Domain: iam: Repository: update list-grant-scope and test setup to use new model (#5679)

* implement getRoleScopeId

* move query to query.go

* improve notfound err message

* improve other err messages

* use named parameter and move getRoleScopeId implementation

* moved getRoleScopeId test

* rename getRoleScopeId to getRoleScopeType

* fix public_id ambiguous error

* undo unintended change to getUserWithAccount

* fix the correct query

* split iam_role_global_individual_grant_scope to have separate tables for org and project

* small comment change

* small comment change

* WIP: add tests

* remove grant_scope as immutable column

* add trigger to delete individual grant scope when grant_scope changes

* add a test that covers changing grant_scope

* rename function and trigger in iam_role_global

* improve assertion in sqltest for iam_role_global

* update iam_role_org to delete redundant grants scope

* minor comment fix

* no longer handle individual grant scope deletion with triggers and rename some functions

* rename test

* add all subtype definitions

* remove unnecessary baseRole subtype

* add clone, setTableName, and GetScope tests

* add ResourceType and Actions test

* add create and delete tests for globalROle

* finish create and delete tests

* add trigger for deleting base role

* add trigger to sync update_time back to base iam_role table

* add update tests

* fix missing err checks

* fix iam_role delete subtype trigger function name and use new.update_time instead of now()

* add struct documentation to role subtypes

* add version update check

* implement getRoleScopeId

* implement getRoleScopeId

* save

* remove struct embedding from iam.Role

* fix tests to use new iam.Role definition

* repository_role_test.go move to new iam.Role model

* repository_principal_role_test.go use new iam.Role model

* repository_role_grant_test.go use new iam.Role model in test

* add oplog info to sql schema

* internal/iam/testing.go use new role schema in TestRole

* add toRole helper function to all role subtype

* remove tests that are no longer relevant

* internal/iam/repository_scope.go use new iam model

* internal/iam/repository_role_grant.go use new iam model

* internal/iam/repository_principal_role.go use new iam model

* internal/iam/repository_role_test.go add test case for global scoped role

* internal/iam/repository_grant_scope.go use new iam model

* fix query

* make create and lookup role work and add tests

* add role id to getRoleScopeId error message

* make DeleteRole work with new model and add tests

* fix update

* ensure oplog.ReplayableMessage is implemented on all role subtypes

* internal/iam/repository_role_grant.go fix slugging version properly

* internal/iam/repository_role.go minor correction to error message saying org instead of scope

* internal/iam/repository_role_test.go add more update tests

* add immutable_fields tests

* fix rebase

* change error code to RecordNotFound

* refactor to use getScopeType

* fix delete test

* add getRoleScope utility function

* repository_principal_role.go: refactor to remove multiple switch statements

* repository_role_grant.go: refactor to reduce LOC

* repository_role.go small refactor to use alloc func

* repository_grant_scope.go refactor

* review comments

* implement getRoleScopeId

* move query to query.go

* improve notfound err message

* improve other err messages

* use named parameter and move getRoleScopeId implementation

* moved getRoleScopeId test

* rename getRoleScopeId to getRoleScopeType

* fix public_id ambiguous error

* undo unintended change to getUserWithAccount

* fix the correct query

* rename test

* change error code to RecordNotFound

* Update internal/iam/repository_role.go

Co-authored-by: David Kanney <[email protected]>

* switch to slice instead of counter

* fix merge mistakes

* handling special scopes in test function

* fix TestRoleWithGrants

* fix minor typo

* make gen

* fix comment typos

* Bosorawis domain iam role use new model list role (#5676)

* add and use new list roles query

* run make gen

* tweaked returned error

* replace tabs with spaces in query string

* missed one tab

* remove leading spaces

* move ListRoleGrantScopes to repository_grant_scope.go

* rename repository_grant_scope to repository_role_grant_scope

* add proto definition for global role individual grant scope tables

* fix test from removing embeded struct from RoleGrantScope

* add grant_scope to proto definition

* implement GlobalRoleIndividualOrgGrantScope and GlobalRoleIndividualProjectGrantScope

