UUIDs and Org Scoping (#2329)

* wip

* add org scoping, test to demo

* adjust db helper and initialization

Author: breardon2011

taco/cmd/statesman/main.go

@@ -111,8 +111,21 @@ func main() {
 
 	// create repository
 	// repository coordinates blob storage with query index internally
-	repo := repositories.NewUnitRepository(blobStore, queryStore)
-	log.Println("Repository initialized (coordinates blob + query)")
+	// Get the underlying *gorm.DB from the query store
+	db := repositories.GetDBFromQueryStore(queryStore)
+	if db == nil {
+		log.Fatalf("Query store does not provide GetDB method")
+	}
+	
+	// Ensure default organization exists
+	defaultOrgUUID, err := repositories.EnsureDefaultOrganization(context.Background(), db)
+	if err != nil {
+		log.Fatalf("Failed to ensure default organization: %v", err)
+	}
+	log.Printf("Default organization ensured: %s", defaultOrgUUID)
+	
+	repo := repositories.NewUnitRepository(db, blobStore)
+	log.Println("Repository initialized (database-first with blob storage backend)")
 
 	// Create RBAC Manager
 	rbacManager, err := rbac.NewRBACManagerFromQueryStore(queryStore)
@@ -128,8 +141,12 @@ func main() {
 	if !*authDisable {
 		log.Println("Authorization is ENABLED. Wrapping repository with RBAC.")
 
+		// Create bootstrap context with default org for RBAC check
+		// During startup, we need org context to check RBAC status
+		bootstrapCtx := domain.ContextWithOrg(context.Background(), defaultOrgUUID)
+		
 		// Verify RBAC manager was created successfully (fail closed for security)
-		canInit, err := rbacManager.IsEnabled(context.Background())
+		canInit, err := rbacManager.IsEnabled(bootstrapCtx)
 		if err != nil {
 			log.Fatalf("Failed to verify RBAC manager: %v", err)
 		}
@@ -144,8 +161,8 @@ func main() {
 	}
 
 	// Initialize analytics with system ID management (always create system ID)
-	// Analytics uses the full repository for storage operations
-	analytics.InitGlobalWithSystemID("production", fullRepo)
+	// Analytics uses the blob store for storage operations
+	analytics.InitGlobalWithSystemID("production", blobStore)
 	// Initialize system ID synchronously during startup
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
@@ -184,7 +201,8 @@ func main() {
 
 	// Register routes with interface-based dependencies
 	api.RegisterRoutes(e, api.Dependencies{
-		Repository:  fullRepo,      // Coordinated unit operations
+		Repository:  fullRepo,      // RBAC-wrapped repository (used by all routes)
+		BlobStore:   blobStore,     // Direct blob access (for legacy components)
 		QueryStore:  queryStore,    // Direct query access
 		RBACManager: rbacManager,   // RBAC management
 		Signer:      signer,        // JWT signing

taco/cmd/taco/commands/login.go

@@ -231,9 +231,24 @@ func exchangeCodeForTokens(tokenURL, clientID, redirectURI, code, verifier strin
     resp, err := http.DefaultClient.Do(req)
     if err != nil { return nil, err }
     defer resp.Body.Close()
-    if resp.StatusCode != 200 { return nil, fmt.Errorf("token http %d", resp.StatusCode) }
+    
+    // Read response body for error details
+    body, _ := io.ReadAll(resp.Body)
+    
+    if resp.StatusCode != 200 {
+        // Try to parse Auth0/OIDC error response
+        var errResp struct {
+            Error            string `json:"error"`
+            ErrorDescription string `json:"error_description"`
+        }
+        if json.Unmarshal(body, &errResp) == nil && errResp.Error != "" {
+            return nil, fmt.Errorf("token exchange failed (HTTP %d): %s - %s", resp.StatusCode, errResp.Error, errResp.ErrorDescription)
+        }
+        return nil, fmt.Errorf("token http %d: %s", resp.StatusCode, string(body))
+    }
+    
     var out struct{ IDToken string `json:"id_token"` }
-    if err := json.NewDecoder(resp.Body).Decode(&out); err != nil { return nil, err }
+    if err := json.Unmarshal(body, &out); err != nil { return nil, err }
     return &out, nil
 }
 

taco/internal/api/internal.go

@@ -32,9 +32,22 @@ func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
 		userRepo = repositories.NewUserRepositoryFromQueryStore(deps.QueryStore)
 	}
 
