fix: memberships (#633)

* feat: add iam members to memberships * fix: search project grants * fix: rename
2025-10-18 00:42:29 +00:00 · 2020-08-25 16:08:51 +02:00
parent 568fa82d10
commit f05c5bae24
9 changed files with 86 additions and 26 deletions
--- a/internal/management/repository/eventsourcing/eventstore/permissions.go
+++ b/internal/management/repository/eventsourcing/eventstore/permissions.go
@@ -3,6 +3,7 @@ package eventstore
 const (
 	projectReadPerm            = "project.read"
 	orgMemberReadPerm          = "org.member.read"
+	iamMemberReadPerm          = "iam.member.read"
 	projectMemberReadPerm      = "project.member.read"
 	projectGrantMemberReadPerm = "project.member.read"
 )
--- a/internal/management/repository/eventsourcing/eventstore/user.go
+++ b/internal/management/repository/eventsourcing/eventstore/user.go
@@ -2,6 +2,7 @@ package eventstore

 import (
 	"context"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	global_model "github.com/caos/zitadel/internal/model"
 	"github.com/caos/zitadel/internal/view/repository"
@@ -18,11 +19,12 @@ import (
 )

 type UserRepo struct {
-	SearchLimit  uint64
-	UserEvents   *usr_event.UserEventstore
-	PolicyEvents *policy_event.PolicyEventstore
-	OrgEvents    *org_event.OrgEventstore
-	View         *view.View
+	SearchLimit    uint64
+	UserEvents     *usr_event.UserEventstore
+	PolicyEvents   *policy_event.PolicyEventstore
+	OrgEvents      *org_event.OrgEventstore
+	View           *view.View
+	SystemDefaults systemdefaults.SystemDefaults
 }

 func (repo *UserRepo) UserByID(ctx context.Context, id string) (*usr_model.UserView, error) {
@@ -220,6 +222,7 @@ func (repo *UserRepo) ChangeAddress(ctx context.Context, address *usr_model.Addr

 func (repo *UserRepo) SearchUserMemberships(ctx context.Context, request *usr_model.UserMembershipSearchRequest) (*usr_model.UserMembershipSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
+	request.AppendResourceOwnerAndIamQuery(authz.GetCtxData(ctx).OrgID, repo.SystemDefaults.IamID)
 	sequence, err := repo.View.GetLatestUserMembershipSequence()
 	logging.Log("EVENT-Dn7sf").OnError(err).Warn("could not read latest user sequence")

@@ -235,7 +238,7 @@ func (repo *UserRepo) SearchUserMemberships(ctx context.Context, request *usr_mo
 	result = &usr_model.UserMembershipSearchResponse{
 		Offset:      request.Offset,
 		Limit:       request.Limit,
-		TotalResult: uint64(count),
+		TotalResult: count,
 		Result:      model.UserMembershipsToModel(memberships),
 	}
 	if err == nil {
@@ -247,13 +250,16 @@ func (repo *UserRepo) SearchUserMemberships(ctx context.Context, request *usr_mo

 func handleSearchUserMembershipsPermissions(ctx context.Context, request *usr_model.UserMembershipSearchRequest, sequence *repository.CurrentSequence) *usr_model.UserMembershipSearchResponse {
 	permissions := authz.GetAllPermissionsFromCtx(ctx)
+	iamPerm := authz.HasGlobalExplicitPermission(permissions, iamMemberReadPerm)
 	orgPerm := authz.HasGlobalExplicitPermission(permissions, orgMemberReadPerm)
 	projectPerm := authz.HasGlobalExplicitPermission(permissions, projectMemberReadPerm)
 	projectGrantPerm := authz.HasGlobalExplicitPermission(permissions, projectGrantMemberReadPerm)
-	if orgPerm && projectPerm && projectGrantPerm {
+	if iamPerm && orgPerm && projectPerm && projectGrantPerm {
 		return nil
 	}
-
+	if !iamPerm {
+		request.Queries = append(request.Queries, &usr_model.UserMembershipSearchQuery{Key: usr_model.UserMembershipSearchKeyMemberType, Method: global_model.SearchMethodNotEquals, Value: usr_model.MemberTypeIam})
+	}
 	if !orgPerm {
 		request.Queries = append(request.Queries, &usr_model.UserMembershipSearchQuery{Key: usr_model.UserMembershipSearchKeyMemberType, Method: global_model.SearchMethodNotEquals, Value: usr_model.MemberTypeOrganisation})
 	}
--- a/internal/management/repository/eventsourcing/handler/user_membership.go
+++ b/internal/management/repository/eventsourcing/handler/user_membership.go
@@ -2,6 +2,7 @@ package handler

