TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-14 07:17:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

improve querying

Browse Source
This commit is contained in:
Livio Spring
2025-02-10 09:05:23 +01:00
parent e06d688d08
commit ccfc8fb98d
5 changed files with 222 additions and 183 deletions
Download Patch File Download Diff File Expand all files Collapse all files

212
proto/zitadel/authorizations/v2/authorization.proto
View File

@@ -2,39 +2,105 @@ syntax = "proto3";
package zitadel.authorizations.v2;
import "google/protobuf/timestamp.proto";
import "validate/validate.proto";
import "zitadel/object/v2/object.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/authorizations/v2;authorizations";
message Authorization {
// ID is the unique identifier of the authorization.
string id = 1;
// CreationDate is the timestamp when the authorization was created.
google.protobuf.Timestamp creation_date = 2;
// ChangeDate is the timestamp when the authorization was last updated.
// In case the authorization was not updated, this field is equal to the creation date.
google.protobuf.Timestamp change_date = 3;
// State is the current state of the authorization.
State state = 4;
// UserID represents the ID of the user who was granted the authorization.
string user_id = 5;
// UserOrganisationID represents the ID of the organisation the user is part of.
string user_organization_id = 6;
// UserPreferredLoginName represents the preferred login name of the granted user.
string user_preferred_login_name = 7;
// UserDisplayName represents the public display name of the granted user.
// By default it's the user's given name and family name, their username or their email address.
string user_display_name = 8;
// AvatarURL represents the URL to the public avatar of the granted user.
string avatar_url = 9;
// ProjectID represents the ID of the project the user was granted the authorization for.
string project_id = 10;
// ProjectName represents the name of the project the user was granted the authorization for.
string project_name = 11;
// ProjectGrantID represents the ID of the project grant the user was granted the authorization for.
// This field is only set if the authorization was granted for a project grant and not a project directly.
string project_grant_id = 12;
// OrganizationID represents the ID of the organization the authorization was granted for.
string organization_id = 13;
// OrganizationName represents the name of the organization the authorization was granted for.
string organization_name = 14;
// Roles contains the roles the user was granted for the project or project grant.
repeated Role roles = 15;
}
enum State {
STATE_UNSPECIFIED = 0;
STATE_ACTIVE = 1;
STATE_INACTIVE = 2;
}
message Role {
// Key is the unique identifier of the role.
string key = 1;
// DisplayName is the human readable name of the role.
string display_name = 2;
}
message AuthorizationQuery {
oneof query {
option (validate.required) = true;
// Search for authorizations by their ID.
AuthorizationIDQuery authorization_id_query = 1;
// Search for authorizations by their creation date.
CreationDateQuery creation_date_query = 2;
// Search for authorizations by their change date.
ChangeDateQuery change_date_query = 3;
// Search for authorizations by their state.
StateQuery state_query = 4;
// Search for authorizations by the ID of the user who was granted the authorization.
UserIDQuery user_id_query = 2;
UserIDQuery user_id_query = 5;
// Search for authorizations by the ID of the organisation the user is part of.
UserOrganizationIDQuery user_organization_id_query = 3;
UserOrganizationIDQuery user_organization_id_query = 6;
UserPreferredLoginNameQuery user_preferred_login_name_query = 7;
UserDisplayNameQuery user_display_name_query = 8;
// Search for authorizations by the ID of the project the user was granted the authorization for.
ProjectIDQuery project_id_query = 4;
ProjectIDQuery project_id_query = 9;
ProjectNameQuery project_name_query = 10;
// Search for authorizations by the ID of the project grant the user was granted the authorization for.
ProjectGrantIDQuery project_grant_id_query = 5;
ProjectGrantIDQuery project_grant_id_query = 11;
// Search for authorizations by the ID of the organization the authorization was granted for.
// This can either be the organization the project or the project grant is part of.
OrganizationIDQuery organization_id_query = 12;
OrganizationNameQuery organization_name_query = 13;
// Search for authorizations by the key of the role the user was granted.
RoleKeyQuery role_key_query = 6;
RoleKeyQuery role_key_query = 14;
// UserGrantProjectIDQuery project_id_query = 1;
// UserGrantUserIDQuery user_id_query = 2;
// UserGrantWithGrantedQuery with_granted_query = 3;
// UserGrantRoleKeyQuery role_key_query = 4;
// UserGrantProjectGrantIDQuery project_grant_id_query = 5;
// UserGrantUserNameQuery user_name_query = 6;
// Combine multiple authorization queries with an AND operation.
AndQuery and_query = 15;
// Combine multiple authorization queries with an OR operation.
// For example, to search for authorizations of multiple OrganizationIDs.
OrQuery or_query = 16;
// Negate an authorization query.
NotQuery not_query = 17;
// UserGrantWithGrantedQuery with_granted_query = 3; searched for the oauthz.OrganizationID as ro
// UserGrantUserNameQuery user_name_query = 6; ??
// UserGrantFirstNameQuery first_name_query = 7;
// UserGrantLastNameQuery last_name_query = 8;
// UserGrantEmailQuery email_query = 9;
// UserGrantOrgNameQuery org_name_query = 10;
// UserGrantOrgDomainQuery org_domain_query = 11;
// UserGrantProjectNameQuery project_name_query = 12;
// UserGrantDisplayNameQuery display_name_query = 13;
// UserGrantUserTypeQuery user_type_query = 14;
}
}
@@ -46,7 +112,31 @@ message AuthorizationIDQuery {
}];
}
message CreationDateQuery {
// Specify the creation date of the authorization to search for.
google.protobuf.Timestamp creation_date = 1;
// Specify the method to search for the creation date. Default is EQUAL.
// For example, to search for all authorizations created after a specific date, use GREATER_THAN.
// To search for all authorizations created before a specific date, use LESS_THAN.
zitadel.object.v2.TimestampQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message ChangeDateQuery {
// Specify the change date of the authorization to search for.
google.protobuf.Timestamp change_date = 1;
// Specify the method to search for the change date. Default is EQUAL.
// For example, to search for all authorizations changed after a specific date, use GREATER_THAN.
// To search for all authorizations changed before a specific date, use LESS_THAN.
zitadel.object.v2.TimestampQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message StateQuery {
// Specify the state of the authorization to search for.
State state = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
}
message UserIDQuery {
// Specify the ID of the user who was granted the authorization to search for.
string user_id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
@@ -54,51 +144,101 @@ message UserIDQuery {
}
message UserOrganizationIDQuery {
// Specify the ID of the organization the user is part of to search for.
// Note that this might not be the organization the authorization was granted for.
string user_organization_id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
}
message UserPreferredLoginNameQuery {
// Specify the preferred login name of the granted user to search for.
string user_preferred_login_name = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
// Specify the method to search for the preferred login name. Default is EQUAL.
// For example, to search for all authorizations with a preferred login name containing a specific string,
// use CONTAINS or CONTAINS_IGNORE_CASE.
zitadel.object.v2.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message UserDisplayNameQuery {
// Specify the public display name of the granted user to search for.
string user_display_name = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
// Specify the method to search for the display name. Default is EQUAL.
// For example, to search for all authorizations with a display name containing a specific string,
// use CONTAINS or CONTAINS_IGNORE_CASE.
zitadel.object.v2.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message ProjectIDQuery {
// Specify the ID of the project the user was granted the authorization for to search for.
// Note that this will also include authorizations granted for project grants of the same project.
string project_id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
}
message ProjectNameQuery {
// Specify the name of the project the user was granted the authorization for to search for.
// Note that this will also include authorizations granted for project grants of the same project.
string project_name = 1 [(validate.rules).string = {max_len: 200}];
// Specify the method to search for the project name. Default is EQUAL.
// For example, to search for all authorizations with a project name containing a specific string,
// use CONTAINS or CONTAINS_IGNORE_CASE.
zitadel.object.v2.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message ProjectGrantIDQuery {
// Specify the ID of the project grant the user was granted the authorization for to search for.
string project_grant_id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
}
message RoleKeyQuery {
string role_key = 1 [(validate.rules).string = {max_len: 200}];
message OrganizationIDQuery {
// Specify the ID of the organization the authorization was granted for to search for.
// This can either be the organization the project or the project grant is part of.
string organization_id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
}
message OrganizationNameQuery {
// Specify the name of the organization the authorization was granted for to search for.
// This can either be the organization the project or the project grant is part of.
string organization_name = 1 [(validate.rules).string = {max_len: 200}];
// Specify the method to search for the organization name. Default is EQUAL.
// For example, to search for all authorizations with an organization name containing a specific string,
// use CONTAINS or CONTAINS_IGNORE_CASE.
zitadel.object.v2.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message Authorization {
// ID is the unique identifier of the authorization.
string id = 1;
// UserID represents the ID of the user who was granted the authorization.
string user_id = 2;
// UserOrganisationID represents the ID of the organisation the user is part of.
string user_organization_id = 3;
// ProjectID represents the ID of the project the user was granted the authorization for.
string project_id = 4;
// ProjectGrantID represents the ID of the project grant the user was granted the authorization for.
// This field is only set if the authorization was granted for a project grant and not a project directly.
string project_grant_id = 5;
// Roles contains the roles the user was granted for the project or project grant.
repeated Role roles = 6;
message RoleKeyQuery {
// Specify the key of the role the user was granted to search for.
string role_key = 1 [(validate.rules).string = {max_len: 200}];
// Specify the method to search for the role key. Default is EQUAL.
// For example, to search for all authorizations starting with a specific role key,
// use STARTS_WITH or STARTS_WITH_IGNORE_CASE.
zitadel.object.v2.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message Role {
// Key is the unique identifier of the role.
string key = 1;
// DisplayName is the human readable name of the role.
string display_name = 2;
message AndQuery {
repeated AuthorizationQuery queries = 1;
}
message OrQuery {
repeated AuthorizationQuery queries = 1;
}
message NotQuery {
AuthorizationQuery query = 1;
}

