TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 18:07:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: correct permissions for projects on v2 api (#9973)

Browse Source 
# Which Problems Are Solved

Permission checks in project v2beta API did not cover projects and
granted projects correctly.

# How the Problems Are Solved

Add permission checks v1 correctly to the list queries, add correct
permission checks v2 for projects.

# Additional Changes

Correct Pre-Checks for project grants that the right resource owner is
used.

# Additional Context

Permission checks v2 for project grants is still outstanding under
#9972.
This commit is contained in:
Stefan Benz
2025-06-04 13:46:10 +02:00
committed by GitHub
parent 6aeaa89c25
commit 85e3b7449c
15 changed files with 950 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
internal/command/permission_checks.go
View File

@@ -68,6 +68,20 @@ func (c *Commands) checkPermissionUpdateProject(ctx context.Context, resourceOwn
return c.newPermissionCheck(ctx, domain.PermissionProjectWrite, project.AggregateType)(resourceOwner, projectID)
}
func (c *Commands) checkPermissionWriteProjectGrant(ctx context.Context, resourceOwner, projectGrantID string) error {
return c.newPermissionCheck(ctx, domain.PermissionProjectGrantWrite, project.AggregateType)(resourceOwner, projectGrantID)
func (c *Commands) checkPermissionUpdateProjectGrant(ctx context.Context, resourceOwner, projectID, projectGrantID string) (err error) {
if err := c.newPermissionCheck(ctx, domain.PermissionProjectGrantWrite, project.AggregateType)(resourceOwner, projectGrantID); err != nil {
if err := c.newPermissionCheck(ctx, domain.PermissionProjectGrantWrite, project.AggregateType)(resourceOwner, projectID); err != nil {
return err
}
}
return nil
}
func (c *Commands) checkPermissionDeleteProjectGrant(ctx context.Context, resourceOwner, projectID, projectGrantID string) (err error) {
if err := c.newPermissionCheck(ctx, domain.PermissionProjectGrantDelete, project.AggregateType)(resourceOwner, projectGrantID); err != nil {
if err := c.newPermissionCheck(ctx, domain.PermissionProjectGrantDelete, project.AggregateType)(resourceOwner, projectID); err != nil {
return err
}
}
return nil
}