* update comment

* run make gen to update comment

* implement OrgRoleIndividualGrantScope and add tests

* implement part of ListRoleGrantScopes

* Add more test

* add more test cases and remove add-grants test

* unexport listRoleGrantScopes

* use reader from function parameter instead of struct method

* rename test to match actual function

* run make gen

* unexport individual grants structs

* unexport individual grants structs - missed one file

* change TestRole and TestRoleGrantScope function to support new model

* add validation for special scopes

* add role_org_individual_grant_scope.pb.go to protobuild make target

* remove dead code from listRoleGrantScopes

* fix testRoleGrantScopeSpecial not handling org role special scope properly

* add back query removed by rebase

---------

Co-authored-by: David Kanney <[email protected]>

Author: bosorawis

Makefile

@@ -155,6 +155,9 @@ protobuild:
 	@protoc-go-inject-tag -input=./internal/oplog/oplog_test/oplog_test.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/group_member.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/role.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_global_individual_org_grant_scope.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_global_individual_project_grant_scope.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_org_individual_grant_scope.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/role_global.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/role_org.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/role_project.pb.go

internal/daemon/controller/handlers/roles/role_service_test.go

@@ -220,7 +220,7 @@ func TestList(t *testing.T) {
 	var totalRoles []*pb.Role
 	for i := 0; i < 10; i++ {
 		or := iam.TestRole(t, conn, oWithRoles.GetPublicId())
-		_ = iam.TestRoleGrantScope(t, conn, or.GetPublicId(), globals.GrantScopeChildren)
+		_ = iam.TestRoleGrantScope(t, conn, or, globals.GrantScopeChildren)
 		wantOrgRoles = append(wantOrgRoles, &pb.Role{
 			Id:                or.GetPublicId(),
 			ScopeId:           or.GetScopeId(),
@@ -2791,7 +2791,7 @@ func TestAddGrantScopes(t *testing.T) {
 			assert, require := assert.New(t), require.New(t)
 			role := iam.TestRole(t, conn, tc.scopeId, iam.WithGrantScopeIds([]string{"testing-none"}))
 			for _, e := range tc.existing {
-				_ = iam.TestRoleGrantScope(t, conn, role.GetPublicId(), e)
+				_ = iam.TestRoleGrantScope(t, conn, role, e)
 			}
 			req := &pbs.AddRoleGrantScopesRequest{
 				Id:      role.GetPublicId(),
@@ -3129,7 +3129,7 @@ func TestSetGrantScopes(t *testing.T) {
 			assert, require := assert.New(t), require.New(t)
 			role := iam.TestRole(t, conn, tc.scopeId, iam.WithGrantScopeIds([]string{"testing-none"}))
 			for _, e := range tc.existing {
-				_ = iam.TestRoleGrantScope(t, conn, role.GetPublicId(), e)
+				_ = iam.TestRoleGrantScope(t, conn, role, e)
 			}
 			req := &pbs.SetRoleGrantScopesRequest{
 				Id:      role.GetPublicId(),
@@ -3326,7 +3326,7 @@ func TestRemoveGrantScopes(t *testing.T) {
 			assert, require := assert.New(t), require.New(t)
 			role := iam.TestRole(t, conn, tc.scopeId, iam.WithGrantScopeIds([]string{"testing-none"}))
 			for _, e := range tc.existing {
-				_ = iam.TestRoleGrantScope(t, conn, role.GetPublicId(), e)
+				_ = iam.TestRoleGrantScope(t, conn, role, e)
 			}
 			req := &pbs.RemoveRoleGrantScopesRequest{
 				Id:      role.GetPublicId(),

internal/daemon/controller/handlers/targets/tcp/target_service_test.go

@@ -1295,7 +1295,7 @@ func TestCreate(t *testing.T) {
 	r := iam.TestRole(t, conn, "global")
 	_ = iam.TestUserRole(t, conn, r.GetPublicId(), at.GetIamUserId())
 	_ = iam.TestRoleGrant(t, conn, r.GetPublicId(), "ids=*;type=*;actions=*")
-	_ = iam.TestRoleGrantScope(t, conn, r.GetPublicId(), globals.GrantScopeDescendants)
+	_ = iam.TestRoleGrantScope(t, conn, r, globals.GrantScopeDescendants)
 
 	// Ensure we are using the OSS worker filter function. This prevents us from
 	// running tests in parallel.

