mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 19:17:32 +00:00
206 lines
6.8 KiB
Go
206 lines
6.8 KiB
Go
package command
|
|
|
|
import (
|
|
"context"
|
|
"slices"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/repository/project"
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
type AddProjectGrantMember struct {
|
|
ResourceOwner string
|
|
UserID string
|
|
GrantID string
|
|
ProjectID string
|
|
Roles []string
|
|
}
|
|
|
|
func (i *AddProjectGrantMember) IsValid(zitadelRoles []authz.RoleMapping) error {
|
|
if i.ProjectID == "" || i.GrantID == "" || i.UserID == "" || len(i.Roles) == 0 {
|
|
return zerrors.ThrowInvalidArgument(nil, "PROJECT-8fi7G", "Errors.Project.Grant.Member.Invalid")
|
|
}
|
|
if len(domain.CheckForInvalidRoles(i.Roles, domain.ProjectGrantRolePrefix, zitadelRoles)) > 0 {
|
|
return zerrors.ThrowInvalidArgument(nil, "PROJECT-m9gKK", "Errors.Project.Grant.Member.Invalid")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (c *Commands) AddProjectGrantMember(ctx context.Context, member *AddProjectGrantMember) (_ *domain.ObjectDetails, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
if err := member.IsValid(c.zitadelRoles); err != nil {
|
|
return nil, err
|
|
}
|
|
_, err = c.checkUserExists(ctx, member.UserID, "")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
grantedOrgID, projectGrantResourceOwner, err := c.checkProjectGrantExists(ctx, member.GrantID, "", member.ProjectID, "")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if member.ResourceOwner == "" {
|
|
member.ResourceOwner = projectGrantResourceOwner
|
|
}
|
|
addedMember, err := c.projectGrantMemberWriteModelByID(ctx, member.ProjectID, member.UserID, member.GrantID, member.ResourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
// TODO: change e2e tests to use correct resourceowner, wrong resource owner is corrected through aggregate
|
|
// error if provided resourceowner is not equal to the resourceowner of the project grant
|
|
//if projectGrantResourceOwner != addedMember.ResourceOwner {
|
|
// return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-0l10S9OmZV", "Errors.Project.Grant.Invalid")
|
|
//}
|
|
if addedMember.State.Exists() {
|
|
return nil, zerrors.ThrowNotFound(nil, "PROJECT-37fug", "Errors.AlreadyExists")
|
|
}
|
|
if err := c.checkPermissionUpdateProjectGrantMember(ctx, grantedOrgID, addedMember.GrantID); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pushedEvents, err := c.eventstore.Push(
|
|
ctx,
|
|
project.NewProjectGrantMemberAddedEvent(ctx,
|
|
ProjectAggregateFromWriteModelWithCTX(ctx, &addedMember.WriteModel),
|
|
member.UserID,
|
|
member.GrantID,
|
|
member.Roles...,
|
|
))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = AppendAndReduce(addedMember, pushedEvents...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return writeModelToObjectDetails(&addedMember.WriteModel), nil
|
|
}
|
|
|
|
type ChangeProjectGrantMember struct {
|
|
UserID string
|
|
GrantID string
|
|
ProjectID string
|
|
Roles []string
|
|
}
|
|
|
|
func (i *ChangeProjectGrantMember) IsValid(zitadelRoles []authz.RoleMapping) error {
|
|
if i.ProjectID == "" || i.GrantID == "" || i.UserID == "" || len(i.Roles) == 0 {
|
|
return zerrors.ThrowInvalidArgument(nil, "PROJECT-109fs", "Errors.Project.Grant.Member.Invalid")
|
|
}
|
|
if len(domain.CheckForInvalidRoles(i.Roles, domain.ProjectGrantRolePrefix, zitadelRoles)) > 0 {
|
|
return zerrors.ThrowInvalidArgument(nil, "PROJECT-m0sDf", "Errors.Project.Grant.Member.Invalid")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ChangeProjectGrantMember updates an existing member
|
|
