fix: cascade delete organization user roles

Signed-off-by: Kush Sharma <thekushsharma@gmail.com>

Author: kushsharma

cmd/serve.go

@@ -260,7 +260,8 @@ func buildAPIDependencies(
 	)
 
 	organizationRepository := postgres.NewOrganizationRepository(dbc)
-	organizationService := organization.NewService(organizationRepository, relationService, userService, authnService, cfg.App.DisableOrgsOnCreate)
+	organizationService := organization.NewService(organizationRepository, relationService, userService,
+		authnService, cfg.App.DisableOrgsOnCreate)
 
 	domainRepository := postgres.NewDomainRepository(logger, dbc)
 	domainService := domain.NewService(logger, domainRepository, userService, organizationService)

core/deleter/service.go

@@ -2,8 +2,11 @@ package deleter
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
+	"github.com/raystack/frontier/internal/bootstrap/schema"
+
 	"github.com/google/uuid"
 	"github.com/raystack/frontier/core/invitation"
 
@@ -25,6 +28,7 @@ type ProjectService interface {
 type OrganizationService interface {
 	Get(ctx context.Context, id string) (organization.Organization, error)
 	DeleteModel(ctx context.Context, id string) error
+	RemoveUsers(ctx context.Context, orgID string, userIDs []string) error
 }
 
 type RoleService interface {
@@ -158,3 +162,70 @@ func (d Service) DeleteOrganization(ctx context.Context, id string) error {
 
 	return d.orgService.DeleteModel(ctx, id)
 }
+
+// RemoveUsersFromOrg removes users from an organization as members
+func (d Service) RemoveUsersFromOrg(ctx context.Context, orgID string, userIDs []string) error {
+	var err error
+	for _, userID := range userIDs {
+		userPolicies, policyErr := d.policyService.List(ctx, policy.Filter{
+			PrincipalID:   userID,
+			PrincipalType: schema.UserPrincipal,
+		})
+		if policyErr != nil && !errors.Is(err, policy.ErrNotExist) {
+			err = errors.Join(err, policyErr)
+			continue
+		}
+		for _, pol := range userPolicies {
+			// delete org level roles
+			if pol.ResourceID == orgID && pol.ResourceType == schema.OrganizationNamespace {
+				if policyErr := d.policyService.Delete(ctx, pol.ID); policyErr != nil {
+					err = errors.Join(err, policyErr)
+				}
+			}
+
+			// delete project level roles
+			if pol.ResourceType == schema.ProjectNamespace {
+				orgProjects, err := d.projService.List(ctx, project.Filter{
+					OrgID: orgID,
+				})
+				if err != nil && !errors.Is(err, project.ErrNotExist) {
+					return err
+				}
+				for _, p := range orgProjects {
+					if pol.ResourceID == p.ID {
+						if policyErr := d.policyService.Delete(ctx, pol.ID); policyErr != nil {
+							err = errors.Join(err, policyErr)
+						}
+					}
+				}
+
+				// delete resource level roles
+				// not doing it at the moment as it can be pretty expensive
+			}
+
+			// delete group level roles
+			if pol.ResourceType == schema.GroupNamespace {
+				orgGroups, err := d.groupService.List(ctx, group.Filter{
+					OrganizationID: orgID,
+				})
+				if err != nil && !errors.Is(err, group.ErrNotExist) {
+					return err
+				}
+				for _, g := range orgGroups {
+					if pol.ResourceID == g.ID {
+						if policyErr := d.policyService.Delete(ctx, pol.ID); policyErr != nil {
+							err = errors.Join(err, policyErr)
+						}
+					}
+				}
+			}
+		}
+	}
+	if err != nil {
+		// abort if any error occurred
+		return err
+	}
+
+	// remove user from org
+	return d.orgService.RemoveUsers(ctx, orgID, userIDs)
+}

core/organization/service.go

@@ -37,7 +37,8 @@ type Service struct {
 }
 
 func NewService(repository Repository, relationService RelationService,
-	userService UserService, authnService AuthnService, disableOrgsOnCreate bool) *Service {
+	userService UserService, authnService AuthnService,
+	disableOrgsOnCreate bool) *Service {
 	defaultState := Enabled
 	if disableOrgsOnCreate {
 		defaultState = Disabled
@@ -197,9 +198,12 @@ func (s Service) AddUsers(ctx context.Context, orgID string, userIDs []string) e
 }
 
