TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-07-13 17:20:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
zitadel/internal/query/idp_user_link.go
Tim Möhlmann 658ca3606b
feat(permissions): project member permission filter (#9757) 
# Which Problems Are Solved

Add the possibility to filter project resources based on project member
roles.

# How the Problems Are Solved

Extend and refactor existing Pl/PgSQL functions to implement the
following:

- Solve O(n) complexity in returned resources IDs by returning a boolean
filter for instance level permissions.
- Individually permitted orgs are returned only if there was no instance
permission
- Individually permitted projects are returned only if there was no
instance permission
- Because of the multiple filter terms, use `INNER JOIN`s instead of
`WHERE` clauses.

# Additional Changes

- system permission function no longer query the organization view and
therefore can be `immutable`, giving big performance benefits for
frequently reused system users. (like our hosted login in Zitadel cloud)
- The permitted org and project functions are now defined as `stable`
because the don't modify on-disk data. This might give a small
performance gain
- The Pl/PgSQL functions are now tested using Go unit tests.

# Additional Context

- Depends on https://github.com/zitadel/zitadel/pull/9677
- Part of https://github.com/zitadel/zitadel/issues/9188
- Closes https://github.com/zitadel/zitadel/issues/9190
2025-04-22 08:42:59 +00:00

241 lines
6.7 KiB
Go
Raw Blame History

package query
import (
"context"
"database/sql"
"slices"
sq "github.com/Masterminds/squirrel"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query/projection"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
"github.com/zitadel/zitadel/internal/zerrors"
)
type IDPUserLink struct {
IDPID string
UserID string
IDPName string
ProvidedUserID string
ProvidedUsername string
ResourceOwner string
IDPType domain.IDPType
}
type IDPUserLinks struct {
SearchResponse
Links []*IDPUserLink
}
type IDPUserLinksSearchQuery struct {
SearchRequest
Queries []SearchQuery
}
func (q *IDPUserLinksSearchQuery) toQuery(query sq.SelectBuilder) sq.SelectBuilder {
query = q.SearchRequest.toQuery(query)
for _, q := range q.Queries {
query = q.toQuery(query)
}
return query
}
func (q *IDPUserLinksSearchQuery) hasUserID() bool {
for _, query := range q.Queries {
if query.Col() == IDPUserLinkUserIDCol {
return true
}
}
return false
}
var (
idpUserLinkTable = table{
name: projection.IDPUserLinkTable,
instanceIDCol: projection.IDPUserLinkInstanceIDCol,
}
IDPUserLinkIDPIDCol = Column{
name: projection.IDPUserLinkIDPIDCol,
table: idpUserLinkTable,
}
IDPUserLinkUserIDCol = Column{
name: projection.IDPUserLinkUserIDCol,
table: idpUserLinkTable,
}
IDPUserLinkExternalUserIDCol = Column{
name: projection.IDPUserLinkExternalUserIDCol,
table: idpUserLinkTable,
}
IDPUserLinkCreationDateCol = Column{
name: projection.IDPUserLinkCreationDateCol,
table: idpUserLinkTable,
}
IDPUserLinkChangeDateCol = Column{
name: projection.IDPUserLinkChangeDateCol,
table: idpUserLinkTable,
}
IDPUserLinkSequenceCol = Column{
name: projection.IDPUserLinkSequenceCol,
table: idpUserLinkTable,
}
IDPUserLinkResourceOwnerCol = Column{
name: projection.IDPUserLinkResourceOwnerCol,
table: idpUserLinkTable,
}
IDPUserLinkInstanceIDCol = Column{
name: projection.IDPUserLinkInstanceIDCol,
table: idpUserLinkTable,
}
IDPUserLinkDisplayNameCol = Column{
name: projection.IDPUserLinkDisplayNameCol,
table: idpUserLinkTable,
}
IDPUserLinkOwnerRemovedCol = Column{
name: projection.IDPUserLinkOwnerRemovedCol,
table: idpUserLinkTable,
}
)
func idpLinksCheckPermission(ctx context.Context, links *IDPUserLinks, permissionCheck domain.PermissionCheck) {
links.Links = slices.DeleteFunc(links.Links,
func(link *IDPUserLink) bool {
return userCheckPermission(ctx, link.ResourceOwner, link.UserID, permissionCheck) != nil
