feat: project roles (#843)

* fix logging * token verification * feat: assert roles * feat: add project role assertion on project and token type on app * id and access token role assertion * add project role check * user grant required step in login * update library * fix merge * fix merge * fix merge * update oidc library * fix tests * add tests for GrantRequiredStep * add missing field ProjectRoleCheck on project view model * fix project create * fix project create
2025-08-12 03:37:34 +00:00 · 2020-10-16 07:49:38 +02:00
parent f5a7a0a09f
commit a321d850ae
57 changed files with 10894 additions and 18297 deletions
--- a/internal/auth/repository/eventsourcing/handler/application.go
+++ b/internal/auth/repository/eventsourcing/handler/application.go
@@ -52,11 +52,27 @@ func (p *Application) Reduce(event *models.Event) (err error) {
 		}
 		err = app.AppendEvent(event)
 	case es_model.ApplicationRemoved:
-		err := app.SetData(event)
+		err = app.SetData(event)
 		if err != nil {
 			return err
 		}
 		return p.view.DeleteApplication(app.ID, event.Sequence)
+	case es_model.ProjectChanged:
+		apps, err := p.view.ApplicationsByProjectID(event.AggregateID)
+		if err != nil {
+			return err
+		}
+		if len(apps) == 0 {
+			return p.view.ProcessedApplicationSequence(event.Sequence)
+		}
+		for _, app := range apps {
+			if err := app.AppendEvent(event); err != nil {
+				return err
+			}
+		}
+		return p.view.PutApplications(apps, event.Sequence)
+	case es_model.ProjectRemoved:
+		return p.view.DeleteApplicationsByProjectID(event.AggregateID)
 	default:
 		return p.view.ProcessedApplicationSequence(event.Sequence)
 	}
--- a/internal/auth/repository/eventsourcing/handler/handler.go
+++ b/internal/auth/repository/eventsourcing/handler/handler.go
@@ -60,6 +60,7 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, ev
 		&ExternalIDP{handler: handler{view, bulkLimit, configs.cycleDuration("ExternalIDP"), errorCount}, systemDefaults: systemDefaults, orgEvents: repos.OrgEvents, iamEvents: repos.IamEvents},
 		&PasswordComplexityPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("PasswordComplexityPolicy"), errorCount}},
 		&OrgIAMPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("OrgIAMPolicy"), errorCount}},
+		&ProjectRole{handler: handler{view, bulkLimit, configs.cycleDuration("ProjectRole"), errorCount}, projectEvents: repos.ProjectEvents},
 	}
 }

