feat: role filter while listing organization users

- raystack/proton#371 - a list of role name/ids are accepted as inputs, it can't be used when `with_roles` is toggled on. Signed-off-by: Kush Sharma <[email protected]>
raystack · Nov 4, 2024 · a75ca5c · a75ca5c
1 parent 6b4d111
commit a75ca5c
Show file tree

Hide file tree

Showing 7 changed files with 4,482 additions and 4,381 deletions.
diff --git a/Makefile b/Makefile
@@ -4,7 +4,7 @@ TAG := $(shell git rev-list --tags --max-count=1)
 VERSION := $(shell git describe --tags ${TAG})
 .PHONY: build check fmt lint test test-race vet test-cover-html help install proto ui compose-up-dev
 .DEFAULT_GOAL := build
-PROTON_COMMIT := "145667ee53b037d636c09df0a529c351069132dc"
+PROTON_COMMIT := "5666a16e7b8a8faa5def5801d81ed22776622403"
 
 ui:
 	@echo " > generating ui build"

diff --git a/core/policy/filter.go b/core/policy/filter.go
@@ -5,6 +5,7 @@ type Filter struct {
 	ProjectID string
 	GroupID   string
 	RoleID    string
+	RoleIDs   []string
 
 	PrincipalType string
 	PrincipalID   string

diff --git a/internal/api/v1beta1/org.go b/internal/api/v1beta1/org.go
@@ -3,6 +3,8 @@ package v1beta1
 import (
 	"context"
 
+	"github.com/raystack/frontier/core/policy"
+
 	"github.com/raystack/frontier/core/authenticate"
 
 	"go.uber.org/zap"
@@ -259,9 +261,67 @@ func (h Handler) ListOrganizationUsers(ctx context.Context, request *frontierv1b
 		}
 	}
 
-	users, err := h.userService.ListByOrg(ctx, orgResp.ID, request.GetPermissionFilter())
-	if err != nil {
-		return nil, err
+	var users []user.User
+	var rolePairPBs []*frontierv1beta1.ListOrganizationUsersResponse_RolePair
+
+	if len(request.GetRoleFilters()) > 0 {
+		// convert role names to ids if needed
+		roleIDs := request.GetRoleFilters()
+		for i, roleFilter := range request.GetRoleFilters() {
+			if !utils.IsValidUUID(roleFilter) {
+				role, err := h.roleService.Get(ctx, roleFilter)
+				if err != nil {
+					return nil, err
+				}
+				roleIDs[i] = role.ID
+			}
+		}
+
+		// need to fetch users with roles assigned to them
+		policies, err := h.policyService.List(ctx, policy.Filter{
+			OrgID:         request.GetId(),
+			PrincipalType: schema.UserPrincipal,
+			ResourceType:  schema.OrganizationNamespace,
+			RoleIDs:       roleIDs,
+		})
+		if err != nil {
+			return nil, err
+		}
+		users = utils.Filter(utils.Map(policies, func(pol policy.Policy) user.User {
+			u, _ := h.userService.GetByID(ctx, pol.PrincipalID)
+			return u
+		}), func(u user.User) bool {
+			return u.ID != ""
+		})
+	} else {
+		// list all users
+		users, err = h.userService.ListByOrg(ctx, orgResp.ID, request.GetPermissionFilter())
+		if err != nil {
+			return nil, err
+		}
+		if request.GetWithRoles() {
+			for _, user := range users {
+				roles, err := h.policyService.ListRoles(ctx, schema.UserPrincipal, user.ID, schema.OrganizationNamespace, request.GetId())
+				if err != nil {
+					return nil, err
+				}
+
+				rolesPb := utils.Filter(utils.Map(roles, func(role role.Role) *frontierv1beta1.Role {
+					pb, err := transformRoleToPB(role)
+					if err != nil {
+						logger.Error("failed to transform role for group", zap.Error(err))
+						return nil
+					}
+					return &pb
+				}), func(role *frontierv1beta1.Role) bool {
+					return role != nil
+				})
+				rolePairPBs = append(rolePairPBs, &frontierv1beta1.ListOrganizationUsersResponse_RolePair{
+					UserId: user.ID,
+					Roles:  rolesPb,
+				})
+			}
+		}
 	}
 
 	var usersPB []*frontierv1beta1.User
@@ -270,35 +330,8 @@ func (h Handler) ListOrganizationUsers(ctx context.Context, request *frontierv1b
 		if err != nil {
 			return nil, err
 		}
-
 		usersPB = append(usersPB, u)
 	}
-
-	var rolePairPBs []*frontierv1beta1.ListOrganizationUsersResponse_RolePair
-	if request.GetWithRoles() {
-		for _, user := range users {
-			roles, err := h.policyService.ListRoles(ctx, schema.UserPrincipal, user.ID, schema.OrganizationNamespace, request.GetId())
-			if err != nil {
-				return nil, err
-			}
-
-			rolesPb := utils.Filter(utils.Map(roles, func(role role.Role) *frontierv1beta1.Role {
-				pb, err := transformRoleToPB(role)
-				if err != nil {
-					logger.Error("failed to transform role for group", zap.Error(err))
-					return nil
-				}
-				return &pb
-			}), func(role *frontierv1beta1.Role) bool {
-				return role != nil
-			})
-			rolePairPBs = append(rolePairPBs, &frontierv1beta1.ListOrganizationUsersResponse_RolePair{
-				UserId: user.ID,
-				Roles:  rolesPb,
-			})
-		}
-	}
-
 	return &frontierv1beta1.ListOrganizationUsersResponse{
 		Users:     usersPB,
 		RolePairs: rolePairPBs,

diff --git a/internal/store/postgres/policy_repository.go b/internal/store/postgres/policy_repository.go
@@ -118,6 +118,11 @@ func applyListFilter(stmt *goqu.SelectDataset, flt policy.Filter) *goqu.SelectDa
 			"role_id": flt.RoleID,
 		})
 	}
+	if len(flt.RoleIDs) > 0 {
+		stmt = stmt.Where(goqu.Ex{
+			"role_id": flt.RoleIDs,
+		})
+	}
 	return stmt
 }
 

diff --git a/proto/apidocs.swagger.yaml b/proto/apidocs.swagger.yaml
@@ -3074,6 +3074,13 @@ paths:
           in: query
           required: false
           type: boolean
+        - name: role_filters
+          in: query
+          required: false
+          type: array
+          items:
+            type: string
+          collectionFormat: multi
       tags:
         - Organization
     post: