@valentinkolb/cloud 0.1.0

package/src/services/accounts/group-sql.ts

@@ -0,0 +1,106 @@
+import { sql, type SQLQuery } from "bun";
+
+type SqlFragment = SQLQuery;
+type SqlValue = SQLQuery | string;
+
+export const recursiveUserGroupsSubquery = (params: { userId: SqlValue; select: SqlFragment }) => sql`
+  WITH RECURSIVE user_all_groups AS (
+    SELECT ug.group_id, g.provider
+    FROM auth.user_groups_v2 ug
+    JOIN auth.groups g ON g.id = ug.group_id
+    WHERE ug.user_id = ${params.userId}::uuid
+    UNION
+    SELECT gg.parent_group_id, g_parent.provider
+    FROM auth.group_groups_v2 gg
+    JOIN auth.groups g_parent ON g_parent.id = gg.parent_group_id
+    JOIN user_all_groups ag ON gg.child_group_id = ag.group_id
+    WHERE g_parent.provider = ag.provider
+  )
+  ${params.select}
+`;
+
+export const managedGroupsNamesSubquery = (userId: SqlValue) =>
+  recursiveUserGroupsSubquery({
+    userId,
+    select: sql`
+      SELECT DISTINCT g.name
+      FROM auth.groups g
+      LEFT JOIN auth.group_manager_users_v2 gmu ON gmu.group_id = g.id AND gmu.user_id = ${userId}::uuid
+      LEFT JOIN auth.group_manager_groups_v2 gmg ON gmg.group_id = g.id
+      LEFT JOIN user_all_groups ug ON ug.group_id = gmg.manager_group_id AND ug.provider = g.provider
+      WHERE gmu.user_id IS NOT NULL OR ug.group_id IS NOT NULL
+      ORDER BY g.name
+    `,
+  });
+
+export const managedGroupIdsSubquery = (userId: SqlValue) =>
+  recursiveUserGroupsSubquery({
+    userId,
+    select: sql`
+      SELECT managed.id
+      FROM (
+        SELECT DISTINCT g.id, g.name
+        FROM auth.groups g
+        LEFT JOIN auth.group_manager_users_v2 gmu ON gmu.group_id = g.id AND gmu.user_id = ${userId}::uuid
+        LEFT JOIN auth.group_manager_groups_v2 gmg ON gmg.group_id = g.id
+        LEFT JOIN user_all_groups ug ON ug.group_id = gmg.manager_group_id AND ug.provider = g.provider
+        WHERE gmu.user_id IS NOT NULL OR ug.group_id IS NOT NULL
+      ) managed
+      ORDER BY managed.name
+    `,
+  });
+
+export const recursiveGroupNamesSubquery = (userId: SqlValue) =>
+  recursiveUserGroupsSubquery({
+    userId,
+    select: sql`
+      SELECT DISTINCT g.name
+      FROM user_all_groups ag
+      JOIN auth.groups g ON g.id = ag.group_id
+      ORDER BY g.name
+    `,
+  });
+
+export const recursiveGroupIdsSubquery = (userId: SqlValue) =>
+  recursiveUserGroupsSubquery({
+    userId,
+    select: sql`
+      SELECT group_ids.group_id
+      FROM (
+        SELECT DISTINCT g.id AS group_id, g.name
+        FROM user_all_groups ag
+        JOIN auth.groups g ON g.id = ag.group_id
+      ) group_ids
+      ORDER BY group_ids.name
+    `,
+  });
+
+export const buildMemberGroupScopeCondition = (params: { userId: SqlValue; groupProvider: SqlFragment }) => sql`
+  g.id IN (
+    ${recursiveUserGroupsSubquery({
+      userId: params.userId,
+      select: sql`
+        SELECT DISTINCT ug.group_id
+        FROM user_all_groups ug
+        WHERE ug.provider = ${params.groupProvider}
+      `,
+    })}
+  )
+`;
+
+export const buildManagedGroupScopeCondition = (params: { userId: SqlValue; groupProvider: SqlFragment }) => sql`
+  g.id IN (
+    ${recursiveUserGroupsSubquery({
+      userId: params.userId,
+      select: sql`
+        SELECT DISTINCT g_manage.id
+        FROM auth.groups g_manage
+        LEFT JOIN auth.group_manager_users_v2 gmu ON gmu.group_id = g_manage.id AND gmu.user_id = ${params.userId}::uuid
+        LEFT JOIN auth.group_manager_groups_v2 gmg ON gmg.group_id = g_manage.id
+        LEFT JOIN user_all_groups ug ON ug.group_id = gmg.manager_group_id AND ug.provider = g_manage.provider
+        WHERE g_manage.provider = ${params.groupProvider}
+          AND (gmu.user_id IS NOT NULL OR ug.group_id IS NOT NULL)
+      `,
+    })}
+  )
+`;

