TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:17:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: project v2beta resource API (#9742)

Browse Source 
# Which Problems Are Solved

Resource management of projects and sub-resources was before limited by
the context provided by the management API, which would mean you could
only manage resources belonging to a specific organization.

# How the Problems Are Solved

With the addition of a resource-based API, it is now possible to manage
projects and sub-resources on the basis of the resources themselves,
which means that as long as you have the permission for the resource,
you can create, read, update and delete it.

- CreateProject to create a project under an organization
- UpdateProject to update an existing project
- DeleteProject to delete an existing project
- DeactivateProject and ActivateProject to change the status of a
project
- GetProject to query for a specific project with an identifier
- ListProject to query for projects and granted projects
- CreateProjectGrant to create a project grant with project and granted
organization
- UpdateProjectGrant to update the roles of a project grant
- DeactivateProjectGrant and ActivateProjectGrant to change the status
of a project grant
- DeleteProjectGrant to delete an existing project grant
- ListProjectGrants to query for project grants
- AddProjectRole to add a role to an existing project
- UpdateProjectRole to change texts of an existing role
- RemoveProjectRole to remove an existing role
- ListProjectRoles to query for project roles

# Additional Changes

- Changes to ListProjects, which now contains granted projects as well
- Changes to messages as defined in the
[API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md)
- Permission checks for project functionality on query and command side
- Added testing to unit tests on command side
- Change update endpoints to no error returns if nothing changes in the
resource
- Changed all integration test utility to the new service
- ListProjects now also correctly lists `granted projects`
- Permission checks for project grant and project role functionality on
query and command side
- Change existing pre checks so that they also work resource specific
without resourceowner
- Added the resourceowner to the grant and role if no resourceowner is
provided
- Corrected import tests with project grants and roles
- Added testing to unit tests on command side
- Change update endpoints to no error returns if nothing changes in the
resource
- Changed all integration test utility to the new service
- Corrected some naming in the proto files to adhere to the API_DESIGN

# Additional Context

Closes #9177

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Stefan Benz
2025-05-21 14:40:47 +02:00
committed by GitHub
parent 6889d6a1da
commit 7eb45c6cfd
64 changed files with 9821 additions and 1037 deletions
Download Patch File Download Diff File Expand all files Collapse all files