internal/db/schema/migrations/oss/postgres/100/02_iam_role_org.up.sql

@@ -96,7 +96,7 @@ begin;
         on delete cascade
         on update cascade,
     scope_id wt_scope_id not null
-      constraint iam_scope_org_scope_id_fkey
+      constraint iam_scope_project_fkey
         references iam_scope_project(scope_id)
         on delete cascade
         on update cascade,
@@ -119,7 +119,7 @@ begin;
     primary key(role_id, scope_id)
   );
   comment on table iam_role_org_individual_grant_scope is
-    'iam_role_global_individual_grant_scope is the subtype table for the org role with grant_scope as individual.';
+    'iam_role_org_individual_grant_scope is the subtype table for the org role with grant_scope as individual.';
 
   create trigger default_create_time_column before insert on iam_role_org_individual_grant_scope
     for each row execute procedure default_create_time();

internal/iam/query.go

@@ -267,4 +267,112 @@ select public_id,
  where public_id = any(select role_id from combined_role_types)
  order by update_time desc, public_id desc
 `
+
+	roleGrantsScopeQuery = `
+with
+global_roles (role_id) as (
+  select public_id as role_id
+    from iam_role_global
+   where public_id = any($1)
+),
+org_roles (role_id) as (
+  select public_id as role_id
+    from iam_role_org
+   where public_id = any($1)
+),
+proj_roles (role_id) as (
+  select public_id as role_id
+    from iam_role_project
+   where public_id = any($1)
+),
+global_role_this_grants (role_id, scope_id_or_special, create_time) as (
+  select public_id as role_id,
+         'this' as scope_id_or_special,
+         grant_this_role_scope_update_time as create_time
+    from iam_role_global
+   where public_id = any (select role_id from global_roles)
+     and grant_this_role_scope = true
+),
+org_role_this_grants (role_id, scope_id_or_special, create_time) as (
+  select public_id as role_id,
+         'this' as scope_id_or_special,
+         grant_this_role_scope_update_time as create_time
+    from iam_role_org
+   where public_id = any (select role_id from org_roles)
+     and grant_this_role_scope = true
+),
+proj_role_this_grants (role_id, scope_id_or_special, create_time) as (
+  select public_id as role_id,
+         'this' as scope_id_or_special,
+         create_time as create_time
+    from iam_role_project
+   where public_id = any (select role_id from proj_roles)
+),
+global_role_special_grants (role_id, scope_id_or_special, create_time) as (
+  select public_id as role_id,
+         grant_scope as scope_id_or_special,
+         grant_this_role_scope_update_time as create_time
+    from iam_role_global
+   where public_id = any (select role_id from global_roles)
+     and grant_scope != 'individual'
+),
+org_role_special_grants (role_id, scope_id_or_special, create_time) as (
+  select public_id as role_id,
+         grant_scope as scope_id_or_special,
+         grant_this_role_scope_update_time as create_time
+    from iam_role_org
+   where public_id = any (select role_id from org_roles)
+     and grant_scope != 'individual'
+),
+global_role_individual_org_grants (role_id, scope_id_or_special, create_time) as (
+  select role_id as role_id,
+         scope_id as scope_id_or_special,
+         create_time as create_time
+    from iam_role_global_individual_org_grant_scope
+   where role_id = any (select role_id from global_roles)
+),
+global_role_individual_proj_grants (role_id, scope_id_or_special, create_time) as (
+  select role_id as role_id,
+         scope_id as scope_id_or_special,
+         create_time as create_time
+    from iam_role_global_individual_project_grant_scope
+   where role_id = any (select role_id from global_roles)
+),
+org_role_individual_grants (role_id, scope_id_or_special, create_time) as (
+  select role_id as role_id,
+         scope_id as scope_id_or_special,
+         create_time as create_time
+    from iam_role_org_individual_grant_scope
+   where role_id = any (select role_id from org_roles)
+),
+final (role_id, scope_id_or_special, create_time) as (
+  select role_id, scope_id_or_special, create_time
+    from global_role_this_grants
+   union
+  select role_id, scope_id_or_special, create_time
+  	from org_role_this_grants
+   union
+  select role_id, scope_id_or_special, create_time
+  	from proj_role_this_grants
+   union
+  select role_id, scope_id_or_special, create_time
+  	from global_role_special_grants
+   union
+  select role_id, scope_id_or_special, create_time
+  	from org_role_special_grants
+   union
+  select role_id, scope_id_or_special, create_time
+  	from global_role_individual_org_grants
+   union
+  select role_id, scope_id_or_special, create_time
+  	from global_role_individual_proj_grants
+   union
+  select role_id, scope_id_or_special, create_time
+  	from org_role_individual_grants
+)
+select role_id,
+       scope_id_or_special,
+       create_time
+  from final;
+`
 )

