🐛 fix: make credentials inactive on deleteUser and fix `org.metad…

…ata == null` bug (#156)

* 🔨 chore: make `credentials` inactive on `deleteUser` and fix `org.metadata == null` bug

* 🔧 chore: move guard to `CognitoProviderImpl`

src/main/kotlin/com/hypto/iam/server/apis/UsersApi.kt

@@ -5,6 +5,7 @@ package com.hypto.iam.server.apis
 import com.google.gson.Gson
 import com.hypto.iam.server.configs.AppConfig
 import com.hypto.iam.server.db.repositories.PasscodeRepo
+import com.hypto.iam.server.db.repositories.UserAuthRepo
 import com.hypto.iam.server.extensions.PaginationContext
 import com.hypto.iam.server.models.ChangeUserPasswordRequest
 import com.hypto.iam.server.models.CreateUserPasswordRequest
@@ -25,6 +26,7 @@ import com.hypto.iam.server.security.withPermission
 import com.hypto.iam.server.service.PasscodeService
 import com.hypto.iam.server.service.PrincipalPolicyService
 import com.hypto.iam.server.service.TokenService
+import com.hypto.iam.server.service.TokenServiceImpl
 import com.hypto.iam.server.service.UsersService
 import com.hypto.iam.server.utils.ApplicationIdUtil
 import com.hypto.iam.server.utils.HrnFactory
@@ -52,6 +54,7 @@ fun Route.createUsersApi() {
     val passcodeService: PasscodeService by inject()
     val idGenerator: ApplicationIdUtil.Generator by inject()
     val tokenService: TokenService by inject()
+    val userAuthRepo: UserAuthRepo by inject()
 
     // **** Create User api ****//
 
@@ -95,6 +98,11 @@ fun Route.createUsersApi() {
                 loginAccess = loginAccess,
                 policies = policies
             )
+            userAuthRepo.create(
+                hrn = user.hrn,
+                providerName = TokenServiceImpl.ISSUER,
+                authMetadata = null
+            )
 
             val token = tokenService.generateJwtToken(ResourceHrn(user.hrn))
             call.respondText(

src/main/kotlin/com/hypto/iam/server/db/repositories/CredentialsRepo.kt

@@ -31,14 +31,28 @@ object CredentialsRepo : BaseRepo<CredentialsRecord, Credentials, UUID>() {
     }
 
     /**
-     * Fetch records that have `user_hrn = value`
+     * Fetch records that matches the `id` and `user_hrn`
      */
     suspend fun fetchByIdAndUserHrn(id: UUID, value: String): CredentialsRecord? {
         return ctx("credentials.fetch_by_id").selectFrom(CREDENTIALS)
             .where(CREDENTIALS.ID.eq(id).and(CREDENTIALS.USER_HRN.eq(value)))
             .fetchOne()
     }
 
+    /**
+     * Updates status to `inactive` for users with `userHrn`
+     * @return true on successful update. false otherwise.
+     */
+    suspend fun updateStatusForUser(userHrn: String, status: Credential.Status = Credential.Status.inactive): Boolean {
+        val count = ctx("credentials.update_status_for_user")
+            .update(CREDENTIALS)
+            .set(CREDENTIALS.STATUS, status.value)
+            .set(CREDENTIALS.UPDATED_AT, LocalDateTime.now())
+            .where(CREDENTIALS.USER_HRN.eq(userHrn))
+            .execute()
+        return count > 0
+    }
+
     /**
      * Fetch a unique record that has `refresh_token = value`
      */

src/main/kotlin/com/hypto/iam/server/db/repositories/UserRepo.kt

@@ -34,6 +34,7 @@ object UserRepo : BaseRepo<UsersRecord, Users, String>() {
     ): List<UsersRecord> {
         return ctx("users.fetchMany").selectFrom(USERS)
             .where(USERS.ORGANIZATION_ID.eq(organizationId))
+            .and(USERS.DELETED.eq(false))
             .paginate(USERS.CREATED_AT, paginationContext)
             .fetch()
     }

src/main/kotlin/com/hypto/iam/server/idp/CognitoProviderImpl.kt

@@ -2,6 +2,7 @@
 
 package com.hypto.iam.server.idp
 
+import com.hypto.iam.server.configs.AppConfig
 import com.hypto.iam.server.exceptions.InternalException
 import com.hypto.iam.server.exceptions.UnknownException
 import com.hypto.iam.server.idp.CognitoConstants.ACTION_SUPPRESS
@@ -69,6 +70,7 @@ object CognitoConstants {
 class CognitoIdentityProviderImpl : IdentityProvider, KoinComponent {
     private val cognitoClient: CognitoIdentityProviderClient by inject()
     private val aliasAttributeTypes = mutableListOf(AliasAttributeType.EMAIL, AliasAttributeType.PREFERRED_USERNAME)
+    private val appConfig: AppConfig by inject()
 
     override suspend fun createIdentityGroup(name: String, configuration: Configuration): IdentityGroup {
         try {
@@ -121,6 +123,7 @@ class CognitoIdentityProviderImpl : IdentityProvider, KoinComponent {
 
     override suspend fun deleteIdentityGroup(identityGroup: IdentityGroup) {
         try {
+            if (identityGroup == appConfig.cognito) return
             val deletePoolRequest = DeleteUserPoolRequest.builder().userPoolId(identityGroup.id).build()
             cognitoClient.deleteUserPool(deletePoolRequest)
         } catch (e: Exception) {

src/main/kotlin/com/hypto/iam/server/service/OrganizationsService.kt

@@ -269,8 +269,10 @@ class OrganizationsServiceImpl : KoinComponent, OrganizationsService {
         val org = organizationRepo.findById(id) ?: throw EntityNotFoundException("Organization id - $id not found")
         organizationRepo.deleteById(id)
 
