chore(guard): refresh protos and implement service account service

Author: hamir-suspect

guard/lib/guard/application.ex

@@ -184,6 +184,10 @@ defmodule Guard.Application do
         worker: Guard.GrpcServers.UserServer,
         active: System.get_env("START_GRPC_USER_API") == "true"
       },
+      %{
+        worker: Guard.GrpcServers.ServiceAccountServer,
+        active: System.get_env("START_GRPC_SERVICE_ACCOUNT_API") == "true"
+      },
       %{
         worker: Guard.GrpcServers.InstanceConfigServer,
         active: System.get_env("START_GRPC_INSTANCE_CONFIG_API") == "true"

guard/lib/guard/front_repo/favorite.ex

@@ -27,7 +27,9 @@ defmodule Guard.FrontRepo.Favorite do
     favorite
     |> cast(attrs, [:user_id, :favorite_id, :kind, :organization_id])
     |> validate_required([:user_id, :favorite_id, :kind, :organization_id])
-    |> unique_constraint([:user_id, :organization_id, :favorite_id, :kind], name: :favorites_index)
+    |> unique_constraint([:user_id, :organization_id, :favorite_id, :kind],
+      name: :favorites_index
+    )
   end
 
   @spec create_favorite(map()) :: {:ok, t()} | {:error, Ecto.Changeset.t()}

guard/lib/guard/front_repo/service_account.ex

@@ -0,0 +1,54 @@
+defmodule Guard.FrontRepo.ServiceAccount do
+  use Ecto.Schema
+  import Ecto.Changeset
+
+  @primary_key {:id, :binary_id, autogenerate: false}
+  @foreign_key_type :binary_id
+
+  @type t :: %__MODULE__{
+          id: String.t(),
+          description: String.t(),
+          creator_id: String.t(),
+          user: Guard.FrontRepo.User.t() | nil,
+          created_at: DateTime.t(),
+          updated_at: DateTime.t()
+        }
+
+  schema "service_accounts" do
+    field(:description, :string)
+    field(:creator_id, :binary_id)
+
+    # The id field itself is the foreign key to user
+    belongs_to(:user, Guard.FrontRepo.User, foreign_key: :id, define_field: false)
+
+    timestamps(inserted_at: :created_at, updated_at: :updated_at, type: :utc_datetime)
+  end
+
+  @doc """
+  Changeset for creating a new service account.
+  """
+  def changeset(service_account, attrs) do
+    service_account
+    |> cast(attrs, [:description, :id, :creator_id])
+    |> validate_required([:id, :creator_id])
+    |> validate_length(:description,
+      max: 500,
+      message: "Description cannot exceed 500 characters"
+    )
+    |> foreign_key_constraint(:id, name: :service_accounts_id_fkey)
+    |> foreign_key_constraint(:creator_id, name: :service_accounts_creator_id_fkey)
+  end
+
+  @doc """
+  Changeset for updating an existing service account.
+  Only allows updating the description field.
+  """
+  def update_changeset(service_account, attrs) do
+    service_account
+    |> cast(attrs, [:description])
+    |> validate_length(:description,
+      max: 500,
+      message: "Description cannot exceed 500 characters"
+    )
+  end
+end

guard/lib/guard/front_repo/user.ex

@@ -41,7 +41,7 @@ defmodule Guard.FrontRepo.User do
     field(:remember_created_at, :utc_datetime)
     field(:visited_at, :utc_datetime)
 
-    field(:creation_source, Ecto.Enum, values: [:okta, :saml_jit])
+    field(:creation_source, Ecto.Enum, values: [:okta, :saml_jit, :service_account])
     field(:single_org_user, :boolean)
     field(:org_id, :binary_id)
     field(:idempotency_token, :string)
@@ -53,6 +53,9 @@ defmodule Guard.FrontRepo.User do
     field(:deactivated, :boolean)
     field(:deactivated_at, :utc_datetime)
 
+    # Service account relationship
+    has_one(:service_account, Guard.FrontRepo.ServiceAccount, foreign_key: :id)
+
     timestamps(inserted_at: :created_at, updated_at: :updated_at, type: :utc_datetime)
   end
 
@@ -229,4 +232,58 @@ defmodule Guard.FrontRepo.User do
 
     invalid_token_string or exists_by_token
   end
+
+  @doc """
+  Returns true if the user is a service account.
+  """
+  def service_account?(%__MODULE__{creation_source: :service_account}), do: true
+  def service_account?(_user), do: false
+
+  @doc """
+  Changeset for creating a service account user.
+  This validates the specific requirements for service account users.
+  """
+  def service_account_changeset(user, params) do
+    user
+    |> cast(params, [
+      :email,
+      :name,
+      :company,
+      :authentication_token,
+      :salt,
+      :creation_source,
+      :single_org_user,
+      :org_id,
+      :idempotency_token
+    ])
+    |> validate_required([:email, :name, :creation_source, :org_id])
+    |> validate_inclusion(:creation_source, [:service_account])
+    |> put_change(:single_org_user, true)
+    |> validate_format(:email, ~r/^[\w\-\.]+@sa\.[\w\-\.]+\.semaphoreci\.com$/i,
+      message:
+        "Service account email must follow the format: [email protected]"
+    )
+    |> unique_constraint(:email, name: :index_users_on_email)
+    |> unique_constraint(:authentication_token, name: :index_users_on_authentication_token)
+    |> unique_constraint(:idempotency_token, name: "users_idempotency_token_index")
+  end
+
+  @doc """
+  Generates a synthetic email for a service account.
+  """
+  def generate_service_account_email(service_account_name, organization_name) do
+    # Sanitize names to ensure valid email format
+    sanitized_sa_name = sanitize_email_part(service_account_name)
+    sanitized_org_name = sanitize_email_part(organization_name)
+
+    "#{sanitized_sa_name}@sa.#{sanitized_org_name}.semaphoreci.com"
+  end
+
+  defp sanitize_email_part(name) do
+    name
+    |> String.downcase()
+    |> String.replace(~r/[^a-z0-9\-]/, "-")
+    |> String.replace(~r/-+/, "-")
+    |> String.trim("-")
+  end
 end