feat: user grants command side (#1191)

* fix: user grant command side * fix: user grant command side * fix: user grant command side check permissions * fix: unique constraint on user grants * fix: add usergrant * fix: add usergrant * fix: add usergrant * fix: user grant remove * Update internal/v2/command/auth_checks.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/v2/command/auth_checks.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/v2/command/project.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/v2/command/user_grant.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: project events Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-11 18:07:31 +00:00 · 2021-01-22 13:31:52 +01:00
parent 28bfe72930
commit dfcb96d6a3
30 changed files with 890 additions and 277 deletions
--- a/internal/v2/command/auth_checks.go
+++ b/internal/v2/command/auth_checks.go
@@ -0,0 +1,31 @@
+package command
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/api/authz"
+	caos_errors "github.com/caos/zitadel/internal/errors"
+)
+
+func checkExplicitProjectPermission(ctx context.Context, grantID, projectID string) error {
+	permissions := authz.GetRequestPermissionsFromCtx(ctx)
+	if authz.HasGlobalPermission(permissions) {
+		return nil
+	}
+	ids := authz.GetAllPermissionCtxIDs(permissions)
+	if grantID != "" && listContainsID(ids, grantID) {
+		return nil
+	}
+	if listContainsID(ids, projectID) {
+		return nil
+	}
+	return caos_errors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
+}
+
+func listContainsID(ids []string, id string) bool {
+	for _, i := range ids {
+		if i == id {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/v2/command/command.go
+++ b/internal/v2/command/command.go
@@ -12,7 +12,9 @@ import (
 	"github.com/caos/zitadel/internal/telemetry/tracing"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 	"github.com/caos/zitadel/internal/v2/repository/org"
+	proj_repo "github.com/caos/zitadel/internal/v2/repository/project"
 	usr_repo "github.com/caos/zitadel/internal/v2/repository/user"
+	usr_grant_repo "github.com/caos/zitadel/internal/v2/repository/usergrant"
 	webauthn_helper "github.com/caos/zitadel/internal/webauthn"
 )

@@ -53,6 +55,8 @@ func StartCommandSide(config *Config) (repo *CommandSide, err error) {
 	iam_repo.RegisterEventMappers(repo.eventstore)
 	org.RegisterEventMappers(repo.eventstore)
 	usr_repo.RegisterEventMappers(repo.eventstore)
+	usr_grant_repo.RegisterEventMappers(repo.eventstore)
+	proj_repo.RegisterEventMappers(repo.eventstore)

 	//TODO: simplify!!!!
 	repo.idpConfigSecretCrypto, err = crypto.NewAESCrypto(config.SystemDefaults.IDPConfigVerificationKey)
--- a/internal/v2/command/project.go
+++ b/internal/v2/command/project.go
@@ -54,6 +54,17 @@ func (r *CommandSide) getProjectByID(ctx context.Context, projectID, resourceOwn
 	return projectWriteModelToProject(projectWriteModel), nil
 }

+func (r *CommandSide) checkProjectExists(ctx context.Context, projectID, resourceOwner string) error {
+	projectWriteModel, err := r.getProjectWriteModelByID(ctx, projectID, resourceOwner)
+	if err != nil {
+		return err
+	}
+	if projectWriteModel.State == domain.ProjectStateUnspecified || projectWriteModel.State == domain.ProjectStateRemoved {
+		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0fs", "Errors.Project.NotFound")
+	}
+	return nil
+}
+
 func (r *CommandSide) getProjectWriteModelByID(ctx context.Context, projectID, resourceOwner string) (*ProjectWriteModel, error) {
 	projectWriteModel := NewProjectWriteModel(projectID, resourceOwner)
 	err := r.eventstore.FilterToQueryReducer(ctx, projectWriteModel)
--- a/internal/v2/command/project_model.go
+++ b/internal/v2/command/project_model.go
@@ -26,12 +26,6 @@ func NewProjectWriteModel(projectID string, resourceOwner string) *ProjectWriteM

 func (wm *ProjectWriteModel) AppendEvents(events ...eventstore.EventReader) {
 	wm.WriteModel.AppendEvents(events...)
