diff --git a/internal/apptoken/query.go b/internal/apptoken/query.go index 24e7b15333..65c4de0d23 100644 --- a/internal/apptoken/query.go +++ b/internal/apptoken/query.go @@ -390,5 +390,234 @@ left join iam_scope_project scopeIdFromAppTokenIdQuery = ` select scope_id from app_token - where public_id = @public_id;` + where public_id = @public_id; +` + + getAppTokenGlobalQuery = ` +with token_permissions as ( + select app_token_permission_global.private_id as permission_id, + app_token_permission_global.description as description, + app_token_permission_global.grant_this_scope as grant_this_scope, + app_token_permission_global.grant_scope as grant_scope, + array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants, + app_token_global.public_id as app_token_id, + + -- active_grant_scope_ids -> active grants with valid scopes + array_cat( + array_agg(distinct org_grants.scope_id) filter (where org_grants.scope_id is not null and org_scope.public_id is not null), + array_agg(distinct project_grants.scope_id) filter (where project_grants.scope_id is not null and project_scope.public_id is not null) + ) as active_grant_scope_ids, + + -- deleted_grant_scope_ids -> active grants with no valid scopes + array_agg(distinct coalesce(org_grants.scope_id, project_grants.scope_id)) + filter (where (org_grants.scope_id is not null and org_scope.public_id is null) + or (project_grants.scope_id is not null and project_scope.public_id is null)) + as deleted_grant_scope_ids, + + -- deleted_scope_details -> details about deleted scopes + jsonb_agg(distinct + jsonb_build_object( + 'scope_id', coalesce(org_grants.scope_id, project_grants.scope_id), + 'delete_time', ( + select upper(valid_range) as delete_time + from iam_scope_hst + where public_id = coalesce(org_grants.scope_id, project_grants.scope_id) + order by upper(valid_range) desc + limit 1 + ) + ) + ) filter (where (org_grants.scope_id is not null and org_scope.public_id is null) or + (project_grants.scope_id is not null and project_scope.public_id is null)) + as deleted_scope_details + from app_token_global + left join app_token_permission_global + on app_token_global.public_id = app_token_permission_global.app_token_id + left join app_token_permission_global_individual_org_grant_scope org_grants + on app_token_permission_global.private_id = org_grants.permission_id + left join iam_scope org_scope + on org_grants.scope_id = org_scope.public_id + left join app_token_permission_global_individual_project_grant_scope project_grants + on app_token_permission_global.private_id = project_grants.permission_id + left join iam_scope project_scope + on project_grants.scope_id = project_scope.public_id + left join app_token_permission_grant + on app_token_permission_global.private_id = app_token_permission_grant.permission_id + where app_token_global.public_id = @app_token_id + group by app_token_permission_global.private_id, + app_token_permission_global.description, + app_token_permission_global.grant_this_scope, + app_token_permission_global.grant_scope, + app_token_global.public_id +) + select app_token_global.public_id, + app_token_global.scope_id, + app_token_global.name, + app_token_global.description, + app_token_global.revoked, + app_token_global.create_time, + app_token_global.update_time, + app_token_global.created_by_user_id, + app_token_global.approximate_last_access_time, + app_token_global.time_to_stale_seconds, + app_token_global.expiration_time, + app_token_cipher.token, + jsonb_agg( + jsonb_build_object( + 'label', token_permissions.description, + 'grant_this_scope', token_permissions.grant_this_scope, + 'grants', token_permissions.canonical_grants, + 'grant_scope', token_permissions.grant_scope, + 'active_grant_scopes', token_permissions.active_grant_scope_ids, + 'deleted_grant_scopes', token_permissions.deleted_grant_scope_ids, + 'deleted_scope_details', token_permissions.deleted_scope_details + ) + ) as permissions + from token_permissions + join app_token_global + on token_permissions.app_token_id = app_token_global.public_id +left join app_token_cipher + on app_token_global.public_id = app_token_cipher.app_token_id + where app_token_global.public_id = @app_token_id + group by app_token_global.public_id, + app_token_cipher.token; + ` + + getAppTokenOrgQuery = ` +with token_permissions as ( + select app_token_permission_org.private_id as permission_id, + app_token_permission_org.description as description, + app_token_permission_org.grant_this_scope as grant_this_scope, + app_token_permission_org.grant_scope as grant_scope, + array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants, + app_token_org.public_id as app_token_id, + + -- active_grant_scope_ids -> active grants with valid scopes + array_agg(distinct project_grants.scope_id) filter ( + where project_grants.scope_id is not null and project_scope.public_id is not null + ) as