ae15e1887b
Some checks failed
ci/woodpecker/push/billing_fees Pipeline was successful
ci/woodpecker/push/bff Pipeline was successful
ci/woodpecker/push/db Pipeline was successful
ci/woodpecker/push/fx_ingestor Pipeline is pending
ci/woodpecker/push/fx_oracle Pipeline is pending
ci/woodpecker/push/ledger Pipeline is pending
ci/woodpecker/push/nats Pipeline is pending
ci/woodpecker/push/notification Pipeline is pending
ci/woodpecker/push/payments_orchestrator Pipeline is pending
ci/woodpecker/push/frontend Pipeline failed
ci/woodpecker/push/bump_version unknown status
ci/woodpecker/push/chain_gateway Pipeline failed
412 lines
12 KiB
Go
412 lines
12 KiB
Go
package accountserviceimp
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"slices"
|
|
"unicode"
|
|
|
|
"github.com/tech/sendico/pkg/auth"
|
|
"github.com/tech/sendico/pkg/auth/management"
|
|
"github.com/tech/sendico/pkg/db"
|
|
"github.com/tech/sendico/pkg/db/account"
|
|
"github.com/tech/sendico/pkg/db/organization"
|
|
"github.com/tech/sendico/pkg/db/policy"
|
|
"github.com/tech/sendico/pkg/db/transaction"
|
|
"github.com/tech/sendico/pkg/merrors"
|
|
"github.com/tech/sendico/pkg/mlogger"
|
|
"github.com/tech/sendico/pkg/model"
|
|
"github.com/tech/sendico/pkg/mutil/mzap"
|
|
"github.com/tech/sendico/server/interface/middleware"
|
|
"github.com/tech/sendico/server/internal/mutil/flrstring"
|
|
"go.mongodb.org/mongo-driver/bson/primitive"
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
type service struct {
|
|
logger mlogger.Logger
|
|
accountDB account.DB
|
|
orgDB organization.DB
|
|
enforcer auth.Enforcer
|
|
roleManager management.Role
|
|
config *middleware.PasswordConfig
|
|
tf transaction.Factory
|
|
|
|
policyDB policy.DB
|
|
}
|
|
|
|
func validateUserRequest(u *model.Account) error {
|
|
if u.Name == "" {
|
|
return merrors.InvalidArgument("Name must not be empty")
|
|
}
|
|
if u.Login == "" {
|
|
return merrors.InvalidArgument("Login must not be empty")
|
|
}
|
|
if u.Password == "" {
|
|
return merrors.InvalidArgument("Password must not be empty")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (s *service) ValidatePassword(
|
|
password string,
|
|
oldPassword *string,
|
|
) error {
|
|
var hasDigit, hasUpper, hasLower, hasSpecial bool
|
|
|
|
if oldPassword != nil {
|
|
if *oldPassword == password {
|
|
return merrors.InvalidArgument("New password cannot be the same as the old password")
|
|
}
|
|
}
|
|
|
|
if len(password) < s.config.Check.MinLength {
|
|
return merrors.InvalidArgument(fmt.Sprintf("Password must be at least %d characters long", s.config.Check.MinLength))
|
|
}
|
|
|
|
// Check for digit, uppercase, lowercase, and special character
|
|
for _, char := range password {
|
|
switch {
|
|
case unicode.IsDigit(char):
|
|
hasDigit = true
|
|
case unicode.IsUpper(char):
|
|
hasUpper = true
|
|
case unicode.IsLower(char):
|
|
hasLower = true
|
|
case unicode.IsPunct(char) || unicode.IsSymbol(char):
|
|
hasSpecial = true
|
|
}
|
|
}
|
|
|
|
if s.config.Check.Digit && !hasDigit {
|
|
return merrors.InvalidArgument("Password must contain at least one digit")
|
|
}
|
|
if s.config.Check.Upper && !hasUpper {
|
|
return merrors.InvalidArgument("Password must contain at least one uppercase letter")
|
|
}
|
|
if s.config.Check.Lower && !hasLower {
|
|
return merrors.InvalidArgument("Password must contain at least one lowercase letter")
|
|
}
|
|
if s.config.Check.Special && !hasSpecial {
|
|
return merrors.InvalidArgument("Password must contain at least one special character")
|
|
}
|
|
|
|
// If all checks pass, return nil (no error)
|
|
return nil
|
|
}
|
|
|
|
func (s *service) ValidateAccount(acct *model.Account) error {