-	for _, event := range events {
-		switch e := event.(type) {
-		case *project.ProjectAddedEvent:
-			wm.WriteModel.AppendEvents(e)
-		}
-	}
 }

 func (wm *ProjectWriteModel) Reduce() error {
--- a/internal/v2/command/user_grant.go
+++ b/internal/v2/command/user_grant.go
@@ -0,0 +1,236 @@
+package command
+
+import (
+	"context"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/telemetry/tracing"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/usergrant"
+	"reflect"
+)
+
+func (r *CommandSide) AddUserGrant(ctx context.Context, usergrant *domain.UserGrant, resourceOwner string) (_ *domain.UserGrant, err error) {
+	userGrantAgg, addedUserGrant, err := r.addUserGrant(ctx, usergrant, resourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	err = r.eventstore.PushAggregate(ctx, addedUserGrant, userGrantAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return userGrantWriteModelToUserGrant(addedUserGrant), nil
+}
+
+func (r *CommandSide) addUserGrant(ctx context.Context, userGrant *domain.UserGrant, resourceOwner string) (_ *usergrant.Aggregate, _ *UserGrantWriteModel, err error) {
+	err = checkExplicitProjectPermission(ctx, userGrant.ProjectGrantID, userGrant.ProjectID)
+	if err != nil {
+		return nil, nil, err
+	}
+	if !userGrant.IsValid() {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0fs", "Errors.UserGrant.Invalid")
+	}
+	exists, err := r.checkUserExists(ctx, userGrant.UserID, resourceOwner)
+	if err != nil {
+		return nil, nil, err
+	}
+	if !exists {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0fs", "Errors.User.NotFound")
+	}
+	err = r.checkProjectExists(ctx, userGrant.ProjectID, resourceOwner)
+	if err != nil {
+		return nil, nil, err
+	}
+	userGrant.AggregateID, err = r.idGenerator.Next()
+	if err != nil {
+		return nil, nil, err
+	}
+	addedUserGrant := NewUserGrantWriteModel(userGrant.AggregateID, resourceOwner)
+	userGrantAgg := UserGrantAggregateFromWriteModel(&addedUserGrant.WriteModel)
+
+	userGrantAgg.PushEvents(
+		usergrant.NewUserGrantAddedEvent(
+			ctx,
+			resourceOwner,
+			userGrant.UserID,
+			userGrant.ProjectID,
+			userGrant.ProjectGrantID,
+			userGrant.RoleKeys,
+		),
+	)
+	return userGrantAgg, addedUserGrant, nil
+}
+
+func (r *CommandSide) ChangeUserGrant(ctx context.Context, userGrant *domain.UserGrant, resourceOwner string) (_ *domain.UserGrant, err error) {
+	userGrantAgg, addedUserGrant, err := r.changeUserGrant(ctx, userGrant, resourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+	err = r.eventstore.PushAggregate(ctx, addedUserGrant, userGrantAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return userGrantWriteModelToUserGrant(addedUserGrant), nil
+}
+
+func (r *CommandSide) changeUserGrant(ctx context.Context, userGrant *domain.UserGrant, resourceOwner string, cascade bool) (_ *usergrant.Aggregate, _ *UserGrantWriteModel, err error) {
+	err = checkExplicitProjectPermission(ctx, userGrant.ProjectGrantID, userGrant.ProjectID)
+	if err != nil {
+		return nil, nil, err
+	}
+	if userGrant.IsValid() {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-3M0sd", "Errors.UserGrant.Invalid")
+	}
+
+	existingUserGrant, err := r.userGrantWriteModelByID(ctx, userGrant.AggregateID, userGrant.ResourceOwner)
+	if err != nil {
+		return nil, nil, err
+	}
+	if existingUserGrant.State == domain.UserGrantStateUnspecified || existingUserGrant.State == domain.UserGrantStateRemoved {
+		return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.UserGrant.NotFound")
+	}
+	if reflect.DeepEqual(existingUserGrant.RoleKeys, userGrant.RoleKeys) {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Rs8fy", "Errors.UserGrant.NotChanged")
