mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-13 11:34:26 +00:00
f3e6f3b23b
* feat(command): remove org * refactor: imports, unused code, error handling * reduce org removed in action * add org deletion to projections * add org removal to projections * add org removal to projections * org removed projection * lint import * projections * fix: table names in tests * fix: table names in tests * logging * add org state * fix(domain): add Owner removed to object details * feat(ListQuery): add with owner removed * fix(org-delete): add bool to functions to select with owner removed * fix(org-delete): add bools to user grants with events to determine if dependencies lost owner * fix(org-delete): add unit tests for owner removed and org removed events * fix(org-delete): add handling of org remove for grants and members * fix(org-delete): correction of unit tests for owner removed * fix(org-delete): update projections, unit tests and get functions * fix(org-delete): add change date to authnkeys and owner removed to org metadata * fix(org-delete): include owner removed for login names * fix(org-delete): some column fixes in projections and build for queries with owner removed * indexes * fix(org-delete): include review changes * fix(org-delete): change user projection name after merge * fix(org-delete): include review changes for project grant where no project owner is necessary * fix(org-delete): include auth and adminapi tables with owner removed information * fix(org-delete): cleanup username and orgdomain uniqueconstraints when org is removed * fix(org-delete): add permissions for org.remove * remove unnecessary unique constraints * fix column order in primary keys * fix(org-delete): include review changes * fix(org-delete): add owner removed indexes and chang setup step to create tables * fix(org-delete): move PK order of instance_id and change added user_grant from review * fix(org-delete): no params for prepareUserQuery * change to step 6 * merge main * fix(org-delete): OldUserName rename to private * fix linting * cleanup * fix: remove org test * create prerelease * chore: delete org-delete as prerelease Co-authored-by: Stefan Benz <stefan@caos.ch> Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
332 lines
11 KiB
Go
332 lines
11 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/api/grpc/change"
|
|
"github.com/zitadel/zitadel/internal/api/grpc/metadata"
|
|
obj_grpc "github.com/zitadel/zitadel/internal/api/grpc/object"
|
|
"github.com/zitadel/zitadel/internal/api/grpc/org"
|
|
user_grpc "github.com/zitadel/zitadel/internal/api/grpc/user"
|
|
"github.com/zitadel/zitadel/internal/command"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
auth_pb "github.com/zitadel/zitadel/pkg/grpc/auth"
|
|
)
|
|
|
|
func (s *Server) GetMyUser(ctx context.Context, _ *auth_pb.GetMyUserRequest) (*auth_pb.GetMyUserResponse, error) {
|
|
user, err := s.query.GetUserByID(ctx, true, authz.GetCtxData(ctx).UserID, false)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &auth_pb.GetMyUserResponse{User: user_grpc.UserToPb(user, s.assetsAPIDomain(ctx))}, nil
|
|
}
|
|
|
|
func (s *Server) RemoveMyUser(ctx context.Context, _ *auth_pb.RemoveMyUserRequest) (*auth_pb.RemoveMyUserResponse, error) {
|
|
ctxData := authz.GetCtxData(ctx)
|
|
userGrantUserID, err := query.NewUserGrantUserIDSearchQuery(ctxData.UserID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
queries := &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantUserID}}
|
|
grants, err := s.query.UserGrants(ctx, queries, false)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
userQuery, err := query.NewMembershipUserIDQuery(authz.GetCtxData(ctx).UserID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
memberships, err := s.query.Memberships(ctx, &query.MembershipSearchQuery{
|
|
Queries: []query.SearchQuery{userQuery},
|
|
}, false)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
details, err := s.command.RemoveUser(ctx, ctxData.UserID, ctxData.ResourceOwner, cascadingMemberships(memberships.Memberships), userGrantsToIDs(grants.UserGrants)...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &auth_pb.RemoveMyUserResponse{
|
|
Details: obj_grpc.DomainToChangeDetailsPb(details),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) ListMyUserChanges(ctx context.Context, req *auth_pb.ListMyUserChangesRequest) (*auth_pb.ListMyUserChangesResponse, error) {
|
|
sequence, limit, asc := change.ChangeQueryToQuery(req.Query)
|
|
changes, err := s.query.UserChanges(ctx, authz.GetCtxData(ctx).UserID, sequence, limit, asc, s.auditLogRetention)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &auth_pb.ListMyUserChangesResponse{
