From eb4f7c5d7c3db99e7ee4db96f75f73157e130cc2 Mon Sep 17 00:00:00 2001
From: Silvan
Date: Mon, 13 Mar 2023 08:03:49 +0100
Subject: [PATCH] fix(auth): update user grants before check (#5406)
---
 internal/api/grpc/admin/export.go | 2 +-
 internal/api/grpc/auth/user.go | 6 +++---
 internal/api/grpc/management/project.go | 4 ++--
 internal/api/grpc/management/project_grant.go | 4 ++--
 internal/api/grpc/management/user.go | 2 +-
 internal/api/grpc/management/user_grant.go | 2 +-
 internal/api/oidc/client.go | 2 +-
 .../eventsourcing/eventstore/auth_request.go | 6 ++----
 internal/auth/repository/eventsourcing/repository.go | 2 +-
 internal/query/user_grant.go | 10 +++++++++-
 10 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/internal/api/grpc/admin/export.go b/internal/api/grpc/admin/export.go
index 15cf7ad313..d42df360af 100644
--- a/internal/api/grpc/admin/export.go
+++ b/internal/api/grpc/admin/export.go
@@ -966,7 +966,7 @@ func (s *Server) getNecessaryUserGrantsForOrg(ctx context.Context, org string, p
 return nil, err
 }
 
- queriedUserGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantSearchOrg}}, false)
+ queriedUserGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantSearchOrg}}, true, false)
 if err != nil {
 return nil, err
 }
diff --git a/internal/api/grpc/auth/user.go b/internal/api/grpc/auth/user.go
index 162c8b21dc..1f15a721b5 100644
--- a/internal/api/grpc/auth/user.go
+++ b/internal/api/grpc/auth/user.go
@@ -31,7 +31,7 @@ func (s *Server) RemoveMyUser(ctx context.Context, _ *auth_pb.RemoveMyUserReques
 return nil, err
 }
 queries := &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantUserID}}
- grants, err := s.query.UserGrants(ctx, queries, false)
+ grants, err := s.query.UserGrants(ctx, queries, true, false)
 if err != nil {
 return nil, err
 }
@@ -125,7 +125,7 @@ func (s *Server) ListMyUserGrants(ctx context.Context, req *auth_pb.ListMyUserGr
 if err != nil {
 return nil, err
 }
- res, err := s.query.UserGrants(ctx, queries, false)
+ res, err := s.query.UserGrants(ctx, queries, false, false)
 if err != nil {
 return nil, err
 }
@@ -154,7 +154,7 @@ func (s *Server) ListMyProjectOrgs(ctx context.Context, req *auth_pb.ListMyProje
 return nil, err
 }
 
- grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantProjectID, userGrantUserID}}, false)
+ grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantProjectID, userGrantUserID}}, false, false)
 if err != nil {
 return nil, err
 }
diff --git a/internal/api/grpc/management/project.go b/internal/api/grpc/management/project.go
index c54c13bb86..4ad7ffe97a 100644
--- a/internal/api/grpc/management/project.go
+++ b/internal/api/grpc/management/project.go
@@ -172,7 +172,7 @@ func (s *Server) RemoveProject(ctx context.Context, req *mgmt_pb.RemoveProjectRe
 }
 grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
 Queries: []query.SearchQuery{projectQuery},
- }, false)
+ }, true, false)
 if err != nil {
 return nil, err
 }
@@ -257,7 +257,7 @@ func (s *Server) RemoveProjectRole(ctx context.Context, req *mgmt_pb.RemoveProje
 }
 userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
 Queries: []query.SearchQuery{projectQuery, rolesQuery},
- }, false)
+ }, false, false)
 if err != nil {
 return nil, err
diff --git a/internal/api/grpc/management/project_grant.go b/internal/api/grpc/management/project_grant.go
index 002daeaa0d..21db4dc454 100644
--- a/internal/api/grpc/management/project_grant.go
+++ b/internal/api/grpc/management/project_grant.go
@@ -90,7 +90,7 @@ func (s *Server) UpdateProjectGrant(ctx context.Context, req *mgmt_pb.UpdateProj
 }
 grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
 Queries: []query.SearchQuery{projectQuery, grantQuery},
- }, false)
+ }, true, false)
 if err != nil {
 return nil, err
 }
@@ -138,7 +138,7 @@ func (s *Server) RemoveProjectGrant(ctx context.Context, req *mgmt_pb.RemoveProj
 }
 userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
 Queries: []query.SearchQuery{projectQuery, grantQuery},
- }, true)
+ }, false, true)
 if err != nil {
 return nil, err
 }
diff --git a/internal/api/grpc/management/user.go b/internal/api/grpc/management/user.go
index e2a0ad3c5a..7fb6db5db6 100644
--- a/internal/api/grpc/management/user.go
+++ b/internal/api/grpc/management/user.go
@@ -342,7 +342,7 @@ func (s *Server) removeUserDependencies(ctx context.Context, userID string) ([]*
 }
 grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
 Queries: []query.SearchQuery{userGrantUserQuery},
- }, true)
+ }, true, true)
 if err != nil {
 return nil, nil, err
 }
diff --git a/internal/api/grpc/management/user_grant.go b/internal/api/grpc/management/user_grant.go
index 8a71689150..a9beb328c9 100644
--- a/internal/api/grpc/management/user_grant.go
+++ b/internal/api/grpc/management/user_grant.go
@@ -33,7 +33,7 @@ func (s *Server) ListUserGrants(ctx context.Context, req *mgmt_pb.ListUserGrantR
 if err != nil {
 return nil, err
 }
- res, err := s.query.UserGrants(ctx, queries, false)
+ res, err := s.query.UserGrants(ctx, queries, false, false)
 if err != nil {
 return nil, err
 }
diff --git a/internal/api/oidc/client.go b/internal/api/oidc/client.go
index af219bf6be..08d9b4f819 100644
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
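Review bot: RemoveProjectGrant passes `false` for the new shouldTriggerBulk argument (`}, false, true)`) while UpdateProjectGrant in the hunk above, RemoveProject in project.go and removeUserDependencies in user.go all pass `true`, so the grants collected here for the removal path may still be read from a projection that has not caught up with the latest events; RemoveProjectRole in project.go makes the same choice. If skipping the trigger is deliberate for these two call sites, a one-line comment at the call, `// no projection trigger: <reason>`, would record why; otherwise `}, true, true)` would align it with the other removal paths touched by this commit. The enclosing function starts and ends outside the hunk.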
@@ -649,7 +649,7 @@ func (o *OPStorage) assertRoles(ctx context.Context, userID, applicationID strin
 }
 grants, err := o.query.UserGrants(ctx, &query.UserGrantsQueries{
 Queries: []query.SearchQuery{projectQuery, userIDQuery},
- }, false)
+ }, true, false)
 if err != nil {
 return nil, nil, err
 }
diff --git a/internal/auth/repository/eventsourcing/eventstore/auth_request.go b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
index edbd01e98f..0ea01c10f8 100644
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -1471,10 +1471,8 @@ func projectRequired(ctx context.Context, request *domain.AuthRequest, projectPr
 }
 _, err = projectProvider.OrgProjectMappingByIDs(request.UserOrgID, project.ID, request.InstanceID)
 if errors.IsNotFound(err) {
+ // if not found there is no error returned
 return true, nil
 }
- if err != nil {
- return false, err
- }
- return false, nil
+ return false, err
 }
diff --git a/internal/auth/repository/eventsourcing/repository.go b/internal/auth/repository/eventsourcing/repository.go
index 34df290c7a..b06e46a139 100644
--- a/internal/auth/repository/eventsourcing/repository.go
+++ b/internal/auth/repository/eventsourcing/repository.go
@@ -127,7 +127,7 @@ func (q queryViewWrapper) UserGrantsByProjectAndUserID(ctx context.Context, proj
 return nil, err
 }
 queries := &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantUserID, userGrantProjectID}}
- grants, err := q.Queries.UserGrants(ctx, queries, false)
+ grants, err := q.Queries.UserGrants(ctx, queries, true, false)
 if err != nil {
 return nil, err
 }
diff --git a/internal/query/user_grant.go b/internal/query/user_grant.go
index 2679c5f28f..8092b43e36 100644
--- a/internal/query/user_grant.go
+++ b/internal/query/user_grant.go
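Review bot: assertRoles now asks UserGrants to trigger the user grant projection on every call (`}, true, false)`), and nothing at the call site says why this path pays for the extra round trip while the list endpoints in the same commit do not. Sitting in the OIDC storage layer, this method is presumably reached per token or userinfo request (inferred from its location, not visible in the hunk), so it is worth confirming that Trigger is cheap when the projection is already current before accepting it on that path. A short comment at the call, `// trigger the projection first so revoked or newly added grants are reflected in the asserted roles`, would document the intent and the accepted cost. The enclosing function starts and ends outside the hunk.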
@@ -8,6 +8,8 @@ import ( sq "github.com/Masterminds/squirrel" + "github.com/zitadel/logging" + "github.com/zitadel/zitadel/internal/api/authz" "github.com/zitadel/zitadel/internal/api/call" "github.com/zitadel/zitadel/internal/database" @@ -245,10 +247,16 @@ func (q *Queries) UserGrant(ctx context.Context, shouldTriggerBulk bool, withOwn return scan(row) } -func (q *Queries) UserGrants(ctx context.Context, queries *UserGrantsQueries, withOwnerRemoved bool) (_ *UserGrants, err error) { +func (q *Queries) UserGrants(ctx context.Context, queries *UserGrantsQueries, shouldTriggerBulk, withOwnerRemoved bool) (_ *UserGrants, err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() + if shouldTriggerBulk { + logging.OnError( + projection.UserGrantProjection.Trigger(ctx), + ).Debug("unable to trigger") + } + query, scan := prepareUserGrantsQuery(ctx, q.client) eq := sq.Eq{UserGrantInstanceID.identifier(): authz.GetInstance(ctx).InstanceID()} if !withOwnerRemoved {
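Review bot: The new shouldTriggerBulk parameter changes the signature of an exported method, and the callers in this commit choose `true` or `false` per call site, yet UserGrants still has no doc comment explaining what the flag buys or that a failed trigger is not surfaced: `logging.OnError(...).Debug("unable to trigger")` records the failure only at debug level and the query then runs against whatever state the projection is in, so callers that pass `true` because they need fresh data for an authorization or cascading-removal decision get a best-effort guarantee with no signal in normal logging. I would raise that log to warning level with a message naming the projection, `).Warn("unable to trigger user grant projection")`, so operators can correlate stale results with trigger failures. I would also add a doc comment above the signature stating that shouldTriggerBulk triggers the user grant projection before the query runs, that a trigger failure is logged rather than returned, and what withOwnerRemoved filters. UserGrants continues past the end of this hunk.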