8
proto/zitadel/authorizations/v2/authorization_service.proto
View File

@@ -7,6 +7,8 @@ import "validate/validate.proto";
import "zitadel/object/v2/object.proto";
import "zitadel/authorizations/v2/authorization.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/authorizations/v2;authorizations";
// AuthorizationService provides methods to manage authorizations for users within your projects and applications.
//
// For managing permissions and roles for ZITADEL internal resources, like organizations, projects,
@@ -52,7 +54,7 @@ service AuthorizationsService {
}
message ListAuthorizationsRequest {
// Paginate through the results using a limit.
// Paginate through the results using a limit, offset and sorting.
zitadel.object.v2.ListQuery query = 1;
// Filter the authorizations to be returned.
repeated AuthorizationQuery queries = 2;
@@ -82,7 +84,7 @@ message CreateAuthorizationRequest {
min_len: 1
max_len: 200
}];
// Grant on either the project directly or on a project grant.
// Grant on either the project directly or on a project grant by their IDs.
oneof grant {
option (validate.required) = true;
@@ -141,7 +143,7 @@ message UpdateAuthorizationResponse {
}
message DeleteAuthorizationRequest {
// ID is the unique identifier of the authorization.
// ID is the unique identifier of the authorization that should be deleted.
string id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200

20
proto/zitadel/object/v2/object.proto
View File

@@ -30,29 +30,25 @@ message RequestContext {
}
}
// ListQuery is a general query object for lists to allow pagination and sorting.
message ListQuery {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
title: "General List Query"
description: "Object unspecific list filters like offset, limit and asc/desc."
}
};
uint64 offset = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"0\"";
}
];
// limit is the maximum amount of objects returned. The default is set to 100
// with a maximum of 1000 in the runtime configuration.
// If the limit exceeds the maximum configured ZITADEL will throw an error.
// If no limit is present the default is taken.
uint32 limit = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "100";
description: "Maximum amount of events returned. The default is set to 1000 in https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml. If the limit exceeds the maximum configured ZITADEL will throw an error. If no limit is present the default is taken.";
}
];
bool asc = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "default is descending"
}
];
// Asc is the sorting order. If true the list is sorted ascending, if false
// the list is sorted descending. The default is descending.
bool asc = 3;
}
message Details {

