fix: internal grant view (#239)

* fix: internal grant view

* feat: add orgiam policy in management

* fix: roleSuffix
This commit is contained in:
Fabi
2020-06-19 07:27:16 +02:00
committed by GitHub
parent 5e39a5f813
commit add4c103cf
12 changed files with 13991 additions and 13137 deletions


@@ -150,11 +150,11 @@ func (u *UserGrant) processProject(event *models.Event) (err error) {
case proj_es_model.ProjectMemberAdded, proj_es_model.ProjectMemberChanged, proj_es_model.ProjectMemberRemoved:
member := new(proj_es_model.ProjectMember)
member.SetData(event)
return u.processMember(event, "PROJECT", true, member.UserID, member.Roles)
return u.processMember(event, "PROJECT", event.AggregateID, member.UserID, member.Roles)
case proj_es_model.ProjectGrantMemberAdded, proj_es_model.ProjectGrantMemberChanged, proj_es_model.ProjectGrantMemberRemoved:
member := new(proj_es_model.ProjectGrantMember)
member.SetData(event)
return u.processMember(event, "PROJECT_GRANT", true, member.UserID, member.Roles)
return u.processMember(event, "PROJECT_GRANT", member.GrantID, member.UserID, member.Roles)
default:
return u.view.ProcessedUserGrantSequence(event.Sequence)
}
@@ -166,7 +166,7 @@ func (u *UserGrant) processOrg(event *models.Event) (err error) {
case org_es_model.OrgMemberAdded, org_es_model.OrgMemberChanged, org_es_model.OrgMemberRemoved:
member := new(org_es_model.OrgMember)
member.SetData(event)
return u.processMember(event, "ORG", false, member.UserID, member.Roles)
return u.processMember(event, "ORG", "", member.UserID, member.Roles)
default:
return u.view.ProcessedUserGrantSequence(event.Sequence)
}
@@ -200,7 +200,7 @@ func (u *UserGrant) processIamMember(event *models.Event, rolePrefix string, suf
} else {
newRoles := member.Roles
if grant.RoleKeys != nil {
grant.RoleKeys = mergeExistingRoles(rolePrefix, grant.RoleKeys, newRoles)
grant.RoleKeys = mergeExistingRoles(rolePrefix, "", grant.RoleKeys, newRoles)
} else {
grant.RoleKeys = newRoles
}
@@ -221,7 +221,7 @@ func (u *UserGrant) processIamMember(event *models.Event, rolePrefix string, suf
}
}
func (u *UserGrant) processMember(event *models.Event, rolePrefix string, suffix bool, userID string, roleKeys []string) error {
func (u *UserGrant) processMember(event *models.Event, rolePrefix, roleSuffix string, userID string, roleKeys []string) error {
switch event.Type {
case org_es_model.OrgMemberAdded, proj_es_model.ProjectMemberAdded, proj_es_model.ProjectGrantMemberAdded,
org_es_model.OrgMemberChanged, proj_es_model.ProjectMemberChanged, proj_es_model.ProjectGrantMemberChanged:
@@ -230,7 +230,7 @@ func (u *UserGrant) processMember(event *models.Event, rolePrefix string, suffix
if err != nil && !errors.IsNotFound(err) {
return err
}
if suffix {
if roleSuffix != "" {
roleKeys = suffixRoles(event.AggregateID, roleKeys)
}
if errors.IsNotFound(err) {
@@ -246,7 +246,7 @@ func (u *UserGrant) processMember(event *models.Event, rolePrefix string, suffix
} else {
newRoles := roleKeys
if grant.RoleKeys != nil {
grant.RoleKeys = mergeExistingRoles(rolePrefix, grant.RoleKeys, newRoles)
grant.RoleKeys = mergeExistingRoles(rolePrefix, roleSuffix, grant.RoleKeys, newRoles)
} else {
grant.RoleKeys = newRoles
}
@@ -276,11 +276,15 @@ func suffixRoles(suffix string, roles []string) []string {
return suffixedRoles
}
func mergeExistingRoles(rolePrefix string, existingRoles, newRoles []string) []string {
func mergeExistingRoles(rolePrefix, suffix string, existingRoles, newRoles []string) []string {
mergedRoles := make([]string, 0)
for _, existing := range existingRoles {
if !strings.HasPrefix(existing, rolePrefix) {
mergedRoles = append(mergedRoles, existing)
continue
}
if suffix != "" && !strings.HasSuffix(existing, suffix) {
mergedRoles = append(mergedRoles, existing)
}
}
return append(mergedRoles, newRoles...)
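Review bot: The new roleSuffix parameter is used by mergeExistingRoles but not when the keys are built: in the processMember hunk `roleKeys = suffixRoles(event.AggregateID, roleKeys)` still appends the aggregate ID, so for PROJECT_GRANT members (where processProject now passes member.GrantID) the new keys end in the project ID while the merge looks for keys ending in the grant ID, never drops the stale ones, and the user keeps old role keys after a change; it should read `roleKeys = suffixRoles(roleSuffix, roleKeys)`. A second issue is that "PROJECT" is a plain string prefix of "PROJECT_GRANT", so `strings.HasPrefix(existing, rolePrefix)` on a PROJECT member event also matches that user's PROJECT_GRANT keys, and any of them carrying the same ID suffix would be dropped by the merge; matching on the prefix together with whatever separator suffixRoles inserts would avoid that. processMember's body continues outside the hunk and the suffixRoles body is not shown, so the separator detail should be confirmed against it. The identical change appears in the second file section below and needs the same fix.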


@@ -69,11 +69,11 @@ func (u *UserGrant) processProject(event *models.Event) (err error) {
case proj_es_model.ProjectMemberAdded, proj_es_model.ProjectMemberChanged, proj_es_model.ProjectMemberRemoved:
member := new(proj_es_model.ProjectMember)
member.SetData(event)
return u.processMember(event, "PROJECT", true, member.UserID, member.Roles)
return u.processMember(event, "PROJECT", event.AggregateID, member.UserID, member.Roles)
case proj_es_model.ProjectGrantMemberAdded, proj_es_model.ProjectGrantMemberChanged, proj_es_model.ProjectGrantMemberRemoved:
member := new(proj_es_model.ProjectGrantMember)
member.SetData(event)
return u.processMember(event, "PROJECT_GRANT", true, member.UserID, member.Roles)
return u.processMember(event, "PROJECT_GRANT", member.GrantID, member.UserID, member.Roles)
default:
return u.view.ProcessedUserGrantSequence(event.Sequence)
}
@@ -85,7 +85,7 @@ func (u *UserGrant) processOrg(event *models.Event) (err error) {
case org_es_model.OrgMemberAdded, org_es_model.OrgMemberChanged, org_es_model.OrgMemberRemoved:
member := new(org_es_model.OrgMember)
member.SetData(event)
return u.processMember(event, "ORG", false, member.UserID, member.Roles)
return u.processMember(event, "ORG", "", member.UserID, member.Roles)
default:
return u.view.ProcessedUserGrantSequence(event.Sequence)
}
@@ -119,7 +119,7 @@ func (u *UserGrant) processIamMember(event *models.Event, rolePrefix string, suf
} else {
newRoles := member.Roles
if grant.RoleKeys != nil {
grant.RoleKeys = mergeExistingRoles(rolePrefix, grant.RoleKeys, newRoles)
grant.RoleKeys = mergeExistingRoles(rolePrefix, "", grant.RoleKeys, newRoles)
} else {
grant.RoleKeys = newRoles
}
@@ -140,7 +140,7 @@ func (u *UserGrant) processIamMember(event *models.Event, rolePrefix string, suf
}
}
func (u *UserGrant) processMember(event *models.Event, rolePrefix string, suffix bool, userID string, roleKeys []string) error {
func (u *UserGrant) processMember(event *models.Event, rolePrefix, roleSuffix string, userID string, roleKeys []string) error {
switch event.Type {
case org_es_model.OrgMemberAdded, proj_es_model.ProjectMemberAdded, proj_es_model.ProjectGrantMemberAdded,
org_es_model.OrgMemberChanged, proj_es_model.ProjectMemberChanged, proj_es_model.ProjectGrantMemberChanged:
@@ -149,7 +149,7 @@ func (u *UserGrant) processMember(event *models.Event, rolePrefix string, suffix
if err != nil && !errors.IsNotFound(err) {
return err
}
if suffix {
if roleSuffix != "" {
roleKeys = suffixRoles(event.AggregateID, roleKeys)
}
if errors.IsNotFound(err) {
@@ -164,7 +164,7 @@ func (u *UserGrant) processMember(event *models.Event, rolePrefix string, suffix
} else {
newRoles := roleKeys
if grant.RoleKeys != nil {
grant.RoleKeys = mergeExistingRoles(rolePrefix, grant.RoleKeys, newRoles)
grant.RoleKeys = mergeExistingRoles(rolePrefix, roleSuffix, grant.RoleKeys, newRoles)
} else {
grant.RoleKeys = newRoles
}
@@ -194,11 +194,15 @@ func suffixRoles(suffix string, roles []string) []string {
return suffixedRoles
}
func mergeExistingRoles(rolePrefix string, existingRoles, newRoles []string) []string {
func mergeExistingRoles(rolePrefix, suffix string, existingRoles, newRoles []string) []string {
mergedRoles := make([]string, 0)
for _, existing := range existingRoles {
if !strings.HasPrefix(existing, rolePrefix) {
mergedRoles = append(mergedRoles, existing)
continue
}
if suffix != "" && !strings.HasSuffix(existing, suffix) {
mergedRoles = append(mergedRoles, existing)
}
}
return append(mergedRoles, newRoles...)


@@ -45,6 +45,10 @@ func (repo *OrgRepository) ReactivateOrg(ctx context.Context, id string) (*org_m
return repo.OrgEventstore.ReactivateOrg(ctx, id)
}
func (repo *OrgRepository) GetMyOrgIamPolicy(ctx context.Context) (*org_model.OrgIamPolicy, error) {
return repo.OrgEventstore.GetOrgIamPolicy(ctx, auth.GetCtxData(ctx).OrgID)
}
func (repo *OrgRepository) SearchMyOrgDomains(ctx context.Context, request *org_model.OrgDomainSearchRequest) (*org_model.OrgDomainSearchResponse, error) {
request.EnsureLimit(repo.SearchLimit)
request.Queries = append(request.Queries, &org_model.OrgDomainSearchQuery{Key: org_model.ORGDOMAINSEARCHKEY_ORG_ID, Method: global_model.SEARCHMETHOD_EQUALS, Value: auth.GetCtxData(ctx).OrgID})
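Review bot: GetMyOrgIamPolicy is exported but has no doc comment, and it is worth stating that the lookup is scoped to the caller's own org via `auth.GetCtxData(ctx).OrgID` rather than an id argument; add `// GetMyOrgIamPolicy returns the org IAM policy of the org in the request context data.` above the method. The interface method added in the last file section should carry the same comment. SearchMyOrgDomains continues outside the hunk.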


@@ -24,4 +24,6 @@ type OrgRepository interface {
RemoveMyOrgMember(ctx context.Context, userID string) error
GetOrgMemberRoles() []string
GetMyOrgIamPolicy(ctx context.Context) (*org_model.OrgIamPolicy, error)
}