feat: add role_id to assign to the service account

hamir-suspect · hamir-suspect · commit 5748458c34a6 · 2025-07-24T11:42:58.000+02:00
diff --git a/guard/lib/guard/service_account/actions.ex b/guard/lib/guard/service_account/actions.ex
@@ -16,7 +16,8 @@ defmodule Guard.ServiceAccount.Actions do
           org_id: String.t(),
           name: String.t(),
           description: String.t(),
-          creator_id: String.t()
+          creator_id: String.t(),
+          role_id: String.t()
         }
 
   @doc """
@@ -28,15 +29,21 @@ defmodule Guard.ServiceAccount.Actions do
   3. Creates a service_account record
   4. Generates an API token
   5. Creates RBAC user record
-  6. Publishes UserCreated event
+  6. Assigns the specified role to the service account
+  7. Publishes UserCreated event
 
   Returns {:ok, %{service_account: service_account, api_token: api_token}} or {:error, reason}
   """
   @spec create(service_account_params()) ::
           {:ok, %{service_account: map(), api_token: String.t()}} | {:error, atom() | list()}
   def create(
-        %{org_id: _org_id, name: _name, description: _description, creator_id: _creator_id} =
-          params
+        %{
+          org_id: _org_id,
+          name: _name,
+          description: _description,
+          creator_id: _creator_id,
+          role_id: _role_id
+        } = params
       ) do
     case _create(params) do
       {:ok, {service_account, api_token}} ->
@@ -124,7 +131,13 @@ defmodule Guard.ServiceAccount.Actions do
   defp _create(params) do
     FrontRepo.transaction(fn ->
       with {:ok, result} <- ServiceAccount.create(params),
-           {:ok, _rbac_user} <- create_rbac_user(result.service_account) do
+           {:ok, _rbac_user} <- create_rbac_user(result.service_account),
+           :ok <-
+             Guard.Api.Rbac.assign_role(
+               result.service_account.org_id,
+               result.service_account.id,
+               params.role_id
+             ) do
         # Return the service account data and API token
         {result.service_account, result.api_token}
       else
diff --git a/guard/lib/guard/store/service_account.ex b/guard/lib/guard/store/service_account.ex
@@ -384,8 +384,8 @@ defmodule Guard.Store.ServiceAccount do
       user_id: user.id,
       email: user.email,
       user: user,
-      created_at: service_account.created_at,
-      updated_at: service_account.updated_at
+      created_at: user.created_at,
+      updated_at: user.updated_at
     }
   end
 end
diff --git a/guard/lib/internal_api/service_account.pb.ex b/guard/lib/internal_api/service_account.pb.ex
@@ -6,14 +6,16 @@ defmodule InternalApi.ServiceAccount.CreateRequest do
           org_id: String.t(),
           name: String.t(),
           description: String.t(),
-          creator_id: String.t()
+          creator_id: String.t(),
+          role_id: String.t()
         }
 
-  defstruct [:org_id, :name, :description, :creator_id]
+  defstruct [:org_id, :name, :description, :creator_id, :role_id]
   field(:org_id, 1, type: :string)
   field(:name, 2, type: :string)
   field(:description, 3, type: :string)
   field(:creator_id, 4, type: :string)
+  field(:role_id, 5, type: :string)
 end
 
 defmodule InternalApi.ServiceAccount.CreateResponse do
diff --git a/guard/test/guard/service_account/actions_test.exs b/guard/test/guard/service_account/actions_test.exs
@@ -34,6 +34,7 @@ defmodule Guard.ServiceAccount.ActionsTest do
            create: fn _, _, _, _ -> :ok end,
            fetch: fn _ -> %{id: "rbac-user-id", user_id: "user-id"} end
          ]},
+        {Guard.Api.Rbac, [:passthrough], [assign_role: fn _, _, _ -> :ok end]},
         {Guard.Events.UserCreated, [:passthrough], [publish: fn _, _ -> :ok end]}
       ]) do
         params = ServiceAccountFactory.build_params()
@@ -80,6 +81,7 @@ defmodule Guard.ServiceAccount.ActionsTest do
            end,
            fetch: fn _ -> %{id: "rbac-user-id", user_id: "user-id"} end
          ]},
+        {Guard.Api.Rbac, [:passthrough], [assign_role: fn _, _, _ -> :ok end]},
         {Guard.Events.UserCreated, [:passthrough], [publish: fn _, _ -> :ok end]}
       ]) do
         params = ServiceAccountFactory.build_params()
@@ -95,11 +97,17 @@ defmodule Guard.ServiceAccount.ActionsTest do
             "Test SA"
           )
         )
+
+        # Verify role assignment was called
+        assert_called(Guard.Api.Rbac.assign_role("org-id", "user-id", :_))
       end
     end
 
     test "handles service account creation failure" do
-      with_mock ServiceAccount, [:passthrough], create: fn _ -> {:error, :creation_failed} end do
+      with_mocks([
+        {ServiceAccount, [:passthrough], [create: fn _ -> {:error, :creation_failed} end]},
+        {Guard.Api.Rbac, [:passthrough], [assign_role: fn _, _, _ -> :ok end]}
+      ]) do
         params = ServiceAccountFactory.build_params()
 
