feat(api): remove user from org (#211)

## 📝 Description

Http api for removing a user from the org (clevertap):
renderedtext/tasks#7779

Changes made to RBAC are only here so that the endpoint for retracting
roles would not crash if the user is already not part of the
organization

I made changes to the plumber Dockerfile, Makefile and test_helper in
order to be able to run tests both locally (using make test.ex) and on
CI

## ✅ Checklist
- [x] I have tested this change
- [x] This change requires documentation update (for now we will only
have private docs for clevertap)

Author: VeljkoMaksimovic

ee/rbac/lib/rbac/grpc_servers/rbac_server.ex

@@ -289,8 +289,8 @@ defmodule Rbac.GrpcServers.RbacServer do
     is_owner? =
       Rbac.RoleManagement.fetch_subject_role_bindings(rbi)
       |> elem(0)
-      |> List.first()
-      |> Map.get(:role_bindings)
+      |> List.first(%{})
+      |> Map.get(:role_bindings, [])
       |> Enum.map(&Rbac.Repo.RbacRole.get_role_by_id(&1["role_id"]))
       |> Enum.any?(&(&1.name == "Owner"))
 

public-api/v1alpha/Dockerfile

@@ -21,7 +21,7 @@ RUN ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
 RUN mix local.hex --force && mix local.rebar --force
 
 RUN mkdir api
-WORKDIR /app/api
+WORKDIR /app
 
 # install mix dependencies
 COPY public-api/v1alpha/mix.exs public-api/v1alpha/mix.lock ./
@@ -86,7 +86,7 @@ RUN \
 USER "${USER}"
 
 # copy release executables
-COPY --from=builder --chown="${USER}":"${USER}" /app/api/_build/"${MIX_ENV}"/rel/pipelines_api ./
+COPY --from=builder --chown="${USER}":"${USER}" /app/_build/"${MIX_ENV}"/rel/pipelines_api ./
 
 ENTRYPOINT ["bin/pipelines_api"]
 

public-api/v1alpha/Makefile

@@ -3,7 +3,6 @@ export MIX_ENV?=dev
 include ../../Makefile
 
 DOCKER_BUILD_PATH=../..
-OUT_VOLUME=$(PWD)/out:/app/api/out
 INTERNAL_API_BRANCH?=master
 TMP_INTERNAL_REPO_DIR?=/tmp/internal_api
 RELATIVE_INTERNAL_PB_OUTPUT_DIR=lib/internal_api
@@ -33,6 +32,7 @@ PROJECTHUB_API_GRPC_URL?=127.0.0.1:50052
 LOG_LEVEL?=debug
 API_VERSION?=v1alpha
 ON_PREM?="false"
+TMP_REPO_DIR ?= /tmp/internal_api
 
 CONTAINER_ENV_VARS= \
   -e IN_DOCKER=$(IN_DOCKER) \
@@ -62,7 +62,7 @@ test.ex.setup: export MIX_ENV=test
 test.ex.setup:
 ifeq ($(CI),)
 # Localy we use database supplied by docker-compose
-	docker compose $(DOCKER_COMPOSE_OPTS) run -e MIX_ENV=$(MIX_ENV) --build app mix do deps.get, test $(FILE)
+	docker compose $(DOCKER_COMPOSE_OPTS) run -e MIX_ENV=$(MIX_ENV) --build app mix do deps.get
 else
 	docker run --network host -v $(PWD)/out:/app/out $(CONTAINER_ENV_VARS) $(IMAGE):$(IMAGE_TAG) sh
 endif

public-api/v1alpha/lib/internal_api/rbac.pb.ex

@@ -306,6 +306,30 @@ defmodule InternalApi.RBAC.ListMembersResponse.Member do
   field(:subject_role_bindings, 3, repeated: true, type: InternalApi.RBAC.SubjectRoleBinding)
 end
 
