TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:57:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
move-go
zitadel/apps/api/internal/command/project_role.go
Florian Forster cd2921de26 chore: move the go code into a subfolder
2025-08-05 15:20:32 -07:00

219 lines
7.7 KiB
Go
Raw Permalink Blame History

package command
import (
"context"
"github.com/zitadel/logging"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
"github.com/zitadel/zitadel/internal/repository/project"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
"github.com/zitadel/zitadel/internal/zerrors"
)
type AddProjectRole struct {
models.ObjectRoot
Key string
DisplayName string
Group string
}
func (p *AddProjectRole) IsValid() bool {
return p.AggregateID != "" && p.Key != ""
}
func (c *Commands) AddProjectRole(ctx context.Context, projectRole *AddProjectRole) (_ *domain.ObjectDetails, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
projectResourceOwner, err := c.checkProjectExists(ctx, projectRole.AggregateID, projectRole.ResourceOwner)
if err != nil {
return nil, err
}
if projectRole.ResourceOwner == "" {
projectRole.ResourceOwner = projectResourceOwner
}
if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.Key); err != nil {
return nil, err
}
roleWriteModel := NewProjectRoleWriteModelWithKey(projectRole.Key, projectRole.AggregateID, projectRole.ResourceOwner)
if roleWriteModel.ResourceOwner != projectResourceOwner {
return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-RLB4UpqQSd", "Errors.Project.Role.Invalid")
}
projectAgg := ProjectAggregateFromWriteModelWithCTX(ctx, &roleWriteModel.WriteModel)
events, err := c.addProjectRoles(ctx, projectAgg, projectRole)
if err != nil {
return nil, err
}
pushedEvents, err := c.eventstore.Push(ctx, events...)
if err != nil {
return nil, err
}
err = AppendAndReduce(roleWriteModel, pushedEvents...)
if err != nil {
return nil, err
}
return writeModelToObjectDetails(&roleWriteModel.WriteModel), nil
}
func (c *Commands) checkPermissionWriteProjectRole(ctx context.Context, resourceOwner, roleKey string) error {
return c.checkPermission(ctx, domain.PermissionProjectRoleWrite, resourceOwner, roleKey)
}
func (c *Commands) BulkAddProjectRole(ctx context.Context, projectID, resourceOwner string, projectRoles []*AddProjectRole) (details *domain.ObjectDetails, err error) {
projectResourceOwner, err := c.checkProjectExists(ctx, projectID, resourceOwner)
if err != nil {
return nil, err
}
for _, projectRole := range projectRoles {
if projectRole.ResourceOwner == "" {
projectRole.ResourceOwner = projectResourceOwner
}
if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.Key); err != nil {
return nil, err
}
if projectRole.ResourceOwner != projectResourceOwner {
return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-9ZXtdaJKJJ", "Errors.Project.Role.Invalid")
}
}
roleWriteModel := NewProjectRoleWriteModel(projectID, resourceOwner)
projectAgg := ProjectAggregateFromWriteModelWithCTX(ctx, &roleWriteModel.WriteModel)
events, err := c.addProjectRoles(ctx, projectAgg, projectRoles...)
if err != nil {
return details, err
}
return c.pushAppendAndReduceDetails(ctx, roleWriteModel, events...)
