feat: setup (#1166)

* add setup steps * refactoring * omitempty * cleanup * begin org * create org * setup org * setup org * merge * fixes * fixes * fixes * add project * add oidc application * fix app creation * add resourceOwner to writemodels * resource owner * cleanup * global org, iam project and iam member in setup * logs * logs * logs * cleanup * Update internal/v2/command/project.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * check project state Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-12 07:57:32 +00:00 · 2021-01-12 12:59:51 +01:00
parent ff87264f95
commit e5731b0d3b
97 changed files with 1664 additions and 698 deletions
--- a/internal/api/authz/context.go
+++ b/internal/api/authz/context.go
@@ -23,6 +23,7 @@ type CtxData struct {
 	ProjectID         string
 	AgentID           string
 	PreferredLanguage string
+	ResourceOwner     string
 }

 func (ctxData CtxData) IsZero() bool {
@@ -47,7 +48,7 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *To
 		}
 	}

-	userID, clientID, agentID, prefLang, err := verifyAccessToken(ctx, token, t, method)
+	userID, clientID, agentID, prefLang, resourceOwner, err := verifyAccessToken(ctx, token, t, method)
 	if err != nil {
 		return CtxData{}, err
 	}
@@ -64,6 +65,7 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *To
 		ProjectID:         projectID,
 		AgentID:           agentID,
 		PreferredLanguage: prefLang,
+		ResourceOwner:     resourceOwner,
 	}, nil

 }
--- a/internal/api/authz/permissions_test.go
+++ b/internal/api/authz/permissions_test.go
@@ -15,8 +15,8 @@ type testVerifier struct {
 	grant *Grant
 }

-func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, error) {
-	return "userID", "agentID", "de", nil
+func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, string, error) {
+	return "userID", "agentID", "de", "orgID", nil
 }

 func (v *testVerifier) ResolveGrants(ctx context.Context) (*Grant, error) {
--- a/internal/api/authz/token.go
+++ b/internal/api/authz/token.go
@@ -20,7 +20,7 @@ type TokenVerifier struct {
 }

 type authZRepo interface {
-	VerifyAccessToken(ctx context.Context, token, clientID string) (userID, agentID, prefLang string, err error)
+	VerifyAccessToken(ctx context.Context, token, clientID string) (userID, agentID, prefLang, resourceOwner string, err error)
 	VerifierClientID(ctx context.Context, name string) (clientID string, err error)
 	ResolveGrants(ctx context.Context) (grant *Grant, err error)
 	ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error)
@@ -31,13 +31,13 @@ func Start(authZRepo authZRepo) (v *TokenVerifier) {
 	return &TokenVerifier{authZRepo: authZRepo}
 }

-func (v *TokenVerifier) VerifyAccessToken(ctx context.Context, token string, method string) (userID, clientID, agentID, prefLang string, err error) {
+func (v *TokenVerifier) VerifyAccessToken(ctx context.Context, token string, method string) (userID, clientID, agentID, prefLang, resourceOwner string, err error) {
 	clientID, err = v.clientIDFromMethod(ctx, method)
 	if err != nil {
-		return "", "", "", "", err
+		return "", "", "", "", "", err
 	}
-	userID, agentID, prefLang, err = v.authZRepo.VerifyAccessToken(ctx, token, clientID)
-	return userID, clientID, agentID, prefLang, err
+	userID, agentID, prefLang, resourceOwner, err = v.authZRepo.VerifyAccessToken(ctx, token, clientID)
+	return userID, clientID, agentID, prefLang, resourceOwner, err
 }

 type client struct {
@@ -111,13 +111,13 @@ func (v *TokenVerifier) CheckAuthMethod(method string) (Option, bool) {
 	return authOpt, ok
 }

-func verifyAccessToken(ctx context.Context, token string, t *TokenVerifier, method string) (userID, clientID, agentID, prefLang string, err error) {
+func verifyAccessToken(ctx context.Context, token string, t *TokenVerifier, method string) (userID, clientID, agentID, prefLan, resourceOwner string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

 	parts := strings.Split(token, BearerPrefix)
 	if len(parts) != 2 {
-		return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "AUTH-7fs1e", "invalid auth header")
+		return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "AUTH-7fs1e", "invalid auth header")
 	}
 	return t.VerifyAccessToken(ctx, parts[1], method)
 }
--- a/internal/api/authz/token_test.go
+++ b/internal/api/authz/token_test.go
@@ -58,7 +58,7 @@ func Test_VerifyAccessToken(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, _, _, _, err := verifyAccessToken(tt.args.ctx, tt.args.token, tt.args.verifier, tt.args.method)
+			_, _, _, _, _, err := verifyAccessToken(tt.args.ctx, tt.args.token, tt.args.verifier, tt.args.method)
 			if tt.wantErr && err == nil {
 				t.Errorf("got wrong result, should get err: actual: %v ", err)
 			}