-	// Create internal group with webhook auth (with orgRepo for existence check)
+	// Create internal group with webhook auth
 	internal := e.Group("/internal/api")
-	internal.Use(middleware.WebhookAuth(orgRepo))
+	internal.Use(middleware.WebhookAuth())
+	
+	// Add org resolution middleware - resolves org name to UUID and adds to domain context
+	if deps.QueryStore != nil {
+		if db := repositories.GetDBFromQueryStore(deps.QueryStore); db != nil {
+			// Create identifier resolver (infrastructure layer)
+			identifierResolver := repositories.NewIdentifierResolver(db)
+			// Pass interface to middleware (clean architecture!)
+			internal.Use(middleware.ResolveOrgContextMiddleware(identifierResolver))
+			log.Println("Org context resolution middleware enabled for internal routes")
+		} else {
+			log.Println("WARNING: QueryStore does not implement GetDB() *gorm.DB - org resolution disabled")
+		}
+	}
 
 	// Organization and User management endpoints
 	if orgRepo != nil && userRepo != nil {
@@ -70,50 +83,44 @@ func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
 		log.Println("RBAC management endpoints registered at /internal/api/rbac")
 	}
 
-	orgService := domain.NewOrgService()
-	orgScopedRepo := repositories.NewOrgScopedRepository(deps.Repository, orgService)
+	// For internal routes, use RBAC-wrapped repository
+	// Architecture:
+	// - Webhook secret authenticates the SYSTEM (backend orchestrator) 
+	// - X-User-ID header identifies the END USER making the request
+	// - RBAC enforces what that USER can do (via repository layer)
+	// - Org scoping handled by middleware (ResolveOrgContextMiddleware) + database foreign keys
+	
+	// Create identifier resolver for unit name→UUID resolution
+	var identifierResolver domain.IdentifierResolver
+	if deps.QueryStore != nil {
+		if db := repositories.GetDBFromQueryStore(deps.QueryStore); db != nil {
+			identifierResolver = repositories.NewIdentifierResolver(db)
+		}
+	}
 
-	// Create handler with org-scoped repository
-	// The repository will automatically:
-	// - Filter List() to org namespace
-	// - Validate all operations belong to user's org
+	// Create handler with org-scoped + RBAC-wrapped repository
 	unitHandler := unithandlers.NewHandler(
-		domain.UnitManagement(orgScopedRepo),
+		domain.UnitManagement(deps.Repository), // Use RBAC-wrapped repository directly
+		deps.BlobStore,
 		deps.RBACManager,
 		deps.Signer,
 		deps.QueryStore,
+		identifierResolver,
 	)
 
