tenseleyflow/shithub / 3c50abc

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package orgs

+

+import (

+	"context"

+	"errors"

+	"fmt"

+

+	"github.com/jackc/pgx/v5"

+	"github.com/jackc/pgx/v5/pgtype"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/infra/storage"

+	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/repos/lifecycle"

+)

+

+// pgInt8 wraps an int64 as the pgtype.Int8 the sqlc-generated query

+// expects. Local helper so the call sites stay one-liners.

+func pgInt8(v int64) pgtype.Int8 { return pgtype.Int8{Int64: v, Valid: v != 0} }

+

+// HardDeleteDeps is the augmented Deps shape the org hard-delete

+// orchestrator needs. RepoFS lets us tear down the bare repos on

+// disk; the lifecycle.HardDelete cascade reuses that same path so

+// org-owned repos go through the same teardown user-owned ones do.

+type HardDeleteDeps struct {

+	Deps

+	RepoFS *storage.RepoFS

+	Audit  *audit.Recorder

+}

+

+// SoftDelete sets `orgs.deleted_at = now()`, kicking off the 14-day

+// grace window. The principals trigger drops the slug row so the

+// name becomes available to a new claimant immediately — restoring

+// before grace re-creates the row. Pre-flight check: the org must

+// not already be soft-deleted.

+func SoftDelete(ctx context.Context, deps Deps, orgID, actorUserID int64) error {

+	q := orgsdb.New()

+	row, err := q.GetOrgByID(ctx, deps.Pool, orgID)

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			return ErrOrgNotFound

+		}

+		return err

+	}

+	if row.DeletedAt.Valid {

+		return ErrDeleted

+	}

+	if err := q.SoftDeleteOrg(ctx, deps.Pool, orgID); err != nil {

+		return fmt.Errorf("soft delete: %w", err)

+	}

+	if deps.Audit != nil {

+		// Borrow the repo soft-delete action shape until the audit

+		// catalog grows a dedicated `org_soft_deleted` entry; the

+		// kind=org metadata makes the org row identifiable in the log.

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionRepoSoftDeleted,

+			audit.TargetUser, orgID,

+			map[string]any{"slug": string(row.Slug), "kind": "org"})

+	}

+	return nil

+}

+

+// Restore clears `deleted_at` for an org still inside its 14-day

+// grace window. Caller (web handler) checks that the actor is an

+// org owner BEFORE calling. Returns ErrOrgNotFound when the org's

+// past-grace + already-purged or never existed.

+func Restore(ctx context.Context, deps Deps, orgID, actorUserID int64) error {

+	q := orgsdb.New()

+	row, err := q.GetOrgByID(ctx, deps.Pool, orgID)

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			return ErrOrgNotFound

+		}

+		return err

+	}

+	if !row.DeletedAt.Valid {

+		// Not deleted; nothing to restore. Idempotent.

+		return nil

+	}

+	// Slug-collision check: a new user/org may have claimed the slug

+	// during the grace window (the principals row was dropped on

+	// soft-delete). Refuse to restore if so — the operator can rename

+	// the conflicting principal and retry.

+	var taken bool

+	if err := deps.Pool.QueryRow(ctx,

+		`SELECT EXISTS(SELECT 1 FROM principals WHERE slug = $1)`,

+		row.Slug,

+	).Scan(&taken); err != nil {

+		return err

+	}

+	if taken {

+		return ErrSlugTaken

+	}

+	if err := q.RestoreOrg(ctx, deps.Pool, orgID); err != nil {

+		return fmt.Errorf("restore: %w", err)

+	}

+	_ = actorUserID // audit entry deferred

+	return nil

+}

+

+// HardDelete is the cascade run by the past-grace sweep. For each

+// org-owned repo (including already-soft-deleted ones) it runs the

+// existing lifecycle.HardDelete tear-down (bare-repo on disk + DB

+// rows). Then drops org_invitations + org_members + the orgs row.

+// The principals trigger removes the slug entry as part of the

+// orgs DELETE.

+//

+// Best-effort: a per-repo failure is logged but doesn't stop the

+// sweep — leaving zombie repos in the DB is preferable to leaving

+// the org row in a half-deleted state where its slug is permanently

+// pinned. Operators can retry via the manual sweep job.

