feat(queries): user grants (#2838)

* refactor(domain): add user type * fix(projections): start with login names * fix(login_policy): correct handling of user domain claimed event * fix(projections): add members * refactor: simplify member projections * add migration for members * add metadata to member projections * refactor: login name projection * fix: set correct suffixes on login name projections * test(projections): login name reduces * fix: correct cols in reduce member * test(projections): org, iam, project members * member additional cols and conds as opt, add project grant members * fix(migration): members * fix(migration): correct database name * migration version * migs * better naming for member cond and col * split project and project grant members * prepare member columns * feat(queries): membership query * test(queries): membership prepare * fix(queries): multiple projections for latest sequence * fix(api): use query for membership queries in auth and management * feat: org member queries * fix(api): use query for iam member calls * fix(queries): org members * fix(queries): project members * fix(queries): project grant members * fix(query): member queries and user avatar column * member cols * fix(queries): membership stmt * fix user test * fix user test * fix(projections): add user grant projection * fix(user_grant): handle state changes * add state to migration * fix(management): use query for user grant requests * merge eventstore-naming into user-grant-projection * feat(queries): user grants * fix(migrations): version * fix(api): user query for user grants * fix(query): event mappers for usergrant aggregate * fix(projection): correct aggregate for user grants * fix(queries): user grant roles as list contains * cleanup reducers * fix avater_key to avatar_key * tests * cleanup * cleanup * add resourceowner query * fix: user grant project name search query Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>
2025-08-12 03:57:32 +00:00 · 2022-01-14 10:45:50 +01:00
parent a63a995269
commit c542cab4f8
29 changed files with 1546 additions and 816 deletions
--- a/internal/api/grpc/management/project.go
+++ b/internal/api/grpc/management/project.go
@@ -8,6 +8,7 @@ import (
 	member_grpc "github.com/caos/zitadel/internal/api/grpc/member"
 	object_grpc "github.com/caos/zitadel/internal/api/grpc/object"
 	project_grpc "github.com/caos/zitadel/internal/api/grpc/project"
+	"github.com/caos/zitadel/internal/query"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )

@@ -174,11 +175,17 @@ func (s *Server) ReactivateProject(ctx context.Context, req *mgmt_pb.ReactivateP
 }

 func (s *Server) RemoveProject(ctx context.Context, req *mgmt_pb.RemoveProjectRequest) (*mgmt_pb.RemoveProjectResponse, error) {
-	grants, err := s.usergrant.UserGrantsByProjectID(ctx, req.Id)
+	projectQuery, err := query.NewUserGrantProjectIDSearchQuery(req.Id)
 	if err != nil {
 		return nil, err
 	}
-	details, err := s.command.RemoveProject(ctx, req.Id, authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants)...)
+	grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
+		Queries: []query.SearchQuery{projectQuery},
+	})
+	if err != nil {
+		return nil, err
+	}
+	details, err := s.command.RemoveProject(ctx, req.Id, authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants.UserGrants)...)
 	if err != nil {
 		return nil, err
 	}
@@ -253,7 +260,18 @@ func (s *Server) UpdateProjectRole(ctx context.Context, req *mgmt_pb.UpdateProje
 }