116
internal/command/project_grant.go
View File

@@ -58,11 +58,11 @@ func (c *Commands) AddProjectGrant(ctx context.Context, grant *AddProjectGrant)
if grant.ResourceOwner == "" {
grant.ResourceOwner = projectResourceOwner
}
if err := c.checkPermissionWriteProjectGrant(ctx, grant.ResourceOwner, grant.GrantID); err != nil {
if err := c.checkPermissionUpdateProjectGrant(ctx, grant.ResourceOwner, grant.AggregateID, grant.GrantID); err != nil {
return nil, err
}
wm := NewProjectGrantWriteModel(grant.GrantID, grant.AggregateID, grant.ResourceOwner)
wm := NewProjectGrantWriteModel(grant.GrantID, grant.GrantedOrgID, grant.AggregateID, grant.ResourceOwner)
// error if provided resourceowner is not equal to the resourceowner of the project or the project grant is for the same organization
if projectResourceOwner != wm.ResourceOwner || wm.ResourceOwner == grant.GrantedOrgID {
return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-ckUpbvboAH", "Errors.Project.Grant.Invalid")
@@ -83,19 +83,24 @@ func (c *Commands) AddProjectGrant(ctx context.Context, grant *AddProjectGrant)
type ChangeProjectGrant struct {
es_models.ObjectRoot
GrantID string
RoleKeys []string
GrantID string
GrantedOrgID string
RoleKeys []string
}
func (c *Commands) ChangeProjectGrant(ctx context.Context, grant *ChangeProjectGrant, cascadeUserGrantIDs ...string) (_ *domain.ObjectDetails, err error) {
if grant.GrantID == "" {
if grant.GrantID == "" && grant.GrantedOrgID == "" {
return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-1j83s", "Errors.IDMissing")
}
existingGrant, err := c.projectGrantWriteModelByID(ctx, grant.GrantID, grant.AggregateID, grant.ResourceOwner)
existingGrant, err := c.projectGrantWriteModelByID(ctx, grant.GrantID, grant.GrantedOrgID, grant.AggregateID, grant.ResourceOwner)
if err != nil {
return nil, err
}
if err := c.checkPermissionWriteProjectGrant(ctx, existingGrant.ResourceOwner, existingGrant.GrantID); err != nil {
if !existingGrant.State.Exists() {
return nil, zerrors.ThrowNotFound(nil, "PROJECT-D8JxR", "Errors.Project.Grant.NotFound")
}
if err := c.checkPermissionUpdateProjectGrant(ctx, existingGrant.ResourceOwner, existingGrant.AggregateID, existingGrant.GrantID); err != nil {
return nil, err
}
projectResourceOwner, err := c.checkProjectGrantPreCondition(ctx, existingGrant.AggregateID, existingGrant.GrantedOrgID, existingGrant.ResourceOwner, grant.RoleKeys)
@@ -152,12 +157,12 @@ func (c *Commands) ChangeProjectGrant(ctx context.Context, grant *ChangeProjectG
}
func (c *Commands) removeRoleFromProjectGrant(ctx context.Context, projectAgg *eventstore.Aggregate, projectID, projectGrantID, roleKey string, cascade bool) (_ eventstore.Command, _ *ProjectGrantWriteModel, err error) {
existingProjectGrant, err := c.projectGrantWriteModelByID(ctx, projectGrantID, projectID, "")
existingProjectGrant, err := c.projectGrantWriteModelByID(ctx, projectGrantID, "", projectID, "")
if err != nil {
return nil, nil, err
}
if existingProjectGrant.State == domain.ProjectGrantStateUnspecified || existingProjectGrant.State == domain.ProjectGrantStateRemoved {
return nil, nil, zerrors.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.Project.Grant.NotFound")
if !existingProjectGrant.State.Exists() {
return nil, nil, zerrors.ThrowNotFound(nil, "PROJECT-D8JxR", "Errors.Project.Grant.NotFound")
}
keyExists := false
for i, key := range existingProjectGrant.RoleKeys {
@@ -172,7 +177,7 @@ func (c *Commands) removeRoleFromProjectGrant(ctx context.Context, projectAgg *e
if !keyExists {
return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-5m8g9", "Errors.Project.Grant.RoleKeyNotFound")
}
changedProjectGrant := NewProjectGrantWriteModel(projectGrantID, projectID, existingProjectGrant.ResourceOwner)
changedProjectGrant := NewProjectGrantWriteModel(projectGrantID, projectID, "", existingProjectGrant.ResourceOwner)
if cascade {
return project.NewGrantCascadeChangedEvent(ctx, projectAgg, projectGrantID, existingProjectGrant.RoleKeys), changedProjectGrant, nil
@@ -181,8 +186,8 @@ func (c *Commands) removeRoleFromProjectGrant(ctx context.Context, projectAgg *e
return project.NewGrantChangedEvent(ctx, projectAgg, projectGrantID, existingProjectGrant.RoleKeys), changedProjectGrant, nil
}
func (c *Commands) DeactivateProjectGrant(ctx context.Context, projectID, grantID, resourceOwner string) (details *domain.ObjectDetails, err error) {
if grantID == "" || projectID == "" {
func (c *Commands) DeactivateProjectGrant(ctx context.Context, projectID, grantID, grantedOrgID, resourceOwner string) (details *domain.ObjectDetails, err error) {
if (grantID == "" && grantedOrgID == "") || projectID == "" {
return details, zerrors.ThrowInvalidArgument(nil, "PROJECT-p0s4V", "Errors.IDMissing")
}
@@ -191,10 +196,13 @@ func (c *Commands) DeactivateProjectGrant(ctx context.Context, projectID, grantI
return nil, err
}
existingGrant, err := c.projectGrantWriteModelByID(ctx, grantID, projectID, resourceOwner)
existingGrant, err := c.projectGrantWriteModelByID(ctx, grantID, grantedOrgID, projectID, resourceOwner)
if err != nil {
return details, err
}
if !existingGrant.State.Exists() {
return nil, zerrors.ThrowNotFound(nil, "PROJECT-D8JxR", "Errors.Project.Grant.NotFound")
}
// error if provided resourceowner is not equal to the resourceowner of the project
if projectResourceOwner != existingGrant.ResourceOwner {
return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-0l10S9OmZV", "Errors.Project.Grant.Invalid")
@@ -207,13 +215,13 @@ func (c *Commands) DeactivateProjectGrant(ctx context.Context, projectID, grantI
if existingGrant.State != domain.ProjectGrantStateActive {
return details, zerrors.ThrowPreconditionFailed(nil, "PROJECT-47fu8", "Errors.Project.Grant.NotActive")
}
if err := c.checkPermissionWriteProjectGrant(ctx, existingGrant.ResourceOwner, existingGrant.GrantID); err != nil {
if err := c.checkPermissionUpdateProjectGrant(ctx, existingGrant.ResourceOwner, existingGrant.AggregateID, existingGrant.GrantID); err != nil {
return nil, err
}
pushedEvents, err := c.eventstore.Push(ctx,
project.NewGrantDeactivateEvent(ctx,
ProjectAggregateFromWriteModelWithCTX(ctx, &existingGrant.WriteModel),
grantID,
existingGrant.GrantID,
),
)
if err != nil {
@@ -226,8 +234,8 @@ func (c *Commands) DeactivateProjectGrant(ctx context.Context, projectID, grantI
return writeModelToObjectDetails(&existingGrant.WriteModel), nil
}
func (c *Commands) ReactivateProjectGrant(ctx context.Context, projectID, grantID, resourceOwner string) (details *domain.ObjectDetails, err error) {
if grantID == "" || projectID == "" {
