TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-02-28 20:27:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: User checks (#139)

Browse Source 
* check uniqueness on create and register user

* change user email, reserve release unique email

* usergrant unique aggregate

* usergrant uniqueness

* validate UserGrant

* fix tests
This commit is contained in:
Fabi 2020-05-28 06:49:22 +02:00 committed by GitHub
parent 71626f25f3
commit d447f68d78
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 453 additions and 129 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
internal/admin/repository/eventsourcing/eventstore/org.go
View File

@ -29,12 +29,12 @@ func (repo *OrgRepo) SetUpOrg(ctx context.Context, setUp *admin_model.SetupOrg)
return nil, err
}
user, userAggregate, err := repo.UserEventstore.PrepareCreateUser(ctx, setUp.User, org.AggregateID)
user, userAggregates, err := repo.UserEventstore.PrepareCreateUser(ctx, setUp.User, org.AggregateID)
if err != nil {
return nil, err
}
aggregates = append(aggregates, userAggregate)
aggregates = append(aggregates, userAggregates...)
setupModel := &Setup{Org: org, User: user}
member := org_model.NewOrgMemberWithRoles(org.AggregateID, user.AggregateID, "ORG_ADMIN") //TODO: role as const

2
internal/auth/repository/eventsourcing/handler/user.go
View File

@ -60,7 +60,7 @@ func (p *User) Process(event *models.Event) (err error) {
return err
}
err = user.AppendEvent(event)
case es_model.UserDeleted:
case es_model.UserRemoved:
err = p.view.DeleteUser(event.AggregateID, event.Sequence)
default:
return p.view.ProcessedUserSequence(event.Sequence)

1
internal/eventstore/eventstore.go
View File

@ -41,7 +41,6 @@ func (es *eventstore) PushAggregates(ctx context.Context, aggregates ...*models.
if err != nil {
return err
}
return nil
}

2
internal/management/repository/eventsourcing/handler/user.go
View File

@ -60,7 +60,7 @@ func (p *User) Process(event *models.Event) (err error) {
return err
}
err = user.AppendEvent(event)
case es_model.UserDeleted:
case es_model.UserRemoved:
err = p.view.DeleteUser(event.AggregateID, event.Sequence)
default:
return p.view.ProcessedUserSequence(event.Sequence)

2
internal/notification/repository/eventsourcing/handler/notify_user.go
View File

@ -52,7 +52,7 @@ func (p *NotifyUser) Process(event *models.Event) (err error) {
return err
}
err = user.AppendEvent(event)
case es_model.UserDeleted:
case es_model.UserRemoved:
err = p.view.DeleteNotifyUser(event.AggregateID, event.Sequence)
default:
return p.view.ProcessedNotifyUserSequence(event.Sequence)

1
internal/org/model/types.go
View File

@ -11,6 +11,7 @@ const (
OrgChanged models.EventType = "org.changed"
OrgDeactivated models.EventType = "org.deactivated"
OrgReactivated models.EventType = "org.reactivated"
OrgRemoved models.EventType = "org.removed"
OrgNameReserved models.EventType = "org.name.reserved"
OrgNameReleased models.EventType = "org.name.released"

2
internal/org/repository/eventsourcing/org_member.go
View File

@ -20,7 +20,7 @@ func orgMemberAddedAggregate(ctx context.Context, aggCreator *es_models.Aggregat
}
validationQuery := es_models.NewSearchQuery().
AggregateTypeFilter("org", "user").
AggregateTypeFilter(org_model.OrgAggregate, usr_model.UserAggregate).
AggregateIDsFilter(member.AggregateID, member.UserID)
validation := addMemberValidation(aggregate, member)

1
internal/project/model/project.go
View File

@ -20,6 +20,7 @@ type ProjectState int32
const (
PROJECTSTATE_ACTIVE ProjectState = iota
PROJECTSTATE_INACTIVE
PROJECTSTATE_REMOVED
)
func NewProject(id string) *Project {

7
internal/project/repository/eventsourcing/model/project.go
View File

@ -88,6 +88,8 @@ func (p *Project) AppendEvent(event *es_models.Event) error {
return p.appendDeactivatedEvent()
case ProjectReactivated:
return p.appendReactivatedEvent()
case ProjectRemoved:
return p.appendRemovedEvent()
case ProjectMemberAdded:
return p.appendAddMemberEvent(event)
case ProjectMemberChanged:
@ -150,6 +152,11 @@ func (p *Project) appendReactivatedEvent() error {
return nil
}
func (p *Project) appendRemovedEvent() error {
p.State = int32(model.PROJECTSTATE_REMOVED)
return nil
}
func (p *Project) setData(event *es_models.Event) error {
if err := json.Unmarshal(event.Data, p); err != nil {
logging.Log("EVEN-lo9sr").WithError(err).Error("could not unmarshal event data")

9
internal/project/repository/eventsourcing/model/project_grant.go
View File

@ -31,6 +31,15 @@ func GetProjectGrant(grants []*ProjectGrant, id string) (int, *ProjectGrant) {
return -1, nil
}
func GetProjectGrantByResourceOwner(grants []*ProjectGrant, resourceOwner string) (int, *ProjectGrant) {
for i, g := range grants {
if g.ResourceOwner == resourceOwner {
return i, g
}
}
return -1, nil
}
func (g *ProjectGrant) Changes(changed *ProjectGrant) map[string]interface{} {
changes := make(map[string]interface{}, 1)
changes["grantId"] = g.GrantID

1
internal/project/repository/eventsourcing/model/types.go
View File

@ -9,6 +9,7 @@ const (
ProjectChanged models.EventType = "project.changed"
ProjectDeactivated models.EventType = "project.deactivated"
ProjectReactivated models.EventType = "project.reactivated"
ProjectRemoved models.EventType = "project.removed"
ProjectMemberAdded models.EventType = "project.member.added"
ProjectMemberChanged models.EventType = "project.member.changed"

29
internal/user/repository/eventsourcing/eventstore.go
View File

@ -90,12 +90,11 @@ func (es *UserEventstore) UserByID(ctx context.Context, id string) (*usr_model.U
return model.UserToModel(user), nil
}
func (es *UserEventstore) PrepareCreateUser(ctx context.Context, user *usr_model.User, resourceOwner string) (*model.User, *es_models.Aggregate, error) {
func (es *UserEventstore) PrepareCreateUser(ctx context.Context, user *usr_model.User, resourceOwner string) (*model.User, []*es_models.Aggregate, error) {
user.SetEmailAsUsername()
if !user.IsValid() {
return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-9dk45", "User is invalid")
}
//TODO: Check Uniqueness
id, err := es.idGenerator.NextID()
if err != nil {
return nil, nil, err
@ -119,18 +118,18 @@ func (es *UserEventstore) PrepareCreateUser(ctx context.Context, user *usr_model
repoInitCode := model.InitCodeFromModel(user.InitCode)
repoPhoneCode := model.PhoneCodeFromModel(user.PhoneCode)
createAggregate, err := UserCreateAggregate(ctx, es.AggregateCreator(), repoUser, repoInitCode, repoPhoneCode, resourceOwner)
createAggregates, err := UserCreateAggregate(ctx, es.AggregateCreator(), repoUser, repoInitCode, repoPhoneCode, resourceOwner)
return repoUser, createAggregate, err
return repoUser, createAggregates, err
}
func (es *UserEventstore) CreateUser(ctx context.Context, user *usr_model.User) (*usr_model.User, error) {
repoUser, aggregate, err := es.PrepareCreateUser(ctx, user, "")
repoUser, aggregates, err := es.PrepareCreateUser(ctx, user, "")
if err != nil {
return nil, err
}
err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoUser.AppendEvents, aggregate)
err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoUser.AppendEvents, aggregates...)
if err != nil {
return nil, err
}
@ -139,12 +138,11 @@ func (es *UserEventstore) CreateUser(ctx context.Context, user *usr_model.User)
return model.UserToModel(repoUser), nil
}
func (es *UserEventstore) PrepareRegisterUser(ctx context.Context, user *usr_model.User, resourceOwner string) (*model.User, *es_models.Aggregate, error) {
func (es *UserEventstore) PrepareRegisterUser(ctx context.Context, user *usr_model.User, resourceOwner string) (*model.User, []*es_models.Aggregate, error) {
user.SetEmailAsUsername()
if !user.IsValid() || user.Password == nil || user.SecretString == "" {
return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-9dk45", "user is invalid")
}
//TODO: Check Uniqueness
id, err := es.idGenerator.NextID()
if err != nil {
return nil, nil, err
@ -163,17 +161,17 @@ func (es *UserEventstore) PrepareRegisterUser(ctx context.Context, user *usr_mod
repoUser := model.UserFromModel(user)
repoEmailCode := model.EmailCodeFromModel(user.EmailCode)
aggregate, err := UserRegisterAggregate(ctx, es.AggregateCreator(), repoUser, resourceOwner, repoEmailCode)
return repoUser, aggregate, err
aggregates, err := UserRegisterAggregate(ctx, es.AggregateCreator(), repoUser, resourceOwner, repoEmailCode)
return repoUser, aggregates, err
}
func (es *UserEventstore) RegisterUser(ctx context.Context, user *usr_model.User, resourceOwner string) (*usr_model.User, error) {
repoUser, createAggregate, err := es.PrepareRegisterUser(ctx, user, resourceOwner)
repoUser, createAggregates, err := es.PrepareRegisterUser(ctx, user, resourceOwner)
if err != nil {
return nil, err
}
err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoUser.AppendEvents, createAggregate)
err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoUser.AppendEvents, createAggregates...)
if err != nil {
return nil, err
}
@ -550,8 +548,11 @@ func (es *UserEventstore) ChangeEmail(ctx context.Context, email *usr_model.Emai
repoNew := model.EmailFromModel(email)
repoEmailCode := model.EmailCodeFromModel(emailCode)
updateAggregate := EmailChangeAggregate(es.AggregateCreator(), repoExisting, repoNew, repoEmailCode)
err = es_sdk.Push(ctx, es.PushAggregates, repoExisting.AppendEvents, updateAggregate)
updateAggregates, err := EmailChangeAggregate(ctx, es.AggregateCreator(), repoExisting, repoNew, repoEmailCode)
if err != nil {
return nil, err
}
err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoExisting.AppendEvents, updateAggregates...)
if err != nil {
return nil, err
}

2
internal/user/repository/eventsourcing/model/types.go
View File

@ -21,7 +21,7 @@ const (
UserUnlocked models.EventType = "user.unlocked"
UserDeactivated models.EventType = "user.deactivated"
UserReactivated models.EventType = "user.reactivated"
UserDeleted models.EventType = "user.deleted"
UserRemoved models.EventType = "user.removed"
UserPasswordChanged models.EventType = "user.password.changed"
UserPasswordCodeAdded models.EventType = "user.password.code.added"