+	}
+
+	changedUserGrant := NewUserGrantWriteModel(userGrant.AggregateID, resourceOwner)
+	userGrantAgg := UserGrantAggregateFromWriteModel(&changedUserGrant.WriteModel)
+
+	if !cascade {
+		userGrantAgg.PushEvents(
+			usergrant.NewUserGrantChangedEvent(ctx, userGrant.RoleKeys),
+		)
+	} else {
+		userGrantAgg.PushEvents(
+			usergrant.NewUserGrantCascadeChangedEvent(ctx, userGrant.RoleKeys),
+		)
+	}
+
+	return userGrantAgg, changedUserGrant, nil
+}
+
+func (r *CommandSide) DeactivateUserGrant(ctx context.Context, grantID, resourceOwner string) (err error) {
+	if grantID == "" || resourceOwner == "" {
+		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-M0dsf", "Errors.UserGrant.IDMissing")
+	}
+
+	existingUserGrant, err := r.userGrantWriteModelByID(ctx, grantID, resourceOwner)
+	if err != nil {
+		return err
+	}
+	err = checkExplicitProjectPermission(ctx, existingUserGrant.ProjectGrantID, existingUserGrant.ProjectID)
+	if err != nil {
+		return err
+	}
+	if existingUserGrant.State == domain.UserGrantStateUnspecified || existingUserGrant.State == domain.UserGrantStateRemoved {
+		return caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.UserGrant.NotFound")
+	}
+	if existingUserGrant.State != domain.UserGrantStateActive {
+		return caos_errs.ThrowNotFound(nil, "COMMAND-1S9gx", "Errors.UserGrant.NotActive")
+	}
+
+	deactivateUserGrant := NewUserGrantWriteModel(grantID, resourceOwner)
+	userGrantAgg := UserGrantAggregateFromWriteModel(&deactivateUserGrant.WriteModel)
+	userGrantAgg.PushEvents(
+		usergrant.NewUserGrantDeactivatedEvent(ctx),
+	)
+
+	return r.eventstore.PushAggregate(ctx, deactivateUserGrant, userGrantAgg)
+}
+
+func (r *CommandSide) ReactivateUserGrant(ctx context.Context, grantID, resourceOwner string) (err error) {
+	if grantID == "" || resourceOwner == "" {
+		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Qxy8v", "Errors.UserGrant.IDMissing")
+	}
+
+	existingUserGrant, err := r.userGrantWriteModelByID(ctx, grantID, resourceOwner)
+	if err != nil {
+		return err
+	}
+	err = checkExplicitProjectPermission(ctx, existingUserGrant.ProjectGrantID, existingUserGrant.ProjectID)
+	if err != nil {
+		return err
+	}
+	if existingUserGrant.State == domain.UserGrantStateUnspecified || existingUserGrant.State == domain.UserGrantStateRemoved {
+		return caos_errs.ThrowNotFound(nil, "COMMAND-Lp0gs", "Errors.UserGrant.NotFound")
+	}
+	if existingUserGrant.State != domain.UserGrantStateInactive {
+		return caos_errs.ThrowNotFound(nil, "COMMAND-1ML0v", "Errors.UserGrant.NotInactive")
+	}
+
+	deactivateUserGrant := NewUserGrantWriteModel(grantID, resourceOwner)
+	userGrantAgg := UserGrantAggregateFromWriteModel(&deactivateUserGrant.WriteModel)
+	userGrantAgg.PushEvents(
+		usergrant.NewUserGrantReactivatedEvent(ctx),
+	)
+
+	return r.eventstore.PushAggregate(ctx, deactivateUserGrant, userGrantAgg)
+}
+
+func (r *CommandSide) RemoveUserGrant(ctx context.Context, grantID, resourceOwner string) (err error) {
+	userGrantAgg, removeUserGrant, err := r.removeUserGrant(ctx, grantID, resourceOwner, false)
+	if err != nil {
+		return nil
+	}
+
+	return r.eventstore.PushAggregate(ctx, removeUserGrant, userGrantAgg)
+}
+
+func (r *CommandSide) BulkRemoveUserGrant(ctx context.Context, grantIDs []string, resourceOwner string) (err error) {
+	aggregates := make([]eventstore.Aggregater, len(grantIDs))
+	for i, grantID := range grantIDs {
+		userGrantAgg, _, err := r.removeUserGrant(ctx, grantID, resourceOwner, false)
+		if err != nil {
+			return nil
+		}
+		aggregates[i] = userGrantAgg
+	}
+	_, err = r.eventstore.PushAggregates(ctx, aggregates...)
