package accountserviceimp import ( "context" "errors" "fmt" "slices" "unicode" "github.com/tech/sendico/pkg/auth" "github.com/tech/sendico/pkg/auth/management" "github.com/tech/sendico/pkg/db" "github.com/tech/sendico/pkg/db/account" "github.com/tech/sendico/pkg/db/organization" "github.com/tech/sendico/pkg/db/policy" "github.com/tech/sendico/pkg/db/transaction" "github.com/tech/sendico/pkg/merrors" "github.com/tech/sendico/pkg/mlogger" "github.com/tech/sendico/pkg/model" "github.com/tech/sendico/pkg/mutil/mzap" "github.com/tech/sendico/server/interface/middleware" "github.com/tech/sendico/server/internal/mutil/flrstring" "go.mongodb.org/mongo-driver/bson/primitive" "go.uber.org/zap" ) type service struct { logger mlogger.Logger accountDB account.DB orgDB organization.DB enforcer auth.Enforcer roleManager management.Role config *middleware.PasswordConfig tf transaction.Factory policyDB policy.DB } func validateUserRequest(u *model.Account) error { if u.Name == "" { return merrors.InvalidArgument("Name must not be empty") } if u.Login == "" { return merrors.InvalidArgument("Login must not be empty") } if u.Password == "" { return merrors.InvalidArgument("Password must not be empty") } return nil } func (s *service) ValidatePassword( password string, oldPassword *string, ) error { var hasDigit, hasUpper, hasLower, hasSpecial bool if oldPassword != nil { if *oldPassword == password { return merrors.InvalidArgument("New password cannot be the same as the old password") } } if len(password) < s.config.Check.MinLength { return merrors.InvalidArgument(fmt.Sprintf("Password must be at least %d characters long", s.config.Check.MinLength)) } // Check for digit, uppercase, lowercase, and special character for _, char := range password { switch { case unicode.IsDigit(char): hasDigit = true case unicode.IsUpper(char): hasUpper = true case unicode.IsLower(char): hasLower = true case unicode.IsPunct(char) || unicode.IsSymbol(char): hasSpecial = true } } if s.config.Check.Digit && !hasDigit { return merrors.InvalidArgument("Password must contain at least one digit") } if s.config.Check.Upper && !hasUpper { return merrors.InvalidArgument("Password must contain at least one uppercase letter") } if s.config.Check.Lower && !hasLower { return merrors.InvalidArgument("Password must contain at least one lowercase letter") } if s.config.Check.Special && !hasSpecial { return merrors.InvalidArgument("Password must contain at least one special character") } // If all checks pass, return nil (no error) return nil } func (s *service) ValidateAccount(acct *model.Account) error { if err := validateUserRequest(acct); err != nil { s.logger.Warn("Invalid signup acccount received", zap.Error(err), zap.String("account", acct.Login)) return err } if err := s.ValidatePassword(acct.Password, nil); err != nil { s.logger.Warn("Password validation failed", zap.Error(err), zap.String("account", acct.Login)) return err } if err := acct.HashPassword(); err != nil { s.logger.Warn("Failed to hash password", zap.Error(err), zap.String("account", acct.Login)) return err } acct.VerifyToken = flrstring.CreateRandString(s.config.TokenLength) return nil } func (s *service) CreateAccount( ctx context.Context, org *model.Organization, acct *model.Account, roleDescID primitive.ObjectID, ) error { if org == nil { return merrors.InvalidArgument("Organization must not be nil") } if acct == nil || len(acct.Login) == 0 { return merrors.InvalidArgument("Account must have a non-empty login") } if roleDescID == primitive.NilObjectID { return merrors.InvalidArgument("Role description must be provided") } // 1) Create the account if err := s.accountDB.Create(ctx, acct); err != nil { if errors.Is(err, merrors.ErrDataConflict) { s.logger.Info("Username is already taken", zap.String("login", acct.Login)) } else { s.logger.Warn("Failed to signup a user", zap.Error(err), zap.String("login", acct.Login)) } return err } // 2) Add to organization if err := s.JoinOrganization(ctx, org, acct, roleDescID); err != nil { s.logger.Warn("Failed to register new organization member", zap.Error(err), mzap.StorableRef(acct)) return err } return nil } func (s *service) DeleteAccount( ctx context.Context, org *model.Organization, accountRef primitive.ObjectID, ) error { // Check if this is the only member in the organization if len(org.Members) <= 1 { s.logger.Warn("Cannot delete account - it's the only member in the organization", mzap.ObjRef("account_ref", accountRef), mzap.StorableRef(org)) return merrors.InvalidArgument("Cannot delete the only member of an organization") } // 1) Remove from organization if err := s.RemoveAccountFromOrganization(ctx, org, accountRef); err != nil { s.logger.Warn("Failed to revoke account role", zap.Error(err), mzap.ObjRef("account_ref", accountRef)) return err } // 2) Delete the account document if err := s.accountDB.Delete(ctx, accountRef); err != nil { s.logger.Warn("Failed to delete account", zap.Error(err), mzap.ObjRef("account_ref", accountRef)) return err } return nil } func (s *service) RemoveAccountFromOrganization( ctx context.Context, org *model.Organization, accountRef primitive.ObjectID, ) error { if org == nil { return merrors.InvalidArgument("Organization must not be nil") } roles, err := s.enforcer.GetRoles(ctx, accountRef, org.ID) if err != nil { s.logger.Warn("Failed to fetch account permissions", zap.Error(err), mzap.StorableRef(org), mzap.ObjRef("account_ref", accountRef)) return err } for _, role := range roles { if err := s.roleManager.Revoke(ctx, role.DescriptionRef, accountRef, org.ID); err != nil { s.logger.Warn("Failed to revoke account role", zap.Error(err), mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("role_ref", role.DescriptionRef)) return err } } for i, member := range org.Members { if member == accountRef { // Remove the member by slicing it out org.Members = append(org.Members[:i], org.Members[i+1:]...) if err := s.orgDB.Update(ctx, accountRef, org); err != nil { s.logger.Warn("Failed to remove member from organization", zap.Error(err), mzap.ObjRef("account_ref", accountRef)) return err } break } } return nil } func (s *service) ResetPassword( ctx context.Context, acct *model.Account, ) error { acct.ResetPasswordToken = flrstring.CreateRandString(s.config.TokenLength) return s.accountDB.Update(ctx, acct) } func (s *service) UpdateLogin( ctx context.Context, acct *model.Account, newLogin string, ) error { acct.EmailBackup = acct.Login acct.Login = newLogin acct.VerifyToken = flrstring.CreateRandString(s.config.TokenLength) return s.accountDB.Update(ctx, acct) } func (s *service) JoinOrganization( ctx context.Context, org *model.Organization, account *model.Account, roleDescID primitive.ObjectID, ) error { if slices.Contains(org.Members, account.ID) { s.logger.Debug("Account is already a member", mzap.StorableRef(org), mzap.StorableRef(account)) return nil } org.Members = append(org.Members, account.ID) if err := s.orgDB.Update(ctx, *account.GetID(), org); err != nil { s.logger.Warn("Failed to update organization members list", zap.Error(err), mzap.StorableRef(account), mzap.StorableRef(org)) return err } role := &model.Role{ DescriptionRef: roleDescID, OrganizationRef: org.ID, AccountRef: account.ID, } if err := s.roleManager.Assign(ctx, role); err != nil { s.logger.Warn("Failed to assign role to account", zap.Error(err), mzap.StorableRef(account), mzap.StorableRef(org)) return err } return nil } func (s *service) deleteOrganizationRoles(ctx context.Context, orgRef primitive.ObjectID) error { s.logger.Info("Deleting roles for organization", mzap.ObjRef("organization_ref", orgRef)) // Get all roles for the organization roles, err := s.roleManager.List(ctx, orgRef) if err != nil && !errors.Is(err, merrors.ErrNoData) { s.logger.Warn("Failed to fetch roles for deletion", zap.Error(err), mzap.ObjRef("organization_ref", orgRef)) return err } // Delete each role for _, role := range roles { if err := s.roleManager.Delete(ctx, role.ID); err != nil { s.logger.Warn("Failed to delete