feat: adds projectID prop in IAM user account

Closes #1621

These changes introduce the `projectID` field in IAM user accounts. The field has been added across all IAM systems: internal, IPA, LDAP, Vault, and S3 object. Support has also been added to the admin CLI commands to create, update, and list users with the `projectID` included.

auth/iam.go

@@ -45,11 +45,12 @@ func (r Role) IsValid() bool {
 
 // Account is a gateway IAM account
 type Account struct {
-	Access  string `json:"access"`
-	Secret  string `json:"secret"`
-	Role    Role   `json:"role"`
-	UserID  int    `json:"userID"`
-	GroupID int    `json:"groupID"`
+	Access    string `json:"access"`
+	Secret    string `json:"secret"`
+	Role      Role   `json:"role"`
+	UserID    int    `json:"userID"`
+	GroupID   int    `json:"groupID"`
+	ProjectID int    `json:"projectID"`
 }
 
 type ListUserAccountsResult struct {
@@ -58,10 +59,11 @@ type ListUserAccountsResult struct {
 
 // Mutable props, which could be changed when updating an IAM account
 type MutableProps struct {
-	Secret  *string `json:"secret"`
-	Role    Role    `json:"role"`
-	UserID  *int    `json:"userID"`
-	GroupID *int    `json:"groupID"`
+	Secret    *string `json:"secret"`
+	Role      Role    `json:"role"`
+	UserID    *int    `json:"userID"`
+	GroupID   *int    `json:"groupID"`
+	ProjectID *int    `json:"projectID"`
 }
 
 func (m MutableProps) Validate() error {
@@ -82,6 +84,9 @@ func updateAcc(acc *Account, props MutableProps) {
 	if props.UserID != nil {
 		acc.UserID = *props.UserID
 	}
+	if props.ProjectID != nil {
+		acc.ProjectID = *props.ProjectID
+	}
 	if props.Role != "" {
 		acc.Role = props.Role
 	}
@@ -119,6 +124,7 @@ type Opts struct {
 	LDAPRoleAtr                 string
 	LDAPUserIdAtr               string
 	LDAPGroupIdAtr              string
+	LDAPProjectIdAtr            string
 	LDAPTLSSkipVerify           bool
 	VaultEndpointURL            string
 	VaultNamespace              string
@@ -160,7 +166,7 @@ func New(o *Opts) (IAMService, error) {
 	case o.LDAPServerURL != "":
 		svc, err = NewLDAPService(o.RootAccount, o.LDAPServerURL, o.LDAPBindDN, o.LDAPPassword,
 			o.LDAPQueryBase, o.LDAPAccessAtr, o.LDAPSecretAtr, o.LDAPRoleAtr, o.LDAPUserIdAtr,
-			o.LDAPGroupIdAtr, o.LDAPObjClasses, o.LDAPTLSSkipVerify)
+			o.LDAPGroupIdAtr, o.LDAPProjectIdAtr, o.LDAPObjClasses, o.LDAPTLSSkipVerify)
 		fmt.Printf("initializing LDAP IAM with %q\n", o.LDAPServerURL)
 	case o.S3Endpoint != "":
 		svc, err = NewS3(o.RootAccount, o.S3Access, o.S3Secret, o.S3Region, o.S3Bucket,

auth/iam_internal.go

@@ -194,11 +194,12 @@ func (s *IAMServiceInternal) ListUserAccounts() ([]Account, error) {
 	var accs []Account
 	for _, k := range keys {
 		accs = append(accs, Account{
-			Access:  k,
-			Secret:  conf.AccessAccounts[k].Secret,
-			Role:    conf.AccessAccounts[k].Role,
-			UserID:  conf.AccessAccounts[k].UserID,
-			GroupID: conf.AccessAccounts[k].GroupID,
+			Access:    k,
+			Secret:    conf.AccessAccounts[k].Secret,
+			Role:      conf.AccessAccounts[k].Role,
+			UserID:    conf.AccessAccounts[k].UserID,
+			GroupID:   conf.AccessAccounts[k].GroupID,
+			ProjectID: conf.AccessAccounts[k].ProjectID,
 		})
 	}
 

auth/iam_ipa.go

@@ -132,6 +132,7 @@ func (ipa *IpaIAMService) GetUserAccount(access string) (Account, error) {
 	userResult := struct {
 		Gidnumber []string
 		Uidnumber []string
+		PidNumber []string
 	}{}
 
