Merge pull request #6279 from hashicorp/dkanney-recursive-org-token-queries

feat(query): Create queries for recursive requests of org app token grants
5 months ago · f04481c162
parent ed0340bbc6 63f9deb013
commit f04481c162
1 changed files with 98 additions and 0 deletions
--- a/internal/apptoken/query.go
+++ b/internal/apptoken/query.go
@ -113,4 +113,102 @@ left join app_token_permission_global_individual_org_grant_scope org_grants
          app_token_permission_global.grant_scope,
          app_token_global.public_id;
    `
+
+	// grantsForOrgTokenGlobalOrgProjectResourcesRecursiveQuery gets an org app token's grants for resources
+	// applicable to all scopes.
+	grantsForOrgTokenGlobalOrgProjectResourcesRecursiveQuery = `
+   select app_token_permission_org.private_id                            as permission_id,
+          app_token_permission_org.description,
+          app_token_permission_org.create_time,
+          app_token_permission_org.grant_this_scope,
+          app_token_permission_org.grant_scope,
+          app_token_org.public_id                                        as app_token_id,
+          array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
+          array_agg(distinct coalesce(iam_scope_project.scope_id))       as active_grant_scopes
+     from app_token_org
+     join app_token_permission_org
+       on app_token_org.public_id = app_token_permission_org.app_token_id
+      and app_token_org.public_id = any(@app_token_ids)
+     join app_token_permission_grant
+       on app_token_permission_org.private_id = app_token_permission_grant.permission_id
+     join iam_grant
+       on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
+      and iam_grant.resource = any(@resources)
+left join app_token_permission_org_individual_grant_scope individual_project_grants
+       on app_token_permission_org.private_id = individual_project_grants.permission_id
+left join iam_scope_project
+       on individual_project_grants.scope_id = iam_scope_project.scope_id
+ group by app_token_permission_org.private_id,
+          app_token_permission_org.description,
+          app_token_permission_org.create_time,
+          app_token_permission_org.grant_this_scope,
+          app_token_permission_org.grant_scope,
+          app_token_org.public_id;
+    `
+
+	// grantsForOrgTokenGlobalOrgResourcesRecursiveQuery gets an org app token's grants for resources
+	// applicable to global and org scopes.
+	grantsForOrgTokenGlobalOrgResourcesRecursiveQuery = `
+  select  app_token_permission_org.private_id                            as permission_id,
+          app_token_permission_org.description,
+          app_token_permission_org.create_time,
+          app_token_permission_org.grant_this_scope,
+          app_token_permission_org.grant_scope,
+          app_token_org.public_id                                        as app_token_id,
+          array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
+          array_agg(distinct iam_scope_project.scope_id)                 as active_grant_scopes
+     from app_token_org
+     join app_token_permission_org
+       on app_token_org.public_id = app_token_permission_org.app_token_id
+      and app_token_org.public_id = any(@app_token_ids)
+     join app_token_permission_grant
+       on app_token_permission_org.private_id = app_token_permission_grant.permission_id
+     join iam_grant
+       on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
+      and iam_grant.resource = any(@resources)
+left join app_token_permission_org_individual_grant_scope individual_project_grants
+       on app_token_permission_org.private_id = individual_project_grants.permission_id
+left join iam_scope_project
+       on individual_project_grants.scope_id = iam_scope_project.scope_id
+ group by app_token_permission_org.private_id,
+          app_token_permission_org.description,
+          app_token_permission_org.create_time,
+          app_token_permission_org.grant_this_scope,
+          app_token_permission_org.grant_scope,
+          app_token_org.public_id;
+    `
+
+	// grantsForOrgTokenProjectResourcesRecursiveQuery gets an org app token's grants for resources
+	// applicable to a project scope.
+	grantsForOrgTokenProjectResourcesRecursiveQuery = `
+   select app_token_permission_org.private_id                            as permission_id,
+          app_token_permission_org.description,
+          app_token_permission_org.create_time,
+          app_token_permission_org.grant_this_scope,
+          app_token_permission_org.grant_scope,
+          app_token_org.public_id                                        as app_token_id,
+          array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
+          array_agg(distinct iam_scope_project.scope_id)                 as active_grant_scopes
+     from app_token_org
+     join app_token_permission_org
+       on app_token_org.public_id = app_token_permission_org.app_token_id
+      and app_token_org.public_id = any(@app_token_ids)
+     join app_token_permission_grant
+       on app_token_permission_org.private_id = app_token_permission_grant.permission_id
+     join iam_grant
+       on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
+      and iam_grant.resource = any(@resources)
+left join app_token_permission_org_individual_grant_scope individual_project_grants
+       on app_token_permission_org.private_id = individual_project_grants.permission_id
+left join iam_scope_project
+       on individual_project_grants.scope_id = iam_scope_project.scope_id
+    where app_token_permission_org.grant_scope = 'children'
+       or individual_project_grants.scope_id is not null
+ group by app_token_permission_org.private_id,
+          app_token_permission_org.description,
+          app_token_permission_org.create_time,
+          app_token_permission_org.grant_this_scope,
+          app_token_permission_org.grant_scope,
+          app_token_org.public_id;
+    `
 )