372
internal/query/project.go
View File

@@ -4,6 +4,7 @@ import (
"context"
"database/sql"
"errors"
"slices"
"time"
sq "github.com/Masterminds/squirrel"
@@ -72,11 +73,104 @@ var (
}
)
var (
grantedProjectsAlias = table{
name: "granted_projects",
instanceIDCol: projection.ProjectColumnInstanceID,
}
GrantedProjectColumnID = Column{
name: projection.ProjectColumnID,
table: grantedProjectsAlias,
}
GrantedProjectColumnCreationDate = Column{
name: projection.ProjectColumnCreationDate,
table: grantedProjectsAlias,
}
GrantedProjectColumnChangeDate = Column{
name: projection.ProjectColumnChangeDate,
table: grantedProjectsAlias,
}
grantedProjectColumnResourceOwner = Column{
name: projection.ProjectColumnResourceOwner,
table: grantedProjectsAlias,
}
grantedProjectColumnInstanceID = Column{
name: projection.ProjectGrantColumnInstanceID,
table: grantedProjectsAlias,
}
grantedProjectColumnState = Column{
name: "project_state",
table: grantedProjectsAlias,
}
GrantedProjectColumnName = Column{
name: "project_name",
table: grantedProjectsAlias,
}
grantedProjectColumnProjectRoleAssertion = Column{
name: projection.ProjectColumnProjectRoleAssertion,
table: grantedProjectsAlias,
}
grantedProjectColumnProjectRoleCheck = Column{
name: projection.ProjectColumnProjectRoleCheck,
table: grantedProjectsAlias,
}
grantedProjectColumnHasProjectCheck = Column{
name: projection.ProjectColumnHasProjectCheck,
table: grantedProjectsAlias,
}
grantedProjectColumnPrivateLabelingSetting = Column{
name: projection.ProjectColumnPrivateLabelingSetting,
table: grantedProjectsAlias,
}
grantedProjectColumnGrantResourceOwner = Column{
name: "project_grant_resource_owner",
table: grantedProjectsAlias,
}
grantedProjectColumnGrantedOrganization = Column{
name: projection.ProjectGrantColumnGrantedOrgID,
table: grantedProjectsAlias,
}
grantedProjectColumnGrantedOrganizationName = Column{
name: "granted_org_name",
table: grantedProjectsAlias,
}
grantedProjectColumnGrantState = Column{
name: "project_grant_state",
table: grantedProjectsAlias,
}
)
type Projects struct {
SearchResponse
Projects []*Project
}
func projectsCheckPermission(ctx context.Context, projects *Projects, permissionCheck domain.PermissionCheck) {
projects.Projects = slices.DeleteFunc(projects.Projects,
func(project *Project) bool {
return projectCheckPermission(ctx, project.ResourceOwner, project.ID, permissionCheck) != nil
},
)
}
func projectCheckPermission(ctx context.Context, resourceOwner string, projectID string, permissionCheck domain.PermissionCheck) error {
return permissionCheck(ctx, domain.PermissionProjectRead, resourceOwner, projectID)
}
func projectPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled bool, queries *ProjectAndGrantedProjectSearchQueries) sq.SelectBuilder {
if !enabled {
return query
}
join, args := PermissionClause(
ctx,
grantedProjectColumnResourceOwner,
domain.PermissionProjectRead,
SingleOrgPermissionOption(queries.Queries),
OwnedRowsPermissionOption(GrantedProjectColumnID),
)
return query.JoinClause(join, args...)
}
type Project struct {
ID string
CreationDate time.Time
@@ -94,7 +188,19 @@ type Project struct {
type ProjectSearchQueries struct {
SearchRequest
Queries []SearchQuery
Queries []SearchQuery
GrantQueries []SearchQuery
}
func (q *Queries) GetProjectByIDWithPermission(ctx context.Context, shouldTriggerBulk bool, id string, permissionCheck domain.PermissionCheck) (*Project, error) {
project, err := q.ProjectByID(ctx, shouldTriggerBulk, id)
if err != nil {
return nil, err
}
if err := projectCheckPermission(ctx, project.ResourceOwner, project.ID, permissionCheck); err != nil {
return nil, err
}
return project, nil
}
func (q *Queries) ProjectByID(ctx context.Context, shouldTriggerBulk bool, id string) (project *Project, err error) {
@@ -125,7 +231,18 @@ func (q *Queries) ProjectByID(ctx context.Context, shouldTriggerBulk bool, id st
return project, err
}
func (q *Queries) SearchProjects(ctx context.Context, queries *ProjectSearchQueries) (projects *Projects, err error) {
func (q *Queries) SearchProjects(ctx context.Context, queries *ProjectSearchQueries, permissionCheck domain.PermissionCheck) (*Projects, error) {
projects, err := q.searchProjects(ctx, queries)
if err != nil {
return nil, err
}
if permissionCheck != nil {
projectsCheckPermission(ctx, projects, permissionCheck)
}
return projects, nil
}
func (q *Queries) searchProjects(ctx context.Context, queries *ProjectSearchQueries) (projects *Projects, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
@@ -147,6 +264,89 @@ func (q *Queries) SearchProjects(ctx context.Context, queries *ProjectSearchQuer
return projects, err
}