package/src/services/accounts/groups.ts

@@ -0,0 +1,246 @@
+import { sql } from "bun";
+import type { BaseGroup, GroupMember, MutationResult, UserProvider } from "../../contracts/shared";
+import * as localGroups from "./local-groups";
+import { providers } from "../providers";
+import { freeipa } from "../../server/services";
+import { toPgUuidArray } from "../postgres";
+import { buildBaseGroup } from "./base-group";
+import {
+  buildManagedGroupScopeCondition,
+  buildMemberGroupScopeCondition,
+} from "./group-sql";
+
+type DbRow = Record<string, unknown>;
+
+type GroupListScope = "all" | "member" | "managed";
+
+const getGroup = async (id: string): Promise<BaseGroup | null> => {
+  const [row] = await sql<DbRow[]>`
+    SELECT id, provider, name, description, gid_number
+    FROM auth.groups
+    WHERE id = ${id}::uuid
+  `;
+  if (!row) return null;
+  return buildBaseGroup(row);
+};
+
+const listCanonical = async (params: {
+  ids?: string[];
+  userId?: string;
+  scope?: GroupListScope;
+  search?: string;
+  provider?: UserProvider;
+  page?: number;
+  perPage?: number;
+}): Promise<{
+  groups: BaseGroup[];
+  total: number;
+  pagination: { page: number; perPage: number; totalPages: number; hasNext: boolean };
+}> => {
+  const page = params.page ?? 1;
+  const perPage = params.perPage ?? 100;
+  const offset = (page - 1) * perPage;
+  const pattern = params.search ? `%${freeipa.util.escapeLike(params.search.toLowerCase())}%` : null;
+  const ids = params.ids ?? [];
+  const scope = params.scope ?? (params.userId ? "member" : "all");
+  const scopeUserId = params.userId ?? "00000000-0000-0000-0000-000000000000";
+  const idsCondition = ids.length === 0 ? sql`TRUE` : sql`g.id = ANY(${toPgUuidArray(ids)}::uuid[])`;
+
+  if (params.ids && params.ids.length === 0) {
+    return {
+      groups: [],
+      total: 0,
+      pagination: {
+        page,
+        perPage,
+        totalPages: 0,
+        hasNext: false,
+      },
+    };
+  }
+
+  const rows = await sql<DbRow[]>`
+    SELECT g.id, g.provider, g.name, g.description, g.gid_number, COUNT(*) OVER() AS total
+    FROM auth.groups g
+    WHERE (${params.provider ?? null}::text IS NULL OR g.provider = ${params.provider ?? null})
+      AND ${idsCondition}
+      AND (
+        ${scope === "all"} = true
+        OR ${params.userId ?? null}::uuid IS NULL
+        OR (${scope === "member"} = true AND ${buildMemberGroupScopeCondition({ userId: scopeUserId, groupProvider: sql`g.provider` })})
+        OR (${scope === "managed"} = true AND ${buildManagedGroupScopeCondition({ userId: scopeUserId, groupProvider: sql`g.provider` })})
+      )
+      AND (
+        ${pattern}::text IS NULL
+        OR LOWER(g.name) LIKE ${pattern} ESCAPE '\\'
+        OR LOWER(COALESCE(g.description, '')) LIKE ${pattern} ESCAPE '\\'
+      )
+    ORDER BY g.name
+    LIMIT ${perPage}
+    OFFSET ${offset}
+  `;
+
+  const total = rows.length > 0 ? Number((rows[0] as Record<string, unknown>).total) : 0;
+  return {
+    groups: rows.map(buildBaseGroup),
+    total,
+    pagination: {
+      page,
+      perPage,
+      totalPages: Math.ceil(total / perPage),
+      hasNext: page * perPage < total,
+    },
+  };
+};
+
+export const list = async (params: {
+  ids?: string[];
+  userId?: string;
+  scope?: GroupListScope;
+  search?: string;
+  provider?: UserProvider;
+  page?: number;
+  perPage?: number;
+}) => {
+  return listCanonical(params);
+};
+
+export const get = async (params: { id: string }): Promise<BaseGroup | null> => {
+  return getGroup(params.id);
+};
+
+export const getMembers = async (params: { id: string; provider?: UserProvider; type?: "user" | "group"; recursive?: boolean }): Promise<GroupMember[]> => {
+  const provider = params.provider ?? (await getGroup(params.id))?.provider;
+  if (provider === "local") return localGroups.getMembers(params);
+  if (!provider) return [];
+  return providers.ipa.groups.getMembers(params);
+};
+
+export const getManagers = async (params: { id: string; provider?: UserProvider; type?: "user" | "group"; recursive?: boolean }): Promise<GroupMember[]> => {
+  const provider = params.provider ?? (await getGroup(params.id))?.provider;
+  if (provider === "local") return localGroups.getManagers(params);
+  if (!provider) return [];
+  return providers.ipa.groups.getManagers(params);
+};
+
+export const getParents = async (params: { id: string; provider?: UserProvider; recursive?: boolean }): Promise<string[]> => {
+  const provider = params.provider ?? (await getGroup(params.id))?.provider;
+  if (provider === "local") return localGroups.getParents(params);
+  if (!provider) return [];
+  return providers.ipa.groups.getParents(params);
+};
+
+export const getManagedGroups = async (params: { id: string; provider?: UserProvider }): Promise<string[]> => {
+  const provider = params.provider ?? (await getGroup(params.id))?.provider;
+  if (provider === "local") return localGroups.getManagedGroups(params);
+  if (!provider) return [];
+  return providers.ipa.groups.getManagedGroups(params);
+};
+
