feat: project roles (#843)

* fix logging * token verification * feat: assert roles * feat: add project role assertion on project and token type on app * id and access token role assertion * add project role check * user grant required step in login * update library * fix merge * fix merge * fix merge * update oidc library * fix tests * add tests for GrantRequiredStep * add missing field ProjectRoleCheck on project view model * fix project create * fix project create
2025-08-12 04:57:33 +00:00 · 2020-10-16 07:49:38 +02:00
parent f5a7a0a09f
commit a321d850ae
57 changed files with 10894 additions and 18297 deletions
--- a/internal/auth/repository/eventsourcing/view/application.go
+++ b/internal/auth/repository/eventsourcing/view/application.go
@@ -18,16 +18,28 @@ func (v *View) ApplicationByID(projectID, appID string) (*model.ApplicationView,
 	return view.ApplicationByID(v.Db, applicationTable, projectID, appID)
 }

+func (v *View) ApplicationsByProjectID(projectID string) ([]*model.ApplicationView, error) {
+	return view.ApplicationsByProjectID(v.Db, applicationTable, projectID)
+}
+
 func (v *View) SearchApplications(request *proj_model.ApplicationSearchRequest) ([]*model.ApplicationView, uint64, error) {
 	return view.SearchApplications(v.Db, applicationTable, request)
 }

-func (v *View) PutApplication(project *model.ApplicationView) error {
-	err := view.PutApplication(v.Db, applicationTable, project)
+func (v *View) PutApplication(app *model.ApplicationView) error {
+	err := view.PutApplication(v.Db, applicationTable, app)
 	if err != nil {
 		return err
 	}
-	return v.ProcessedApplicationSequence(project.Sequence)
+	return v.ProcessedApplicationSequence(app.Sequence)
+}
+
+func (v *View) PutApplications(apps []*model.ApplicationView, sequence uint64) error {
+	err := view.PutApplications(v.Db, applicationTable, apps...)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedApplicationSequence(sequence)
 }

 func (v *View) DeleteApplication(appID string, eventSequence uint64) error {
@@ -38,6 +50,10 @@ func (v *View) DeleteApplication(appID string, eventSequence uint64) error {
 	return v.ProcessedApplicationSequence(eventSequence)
 }

+func (v *View) DeleteApplicationsByProjectID(projectID string) error {
+	return view.DeleteApplicationsByProjectID(v.Db, applicationTable, projectID)
+}
+
 func (v *View) GetLatestApplicationSequence() (*repository.CurrentSequence, error) {
 	return v.latestSequence(applicationTable)
 }
@@ -55,24 +71,7 @@ func (v *View) ProcessedApplicationFailedEvent(failedEvent *repository.FailedEve
 }

 func (v *View) ApplicationByClientID(_ context.Context, clientID string) (*model.ApplicationView, error) {
-	req := &proj_model.ApplicationSearchRequest{
-		Limit: 1,
-		Queries: []*proj_model.ApplicationSearchQuery{
-			{
-				Key:    proj_model.AppSearchKeyOIDCClientID,
-				Method: global_model.SearchMethodEquals,
-				Value:  clientID,
-			},
-		},
-	}
-	apps, count, err := view.SearchApplications(v.Db, applicationTable, req)
-	if err != nil {
-		return nil, errors.ThrowPreconditionFailed(err, "VIEW-sd6JQ", "cannot find client")
-	}
-	if count != 1 {
-		return nil, errors.ThrowPreconditionFailed(nil, "VIEW-dfw3as", "cannot find client")
-	}
-	return apps[0], nil
+	return view.ApplicationByOIDCClientID(v.Db, applicationTable, clientID)
 }

