feat(query): Create query for recursive requests of global app token grants on Global/Org resources

6 months ago · 1695d13c8e
parent de8e93a26f
commit 1695d13c8e
1 changed files with 32 additions and 0 deletions
--- a/internal/apptoken/query.go
+++ b/internal/apptoken/query.go
@ -35,6 +35,38 @@ left join app_token_permission_global_individual_project_grant_scope
       on app_token_permission_global.private_id = app_token_permission_global_individual_project_grant_scope.permission_id
 left join iam_scope_project
       on app_token_permission_global_individual_project_grant_scope.scope_id = iam_scope_project.scope_id
+ group by app_token_permission_global.private_id,
+          app_token_permission_global.description,
+          app_token_permission_global.create_time,
+          app_token_permission_global.grant_this_scope,
+          app_token_permission_global.grant_scope,
+          app_token_global.public_id;
+    `
+
+	// grantsForGlobalTokenGlobalOrgResourcesRecursiveQuery gets a global app token's grants for resources
+	// applicable to global and org scopes.
+	grantsForGlobalTokenGlobalOrgResourcesRecursiveQuery = `
+  select  app_token_permission_global.private_id                         as permission_id,
+          app_token_permission_global.description,
+          app_token_permission_global.create_time,
+          app_token_permission_global.grant_this_scope,
+          app_token_permission_global.grant_scope,
+          app_token_global.public_id                                     as app_token_id,
+          array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
+          array_agg(distinct iam_scope_org.scope_id)                     as active_grant_scopes
+     from app_token_global
+     join app_token_permission_global
+       on app_token_global.public_id = app_token_permission_global.app_token_id
+      and app_token_global.public_id = any(@app_token_ids)
+     join app_token_permission_grant
+       on app_token_permission_global.private_id = app_token_permission_grant.permission_id
+     join iam_grant
+       on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
+      and iam_grant.resource = any(@resources)
+left join app_token_permission_global_individual_org_grant_scope org_grants
+       on app_token_permission_global.private_id = org_grants.permission_id
+left join iam_scope_org
+       on org_grants.scope_id = iam_scope_org.scope_id
 group by app_token_permission_global.private_id,
          app_token_permission_global.description,
          app_token_permission_global.create_time,