|
|
Result: change.ChangesToPb(changes.Changes, s.assetsAPIDomain(ctx)),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) ListMyMetadata(ctx context.Context, req *auth_pb.ListMyMetadataRequest) (*auth_pb.ListMyMetadataResponse, error) {
|
|
queries, err := ListUserMetadataToQuery(req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
res, err := s.query.SearchUserMetadata(ctx, true, authz.GetCtxData(ctx).UserID, queries, false)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &auth_pb.ListMyMetadataResponse{
|
|
Result: metadata.UserMetadataListToPb(res.Metadata),
|
|
Details: obj_grpc.ToListDetails(res.Count, res.Sequence, res.Timestamp),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) GetMyMetadata(ctx context.Context, req *auth_pb.GetMyMetadataRequest) (*auth_pb.GetMyMetadataResponse, error) {
|
|
data, err := s.query.GetUserMetadataByKey(ctx, true, authz.GetCtxData(ctx).UserID, req.Key, false)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &auth_pb.GetMyMetadataResponse{
|
|
Metadata: metadata.UserMetadataToPb(data),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) ListMyUserSessions(ctx context.Context, req *auth_pb.ListMyUserSessionsRequest) (*auth_pb.ListMyUserSessionsResponse, error) {
|
|
userSessions, err := s.repo.GetMyUserSessions(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &auth_pb.ListMyUserSessionsResponse{
|
|
Result: user_grpc.UserSessionsToPb(userSessions, s.assetsAPIDomain(ctx)),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) UpdateMyUserName(ctx context.Context, req *auth_pb.UpdateMyUserNameRequest) (*auth_pb.UpdateMyUserNameResponse, error) {
|
|
ctxData := authz.GetCtxData(ctx)
|
|
objectDetails, err := s.command.ChangeUsername(ctx, ctxData.ResourceOwner, ctxData.UserID, req.UserName)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &auth_pb.UpdateMyUserNameResponse{
|
|
Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
|
|
}, nil
|
|
}
|
|
|
|
func ctxToObjectRoot(ctx context.Context) models.ObjectRoot {
|
|
ctxData := authz.GetCtxData(ctx)
|
|
return models.ObjectRoot{
|
|
AggregateID: ctxData.UserID,
|
|
ResourceOwner: ctxData.ResourceOwner,
|
|
}
|
|
}
|
|
|
|
func (s *Server) ListMyUserGrants(ctx context.Context, req *auth_pb.ListMyUserGrantsRequest) (*auth_pb.ListMyUserGrantsResponse, error) {
|
|
queries, err := ListMyUserGrantsRequestToQuery(ctx, req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
res, err := s.query.UserGrants(ctx, queries, false)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &auth_pb.ListMyUserGrantsResponse{
|
|
Result: UserGrantsToPb(res.UserGrants),
|
|
Details: obj_grpc.ToListDetails(res.Count, res.Sequence, res.Timestamp),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) ListMyProjectOrgs(ctx context.Context, req *auth_pb.ListMyProjectOrgsRequest) (*auth_pb.ListMyProjectOrgsResponse, error) {
|
|
queries, err := ListMyProjectOrgsRequestToQuery(req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
ctxData := authz.GetCtxData(ctx)
|
|
|
|
//client of user is not in project of ZITADEL
|
|
if ctxData.ProjectID != authz.GetInstance(ctx).ProjectID() {
|
|
userGrantProjectID, err := query.NewUserGrantProjectIDSearchQuery(ctxData.ProjectID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
userGrantUserID, err := query.NewUserGrantUserIDSearchQuery(ctxData.UserID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantProjectID, userGrantUserID}}, false)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
ids := make([]string, 0, len(grants.UserGrants))
|
|
for _, grant := range grants.UserGrants {
|
|
ids = appendIfNotExists(ids, grant.ResourceOwner)
|
|
}
|
|
|
|
idsQuery, err := query.NewOrgIDsSearchQuery(ids...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
queries.Queries = append(queries.Queries, idsQuery)
|
|
} else {
|
|
memberships, err := s.myOrgsQuery(ctx, ctxData)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if !isIAMAdmin(memberships.Memberships) {
|
|
ids := make([]string, 0, len(memberships.Memberships))
|
|
for _, membership := range memberships.Memberships {
|
|
orgID := membership.ResourceOwner
|
|
if membership.ProjectGrant != nil && membership.ProjectGrant.GrantedOrgID != "" {
|
|
orgID = membership.ProjectGrant.GrantedOrgID
|
|
}
|
|
ids = appendIfNotExists(ids, orgID)
|
|
}
|
|
|
|
idsQuery, err := query.NewOrgIDsSearchQuery(ids...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
queries.Queries = append(queries.Queries, idsQuery)
|
|
}
|
|
}
|
|
|
|