 import (
 	"context"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	org_event "github.com/caos/zitadel/internal/org/repository/eventsourcing"
 	proj_event "github.com/caos/zitadel/internal/project/repository/eventsourcing"
@@ -37,12 +38,14 @@ func (m *UserMembership) EventQuery() (*models.SearchQuery, error) {
 		return nil, err
 	}
 	return es_models.NewSearchQuery().
-		AggregateTypeFilter(org_es_model.OrgAggregate, proj_es_model.ProjectAggregate).
+		AggregateTypeFilter(iam_es_model.IamAggregate, org_es_model.OrgAggregate, proj_es_model.ProjectAggregate).
 		LatestSequenceFilter(sequence.CurrentSequence), nil
 }

 func (m *UserMembership) Reduce(event *models.Event) (err error) {
 	switch event.AggregateType {
+	case iam_es_model.IamAggregate:
+		err = m.processIam(event)
 	case org_es_model.OrgAggregate:
 		err = m.processOrg(event)
 	case proj_es_model.ProjectAggregate:
@@ -51,6 +54,36 @@ func (m *UserMembership) Reduce(event *models.Event) (err error) {
 	return err
 }

+func (m *UserMembership) processIam(event *models.Event) (err error) {
+	member := new(usr_es_model.UserMembershipView)
+	err = member.AppendEvent(event)
+	if err != nil {
+		return err
+	}
+	switch event.Type {
+	case iam_es_model.IamMemberAdded:
+		m.fillIamDisplayName(member)
+	case iam_es_model.IamMemberChanged:
+		member, err = m.view.UserMembershipByIDs(member.UserID, event.AggregateID, event.AggregateID, usr_model.MemberTypeIam)
+		if err != nil {
+			return err
+		}
+		err = member.AppendEvent(event)
+	case iam_es_model.IamMemberRemoved:
+		return m.view.DeleteUserMembership(member.UserID, event.AggregateID, event.AggregateID, usr_model.MemberTypeIam, event.Sequence)
+	default:
+		return m.view.ProcessedUserMembershipSequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutUserMembership(member, event.Sequence)
+}
+
+func (m *UserMembership) fillIamDisplayName(member *usr_es_model.UserMembershipView) {
+	member.DisplayName = member.AggregateID
+}
+
 func (m *UserMembership) processOrg(event *models.Event) (err error) {
 	member := new(usr_es_model.UserMembershipView)
 	err = member.AppendEvent(event)
--- a/internal/management/repository/eventsourcing/repository.go
+++ b/internal/management/repository/eventsourcing/repository.go
@@ -97,7 +97,7 @@ func Start(conf Config, systemDefaults sd.SystemDefaults, roles []string) (*EsRe
 		spooler:       spool,
 		OrgRepository: eventstore.OrgRepository{conf.SearchLimit, org, user, view, roles},
 		ProjectRepo:   eventstore.ProjectRepo{es, conf.SearchLimit, project, usergrant, user, view, roles},
-		UserRepo:      eventstore.UserRepo{conf.SearchLimit, user, policy, org, view},
+		UserRepo:      eventstore.UserRepo{conf.SearchLimit, user, policy, org, view, systemDefaults},
 		UserGrantRepo: eventstore.UserGrantRepo{conf.SearchLimit, usergrant, view},
 		PolicyRepo:    eventstore.PolicyRepo{policy},
 		IamRepository: eventstore.IamRepository{iam},