fix: missing org ids in service user tokens

Signed-off-by: Kush Sharma <[email protected]>

core/authenticate/authenticate.go

@@ -128,7 +128,10 @@ type RegistrationFinishResponse struct {
 }
 
 type Principal struct {
-	ID   string
+	// ID is the unique identifier of principal
+	ID string
+	// Type is the namespace of principal
+	// E.g. app/user, app/serviceuser
 	Type string
 
 	User        *user.User

core/deleter/service.go

@@ -5,6 +5,8 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/raystack/frontier/core/authenticate"
+
 	"github.com/raystack/frontier/billing/invoice"
 
 	"github.com/raystack/frontier/billing/customer"
@@ -39,7 +41,7 @@ type OrganizationService interface {
 	Get(ctx context.Context, id string) (organization.Organization, error)
 	DeleteModel(ctx context.Context, id string) error
 	RemoveUsers(ctx context.Context, orgID string, userIDs []string) error
-	ListByUser(ctx context.Context, userID string, f organization.Filter) ([]organization.Organization, error)
+	ListByUser(ctx context.Context, principal authenticate.Principal, f organization.Filter) ([]organization.Organization, error)
 }
 
 type RoleService interface {
@@ -320,7 +322,10 @@ func (d Service) RemoveUsersFromOrg(ctx context.Context, orgID string, userIDs [
 }
 
 func (d Service) DeleteUser(ctx context.Context, userID string) error {
-	userOrgs, err := d.orgService.ListByUser(ctx, userID, organization.Filter{})
+	userOrgs, err := d.orgService.ListByUser(ctx, authenticate.Principal{
+		ID:   userID,
+		Type: schema.UserPrincipal,
+	}, organization.Filter{})
 	if err != nil {
 		return err
 	}

core/domain/service.go

@@ -25,7 +25,7 @@ type UserService interface {
 }
 
 type OrgService interface {
-	ListByUser(ctx context.Context, userID string, filter organization.Filter) ([]organization.Organization, error)
+	ListByUser(ctx context.Context, principal authenticate.Principal, filter organization.Filter) ([]organization.Organization, error)
 	AddMember(ctx context.Context, orgID, relationName string, principal authenticate.Principal) error
 	Get(ctx context.Context, id string) (organization.Organization, error)
 }
@@ -134,7 +134,10 @@ func (s Service) Join(ctx context.Context, orgID string, userId string) error {
 	}
 
 	// check if user is already a member of the organization. if yes, do nothing and return nil
-	userOrgs, err := s.orgService.ListByUser(ctx, currUser.ID, organization.Filter{})
+	userOrgs, err := s.orgService.ListByUser(ctx, authenticate.Principal{
+		ID:   currUser.ID,
+		Type: schema.UserPrincipal,
+	}, organization.Filter{})
 	if err != nil {
 		return err
 	}
@@ -190,7 +193,10 @@ func (s Service) ListJoinableOrgsByDomain(ctx context.Context, email string) ([]
 		return nil, err
 	}
 
-	userOrgs, err := s.orgService.ListByUser(ctx, currUser.ID, organization.Filter{})
+	userOrgs, err := s.orgService.ListByUser(ctx, authenticate.Principal{
+		ID:   currUser.ID,
+		Type: schema.UserPrincipal,
+	}, organization.Filter{})
 	if err != nil {
 		return nil, err
 	}

core/invitation/service.go

@@ -45,7 +45,7 @@ type UserService interface {
 type OrganizationService interface {
 	Get(ctx context.Context, id string) (organization.Organization, error)
 	AddMember(ctx context.Context, orgID, relationName string, principal authenticate.Principal) error
-	ListByUser(ctx context.Context, userID string, f organization.Filter) ([]organization.Organization, error)
+	ListByUser(ctx context.Context, p authenticate.Principal, f organization.Filter) ([]organization.Organization, error)
 }
 
 type GroupService interface {
@@ -263,7 +263,10 @@ func (s Service) isUserOrgMember(ctx context.Context, orgID, userID string) (use
 		return userOb, false, err
 	}
 
-	orgs, err := s.orgSvc.ListByUser(ctx, userOb.ID, organization.Filter{})
+	orgs, err := s.orgSvc.ListByUser(ctx, authenticate.Principal{
+		ID:   userOb.ID,
+		Type: schema.UserPrincipal,
+	}, organization.Filter{})
 	if err != nil {
 		return userOb, false, err
 	}

core/organization/service.go

@@ -206,7 +206,10 @@ func (s Service) AttachToPlatform(ctx context.Context, orgID string) error {
 
 func (s Service) List(ctx context.Context, f Filter) ([]Organization, error) {
 	if f.UserID != "" {
-		return s.ListByUser(ctx, f.UserID, f)
+		return s.ListByUser(ctx, authenticate.Principal{
+			ID:   f.UserID,
+			Type: schema.UserPrincipal,
+		}, f)
 	}
 
 	// state gets filtered in db
@@ -220,14 +223,14 @@ func (s Service) Update(ctx context.Context, org Organization) (Organization, er
 	return s.repository.UpdateByName(ctx, org)
 }
 
