feat: grantsForUser for Global Resources (#5612)

* feat: grantsForUser for Global Resources

add query to fetch grants for a user for resources that are only globally scoped

* Update query based on change to bifurcate individual table

* Create subtests for different resources

* Return grant.grant_scope instead of the request scope

* Remove 'individual' subquery & unused reqScope parameter

* Use sql.Named for better readability

* Fix op function name

* Remove individual grant scope logic from global resource repo function

No need to handle individual grant scopes since global resources can only be queried via 'this' grant scope at the global scope.

* Fix row scan order

* Remove data gen function

* Adjust query formatting

Remove canonical_grant filter from query. `iam_grant.canonical_grant` is a primary key, so it can't be null anyway -- no need to filter out null canonical grants

* Use the consts for u_auth and u_anon

* Specify "empty" instead of "NULL" in struct field comment

* Build query args with `pq.Array` instead of `fmt.Sprintf`

* Fix TestGrantsForUserGlobalResources

No longer using a hard-coded value for roleVersion

* Refactor grantsForUserGlobalResources tests into testcases

* go mod tidy

* Update query comment for correctness

---------

Co-authored-by: dkanney <[email protected]>
Co-authored-by: dkanney <[email protected]>

Author: elimt

go.mod

@@ -66,6 +66,7 @@ require (
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/kr/pretty v0.3.1
 	github.com/kr/text v0.2.0
+	github.com/lib/pq v1.10.9
 	github.com/mattn/go-colorable v0.1.13
 	github.com/miekg/dns v1.1.58
 	github.com/mikesmitty/edkey v0.0.0-20170222072505-3356ea4e686a
@@ -169,7 +170,6 @@ require (
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
-	github.com/lib/pq v1.10.9 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v1.14.22 // indirect
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect

internal/iam/query.go

@@ -206,6 +206,109 @@ const (
         on grants.role_id = roles.role_id;
     `
 
+	grantsForUserGlobalResourcesQuery = `
+    with
+    users (id) as (
+      select public_id
+        from iam_user
+       where public_id = any(@user_ids)
+    ),
+    user_groups (id) as (
+      select group_id
+        from iam_group_member_user
+       where member_id in (select id
+                             from users)
+    ),
+    user_accounts (id) as (
+      select public_id
+        from auth_account
+       where iam_user_id in (select id
+                               from users)
+    ),
+    user_oidc_managed_groups (id) as (
+      select managed_group_id
+        from auth_oidc_managed_group_member_account
+       where member_id in (select id
+                             from user_accounts)
+    ),
+    user_ldap_managed_groups (id) as (
+      select managed_group_id
+        from auth_ldap_managed_group_member_account
+       where member_id in (select id
+                             from user_accounts)
+    ),
+    managed_group_roles (role_id) as (
+      select distinct role_id
+        from iam_managed_group_role
+       where principal_id in (select id
+                                from user_oidc_managed_groups)
+          or principal_id in (select id
+                                from user_ldap_managed_groups)
+    ),
+    group_roles (role_id) as (
+      select role_id
+        from iam_group_role
+       where principal_id in (select id
+                                from user_groups)
+    ),
+    user_roles (role_id) as (
+      select role_id
+        from iam_user_role
+       where principal_id in (select id
+                                from users)
+    ),
+    user_group_roles (role_id) as (
+      select role_id
+        from group_roles
+       union
+      select role_id
+        from user_roles
+       union
+      select role_id
+        from managed_group_roles
+    ),
+    roles_with_grants (role_id, canonical_grant) as (
+      select iam_role_grant.role_id,
+             iam_role_grant.canonical_grant
+        from iam_role_grant
+        join iam_role
+          on iam_role.public_id = iam_role_grant.role_id
+        join iam_grant
+          on iam_grant.canonical_grant = iam_role_grant.canonical_grant
+       where iam_role.public_id in (select role_id
+                                      from user_group_roles)
+         and iam_grant.resource = any(@resources)
+    ),
+    global_roles as (
+      select iam_role_global.public_id             as role_id,
+             iam_role_global.scope_id              as role_scope_id,
+             iam_scope.type                        as role_type,
+             'global'                              as role_parent_scope_id, -- manually set to global because we are only looking at global roles and the parent scope is always global
+             iam_role_global.grant_scope           as grant_scope,
+             iam_role_global.grant_this_role_scope as grant_this_role_scope,
+             roles_with_grants.canonical_grant     as canonical_grant
+        from iam_role_global
+        join roles_with_grants
+          on roles_with_grants.role_id = iam_role_global.public_id
+        join iam_scope
+          on iam_scope.public_id = iam_role_global.scope_id
+    )
+    select role_id,
+           role_scope_id,
+           role_parent_scope_id,
+           grant_scope,
+           grant_this_role_scope,
+           null as individual_grant_scopes, -- individual grant scopes do not apply to resources in the global scope
+           array_agg(distinct(canonical_grant)) as canonical_grants
+      from global_roles
+     where global_roles.grant_this_role_scope = true
+  group by role_id,
+           role_scope_id,
+           role_parent_scope_id,
+           grant_scope,
+           grant_this_role_scope;
+    `
+
 	estimateCountRoles = `
 		select reltuples::bigint as estimate from pg_class where oid in ('iam_role'::regclass)
 	`

