feat: user api requests to resource API (#9794)

# Which Problems Are Solved This pull request addresses a significant gap in the user service v2 API, which currently lacks methods for managing machine users. # How the Problems Are Solved This PR adds new API endpoints to the user service v2 to manage machine users including their secret, keys and personal access tokens. Additionally, there's now a CreateUser and UpdateUser endpoints which allow to create either a human or machine user and update them. The existing `CreateHumanUser` endpoint has been deprecated along the corresponding management service endpoints. For details check the additional context section. # Additional Context - Closes https://github.com/zitadel/zitadel/issues/9349 ## More details - API changes: https://github.com/zitadel/zitadel/pull/9680 - Implementation: https://github.com/zitadel/zitadel/pull/9763 - Tests: https://github.com/zitadel/zitadel/pull/9771 ## Follow-ups - Metadata: support managing user metadata using resource API https://github.com/zitadel/zitadel/pull/10005 - Machine token type: support managing the machine token type (migrate to new enum with zero value unspecified?) --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 20:37:30 +00:00 · 2025-06-04 09:17:23 +02:00
parent e2a61a6002
commit 8fc11a7366
86 changed files with 7033 additions and 536 deletions
--- a/internal/query/authn_key.go
+++ b/internal/query/authn_key.go
@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	_ "embed"
 	"errors"
+	"slices"
 	"time"

 	sq "github.com/Masterminds/squirrel"
@@ -18,6 +19,14 @@ import (
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

+func keysCheckPermission(ctx context.Context, keys *AuthNKeys, permissionCheck domain.PermissionCheck) {
+	keys.AuthNKeys = slices.DeleteFunc(keys.AuthNKeys,
+		func(key *AuthNKey) bool {
+			return userCheckPermission(ctx, key.ResourceOwner, key.AggregateID, permissionCheck) != nil
+		},
+	)
+}
+
 var (
 	authNKeyTable = table{
 		name:          projection.AuthNKeyTable,
@@ -84,6 +93,7 @@ type AuthNKeys struct {

 type AuthNKey struct {
 	ID            string
+	AggregateID   string
 	CreationDate  time.Time
 	ChangeDate    time.Time
 	ResourceOwner string
@@ -124,12 +134,47 @@ func (q *AuthNKeySearchQueries) toQuery(query sq.SelectBuilder) sq.SelectBuilder
 	return query
 }

-func (q *Queries) SearchAuthNKeys(ctx context.Context, queries *AuthNKeySearchQueries, withOwnerRemoved bool) (authNKeys *AuthNKeys, err error) {
+type JoinFilter int
+
+const (
+	JoinFilterUnspecified JoinFilter = iota
+	JoinFilterApp
+	JoinFilterUserMachine
+)
+
+// SearchAuthNKeys returns machine or app keys, depending on the join filter.
+// If permissionCheck is nil, the keys are not filtered.
+// If permissionCheck is not nil and the PermissionCheckV2 feature flag is false, the returned keys are filtered in-memory by the given permission check.
+// If permissionCheck is not nil and the PermissionCheckV2 feature flag is true, the returned keys are filtered in the database.
+func (q *Queries) SearchAuthNKeys(ctx context.Context, queries *AuthNKeySearchQueries, filter JoinFilter, permissionCheck domain.PermissionCheck) (authNKeys *AuthNKeys, err error) {
+	permissionCheckV2 := PermissionV2(ctx, permissionCheck)
+	keys, err := q.searchAuthNKeys(ctx, queries, filter, permissionCheckV2)
+	if err != nil {
+		return nil, err
+	}
+	if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
+		keysCheckPermission(ctx, keys, permissionCheck)
+	}
+	return keys, nil
+}
+
+func (q *Queries) searchAuthNKeys(ctx context.Context, queries *AuthNKeySearchQueries, joinFilter JoinFilter, permissionCheckV2 bool) (authNKeys *AuthNKeys, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

 	query, scan := prepareAuthNKeysQuery()
 	query = queries.toQuery(query)
+	switch joinFilter {
+	case JoinFilterUnspecified:
+		// Select all authN keys
+	case JoinFilterApp:
+		joinCol := ProjectColumnID
+		query = query.Join(joinCol.table.identifier() + " ON " + AuthNKeyColumnIdentifier.identifier() + " = " + joinCol.identifier())
+	case JoinFilterUserMachine:
+		joinCol := MachineUserIDCol
+		query = query.Join(joinCol.table.identifier() + " ON " + AuthNKeyColumnIdentifier.identifier() + " = " + joinCol.identifier())
+		query = userPermissionCheckV2WithCustomColumns(ctx, query, permissionCheckV2, queries.Queries, AuthNKeyColumnResourceOwner, AuthNKeyColumnIdentifier)
+	}
 	eq := sq.Eq{
 		AuthNKeyColumnEnabled.identifier():    true,
 		AuthNKeyColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
@@ -249,6 +294,22 @@ func NewAuthNKeyObjectIDQuery(id string) (SearchQuery, error) {
 	return NewTextQuery(AuthNKeyColumnObjectID, id, TextEquals)
 }