}
func (c *Commands) addProjectRoles(ctx context.Context, projectAgg *eventstore.Aggregate, projectRoles ...*AddProjectRole) ([]eventstore.Command, error) {
var events []eventstore.Command
for _, projectRole := range projectRoles {
if projectRole.ResourceOwner != projectAgg.ResourceOwner {
return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-4Q2WjlbHvc", "Errors.Project.Role.Invalid")
}
if !projectRole.IsValid() {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-4m9vS", "Errors.Project.Role.Invalid")
}
events = append(events, project.NewRoleAddedEvent(
ctx,
projectAgg,
projectRole.Key,
projectRole.DisplayName,
projectRole.Group,
))
}
return events, nil
}
type ChangeProjectRole struct {
models.ObjectRoot
Key string
DisplayName string
Group string
}
func (p *ChangeProjectRole) IsValid() bool {
return p.AggregateID != "" && p.Key != ""
}
func (c *Commands) ChangeProjectRole(ctx context.Context, projectRole *ChangeProjectRole) (_ *domain.ObjectDetails, err error) {
if !projectRole.IsValid() {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-2ilfW", "Errors.Project.Invalid")
}
projectResourceOwner, err := c.checkProjectExists(ctx, projectRole.AggregateID, projectRole.ResourceOwner)
if err != nil {
return nil, err
}
if projectRole.ResourceOwner == "" {
projectRole.ResourceOwner = projectResourceOwner
}
if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.Key); err != nil {
return nil, err
}
existingRole, err := c.getProjectRoleWriteModelByID(ctx, projectRole.Key, projectRole.AggregateID, projectRole.ResourceOwner)
if err != nil {
return nil, err
}
if !existingRole.State.Exists() {
return nil, zerrors.ThrowNotFound(nil, "COMMAND-vv8M9", "Errors.Project.Role.NotExisting")
}
if existingRole.ResourceOwner != projectResourceOwner {
return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-3MizLWveMf", "Errors.Project.Role.Invalid")
}
projectAgg := ProjectAggregateFromWriteModelWithCTX(ctx, &existingRole.WriteModel)
changeEvent, changed, err := existingRole.NewProjectRoleChangedEvent(ctx, projectAgg, projectRole.Key, projectRole.DisplayName, projectRole.Group)
if err != nil {
return nil, err
}
if !changed {
return writeModelToObjectDetails(&existingRole.WriteModel), nil
}
return c.pushAppendAndReduceDetails(ctx, existingRole, changeEvent)
}
func (c *Commands) RemoveProjectRole(ctx context.Context, projectID, key, resourceOwner string, cascadingProjectGrantIds []string, cascadeUserGrantIDs ...string) (details *domain.ObjectDetails, err error) {
if projectID == "" || key == "" {
return details, zerrors.ThrowInvalidArgument(nil, "COMMAND-fl9eF", "Errors.Project.Role.Invalid")
}
existingRole, err := c.getProjectRoleWriteModelByID(ctx, key, projectID, resourceOwner)
if err != nil {
return details, err
}
// return if project role is not existing
if !existingRole.State.Exists() {
return writeModelToObjectDetails(&existingRole.WriteModel), nil
}
if err := c.checkPermissionDeleteProjectRole(ctx, existingRole.ResourceOwner, existingRole.Key); err != nil {
return nil, err
}
projectAgg := ProjectAggregateFromWriteModelWithCTX(ctx, &existingRole.WriteModel)
events := []eventstore.Command{
project.NewRoleRemovedEvent(ctx, projectAgg, key),
}
for _, projectGrantID := range cascadingProjectGrantIds {
event, _, err := c.removeRoleFromProjectGrant(ctx, projectAgg, projectID, projectGrantID, key, true)
if err != nil {
logging.LogWithFields("COMMAND-6n77g", "projectgrantid", projectGrantID).WithError(err).Warn("could not cascade remove role from project grant")
continue
}
events = append(events, event)
}
for _, grantID := range cascadeUserGrantIDs {
event, err := c.removeRoleFromUserGrant(ctx, grantID, []string{key}, true)
if err != nil {
logging.LogWithFields("COMMAND-mK0of", "usergrantid", grantID).WithError(err).Warn("could not cascade remove role on user grant")
continue
}
events = append(events, event)
}
return c.pushAppendAndReduceDetails(ctx, existingRole, events...)
}
func (c *Commands) checkPermissionDeleteProjectRole(ctx context.Context, resourceOwner, roleKey string) error {
return c.checkPermission(ctx, domain.PermissionProjectRoleDelete, resourceOwner, roleKey)
}
func (c *Commands) getProjectRoleWriteModelByID(ctx context.Context, key, projectID, resourceOwner string) (*ProjectRoleWriteModel, error) {
projectRoleWriteModel := NewProjectRoleWriteModelWithKey(key, projectID, resourceOwner)
err := c.eventstore.FilterToQueryReducer(ctx, projectRoleWriteModel)
if err != nil {
return nil, err
}
return projectRoleWriteModel, nil
}
Reference in New Issue View Git Blame Copy Permalink