feat(query): Create query for recursive requests of org app token grants on Global/Org/Project resources

6 months ago · fd036dd5b7
parent 155d0afcb7
commit fd036dd5b7
1 changed files with 32 additions and 0 deletions
--- a/internal/apptoken/query.go
+++ b/internal/apptoken/query.go
@ -113,4 +113,36 @@ left join app_token_permission_global_individual_org_grant_scope org_grants
          app_token_permission_global.grant_scope,
          app_token_global.public_id;
    `
+
+	// grantsForOrgTokenGlobalOrgProjectResourcesRecursiveQuery gets an org app token's grants for resources
+	// applicable to all scopes.
+	grantsForOrgTokenGlobalOrgProjectResourcesRecursiveQuery = `
+   select app_token_permission_org.private_id                            as permission_id,
+          app_token_permission_org.description,
+          app_token_permission_org.create_time,
+          app_token_permission_org.grant_this_scope,
+          app_token_permission_org.grant_scope,
+          app_token_org.public_id                                        as app_token_id,
+          array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
+          array_agg(distinct coalesce(iam_scope_project.scope_id))       as active_grant_scopes
+     from app_token_org
+     join app_token_permission_org
+       on app_token_org.public_id = app_token_permission_org.app_token_id
+      and app_token_org.public_id = any(@app_token_ids)
+     join app_token_permission_grant
+       on app_token_permission_org.private_id = app_token_permission_grant.permission_id
+     join iam_grant
+       on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
+      and iam_grant.resource = any(@resources)
+left join app_token_permission_org_individual_grant_scope individual_project_grants
+       on app_token_permission_org.private_id = individual_project_grants.permission_id
+left join iam_scope_project
+       on individual_project_grants.scope_id = iam_scope_project.scope_id
+ group by app_token_permission_org.private_id,
+          app_token_permission_org.description,
+          app_token_permission_org.create_time,
+          app_token_permission_org.grant_this_scope,
+          app_token_permission_org.grant_scope,
+          app_token_org.public_id;
+    `
 )