-func (s Service) ListByUser(ctx context.Context, userID string, filter Filter) ([]Organization, error) {
+func (s Service) ListByUser(ctx context.Context, principal authenticate.Principal, filter Filter) ([]Organization, error) {
 	subjectIDs, err := s.relationService.LookupResources(ctx, relation.Relation{
 		Object: relation.Object{
 			Namespace: schema.OrganizationNamespace,
 		},
 		Subject: relation.Subject{
-			ID:        userID,
-			Namespace: schema.UserPrincipal,
+			ID:        principal.ID,
+			Namespace: principal.Type,
 		},
 		RelationName: schema.MembershipPermission,
 	})

internal/api/v1beta1/authenticate.go

@@ -277,7 +277,7 @@ func (h Handler) getAccessToken(ctx context.Context, principal authenticate.Prin
 
 	if h.authConfig.Token.Claims.AddOrgIDsClaim {
 		// get orgs a user belongs to
-		orgs, err := h.orgService.ListByUser(ctx, principal.ID, organization.Filter{})
+		orgs, err := h.orgService.ListByUser(ctx, principal, organization.Filter{})
 		if err != nil {
 			return nil, err
 		}

internal/api/v1beta1/org.go

@@ -3,6 +3,8 @@ package v1beta1
 import (
 	"context"
 
+	"github.com/raystack/frontier/core/authenticate"
+
 	"go.uber.org/zap"
 
 	"github.com/raystack/frontier/core/audit"
@@ -41,7 +43,7 @@ type OrganizationService interface {
 	Create(ctx context.Context, org organization.Organization) (organization.Organization, error)
 	List(ctx context.Context, f organization.Filter) ([]organization.Organization, error)
 	Update(ctx context.Context, toUpdate organization.Organization) (organization.Organization, error)
-	ListByUser(ctx context.Context, userID string, flt organization.Filter) ([]organization.Organization, error)
+	ListByUser(ctx context.Context, principal authenticate.Principal, flt organization.Filter) ([]organization.Organization, error)
 	AddUsers(ctx context.Context, orgID string, userID []string) error
 	Enable(ctx context.Context, id string) error
 	Disable(ctx context.Context, id string) error

internal/api/v1beta1/user.go

@@ -450,7 +450,10 @@ func (h Handler) ListCurrentUserGroups(ctx context.Context, request *frontierv1b
 }
 
 func (h Handler) ListOrganizationsByUser(ctx context.Context, request *frontierv1beta1.ListOrganizationsByUserRequest) (*frontierv1beta1.ListOrganizationsByUserResponse, error) {
-	orgList, err := h.orgService.ListByUser(ctx, request.GetId(), organization.Filter{})
+	orgList, err := h.orgService.ListByUser(ctx, authenticate.Principal{
+		ID:   request.GetId(),
+		Type: schema.UserPrincipal,
+	}, organization.Filter{})
 	if err != nil {
 		return nil, err
 	}
@@ -497,7 +500,7 @@ func (h Handler) ListOrganizationsByCurrentUser(ctx context.Context, request *fr
 	if request.GetState() != "" {
 		orgFilter.State = organization.State(request.GetState())
 	}
-	orgList, err := h.orgService.ListByUser(ctx, principal.ID, orgFilter)
+	orgList, err := h.orgService.ListByUser(ctx, principal, orgFilter)
 	if err != nil {
 		return nil, err
 	}

test/e2e/regression/api_test.go

@@ -42,6 +42,7 @@ import (
 const (
 	fixturesDir           = "testdata"
 	computeOrderNamespace = "compute/order"
+	computeDiskNamespace  = "compute/disk"
 	computeViewerRoleName = "compute_order_viewer"
 )
 
@@ -1460,12 +1461,32 @@ func (s *APIRegressionTestSuite) TestResourceAPI() {
 		})
 		s.Assert().NoError(err)
 		s.Assert().NotNil(createResourceResp)
+		createResourceResp2, err := s.testBench.Client.CreateProjectResource(ctxOrgAdminAuth, &frontierv1beta1.CreateProjectResourceRequest{
+			ProjectId: createProjResp.GetProject().GetId(),
+			Body: &frontierv1beta1.ResourceRequestBody{
+				Name:      "res-2",
+				Namespace: computeDiskNamespace,
+				Principal: userResp.GetUser().GetId(),
+				Metadata:  &structpb.Struct{},
+			},
+		})
+		s.Assert().NoError(err)
+		s.Assert().NotNil(createResourceResp2)
 
 		listResourcesResp, err := s.testBench.Client.ListProjectResources(ctxOrgAdminAuth, &frontierv1beta1.ListProjectResourcesRequest{
 			ProjectId: createProjResp.GetProject().GetId(),
 		})
 		s.Assert().NoError(err)
 		s.Assert().Equal("res-1", listResourcesResp.GetResources()[0].GetName())
+
+		// filter user by namespace
+		listAllResourcesResp, err := s.testBench.AdminClient.ListResources(ctxOrgAdminAuth, &frontierv1beta1.ListResourcesRequest{
+			ProjectId: createProjResp.GetProject().GetId(),
+			Namespace: computeDiskNamespace,
+		})
+		s.Assert().NoError(err)
+		s.Assert().Len(listAllResourcesResp.GetResources(), 1)
+		s.Assert().Equal("res-2", listAllResourcesResp.GetResources()[0].GetName())
 	})
 }
 

test/e2e/regression/testdata/resource/compute.yml

@@ -8,6 +8,12 @@ permissions:
   - name: create
     namespace: compute/order
   - key: compute.order.configure
+  - name: get
+    namespace: compute/disk
+  - name: create
+    namespace: compute/disk
+  - name: delete
+    namespace: compute/disk
 roles:
   - name: compute_order_manager
     permissions: