feat: deactivate and reactivate service account

Author: hamir-suspect

guard/lib/guard/grpc_servers/service_account_server.ex

@@ -185,28 +185,88 @@ defmodule Guard.GrpcServers.ServiceAccountServer do
     )
   end
 
-  @spec delete(ServiceAccountPB.DeleteRequest.t(), GRPC.Server.Stream.t()) ::
-          ServiceAccountPB.DeleteResponse.t()
-  def delete(%ServiceAccountPB.DeleteRequest{service_account_id: service_account_id}, _stream) do
+  @spec deactivate(ServiceAccountPB.DeactivateRequest.t(), GRPC.Server.Stream.t()) ::
+          ServiceAccountPB.DeactivateResponse.t()
+  def deactivate(
+        %ServiceAccountPB.DeactivateRequest{service_account_id: service_account_id},
+        _stream
+      ) do
+    observe_and_log(
+      "grpc.service_account.deactivate",
+      %{service_account_id: service_account_id},
+      fn ->
+        validate_uuid!(service_account_id)
+
+        case Guard.ServiceAccount.Actions.deactivate(service_account_id) do
+          {:ok, :deactivated} ->
+            ServiceAccountPB.DeactivateResponse.new()
+
+          {:error, :not_found} ->
+            grpc_error!(:not_found, "Service account #{service_account_id} not found")
+
+          {:error, reason} ->
+            Logger.error(
+              "Failed to deactivate service account #{service_account_id}: #{inspect(reason)}"
+            )
+
+            grpc_error!(:internal, "Failed to deactivate service account")
+        end
+      end
+    )
+  end
+
+  @spec reactivate(ServiceAccountPB.ReactivateRequest.t(), GRPC.Server.Stream.t()) ::
+          ServiceAccountPB.ReactivateResponse.t()
+  def reactivate(
+        %ServiceAccountPB.ReactivateRequest{service_account_id: service_account_id},
+        _stream
+      ) do
+    observe_and_log(
+      "grpc.service_account.reactivate",
+      %{service_account_id: service_account_id},
+      fn ->
+        validate_uuid!(service_account_id)
+
+        case Guard.ServiceAccount.Actions.reactivate(service_account_id) do
+          {:ok, :reactivated} ->
+            ServiceAccountPB.ReactivateResponse.new()
+
+          {:error, :not_found} ->
+            grpc_error!(:not_found, "Service account #{service_account_id} not found")
+
+          {:error, reason} ->
+            Logger.error(
+              "Failed to reactivate service account #{service_account_id}: #{inspect(reason)}"
+            )
+
+            grpc_error!(:internal, "Failed to reactivate service account")
+        end
+      end
+    )
+  end
+
+  @spec destroy(ServiceAccountPB.DestroyRequest.t(), GRPC.Server.Stream.t()) ::
+          ServiceAccountPB.DestroyResponse.t()
+  def destroy(%ServiceAccountPB.DestroyRequest{service_account_id: service_account_id}, _stream) do
     observe_and_log(
-      "grpc.service_account.delete",
+      "grpc.service_account.destroy",
       %{service_account_id: service_account_id},
       fn ->
         validate_uuid!(service_account_id)
 
-        case Guard.ServiceAccount.Actions.delete(service_account_id) do
-          {:ok, :deleted} ->
-            ServiceAccountPB.DeleteResponse.new()
+        case Guard.ServiceAccount.Actions.destroy(service_account_id) do
+          {:ok, :destroyed} ->
+            ServiceAccountPB.DestroyResponse.new()
 
           {:error, :not_found} ->
             grpc_error!(:not_found, "Service account #{service_account_id} not found")
 
           {:error, reason} ->
             Logger.error(
-              "Failed to delete service account #{service_account_id}: #{inspect(reason)}"
+              "Failed to destroy service account #{service_account_id}: #{inspect(reason)}"
             )
 
-            grpc_error!(:internal, "Failed to delete service account")
+            grpc_error!(:internal, "Failed to destroy service account")
         end
       end
     )

guard/lib/guard/service_account/actions.ex

@@ -74,16 +74,50 @@ defmodule Guard.ServiceAccount.Actions do
   end
 
   @doc """
-  Soft delete a service account by deactivating the associated user.
+  Deactivate a service account by setting the user's deactivated flag to true.
 
