project *query.ProjectGrant) *project_pb.ProjectGrant {
return &project_pb.ProjectGrant{
OrganizationId: project.ResourceOwner,
CreationDate: timestamppb.New(project.CreationDate),
ChangeDate: timestamppb.New(project.ChangeDate),
GrantedOrganizationId: project.GrantedOrgID,
GrantedOrganizationName: project.OrgName,
GrantedRoleKeys: project.GrantedRoleKeys,
ProjectId: project.ProjectID,
ProjectName: project.ProjectName,
State: projectGrantStateToPb(project.State),
}
}
func projectGrantStateToPb(state domain.ProjectGrantState) project_pb.ProjectGrantState {
switch state {
case domain.ProjectGrantStateActive:
return project_pb.ProjectGrantState_PROJECT_GRANT_STATE_ACTIVE
case domain.ProjectGrantStateInactive:
return project_pb.ProjectGrantState_PROJECT_GRANT_STATE_INACTIVE
case domain.ProjectGrantStateUnspecified, domain.ProjectGrantStateRemoved:
return project_pb.ProjectGrantState_PROJECT_GRANT_STATE_UNSPECIFIED
default:
return project_pb.ProjectGrantState_PROJECT_GRANT_STATE_UNSPECIFIED
}
}
func (s *Server) ListProjectRoles(ctx context.Context, req *project_pb.ListProjectRolesRequest) (*project_pb.ListProjectRolesResponse, error) {
queries, err := s.listProjectRolesRequestToModel(req)
if err != nil {
return nil, err
}
err = queries.AppendProjectIDQuery(req.ProjectId)
if err != nil {
return nil, err
}
roles, err := s.query.SearchProjectRoles(ctx, true, queries, s.checkPermission)
if err != nil {
return nil, err
}
return &project_pb.ListProjectRolesResponse{
ProjectRoles: roleViewsToPb(roles.ProjectRoles),
Pagination: filter.QueryToPaginationPb(queries.SearchRequest, roles.SearchResponse),
}, nil
}
func (s *Server) listProjectRolesRequestToModel(req *project_pb.ListProjectRolesRequest) (*query.ProjectRoleSearchQueries, error) {
offset, limit, asc, err := filter.PaginationPbToQuery(s.systemDefaults, req.Pagination)
if err != nil {
return nil, err
}
queries, err := roleQueriesToModel(req.Filters)
if err != nil {
return nil, err
}
return &query.ProjectRoleSearchQueries{
SearchRequest: query.SearchRequest{
Offset: offset,
Limit: limit,
Asc: asc,
SortingColumn: projectRoleFieldNameToSortingColumn(req.SortingColumn),
},
Queries: queries,
}, nil
}
func projectRoleFieldNameToSortingColumn(field *project_pb.ProjectRoleFieldName) query.Column {
if field == nil {
return query.ProjectRoleColumnCreationDate
}
switch *field {
case project_pb.ProjectRoleFieldName_PROJECT_ROLE_FIELD_NAME_KEY:
return query.ProjectRoleColumnKey
case project_pb.ProjectRoleFieldName_PROJECT_ROLE_FIELD_NAME_CREATION_DATE:
return query.ProjectRoleColumnCreationDate
case project_pb.ProjectRoleFieldName_PROJECT_ROLE_FIELD_NAME_CHANGE_DATE:
return query.ProjectRoleColumnChangeDate
case project_pb.ProjectRoleFieldName_PROJECT_ROLE_FIELD_NAME_UNSPECIFIED:
return query.ProjectRoleColumnCreationDate
default:
return query.ProjectRoleColumnCreationDate
}
}
func roleQueriesToModel(queries []*project_pb.ProjectRoleSearchFilter) (_ []query.SearchQuery, err error) {
q := make([]query.SearchQuery, len(queries))
for i, query := range queries {
q[i], err = roleQueryToModel(query)
if err != nil {
return nil, err
}
}
return q, nil
}
func roleQueryToModel(apiQuery *project_pb.ProjectRoleSearchFilter) (query.SearchQuery, error) {
switch q := apiQuery.Filter.(type) {
case *project_pb.ProjectRoleSearchFilter_RoleKeyFilter:
return query.NewProjectRoleKeySearchQuery(filter.TextMethodPbToQuery(q.RoleKeyFilter.Method), q.RoleKeyFilter.Key)
case *project_pb.ProjectRoleSearchFilter_DisplayNameFilter:
return query.NewProjectRoleDisplayNameSearchQuery(filter.TextMethodPbToQuery(q.DisplayNameFilter.Method), q.DisplayNameFilter.DisplayName)
default:
return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-fms0e", "List.Query.Invalid")
}
}
func roleViewsToPb(roles []*query.ProjectRole) []*project_pb.ProjectRole {
o := make([]*project_pb.ProjectRole, len(roles))
for i, org := range roles {
o[i] = roleViewToPb(org)
}
return o
}
func roleViewToPb(role *query.ProjectRole) *project_pb.ProjectRole {
return &project_pb.ProjectRole{
ProjectId: role.ProjectID,
Key: role.Key,
CreationDate: timestamppb.New(role.CreationDate),
ChangeDate: timestamppb.New(role.ChangeDate),
DisplayName: role.DisplayName,
Group: role.Group,
}
}

