forked from wrenn/wrenn
pptx704
6eacf0f735
Escape LIKE metacharacters (% and _) in the email prefix before passing to the SQL query, and enforce the documented '@' requirement to prevent broad user enumeration. Move search logic out of TeamService into usersHandler since it is a site-wide lookup, not team-scoped.
394 lines
12 KiB
Go
394 lines
12 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"log/slog"
|
|
"regexp"
|
|
"time"
|
|
|
|
"connectrpc.com/connect"
|
|
"github.com/jackc/pgx/v5"
|
|
"github.com/jackc/pgx/v5/pgxpool"
|
|
|
|
"git.omukk.dev/wrenn/sandbox/internal/db"
|
|
"git.omukk.dev/wrenn/sandbox/internal/id"
|
|
"git.omukk.dev/wrenn/sandbox/internal/lifecycle"
|
|
pb "git.omukk.dev/wrenn/sandbox/proto/hostagent/gen"
|
|
)
|
|
|
|
var teamNameRE = regexp.MustCompile(`^[A-Za-z0-9 _\-@']{1,128}$`)
|
|
|
|
// TeamService provides team management operations.
|
|
type TeamService struct {
|
|
DB *db.Queries
|
|
Pool *pgxpool.Pool
|
|
HostPool *lifecycle.HostClientPool
|
|
}
|
|
|
|
// TeamWithRole pairs a team with the calling user's role in it.
|
|
type TeamWithRole struct {
|
|
db.Team
|
|
Role string `json:"role"`
|
|
}
|
|
|
|
// MemberInfo is a team member with resolved user details.
|
|
type MemberInfo struct {
|
|
UserID string `json:"user_id"`
|
|
Name string `json:"name"`
|
|
Email string `json:"email"`
|
|
Role string `json:"role"`
|
|
JoinedAt time.Time `json:"joined_at"`
|
|
}
|
|
|
|
// callerRole fetches the calling user's role in the given team from DB.
|
|
// Returns an error wrapping "forbidden" if the caller is not a member.
|
|
func (s *TeamService) callerRole(ctx context.Context, teamID, callerUserID string) (string, error) {
|
|
m, err := s.DB.GetTeamMembership(ctx, db.GetTeamMembershipParams{
|
|
UserID: callerUserID,
|
|
TeamID: teamID,
|
|
})
|
|
if err != nil {
|
|
if err == pgx.ErrNoRows {
|
|
return "", fmt.Errorf("forbidden: not a member of this team")
|
|
}
|
|
return "", fmt.Errorf("get membership: %w", err)
|
|
}
|
|
return m.Role, nil
|
|
}
|
|
|
|
// requireAdmin returns an error if the caller is not an admin or owner.
|
|
func requireAdmin(role string) error {
|
|
if role != "owner" && role != "admin" {
|
|
return fmt.Errorf("forbidden: admin or owner role required")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// GetTeam returns the team by ID. Returns an error if the team is deleted or not found.
|
|
func (s *TeamService) GetTeam(ctx context.Context, teamID string) (db.Team, error) {
|
|
team, err := s.DB.GetTeam(ctx, teamID)
|
|
if err != nil {
|
|
if err == pgx.ErrNoRows {
|
|
return db.Team{}, fmt.Errorf("team not found")
|
|
}
|
|
return db.Team{}, fmt.Errorf("get team: %w", err)
|
|
}
|
|
if team.DeletedAt.Valid {
|
|
return db.Team{}, fmt.Errorf("team not found")
|
|
}
|
|
return team, nil
|
|
}
|
|
|
|
// ListTeamsForUser returns all active teams the user belongs to, with their role in each.
|
|
func (s *TeamService) ListTeamsForUser(ctx context.Context, userID string) ([]TeamWithRole, error) {
|
|
rows, err := s.DB.GetTeamsForUser(ctx, userID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("list teams: %w", err)
|
|
}
|
|
result := make([]TeamWithRole, len(rows))
|
|
for i, r := range rows {
|
|
result[i] = TeamWithRole{
|
|
Team: db.Team{ID: r.ID, Name: r.Name, CreatedAt: r.CreatedAt, IsByoc: r.IsByoc, Slug: r.Slug, DeletedAt: r.DeletedAt},
|
|
Role: r.Role,
|
|
}
|
|
}
|
|
return result, nil
|
|
}
|
|
|
|
// CreateTeam creates a new team owned by the given user.
|
|
func (s *TeamService) CreateTeam(ctx context.Context, ownerUserID, name string) (TeamWithRole, error) {
|
|
if !teamNameRE.MatchString(name) {
|
|
return TeamWithRole{}, fmt.Errorf("invalid team name: must be 1-128 characters, A-Z a-z 0-9 space _")
|
|
}
|
|
|
|
tx, err := s.Pool.Begin(ctx)
|
|
if err != nil {
|
|
return TeamWithRole{}, fmt.Errorf("begin tx: %w", err)
|
|
}
|
|
defer tx.Rollback(ctx) //nolint:errcheck
|
|
|
|
qtx := s.DB.WithTx(tx)
|
|
|
|
teamID := id.NewTeamID()
|
|
team, err := qtx.InsertTeam(ctx, db.InsertTeamParams{
|
|
ID: teamID,
|
|
Name: name,
|
|
Slug: id.NewTeamSlug(),
|
|
})
|
|
if err != nil {
|
|
return TeamWithRole{}, fmt.Errorf("insert team: %w", err)
|
|
}
|
|
|
|
if err := qtx.InsertTeamMember(ctx, db.InsertTeamMemberParams{
|
|
UserID: ownerUserID,
|
|
TeamID: teamID,
|
|
IsDefault: false,
|
|
Role: "owner",
|
|
}); err != nil {
|
|
return TeamWithRole{}, fmt.Errorf("insert owner: %w", err)
|
|
}
|
|
|
|
if err := tx.Commit(ctx); err != nil {
|
|
return TeamWithRole{}, fmt.Errorf("commit: %w", err)
|
|
}
|
|
|
|
return TeamWithRole{Team: team, Role: "owner"}, nil
|
|
}
|
|
|
|
// RenameTeam updates the team name. Caller must be admin or owner (verified from DB).
|
|
func (s *TeamService) RenameTeam(ctx context.Context, teamID, callerUserID, newName string) error {
|
|
if !teamNameRE.MatchString(newName) {
|
|
return fmt.Errorf("invalid team name: must be 1-128 characters, A-Z a-z 0-9 space _")
|
|
}
|
|
|
|
role, err := s.callerRole(ctx, teamID, callerUserID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if err := requireAdmin(role); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := s.DB.UpdateTeamName(ctx, db.UpdateTeamNameParams{ID: teamID, Name: newName}); err != nil {
|
|
return fmt.Errorf("update name: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// DeleteTeam soft-deletes the team and destroys all running/paused/starting sandboxes.
|
|
// Caller must be owner (verified from DB). All DB records (sandboxes, keys, templates)
|
|
// are preserved; only the team's deleted_at is set and active VMs are stopped.
|
|
func (s *TeamService) DeleteTeam(ctx context.Context, teamID, callerUserID string) error {
|
|
role, err := s.callerRole(ctx, teamID, callerUserID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if role != "owner" {
|
|
return fmt.Errorf("forbidden: only the owner can delete a team")
|
|
}
|
|
|
|
// Collect active sandboxes and stop them.
|
|
sandboxes, err := s.DB.ListActiveSandboxesByTeam(ctx, teamID)
|
|
if err != nil {
|
|
return fmt.Errorf("list active sandboxes: %w", err)
|
|
}
|
|
|
|
var stopIDs []string
|
|
for _, sb := range sandboxes {
|
|
host, hostErr := s.DB.GetHost(ctx, sb.HostID)
|
|
if hostErr == nil {
|
|
agent, agentErr := s.HostPool.GetForHost(host)
|
|
if agentErr == nil {
|
|
if _, err := agent.DestroySandbox(ctx, connect.NewRequest(&pb.DestroySandboxRequest{
|
|
SandboxId: sb.ID,
|
|
})); err != nil && connect.CodeOf(err) != connect.CodeNotFound {
|
|
slog.Warn("team delete: failed to destroy sandbox", "sandbox_id", sb.ID, "error", err)
|
|
}
|
|
}
|
|
}
|
|
stopIDs = append(stopIDs, sb.ID)
|
|
}
|
|
|
|
if len(stopIDs) > 0 {
|
|
if err := s.DB.BulkUpdateStatusByIDs(ctx, db.BulkUpdateStatusByIDsParams{
|
|
Column1: stopIDs,
|
|
Status: "stopped",
|
|
}); err != nil {
|
|
// Do not proceed to soft-delete if sandbox statuses couldn't be updated,
|
|
// as that would leave orphaned "running" records for a deleted team.
