mirror of
https://github.com/zitadel/zitadel.git
synced 2025-07-15 06:59:23 +00:00
7eb45c6cfd
# Which Problems Are Solved Resource management of projects and sub-resources was before limited by the context provided by the management API, which would mean you could only manage resources belonging to a specific organization. # How the Problems Are Solved With the addition of a resource-based API, it is now possible to manage projects and sub-resources on the basis of the resources themselves, which means that as long as you have the permission for the resource, you can create, read, update and delete it. - CreateProject to create a project under an organization - UpdateProject to update an existing project - DeleteProject to delete an existing project - DeactivateProject and ActivateProject to change the status of a project - GetProject to query for a specific project with an identifier - ListProject to query for projects and granted projects - CreateProjectGrant to create a project grant with project and granted organization - UpdateProjectGrant to update the roles of a project grant - DeactivateProjectGrant and ActivateProjectGrant to change the status of a project grant - DeleteProjectGrant to delete an existing project grant - ListProjectGrants to query for project grants - AddProjectRole to add a role to an existing project - UpdateProjectRole to change texts of an existing role - RemoveProjectRole to remove an existing role - ListProjectRoles to query for project roles # Additional Changes - Changes to ListProjects, which now contains granted projects as well - Changes to messages as defined in the [API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md) - Permission checks for project functionality on query and command side - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - ListProjects now also correctly lists `granted projects` - Permission checks for project grant and project role functionality on query and command side - Change existing pre checks so that they also work resource specific without resourceowner - Added the resourceowner to the grant and role if no resourceowner is provided - Corrected import tests with project grants and roles - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - Corrected some naming in the proto files to adhere to the API_DESIGN # Additional Context Closes #9177 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
389 lines
13 KiB
Go
389 lines
13 KiB
Go
package management
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
change_grpc "github.com/zitadel/zitadel/internal/api/grpc/change"
|
|
member_grpc "github.com/zitadel/zitadel/internal/api/grpc/member"
|
|
object_grpc "github.com/zitadel/zitadel/internal/api/grpc/object"
|
|
project_grpc "github.com/zitadel/zitadel/internal/api/grpc/project"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
"github.com/zitadel/zitadel/internal/repository/project"
|
|
mgmt_pb "github.com/zitadel/zitadel/pkg/grpc/management"
|
|
)
|
|
|
|
func (s *Server) GetProjectByID(ctx context.Context, req *mgmt_pb.GetProjectByIDRequest) (*mgmt_pb.GetProjectByIDResponse, error) {
|
|
project, err := s.query.ProjectByID(ctx, true, req.Id)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.GetProjectByIDResponse{
|
|
Project: project_grpc.ProjectViewToPb(project),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) GetGrantedProjectByID(ctx context.Context, req *mgmt_pb.GetGrantedProjectByIDRequest) (*mgmt_pb.GetGrantedProjectByIDResponse, error) {
|
|
grant, err := s.query.ProjectGrantByID(ctx, true, req.GrantId)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.GetGrantedProjectByIDResponse{
|
|
GrantedProject: project_grpc.GrantedProjectViewToPb(grant),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) ListProjects(ctx context.Context, req *mgmt_pb.ListProjectsRequest) (*mgmt_pb.ListProjectsResponse, error) {
|
|
queries, err := listProjectRequestToModel(req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = queries.AppendMyResourceOwnerQuery(authz.GetCtxData(ctx).OrgID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = queries.AppendPermissionQueries(authz.GetRequestPermissionsFromCtx(ctx))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
projects, err := s.query.SearchProjects(ctx, queries, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.ListProjectsResponse{
|
|
Result: project_grpc.ProjectViewsToPb(projects.Projects),
|
|
Details: object_grpc.ToListDetails(projects.Count, projects.Sequence, projects.LastRun),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) ListProjectGrantChanges(ctx context.Context, req *mgmt_pb.ListProjectGrantChangesRequest) (*mgmt_pb.ListProjectGrantChangesResponse, error) {
|
|
var (
|
|
limit uint64
|
|
sequence uint64
|
|
asc bool
|
|
)
|
|
if req.Query != nil {
|
|
limit = uint64(req.Query.Limit)
|
|
sequence = req.Query.Sequence
|
|
asc = req.Query.Asc
|
|
}
|
|
|
|
query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
Limit(limit).