+defmodule InternalApi.RBAC.CountMembersRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          org_id: String.t()
+        }
+  defstruct [:org_id]
+
+  field(:org_id, 1, type: :string)
+end
+
+defmodule InternalApi.RBAC.CountMembersResponse do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          members: integer
+        }
+  defstruct [:members]
+
+  field(:members, 1, type: :int32)
+end
+
 defmodule InternalApi.RBAC.SubjectRoleBinding do
   @moduledoc false
   use Protobuf, syntax: :proto3
@@ -406,6 +430,25 @@ defmodule InternalApi.RBAC.Subject do
   field(:display_name, 3, type: :string)
 end
 
+defmodule InternalApi.RBAC.RefreshCollaboratorsRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          org_id: String.t()
+        }
+  defstruct [:org_id]
+
+  field(:org_id, 1, type: :string)
+end
+
+defmodule InternalApi.RBAC.RefreshCollaboratorsResponse do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  defstruct []
+end
+
 defmodule InternalApi.RBAC.Role do
   @moduledoc false
   use Protobuf, syntax: :proto3
@@ -493,6 +536,7 @@ defmodule InternalApi.RBAC.RoleBindingSource do
   field(:ROLE_BINDING_SOURCE_GITLAB, 4)
   field(:ROLE_BINDING_SOURCE_SCIM, 5)
   field(:ROLE_BINDING_SOURCE_INHERITED_FROM_ORG_ROLE, 6)
+  field(:ROLE_BINDING_SOURCE_SAML_JIT, 7)
 end
 
 defmodule InternalApi.RBAC.RBAC.Service do
@@ -525,6 +569,7 @@ defmodule InternalApi.RBAC.RBAC.Service do
   rpc(:ModifyRole, InternalApi.RBAC.ModifyRoleRequest, InternalApi.RBAC.ModifyRoleResponse)
   rpc(:DestroyRole, InternalApi.RBAC.DestroyRoleRequest, InternalApi.RBAC.DestroyRoleResponse)
   rpc(:ListMembers, InternalApi.RBAC.ListMembersRequest, InternalApi.RBAC.ListMembersResponse)
+  rpc(:CountMembers, InternalApi.RBAC.CountMembersRequest, InternalApi.RBAC.CountMembersResponse)
 
   rpc(
     :ListAccessibleOrgs,
@@ -537,6 +582,12 @@ defmodule InternalApi.RBAC.RBAC.Service do
     InternalApi.RBAC.ListAccessibleProjectsRequest,
     InternalApi.RBAC.ListAccessibleProjectsResponse
   )
+
+  rpc(
+    :RefreshCollaborators,
+    InternalApi.RBAC.RefreshCollaboratorsRequest,
+    InternalApi.RBAC.RefreshCollaboratorsResponse
+  )
 end
 
 defmodule InternalApi.RBAC.RBAC.Stub do

public-api/v1alpha/lib/internal_api/user.pb.ex

@@ -101,7 +101,6 @@ defmodule InternalApi.User.DescribeResponse do
           github_token: String.t(),
           github_scope: integer,
           github_uid: String.t(),
-          api_token: String.t(),
           name: String.t(),
           github_login: String.t(),
           company: String.t(),
@@ -119,7 +118,6 @@ defmodule InternalApi.User.DescribeResponse do
     :github_token,
     :github_scope,
     :github_uid,
-    :api_token,
     :name,
     :github_login,
     :company,
@@ -137,7 +135,6 @@ defmodule InternalApi.User.DescribeResponse do
   field(:github_token, 7, type: :string)
   field(:github_scope, 12, type: InternalApi.User.DescribeResponse.RepoScope, enum: true)
   field(:github_uid, 8, type: :string)
-  field(:api_token, 9, type: :string)
   field(:name, 10, type: :string)
   field(:github_login, 11, type: :string)
   field(:company, 13, type: :string)
@@ -180,6 +177,7 @@ defmodule InternalApi.User.RepositoryProvider.Type do
 
   field(:GITHUB, 0)
   field(:BITBUCKET, 1)
+  field(:GITLAB, 2)
 end
 
 defmodule InternalApi.User.RepositoryProvider.Scope do
@@ -314,40 +312,12 @@ defmodule InternalApi.User.RegenerateTokenResponse do
 
