From fd036dd5b72dc46f66aedcf48f754e1820f13d7e Mon Sep 17 00:00:00 2001
From: dkanney
Date: Wed, 26 Nov 2025 17:11:38 -0500
Subject: [PATCH 1/3] feat(query): Create query for recursive requests of org app token grants on Global/Org/Project resources

---
 internal/apptoken/query.go | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/internal/apptoken/query.go b/internal/apptoken/query.go
index 9d9ed3d139..8daa278b19 100644
--- a/internal/apptoken/query.go
+++ b/internal/apptoken/query.go
@@ -113,4 +113,36 @@ left join app_token_permission_global_individual_org_grant_scope org_grants
 app_token_permission_global.grant_scope,
 app_token_global.public_id;
 `
+
+ // grantsForOrgTokenGlobalOrgProjectResourcesRecursiveQuery gets an org app token's grants for resources
+ // applicable to all scopes.
+ grantsForOrgTokenGlobalOrgProjectResourcesRecursiveQuery = `
+ select app_token_permission_org.private_id as permission_id,
+ app_token_permission_org.description,
+ app_token_permission_org.create_time,
+ app_token_permission_org.grant_this_scope,
+ app_token_permission_org.grant_scope,
+ app_token_org.public_id as app_token_id,
+ array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
+ array_agg(distinct coalesce(iam_scope_project.scope_id)) as active_grant_scopes
+ from app_token_org
+ join app_token_permission_org
+ on app_token_org.public_id = app_token_permission_org.app_token_id
+ and app_token_org.public_id = any(@app_token_ids)
+ join app_token_permission_grant
+ on app_token_permission_org.private_id = app_token_permission_grant.permission_id
+ join iam_grant
+ on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
+ and iam_grant.resource = any(@resources)
+left join app_token_permission_org_individual_grant_scope individual_project_grants
+ on app_token_permission_org.private_id = individual_project_grants.permission_id
+left join iam_scope_project
+ on individual_project_grants.scope_id = iam_scope_project.scope_id
+ group by app_token_permission_org.private_id,
+ app_token_permission_org.description,
+ app_token_permission_org.create_time,
+ app_token_permission_org.grant_this_scope,
+ app_token_permission_org.grant_scope,
+ app_token_org.public_id;
+ `
 )

From 640e14dfff081f972dd66df0191117f3130f2e16 Mon Sep 17 00:00:00 2001
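Review bot: `coalesce(iam_scope_project.scope_id)` in the `active_grant_scopes` aggregate takes a single argument and is therefore a no-op — a permission with no individual project grant still aggregates to `{NULL}` through the left join; if the null was meant to be dropped, `array_agg(distinct iam_scope_project.scope_id) filter (where iam_scope_project.scope_id is not null) as active_grant_scopes` does that, with the empty case then scanning as NULL rather than `{NULL}`. Nothing in the join chain ties an individually granted project back to the org that owns the token, so unless writes to `app_token_permission_org_individual_grant_scope` are constrained to projects under that org (not visible here), a project from another org would be reported as an active grant scope for an authorization decision; either add that predicate or record the schema guarantee in the comment. The query also returns grants for whatever ids arrive in `@app_token_ids` without consulting token state, which is fine if the caller has already filtered expired or revoked tokens but should be stated, e.g. `// Token validity (expiry/revocation) is not checked here; callers must pass only live token ids.`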
From: dkanney
Date: Wed, 26 Nov 2025 17:25:59 -0500
Subject: [PATCH 2/3] feat(query): Create query for recursive requests of org app token grants on Global/Org resources

---
 internal/apptoken/query.go | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/internal/apptoken/query.go b/internal/apptoken/query.go
index 8daa278b19..dd40f2a8fe 100644
--- a/internal/apptoken/query.go
+++ b/internal/apptoken/query.go
@@ -136,6 +136,38 @@ left join app_token_permission_global_individual_org_grant_scope org_grants
 and iam_grant.resource = any(@resources)
 left join app_token_permission_org_individual_grant_scope individual_project_grants
 on app_token_permission_org.private_id = individual_project_grants.permission_id
+left join iam_scope_project
+ on individual_project_grants.scope_id = iam_scope_project.scope_id
+ group by app_token_permission_org.private_id,
+ app_token_permission_org.description,
+ app_token_permission_org.create_time,
+ app_token_permission_org.grant_this_scope,
+ app_token_permission_org.grant_scope,
+ app_token_org.public_id;
+ `
+
+ // grantsForOrgTokenGlobalOrgResourcesRecursiveQuery gets an org app token's grants for resources
+ // applicable to global and org scopes.
+ grantsForOrgTokenGlobalOrgResourcesRecursiveQuery = `
+ select app_token_permission_org.private_id as permission_id,
+ app_token_permission_org.description,
+ app_token_permission_org.create_time,
+ app_token_permission_org.grant_this_scope,
+ app_token_permission_org.grant_scope,
+ app_token_org.public_id as app_token_id,
+ array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
+ array_agg(distinct iam_scope_project.scope_id) as active_grant_scopes
+ from app_token_org
+ join app_token_permission_org
+ on app_token_org.public_id = app_token_permission_org.app_token_id
+ and app_token_org.public_id = any(@app_token_ids)
+ join app_token_permission_grant
+ on app_token_permission_org.private_id = app_token_permission_grant.permission_id
+ join iam_grant
+ on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
+ and iam_grant.resource = any(@resources)
+left join app_token_permission_org_individual_grant_scope individual_project_grants
+ on app_token_permission_org.private_id = individual_project_grants.permission_id
 left join iam_scope_project
 on individual_project_grants.scope_id = iam_scope_project.scope_id
 group by
app_token_permission_org.private_id,

From 63f9deb013f56cf589572cce6b06094d1d7629cb Mon Sep 17 00:00:00 2001
From: dkanney
Date: Wed, 26 Nov 2025 18:24:02 -0500
Subject: [PATCH 3/3] feat(query): Create query for recursive requests of org app token grants on Project resources

---
 internal/apptoken/query.go | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/internal/apptoken/query.go b/internal/apptoken/query.go
index dd40f2a8fe..9ae8338bdb 100644
--- a/internal/apptoken/query.go
+++ b/internal/apptoken/query.go
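Review bot: The new `grantsForOrgTokenGlobalOrgResourcesRecursiveQuery` is the same SQL as the all-scopes query above it except for the dropped `coalesce`, so nothing in its text limits the result to global/org-applicable resources — that distinction comes entirely from what the caller passes in `@resources`. If that is intended, say so in the comment, e.g. `// Identical to the all-scopes query; the global/org restriction is applied by the caller through @resources.`, and consider making one constant alias the other so the two cannot drift further than they already have. Otherwise the left joins on `individual_project_grants` and `iam_scope_project` do no filtering for resources that cannot live in a project and only add a NULL element to `active_grant_scopes`, which whatever scans this result must tolerate.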
@@ -170,6 +170,40 @@ left join app_token_permission_org_individual_grant_scope individual_project_gra
 on app_token_permission_org.private_id = individual_project_grants.permission_id
 left join iam_scope_project
 on individual_project_grants.scope_id = iam_scope_project.scope_id
+ group by app_token_permission_org.private_id,
+ app_token_permission_org.description,
+ app_token_permission_org.create_time,
+ app_token_permission_org.grant_this_scope,
+ app_token_permission_org.grant_scope,
+ app_token_org.public_id;
+ `
+
+ // grantsForOrgTokenProjectResourcesRecursiveQuery gets an org app token's grants for resources
+ // applicable to a project scope.
+ grantsForOrgTokenProjectResourcesRecursiveQuery = `
+ select app_token_permission_org.private_id as permission_id,
+ app_token_permission_org.description,
+ app_token_permission_org.create_time,
+ app_token_permission_org.grant_this_scope,
+ app_token_permission_org.grant_scope,
+ app_token_org.public_id as app_token_id,
+ array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
+ array_agg(distinct iam_scope_project.scope_id) as active_grant_scopes
+ from app_token_org
+ join app_token_permission_org
+ on app_token_org.public_id = app_token_permission_org.app_token_id
+ and app_token_org.public_id = any(@app_token_ids)
+ join app_token_permission_grant
+ on app_token_permission_org.private_id = app_token_permission_grant.permission_id
+ join iam_grant
+ on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
+ and iam_grant.resource = any(@resources)
+left join app_token_permission_org_individual_grant_scope individual_project_grants
+ on app_token_permission_org.private_id = individual_project_grants.permission_id
+left join iam_scope_project
+ on individual_project_grants.scope_id = iam_scope_project.scope_id
+ where app_token_permission_org.grant_scope = 'children'
+ or individual_project_grants.scope_id is not null
 group by app_token_permission_org.private_id,
app_token_permission_org.description,
 app_token_permission_org.create_time,
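Review bot: The `where` clause admits a row on `individual_project_grants.scope_id is not null`, while `active_grant_scopes` is aggregated from `iam_scope_project.scope_id`, so an individual grant scope that does not resolve through the left join on `iam_scope_project` passes the filter yet contributes only NULL to the array. If `app_token_permission_org_individual_grant_scope` can only reference existing projects the two are equivalent and `or iam_scope_project.scope_id is not null` merely makes that explicit; if it can hold other scope ids, the current predicate is the one that returns a permission with no real active scope. The comment `// applicable to a project scope.` should also spell out the contract this hunk introduces: a permission is returned when its `grant_scope` is `'children'` or it names at least one project individually, and `active_grant_scopes` lists only the individually named projects (a `'children'`-only permission reports `{NULL}`). The enclosing declaration group starts before this hunk.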