 func (s *Server) RemoveProjectRole(ctx context.Context, req *mgmt_pb.RemoveProjectRoleRequest) (*mgmt_pb.RemoveProjectRoleResponse, error) {
-	userGrants, err := s.usergrant.UserGrantsByProjectIDAndRoleKey(ctx, req.ProjectId, req.RoleKey)
+	projectQuery, err := query.NewUserGrantProjectIDSearchQuery(req.ProjectId)
+	if err != nil {
+		return nil, err
+	}
+	rolesQuery, err := query.NewUserGrantGrantIDSearchQuery(req.RoleKey)
+	if err != nil {
+		return nil, err
+	}
+	userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
+		Queries: []query.SearchQuery{projectQuery, rolesQuery},
+	})
+
 	if err != nil {
 		return nil, err
 	}
@@ -261,7 +279,7 @@ func (s *Server) RemoveProjectRole(ctx context.Context, req *mgmt_pb.RemoveProje
 	if err != nil {
 		return nil, err
 	}
-	details, err := s.command.RemoveProjectRole(ctx, req.ProjectId, req.RoleKey, authz.GetCtxData(ctx).OrgID, ProjectGrantsToIDs(projectGrants), userGrantsToIDs(userGrants)...)
+	details, err := s.command.RemoveProjectRole(ctx, req.ProjectId, req.RoleKey, authz.GetCtxData(ctx).OrgID, ProjectGrantsToIDs(projectGrants), userGrantsToIDs(userGrants.UserGrants)...)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/project_grant.go
+++ b/internal/api/grpc/management/project_grant.go
@@ -8,6 +8,7 @@ import (
 	member_grpc "github.com/caos/zitadel/internal/api/grpc/member"
 	object_grpc "github.com/caos/zitadel/internal/api/grpc/object"
 	proj_grpc "github.com/caos/zitadel/internal/api/grpc/project"
+	"github.com/caos/zitadel/internal/query"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )

@@ -78,11 +79,21 @@ func (s *Server) AddProjectGrant(ctx context.Context, req *mgmt_pb.AddProjectGra
 }

 func (s *Server) UpdateProjectGrant(ctx context.Context, req *mgmt_pb.UpdateProjectGrantRequest) (*mgmt_pb.UpdateProjectGrantResponse, error) {
-	grants, err := s.usergrant.UserGrantsByProjectAndGrantID(ctx, req.ProjectId, req.GrantId)
+	projectQuery, err := query.NewUserGrantProjectIDSearchQuery(req.ProjectId)
 	if err != nil {
 		return nil, err
 	}
-	grant, err := s.command.ChangeProjectGrant(ctx, UpdateProjectGrantRequestToDomain(req), authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants)...)
+	grantQuery, err := query.NewUserGrantGrantIDSearchQuery(req.GrantId)
+	if err != nil {
+		return nil, err
+	}
+	grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
+		Queries: []query.SearchQuery{projectQuery, grantQuery},
+	})
+	if err != nil {
+		return nil, err
+	}
+	grant, err := s.command.ChangeProjectGrant(ctx, UpdateProjectGrantRequestToDomain(req), authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants.UserGrants)...)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/server.go
+++ b/internal/api/grpc/management/server.go
@@ -26,7 +26,6 @@ type Server struct {
 	project        repository.ProjectRepository
 	org            repository.OrgRepository
 	user           repository.UserRepository
-	usergrant      repository.UserGrantRepository
 	iam            repository.IamRepository
 	authZ          authz.Config
 	systemDefaults systemdefaults.SystemDefaults
@@ -44,7 +43,6 @@ func CreateServer(command *command.Commands, query *query.Queries, repo reposito
 		project:        repo,
 		org:            repo,
 		user:           repo,
-		usergrant:      repo,
 		iam:            repo,
 		systemDefaults: sd,
 		assetAPIPrefix: assetAPIPrefix,
--- a/internal/api/grpc/management/user.go
+++ b/internal/api/grpc/management/user.go
@@ -10,13 +10,10 @@ import (
 	change_grpc "github.com/caos/zitadel/internal/api/grpc/change"
 	idp_grpc "github.com/caos/zitadel/internal/api/grpc/idp"
 	"github.com/caos/zitadel/internal/api/grpc/metadata"
-	"github.com/caos/zitadel/internal/api/grpc/object"
 	obj_grpc "github.com/caos/zitadel/internal/api/grpc/object"
-	"github.com/caos/zitadel/internal/api/grpc/user"
 	user_grpc "github.com/caos/zitadel/internal/api/grpc/user"
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/query"
-	grant_model "github.com/caos/zitadel/internal/usergrant/model"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )

@@ -257,21 +254,27 @@ func (s *Server) UnlockUser(ctx context.Context, req *mgmt_pb.UnlockUserRequest)
 }

 func (s *Server) RemoveUser(ctx context.Context, req *mgmt_pb.RemoveUserRequest) (*mgmt_pb.RemoveUserResponse, error) {
-	grants, err := s.usergrant.UserGrantsByUserID(ctx, req.Id)
+	userGrantUserQuery, err := query.NewUserGrantUserIDSearchQuery(req.Id)
 	if err != nil {
 		return nil, err
 	}
-	userQuery, err := query.NewMembershipUserIDQuery(req.Id)
-	if err != nil {
-		return nil, err
-	}
-	memberships, err := s.query.Memberships(ctx, &query.MembershipSearchQuery{
-		Queries: []query.SearchQuery{userQuery},
+	grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
+		Queries: []query.SearchQuery{userGrantUserQuery},
 	})
 	if err != nil {
 		return nil, err
 	}
-	objectDetails, err := s.command.RemoveUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID, memberships.Memberships, userGrantsToIDs(grants)...)
+	membershipsUserQuery, err := query.NewMembershipUserIDQuery(req.Id)
+	if err != nil {
+		return nil, err
+	}
+	memberships, err := s.query.Memberships(ctx, &query.MembershipSearchQuery{
+		Queries: []query.SearchQuery{membershipsUserQuery},
+	})
+	if err != nil {
+		return nil, err
+	}
+	objectDetails, err := s.command.RemoveUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID, memberships.Memberships, userGrantsToIDs(grants.UserGrants)...)
 	if err != nil {
 		return nil, err
 	}
@@ -280,7 +283,7 @@ func (s *Server) RemoveUser(ctx context.Context, req *mgmt_pb.RemoveUserRequest)
 	}, nil
 }

-func userGrantsToIDs(userGrants []*grant_model.UserGrantView) []string {
+func userGrantsToIDs(userGrants []*query.UserGrant) []string {
 	converted := make([]string, len(userGrants))
 	for i, grant := range userGrants {
 		converted[i] = grant.ID
@@ -435,7 +438,7 @@ func (s *Server) RemoveHumanAvatar(ctx context.Context, req *mgmt_pb.RemoveHuman
 		return nil, err
 	}
 	return &mgmt_pb.RemoveHumanAvatarResponse{
-		Details: object.DomainToChangeDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@@ -505,7 +508,7 @@ func (s *Server) ListHumanPasswordless(ctx context.Context, req *mgmt_pb.ListHum
 		return nil, err
 	}
 	return &mgmt_pb.ListHumanPasswordlessResponse{
-		Result: user.WebAuthNTokensViewToPb(tokens),
+		Result: user_grpc.WebAuthNTokensViewToPb(tokens),
 	}, nil
 }

@@ -516,7 +519,7 @@ func (s *Server) AddPasswordlessRegistration(ctx context.Context, req *mgmt_pb.A
 		return nil, err
 	}
 	return &mgmt_pb.AddPasswordlessRegistrationResponse{
-		Details:    object.AddToDetailsPb(initCode.Sequence, initCode.ChangeDate, initCode.ResourceOwner),
+		Details:    obj_grpc.AddToDetailsPb(initCode.Sequence, initCode.ChangeDate, initCode.ResourceOwner),
 		Link:       initCode.Link(s.systemDefaults.Notifications.Endpoints.PasswordlessRegistration),
 		Expiration: durationpb.New(initCode.Expiration),
 	}, nil
@@ -529,7 +532,7 @@ func (s *Server) SendPasswordlessRegistration(ctx context.Context, req *mgmt_pb.
 		return nil, err
 	}
 	return &mgmt_pb.SendPasswordlessRegistrationResponse{
-		Details: object.AddToDetailsPb(initCode.Sequence, initCode.ChangeDate, initCode.ResourceOwner),
+		Details: obj_grpc.AddToDetailsPb(initCode.Sequence, initCode.ChangeDate, initCode.ResourceOwner),
 	}, nil
 }