internal/iam/repository_role_grant.go

@@ -5,6 +5,7 @@ package iam
 
 import (
 	"context"
+	"database/sql"
 	"fmt"
 	"sort"
 	"strings"
@@ -15,7 +16,9 @@ import (
 	"github.com/hashicorp/boundary/internal/kms"
 	"github.com/hashicorp/boundary/internal/oplog"
 	"github.com/hashicorp/boundary/internal/perms"
+	"github.com/hashicorp/boundary/internal/types/resource"
 	"github.com/hashicorp/boundary/internal/types/scope"
+	"github.com/lib/pq"
 )
 
 // AddRoleGrants will add role grants associated with the role ID in the
@@ -437,6 +440,29 @@ type MultiGrantTuple struct {
 	Grants            string
 }
 
+type grantsForUserResults struct {
+	// roleId is the public ID of the role.
+	roleId string
+	// roleScopeId is the scope ID of the role.
+	roleScopeId string
+	// roleParentScopeId is the parent scope ID of the role.
+	roleParentScopeId string
+	// grantScope is the grant scope of the role.
+	// The valid values are: "individual", "children" and "descendants".
+	grantScope string
+	// grantThisRoleScope is a boolean that indicates if the role has a grant
+	// for itself aka "this" or "individual" scope.
+	grantThisRoleScope bool
+	// individualGrantScopes represents the individual grant scopes for the role.
+	// This is a slice of strings that may be empty if the role does
+	// not have individual grants.
+	individualGrantScopes []string
+	// canonicalGrants represents the canonical grants for the role.
+	// This is a slice of strings that may be empty if the role does
+	// not have canonical grants associated with it.
+	canonicalGrants []string
+}
+
 func (r *Repository) GrantsForUser(ctx context.Context, userId string, opt ...Option) (perms.GrantTuples, error) {
 	const op = "iam.(Repository).GrantsForUser"
 	if userId == "" {
@@ -511,3 +537,76 @@ func (m *MultiGrantTuple) TestStableSort() {
 	sort.Strings(gts)
 	m.Grants = strings.Join(gts, "^")
 }
+
+// grantsForUserGlobalResources returns the grants for the user for resources that can
+// only be globally scoped.
+func (r *Repository) grantsForUserGlobalResources(
+	ctx context.Context,
+	userId string,
+	res resource.Type,
+	opt ...Option,
+) (perms.GrantTuples, error) {
+	const op = "iam.(Repository).grantsForUserGlobalResources"
+	if userId == "" {
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing user id")
+	}
+
+	var (
+		args      []any
+		userIds   []string
+		resources []string
+	)
+	switch userId {
+	case globals.AnonymousUserId:
+		userIds = []string{globals.AnonymousUserId}
+	default:
+		userIds = []string{globals.AnonymousUserId, globals.AnyAuthenticatedUserId, userId}
+	}
+	resources = []string{res.String(), "unknown", "*"}
+
+	args = append(args,
+		sql.Named("user_ids", pq.Array(userIds)),
+		sql.Named("resources", pq.Array(resources)),
+	)
+
+	var grants []grantsForUserResults
+	rows, err := r.reader.Query(ctx, grantsForUserGlobalResourcesQuery, args)
+	if err != nil {
+		return nil, errors.Wrap(ctx, err, op)
+	}
+	defer rows.Close()
+	for rows.Next() {
+		var g grantsForUserResults
+		if err := rows.Scan(
+			&g.roleId,
+			&g.roleScopeId,
+			&g.roleParentScopeId,
+			&g.grantScope,
+			&g.grantThisRoleScope,
+			pq.Array(&g.individualGrantScopes),
+			pq.Array(&g.canonicalGrants),
+		); err != nil {
+			return nil, errors.Wrap(ctx, err, op)
+		}
+		grants = append(grants, g)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, errors.Wrap(ctx, err, op)
+	}
+
+	ret := make(perms.GrantTuples, 0)
+	for _, grant := range grants {
+		for _, canonicalGrant := range grant.canonicalGrants {
+			gt := perms.GrantTuple{
+				RoleId:            grant.roleId,
+				RoleScopeId:       grant.roleScopeId,
+				RoleParentScopeId: grant.roleParentScopeId,
+				GrantScopeId:      grant.roleScopeId, // use "global" for all global grants
+				Grant:             canonicalGrant,
+			}
+			ret = append(ret, gt)
+		}
+	}
+
+	return ret, nil
+}