|
|
OrderDesc().
|
|
ResourceOwner(authz.GetCtxData(ctx).OrgID).
|
|
AwaitOpenTransactions().
|
|
SequenceGreater(sequence).
|
|
AddQuery().
|
|
AggregateTypes(project.AggregateType).
|
|
AggregateIDs(req.ProjectId).
|
|
EventData(map[string]interface{}{
|
|
"grantId": req.GrantId,
|
|
}).
|
|
Builder()
|
|
if asc {
|
|
query.OrderAsc()
|
|
}
|
|
|
|
changes, err := s.query.SearchEvents(ctx, query)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &mgmt_pb.ListProjectGrantChangesResponse{
|
|
Result: change_grpc.EventsToChangesPb(changes, s.assetAPIPrefix(ctx)),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) ListGrantedProjects(ctx context.Context, req *mgmt_pb.ListGrantedProjectsRequest) (*mgmt_pb.ListGrantedProjectsResponse, error) {
|
|
queries, err := listGrantedProjectsRequestToModel(req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = queries.AppendGrantedOrgQuery(authz.GetCtxData(ctx).OrgID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = queries.AppendPermissionQueries(authz.GetRequestPermissionsFromCtx(ctx))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
projects, err := s.query.SearchProjectGrants(ctx, queries, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.ListGrantedProjectsResponse{
|
|
Result: project_grpc.GrantedProjectViewsToPb(projects.ProjectGrants),
|
|
Details: object_grpc.ToListDetails(projects.Count, projects.Sequence, projects.LastRun),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) ListGrantedProjectRoles(ctx context.Context, req *mgmt_pb.ListGrantedProjectRolesRequest) (*mgmt_pb.ListGrantedProjectRolesResponse, error) {
|
|
queries, err := listGrantedProjectRolesRequestToModel(req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = queries.AppendProjectIDQuery(req.ProjectId)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
roles, err := s.query.SearchGrantedProjectRoles(ctx, req.GrantId, authz.GetCtxData(ctx).OrgID, queries)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.ListGrantedProjectRolesResponse{
|
|
Result: project_grpc.RoleViewsToPb(roles.ProjectRoles),
|
|
Details: object_grpc.ToListDetails(roles.Count, roles.Sequence, roles.LastRun),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) ListProjectChanges(ctx context.Context, req *mgmt_pb.ListProjectChangesRequest) (*mgmt_pb.ListProjectChangesResponse, error) {
|
|
var (
|
|
limit uint64
|
|
sequence uint64
|
|
asc bool
|
|
)
|
|
if req.Query != nil {
|
|
limit = uint64(req.Query.Limit)
|
|
sequence = req.Query.Sequence
|
|
asc = req.Query.Asc
|
|
}
|
|
|
|
query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
Limit(limit).
|
|
AwaitOpenTransactions().
|
|
OrderDesc().
|
|
ResourceOwner(authz.GetCtxData(ctx).OrgID).
|
|
SequenceGreater(sequence).
|
|
AddQuery().
|
|
AggregateTypes(project.AggregateType).
|
|
AggregateIDs(req.ProjectId).