func (c *Commands) ReactivateProjectGrant(ctx context.Context, projectID, grantID, grantedOrgID, resourceOwner string) (details *domain.ObjectDetails, err error) {
if (grantID == "" && grantedOrgID == "") || projectID == "" {
return details, zerrors.ThrowInvalidArgument(nil, "PROJECT-p0s4V", "Errors.IDMissing")
}
@@ -236,10 +244,13 @@ func (c *Commands) ReactivateProjectGrant(ctx context.Context, projectID, grantI
return nil, err
}
existingGrant, err := c.projectGrantWriteModelByID(ctx, grantID, projectID, resourceOwner)
existingGrant, err := c.projectGrantWriteModelByID(ctx, grantID, grantedOrgID, projectID, resourceOwner)
if err != nil {
return details, err
}
if !existingGrant.State.Exists() {
return nil, zerrors.ThrowNotFound(nil, "PROJECT-D8JxR", "Errors.Project.Grant.NotFound")
}
// error if provided resourceowner is not equal to the resourceowner of the project
if projectResourceOwner != existingGrant.ResourceOwner {
return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-byscAarAST", "Errors.Project.Grant.Invalid")
@@ -252,13 +263,13 @@ func (c *Commands) ReactivateProjectGrant(ctx context.Context, projectID, grantI
if existingGrant.State != domain.ProjectGrantStateInactive {
return details, zerrors.ThrowPreconditionFailed(nil, "PROJECT-47fu8", "Errors.Project.Grant.NotInactive")
}
if err := c.checkPermissionWriteProjectGrant(ctx, existingGrant.ResourceOwner, existingGrant.GrantID); err != nil {
if err := c.checkPermissionUpdateProjectGrant(ctx, existingGrant.ResourceOwner, existingGrant.AggregateID, existingGrant.GrantID); err != nil {
return nil, err
}
pushedEvents, err := c.eventstore.Push(ctx,
project.NewGrantReactivatedEvent(ctx,
ProjectAggregateFromWriteModelWithCTX(ctx, &existingGrant.WriteModel),
grantID,
existingGrant.GrantID,
),
)
if err != nil {
@@ -271,25 +282,25 @@ func (c *Commands) ReactivateProjectGrant(ctx context.Context, projectID, grantI
return writeModelToObjectDetails(&existingGrant.WriteModel), nil
}
// Deprecated: use commands.DeleteProjectGrant
func (c *Commands) RemoveProjectGrant(ctx context.Context, projectID, grantID, resourceOwner string, cascadeUserGrantIDs ...string) (details *domain.ObjectDetails, err error) {
if grantID == "" || projectID == "" {
return details, zerrors.ThrowInvalidArgument(nil, "PROJECT-1m9fJ", "Errors.IDMissing")
}
existingGrant, err := c.projectGrantWriteModelByID(ctx, grantID, projectID, resourceOwner)
existingGrant, err := c.projectGrantWriteModelByID(ctx, grantID, "", projectID, resourceOwner)
if err != nil {
return details, err
}
// return if project grant does not exist, or was removed already
if !existingGrant.State.Exists() {
return writeModelToObjectDetails(&existingGrant.WriteModel), nil
return nil, zerrors.ThrowNotFound(nil, "PROJECT-D8JxR", "Errors.Project.Grant.NotFound")
}
if err := c.checkPermissionDeleteProjectGrant(ctx, existingGrant.ResourceOwner, existingGrant.GrantID); err != nil {
if err := c.checkPermissionDeleteProjectGrant(ctx, existingGrant.ResourceOwner, existingGrant.AggregateID, existingGrant.GrantID); err != nil {
return nil, err
}
events := make([]eventstore.Command, 0)
events = append(events, project.NewGrantRemovedEvent(ctx,
ProjectAggregateFromWriteModelWithCTX(ctx, &existingGrant.WriteModel),
grantID,
existingGrant.GrantID,
existingGrant.GrantedOrgID,
),
)