119
proto/zitadel/permissions/v2/manager.proto
View File

@@ -1,41 +1,23 @@
syntax = "proto3";
import "google/protobuf/timestamp.proto";
import "validate/validate.proto";
import "zitadel/object/v2/object.proto";
package zitadel.permissions.v2;
/*
message Manager2 {
// ID is the unique identifier of the manager role.
string id = 1;
// UserID is the ID of the user who was granted the manager role.
oneof user {
string user_id = 2;
User expanded = 3;
}
repeated string roles = 4;
oneof managerType {
// InstanceManager is the manager role for the instance.
InstanceManager instance_manager = 3;
// OrganizationManager is the manager role for the organization.
OrganizationManager organization_manager = 4;
// ProjectManager is the manager role for the project.
ProjectManager project_manager = 5;
// ProjectGrantManager is the manager role for the project grant.
ProjectGrantManager project_grant_manager = 6;
}
}
*/
option go_package = "github.com/zitadel/zitadel/pkg/grpc/permissions/v2;permissions";
message Manager {
// ID is the unique identifier of the manager role.
string id = 1;
// CreationDate is the timestamp when the manager role was granted.
google.protobuf.Timestamp creation_date = 2;
// ChangeDate is the timestamp when the manager role was last updated.
// In case the manager role was not updated, this field is equal to the creation date.
google.protobuf.Timestamp change_date = 3;
// User is the user who was granted the manager role.
User user = 2;
User user = 4;
// string user_id = 3;
// string user_preferred_login_name = 4;
// string user_display_name = 5;
@@ -44,22 +26,22 @@ message Manager {
// Resource is the type of the resource the manager roles were granted for.
oneof resource {
// Instance is returned if the manager roles were granted on the instance level.
bool instance = 3;
bool instance = 5;
// Organization provides information about the organization the manager roles were granted for.
Organization organization = 4;
Organization organization = 6;
// Project provides information about the project the manager roles were granted for.
Project project = 5;
Project project = 7;
// ProjectGrant provides information about the project grant the manager roles were granted for.
ProjectGrant project_grant = 6;
ProjectGrant project_grant = 8;
}
// Roles are the roles that were granted to the user for the specified resource.
repeated string roles = 7;
repeated string roles = 9;
}
message User {
// ID is the unique identifier of the user.
string id = 1;
// PreferredLoginName is the preferred login name of the user. This value is unique across the whole instance..
// PreferredLoginName is the preferred login name of the user. This value is unique across the whole instance.
string preferred_login_name = 2;
// DisplayName is the public display name of the user.
// By default it's the user's given name and family name, their username or their email address.
@@ -97,79 +79,6 @@ message ProjectGrant {
string organization_id = 4;
}
/*
message SetInstanceManager {
// Roles are the roles that should be granted to the user.
repeated string roles = 1 [(validate.rules).repeated = {
unique: true
items: {
string: {
min_len: 1
max_len: 200
prefix: "IAM_" // TODO: do we want to limit here as well?
}
}
}];
}
message SetOrganizationManager {
// OrganizationID is the ID of the organization the user should be granted the manager role for.
string organization_id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
// Roles are the roles that should be granted to the user within the specified organization.
repeated string roles = 2 [(validate.rules).repeated = {
unique: true
items: {
string: {
min_len: 1
max_len: 200
prefix: "ORG_" // TODO: do we want to limit here as well?
}
}
}];
}
message SetProjectManager {
// ProjectID is the ID of the project the user should be granted the manager role for.
string project_id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
// Roles are the roles that should be granted to the user within the specified project.
repeated string roles = 2 [(validate.rules).repeated = {
unique: true
items: {
string: {
min_len: 1
max_len: 200
prefix: "PROJECT_" // TODO: do we want to limit here as well?
}
}
}];
}
message SetProjectGrantManager {
// ProjectGrantID is the ID of the project grant the user should be granted the manager role for.
string project_grant_id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
// Roles are the roles that should be granted to the user within the specified project grant.
repeated string roles = 2 [(validate.rules).repeated = {
unique: true
items: {
string: {
min_len: 1
max_len: 200
prefix: "PROJECT_GRANT_" // TODO: do we want to limit here as well?
}
}
}];
}
*/
message ManagerQuery {
oneof query {
option (validate.required) = true;

