feat: user api requests to resource API (#9794)

# Which Problems Are Solved This pull request addresses a significant gap in the user service v2 API, which currently lacks methods for managing machine users. # How the Problems Are Solved This PR adds new API endpoints to the user service v2 to manage machine users including their secret, keys and personal access tokens. Additionally, there's now a CreateUser and UpdateUser endpoints which allow to create either a human or machine user and update them. The existing `CreateHumanUser` endpoint has been deprecated along the corresponding management service endpoints. For details check the additional context section. # Additional Context - Closes https://github.com/zitadel/zitadel/issues/9349 ## More details - API changes: https://github.com/zitadel/zitadel/pull/9680 - Implementation: https://github.com/zitadel/zitadel/pull/9763 - Tests: https://github.com/zitadel/zitadel/pull/9771 ## Follow-ups - Metadata: support managing user metadata using resource API https://github.com/zitadel/zitadel/pull/10005 - Machine token type: support managing the machine token type (migrate to new enum with zero value unspecified?) --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-12-06 05:52:18 +00:00 · 2025-06-04 09:17:23 +02:00
parent e2a61a6002
commit 8fc11a7366
86 changed files with 7033 additions and 536 deletions
--- a/internal/query/authn_key.go
+++ b/internal/query/authn_key.go
@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	_ "embed"
 	"errors"
+	"slices"
 	"time"

 	sq "github.com/Masterminds/squirrel"
@@ -18,6 +19,14 @@ import (
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

+func keysCheckPermission(ctx context.Context, keys *AuthNKeys, permissionCheck domain.PermissionCheck) {
+	keys.AuthNKeys = slices.DeleteFunc(keys.AuthNKeys,
+		func(key *AuthNKey) bool {
+			return userCheckPermission(ctx, key.ResourceOwner, key.AggregateID, permissionCheck) != nil
+		},
+	)
+}
+
 var (
 	authNKeyTable = table{
 		name:          projection.AuthNKeyTable,
@@ -84,6 +93,7 @@ type AuthNKeys struct {

 type AuthNKey struct {
 	ID            string
+	AggregateID   string
 	CreationDate  time.Time
 	ChangeDate    time.Time
 	ResourceOwner string
@@ -124,12 +134,47 @@ func (q *AuthNKeySearchQueries) toQuery(query sq.SelectBuilder) sq.SelectBuilder
 	return query
 }

-func (q *Queries) SearchAuthNKeys(ctx context.Context, queries *AuthNKeySearchQueries, withOwnerRemoved bool) (authNKeys *AuthNKeys, err error) {
+type JoinFilter int
+
+const (
+	JoinFilterUnspecified JoinFilter = iota
+	JoinFilterApp
+	JoinFilterUserMachine
+)
+
+// SearchAuthNKeys returns machine or app keys, depending on the join filter.
+// If permissionCheck is nil, the keys are not filtered.
+// If permissionCheck is not nil and the PermissionCheckV2 feature flag is false, the returned keys are filtered in-memory by the given permission check.
+// If permissionCheck is not nil and the PermissionCheckV2 feature flag is true, the returned keys are filtered in the database.
+func (q *Queries) SearchAuthNKeys(ctx context.Context, queries *AuthNKeySearchQueries, filter JoinFilter, permissionCheck domain.PermissionCheck) (authNKeys *AuthNKeys, err error) {
+	permissionCheckV2 := PermissionV2(ctx, permissionCheck)
+	keys, err := q.searchAuthNKeys(ctx, queries, filter, permissionCheckV2)
+	if err != nil {
+		return nil, err
+	}
+	if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
+		keysCheckPermission(ctx, keys, permissionCheck)
+	}
+	return keys, nil
+}
+
+func (q *Queries) searchAuthNKeys(ctx context.Context, queries *AuthNKeySearchQueries, joinFilter JoinFilter, permissionCheckV2 bool) (authNKeys *AuthNKeys, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