   @type t :: %__MODULE__{
           status: Google.Rpc.Status.t(),
-          user: InternalApi.User.User.t()
+          api_token: String.t()
         }
-  defstruct [:status, :user]
+  defstruct [:status, :api_token]
 
   field(:status, 1, type: Google.Rpc.Status)
-  field(:user, 2, type: InternalApi.User.User)
-end
-
-defmodule InternalApi.User.RefererRequest do
-  @moduledoc false
-  use Protobuf, syntax: :proto3
-
-  @type t :: %__MODULE__{
-          user_id: String.t()
-        }
-  defstruct [:user_id]
-
-  field(:user_id, 1, type: :string)
-end
-
-defmodule InternalApi.User.RefererResponse do
-  @moduledoc false
-  use Protobuf, syntax: :proto3
-
-  @type t :: %__MODULE__{
-          user_id: String.t(),
-          entry_url: String.t(),
-          http_referer: String.t()
-        }
-  defstruct [:user_id, :entry_url, :http_referer]
-
-  field(:user_id, 1, type: :string)
-  field(:entry_url, 2, type: :string)
-  field(:http_referer, 3, type: :string)
+  field(:api_token, 3, type: :string)
 end
 
 defmodule InternalApi.User.CheckGithubTokenRequest do
@@ -442,6 +412,18 @@ defmodule InternalApi.User.DescribeByRepositoryProviderRequest do
   field(:provider, 1, type: InternalApi.User.RepositoryProvider)
 end
 
+defmodule InternalApi.User.DescribeByEmailRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          email: String.t()
+        }
+  defstruct [:email]
+
+  field(:email, 1, type: :string)
+end
+
 defmodule InternalApi.User.RefreshRepositoryProviderRequest do
   @moduledoc false
   use Protobuf, syntax: :proto3
@@ -470,6 +452,26 @@ defmodule InternalApi.User.RefreshRepositoryProviderResponse do
   field(:repository_provider, 2, type: InternalApi.User.RepositoryProvider)
 end
 
+defmodule InternalApi.User.CreateRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          email: String.t(),
+          name: String.t(),
+          password: String.t(),
+          repository_providers: [InternalApi.User.RepositoryProvider.t()],
+          skip_password_change: boolean
+        }
+  defstruct [:email, :name, :password, :repository_providers, :skip_password_change]
+
+  field(:email, 1, type: :string)
+  field(:name, 2, type: :string)
+  field(:password, 3, type: :string)
+  field(:repository_providers, 4, repeated: true, type: InternalApi.User.RepositoryProvider)
+  field(:skip_password_change, 5, type: :bool)
+end
+
 defmodule InternalApi.User.User do
   @moduledoc false
   use Protobuf, syntax: :proto3
@@ -479,7 +481,6 @@ defmodule InternalApi.User.User do
           avatar_url: String.t(),
           github_uid: String.t(),
           name: String.t(),
-          api_token: String.t(),
           github_login: String.t(),
           company: String.t(),
           email: String.t(),
@@ -497,7 +498,6 @@ defmodule InternalApi.User.User do
     :avatar_url,
     :github_uid,
     :name,
-    :api_token,
     :github_login,
     :company,
     :email,
@@ -515,7 +515,6 @@ defmodule InternalApi.User.User do
   field(:avatar_url, 3, type: :string)
   field(:github_uid, 4, type: :string)
   field(:name, 5, type: :string)
-  field(:api_token, 6, type: :string)
   field(:github_login, 7, type: :string)
   field(:company, 8, type: :string)
   field(:email, 9, type: :string)
@@ -581,22 +580,6 @@ defmodule InternalApi.User.UserUpdated do
   field(:timestamp, 2, type: Google.Protobuf.Timestamp)
 end
 
