fix: my usermemberships (#1290)

* fix: my usermemberships * frontend Co-authored-by: Max Peintner <max@caos.ch>
2025-02-28 21:07:22 +00:00 · 2021-02-16 10:08:44 +01:00 · 2021-02-16 10:08:44 +01:00 · 8ec4a74d76
commit 8ec4a74d76
parent 33534ab006
11 changed files with 250 additions and 20 deletions
--- a/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-detail.component.html
+++ b/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-detail.component.html
@ -77,7 +77,7 @@
            </div>
        </div>
        <ng-template appHasRole [appHasRole]="['user.membership.read']">
-            <app-memberships [user]="user"></app-memberships>
+            <app-memberships [auth]="true" [user]="user"></app-memberships>
        </ng-template>

        <app-changes class="changes" [refresh]="refreshChanges$" [changeType]="ChangeType.MYUSER" [id]="user.id">
--- a/console/src/app/pages/users/user-detail/memberships/memberships.component.ts
+++ b/console/src/app/pages/users/user-detail/memberships/memberships.component.ts
@ -3,8 +3,10 @@ import { Component, Input, OnInit } from '@angular/core';
 import { MatDialog } from '@angular/material/dialog';
 import { Router } from '@angular/router';
 import { CreationType, MemberCreateDialogComponent } from 'src/app/modules/add-member-dialog/member-create-dialog.component';
+import { AuthServiceClient } from 'src/app/proto/generated/auth_grpc_web_pb';
 import { MemberType, UserMembershipSearchResponse, UserView } from 'src/app/proto/generated/management_pb';
 import { AdminService } from 'src/app/services/admin.service';
+import { GrpcAuthService } from 'src/app/services/grpc-auth.service';
 import { ManagementService } from 'src/app/services/mgmt.service';
 import { ToastService } from 'src/app/services/toast.service';

@ -33,12 +35,14 @@ export class MembershipsComponent implements OnInit {
    public loading: boolean = false;
    public memberships!: UserMembershipSearchResponse.AsObject;

+    @Input() public auth: boolean = false;
    @Input() public user!: UserView.AsObject;
    @Input() public disabled: boolean = false;

    public MemberType: any = MemberType;

    constructor(
+        private authService: GrpcAuthService,
        private mgmtService: ManagementService,
        private adminService: AdminService,
        private dialog: MatDialog,
@ -51,11 +55,18 @@ export class MembershipsComponent implements OnInit {
    }

    public async loadManager(userId: string): Promise<void> {
+        if (this.auth) {
+            this.authService.SearchUserMemberships(100, 0, []).then(response => {
+                this.memberships = response.toObject();
+                this.loading = false;
+            });
+        } else {
            this.mgmtService.SearchUserMemberships(userId, 100, 0, []).then(response => {
                this.memberships = response.toObject();
                this.loading = false;
            });
        }
+    }

    public navigateToObject(): void {
        if (!this.disabled) {
--- a/console/src/app/services/grpc-auth.service.ts
+++ b/console/src/app/services/grpc-auth.service.ts
@ -26,6 +26,9 @@ import {
    UpdateUserProfileRequest,
    UserAddress,
    UserEmail,
+    UserMembershipSearchQuery,
+    UserMembershipSearchRequest,
+    UserMembershipSearchResponse,
    UserPhone,
    UserProfile,
    UserProfileView,
@ -241,6 +244,16 @@ export class GrpcAuthService {
        );
    }

+    public SearchUserMemberships(limit: number, offset: number, queryList?: UserMembershipSearchQuery[]): Promise<UserMembershipSearchResponse> {
+        const req = new UserMembershipSearchRequest();
+        req.setLimit(limit);
+        req.setOffset(offset);
+        if (queryList) {
+            req.setQueriesList(queryList);
+        }
+        return this.grpcService.auth.searchMyUserMemberships(req);
+    }
+
    public GetMyUserEmail(): Promise<UserEmail> {
        return this.grpcService.auth.getMyUserEmail(
            new Empty(),
--- a/internal/api/grpc/auth/user.go
+++ b/internal/api/grpc/auth/user.go
@ -2,7 +2,7 @@ package auth

 import (
 	"context"
-
+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/golang/protobuf/ptypes/empty"

