fix: do not create org during auto-onboarding (#986)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/controlplane/configs/samples/config.yaml

@@ -65,6 +65,6 @@ referrer_shared_index:
 
 onboarding:
   - name: "read-only-demo"
-    role: "viewer"
+    role: MEMBERSHIP_ROLE_ORG_VIEWER
   - name: "read-write-demo"
-    role: "owner"
+    role: MEMBERSHIP_ROLE_ORG_OWNER

app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go

@@ -156,5 +156,10 @@ message OnboardingSpec {
   // Name of the organization
   string name = 1 [(buf.validate.field).string.min_len = 1];
   // Role to assign to the user
-  controlplane.v1.MembershipRole role = 2;
+  controlplane.v1.MembershipRole role = 2 [
+    (buf.validate.field).enum = {
+      not_in: [0]
+    },
+    (buf.validate.field).enum.defined_only = true
+  ];
 }

app/controlplane/internal/conf/controlplane/config/v1/conf.proto

@@ -19,9 +19,12 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"io"
 	"time"
 
+	"github.com/chainloop-dev/chainloop/app/controlplane/internal/authz"
 	conf "github.com/chainloop-dev/chainloop/app/controlplane/internal/conf/controlplane/config/v1"
+	"github.com/chainloop-dev/chainloop/pkg/servicelogger"
 	"github.com/go-kratos/kratos/v2/log"
 	"github.com/google/uuid"
 	"github.com/moby/moby/pkg/namesgenerator"
@@ -49,9 +52,13 @@ type OrganizationUseCase struct {
 	onboardingConfig  []*conf.OnboardingSpec
 }
 
-func NewOrganizationUseCase(repo OrganizationRepo, repoUC *CASBackendUseCase, iUC *IntegrationUseCase, mRepo MembershipRepo, onboardingConfig []*conf.OnboardingSpec, logger log.Logger) *OrganizationUseCase {
+func NewOrganizationUseCase(repo OrganizationRepo, repoUC *CASBackendUseCase, iUC *IntegrationUseCase, mRepo MembershipRepo, onboardingConfig []*conf.OnboardingSpec, l log.Logger) *OrganizationUseCase {
+	if l == nil {
+		l = log.NewStdLogger(io.Discard)
+	}
+
 	return &OrganizationUseCase{orgRepo: repo,
-		logger:            log.NewHelper(logger),
+		logger:            servicelogger.ScopedHelper(l, "biz/organization"),
 		casBackendUseCase: repoUC,
 		integrationUC:     iUC,
 		membershipRepo:    mRepo,
@@ -259,10 +266,13 @@ func (uc *OrganizationUseCase) AutoOnboardOrganizations(ctx context.Context, use
 	}
 
 	for _, spec := range uc.onboardingConfig {
-		// Ensure the organization exists or create it if it doesn't
-		org, err := uc.ensureOrganizationExists(ctx, spec)
+		// Find organization or skip onboarding if it doesn't exist
+		org, err := uc.orgRepo.FindByName(ctx, spec.GetName())
 		if err != nil {
-			return fmt.Errorf("failed to ensure organization exists: %w", err)
+			return fmt.Errorf("failed to find organization: %w", err)
+		} else if org == nil {
+			uc.logger.Infow("msg", "Organization not found", "name", spec.GetName())
+			continue
 		}
 
 		// Parse organization UUID
@@ -272,40 +282,17 @@ func (uc *OrganizationUseCase) AutoOnboardOrganizations(ctx context.Context, use
 		}
 
