|
|
|
|
@ -10,14 +10,16 @@ const (
|
|
|
|
|
// grantsForGlobalTokenGlobalOrgProjectResourcesRecursiveQuery gets a global app token's grants for resources
|
|
|
|
|
// applicable to all scopes.
|
|
|
|
|
grantsForGlobalTokenGlobalOrgProjectResourcesRecursiveQuery = `
|
|
|
|
|
select app_token_permission_global.private_id as permission_id,
|
|
|
|
|
select app_token_permission_global.private_id as permission_id,
|
|
|
|
|
app_token_permission_global.description,
|
|
|
|
|
app_token_permission_global.create_time,
|
|
|
|
|
app_token_permission_global.grant_this_scope,
|
|
|
|
|
app_token_permission_global.grant_scope,
|
|
|
|
|
app_token_global.public_id as app_token_id,
|
|
|
|
|
array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
|
|
|
|
|
array_agg(distinct coalesce(iam_scope_org.scope_id, iam_scope_project.scope_id)) as active_grant_scopes
|
|
|
|
|
app_token_global.public_id as app_token_id,
|
|
|
|
|
'' as app_token_parent_scope_id,
|
|
|
|
|
array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
|
|
|
|
|
array_agg(distinct coalesce(iam_scope_org.scope_id, iam_scope_project.scope_id))
|
|
|
|
|
filter (where coalesce(iam_scope_org.scope_id, iam_scope_project.scope_id) is not null) as active_grant_scopes
|
|
|
|
|
from app_token_global
|
|
|
|
|
join app_token_permission_global
|
|
|
|
|
on app_token_global.public_id = app_token_permission_global.app_token_id
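Review bot: The `filter (where … is not null)` guard on `active_grant_scopes` is added to this query only. The sibling aggregates in the later hunks, `array_agg(distinct iam_scope_org.scope_id)` and `array_agg(distinct iam_scope_project.scope_id)`, still run over left joins without it. In those queries a permission with no matching scope row produces a one-element array containing NULL, so the authorization code reading the column sees two different shapes for "no individual scopes". I would apply the same guard there, e.g. `array_agg(distinct iam_scope_project.scope_id) filter (where iam_scope_project.scope_id is not null) as active_grant_scopes`. With the filter the aggregate returns NULL rather than an empty array when nothing matches, so the scan side presumably has to accept a NULL array, which is worth confirming since the caller is outside this diff.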
|
|
|
|
|
@ -27,14 +29,14 @@ const (
|
|
|
|
|
join iam_grant
|
|
|
|
|
on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
|
|
|
|
|
and iam_grant.resource = any(@resources)
|
|
|
|
|
left join app_token_permission_global_individual_org_grant_scope
|
|
|
|
|
on app_token_permission_global.private_id = app_token_permission_global_individual_org_grant_scope.permission_id
|
|
|
|
|
left join app_token_permission_global_individual_org_grant_scope org_grant_scope
|
|
|
|
|
on app_token_permission_global.private_id = org_grant_scope.permission_id
|
|
|
|
|
left join iam_scope_org
|
|
|
|
|
on app_token_permission_global_individual_org_grant_scope.scope_id = iam_scope_org.scope_id
|
|
|
|
|
left join app_token_permission_global_individual_project_grant_scope
|
|
|
|
|
on app_token_permission_global.private_id = app_token_permission_global_individual_project_grant_scope.permission_id
|
|
|
|
|
on org_grant_scope.scope_id = iam_scope_org.scope_id
|
|
|
|
|
left join app_token_permission_global_individual_project_grant_scope project_grant_scope
|
|
|
|
|
on app_token_permission_global.private_id = project_grant_scope.permission_id
|
|
|
|
|
left join iam_scope_project
|
|
|
|
|
on app_token_permission_global_individual_project_grant_scope.scope_id = iam_scope_project.scope_id
|
|
|
|
|
on project_grant_scope.scope_id = iam_scope_project.scope_id
|
|
|
|
|
group by app_token_permission_global.private_id,
|
|
|
|
|
app_token_permission_global.description,
|
|
|
|
|
app_token_permission_global.create_time,
|
|
|
|
|
@ -46,12 +48,13 @@ left join iam_scope_project
|
|
|
|
|
// grantsForGlobalTokenGlobalOrgResourcesRecursiveQuery gets a global app token's grants for resources
|
|
|
|
|
// applicable to global and org scopes.
|
|
|
|
|
grantsForGlobalTokenGlobalOrgResourcesRecursiveQuery = `
|
|
|
|
|
select app_token_permission_global.private_id as permission_id,
|
|
|
|
|
select app_token_permission_global.private_id as permission_id,
|
|
|
|
|
app_token_permission_global.description,
|
|
|
|
|
app_token_permission_global.create_time,
|
|
|
|
|
app_token_permission_global.grant_this_scope,
|
|
|
|
|
app_token_permission_global.grant_scope,
|
|
|
|
|
app_token_global.public_id as app_token_id,
|
|
|
|
|
'' as app_token_parent_scope_id,
|
|
|
|
|
array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
|
|
|
|
|
array_agg(distinct iam_scope_org.scope_id) as active_grant_scopes
|
|
|
|
|
from app_token_global
|
|
|
|
|
@ -63,10 +66,10 @@ left join iam_scope_project
|
|
|
|
|
join iam_grant
|
|
|
|
|
on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
|
|
|
|
|
and iam_grant.resource = any(@resources)
|
|
|
|
|
left join app_token_permission_global_individual_org_grant_scope org_grants
|
|
|
|
|
on app_token_permission_global.private_id = org_grants.permission_id
|
|
|
|
|
left join app_token_permission_global_individual_org_grant_scope org_grant_scope
|
|
|
|
|
on app_token_permission_global.private_id = org_grant_scope.permission_id
|
|
|
|
|
left join iam_scope_org
|
|
|
|
|
on org_grants.scope_id = iam_scope_org.scope_id
|
|
|
|
|
on org_grant_scope.scope_id = iam_scope_org.scope_id
|
|
|
|
|
group by app_token_permission_global.private_id,
|
|
|
|
|
app_token_permission_global.description,
|
|
|
|
|
app_token_permission_global.create_time,
|
|
|
|
|
@ -84,6 +87,7 @@ left join iam_scope_org
|
|
|
|
|
app_token_permission_global.grant_this_scope,
|
|
|
|
|
app_token_permission_global.grant_scope,
|
|
|
|
|
app_token_global.public_id as app_token_id,
|
|
|
|
|
'' as app_token_parent_scope_id,
|
|
|
|
|
array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
|
|
|
|
|
array_agg(distinct iam_scope_project.scope_id) as active_grant_scopes
|
|
|
|
|
from app_token_global
|
|
|
|
|
@ -95,17 +99,12 @@ left join iam_scope_org
|
|
|
|
|
join iam_grant
|
|
|
|
|
on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
|
|
|
|
|
and iam_grant.resource = any(@resources)
|
|
|
|
|
left join app_token_permission_global_individual_project_grant_scope proj_grants
|
|
|
|
|
on app_token_permission_global.private_id = proj_grants.permission_id
|
|
|
|
|
left join app_token_permission_global_individual_project_grant_scope project_grant_scope
|
|
|
|
|
on app_token_permission_global.private_id = project_grant_scope.permission_id
|
|
|
|
|
left join iam_scope_project
|
|
|
|
|
on proj_grants.scope_id = iam_scope_project.scope_id
|
|
|
|
|
left join app_token_permission_global_individual_org_grant_scope org_grants
|
|
|
|
|
on app_token_permission_global.private_id = org_grants.permission_id
|
|
|
|
|
where org_grants.permission_id is null
|
|
|
|
|
or (
|
|
|
|
|
app_token_permission_global.grant_scope = 'children' and
|
|
|
|
|
proj_grants.scope_id is not null
|
|
|
|
|
)
|
|
|
|
|
on project_grant_scope.scope_id = iam_scope_project.scope_id
|
|
|
|
|
where app_token_permission_global.grant_scope = 'descendants'
|
|
|
|
|
or project_grant_scope.scope_id is not null
|
|
|
|
|
group by app_token_permission_global.private_id,
|
|
|
|
|
app_token_permission_global.description,
|
|
|
|
|
app_token_permission_global.create_time,
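Review bot: The second arm of the new `where` tests `project_grant_scope.scope_id`, but the value aggregated into `active_grant_scopes` comes from the further left join on `iam_scope_project`. If a grant-scope row can exist without a matching `iam_scope_project` row (a foreign key may rule this out, but it is not visible here), the permission passes the filter while contributing only NULL to the scope list. Testing the joined column closes that gap and is equivalent when the key holds: `or iam_scope_project.scope_id is not null`. Because this predicate decides which permissions reach project resources, a short SQL comment above it would help, along the lines of `-- 'descendants' covers every project; otherwise an individual project grant scope must exist`. The select list of this query starts before the hunk.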
|
|
|
|
|
@ -123,8 +122,9 @@ left join app_token_permission_global_individual_org_grant_scope org_grants
|
|
|
|
|
app_token_permission_org.grant_this_scope,
|
|
|
|
|
app_token_permission_org.grant_scope,
|
|
|
|
|
app_token_org.public_id as app_token_id,
|
|
|
|
|
'global' as app_token_parent_scope_id,
|
|
|
|
|
array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
|
|
|
|
|
array_agg(distinct coalesce(iam_scope_project.scope_id)) as active_grant_scopes
|
|
|
|
|
array_agg(distinct iam_scope_project.scope_id) as active_grant_scopes
|
|
|
|
|
from app_token_org
|
|
|
|
|
join app_token_permission_org
|
|
|
|
|
on app_token_org.public_id = app_token_permission_org.app_token_id
|
|
|
|
|
@ -134,10 +134,10 @@ left join app_token_permission_global_individual_org_grant_scope org_grants
|
|
|
|
|
join iam_grant
|
|
|
|
|
on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
|
|
|
|
|
and iam_grant.resource = any(@resources)
|
|
|
|
|
left join app_token_permission_org_individual_grant_scope individual_project_grants
|
|
|
|
|
on app_token_permission_org.private_id = individual_project_grants.permission_id
|
|
|
|
|
left join app_token_permission_org_individual_grant_scope project_grant_scope
|
|
|
|
|
on app_token_permission_org.private_id = project_grant_scope.permission_id
|
|
|
|
|
left join iam_scope_project
|
|
|
|
|
on individual_project_grants.scope_id = iam_scope_project.scope_id
|
|
|
|
|
on project_grant_scope.scope_id = iam_scope_project.scope_id
|
|
|
|
|
group by app_token_permission_org.private_id,
|
|
|
|
|
app_token_permission_org.description,
|
|
|
|
|
app_token_permission_org.create_time,
|
|
|
|
|
@ -149,14 +149,15 @@ left join iam_scope_project
|
|
|
|
|
// grantsForOrgTokenGlobalOrgResourcesRecursiveQuery gets an org app token's grants for resources
|
|
|
|
|
// applicable to global and org scopes.
|
|
|
|
|
grantsForOrgTokenGlobalOrgResourcesRecursiveQuery = `
|
|
|
|
|
select app_token_permission_org.private_id as permission_id,
|
|
|
|
|
select app_token_permission_org.private_id as permission_id,
|
|
|
|
|
app_token_permission_org.description,
|
|
|
|
|
app_token_permission_org.create_time,
|
|
|
|
|
app_token_permission_org.grant_this_scope,
|
|
|
|
|
app_token_permission_org.grant_scope,
|
|
|
|
|
app_token_org.public_id as app_token_id,
|
|
|
|
|
'global' as app_token_parent_scope_id,
|
|
|
|
|
array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
|
|
|
|
|
array_agg(distinct iam_scope_project.scope_id) as active_grant_scopes
|
|
|
|
|
array_agg(distinct app_token_org.scope_id) as active_grant_scopes
|
|
|
|
|
from app_token_org
|
|
|
|
|
join app_token_permission_org
|
|
|
|
|
on app_token_org.public_id = app_token_permission_org.app_token_id
|
|
|
|
|
@ -166,10 +167,7 @@ left join iam_scope_project
|
|
|
|
|
join iam_grant
|
|
|
|
|
on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
|
|
|
|
|
and iam_grant.resource = any(@resources)
|
|
|
|
|
left join app_token_permission_org_individual_grant_scope individual_project_grants
|
|
|
|
|
on app_token_permission_org.private_id = individual_project_grants.permission_id
|
|
|
|
|
left join iam_scope_project
|
|
|
|
|
on individual_project_grants.scope_id = iam_scope_project.scope_id
|
|
|
|
|
where app_token_permission_org.grant_this_scope = true
|
|
|
|
|
group by app_token_permission_org.private_id,
|
|
|
|
|
app_token_permission_org.description,
|
|
|
|
|
app_token_permission_org.create_time,
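Review bot: With the project joins removed, `where app_token_permission_org.grant_this_scope = true` is the only scoping rule left in this query, and nothing explains why `grant_scope` is ignored. A comment above it would keep a later edit from widening the filter by accident, for example `-- org-level resources are granted only via grant_this_scope; 'children' and individual grant scopes refer to projects`. That wording reflects my reading of the sibling queries and should be checked against the intended model. The select list, which now reports `app_token_org.scope_id` as the single active scope, is in the preceding hunk.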
|
|
|
|
|
@ -179,7 +177,7 @@ left join iam_scope_project
|
|
|
|
|
`
|
|
|
|
|
|
|
|
|
|
// grantsForOrgTokenProjectResourcesRecursiveQuery gets an org app token's grants for resources
|
|
|
|
|
// applicable to a project scope.
|
|
|
|
|
// applicable to any project scope.
|
|
|
|
|
grantsForOrgTokenProjectResourcesRecursiveQuery = `
|
|
|
|
|
select app_token_permission_org.private_id as permission_id,
|
|
|
|
|
app_token_permission_org.description,
|
|
|
|
|
@ -187,6 +185,7 @@ left join iam_scope_project
|
|
|
|
|
app_token_permission_org.grant_this_scope,
|
|
|
|
|
app_token_permission_org.grant_scope,
|
|
|
|
|
app_token_org.public_id as app_token_id,
|
|
|
|
|
'global' as app_token_parent_scope_id,
|
|
|
|
|
array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
|
|
|
|
|
array_agg(distinct iam_scope_project.scope_id) as active_grant_scopes
|
|
|
|
|
from app_token_org
|
|
|
|
|
@ -198,12 +197,12 @@ left join iam_scope_project
|
|
|
|
|
join iam_grant
|
|
|
|
|
on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
|
|
|
|
|
and iam_grant.resource = any(@resources)
|
|
|
|
|
left join app_token_permission_org_individual_grant_scope individual_project_grants
|
|
|
|
|
on app_token_permission_org.private_id = individual_project_grants.permission_id
|
|
|
|
|
left join app_token_permission_org_individual_grant_scope project_grant_scope
|
|
|
|
|
on app_token_permission_org.private_id = project_grant_scope.permission_id
|
|
|
|
|
left join iam_scope_project
|
|
|
|
|
on individual_project_grants.scope_id = iam_scope_project.scope_id
|
|
|
|
|
on project_grant_scope.scope_id = iam_scope_project.scope_id
|
|
|
|
|
where app_token_permission_org.grant_scope = 'children'
|
|
|
|
|
or individual_project_grants.scope_id is not null
|
|
|
|
|
or project_grant_scope.scope_id is not null
|
|
|
|
|
group by app_token_permission_org.private_id,
|
|
|
|
|
app_token_permission_org.description,
|
|
|
|
|
app_token_permission_org.create_time,
|
|
|
|
|
|