type ProjectAndGrantedProjectSearchQueries struct {
SearchRequest
Queries []SearchQuery
}
func (q *ProjectAndGrantedProjectSearchQueries) toQuery(query sq.SelectBuilder) sq.SelectBuilder {
query = q.SearchRequest.toQuery(query)
for _, q := range q.Queries {
query = q.toQuery(query)
}
return query
}
func (q *Queries) SearchGrantedProjects(ctx context.Context, queries *ProjectAndGrantedProjectSearchQueries, permissionCheck domain.PermissionCheck) (*GrantedProjects, error) {
permissionCheckV2 := PermissionV2(ctx, permissionCheck)
projects, err := q.searchGrantedProjects(ctx, queries, permissionCheckV2)
if err != nil {
return nil, err
}
if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
grantedProjectsCheckPermission(ctx, projects, permissionCheck)
}
return projects, nil
}
func (q *Queries) searchGrantedProjects(ctx context.Context, queries *ProjectAndGrantedProjectSearchQueries, permissionCheckV2 bool) (grantedProjects *GrantedProjects, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
query, scan := prepareGrantedProjectsQuery()
query = projectPermissionCheckV2(ctx, query, permissionCheckV2, queries)
eq := sq.Eq{grantedProjectColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID()}
stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
if err != nil {
return nil, zerrors.ThrowInvalidArgument(err, "QUERY-T84X9", "Errors.Query.InvalidRequest")
}
err = q.client.QueryContext(ctx, func(rows *sql.Rows) error {
grantedProjects, err = scan(rows)
return err
}, stmt, args...)
if err != nil {
return nil, err
}
return grantedProjects, nil
}
func NewGrantedProjectNameSearchQuery(method TextComparison, value string) (SearchQuery, error) {
return NewTextQuery(GrantedProjectColumnName, value, method)
}
func NewGrantedProjectResourceOwnerSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(grantedProjectColumnResourceOwner, value, TextEquals)
}
func NewGrantedProjectIDSearchQuery(ids []string) (SearchQuery, error) {
list := make([]interface{}, len(ids))
for i, value := range ids {
list[i] = value
}
return NewListQuery(GrantedProjectColumnID, list, ListIn)
}
func NewGrantedProjectOrganizationIDSearchQuery(value string) (SearchQuery, error) {
project, err := NewTextQuery(grantedProjectColumnResourceOwner, value, TextEquals)
if err != nil {
return nil, err
}
grant, err := NewTextQuery(grantedProjectColumnGrantedOrganization, value, TextEquals)
if err != nil {
return nil, err
}
return NewOrQuery(project, grant)
}
func NewGrantedProjectGrantResourceOwnerSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(grantedProjectColumnGrantResourceOwner, value, TextEquals)
}
func NewGrantedProjectGrantedOrganizationIDSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(grantedProjectColumnGrantedOrganization, value, TextEquals)
}
func NewProjectNameSearchQuery(method TextComparison, value string) (SearchQuery, error) {
return NewTextQuery(ProjectColumnName, value, method)
}
@@ -285,3 +485,171 @@ func prepareProjectsQuery() (sq.SelectBuilder, func(*sql.Rows) (*Projects, error
}, nil
}
}
type GrantedProjects struct {
SearchResponse
GrantedProjects []*GrantedProject
}
func grantedProjectsCheckPermission(ctx context.Context, grantedProjects *GrantedProjects, permissionCheck domain.PermissionCheck) {
grantedProjects.GrantedProjects = slices.DeleteFunc(grantedProjects.GrantedProjects,
func(grantedProject *GrantedProject) bool {
return projectCheckPermission(ctx, grantedProject.ResourceOwner, grantedProject.ProjectID, permissionCheck) != nil
},
)
}
type GrantedProject struct {
ProjectID string
CreationDate time.Time
ChangeDate time.Time
ResourceOwner string
InstanceID string
ProjectState domain.ProjectState
ProjectName string
ProjectRoleAssertion bool
ProjectRoleCheck bool
HasProjectCheck bool
PrivateLabelingSetting domain.PrivateLabelingSetting
GrantedOrgID string
OrgName string
ProjectGrantState domain.ProjectGrantState
}
func prepareGrantedProjectsQuery() (sq.SelectBuilder, func(*sql.Rows) (*GrantedProjects, error)) {
return sq.Select(
GrantedProjectColumnID.identifier(),
GrantedProjectColumnCreationDate.identifier(),
GrantedProjectColumnChangeDate.identifier(),
grantedProjectColumnResourceOwner.identifier(),
grantedProjectColumnInstanceID.identifier(),
grantedProjectColumnState.identifier(),
GrantedProjectColumnName.identifier(),
grantedProjectColumnProjectRoleAssertion.identifier(),
grantedProjectColumnProjectRoleCheck.identifier(),
grantedProjectColumnHasProjectCheck.identifier(),
grantedProjectColumnPrivateLabelingSetting.identifier(),
grantedProjectColumnGrantedOrganization.identifier(),
grantedProjectColumnGrantedOrganizationName.identifier(),
grantedProjectColumnGrantState.identifier(),