-defmodule InternalApi.User.UserRefererCreated do
-  @moduledoc false
-  use Protobuf, syntax: :proto3
-
-  @type t :: %__MODULE__{
-          user_id: String.t(),
-          entry_url: String.t(),
-          http_referer: String.t()
-        }
-  defstruct [:user_id, :entry_url, :http_referer]
-
-  field(:user_id, 1, type: :string)
-  field(:entry_url, 2, type: :string)
-  field(:http_referer, 3, type: :string)
-end
-
 defmodule InternalApi.User.UserJoinedOrganization do
   @moduledoc false
   use Protobuf, syntax: :proto3
@@ -731,6 +714,7 @@ defmodule InternalApi.User.UserService.Service do
     InternalApi.User.User
   )
 
+  rpc(:DescribeByEmail, InternalApi.User.DescribeByEmailRequest, InternalApi.User.User)
   rpc(:SearchUsers, InternalApi.User.SearchUsersRequest, InternalApi.User.SearchUsersResponse)
   rpc(:DescribeMany, InternalApi.User.DescribeManyRequest, InternalApi.User.DescribeManyResponse)
   rpc(:Update, InternalApi.User.UpdateRequest, InternalApi.User.UpdateResponse)
@@ -750,7 +734,6 @@ defmodule InternalApi.User.UserService.Service do
 
   rpc(:CreateFavorite, InternalApi.User.Favorite, InternalApi.User.Favorite)
   rpc(:DeleteFavorite, InternalApi.User.Favorite, InternalApi.User.Favorite)
-  rpc(:Referer, InternalApi.User.RefererRequest, InternalApi.User.RefererResponse)
 
   rpc(
     :CheckGithubToken,
@@ -772,6 +755,8 @@ defmodule InternalApi.User.UserService.Service do
     InternalApi.User.RefreshRepositoryProviderRequest,
     InternalApi.User.RefreshRepositoryProviderResponse
   )
+
+  rpc(:Create, InternalApi.User.CreateRequest, InternalApi.User.User)
 end
 
 defmodule InternalApi.User.UserService.Stub do

public-api/v1alpha/lib/pipelines_api/rbac_client.ex

@@ -38,4 +38,15 @@ defmodule PipelinesAPI.RBACClient do
       )
     end)
   end
+
+  def retract_role(params) do
+    LogTee.debug(params, "RBACClient.retract_role")
+
+    Metrics.benchmark("PipelinesAPI.RBAC_client", ["retract_role"], fn ->
+      params
+      |> RequestFormatter.form_retract_role_request()
+      |> GrpcClient.retract_role()
+      |> ResponseFormatter.process_retract_role_response()
+    end)
+  end
 end

public-api/v1alpha/lib/pipelines_api/rbac_client/grpc_client.ex

@@ -114,4 +114,33 @@ defmodule PipelinesAPI.RBACClient.GrpcClient do
       |> RBAC.Stub.list_roles(list_roles_request, opts())
     end)
   end
+
+  def retract_role({:ok, retract_role_request = %{role_assignment: _, requester_id: _}}) do
+    LogTee.debug(retract_role_request, "RBACClient.GrpcClient.retract_role")
+
+    result =
+      Wormhole.capture(__MODULE__, :retract_role_, [retract_role_request],
+        stacktrace: true,
+        skip_log: true,
+        timeout_ms: @wormhole_timeout
+      )
+
+    case result do
+      {:ok, result} -> result
+      {:error, reason} -> Log.internal_error(reason, "retract_role")
+    end
+  end
+
+  def retract_role({:ok, _}), do: ToTuple.user_error("invalid retract role request")
+
+  def retract_role(error), do: error
+
+  def retract_role_(retract_role_request) do
+    {:ok, channel} = GRPC.Stub.connect(url())
+
+    Metrics.benchmark("PipelinesAPI.RBAC_client", ["retract_role_"], fn ->
+      channel
+      |> RBAC.Stub.retract_role(retract_role_request, opts())
+    end)
+  end
 end