         {:error, :creation_failed} = Actions.create(params)
@@ -131,6 +139,7 @@ defmodule Guard.ServiceAccount.ActionsTest do
          [
            create: fn _, _, _, _ -> :error end
          ]},
+        {Guard.Api.Rbac, [:passthrough], [assign_role: fn _, _, _ -> :ok end]},
         {Guard.Events.UserCreated, [:passthrough], [publish: fn _, _ -> :ok end]}
       ]) do
         params = ServiceAccountFactory.build_params()
@@ -167,16 +176,59 @@ defmodule Guard.ServiceAccount.ActionsTest do
          [
            create: fn _, _, _, _ -> :ok end,
            fetch: fn _ -> nil end
-         ]}
+         ]},
+        {Guard.Api.Rbac, [:passthrough], [assign_role: fn _, _, _ -> :ok end]}
       ]) do
         params = ServiceAccountFactory.build_params()
 
         {:error, :rbac_user_not_found} = Actions.create(params)
       end
     end
 
+    test "handles role assignment failure" do
+      with_mocks([
+        {ServiceAccount, [:passthrough],
+         [
+           create: fn _ ->
+             {:ok,
+              %{
+                service_account: %{
+                  id: "user-id",
+                  user_id: "user-id",
+                  name: "Test SA",
+                  description: "Test Description",
+                  org_id: "org-id",
+                  creator_id: "creator-id",
+                  deactivated: false,
+                  email: "test@example.com"
+                },
+                api_token: "test-token"
+              }}
+           end
+         ]},
+        {Guard.Store.RbacUser, [:passthrough],
+         [
+           create: fn _, _, _, _ -> :ok end,
+           fetch: fn _ -> %{id: "rbac-user-id", user_id: "user-id"} end
+         ]},
+        {Guard.Api.Rbac, [:passthrough],
+         [assign_role: fn _, _, _ -> {:error, :assignment_failed} end]},
+        {Guard.Events.UserCreated, [:passthrough], [publish: fn _, _ -> :ok end]}
+      ]) do
+        params = ServiceAccountFactory.build_params()
+
+        {:error, :assignment_failed} = Actions.create(params)
+
+        # Verify event was NOT published on failure
+        refute called(Guard.Events.UserCreated.publish(:_, :_))
+      end
+    end
+
     test "handles service account store creation failure" do
-      with_mock ServiceAccount, [:passthrough], create: fn _ -> {:error, :creation_failed} end do
+      with_mocks([
+        {ServiceAccount, [:passthrough], [create: fn _ -> {:error, :creation_failed} end]},
+        {Guard.Api.Rbac, [:passthrough], [assign_role: fn _, _, _ -> :ok end]}
+      ]) do
         params = ServiceAccountFactory.build_params()
 
         {:error, :creation_failed} = Actions.create(params)
@@ -335,9 +387,10 @@ defmodule Guard.ServiceAccount.ActionsTest do
          [reset_auth_token: fn _ -> {:ok, "test-token"} end]},
         {Guard.Store.RbacUser, [:passthrough],
          [
-           create: fn _, _, _ -> :ok end,
+           create: fn _, _, _, _ -> :ok end,
            fetch: fn _ -> %{id: "rbac-user-id"} end
          ]},
+        {Guard.Api.Rbac, [:passthrough], [assign_role: fn _, _, _ -> :ok end]},
         {Guard.Events.UserCreated, [:passthrough], [publish: fn _, _ -> :ok end]}
       ]) do
         params =
@@ -372,9 +425,10 @@ defmodule Guard.ServiceAccount.ActionsTest do
          [reset_auth_token: fn _ -> {:ok, "test-token"} end]},
         {Guard.Store.RbacUser, [:passthrough],
          [
-           create: fn _, _, _ -> :ok end,
+           create: fn _, _, _, _ -> :ok end,
            fetch: fn _ -> %{id: "rbac-user-id"} end
          ]},
+        {Guard.Api.Rbac, [:passthrough], [assign_role: fn _, _, _ -> :ok end]},
         {Guard.Events.UserCreated, [:passthrough], [publish: fn _, _ -> :ok end]}
       ]) do
         # Create service account first
diff --git a/guard/test/support/factories/service_account_factory.ex b/guard/test/support/factories/service_account_factory.ex
@@ -60,7 +60,8 @@ defmodule Support.Factories.ServiceAccountFactory do
       org_id: get_org_id(options[:org_id]),
       name: get_name(options[:name]),
       description: get_description(options[:description]),
-      creator_id: get_creator_id(options[:creator_id])
+      creator_id: get_creator_id(options[:creator_id]),
+      role_id: get_role_id(options[:role_id])
     }
   end
 
@@ -75,7 +76,8 @@ defmodule Support.Factories.ServiceAccountFactory do
       org_id: get_org_id(options[:org_id]),
       name: get_name(options[:name]),
       description: get_description(options[:description]),
-      creator_id: creator_user.id
+      creator_id: creator_user.id,
+      role_id: get_role_id(options[:role_id])
     }
   end
 
@@ -110,6 +112,9 @@ defmodule Support.Factories.ServiceAccountFactory do
     "#{sanitized_name}@sa.test-org.#{Application.fetch_env!(:guard, :base_domain)}"
   end
 
+  defp get_role_id(nil), do: UUID.generate()
+  defp get_role_id(role_id), do: role_id
+
   defp generate_token_hash do
     # Generate a simple hash for testing
     :crypto.hash(:sha256, UUID.generate()) |> Base.encode64()