   This marks the user as deactivated rather than physically deleting records,
   allowing for audit trails and potential recovery.
   """
-  @spec delete(String.t()) :: {:ok, :deleted} | {:error, atom()}
-  def delete(service_account_id) do
-    case ServiceAccount.delete(service_account_id) do
-      {:ok, :deleted} ->
-        {:ok, :deleted}
+  @spec deactivate(String.t()) :: {:ok, :deactivated} | {:error, atom()}
+  def deactivate(service_account_id) do
+    case ServiceAccount.deactivate(service_account_id) do
+      {:ok, :deactivated} ->
+        {:ok, :deactivated}
+
+      {:error, error} ->
+        {:error, error}
+    end
+  end
+
+  @doc """
+  Reactivate a previously deactivated service account.
+
+  This sets the user's deactivated flag to false, allowing the service account
+  to be used again.
+  """
+  @spec reactivate(String.t()) :: {:ok, :reactivated} | {:error, atom()}
+  def reactivate(service_account_id) do
+    case ServiceAccount.reactivate(service_account_id) do
+      {:ok, :reactivated} ->
+        {:ok, :reactivated}
+
+      {:error, error} ->
+        {:error, error}
+    end
+  end
+
+  @doc """
+  Permanently destroy a service account and all associated records.
+
+  This physically deletes the service account and user records from the database.
+  This action cannot be undone and should be used with caution.
+  """
+  @spec destroy(String.t()) :: {:ok, :destroyed} | {:error, atom()}
+  def destroy(service_account_id) do
+    case ServiceAccount.destroy(service_account_id) do
+      {:ok, :destroyed} ->
+        {:ok, :destroyed}
 
       {:error, error} ->
         {:error, error}

guard/lib/guard/store/service_account.ex

@@ -140,17 +140,17 @@ defmodule Guard.Store.ServiceAccount do
   end
 
   @doc """
-  Delete (deactivate) a service account.
+  Deactivate a service account.
 
   Performs a soft delete by setting the user's deactivated flag to true.
   """
-  @spec delete(String.t()) :: {:ok, :deleted} | {:error, :not_found | :internal_error}
-  def delete(service_account_id) when is_binary(service_account_id) do
+  @spec deactivate(String.t()) :: {:ok, :deactivated} | {:error, :not_found | :internal_error}
+  def deactivate(service_account_id) when is_binary(service_account_id) do
     if valid_uuid?(service_account_id) do
       case FrontRepo.transaction(fn ->
              with {:ok, _current_data} <- find(service_account_id),
                   {:ok, _updated_user} <- deactivate_user_record(service_account_id) do
-               :deleted
+               :deactivated
              else
                {:error, :not_found} ->
                  FrontRepo.rollback(:not_found)
@@ -159,7 +159,7 @@ defmodule Guard.Store.ServiceAccount do
                  FrontRepo.rollback(:internal_error)
              end
            end) do
-        {:ok, :deleted} -> {:ok, :deleted}
+        {:ok, :deactivated} -> {:ok, :deactivated}
         {:error, reason} -> {:error, reason}
       end
     else
@@ -168,7 +168,92 @@ defmodule Guard.Store.ServiceAccount do
   rescue
     e ->
       Logger.error(
-        "Error during service account deletion #{inspect(service_account_id)}: #{inspect(e)}"
+        "Error during service account deactivation #{inspect(service_account_id)}: #{inspect(e)}"
+      )
+
+      {:error, :internal_error}
+  end
+
+  @doc """
+  Reactivate a service account.
+
+  Reactivates a previously deactivated service account by setting the user's deactivated flag to false.
+  """
+  @spec reactivate(String.t()) :: {:ok, :reactivated} | {:error, :not_found | :internal_error}
+  def reactivate(service_account_id) when is_binary(service_account_id) do
+    if valid_uuid?(service_account_id) do
+      case FrontRepo.transaction(fn ->
+             # Use a modified query that includes deactivated service accounts
+             query =
+               build_service_account_query()
+               |> where([sa, u], sa.id == ^service_account_id)
+               |> where([sa, u], is_nil(u.blocked_at))
+
+             case FrontRepo.one(query) do
+               nil ->
+                 FrontRepo.rollback(:not_found)
+
+               _service_account ->
+                 case reactivate_user_record(service_account_id) do
+                   {:ok, _updated_user} -> :reactivated
+                   {:error, _reason} -> FrontRepo.rollback(:internal_error)
+                 end
+             end
+           end) do
+        {:ok, :reactivated} -> {:ok, :reactivated}
+        {:error, reason} -> {:error, reason}
+      end
+    else
+      {:error, :invalid_id}
+    end
+  rescue
+    e ->
+      Logger.error(
+        "Error during service account reactivation #{inspect(service_account_id)}: #{inspect(e)}"
+      )
+
+      {:error, :internal_error}
+  end
+
+  @doc """
+  Destroy a service account.
+
+  Permanently deletes the service account and associated user records from the database.
+  This action cannot be undone.
+  """
+  @spec destroy(String.t()) :: {:ok, :destroyed} | {:error, :not_found | :internal_error}
+  def destroy(service_account_id) when is_binary(service_account_id) do
+    if valid_uuid?(service_account_id) do
+      case FrontRepo.transaction(fn ->
+             # Use a modified query that includes deactivated service accounts for destruction
+             query =
+               build_service_account_query()
+               |> where([sa, u], sa.id == ^service_account_id)
+               |> where([sa, u], is_nil(u.blocked_at))
+
+             case FrontRepo.one(query) do
+               nil ->
+                 FrontRepo.rollback(:not_found)
+
+               _service_account ->
+                 with {:ok, _} <- destroy_service_account_record(service_account_id),
+                      {:ok, _} <- destroy_user_record(service_account_id) do
+                   :destroyed
+                 else
+                   {:error, _reason} -> FrontRepo.rollback(:internal_error)
+                 end
+             end
+           end) do
+        {:ok, :destroyed} -> {:ok, :destroyed}
+        {:error, reason} -> {:error, reason}
+      end
+    else
+      {:error, :invalid_id}
+    end
+  rescue
+    e ->
+      Logger.error(
+        "Error during service account destruction #{inspect(service_account_id)}: #{inspect(e)}"
       )
 