199
internal/user/repository/eventsourcing/user.go
View File

@ -2,7 +2,6 @@ package eventsourcing
import (
"context"
"github.com/caos/zitadel/internal/errors"
es_models "github.com/caos/zitadel/internal/eventstore/models"
es_sdk "github.com/caos/zitadel/internal/eventstore/sdk"
@ -23,6 +22,22 @@ func UserQuery(latestSequence uint64) *es_models.SearchQuery {
LatestSequenceFilter(latestSequence)
}
func UserUserNameUniqueQuery(userName string) *es_models.SearchQuery {
return es_models.NewSearchQuery().
AggregateTypeFilter(model.UserUserNameAggregate).
AggregateIDFilter(userName).
OrderDesc().
SetLimit(1)
}
func UserEmailUniqueQuery(email string) *es_models.SearchQuery {
return es_models.NewSearchQuery().
AggregateTypeFilter(model.UserEmailAggregate).
AggregateIDFilter(email).
OrderDesc().
SetLimit(1)
}
func UserAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, user *model.User) (*es_models.Aggregate, error) {
if user == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-dis83", "existing user should not be nil")
@ -38,11 +53,12 @@ func UserAggregateOverwriteContext(ctx context.Context, aggCreator *es_models.Ag
return aggCreator.NewAggregate(ctx, user.AggregateID, model.UserAggregate, model.UserVersion, user.Sequence, es_models.OverwriteResourceOwner(resourceOwnerID), es_models.OverwriteEditorUser(userID))
}
func UserCreateAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, user *model.User, initCode *model.InitUserCode, phoneCode *model.PhoneCode, resourceOwner string) (agg *es_models.Aggregate, err error) {
func UserCreateAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, user *model.User, initCode *model.InitUserCode, phoneCode *model.PhoneCode, resourceOwner string) (_ []*es_models.Aggregate, err error) {
if user == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-duxk2", "user should not be nil")
}
var agg *es_models.Aggregate
if resourceOwner != "" {
agg, err = UserAggregateOverwriteContext(ctx, aggCreator, user, user.AggregateID, resourceOwner)
} else {
@ -80,10 +96,18 @@ func UserCreateAggregate(ctx context.Context, aggCreator *es_models.AggregateCre
return nil, err
}
}
return agg, err
uniqueAggregates, err := getUniqueUserAggregates(ctx, aggCreator, user, resourceOwner)
if err != nil {
return nil, err
}
return []*es_models.Aggregate{
agg,
uniqueAggregates[0],
uniqueAggregates[1],
}, nil
}
func UserRegisterAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, user *model.User, resourceOwner string, emailCode *model.EmailCode) (*es_models.Aggregate, error) {
func UserRegisterAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, user *model.User, resourceOwner string, emailCode *model.EmailCode) ([]*es_models.Aggregate, error) {
if user == nil || resourceOwner == "" || emailCode == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-duxk2", "user, resourceowner, emailcode should not be nothing")
}
@ -97,7 +121,82 @@ func UserRegisterAggregate(ctx context.Context, aggCreator *es_models.AggregateC
if err != nil {
return nil, err
}
return agg.AppendEvent(model.UserEmailCodeAdded, emailCode)
agg, err = agg.AppendEvent(model.UserEmailCodeAdded, emailCode)
if err != nil {
return nil, err
}
uniqueAggregates, err := getUniqueUserAggregates(ctx, aggCreator, user, resourceOwner)
if err != nil {
return nil, err
}
return []*es_models.Aggregate{
agg,
uniqueAggregates[0],
uniqueAggregates[1],
}, nil
}
func getUniqueUserAggregates(ctx context.Context, aggCreator *es_models.AggregateCreator, user *model.User, resourceOwner string) ([]*es_models.Aggregate, error) {
userNameAggregate, err := reservedUniqueUserNameAggregate(ctx, aggCreator, resourceOwner, user.UserName)
if err != nil {
return nil, err
}
emailAggregate, err := reservedUniqueEmailAggregate(ctx, aggCreator, resourceOwner, user.EmailAddress)
if err != nil {
return nil, err
}
return []*es_models.Aggregate{
userNameAggregate,
emailAggregate,
}, nil
}
func reservedUniqueUserNameAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, resourceOwner, userName string) (*es_models.Aggregate, error) {
aggregate, err := aggCreator.NewAggregate(ctx, userName, model.UserUserNameAggregate, model.UserVersion, 0)
if resourceOwner != "" {
aggregate, err = aggCreator.NewAggregate(ctx, userName, model.UserUserNameAggregate, model.UserVersion, 0, es_models.OverwriteResourceOwner(resourceOwner))
}
if err != nil {
return nil, err
}
aggregate, err = aggregate.AppendEvent(model.UserUserNameReserved, nil)
if err != nil {
return nil, err
}
return aggregate.SetPrecondition(UserUserNameUniqueQuery(userName), isEventValidation(aggregate, model.UserUserNameReserved)), nil
}
func reservedUniqueEmailAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, resourceOwner, email string) (aggregate *es_models.Aggregate, err error) {
aggregate, err = aggCreator.NewAggregate(ctx, email, model.UserEmailAggregate, model.UserVersion, 0)
if resourceOwner != "" {
