fix(auth): switch project role requests to query pkg (#2613)
This commit is contained in:
parent
3a7d68fccd
commit
a34ca05691
@ -14,6 +14,7 @@ import (
|
|||||||
"github.com/caos/zitadel/internal/api/http/middleware"
|
"github.com/caos/zitadel/internal/api/http/middleware"
|
||||||
"github.com/caos/zitadel/internal/errors"
|
"github.com/caos/zitadel/internal/errors"
|
||||||
proj_model "github.com/caos/zitadel/internal/project/model"
|
proj_model "github.com/caos/zitadel/internal/project/model"
|
||||||
|
"github.com/caos/zitadel/internal/query"
|
||||||
"github.com/caos/zitadel/internal/telemetry/tracing"
|
"github.com/caos/zitadel/internal/telemetry/tracing"
|
||||||
grant_model "github.com/caos/zitadel/internal/usergrant/model"
|
grant_model "github.com/caos/zitadel/internal/usergrant/model"
|
||||||
)
|
)
|
||||||
@ -213,11 +214,15 @@ func (o *OPStorage) assertProjectRoleScopes(app *proj_model.ApplicationView, sco
|
|||||||
return scopes, nil
|
return scopes, nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
roles, err := o.repo.ProjectRolesByProjectID(app.ProjectID)
|
projectIDQuery, err := query.NewProjectRoleProjectIDSearchQuery(app.ProjectID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.ThrowInternal(err, "OIDC-Cyc78", "Errors.Internal")
|
||||||
|
}
|
||||||
|
roles, err := o.query.SearchProjectRoles(context.TODO(), &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
for _, role := range roles {
|
for _, role := range roles.ProjectRoles {
|
||||||
scopes = append(scopes, ScopeProjectRolePrefix+role.Key)
|
scopes = append(scopes, ScopeProjectRolePrefix+role.Key)
|
||||||
}
|
}
|
||||||
return scopes, nil
|
return scopes, nil
|
||||||
|
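Review bot: The new `o.query.SearchProjectRoles(context.TODO(), …)` call drops cancellation, deadlines and any tracing/telemetry span that the request carried, because `assertProjectRoleScopes` has no `ctx` parameter to forward (its signature on the hunk header shows only `app` and the scopes). Since this runs inside the OIDC authorization path, consider threading a `ctx context.Context` through the method and passing it instead of `context.TODO()`; the tip sheet's rule is that a context should be the first parameter whenever one is available. Also note the asymmetry: a failing `NewProjectRoleProjectIDSearchQuery` is wrapped as `errors.ThrowInternal(err, "OIDC-Cyc78", "Errors.Internal")`, while a failing search is returned raw with `return nil, err` — if the database error text should not surface to the OIDC layer, wrap it the same way. The enclosing function starts before this hunk.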
@ -17,6 +17,7 @@ import (
|
|||||||
"github.com/caos/zitadel/internal/crypto"
|
"github.com/caos/zitadel/internal/crypto"
|
||||||
"github.com/caos/zitadel/internal/errors"
|
"github.com/caos/zitadel/internal/errors"
|
||||||
proj_model "github.com/caos/zitadel/internal/project/model"
|
proj_model "github.com/caos/zitadel/internal/project/model"
|
||||||
|
"github.com/caos/zitadel/internal/query"
|
||||||
"github.com/caos/zitadel/internal/telemetry/tracing"
|
"github.com/caos/zitadel/internal/telemetry/tracing"
|
||||||
user_model "github.com/caos/zitadel/internal/user/model"
|
user_model "github.com/caos/zitadel/internal/user/model"
|
||||||
grant_model "github.com/caos/zitadel/internal/usergrant/model"
|
grant_model "github.com/caos/zitadel/internal/usergrant/model"
|
||||||
@ -43,12 +44,16 @@ func (o *OPStorage) GetClientByClientID(ctx context.Context, id string) (_ op.Cl
|
|||||||
if client.State != proj_model.AppStateActive {
|
if client.State != proj_model.AppStateActive {
|
||||||
return nil, errors.ThrowPreconditionFailed(nil, "OIDC-sdaGg", "client is not active")
|
return nil, errors.ThrowPreconditionFailed(nil, "OIDC-sdaGg", "client is not active")
|
||||||
}
|
}
|
||||||
projectRoles, err := o.repo.ProjectRolesByProjectID(client.ProjectID)
|
projectIDQuery, err := query.NewProjectRoleProjectIDSearchQuery(client.ProjectID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.ThrowInternal(err, "OIDC-mPxqP", "Errors.Internal")
|
||||||
|
}
|
||||||
|
projectRoles, err := o.query.SearchProjectRoles(context.TODO(), &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
allowedScopes := make([]string, len(projectRoles))
|
allowedScopes := make([]string, len(projectRoles.ProjectRoles))
|
||||||
for i, role := range projectRoles {
|
for i, role := range projectRoles.ProjectRoles {
|
||||||
allowedScopes[i] = ScopeProjectRolePrefix + role.Key
|
allowedScopes[i] = ScopeProjectRolePrefix + role.Key
|
||||||
}
|
}
|
||||||
return ClientFromBusiness(client, o.defaultLoginURL, o.defaultAccessTokenLifetime, o.defaultIdTokenLifetime, allowedScopes)
|
return ClientFromBusiness(client, o.defaultLoginURL, o.defaultAccessTokenLifetime, o.defaultIdTokenLifetime, allowedScopes)
|
||||||
|
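Review bot: `GetClientByClientID` already receives `ctx context.Context` (see the hunk header), yet the new search is issued with `context.TODO()`, so request cancellation, deadlines and tracing do not reach the projection query; change it to `projectRoles, err := o.query.SearchProjectRoles(ctx, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})`. This lookup also feeds `allowedScopes`, which is handed to `ClientFromBusiness` and presumably acts as the client's scope allow-list, so it is worth confirming that the query-package result contains every role of the project that the removed `auth.project_roles` view used to return (the new path goes through the generic `query` package, whose default filters are not visible here). The raw `return nil, err` after the search bypasses the `errors.ThrowInternal` wrapping applied to the query-construction error two lines above; consider treating both failures alike.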
@ -1,19 +0,0 @@
|
|||||||
package eventstore
|
|
||||||
|
|
||||||
import (
|
|
||||||
"github.com/caos/zitadel/internal/auth/repository/eventsourcing/view"
|
|
||||||
"github.com/caos/zitadel/internal/project/model"
|
|
||||||
proj_view_model "github.com/caos/zitadel/internal/project/repository/view/model"
|
|
||||||
)
|
|
||||||
|
|
||||||
type ProjectRepo struct {
|
|
||||||
View *view.View
|
|
||||||
}
|
|
||||||
|
|
||||||
func (a *ApplicationRepo) ProjectRolesByProjectID(projectID string) ([]*model.ProjectRoleView, error) {
|
|
||||||
roles, err := a.View.ProjectRolesByProjectID(projectID)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return proj_view_model.ProjectRolesToModel(roles), nil
|
|
||||||
}
|
|
@ -58,7 +58,6 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es
|
|||||||
newExternalIDP(
|
newExternalIDP(
|
||||||
handler{view, bulkLimit, configs.cycleDuration("ExternalIDP"), errorCount, es},
|
handler{view, bulkLimit, configs.cycleDuration("ExternalIDP"), errorCount, es},
|
||||||
systemDefaults),
|
systemDefaults),
|
||||||
newProjectRole(handler{view, bulkLimit, configs.cycleDuration("ProjectRole"), errorCount, es}),
|
|
||||||
newLabelPolicy(handler{view, bulkLimit, configs.cycleDuration("LabelPolicy"), errorCount, es}),
|
newLabelPolicy(handler{view, bulkLimit, configs.cycleDuration("LabelPolicy"), errorCount, es}),
|
||||||
newFeatures(handler{view, bulkLimit, configs.cycleDuration("Features"), errorCount, es}),
|
newFeatures(handler{view, bulkLimit, configs.cycleDuration("Features"), errorCount, es}),
|
||||||
newRefreshToken(handler{view, bulkLimit, configs.cycleDuration("RefreshToken"), errorCount, es}),
|
newRefreshToken(handler{view, bulkLimit, configs.cycleDuration("RefreshToken"), errorCount, es}),
|
||||||
|
@ -1,116 +0,0 @@
|
|||||||
package handler
|
|
||||||
|
|
||||||
import (
|
|
||||||
"github.com/caos/logging"
|
|
||||||
"github.com/caos/zitadel/internal/eventstore/v1"
|
|
||||||
|
|
||||||
es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
|
|
||||||
"github.com/caos/zitadel/internal/eventstore/v1/query"
|
|
||||||
"github.com/caos/zitadel/internal/eventstore/v1/spooler"
|
|
||||||
"github.com/caos/zitadel/internal/project/repository/eventsourcing/model"
|
|
||||||
proj_view "github.com/caos/zitadel/internal/project/repository/view"
|
|
||||||
view_model "github.com/caos/zitadel/internal/project/repository/view/model"
|
|
||||||
)
|
|
||||||
|
|
||||||
const (
|
|
||||||
projectRoleTable = "auth.project_roles"
|
|
||||||
)
|
|
||||||
|
|
||||||
type ProjectRole struct {
|
|
||||||
handler
|
|
||||||
subscription *v1.Subscription
|
|
||||||
}
|
|
||||||
|
|
||||||
func newProjectRole(
|
|
||||||
handler handler,
|
|
||||||
) *ProjectRole {
|
|
||||||
h := &ProjectRole{
|
|
||||||
handler: handler,
|
|
||||||
}
|
|
||||||
|
|
||||||
h.subscribe()
|
|
||||||
|
|
||||||
return h
|
|
||||||
}
|
|
||||||
|
|
||||||
func (k *ProjectRole) subscribe() {
|
|
||||||
k.subscription = k.es.Subscribe(k.AggregateTypes()...)
|
|
||||||
go func() {
|
|
||||||
for event := range k.subscription.Events {
|
|
||||||
query.ReduceEvent(k, event)
|
|
||||||
}
|
|
||||||
}()
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) ViewModel() string {
|
|
||||||
return projectRoleTable
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) Subscription() *v1.Subscription {
|
|
||||||
return p.subscription
|
|
||||||
}
|
|
||||||
|
|
||||||
func (_ *ProjectRole) AggregateTypes() []es_models.AggregateType {
|
|
||||||
return []es_models.AggregateType{model.ProjectAggregate}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) CurrentSequence() (uint64, error) {
|
|
||||||
sequence, err := p.view.GetLatestProjectRoleSequence()
|
|
||||||
if err != nil {
|
|
||||||
return 0, err
|
|
||||||
}
|
|
||||||
return sequence.CurrentSequence, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) EventQuery() (*es_models.SearchQuery, error) {
|
|
||||||
sequence, err := p.view.GetLatestProjectRoleSequence()
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return proj_view.ProjectQuery(sequence.CurrentSequence), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) Reduce(event *es_models.Event) (err error) {
|
|
||||||
role := new(view_model.ProjectRoleView)
|
|
||||||
switch event.Type {
|
|
||||||
case model.ProjectRoleAdded:
|
|
||||||
err = role.AppendEvent(event)
|
|
||||||
case model.ProjectRoleChanged:
|
|
||||||
err = role.SetData(event)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
role, err = p.view.ProjectRoleByIDs(event.AggregateID, event.ResourceOwner, role.Key)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
role.ChangeDate = event.CreationDate
|
|
||||||
err = role.AppendEvent(event)
|
|
||||||
case model.ProjectRoleRemoved:
|
|
||||||
err = role.SetData(event)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
return p.view.DeleteProjectRole(event.AggregateID, event.ResourceOwner, role.Key, event)
|
|
||||||
case model.ProjectRemoved:
|
|
||||||
err := p.view.DeleteProjectRolesByProjectID(event.AggregateID)
|
|
||||||
if err == nil {
|
|
||||||
return p.view.ProcessedProjectRoleSequence(event)
|
|
||||||
}
|
|
||||||
default:
|
|
||||||
return p.view.ProcessedProjectRoleSequence(event)
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
return p.view.PutProjectRole(role, event)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) OnError(event *es_models.Event, err error) error {
|
|
||||||
logging.LogWithFields("SPOOL-lso9w", "id", event.AggregateID).WithError(err).Warn("something went wrong in project role handler")
|
|
||||||
return spooler.HandleError(event, err, p.view.GetLatestProjectRoleFailedEvent, p.view.ProcessedProjectRoleFailedEvent, p.view.ProcessedProjectRoleSequence, p.errorCountUntilSkip)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) OnSuccess() error {
|
|
||||||
return spooler.HandleSuccess(p.view.UpdateProjectRoleSpoolerRunTimestamp)
|
|
||||||
}
|
|
@ -1,9 +0,0 @@
|
|||||||
package repository
|
|
||||||
|
|
||||||
import (
|
|
||||||
"github.com/caos/zitadel/internal/project/model"
|
|
||||||
)
|
|
||||||
|
|
||||||
type ProjectRepository interface {
|
|
||||||
ProjectRolesByProjectID(projectID string) ([]*model.ProjectRoleView, error)
|
|
||||||
}
|
|
@ -10,7 +10,6 @@ type Repository interface {
|
|||||||
AuthRequestRepository
|
AuthRequestRepository
|
||||||
TokenRepository
|
TokenRepository
|
||||||
ApplicationRepository
|
ApplicationRepository
|
||||||
ProjectRepository
|
|
||||||
KeyRepository
|
KeyRepository
|
||||||
UserSessionRepository
|
UserSessionRepository
|
||||||
UserGrantRepository
|
UserGrantRepository
|
||||||
|
@ -33,7 +33,6 @@ func (h *handler) Eventstore() v1.Eventstore {
|
|||||||
|
|
||||||
func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es v1.Eventstore, defaults systemdefaults.SystemDefaults, staticStorage static.Storage) []query.Handler {
|
func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es v1.Eventstore, defaults systemdefaults.SystemDefaults, staticStorage static.Storage) []query.Handler {
|
||||||
return []query.Handler{
|
return []query.Handler{
|
||||||
newProjectRole(handler{view, bulkLimit, configs.cycleDuration("ProjectRole"), errorCount, es}),
|
|
||||||
newProjectMember(handler{view, bulkLimit, configs.cycleDuration("ProjectMember"), errorCount, es}),
|
newProjectMember(handler{view, bulkLimit, configs.cycleDuration("ProjectMember"), errorCount, es}),
|
||||||
newProjectGrantMember(handler{view, bulkLimit, configs.cycleDuration("ProjectGrantMember"), errorCount, es}),
|
newProjectGrantMember(handler{view, bulkLimit, configs.cycleDuration("ProjectGrantMember"), errorCount, es}),
|
||||||
newApplication(handler{view, bulkLimit, configs.cycleDuration("Application"), errorCount, es}),
|
newApplication(handler{view, bulkLimit, configs.cycleDuration("Application"), errorCount, es}),
|
||||||
|
@ -1,112 +0,0 @@
|
|||||||
package handler
|
|
||||||
|
|
||||||
import (
|
|
||||||
"github.com/caos/logging"
|
|
||||||
"github.com/caos/zitadel/internal/eventstore/v1"
|
|
||||||
|
|
||||||
"github.com/caos/zitadel/internal/eventstore/v1/models"
|
|
||||||
"github.com/caos/zitadel/internal/eventstore/v1/query"
|
|
||||||
"github.com/caos/zitadel/internal/eventstore/v1/spooler"
|
|
||||||
es_model "github.com/caos/zitadel/internal/project/repository/eventsourcing/model"
|
|
||||||
proj_view "github.com/caos/zitadel/internal/project/repository/view"
|
|
||||||
view_model "github.com/caos/zitadel/internal/project/repository/view/model"
|
|
||||||
)
|
|
||||||
|
|
||||||
const (
|
|
||||||
projectRoleTable = "management.project_roles"
|
|
||||||
)
|
|
||||||
|
|
||||||
type ProjectRole struct {
|
|
||||||
handler
|
|
||||||
subscription *v1.Subscription
|
|
||||||
}
|
|
||||||
|
|
||||||
func newProjectRole(
|
|
||||||
handler handler,
|
|
||||||
) *ProjectRole {
|
|
||||||
h := &ProjectRole{
|
|
||||||
handler: handler,
|
|
||||||
}
|
|
||||||
|
|
||||||
h.subscribe()
|
|
||||||
|
|
||||||
return h
|
|
||||||
}
|
|
||||||
|
|
||||||
func (m *ProjectRole) subscribe() {
|
|
||||||
m.subscription = m.es.Subscribe(m.AggregateTypes()...)
|
|
||||||
go func() {
|
|
||||||
for event := range m.subscription.Events {
|
|
||||||
query.ReduceEvent(m, event)
|
|
||||||
}
|
|
||||||
}()
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) ViewModel() string {
|
|
||||||
return projectRoleTable
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) Subscription() *v1.Subscription {
|
|
||||||
return p.subscription
|
|
||||||
}
|
|
||||||
|
|
||||||
func (_ *ProjectRole) AggregateTypes() []models.AggregateType {
|
|
||||||
return []models.AggregateType{es_model.ProjectAggregate}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) CurrentSequence() (uint64, error) {
|
|
||||||
sequence, err := p.view.GetLatestProjectRoleSequence()
|
|
||||||
if err != nil {
|
|
||||||
return 0, err
|
|
||||||
}
|
|
||||||
return sequence.CurrentSequence, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) EventQuery() (*models.SearchQuery, error) {
|
|
||||||
sequence, err := p.view.GetLatestProjectRoleSequence()
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return proj_view.ProjectQuery(sequence.CurrentSequence), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) Reduce(event *models.Event) (err error) {
|
|
||||||
role := new(view_model.ProjectRoleView)
|
|
||||||
switch event.Type {
|
|
||||||
case es_model.ProjectRoleAdded:
|
|
||||||
err = role.AppendEvent(event)
|
|
||||||
case es_model.ProjectRoleChanged:
|
|
||||||
err = role.SetData(event)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
role, err = p.view.ProjectRoleByIDs(event.AggregateID, event.ResourceOwner, role.Key)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
err = role.AppendEvent(event)
|
|
||||||
case es_model.ProjectRoleRemoved:
|
|
||||||
err = role.SetData(event)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
return p.view.DeleteProjectRole(event.AggregateID, event.ResourceOwner, role.Key, event)
|
|
||||||
case es_model.ProjectRemoved:
|
|
||||||
return p.view.DeleteProjectRolesByProjectID(event.AggregateID)
|
|
||||||
default:
|
|
||||||
return p.view.ProcessedProjectRoleSequence(event)
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
return p.view.PutProjectRole(role, event)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) OnError(event *models.Event, err error) error {
|
|
||||||
logging.LogWithFields("SPOOL-lso9w", "id", event.AggregateID).WithError(err).Warn("something went wrong in project role handler")
|
|
||||||
return spooler.HandleError(event, err, p.view.GetLatestProjectRoleFailedEvent, p.view.ProcessedProjectRoleFailedEvent, p.view.ProcessedProjectRoleSequence, p.errorCountUntilSkip)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *ProjectRole) OnSuccess() error {
|
|
||||||
return spooler.HandleSuccess(p.view.UpdateProjectRoleSpoolerRunTimestamp)
|
|
||||||
}
|
|
@ -141,8 +141,8 @@ func (q *Queries) SearchGrantedProjectRoles(ctx context.Context, grantID, grante
|
|||||||
return projects, err
|
return projects, err
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewProjectRoleProjectIDSearchQuery(method TextComparison, value string) (SearchQuery, error) {
|
func NewProjectRoleProjectIDSearchQuery(value string) (SearchQuery, error) {
|
||||||
return NewTextQuery(ProjectRoleColumnProjectID, value, method)
|
return NewTextQuery(ProjectRoleColumnProjectID, value, TextEquals)
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewProjectRoleResourceOwnerSearchQuery(value string) (SearchQuery, error) {
|
func NewProjectRoleResourceOwnerSearchQuery(value string) (SearchQuery, error) {
|
||||||
@ -170,7 +170,7 @@ func NewProjectRoleGroupSearchQuery(method TextComparison, value string) (Search
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (r *ProjectRoleSearchQueries) AppendProjectIDQuery(projectID string) error {
|
func (r *ProjectRoleSearchQueries) AppendProjectIDQuery(projectID string) error {
|
||||||
query, err := NewProjectRoleProjectIDSearchQuery(TextEquals, projectID)
|
query, err := NewProjectRoleProjectIDSearchQuery(projectID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|