TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-12-23 10:56:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
999e81b74b8552a7d355ba2c68bb46ac2518443a
zitadel/internal/api/grpc/authorization/v2/query.go
Livio Spring 999e81b74b feat(api): move authorization service to v2 (#10914) 
# Which Problems Are Solved

As part of our efforts to simplify the structure and versions of our
APIs, were moving all existing v2beta endpoints to v2 and deprecate
them. They will be removed in Zitadel V5.

# How the Problems Are Solved

- This PR moves the authorization v2beta service and its endpoints to a
corresponding v2 version. The v2beta service and endpoints are
deprecated.
- The docs are moved to the new GA service and its endpoints. The v2beta
is not displayed anymore.
- The comments and have been improved and, where not already done, moved
from swagger annotations to proto.
- All required fields have been marked with (google.api.field_behavior)
= REQUIRED and validation rules have been added where missing.
- The `organization_id` to create an authorization is now required to be
always passed. There's no implicit fallback to the project's
organization anymore.
- The `user_id` filter has been removed in favor of the recently added
`in_user_ids` filter.
- The returned `Authorization` object has been reworked to return
`project`, `organization` and `roles` as objects like the granted `user`
already was.
- Additionally the `roles` now not only contain the granted `role_keys`,
but also the `display_name` and `group`. To implement this the query has
been updated internally. Existing APIs are unchanged and still return
just the keys.

# Additional Changes

None

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/10772
- closes #10746
- requires backport to v4.x

