fix: add InUserIDs query to query of user grants (#10741)

# Which Problems Are Solved Currently there is only the option to either filter for all usergrants of an organization or the usergrants of a singluar user. # How the Problems Are Solved Add the option to provide a list of userIDs to query user grants. # Additional Changes Fixed internal typo for function. # Additional Context Closes #9675 (cherry picked from commit 6da380628d)
2025-10-29 21:46:05 +00:00 · 2025-10-07 06:56:20 +02:00
parent b3d9a7108d
commit 826935577c
6 changed files with 67 additions and 2 deletions
--- a/internal/api/grpc/authorization/v2beta/integration_test/query_test.go
+++ b/internal/api/grpc/authorization/v2beta/integration_test/query_test.go
@@ -284,6 +284,39 @@ func TestServer_ListAuthorizations(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "list single id in ids, project and project grant, multiple",
+			args: args{
+				ctx: iamOwnerCtx,
+				dep: func(request *authorization.ListAuthorizationsRequest, response *authorization.ListAuthorizationsResponse) {
+					userResp := Instance.CreateUserTypeHuman(iamOwnerCtx, integration.Email())
+
+					request.Filters[0].Filter = &authorization.AuthorizationsSearchFilter_InUserIds{
+						InUserIds: &filter.InIDsFilter{
+							Ids: []string{userResp.GetId()},
+						},
+					}
+					response.Authorizations[5] = createAuthorization(iamOwnerCtx, Instance, t, Instance.DefaultOrg.GetId(), userResp.GetId(), false)
+					response.Authorizations[4] = createAuthorization(iamOwnerCtx, Instance, t, Instance.DefaultOrg.GetId(), userResp.GetId(), false)
+					response.Authorizations[3] = createAuthorization(iamOwnerCtx, Instance, t, Instance.DefaultOrg.GetId(), userResp.GetId(), false)
+					response.Authorizations[2] = createAuthorization(iamOwnerCtx, Instance, t, Instance.DefaultOrg.GetId(), userResp.GetId(), true)
+					response.Authorizations[1] = createAuthorization(iamOwnerCtx, Instance, t, Instance.DefaultOrg.GetId(), userResp.GetId(), true)
+					response.Authorizations[0] = createAuthorization(iamOwnerCtx, Instance, t, Instance.DefaultOrg.GetId(), userResp.GetId(), true)
+				},
+				req: &authorization.ListAuthorizationsRequest{
+					Filters: []*authorization.AuthorizationsSearchFilter{{}},
+				},
+			},
+			want: &authorization.ListAuthorizationsResponse{
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  6,
+					AppliedLimit: 100,
+				},
+				Authorizations: []*authorization.Authorization{
+					{}, {}, {}, {}, {}, {},
+				},
+			},
+		},
 		{
 			name: "list single id, project and project grant, multiple",
 			args: args{
--- a/internal/api/grpc/authorization/v2beta/query.go
+++ b/internal/api/grpc/authorization/v2beta/query.go
@@ -92,7 +92,7 @@ func AuthorizationSearchFilterToQuery(query *authorization.AuthorizationsSearchF
 	case *authorization.AuthorizationsSearchFilter_State:
 		return AuthorizationStateQueryToModel(q.State)
 	case *authorization.AuthorizationsSearchFilter_UserId:
-		return AuthorizationUserUserIDQueryToModel(q.UserId)
+		return AuthorizationUserIDQueryToModel(q.UserId)
 	case *authorization.AuthorizationsSearchFilter_UserOrganizationId:
 		return AuthorizationUserOrganizationIDQueryToModel(q.UserOrganizationId)
 	case *authorization.AuthorizationsSearchFilter_UserPreferredLoginName:
@@ -107,6 +107,8 @@ func AuthorizationSearchFilterToQuery(query *authorization.AuthorizationsSearchF
 		return AuthorizationRoleKeyQueryToModel(q.RoleKey)
 	case *authorization.AuthorizationsSearchFilter_ProjectGrantId:
 		return AuthorizationProjectGrantIDQueryToModel(q.ProjectGrantId)
+	case *authorization.AuthorizationsSearchFilter_InUserIds:
+		return AuthorizationInUserIDsQueryToModel(q.InUserIds)
 	default:
 		return nil, errors.New("invalid query")
 	}
@@ -144,10 +146,14 @@ func AuthorizationUserNameQueryToModel(q *authorization.UserPreferredLoginNameQu
 	return query.NewUserGrantUsernameQuery(q.LoginName, filter.TextMethodPbToQuery(q.Method))
 }