-
-
-
-	if deps.RBACManager != nil {
-		// With RBAC - apply RBAC permission checks
-		// Org scoping is automatic via orgScopedRepository
-		internal.POST("/units", wrapWithWebhookRBAC(deps.RBACManager, rbac.ActionUnitWrite, "*")(unitHandler.CreateUnit))
-		internal.GET("/units", unitHandler.ListUnits) // Automatically filters by org
-		internal.GET("/units/:id", wrapWithWebhookRBAC(deps.RBACManager, rbac.ActionUnitRead, "{id}")(unitHandler.GetUnit))
-		internal.DELETE("/units/:id", wrapWithWebhookRBAC(deps.RBACManager, rbac.ActionUnitDelete, "{id}")(unitHandler.DeleteUnit))
-		internal.GET("/units/:id/download", wrapWithWebhookRBAC(deps.RBACManager, rbac.ActionUnitRead, "{id}")(unitHandler.DownloadUnit))
-		internal.POST("/units/:id/upload", wrapWithWebhookRBAC(deps.RBACManager, rbac.ActionUnitWrite, "{id}")(unitHandler.UploadUnit))
-		internal.POST("/units/:id/lock", wrapWithWebhookRBAC(deps.RBACManager, rbac.ActionUnitLock, "{id}")(unitHandler.LockUnit))
-		internal.DELETE("/units/:id/unlock", wrapWithWebhookRBAC(deps.RBACManager, rbac.ActionUnitLock, "{id}")(unitHandler.UnlockUnit))
-		internal.GET("/units/:id/status", wrapWithWebhookRBAC(deps.RBACManager, rbac.ActionUnitRead, "{id}")(unitHandler.GetUnitStatus))
-		internal.GET("/units/:id/versions", wrapWithWebhookRBAC(deps.RBACManager, rbac.ActionUnitRead, "{id}")(unitHandler.ListVersions))
-		internal.POST("/units/:id/restore", wrapWithWebhookRBAC(deps.RBACManager, rbac.ActionUnitWrite, "{id}")(unitHandler.RestoreVersion))
-	} else {
-		internal.POST("/units", unitHandler.CreateUnit)
-		internal.GET("/units", unitHandler.ListUnits)
-		internal.GET("/units/:id", unitHandler.GetUnit)
-		internal.DELETE("/units/:id", unitHandler.DeleteUnit)
-		internal.GET("/units/:id/download", unitHandler.DownloadUnit)
-		internal.POST("/units/:id/upload", unitHandler.UploadUnit)
-		internal.POST("/units/:id/lock", unitHandler.LockUnit)
-		internal.DELETE("/units/:id/unlock", unitHandler.UnlockUnit)
-		internal.GET("/units/:id/status", unitHandler.GetUnitStatus)
-		internal.GET("/units/:id/versions", unitHandler.ListVersions)
-		internal.POST("/units/:id/restore", unitHandler.RestoreVersion)
-	}
+	// Internal routes with RBAC enforcement
+	// Note: Users must have permissions assigned via /internal/api/rbac endpoints
+	internal.POST("/units", unitHandler.CreateUnit)
+	internal.GET("/units", unitHandler.ListUnits)
+	internal.GET("/units/:id", unitHandler.GetUnit)
+	internal.DELETE("/units/:id", unitHandler.DeleteUnit)
+	internal.GET("/units/:id/download", unitHandler.DownloadUnit)
+	internal.POST("/units/:id/upload", unitHandler.UploadUnit)
+	internal.POST("/units/:id/lock", unitHandler.LockUnit)
+	internal.DELETE("/units/:id/unlock", unitHandler.UnlockUnit)
+	internal.GET("/units/:id/status", unitHandler.GetUnitStatus)
+	internal.GET("/units/:id/versions", unitHandler.ListVersions)
+	internal.POST("/units/:id/restore", unitHandler.RestoreVersion)
 
 	// Health check for internal routes
 	internal.GET("/health", func(c echo.Context) error {
@@ -153,7 +160,6 @@ func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
 
 	log.Printf("Internal routes registered at /internal/api/* with webhook authentication")
 }
-
 // wrapWithWebhookRBAC wraps a handler with RBAC permission checking
 func wrapWithWebhookRBAC(manager *rbac.RBACManager, action rbac.Action, resource string) func(echo.HandlerFunc) echo.HandlerFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
@@ -208,3 +214,4 @@ func wrapWithWebhookRBAC(manager *rbac.RBACManager, action rbac.Action, resource
 		}
 	}
 }
+

taco/internal/api/org_handler.go

@@ -29,16 +29,17 @@ func NewOrgHandler(orgRepo domain.OrganizationRepository, userRepo domain.UserRe
 
 // CreateOrgRequest is the request body for creating an organization
 type CreateOrgRequest struct {
-	OrgID string `json:"org_id" validate:"required"`
-	Name  string `json:"name" validate:"required"`
+	Name        string `json:"name" validate:"required"`         // Unique identifier (e.g., "acme")
+	DisplayName string `json:"display_name" validate:"required"` // Friendly name (e.g., "Acme Corp")
 }
 
 // CreateOrgResponse is the response for creating an organization
 type CreateOrgResponse struct {
-	OrgID     string `json:"org_id"`
-	Name      string `json:"name"`
-	CreatedBy string `json:"created_by"`
-	CreatedAt string `json:"created_at"`
+	ID          string `json:"id"`           // UUID
+	Name        string `json:"name"`         // Unique identifier
+	DisplayName string `json:"display_name"` // Friendly name
+	CreatedBy   string `json:"created_by"`
+	CreatedAt   string `json:"created_at"`
 }
 
 // CreateOrganization handles POST /internal/orgs
@@ -82,15 +83,15 @@ func (h *OrgHandler) CreateOrganization(c echo.Context) error {
 		})
 	}
 
-	if req.OrgID == "" || req.Name == "" {
+	if req.Name == "" || req.DisplayName == "" {
 		return c.JSON(http.StatusBadRequest, map[string]string{
-			"error": "org_id and name are required",
+			"error": "name and display_name are required",
 		})
 	}
 
 	slog.Info("Creating organization",
-		"orgID", req.OrgID,
 		"name", req.Name,
+		"displayName", req.DisplayName,
 		"createdBy", userIDStr,
 	)
 
@@ -101,7 +102,7 @@ func (h *OrgHandler) CreateOrganization(c echo.Context) error {
 
 	// Create organization in transaction
 	err := h.orgRepo.WithTransaction(ctx, func(ctx context.Context, txRepo domain.OrganizationRepository) error {
-		createdOrg, err := txRepo.Create(ctx, req.OrgID, req.Name, userIDStr)
+		createdOrg, err := txRepo.Create(ctx, req.Name, req.DisplayName, userIDStr)
 		if err != nil {
 			return err
 		}
@@ -123,7 +124,7 @@ func (h *OrgHandler) CreateOrganization(c echo.Context) error {
 		}
 
 		slog.Error("Failed to create organization",
-			"orgID", req.OrgID,
+			"name", req.Name,
 			"error", err,
 		)
 		return c.JSON(http.StatusInternalServerError, map[string]string{
@@ -135,33 +136,37 @@ func (h *OrgHandler) CreateOrganization(c echo.Context) error {
 	// Initialize RBAC after org creation (outside transaction for SQLite compatibility)
 	if h.rbacManager != nil {
 		slog.Info("Initializing RBAC for new organization",
-			"orgID", req.OrgID,
+			"orgName", req.Name,
+			"orgID", org.ID,
 			"adminUser", userIDStr,
 		)
 
-		if err := h.rbacManager.InitializeRBAC(ctx, userIDStr, emailStr); err != nil {
+		if err := h.rbacManager.InitializeRBAC(ctx, org.ID, userIDStr, emailStr); err != nil {
 			// Org was created but RBAC failed - log warning but don't fail the request
 			// User can retry RBAC initialization or assign roles manually
 			slog.Warn("Organization created but RBAC initialization failed",
-				"orgID", req.OrgID,
+				"orgName", req.Name,
+				"orgID", org.ID,
 				"error", err,
 				"recommendation", "RBAC can be initialized later via /rbac/init endpoint",
 			)
 			// Continue with success response - org was created
 		} else {
 			slog.Info("RBAC initialized successfully",
-				"orgID", req.OrgID,
+				"orgName", req.Name,
+				"orgID", org.ID,
 				"adminUser", userIDStr,
 			)
 		}
 	}
 
 	// Success - org created (and RBAC initialized if available)
 	return c.JSON(http.StatusCreated, CreateOrgResponse{
-		OrgID:     org.OrgID,
-		Name:      org.Name,
-		CreatedBy: org.CreatedBy,
-		CreatedAt: org.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
+		ID:          org.ID,
+		Name:        org.Name,
+		DisplayName: org.DisplayName,
+		CreatedBy:   org.CreatedBy,
+		CreatedAt:   org.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
 	})
 }
 
@@ -193,11 +198,12 @@ func (h *OrgHandler) GetOrganization(c echo.Context) error {
 	}
 
 	return c.JSON(http.StatusOK, map[string]interface{}{
-		"org_id":     org.OrgID,
-		"name":       org.Name,
-		"created_by": org.CreatedBy,
-		"created_at": org.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
-		"updated_at": org.UpdatedAt.Format("2006-01-02T15:04:05Z07:00"),
+		"id":           org.ID,
+		"name":         org.Name,
+		"display_name": org.DisplayName,
+		"created_by":   org.CreatedBy,
+		"created_at":   org.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
+		"updated_at":   org.UpdatedAt.Format("2006-01-02T15:04:05Z07:00"),
 	})
 }
 
@@ -216,11 +222,12 @@ func (h *OrgHandler) ListOrganizations(c echo.Context) error {
 	response := make([]map[string]interface{}, len(orgs))
 	for i, org := range orgs {
 		response[i] = map[string]interface{}{
-			"org_id":     org.OrgID,
-			"name":       org.Name,
-			"created_by": org.CreatedBy,
-			"created_at": org.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
-			"updated_at": org.UpdatedAt.Format("2006-01-02T15:04:05Z07:00"),
+			"id":           org.ID,
+			"name":         org.Name,
+			"display_name": org.DisplayName,
+			"created_by":   org.CreatedBy,
+			"created_at":   org.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
+			"updated_at":   org.UpdatedAt.Format("2006-01-02T15:04:05Z07:00"),
 		}
 	}