
fix: add postgres triggers to remove deleted users from user_links #12117


Merged
merged 27 commits into from
Feb 20, 2024
6 changes: 1 addition & 5 deletions cli/delete_test.go
@@ -11,7 +11,6 @@ import (

"github.com/coder/coder/v2/cli/clitest"
"github.com/coder/coder/v2/coderd/coderdtest"
"github.com/coder/coder/v2/coderd/database"
"github.com/coder/coder/v2/coderd/database/dbauthz"
"github.com/coder/coder/v2/codersdk"
"github.com/coder/coder/v2/pty/ptytest"
@@ -95,10 +94,7 @@ func TestDelete(t *testing.T) {
// this way.
ctx := testutil.Context(t, testutil.WaitShort)
// nolint:gocritic // Unit test
err := api.Database.UpdateUserDeletedByID(dbauthz.AsSystemRestricted(ctx), database.UpdateUserDeletedByIDParams{
ID: deleteMeUser.ID,
Deleted: true,
})
err := api.Database.UpdateUserDeletedByID(dbauthz.AsSystemRestricted(ctx), deleteMeUser.ID)
require.NoError(t, err)

inv, root := clitest.New(t, "delete", fmt.Sprintf("%s/%s", deleteMeUser.ID, workspace.Name), "-y", "--orphan")
22 changes: 2 additions & 20 deletions coderd/database/dbauthz/dbauthz.go
@@ -607,16 +607,6 @@ func (q *querier) SoftDeleteTemplateByID(ctx context.Context, id uuid.UUID) erro
return deleteQ(q.log, q.auth, q.db.GetTemplateByID, deleteF)(ctx, id)
}

func (q *querier) SoftDeleteUserByID(ctx context.Context, id uuid.UUID) error {
deleteF := func(ctx context.Context, id uuid.UUID) error {
return q.db.UpdateUserDeletedByID(ctx, database.UpdateUserDeletedByIDParams{
ID: id,
Deleted: true,
})
}
return deleteQ(q.log, q.auth, q.db.GetUserByID, deleteF)(ctx, id)
}

func (q *querier) SoftDeleteWorkspaceByID(ctx context.Context, id uuid.UUID) error {
return deleteQ(q.log, q.auth, q.db.GetWorkspaceByID, func(ctx context.Context, id uuid.UUID) error {
return q.db.UpdateWorkspaceDeletedByID(ctx, database.UpdateWorkspaceDeletedByIDParams{
@@ -2881,16 +2871,8 @@ func (q *querier) UpdateUserAppearanceSettings(ctx context.Context, arg database
return q.db.UpdateUserAppearanceSettings(ctx, arg)
}

// UpdateUserDeletedByID
// Deprecated: Delete this function in favor of 'SoftDeleteUserByID'. Deletes are
// irreversible.
func (q *querier) UpdateUserDeletedByID(ctx context.Context, arg database.UpdateUserDeletedByIDParams) error {
fetch := func(ctx context.Context, arg database.UpdateUserDeletedByIDParams) (database.User, error) {
return q.db.GetUserByID(ctx, arg.ID)
}
// This uses the rbac.ActionDelete action always as this function should always delete.
// We should delete this function in favor of 'SoftDeleteUserByID'.
return deleteQ(q.log, q.auth, fetch, q.db.UpdateUserDeletedByID)(ctx, arg)
func (q *querier) UpdateUserDeletedByID(ctx context.Context, id uuid.UUID) error {
return deleteQ(q.log, q.auth, q.db.GetUserByID, q.db.UpdateUserDeletedByID)(ctx, id)
}

func (q *querier) UpdateUserHashedPassword(ctx context.Context, arg database.UpdateUserHashedPasswordParams) error {
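Review bot: The rewritten UpdateUserDeletedByID has no doc comment, and the comment removed with the old version carried the only statement that this call is always authorized as a delete and is irreversible. The method now hard-codes the soft delete and, per the triggers added in this PR, also removes the user's api_keys and user_links, so I would put `// UpdateUserDeletedByID soft-deletes the user; it is authorized as rbac.ActionDelete via deleteQ.` and `// Database triggers then remove the user's api_keys and user_links.` above it. That deleteQ checks rbac.ActionDelete is inferred from the removed comment and from the dbauthz test, not from this hunk.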
9 changes: 1 addition & 8 deletions coderd/database/dbauthz/dbauthz_test.go
@@ -1015,17 +1015,10 @@ func (s *MethodTestSuite) TestUser() {
LoginType: database.LoginTypeOIDC,
}).Asserts(u, rbac.ActionUpdate)
}))
s.Run("SoftDeleteUserByID", s.Subtest(func(db database.Store, check *expects) {
s.Run("UpdateUserDeletedByID", s.Subtest(func(db database.Store, check *expects) {
u := dbgen.User(s.T(), db, database.User{})
check.Args(u.ID).Asserts(u, rbac.ActionDelete).Returns()
}))
s.Run("UpdateUserDeletedByID", s.Subtest(func(db database.Store, check *expects) {
u := dbgen.User(s.T(), db, database.User{Deleted: true})
check.Args(database.UpdateUserDeletedByIDParams{
ID: u.ID,
Deleted: true,
}).Asserts(u, rbac.ActionDelete).Returns()
}))
s.Run("UpdateUserHashedPassword", s.Subtest(func(db database.Store, check *expects) {
u := dbgen.User(s.T(), db, database.User{})
check.Args(database.UpdateUserHashedPasswordParams{
5 changes: 1 addition & 4 deletions coderd/database/dbgen/dbgen.go
@@ -311,10 +311,7 @@ func User(t testing.TB, db database.Store, orig database.User) database.User {
}

if orig.Deleted {
err = db.UpdateUserDeletedByID(genCtx, database.UpdateUserDeletedByIDParams{
ID: user.ID,
Deleted: orig.Deleted,
})
err = db.UpdateUserDeletedByID(genCtx, user.ID)
require.NoError(t, err, "set user as deleted")
}
return user
51 changes: 30 additions & 21 deletions coderd/database/dbmem/dbmem.go
@@ -733,6 +733,18 @@ func isNotNull(v interface{}) bool {
return reflect.ValueOf(v).FieldByName("Valid").Bool()
}

// Took the error from the real database.
var deletedUserLinkError = &pq.Error{
Severity: "ERROR",
// "raise_exception" error
Code: "P0001",
Message: "Cannot create user_link for deleted user",
Where: "PL/pgSQL function insert_user_links_fail_if_user_deleted() line 7 at RAISE",
File: "pl_exec.c",
Line: "3864",
Routine: "exec_stmt_raise",
}

func (*FakeQuerier) AcquireLock(_ context.Context, _ int64) error {
return xerrors.New("AcquireLock must only be called within a transaction")
}
@@ -5560,6 +5572,10 @@ func (q *FakeQuerier) InsertUserLink(_ context.Context, args database.InsertUser
q.mutex.Lock()
defer q.mutex.Unlock()

if u, err := q.getUserByIDNoLock(args.UserID); err == nil && u.Deleted {
return database.UserLink{}, deletedUserLinkError
}

//nolint:gosimple
link := database.UserLink{
UserID: args.UserID,
@@ -6724,33 +6740,22 @@ func (q *FakeQuerier) UpdateUserAppearanceSettings(_ context.Context, arg databa
return database.User{}, sql.ErrNoRows
}

func (q *FakeQuerier) UpdateUserDeletedByID(_ context.Context, params database.UpdateUserDeletedByIDParams) error {
if err := validateDatabaseType(params); err != nil {
return err
}

func (q *FakeQuerier) UpdateUserDeletedByID(_ context.Context, id uuid.UUID) error {
q.mutex.Lock()
defer q.mutex.Unlock()

for i, u := range q.users {
if u.ID == params.ID {
u.Deleted = params.Deleted
if u.ID == id {
u.Deleted = true
q.users[i] = u
// NOTE: In the real world, this is done by a trigger.
i := 0
for {
if i >= len(q.apiKeys) {
break
}
k := q.apiKeys[i]
if k.UserID == u.ID {
q.apiKeys[i] = q.apiKeys[len(q.apiKeys)-1]
q.apiKeys = q.apiKeys[:len(q.apiKeys)-1]
// We removed an element, so decrement
i--
}
i++
}
q.apiKeys = slices.DeleteFunc(q.apiKeys, func(u database.APIKey) bool {
return id == u.UserID
})

q.userLinks = slices.DeleteFunc(q.userLinks, func(u database.UserLink) bool {
return id == u.UserID
})
return nil
}
}
@@ -6804,6 +6809,10 @@ func (q *FakeQuerier) UpdateUserLink(_ context.Context, params database.UpdateUs
q.mutex.Lock()
defer q.mutex.Unlock()

if u, err := q.getUserByIDNoLock(params.UserID); err == nil && u.Deleted {
return database.UserLink{}, deletedUserLinkError
}

for i, link := range q.userLinks {
if link.UserID == params.UserID && link.LoginType == params.LoginType {
link.OAuthAccessToken = params.OAuthAccessToken
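Review bot: The deleted-user guard is copied by hand into InsertUserLink and UpdateUserLink, whereas the Postgres trigger it imitates (`trigger_upsert_user_links`) fires on every INSERT or UPDATE of user_links. Any other FakeQuerier method that writes `q.userLinks` (none is visible in these hunks) would skip the guard, so a test on the in-memory store could pass where Postgres raises. I would record the contract on the variable, e.g. `// Must be returned by every FakeQuerier method that inserts or updates q.userLinks; mirrors trigger_upsert_user_links.` In UpdateUserDeletedByID the two `slices.DeleteFunc` closures name their parameter `u`, which shadows the loop's user `u`; `k` and `l` would read more clearly. All three method bodies continue outside the hunks.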
6 changes: 3 additions & 3 deletions coderd/database/dbmetrics/dbmetrics.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion coderd/database/dbmock/dbmock.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

29 changes: 27 additions & 2 deletions coderd/database/dump.sql

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

@@ -0,0 +1,26 @@
DROP TRIGGER IF EXISTS trigger_update_users ON users;
DROP FUNCTION IF EXISTS delete_deleted_user_resources;

DROP TRIGGER IF EXISTS trigger_upsert_user_links ON user_links;
DROP FUNCTION IF EXISTS insert_user_links_fail_if_user_deleted;

-- Restore the previous trigger
CREATE FUNCTION delete_deleted_user_api_keys() RETURNS trigger
LANGUAGE plpgsql
AS $$
DECLARE
BEGIN
IF (NEW.deleted) THEN
DELETE FROM api_keys
WHERE user_id = OLD.id;
END IF;
RETURN NEW;
END;
$$;


CREATE TRIGGER trigger_update_users
AFTER INSERT OR UPDATE ON users
FOR EACH ROW
WHEN (NEW.deleted = true)
EXECUTE PROCEDURE delete_deleted_user_api_keys();
@@ -0,0 +1,66 @@
-- We need to delete all existing user_links for soft-deleted users
DELETE FROM
user_links
WHERE
user_id
IN (
SELECT id FROM users WHERE deleted
);

-- Drop the old trigger
DROP TRIGGER trigger_update_users ON users;
-- Drop the old function
DROP FUNCTION delete_deleted_user_api_keys;

-- When we soft-delete a user, we also want to delete their API key.
-- The previous function deleted all api keys. This extends that with user_links.
CREATE FUNCTION delete_deleted_user_resources() RETURNS trigger
LANGUAGE plpgsql
AS $$
DECLARE
BEGIN
IF (NEW.deleted) THEN
-- Remove their api_keys
DELETE FROM api_keys
WHERE user_id = OLD.id;

-- Remove their user_links
-- Their login_type is preserved in the users table.
-- Matching this user back to the link can still be done by their
-- email if the account is undeleted. Although that is not a guarantee.
DELETE FROM user_links
WHERE user_id = OLD.id;
END IF;
RETURN NEW;
END;
$$;


-- Update it to the new trigger
CREATE TRIGGER trigger_update_users
AFTER INSERT OR UPDATE ON users
FOR EACH ROW
WHEN (NEW.deleted = true)
EXECUTE PROCEDURE delete_deleted_user_resources();


-- Prevent adding new user_links for soft-deleted users
CREATE FUNCTION insert_user_links_fail_if_user_deleted() RETURNS trigger
LANGUAGE plpgsql
AS $$

DECLARE
BEGIN
IF (NEW.user_id IS NOT NULL) THEN
IF (SELECT deleted FROM users WHERE id = NEW.user_id LIMIT 1) THEN
RAISE EXCEPTION 'Cannot create user_link for deleted user';
END IF;
END IF;
RETURN NEW;
END;
$$;

CREATE TRIGGER trigger_upsert_user_links
BEFORE INSERT OR UPDATE ON user_links
FOR EACH ROW
EXECUTE PROCEDURE insert_user_links_fail_if_user_deleted();
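Review bot: The check in insert_user_links_fail_if_user_deleted reads `users.deleted` without locking the row, so under READ COMMITTED a soft-delete still uncommitted in another transaction is invisible to it, and the delete trigger in turn cannot see the uncommitted link; both can commit and leave a user_link on a deleted user. Taking a shared row lock in the lookup should close that window: declare `is_deleted boolean;`, then use `SELECT deleted INTO is_deleted FROM users WHERE id = NEW.user_id FOR SHARE;` followed by `IF is_deleted THEN`. This assumes the default isolation level and that nothing else serializes the two statements, which the page does not show. Separately, delete_deleted_user_resources also fires on INSERT, where there is no OLD row, so `WHERE user_id = NEW.id` would be correct for both events.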
2 changes: 1 addition & 1 deletion coderd/database/querier.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

11 changes: 3 additions & 8 deletions coderd/database/queries.sql.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion coderd/database/queries/users.sql
@@ -116,7 +116,7 @@ WHERE
UPDATE
users
SET
deleted = $2
deleted = true
WHERE
id = $1;
