mirror of
https://github.com/zitadel/zitadel.git
synced 2025-11-02 03:38:46 +00:00
e4517cf15a
# Which Problems Are Solved
Authorizations (aka user grants) could not be managed correctly if they
were created on a project grant, which itself was based on a project
granted to the own organization. The error persisted if the
corresponding (potentially unintended) project grant was removed again.
# How the Problems Are Solved
Fixed checks for managing user grants: Roles from projects and project
grants get handled individually to ensure cases like project grants on
the own organization.
# Additional Changes
Additional tests for the 3 failing scenarios.
# Additional Context
Closes #10556
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 8e60cce20d)
211 lines
6.8 KiB
Go
211 lines
6.8 KiB
Go
package command
|
|
|
|
import (
|
|
"slices"
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/repository/project"
|
|
"github.com/zitadel/zitadel/internal/repository/user"
|
|
"github.com/zitadel/zitadel/internal/repository/usergrant"
|
|
)
|
|
|
|
type UserGrantWriteModel struct {
|
|
eventstore.WriteModel
|
|
|
|
UserID string
|
|
ProjectID string
|
|
ProjectGrantID string
|
|
RoleKeys []string
|
|
State domain.UserGrantState
|
|
}
|
|
|
|
func NewUserGrantWriteModel(userGrantID string, resourceOwner string) *UserGrantWriteModel {
|
|
return &UserGrantWriteModel{
|
|
WriteModel: eventstore.WriteModel{
|
|
AggregateID: userGrantID,
|
|
ResourceOwner: resourceOwner,
|
|
},
|
|
}
|
|
}
|
|
|
|
func (wm *UserGrantWriteModel) Reduce() error {
|
|
for _, event := range wm.Events {
|
|
switch e := event.(type) {
|
|
case *usergrant.UserGrantAddedEvent:
|
|
wm.UserID = e.UserID
|
|
wm.ProjectID = e.ProjectID
|
|
wm.ProjectGrantID = e.ProjectGrantID
|
|
wm.RoleKeys = e.RoleKeys
|
|
wm.State = domain.UserGrantStateActive
|
|
wm.ResourceOwner = e.Aggregate().ResourceOwner
|
|
case *usergrant.UserGrantChangedEvent:
|
|
wm.RoleKeys = e.RoleKeys
|
|
case *usergrant.UserGrantCascadeChangedEvent:
|
|
wm.RoleKeys = e.RoleKeys
|
|
case *usergrant.UserGrantDeactivatedEvent:
|
|
if wm.State == domain.UserGrantStateRemoved {
|
|
continue
|
|
}
|
|
wm.State = domain.UserGrantStateInactive
|
|
case *usergrant.UserGrantReactivatedEvent:
|
|
if wm.State == domain.UserGrantStateRemoved {
|
|
continue
|
|
}
|
|
wm.State = domain.UserGrantStateActive
|
|
case *usergrant.UserGrantRemovedEvent:
|
|
wm.State = domain.UserGrantStateRemoved
|
|
case *usergrant.UserGrantCascadeRemovedEvent:
|
|
wm.State = domain.UserGrantStateRemoved
|
|
}
|
|
}
|
|
return wm.WriteModel.Reduce()
|
|
}
|
|
|
|
func (wm *UserGrantWriteModel) Query() *eventstore.SearchQueryBuilder {
|
|
query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
AddQuery().
|
|
AggregateTypes(usergrant.AggregateType).
|
|
AggregateIDs(wm.AggregateID).
|
|
EventTypes(usergrant.UserGrantAddedType,
|
|
usergrant.UserGrantChangedType,
|
|
usergrant.UserGrantCascadeChangedType,
|
|
usergrant.UserGrantDeactivatedType,
|
|
usergrant.UserGrantReactivatedType,
|
|
usergrant.UserGrantRemovedType,
|
|
usergrant.UserGrantCascadeRemovedType).