|
|
if err := validateUserRequest(acct); err != nil {
|
|
s.logger.Warn("Invalid signup acccount received", zap.Error(err), zap.String("account", acct.Login))
|
|
return err
|
|
}
|
|
|
|
if err := s.ValidatePassword(acct.Password, nil); err != nil {
|
|
s.logger.Warn("Password validation failed", zap.Error(err), zap.String("account", acct.Login))
|
|
return err
|
|
}
|
|
|
|
if err := acct.HashPassword(); err != nil {
|
|
s.logger.Warn("Failed to hash password", zap.Error(err), zap.String("account", acct.Login))
|
|
return err
|
|
}
|
|
|
|
acct.VerifyToken = flrstring.CreateRandString(s.config.TokenLength)
|
|
return nil
|
|
}
|
|
|
|
func (s *service) CreateAccount(
|
|
ctx context.Context,
|
|
org *model.Organization,
|
|
acct *model.Account,
|
|
roleDescID primitive.ObjectID,
|
|
) error {
|
|
if org == nil {
|
|
return merrors.InvalidArgument("Organization must not be nil")
|
|
}
|
|
if acct == nil || len(acct.Login) == 0 {
|
|
return merrors.InvalidArgument("Account must have a non-empty login")
|
|
}
|
|
if roleDescID == primitive.NilObjectID {
|
|
return merrors.InvalidArgument("Role description must be provided")
|
|
}
|
|
// 1) Create the account
|
|
if err := s.accountDB.Create(ctx, acct); err != nil {
|
|
if errors.Is(err, merrors.ErrDataConflict) {
|
|
s.logger.Info("Username is already taken", zap.String("login", acct.Login))
|
|
} else {
|
|
s.logger.Warn("Failed to signup a user", zap.Error(err), zap.String("login", acct.Login))
|
|
}
|
|
return err
|
|
}
|
|
|
|
// 2) Add to organization
|
|
if err := s.JoinOrganization(ctx, org, acct, roleDescID); err != nil {
|
|
s.logger.Warn("Failed to register new organization member", zap.Error(err), mzap.StorableRef(acct))
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (s *service) DeleteAccount(
|
|
ctx context.Context,
|
|
org *model.Organization,
|
|
accountRef primitive.ObjectID,
|
|
) error {
|
|
// Check if this is the only member in the organization
|
|
if len(org.Members) <= 1 {
|
|
s.logger.Warn("Cannot delete account - it's the only member in the organization",
|
|
mzap.ObjRef("account_ref", accountRef), mzap.StorableRef(org))
|
|
return merrors.InvalidArgument("Cannot delete the only member of an organization")
|
|
}
|
|
|
|
// 1) Remove from organization
|
|
if err := s.RemoveAccountFromOrganization(ctx, org, accountRef); err != nil {
|
|
s.logger.Warn("Failed to revoke account role", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
|
return err
|
|
}
|
|
|
|
// 2) Delete the account document
|
|
if err := s.accountDB.Delete(ctx, accountRef); err != nil {
|
|
s.logger.Warn("Failed to delete account", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (s *service) RemoveAccountFromOrganization(
|
|
ctx context.Context,
|
|
org *model.Organization,
|
|
accountRef primitive.ObjectID,
|
|
) error {
|
|
if org == nil {
|
|
return merrors.InvalidArgument("Organization must not be nil")
|
|
}
|
|
roles, err := s.enforcer.GetRoles(ctx, accountRef, org.ID)
|
|
if err != nil {
|
|
s.logger.Warn("Failed to fetch account permissions", zap.Error(err), mzap.StorableRef(org),
|
|
mzap.ObjRef("account_ref", accountRef))
|
|
return err
|
|
}
|
|
for _, role := range roles {
|
|
if err := s.roleManager.Revoke(ctx, role.DescriptionRef, accountRef, org.ID); err != nil {
|
|
s.logger.Warn("Failed to revoke account role", zap.Error(err),
|
|
mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("role_ref", role.DescriptionRef))
|
|
return err
|
|
}
|
|
}
|
|
for i, member := range org.Members {
|
|
if member == accountRef {
|
|
// Remove the member by slicing it out
|
|
org.Members = append(org.Members[:i], org.Members[i+1:]...)
