Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(users): add tenant id reads in user roles #6661

Merged
merged 8 commits into from
Nov 29, 2024
Merged

feat(users): add tenant id reads in user roles #6661

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
3fa7de1
feat(users): add tenant id reads in user roles
apoorvdixit88 Nov 26, 2024
c125cff
fix: resolve review comments
apoorvdixit88 Nov 26, 2024
d2065f3
fix: v2 check
apoorvdixit88 Nov 26, 2024
92f5791
Merge branch 'main' into add-tenant-id-in-user-roles-queries
apoorvdixit88 Nov 26, 2024
19301fd
fix: v2 with main
apoorvdixit88 Nov 26, 2024
1ccef95
chore: run formatter
hyperswitch-bot[bot] Nov 26, 2024
f5365b1
Merge branch 'main' into add-tenant-id-in-user-roles-queries
apoorvdixit88 Nov 27, 2024
998f369
fix: new check changes
apoorvdixit88 Nov 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
208 changes: 102 additions & 106 deletions crates/diesel_models/src/query/user_role.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,11 @@
use async_bb8_diesel::AsyncRunQueryDsl;
use common_utils::id_type;
use diesel::{
associations::HasTable, debug_query, pg::Pg, result::Error as DieselError,
associations::HasTable,
debug_query,
pg::Pg,
result::Error as DieselError,
sql_types::{Bool, Nullable},
BoolExpressionMethods, ExpressionMethods, QueryDsl,
};
use error_stack::{report, ResultExt};
Expand All @@ -22,89 +26,70 @@ impl UserRoleNew {
}

impl UserRole {
pub async fn find_by_user_id(
conn: &PgPooledConn,
user_id: String,
version: UserRoleVersion,
) -> StorageResult<Self> {
generics::generic_find_one::<<Self as HasTable>::Table, _, _>(
conn,
dsl::user_id.eq(user_id).and(dsl::version.eq(version)),
)
.await
}

pub async fn find_by_user_id_merchant_id(
conn: &PgPooledConn,
user_id: String,
merchant_id: id_type::MerchantId,
version: UserRoleVersion,
) -> StorageResult<Self> {
generics::generic_find_one::<<Self as HasTable>::Table, _, _>(
conn,
dsl::user_id
.eq(user_id)
.and(dsl::merchant_id.eq(merchant_id))
.and(dsl::version.eq(version)),
)
.await
}

pub async fn list_by_user_id(
conn: &PgPooledConn,
user_id: String,
version: UserRoleVersion,
) -> StorageResult<Vec<Self>> {
generics::generic_filter::<<Self as HasTable>::Table, _, _, _>(
conn,
dsl::user_id.eq(user_id).and(dsl::version.eq(version)),
None,
None,
Some(dsl::created_at.asc()),
)
.await
}

pub async fn list_by_merchant_id(
conn: &PgPooledConn,
merchant_id: id_type::MerchantId,
version: UserRoleVersion,
) -> StorageResult<Vec<Self>> {
generics::generic_filter::<<Self as HasTable>::Table, _, _, _>(
conn,
dsl::merchant_id
.eq(merchant_id)
.and(dsl::version.eq(version)),
None,
None,
Some(dsl::created_at.asc()),
fn check_user_in_lineage(
tenant_id: id_type::TenantId,
org_id: Option<id_type::OrganizationId>,
merchant_id: Option<id_type::MerchantId>,
profile_id: Option<id_type::ProfileId>,
) -> Box<
dyn diesel::BoxableExpression<<Self as HasTable>::Table, Pg, SqlType = Nullable<Bool>>
+ 'static,
> {
// Checking in user roles, for a user in token hierarchy, only one of the relations will be true:
// either tenant level, org level, merchant level, or profile level
// Tenant-level: (tenant_id = ? && org_id = null && merchant_id = null && profile_id = null)
// Org-level: (org_id = ? && merchant_id = null && profile_id = null)
// Merchant-level: (org_id = ? && merchant_id = ? && profile_id = null)
// Profile-level: (org_id = ? && merchant_id = ? && profile_id = ?)
Box::new(
// Tenant-level condition
dsl::tenant_id
.eq(tenant_id.clone())
.and(dsl::org_id.is_null())
.and(dsl::merchant_id.is_null())
.and(dsl::profile_id.is_null())
.or(
// Org-level condition
dsl::tenant_id
.eq(tenant_id.clone())
.and(dsl::org_id.eq(org_id.clone()))
.and(dsl::merchant_id.is_null())
.and(dsl::profile_id.is_null()),
)
.or(
// Merchant-level condition
dsl::tenant_id
.eq(tenant_id.clone())
.and(dsl::org_id.eq(org_id.clone()))
.and(dsl::merchant_id.eq(merchant_id.clone()))
.and(dsl::profile_id.is_null()),
)
.or(
// Profile-level condition
dsl::tenant_id
.eq(tenant_id)
.and(dsl::org_id.eq(org_id))
.and(dsl::merchant_id.eq(merchant_id))
.and(dsl::profile_id.eq(profile_id)),
),
)
.await
}