 	err = ipa.rpc(req, &userResult)
@@ -147,12 +148,17 @@ func (ipa *IpaIAMService) GetUserAccount(access string) (Account, error) {
 	if err != nil {
 		return Account{}, fmt.Errorf("ipa gid invalid: %w", err)
 	}
+	pId, err := strconv.Atoi(userResult.PidNumber[0])
+	if err != nil {
+		return Account{}, fmt.Errorf("ipa pid invalid: %w", err)
+	}
 
 	account := Account{
-		Access:  access,
-		Role:    RoleUser,
-		UserID:  uid,
-		GroupID: gid,
+		Access:    access,
+		Role:      RoleUser,
+		UserID:    uid,
+		GroupID:   gid,
+		ProjectID: pId,
 	}
 
 	session_key := make([]byte, 16)

auth/iam_ldap.go

@@ -36,6 +36,7 @@ type LdapIAMService struct {
 	roleAtr       string
 	groupIdAtr    string
 	userIdAtr     string
+	projectIdAtr  string
 	rootAcc       Account
 	url           string
 	bindDN        string
@@ -46,9 +47,9 @@ type LdapIAMService struct {
 
 var _ IAMService = &LdapIAMService{}
 
-func NewLDAPService(rootAcc Account, ldapURL, bindDN, pass, queryBase, accAtr, secAtr, roleAtr, userIdAtr, groupIdAtr, objClasses string, tlsSkipVerify bool) (IAMService, error) {
+func NewLDAPService(rootAcc Account, ldapURL, bindDN, pass, queryBase, accAtr, secAtr, roleAtr, userIdAtr, groupIdAtr, projectIdAtr, objClasses string, tlsSkipVerify bool) (IAMService, error) {
 	if ldapURL == "" || bindDN == "" || pass == "" || queryBase == "" || accAtr == "" ||
-		secAtr == "" || roleAtr == "" || userIdAtr == "" || groupIdAtr == "" || objClasses == "" {
+		secAtr == "" || roleAtr == "" || userIdAtr == "" || groupIdAtr == "" || projectIdAtr == "" || objClasses == "" {
 		return nil, fmt.Errorf("required parameters list not fully provided")
 	}
 
@@ -71,6 +72,7 @@ func NewLDAPService(rootAcc Account, ldapURL, bindDN, pass, queryBase, accAtr, s
 		roleAtr:       roleAtr,
 		userIdAtr:     userIdAtr,
 		groupIdAtr:    groupIdAtr,
+		projectIdAtr:  projectIdAtr,
 		rootAcc:       rootAcc,
 		url:           ldapURL,
 		bindDN:        bindDN,
@@ -142,6 +144,7 @@ func (ld *LdapIAMService) CreateAccount(account Account) error {
 	userEntry.Attribute(ld.roleAtr, []string{string(account.Role)})
 	userEntry.Attribute(ld.groupIdAtr, []string{fmt.Sprint(account.GroupID)})
 	userEntry.Attribute(ld.userIdAtr, []string{fmt.Sprint(account.UserID)})
+	userEntry.Attribute(ld.projectIdAtr, []string{fmt.Sprint(account.ProjectID)})
 
 	err := ld.execute(func(c *ldap.Conn) error {
 		return c.Add(userEntry)
@@ -177,7 +180,7 @@ func (ld *LdapIAMService) GetUserAccount(access string) (Account, error) {
 		0,
 		false,
 		ld.buildSearchFilter(access),
-		[]string{ld.accessAtr, ld.secretAtr, ld.roleAtr, ld.userIdAtr, ld.groupIdAtr},
+		[]string{ld.accessAtr, ld.secretAtr, ld.roleAtr, ld.userIdAtr, ld.groupIdAtr, ld.projectIdAtr},
 		nil,
 	)
 
@@ -216,12 +219,19 @@ func (ld *LdapIAMService) GetUserAccount(access string) (Account, error) {
 		return Account{}, fmt.Errorf("invalid entry value for user-id %q: %w",
 			entry.GetAttributeValue(ld.userIdAtr), err)
 	}
+	projectID, err := strconv.Atoi(entry.GetAttributeValue(ld.projectIdAtr))
+	if err != nil {
+		return Account{}, fmt.Errorf("invalid entry value for project-id %q: %w",
+			entry.GetAttributeValue(ld.projectIdAtr), err)
+	}
+
 	return Account{
-		Access:  entry.GetAttributeValue(ld.accessAtr),
-		Secret:  entry.GetAttributeValue(ld.secretAtr),
-		Role:    Role(entry.GetAttributeValue(ld.roleAtr)),
-		GroupID: groupId,
-		UserID:  userId,
+		Access:    entry.GetAttributeValue(ld.accessAtr),
+		Secret:    entry.GetAttributeValue(ld.secretAtr),
+		Role:      Role(entry.GetAttributeValue(ld.roleAtr)),
+		GroupID:   groupId,
+		UserID:    userId,
+		ProjectID: projectID,
 	}, nil
 }
 