|
|
if err := s.orgDB.Update(ctx, accountRef, org); err != nil {
|
|
s.logger.Warn("Failed to remove member from organization", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
|
return err
|
|
}
|
|
break
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (s *service) ResetPassword(
|
|
ctx context.Context,
|
|
acct *model.Account,
|
|
) error {
|
|
acct.ResetPasswordToken = flrstring.CreateRandString(s.config.TokenLength)
|
|
return s.accountDB.Update(ctx, acct)
|
|
}
|
|
|
|
func (s *service) UpdateLogin(
|
|
ctx context.Context,
|
|
acct *model.Account,
|
|
newLogin string,
|
|
) error {
|
|
acct.EmailBackup = acct.Login
|
|
acct.Login = newLogin
|
|
acct.VerifyToken = flrstring.CreateRandString(s.config.TokenLength)
|
|
return s.accountDB.Update(ctx, acct)
|
|
}
|
|
|
|
func (s *service) JoinOrganization(
|
|
ctx context.Context,
|
|
org *model.Organization,
|
|
account *model.Account,
|
|
roleDescID primitive.ObjectID,
|
|
) error {
|
|
if slices.Contains(org.Members, account.ID) {
|
|
s.logger.Debug("Account is already a member", mzap.StorableRef(org), mzap.StorableRef(account))
|
|
return nil
|
|
}
|
|
org.Members = append(org.Members, account.ID)
|
|
if err := s.orgDB.Update(ctx, *account.GetID(), org); err != nil {
|
|
s.logger.Warn("Failed to update organization members list",
|
|
zap.Error(err), mzap.StorableRef(account), mzap.StorableRef(org))
|
|
return err
|
|
}
|
|
|
|
role := &model.Role{
|
|
DescriptionRef: roleDescID,
|
|
OrganizationRef: org.ID,
|
|
AccountRef: account.ID,
|
|
}
|
|
if err := s.roleManager.Assign(ctx, role); err != nil {
|
|
s.logger.Warn("Failed to assign role to account", zap.Error(err), mzap.StorableRef(account),
|
|
mzap.StorableRef(org), mzap.ObjRef("role_description_ref", roleDescID))
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (s *service) deleteOrganizationRoles(ctx context.Context, orgRef primitive.ObjectID) error {
|
|
s.logger.Info("Deleting roles for organization", mzap.ObjRef("organization_ref", orgRef))
|
|
|
|
// Get all roles for the organization
|
|
roles, err := s.roleManager.List(ctx, orgRef)
|
|
if err != nil && !errors.Is(err, merrors.ErrNoData) {
|
|
s.logger.Warn("Failed to fetch roles for deletion", zap.Error(err), mzap.ObjRef("organization_ref", orgRef))
|
|
return err
|
|
}
|
|
|
|
// Delete each role
|
|
for _, role := range roles {
|
|
if err := s.roleManager.Delete(ctx, role.ID); err != nil {
|
|
s.logger.Warn("Failed to delete role", zap.Error(err), mzap.ObjRef("role_ref", role.ID))
|
|
return err
|
|
}
|
|
}
|
|
|
|
s.logger.Info("Successfully deleted roles", zap.Int("count", len(roles)), mzap.ObjRef("organization_ref", orgRef))
|
|
return nil
|
|
}
|
|
|
|
func (s *service) deleteOrganizationPolicies(ctx context.Context, orgRef primitive.ObjectID) error {
|
|
s.logger.Info("Deleting policies for organization", mzap.ObjRef("organization_ref", orgRef))
|
|
|
|
// Get all policies for the organization
|
|
policies, err := s.policyDB.All(ctx, orgRef)
|
|
if err != nil && !errors.Is(err, merrors.ErrNoData) {
|
|
s.logger.Warn("Failed to fetch policies for deletion", zap.Error(err), mzap.ObjRef("organization_ref", orgRef))
|
|
return err
|
|
}
|
|
|
|
// Delete each policy
|
|
for _, policy := range policies {
|
|
if err := s.policyDB.Delete(ctx, policy.ID); err != nil {
|
|
s.logger.Warn("Failed to delete policy", zap.Error(err), mzap.ObjRef("policy_ref", policy.ID))
|
|
return err
|
|
}
|
|
}
|
|
|
|
s.logger.Info("Successfully deleted policies", zap.Int("count", len(policies)), mzap.ObjRef("organization_ref", orgRef))