-        val identityGroup = gson.fromJson(org.metadata.data(), IdentityGroup::class.java)
-        identityProvider.deleteIdentityGroup(identityGroup)
+        if (org.metadata != null) {
+            val identityGroup = gson.fromJson(org.metadata.data(), IdentityGroup::class.java)
+            identityProvider.deleteIdentityGroup(identityGroup)
+        }
 
         return BaseSuccessResponse(true)
     }

src/main/kotlin/com/hypto/iam/server/service/UsersService.kt

@@ -4,6 +4,7 @@ package com.hypto.iam.server.service
 
 import com.google.gson.Gson
 import com.hypto.iam.server.configs.AppConfig
+import com.hypto.iam.server.db.repositories.CredentialsRepo
 import com.hypto.iam.server.db.repositories.OrganizationRepo
 import com.hypto.iam.server.db.repositories.PasscodeRepo
 import com.hypto.iam.server.db.repositories.UserAuthRepo
@@ -47,6 +48,7 @@ class UsersServiceImpl : KoinComponent, UsersService {
     private val appConfig: AppConfig by inject()
     private val passcodeRepo: PasscodeRepo by inject()
     private val userAuthRepo: UserAuthRepo by inject()
+    private val credentialRepo: CredentialsRepo by inject()
 
     @Suppress("CyclomaticComplexMethod")
     override suspend fun createUser(
@@ -147,13 +149,25 @@ class UsersServiceImpl : KoinComponent, UsersService {
             password = password ?: throw BadRequestException("Password is required"),
         )
 
+        val identityGroup = if (org.metadata != null) {
+            gson.fromJson(org.metadata.data(), IdentityGroup::class.java)
+        } else {
+            organizationRepo.update(
+                organizationId,
+                null,
+                null,
+                appConfig.cognito
+            )
+            appConfig.cognito
+        }
+
         identityProvider.createUser(
             RequestContext(
                 organizationId = organizationId,
                 requestedPrincipal = createdBy ?: "unknown user",
                 verified
             ),
-            gson.fromJson(org.metadata.data(), IdentityGroup::class.java),
+            identityGroup,
             passwordCredentials
         )
     }
@@ -201,6 +215,10 @@ class UsersServiceImpl : KoinComponent, UsersService {
             throw BadRequestException("User - $userName does not have login access")
         }
 
+        if (userAuthRepo.fetchByUserHrnAndProviderName(userHrn.toString(), TokenServiceImpl.ISSUER) == null) {
+            throw BadRequestException("User does not have password access")
+        }
+
         val identityGroup = gson.fromJson(org.metadata.data(), IdentityGroup::class.java)
         identityProvider.authenticate(identityGroup, userName, oldPassword)
         identityProvider.setUserPassword(identityGroup, userName, newPassword)
@@ -222,7 +240,18 @@ class UsersServiceImpl : KoinComponent, UsersService {
             throw BadRequestException("User - ${userHrn.resourceInstance} does not have login access")
         }
 
-        val identityGroup = gson.fromJson(org.metadata.data(), IdentityGroup::class.java)
+        val identityGroup = if (org.metadata != null) {
+            gson.fromJson(org.metadata.data(), IdentityGroup::class.java)
+        } else {
+            organizationRepo.update(
+                organizationId,
+                null,
+                null,
+                appConfig.cognito
+            )
+            appConfig.cognito
+        }
+
         identityProvider.setUserPassword(identityGroup, user.username, password)
         passcodeRepo.deleteByEmailAndPurpose(user.email!!, VerifyEmailRequest.Purpose.reset)
         return BaseSuccessResponse(true)
@@ -311,7 +340,10 @@ class UsersServiceImpl : KoinComponent, UsersService {
             ?: throw EntityNotFoundException("User not found")
 
         val userStatus = status?.toUserStatus()
-        if (userRecord.loginAccess == true && org.metadata != null) {
+        if (userRecord.loginAccess == true &&
+            org.metadata != null &&
+            userAuthRepo.fetchByUserHrnAndProviderName(userHrn.toString(), TokenServiceImpl.ISSUER) != null
+        ) {
             val identityGroup = gson.fromJson(org.metadata.data(), IdentityGroup::class.java)
 
             identityProvider.updateUser(
@@ -340,11 +372,17 @@ class UsersServiceImpl : KoinComponent, UsersService {
         val userRecord = userRepo.findByHrn(userHrn.toString())
             ?: throw EntityNotFoundException("User not found")
 
-        if (userRecord.loginAccess == true) {
+        if (userRecord.loginAccess == true &&
+            org.metadata != null &&
+            userAuthRepo.fetchByUserHrnAndProviderName(userHrn.toString(), TokenServiceImpl.ISSUER) != null
+        ) {
             val identityGroup = gson.fromJson(org.metadata.data(), IdentityGroup::class.java)
             identityProvider.deleteUser(identityGroup, userName)
         }
-        userRepo.delete(userHrn.toString())
+        txMan.wrap {
+            credentialRepo.updateStatusForUser(userHrn.toString())
+            userRepo.delete(userHrn.toString())
+        }
 
         return BaseSuccessResponse(true)
     }
@@ -359,6 +397,10 @@ class UsersServiceImpl : KoinComponent, UsersService {
             throw BadRequestException("User - $userName does not have login access")
         }
 
+        if (userAuthRepo.fetchByUserHrnAndProviderName(userRecord.hrn, TokenServiceImpl.ISSUER) == null) {
+            throw AuthenticationException("User - $userName does not have password access")
+        }
+
         val identityGroup = gson.fromJson(org.metadata.data(), IdentityGroup::class.java)
         identityProvider.authenticate(identityGroup, userName, password)