aggregate, err = aggCreator.NewAggregate(ctx, email, model.UserEmailAggregate, model.UserVersion, 0, es_models.OverwriteResourceOwner(resourceOwner))
}
if err != nil {
return nil, err
}
aggregate, err = aggregate.AppendEvent(model.UserEmailReserved, nil)
if err != nil {
return nil, err
}
return aggregate.SetPrecondition(UserEmailUniqueQuery(email), isEventValidation(aggregate, model.UserEmailReserved)), nil
}
func releasedUniqueEmailAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, resourceOwner, email string) (aggregate *es_models.Aggregate, err error) {
aggregate, err = aggCreator.NewAggregate(ctx, email, model.UserEmailAggregate, model.UserVersion, 0)
if resourceOwner != "" {
aggregate, err = aggCreator.NewAggregate(ctx, email, model.UserEmailAggregate, model.UserVersion, 0, es_models.OverwriteResourceOwner(resourceOwner))
}
if err != nil {
return nil, err
}
aggregate, err = aggregate.AppendEvent(model.UserEmailReleased, nil)
if err != nil {
return nil, err
}
return aggregate.SetPrecondition(UserEmailUniqueQuery(email), isEventValidation(aggregate, model.UserEmailReleased)), nil
}
func UserDeactivateAggregate(aggCreator *es_models.AggregateCreator, user *model.User) func(ctx context.Context) (*es_models.Aggregate, error) {
@ -231,38 +330,54 @@ func ProfileChangeAggregate(aggCreator *es_models.AggregateCreator, existing *mo
}
}
func EmailChangeAggregate(aggCreator *es_models.AggregateCreator, existing *model.User, email *model.Email, code *model.EmailCode) func(ctx context.Context) (*es_models.Aggregate, error) {
return func(ctx context.Context) (*es_models.Aggregate, error) {
if email == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-dki8s", "email should not be nil")
}
if (!email.IsEmailVerified && code == nil) || (email.IsEmailVerified && code != nil) {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-id934", "email has to be verified or code must be sent")
}
agg, err := UserAggregate(ctx, aggCreator, existing)
if err != nil {
return nil, err
}
changes := existing.Email.Changes(email)
if len(changes) == 0 {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-s90pw", "no changes found")
}
agg, err = agg.AppendEvent(model.UserEmailChanged, changes)
if err != nil {
return nil, err
}
if existing.Email == nil {
existing.Email = new(model.Email)
}
if email.IsEmailVerified {
return agg.AppendEvent(model.UserEmailVerified, code)
}
if code != nil {
return agg.AppendEvent(model.UserEmailCodeAdded, code)
}
return agg, nil
func EmailChangeAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.User, email *model.Email, code *model.EmailCode) ([]*es_models.Aggregate, error) {
if email == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-dki8s", "email should not be nil")
}
if (!email.IsEmailVerified && code == nil) || (email.IsEmailVerified && code != nil) {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-id934", "email has to be verified or code must be sent")
}
changes := existing.Email.Changes(email)
if len(changes) == 0 {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-s90pw", "no changes found")
}
aggregates := make([]*es_models.Aggregate, 0, 4)
reserveEmailAggregate, err := reservedUniqueEmailAggregate(ctx, aggCreator, "", email.EmailAddress)
if err != nil {
return nil, err
}
aggregates = append(aggregates, reserveEmailAggregate)
releaseEmailAggregate, err := releasedUniqueEmailAggregate(ctx, aggCreator, "", existing.EmailAddress)
if err != nil {
return nil, err
}
aggregates = append(aggregates, releaseEmailAggregate)
agg, err := UserAggregate(ctx, aggCreator, existing)
if err != nil {
return nil, err
}
agg, err = agg.AppendEvent(model.UserEmailChanged, changes)
if err != nil {
return nil, err
}
if existing.Email == nil {
existing.Email = new(model.Email)
}
if email.IsEmailVerified {
agg, err = agg.AppendEvent(model.UserEmailVerified, code)
if err != nil {
return nil, err
}
}
if code != nil {
agg, err = agg.AppendEvent(model.UserEmailCodeAdded, code)
if err != nil {
return nil, err
}
}
return append(aggregates, agg), nil
}
func EmailVerifiedAggregate(aggCreator *es_models.AggregateCreator, existing *model.User) func(ctx context.Context) (*es_models.Aggregate, error) {
return func(ctx context.Context) (*es_models.Aggregate, error) {
agg, err := UserAggregate(ctx, aggCreator, existing)
@ -449,3 +564,17 @@ func SignOutAggregate(aggCreator *es_models.AggregateCreator, existing *model.Us
return agg.AppendEvent(model.SignedOut, map[string]interface{}{"agentID": agentID})
}
}
func isEventValidation(aggregate *es_models.Aggregate, eventType es_models.EventType) func(...*es_models.Event) error {
return func(events ...*es_models.Event) error {
if len(events) == 0 {
aggregate.PreviousSequence = 0
return nil
}
if events[0].Type == eventType {
return errors.ThrowPreconditionFailedf(nil, "EVENT-eJQqe", "user is already %v", eventType)
}
aggregate.PreviousSequence = events[0].Sequence
return nil
}
}

