From de8e93a26f5a5811ff1c3685efc5780019903d37 Mon Sep 17 00:00:00 2001
From: dkanney
Date: Wed, 12 Nov 2025 03:07:40 -0500
Subject: [PATCH 1/3] feat(query): Create query for recursive requests of global app token grants on Global/Org/Project resources
---
 internal/apptoken/query.go | 45 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 internal/apptoken/query.go
diff --git a/internal/apptoken/query.go b/internal/apptoken/query.go
new file mode 100644
index 0000000000..72b3821df9
--- /dev/null
+++ b/internal/apptoken/query.go
@@ -0,0 +1,45 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package apptoken
+
+// query.go contains "raw sql" for the apptoken package that goes directly against
+// the db via sql.DB vs the standard pattern of using the internal/db package to
+// interact with the db.
+const (
+ // grantsForGlobalTokenGlobalOrgProjectResourcesRecursiveQuery gets a global app token's grants for resources
+ // applicable to all scopes.
+ grantsForGlobalTokenGlobalOrgProjectResourcesRecursiveQuery = `
+ select app_token_permission_global.private_id as permission_id,
+ app_token_permission_global.description,
+ app_token_permission_global.create_time,
+ app_token_permission_global.grant_this_scope,
+ app_token_permission_global.grant_scope,
+ app_token_global.public_id as app_token_id,
+ array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
+ array_agg(distinct coalesce(iam_scope_org.scope_id, iam_scope_project.scope_id)) as active_grant_scopes
+ from app_token_global
+ join app_token_permission_global
+ on app_token_global.public_id = app_token_permission_global.app_token_id
+ and app_token_global.public_id = any(@app_token_ids)
+ join app_token_permission_grant
+ on app_token_permission_global.private_id = app_token_permission_grant.permission_id
+ join iam_grant
+ on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
+ and iam_grant.resource = any(@resources)
+left join app_token_permission_global_individual_org_grant_scope
+ on app_token_permission_global.private_id = app_token_permission_global_individual_org_grant_scope.permission_id
+left join iam_scope_org
+ on app_token_permission_global_individual_org_grant_scope.scope_id = iam_scope_org.scope_id
+left join app_token_permission_global_individual_project_grant_scope
+ on app_token_permission_global.private_id = app_token_permission_global_individual_project_grant_scope.permission_id
+left join iam_scope_project
+ on app_token_permission_global_individual_project_grant_scope.scope_id = iam_scope_project.scope_id
+ group by app_token_permission_global.private_id,
+ app_token_permission_global.description,
+ app_token_permission_global.create_time,
+ app_token_permission_global.grant_this_scope,
+ app_token_permission_global.grant_scope,
+ app_token_global.public_id;
+ `
+)
From 1695d13c8e24425e791ecd117407f33d70ea7052 Mon Sep 17 00:00:00 2001
From: dkanney
Date: Wed, 12 Nov 2025 16:50:24 -0500
Subject: [PATCH 2/3] feat(query): Create query for recursive requests of global app token grants on Global/Org resources
---
 internal/apptoken/query.go | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/internal/apptoken/query.go b/internal/apptoken/query.go
index 72b3821df9..89a65d0674 100644
--- a/internal/apptoken/query.go
+++ b/internal/apptoken/query.go
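Review bot: In `grantsForGlobalTokenGlobalOrgProjectResourcesRecursiveQuery`, `array_agg(distinct coalesce(iam_scope_org.scope_id, iam_scope_project.scope_id))` drops the project scopes of any permission that also has individual org grant scopes: the org and project left joins are each keyed only on `permission_id`, so every org row pairs with every project row and coalesce always yields the org side. A permission with individual org scope o1 and individual project scopes p1 and p2 (constructed example) would come back with `active_grant_scopes = {o1}`, under-reporting where the token's grants apply. Aggregating the two sides separately, e.g. `array_remove(array_agg(distinct iam_scope_org.scope_id), null) || array_remove(array_agg(distinct iam_scope_project.scope_id), null) as active_grant_scopes`, keeps both (assuming PostgreSQL, which the `= any(@...)` array parameters suggest). The `array_remove` also avoids the `{NULL}` array that a permission with no individual scopes produces today, since array_agg keeps null inputs; the org and project queries in patches 2/3 of this series use plain `array_agg(distinct ...)` and hand callers the same null element.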
@@ -35,6 +35,38 @@ left join app_token_permission_global_individual_project_grant_scope
 on app_token_permission_global.private_id = app_token_permission_global_individual_project_grant_scope.permission_id
 left join iam_scope_project
 on app_token_permission_global_individual_project_grant_scope.scope_id = iam_scope_project.scope_id
+ group by app_token_permission_global.private_id,
+ app_token_permission_global.description,
+ app_token_permission_global.create_time,
+ app_token_permission_global.grant_this_scope,
+ app_token_permission_global.grant_scope,
+ app_token_global.public_id;
+ `
+
+ // grantsForGlobalTokenGlobalOrgResourcesRecursiveQuery gets a global app token's grants for resources
+ // applicable to global and org scopes.
+ grantsForGlobalTokenGlobalOrgResourcesRecursiveQuery = `
+ select app_token_permission_global.private_id as permission_id,
+ app_token_permission_global.description,
+ app_token_permission_global.create_time,
+ app_token_permission_global.grant_this_scope,
+ app_token_permission_global.grant_scope,
+ app_token_global.public_id as app_token_id,
+ array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
+ array_agg(distinct iam_scope_org.scope_id) as active_grant_scopes
+ from app_token_global
+ join app_token_permission_global
+ on app_token_global.public_id = app_token_permission_global.app_token_id
+ and app_token_global.public_id = any(@app_token_ids)
+ join app_token_permission_grant
+ on app_token_permission_global.private_id = app_token_permission_grant.permission_id
+ join iam_grant
+ on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
+ and iam_grant.resource = any(@resources)
+left join app_token_permission_global_individual_org_grant_scope org_grants
+ on app_token_permission_global.private_id = org_grants.permission_id
+left join iam_scope_org
+ on org_grants.scope_id = iam_scope_org.scope_id
 group by app_token_permission_global.private_id,
 app_token_permission_global.description,
 app_token_permission_global.create_time,
From 155d0afcb72f1a1edc5c0168a640000f747f7515 Mon Sep 17 00:00:00 2001
From: dkanney
Date: Thu, 13 Nov 2025 11:31:00 -0500
Subject: [PATCH 3/3] feat(query): Create query for recursive requests of global app token grants on Project resources
---
 internal/apptoken/query.go | 39 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/internal/apptoken/query.go b/internal/apptoken/query.go
index 89a65d0674..9d9ed3d139 100644
--- a/internal/apptoken/query.go
+++ b/internal/apptoken/query.go
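Review bot: `grantsForGlobalTokenGlobalOrgResourcesRecursiveQuery` has no predicate on `grant_scope`, so a permission whose only individual grant scopes are projects (no `org_grants` row) is still returned for org resources, with `active_grant_scopes` holding nothing but a null element; the project query added in patch 3 of this series does filter with a `where` clause, so the two siblings disagree unless the Go caller is expected to drop such rows on its own. Whichever contract is intended, the const comment should state it, e.g. `// Rows are not filtered on grant_scope; a permission with no individual org scopes is returned with a null-only active_grant_scopes and must be handled by the caller.` (adjust to the real rule). The comment should also name the two named parameters, `@app_token_ids` and `@resources`, and say that both are arrays matched with `= any(...)`. The const block continues outside the hunk.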
@@ -67,6 +67,45 @@ left join app_token_permission_global_individual_org_grant_scope org_grants
 on app_token_permission_global.private_id = org_grants.permission_id
 left join iam_scope_org
 on org_grants.scope_id = iam_scope_org.scope_id
+ group by app_token_permission_global.private_id,
+ app_token_permission_global.description,
+ app_token_permission_global.create_time,
+ app_token_permission_global.grant_this_scope,
+ app_token_permission_global.grant_scope,
+ app_token_global.public_id;
+ `
+
+ // grantsForGlobalTokenProjectResourcesRecursiveQuery gets a global app token's grants for resources
+ // applicable to the project scope.
+ grantsForGlobalTokenProjectResourcesRecursiveQuery = `
+ select app_token_permission_global.private_id as permission_id,
+ app_token_permission_global.description,
+ app_token_permission_global.create_time,
+ app_token_permission_global.grant_this_scope,
+ app_token_permission_global.grant_scope,
+ app_token_global.public_id as app_token_id,
+ array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
+ array_agg(distinct iam_scope_project.scope_id) as active_grant_scopes
+ from app_token_global
+ join app_token_permission_global
+ on app_token_global.public_id = app_token_permission_global.app_token_id
+ and app_token_global.public_id = any(@app_token_ids)
+ join app_token_permission_grant
+ on app_token_permission_global.private_id = app_token_permission_grant.permission_id
+ join iam_grant
+ on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
+ and iam_grant.resource = any(@resources)
+left join app_token_permission_global_individual_project_grant_scope proj_grants
+ on app_token_permission_global.private_id = proj_grants.permission_id
+left join iam_scope_project
+ on proj_grants.scope_id = iam_scope_project.scope_id
+left join app_token_permission_global_individual_org_grant_scope org_grants
+ on app_token_permission_global.private_id = org_grants.permission_id
+ where org_grants.permission_id is null
+ or (
+ app_token_permission_global.grant_scope = 'children' and
+ proj_grants.scope_id is not null
+ )
 group by app_token_permission_global.private_id,
 app_token_permission_global.description,
 app_token_permission_global.create_time,
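Review bot: The new `where` in `grantsForGlobalTokenProjectResourcesRecursiveQuery` only reaches its `or (...)` branch on rows that do have an `org_grants` row, i.e. a permission carrying individual org scopes, `grant_scope = 'children'` and an individual project scope all at once; if the model forbids individual org scopes alongside 'children', that branch is dead, and if it allows them, the first predicate already admits a 'children' permission with no individual project scopes, which (assuming children of global are orgs only) should not contribute to project resources. Please confirm the intended rule and record it above the const, e.g. `// Excludes permissions that have individual org grant scopes unless grant_scope is 'children' and at least one individual project scope is set; callers must still interpret grant_scope for the remaining rows.` The filter runs before `group by`, so the `{NULL}` element for permissions without individual project scopes (e.g. 'descendants') still reaches callers, as noted on patch 1. The const block and the query string continue outside the hunk.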