 // RemoveUsers removes users from an organization as members
+// it doesn't remove user access to projects or other resources provided
+// by policies
 func (s Service) RemoveUsers(ctx context.Context, orgID string, userIDs []string) error {
 	var err error
 	for _, userID := range userIDs {
+		// remove user from org
 		if currentErr := s.relationService.Delete(ctx, relation.Relation{
 			Object: relation.Object{
 				ID:        orgID,
@@ -209,7 +213,6 @@ func (s Service) RemoveUsers(ctx context.Context, orgID string, userIDs []string
 				ID:        userID,
 				Namespace: schema.UserPrincipal,
 			},
-			RelationName: schema.MemberRelationName,
 		}); err != nil {
 			err = errors.Join(err, currentErr)
 		}

internal/api/v1beta1/deleter.go

@@ -12,6 +12,7 @@ import (
 type CascadeDeleter interface {
 	DeleteProject(ctx context.Context, id string) error
 	DeleteOrganization(ctx context.Context, id string) error
+	RemoveUsersFromOrg(ctx context.Context, orgID string, userIDs []string) error
 }
 
 func (h Handler) DeleteProject(ctx context.Context, request *frontierv1beta1.DeleteProjectRequest) (*frontierv1beta1.DeleteProjectResponse, error) {

internal/api/v1beta1/mocks/cascade_deleter.go

@@ -39,7 +39,6 @@ type OrganizationService interface {
 	Update(ctx context.Context, toUpdate organization.Organization) (organization.Organization, error)
 	ListByUser(ctx context.Context, userID string) ([]organization.Organization, error)
 	AddUsers(ctx context.Context, orgID string, userID []string) error
-	RemoveUsers(ctx context.Context, orgID string, userID []string) error
 	Enable(ctx context.Context, id string) error
 	Disable(ctx context.Context, id string) error
 }
@@ -415,7 +414,7 @@ func (h Handler) RemoveOrganizationUser(ctx context.Context, request *frontierv1
 		return nil, grpcMinAdminCountErr
 	}
 
-	if err := h.orgService.RemoveUsers(ctx, orgResp.ID, []string{request.GetUserId()}); err != nil {
+	if err := h.deleterService.RemoveUsersFromOrg(ctx, orgResp.ID, []string{request.GetUserId()}); err != nil {
 		logger.Error(err.Error())
 		return nil, grpcInternalServerError
 	}