--- a/internal/auth/repository/eventsourcing/handler/project_role.go
+++ b/internal/auth/repository/eventsourcing/handler/project_role.go
@@ -0,0 +1,70 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	"github.com/caos/zitadel/internal/project/repository/eventsourcing"
+	proj_event "github.com/caos/zitadel/internal/project/repository/eventsourcing"
+	es_model "github.com/caos/zitadel/internal/project/repository/eventsourcing/model"
+	view_model "github.com/caos/zitadel/internal/project/repository/view/model"
+)
+
+type ProjectRole struct {
+	handler
+	projectEvents *proj_event.ProjectEventstore
+}
+
+const (
+	projectRoleTable = "auth.project_roles"
+)
+
+func (p *ProjectRole) ViewModel() string {
+	return projectRoleTable
+}
+
+func (p *ProjectRole) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := p.view.GetLatestProjectRoleSequence()
+	if err != nil {
+		return nil, err
+	}
+	return eventsourcing.ProjectQuery(sequence.CurrentSequence), nil
+}
+
+func (p *ProjectRole) Reduce(event *models.Event) (err error) {
+	role := new(view_model.ProjectRoleView)
+	switch event.Type {
+	case es_model.ProjectRoleAdded:
+		err = role.AppendEvent(event)
+	case es_model.ProjectRoleChanged:
+		err = role.SetData(event)
+		if err != nil {
+			return err
+		}
+		role, err = p.view.ProjectRoleByIDs(event.AggregateID, event.ResourceOwner, role.Key)
+		if err != nil {
+			return err
+		}
+		err = role.AppendEvent(event)
+	case es_model.ProjectRoleRemoved:
+		err = role.SetData(event)
+		if err != nil {
+			return err
+		}
+		return p.view.DeleteProjectRole(event.AggregateID, event.ResourceOwner, role.Key, event.Sequence)
+	case es_model.ProjectRemoved:
+		return p.view.DeleteProjectRolesByProjectID(event.AggregateID)
+	default:
+		return p.view.ProcessedProjectRoleSequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return p.view.PutProjectRole(role)
+}
+
+func (p *ProjectRole) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-lso9w", "id", event.AggregateID).WithError(err).Warn("something went wrong in project role handler")
+	return spooler.HandleError(event, err, p.view.GetLatestProjectRoleFailedEvent, p.view.ProcessedProjectRoleFailedEvent, p.view.ProcessedProjectRoleSequence, p.errorCountUntilSkip)
+}
--- a/internal/auth/repository/eventsourcing/handler/user_grant.go
+++ b/internal/auth/repository/eventsourcing/handler/user_grant.go
@@ -354,6 +354,12 @@ func (u *UserGrant) fillProjectData(grant *view_model.UserGrantView, project *pr

 func (u *UserGrant) fillOrgData(grant *view_model.UserGrantView, org *org_model.Org) {
 	grant.OrgName = org.Name
+	for _, domain := range org.Domains {
+		if domain.Primary {
+			grant.OrgPrimaryDomain = domain.Domain
+			break
+		}
+	}
 }

 func (u *UserGrant) OnError(event *models.Event, err error) error {
--- a/internal/auth/repository/eventsourcing/handler/user_membership.go
+++ b/internal/auth/repository/eventsourcing/handler/user_membership.go
@@ -107,7 +107,7 @@ func (m *UserMembership) processOrg(event *models.Event) (err error) {
 	case org_es_model.OrgMemberRemoved:
 		return m.view.DeleteUserMembership(member.UserID, event.AggregateID, event.AggregateID, usr_model.MemberTypeOrganisation, event.Sequence)
 	case org_es_model.OrgChanged:
-		err = m.updateOrgName(event)
+		return m.updateOrgName(event)
 	default:
 		return m.view.ProcessedUserMembershipSequence(event.Sequence)
 	}
@@ -178,7 +178,7 @@ func (m *UserMembership) processProject(event *models.Event) (err error) {
 	case proj_es_model.ProjectGrantMemberRemoved:
 		return m.view.DeleteUserMembership(member.UserID, event.AggregateID, member.ObjectID, usr_model.MemberTypeProjectGrant, event.Sequence)
 	case proj_es_model.ProjectChanged:
-		err = m.updateProjectDisplayName(event)
+		return m.updateProjectDisplayName(event)
 	case proj_es_model.ProjectRemoved:
 		return m.view.DeleteUserMembershipsByAggregateID(event.AggregateID, event.Sequence)
 	case proj_es_model.ProjectGrantRemoved:
@@ -227,6 +227,6 @@ func (m *UserMembership) processUser(event *models.Event) (err error) {
 }

 func (m *UserMembership) OnError(event *models.Event, err error) error {
-	logging.LogWithFields("SPOOL-Ms3fj", "id", event.AggregateID).WithError(err).Warn("something went wrong in orgmember handler")
+	logging.LogWithFields("SPOOL-Ms3fj", "id", event.AggregateID).WithError(err).Warn("something went wrong in user membership handler")
 	return spooler.HandleError(event, err, m.view.GetLatestUserMembershipFailedEvent, m.view.ProcessedUserMembershipFailedEvent, m.view.ProcessedUserMembershipSequence, m.errorCountUntilSkip)
 }