aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat(query): Full read queries for AppToken global, org, and project

Browse Source
pull/6420/merge^2
dkanney 2 weeks ago
parent 61bd9407ab
commit 5a2c1462c7
1 changed files with 230 additions and 1 deletions
Show Stats Download Patch File Download Diff File

231
internal/apptoken/query.go
Unescape View File

@ -390,5 +390,234 @@ left join iam_scope_project
scopeIdFromAppTokenIdQuery = `
select scope_id
from app_token
where public_id = @public_id;`
where public_id = @public_id;
`
getAppTokenGlobalQuery = `
with token_permissions as (
select app_token_permission_global.private_id as permission_id,
app_token_permission_global.description as description,
app_token_permission_global.grant_this_scope as grant_this_scope,
app_token_permission_global.grant_scope as grant_scope,
array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
app_token_global.public_id as app_token_id,
-- active_grant_scope_ids -> active grants with valid scopes
array_cat(
array_agg(distinct org_grants.scope_id) filter (where org_grants.scope_id is not null and org_scope.public_id is not null),
array_agg(distinct project_grants.scope_id) filter (where project_grants.scope_id is not null and project_scope.public_id is not null)
) as active_grant_scope_ids,
-- deleted_grant_scope_ids -> active grants with no valid scopes
array_agg(distinct coalesce(org_grants.scope_id, project_grants.scope_id))
filter (where (org_grants.scope_id is not null and org_scope.public_id is null)
or (project_grants.scope_id is not null and project_scope.public_id is null))
as deleted_grant_scope_ids,
-- deleted_scope_details -> details about deleted scopes
jsonb_agg(distinct
jsonb_build_object(
'scope_id', coalesce(org_grants.scope_id, project_grants.scope_id),
'delete_time', (
select upper(valid_range) as delete_time
from iam_scope_hst
where public_id = coalesce(org_grants.scope_id, project_grants.scope_id)
order by upper(valid_range) desc
limit 1
)
)
) filter (where (org_grants.scope_id is not null and org_scope.public_id is null) or
(project_grants.scope_id is not null and project_scope.public_id is null))
as deleted_scope_details
from app_token_global
left join app_token_permission_global
on app_token_global.public_id = app_token_permission_global.app_token_id
left join app_token_permission_global_individual_org_grant_scope org_grants
on app_token_permission_global.private_id = org_grants.permission_id
left join iam_scope org_scope
on org_grants.scope_id = org_scope.public_id
left join app_token_permission_global_individual_project_grant_scope project_grants
on app_token_permission_global.private_id = project_grants.permission_id
left join iam_scope project_scope
on project_grants.scope_id = project_scope.public_id
left join app_token_permission_grant
on app_token_permission_global.private_id = app_token_permission_grant.permission_id
where app_token_global.public_id = @app_token_id
group by app_token_permission_global.private_id,
app_token_permission_global.description,
app_token_permission_global.grant_this_scope,
app_token_permission_global.grant_scope,
app_token_global.public_id
)
select app_token_global.public_id,
app_token_global.scope_id,
app_token_global.name,
app_token_global.description,
app_token_global.revoked,
app_token_global.create_time,
app_token_global.update_time,
app_token_global.created_by_user_id,
app_token_global.approximate_last_access_time,
app_token_global.time_to_stale_seconds,
app_token_global.expiration_time,
app_token_cipher.token,
jsonb_agg(
jsonb_build_object(
'label', token_permissions.description,
'grant_this_scope', token_permissions.grant_this_scope,
'grants', token_permissions.canonical_grants,
'grant_scope', token_permissions.grant_scope,
'active_grant_scopes', token_permissions.active_grant_scope_ids,
'deleted_grant_scopes', token_permissions.deleted_grant_scope_ids,
'deleted_scope_details', token_permissions.deleted_scope_details
)
) as permissions
from token_permissions
join app_token_global
on token_permissions.app_token_id = app_token_global.public_id
left join app_token_cipher
on app_token_global.public_id = app_token_cipher.app_token_id
where app_token_global.public_id = @app_token_id
group by app_token_global.public_id,
app_token_cipher.token;
`
getAppTokenOrgQuery = `
with token_permissions as (
select app_token_permission_org.private_id as permission_id,
app_token_permission_org.description as description,
app_token_permission_org.grant_this_scope as grant_this_scope,
app_token_permission_org.grant_scope as grant_scope,
array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
app_token_org.public_id as app_token_id,
-- active_grant_scope_ids -> active grants with valid scopes
array_agg(distinct project_grants.scope_id) filter (
where project_grants.scope_id is not null and project_scope.public_id is not null
) as active_grant_scope_ids,
-- deleted_grant_scope_ids -> active grants with no valid scopes
array_agg(distinct project_grants.scope_id) filter (
where project_grants.scope_id is not null and project_scope.public_id is null
) as deleted_grant_scope_ids,
-- deleted_scope_details -> details about deleted scopes
jsonb_agg(distinct
jsonb_build_object(
'scope_id', project_grants.scope_id,
'delete_time', (
select upper(valid_range) as delete_time
from iam_scope_hst
where public_id = project_grants.scope_id
order by upper(valid_range) desc
limit 1
)
)
) filter (
where project_grants.scope_id is not null and project_scope.public_id is null
) as deleted_scope_details
from app_token_org
left join app_token_permission_org
on app_token_org.public_id = app_token_permission_org.app_token_id
left join app_token_permission_org_individual_grant_scope project_grants
on app_token_permission_org.private_id = project_grants.permission_id
left join iam_scope project_scope
on project_grants.scope_id = project_scope.public_id
left join app_token_permission_grant
on app_token_permission_org.private_id = app_token_permission_grant.permission_id
where app_token_org.public_id = @app_token_id
group by app_token_permission_org.private_id,
app_token_permission_org.description,
app_token_permission_org.grant_this_scope,
app_token_permission_org.grant_scope,
app_token_org.public_id
)
select app_token_org.public_id,
app_token_org.scope_id,
app_token_org.name,
app_token_org.description,
app_token_org.revoked,
app_token_org.create_time,
app_token_org.update_time,
app_token_org.created_by_user_id,
app_token_org.approximate_last_access_time,
app_token_org.time_to_stale_seconds,
app_token_org.expiration_time,
app_token_cipher.token,
jsonb_agg(
jsonb_build_object(
'label', token_permissions.description,
'grant_this_scope', token_permissions.grant_this_scope,
'grants', token_permissions.canonical_grants,
'grant_scope', token_permissions.grant_scope,
'active_grant_scopes', token_permissions.active_grant_scope_ids,
'deleted_grant_scopes', token_permissions.deleted_grant_scope_ids,
'deleted_scope_details', token_permissions.deleted_scope_details
)
) as permissions
from token_permissions
join app_token_org
on token_permissions.app_token_id = app_token_org.public_id
left join app_token_cipher
on app_token_org.public_id = app_token_cipher.app_token_id
where app_token_org.public_id = @app_token_id
group by app_token_org.public_id,
app_token_cipher.token;
`
getAppTokenProjectQuery = `
with token_permissions as (
select app_token_permission_project.private_id as permission_id,
app_token_permission_project.description as description,
app_token_permission_project.grant_this_scope as grant_this_scope,
app_token_project.scope_id as grant_scope,
array_agg(app_token_permission_grant.canonical_grant) as canonical_grants,
app_token_project.public_id as app_token_id,
array_agg(app_token_project.scope_id) as active_grant_scope_ids,
'{}'::text[] as deleted_grant_scope_ids,
jsonb '[]' as deleted_scope_details
from app_token_project
left join app_token_permission_project
on app_token_project.public_id = app_token_permission_project.app_token_id
left join app_token_permission_grant
on app_token_permission_project.private_id = app_token_permission_grant.permission_id
where app_token_project.public_id = @app_token_id
group by app_token_permission_project.private_id,
app_token_permission_project.description,
app_token_permission_project.grant_this_scope,
app_token_project.scope_id,
app_token_project.public_id
)
select app_token_project.public_id,
app_token_project.scope_id,
app_token_project.name,
app_token_project.description,
app_token_project.revoked,
app_token_project.create_time,
app_token_project.update_time,
app_token_project.created_by_user_id,
app_token_project.approximate_last_access_time,
app_token_project.time_to_stale_seconds,
app_token_project.expiration_time,
app_token_cipher.token,
jsonb_agg(
jsonb_build_object(
'label', token_permissions.description,
'grant_this_scope', token_permissions.grant_this_scope,
'grants', token_permissions.canonical_grants,
'grant_scope', token_permissions.grant_scope,
'active_grant_scopes', token_permissions.active_grant_scope_ids,
'deleted_grant_scopes', token_permissions.deleted_grant_scope_ids,
'deleted_scope_details', token_permissions.deleted_scope_details
)
) as permissions
from token_permissions
join app_token_project
on token_permissions.app_token_id = app_token_project.public_id
left join app_token_cipher
on app_token_project.public_id = app_token_cipher.app_token_id
where app_token_project.public_id = @app_token_id
group by app_token_project.public_id,
app_token_cipher.token;
`
)

Write Preview
Loading…
Cancel
Save