Merge branch 'main' of ssh://github.com/linuxfoundation/lfx-v2-mailing-list-service into andrest50/settings

andrest50 · andrest50 · commit f0c97522d016 · 2026-01-07T06:36:00.000-08:00
diff --git a/internal/service/grpsio_member_writer.go b/internal/service/grpsio_member_writer.go
@@ -19,6 +19,16 @@ import (
 	"github.com/linuxfoundation/lfx-v2-mailing-list-service/pkg/utils"
 )
 
+// groupsioMailingListMemberStub represents the minimal data needed for member access control
+type groupsioMailingListMemberStub struct {
+	// UID is the mailing list member ID.
+	UID string `json:"uid"`
+	// Username is the username (i.e. LFID) of the member. This is the identity of the user object in FGA.
+	Username string `json:"username"`
+	// MailingListUID is the mailing list ID for the mailing list the member belongs to.
+	MailingListUID string `json:"mailing_list_uid"`
+}
+
 // ensureMemberIdempotent checks if member already exists by Groups.io member ID or email
 // Returns existing entity if found, nil if not found, error on failure
 // Pattern mirrors ensureMailingListIdempotent
@@ -415,8 +425,8 @@ func (o *grpsIOWriterOrchestrator) DeleteGrpsIOMember(ctx context.Context, uid s
 	)
 
 	// Publish delete messages (indexer and access control)
-	if o.publisher != nil {
-		if err := o.publishMemberDeleteMessages(ctx, uid); err != nil {
+	if o.publisher != nil && member != nil {
+		if err := o.publishMemberDeleteMessages(ctx, uid, *member); err != nil {
 			slog.ErrorContext(ctx, "failed to publish member delete messages", "error", err)
 			// Don't fail the operation on message failure, delete succeeded
 		}
@@ -461,16 +471,24 @@ func (o *grpsIOWriterOrchestrator) publishMemberMessages(ctx context.Context, me
 		return fmt.Errorf("failed to build %s indexer message: %w", action, err)
 	}
 
-	// TODO: LFXV2-459 - Review and implement member access control logic for OpenFGA integration
-	// Access control message building and publishing will be implemented after research is complete
-
-	// Publish messages concurrently (only indexer for now)
+	// Prepare messages to publish
 	messages := []func() error{
 		func() error {
 			return o.publisher.Indexer(ctx, constants.IndexGroupsIOMemberSubject, indexerMessage)
 		},
 	}
 
+	// Only publish access control message if member has a username (required for FGA identity)
+	if member.Username != "" {
+		accessMessage := o.buildMemberAccessMessage(member)
+		messages = append(messages, func() error {
+			return o.publisher.Access(ctx, constants.PutMemberGroupsIOMailingListSubject, accessMessage)
+		})
+	} else {
+		slog.DebugContext(ctx, "skipping access control message - member has no username",
+			"member_uid", member.UID)
+	}
+
 	// Execute all messages concurrently
 	errPublishingMessage := concurrent.NewWorkerPool(len(messages)).Run(ctx, messages...)
 	if errPublishingMessage != nil {
@@ -489,15 +507,13 @@ func (o *grpsIOWriterOrchestrator) publishMemberMessages(ctx context.Context, me
 	return nil
 }
 
-// publishMemberDeleteMessages publishes member delete messages concurrently (for future use)
-// nolint:unused // Reserved for future member deletion functionality
-func (o *grpsIOWriterOrchestrator) publishMemberDeleteMessages(ctx context.Context, uid string) error {
+// publishMemberDeleteMessages publishes member delete messages concurrently
+func (o *grpsIOWriterOrchestrator) publishMemberDeleteMessages(ctx context.Context, uid string, member model.GrpsIOMember) error {
 	if o.publisher == nil {
 		slog.WarnContext(ctx, "publisher not available, skipping member delete message publishing")
 		return nil
 	}
 
-	// For delete messages, we just need the UID
 	indexerMessage := &model.IndexerMessage{
 		Action: model.ActionDeleted,
 		Tags:   []string{},
@@ -509,16 +525,22 @@ func (o *grpsIOWriterOrchestrator) publishMemberDeleteMessages(ctx context.Conte
 		return fmt.Errorf("failed to build member delete indexer message: %w", err)
 	}
 
-	// Publish delete messages concurrently
+	// Prepare messages to publish
 	messages := []func() error{
 		func() error {
 			return o.publisher.Indexer(ctx, constants.IndexGroupsIOMemberSubject, builtMessage)
 		},
-		// TODO: LFXV2-459 Implement proper member removal from mailing list relations
-		// Currently commented out to avoid deleting entire mailing list from OpenFGA
-		// func() error {
-		//	return o.publisher.Access(ctx, constants.DeleteAllAccessGroupsIOMemberSubject, uid)
-		// },
+	}
+
+	// Only publish access control message if member has a username (required for FGA identity)
+	if member.Username != "" {
+		accessMessage := o.buildMemberAccessMessage(&member)
+		messages = append(messages, func() error {
+			return o.publisher.Access(ctx, constants.RemoveMemberGroupsIOMailingListSubject, accessMessage)
+		})
+	} else {
+		slog.DebugContext(ctx, "skipping access control delete message - member has no username",
+			"member_uid", uid)
 	}
 
 	// Execute all messages concurrently
@@ -546,6 +568,15 @@ func (o *grpsIOWriterOrchestrator) buildMemberIndexerMessage(ctx context.Context
 	return indexerMessage.Build(ctx, member)
 }
 
+// buildMemberAccessMessage creates the access control message stub for OpenFGA integration
+func (o *grpsIOWriterOrchestrator) buildMemberAccessMessage(member *model.GrpsIOMember) *groupsioMailingListMemberStub {
+	return &groupsioMailingListMemberStub{
+		UID:            member.UID,
+		Username:       member.Username,
+		MailingListUID: member.MailingListUID,
+	}
+}
+
 // mergeMemberData merges existing member data with updated fields, preserving immutable fields
 func (o *grpsIOWriterOrchestrator) mergeMemberData(ctx context.Context, existing *model.GrpsIOMember, updated *model.GrpsIOMember) {
 	// Preserve immutable fields
diff --git a/pkg/constants/subjects.go b/pkg/constants/subjects.go
@@ -19,6 +19,9 @@ const (
 	UpdateAccessGroupsIOMailingListSubject    = "lfx.update_access.groupsio_mailing_list"
 	DeleteAllAccessGroupsIOMailingListSubject = "lfx.delete_all_access.groupsio_mailing_list"
 
+	PutMemberGroupsIOMailingListSubject    = "lfx.put_member.groupsio_mailing_list"
+	RemoveMemberGroupsIOMailingListSubject = "lfx.remove_member.groupsio_mailing_list"
+
 	// Committee event subjects from committee-api
 	CommitteeMemberCreatedSubject = "lfx.committee-api.committee_member.created"
 	CommitteeMemberDeletedSubject = "lfx.committee-api.committee_member.deleted"