+	return err
+}
+
+func (r *CommandSide) removeUserGrant(ctx context.Context, grantID, resourceOwner string, cascade bool) (_ *usergrant.Aggregate, _ *UserGrantWriteModel, err error) {
+	if grantID == "" || resourceOwner == "" {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-J9sc5", "Errors.UserGrant.IDMissing")
+	}
+
+	existingUserGrant, err := r.userGrantWriteModelByID(ctx, grantID, resourceOwner)
+	if err != nil {
+		return nil, nil, err
+	}
+	err = checkExplicitProjectPermission(ctx, existingUserGrant.ProjectGrantID, existingUserGrant.ProjectID)
+	if err != nil {
+		return nil, nil, err
+	}
+	if existingUserGrant.State == domain.UserGrantStateUnspecified || existingUserGrant.State == domain.UserGrantStateRemoved {
+		return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-1My0t", "Errors.UserGrant.NotFound")
+	}
+
+	//TODO: Remove Uniqueness
+	removeUserGrant := NewUserGrantWriteModel(grantID, resourceOwner)
+	userGrantAgg := UserGrantAggregateFromWriteModel(&removeUserGrant.WriteModel)
+	if !cascade {
+		userGrantAgg.PushEvents(
+			usergrant.NewUserGrantRemovedEvent(ctx, existingUserGrant.ResourceOwner, existingUserGrant.UserID, existingUserGrant.ProjectID),
+		)
+	} else {
+		userGrantAgg.PushEvents(
+			usergrant.NewUserGrantCascadeRemovedEvent(ctx, existingUserGrant.ResourceOwner, existingUserGrant.UserID, existingUserGrant.ProjectID),
+		)
+	}
+
+	return userGrantAgg, removeUserGrant, nil
+}
+func (r *CommandSide) userGrantWriteModelByID(ctx context.Context, userGrantID, resourceOwner string) (writeModel *UserGrantWriteModel, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel = NewUserGrantWriteModel(userGrantID, resourceOwner)
+	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}
--- a/internal/v2/command/user_grant_converter.go
+++ b/internal/v2/command/user_grant_converter.go
@@ -0,0 +1,14 @@
+package command
+
+import "github.com/caos/zitadel/internal/v2/domain"
+
+func userGrantWriteModelToUserGrant(writeModel *UserGrantWriteModel) *domain.UserGrant {
+	return &domain.UserGrant{
+		ObjectRoot:     writeModelToObjectRoot(writeModel.WriteModel),
+		UserID:         writeModel.UserID,
+		ProjectID:      writeModel.ProjectID,
+		ProjectGrantID: writeModel.ProjectGrantID,
+		RoleKeys:       writeModel.RoleKeys,
+		State:          writeModel.State,
+	}
+}
--- a/internal/v2/command/user_grant_model.go
+++ b/internal/v2/command/user_grant_model.go
@@ -0,0 +1,74 @@
+package command
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/usergrant"
+)
+
+type UserGrantWriteModel struct {
+	eventstore.WriteModel
+
+	UserID         string
+	ProjectID      string
+	ProjectGrantID string
+	RoleKeys       []string
+	State          domain.UserGrantState
+}
+