 	"github.com/caos/zitadel/pkg/grpc/auth"
@ -212,3 +212,13 @@ func (s *Server) GetMyUserChanges(ctx context.Context, request *auth.ChangesRequ
 	}
 	return userChangesToResponse(changes, request.GetSequenceOffset(), request.GetLimit()), nil
 }
+
+func (s *Server) SearchMyUserMemberships(ctx context.Context, in *auth.UserMembershipSearchRequest) (*auth.UserMembershipSearchResponse, error) {
+	request := userMembershipSearchRequestsToModel(in)
+	request.AppendUserIDQuery(authz.GetCtxData(ctx).UserID)
+	response, err := s.repo.SearchMyUserMemberships(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+	return userMembershipSearchResponseFromModel(response), nil
+}
--- a/internal/api/grpc/auth/user_converter.go
+++ b/internal/api/grpc/auth/user_converter.go
@ -3,7 +3,6 @@ package auth
 import (
 	"context"
 	"encoding/json"
-
 	"github.com/caos/logging"
 	"github.com/golang/protobuf/ptypes"
 	"golang.org/x/text/language"
@ -452,3 +451,93 @@ func webAuthNTokenFromModel(token *usr_model.WebAuthNToken) *auth.WebAuthNToken
 		State: mfaStateFromModel(token.State),
 	}
 }
+
+func userMembershipSearchResponseFromModel(response *usr_model.UserMembershipSearchResponse) *auth.UserMembershipSearchResponse {
+	timestamp, err := ptypes.TimestampProto(response.Timestamp)
+	logging.Log("GRPC-Hs8jd").OnError(err).Debug("unable to parse timestamp")
+	return &auth.UserMembershipSearchResponse{
+		Offset:            response.Offset,
+		Limit:             response.Limit,
+		TotalResult:       response.TotalResult,
+		Result:            userMembershipViewsFromModel(response.Result),
+		ProcessedSequence: response.Sequence,
+		ViewTimestamp:     timestamp,
+	}
+}
+
+func userMembershipViewsFromModel(memberships []*usr_model.UserMembershipView) []*auth.UserMembershipView {
+	converted := make([]*auth.UserMembershipView, len(memberships))
+	for i, membership := range memberships {
+		converted[i] = userMembershipViewFromModel(membership)
+	}
+	return converted
+}
+
+func userMembershipViewFromModel(membership *usr_model.UserMembershipView) *auth.UserMembershipView {
+	creationDate, err := ptypes.TimestampProto(membership.CreationDate)
+	logging.Log("GRPC-Msnu8").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(membership.ChangeDate)
+	logging.Log("GRPC-Slco9").OnError(err).Debug("unable to parse timestamp")
+
+	return &auth.UserMembershipView{
+		UserId:        membership.UserID,
+		AggregateId:   membership.AggregateID,
+		ObjectId:      membership.ObjectID,
+		MemberType:    memberTypeFromModel(membership.MemberType),
+		DisplayName:   membership.DisplayName,
+		Roles:         membership.Roles,
+		CreationDate:  creationDate,
+		ChangeDate:    changeDate,
+		Sequence:      membership.Sequence,
+		ResourceOwner: membership.ResourceOwner,
+	}
+}
+
+func userMembershipSearchRequestsToModel(request *auth.UserMembershipSearchRequest) *usr_model.UserMembershipSearchRequest {
+	return &usr_model.UserMembershipSearchRequest{
+		Offset:  request.Offset,
+		Limit:   request.Limit,
+		Queries: userMembershipSearchQueriesToModel(request.Queries),
+	}
+}
+
+func userMembershipSearchQueriesToModel(queries []*auth.UserMembershipSearchQuery) []*usr_model.UserMembershipSearchQuery {
+	converted := make([]*usr_model.UserMembershipSearchQuery, len(queries))
+	for i, q := range queries {
+		converted[i] = userMembershipSearchQueryToModel(q)
+	}
+	return converted
+}
+
+func userMembershipSearchQueryToModel(query *auth.UserMembershipSearchQuery) *usr_model.UserMembershipSearchQuery {
+	return &usr_model.UserMembershipSearchQuery{
+		Key:    userMembershipSearchKeyToModel(query.Key),
+		Method: searchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func userMembershipSearchKeyToModel(key auth.UserMembershipSearchKey) usr_model.UserMembershipSearchKey {
+	switch key {
+	case auth.UserMembershipSearchKey_USERMEMBERSHIPSEARCHKEY_TYPE:
+		return usr_model.UserMembershipSearchKeyMemberType
+	case auth.UserMembershipSearchKey_USERMEMBERSHIPSEARCHKEY_OBJECT_ID:
+		return usr_model.UserMembershipSearchKeyObjectID
+	default:
+		return usr_model.UserMembershipSearchKeyUnspecified
+	}
+}
+
+func memberTypeFromModel(memberType usr_model.MemberType) auth.MemberType {
+	switch memberType {
+	case usr_model.MemberTypeOrganisation:
+		return auth.MemberType_MEMBERTYPE_ORGANISATION
+	case usr_model.MemberTypeProject:
+		return auth.MemberType_MEMBERTYPE_PROJECT
+	case usr_model.MemberTypeProjectGrant:
+		return auth.MemberType_MEMBERTYPE_PROJECT_GRANT
+	default:
+		return auth.MemberType_MEMBERTYPE_UNSPECIFIED
+	}
+}
--- a/internal/api/grpc/auth/user_human_converter.go
+++ b/internal/api/grpc/auth/user_human_converter.go
@ -3,7 +3,7 @@ package auth
 import (
 	"github.com/caos/logging"
 	usr_model "github.com/caos/zitadel/internal/user/model"
-	auth "github.com/caos/zitadel/pkg/grpc/auth"
+	"github.com/caos/zitadel/pkg/grpc/auth"
 	"github.com/golang/protobuf/ptypes"
 )