orgs, err := s.query.SearchOrgs(ctx, queries)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &auth_pb.ListMyProjectOrgsResponse{
|
|
Details: obj_grpc.ToListDetails(orgs.Count, orgs.Sequence, orgs.Timestamp),
|
|
Result: org.OrgsToPb(orgs.Orgs),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) myOrgsQuery(ctx context.Context, ctxData authz.CtxData) (*query.Memberships, error) {
|
|
userQuery, err := query.NewMembershipUserIDQuery(ctxData.UserID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return s.query.Memberships(ctx, &query.MembershipSearchQuery{
|
|
Queries: []query.SearchQuery{userQuery},
|
|
}, false)
|
|
}
|
|
|
|
func isIAMAdmin(memberships []*query.Membership) bool {
|
|
for _, m := range memberships {
|
|
if m.IAM != nil {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func appendIfNotExists(array []string, value string) []string {
|
|
for _, a := range array {
|
|
if a == value {
|
|
return array
|
|
}
|
|
}
|
|
return append(array, value)
|
|
}
|
|
|
|
func ListMyProjectOrgsRequestToQuery(req *auth_pb.ListMyProjectOrgsRequest) (*query.OrgSearchQueries, error) {
|
|
offset, limit, asc := obj_grpc.ListQueryToModel(req.Query)
|
|
queries, err := org.OrgQueriesToQuery(req.Queries)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &query.OrgSearchQueries{
|
|
SearchRequest: query.SearchRequest{
|
|
Offset: offset,
|
|
Limit: limit,
|
|
Asc: asc,
|
|
},
|
|
Queries: queries,
|
|
}, nil
|
|
}
|
|
|
|
func membershipToDomain(memberships []*query.Membership) []*domain.UserMembership {
|
|
result := make([]*domain.UserMembership, len(memberships))
|
|
for i, membership := range memberships {
|
|
typ, displayName, aggID, objID := MemberTypeToDomain(membership)
|
|
result[i] = &domain.UserMembership{
|
|
UserID: membership.UserID,
|
|
MemberType: typ,
|
|
AggregateID: aggID,
|
|
ObjectID: objID,
|
|
Roles: membership.Roles,
|
|
DisplayName: displayName,
|
|
CreationDate: membership.CreationDate,
|
|
ChangeDate: membership.ChangeDate,
|
|
ResourceOwner: membership.ResourceOwner,
|
|
//TODO: implement
|
|
// ResourceOwnerName: membership.ResourceOwnerName,
|
|
Sequence: membership.Sequence,
|
|
}
|
|
}
|
|
return result
|
|
}
|
|
|
|
func MemberTypeToDomain(m *query.Membership) (_ domain.MemberType, displayName, aggID, objID string) {
|
|
if m.Org != nil {
|
|
return domain.MemberTypeOrganisation, m.Org.Name, m.Org.OrgID, ""
|
|
} else if m.IAM != nil {
|
|
return domain.MemberTypeIam, m.IAM.Name, m.IAM.IAMID, ""
|
|
} else if m.Project != nil {
|
|
return domain.MemberTypeProject, m.Project.Name, m.Project.ProjectID, ""
|
|
} else if m.ProjectGrant != nil {
|
|
return domain.MemberTypeProjectGrant, m.ProjectGrant.ProjectName, m.ProjectGrant.ProjectID, m.ProjectGrant.GrantID
|
|
}
|
|
return domain.MemberTypeUnspecified, "", "", ""
|
|
}
|
|
|
|
func cascadingMemberships(memberships []*query.Membership) []*command.CascadingMembership {
|
|
cascades := make([]*command.CascadingMembership, len(memberships))
|
|
for i, membership := range memberships {
|
|
cascades[i] = &command.CascadingMembership{
|
|
UserID: membership.UserID,
|
|
ResourceOwner: membership.ResourceOwner,
|
|
IAM: cascadingIAMMembership(membership.IAM),
|
|
Org: cascadingOrgMembership(membership.Org),
|
|
Project: cascadingProjectMembership(membership.Project),
|
|
ProjectGrant: cascadingProjectGrantMembership(membership.ProjectGrant),
|
|
}
|
|
}
|
|
return cascades
|
|
}
|
|
|
|
func cascadingIAMMembership(membership *query.IAMMembership) *command.CascadingIAMMembership {
|
|
if membership == nil {
|
|
return nil
|
|
}
|
|
return &command.CascadingIAMMembership{IAMID: membership.IAMID}
|
|
}
|
|
func cascadingOrgMembership(membership *query.OrgMembership) *command.CascadingOrgMembership {
|
|
if membership == nil {
|
|
return nil
|
|
}
|
|
return &command.CascadingOrgMembership{OrgID: membership.OrgID}
|
|
}
|
|
func cascadingProjectMembership(membership *query.ProjectMembership) *command.CascadingProjectMembership {
|
|
if membership == nil {
|
|
return nil
|
|
}
|
|
return &command.CascadingProjectMembership{ProjectID: membership.ProjectID}
|
|
}
|
|
func cascadingProjectGrantMembership(membership *query.ProjectGrantMembership) *command.CascadingProjectGrantMembership {
|
|
if membership == nil {
|
|
return nil
|
|
}
|
|
return &command.CascadingProjectGrantMembership{ProjectID: membership.ProjectID, GrantID: membership.GrantID}
|
|
}
|
|
|
|
func userGrantsToIDs(userGrants []*query.UserGrant) []string {
|
|
converted := make([]string, len(userGrants))
|
|
for i, grant := range userGrants {
|
|
converted[i] = grant.ID
|
|
}
|
|
return converted
|
|
}
|