Refactor: Move role guard to domain

Signed-off-by: JeffMboya <jangina.mboya@gmail.com>

Author: JeffMboya

domains/service.go

@@ -5,6 +5,7 @@ package domains
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	"github.com/absmach/supermq"
@@ -351,15 +352,75 @@ func (svc *service) RemoveEntityMembers(ctx context.Context, session authn.Sessi
 	return svc.ProvisionManageService.RemoveEntityMembers(ctx, session, entityID, members)
 }
 
-func (svc *service) RoleRemoveMembers(ctx context.Context, session authn.Session, entityID, roleID string, members []string) (err error) {
-	for _, member := range members {
-		if err := svc.repo.DeleteInvitation(ctx, member, entityID); err != nil && err != repoerr.ErrNotFound {
-			return err
+func (svc *service) RoleRemoveMembers(ctx context.Context, session authn.Session, entityID, roleID string, members []string) error {
+	if len(members) == 0 {
+		return svcerr.ErrMalformedEntity
+	}
+
+	ro, err := svc.repo.RetrieveEntityRole(ctx, entityID, roleID)
+	if err != nil {
+		return errors.Wrap(svcerr.ErrViewEntity, fmt.Errorf("failed to retrieve role '%s' for entity '%s': %w", roleID, entityID, err))
+	}
+
+	isBuiltInRole := false
+	if _, ok := svc.ProvisionManageService.BuiltInRoles[roles.BuiltInRoleName(ro.Name)]; ok {
+		isBuiltInRole = true
+	}
+
+	if isBuiltInRole {
+		membersPage, listErr := svc.repo.RoleListMembers(ctx, ro.ID, 0, 0)
+		if listErr != nil {
+			return errors.Wrap(svcerr.ErrViewEntity, fmt.Errorf("failed to list members for built-in role '%s' to check count: %w", ro.Name, listErr))
+		}
+
+		if membersPage.Total <= uint64(len(members)) {
+			return errors.Wrap(svcerr.ErrRemoveEntity, fmt.Errorf("built-in role '%s' must retain at least one member. Attempting to remove %d member(s) from %d would leave too few.", ro.Name, len(members), membersPage.Total))
 		}
 	}
+
+	for _, memberID := range members {
+		if err := svc.repo.DeleteInvitation(ctx, memberID, entityID); err != nil && err != repoerr.ErrNotFound {
+			return errors.Wrap(svcerr.ErrRemoveEntity, fmt.Errorf("failed to delete invitation for member '%s' in domain '%s' from role '%s': %w", memberID, entityID, ro.Name, err))
+		}
+	}
+
 	return svc.ProvisionManageService.RoleRemoveMembers(ctx, session, entityID, roleID, members)
 }
 
 func (svc *service) RoleRemoveAllMembers(ctx context.Context, session authn.Session, entityID, roleID string) error {
+	ro, err := svc.repo.RetrieveEntityRole(ctx, entityID, roleID)
+	if err != nil {
+		return errors.Wrap(svcerr.ErrViewEntity, fmt.Errorf("failed to retrieve role '%s' for entity '%s': %w", roleID, entityID, err))
+	}
+
+	isBuiltInRole := false
+	if _, ok := svc.ProvisionManageService.BuiltInRoles[roles.BuiltInRoleName(ro.Name)]; ok {
+		isBuiltInRole = true
+	}
+
+	if isBuiltInRole {
+		membersPage, listErr := svc.repo.RoleListMembers(ctx, ro.ID, 0, 0)
+		if listErr != nil {
+			return errors.Wrap(svcerr.ErrViewEntity, fmt.Errorf("failed to list members for built-in role '%s' to check count: %w", ro.Name, listErr))
+		}
+
+		if membersPage.Total > 0 {
+			return errors.Wrap(svcerr.ErrRemoveEntity, fmt.Errorf("built-in role '%s' must retain at least one member and cannot have all members removed", ro.Name))
+		}
+	}
+
+	currentMembersPage, listErr := svc.repo.RoleListMembers(ctx, ro.ID, 0, 0)
+	if listErr != nil {
+		return errors.Wrap(svcerr.ErrViewEntity, fmt.Errorf("failed to list members of role '%s' for invitation cleanup: %w", ro.Name, listErr))
+	}
+
+	if len(currentMembersPage.Members) > 0 {
+		for _, member := range currentMembersPage.Members {
+			memberID := string(member)
+			if err := svc.repo.DeleteInvitation(ctx, memberID, entityID); err != nil && err != repoerr.ErrNotFound {
+				return errors.Wrap(svcerr.ErrRemoveEntity, fmt.Errorf("failed to delete invitation for member '%s' in domain '%s' from role '%s': %w", memberID, entityID, ro.Name, err))
+			}
+		}
+	}
 	return svc.ProvisionManageService.RoleRemoveAllMembers(ctx, session, entityID, roleID)
 }