--- a/internal/auth/repository/eventsourcing/eventstore/user_grant.go
+++ b/internal/auth/repository/eventsourcing/eventstore/user_grant.go
@ -2,7 +2,6 @@ package eventstore

 import (
 	"context"
-
 	"github.com/caos/logging"

 	"github.com/caos/zitadel/internal/api/authz"
@ -94,7 +93,43 @@ func membershipsToOrgResp(memberships []*user_view_model.UserMembershipView, cou
 	}
 }

+func (repo *UserGrantRepo) SearchMyUserMemberships(ctx context.Context, request *user_model.UserMembershipSearchRequest) (*user_model.UserMembershipSearchResponse, error) {
+	request.EnsureLimit(repo.SearchLimit)
+	sequence, sequenceErr := repo.View.GetLatestUserMembershipSequence()
+	logging.Log("EVENT-Dn7sf").OnError(sequenceErr).Warn("could not read latest user sequence")
+
+	memberships, count, err := repo.View.SearchUserMemberships(request)
+	if err != nil {
+		return nil, err
+	}
+	result := &user_model.UserMembershipSearchResponse{
+		Offset:      request.Offset,
+		Limit:       request.Limit,
+		TotalResult: count,
+		Result:      user_view_model.UserMembershipsToModel(memberships),
+	}
+	if sequenceErr == nil {
+		result.Sequence = sequence.CurrentSequence
+		result.Timestamp = sequence.LastSuccessfulSpoolerRun
+	}
+	return result, nil
+}
+
 func (repo *UserGrantRepo) SearchMyZitadelPermissions(ctx context.Context) ([]string, error) {
+	memberships, err := repo.searchUserMemberships(ctx)
+	if err != nil {
+		return nil, err
+	}
+	permissions := &grant_model.Permissions{Permissions: []string{}}
+	for _, membership := range memberships {
+		for _, role := range membership.Roles {
+			permissions = repo.mapRoleToPermission(permissions, membership, role)
+		}
+	}
+	return permissions.Permissions, nil
+}
+
+func (repo *UserGrantRepo) searchUserMemberships(ctx context.Context) ([]*user_view_model.UserMembershipView, error) {
 	ctxData := authz.GetCtxData(ctx)
 	orgMemberships, orgCount, err := repo.View.SearchUserMemberships(&user_model.UserMembershipSearchRequest{
 		Queries: []*user_model.UserMembershipSearchQuery{
@ -131,16 +166,9 @@ func (repo *UserGrantRepo) SearchMyZitadelPermissions(ctx context.Context) ([]st
 		return nil, err
 	}
 	if orgCount == 0 && iamCount == 0 {
-		return []string{}, nil
+		return []*user_view_model.UserMembershipView{}, nil
 	}
-	orgMemberships = append(orgMemberships, iamMemberships...)
-	permissions := &grant_model.Permissions{Permissions: []string{}}
-	for _, membership := range orgMemberships {
-		for _, role := range membership.Roles {
-			permissions = repo.mapRoleToPermission(permissions, membership, role)
-		}
-	}
-	return permissions.Permissions, nil
+	return append(orgMemberships, iamMemberships...), nil
 }