internal/api/v1beta1/mocks/organization_service.go

@@ -1061,14 +1061,14 @@ func TestHandler_AddOrganizationUser(t *testing.T) {
 func TestHandler_RemoveOrganizationUser(t *testing.T) {
 	tests := []struct {
 		name    string
-		setup   func(os *mocks.OrganizationService, us *mocks.UserService)
+		setup   func(os *mocks.OrganizationService, us *mocks.UserService, ds *mocks.CascadeDeleter)
 		req     *frontierv1beta1.RemoveOrganizationUserRequest
 		want    *frontierv1beta1.RemoveOrganizationUserResponse
 		wantErr error
 	}{
 		{
 			name: "should return internal error if org service return some error",
-			setup: func(os *mocks.OrganizationService, us *mocks.UserService) {
+			setup: func(os *mocks.OrganizationService, us *mocks.UserService, ds *mocks.CascadeDeleter) {
 				os.EXPECT().Get(mock.AnythingOfType("*context.emptyCtx"), testOrgID).Return(organization.Organization{}, errors.New("some error"))
 			},
 			req: &frontierv1beta1.RemoveOrganizationUserRequest{
@@ -1080,12 +1080,12 @@ func TestHandler_RemoveOrganizationUser(t *testing.T) {
 		},
 		{
 			name: "should return the error and not remove user if it is the last admin user",
-			setup: func(os *mocks.OrganizationService, us *mocks.UserService) {
+			setup: func(os *mocks.OrganizationService, us *mocks.UserService, ds *mocks.CascadeDeleter) {
 				os.EXPECT().Get(mock.AnythingOfType("*context.emptyCtx"), testOrgID).Return(testOrgMap[testOrgID], nil)
 				us.EXPECT().ListByOrg(mock.AnythingOfType("*context.emptyCtx"), testOrgID, "update").Return([]user.User{
 					testUserMap[testUserID],
 				}, nil)
-				os.EXPECT().RemoveUsers(mock.AnythingOfType("*context.emptyCtx"), testOrgID, []string{testUserID}).Return(nil)
+				ds.EXPECT().RemoveUsersFromOrg(mock.AnythingOfType("*context.emptyCtx"), testOrgID, []string{testUserID}).Return(nil)
 			},
 			req: &frontierv1beta1.RemoveOrganizationUserRequest{
 				Id:     testOrgID,
@@ -1096,7 +1096,7 @@ func TestHandler_RemoveOrganizationUser(t *testing.T) {
 		},
 		{
 			name: "should remove user from org successfully",
-			setup: func(os *mocks.OrganizationService, us *mocks.UserService) {
+			setup: func(os *mocks.OrganizationService, us *mocks.UserService, ds *mocks.CascadeDeleter) {
 				os.EXPECT().Get(mock.AnythingOfType("*context.emptyCtx"), testOrgID).Return(testOrgMap[testOrgID], nil)
 				us.EXPECT().ListByOrg(mock.AnythingOfType("*context.emptyCtx"), testOrgID, "update").Return([]user.User{
 					testUserMap[testUserID],
@@ -1110,7 +1110,7 @@ func TestHandler_RemoveOrganizationUser(t *testing.T) {
 						UpdatedAt: time.Time{},
 					},
 				}, nil)
-				os.EXPECT().RemoveUsers(mock.AnythingOfType("*context.emptyCtx"), testOrgID, []string{"some-user-id"}).Return(nil)
+				ds.EXPECT().RemoveUsersFromOrg(mock.AnythingOfType("*context.emptyCtx"), testOrgID, []string{"some-user-id"}).Return(nil)
 			},
 			req: &frontierv1beta1.RemoveOrganizationUserRequest{
 				Id:     testOrgID,
@@ -1125,11 +1125,16 @@ func TestHandler_RemoveOrganizationUser(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			mockOrgService := new(mocks.OrganizationService)
 			mockUserService := new(mocks.UserService)
+			mockDeleterService := new(mocks.CascadeDeleter)
 			ctx := context.Background()
 			if tt.setup != nil {
-				tt.setup(mockOrgService, mockUserService)
+				tt.setup(mockOrgService, mockUserService, mockDeleterService)
+			}
+			mockDep := Handler{
+				orgService:     mockOrgService,
+				userService:    mockUserService,
+				deleterService: mockDeleterService,
 			}
-			mockDep := Handler{orgService: mockOrgService, userService: mockUserService}
 			got, err := mockDep.RemoveOrganizationUser(ctx, tt.req)
 			assert.EqualValues(t, tt.wantErr, err)
 			assert.EqualValues(t, tt.want, got)

internal/api/v1beta1/org.go

@@ -442,7 +442,7 @@ func (h Handler) ListCurrentUserGroups(ctx context.Context, request *frontierv1b
 		groupsPb = append(groupsPb, &groupPB)
 	}
 
-	if len(request.WithPermissions) == 0 {
+	if len(request.WithPermissions) > 0 {
 		resourceIds := utils.Map(groupsList, func(res group.Group) string {
 			return res.ID
 		})
@@ -612,7 +612,7 @@ func (h Handler) ListProjectsByCurrentUser(ctx context.Context, request *frontie
 		}
 		projects = append(projects, projPB)
 	}
-	if len(request.WithPermissions) == 0 {
+	if len(request.WithPermissions) > 0 {
 		resourceIds := utils.Map(projList, func(res project.Project) string {
 			return res.ID
 		})

internal/api/v1beta1/org_test.go

@@ -84,7 +84,6 @@ func (r PolicyRepository) List(ctx context.Context, flt policy.Filter) ([]policy
 			"resource_type": schema.OrganizationNamespace,
 		})
 	}
-
 	if flt.GroupID != "" {
 		stmt = stmt.Where(goqu.Ex{
 			"resource_id":   flt.GroupID,