feat(queries): user grants (#2838)

* refactor(domain): add user type

* fix(projections): start with login names

* fix(login_policy): correct handling of user domain claimed event

* fix(projections): add members

* refactor: simplify member projections

* add migration for members

* add metadata to member projections

* refactor: login name projection

* fix: set correct suffixes on login name projections

* test(projections): login name reduces

* fix: correct cols in reduce member

* test(projections): org, iam, project members

* member additional cols and conds as opt,
add project grant members

* fix(migration): members

* fix(migration): correct database name

* migration version

* migs

* better naming for member cond and col

* split project and project grant members

* prepare member columns

* feat(queries): membership query

* test(queries): membership prepare

* fix(queries): multiple projections for latest sequence

* fix(api): use query for membership queries in auth and management

* feat: org member queries

* fix(api): use query for iam member calls

* fix(queries): org members

* fix(queries): project members

* fix(queries): project grant members

* fix(query): member queries and user avatar column

* member cols

* fix(queries): membership stmt

* fix user test

* fix user test

* fix(projections): add user grant projection

* fix(user_grant): handle state changes

* add state to migration

* fix(management): use query for user grant requests

* merge eventstore-naming into user-grant-projection

* feat(queries): user grants

* fix(migrations): version

* fix(api): user query for user grants

* fix(query): event mappers for usergrant aggregate

* fix(projection): correct aggregate for user grants

* fix(queries): user grant roles as list contains

* cleanup reducers

* fix avater_key to avatar_key

* tests

* cleanup

* cleanup

* add resourceowner query

* fix: user grant project name search query

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>

internal/api/grpc/management/project.go

@@ -8,6 +8,7 @@ import (
 	member_grpc "github.com/caos/zitadel/internal/api/grpc/member"
 	object_grpc "github.com/caos/zitadel/internal/api/grpc/object"
 	project_grpc "github.com/caos/zitadel/internal/api/grpc/project"
+	"github.com/caos/zitadel/internal/query"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )
 
@@ -174,11 +175,17 @@ func (s *Server) ReactivateProject(ctx context.Context, req *mgmt_pb.ReactivateP
 }
 
 func (s *Server) RemoveProject(ctx context.Context, req *mgmt_pb.RemoveProjectRequest) (*mgmt_pb.RemoveProjectResponse, error) {
-	grants, err := s.usergrant.UserGrantsByProjectID(ctx, req.Id)
+	projectQuery, err := query.NewUserGrantProjectIDSearchQuery(req.Id)
 	if err != nil {
 		return nil, err
 	}
-	details, err := s.command.RemoveProject(ctx, req.Id, authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants)...)
+	grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
+		Queries: []query.SearchQuery{projectQuery},
+	})
+	if err != nil {
+		return nil, err
+	}
+	details, err := s.command.RemoveProject(ctx, req.Id, authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants.UserGrants)...)
 	if err != nil {
 		return nil, err
 	}
@@ -253,7 +260,18 @@ func (s *Server) UpdateProjectRole(ctx context.Context, req *mgmt_pb.UpdateProje
 }
 
 func (s *Server) RemoveProjectRole(ctx context.Context, req *mgmt_pb.RemoveProjectRoleRequest) (*mgmt_pb.RemoveProjectRoleResponse, error) {
-	userGrants, err := s.usergrant.UserGrantsByProjectIDAndRoleKey(ctx, req.ProjectId, req.RoleKey)
+	projectQuery, err := query.NewUserGrantProjectIDSearchQuery(req.ProjectId)
+	if err != nil {
+		return nil, err
+	}
+	rolesQuery, err := query.NewUserGrantGrantIDSearchQuery(req.RoleKey)
+	if err != nil {
+		return nil, err
+	}
+	userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
+		Queries: []query.SearchQuery{projectQuery, rolesQuery},
+	})
+
 	if err != nil {
 		return nil, err
 	}
@@ -261,7 +279,7 @@ func (s *Server) RemoveProjectRole(ctx context.Context, req *mgmt_pb.RemoveProje
 	if err != nil {
 		return nil, err
 	}
-	details, err := s.command.RemoveProjectRole(ctx, req.ProjectId, req.RoleKey, authz.GetCtxData(ctx).OrgID, ProjectGrantsToIDs(projectGrants), userGrantsToIDs(userGrants)...)
+	details, err := s.command.RemoveProjectRole(ctx, req.ProjectId, req.RoleKey, authz.GetCtxData(ctx).OrgID, ProjectGrantsToIDs(projectGrants), userGrantsToIDs(userGrants.UserGrants)...)
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/management/project_grant.go

@@ -8,6 +8,7 @@ import (
 	member_grpc "github.com/caos/zitadel/internal/api/grpc/member"
 	object_grpc "github.com/caos/zitadel/internal/api/grpc/object"
 	proj_grpc "github.com/caos/zitadel/internal/api/grpc/project"
+	"github.com/caos/zitadel/internal/query"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )
 
@@ -78,11 +79,21 @@ func (s *Server) AddProjectGrant(ctx context.Context, req *mgmt_pb.AddProjectGra
 }
 
 func (s *Server) UpdateProjectGrant(ctx context.Context, req *mgmt_pb.UpdateProjectGrantRequest) (*mgmt_pb.UpdateProjectGrantResponse, error) {
-	grants, err := s.usergrant.UserGrantsByProjectAndGrantID(ctx, req.ProjectId, req.GrantId)
+	projectQuery, err := query.NewUserGrantProjectIDSearchQuery(req.ProjectId)
 	if err != nil {
 		return nil, err
 	}
-	grant, err := s.command.ChangeProjectGrant(ctx, UpdateProjectGrantRequestToDomain(req), authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants)...)
+	grantQuery, err := query.NewUserGrantGrantIDSearchQuery(req.GrantId)
+	if err != nil {
+		return nil, err
+	}
+	grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
+		Queries: []query.SearchQuery{projectQuery, grantQuery},
+	})
+	if err != nil {
+		return nil, err
+	}
+	grant, err := s.command.ChangeProjectGrant(ctx, UpdateProjectGrantRequestToDomain(req), authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants.UserGrants)...)
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/management/server.go

@@ -26,7 +26,6 @@ type Server struct {
 	project        repository.ProjectRepository
 	org            repository.OrgRepository
 	user           repository.UserRepository
-	usergrant      repository.UserGrantRepository
 	iam            repository.IamRepository
 	authZ          authz.Config
 	systemDefaults systemdefaults.SystemDefaults
@@ -44,7 +43,6 @@ func CreateServer(command *command.Commands, query *query.Queries, repo reposito
 		project:        repo,
 		org:            repo,
 		user:           repo,
-		usergrant:      repo,
 		iam:            repo,
 		systemDefaults: sd,
 		assetAPIPrefix: assetAPIPrefix,

internal/api/grpc/management/user.go

@@ -10,13 +10,10 @@ import (
 	change_grpc "github.com/caos/zitadel/internal/api/grpc/change"
 	idp_grpc "github.com/caos/zitadel/internal/api/grpc/idp"
 	"github.com/caos/zitadel/internal/api/grpc/metadata"
-	"github.com/caos/zitadel/internal/api/grpc/object"
 	obj_grpc "github.com/caos/zitadel/internal/api/grpc/object"
-	"github.com/caos/zitadel/internal/api/grpc/user"
 	user_grpc "github.com/caos/zitadel/internal/api/grpc/user"
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/query"
-	grant_model "github.com/caos/zitadel/internal/usergrant/model"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )
 
@@ -257,21 +254,27 @@ func (s *Server) UnlockUser(ctx context.Context, req *mgmt_pb.UnlockUserRequest)
 }
 
 func (s *Server) RemoveUser(ctx context.Context, req *mgmt_pb.RemoveUserRequest) (*mgmt_pb.RemoveUserResponse, error) {
-	grants, err := s.usergrant.UserGrantsByUserID(ctx, req.Id)
+	userGrantUserQuery, err := query.NewUserGrantUserIDSearchQuery(req.Id)
 	if err != nil {
 		return nil, err
 	}
-	userQuery, err := query.NewMembershipUserIDQuery(req.Id)
-	if err != nil {
-		return nil, err
-	}
-	memberships, err := s.query.Memberships(ctx, &query.MembershipSearchQuery{
-		Queries: []query.SearchQuery{userQuery},
+	grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
+		Queries: []query.SearchQuery{userGrantUserQuery},
 	})
 	if err != nil {
 		return nil, err
 	}
-	objectDetails, err := s.command.RemoveUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID, memberships.Memberships, userGrantsToIDs(grants)...)
+	membershipsUserQuery, err := query.NewMembershipUserIDQuery(req.Id)
+	if err != nil {
+		return nil, err
+	}
+	memberships, err := s.query.Memberships(ctx, &query.MembershipSearchQuery{
+		Queries: []query.SearchQuery{membershipsUserQuery},
+	})
+	if err != nil {
+		return nil, err
+	}
+	objectDetails, err := s.command.RemoveUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID, memberships.Memberships, userGrantsToIDs(grants.UserGrants)...)
 	if err != nil {
 		return nil, err
 	}
@@ -280,7 +283,7 @@ func (s *Server) RemoveUser(ctx context.Context, req *mgmt_pb.RemoveUserRequest)
 	}, nil
 }
 
-func userGrantsToIDs(userGrants []*grant_model.UserGrantView) []string {
+func userGrantsToIDs(userGrants []*query.UserGrant) []string {
 	converted := make([]string, len(userGrants))
 	for i, grant := range userGrants {
 		converted[i] = grant.ID
@@ -435,7 +438,7 @@ func (s *Server) RemoveHumanAvatar(ctx context.Context, req *mgmt_pb.RemoveHuman
 		return nil, err
 	}
 	return &mgmt_pb.RemoveHumanAvatarResponse{
-		Details: object.DomainToChangeDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
 
@@ -505,7 +508,7 @@ func (s *Server) ListHumanPasswordless(ctx context.Context, req *mgmt_pb.ListHum
 		return nil, err
 	}
 	return &mgmt_pb.ListHumanPasswordlessResponse{
-		Result: user.WebAuthNTokensViewToPb(tokens),
+		Result: user_grpc.WebAuthNTokensViewToPb(tokens),
 	}, nil
 }
 
@@ -516,7 +519,7 @@ func (s *Server) AddPasswordlessRegistration(ctx context.Context, req *mgmt_pb.A
 		return nil, err
 	}
 	return &mgmt_pb.AddPasswordlessRegistrationResponse{
-		Details:    object.AddToDetailsPb(initCode.Sequence, initCode.ChangeDate, initCode.ResourceOwner),
+		Details:    obj_grpc.AddToDetailsPb(initCode.Sequence, initCode.ChangeDate, initCode.ResourceOwner),
 		Link:       initCode.Link(s.systemDefaults.Notifications.Endpoints.PasswordlessRegistration),
 		Expiration: durationpb.New(initCode.Expiration),
 	}, nil
@@ -529,7 +532,7 @@ func (s *Server) SendPasswordlessRegistration(ctx context.Context, req *mgmt_pb.
 		return nil, err
 	}
 	return &mgmt_pb.SendPasswordlessRegistrationResponse{
-		Details: object.AddToDetailsPb(initCode.Sequence, initCode.ChangeDate, initCode.ResourceOwner),
+		Details: obj_grpc.AddToDetailsPb(initCode.Sequence, initCode.ChangeDate, initCode.ResourceOwner),
 	}, nil
 }
 
@@ -606,7 +609,7 @@ func (s *Server) AddMachineKey(ctx context.Context, req *mgmt_pb.AddMachineKeyRe
 	return &mgmt_pb.AddMachineKeyResponse{
 		KeyId:      key.KeyID,
 		KeyDetails: keyDetails,
-		Details: object.AddToDetailsPb(
+		Details: obj_grpc.AddToDetailsPb(
 			key.Sequence,
 			key.ChangeDate,
 			key.ResourceOwner,

internal/api/grpc/management/user_grant.go

@@ -6,31 +6,37 @@ import (
 	"github.com/caos/zitadel/internal/api/authz"
 	obj_grpc "github.com/caos/zitadel/internal/api/grpc/object"
 	"github.com/caos/zitadel/internal/api/grpc/user"
-
+	"github.com/caos/zitadel/internal/query"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )
 
 func (s *Server) GetUserGrantByID(ctx context.Context, req *mgmt_pb.GetUserGrantByIDRequest) (*mgmt_pb.GetUserGrantByIDResponse, error) {
-	grant, err := s.usergrant.UserGrantByID(ctx, req.GrantId)
+	ownerQuery, err := query.NewUserGrantResourceOwnerSearchQuery(authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
+	grant, err := s.query.UserGrantByID(ctx, req.GrantId, ownerQuery)
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.GetUserGrantByIDResponse{
-		UserGrant: user.UserGrantToPb(grant),
+		UserGrant: user.UserGrantToPb(s.assetAPIPrefix, grant),
 	}, nil
 }
 
 func (s *Server) ListUserGrants(ctx context.Context, req *mgmt_pb.ListUserGrantRequest) (*mgmt_pb.ListUserGrantResponse, error) {
-	r := ListUserGrantsRequestToModel(ctx, req)
-	r.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
-	res, err := s.usergrant.SearchUserGrants(ctx, r)
+	queries, err := ListUserGrantsRequestToQuery(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	res, err := s.query.UserGrants(ctx, queries)
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.ListUserGrantResponse{
-		Result: user.UserGrantsToPb(res.Result),
+		Result: user.UserGrantsToPb(s.assetAPIPrefix, res.UserGrants),
 		Details: obj_grpc.ToListDetails(
-			res.TotalResult,
+			res.Count,
 			res.Sequence,
 			res.Timestamp,
 		),

internal/api/grpc/management/user_grant_converter.go

@@ -2,29 +2,51 @@ package management
 
 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	user_grpc "github.com/caos/zitadel/internal/api/grpc/user"
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
-	"github.com/caos/zitadel/internal/usergrant/model"
+	"github.com/caos/zitadel/internal/query"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/caos/zitadel/pkg/grpc/user"
 )
 
-func ListUserGrantsRequestToModel(ctx context.Context, req *mgmt_pb.ListUserGrantRequest) *model.UserGrantSearchRequest {
-	offset, limit, asc := object.ListQueryToModel(req.Query)
-	request := &model.UserGrantSearchRequest{
-		Offset:  offset,
-		Limit:   limit,
-		Asc:     asc,
-		Queries: user_grpc.UserGrantQueriesToModel(req.Queries),
+func ListUserGrantsRequestToQuery(ctx context.Context, req *mgmt_pb.ListUserGrantRequest) (*query.UserGrantsQueries, error) {
+	queries, err := user_grpc.UserGrantQueriesToQuery(ctx, req.Queries)
+	if err != nil {
+		return nil, err
 	}
-	request.Queries = append(request.Queries, &model.UserGrantSearchQuery{
-		Key:    model.UserGrantSearchKeyResourceOwner,
-		Method: domain.SearchMethodEquals,
-		Value:  authz.GetCtxData(ctx).OrgID,
-	})
-	return request
+
+	if shouldAppendUserGrantOwnerQuery(req.Queries) {
+		ownerQuery, err := query.NewUserGrantResourceOwnerSearchQuery(authz.GetCtxData(ctx).OrgID)
+		if err != nil {
+			return nil, err
+		}
+		queries = append(queries, ownerQuery)
+	}
+
+	offset, limit, asc := object.ListQueryToModel(req.Query)
+	request := &query.UserGrantsQueries{
+		SearchRequest: query.SearchRequest{
+			Offset: offset,
+			Limit:  limit,
+			Asc:    asc,
+		},
+		Queries: queries,
+	}
+
+	return request, nil
+}
+
+func shouldAppendUserGrantOwnerQuery(queries []*user.UserGrantQuery) bool {
+	for _, query := range queries {
+		if _, ok := query.Query.(*user.UserGrantQuery_WithGrantedQuery); ok {
+			return false
+		}
+	}
+	return true
 }
 
 func AddUserGrantRequestToDomain(req *mgmt_pb.AddUserGrantRequest) *domain.UserGrant {