pkg/roles/provisionmanage.go

@@ -34,7 +34,7 @@ type ProvisionManageService struct {
 	sidProvider  supermq.IDProvider
 	policy       policies.Service
 	actions      []Action
-	builtInRoles map[BuiltInRoleName][]Action
+	BuiltInRoles map[BuiltInRoleName][]Action
 }
 
 func NewProvisionManageService(entityType string, repo Repository, policy policies.Service, sidProvider supermq.IDProvider, actions []Action, builtInRoles map[BuiltInRoleName][]Action) (ProvisionManageService, error) {
@@ -44,7 +44,7 @@ func NewProvisionManageService(entityType string, repo Repository, policy polici
 		sidProvider:  sidProvider,
 		policy:       policy,
 		actions:      actions,
-		builtInRoles: builtInRoles,
+		BuiltInRoles: builtInRoles,
 	}
 	return rm, nil
 }
@@ -143,7 +143,7 @@ func (r ProvisionManageService) AddNewEntitiesRoles(ctx context.Context, domainI
 
 	for _, entityID := range entityIDs {
 		for defaultRole, defaultRoleMembers := range newBuiltInRoleMembers {
-			actions, ok := r.builtInRoles[defaultRole]
+			actions, ok := r.BuiltInRoles[defaultRole]
 			if !ok {
 				return []RoleProvision{}, fmt.Errorf("default role %s not found in in-built roles", defaultRole)
 			}
@@ -559,16 +559,6 @@ func (r ProvisionManageService) RoleRemoveMembers(ctx context.Context, session a
 		return errors.Wrap(svcerr.ErrRemoveEntity, err)
 	}
 
-	if _, ok := r.builtInRoles[BuiltInRoleName(ro.Name)]; ok {
-		page, err := r.repo.RoleListMembers(ctx, ro.ID, 0, 0)
-		if err != nil {
-			return errors.Wrap(svcerr.ErrViewEntity, err)
-		}
-		if page.Total <= uint64(len(members)) {
-			return errors.Wrap(svcerr.ErrRemoveEntity, fmt.Errorf("built-in role '%s' must retain at least one member", ro.Name))
-		}
-	}
-
 	if len(members) == 0 {
 		return svcerr.ErrMalformedEntity
 	}
@@ -602,10 +592,6 @@ func (r ProvisionManageService) RoleRemoveAllMembers(ctx context.Context, sessio
 		return errors.Wrap(svcerr.ErrRemoveEntity, err)
 	}
 
-	if _, ok := r.builtInRoles[BuiltInRoleName(ro.Name)]; ok {
-		return errors.Wrap(svcerr.ErrRemoveEntity, fmt.Errorf("removing all members from built-in role '%s' is not permitted", ro.Name))
-	}
-
 	prs := policies.Policy{
 		ObjectType:  policies.RoleType,
 		Object:      ro.ID,