From cfdb8c3301d89265cc20f871e7cb6e9811f7d9c2 Mon Sep 17 00:00:00 2001 From: Livio Amstutz Date: Fri, 12 Nov 2021 15:06:26 +0100 Subject: [PATCH] fix: mitigate overload risk in processProject on user memberships (#2665) --- .../eventsourcing/handler/user_membership.go | 10 +++++++--- .../eventsourcing/handler/user_membership.go | 10 +++++++--- .../eventsourcing/handler/user_membership.go | 15 ++++++++++++--- .../org/repository/eventsourcing/model/org.go | 6 +++--- 4 files changed, 29 insertions(+), 12 deletions(-) diff --git a/internal/auth/repository/eventsourcing/handler/user_membership.go b/internal/auth/repository/eventsourcing/handler/user_membership.go index ca3f27adbf..d18c246abb 100644 --- a/internal/auth/repository/eventsourcing/handler/user_membership.go +++ b/internal/auth/repository/eventsourcing/handler/user_membership.go @@ -2,11 +2,11 @@ package handler import ( "context" - "github.com/caos/zitadel/internal/eventstore/v1" "github.com/caos/logging" "github.com/caos/zitadel/internal/errors" + v1 "github.com/caos/zitadel/internal/eventstore/v1" es_models "github.com/caos/zitadel/internal/eventstore/v1/models" "github.com/caos/zitadel/internal/eventstore/v1/query" es_sdk "github.com/caos/zitadel/internal/eventstore/v1/sdk" @@ -245,17 +245,21 @@ func (m *UserMembership) fillProjectDisplayName(member *usr_es_model.UserMembers } func (m *UserMembership) updateProjectDisplayName(event *es_models.Event) error { - project, err := m.getProjectByID(context.Background(), event.AggregateID) + proj := new(proj_es_model.Project) + err := proj.SetData(event) if err != nil { return err } + if proj.Name == "" { + return m.view.ProcessedUserMembershipSequence(event) + } memberships, err := m.view.UserMembershipsByAggregateID(event.AggregateID) if err != nil { return err } for _, membership := range memberships { - membership.DisplayName = project.Name + membership.DisplayName = proj.Name } return m.view.BulkPutUserMemberships(memberships, event) } 
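Review bot: The new `if proj.Name == "" {` guard in updateProjectDisplayName is undocumented, yet it is the only thing that separates "this event did not touch the name" from writing an empty display name to every membership. I would put `// payload has no name: nothing to propagate, just advance the sequence` above it. The name now comes only from `proj.SetData(event)` rather than the loaded aggregate, so an event with an empty or malformed payload presumably returns an error here instead of being skipped; which event types are routed to this function is outside the hunk and worth confirming. The identical hunks in the authz and management handlers, and updateOrgDisplayName in the management handler, have the same gap.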
diff --git a/internal/authz/repository/eventsourcing/handler/user_membership.go b/internal/authz/repository/eventsourcing/handler/user_membership.go index c6dbf9dc7e..75881d531b 100644 --- a/internal/authz/repository/eventsourcing/handler/user_membership.go +++ b/internal/authz/repository/eventsourcing/handler/user_membership.go @@ -2,11 +2,11 @@ package handler import ( "context" - "github.com/caos/zitadel/internal/eventstore/v1" "github.com/caos/logging" "github.com/caos/zitadel/internal/errors" + v1 "github.com/caos/zitadel/internal/eventstore/v1" es_models "github.com/caos/zitadel/internal/eventstore/v1/models" "github.com/caos/zitadel/internal/eventstore/v1/query" es_sdk "github.com/caos/zitadel/internal/eventstore/v1/sdk" @@ -244,17 +244,21 @@ func (m *UserMembership) fillProjectDisplayName(member *usr_es_model.UserMembers } func (m *UserMembership) updateProjectDisplayName(event *es_models.Event) error { - project, err := m.getProjectByID(context.Background(), event.AggregateID) + proj := new(proj_es_model.Project) + err := proj.SetData(event) if err != nil { return err } + if proj.Name == "" { + return m.view.ProcessedUserMembershipSequence(event) + } memberships, err := m.view.UserMembershipsByAggregateID(event.AggregateID) if err != nil { return err } for _, membership := range memberships { - membership.DisplayName = project.Name + membership.DisplayName = proj.Name } return m.view.BulkPutUserMemberships(memberships, event) } diff --git a/internal/management/repository/eventsourcing/handler/user_membership.go b/internal/management/repository/eventsourcing/handler/user_membership.go index 838b4012e8..c55ca442fb 100644 --- a/internal/management/repository/eventsourcing/handler/user_membership.go +++ b/internal/management/repository/eventsourcing/handler/user_membership.go 
@@ -4,6 +4,7 @@ import ( "context" "github.com/caos/logging" + caos_errs "github.com/caos/zitadel/internal/errors" v1 "github.com/caos/zitadel/internal/eventstore/v1" es_models "github.com/caos/zitadel/internal/eventstore/v1/models" @@ -165,10 +166,14 @@ func (m *UserMembership) fillOrgDisplayName(member *usr_es_model.UserMembershipV } func (m *UserMembership) updateOrgDisplayName(event *es_models.Event) error { - org, err := m.getOrgByID(context.Background(), event.AggregateID) + org := new(org_es_model.Org) + err := org.SetData(event) if err != nil { return err } + if org.Name == "" { + return m.view.ProcessedUserMembershipSequence(event) + } memberships, err := m.view.UserMembershipsByAggregateID(event.AggregateID) if err != nil { @@ -231,17 +236,21 @@ func (m *UserMembership) fillProjectDisplayName(member *usr_es_model.UserMembers } func (m *UserMembership) updateProjectDisplayName(event *es_models.Event) error { - project, err := m.getProjectByID(context.Background(), event.AggregateID) + proj := new(proj_es_model.Project) + err := proj.SetData(event) if err != nil { return err } + if proj.Name == "" { + return m.view.ProcessedUserMembershipSequence(event) + } memberships, err := m.view.UserMembershipsByAggregateID(event.AggregateID) if err != nil { return err } for _, membership := range memberships { - membership.DisplayName = project.Name + membership.DisplayName = proj.Name } return m.view.BulkPutUserMemberships(memberships, event) } diff --git a/internal/org/repository/eventsourcing/model/org.go b/internal/org/repository/eventsourcing/model/org.go index 4da9dd4842..222ef035f9 100644 --- a/internal/org/repository/eventsourcing/model/org.go +++ b/internal/org/repository/eventsourcing/model/org.go 
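Review bot: In updateOrgDisplayName the aggregate reload is gone, but `m.view.UserMembershipsByAggregateID(event.AggregateID)` still reads every membership of the aggregate in one call, so the cost of a single rename still grows with the member count. The project variants in all three handlers do the same and then rewrite every row through `BulkPutUserMemberships`. If that remaining cost is accepted, say so next to the query, e.g. `// loads all memberships of the aggregate; cost scales with member count`. The tail of updateOrgDisplayName, including its loop, lies outside the hunk, so whether it writes in one batch is not visible here.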
@@ -87,12 +87,12 @@ func (o *Org) AppendEvents(events ...*es_models.Event) error { func (o *Org) AppendEvent(event *es_models.Event) (err error) { switch event.Type { case OrgAdded: - err = o.setData(event) + err = o.SetData(event) if err != nil { return err } case OrgChanged: - err = o.setData(event) + err = o.SetData(event) if err != nil { return err } @@ -210,7 +210,7 @@ func (o *Org) AppendEvent(event *es_models.Event) (err error) { return nil } -func (o *Org) setData(event *es_models.Event) error { +func (o *Org) SetData(event *es_models.Event) error { err := json.Unmarshal(event.Data, o) if err != nil { return errors.ThrowInternal(err, "EVENT-BpbQZ", "unable to unmarshal event")
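Review bot: `SetData` is now exported but has no doc comment, and its contract is easy to misread from other packages: it unmarshals `event.Data` onto the receiver without looking at `event.Type`. I would add `// SetData unmarshals the event payload into o; fields absent from the payload keep their current value.` above the definition, so callers such as the membership handlers know that an empty `Name` on a fresh `Org` means the name was not in this event. The function body continues past the end of the hunk.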