 		// Ensure user membership
-		if err := uc.ensureUserMembership(ctx, orgUUID, userUUID, spec); err != nil {
+		if err := uc.ensureUserMembership(ctx, orgUUID, userUUID, PbRoleToBiz(spec.GetRole())); err != nil {
 			return fmt.Errorf("failed to ensure user membership: %w", err)
 		}
 	}
 
 	return nil
 }
 
-// ensureOrganizationExists ensures that an organization specified by the onboarding configuration exists.
-// If the organization does not exist, it creates it.
-func (uc *OrganizationUseCase) ensureOrganizationExists(ctx context.Context, spec *conf.OnboardingSpec) (*Organization, error) {
-	// Ensure the organization exists or create it if it doesn't
-	org, err := uc.orgRepo.FindByName(ctx, spec.GetName())
-	if err != nil {
-		return nil, fmt.Errorf("failed to find organization: %w", err)
-	} else if org == nil {
-		// Create the organization since it does not exist
-		org, err = uc.orgRepo.Create(ctx, spec.GetName())
-		if err != nil {
-			return nil, fmt.Errorf("failed to create organization: %w", err)
-		}
-
-		// Create default inline CAS-backend
-		if _, err := uc.casBackendUseCase.CreateInlineFallbackBackend(ctx, org.ID); err != nil {
-			return nil, fmt.Errorf("failed to create fallback backend: %w", err)
-		}
-	}
-
-	return org, nil
-}
-
 // ensureUserMembership ensures that a user is a member of the specified organization with the appropriate role.
 // If the membership does not exist, it creates it.
-func (uc *OrganizationUseCase) ensureUserMembership(ctx context.Context, orgUUID, userUUID uuid.UUID, spec *conf.OnboardingSpec) error {
+func (uc *OrganizationUseCase) ensureUserMembership(ctx context.Context, orgUUID, userUUID uuid.UUID, role authz.Role) error {
 	m, err := uc.membershipRepo.FindByOrgAndUser(ctx, orgUUID, userUUID)
 	if err != nil {
 		return fmt.Errorf("failed to find membership: %w", err)
@@ -317,10 +304,11 @@ func (uc *OrganizationUseCase) ensureUserMembership(ctx context.Context, orgUUID
 	}
 
 	// Create the membership with the specified role
-	_, err = uc.membershipRepo.Create(ctx, orgUUID, userUUID, true, PbRoleToBiz(spec.GetRole()))
+	_, err = uc.membershipRepo.Create(ctx, orgUUID, userUUID, true, role)
 	if err != nil {
 		return fmt.Errorf("failed to create membership: %w", err)
 	}
 
+	uc.logger.Infow("msg", "User auto-onboarded to organization", "org", orgUUID, "user", userUUID, "role", role)
 	return nil
 }

app/controlplane/pkg/biz/organization.go

@@ -275,9 +275,9 @@ func (s *OrgIntegrationTestSuite) SetupTest() {
 
 type AuthOnboardingTestSuite struct {
 	testhelpers.UseCasesEachTestSuite
-	usr, usr1 *biz.User
-	org       *biz.Organization
-	m         *biz.Membership
+	userWithoutOrg, userInOrg *biz.User
+	existingOrg               *biz.Organization
+	m                         *biz.Membership
 }
 
 func (s *AuthOnboardingTestSuite) SetupTest() {
@@ -286,109 +286,100 @@ func (s *AuthOnboardingTestSuite) SetupTest() {
 
 	s.TestingUseCases = testhelpers.NewTestingUseCases(t, testhelpers.WithOnboardingConfiguration([]*conf.OnboardingSpec{
 		{
-			Name: "testing-org",
+			Name: "non-existing-org",
 			Role: v1.MembershipRole_MEMBERSHIP_ROLE_ORG_VIEWER,
 		},
+		{
+			Name: "existing-org",
+			Role: v1.MembershipRole_MEMBERSHIP_ROLE_ORG_OWNER,
+		},
 	}))
 
-	s.setupUsersAndOrganization(ctx)
-	s.setupMembership(ctx)
-}
-
-func (s *AuthOnboardingTestSuite) setupUsersAndOrganization(ctx context.Context) {
+	// Create org and two users
 	var err error
-	s.org, err = s.Organization.Create(ctx, "onboarded-org")
+	s.existingOrg, err = s.Organization.Create(ctx, "existing-org")
 	require.NoError(s.T(), err)
 