98
internal/user/repository/eventsourcing/user_test.go
View File

@ -108,11 +108,12 @@ func TestUserCreateAggregate(t *testing.T) {
aggCreator *models.AggregateCreator
}
type res struct {
eventLen int
eventTypes []models.EventType
checkData []bool
wantErr bool
errFunc func(err error) bool
eventLen int
eventTypes []models.EventType
aggregatesLen int
checkData []bool
wantErr bool
errFunc func(err error) bool
}
tests := []struct {
name string
@ -125,13 +126,15 @@ func TestUserCreateAggregate(t *testing.T) {
ctx: auth.NewMockContext("orgID", "userID"),
new: &model.User{ObjectRoot: models.ObjectRoot{AggregateID: "ID"},
Profile: &model.Profile{UserName: "UserName"},
Email: &model.Email{EmailAddress: "EmailAddress"},
},
aggCreator: models.NewAggregateCreator("Test"),
},
res: res{
eventLen: 1,
eventTypes: []models.EventType{model.UserAdded},
checkData: []bool{true},
eventLen: 1,
eventTypes: []models.EventType{model.UserAdded},
checkData: []bool{true},
aggregatesLen: 3,
},
},
{
@ -152,14 +155,16 @@ func TestUserCreateAggregate(t *testing.T) {
ctx: auth.NewMockContext("orgID", "userID"),
new: &model.User{ObjectRoot: models.ObjectRoot{AggregateID: "ID"},
Profile: &model.Profile{UserName: "UserName"},
Email: &model.Email{EmailAddress: "EmailAddress"},
},
initCode: &model.InitUserCode{},
aggCreator: models.NewAggregateCreator("Test"),
},
res: res{
eventLen: 2,
eventTypes: []models.EventType{model.UserAdded, model.InitializedUserCodeAdded},
checkData: []bool{true, true},
eventLen: 2,
eventTypes: []models.EventType{model.UserAdded, model.InitializedUserCodeAdded},
checkData: []bool{true, true},
aggregatesLen: 3,
},
},
{
@ -168,14 +173,16 @@ func TestUserCreateAggregate(t *testing.T) {
ctx: auth.NewMockContext("orgID", "userID"),
new: &model.User{ObjectRoot: models.ObjectRoot{AggregateID: "ID"},
Profile: &model.Profile{UserName: "UserName"},
Email: &model.Email{EmailAddress: "EmailAddress"},
},
phoneCode: &model.PhoneCode{},
aggCreator: models.NewAggregateCreator("Test"),
},
res: res{
eventLen: 2,
eventTypes: []models.EventType{model.UserAdded, model.UserPhoneCodeAdded},
checkData: []bool{true, true},
eventLen: 2,
eventTypes: []models.EventType{model.UserAdded, model.UserPhoneCodeAdded},
checkData: []bool{true, true},
aggregatesLen: 3,
},
},
{
@ -189,9 +196,10 @@ func TestUserCreateAggregate(t *testing.T) {
aggCreator: models.NewAggregateCreator("Test"),
},
res: res{
eventLen: 2,
eventTypes: []models.EventType{model.UserAdded, model.UserEmailVerified},
checkData: []bool{true, false},
eventLen: 2,
eventTypes: []models.EventType{model.UserAdded, model.UserEmailVerified},
checkData: []bool{true, false},
aggregatesLen: 3,
},
},
{
@ -200,32 +208,38 @@ func TestUserCreateAggregate(t *testing.T) {
ctx: auth.NewMockContext("orgID", "userID"),
new: &model.User{ObjectRoot: models.ObjectRoot{AggregateID: "ID"},
Profile: &model.Profile{UserName: "UserName"},
Email: &model.Email{EmailAddress: "EmailAddress"},
Phone: &model.Phone{PhoneNumber: "PhoneNumber", IsPhoneVerified: true},
},
aggCreator: models.NewAggregateCreator("Test"),
},
res: res{
eventLen: 2,
eventTypes: []models.EventType{model.UserAdded, model.UserPhoneVerified},
checkData: []bool{true, false},
eventLen: 2,
eventTypes: []models.EventType{model.UserAdded, model.UserPhoneVerified},
checkData: []bool{true, false},
aggregatesLen: 3,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
agg, err := UserCreateAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.new, tt.args.initCode, tt.args.phoneCode, "")
aggregates, err := UserCreateAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.new, tt.args.initCode, tt.args.phoneCode, "")
if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
if !tt.res.wantErr && len(aggregates) != tt.res.aggregatesLen {
t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.aggregatesLen, len(aggregates))
}
if !tt.res.wantErr && len(aggregates[0].Events) != tt.res.eventLen {
t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(aggregates[0].Events))
}
for i := 0; i < tt.res.eventLen; i++ {
if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
if !tt.res.wantErr && aggregates[0].Events[i].Type != tt.res.eventTypes[i] {
t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], aggregates[0].Events[i].Type.String())
}
if !tt.res.wantErr && tt.res.checkData[i] && agg.Events[i].Data == nil {
if !tt.res.wantErr && tt.res.checkData[i] && aggregates[0].Events[i].Data == nil {
t.Errorf("should have data in event")
}
if !tt.res.wantErr && !tt.res.checkData[i] && agg.Events[i].Data != nil {
if !tt.res.wantErr && !tt.res.checkData[i] && aggregates[0].Events[i].Data != nil {
t.Errorf("should not have data in event")
}
}
@ -257,9 +271,10 @@ func TestUserRegisterAggregate(t *testing.T) {
{
name: "user register aggregate ok",
args: args{
ctx: auth.NewMockContext("", ""),
ctx: auth.NewMockContext("orgID", "userID"),
new: &model.User{ObjectRoot: models.ObjectRoot{AggregateID: "ID"},
Profile: &model.Profile{UserName: "UserName"},
Email: &model.Email{EmailAddress: "EmailAddress"},
},
emailCode: &model.EmailCode{},
resourceOwner: "newResourceowner",
@ -290,6 +305,7 @@ func TestUserRegisterAggregate(t *testing.T) {
resourceOwner: "newResourceowner",
new: &model.User{ObjectRoot: models.ObjectRoot{AggregateID: "ID"},
Profile: &model.Profile{UserName: "UserName"},
Email: &model.Email{EmailAddress: "EmailAddress"},
},
aggCreator: models.NewAggregateCreator("Test"),
},
@ -303,6 +319,7 @@ func TestUserRegisterAggregate(t *testing.T) {
ctx: auth.NewMockContext("orgID", "userID"),
new: &model.User{ObjectRoot: models.ObjectRoot{AggregateID: "ID"},
Profile: &model.Profile{UserName: "UserName"},
Email: &model.Email{EmailAddress: "EmailAddress"},
},
resourceOwner: "newResourceowner",
emailCode: &model.EmailCode{},
@ -319,6 +336,7 @@ func TestUserRegisterAggregate(t *testing.T) {
ctx: auth.NewMockContext("orgID", "userID"),
new: &model.User{ObjectRoot: models.ObjectRoot{AggregateID: "ID"},
Profile: &model.Profile{UserName: "UserName"},
Email: &model.Email{EmailAddress: "EmailAddress"},
},
emailCode: &model.EmailCode{},
aggCreator: models.NewAggregateCreator("Test"),
@ -330,16 +348,16 @@ func TestUserRegisterAggregate(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
agg, err := UserRegisterAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.new, tt.args.resourceOwner, tt.args.emailCode)
aggregates, err := UserRegisterAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.new, tt.args.resourceOwner, tt.args.emailCode)
if tt.res.errFunc == nil && len(agg.Events) != tt.res.eventLen {
t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
if tt.res.errFunc == nil && len(aggregates[0].Events) != tt.res.eventLen {
t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(aggregates[0].Events))
}
for i := 0; i < tt.res.eventLen; i++ {
if tt.res.errFunc == nil && agg.Events[i].Type != tt.res.eventTypes[i] {
t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
if tt.res.errFunc == nil && aggregates[0].Events[i].Type != tt.res.eventTypes[i] {
t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], aggregates[0].Events[i].Type.String())
}
if tt.res.errFunc == nil && agg.Events[i].Data == nil {
if tt.res.errFunc == nil && aggregates[0].Events[i].Data == nil {
t.Errorf("should have data in event")
}
}
@ -1075,16 +1093,16 @@ func TestChangeEmailAggregate(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
agg, err := EmailChangeAggregate(tt.args.aggCreator, tt.args.existing, tt.args.email, tt.args.code)(tt.args.ctx)
aggregates, err := EmailChangeAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.existing, tt.args.email, tt.args.code)
if tt.res.errFunc == nil && len(agg.Events) != tt.res.eventLen {
t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
if tt.res.errFunc == nil && len(aggregates[2].Events) != tt.res.eventLen {
t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(aggregates[1].Events))
}
for i := 0; i < tt.res.eventLen; i++ {
if tt.res.errFunc == nil && agg.Events[i].Type != tt.res.eventTypes[i] {
t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
if tt.res.errFunc == nil && aggregates[2].Events[i].Type != tt.res.eventTypes[i] {
t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], aggregates[1].Events[i].Type.String())
}
if tt.res.errFunc == nil && agg.Events[i].Data == nil {
if tt.res.errFunc == nil && aggregates[2].Events[i].Data == nil {
t.Errorf("should have data in event")
}
}