60
internal/api/grpc/project/v2beta/server.go Normal file
View File

@@ -0,0 +1,60 @@
package project
import (
"google.golang.org/grpc"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/api/grpc/server"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/config/systemdefaults"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
project "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"
)
var _ project.ProjectServiceServer = (*Server)(nil)
type Server struct {
project.UnimplementedProjectServiceServer
systemDefaults systemdefaults.SystemDefaults
command *command.Commands
query *query.Queries
checkPermission domain.PermissionCheck
}
type Config struct{}
func CreateServer(
systemDefaults systemdefaults.SystemDefaults,
command *command.Commands,
query *query.Queries,
checkPermission domain.PermissionCheck,
) *Server {
return &Server{
systemDefaults: systemDefaults,
command: command,
query: query,
checkPermission: checkPermission,
}
}
func (s *Server) RegisterServer(grpcServer *grpc.Server) {
project.RegisterProjectServiceServer(grpcServer, s)
}
func (s *Server) AppName() string {
return project.ProjectService_ServiceDesc.ServiceName
}
func (s *Server) MethodPrefix() string {
return project.ProjectService_ServiceDesc.ServiceName
}
func (s *Server) AuthMethods() authz.MethodMapping {
return project.ProjectService_AuthMethods
}
func (s *Server) RegisterGateway() server.RegisterGatewayFunc {
return project.RegisterProjectServiceHandler
}

21
internal/api/grpc/saml/v2/integration/saml_test.go
View File

@@ -332,7 +332,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
projectID2, _, _ := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
orgResp := Instance.CreateOrganization(ctx, "saml-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID2, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID2, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
@@ -346,7 +346,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
orgResp := Instance.CreateOrganization(ctx, "saml-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
@@ -368,9 +368,9 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
orgResp := Instance.CreateOrganization(ctx, "saml-permission-"+gofakeit.AppName(), gofakeit.Email())
projectGrantResp := Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
@@ -502,9 +502,9 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
orgResp := Instance.CreateOrganization(ctx, "saml-permissison-"+gofakeit.AppName(), gofakeit.Email())
projectGrantResp := Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
@@ -523,7 +523,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
orgResp := Instance.CreateOrganization(ctx, "saml-permissison-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
@@ -563,7 +563,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true)
orgResp := Instance.CreateOrganization(ctx, "saml-permissison-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
@@ -640,10 +640,9 @@ func createSAMLSP(t *testing.T, idpMetadata *saml.EntityDescriptor, binding stri
}
func createSAMLApplication(ctx context.Context, t *testing.T, idpMetadata *saml.EntityDescriptor, binding string, projectRoleCheck, hasProjectCheck bool) (string, string, *samlsp.Middleware) {
project, err := Instance.CreateProjectWithPermissionCheck(ctx, projectRoleCheck, hasProjectCheck)
require.NoError(t, err)
project := Instance.CreateProject(ctx, t, "", gofakeit.AppName(), projectRoleCheck, hasProjectCheck)
rootURL, sp := createSAMLSP(t, idpMetadata, binding)
_, err = Instance.CreateSAMLClient(ctx, project.GetId(), sp)
_, err := Instance.CreateSAMLClient(ctx, project.GetId(), sp)
require.NoError(t, err)
return project.GetId(), rootURL, sp
}

