feat: remove org (#4148)

* feat(command): remove org

* refactor: imports, unused code, error handling

* reduce org removed in action

* add org deletion to projections

* add org removal to projections

* add org removal to projections

* org removed projection

* lint import

* projections

* fix: table names in tests

* fix: table names in tests

* logging

* add org state

* fix(domain): add Owner removed to object details

* feat(ListQuery): add with owner removed

* fix(org-delete): add bool to functions to select with owner removed

* fix(org-delete): add bools to user grants with events to determine if dependencies lost owner

* fix(org-delete): add unit tests for owner removed and org removed events

* fix(org-delete): add handling of org remove for grants and members

* fix(org-delete): correction of unit tests for owner removed

* fix(org-delete): update projections, unit tests and get functions

* fix(org-delete): add change date to authnkeys and owner removed to org metadata

* fix(org-delete): include owner removed for login names

* fix(org-delete): some column fixes in projections and build for queries with owner removed

* indexes

* fix(org-delete): include review changes

* fix(org-delete): change user projection name after merge

* fix(org-delete): include review changes for project grant where no project owner is necessary

* fix(org-delete): include auth and adminapi tables with owner removed information

* fix(org-delete): cleanup username and orgdomain uniqueconstraints when org is removed

* fix(org-delete): add permissions for org.remove

* remove unnecessary unique constraints

* fix column order in primary keys

* fix(org-delete): include review changes

* fix(org-delete): add owner removed indexes and chang setup step to create tables

* fix(org-delete): move PK order of instance_id and change added user_grant from review

* fix(org-delete): no params for prepareUserQuery

* change to step 6

* merge main

* fix(org-delete): OldUserName rename to private

* fix linting

* cleanup

* fix: remove org test

* create prerelease

* chore: delete org-delete as prerelease

Co-authored-by: Stefan Benz <stefan@caos.ch>
Co-authored-by: Livio Spring <livio.a@gmail.com>
Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>

cmd/defaults.yaml

@@ -566,6 +566,7 @@ InternalAuthZ:
         - "org.global.read"
         - "org.create"
         - "org.write"
+        - "org.delete"
         - "org.member.read"
         - "org.member.write"
         - "org.member.delete"
@@ -639,6 +640,7 @@ InternalAuthZ:
         - "org.global.read"
         - "org.create"
         - "org.write"
+        - "org.delete"
         - "org.member.read"
         - "org.member.write"
         - "org.member.delete"
@@ -710,6 +712,7 @@ InternalAuthZ:
         - "org.global.read"
         - "org.create"
         - "org.write"
+        - "org.delete"
         - "org.member.read"
         - "org.member.write"
         - "org.member.delete"

cmd/setup/06.go

@@ -0,0 +1,28 @@
+package setup
+
+import (
+	"context"
+	"database/sql"
+	_ "embed"
+)
+
+var (
+	//go:embed 06/adminapi.sql
+	createAdminViews06 string
+	//go:embed 06/auth.sql
+	createAuthViews06 string
+)
+
+type OwnerRemoveColumns struct {
+	dbClient *sql.DB
+}
+
+func (mig *OwnerRemoveColumns) Execute(ctx context.Context) error {
+	stmt := createAdminViews06 + createAuthViews06
+	_, err := mig.dbClient.ExecContext(ctx, stmt)
+	return err
+}
+
+func (mig *OwnerRemoveColumns) String() string {
+	return "06_resource_owner_columns"
+}

cmd/setup/06/adminapi.sql

@@ -0,0 +1,30 @@
+
+CREATE TABLE adminapi.styling2 (
+    aggregate_id TEXT NOT NULL,
+    creation_date TIMESTAMPTZ NULL,
+    change_date TIMESTAMPTZ NULL,
+    label_policy_state INT2 NOT NULL DEFAULT 0::INT2,
+    sequence INT8 NULL,
+    primary_color TEXT NULL,
+    background_color TEXT NULL,
+    warn_color TEXT NULL,
+    font_color TEXT NULL,
+    primary_color_dark TEXT NULL,
+    background_color_dark TEXT NULL,
+    warn_color_dark TEXT NULL,
+    font_color_dark TEXT NULL,
+    logo_url TEXT NULL,
+    icon_url TEXT NULL,
+    logo_dark_url TEXT NULL,
+    icon_dark_url TEXT NULL,
+    font_url TEXT NULL,
+    err_msg_popup BOOL NULL,
+    disable_watermark BOOL NULL,
+    hide_login_name_suffix BOOL NULL,
+    instance_id TEXT NOT NULL,
+    owner_removed BOOL DEFAULT false,
+
+    PRIMARY KEY (instance_id, aggregate_id, label_policy_state)
+);
+
+CREATE INDEX owner_removed_idx ON adminapi.styling2 (owner_removed);

cmd/setup/06/auth.sql

@@ -0,0 +1,124 @@
+CREATE TABLE auth.users2 (
+    id TEXT NULL,
+    creation_date TIMESTAMPTZ NULL,
+    change_date TIMESTAMPTZ NULL,
+    resource_owner TEXT NULL,
+    user_state INT2 NULL,
+    password_set BOOL NULL,
+    password_change_required BOOL NULL,
+    password_change TIMESTAMPTZ NULL,
+    last_login TIMESTAMPTZ NULL,
+    user_name TEXT NULL,
+    login_names TEXT[] NULL,
+    preferred_login_name TEXT NULL,
+    first_name TEXT NULL,
+    last_name TEXT NULL,
+    nick_name TEXT NULL,
+    display_name TEXT NULL,
+    preferred_language TEXT NULL,
+    gender INT2 NULL,
+    email TEXT NULL,
+    is_email_verified BOOL NULL,
+    phone TEXT NULL,
+    is_phone_verified BOOL NULL,
+    country TEXT NULL,
+    locality TEXT NULL,
+    postal_code TEXT NULL,
+    region TEXT NULL,
+    street_address TEXT NULL,
+    otp_state INT2 NULL,
+    mfa_max_set_up INT2 NULL,
+    mfa_init_skipped TIMESTAMPTZ NULL,
+    sequence INT8 NULL,
+    init_required BOOL NULL,
+    username_change_required BOOL NULL,
+    machine_name TEXT NULL,
+    machine_description TEXT NULL,
+    user_type TEXT NULL,
+    u2f_tokens BYTEA NULL,
+    passwordless_tokens BYTEA NULL,
+    avatar_key TEXT NULL,
+    passwordless_init_required BOOL NULL,
+    password_init_required BOOL NULL,
+    instance_id TEXT NOT NULL,
+    owner_removed BOOL DEFAULT false,
+
+    PRIMARY KEY (instance_id, id)
+);
+CREATE INDEX owner_removed_idx ON auth.users2 (owner_removed);
+
+CREATE TABLE auth.user_external_idps2 (
+    external_user_id TEXT NOT NULL,
+    idp_config_id TEXT NOT NULL,
+    user_id TEXT NULL,
+    idp_name TEXT NULL,
+    user_display_name TEXT NULL,
+    creation_date TIMESTAMPTZ NULL,
+    change_date TIMESTAMPTZ NULL,
+    sequence INT8 NULL,
+    resource_owner TEXT NULL,
+    instance_id TEXT NOT NULL,
+    owner_removed BOOL DEFAULT false,
+
+    PRIMARY KEY (instance_id, external_user_id, idp_config_id)
+);
+CREATE INDEX owner_removed_idx ON auth.user_external_idps2 (owner_removed);
+
+CREATE TABLE auth.org_project_mapping2 (
+    org_id TEXT NOT NULL,
+    project_id TEXT NOT NULL,
+    project_grant_id TEXT NULL,
+    instance_id TEXT NOT NULL,
+    owner_removed BOOL DEFAULT false,
+
+    PRIMARY KEY (instance_id, org_id, project_id)
+);
+CREATE INDEX owner_removed_idx ON auth.org_project_mapping2 (owner_removed);
+
+CREATE TABLE auth.idp_providers2 (
+    aggregate_id TEXT NOT NULL,
+    idp_config_id TEXT NOT NULL,
+    creation_date TIMESTAMPTZ NULL,
+    change_date TIMESTAMPTZ NULL,
+    sequence INT8 NULL,
+    name TEXT NULL,
+    idp_config_type INT2 NULL,
+    idp_provider_type INT2 NULL,
+    idp_state INT2 NULL,
+    styling_type INT2 NULL,
+    instance_id TEXT NOT NULL,
+    owner_removed BOOL DEFAULT false,
+
+    PRIMARY KEY (instance_id, aggregate_id, idp_config_id)
+);
+CREATE INDEX owner_removed_idx ON auth.idp_providers2 (owner_removed);
+
+CREATE TABLE auth.idp_configs2 (
+    idp_config_id TEXT NOT NULL,
+    creation_date TIMESTAMPTZ NULL,
+    change_date TIMESTAMPTZ NULL,
+    sequence INT8 NULL,
+    aggregate_id TEXT NULL,
+    name TEXT NULL,
+    idp_state INT2 NULL,
+    idp_provider_type INT2 NULL,
+    is_oidc BOOL NULL,
+    oidc_client_id TEXT NULL,
+    oidc_client_secret JSONB NULL,
+    oidc_issuer TEXT NULL,
+    oidc_scopes TEXT[] NULL,
+    oidc_idp_display_name_mapping INT2 NULL,
+    oidc_idp_username_mapping INT2 NULL,
+    styling_type INT2 NULL,
+    oauth_authorization_endpoint TEXT NULL,
+    oauth_token_endpoint TEXT NULL,
+    auto_register BOOL NULL,
+    jwt_endpoint TEXT NULL,
+    jwt_keys_endpoint TEXT NULL,
+    jwt_header_name TEXT NULL,
+    instance_id TEXT NOT NULL,
+    owner_removed BOOL DEFAULT false,
+
+    PRIMARY KEY (instance_id, idp_config_id)
+);
+CREATE INDEX owner_removed_idx ON auth.idp_configs2 (owner_removed);

cmd/setup/config.go

@@ -54,11 +54,12 @@ func MustNewConfig(v *viper.Viper) *Config {
 }
 
 type Steps struct {
-	s1ProjectionTable   *ProjectionTable
-	s2AssetsTable       *AssetTable
-	FirstInstance       *FirstInstance
-	s4EventstoreIndexes *EventstoreIndexes
-	s5LastFailed        *LastFailed
+	s1ProjectionTable    *ProjectionTable
+	s2AssetsTable        *AssetTable
+	FirstInstance        *FirstInstance
+	s4EventstoreIndexes  *EventstoreIndexes
+	s5LastFailed         *LastFailed
+	s6OwnerRemoveColumns *OwnerRemoveColumns
 }
 
 type encryptionKeyConfig struct {

cmd/setup/setup.go

@@ -83,6 +83,7 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 
 	steps.s4EventstoreIndexes = &EventstoreIndexes{dbClient: dbClient, dbType: config.Database.Type()}
 	steps.s5LastFailed = &LastFailed{dbClient: dbClient}
+	steps.s6OwnerRemoveColumns = &OwnerRemoveColumns{dbClient: dbClient}
 
 	err = projection.Create(ctx, dbClient, eventstoreClient, config.Projections, nil, nil)
 	logging.OnError(err).Fatal("unable to start projections")
@@ -110,6 +111,8 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	logging.OnError(err).Fatal("unable to migrate step 4")
 	err = migration.Migrate(ctx, eventstoreClient, steps.s5LastFailed)
 	logging.OnError(err).Fatal("unable to migrate step 5")
+	err = migration.Migrate(ctx, eventstoreClient, steps.s6OwnerRemoveColumns)
+	logging.OnError(err).Fatal("unable to migrate step 6")
 
 	for _, repeatableStep := range repeatableSteps {
 		err = migration.Migrate(ctx, eventstoreClient, repeatableStep)