+func NewUserGrantWriteModel(userGrantID string, resourceOwner string) *UserGrantWriteModel {
+	return &UserGrantWriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   userGrantID,
+			ResourceOwner: resourceOwner,
+		},
+	}
+}
+
+func (wm *UserGrantWriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+}
+
+func (wm *UserGrantWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *usergrant.UserGrantAddedEvent:
+			wm.UserID = e.UserID
+			wm.ProjectID = e.ProjectID
+			wm.ProjectGrantID = e.ProjectGrantID
+			wm.RoleKeys = e.RoleKeys
+			wm.State = domain.UserGrantStateActive
+		case *usergrant.UserGrantChangedEvent:
+			wm.RoleKeys = e.RoleKeys
+		case *usergrant.UserGrantCascadeChangedEvent:
+			wm.RoleKeys = e.RoleKeys
+		case *usergrant.UserGrantDeactivatedEvent:
+			if wm.State == domain.UserGrantStateRemoved {
+				continue
+			}
+			wm.State = domain.UserGrantStateInactive
+		case *usergrant.UserGrantReactivatedEvent:
+			if wm.State == domain.UserGrantStateRemoved {
+				continue
+			}
+			wm.State = domain.UserGrantStateActive
+		case *usergrant.UserGrantRemovedEvent:
+			wm.State = domain.UserGrantStateRemoved
+		case *usergrant.UserGrantCascadeRemovedEvent:
+			wm.State = domain.UserGrantStateRemoved
+		}
+	}
+	return nil
+}
+
+func (wm *UserGrantWriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, usergrant.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
+}
+
+func UserGrantAggregateFromWriteModel(wm *eventstore.WriteModel) *usergrant.Aggregate {
+	return &usergrant.Aggregate{
+		Aggregate: *eventstore.AggregateFromWriteModel(wm, usergrant.AggregateType, usergrant.AggregateVersion),
+	}
+}
--- a/internal/v2/domain/user_grant.go
+++ b/internal/v2/domain/user_grant.go
@@ -0,0 +1,26 @@
+package domain
+
+import es_models "github.com/caos/zitadel/internal/eventstore/models"
+
+type UserGrant struct {
+	es_models.ObjectRoot
+
+	State          UserGrantState
+	UserID         string
+	ProjectID      string
+	ProjectGrantID string
+	RoleKeys       []string
+}
+
+type UserGrantState int32
+
+const (
+	UserGrantStateUnspecified UserGrantState = iota
+	UserGrantStateActive
+	UserGrantStateInactive
+	UserGrantStateRemoved
+)
+
+func (u *UserGrant) IsValid() bool {
+	return u.ProjectID != "" && u.UserID != ""
+}
--- a/internal/v2/repository/project/eventstore.go
+++ b/internal/v2/repository/project/eventstore.go
@@ -0,0 +1,9 @@
+package project
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+)
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(ProjectAddedType, ProjectAddedEventMapper)
+}
--- a/internal/v2/repository/project/project.go
+++ b/internal/v2/repository/project/project.go
@@ -12,7 +12,7 @@ import (
 const (
 	uniqueProjectnameTable = "project_names"
 	projectEventTypePrefix = eventstore.EventType("project.")