4
internal/api/grpc/user/v2/integration_test/user_test.go
View File

@@ -1753,8 +1753,8 @@ func TestServer_ReactivateUser(t *testing.T) {
}
func TestServer_DeleteUser(t *testing.T) {
projectResp, err := Instance.CreateProject(CTX)
require.NoError(t, err)
projectResp := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false)
type args struct {
req *user.DeleteUserRequest
prepare func(*testing.T, *user.DeleteUserRequest) context.Context

21
internal/api/grpc/user/v2beta/integration_test/user_test.go
View File

@@ -1706,12 +1706,11 @@ func TestServer_ReactivateUser(t *testing.T) {
}
func TestServer_DeleteUser(t *testing.T) {
projectResp, err := Instance.CreateProject(CTX)
require.NoError(t, err)
projectResp := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false)
type args struct {
ctx context.Context
req *user.DeleteUserRequest
prepare func(request *user.DeleteUserRequest) error
prepare func(request *user.DeleteUserRequest)
}
tests := []struct {
name string
@@ -1726,7 +1725,7 @@ func TestServer_DeleteUser(t *testing.T) {
&user.DeleteUserRequest{
UserId: "notexisting",
},
func(request *user.DeleteUserRequest) error { return nil },
nil,
},
wantErr: true,
},
@@ -1735,10 +1734,9 @@ func TestServer_DeleteUser(t *testing.T) {
args: args{
ctx: CTX,
req: &user.DeleteUserRequest{},
prepare: func(request *user.DeleteUserRequest) error {
prepare: func(request *user.DeleteUserRequest) {
resp := Instance.CreateHumanUser(CTX)
request.UserId = resp.GetUserId()
return err
},
},
want: &user.DeleteUserResponse{
@@ -1753,10 +1751,9 @@ func TestServer_DeleteUser(t *testing.T) {
args: args{
ctx: CTX,
req: &user.DeleteUserRequest{},
prepare: func(request *user.DeleteUserRequest) error {
prepare: func(request *user.DeleteUserRequest) {
resp := Instance.CreateMachineUser(CTX)
request.UserId = resp.GetUserId()
return err
},
},
want: &user.DeleteUserResponse{
@@ -1771,13 +1768,12 @@ func TestServer_DeleteUser(t *testing.T) {
args: args{
ctx: CTX,
req: &user.DeleteUserRequest{},
prepare: func(request *user.DeleteUserRequest) error {
prepare: func(request *user.DeleteUserRequest) {
resp := Instance.CreateHumanUser(CTX)
request.UserId = resp.GetUserId()
Instance.CreateProjectUserGrant(t, CTX, projectResp.GetId(), request.UserId)
Instance.CreateProjectMembership(t, CTX, projectResp.GetId(), request.UserId)
Instance.CreateOrgMembership(t, CTX, request.UserId)
return err
},
},
want: &user.DeleteUserResponse{
@@ -1790,8 +1786,9 @@ func TestServer_DeleteUser(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := tt.args.prepare(tt.args.req)
require.NoError(t, err)
if tt.args.prepare != nil {
tt.args.prepare(tt.args.req)
}
got, err := Client.DeleteUser(tt.args.ctx, tt.args.req)
if tt.wantErr {