feat: user grants command side (#1191)

* fix: user grant command side

* fix: user grant command side

* fix: user grant command side check permissions

* fix: unique constraint on user grants

* fix: add usergrant

* fix: add usergrant

* fix: add usergrant

* fix: user grant remove

* Update internal/v2/command/auth_checks.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/v2/command/auth_checks.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/v2/command/project.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/v2/command/user_grant.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: project events

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

internal/management/repository/eventsourcing/eventstore/user_grant.go

@@ -5,7 +5,6 @@ import (
 
 	"github.com/caos/logging"
 	"github.com/caos/zitadel/internal/api/authz"
-	caos_errors "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/management/repository/eventsourcing/view"
 	global_model "github.com/caos/zitadel/internal/model"
 	grant_model "github.com/caos/zitadel/internal/usergrant/model"
@@ -28,92 +27,6 @@ func (repo *UserGrantRepo) UserGrantByID(ctx context.Context, grantID string) (*
 	return model.UserGrantToModel(grant), nil
 }
 
-func (repo *UserGrantRepo) AddUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
-	err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
-	if err != nil {
-		return nil, err
-	}
-	return repo.UserGrantEvents.AddUserGrant(ctx, grant)
-}
-
-func (repo *UserGrantRepo) ChangeUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
-	err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
-	if err != nil {
-		return nil, err
-	}
-	return repo.UserGrantEvents.ChangeUserGrant(ctx, grant)
-}
-
-func (repo *UserGrantRepo) DeactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
-	grant, err := repo.UserGrantByID(ctx, grantID)
-	if err != nil {
-		return nil, err
-	}
-	err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
-	if err != nil {
-		return nil, err
-	}
-	return repo.UserGrantEvents.DeactivateUserGrant(ctx, grantID)
-}
-
-func (repo *UserGrantRepo) ReactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
-	grant, err := repo.UserGrantByID(ctx, grantID)
-	if err != nil {
-		return nil, err
-	}
-	err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
-	if err != nil {
-		return nil, err
-	}
-	return repo.UserGrantEvents.ReactivateUserGrant(ctx, grantID)
-}
-
-func (repo *UserGrantRepo) RemoveUserGrant(ctx context.Context, grantID string) error {
-	grant, err := repo.UserGrantByID(ctx, grantID)
-	if err != nil {
-		return err
-	}
-	err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
-	if err != nil {
-		return err
-	}
-	return repo.UserGrantEvents.RemoveUserGrant(ctx, grantID)
-}
-
-func (repo *UserGrantRepo) BulkAddUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
-	for _, grant := range grants {
-		err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
-		if err != nil {
-			return err
-		}
-	}
-	return repo.UserGrantEvents.AddUserGrants(ctx, grants...)
-}
-
-func (repo *UserGrantRepo) BulkChangeUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
-	for _, grant := range grants {
-		err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
-		if err != nil {
-			return err
-		}
-	}
-	return repo.UserGrantEvents.ChangeUserGrants(ctx, grants...)
-}
-
-func (repo *UserGrantRepo) BulkRemoveUserGrant(ctx context.Context, grantIDs ...string) error {
-	for _, grantID := range grantIDs {
-		grant, err := repo.UserGrantByID(ctx, grantID)
-		if err != nil {
-			return err
-		}
-		err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
-		if err != nil {
-			return err
-		}
-	}
-	return repo.UserGrantEvents.RemoveUserGrants(ctx, grantIDs...)
-}
-
 func (repo *UserGrantRepo) SearchUserGrants(ctx context.Context, request *grant_model.UserGrantSearchRequest) (*grant_model.UserGrantSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
 	sequence, sequenceErr := repo.View.GetLatestUserGrantSequence("")
@@ -189,34 +102,3 @@ func checkContainsPermID(ids []string, query *grant_model.UserGrantSearchQuery,
 	}
 	return nil
 }
-
-func checkExplicitPermission(ctx context.Context, grantID, projectID string) error {
-	permissions := authz.GetRequestPermissionsFromCtx(ctx)
-	if authz.HasGlobalPermission(permissions) {
-		return nil
-	}
-	ids := authz.GetAllPermissionCtxIDs(permissions)
-	containsID := false
-	if grantID != "" {
-		containsID = listContainsID(ids, grantID)
-		if containsID {
-			return nil
-		}
-	}
-	containsID = listContainsID(ids, projectID)
-	if !containsID {
-		return caos_errors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
-	}
-	return nil
-}
-
-func listContainsID(ids []string, id string) bool {
-	containsID := false
-	for _, i := range ids {
-		if i == id {
-			containsID = true
-			break
-		}
-	}
-	return containsID
-}

internal/management/repository/user_grant.go

@@ -7,14 +7,5 @@ import (
 
 type UserGrantRepository interface {
 	UserGrantByID(ctx context.Context, grantID string) (*model.UserGrantView, error)
-	AddUserGrant(ctx context.Context, grant *model.UserGrant) (*model.UserGrant, error)
-	ChangeUserGrant(ctx context.Context, grant *model.UserGrant) (*model.UserGrant, error)
-	DeactivateUserGrant(ctx context.Context, grantID string) (*model.UserGrant, error)
-	ReactivateUserGrant(ctx context.Context, grantID string) (*model.UserGrant, error)
-	RemoveUserGrant(ctx context.Context, grantID string) error
 	SearchUserGrants(ctx context.Context, request *model.UserGrantSearchRequest) (*model.UserGrantSearchResponse, error)
-
-	BulkAddUserGrant(ctx context.Context, grant ...*model.UserGrant) error
-	BulkChangeUserGrant(ctx context.Context, grant ...*model.UserGrant) error
-	BulkRemoveUserGrant(ctx context.Context, grantIDs ...string) error
 }