@@ -606,7 +609,7 @@ func (s *Server) AddMachineKey(ctx context.Context, req *mgmt_pb.AddMachineKeyRe
 	return &mgmt_pb.AddMachineKeyResponse{
 		KeyId:      key.KeyID,
 		KeyDetails: keyDetails,
-		Details: object.AddToDetailsPb(
+		Details: obj_grpc.AddToDetailsPb(
 			key.Sequence,
 			key.ChangeDate,
 			key.ResourceOwner,
--- a/internal/api/grpc/management/user_grant.go
+++ b/internal/api/grpc/management/user_grant.go
@@ -6,31 +6,37 @@ import (
 	"github.com/caos/zitadel/internal/api/authz"
 	obj_grpc "github.com/caos/zitadel/internal/api/grpc/object"
 	"github.com/caos/zitadel/internal/api/grpc/user"
-
+	"github.com/caos/zitadel/internal/query"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )

 func (s *Server) GetUserGrantByID(ctx context.Context, req *mgmt_pb.GetUserGrantByIDRequest) (*mgmt_pb.GetUserGrantByIDResponse, error) {
-	grant, err := s.usergrant.UserGrantByID(ctx, req.GrantId)
+	ownerQuery, err := query.NewUserGrantResourceOwnerSearchQuery(authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
+	grant, err := s.query.UserGrantByID(ctx, req.GrantId, ownerQuery)
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.GetUserGrantByIDResponse{
-		UserGrant: user.UserGrantToPb(grant),
+		UserGrant: user.UserGrantToPb(s.assetAPIPrefix, grant),
 	}, nil
 }

 func (s *Server) ListUserGrants(ctx context.Context, req *mgmt_pb.ListUserGrantRequest) (*mgmt_pb.ListUserGrantResponse, error) {
-	r := ListUserGrantsRequestToModel(ctx, req)
-	r.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
-	res, err := s.usergrant.SearchUserGrants(ctx, r)
+	queries, err := ListUserGrantsRequestToQuery(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	res, err := s.query.UserGrants(ctx, queries)
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.ListUserGrantResponse{
-		Result: user.UserGrantsToPb(res.Result),
+		Result: user.UserGrantsToPb(s.assetAPIPrefix, res.UserGrants),
 		Details: obj_grpc.ToListDetails(
-			res.TotalResult,
+			res.Count,
 			res.Sequence,
 			res.Timestamp,
 		),
--- a/internal/api/grpc/management/user_grant_converter.go
+++ b/internal/api/grpc/management/user_grant_converter.go
@@ -2,29 +2,51 @@ package management

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	user_grpc "github.com/caos/zitadel/internal/api/grpc/user"
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
-	"github.com/caos/zitadel/internal/usergrant/model"
+	"github.com/caos/zitadel/internal/query"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/caos/zitadel/pkg/grpc/user"
 )