@@ -297,7 +308,7 @@ func (c *Commands) RemoveProjectGrant(ctx context.Context, projectID, grantID, r
for _, userGrantID := range cascadeUserGrantIDs {
event, _, err := c.removeUserGrant(ctx, userGrantID, "", true)
if err != nil {
logging.LogWithFields("COMMAND-3m8sG", "usergrantid", grantID).WithError(err).Warn("could not cascade remove user grant")
logging.WithFields("id", "COMMAND-3m8sG", "usergrantid", grantID).WithError(err).Warn("could not cascade remove user grant")
continue
}
events = append(events, event)
@@ -313,24 +324,57 @@ func (c *Commands) RemoveProjectGrant(ctx context.Context, projectID, grantID, r
return writeModelToObjectDetails(&existingGrant.WriteModel), nil
}
func (c *Commands) checkPermissionDeleteProjectGrant(ctx context.Context, resourceOwner, projectGrantID string) error {
return c.checkPermission(ctx, domain.PermissionProjectGrantDelete, resourceOwner, projectGrantID)
func (c *Commands) DeleteProjectGrant(ctx context.Context, projectID, grantID, grantedOrgID, resourceOwner string, cascadeUserGrantIDs ...string) (details *domain.ObjectDetails, err error) {
if (grantID == "" && grantedOrgID == "") || projectID == "" {
return details, zerrors.ThrowInvalidArgument(nil, "PROJECT-1m9fJ", "Errors.IDMissing")
}
existingGrant, err := c.projectGrantWriteModelByID(ctx, grantID, grantedOrgID, projectID, resourceOwner)
if err != nil {
return details, err
}
// return if project grant does not exist, or was removed already
if !existingGrant.State.Exists() {
return writeModelToObjectDetails(&existingGrant.WriteModel), nil
}
if err := c.checkPermissionDeleteProjectGrant(ctx, existingGrant.ResourceOwner, existingGrant.AggregateID, existingGrant.GrantID); err != nil {
return nil, err
}
events := make([]eventstore.Command, 0)
events = append(events, project.NewGrantRemovedEvent(ctx,
ProjectAggregateFromWriteModelWithCTX(ctx, &existingGrant.WriteModel),
existingGrant.GrantID,
existingGrant.GrantedOrgID,
),
)
for _, userGrantID := range cascadeUserGrantIDs {
event, _, err := c.removeUserGrant(ctx, userGrantID, "", true)
if err != nil {
logging.WithFields("id", "COMMAND-3m8sG", "usergrantid", grantID).WithError(err).Warn("could not cascade remove user grant")
continue
}
events = append(events, event)
}
pushedEvents, err := c.eventstore.Push(ctx, events...)
if err != nil {
return nil, err
}
err = AppendAndReduce(existingGrant, pushedEvents...)
if err != nil {
return nil, err
}
return writeModelToObjectDetails(&existingGrant.WriteModel), nil
}
func (c *Commands) projectGrantWriteModelByID(ctx context.Context, grantID, projectID, resourceOwner string) (member *ProjectGrantWriteModel, err error) {
func (c *Commands) projectGrantWriteModelByID(ctx context.Context, grantID, grantedOrgID, projectID, resourceOwner string) (member *ProjectGrantWriteModel, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
writeModel := NewProjectGrantWriteModel(grantID, projectID, resourceOwner)
writeModel := NewProjectGrantWriteModel(grantID, grantedOrgID, projectID, resourceOwner)
err = c.eventstore.FilterToQueryReducer(ctx, writeModel)
if err != nil {
return nil, err
}
if writeModel.State == domain.ProjectGrantStateUnspecified || writeModel.State == domain.ProjectGrantStateRemoved {
return nil, zerrors.ThrowNotFound(nil, "PROJECT-D8JxR", "Errors.Project.Grant.NotFound")
}
return writeModel, nil
}