internal/iam/repository_role.go

@@ -279,7 +279,7 @@ func (r *Repository) LookupRole(ctx context.Context, withPublicId string, opt ..
 		if err != nil {
 			return errors.Wrap(ctx, err, op)
 		}
-		rgs, err = repo.ListRoleGrantScopes(ctx, []string{withPublicId})
+		rgs, err = listRoleGrantScopes(ctx, read, []string{withPublicId})
 		if err != nil {
 			return errors.Wrap(ctx, err, op)
 		}
@@ -441,7 +441,7 @@ func (r *Repository) queryRoles(ctx context.Context, whereClause string, args []
 			for _, retRole := range retRoles {
 				roleIds = append(roleIds, retRole.PublicId)
 			}
-			retRoleGrantScopes, err = r.ListRoleGrantScopes(ctx, roleIds, WithReaderWriter(rd, w))
+			retRoleGrantScopes, err = listRoleGrantScopes(ctx, r.reader, roleIds)
 			if err != nil {
 				return errors.Wrap(ctx, err, op)
 			}

internal/iam/repository_role_grant.go

@@ -429,31 +429,6 @@ func (r *Repository) ListRoleGrants(ctx context.Context, roleId string, opt ...O
 	return roleGrants, nil
 }
 
-// ListRoleGrantScopes returns the grant scopes for the roleId and supports the WithLimit
-// option.
-func (r *Repository) ListRoleGrantScopes(ctx context.Context, roleIds []string, opt ...Option) ([]*RoleGrantScope, error) {
-	const op = "iam.(Repository).ListRoleGrantScopes"
-	if len(roleIds) == 0 {
-		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing role ids")
-	}
-	query := "?"
-	var args []any
-	for i, roleId := range roleIds {
-		if roleId == "" {
-			return nil, errors.New(ctx, errors.InvalidParameter, op, "missing role ids")
-		}
-		if i > 0 {
-			query = query + ", ?"
-		}
-		args = append(args, roleId)
-	}
-	var roleGrantScopes []*RoleGrantScope
-	if err := r.list(ctx, &roleGrantScopes, fmt.Sprintf("role_id in (%s)", query), args, opt...); err != nil {
-		return nil, errors.Wrap(ctx, err, op, errors.WithMsg("unable to lookup role grant scopes"))
-	}
-	return roleGrantScopes, nil
-}
-
 type MultiGrantTuple struct {
 	RoleId            string
 	RoleScopeId       string

internal/iam/repository_grant_scope.go renamed to internal/iam/repository_role_grant_scope.go

@@ -425,3 +425,30 @@ func (r *Repository) SetRoleGrantScopes(ctx context.Context, roleId string, role
 	}
 	return currentRoleGrantScopes, totalRowsDeleted, nil
 }
+
+// listRoleGrantScopes returns the grant scopes for the roleId
+func listRoleGrantScopes(ctx context.Context, reader db.Reader, roleIds []string) ([]*RoleGrantScope, error) {
+	const op = "iam.(Repository).listRoleGrantScopes"
+	if len(roleIds) == 0 {
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing role ids")
+	}
+	rows, err := reader.Query(ctx, roleGrantsScopeQuery, []any{roleIds})
+	if err != nil {
+		return nil, errors.Wrap(ctx, err, op, errors.WithMsg("failed to query role grant scopes"))
+	}
+
+	if rows.Err() != nil {
+		return nil, errors.Wrap(ctx, rows.Err(), op, errors.WithMsg("role grant scope rows error"))
+	}
+	var result []*RoleGrantScope
+	for rows.Next() {
+		if err := reader.ScanRows(ctx, rows, &result); err != nil {
+			return nil, errors.Wrap(ctx, err, op, errors.WithMsg(fmt.Sprintf("failed scan results from querying role scope for: %s", roleIds)))
+		}
+	}
+	if err := rows.Err(); err != nil {
+		return nil, errors.Wrap(ctx, err, op, errors.WithMsg(fmt.Sprintf("unexpected error scanning results from querying role scope for: %s", roleIds)))
+	}
+
+	return result, nil
+}