pub async fn find_by_user_id_org_id_merchant_id_profile_id(
pub async fn find_by_user_id_tenant_id_org_id_merchant_id_profile_id(
conn: &PgPooledConn,
user_id: String,
tenant_id: id_type::TenantId,
org_id: id_type::OrganizationId,
merchant_id: id_type::MerchantId,
profile_id: id_type::ProfileId,
version: UserRoleVersion,
) -> StorageResult<Self> {
// Checking in user roles, for a user in token hierarchy, only one of the relation will be true, either org level, merchant level or profile level
// (org_id = ? && merchant_id = null && profile_id = null) || (org_id = ? && merchant_id = ? && profile_id = null) || (org_id = ? && merchant_id = ? && profile_id = ?)
let check_lineage = dsl::org_id
.eq(org_id.clone())
.and(dsl::merchant_id.is_null().and(dsl::profile_id.is_null()))
.or(dsl::org_id.eq(org_id.clone()).and(
dsl::merchant_id
.eq(merchant_id.clone())
.and(dsl::profile_id.is_null()),
))
.or(dsl::org_id.eq(org_id).and(
dsl::merchant_id
.eq(merchant_id)
.and(dsl::profile_id.eq(profile_id)),
));
let check_lineage = Self::check_user_in_lineage(
tenant_id,
Some(org_id),
Some(merchant_id),
Some(profile_id),
);

let predicate = dsl::user_id
.eq(user_id)
Expand All @@ -114,30 +99,46 @@ impl UserRole {
generics::generic_find_one::<<Self as HasTable>::Table, _, _>(conn, predicate).await
}

pub async fn update_by_user_id_org_id_merchant_id_profile_id(
#[allow(clippy::too_many_arguments)]
pub async fn update_by_user_id_tenant_id_org_id_merchant_id_profile_id(
conn: &PgPooledConn,
user_id: String,
tenant_id: id_type::TenantId,
org_id: id_type::OrganizationId,
merchant_id: Option<id_type::MerchantId>,
profile_id: Option<id_type::ProfileId>,
update: UserRoleUpdate,
version: UserRoleVersion,
) -> StorageResult<Self> {
// Checking in user roles, for a user in token hierarchy, only one of the relation will be true, either org level, merchant level or profile level
// (org_id = ? && merchant_id = null && profile_id = null) || (org_id = ? && merchant_id = ? && profile_id = null) || (org_id = ? && merchant_id = ? && profile_id = ?)
let check_lineage = dsl::org_id
.eq(org_id.clone())
.and(dsl::merchant_id.is_null().and(dsl::profile_id.is_null()))
.or(dsl::org_id.eq(org_id.clone()).and(
dsl::merchant_id
.eq(merchant_id.clone())
let check_lineage = dsl::tenant_id
.eq(tenant_id.clone())
.and(dsl::org_id.is_null())
.and(dsl::merchant_id.is_null())
.and(dsl::profile_id.is_null())
.or(
// Org-level condition
dsl::tenant_id
.eq(tenant_id.clone())
.and(dsl::org_id.eq(org_id.clone()))
.and(dsl::merchant_id.is_null())
.and(dsl::profile_id.is_null()),
)
.or(
// Merchant-level condition
dsl::tenant_id
.eq(tenant_id.clone())
.and(dsl::org_id.eq(org_id.clone()))
.and(dsl::merchant_id.eq(merchant_id.clone()))
.and(dsl::profile_id.is_null()),
))
.or(dsl::org_id.eq(org_id).and(
dsl::merchant_id
.eq(merchant_id)
)
.or(
// Profile-level condition
dsl::tenant_id
.eq(tenant_id)
.and(dsl::org_id.eq(org_id))
.and(dsl::merchant_id.eq(merchant_id))
.and(dsl::profile_id.eq(profile_id)),
));
);