15
internal/usergrant/repository/eventsourcing/eventstore.go
View File

@ -59,7 +59,6 @@ func (es *UserGrantEventStore) AddUserGrant(ctx context.Context, grant *grant_mo
if grant == nil || !grant.IsValid() {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-sdiw3", "User grant invalid")
}
//TODO: Check Uniqueness
id, err := es.idGenerator.NextID()
if err != nil {
return nil, err
@ -68,8 +67,11 @@ func (es *UserGrantEventStore) AddUserGrant(ctx context.Context, grant *grant_mo
repoGrant := model.UserGrantFromModel(grant)
addAggregate := UserGrantAddedAggregate(es.Eventstore.AggregateCreator(), repoGrant)
err = es_sdk.Push(ctx, es.PushAggregates, repoGrant.AppendEvents, addAggregate)
addAggregates, err := UserGrantAddedAggregate(ctx, es.Eventstore.AggregateCreator(), repoGrant)
if err != nil {
return nil, err
}
err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoGrant.AppendEvents, addAggregates...)
if err != nil {
return nil, err
}
@ -103,8 +105,11 @@ func (es *UserGrantEventStore) RemoveUserGrant(ctx context.Context, grantID stri
}
repoExisting := model.UserGrantFromModel(existing)
repoGrant := &model.UserGrant{ObjectRoot: models.ObjectRoot{AggregateID: grantID}}
projectAggregate := UserGrantRemovedAggregate(es.Eventstore.AggregateCreator(), repoExisting, repoGrant)
err = es_sdk.Push(ctx, es.PushAggregates, repoExisting.AppendEvents, projectAggregate)
projectAggregates, err := UserGrantRemovedAggregate(ctx, es.Eventstore.AggregateCreator(), repoExisting, repoGrant)
if err != nil {
return err
}
err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoExisting.AppendEvents, projectAggregates...)
if err != nil {
return err
}