       {:error, :internal_error}
@@ -340,6 +425,47 @@ defmodule Guard.Store.ServiceAccount do
     end
   end
 
+  defp reactivate_user_record(user_id) do
+    user = FrontRepo.get!(User, user_id)
+
+    changeset =
+      User.changeset(user, %{
+        deactivated: false,
+        deactivated_at: nil
+      })
+
+    case FrontRepo.update(changeset) do
+      {:ok, user} -> {:ok, user}
+      {:error, changeset} -> {:error, changeset.errors}
+    end
+  end
+
+  defp destroy_service_account_record(service_account_id) do
+    case FrontRepo.get(ServiceAccount, service_account_id) do
+      nil ->
+        {:error, :not_found}
+
+      service_account ->
+        case FrontRepo.delete(service_account) do
+          {:ok, _} -> {:ok, :deleted}
+          {:error, changeset} -> {:error, changeset.errors}
+        end
+    end
+  end
+
+  defp destroy_user_record(user_id) do
+    case FrontRepo.get(User, user_id) do
+      nil ->
+        {:error, :not_found}
+
+      user ->
+        case FrontRepo.delete(user) do
+          {:ok, _} -> {:ok, :deleted}
+          {:error, changeset} -> {:error, changeset.errors}
+        end
+    end
+  end
+
   defp update_user_token(user_id, hashed_token) do
     user = FrontRepo.get!(User, user_id)
 

guard/lib/internal_api/service_account.pb.ex

@@ -135,7 +135,7 @@ defmodule InternalApi.ServiceAccount.DeactivateResponse do
   defstruct []
 end
 
-defmodule InternalApi.ServiceAccount.DeleteRequest do
+defmodule InternalApi.ServiceAccount.ReactivateRequest do
   @moduledoc false
   use Protobuf, syntax: :proto3
 
@@ -147,7 +147,26 @@ defmodule InternalApi.ServiceAccount.DeleteRequest do
   field(:service_account_id, 1, type: :string)
 end
 
-defmodule InternalApi.ServiceAccount.DeleteResponse do
+defmodule InternalApi.ServiceAccount.ReactivateResponse do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  defstruct []
+end
+
+defmodule InternalApi.ServiceAccount.DestroyRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          service_account_id: String.t()
+        }
+
+  defstruct [:service_account_id]
+  field(:service_account_id, 1, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.DestroyResponse do
   @moduledoc false
   use Protobuf, syntax: :proto3
 
@@ -245,9 +264,15 @@ defmodule InternalApi.ServiceAccount.ServiceAccountService.Service do
   )
 
   rpc(
-    :Delete,
-    InternalApi.ServiceAccount.DeleteRequest,
-    InternalApi.ServiceAccount.DeleteResponse
+    :Reactivate,
+    InternalApi.ServiceAccount.ReactivateRequest,
+    InternalApi.ServiceAccount.ReactivateResponse
+  )
+
+  rpc(
+    :Destroy,
+    InternalApi.ServiceAccount.DestroyRequest,
+    InternalApi.ServiceAccount.DestroyResponse
   )
 
   rpc(