|
|
return fmt.Errorf("update sandbox statuses: %w", err)
|
|
}
|
|
}
|
|
|
|
if err := s.DB.SoftDeleteTeam(ctx, teamID); err != nil {
|
|
return fmt.Errorf("soft delete team: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// GetMembers returns all members of the team with their emails and roles.
|
|
func (s *TeamService) GetMembers(ctx context.Context, teamID string) ([]MemberInfo, error) {
|
|
rows, err := s.DB.GetTeamMembers(ctx, teamID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("get members: %w", err)
|
|
}
|
|
members := make([]MemberInfo, len(rows))
|
|
for i, r := range rows {
|
|
var joinedAt time.Time
|
|
if r.JoinedAt.Valid {
|
|
joinedAt = r.JoinedAt.Time
|
|
}
|
|
members[i] = MemberInfo{
|
|
UserID: r.ID,
|
|
Name: r.Name,
|
|
Email: r.Email,
|
|
Role: r.Role,
|
|
JoinedAt: joinedAt,
|
|
}
|
|
}
|
|
return members, nil
|
|
}
|
|
|
|
// AddMember adds an existing user (looked up by email) to the team as a member.
|
|
// Caller must be admin or owner (verified from DB).
|
|
func (s *TeamService) AddMember(ctx context.Context, teamID, callerUserID, email string) (MemberInfo, error) {
|
|
role, err := s.callerRole(ctx, teamID, callerUserID)
|
|
if err != nil {
|
|
return MemberInfo{}, err
|
|
}
|
|
if err := requireAdmin(role); err != nil {
|
|
return MemberInfo{}, err
|
|
}
|
|
|
|
target, err := s.DB.GetUserByEmail(ctx, email)
|
|
if err != nil {
|
|
if err == pgx.ErrNoRows {
|
|
return MemberInfo{}, fmt.Errorf("user not found: no account with that email")
|
|
}
|
|
return MemberInfo{}, fmt.Errorf("look up user: %w", err)
|
|
}
|
|
|
|
// Check if already a member.
|
|
_, memberCheckErr := s.DB.GetTeamMembership(ctx, db.GetTeamMembershipParams{
|
|
UserID: target.ID,
|
|
TeamID: teamID,
|
|
})
|
|
if memberCheckErr == nil {
|
|
return MemberInfo{}, fmt.Errorf("invalid: user is already a member of this team")
|
|
} else if memberCheckErr != pgx.ErrNoRows {
|
|
return MemberInfo{}, fmt.Errorf("check membership: %w", memberCheckErr)
|
|
}
|
|
|
|
if err := s.DB.InsertTeamMember(ctx, db.InsertTeamMemberParams{
|
|
UserID: target.ID,
|
|
TeamID: teamID,
|
|
IsDefault: false,
|
|
Role: "member",
|
|
}); err != nil {
|
|
return MemberInfo{}, fmt.Errorf("insert member: %w", err)
|
|
}
|
|
|
|
return MemberInfo{UserID: target.ID, Name: target.Name, Email: target.Email, Role: "member"}, nil
|
|
}
|
|
|
|
// RemoveMember removes a user from the team.
|
|
// Caller must be admin or owner (verified from DB). Owner cannot be removed.