-func AuthorizationUserUserIDQueryToModel(q *filter_pb.IDFilter) (query.SearchQuery, error) {
+func AuthorizationUserIDQueryToModel(q *filter_pb.IDFilter) (query.SearchQuery, error) {
 	return query.NewUserGrantUserIDSearchQuery(q.Id)
 }

+func AuthorizationInUserIDsQueryToModel(q *filter_pb.InIDsFilter) (query.SearchQuery, error) {
+	return query.NewUserGrantInUserIDsSearchQuery(q.Ids)
+}
+
 func AuthorizationUserOrganizationIDQueryToModel(q *filter_pb.IDFilter) (query.SearchQuery, error) {
 	return query.NewUserGrantUserResourceOwnerSearchQuery(q.Id)
 }
--- a/internal/api/grpc/user/user_grant.go
+++ b/internal/api/grpc/user/user_grant.go
@@ -107,6 +107,8 @@ func UserGrantQueryToQuery(ctx context.Context, query *user_pb.UserGrantQuery) (
 		return UserGrantWithGrantedQueryToModel(ctx, q.WithGrantedQuery)
 	case *user_pb.UserGrantQuery_UserTypeQuery:
 		return UserGrantUserTypeQueryToModel(q.UserTypeQuery)
+	case *user_pb.UserGrantQuery_InUserIdsQuery:
+		return UserGrantInUserIDsQueryToModel(q.InUserIdsQuery)
 	default:
 		return nil, errors.New("invalid query")
 	}
@@ -156,6 +158,10 @@ func UserGrantUserIDQueryToModel(q *user_pb.UserGrantUserIDQuery) (query.SearchQ
 	return query.NewUserGrantUserIDSearchQuery(q.UserId)
 }

+func UserGrantInUserIDsQueryToModel(q *user_pb.UserGrantInUserIDsQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantInUserIDsSearchQuery(q.InUserIds)
+}
+
 func UserGrantUserNameQueryToModel(q *user_pb.UserGrantUserNameQuery) (query.SearchQuery, error) {
 	return query.NewUserGrantUsernameQuery(q.UserName, object.TextMethodToQuery(q.Method))
 }
--- a/internal/query/user_grant.go
+++ b/internal/query/user_grant.go
@@ -114,6 +114,14 @@ func NewUserGrantUserIDSearchQuery(id string) (SearchQuery, error) {
 	return NewTextQuery(UserGrantUserID, id, TextEquals)
 }

+func NewUserGrantInUserIDsSearchQuery(ids []string) (SearchQuery, error) {
+	list := make([]interface{}, len(ids))
+	for i, value := range ids {
+		list[i] = value
+	}
+	return NewListQuery(UserGrantUserID, list, ListIn)
+}
+
 func NewUserGrantProjectIDSearchQuery(id string) (SearchQuery, error) {
 	return NewTextQuery(UserGrantProjectID, id, TextEquals)
 }
--- a/proto/zitadel/authorization/v2beta/authorization.proto
+++ b/proto/zitadel/authorization/v2beta/authorization.proto
@@ -108,6 +108,8 @@ message AuthorizationsSearchFilter {
    // Search for authorizations by the ID of the project grant the user was granted the authorization for.
    // This will also include authorizations granted for project grants of the same project.
    zitadel.filter.v2beta.IDFilter project_grant_id = 11;
+    // Search for authorizations by the IDs of the users who were granted the authorizations.
+    zitadel.filter.v2beta.InIDsFilter in_user_ids = 12;
  }
 }

--- a/proto/zitadel/user.proto
+++ b/proto/zitadel/user.proto
@@ -829,6 +829,7 @@ message UserGrantQuery {
        UserGrantProjectNameQuery project_name_query = 12;
        UserGrantDisplayNameQuery display_name_query = 13;
        UserGrantUserTypeQuery user_type_query = 14;
+        UserGrantInUserIDsQuery in_user_ids_query = 15;
    }
 }

@@ -850,6 +851,15 @@ message UserGrantUserIDQuery {
    ];
 }

+message UserGrantInUserIDsQuery {
+    repeated string in_user_ids = 1 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "the IDs of the users to include"
+            example: "[\"69629023906488334\",\"69629023906488335\"]";
+        }
+    ];
+}
+
 message UserGrantWithGrantedQuery {
    bool with_granted = 1;
 }