},
)
}
func idpLinksPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled bool, queries *IDPUserLinksSearchQuery) sq.SelectBuilder {
if !enabled {
return query
}
join, args := PermissionClause(
ctx,
IDPUserLinkResourceOwnerCol,
domain.PermissionUserRead,
SingleOrgPermissionOption(queries.Queries),
OwnedRowsPermissionOption(IDPUserLinkUserIDCol),
)
return query.JoinClause(join, args...)
}
func (q *Queries) IDPUserLinks(ctx context.Context, queries *IDPUserLinksSearchQuery, permissionCheck domain.PermissionCheck) (idps *IDPUserLinks, err error) {
permissionCheckV2 := PermissionV2(ctx, permissionCheck)
links, err := q.idpUserLinks(ctx, queries, permissionCheckV2)
if err != nil {
return nil, err
}
if permissionCheck != nil && len(links.Links) > 0 && !permissionCheckV2 {
// when userID for query is provided, only one check has to be done
if queries.hasUserID() {
if err := userCheckPermission(ctx, links.Links[0].ResourceOwner, links.Links[0].UserID, permissionCheck); err != nil {
return nil, err
}
} else {
idpLinksCheckPermission(ctx, links, permissionCheck)
}
}
return links, nil
}
func (q *Queries) idpUserLinks(ctx context.Context, queries *IDPUserLinksSearchQuery, permissionCheckV2 bool) (idps *IDPUserLinks, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
query, scan := prepareIDPUserLinksQuery()
query = idpLinksPermissionCheckV2(ctx, query, permissionCheckV2, queries)
eq := sq.Eq{
IDPUserLinkInstanceIDCol.identifier(): authz.GetInstance(ctx).InstanceID(),
IDPUserLinkOwnerRemovedCol.identifier(): false,
}
stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
if err != nil {
return nil, zerrors.ThrowInvalidArgument(err, "QUERY-4zzFK", "Errors.Query.InvalidRequest")
}
err = q.client.QueryContext(ctx, func(rows *sql.Rows) error {
idps, err = scan(rows)
return err
}, stmt, args...)
if err != nil {
return nil, zerrors.ThrowInternal(err, "QUERY-C1E4D", "Errors.Internal")
}
idps.State, err = q.latestState(ctx, idpUserLinkTable)
return idps, err
}
func NewIDPUserLinkIDPIDSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(IDPUserLinkIDPIDCol, value, TextEquals)
}
func NewIDPUserLinksUserIDSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(IDPUserLinkUserIDCol, value, TextEquals)
}
func NewIDPUserLinksResourceOwnerSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(IDPUserLinkResourceOwnerCol, value, TextEquals)
}
func NewIDPUserLinksExternalIDSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(IDPUserLinkExternalUserIDCol, value, TextEquals)
}
func prepareIDPUserLinksQuery() (sq.SelectBuilder, func(*sql.Rows) (*IDPUserLinks, error)) {
return sq.Select(
IDPUserLinkIDPIDCol.identifier(),
IDPUserLinkUserIDCol.identifier(),
IDPTemplateNameCol.identifier(),
IDPUserLinkExternalUserIDCol.identifier(),
IDPUserLinkDisplayNameCol.identifier(),
IDPTemplateTypeCol.identifier(),
IDPUserLinkResourceOwnerCol.identifier(),
countColumn.identifier()).
From(idpUserLinkTable.identifier()).
LeftJoin(join(IDPTemplateIDCol, IDPUserLinkIDPIDCol)).
PlaceholderFormat(sq.Dollar),
func(rows *sql.Rows) (*IDPUserLinks, error) {
idps := make([]*IDPUserLink, 0)
var count uint64
for rows.Next() {
var (
idpName = sql.NullString{}
idpType = sql.NullInt16{}
idp = new(IDPUserLink)
)
err := rows.Scan(
&idp.IDPID,
&idp.UserID,
&idpName,
&idp.ProvidedUserID,
&idp.ProvidedUsername,
&idpType,
&idp.ResourceOwner,
&count,
)
if err != nil {
return nil, err
}
idp.IDPName = idpName.String
//IDPType 0 is oidc so we have to set unspecified manually
if idpType.Valid {
idp.IDPType = domain.IDPType(idpType.Int16)
} else {
idp.IDPType = domain.IDPTypeUnspecified
}
idps = append(idps, idp)
}
if err := rows.Close(); err != nil {
return nil, zerrors.ThrowInternal(err, "QUERY-nwx6U", "Errors.Query.CloseRows")
}
return &IDPUserLinks{
Links: idps,
SearchResponse: SearchResponse{
Count: count,
},
}, nil
}
}
Reference in New Issue View Git Blame Copy Permalink