4
internal/usergrant/repository/eventsourcing/model/types.go
View File

@ -4,11 +4,13 @@ import "github.com/caos/zitadel/internal/eventstore/models"
const (
UserGrantAggregate models.AggregateType = "usergrant"
UserGrantUniqueAggregate models.AggregateType = "usergrant-unique"
UserGrantUniqueAggregate models.AggregateType = "usergrant.unique"
UserGrantAdded models.EventType = "user.grant.added"
UserGrantChanged models.EventType = "user.grant.changed"
UserGrantRemoved models.EventType = "user.grant.removed"
UserGrantDeactivated models.EventType = "user.grant.deactivated"
UserGrantReactivated models.EventType = "user.grant.reactivated"
UserGrantReserved models.EventType = "user.grant.reserved"
UserGrantReleased models.EventType = "user.grant.released"
)

181
internal/usergrant/repository/eventsourcing/user_grant.go
View File

@ -2,8 +2,13 @@ package eventsourcing
import (
"context"
"github.com/caos/zitadel/internal/api/auth"
"github.com/caos/zitadel/internal/errors"
es_models "github.com/caos/zitadel/internal/eventstore/models"
org_model "github.com/caos/zitadel/internal/org/model"
proj_model "github.com/caos/zitadel/internal/project/model"
proj_es_model "github.com/caos/zitadel/internal/project/repository/eventsourcing/model"
usr_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
"github.com/caos/zitadel/internal/usergrant/repository/eventsourcing/model"
)
@ -21,6 +26,15 @@ func UserGrantQuery(latestSequence uint64) *es_models.SearchQuery {
LatestSequenceFilter(latestSequence)
}
func UserGrantUniqueQuery(resourceOwner, projectID, userID string) *es_models.SearchQuery {
grantID := resourceOwner + projectID + userID
return es_models.NewSearchQuery().
AggregateTypeFilter(model.UserGrantUniqueAggregate).
AggregateIDFilter(grantID).
OrderDesc().
SetLimit(1)
}
func UserGrantAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, grant *model.UserGrant) (*es_models.Aggregate, error) {
if grant == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-dis83", "existing grant should not be nil")
@ -28,14 +42,57 @@ func UserGrantAggregate(ctx context.Context, aggCreator *es_models.AggregateCrea
return aggCreator.NewAggregate(ctx, grant.AggregateID, model.UserGrantAggregate, model.UserGrantVersion, grant.Sequence)
}
func UserGrantAddedAggregate(aggCreator *es_models.AggregateCreator, grant *model.UserGrant) func(ctx context.Context) (*es_models.Aggregate, error) {
return func(ctx context.Context) (*es_models.Aggregate, error) {
agg, err := UserGrantAggregate(ctx, aggCreator, grant)
if err != nil {
return nil, err
}
return agg.AppendEvent(model.UserGrantAdded, grant)
func UserGrantAddedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, grant *model.UserGrant) ([]*es_models.Aggregate, error) {
agg, err := UserGrantAggregate(ctx, aggCreator, grant)
if err != nil {
return nil, err
}
validationQuery := es_models.NewSearchQuery().
AggregateTypeFilter(usr_model.UserAggregate, org_model.OrgAggregate, proj_es_model.ProjectAggregate).
AggregateIDsFilter(grant.UserID, auth.GetCtxData(ctx).OrgID, grant.ProjectID)
validation := addUserGrantValidation(auth.GetCtxData(ctx).OrgID, grant)
agg, err = agg.SetPrecondition(validationQuery, validation).AppendEvent(model.UserGrantAdded, grant)
if err != nil {
return nil, err
}
uniqueAggregate, err := reservedUniqueUserGrantAggregate(ctx, aggCreator, grant)
if err != nil {
return nil, err
}
return []*es_models.Aggregate{
agg,
uniqueAggregate,
}, nil
}
func reservedUniqueUserGrantAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, grant *model.UserGrant) (*es_models.Aggregate, error) {
grantID := auth.GetCtxData(ctx).OrgID + grant.ProjectID + grant.UserID
aggregate, err := aggCreator.NewAggregate(ctx, grantID, model.UserGrantUniqueAggregate, model.UserGrantVersion, 0)
if err != nil {
return nil, err
}
aggregate, err = aggregate.AppendEvent(model.UserGrantReserved, nil)
if err != nil {
return nil, err
}
return aggregate.SetPrecondition(UserGrantUniqueQuery(auth.GetCtxData(ctx).OrgID, grant.ProjectID, grant.UserID), isEventValidation(aggregate, model.UserGrantReserved)), nil
}
func releasedUniqueUserGrantAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, grant *model.UserGrant) (aggregate *es_models.Aggregate, err error) {
grantID := grant.ResourceOwner + grant.ProjectID + grant.UserID
aggregate, err = aggCreator.NewAggregate(ctx, grantID, model.UserGrantUniqueAggregate, model.UserGrantVersion, 0)
if err != nil {
return nil, err
}
aggregate, err = aggregate.AppendEvent(model.UserGrantReleased, nil)
if err != nil {
return nil, err
}
return aggregate.SetPrecondition(UserGrantUniqueQuery(grant.ResourceOwner, grant.ProjectID, grant.UserID), isEventValidation(aggregate, model.UserGrantReleased)), nil
}
func UserGrantChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.UserGrant, grant *model.UserGrant) func(ctx context.Context) (*es_models.Aggregate, error) {
@ -78,15 +135,109 @@ func UserGrantReactivatedAggregate(aggCreator *es_models.AggregateCreator, exist
}
}
func UserGrantRemovedAggregate(aggCreator *es_models.AggregateCreator, existing *model.UserGrant, grant *model.UserGrant) func(ctx context.Context) (*es_models.Aggregate, error) {
return func(ctx context.Context) (*es_models.Aggregate, error) {
if grant == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-lo21s", "grant should not be nil")
func UserGrantRemovedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.UserGrant, grant *model.UserGrant) ([]*es_models.Aggregate, error) {
if grant == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-lo21s", "grant should not be nil")
}
agg, err := UserGrantAggregate(ctx, aggCreator, existing)
if err != nil {
return nil, err
}
agg, err = agg.AppendEvent(model.UserGrantRemoved, nil)
if err != nil {
return nil, err
}
uniqueAggregate, err := releasedUniqueUserGrantAggregate(ctx, aggCreator, existing)
if err != nil {
return nil, err
}
return []*es_models.Aggregate{
agg,
uniqueAggregate,
}, nil
}
func isEventValidation(aggregate *es_models.Aggregate, eventType es_models.EventType) func(...*es_models.Event) error {
return func(events ...*es_models.Event) error {
if len(events) == 0 {
aggregate.PreviousSequence = 0
return nil
}
agg, err := UserGrantAggregate(ctx, aggCreator, existing)
if err != nil {
return nil, err
if events[0].Type == eventType {
return errors.ThrowPreconditionFailedf(nil, "EVENT-eJQqe", "user_grant is already %v", eventType)
}
return agg.AppendEvent(model.UserGrantRemoved, nil)
aggregate.PreviousSequence = events[0].Sequence
return nil
}
}
func addUserGrantValidation(resourceOwner string, grant *model.UserGrant) func(...*es_models.Event) error {
return func(events ...*es_models.Event) error {
existsOrg := false
existsUser := false
project := new(proj_es_model.Project)
for _, event := range events {
switch event.AggregateType {
case usr_model.UserAggregate:
switch event.Type {
case usr_model.UserAdded, usr_model.UserRegistered:
existsUser = true
case usr_model.UserRemoved:
existsUser = false
}
case org_model.OrgAggregate:
switch event.Type {
case org_model.OrgAdded:
existsOrg = true
case org_model.OrgRemoved:
existsOrg = false
}
case proj_es_model.ProjectAggregate:
project.AppendEvent(event)
}
}
if existsOrg && existsUser && checkProjectConditions(resourceOwner, grant, project) {
return nil
}
return errors.ThrowPreconditionFailed(nil, "EVENT-3OfIm", "conditions not met")
}
}
func checkProjectConditions(resourceOwner string, grant *model.UserGrant, project *proj_es_model.Project) bool {
if project.State == int32(proj_model.PROJECTSTATE_REMOVED) {
return false
}
if resourceOwner == project.ResourceOwner {
return checkIfProjectHasRoles(grant.RoleKeys, project.Roles)
}
if _, projectGrant := proj_es_model.GetProjectGrantByResourceOwner(project.Grants, resourceOwner); projectGrant != nil {
return checkIfProjectGrantHasRoles(grant.RoleKeys, projectGrant.RoleKeys)
}
return false
}
func checkIfProjectHasRoles(roles []string, existing []*proj_es_model.ProjectRole) bool {
for _, roleKey := range roles {
if _, role := proj_es_model.GetProjectRole(existing, roleKey); role == nil {
return false
}
}
return true
}
func checkIfProjectGrantHasRoles(roles []string, existing []string) bool {
roleExists := false
for _, roleKey := range roles {
for _, existingRoleKey := range existing {
if roleKey == existingRoleKey {
roleExists = true
continue
}
}
if !roleExists {
return false
}
}
return true
}