62
internal/command/project_grant_model.go
View File

@@ -16,13 +16,14 @@ type ProjectGrantWriteModel struct {
State domain.ProjectGrantState
}
func NewProjectGrantWriteModel(grantID, projectID, resourceOwner string) *ProjectGrantWriteModel {
func NewProjectGrantWriteModel(grantID, grantedOrgID, projectID, resourceOwner string) *ProjectGrantWriteModel {
return &ProjectGrantWriteModel{
WriteModel: eventstore.WriteModel{
AggregateID: projectID,
ResourceOwner: resourceOwner,
},
GrantID: grantID,
GrantID: grantID,
GrantedOrgID: grantedOrgID,
}
}
@@ -30,27 +31,28 @@ func (wm *ProjectGrantWriteModel) AppendEvents(events ...eventstore.Event) {
for _, event := range events {
switch e := event.(type) {
case *project.GrantAddedEvent:
if e.GrantID == wm.GrantID {
if (wm.GrantID != "" && e.GrantID == wm.GrantID) ||
(wm.GrantedOrgID != "" && e.GrantedOrgID == wm.GrantedOrgID) {
wm.WriteModel.AppendEvents(e)
}
case *project.GrantChangedEvent:
if e.GrantID == wm.GrantID {
if wm.GrantID != "" && e.GrantID == wm.GrantID {
wm.WriteModel.AppendEvents(e)
}
case *project.GrantCascadeChangedEvent:
if e.GrantID == wm.GrantID {
if wm.GrantID != "" && e.GrantID == wm.GrantID {
wm.WriteModel.AppendEvents(e)
}
case *project.GrantDeactivateEvent:
if e.GrantID == wm.GrantID {
if wm.GrantID != "" && e.GrantID == wm.GrantID {
wm.WriteModel.AppendEvents(e)
}
case *project.GrantReactivatedEvent:
if e.GrantID == wm.GrantID {
if wm.GrantID != "" && e.GrantID == wm.GrantID {
wm.WriteModel.AppendEvents(e)
}
case *project.GrantRemovedEvent:
if e.GrantID == wm.GrantID {
if wm.GrantID != "" && e.GrantID == wm.GrantID {
wm.WriteModel.AppendEvents(e)
}
case *project.ProjectRemovedEvent:
@@ -114,18 +116,20 @@ func (wm *ProjectGrantWriteModel) Query() *eventstore.SearchQueryBuilder {
type ProjectGrantPreConditionReadModel struct {
eventstore.WriteModel
ProjectID string
GrantedOrgID string
ProjectExists bool
GrantedOrgExists bool
ExistingRoleKeys []string
ProjectResourceOwner string
ProjectID string
GrantedOrgID string
ProjectExists bool
GrantedOrgExists bool
ExistingRoleKeys []string
}
func NewProjectGrantPreConditionReadModel(projectID, grantedOrgID, resourceOwner string) *ProjectGrantPreConditionReadModel {
return &ProjectGrantPreConditionReadModel{
WriteModel: eventstore.WriteModel{ResourceOwner: resourceOwner},
ProjectID: projectID,
GrantedOrgID: grantedOrgID,
WriteModel: eventstore.WriteModel{},
ProjectResourceOwner: resourceOwner,
ProjectID: projectID,
GrantedOrgID: grantedOrgID,
}
}
@@ -133,26 +137,26 @@ func (wm *ProjectGrantPreConditionReadModel) Reduce() error {
for _, event := range wm.Events {
switch e := event.(type) {
case *project.ProjectAddedEvent:
if wm.ResourceOwner == "" {
wm.ResourceOwner = e.Aggregate().ResourceOwner
if wm.ProjectResourceOwner == "" {
wm.ProjectResourceOwner = e.Aggregate().ResourceOwner
}
if wm.ResourceOwner != e.Aggregate().ResourceOwner {
if wm.ProjectResourceOwner != e.Aggregate().ResourceOwner {
continue
}
wm.ProjectExists = true
case *project.ProjectRemovedEvent:
if wm.ResourceOwner != e.Aggregate().ResourceOwner {
if wm.ProjectResourceOwner != e.Aggregate().ResourceOwner {
continue
}
wm.ResourceOwner = ""
wm.ProjectResourceOwner = ""
wm.ProjectExists = false
case *project.RoleAddedEvent:
if e.Aggregate().ResourceOwner != wm.ResourceOwner {
if e.Aggregate().ResourceOwner != wm.ProjectResourceOwner {
continue
}
wm.ExistingRoleKeys = append(wm.ExistingRoleKeys, e.Key)
case *project.RoleRemovedEvent:
if e.Aggregate().ResourceOwner != wm.ResourceOwner {
if e.Aggregate().ResourceOwner != wm.ProjectResourceOwner {
continue
}
for i, key := range wm.ExistingRoleKeys {
@@ -175,12 +179,6 @@ func (wm *ProjectGrantPreConditionReadModel) Reduce() error {
func (wm *ProjectGrantPreConditionReadModel) Query() *eventstore.SearchQueryBuilder {
query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
AddQuery().
AggregateTypes(org.AggregateType).
AggregateIDs(wm.GrantedOrgID).
EventTypes(
org.OrgAddedEventType,
org.OrgRemovedEventType).
Or().
AggregateTypes(project.AggregateType).
AggregateIDs(wm.ProjectID).
EventTypes(
@@ -188,6 +186,12 @@ func (wm *ProjectGrantPreConditionReadModel) Query() *eventstore.SearchQueryBuil
project.ProjectRemovedType,
project.RoleAddedType,
project.RoleRemovedType).
Or().
AggregateTypes(org.AggregateType).
AggregateIDs(wm.GrantedOrgID).
EventTypes(
org.OrgAddedEventType,
org.OrgRemovedEventType).
Builder()
return query