(cherry picked from commit c9ac1ce344)
2025-10-28 15:09:54 +01:00

217 lines
8.1 KiB
Go
Raw Blame History

package authorization
import (
"context"
"errors"
"connectrpc.com/connect"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/api/grpc/filter/v2"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/pkg/grpc/authorization/v2"
filter_pb "github.com/zitadel/zitadel/pkg/grpc/filter/v2"
)
func (s *Server) ListAuthorizations(ctx context.Context, req *connect.Request[authorization.ListAuthorizationsRequest]) (*connect.Response[authorization.ListAuthorizationsResponse], error) {
queries, err := s.listAuthorizationsRequestToModel(req.Msg)
if err != nil {
return nil, err
}
resp, err := s.query.UserGrants(ctx, queries, false, s.checkPermission)
if err != nil {
return nil, err
}
return connect.NewResponse(&authorization.ListAuthorizationsResponse{
Authorizations: userGrantsToPb(resp.UserGrants),
Pagination: filter.QueryToPaginationPb(queries.SearchRequest, resp.SearchResponse),
}), nil
}
func (s *Server) listAuthorizationsRequestToModel(req *authorization.ListAuthorizationsRequest) (*query.UserGrantsQueries, error) {
offset, limit, asc, err := filter.PaginationPbToQuery(s.systemDefaults, req.Pagination)
if err != nil {
return nil, err
}
queries, err := AuthorizationQueriesToQuery(req.Filters)
if err != nil {
return nil, err
}
return &query.UserGrantsQueries{
SearchRequest: query.SearchRequest{
Offset: offset,
Limit: limit,
Asc: asc,
SortingColumn: authorizationFieldNameToSortingColumn(req.GetSortingColumn()),
},
Queries: queries,
}, nil
}
func authorizationFieldNameToSortingColumn(field authorization.AuthorizationFieldName) query.Column {
switch field {
case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_UNSPECIFIED:
return query.UserGrantCreationDate
case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_CREATED_DATE:
return query.UserGrantCreationDate
case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_CHANGED_DATE:
return query.UserGrantChangeDate
case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_ID:
return query.UserGrantID
case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_USER_ID:
return query.UserGrantUserID
case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_PROJECT_ID:
return query.UserGrantProjectID
case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_ORGANIZATION_ID:
return query.UserGrantResourceOwner
case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_USER_ORGANIZATION_ID:
return query.UserResourceOwnerCol
default:
return query.UserGrantCreationDate
}
}
func AuthorizationQueriesToQuery(queries []*authorization.AuthorizationsSearchFilter) (q []query.SearchQuery, err error) {
q = make([]query.SearchQuery, len(queries))
for i, query := range queries {
q[i], err = AuthorizationSearchFilterToQuery(query)
if err != nil {
return nil, err
}
}
return q, nil
}
func AuthorizationSearchFilterToQuery(query *authorization.AuthorizationsSearchFilter) (query.SearchQuery, error) {
switch q := query.Filter.(type) {
case *authorization.AuthorizationsSearchFilter_AuthorizationIds:
return AuthorizationIDQueryToModel(q.AuthorizationIds)
case *authorization.AuthorizationsSearchFilter_OrganizationId:
return AuthorizationOrganizationIDQueryToModel(q.OrganizationId)
case *authorization.AuthorizationsSearchFilter_State:
return AuthorizationStateQueryToModel(q.State)
case *authorization.AuthorizationsSearchFilter_InUserIds:
return AuthorizationInUserIDsQueryToModel(q.InUserIds)
case *authorization.AuthorizationsSearchFilter_UserOrganizationId:
return AuthorizationUserOrganizationIDQueryToModel(q.UserOrganizationId)
case *authorization.AuthorizationsSearchFilter_UserPreferredLoginName:
return AuthorizationUserNameQueryToModel(q.UserPreferredLoginName)
case *authorization.AuthorizationsSearchFilter_UserDisplayName:
return AuthorizationDisplayNameQueryToModel(q.UserDisplayName)
case *authorization.AuthorizationsSearchFilter_ProjectId:
return AuthorizationProjectIDQueryToModel(q.ProjectId)
case *authorization.AuthorizationsSearchFilter_ProjectName:
return AuthorizationProjectNameQueryToModel(q.ProjectName)
case *authorization.AuthorizationsSearchFilter_RoleKey:
return AuthorizationRoleKeyQueryToModel(q.RoleKey)
case *authorization.AuthorizationsSearchFilter_ProjectGrantId:
return AuthorizationProjectGrantIDQueryToModel(q.ProjectGrantId)
default:
return nil, errors.New("invalid query")
}
}
func AuthorizationIDQueryToModel(q *filter_pb.InIDsFilter) (query.SearchQuery, error) {
return query.NewUserGrantInIDsSearchQuery(q.Ids)
}
func AuthorizationDisplayNameQueryToModel(q *authorization.UserDisplayNameQuery) (query.SearchQuery, error) {
return query.NewUserGrantDisplayNameQuery(q.DisplayName, filter.TextMethodPbToQuery(q.Method))
}
func AuthorizationOrganizationIDQueryToModel(q *filter_pb.IDFilter) (query.SearchQuery, error) {
return query.NewUserGrantResourceOwnerSearchQuery(q.Id)
}
func AuthorizationProjectIDQueryToModel(q *filter_pb.IDFilter) (query.SearchQuery, error) {
return query.NewUserGrantProjectIDSearchQuery(q.Id)
}
func AuthorizationProjectNameQueryToModel(q *authorization.ProjectNameQuery) (query.SearchQuery, error) {
return query.NewUserGrantProjectNameQuery(q.Name, filter.TextMethodPbToQuery(q.Method))
}
func AuthorizationProjectGrantIDQueryToModel(q *filter_pb.IDFilter) (query.SearchQuery, error) {
return query.NewUserGrantGrantIDSearchQuery(q.Id)
}
func AuthorizationRoleKeyQueryToModel(q *authorization.RoleKeyQuery) (query.SearchQuery, error) {
return query.NewUserGrantRoleQuery(q.Key)
}
func AuthorizationUserNameQueryToModel(q *authorization.UserPreferredLoginNameQuery) (query.SearchQuery, error) {
return query.NewUserGrantUsernameQuery(q.LoginName, filter.TextMethodPbToQuery(q.Method))
}
func AuthorizationInUserIDsQueryToModel(q *filter_pb.InIDsFilter) (query.SearchQuery, error) {
return query.NewUserGrantInUserIDsSearchQuery(q.Ids)
}
func AuthorizationUserOrganizationIDQueryToModel(q *filter_pb.IDFilter) (query.SearchQuery, error) {
return query.NewUserGrantUserResourceOwnerSearchQuery(q.Id)
}
func AuthorizationStateQueryToModel(q *authorization.StateQuery) (query.SearchQuery, error) {
return query.NewUserGrantStateQuery(domain.UserGrantState(q.State))
}
func userGrantsToPb(userGrants []*query.UserGrant) []*authorization.Authorization {
o := make([]*authorization.Authorization, len(userGrants))
for i, grant := range userGrants {
o[i] = userGrantToPb(grant)
}
return o
}
func userGrantToPb(userGrant *query.UserGrant) *authorization.Authorization {
return &authorization.Authorization{
Id: userGrant.ID,
CreationDate: timestamppb.New(userGrant.CreationDate),
ChangeDate: timestamppb.New(userGrant.ChangeDate),
Project: &authorization.Project{
Id: userGrant.ProjectID,
Name: userGrant.ProjectName,
OrganizationId: userGrant.ProjectResourceOwner,
},
Organization: &authorization.Organization{
Id: userGrant.ResourceOwner,
Name: userGrant.OrgName,
},
User: &authorization.User{
Id: userGrant.UserID,
PreferredLoginName: userGrant.PreferredLoginName,
DisplayName: userGrant.DisplayName,
AvatarUrl: userGrant.AvatarURL,
OrganizationId: userGrant.UserResourceOwner,
},
State: userGrantStateToPb(userGrant.State),
Roles: rolesToPb(userGrant.RoleInformation),
}
}
func rolesToPb(roles []query.Role) []*authorization.Role {
r := make([]*authorization.Role, len(roles))
for i, role := range roles {
r[i] = &authorization.Role{
Key: role.Key,
DisplayName: role.DisplayName,
Group: role.GroupName,
}
}
return r
}
func userGrantStateToPb(state domain.UserGrantState) authorization.State {
switch state {
case domain.UserGrantStateActive:
return authorization.State_STATE_ACTIVE
case domain.UserGrantStateInactive:
return authorization.State_STATE_INACTIVE
case domain.UserGrantStateUnspecified, domain.UserGrantStateRemoved:
return authorization.State_STATE_UNSPECIFIED
default:
return authorization.State_STATE_UNSPECIFIED
}
}
Reference in New Issue View Git Blame Copy Permalink