@@ -236,6 +246,9 @@ func (ld *LdapIAMService) UpdateUserAccount(access string, props MutableProps) e
 	if props.UserID != nil {
 		req.Replace(ld.userIdAtr, []string{fmt.Sprint(*props.UserID)})
 	}
+	if props.ProjectID != nil {
+		req.Replace(ld.projectIdAtr, []string{fmt.Sprint(*props.ProjectID)})
+	}
 	if props.Role != "" {
 		req.Replace(ld.roleAtr, []string{string(props.Role)})
 	}
@@ -273,7 +286,7 @@ func (ld *LdapIAMService) ListUserAccounts() ([]Account, error) {
 		0,
 		false,
 		ld.buildSearchFilter(""),
-		[]string{ld.accessAtr, ld.secretAtr, ld.roleAtr, ld.groupIdAtr, ld.userIdAtr},
+		[]string{ld.accessAtr, ld.secretAtr, ld.roleAtr, ld.groupIdAtr, ld.projectIdAtr, ld.userIdAtr},
 		nil,
 	)
 
@@ -298,12 +311,19 @@ func (ld *LdapIAMService) ListUserAccounts() ([]Account, error) {
 			return nil, fmt.Errorf("invalid entry value for user-id %q: %w",
 				el.GetAttributeValue(ld.userIdAtr), err)
 		}
+		projectID, err := strconv.Atoi(el.GetAttributeValue(ld.projectIdAtr))
+		if err != nil {
+			return nil, fmt.Errorf("invalid entry value for project-id %q: %w",
+				el.GetAttributeValue(ld.groupIdAtr), err)
+		}
+
 		result = append(result, Account{
-			Access:  el.GetAttributeValue(ld.accessAtr),
-			Secret:  el.GetAttributeValue(ld.secretAtr),
-			Role:    Role(el.GetAttributeValue(ld.roleAtr)),
-			GroupID: groupId,
-			UserID:  userId,
+			Access:    el.GetAttributeValue(ld.accessAtr),
+			Secret:    el.GetAttributeValue(ld.secretAtr),
+			Role:      Role(el.GetAttributeValue(ld.roleAtr)),
+			GroupID:   groupId,
+			ProjectID: projectID,
+			UserID:    userId,
 		})
 	}
 

auth/iam_s3_object.go

@@ -205,11 +205,12 @@ func (s *IAMServiceS3) ListUserAccounts() ([]Account, error) {
 	var accs []Account
 	for _, k := range keys {
 		accs = append(accs, Account{
-			Access:  k,
-			Secret:  conf.AccessAccounts[k].Secret,
-			Role:    conf.AccessAccounts[k].Role,
-			UserID:  conf.AccessAccounts[k].UserID,
-			GroupID: conf.AccessAccounts[k].GroupID,
+			Access:    k,
+			Secret:    conf.AccessAccounts[k].Secret,
+			Role:      conf.AccessAccounts[k].Role,
+			UserID:    conf.AccessAccounts[k].UserID,
+			GroupID:   conf.AccessAccounts[k].GroupID,
+			ProjectID: conf.AccessAccounts[k].ProjectID,
 		})
 	}
 

auth/iam_vault.go

@@ -369,12 +369,21 @@ func parseVaultUserAccount(data map[string]any, access string) (acc Account, err
 	if err != nil {
 		return acc, errInvalidUser
 	}
+	projectIdJson, ok := usrAcc["projectID"].(json.Number)
+	if !ok {
+		return acc, errInvalidUser
+	}
+	projectID, err := projectIdJson.Int64()
+	if err != nil {
+		return acc, errInvalidUser
+	}
 
 	return Account{
-		Access:  acss,
-		Secret:  secret,
-		Role:    Role(role),
-		UserID:  int(userId),
-		GroupID: int(groupId),
+		Access:    acss,
+		Secret:    secret,
+		Role:      Role(role),
+		UserID:    int(userId),
+		GroupID:   int(groupId),
+		ProjectID: int(projectID),
 	}, nil
 }