+func NewAuthNKeyIDQuery(id string) (SearchQuery, error) {
+	return NewTextQuery(AuthNKeyColumnID, id, TextEquals)
+}
+
+func NewAuthNKeyIdentifyerQuery(id string) (SearchQuery, error) {
+	return NewTextQuery(AuthNKeyColumnIdentifier, id, TextEquals)
+}
+
+func NewAuthNKeyCreationDateQuery(ts time.Time, compare TimestampComparison) (SearchQuery, error) {
+	return NewTimestampQuery(AuthNKeyColumnCreationDate, ts, compare)
+}
+
+func NewAuthNKeyExpirationDateDateQuery(ts time.Time, compare TimestampComparison) (SearchQuery, error) {
+	return NewTimestampQuery(AuthNKeyColumnExpiration, ts, compare)
+}
+
 //go:embed authn_key_user.sql
 var authNKeyUserQuery string

@@ -288,49 +349,52 @@ func (q *Queries) GetAuthNKeyUser(ctx context.Context, keyID, userID string) (_
 }

 func prepareAuthNKeysQuery() (sq.SelectBuilder, func(rows *sql.Rows) (*AuthNKeys, error)) {
-	return sq.Select(
-			AuthNKeyColumnID.identifier(),
-			AuthNKeyColumnCreationDate.identifier(),
-			AuthNKeyColumnChangeDate.identifier(),
-			AuthNKeyColumnResourceOwner.identifier(),
-			AuthNKeyColumnSequence.identifier(),
-			AuthNKeyColumnExpiration.identifier(),
-			AuthNKeyColumnType.identifier(),
-			countColumn.identifier(),
-		).From(authNKeyTable.identifier()).
-			PlaceholderFormat(sq.Dollar),
-		func(rows *sql.Rows) (*AuthNKeys, error) {
-			authNKeys := make([]*AuthNKey, 0)
-			var count uint64
-			for rows.Next() {
-				authNKey := new(AuthNKey)
-				err := rows.Scan(
-					&authNKey.ID,
-					&authNKey.CreationDate,
-					&authNKey.ChangeDate,
-					&authNKey.ResourceOwner,
-					&authNKey.Sequence,
-					&authNKey.Expiration,
-					&authNKey.Type,
-					&count,
-				)
-				if err != nil {
-					return nil, err
-				}
-				authNKeys = append(authNKeys, authNKey)
-			}
+	query := sq.Select(
+		AuthNKeyColumnID.identifier(),
+		AuthNKeyColumnAggregateID.identifier(),
+		AuthNKeyColumnCreationDate.identifier(),
+		AuthNKeyColumnChangeDate.identifier(),
+		AuthNKeyColumnResourceOwner.identifier(),
+		AuthNKeyColumnSequence.identifier(),
+		AuthNKeyColumnExpiration.identifier(),
+		AuthNKeyColumnType.identifier(),
+		countColumn.identifier(),
+	).From(authNKeyTable.identifier()).
+		PlaceholderFormat(sq.Dollar)

-			if err := rows.Close(); err != nil {
-				return nil, zerrors.ThrowInternal(err, "QUERY-Dgfn3", "Errors.Query.CloseRows")
+	return query, func(rows *sql.Rows) (*AuthNKeys, error) {
+		authNKeys := make([]*AuthNKey, 0)
+		var count uint64
+		for rows.Next() {
+			authNKey := new(AuthNKey)
+			err := rows.Scan(
+				&authNKey.ID,
+				&authNKey.AggregateID,
+				&authNKey.CreationDate,
+				&authNKey.ChangeDate,
+				&authNKey.ResourceOwner,
+				&authNKey.Sequence,
+				&authNKey.Expiration,
+				&authNKey.Type,
+				&count,
+			)
+			if err != nil {
+				return nil, err
 			}
-
-			return &AuthNKeys{
-				AuthNKeys: authNKeys,
-				SearchResponse: SearchResponse{
-					Count: count,
-				},
-			}, nil
+			authNKeys = append(authNKeys, authNKey)
 		}
+
+		if err := rows.Close(); err != nil {
+			return nil, zerrors.ThrowInternal(err, "QUERY-Dgfn3", "Errors.Query.CloseRows")
+		}
+
+		return &AuthNKeys{
+			AuthNKeys: authNKeys,
+			SearchResponse: SearchResponse{
+				Count: count,
+			},
+		}, nil
+	}
 }

 func prepareAuthNKeyQuery() (sq.SelectBuilder, func(row *sql.Row) (*AuthNKey, error)) {