feat(query): create query for global app token grants

dkanney · dkanney · commit 82c164debfcb · 2025-11-12T03:07:40.000-05:00
Retrieves grant info for recursive requests for resources that can live in any scope (Global, Org, and Project)
diff --git a/internal/iam/query.go b/internal/iam/query.go
@@ -564,6 +564,42 @@ const (
            grant_this_role_scope;
     `
 
+	// grantsForTokenGlobalOrgProjectResourcesRecursiveQuery gets a app token's grants for resources
+	// applicable to all scopes at the global request scope.
+	grantsForTokenGlobalOrgProjectResourcesRecursiveQuery = `
+   select app_token_permission_global.private_id                                           as permission_id,
+          app_token_permission_global.description,
+          app_token_permission_global.create_time,
+          app_token_permission_global.grant_this_scope,
+          app_token_permission_global.grant_scope,
+          app_token_global.public_id                                                       as app_token_id,
+          array_agg(distinct app_token_permission_grant.canonical_grant)                   as canonical_grants,
+          array_agg(distinct coalesce(iam_scope_org.scope_id, iam_scope_project.scope_id)) as active_grant_scopes
+     from app_token_global
+     join app_token_permission_global
+       on app_token_global.public_id = app_token_permission_global.app_token_id
+      and app_token_global.public_id = any(@token_ids)
+     join app_token_permission_grant
+       on app_token_permission_global.private_id = app_token_permission_grant.permission_id
+     join iam_grant
+       on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
+      and iam_grant.resource = any(@resources)
+left join app_token_permission_global_individual_org_grant_scope
+       on app_token_permission_global.private_id = app_token_permission_global_individual_org_grant_scope.permission_id
+left join iam_scope_org
+       on app_token_permission_global_individual_org_grant_scope.scope_id = iam_scope_org.scope_id
+left join app_token_permission_global_individual_project_grant_scope
+       on app_token_permission_global.private_id = app_token_permission_global_individual_project_grant_scope.permission_id
+left join iam_scope_project
+       on app_token_permission_global_individual_project_grant_scope.scope_id = iam_scope_project.scope_id
+ group by app_token_permission_global.private_id,
+          app_token_permission_global.description,
+          app_token_permission_global.create_time,
+          app_token_permission_global.grant_this_scope,
+          app_token_permission_global.grant_scope,
+          app_token_global.public_id;
+    `
+
 	estimateCountRoles = `
 		select reltuples::bigint as estimate from pg_class where oid in ('iam_role'::regclass)
 	`
