UpdateProjectPolicyFromRoleGrantIssue updates the project policy from a role grant issue.
(ctx context.Context, stores *store.Store, workspaceID string, issue *store.IssueMessage, roleGrant *storepb.RoleGrant)
| 79 | |
| 80 | // UpdateProjectPolicyFromRoleGrantIssue updates the project policy from a role grant issue. |
| 81 | func UpdateProjectPolicyFromRoleGrantIssue(ctx context.Context, stores *store.Store, workspaceID string, issue *store.IssueMessage, roleGrant *storepb.RoleGrant) error { |
| 82 | policyMessage, err := stores.GetProjectIamPolicy(ctx, workspaceID, issue.ProjectID) |
| 83 | if err != nil { |
| 84 | return errors.Wrapf(err, "failed to get project policy for project %s", issue.ProjectID) |
| 85 | } |
| 86 | |
| 87 | var newConditionExpr string |
| 88 | if roleGrant.Condition != nil { |
| 89 | newConditionExpr = roleGrant.Condition.Expression |
| 90 | } |
| 91 | updated := false |
| 92 | |
| 93 | email, err := extractEmailFromUserIdentifier(roleGrant.User) |
| 94 | if err != nil { |
| 95 | return err |
| 96 | } |
| 97 | newUser, err := stores.GetUserByEmail(ctx, email) |
| 98 | if err != nil { |
| 99 | return errors.Wrapf(err, "failed to find user %s", email) |
| 100 | } |
| 101 | if newUser == nil { |
| 102 | return connect.NewError(connect.CodeInternal, errors.Errorf("user %s not found", email)) |
| 103 | } |
| 104 | memberName := formatMemberNameByType(newUser) |
| 105 | for _, binding := range policyMessage.Policy.Bindings { |
| 106 | if binding.Role != roleGrant.Role { |
| 107 | continue |
| 108 | } |
| 109 | var oldConditionExpr string |
| 110 | if binding.Condition != nil { |
| 111 | oldConditionExpr = binding.Condition.Expression |
| 112 | } |
| 113 | if oldConditionExpr != newConditionExpr { |
| 114 | continue |
| 115 | } |
| 116 | // Append |
| 117 | binding.Members = append(binding.Members, memberName) |
| 118 | updated = true |
| 119 | break |
| 120 | } |
| 121 | if !updated { |
| 122 | condition := roleGrant.Condition |
| 123 | if condition == nil { |
| 124 | condition = &expr.Expr{} |
| 125 | } |
| 126 | condition.Description = fmt.Sprintf("#%d", issue.UID) |
| 127 | policyMessage.Policy.Bindings = append(policyMessage.Policy.Bindings, &storepb.Binding{ |
| 128 | Role: roleGrant.Role, |
| 129 | Members: []string{memberName}, |
| 130 | Condition: condition, |
| 131 | }) |
| 132 | } |
| 133 | |
| 134 | policyPayload, err := protojson.Marshal(policyMessage.Policy) |
| 135 | if err != nil { |
| 136 | return err |
| 137 | } |
| 138 | if _, err := stores.CreatePolicy(ctx, &store.PolicyMessage{ |
no test coverage detected