active_grant_scope_ids, + + -- deleted_grant_scope_ids -> active grants with no valid scopes + array_agg(distinct project_grants.scope_id) filter ( + where project_grants.scope_id is not null and project_scope.public_id is null + ) as deleted_grant_scope_ids, + + -- deleted_scope_details -> details about deleted scopes + jsonb_agg(distinct + jsonb_build_object( + 'scope_id', project_grants.scope_id, + 'delete_time', ( + select upper(valid_range) as delete_time + from iam_scope_hst + where public_id = project_grants.scope_id + order by upper(valid_range) desc + limit 1 + ) + ) + ) filter ( + where project_grants.scope_id is not null and project_scope.public_id is null + ) as deleted_scope_details + from app_token_org + left join app_token_permission_org + on app_token_org.public_id = app_token_permission_org.app_token_id + left join app_token_permission_org_individual_grant_scope project_grants + on app_token_permission_org.private_id = project_grants.permission_id + left join iam_scope project_scope + on project_grants.scope_id = project_scope.public_id + left join app_token_permission_grant + on app_token_permission_org.private_id = app_token_permission_grant.permission_id + where app_token_org.public_id = @app_token_id + group by app_token_permission_org.private_id, + app_token_permission_org.description, + app_token_permission_org.grant_this_scope, + app_token_permission_org.grant_scope, + app_token_org.public_id +) + select app_token_org.public_id, + app_token_org.scope_id, + app_token_org.name, + app_token_org.description, + app_token_org.revoked, + app_token_org.create_time, + app_token_org.update_time, + app_token_org.created_by_user_id, + app_token_org.approximate_last_access_time, + app_token_org.time_to_stale_seconds, + app_token_org.expiration_time, + app_token_cipher.token, + jsonb_agg( + jsonb_build_object( + 'label', token_permissions.description, + 'grant_this_scope', token_permissions.grant_this_scope, + 'grants', token_permissions.canonical_grants, + 'grant_scope', token_permissions.grant_scope, + 'active_grant_scopes', token_permissions.active_grant_scope_ids, + 'deleted_grant_scopes', token_permissions.deleted_grant_scope_ids, + 'deleted_scope_details', token_permissions.deleted_scope_details + ) + ) as permissions + from token_permissions + join app_token_org + on token_permissions.app_token_id = app_token_org.public_id +left join app_token_cipher + on app_token_org.public_id = app_token_cipher.app_token_id + where app_token_org.public_id = @app_token_id + group by app_token_org.public_id, + app_token_cipher.token; + ` + + getAppTokenProjectQuery = ` +with token_permissions as ( + select app_token_permission_project.private_id as permission_id, + app_token_permission_project.description as description, + app_token_permission_project.grant_this_scope as grant_this_scope, + app_token_project.scope_id as grant_scope, + array_agg(app_token_permission_grant.canonical_grant) as canonical_grants, + app_token_project.public_id as app_token_id, + array_agg(app_token_project.scope_id) as active_grant_scope_ids, + '{}'::text[] as deleted_grant_scope_ids, + jsonb '[]' as deleted_scope_details + from app_token_project + left join app_token_permission_project + on app_token_project.public_id = app_token_permission_project.app_token_id + left join app_token_permission_grant + on app_token_permission_project.private_id = app_token_permission_grant.permission_id + where app_token_project.public_id = @app_token_id + group by app_token_permission_project.private_id, + app_token_permission_project.description, + app_token_permission_project.grant_this_scope, + app_token_project.scope_id, + app_token_project.public_id +) + select app_token_project.public_id, + app_token_project.scope_id, + app_token_project.name, + app_token_project.description, + app_token_project.revoked, + app_token_project.create_time, + app_token_project.update_time, + app_token_project.created_by_user_id, + app_token_project.approximate_last_access_time, + app_token_project.time_to_stale_seconds, + app_token_project.expiration_time, + app_token_cipher.token, + jsonb_agg( + jsonb_build_object( + 'label', token_permissions.description, + 'grant_this_scope', token_permissions.grant_this_scope, + 'grants', token_permissions.canonical_grants, + 'grant_scope', token_permissions.grant_scope, + 'active_grant_scopes', token_permissions.active_grant_scope_ids, + 'deleted_grant_scopes', token_permissions.deleted_grant_scope_ids, + 'deleted_scope_details', token_permissions.deleted_scope_details + ) + ) as permissions + from token_permissions + join app_token_project + on token_permissions.app_token_id = app_token_project.public_id +left join app_token_cipher + on app_token_project.public_id = app_token_cipher.app_token_id + where app_token_project.public_id = @app_token_id + group by app_token_project.public_id, + app_token_cipher.token; + ` )