+func HardDelete(ctx context.Context, hd HardDeleteDeps, orgID int64) error {

+	q := orgsdb.New()

+	repoIDs, err := q.ListOrgRepoIDs(ctx, hd.Pool, pgInt8(orgID))

+	if err != nil {

+		return fmt.Errorf("list org repos: %w", err)

+	}

+	ldeps := lifecycle.Deps{

+		Pool: hd.Pool, RepoFS: hd.RepoFS, Audit: hd.Audit, Logger: hd.Logger,

+	}

+	for _, rid := range repoIDs {

+		if err := lifecycle.HardDelete(ctx, ldeps, 0, rid); err != nil && hd.Logger != nil {

+			hd.Logger.WarnContext(ctx, "orgs: cascade repo hard-delete failed",

+				"org_id", orgID, "repo_id", rid, "error", err)

+		}

+	}

+	// org_members + org_invitations cascade via FK ON DELETE CASCADE

+	// already; the principals trigger drops the slug row inside the

+	// same tx. Audit row goes in before the row vanishes so the log

+	// retains the slug.

+	row, _ := q.GetOrgByID(ctx, hd.Pool, orgID)

+	if hd.Audit != nil {

+		_ = hd.Audit.Record(ctx, hd.Pool, 0,

+			audit.ActionRepoHardDeleted,

+			audit.TargetUser, orgID,

+			map[string]any{"slug": string(row.Slug), "kind": "org"})

+	}

+	if err := q.HardDeleteOrgRow(ctx, hd.Pool, orgID); err != nil {

+		return fmt.Errorf("hard delete org row: %w", err)

+	}

+	return nil

+}

+

+// ListPastGraceOrgIDs is a thin wrapper exposing the sqlc query so

+// the worker bundle doesn't need to import orgsdb directly.

+func ListPastGraceOrgIDs(ctx context.Context, deps Deps) ([]int64, error) {

+	return orgsdb.New().ListOrgIDsPastSoftDeleteGrace(ctx, deps.Pool)

+}

+

+// TestHardDelete_DropsOrgRowAndPrincipal exercises the cascade

+// without the worker scaffolding: soft-delete + manually expire

+// grace via raw UPDATE + HardDelete. Asserts the orgs row is gone,

+// the principals row is gone (slug freed), and the org-owned repo

+// is hard-deleted via the lifecycle cascade.

+func TestHardDelete_DropsOrgRowAndPrincipal(t *testing.T) {

+	pool, deps, alice := setup(t)

+	ctx := context.Background()

+	row, err := orgs.Create(ctx, deps, orgs.CreateParams{

+		Slug: "acme", DisplayName: "Acme", CreatedByUserID: alice,

+	})

+	if err != nil {

+		t.Fatalf("create org: %v", err)

+	}

+	// Soft-delete + force expiry by backdating deleted_at past grace.

+	if err := orgs.SoftDelete(ctx, deps, row.ID, alice); err != nil {

+		t.Fatalf("soft delete: %v", err)

+	}

+	if _, err := pool.Exec(ctx,

+		`UPDATE orgs SET deleted_at = now() - interval '15 days' WHERE id=$1`, row.ID); err != nil {

+		t.Fatalf("backdate: %v", err)

+	}

+	// Sweep should see this org as past-grace.

+	ids, err := orgs.ListPastGraceOrgIDs(ctx, deps)

+	if err != nil {

+		t.Fatalf("ListPastGraceOrgIDs: %v", err)

+	}

+	found := false

+	for _, id := range ids {

+		if id == row.ID {

+			found = true

+		}

+	}

+	if !found {

+		t.Fatalf("past-grace list missing org id %d (got %v)", row.ID, ids)

+	}

+	// Cascade. RepoFS nil is fine here — no repos under this org.

+	if err := orgs.HardDelete(ctx, orgs.HardDeleteDeps{Deps: deps}, row.ID); err != nil {

+		t.Fatalf("HardDelete: %v", err)

+	}

+	// Org row gone, slug freed in principals.

+	var stillExists bool

+	_ = pool.QueryRow(ctx, `SELECT EXISTS(SELECT 1 FROM orgs WHERE id=$1)`, row.ID).Scan(&stillExists)

+	if stillExists {

+		t.Fatal("org row should be gone")

+	}

+	var slugTaken bool

+	_ = pool.QueryRow(ctx, `SELECT EXISTS(SELECT 1 FROM principals WHERE slug='acme')`).Scan(&slugTaken)

+	if slugTaken {

+		t.Fatal("principals slug 'acme' should be freed")

+	}

+}

+-- name: ListOrgIDsPastSoftDeleteGrace :many

+-- Sweep input for the lifecycle worker: every soft-deleted org whose

+-- 14-day grace window has elapsed. The interval is intentionally a

+-- DB literal (not a parameter) so the policy lives next to the data.

