fix: delete org project mapping by grant id (#5607)

* fix: delete org project mapping by grant id

* fix: check for project on authentication using projections

* fix tests

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/auth/repository/eventsourcing/eventstore/auth_request.go

@@ -18,7 +18,6 @@ import (
 	v1 "github.com/zitadel/zitadel/internal/eventstore/v1"
 	es_models "github.com/zitadel/zitadel/internal/eventstore/v1/models"
 	"github.com/zitadel/zitadel/internal/id"
-	project_view_model "github.com/zitadel/zitadel/internal/project/repository/view/model"
 	"github.com/zitadel/zitadel/internal/query"
 	user_repo "github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
@@ -106,7 +105,7 @@ type userGrantProvider interface {
 
 type projectProvider interface {
 	ProjectByClientID(context.Context, string, bool) (*query.Project, error)
-	OrgProjectMappingByIDs(orgID, projectID, instanceID string) (*project_view_model.OrgProjectMapping, error)
+	SearchProjectGrants(ctx context.Context, queries *query.ProjectGrantSearchQueries, withOwnerRemoved bool) (projects *query.ProjectGrants, err error)
 }
 
 type applicationProvider interface {
@@ -1153,11 +1152,11 @@ func privacyPolicyToDomain(p *query.PrivacyPolicy) *domain.PrivacyPolicy {
 			CreationDate:  p.CreationDate,
 			ChangeDate:    p.ChangeDate,
 		},
-		State:       p.State,
-		Default:     p.IsDefault,
-		TOSLink:     p.TOSLink,
-		PrivacyLink: p.PrivacyLink,
-		HelpLink:    p.HelpLink,
+		State:        p.State,
+		Default:      p.IsDefault,
+		TOSLink:      p.TOSLink,
+		PrivacyLink:  p.PrivacyLink,
+		HelpLink:     p.HelpLink,
 		SupportEmail: p.SupportEmail,
 	}
 }
@@ -1465,7 +1464,7 @@ func userGrantRequired(ctx context.Context, request *domain.AuthRequest, user *u
 	return len(grants) == 0, nil
 }
 
-func projectRequired(ctx context.Context, request *domain.AuthRequest, projectProvider projectProvider) (_ bool, err error) {
+func projectRequired(ctx context.Context, request *domain.AuthRequest, projectProvider projectProvider) (missingGrant bool, err error) {
 	var project *query.Project
 	switch request.Request.Type() {
 	case domain.AuthRequestTypeOIDC, domain.AuthRequestTypeSAML:
@@ -1476,13 +1475,23 @@ func projectRequired(ctx context.Context, request *domain.AuthRequest, projectPr
 	default:
 		return false, errors.ThrowPreconditionFailed(nil, "EVENT-dfrw2", "Errors.AuthRequest.RequestTypeNotSupported")
 	}
-	if !project.HasProjectCheck {
+	// if the user and project are part of the same organisation we do not need to check if the project exists on that org
+	if !project.HasProjectCheck || project.ResourceOwner == request.UserOrgID {
 		return false, nil
 	}
-	_, err = projectProvider.OrgProjectMappingByIDs(request.UserOrgID, project.ID, request.InstanceID)
-	if errors.IsNotFound(err) {
-		// if not found there is no error returned
-		return true, nil
+
+	// else just check if there is a project grant for that org
+	projectID, err := query.NewProjectGrantProjectIDSearchQuery(project.ID)
+	if err != nil {
+		return false, err
 	}
-	return false, err
+	grantedOrg, err := query.NewProjectGrantGrantedOrgIDSearchQuery(request.UserOrgID)
+	if err != nil {
+		return false, err
+	}
+	grants, err := projectProvider.SearchProjectGrants(ctx, &query.ProjectGrantSearchQueries{Queries: []query.SearchQuery{projectID, grantedOrg}}, false)
+	if err != nil {
+		return false, err
+	}
+	return len(grants.ProjectGrants) != 1, nil
 }

internal/auth/repository/eventsourcing/eventstore/auth_request_test.go

@@ -14,7 +14,6 @@ import (
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
 	es_models "github.com/zitadel/zitadel/internal/eventstore/v1/models"
-	proj_view_model "github.com/zitadel/zitadel/internal/project/repository/view/model"
 	"github.com/zitadel/zitadel/internal/query"
 	user_repo "github.com/zitadel/zitadel/internal/repository/user"
 	user_model "github.com/zitadel/zitadel/internal/user/model"
@@ -208,19 +207,21 @@ func (m *mockUserGrants) UserGrantsByProjectAndUserID(ctx context.Context, s str
 }
 
 type mockProject struct {
-	hasProject   bool
-	projectCheck bool
+	hasProject    bool
+	projectCheck  bool
+	resourceOwner string
 }
 
 func (m *mockProject) ProjectByClientID(ctx context.Context, s string, _ bool) (*query.Project, error) {
-	return &query.Project{HasProjectCheck: m.projectCheck}, nil
+	return &query.Project{ResourceOwner: m.resourceOwner, HasProjectCheck: m.projectCheck}, nil
 }
 
-func (m *mockProject) OrgProjectMappingByIDs(orgID, projectID, instanceID string) (*proj_view_model.OrgProjectMapping, error) {
+func (m *mockProject) SearchProjectGrants(ctx context.Context, queries *query.ProjectGrantSearchQueries, _ bool) (*query.ProjectGrants, error) {
 	if m.hasProject {
-		return &proj_view_model.OrgProjectMapping{OrgID: orgID, ProjectID: projectID}, nil
+		mockProjectGrant := new(query.ProjectGrant)
+		return &query.ProjectGrants{ProjectGrants: []*query.ProjectGrant{mockProjectGrant}}, nil
 	}
-	return nil, errors.ThrowNotFound(nil, "ERROR", "error")
+	return &query.ProjectGrants{}, nil
 }
 
 type mockApp struct {
@@ -1258,8 +1259,9 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 				orgViewProvider:   &mockViewOrg{State: domain.OrgStateActive},
 				userGrantProvider: &mockUserGrants{},
 				projectProvider: &mockProject{
-					projectCheck: true,
-					hasProject:   false,
+					projectCheck:  true,
+					hasProject:    false,
+					resourceOwner: "other-org",
 				},
 				lockoutPolicyProvider: &mockLockoutPolicy{
 					policy: &query.LockoutPolicy{
@@ -1297,8 +1299,9 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 				orgViewProvider:   &mockViewOrg{State: domain.OrgStateActive},
 				userGrantProvider: &mockUserGrants{},
 				projectProvider: &mockProject{
-					projectCheck: true,
-					hasProject:   true,
+					projectCheck:  true,
+					hasProject:    true,
+					resourceOwner: "other-org",
 				},
 				applicationProvider: &mockApp{app: &query.App{OIDCConfig: &query.OIDCApp{AppType: domain.OIDCApplicationTypeWeb}}},
 				lockoutPolicyProvider: &mockLockoutPolicy{