func (c *Commands) ChangeProjectGrantMember(ctx context.Context, member *ChangeProjectGrantMember) (*domain.ObjectDetails, error) {
|
|
if err := member.IsValid(c.zitadelRoles); err != nil {
|
|
return nil, err
|
|
}
|
|
existingGrant, err := c.projectGrantWriteModelByID(ctx, member.GrantID, "", member.ProjectID, "")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
existingMember, err := c.projectGrantMemberWriteModelByID(ctx, member.ProjectID, member.UserID, member.GrantID, existingGrant.ResourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !existingMember.State.Exists() {
|
|
return nil, zerrors.ThrowNotFound(nil, "PROJECT-37fug", "Errors.NotFound")
|
|
}
|
|
|
|
if err := c.checkPermissionUpdateProjectGrantMember(ctx, existingGrant.GrantedOrgID, existingMember.GrantID); err != nil {
|
|
return nil, err
|
|
}
|
|
if slices.Compare(existingMember.Roles, member.Roles) == 0 {
|
|
return writeModelToObjectDetails(&existingMember.WriteModel), nil
|
|
}
|
|
|
|
pushedEvents, err := c.eventstore.Push(
|
|
ctx,
|
|
project.NewProjectGrantMemberChangedEvent(ctx,
|
|
ProjectAggregateFromWriteModelWithCTX(ctx, &existingMember.WriteModel),
|
|
member.UserID,
|
|
member.GrantID,
|
|
member.Roles...,
|
|
))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = AppendAndReduce(existingMember, pushedEvents...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return writeModelToObjectDetails(&existingMember.WriteModel), nil
|
|
}
|
|
|
|
func (c *Commands) RemoveProjectGrantMember(ctx context.Context, projectID, userID, grantID string) (*domain.ObjectDetails, error) {
|
|
if projectID == "" || userID == "" || grantID == "" {
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-66mHd", "Errors.Project.Member.Invalid")
|
|
}
|
|
existingGrant, err := c.projectGrantWriteModelByID(ctx, grantID, "", projectID, "")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
existingMember, err := c.projectGrantMemberWriteModelByID(ctx, projectID, userID, grantID, existingGrant.ResourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !existingMember.State.Exists() {
|
|
return writeModelToObjectDetails(&existingMember.WriteModel), nil
|
|
}
|
|
if err := c.checkPermissionDeleteProjectGrantMember(ctx, existingGrant.GrantedOrgID, existingMember.GrantID); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
removeEvent := c.removeProjectGrantMember(ctx,
|
|
ProjectAggregateFromWriteModelWithCTX(ctx, &existingMember.WriteModel),
|
|
userID,
|
|
grantID,
|
|
false,
|
|
)
|
|
pushedEvents, err := c.eventstore.Push(ctx, removeEvent)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = AppendAndReduce(existingMember, pushedEvents...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return writeModelToObjectDetails(&existingMember.WriteModel), nil
|
|
}
|
|
|
|
func (c *Commands) removeProjectGrantMember(ctx context.Context, projectAgg *eventstore.Aggregate, userID, grantID string, cascade bool) eventstore.Command {
|
|
if cascade {
|
|
return project.NewProjectGrantMemberCascadeRemovedEvent(
|
|
ctx,
|
|
projectAgg,
|
|
userID,
|
|
grantID)
|
|
} else {
|
|
return project.NewProjectGrantMemberRemovedEvent(ctx, projectAgg, userID, grantID)
|
|
}
|
|
}
|
|
|
|
func (c *Commands) projectGrantMemberWriteModelByID(ctx context.Context, projectID, userID, grantID, resourceOwner string) (member *ProjectGrantMemberWriteModel, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
writeModel := NewProjectGrantMemberWriteModel(projectID, userID, grantID, resourceOwner)
|
|
err = c.eventstore.FilterToQueryReducer(ctx, writeModel)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return writeModel, nil
|
|
}
|