role", zap.Error(err), mzap.ObjRef("role_ref", role.ID)) return err } } s.logger.Info("Successfully deleted roles", zap.Int("count", len(roles)), mzap.ObjRef("organization_ref", orgRef)) return nil } func (s *service) deleteOrganizationPolicies(ctx context.Context, orgRef primitive.ObjectID) error { s.logger.Info("Deleting policies for organization", mzap.ObjRef("organization_ref", orgRef)) // Get all policies for the organization policies, err := s.policyDB.All(ctx, orgRef) if err != nil && !errors.Is(err, merrors.ErrNoData) { s.logger.Warn("Failed to fetch policies for deletion", zap.Error(err), mzap.ObjRef("organization_ref", orgRef)) return err } // Delete each policy for _, policy := range policies { if err := s.policyDB.Delete(ctx, policy.ID); err != nil { s.logger.Warn("Failed to delete policy", zap.Error(err), mzap.ObjRef("policy_ref", policy.ID)) return err } } s.logger.Info("Successfully deleted policies", zap.Int("count", len(policies)), mzap.ObjRef("organization_ref", orgRef)) return nil } func (s *service) DeleteOrganization( ctx context.Context, org *model.Organization, ) error { s.logger.Info("Starting organization deletion", mzap.StorableRef(org)) // Use transaction to ensure atomicity _, err := s.tf.CreateTransaction().Execute(ctx, func(ctx context.Context) (any, error) { // 8. Delete all roles and role descriptions in the organization if err := s.deleteOrganizationRoles(ctx, org.ID); err != nil { return nil, err } // 9. Delete all policies in the organization if err := s.deleteOrganizationPolicies(ctx, org.ID); err != nil { return nil, err } // 10. Finally, delete the organization itself if err := s.orgDB.Delete(ctx, primitive.NilObjectID, org.ID); err != nil { s.logger.Warn("Failed to delete organization", zap.Error(err), mzap.StorableRef(org)) return nil, err } return nil, nil }) if err != nil { s.logger.Error("Failed to delete organization", zap.Error(err), mzap.StorableRef(org)) return err } s.logger.Info("Organization deleted successfully", mzap.StorableRef(org)) return nil } func (s *service) DeleteAll( ctx context.Context, org *model.Organization, accountRef primitive.ObjectID, ) error { s.logger.Info("Starting complete deletion (organization + account)", mzap.StorableRef(org), mzap.ObjRef("account_ref", accountRef)) // Use transaction to ensure atomicity _, err := s.tf.CreateTransaction().Execute(ctx, func(ctx context.Context) (any, error) { // 1. First delete the organization and all its data if err := s.DeleteOrganization(ctx, org); err != nil { return nil, err } // 2. Then delete the account if err := s.accountDB.Delete(ctx, accountRef); err != nil { s.logger.Warn("Failed to delete account", zap.Error(err), mzap.ObjRef("account_ref", accountRef)) return nil, err } return nil, nil }) if err != nil { s.logger.Error("Failed to delete all data", zap.Error(err), mzap.StorableRef(org), mzap.ObjRef("account_ref", accountRef)) return err } s.logger.Info("Complete deletion successful", mzap.StorableRef(org), mzap.ObjRef("account_ref", accountRef)) return nil } // NewAccountService wires in your logger plus the three dependencies. func NewAccountService( l mlogger.Logger, dbf db.Factory, enforcer auth.Enforcer, ra management.Role, config *middleware.PasswordConfig, ) (*service, error) { logger := l.Named("account_service") if config == nil { return nil, merrors.Internal("Invalid account service configuration provides") } res := &service{ logger: logger, enforcer: enforcer, roleManager: ra, config: config, tf: dbf.TransactionFactory(), } var err error if res.accountDB, err = dbf.NewAccountDB(); err != nil { logger.Warn("Failed to create accounts database", zap.Error(err)) return nil, err } if res.orgDB, err = dbf.NewOrganizationDB(); err != nil { logger.Warn("Failed to create organizations database", zap.Error(err)) return nil, err } // Initialize database dependencies for cascade deletion if res.policyDB, err = dbf.NewPoliciesDB(); err != nil { logger.Warn("Failed to create policies database", zap.Error(err)) return nil, err } return res, nil }