+SELECT id FROM orgs

+WHERE deleted_at IS NOT NULL

+  AND deleted_at < (now() - interval '14 days');

+

+-- name: ListOrgRepoIDs :many

+-- All repo IDs (including soft-deleted) belonging to an org. Used by

+-- the org hard-delete cascade to fan out per-repo destruction.

+SELECT id FROM repos WHERE owner_org_id = $1;

+

+-- name: HardDeleteOrgRow :exec

+-- Final row removal after the cascade finished. The principals

+-- trigger drops the matching principals row in the same tx.

+DELETE FROM orgs WHERE id = $1;

+

+const hardDeleteOrgRow = `-- name: HardDeleteOrgRow :exec

+DELETE FROM orgs WHERE id = $1

+`

+

+// Final row removal after the cascade finished. The principals

+// trigger drops the matching principals row in the same tx.

+func (q *Queries) HardDeleteOrgRow(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, hardDeleteOrgRow, id)

+	return err

+}

+

+const listOrgIDsPastSoftDeleteGrace = `-- name: ListOrgIDsPastSoftDeleteGrace :many

+SELECT id FROM orgs

+WHERE deleted_at IS NOT NULL

+  AND deleted_at < (now() - interval '14 days')

+`

+

+// Sweep input for the lifecycle worker: every soft-deleted org whose

+// 14-day grace window has elapsed. The interval is intentionally a

+// DB literal (not a parameter) so the policy lives next to the data.

+func (q *Queries) ListOrgIDsPastSoftDeleteGrace(ctx context.Context, db DBTX) ([]int64, error) {

+	rows, err := db.Query(ctx, listOrgIDsPastSoftDeleteGrace)

+	if err != nil {

+		return nil, err

+	}

+	defer rows.Close()

+	items := []int64{}

+	for rows.Next() {

+		var id int64

+		if err := rows.Scan(&id); err != nil {

+			return nil, err

+		}

+		items = append(items, id)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, err

+	}

+	return items, nil

+}

+

+const listOrgRepoIDs = `-- name: ListOrgRepoIDs :many

+SELECT id FROM repos WHERE owner_org_id = $1

+`

+

+// All repo IDs (including soft-deleted) belonging to an org. Used by

+// the org hard-delete cascade to fan out per-repo destruction.

+func (q *Queries) ListOrgRepoIDs(ctx context.Context, db DBTX, ownerOrgID pgtype.Int8) ([]int64, error) {

+	rows, err := db.Query(ctx, listOrgRepoIDs, ownerOrgID)

+	if err != nil {

+		return nil, err

+	}

+	defer rows.Close()

+	items := []int64{}

+	for rows.Next() {

+		var id int64

+		if err := rows.Scan(&id); err != nil {

+			return nil, err

+		}

+		items = append(items, id)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, err

+	}

+	return items, nil

+}

+

+	// Final row removal after the cascade finished. The principals

+	// trigger drops the matching principals row in the same tx.

+	HardDeleteOrgRow(ctx context.Context, db DBTX, id int64) error

+	// Sweep input for the lifecycle worker: every soft-deleted org whose

+	// 14-day grace window has elapsed. The interval is intentionally a

+	// DB literal (not a parameter) so the policy lives next to the data.

+	ListOrgIDsPastSoftDeleteGrace(ctx context.Context, db DBTX) ([]int64, error)

+	// All repo IDs (including soft-deleted) belonging to an org. Used by

+	// the org hard-delete cascade to fan out per-repo destruction.

+	ListOrgRepoIDs(ctx context.Context, db DBTX, ownerOrgID pgtype.Int8) ([]int64, error)

+	"github.com/tenseleyFlow/shithub/internal/orgs"

+

+		// 3. S30 — hard-delete orgs past their 14-day grace window.

+		// Cascade per-repo via lifecycle.HardDelete inside the org

+		// orchestrator. Same per-row failure-tolerant shape as the

+		// repo path above.

+		odeps := orgs.Deps{Pool: deps.Pool, Logger: deps.Logger, Audit: deps.Audit}

+		ohd := orgs.HardDeleteDeps{Deps: odeps, RepoFS: deps.RepoFS, Audit: deps.Audit}

+		orgIDs, err := orgs.ListPastGraceOrgIDs(ctx, odeps)

+		if err != nil {

+			deps.Logger.WarnContext(ctx, "lifecycle:sweep: list past-grace orgs", "error", err)

+		}

+		for _, oid := range orgIDs {

+			if err := ctx.Err(); err != nil {

+				return err

+			}

+			if err := orgs.HardDelete(ctx, ohd, oid); err != nil {

+				deps.Logger.WarnContext(ctx, "lifecycle:sweep: org hard delete failed",

+					"org_id", oid, "error", err)

+			}

+		}