-func ListUserGrantsRequestToModel(ctx context.Context, req *mgmt_pb.ListUserGrantRequest) *model.UserGrantSearchRequest {
-	offset, limit, asc := object.ListQueryToModel(req.Query)
-	request := &model.UserGrantSearchRequest{
-		Offset:  offset,
-		Limit:   limit,
-		Asc:     asc,
-		Queries: user_grpc.UserGrantQueriesToModel(req.Queries),
+func ListUserGrantsRequestToQuery(ctx context.Context, req *mgmt_pb.ListUserGrantRequest) (*query.UserGrantsQueries, error) {
+	queries, err := user_grpc.UserGrantQueriesToQuery(ctx, req.Queries)
+	if err != nil {
+		return nil, err
 	}
-	request.Queries = append(request.Queries, &model.UserGrantSearchQuery{
-		Key:    model.UserGrantSearchKeyResourceOwner,
-		Method: domain.SearchMethodEquals,
-		Value:  authz.GetCtxData(ctx).OrgID,
-	})
-	return request
+
+	if shouldAppendUserGrantOwnerQuery(req.Queries) {
+		ownerQuery, err := query.NewUserGrantResourceOwnerSearchQuery(authz.GetCtxData(ctx).OrgID)
+		if err != nil {
+			return nil, err
+		}
+		queries = append(queries, ownerQuery)
+	}
+
+	offset, limit, asc := object.ListQueryToModel(req.Query)
+	request := &query.UserGrantsQueries{
+		SearchRequest: query.SearchRequest{
+			Offset: offset,
+			Limit:  limit,
+			Asc:    asc,
+		},
+		Queries: queries,
+	}
+
+	return request, nil
+}
+
+func shouldAppendUserGrantOwnerQuery(queries []*user.UserGrantQuery) bool {
+	for _, query := range queries {
+		if _, ok := query.Query.(*user.UserGrantQuery_WithGrantedQuery); ok {
+			return false
+		}
+	}
+	return true
 }

 func AddUserGrantRequestToDomain(req *mgmt_pb.AddUserGrantRequest) *domain.UserGrant {
--- a/internal/api/grpc/user/user_grant.go
+++ b/internal/api/grpc/user/user_grant.go
@@ -1,38 +1,42 @@
 package user

 import (
+	"context"
+	"errors"
+
+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	"github.com/caos/zitadel/internal/domain"
-	usr_grant_model "github.com/caos/zitadel/internal/usergrant/model"
+	"github.com/caos/zitadel/internal/query"
 	user_pb "github.com/caos/zitadel/pkg/grpc/user"
 )

-func UserGrantsToPb(grants []*usr_grant_model.UserGrantView) []*user_pb.UserGrant {
+func UserGrantsToPb(assetPrefix string, grants []*query.UserGrant) []*user_pb.UserGrant {
 	u := make([]*user_pb.UserGrant, len(grants))
 	for i, grant := range grants {
-		u[i] = UserGrantToPb(grant)
+		u[i] = UserGrantToPb(assetPrefix, grant)
 	}
 	return u
 }

-func UserGrantToPb(grant *usr_grant_model.UserGrantView) *user_pb.UserGrant {
+func UserGrantToPb(assetPrefix string, grant *query.UserGrant) *user_pb.UserGrant {
 	return &user_pb.UserGrant{
 		Id:             grant.ID,
 		UserId:         grant.UserID,
-		State:          ModelUserGrantStateToPb(grant.State),
-		RoleKeys:       grant.RoleKeys,
-		UserName:       grant.UserName,
+		State:          user_pb.UserGrantState_USER_GRANT_STATE_ACTIVE,
+		RoleKeys:       grant.Roles,
+		ProjectId:      grant.ProjectID,
+		OrgId:          grant.ResourceOwner,
+		ProjectGrantId: grant.GrantID,
+		UserName:       grant.Username,
 		FirstName:      grant.FirstName,
 		LastName:       grant.LastName,
 		Email:          grant.Email,
 		DisplayName:    grant.DisplayName,
-		OrgId:          grant.ResourceOwner,
 		OrgDomain:      grant.OrgPrimaryDomain,
 		OrgName:        grant.OrgName,
-		ProjectId:      grant.ProjectID,
 		ProjectName:    grant.ProjectName,
-		ProjectGrantId: grant.GrantID,
-		AvatarUrl:      grant.AvatarURL,
+		AvatarUrl:      domain.AvatarURL(assetPrefix, grant.UserResourceOwner, grant.AvatarURL),
 		Details: object.ToViewDetailsPb(
 			grant.Sequence,
 			grant.CreationDate,
@@ -42,15 +46,18 @@ func UserGrantToPb(grant *usr_grant_model.UserGrantView) *user_pb.UserGrant {
 	}
 }

