From b007b711eab44e9cd164cb0e6bee5bc8846b25d9 Mon Sep 17 00:00:00 2001
From: David Kanney
Date: Mon, 5 Jan 2026 16:13:15 -0500
Subject: [PATCH] App Token recursive query improvements (#6291)

* fix(query): Add filter for null active_grant_scopes values
* fix(query): Use 'descendants' for global->project relationship
* fix(query): Remove unnecessary join to individual org table
* fix(query): Remove redundant coalesce()
* chore(query): Improve alias naming & query spacing
* fix(query): Use 'this' grant scope for org token + global/org resource query
* feat(query): Add 'app_token_parent_scope_id' to query results
---
 internal/apptoken/query.go | 77 +++++++++++++++++++-------------------
 1 file changed, 38 insertions(+), 39 deletions(-)

diff --git a/internal/apptoken/query.go b/internal/apptoken/query.go
index 5bc4f8c47b..84f0512820 100644
--- a/internal/apptoken/query.go
+++ b/internal/apptoken/query.go
@@ -10,14 +10,16 @@ const (
 // grantsForGlobalTokenGlobalOrgProjectResourcesRecursiveQuery gets a global app token's grants for resources
 // applicable to all scopes.
 grantsForGlobalTokenGlobalOrgProjectResourcesRecursiveQuery = `
- select app_token_permission_global.private_id as permission_id,
+ select app_token_permission_global.private_id as permission_id,
 app_token_permission_global.description,
 app_token_permission_global.create_time,
 app_token_permission_global.grant_this_scope,
 app_token_permission_global.grant_scope,
- app_token_global.public_id as app_token_id,
- array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
- array_agg(distinct coalesce(iam_scope_org.scope_id, iam_scope_project.scope_id)) as active_grant_scopes
+ app_token_global.public_id as app_token_id,
+ '' as app_token_parent_scope_id,
+ array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
+ array_agg(distinct coalesce(iam_scope_org.scope_id, iam_scope_project.scope_id))
+ filter (where coalesce(iam_scope_org.scope_id, iam_scope_project.scope_id) is not null) as active_grant_scopes
 from app_token_global
 join app_token_permission_global
 on app_token_global.public_id = app_token_permission_global.app_token_id
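Review bot: The null filter on `active_grant_scopes` fixes the `{NULL}` case, but the `coalesce(iam_scope_org.scope_id, iam_scope_project.scope_id)` it wraps still drops project scope ids whenever a permission row also has individual org grant scopes: the two left joins form a cross product and coalesce always picks the org side, so the project ids never reach the aggregate. If a single permission can carry both org and project individual grant scopes (the separate org and project tables suggest it can; please confirm against the schema), the grant set returned to the authorizer is silently narrower than what was granted. Aggregating each side on its own and concatenating avoids that: `coalesce(array_agg(distinct iam_scope_org.scope_id) filter (where iam_scope_org.scope_id is not null), '{}')` followed by `|| coalesce(array_agg(distinct iam_scope_project.scope_id) filter (where iam_scope_project.scope_id is not null), '{}') as active_grant_scopes`. Note also that a filtered `array_agg` yields SQL NULL rather than an empty array when no row passes, so the Go scan target for this column must accept NULL. The const block and the rest of this query continue outside the hunk.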
@@ -27,14 +29,14 @@ const (
 join iam_grant
 on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
 and iam_grant.resource = any(@resources)
-left join app_token_permission_global_individual_org_grant_scope
- on app_token_permission_global.private_id = app_token_permission_global_individual_org_grant_scope.permission_id
+left join app_token_permission_global_individual_org_grant_scope org_grant_scope
+ on app_token_permission_global.private_id = org_grant_scope.permission_id
 left join iam_scope_org
- on app_token_permission_global_individual_org_grant_scope.scope_id = iam_scope_org.scope_id
-left join app_token_permission_global_individual_project_grant_scope
- on app_token_permission_global.private_id = app_token_permission_global_individual_project_grant_scope.permission_id
+ on org_grant_scope.scope_id = iam_scope_org.scope_id
+left join app_token_permission_global_individual_project_grant_scope project_grant_scope
+ on app_token_permission_global.private_id = project_grant_scope.permission_id
 left join iam_scope_project
- on app_token_permission_global_individual_project_grant_scope.scope_id = iam_scope_project.scope_id
+ on project_grant_scope.scope_id = iam_scope_project.scope_id
 group by app_token_permission_global.private_id,
 app_token_permission_global.description,
 app_token_permission_global.create_time,
@@ -46,12 +48,13 @@ left join iam_scope_project
 // grantsForGlobalTokenGlobalOrgResourcesRecursiveQuery gets a global app token's grants for resources
 // applicable to global and org scopes.
 grantsForGlobalTokenGlobalOrgResourcesRecursiveQuery = `
- select app_token_permission_global.private_id as permission_id,
+ select app_token_permission_global.private_id as permission_id,
 app_token_permission_global.description,
 app_token_permission_global.create_time,
 app_token_permission_global.grant_this_scope,
 app_token_permission_global.grant_scope,
 app_token_global.public_id as app_token_id,
+ '' as app_token_parent_scope_id,
 array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
 array_agg(distinct iam_scope_org.scope_id) as active_grant_scopes
 from app_token_global
@@ -63,10 +66,10 @@ left join iam_scope_project
 join iam_grant
 on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
 and iam_grant.resource = any(@resources)
-left join app_token_permission_global_individual_org_grant_scope org_grants
- on app_token_permission_global.private_id = org_grants.permission_id
+left join app_token_permission_global_individual_org_grant_scope org_grant_scope
+ on app_token_permission_global.private_id = org_grant_scope.permission_id
 left join iam_scope_org
- on org_grants.scope_id = iam_scope_org.scope_id
+ on org_grant_scope.scope_id = iam_scope_org.scope_id
 group by app_token_permission_global.private_id,
 app_token_permission_global.description,
 app_token_permission_global.create_time,
@@ -84,6 +87,7 @@ left join iam_scope_org
 app_token_permission_global.grant_this_scope,
 app_token_permission_global.grant_scope,
 app_token_global.public_id as app_token_id,
+ '' as app_token_parent_scope_id,
 array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
 array_agg(distinct iam_scope_project.scope_id) as active_grant_scopes
 from app_token_global
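Review bot: The null filter the commit adds to the first query is not applied to `grantsForGlobalTokenGlobalOrgResourcesRecursiveQuery` here, whose context line `array_agg(distinct iam_scope_org.scope_id) as active_grant_scopes` still aggregates over a left join and so returns `{NULL}` for any permission with no individual org grant scope (the same holds for the project variant in the third hunk on this line). If the caller treats a NULL element as "no scope" that is merely untidy, but if it is passed through to scope matching it is an ambiguous value in an authorization result, so the queries should behave the same way: `array_agg(distinct iam_scope_org.scope_id) filter (where iam_scope_org.scope_id is not null) as active_grant_scopes`, and likewise for `iam_scope_project.scope_id`. The filtered form returns SQL NULL instead of `{NULL}` when nothing matches, so check that the Go row type scans that cleanly. Each query's `where`/`group by` tail lies outside these hunks.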
@@ -95,17 +99,12 @@ left join iam_scope_org
 join iam_grant
 on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
 and iam_grant.resource = any(@resources)
-left join app_token_permission_global_individual_project_grant_scope proj_grants
- on app_token_permission_global.private_id = proj_grants.permission_id
+left join app_token_permission_global_individual_project_grant_scope project_grant_scope
+ on app_token_permission_global.private_id = project_grant_scope.permission_id
 left join iam_scope_project
- on proj_grants.scope_id = iam_scope_project.scope_id
-left join app_token_permission_global_individual_org_grant_scope org_grants
- on app_token_permission_global.private_id = org_grants.permission_id
- where org_grants.permission_id is null
- or (
- app_token_permission_global.grant_scope = 'children' and
- proj_grants.scope_id is not null
- )
+ on project_grant_scope.scope_id = iam_scope_project.scope_id
+ where app_token_permission_global.grant_scope = 'descendants'
+ or project_grant_scope.scope_id is not null
 group by app_token_permission_global.private_id,
 app_token_permission_global.description,
 app_token_permission_global.create_time,
@@ -123,8 +122,9 @@ left join app_token_permission_global_individual_org_grant_scope org_grants
 app_token_permission_org.grant_this_scope,
 app_token_permission_org.grant_scope,
 app_token_org.public_id as app_token_id,
+ 'global' as app_token_parent_scope_id,
 array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
- array_agg(distinct coalesce(iam_scope_project.scope_id)) as active_grant_scopes
+ array_agg(distinct iam_scope_project.scope_id) as active_grant_scopes
 from app_token_org
 join app_token_permission_org
 on app_token_org.public_id = app_token_permission_org.app_token_id
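Review bot: The new `where app_token_permission_global.grant_scope = 'descendants' or project_grant_scope.scope_id is not null` admits 'descendants' permissions precisely when they have no individual project rows, and for those rows the left-joined `iam_scope_project.scope_id` is NULL, so `active_grant_scopes` (selected outside this hunk) comes back as `{NULL}` rather than an empty or absent list; the null filter added to the first query is not applied here. Whether that is harmless depends on the caller ignoring `active_grant_scopes` when `grant_scope` is 'descendants', which I cannot confirm from this file. I would also parenthesize the disjunction, `where (app_token_permission_global.grant_scope = 'descendants' or project_grant_scope.scope_id is not null)`, so that any token or scope predicate later combined with it via `and` cannot silently bind only to the second operand. The select list and `group by` tail of this query sit outside the hunk.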
@@ -134,10 +134,10 @@ left join app_token_permission_global_individual_org_grant_scope org_grants
 join iam_grant
 on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
 and iam_grant.resource = any(@resources)
-left join app_token_permission_org_individual_grant_scope individual_project_grants
- on app_token_permission_org.private_id = individual_project_grants.permission_id
+left join app_token_permission_org_individual_grant_scope project_grant_scope
+ on app_token_permission_org.private_id = project_grant_scope.permission_id
 left join iam_scope_project
- on individual_project_grants.scope_id = iam_scope_project.scope_id
+ on project_grant_scope.scope_id = iam_scope_project.scope_id
 group by app_token_permission_org.private_id,
 app_token_permission_org.description,
 app_token_permission_org.create_time,
@@ -149,14 +149,15 @@ left join iam_scope_project
 // grantsForOrgTokenGlobalOrgResourcesRecursiveQuery gets an org app token's grants for resources
 // applicable to global and org scopes.
 grantsForOrgTokenGlobalOrgResourcesRecursiveQuery = `
- select app_token_permission_org.private_id as permission_id,
+ select app_token_permission_org.private_id as permission_id,
 app_token_permission_org.description,
 app_token_permission_org.create_time,
 app_token_permission_org.grant_this_scope,
 app_token_permission_org.grant_scope,
 app_token_org.public_id as app_token_id,
+ 'global' as app_token_parent_scope_id,
 array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
- array_agg(distinct app_token_org.scope_id) as active_grant_scopes
 from app_token_org
 join app_token_permission_org
 on app_token_org.public_id = app_token_permission_org.app_token_id
@@ -166,10 +167,7 @@ left join iam_scope_project
 join iam_grant
 on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
 and iam_grant.resource = any(@resources)
-left join app_token_permission_org_individual_grant_scope individual_project_grants
- on app_token_permission_org.private_id = individual_project_grants.permission_id
-left join iam_scope_project
- on individual_project_grants.scope_id = iam_scope_project.scope_id
+ where app_token_permission_org.grant_this_scope = true
 group by app_token_permission_org.private_id,
 app_token_permission_org.description,
 app_token_permission_org.create_time,
@@ -179,7 +177,7 @@ left join iam_scope_project
 `

 // grantsForOrgTokenProjectResourcesRecursiveQuery gets an org app token's grants for resources
- // applicable to a project scope.
+ // applicable to any project scope.
 grantsForOrgTokenProjectResourcesRecursiveQuery = `
 select app_token_permission_org.private_id as permission_id,
 app_token_permission_org.description,
@@ -187,6 +185,7 @@ left join iam_scope_project
 app_token_permission_org.grant_this_scope,
 app_token_permission_org.grant_scope,
 app_token_org.public_id as app_token_id,
+ 'global' as app_token_parent_scope_id,
 array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
 array_agg(distinct iam_scope_project.scope_id) as active_grant_scopes
 from app_token_org
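Review bot: The doc comment on `grantsForOrgTokenGlobalOrgResourcesRecursiveQuery` (unchanged, outside this hunk) still reads "applicable to global and org scopes", but the new `where app_token_permission_org.grant_this_scope = true` together with the `array_agg(distinct app_token_org.scope_id)` select list means the query now returns only permissions that grant the token's own org and reports that single org as the active scope; `grant_scope` and the individual project rows no longer play any part. That narrowing is the right least-privilege outcome (an org token should never act at global), but the next reader will not learn it from the comment. I would extend it with: `// An org token cannot act at global, so only permissions with grant_this_scope set are returned and active_grant_scopes is the token's own org scope id.` The const block and the query's `group by` tail extend beyond the hunk.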
@@ -198,12 +197,12 @@ left join iam_scope_project
 join iam_grant
 on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
 and iam_grant.resource = any(@resources)
-left join app_token_permission_org_individual_grant_scope individual_project_grants
- on app_token_permission_org.private_id = individual_project_grants.permission_id
+left join app_token_permission_org_individual_grant_scope project_grant_scope
+ on app_token_permission_org.private_id = project_grant_scope.permission_id
 left join iam_scope_project
- on individual_project_grants.scope_id = iam_scope_project.scope_id
+ on project_grant_scope.scope_id = iam_scope_project.scope_id
 where app_token_permission_org.grant_scope = 'children'
- or individual_project_grants.scope_id is not null
+ or project_grant_scope.scope_id is not null
 group by app_token_permission_org.private_id,
 app_token_permission_org.description,
 app_token_permission_org.create_time,
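Review bot: The predicate `where app_token_permission_org.grant_scope = 'children' or project_grant_scope.scope_id is not null` is an unparenthesized disjunction in an authorization query; if the token identity is constrained by a predicate joined to this one with `and` (I cannot see where `app_token_org` is restricted to the requesting token from this hunk), SQL precedence would scope that restriction to the second operand only and the 'children' branch would match every org token's permissions. Wrapping it, `where (app_token_permission_org.grant_scope = 'children' or project_grant_scope.scope_id is not null)`, costs nothing and makes the query safe to compose. Separately, 'children' permissions with no individual project rows still produce `{NULL}` in `active_grant_scopes` because the null filter from the first query is not applied here. The query's select list and `group by` tail are outside the hunk.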