countColumn.identifier(),
).From(getProjectsAndGrantedProjectsFromQuery()).
PlaceholderFormat(sq.Dollar),
func(rows *sql.Rows) (*GrantedProjects, error) {
projects := make([]*GrantedProject, 0)
var (
count uint64
orgID = sql.NullString{}
orgName = sql.NullString{}
projectGrantState = sql.NullInt16{}
)
for rows.Next() {
grantedProject := new(GrantedProject)
err := rows.Scan(
&grantedProject.ProjectID,
&grantedProject.CreationDate,
&grantedProject.ChangeDate,
&grantedProject.ResourceOwner,
&grantedProject.InstanceID,
&grantedProject.ProjectState,
&grantedProject.ProjectName,
&grantedProject.ProjectRoleAssertion,
&grantedProject.ProjectRoleCheck,
&grantedProject.HasProjectCheck,
&grantedProject.PrivateLabelingSetting,
&orgID,
&orgName,
&projectGrantState,
&count,
)
if err != nil {
return nil, err
}
if orgID.Valid {
grantedProject.GrantedOrgID = orgID.String
}
if orgName.Valid {
grantedProject.OrgName = orgName.String
}
if projectGrantState.Valid {
grantedProject.ProjectGrantState = domain.ProjectGrantState(projectGrantState.Int16)
}
projects = append(projects, grantedProject)
}
if err := rows.Close(); err != nil {
return nil, zerrors.ThrowInternal(err, "QUERY-K9gEE", "Errors.Query.CloseRows")
}
return &GrantedProjects{
GrantedProjects: projects,
SearchResponse: SearchResponse{
Count: count,
},
}, nil
}
}
func getProjectsAndGrantedProjectsFromQuery() string {
return "(" +
prepareProjects() +
" UNION ALL " +
prepareGrantedProjects() +
") AS " + grantedProjectsAlias.identifier()
}
func prepareProjects() string {
builder := sq.Select(
ProjectColumnID.identifier()+" AS "+GrantedProjectColumnID.name,
ProjectColumnCreationDate.identifier()+" AS "+GrantedProjectColumnCreationDate.name,
ProjectColumnChangeDate.identifier()+" AS "+GrantedProjectColumnChangeDate.name,
ProjectColumnResourceOwner.identifier()+" AS "+grantedProjectColumnResourceOwner.name,
ProjectColumnInstanceID.identifier()+" AS "+grantedProjectColumnInstanceID.name,
ProjectColumnState.identifier()+" AS "+grantedProjectColumnState.name,
ProjectColumnName.identifier()+" AS "+GrantedProjectColumnName.name,
ProjectColumnProjectRoleAssertion.identifier()+" AS "+grantedProjectColumnProjectRoleAssertion.name,
ProjectColumnProjectRoleCheck.identifier()+" AS "+grantedProjectColumnProjectRoleCheck.name,
ProjectColumnHasProjectCheck.identifier()+" AS "+grantedProjectColumnHasProjectCheck.name,
ProjectColumnPrivateLabelingSetting.identifier()+" AS "+grantedProjectColumnPrivateLabelingSetting.name,
"NULL::TEXT AS "+grantedProjectColumnGrantResourceOwner.name,
"NULL::TEXT AS "+grantedProjectColumnGrantedOrganization.name,
"NULL::TEXT AS "+grantedProjectColumnGrantedOrganizationName.name,
"NULL::SMALLINT AS "+grantedProjectColumnGrantState.name,
countColumn.identifier()).
From(projectsTable.identifier()).
PlaceholderFormat(sq.Dollar)
stmt, _ := builder.MustSql()
return stmt
}
func prepareGrantedProjects() string {
grantedOrgTable := orgsTable.setAlias(ProjectGrantGrantedOrgTableAlias)
grantedOrgIDColumn := OrgColumnID.setTable(grantedOrgTable)
builder := sq.Select(
ProjectGrantColumnProjectID.identifier()+" AS "+GrantedProjectColumnID.name,
ProjectGrantColumnCreationDate.identifier()+" AS "+GrantedProjectColumnCreationDate.name,
ProjectGrantColumnChangeDate.identifier()+" AS "+GrantedProjectColumnChangeDate.name,
ProjectColumnResourceOwner.identifier()+" AS "+grantedProjectColumnResourceOwner.name,
ProjectGrantColumnInstanceID.identifier()+" AS "+grantedProjectColumnInstanceID.name,
ProjectColumnState.identifier()+" AS "+grantedProjectColumnState.name,
ProjectColumnName.identifier()+" AS "+GrantedProjectColumnName.name,
ProjectColumnProjectRoleAssertion.identifier()+" AS "+grantedProjectColumnProjectRoleAssertion.name,
ProjectColumnProjectRoleCheck.identifier()+" AS "+grantedProjectColumnProjectRoleCheck.name,
ProjectColumnHasProjectCheck.identifier()+" AS "+grantedProjectColumnHasProjectCheck.name,
ProjectColumnPrivateLabelingSetting.identifier()+" AS "+grantedProjectColumnPrivateLabelingSetting.name,
ProjectGrantColumnResourceOwner.identifier()+" AS "+grantedProjectColumnGrantResourceOwner.name,
ProjectGrantColumnGrantedOrgID.identifier()+" AS "+grantedProjectColumnGrantedOrganization.name,
ProjectGrantColumnGrantedOrgName.identifier()+" AS "+grantedProjectColumnGrantedOrganizationName.name,
ProjectGrantColumnState.identifier()+" AS "+grantedProjectColumnGrantState.name,
countColumn.identifier()).
From(projectGrantsTable.identifier()).
PlaceholderFormat(sq.Dollar).
LeftJoin(join(ProjectColumnID, ProjectGrantColumnProjectID)).
LeftJoin(join(grantedOrgIDColumn, ProjectGrantColumnGrantedOrgID))
stmt, _ := builder.MustSql()
return stmt
}