 func (repo *UserGrantRepo) SearchMyProjectPermissions(ctx context.Context) ([]string, error) {
@ -275,3 +303,20 @@ func containsOrg(orgs []*grant_model.Org, resourceOwner string) bool {
 	}
 	return false
 }
+
+func userMembershipToMembership(membership *user_view_model.UserMembershipView) *authz.Membership {
+	return &authz.Membership{
+		MemberType:  authz.MemberType(membership.MemberType),
+		AggregateID: membership.AggregateID,
+		ObjectID:    membership.ObjectID,
+		Roles:       membership.Roles,
+	}
+}
+
+func userMembershipsToMemberships(memberships []*user_view_model.UserMembershipView) []*authz.Membership {
+	result := make([]*authz.Membership, len(memberships))
+	for i, m := range memberships {
+		result[i] = userMembershipToMembership(m)
+	}
+	return result
+}
--- a/internal/auth/repository/user.go
+++ b/internal/auth/repository/user.go
@ -89,4 +89,6 @@ type myUserRepo interface {
 	ChangeMyUsername(ctx context.Context, username string) error

 	MyUserChanges(ctx context.Context, lastSequence uint64, limit uint64, sortAscending bool) (*model.UserChanges, error)
+
+	SearchMyUserMemberships(ctx context.Context, request *model.UserMembershipSearchRequest) (*model.UserMembershipSearchResponse, error)
 }
--- a/internal/management/repository/eventsourcing/eventstore/permissions.go
+++ b/internal/management/repository/eventsourcing/eventstore/permissions.go
@ -5,5 +5,5 @@ const (
 	orgMemberReadPerm          = "org.member.read"
 	iamMemberReadPerm          = "iam.member.read"
 	projectMemberReadPerm      = "project.member.read"
-	projectGrantMemberReadPerm = "project.member.read"
+	projectGrantMemberReadPerm = "project.grant.member.read"
 )
--- a/pkg/grpc/auth/proto/auth.proto
+++ b/pkg/grpc/auth/proto/auth.proto
@ -418,6 +418,17 @@ service AuthService {
      permission: "authenticated"
    };
  }
+
+  rpc SearchMyUserMemberships(UserMembershipSearchRequest) returns (UserMembershipSearchResponse) {
+    option (google.api.http) = {
+      post: "/users/me/memberships/_search"
+      body: "*"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
 }

 message UserSessionViews {
@ -857,3 +868,51 @@ message ExternalIDPView {
  google.protobuf.Timestamp creation_date = 6;
  google.protobuf.Timestamp change_date = 7;
 }
+
+
+message UserMembershipSearchResponse {
+  uint64 offset = 1;
+  uint64 limit = 2;
+  uint64 total_result = 3;
+  repeated UserMembershipView result = 4;
+  uint64 processed_sequence = 5;
+  google.protobuf.Timestamp view_timestamp = 6;
+}
+
+message UserMembershipSearchRequest {
+  uint64 offset = 1;
+  uint64 limit = 2;
+  repeated UserMembershipSearchQuery queries = 3;
+}
+
+message UserMembershipSearchQuery {
+  UserMembershipSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
+  SearchMethod method = 2 [(validate.rules).enum = {in: [0]}];
+  string value = 3;
+}
+
+enum UserMembershipSearchKey {
+  USERMEMBERSHIPSEARCHKEY_UNSPECIFIED = 0;
+  USERMEMBERSHIPSEARCHKEY_TYPE = 1;
+  USERMEMBERSHIPSEARCHKEY_OBJECT_ID = 2;
+}
+
+message UserMembershipView {
+  string user_id = 1;
+  MemberType member_type = 2;
+  string aggregate_id = 3;
+  string object_id = 4;
+  repeated string roles = 5;
+  string display_name = 6;
+  google.protobuf.Timestamp creation_date = 7;
+  google.protobuf.Timestamp change_date = 8;
+  uint64 sequence = 9;
+  string resource_owner = 10;
+}
+
+enum MemberType {
+  MEMBERTYPE_UNSPECIFIED = 0;
+  MEMBERTYPE_ORGANISATION = 1;
+  MEMBERTYPE_PROJECT = 2;
+  MEMBERTYPE_PROJECT_GRANT = 3;
+}
--- a/pkg/grpc/management/proto/management.proto
+++ b/pkg/grpc/management/proto/management.proto
@ -778,6 +778,7 @@ service ManagementService {

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.read"
+      check_field_name: "Id"
    };
  }