+export const create = async (params: {
+  ipaSession?: string | null;
+  provider: UserProvider;
+  name: string;
+  description?: string;
+  posix?: boolean;
+}): Promise<MutationResult<BaseGroup>> => {
+  if (params.provider === "local") {
+    if (params.posix) return { ok: false, error: "Local groups do not support POSIX mode", status: 400 };
+    return localGroups.create({ name: params.name, description: params.description });
+  }
+  if (!params.ipaSession) return { ok: false, error: "IPA session required to create IPA groups", status: 401 };
+  return providers.ipa.groups.add({
+    ipaSession: params.ipaSession,
+    cn: params.name,
+    description: params.description,
+    posix: params.posix,
+  });
+};
+
+export const update = async (params: {
+  ipaSession?: string | null;
+  id: string;
+  provider?: UserProvider;
+  description: string;
+}): Promise<MutationResult<void>> => {
+  const provider = params.provider ?? (await getGroup(params.id))?.provider;
+  if (provider === "local") return localGroups.update({ id: params.id, description: params.description });
+  if (!params.ipaSession) return { ok: false, error: "IPA session required to update IPA groups", status: 401 };
+  return providers.ipa.groups.update({
+    ipaSession: params.ipaSession,
+    id: params.id,
+    description: params.description,
+  });
+};
+
+export const remove = async (params: { ipaSession?: string | null; id: string; provider?: UserProvider }): Promise<MutationResult<void>> => {
+  const provider = params.provider ?? (await getGroup(params.id))?.provider;
+  if (provider === "local") return localGroups.remove({ id: params.id });
+  if (!params.ipaSession) return { ok: false, error: "IPA session required to delete IPA groups", status: 401 };
+  return providers.ipa.groups.remove({
+    ipaSession: params.ipaSession,
+    id: params.id,
+  });
+};
+
+export const makePosix = async (params: {
+  ipaSession?: string | null;
+  id: string;
+  provider?: UserProvider;
+}): Promise<MutationResult<{ gidnumber: number | null }>> => {
+  const provider = params.provider ?? (await getGroup(params.id))?.provider;
+  if (provider === "local") return { ok: false, error: "Local groups do not support POSIX mode", status: 400 };
+  if (!params.ipaSession) return { ok: false, error: "IPA session required to change IPA groups", status: 401 };
+  return providers.ipa.groups.makePosix({
+    ipaSession: params.ipaSession,
+    id: params.id,
+  });
+};
+
+export const addMember = async (params: { ipaSession?: string | null; id: string; provider?: UserProvider; user?: string; group?: string }): Promise<MutationResult<void>> => {
+  const provider = params.provider ?? (await getGroup(params.id))?.provider;
+  if (provider === "local") return localGroups.addMember({ id: params.id, user: params.user, group: params.group });
+  if (!params.ipaSession) return { ok: false, error: "IPA session required to update IPA groups", status: 401 };
+  return providers.ipa.groups.addMember({
+    ipaSession: params.ipaSession,
+    id: params.id,
+    user: params.user,
+    group: params.group,
+  });
+};
+
+export const removeMember = async (params: { ipaSession?: string | null; id: string; provider?: UserProvider; user?: string; group?: string }): Promise<MutationResult<void>> => {
+  const provider = params.provider ?? (await getGroup(params.id))?.provider;
+  if (provider === "local") return localGroups.removeMember({ id: params.id, user: params.user, group: params.group });
+  if (!params.ipaSession) return { ok: false, error: "IPA session required to update IPA groups", status: 401 };
+  return providers.ipa.groups.removeMember({
+    ipaSession: params.ipaSession,
+    id: params.id,
+    user: params.user,
+    group: params.group,
+  });
+};
+
+export const addManager = async (params: { ipaSession?: string | null; id: string; provider?: UserProvider; user?: string; group?: string }): Promise<MutationResult<void>> => {
+  const provider = params.provider ?? (await getGroup(params.id))?.provider;
+  if (provider === "local") return localGroups.addManager({ id: params.id, user: params.user, group: params.group });
+  if (!params.ipaSession) return { ok: false, error: "IPA session required to update IPA groups", status: 401 };
+  return providers.ipa.groups.addManager({
+    ipaSession: params.ipaSession,
+    id: params.id,
+    user: params.user,
+    group: params.group,
+  });
+};
+
+export const removeManager = async (params: { ipaSession?: string | null; id: string; provider?: UserProvider; user?: string; group?: string }): Promise<MutationResult<void>> => {
+  const provider = params.provider ?? (await getGroup(params.id))?.provider;
+  if (provider === "local") return localGroups.removeManager({ id: params.id, user: params.user, group: params.group });
+  if (!params.ipaSession) return { ok: false, error: "IPA session required to update IPA groups", status: 401 };
+  return providers.ipa.groups.removeManager({
+    ipaSession: params.ipaSession,
+    id: params.id,
+    user: params.user,
+    group: params.group,
+  });
+};