|
|
func (s *TeamService) RemoveMember(ctx context.Context, teamID, callerUserID, targetUserID string) error {
|
|
callerRole, err := s.callerRole(ctx, teamID, callerUserID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if err := requireAdmin(callerRole); err != nil {
|
|
return err
|
|
}
|
|
|
|
targetMembership, err := s.DB.GetTeamMembership(ctx, db.GetTeamMembershipParams{
|
|
UserID: targetUserID,
|
|
TeamID: teamID,
|
|
})
|
|
if err != nil {
|
|
if err == pgx.ErrNoRows {
|
|
return fmt.Errorf("not found: user is not a member of this team")
|
|
}
|
|
return fmt.Errorf("get target membership: %w", err)
|
|
}
|
|
|
|
if targetMembership.Role == "owner" {
|
|
return fmt.Errorf("forbidden: the owner cannot be removed from the team")
|
|
}
|
|
|
|
if err := s.DB.DeleteTeamMember(ctx, db.DeleteTeamMemberParams{
|
|
TeamID: teamID,
|
|
UserID: targetUserID,
|
|
}); err != nil {
|
|
return fmt.Errorf("delete member: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// UpdateMemberRole changes a member's role to admin or member.
|
|
// Caller must be admin or owner (verified from DB). Owner's role cannot be changed.
|
|
// Valid target roles: "admin", "member".
|
|
func (s *TeamService) UpdateMemberRole(ctx context.Context, teamID, callerUserID, targetUserID, newRole string) error {
|
|
if newRole != "admin" && newRole != "member" {
|
|
return fmt.Errorf("invalid: role must be admin or member")
|
|
}
|
|
|
|
callerRole, err := s.callerRole(ctx, teamID, callerUserID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if err := requireAdmin(callerRole); err != nil {
|
|
return err
|
|
}
|
|
|
|
targetMembership, err := s.DB.GetTeamMembership(ctx, db.GetTeamMembershipParams{
|
|
UserID: targetUserID,
|
|
TeamID: teamID,
|
|
})
|
|
if err != nil {
|
|
if err == pgx.ErrNoRows {
|
|
return fmt.Errorf("not found: user is not a member of this team")
|
|
}
|
|
return fmt.Errorf("get target membership: %w", err)
|
|
}
|
|
|
|
if targetMembership.Role == "owner" {
|
|
return fmt.Errorf("forbidden: the owner's role cannot be changed")
|
|
}
|
|
|
|
if err := s.DB.UpdateMemberRole(ctx, db.UpdateMemberRoleParams{
|
|
TeamID: teamID,
|
|
UserID: targetUserID,
|
|
Role: newRole,
|
|
}); err != nil {
|
|
return fmt.Errorf("update role: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// LeaveTeam removes the calling user from the team.
|
|
// The owner cannot leave; they must delete the team instead.
|
|
func (s *TeamService) LeaveTeam(ctx context.Context, teamID, callerUserID string) error {
|
|
role, err := s.callerRole(ctx, teamID, callerUserID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if role == "owner" {
|
|
return fmt.Errorf("forbidden: the owner cannot leave the team; delete the team instead")
|
|
}
|
|
|
|
if err := s.DB.DeleteTeamMember(ctx, db.DeleteTeamMemberParams{
|
|
TeamID: teamID,
|
|
UserID: callerUserID,
|
|
}); err != nil {
|
|
return fmt.Errorf("leave team: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// SetBYOC enables the BYOC feature flag for a team. Once enabled, BYOC cannot
|
|
// be disabled — it is a one-way transition.
|
|
// Admin-only — the caller must verify admin status before invoking this.
|
|
func (s *TeamService) SetBYOC(ctx context.Context, teamID string, enabled bool) error {
|
|
team, err := s.DB.GetTeam(ctx, teamID)
|
|
if err != nil {
|
|
return fmt.Errorf("team not found: %w", err)
|
|
}
|
|
if team.DeletedAt.Valid {
|
|
return fmt.Errorf("team not found")
|
|
}
|
|
if !enabled {
|
|
return fmt.Errorf("invalid request: BYOC cannot be disabled once enabled")
|
|
}
|
|
if team.IsByoc {
|
|
// Already enabled — idempotent, no-op.
|
|
return nil
|
|
}
|
|
if err := s.DB.SetTeamBYOC(ctx, db.SetTeamBYOCParams{ID: teamID, IsByoc: true}); err != nil {
|
|
return fmt.Errorf("set byoc: %w", err)
|
|
}
|
|
return nil
|
|
}
|