|
|
Builder()
|
|
if asc {
|
|
query.OrderAsc()
|
|
}
|
|
|
|
changes, err := s.query.SearchEvents(ctx, query)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &mgmt_pb.ListProjectChangesResponse{
|
|
Result: change_grpc.EventsToChangesPb(changes, s.assetAPIPrefix(ctx)),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) AddProject(ctx context.Context, req *mgmt_pb.AddProjectRequest) (*mgmt_pb.AddProjectResponse, error) {
|
|
add := ProjectCreateToCommand(req, "", authz.GetCtxData(ctx).OrgID)
|
|
project, err := s.command.AddProject(ctx, add)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.AddProjectResponse{
|
|
Id: add.AggregateID,
|
|
Details: object_grpc.AddToDetailsPb(project.Sequence, project.EventDate, project.ResourceOwner),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) UpdateProject(ctx context.Context, req *mgmt_pb.UpdateProjectRequest) (*mgmt_pb.UpdateProjectResponse, error) {
|
|
project, err := s.command.ChangeProject(ctx, ProjectUpdateToCommand(req, authz.GetCtxData(ctx).OrgID))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.UpdateProjectResponse{
|
|
Details: object_grpc.ChangeToDetailsPb(
|
|
project.Sequence,
|
|
project.EventDate,
|
|
project.ResourceOwner,
|
|
),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) DeactivateProject(ctx context.Context, req *mgmt_pb.DeactivateProjectRequest) (*mgmt_pb.DeactivateProjectResponse, error) {
|
|
details, err := s.command.DeactivateProject(ctx, req.Id, authz.GetCtxData(ctx).OrgID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.DeactivateProjectResponse{
|
|
Details: object_grpc.DomainToChangeDetailsPb(details),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) ReactivateProject(ctx context.Context, req *mgmt_pb.ReactivateProjectRequest) (*mgmt_pb.ReactivateProjectResponse, error) {
|
|
details, err := s.command.ReactivateProject(ctx, req.Id, authz.GetCtxData(ctx).OrgID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.ReactivateProjectResponse{
|
|
Details: object_grpc.DomainToChangeDetailsPb(details),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) RemoveProject(ctx context.Context, req *mgmt_pb.RemoveProjectRequest) (*mgmt_pb.RemoveProjectResponse, error) {
|
|
projectQuery, err := query.NewUserGrantProjectIDSearchQuery(req.Id)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
|
|
Queries: []query.SearchQuery{projectQuery},
|
|
}, true)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
details, err := s.command.RemoveProject(ctx, req.Id, authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants.UserGrants)...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.RemoveProjectResponse{
|
|
Details: object_grpc.DomainToChangeDetailsPb(details),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) ListProjectRoles(ctx context.Context, req *mgmt_pb.ListProjectRolesRequest) (*mgmt_pb.ListProjectRolesResponse, error) {
|
|
queries, err := listProjectRolesRequestToModel(req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = queries.AppendMyResourceOwnerQuery(authz.GetCtxData(ctx).OrgID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = queries.AppendProjectIDQuery(req.ProjectId)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
roles, err := s.query.SearchProjectRoles(ctx, true, queries, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.ListProjectRolesResponse{
|
|
Result: project_grpc.RoleViewsToPb(roles.ProjectRoles),
|
|
Details: object_grpc.ToListDetails(roles.Count, roles.Sequence, roles.LastRun),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) AddProjectRole(ctx context.Context, req *mgmt_pb.AddProjectRoleRequest) (*mgmt_pb.AddProjectRoleResponse, error) {
|
|
role, err := s.command.AddProjectRole(ctx, AddProjectRoleRequestToCommand(req, authz.GetCtxData(ctx).OrgID))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.AddProjectRoleResponse{
|
|
Details: object_grpc.AddToDetailsPb(
|
|
role.Sequence,
|
|
role.EventDate,
|
|
role.ResourceOwner,
|
|
),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) BulkAddProjectRoles(ctx context.Context, req *mgmt_pb.BulkAddProjectRolesRequest) (*mgmt_pb.BulkAddProjectRolesResponse, error) {