-	s.usr, err = s.User.FindOrCreateByEmail(ctx, "foo@bar", true)
+	s.userWithoutOrg, err = s.User.FindOrCreateByEmail(ctx, "foo@bar", true)
 	require.NoError(s.T(), err)
 
-	s.usr1, err = s.User.FindOrCreateByEmail(ctx, "bar@foo", true)
+	s.userInOrg, err = s.User.FindOrCreateByEmail(ctx, "bar@foo", true)
 	require.NoError(s.T(), err)
-}
 
-func (s *AuthOnboardingTestSuite) setupMembership(ctx context.Context) {
-	var err error
-	s.m, err = s.Membership.Create(ctx, s.org.ID, s.usr1.ID, biz.WithMembershipRole(authz.RoleViewer))
+	// usr1 is already a member of the org
+	s.m, err = s.Membership.Create(ctx, s.existingOrg.ID, s.userInOrg.ID, biz.WithMembershipRole(authz.RoleViewer))
 	s.NoError(err)
 }
 
+// User without org only gets attached to the existing org
 func (s *AuthOnboardingTestSuite) TestAutoOnboardOrganizations() {
 	ctx := context.Background()
 
-	org, err := s.Repos.OrganizationRepo.FindByName(ctx, "testing-org")
-	s.Nil(err)
-	s.Nil(org)
-
-	err = s.Organization.AutoOnboardOrganizations(ctx, s.usr.ID)
+	// User has no memberships
+	memberships, err := s.Membership.ByUser(ctx, s.userWithoutOrg.ID)
 	s.NoError(err)
+	s.Len(memberships, 0)
 
-	org, err = s.Repos.OrganizationRepo.FindByName(ctx, "testing-org")
+	// Auto onboard
+	err = s.Organization.AutoOnboardOrganizations(ctx, s.userWithoutOrg.ID)
 	s.NoError(err)
-	s.NotNil(org)
 
-	m, err := s.Membership.FindByOrgAndUser(ctx, org.ID, s.usr.ID)
+	// User has now 1 membership that points to the existing org
+	memberships, err = s.Membership.ByUser(ctx, s.userWithoutOrg.ID)
 	s.NoError(err)
-	s.NotNil(m)
+	s.Len(memberships, 1)
+	s.Equal(s.existingOrg.ID, memberships[0].OrganizationID.String())
+	s.Equal(authz.RoleOwner, memberships[0].Role)
 }
 
-func (s *AuthOnboardingTestSuite) TestOnboardOrganizationsTwice() {
+func (s *AuthOnboardingTestSuite) TestAutoOnboardNoOrganizationsCreated() {
 	ctx := context.Background()
 
-	org, err := s.Repos.OrganizationRepo.FindByName(ctx, "testing-org")
-	s.Nil(err)
+	org, err := s.Repos.OrganizationRepo.FindByName(ctx, "non-existing-org")
+	s.NoError(err)
 	s.Nil(org)
 
-	// Call it once
-	err = s.Organization.AutoOnboardOrganizations(ctx, s.usr.ID)
+	// Auto onboard
+	err = s.Organization.AutoOnboardOrganizations(ctx, s.userWithoutOrg.ID)
 	s.NoError(err)
 
-	// Call it twice
-	err = s.Organization.AutoOnboardOrganizations(ctx, s.usr.ID)
+	// The org has not been created
+	org, err = s.Repos.OrganizationRepo.FindByName(ctx, "non-existing-org")
 	s.NoError(err)
+	s.Nil(org)
+}
 
-	org, err = s.Repos.OrganizationRepo.FindByName(ctx, "testing-org")
+func (s *AuthOnboardingTestSuite) TestOnboardOrganizationsTwice() {
+	ctx := context.Background()
+
+	// Auto onboard
+	err := s.Organization.AutoOnboardOrganizations(ctx, s.userWithoutOrg.ID)
+	s.NoError(err)
+	// Auto onboard again
+	err = s.Organization.AutoOnboardOrganizations(ctx, s.userWithoutOrg.ID)
 	s.NoError(err)
-	s.NotNil(org)
 