444
internal/command/project_grant_test.go
View File

@@ -720,6 +720,76 @@ func TestCommandSide_ChangeProjectGrant(t *testing.T) {
},
},
},
{
name: "projectgrant only added roles, grantedOrgID, ok",
fields: fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(project.NewGrantAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
"grantedorg1",
[]string{"key1"},
)),
),
expectFilter(
eventFromEventPusher(
project.NewProjectAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectname1", true, true, true,
domain.PrivateLabelingSettingUnspecified,
),
),
eventFromEventPusher(
org.NewOrgAddedEvent(context.Background(),
&org.NewAggregate("grantedorg1").Aggregate,
"granted org",
),
),
eventFromEventPusher(
project.NewRoleAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"key1",
"key",
"",
),
),
eventFromEventPusher(
project.NewRoleAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"key2",
"key2",
"",
),
),
),
expectPush(
project.NewGrantChangedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
[]string{"key1", "key2"},
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
projectGrant: &ChangeProjectGrant{
ObjectRoot: models.ObjectRoot{
AggregateID: "project1",
ResourceOwner: "org1",
},
GrantedOrgID: "grantedorg1",
RoleKeys: []string{"key1", "key2"},
},
},
res: res{
want: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
{
name: "projectgrant remove roles, usergrant not found, ok",
fields: fields{
@@ -907,6 +977,7 @@ func TestCommandSide_DeactivateProjectGrant(t *testing.T) {
ctx context.Context
projectID string
grantID string
grantedOrgID string
resourceOwner string
}
type res struct {
@@ -1076,6 +1147,48 @@ func TestCommandSide_DeactivateProjectGrant(t *testing.T) {
},
},
},
{
name: "projectgrant deactivate, grantedOrgID, ok",
fields: fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
project.NewProjectAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectname1", true, true, true,
domain.PrivateLabelingSettingUnspecified,
),
),
),
expectFilter(
eventFromEventPusher(project.NewGrantAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
"grantedorg1",
[]string{"key1"},
)),
),
expectPush(
project.NewGrantDeactivateEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
projectID: "project1",
grantedOrgID: "grantedorg1",
resourceOwner: "org1",
},
res: res{
want: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
@@ -1083,7 +1196,7 @@ func TestCommandSide_DeactivateProjectGrant(t *testing.T) {
eventstore: tt.fields.eventstore(t),
checkPermission: tt.fields.checkPermission,
}
got, err := r.DeactivateProjectGrant(tt.args.ctx, tt.args.projectID, tt.args.grantID, tt.args.resourceOwner)
got, err := r.DeactivateProjectGrant(tt.args.ctx, tt.args.projectID, tt.args.grantID, tt.args.grantedOrgID, tt.args.resourceOwner)
if tt.res.err == nil {
assert.NoError(t, err)
}
@@ -1106,6 +1219,7 @@ func TestCommandSide_ReactivateProjectGrant(t *testing.T) {
ctx context.Context
projectID string
grantID string
grantedOrgID string
resourceOwner string
}
type res struct {
@@ -1275,6 +1389,52 @@ func TestCommandSide_ReactivateProjectGrant(t *testing.T) {
},
},
},
{
name: "projectgrant reactivate, grantedOrgID, ok",
fields: fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
project.NewProjectAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectname1", true, true, true,
domain.PrivateLabelingSettingUnspecified,
),
),
),
expectFilter(
eventFromEventPusher(project.NewGrantAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
"grantedorg1",
[]string{"key1"},
)),
eventFromEventPusher(project.NewGrantDeactivateEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
)),
),
expectPush(
project.NewGrantReactivatedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
projectID: "project1",
grantedOrgID: "grantedorg1",
resourceOwner: "org1",
},
res: res{
want: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
@@ -1282,7 +1442,7 @@ func TestCommandSide_ReactivateProjectGrant(t *testing.T) {
eventstore: tt.fields.eventstore(t),
checkPermission: tt.fields.checkPermission,
}
got, err := r.ReactivateProjectGrant(tt.args.ctx, tt.args.projectID, tt.args.grantID, tt.args.resourceOwner)
got, err := r.ReactivateProjectGrant(tt.args.ctx, tt.args.projectID, tt.args.grantID, tt.args.grantedOrgID, tt.args.resourceOwner)
if tt.res.err == nil {
assert.NoError(t, err)
}
@@ -1536,3 +1696,283 @@ func TestCommandSide_RemoveProjectGrant(t *testing.T) {
})
}
}
func TestCommandSide_DeleteProjectGrant(t *testing.T) {
type fields struct {
eventstore func(t *testing.T) *eventstore.Eventstore
checkPermission domain.PermissionCheck
}
type args struct {
ctx context.Context
projectID string
grantID string
grantedOrgID string
resourceOwner string
cascadeUserGrantIDs []string
}
type res struct {
want *domain.ObjectDetails
err func(error) bool
}
tests := []struct {
name string
fields fields
args args
res res
}{
{