-func UserGrantQueriesToModel(queries []*user_pb.UserGrantQuery) []*usr_grant_model.UserGrantSearchQuery {
-	q := make([]*usr_grant_model.UserGrantSearchQuery, len(queries))
+func UserGrantQueriesToQuery(ctx context.Context, queries []*user_pb.UserGrantQuery) (q []query.SearchQuery, err error) {
+	q = make([]query.SearchQuery, len(queries))
 	for i, query := range queries {
-		q[i] = UserGrantQueryToModel(query)
+		q[i], err = UserGrantQueryToQuery(ctx, query)
+		if err != nil {
+			return nil, err
+		}
 	}
-	return q
+	return q, nil
 }

-func UserGrantQueryToModel(query *user_pb.UserGrantQuery) *usr_grant_model.UserGrantSearchQuery {
+func UserGrantQueryToQuery(ctx context.Context, query *user_pb.UserGrantQuery) (query.SearchQuery, error) {
 	switch q := query.Query.(type) {
 	case *user_pb.UserGrantQuery_DisplayNameQuery:
 		return UserGrantDisplayNameQueryToModel(q.DisplayNameQuery)
@@ -77,112 +84,77 @@ func UserGrantQueryToModel(query *user_pb.UserGrantQuery) *usr_grant_model.UserG
 	case *user_pb.UserGrantQuery_UserNameQuery:
 		return UserGrantUserNameQueryToModel(q.UserNameQuery)
 	case *user_pb.UserGrantQuery_WithGrantedQuery:
-		return UserGrantWithGrantedQueryToModel(q.WithGrantedQuery)
+		return UserGrantWithGrantedQueryToModel(ctx, q.WithGrantedQuery)
+	case *user_pb.UserGrantQuery_UserTypeQuery:
+		return UserGrantUserTypeQueryToModel(q.UserTypeQuery)
 	default:
-		return nil
+		return nil, errors.New("invalid query")
 	}
 }

-func UserGrantDisplayNameQueryToModel(q *user_pb.UserGrantDisplayNameQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyDisplayName,
-		Method: object.TextMethodToModel(q.Method),
-		Value:  q.DisplayName,
-	}
+func UserGrantDisplayNameQueryToModel(q *user_pb.UserGrantDisplayNameQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantDisplayNameQuery(q.DisplayName, object.TextMethodToQuery(q.Method))
 }

-func UserGrantEmailQueryToModel(q *user_pb.UserGrantEmailQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyEmail,
-		Method: object.TextMethodToModel(q.Method),
-		Value:  q.Email,
-	}
+func UserGrantEmailQueryToModel(q *user_pb.UserGrantEmailQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantEmailQuery(q.Email, object.TextMethodToQuery(q.Method))
 }

-func UserGrantFirstNameQueryToModel(q *user_pb.UserGrantFirstNameQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyFirstName,
-		Method: object.TextMethodToModel(q.Method),
-		Value:  q.FirstName,
-	}
+func UserGrantFirstNameQueryToModel(q *user_pb.UserGrantFirstNameQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantFirstNameQuery(q.FirstName, object.TextMethodToQuery(q.Method))
 }

-func UserGrantLastNameQueryToModel(q *user_pb.UserGrantLastNameQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyLastName,
-		Method: object.TextMethodToModel(q.Method),
-		Value:  q.LastName,
-	}
+func UserGrantLastNameQueryToModel(q *user_pb.UserGrantLastNameQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantLastNameQuery(q.LastName, object.TextMethodToQuery(q.Method))
 }

-func UserGrantOrgDomainQueryToModel(q *user_pb.UserGrantOrgDomainQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyOrgDomain,
-		Method: object.TextMethodToModel(q.Method),
-		Value:  q.OrgDomain,
-	}
+func UserGrantOrgDomainQueryToModel(q *user_pb.UserGrantOrgDomainQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantDomainQuery(q.OrgDomain, object.TextMethodToQuery(q.Method))
 }