|
|
details, err := s.command.BulkAddProjectRole(ctx, req.ProjectId, authz.GetCtxData(ctx).OrgID, BulkAddProjectRolesRequestToCommand(req, authz.GetCtxData(ctx).OrgID))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.BulkAddProjectRolesResponse{
|
|
Details: object_grpc.DomainToAddDetailsPb(details),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) UpdateProjectRole(ctx context.Context, req *mgmt_pb.UpdateProjectRoleRequest) (*mgmt_pb.UpdateProjectRoleResponse, error) {
|
|
role, err := s.command.ChangeProjectRole(ctx, UpdateProjectRoleRequestToCommand(req, authz.GetCtxData(ctx).OrgID))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.UpdateProjectRoleResponse{
|
|
Details: object_grpc.ChangeToDetailsPb(
|
|
role.Sequence,
|
|
role.EventDate,
|
|
role.ResourceOwner,
|
|
),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) RemoveProjectRole(ctx context.Context, req *mgmt_pb.RemoveProjectRoleRequest) (*mgmt_pb.RemoveProjectRoleResponse, error) {
|
|
projectQuery, err := query.NewUserGrantProjectIDSearchQuery(req.ProjectId)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
rolesQuery, err := query.NewUserGrantRoleQuery(req.RoleKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
|
|
Queries: []query.SearchQuery{projectQuery, rolesQuery},
|
|
}, false)
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
projectGrants, err := s.query.SearchProjectGrantsByProjectIDAndRoleKey(ctx, req.ProjectId, req.RoleKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
details, err := s.command.RemoveProjectRole(ctx, req.ProjectId, req.RoleKey, authz.GetCtxData(ctx).OrgID, ProjectGrantsToIDs(projectGrants), userGrantsToIDs(userGrants.UserGrants)...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.RemoveProjectRoleResponse{
|
|
Details: object_grpc.DomainToChangeDetailsPb(details),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) ListProjectMemberRoles(ctx context.Context, _ *mgmt_pb.ListProjectMemberRolesRequest) (*mgmt_pb.ListProjectMemberRolesResponse, error) {
|
|
roles, err := s.query.GetProjectMemberRoles(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.ListProjectMemberRolesResponse{Result: roles}, nil //TODO: details
|
|
}
|
|
|
|
func (s *Server) ListProjectMembers(ctx context.Context, req *mgmt_pb.ListProjectMembersRequest) (*mgmt_pb.ListProjectMembersResponse, error) {
|
|
queries, err := ListProjectMembersRequestToModel(ctx, req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
members, err := s.query.ProjectMembers(ctx, queries)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.ListProjectMembersResponse{
|
|
Result: member_grpc.MembersToPb(s.assetAPIPrefix(ctx), members.Members),
|
|
Details: object_grpc.ToListDetails(members.Count, members.Sequence, members.LastRun),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) AddProjectMember(ctx context.Context, req *mgmt_pb.AddProjectMemberRequest) (*mgmt_pb.AddProjectMemberResponse, error) {
|
|
member, err := s.command.AddProjectMember(ctx, AddProjectMemberRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.AddProjectMemberResponse{
|
|
Details: object_grpc.AddToDetailsPb(member.Sequence, member.ChangeDate, member.ResourceOwner),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) UpdateProjectMember(ctx context.Context, req *mgmt_pb.UpdateProjectMemberRequest) (*mgmt_pb.UpdateProjectMemberResponse, error) {
|
|
member, err := s.command.ChangeProjectMember(ctx, UpdateProjectMemberRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.UpdateProjectMemberResponse{
|
|
Details: object_grpc.ChangeToDetailsPb(
|
|
member.Sequence,
|
|
member.ChangeDate,
|
|
member.ResourceOwner,
|
|
),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) RemoveProjectMember(ctx context.Context, req *mgmt_pb.RemoveProjectMemberRequest) (*mgmt_pb.RemoveProjectMemberResponse, error) {
|
|
details, err := s.command.RemoveProjectMember(ctx, req.ProjectId, req.UserId, authz.GetCtxData(ctx).OrgID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &mgmt_pb.RemoveProjectMemberResponse{
|
|
Details: object_grpc.DomainToChangeDetailsPb(details),
|
|
}, nil
|
|
}
|