feat: project roles (#843)

* fix logging * token verification * feat: assert roles * feat: add project role assertion on project and token type on app * id and access token role assertion * add project role check * user grant required step in login * update library * fix merge * fix merge * fix merge * update oidc library * fix tests * add tests for GrantRequiredStep * add missing field ProjectRoleCheck on project view model * fix project create * fix project create
2025-08-12 06:07:33 +00:00 · 2020-10-16 07:49:38 +02:00
parent f5a7a0a09f
commit a321d850ae
57 changed files with 10894 additions and 18297 deletions
--- a/internal/project/repository/eventsourcing/model/project.go
+++ b/internal/project/repository/eventsourcing/model/project.go
@@ -2,7 +2,9 @@ package model

 import (
 	"encoding/json"
+
 	"github.com/caos/logging"
+
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/project/model"
 )
@@ -13,12 +15,14 @@ const (

 type Project struct {
 	es_models.ObjectRoot
-	Name         string           `json:"name,omitempty"`
-	State        int32            `json:"-"`
-	Members      []*ProjectMember `json:"-"`
-	Roles        []*ProjectRole   `json:"-"`
-	Applications []*Application   `json:"-"`
-	Grants       []*ProjectGrant  `json:"-"`
+	Name                 string           `json:"name,omitempty"`
+	ProjectRoleAssertion bool             `json:"projectRoleAssertion,omitempty"`
+	ProjectRoleCheck     bool             `json:"projectRoleCheck,omitempty"`
+	State                int32            `json:"-"`
+	Members              []*ProjectMember `json:"-"`
+	Roles                []*ProjectRole   `json:"-"`
+	Applications         []*Application   `json:"-"`
+	Grants               []*ProjectGrant  `json:"-"`
 }

 func GetProject(projects []*Project, id string) (int, *Project) {
@@ -35,6 +39,12 @@ func (p *Project) Changes(changed *Project) map[string]interface{} {
 	if changed.Name != "" && p.Name != changed.Name {
 		changes["name"] = changed.Name
 	}
+	if p.ProjectRoleAssertion != changed.ProjectRoleAssertion {
+		changes["projectRoleAssertion"] = changed.ProjectRoleAssertion
+	}
+	if p.ProjectRoleCheck != changed.ProjectRoleCheck {
+		changes["projectRoleCheck"] = changed.ProjectRoleCheck
+	}
 	return changes
 }

@@ -44,13 +54,15 @@ func ProjectFromModel(project *model.Project) *Project {
 	apps := AppsFromModel(project.Applications)
 	grants := GrantsFromModel(project.Grants)
 	return &Project{
-		ObjectRoot:   project.ObjectRoot,
-		Name:         project.Name,
-		State:        int32(project.State),
-		Members:      members,
-		Roles:        roles,
-		Applications: apps,
-		Grants:       grants,
+		ObjectRoot:           project.ObjectRoot,
+		Name:                 project.Name,
+		ProjectRoleAssertion: project.ProjectRoleAssertion,
+		ProjectRoleCheck:     project.ProjectRoleCheck,
+		State:                int32(project.State),
+		Members:              members,
+		Roles:                roles,
+		Applications:         apps,
+		Grants:               grants,
 	}
 }

@@ -60,13 +72,15 @@ func ProjectToModel(project *Project) *model.Project {
 	apps := AppsToModel(project.Applications)
 	grants := GrantsToModel(project.Grants)
 	return &model.Project{
-		ObjectRoot:   project.ObjectRoot,
-		Name:         project.Name,
-		State:        model.ProjectState(project.State),
-		Members:      members,
-		Roles:        roles,
-		Applications: apps,
-		Grants:       grants,
+		ObjectRoot:           project.ObjectRoot,
+		Name:                 project.Name,
+		ProjectRoleAssertion: project.ProjectRoleAssertion,
+		ProjectRoleCheck:     project.ProjectRoleCheck,
+		State:                model.ProjectState(project.State),
+		Members:              members,
+		Roles:                roles,
+		Applications:         apps,
+		Grants:               grants,
 	}
 }