-func UserGrantOrgNameQueryToModel(q *user_pb.UserGrantOrgNameQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyOrgName,
-		Method: object.TextMethodToModel(q.Method),
-		Value:  q.OrgName,
-	}
+func UserGrantOrgNameQueryToModel(q *user_pb.UserGrantOrgNameQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantOrgNameQuery(q.OrgName, object.TextMethodToQuery(q.Method))
 }

-func UserGrantProjectIDQueryToModel(q *user_pb.UserGrantProjectIDQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyProjectID,
-		Method: domain.SearchMethodEquals,
-		Value:  q.ProjectId,
-	}
+func UserGrantProjectIDQueryToModel(q *user_pb.UserGrantProjectIDQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantProjectIDSearchQuery(q.ProjectId)
 }

-func UserGrantProjectGrantIDQueryToModel(q *user_pb.UserGrantProjectGrantIDQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyGrantID,
-		Method: domain.SearchMethodEquals,
-		Value:  q.ProjectGrantId,
-	}
+func UserGrantProjectGrantIDQueryToModel(q *user_pb.UserGrantProjectGrantIDQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantGrantIDSearchQuery(q.ProjectGrantId)
 }

-func UserGrantProjectNameQueryToModel(q *user_pb.UserGrantProjectNameQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyProjectName,
-		Method: object.TextMethodToModel(q.Method),
-		Value:  q.ProjectName,
-	}
+func UserGrantProjectNameQueryToModel(q *user_pb.UserGrantProjectNameQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantProjectNameQuery(q.ProjectName, object.TextMethodToQuery(q.Method))
 }

-func UserGrantRoleKeyQueryToModel(q *user_pb.UserGrantRoleKeyQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyRoleKey,
-		Method: domain.SearchMethodListContains,
-		Value:  q.RoleKey,
-	}
+func UserGrantRoleKeyQueryToModel(q *user_pb.UserGrantRoleKeyQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantRoleQuery(q.RoleKey)
 }

-func UserGrantUserIDQueryToModel(q *user_pb.UserGrantUserIDQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyUserID,
-		Method: domain.SearchMethodEquals,
-		Value:  q.UserId,
-	}
+func UserGrantUserIDQueryToModel(q *user_pb.UserGrantUserIDQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantUserIDSearchQuery(q.UserId)
 }

-func UserGrantUserNameQueryToModel(q *user_pb.UserGrantUserNameQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyUserName,
-		Method: object.TextMethodToModel(q.Method),
-		Value:  q.UserName,
-	}
+func UserGrantUserNameQueryToModel(q *user_pb.UserGrantUserNameQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantUsernameQuery(q.UserName, object.TextMethodToQuery(q.Method))
 }

-func UserGrantWithGrantedQueryToModel(q *user_pb.UserGrantWithGrantedQuery) *usr_grant_model.UserGrantSearchQuery {
-	return &usr_grant_model.UserGrantSearchQuery{
-		Key:    usr_grant_model.UserGrantSearchKeyWithGranted,
-		Method: domain.SearchMethodEquals,
-		Value:  q.WithGranted,
+func UserGrantWithGrantedQueryToModel(ctx context.Context, q *user_pb.UserGrantWithGrantedQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantWithGrantedQuery(authz.GetCtxData(ctx).OrgID)
+}
+
+func UserGrantUserTypeQueryToModel(q *user_pb.UserGrantUserTypeQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantUserTypeQuery(grantTypeToDomain(q.Type))
+}
+
+func grantTypeToDomain(typ user_pb.Type) domain.UserType {
+	switch typ {
+	case user_pb.Type_TYPE_HUMAN:
+		return domain.UserTypeHuman
+	case user_pb.Type_TYPE_MACHINE:
+		return domain.UserTypeMachine
+	default:
+		return domain.UserTypeUnspecified
 	}
 }