22
internal/usergrant/repository/eventsourcing/user_grant_test.go
View File

@ -51,15 +51,15 @@ func TestUserGrantAddedAggregate(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
agg, err := UserGrantAddedAggregate(tt.args.aggCreator, tt.args.grant)(tt.args.ctx)
aggregates, err := UserGrantAddedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.grant)
if tt.res.errFunc == nil && len(agg.Events) != tt.res.eventLen {
t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
if tt.res.errFunc == nil && len(aggregates[0].Events) != tt.res.eventLen {
t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(aggregates[0].Events))
}
if tt.res.errFunc == nil && agg.Events[0].Type != tt.res.eventType {
t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventType, agg.Events[0].Type.String())
if tt.res.errFunc == nil && aggregates[0].Events[0].Type != tt.res.eventType {
t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventType, aggregates[0].Events[0].Type.String())
}
if tt.res.errFunc == nil && agg.Events[0].Data == nil {
if tt.res.errFunc == nil && aggregates[0].Events[0].Data == nil {
t.Errorf("should have data in event")
}
if tt.res.errFunc != nil && !tt.res.errFunc(err) {
@ -230,14 +230,14 @@ func TestUserGrantRemovedAggregate(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
agg, err := UserGrantRemovedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new)(tt.args.ctx)
aggregates, err := UserGrantRemovedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.existing, tt.args.new)
if tt.res.errFunc == nil && len(agg.Events) != tt.res.eventLen {
t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
if tt.res.errFunc == nil && len(aggregates[0].Events) != tt.res.eventLen {
t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(aggregates[0].Events))
}
for i := 0; i < tt.res.eventLen; i++ {
if tt.res.errFunc == nil && agg.Events[i].Type != tt.res.eventTypes[i] {
t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
if tt.res.errFunc == nil && aggregates[0].Events[i].Type != tt.res.eventTypes[i] {
t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], aggregates[0].Events[i].Type.String())
}
}