package/src/services/accounts/index.ts

@@ -0,0 +1,14 @@
+import * as model from "./model";
+import * as authz from "./authz";
+import * as users from "./users";
+import * as groups from "./groups";
+import * as entities from "./entities";
+import * as localGroups from "./local-groups";
+import * as switching from "./switching";
+import * as lifecycle from "./lifecycle";
+import { accountsAppService } from "./app";
+
+export { model, authz, users, groups, entities, localGroups, switching, lifecycle };
+export { accountsAppService };
+
+export const accounts = { model, authz, users, groups, entities, localGroups, switching, lifecycle, app: accountsAppService } as const;

package/src/services/accounts/ipa-data.ts

@@ -0,0 +1,64 @@
+import { sql } from "bun";
+import type { IpaUserData } from "../../contracts/shared";
+
+type DbRow = Record<string, unknown>;
+
+export const userIpaDataJoin = sql`LEFT JOIN auth.user_ipa_data ui ON ui.user_id = u.id`;
+
+export const userIpaDataColumns = sql`
+  ui.uid_number AS ipa_uid_number,
+  ui.phone AS ipa_phone,
+  ui.employee_type AS ipa_employee_type,
+  ui.mobile AS ipa_mobile,
+  ui.addr_street AS ipa_addr_street,
+  ui.addr_postal_code AS ipa_addr_postal_code,
+  ui.addr_city AS ipa_addr_city,
+  ui.addr_state AS ipa_addr_state,
+  ui.ipa_password_expires AS ipa_password_expires,
+  ui.last_login_ipa AS ipa_last_login_ipa,
+  ui.synced_at AS ipa_synced_at,
+  ui.ssh_public_keys AS ipa_ssh_public_keys,
+  ui.ssh_fingerprints AS ipa_ssh_fingerprints
+`;
+
+export const emptyIpaUserData = (): IpaUserData => ({
+  uidNumber: null,
+  phone: null,
+  employeeType: null,
+  mobile: null,
+  address: {
+    street: null,
+    postalCode: null,
+    city: null,
+    state: null,
+  },
+  passwordExpires: null,
+  lastLoginIpa: null,
+  syncedAt: null,
+  sshPublicKeys: [],
+  sshFingerprints: [],
+});
+
+export const buildIpaUserData = (row: DbRow): IpaUserData | null => {
+  if (!row.ipa_uid_number && !row.ipa_phone && !row.ipa_password_expires && !row.ipa_synced_at && !row.ipa_ssh_public_keys) {
+    return null;
+  }
+
+  return {
+    uidNumber: (row.ipa_uid_number as number) ?? null,
+    phone: (row.ipa_phone as string) ?? null,
+    employeeType: (row.ipa_employee_type as string) ?? null,
+    mobile: (row.ipa_mobile as string) ?? null,
+    address: {
+      street: (row.ipa_addr_street as string) ?? null,
+      postalCode: (row.ipa_addr_postal_code as string) ?? null,
+      city: (row.ipa_addr_city as string) ?? null,
+      state: (row.ipa_addr_state as string) ?? null,
+    },
+    passwordExpires: row.ipa_password_expires ? (row.ipa_password_expires as Date).toISOString() : null,
+    lastLoginIpa: row.ipa_last_login_ipa ? (row.ipa_last_login_ipa as Date).toISOString() : null,
+    syncedAt: row.ipa_synced_at ? (row.ipa_synced_at as Date).toISOString() : null,
+    sshPublicKeys: (row.ipa_ssh_public_keys as string[]) ?? [],
+    sshFingerprints: (row.ipa_ssh_fingerprints as string[]) ?? [],
+  };
+};

package/src/services/accounts/lifecycle.ts

@@ -0,0 +1,2 @@
+export { accountLifecycle } from "../account-lifecycle";
+export type { AccountLifecycleService } from "../account-lifecycle";