let predicate = dsl::user_id
.eq(user_id)
Expand All @@ -153,29 +154,21 @@ impl UserRole {
.await
}

pub async fn delete_by_user_id_org_id_merchant_id_profile_id(
pub async fn delete_by_user_id_tenant_id_org_id_merchant_id_profile_id(
conn: &PgPooledConn,
user_id: String,
tenant_id: id_type::TenantId,
org_id: id_type::OrganizationId,
merchant_id: id_type::MerchantId,
profile_id: id_type::ProfileId,
version: UserRoleVersion,
) -> StorageResult<Self> {
// Checking in user roles, for a user in token hierarchy, only one of the relation will be true, either org level, merchant level or profile level
// (org_id = ? && merchant_id = null && profile_id = null) || (org_id = ? && merchant_id = ? && profile_id = null) || (org_id = ? && merchant_id = ? && profile_id = ?)
let check_lineage = dsl::org_id
.eq(org_id.clone())
.and(dsl::merchant_id.is_null().and(dsl::profile_id.is_null()))
.or(dsl::org_id.eq(org_id.clone()).and(
dsl::merchant_id
.eq(merchant_id.clone())
.and(dsl::profile_id.is_null()),
))
.or(dsl::org_id.eq(org_id).and(
dsl::merchant_id
.eq(merchant_id)
.and(dsl::profile_id.eq(profile_id)),
));
let check_lineage = Self::check_user_in_lineage(
tenant_id,
Some(org_id),
Some(merchant_id),
Some(profile_id),
);

let predicate = dsl::user_id
.eq(user_id)
Expand All @@ -190,6 +183,7 @@ impl UserRole {
pub async fn generic_user_roles_list_for_user(
conn: &PgPooledConn,
user_id: String,
tenant_id: id_type::TenantId,
org_id: Option<id_type::OrganizationId>,
merchant_id: Option<id_type::MerchantId>,
profile_id: Option<id_type::ProfileId>,
Expand All @@ -199,7 +193,7 @@ impl UserRole {
limit: Option<u32>,
) -> StorageResult<Vec<Self>> {
let mut query = <Self as HasTable>::table()
.filter(dsl::user_id.eq(user_id))
.filter(dsl::user_id.eq(user_id).and(dsl::tenant_id.eq(tenant_id)))
.into_boxed();

if let Some(org_id) = org_id {
Expand Down Expand Up @@ -248,17 +242,19 @@ impl UserRole {
}
}

#[allow(clippy::too_many_arguments)]
pub async fn generic_user_roles_list_for_org_and_extra(
conn: &PgPooledConn,
user_id: Option<String>,
tenant_id: id_type::TenantId,
org_id: id_type::OrganizationId,
merchant_id: Option<id_type::MerchantId>,
profile_id: Option<id_type::ProfileId>,
version: Option<UserRoleVersion>,
limit: Option<u32>,
) -> StorageResult<Vec<Self>> {
let mut query = <Self as HasTable>::table()
.filter(dsl::org_id.eq(org_id))
.filter(dsl::org_id.eq(org_id).and(dsl::tenant_id.eq(tenant_id)))
.into_boxed();

if let Some(user_id) = user_id {
Expand Down
2 changes: 2 additions & 0 deletions crates/router/src/analytics.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1864,6 +1864,7 @@ pub mod routes {
.global_store
.list_user_roles_by_user_id(ListUserRolesByUserIdPayload {
user_id: &auth.user_id,
tenant_id: auth.tenant_id.as_ref().unwrap_or(&state.tenant.tenant_id),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If default value if taken for tenant id not being present in auth token, then won't a user be able to access any tenancy if user gets access to a token with tenant_id: None.
Are we ensuring tenant_id will never be null ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tenant_id will always be present in token, i kept it option just for backward compatibility. We will be making it non option after one two deployments.
Also token tenant's id and state tenant id should be same, so we can use any. We are checking for this only in authentication part.
Moreover currently the feature is disabled, so we won't be having different tenancy support.

org_id: Some(&auth.org_id),
merchant_id: None,
profile_id: None,
Expand Down Expand Up @@ -1987,6 +1988,7 @@ pub mod routes {
.global_store
.list_user_roles_by_user_id(ListUserRolesByUserIdPayload {
user_id: &auth.user_id,
tenant_id: auth.tenant_id.as_ref().unwrap_or(&state.tenant.tenant_id),
org_id: Some(&auth.org_id),
merchant_id: None,
profile_id: None,
Expand Down
Loading
Loading