-	ProjectAdded           = projectEventTypePrefix + "added"
+	ProjectAddedType       = projectEventTypePrefix + "added"
 	ProjectChanged         = projectEventTypePrefix + "changed"
 	ProjectDeactivated     = projectEventTypePrefix + "deactivated"
 	ProjectReactivated     = projectEventTypePrefix + "reactivated"
@@ -52,7 +52,7 @@ func NewProjectAddedEvent(ctx context.Context, name, resourceOwner string) *Proj
 	return &ProjectAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPushWithResourceOwner(
 			ctx,
-			ProjectAdded,
+			ProjectAddedType,
 			resourceOwner,
 		),
 		Name: name,
--- a/internal/v2/repository/usergrant/aggregate.go
+++ b/internal/v2/repository/usergrant/aggregate.go
@@ -0,0 +1,14 @@
+package usergrant
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+)
+
+const (
+	AggregateType    = "usergrant"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
--- a/internal/v2/repository/usergrant/eventstore.go
+++ b/internal/v2/repository/usergrant/eventstore.go
@@ -0,0 +1,15 @@
+package usergrant
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+)
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(UserGrantAddedType, UserGrantAddedEventMapper).
+		RegisterFilterEventMapper(UserGrantChangedType, UserGrantChangedEventMapper).
+		RegisterFilterEventMapper(UserGrantCascadeChangedType, UserGrantCascadeChangedEventMapper).
+		RegisterFilterEventMapper(UserGrantRemovedType, UserGrantRemovedEventMapper).
+		RegisterFilterEventMapper(UserGrantCascadeRemovedType, UserGrantCascadeRemovedEventMapper).
+		RegisterFilterEventMapper(UserGrantDeactivatedType, UserGrantDeactivatedEventMapper).
+		RegisterFilterEventMapper(UserGrantReactivatedType, UserGrantReactivatedEventMapper)
+}
--- a/internal/v2/repository/usergrant/user_grant.go
+++ b/internal/v2/repository/usergrant/user_grant.go
@@ -0,0 +1,307 @@
+package usergrant
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+)
+
+const (
+	uniqueUserGrant             = "user_grant"
+	userGrantEventTypePrefix    = eventstore.EventType("user.grant")
+	UserGrantAddedType          = userGrantEventTypePrefix + "added"
+	UserGrantChangedType        = userGrantEventTypePrefix + "changed"
+	UserGrantCascadeChangedType = userGrantEventTypePrefix + "cascade.changed"
+	UserGrantRemovedType        = userGrantEventTypePrefix + "removed"
+	UserGrantCascadeRemovedType = userGrantEventTypePrefix + "cascade.removed"
+	UserGrantDeactivatedType    = userGrantEventTypePrefix + "deactivated"
+	UserGrantReactivatedType    = userGrantEventTypePrefix + "reactivated"
+)
+
+func NewAddUserGrantUniqueConstraint(resourceOwner, userID, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		uniqueUserGrant,
+		fmt.Sprintf("%s:%s:%s", resourceOwner, userID, projectID),
+		"Errors.UserGrant.AlreadyExists")
+}
+
+func NewRemoveUserGrantUniqueConstraint(resourceOwner, userID, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		uniqueUserGrant,
+		fmt.Sprintf("%s:%s:%s", resourceOwner, userID, projectID))
+}
+
+type UserGrantAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserID         string   `json:"userId,omitempty"`
+	ProjectID      string   `json:"projectId,omitempty"`
+	ProjectGrantID string   `json:"grantId,omitempty"`
+	RoleKeys       []string `json:"roleKeys,omitempty"`
+}
+
+func (e *UserGrantAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UserGrantAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddUserGrantUniqueConstraint(e.ResourceOwner(), e.UserID, e.ProjectID)}
+}
+
+func NewUserGrantAddedEvent(
+	ctx context.Context,
+	resourceOwner,
+	userID,
+	projectID,
+	projectGrantID string,
+	roleKeys []string) *UserGrantAddedEvent {
+	return &UserGrantAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPushWithResourceOwner(
+			ctx,
+			UserGrantAddedType,
+			resourceOwner,
+		),
+		UserID:         userID,
+		ProjectID:      projectID,
+		ProjectGrantID: projectGrantID,
+		RoleKeys:       roleKeys,
+	}
+}
+
+func UserGrantAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &UserGrantAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "UGRANT-2M9fs", "unable to unmarshal user grant")
+	}
+
+	return e, nil
+}
+
+type UserGrantChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	RoleKeys             []string `json:"roleKeys,omitempty"`
+}
+