 	query, scan := prepareAuthNKeysQuery()
 	query = queries.toQuery(query)
+	switch joinFilter {
+	case JoinFilterUnspecified:
+		// Select all authN keys
+	case JoinFilterApp:
+		joinCol := ProjectColumnID
+		query = query.Join(joinCol.table.identifier() + " ON " + AuthNKeyColumnIdentifier.identifier() + " = " + joinCol.identifier())
+	case JoinFilterUserMachine:
+		joinCol := MachineUserIDCol
+		query = query.Join(joinCol.table.identifier() + " ON " + AuthNKeyColumnIdentifier.identifier() + " = " + joinCol.identifier())
+		query = userPermissionCheckV2WithCustomColumns(ctx, query, permissionCheckV2, queries.Queries, AuthNKeyColumnResourceOwner, AuthNKeyColumnIdentifier)
+	}
 	eq := sq.Eq{
 		AuthNKeyColumnEnabled.identifier():    true,
 		AuthNKeyColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
@@ -249,6 +294,22 @@ func NewAuthNKeyObjectIDQuery(id string) (SearchQuery, error) {
 	return NewTextQuery(AuthNKeyColumnObjectID, id, TextEquals)
 }

+func NewAuthNKeyIDQuery(id string) (SearchQuery, error) {
+	return NewTextQuery(AuthNKeyColumnID, id, TextEquals)
+}
+
+func NewAuthNKeyIdentifyerQuery(id string) (SearchQuery, error) {
+	return NewTextQuery(AuthNKeyColumnIdentifier, id, TextEquals)
+}
+
+func NewAuthNKeyCreationDateQuery(ts time.Time, compare TimestampComparison) (SearchQuery, error) {
+	return NewTimestampQuery(AuthNKeyColumnCreationDate, ts, compare)
+}
+
+func NewAuthNKeyExpirationDateDateQuery(ts time.Time, compare TimestampComparison) (SearchQuery, error) {
+	return NewTimestampQuery(AuthNKeyColumnExpiration, ts, compare)
+}
+
 //go:embed authn_key_user.sql
 var authNKeyUserQuery string

@@ -288,49 +349,52 @@ func (q *Queries) GetAuthNKeyUser(ctx context.Context, keyID, userID string) (_
 }

 func prepareAuthNKeysQuery() (sq.SelectBuilder, func(rows *sql.Rows) (*AuthNKeys, error)) {
-	return sq.Select(
-			AuthNKeyColumnID.identifier(),
-			AuthNKeyColumnCreationDate.identifier(),
-			AuthNKeyColumnChangeDate.identifier(),
-			AuthNKeyColumnResourceOwner.identifier(),
-			AuthNKeyColumnSequence.identifier(),
-			AuthNKeyColumnExpiration.identifier(),
-			AuthNKeyColumnType.identifier(),
-			countColumn.identifier(),
-		).From(authNKeyTable.identifier()).
-			PlaceholderFormat(sq.Dollar),
-		func(rows *sql.Rows) (*AuthNKeys, error) {
-			authNKeys := make([]*AuthNKey, 0)
-			var count uint64
-			for rows.Next() {
-				authNKey := new(AuthNKey)
-				err := rows.Scan(
-					&authNKey.ID,
-					&authNKey.CreationDate,
-					&authNKey.ChangeDate,
-					&authNKey.ResourceOwner,
-					&authNKey.Sequence,
-					&authNKey.Expiration,
-					&authNKey.Type,
-					&count,
-				)
-				if err != nil {
-					return nil, err
-				}
-				authNKeys = append(authNKeys, authNKey)
-			}
+	query := sq.Select(
+		AuthNKeyColumnID.identifier(),
+		AuthNKeyColumnAggregateID.identifier(),
+		AuthNKeyColumnCreationDate.identifier(),
+		AuthNKeyColumnChangeDate.identifier(),
+		AuthNKeyColumnResourceOwner.identifier(),
+		AuthNKeyColumnSequence.identifier(),
+		AuthNKeyColumnExpiration.identifier(),
+		AuthNKeyColumnType.identifier(),
+		countColumn.identifier(),
+	).From(authNKeyTable.identifier()).
+		PlaceholderFormat(sq.Dollar)

-			if err := rows.Close(); err != nil {
-				return nil, zerrors.ThrowInternal(err, "QUERY-Dgfn3", "Errors.Query.CloseRows")
+	return query, func(rows *sql.Rows) (*AuthNKeys, error) {
+		authNKeys := make([]*AuthNKey, 0)
+		var count uint64
+		for rows.Next() {
+			authNKey := new(AuthNKey)
+			err := rows.Scan(
+				&authNKey.ID,
+				&authNKey.AggregateID,
+				&authNKey.CreationDate,
+				&authNKey.ChangeDate,
+				&authNKey.ResourceOwner,
+				&authNKey.Sequence,
+				&authNKey.Expiration,
+				&authNKey.Type,
+				&count,
+			)
+			if err != nil {
+				return nil, err
 			}
-
-			return &AuthNKeys{
-				AuthNKeys: authNKeys,
-				SearchResponse: SearchResponse{
-					Count: count,
-				},
-			}, nil
+			authNKeys = append(authNKeys, authNKey)
 		}
+
+		if err := rows.Close(); err != nil {
+			return nil, zerrors.ThrowInternal(err, "QUERY-Dgfn3", "Errors.Query.CloseRows")
+		}
+
+		return &AuthNKeys{
+			AuthNKeys: authNKeys,
+			SearchResponse: SearchResponse{
+				Count: count,
+			},
+		}, nil
+	}
 }

 func prepareAuthNKeyQuery() (sq.SelectBuilder, func(row *sql.Row) (*AuthNKey, error)) {
--- a/internal/query/authn_key_test.go
+++ b/internal/query/authn_key_test.go
@@ -19,6 +19,7 @@ import (

 var (
 	prepareAuthNKeysStmt = `SELECT projections.authn_keys2.id,` +
+		` projections.authn_keys2.aggregate_id,` +
 		` projections.authn_keys2.creation_date,` +
 		` projections.authn_keys2.change_date,` +
 		` projections.authn_keys2.resource_owner,` +
@@ -29,6 +30,7 @@ var (
 		` FROM projections.authn_keys2`
 	prepareAuthNKeysCols = []string{
 		"id",
+		"aggregate_id",
 		"creation_date",
 		"change_date",
 		"resource_owner",
@@ -120,6 +122,7 @@ func Test_AuthNKeyPrepares(t *testing.T) {
 					[][]driver.Value{
 						{
 							"id",
+							"aggId",
 							testNow,
 							testNow,
 							"ro",
@@ -137,6 +140,7 @@ func Test_AuthNKeyPrepares(t *testing.T) {
 				AuthNKeys: []*AuthNKey{
 					{
 						ID:            "id",
+						AggregateID:   "aggId",
 						CreationDate:  testNow,
 						ChangeDate:    testNow,
 						ResourceOwner: "ro",
@@ -157,6 +161,7 @@ func Test_AuthNKeyPrepares(t *testing.T) {
 					[][]driver.Value{
 						{
 							"id-1",
+							"aggId-1",
 							testNow,
 							testNow,
 							"ro",
@@ -166,6 +171,7 @@ func Test_AuthNKeyPrepares(t *testing.T) {
 						},
 						{
 							"id-2",
+							"aggId-2",
 							testNow,
 							testNow,
 							"ro",
@@ -183,6 +189,7 @@ func Test_AuthNKeyPrepares(t *testing.T) {
 				AuthNKeys: []*AuthNKey{
 					{
 						ID:            "id-1",
+						AggregateID:   "aggId-1",
 						CreationDate:  testNow,
 						ChangeDate:    testNow,
 						ResourceOwner: "ro",
@@ -192,6 +199,7 @@ func Test_AuthNKeyPrepares(t *testing.T) {
 					},
 					{
 						ID:            "id-2",
+						AggregateID:   "aggId-2",
 						CreationDate:  testNow,
 						ChangeDate:    testNow,
 						ResourceOwner: "ro",
--- a/internal/query/projection/authn_key.go
+++ b/internal/query/projection/authn_key.go
@@ -62,6 +62,9 @@ func (*authNKeyProjection) Init() *old_handler.Check {
 			handler.NewPrimaryKey(AuthNKeyInstanceIDCol, AuthNKeyIDCol),
 			handler.WithIndex(handler.NewIndex("enabled", []string{AuthNKeyEnabledCol})),
 			handler.WithIndex(handler.NewIndex("identifier", []string{AuthNKeyIdentifierCol})),
+			handler.WithIndex(handler.NewIndex("resource_owner", []string{AuthNKeyResourceOwnerCol})),
+			handler.WithIndex(handler.NewIndex("creation_date", []string{AuthNKeyCreationDateCol})),
+			handler.WithIndex(handler.NewIndex("expiration_date", []string{AuthNKeyExpirationCol})),
 		),
 	)
 }
--- a/internal/query/projection/user_personal_access_token.go
+++ b/internal/query/projection/user_personal_access_token.go
@@ -56,6 +56,8 @@ func (*personalAccessTokenProjection) Init() *old_handler.Check {
 			handler.WithIndex(handler.NewIndex("user_id", []string{PersonalAccessTokenColumnUserID})),
 			handler.WithIndex(handler.NewIndex("resource_owner", []string{PersonalAccessTokenColumnResourceOwner})),
 			handler.WithIndex(handler.NewIndex("owner_removed", []string{PersonalAccessTokenColumnOwnerRemoved})),
+			handler.WithIndex(handler.NewIndex("creation_date", []string{PersonalAccessTokenColumnCreationDate})),
+			handler.WithIndex(handler.NewIndex("expiration_date", []string{PersonalAccessTokenColumnExpiration})),
 		),
 	)
 }
--- a/internal/query/user.go
+++ b/internal/query/user.go
@@ -132,16 +132,20 @@ func usersCheckPermission(ctx context.Context, users *Users, permissionCheck dom
 	)
 }

-func userPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled bool, queries *UserSearchQueries) sq.SelectBuilder {
+func userPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled bool, filters []SearchQuery) sq.SelectBuilder {
+	return userPermissionCheckV2WithCustomColumns(ctx, query, enabled, filters, UserResourceOwnerCol, UserIDCol)
+}
+
+func userPermissionCheckV2WithCustomColumns(ctx context.Context, query sq.SelectBuilder, enabled bool, filters []SearchQuery, userResourceOwnerCol, userID Column) sq.SelectBuilder {
 	if !enabled {
 		return query
 	}
 	join, args := PermissionClause(
 		ctx,
-		UserResourceOwnerCol,
+		userResourceOwnerCol,
 		domain.PermissionUserRead,
-		SingleOrgPermissionOption(queries.Queries),
-		OwnedRowsPermissionOption(UserIDCol),
+		SingleOrgPermissionOption(filters),
+		OwnedRowsPermissionOption(userID),
 	)
 	return query.JoinClause(join, args...)
 }
@@ -637,7 +641,7 @@ func (q *Queries) searchUsers(ctx context.Context, queries *UserSearchQueries, p
 	defer func() { span.EndWithError(err) }()

 	query, scan := prepareUsersQuery()
-	query = userPermissionCheckV2(ctx, query, permissionCheckV2, queries)
+	query = userPermissionCheckV2(ctx, query, permissionCheckV2, queries.Queries)
 	stmt, args, err := queries.toQuery(query).Where(sq.Eq{
 		UserInstanceIDCol.identifier(): authz.GetInstance(ctx).InstanceID(),
 	}).ToSql()
--- a/internal/query/user_personal_access_token.go
+++ b/internal/query/user_personal_access_token.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"database/sql"
 	"errors"
+	"slices"
 	"time"

 	sq "github.com/Masterminds/squirrel"
@@ -11,12 +12,21 @@ import (

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
 	"github.com/zitadel/zitadel/internal/query/projection"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

+func patsCheckPermission(ctx context.Context, tokens *PersonalAccessTokens, permissionCheck domain.PermissionCheck) {
+	tokens.PersonalAccessTokens = slices.DeleteFunc(tokens.PersonalAccessTokens,
+		func(token *PersonalAccessToken) bool {
+			return userCheckPermission(ctx, token.ResourceOwner, token.UserID, permissionCheck) != nil
+		},
+	)
+}
+
 var (
 	personalAccessTokensTable = table{
 		name:          projection.PersonalAccessTokenProjectionTable,
@@ -86,7 +96,7 @@ type PersonalAccessTokenSearchQueries struct {
 	Queries []SearchQuery
 }

-func (q *Queries) PersonalAccessTokenByID(ctx context.Context, shouldTriggerBulk bool, id string, withOwnerRemoved bool, queries ...SearchQuery) (pat *PersonalAccessToken, err error) {
+func (q *Queries) PersonalAccessTokenByID(ctx context.Context, shouldTriggerBulk bool, id string, queries ...SearchQuery) (pat *PersonalAccessToken, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

@@ -102,11 +112,9 @@ func (q *Queries) PersonalAccessTokenByID(ctx context.Context, shouldTriggerBulk
 		query = q.toQuery(query)
 	}
 	eq := sq.Eq{
-		PersonalAccessTokenColumnID.identifier():         id,
-		PersonalAccessTokenColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
-	}
-	if !withOwnerRemoved {
-		eq[PersonalAccessTokenColumnOwnerRemoved.identifier()] = false
+		PersonalAccessTokenColumnID.identifier():           id,
+		PersonalAccessTokenColumnInstanceID.identifier():   authz.GetInstance(ctx).InstanceID(),
+		PersonalAccessTokenColumnOwnerRemoved.identifier(): false,
 	}
 	stmt, args, err := query.Where(eq).ToSql()
 	if err != nil {
@@ -123,18 +131,34 @@ func (q *Queries) PersonalAccessTokenByID(ctx context.Context, shouldTriggerBulk
 	return pat, nil
 }

-func (q *Queries) SearchPersonalAccessTokens(ctx context.Context, queries *PersonalAccessTokenSearchQueries, withOwnerRemoved bool) (personalAccessTokens *PersonalAccessTokens, err error) {
+// SearchPersonalAccessTokens returns personal access token resources.
+// If permissionCheck is nil, the PATs are not filtered.
+// If permissionCheck is not nil and the PermissionCheckV2 feature flag is false, the returned PATs are filtered in-memory by the given permission check.
+// If permissionCheck is not nil and the PermissionCheckV2 feature flag is true, the returned PATs are filtered in the database.
+func (q *Queries) SearchPersonalAccessTokens(ctx context.Context, queries *PersonalAccessTokenSearchQueries, permissionCheck domain.PermissionCheck) (authNKeys *PersonalAccessTokens, err error) {
+	permissionCheckV2 := PermissionV2(ctx, permissionCheck)
+	keys, err := q.searchPersonalAccessTokens(ctx, queries, permissionCheckV2)
+	if err != nil {
+		return nil, err
+	}
+	if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
+		patsCheckPermission(ctx, keys, permissionCheck)
+	}
+	return keys, nil
+}
+
+func (q *Queries) searchPersonalAccessTokens(ctx context.Context, queries *PersonalAccessTokenSearchQueries, permissionCheckV2 bool) (personalAccessTokens *PersonalAccessTokens, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

 	query, scan := preparePersonalAccessTokensQuery()
+	query = queries.toQuery(query)
+	query = userPermissionCheckV2WithCustomColumns(ctx, query, permissionCheckV2, queries.Queries, PersonalAccessTokenColumnResourceOwner, PersonalAccessTokenColumnUserID)
 	eq := sq.Eq{
-		PersonalAccessTokenColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
+		PersonalAccessTokenColumnInstanceID.identifier():   authz.GetInstance(ctx).InstanceID(),
+		PersonalAccessTokenColumnOwnerRemoved.identifier(): false,
 	}
-	if !withOwnerRemoved {
-		eq[PersonalAccessTokenColumnOwnerRemoved.identifier()] = false
-	}
-	stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
+	stmt, args, err := query.Where(eq).ToSql()
 	if err != nil {
 		return nil, zerrors.ThrowInvalidArgument(err, "QUERY-Hjw2w", "Errors.Query.InvalidRequest")
 	}
@@ -160,6 +184,18 @@ func NewPersonalAccessTokenUserIDSearchQuery(value string) (SearchQuery, error)
 	return NewTextQuery(PersonalAccessTokenColumnUserID, value, TextEquals)
 }

+func NewPersonalAccessTokenIDQuery(id string) (SearchQuery, error) {
+	return NewTextQuery(PersonalAccessTokenColumnID, id, TextEquals)
+}
+
+func NewPersonalAccessTokenCreationDateQuery(ts time.Time, compare TimestampComparison) (SearchQuery, error) {
+	return NewTimestampQuery(PersonalAccessTokenColumnCreationDate, ts, compare)
+}
+
+func NewPersonalAccessTokenExpirationDateDateQuery(ts time.Time, compare TimestampComparison) (SearchQuery, error) {
+	return NewTimestampQuery(PersonalAccessTokenColumnExpiration, ts, compare)
+}
+
 func (r *PersonalAccessTokenSearchQueries) AppendMyResourceOwnerQuery(orgID string) error {
 	query, err := NewPersonalAccessTokenResourceOwnerSearchQuery(orgID)
 	if err != nil {