46
proto/zitadel/permissions/v2/permission_service.proto
View File

@@ -7,6 +7,8 @@ import "validate/validate.proto";
import "zitadel/object/v2/object.proto";
import "zitadel/permissions/v2/manager.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/permissions/v2;permissions";
// PermissionsService provides methods to manage permissions for resource
// and their management in ZITADEL itself.
//
@@ -23,6 +25,7 @@ service PermissionsService {
// - "user.membership.read" TODO: only this required?
// - no permissions required for listing own manager roles
rpc ListManagers(ListManagersRequest) returns (ListManagersResponse) {}
// GetManager returns the manager role by its ID.
//
// Required permissions depend on the resource type:
@@ -33,7 +36,12 @@ service PermissionsService {
// - "user.membership.read" TODO: only this required?
// - no permissions required for getting own manager roles
rpc GetManager(GetManagerRequest) returns (GetManagerResponse) {}
// CreateManager grants a manager role to a user.
// CreateManager grants a manager role to a user for a specific resource.
//
// Note that the roles are specific to the resource type.
// This means that if you want to grant a user the manager role for an organization and a project,
// you need to create two manager roles.
//
// Required permissions depend on the resource type:
// - "iam.member.write" for instance managers
@@ -41,7 +49,8 @@ service PermissionsService {
// - "project.member.write" for project managers
// - "project.grant.member.write" for project grant managers
rpc CreateManager(CreateManagerRequest) returns (CreateManagerResponse) {}
// UpdateManager updates the manager role.
// UpdateManager updates the specific manager role.
//
// Note that any role previously granted to the user and not present in the request will be revoked.
//
@@ -51,9 +60,12 @@ service PermissionsService {
// - "project.member.write" for project managers
// - "project.grant.member.write" for project grant managers
rpc UpdateManager(UpdateManagerRequest) returns (UpdateManagerResponse) {}
// DeleteManager revokes a manager role from a user.
//
// Note that the deletion is only guaranteed to be successful if the user has the required permissions.
// In case the manager role is not found, the request will return a successful response as
// the desired state is already achieved.
// You can check the deletion date in the response to verify if the manager role was deleted during the request.
//
// Required permissions depend on the resource type:
// - "iam.member.delete" for instance managers
@@ -64,17 +76,10 @@ service PermissionsService {
}
message ListManagersRequest {
// Paginate through the results using a limit.
// Paginate through the results using a limit, offset and sorting.
zitadel.object.v2.ListQuery query = 1;
// Filter the manager roles to be returned.
repeated ManagerQuery queries = 2;
repeated Expand expand = 3; // TODO: ?
}
enum Expand {
EXPAND_UNSPECIFIED = 0;
EXPAND_USER = 1;
EXPAND_RESOURCE = 2;
}
message ListManagersResponse {
@@ -95,22 +100,6 @@ message GetManagerResponse {
Manager manager = 1;
}
/*
message CreateManagerRequest {
// UserID is the ID of the user who should be granted the manager role.
string user_id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
oneof managerType {
SetInstanceManager instance_manager = 2;
SetOrganizationManager organization_manager = 3;
SetProjectManager project_manager = 4;
SetProjectGrantManager project_grant_manager = 5;
}
}
*/
message CreateManagerRequest {
// UserID is the ID of the user who should be granted the manager role.
string user_id = 1 [(validate.rules).string = {
@@ -131,6 +120,9 @@ message CreateManagerRequest {
string project_grant_id = 5;
}
// Roles are the roles that should be granted to the user for the specified resource.
// Note that roles are currently specific to the resource type.
// This means that if you want to grant a user the manager role for an organization and a project,
// you need to create two manager roles.
repeated string roles = 6 [(validate.rules).repeated = {
unique: true
items: {