+func (e *UserGrantChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UserGrantChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserGrantChangedEvent(
+	ctx context.Context,
+	roleKeys []string) *UserGrantChangedEvent {
+	return &UserGrantChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			UserGrantChangedType,
+		),
+		RoleKeys: roleKeys,
+	}
+}
+
+func UserGrantChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &UserGrantChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "UGRANT-4M0sd", "unable to unmarshal user grant")
+	}
+
+	return e, nil
+}
+
+type UserGrantCascadeChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	RoleKeys             []string `json:"roleKeys,omitempty"`
+}
+
+func (e *UserGrantCascadeChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UserGrantCascadeChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserGrantCascadeChangedEvent(
+	ctx context.Context,
+	roleKeys []string) *UserGrantCascadeChangedEvent {
+	return &UserGrantCascadeChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			UserGrantCascadeChangedType,
+		),
+		RoleKeys: roleKeys,
+	}
+}
+
+func UserGrantCascadeChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &UserGrantChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "UGRANT-Gs9df", "unable to unmarshal user grant")
+	}
+
+	return e, nil
+}
+
+type UserGrantRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	userID               string
+	projectID            string
+}
+
+func (e *UserGrantRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UserGrantRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveUserGrantUniqueConstraint(e.ResourceOwner(), e.userID, e.projectID)}
+}
+
+func NewUserGrantRemovedEvent(ctx context.Context, resourceOwner, userID, projectID string) *UserGrantRemovedEvent {
+	return &UserGrantRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPushWithResourceOwner(
+			ctx,
+			UserGrantRemovedType,
+			resourceOwner,
+		),
+		userID:    userID,
+		projectID: projectID,
+	}
+}
+
+func UserGrantRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &UserGrantRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "UGRANT-M0sdf", "unable to unmarshal user grant")
+	}
+
+	return e, nil
+}
+
+type UserGrantCascadeRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	userID               string
+	projectID            string
+}
+
+func (e *UserGrantCascadeRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UserGrantCascadeRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveUserGrantUniqueConstraint(e.ResourceOwner(), e.userID, e.projectID)}
+}
+
+func NewUserGrantCascadeRemovedEvent(ctx context.Context, resourceOwner, userID, projectID string) *UserGrantRemovedEvent {
+	return &UserGrantRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPushWithResourceOwner(
+			ctx,
+			UserGrantRemovedType,
+			resourceOwner,
+		),
+		userID:    userID,
+		projectID: projectID,
+	}
+}
+
+func UserGrantCascadeRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &UserGrantRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "UGRANT-E7urs", "unable to unmarshal user grant")
+	}
+
+	return e, nil
+}
+
+type UserGrantDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *UserGrantDeactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UserGrantDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserGrantDeactivatedEvent(ctx context.Context) *UserGrantDeactivatedEvent {
+	return &UserGrantDeactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			UserGrantDeactivatedType,
+		),
+	}
+}
+
+func UserGrantDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &UserGrantDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "UGRANT-pL0ds", "unable to unmarshal user grant")
+	}
+
+	return e, nil
+}
+
+type UserGrantReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *UserGrantReactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UserGrantReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserGrantReactivatedEvent(ctx context.Context) *UserGrantReactivatedEvent {
+	return &UserGrantReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			UserGrantReactivatedType,
+		),
+	}
+}
+
+func UserGrantReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &UserGrantReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "UGRANT-M0sdf", "unable to unmarshal user grant")
+	}
+
+	return e, nil
+}