feat(controlplane): organization invite system

[migmartri]

First cut of an invite system where a user can invite others to join a given organization. Closes #401

• Senders can create, revoke, and list sent invitations.
• Receivers, on login, will get added to their invited organization automatically.

NOTE: The auto-acceptance mechanism is just a first pass to simplify the implementation. In the future, we'll give control to the receiver to accept or decline offers explicitly #401. For now, we think this is okay because users are usually invited withing their own Chainloop instance

CLI Changes

Org Invite commands

$ chainloop org invite
User Invitations management

Usage:
  chainloop organization invite [command]

Aliases:
  invite, invitations

Available Commands:
  create      Invite a User to an Organization
  revoke      Revoke a pending invitation
  sent        List sent invitations

$ chainloop org invite sent
┌──────────────────────────────────────┬────────────────────┬───────────────────────┬──────────┬─────────────────────┐
│ ID                                   │ ORG NAME           │ RECEIVER EMAIL        │ STATUS   │ CREATED AT          │
├──────────────────────────────────────┼────────────────────┼───────────────────────┼──────────┼─────────────────────┤
│ 19c33588-ab57-4251-8518-e48f99d70472 │ flamboyant_jemison │ sarah@chainloop.local │ accepted │ 30 Oct 23 20:44 UTC │
├──────────────────────────────────────┼────────────────────┼───────────────────────┼──────────┼─────────────────────┤
│ 880da13c-3ae1-4ec0-9e87-0ae4eafe8e09 │ flamboyant_jemison │ foo@gmail.com         │ pending  │ 31 Oct 23 11:20 UTC │
└──────────────────────────────────────┴────────────────────┴───────────────────────┴──────────┴─────────────────────┘

$ chainloop org invite create --receiver dyson@cyberdyne.io --organization 1ac42a05-b909-4c0d-bb98-14c532e42dfc 
┌──────────────────────────────────────┬────────────────────┬────────────────────┬─────────┬─────────────────────┐
│ ID                                   │ ORG NAME           │ RECEIVER EMAIL     │ STATUS  │ CREATED AT          │
├──────────────────────────────────────┼────────────────────┼────────────────────┼─────────┼─────────────────────┤
│ a91f36eb-ff94-453b-ba15-d05385697aea │ flamboyant_jemison │ dyson@cyberdyne.io │ pending │ 31 Oct 23 11:28 UTC │
└──────────────────────────────────────┴────────────────────┴────────────────────┴─────────┴─────────────────────┘

$ chainloop org invite revoke --id 880da13c-3ae1-4ec0-9e87-0ae4eafe8e09
INF Invite Revoked!

biz layer

Creation logic

The handler implementation will a) run static validations, b) check if the user has permission to invite to the given org, c) check that an invitation doesn't exist already, and 4) create an entry in the DB in a pending state.

Revocation logic, in fact, will soft-delete the item by setting a deleted_at timestamp.

Auto-acceptance logic

An user, on login will get automatically added to the organizations they have been invited to. These will appear in the org list command

$ chainloop org ls                                                                              
┌──────────────────────────────────────┬────────────────────┬─────────┬─────────────────────┐
│ ORG ID                               │ ORG NAME           │ CURRENT │ JOINED AT           │
├──────────────────────────────────────┼────────────────────┼─────────┼─────────────────────┤
│ 46c1ae14-5c64-4e87-8f7f-cff4de9cfca5 │ magical_solomon    │ true    │ 30 Oct 23 20:44 UTC │
├──────────────────────────────────────┼────────────────────┼─────────┼─────────────────────┤
│ 1ac42a05-b909-4c0d-bb98-14c532e42dfc │ flamboyant_jemison │ false   │ 30 Oct 23 20:44 UTC │
└──────────────────────────────────────┴────────────────────┴─────────┴─────────────────────┘

Which then can be chosen using chainloop org set --id ...

data layer

It adds an org_invites persistence table.

[migmartri]

Note for reviewers. I left some comments in the PR as guidance of what's worth reviewing and not autogenerated.

[danlishka]

Please make sure we validate deleted_at before creating a membership. Apart from that LGTM!

[danlishka]

why not just list like we do in other places?

[migmartri]

The reason I didn't want to put list is so it doesn't get confused with listing all invitations for an org, since this command returns only the invites,you as an user sent.

In any case, I've renamed it to list and made it clear in the description of the command what it does.

Thanks!

[buccarel]

I was about to post a similar comment, even though not quite the same.

If we use sent, maybe instead of "creating" and invite, we "send" it

[danlishka]

are we checking deleted_at?

[migmartri]

The invites queries skip automatically the deleted entries..

https://github.com/chainloop-dev/chainloop/pull/404/files#diff-1d9d80f114bb28dba41c49e4c69ca79251075b74ddade6f6400d8f61a232ae30R95

So invites, err := uc.repo.PendingInvites(ctx, receiverEmail) will skip those

Is that the deletedAt you were talking about, or any other soft-deleted entity?

[buccarel]

🚀