name: "missing projectid, invalid error",
fields: fields{
eventstore: expectEventstore(),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
grantID: "projectgrant1",
resourceOwner: "org1",
},
res: res{
err: zerrors.IsErrorInvalidArgument,
},
},
{
name: "missing grantid, invalid error",
fields: fields{
eventstore: expectEventstore(),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
projectID: "project1",
resourceOwner: "org1",
},
res: res{
err: zerrors.IsErrorInvalidArgument,
},
},
{
name: "project already removed, precondition failed error",
fields: fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(project.NewGrantAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
"grantedorg1",
[]string{"key1"},
)),
eventFromEventPusher(
project.NewProjectRemovedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectname1",
nil,
),
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
projectID: "project1",
grantID: "projectgrant1",
resourceOwner: "org1",
},
res: res{
want: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
{
name: "projectgrant not existing, precondition error",
fields: fields{
eventstore: expectEventstore(
expectFilter(),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
projectID: "project1",
grantID: "projectgrant1",
resourceOwner: "org1",
},
res: res{
want: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
{
name: "projectgrant remove, ok",
fields: fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(project.NewGrantAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
"grantedorg1",
[]string{"key1"},
)),
),
expectPush(
project.NewGrantRemovedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
"grantedorg1",
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
projectID: "project1",
grantID: "projectgrant1",
resourceOwner: "org1",
},
res: res{
want: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
{
name: "projectgrant remove, grantedOrgID, ok",
fields: fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(project.NewGrantAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
"grantedorg1",
[]string{"key1"},
)),
),
expectPush(
project.NewGrantRemovedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
"grantedorg1",
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
projectID: "project1",
grantedOrgID: "grantedorg1",
resourceOwner: "org1",
},
res: res{
want: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
{
name: "projectgrant remove, cascading usergrant not found, ok",
fields: fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(project.NewGrantAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
"grantedorg1",
[]string{"key1"},
)),
),
expectFilter(),
expectPush(
project.NewGrantRemovedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
"grantedorg1",
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
projectID: "project1",
grantID: "projectgrant1",
resourceOwner: "org1",
cascadeUserGrantIDs: []string{"usergrant1"},
},
res: res{
want: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
{
name: "projectgrant remove with cascading usergrants, ok",
fields: fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(project.NewGrantAddedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
"grantedorg1",
[]string{"key1"},
)),
),
expectFilter(
eventFromEventPusher(usergrant.NewUserGrantAddedEvent(context.Background(),
&usergrant.NewAggregate("usergrant1", "org1").Aggregate,
"user1",
"project1",
"projectgrant1",
[]string{"key1"}))),
expectPush(
project.NewGrantRemovedEvent(context.Background(),
&project.NewAggregate("project1", "org1").Aggregate,
"projectgrant1",
"grantedorg1",
),
usergrant.NewUserGrantCascadeRemovedEvent(context.Background(),
&usergrant.NewAggregate("usergrant1", "org1").Aggregate,
"user1",
"project1",
"projectgrant1",
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
projectID: "project1",
grantID: "projectgrant1",
resourceOwner: "org1",
cascadeUserGrantIDs: []string{"usergrant1"},
},
res: res{
want: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
r := &Commands{
eventstore: tt.fields.eventstore(t),
checkPermission: tt.fields.checkPermission,
}
got, err := r.DeleteProjectGrant(tt.args.ctx, tt.args.projectID, tt.args.grantID, tt.args.grantedOrgID, tt.args.resourceOwner, tt.args.cascadeUserGrantIDs...)
if tt.res.err == nil {
assert.NoError(t, err)
}
if tt.res.err != nil && !tt.res.err(err) {
t.Errorf("got wrong err: %v ", err)
}
if tt.res.err == nil {
assertObjectDetails(t, tt.res.want, got)
}
})
}
}

2
internal/command/project_old.go
View File

@@ -94,5 +94,5 @@ func (c *Commands) checkProjectGrantPreConditionOld(ctx context.Context, project
if domain.HasInvalidRoles(preConditions.ExistingRoleKeys, roles) {
return "", zerrors.ThrowPreconditionFailed(err, "COMMAND-6m9gd", "Errors.Project.Role.NotFound")
}
return preConditions.ResourceOwner, nil
return preConditions.ProjectResourceOwner, nil
}