|
|
return nil
|
|
}
|
|
|
|
func (s *service) DeleteOrganization(
|
|
ctx context.Context,
|
|
org *model.Organization,
|
|
) error {
|
|
s.logger.Info("Starting organization deletion", mzap.StorableRef(org))
|
|
|
|
// Use transaction to ensure atomicity
|
|
_, err := s.tf.CreateTransaction().Execute(ctx, func(ctx context.Context) (any, error) {
|
|
// 8. Delete all roles and role descriptions in the organization
|
|
if err := s.deleteOrganizationRoles(ctx, org.ID); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// 9. Delete all policies in the organization
|
|
if err := s.deleteOrganizationPolicies(ctx, org.ID); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// 10. Finally, delete the organization itself
|
|
if err := s.orgDB.Delete(ctx, primitive.NilObjectID, org.ID); err != nil {
|
|
s.logger.Warn("Failed to delete organization", zap.Error(err), mzap.StorableRef(org))
|
|
return nil, err
|
|
}
|
|
|
|
return nil, nil
|
|
})
|
|
if err != nil {
|
|
s.logger.Error("Failed to delete organization", zap.Error(err), mzap.StorableRef(org))
|
|
return err
|
|
}
|
|
|
|
s.logger.Info("Organization deleted successfully", mzap.StorableRef(org))
|
|
return nil
|
|
}
|
|
|
|
func (s *service) DeleteAll(
|
|
ctx context.Context,
|
|
org *model.Organization,
|
|
accountRef primitive.ObjectID,
|
|
) error {
|
|
s.logger.Info("Starting complete deletion (organization + account)",
|
|
mzap.StorableRef(org), mzap.ObjRef("account_ref", accountRef))
|
|
|
|
// Use transaction to ensure atomicity
|
|
_, err := s.tf.CreateTransaction().Execute(ctx, func(ctx context.Context) (any, error) {
|
|
// 1. First delete the organization and all its data
|
|
if err := s.DeleteOrganization(ctx, org); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// 2. Then delete the account
|
|
if err := s.accountDB.Delete(ctx, accountRef); err != nil {
|
|
s.logger.Warn("Failed to delete account", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
|
return nil, err
|
|
}
|
|
|
|
return nil, nil
|
|
})
|
|
if err != nil {
|
|
s.logger.Error("Failed to delete all data", zap.Error(err), mzap.StorableRef(org), mzap.ObjRef("account_ref", accountRef))
|
|
return err
|
|
}
|
|
|
|
s.logger.Info("Complete deletion successful", mzap.StorableRef(org), mzap.ObjRef("account_ref", accountRef))
|
|
return nil
|
|
}
|
|
|
|
// NewAccountService wires in your logger plus the three dependencies.
|
|
func NewAccountService(
|
|
l mlogger.Logger,
|
|
dbf db.Factory,
|
|
enforcer auth.Enforcer,
|
|
ra management.Role,
|
|
config *middleware.PasswordConfig,
|
|
) (*service, error) {
|
|
logger := l.Named("account_service")
|
|
|
|
if config == nil {
|
|
return nil, merrors.Internal("Invalid account service configuration provides")
|
|
}
|
|
|
|
res := &service{
|
|
logger: logger,
|
|
enforcer: enforcer,
|
|
roleManager: ra,
|
|
config: config,
|
|
tf: dbf.TransactionFactory(),
|
|
}
|
|
var err error
|
|
if res.accountDB, err = dbf.NewAccountDB(); err != nil {
|
|
logger.Warn("Failed to create accounts database", zap.Error(err))
|
|
return nil, err
|
|
}
|
|
if res.orgDB, err = dbf.NewOrganizationDB(); err != nil {
|
|
logger.Warn("Failed to create organizations database", zap.Error(err))
|
|
return nil, err
|
|
}
|
|
|
|
// Initialize database dependencies for cascade deletion
|
|
if res.policyDB, err = dbf.NewPoliciesDB(); err != nil {
|
|
logger.Warn("Failed to create policies database", zap.Error(err))
|
|
return nil, err
|
|
}
|
|
|
|
return res, nil
|
|
}
|