-	m, err := s.Membership.FindByOrgAndUser(ctx, org.ID, s.usr.ID)
+	// User has now 1 membership that points to the existing org
+	memberships, err := s.Membership.ByUser(ctx, s.userWithoutOrg.ID)
 	s.NoError(err)
-	s.NotNil(m)
+	s.Len(memberships, 1)
 }
 
 func (s *AuthOnboardingTestSuite) TestAutoOnboardWithExistingMemberships() {
 	ctx := context.Background()
 
-	org, err := s.Repos.OrganizationRepo.FindByName(ctx, s.org.Name)
-	s.Nil(err)
-	s.NotNil(org)
-
-	m, err := s.Membership.FindByOrgAndUser(ctx, org.ID, s.usr1.ID)
+	err := s.Organization.AutoOnboardOrganizations(ctx, s.userInOrg.ID)
 	s.NoError(err)
-	s.NotNil(m)
-	s.Equal(s.m.Role, m.Role)
 
-	err = s.Organization.AutoOnboardOrganizations(ctx, s.usr1.ID)
+	got, err := s.Membership.FindByOrgAndUser(ctx, s.existingOrg.ID, s.userInOrg.ID)
 	s.NoError(err)
-
-	newM, err := s.Membership.FindByOrgAndUser(ctx, org.ID, s.usr1.ID)
-	s.NoError(err)
-	s.NotNil(newM)
-	s.Equal(s.m.Role, newM.Role)
+	s.Equal(s.m, got)
 }
 
 func (s *AuthOnboardingTestSuite) TestAutoOnboardWithoutConfiguration() {
 	ctx := context.Background()
 	s.TestingUseCases = testhelpers.NewTestingUseCases(s.T())
 
-	org, err := s.Repos.OrganizationRepo.FindByName(ctx, "testing-org")
-	s.Nil(err)
-	s.Nil(org)
-
-	err = s.Organization.AutoOnboardOrganizations(ctx, s.usr.ID)
+	err := s.Organization.AutoOnboardOrganizations(ctx, s.userWithoutOrg.ID)
 	s.NoError(err)
-
-	org, err = s.Repos.OrganizationRepo.FindByName(ctx, "testing-org")
-	s.Nil(err)
-	s.Nil(org)
 }

app/controlplane/pkg/biz/organization_integration_test.go

@@ -26,6 +26,7 @@ import (
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz/testhelpers"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
 )
 
@@ -137,26 +138,25 @@ func (s *userOnboardingTestSuite) TestAutoOnboardOrganizationsNoConfiguration()
 
 func (s *userOnboardingTestSuite) TestAutoOnboardOrganizationsWithConfiguration() {
 	ctx := context.Background()
-	// Create a user with no orgs
-
+	const orgName = "existing-org"
 	s.TestingUseCases = testhelpers.NewTestingUseCases(s.T(), testhelpers.WithOnboardingConfiguration([]*conf.OnboardingSpec{
 		{
-			Name: "testing-org",
+			Name: orgName,
 			Role: v1.MembershipRole_MEMBERSHIP_ROLE_ORG_VIEWER,
 		},
 	}))
 
-	org, err := s.Repos.OrganizationRepo.FindByName(ctx, "testing-org")
-	s.Nil(err)
-	s.Nil(org)
+	// The user got onboarded in the existing org
+	org, err := s.Organization.Create(ctx, orgName)
+	require.NoError(s.T(), err)
 
 	user, err := s.User.FindOrCreateByEmail(ctx, "[email protected]")
 	s.NoError(err)
 	s.NotNil(user)
 
-	org, err = s.Repos.OrganizationRepo.FindByName(ctx, "testing-org")
+	m, err := s.Membership.FindByOrgAndUser(ctx, org.ID, user.ID)
 	s.NoError(err)
-	s.NotNil(org)
+	s.NotNil(m)
 }
 
 // Utility struct to hold the test suite