|
|
Builder()
|
|
|
|
if wm.ResourceOwner != "" {
|
|
query.ResourceOwner(wm.ResourceOwner)
|
|
}
|
|
return query
|
|
}
|
|
|
|
func UserGrantAggregateFromWriteModel(wm *eventstore.WriteModel) *eventstore.Aggregate {
|
|
return eventstore.AggregateFromWriteModel(wm, usergrant.AggregateType, usergrant.AggregateVersion)
|
|
}
|
|
|
|
type UserGrantPreConditionReadModel struct {
|
|
eventstore.WriteModel
|
|
|
|
UserID string
|
|
ProjectID string
|
|
ProjectResourceOwner string
|
|
ProjectGrantID string
|
|
FoundGrantID string
|
|
ResourceOwner string
|
|
UserExists bool
|
|
ProjectExists bool
|
|
ExistingRoleKeysProject []string
|
|
ExistingRoleKeysGrant []string
|
|
}
|
|
|
|
func NewUserGrantPreConditionReadModel(userID, projectID, projectGrantID string, resourceOwner string) *UserGrantPreConditionReadModel {
|
|
return &UserGrantPreConditionReadModel{
|
|
UserID: userID,
|
|
ProjectID: projectID,
|
|
// ProjectGrantID can be empty, if grantedOrgID is in the resourceowner
|
|
ProjectGrantID: projectGrantID,
|
|
// resourceowner is either empty to use the project organization
|
|
// or filled with the project organization
|
|
// or filled with the organization the project is granted to
|
|
ResourceOwner: resourceOwner,
|
|
ExistingRoleKeysGrant: make([]string, 0),
|
|
ExistingRoleKeysProject: make([]string, 0),
|
|
}
|
|
}
|
|
|
|
func (wm *UserGrantPreConditionReadModel) Reduce() error {
|
|
for _, event := range wm.Events {
|
|
switch e := event.(type) {
|
|
case *user.HumanAddedEvent:
|
|
wm.UserExists = true
|
|
case *user.HumanRegisteredEvent:
|
|
wm.UserExists = true
|
|
case *user.MachineAddedEvent:
|
|
wm.UserExists = true
|
|
case *user.UserRemovedEvent:
|
|
wm.UserExists = false
|
|
case *project.ProjectAddedEvent:
|
|
if projectExistsOnOrganization(wm.ResourceOwner, e.Aggregate().ResourceOwner) {
|
|
wm.ProjectExists = true
|
|
}
|
|
// We store the organization of the project for later checks, e.g. in case of a project grant
|
|
wm.ProjectResourceOwner = e.Aggregate().ResourceOwner
|
|
case *project.ProjectRemovedEvent:
|
|
wm.ProjectExists = false
|
|
case *project.GrantAddedEvent:
|
|
if projectGrantExistsOnOrganization(wm.ProjectGrantID, wm.ResourceOwner, e.GrantID, e.GrantedOrgID) {
|
|
wm.ExistingRoleKeysGrant = e.RoleKeys
|
|
wm.FoundGrantID = e.GrantID
|
|
}
|
|
case *project.GrantChangedEvent:
|
|
if wm.FoundGrantID == e.GrantID {
|
|
wm.ExistingRoleKeysGrant = e.RoleKeys
|
|
}
|
|
case *project.GrantRemovedEvent:
|
|
if wm.FoundGrantID == e.GrantID {
|
|
wm.ExistingRoleKeysGrant = []string{}
|
|
wm.FoundGrantID = ""
|
|
}
|
|
case *project.RoleAddedEvent:
|
|
wm.ExistingRoleKeysProject = append(wm.ExistingRoleKeysProject, e.Key)
|
|
case *project.RoleRemovedEvent:
|
|
wm.ExistingRoleKeysProject = slices.DeleteFunc(wm.ExistingRoleKeysProject, func(key string) bool {
|
|
return key == e.Key
|
|
})
|
|
}
|
|
}
|
|
return wm.WriteModel.Reduce()
|
|
}
|
|
|
|
func projectExistsOnOrganization(requiredOrganization, projectResourceOwner string) bool {
|
|
// Depending on the API, a request can either require a project to be part of a specific organization
|
|
// or not. In the former case, the project must belong to the required organization.
|
|
// In the latter case, it is sufficient that the project exists at all, since the user will be granted
|
|
// automatically in the organization the project belongs to.
|
|
return requiredOrganization == "" || requiredOrganization == projectResourceOwner
|
|
}
|
|
|
|
func projectGrantExistsOnOrganization(requiredGrantID, requiredOrganization, projectGrantID, grantedOrganization string) bool {
|
|
// Depending on the API, a request can either require a project grant (ID) and/or an organization (ID),
|
|
// where the project must be granted to.
|
|
return (requiredGrantID == "" || requiredGrantID == projectGrantID) &&
|
|
(requiredOrganization == "" || requiredOrganization == grantedOrganization)
|
|
}
|
|
|
|
func (wm *UserGrantPreConditionReadModel) existingRoles() []string {
|
|
if wm.FoundGrantID != "" {
|
|
return wm.ExistingRoleKeysGrant
|
|
}
|
|
return wm.ExistingRoleKeysProject
|
|
}
|
|
|
|
func (wm *UserGrantPreConditionReadModel) Query() *eventstore.SearchQueryBuilder {
|
|
query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
AddQuery().
|
|
AggregateTypes(user.AggregateType).
|
|
AggregateIDs(wm.UserID).
|
|
EventTypes(
|
|
user.UserV1AddedType,
|
|
user.HumanAddedType,
|
|
user.UserV1RegisteredType,
|
|
user.HumanRegisteredType,
|
|
user.MachineAddedEventType,
|
|
user.UserRemovedType).
|
|
Or().
|
|
AggregateTypes(project.AggregateType).
|
|
AggregateIDs(wm.ProjectID).
|
|
EventTypes(
|
|
project.ProjectAddedType,
|
|
project.ProjectRemovedType,
|
|
project.GrantAddedType,
|
|
project.GrantChangedType,
|
|
project.GrantRemovedType,
|
|
project.RoleAddedType,
|
|
project.RoleRemovedType).
|
|
Builder()
|
|
return query
|
|
}
|