feat: project v2beta resource API (#9742)

# Which Problems Are Solved Resource management of projects and sub-resources was before limited by the context provided by the management API, which would mean you could only manage resources belonging to a specific organization. # How the Problems Are Solved With the addition of a resource-based API, it is now possible to manage projects and sub-resources on the basis of the resources themselves, which means that as long as you have the permission for the resource, you can create, read, update and delete it. - CreateProject to create a project under an organization - UpdateProject to update an existing project - DeleteProject to delete an existing project - DeactivateProject and ActivateProject to change the status of a project - GetProject to query for a specific project with an identifier - ListProject to query for projects and granted projects - CreateProjectGrant to create a project grant with project and granted organization - UpdateProjectGrant to update the roles of a project grant - DeactivateProjectGrant and ActivateProjectGrant to change the status of a project grant - DeleteProjectGrant to delete an existing project grant - ListProjectGrants to query for project grants - AddProjectRole to add a role to an existing project - UpdateProjectRole to change texts of an existing role - RemoveProjectRole to remove an existing role - ListProjectRoles to query for project roles # Additional Changes - Changes to ListProjects, which now contains granted projects as well - Changes to messages as defined in the [API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md) - Permission checks for project functionality on query and command side - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - ListProjects now also correctly lists `granted projects` - Permission checks for project grant and project role functionality on query and command side - Change existing pre checks so that they also work resource specific without resourceowner - Added the resourceowner to the grant and role if no resourceowner is provided - Corrected import tests with project grants and roles - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - Corrected some naming in the proto files to adhere to the API_DESIGN # Additional Context Closes #9177 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 18:33:28 +00:00 · 2025-05-21 14:40:47 +02:00
parent 6889d6a1da
commit 7eb45c6cfd
64 changed files with 9821 additions and 1037 deletions
--- a/internal/domain/permission.go
+++ b/internal/domain/permission.go
@@ -38,6 +38,15 @@ const (
 	PermissionOrgRead             = "org.read"
 	PermissionIDPRead             = "iam.idp.read"
 	PermissionOrgIDPRead          = "org.idp.read"
+	PermissionProjectWrite        = "project.write"
+	PermissionProjectRead         = "project.read"
+	PermissionProjectDelete       = "project.delete"
+	PermissionProjectGrantWrite   = "project.grant.write"
+	PermissionProjectGrantRead    = "project.grant.read"
+	PermissionProjectGrantDelete  = "project.grant.delete"
+	PermissionProjectRoleWrite    = "project.role.write"
+	PermissionProjectRoleRead     = "project.role.read"
+	PermissionProjectRoleDelete   = "project.role.delete"
 )

 // ProjectPermissionCheck is used as a check for preconditions dependent on application, project, user resourceowner and usergrants.
--- a/internal/domain/project_grant.go
+++ b/internal/domain/project_grant.go
@@ -26,17 +26,12 @@ func (s ProjectGrantState) Valid() bool {
 	return s > ProjectGrantStateUnspecified && s < projectGrantStateMax
 }

-func (p *ProjectGrant) IsValid() bool {
-	return p.GrantedOrgID != ""
+func (s ProjectGrantState) Exists() bool {
+	return s != ProjectGrantStateUnspecified && s != ProjectGrantStateRemoved
 }

-func (g *ProjectGrant) HasInvalidRoles(validRoles []string) bool {
-	for _, roleKey := range g.RoleKeys {
-		if !containsRoleKey(roleKey, validRoles) {
-			return true
-		}
-	}
-	return false
+func (p *ProjectGrant) IsValid() bool {
+	return p.GrantedOrgID != ""
 }

 func GetRemovedRoles(existingRoles, newRoles []string) []string {
--- a/internal/domain/project_role.go
+++ b/internal/domain/project_role.go
@@ -20,14 +20,23 @@ const (
 	ProjectRoleStateRemoved
 )

-func NewProjectRole(projectID, key string) *ProjectRole {
-	return &ProjectRole{ObjectRoot: models.ObjectRoot{AggregateID: projectID}, Key: key}
+func (s ProjectRoleState) Exists() bool {
+	return s != ProjectRoleStateUnspecified && s != ProjectRoleStateRemoved
 }

 func (p *ProjectRole) IsValid() bool {
 	return p.AggregateID != "" && p.Key != ""
 }

+func HasInvalidRoles(validRoles, roles []string) bool {
+	for _, roleKey := range roles {
+		if !containsRoleKey(roleKey, validRoles) {
+			return true
+		}
+	}
+	return false
+}
+
 func containsRoleKey(roleKey string, validRoles []string) bool {
 	for _, validRole := range validRoles {
 		if roleKey == validRole {