 func (v *View) AppIDsFromProjectByClientID(ctx context.Context, clientID string) ([]string, error) {
@@ -102,3 +101,27 @@ func (v *View) AppIDsFromProjectByClientID(ctx context.Context, clientID string)
 	}
 	return ids, nil
 }
+
+func (v *View) AppIDsFromProjectID(ctx context.Context, projectID string) ([]string, error) {
+	req := &proj_model.ApplicationSearchRequest{
+		Queries: []*proj_model.ApplicationSearchQuery{
+			{
+				Key:    proj_model.AppSearchKeyProjectID,
+				Method: global_model.SearchMethodEquals,
+				Value:  projectID,
+			},
+		},
+	}
+	apps, _, err := view.SearchApplications(v.Db, applicationTable, req)
+	if err != nil {
+		return nil, errors.ThrowPreconditionFailed(err, "VIEW-Gd24q", "cannot find applications")
+	}
+	ids := make([]string, 0, len(apps))
+	for _, app := range apps {
+		if !app.IsOIDC {
+			continue
+		}
+		ids = append(ids, app.OIDCClientID)
+	}
+	return ids, nil
+}
--- a/internal/auth/repository/eventsourcing/view/project_role.go
+++ b/internal/auth/repository/eventsourcing/view/project_role.go
@@ -0,0 +1,68 @@
+package view
+
+import (
+	proj_model "github.com/caos/zitadel/internal/project/model"
+	"github.com/caos/zitadel/internal/project/repository/view"
+	"github.com/caos/zitadel/internal/project/repository/view/model"
+	"github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	projectRoleTable = "auth.project_roles"
+)
+
+func (v *View) ProjectRoleByIDs(projectID, orgID, key string) (*model.ProjectRoleView, error) {
+	return view.ProjectRoleByIDs(v.Db, projectRoleTable, projectID, orgID, key)
+}
+
+func (v *View) ProjectRolesByProjectID(projectID string) ([]*model.ProjectRoleView, error) {
+	return view.ProjectRolesByProjectID(v.Db, projectRoleTable, projectID)
+}
+
+func (v *View) ResourceOwnerProjectRolesByKey(projectID, resourceowner, key string) ([]*model.ProjectRoleView, error) {
+	return view.ResourceOwnerProjectRolesByKey(v.Db, projectRoleTable, projectID, resourceowner, key)
+}
+
+func (v *View) ResourceOwnerProjectRoles(projectID, resourceowner string) ([]*model.ProjectRoleView, error) {
+	return view.ResourceOwnerProjectRoles(v.Db, projectRoleTable, projectID, resourceowner)
+}
+
+func (v *View) SearchProjectRoles(request *proj_model.ProjectRoleSearchRequest) ([]*model.ProjectRoleView, uint64, error) {
+	return view.SearchProjectRoles(v.Db, projectRoleTable, request)
+}
+
+func (v *View) PutProjectRole(project *model.ProjectRoleView) error {
+	err := view.PutProjectRole(v.Db, projectRoleTable, project)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedProjectRoleSequence(project.Sequence)
+}
+
+func (v *View) DeleteProjectRole(projectID, orgID, key string, eventSequence uint64) error {
+	err := view.DeleteProjectRole(v.Db, projectRoleTable, projectID, orgID, key)
+	if err != nil {
+		return nil
+	}
+	return v.ProcessedProjectRoleSequence(eventSequence)
+}
+
+func (v *View) DeleteProjectRolesByProjectID(projectID string) error {
+	return view.DeleteProjectRolesByProjectID(v.Db, projectRoleTable, projectID)
+}
+
+func (v *View) GetLatestProjectRoleSequence() (*repository.CurrentSequence, error) {
+	return v.latestSequence(projectRoleTable)
+}
+
+func (v *View) ProcessedProjectRoleSequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(projectRoleTable, eventSequence)
+}
+
+func (v *View) GetLatestProjectRoleFailedEvent(sequence uint64) (*repository.FailedEvent, error) {
+	return v.latestFailedEvent(projectRoleTable, sequence)
+}
+
+func (v *View) ProcessedProjectRoleFailedEvent(failedEvent *repository.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}
--- a/internal/auth/repository/eventsourcing/view/user_membership.go
+++ b/internal/auth/repository/eventsourcing/view/user_membership.go
@@ -36,7 +36,7 @@ func (v *View) PutUserMembership(membership *model.UserMembershipView, sequence
 }

 func (v *View) BulkPutUserMemberships(memberships []*model.UserMembershipView, sequence uint64) error {
-	err := view.PutUserMemberships(v.Db, userTable, memberships...)
+	err := view.PutUserMemberships(v.Db, userMembershipTable, memberships...)
 	if err != nil {
 		return err
 	}