fix: user/role group sql lock fix (#3206)

* change1

* "RBAC Refactoring and Policy Creation Optimisation"

* "Removing ClusterType"

* "ReFactoring the changes"

* removed redundant method

* "Changes After Reviews"

* "Changes After Reviews 2"

* "Changes After Reviews 3"

* "Changes After Reviews 4"

* "Changes After Reviews 5"

* "Changes After Reviews 6"

* "Changes After Reviews 6"

* "Changes based on entity"

* Code Cleaning

* Code change 8

* Code change 9

* Code change 9

* Code change 10

* Code change 11

* Code change 12

* Code change 13

* fixed transaction error for creating roles

* refactoring - 1

* refactoring

* Changes after Resolving conflicts

* Changes after Resolving conflicts 2

* Changes after Resolving conflicts 3

* Changes after Resolving access_type to accessType and queries

* Final changes

* Rbac-Optimimisation Change

* Rbac-Optimimisation Final Change

* refactoring

* Fixing Legacy Bug

* Fixing Visiblity issues all pods

* Merge with main

* Intialisation with capacity and adding logs

* Intialisation with capacity and adding logs

* Refactoring the changes

* Adding logs

* Adding logs 1

* Updating the audit logs for create Role

* Handling from code instead of script

* Merge Main

* Deleting Commented Code and adding role group view

* Fixing issues caught in Dev-Testing

* Removing script queries

* Fixing Issues of entity empty

* Dev-Testing Changes

* Final Changes

* Reducing duplication

* Reducing duplication

* Adding audit logs for superAdmin for user role mappings

* Visibility of permissions

* Visibility of permissions for devtron-apps

* Fixing Legacy issue for deleting roleGroup permissions

* deleting group and role mapping from casbin

* fix deadlock condition for user/role group update

* updated sql script no.

---------

Co-authored-by: shivam-nagar23 <[email protected]>

Author: kartik-579

pkg/user/RoleGroupService.go

@@ -124,7 +124,6 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean
 				}
 			} else {
 				actionType := roleFilter.Action
-
 				accessType := roleFilter.AccessType
 				entityNames := strings.Split(roleFilter.EntityName, ",")
 				environments := strings.Split(roleFilter.Environment, ",")
@@ -137,13 +136,7 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean
 							impl.logger.Errorw("error in getting new role model")
 							return nil, err
 						}
-						oldRoleModel, err := impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, roleFilter.Team, entityName, environment, actionType, accessType, "", "", "", "", "", "", true)
-						if err != nil {
-							impl.logger.Errorw("error in getting old role model already present", "err", err)
-							return nil, err
-						}
-
-						if oldRoleModel.Id == 0 && roleModel.Id == 0 {
+						if roleModel.Id == 0 {
 							if roleFilter.Entity == bean2.ENTITY_APPS || roleFilter.Entity == bean.CHART_GROUP_ENTITY {
 								flag, err, policiesAdded := impl.userAuthRepository.CreateDefaultPoliciesForAllTypes(roleFilter.Team, entityName, environment, entity, "", "", "", "", "", actionType, accessType, request.UserId)
 								if err != nil || flag == false {
@@ -161,33 +154,7 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean
 							} else {
 								continue
 							}
-						} else if oldRoleModel.Id > 0 && roleModel.Id == 0 {
-							flag, err := impl.userAuthRepository.CreateRolesWithAccessTypeAndEntity(roleFilter.Team, entityName, environment, entity, "", "", "", "", "", actionType, accessType, request.UserId, oldRoleModel.Role)
-							if err != nil || flag == false {
-								return nil, err
-							}
-							impl.logger.Infow("Getting Role by filter Again for other Types  ")
-							roleModel, err = impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, roleFilter.Team, entityName, environment, actionType, accessType, "", "", "", "", "", "", false)
-							if err != nil {
-								return nil, err
-							}
-							if roleModel.Id == 0 {
-								continue
-							}
-							// shift user_role_mapping queries
-							userRole, err := impl.userRepository.UpdateRoleIdForUserRolesMappings(oldRoleModel.Id, roleModel.Id)
-							if err != nil {
-								impl.logger.Errorw("Error in updating role id from old roles with new role(access_type  and entity)", "err", err)
-							}
-
-							roleGroupRole, err := impl.roleGroupRepository.UpdateRoleGroupIdForRoleGroupMappings(oldRoleModel.Id, roleModel.Id)
-							if err != nil {
-								impl.logger.Errorw("Error in updating Role Group Role Mappings for old role with new roles (access_type and entity)", "err", err)
-							}
-							impl.logger.Infow("updated user role and roleGroups with new values", "userrole", userRole, "grouprole", roleGroupRole)
-
 						}
-
 						if roleModel.Id > 0 {
 							roleGroupMappingModel := &repository2.RoleGroupRoleMapping{RoleGroupId: model.Id, RoleId: roleModel.Id}
 							roleGroupMappingModel.CreatedBy = request.UserId
@@ -249,12 +216,7 @@ func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForClusterEntity(roleFil
 						impl.logger.Errorw("error in getting new role model by filter")
 						return policiesToBeAdded, err
 					}
-					oldRoleModel, err := impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, "", "", "", "", accessType, roleFilter.Cluster, namespace, group, kind, resource, actionType, true)
-					if err != nil {
-						impl.logger.Errorw("error in getting old role model by filter already present")
-						return policiesToBeAdded, err
-					}
-					if roleModel.Id == 0 && oldRoleModel.Id == 0 {
+					if roleModel.Id == 0 {
 						flag, err, policiesAdded := impl.userAuthRepository.CreateDefaultPoliciesForAllTypes("", "", "", entity, roleFilter.Cluster, namespace, group, kind, resource, actionType, accessType, userId)
 						if err != nil || flag == false {
 							return policiesToBeAdded, err
@@ -267,31 +229,6 @@ func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForClusterEntity(roleFil
 						if roleModel.Id == 0 {
 							continue
 						}
-					} else if oldRoleModel.Id > 0 && roleModel.Id == 0 {
-						flag, err := impl.userAuthRepository.CreateRolesWithAccessTypeAndEntity("", "", "", roleFilter.Entity, roleFilter.Cluster, namespace, group, kind, resource, actionType, accessType, userId, oldRoleModel.Role)
-						if err != nil || flag == false {
-							return policiesToBeAdded, err
-						}
-						impl.logger.Infow("Getting Role by filter Again for other Types  ")
-						roleModel, err = impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, "", "", "", "", accessType, roleFilter.Cluster, namespace, group, kind, resource, actionType, false)
-						if err != nil {
-							return policiesToBeAdded, err
-						}
-						if roleModel.Id == 0 {
-							continue
-						}
-						// shift user_role_mapping queries
-						userRole, err := impl.userRepository.UpdateRoleIdForUserRolesMappings(oldRoleModel.Id, roleModel.Id)
-						if err != nil {
-							impl.logger.Errorw("Error in updating User Role Mappings for role", "err", err)
-						}
-
-						roleGroupRole, err := impl.roleGroupRepository.UpdateRoleGroupIdForRoleGroupMappings(oldRoleModel.Id, roleModel.Id)
-						if err != nil {
-							impl.logger.Errorw("Error in updating Role Group Role Mappings for role", "err", err)
-						}
-						impl.logger.Infow("updated user role and roleGroups", "userrole", userRole, "grouprole", roleGroupRole)
-
 					}
 					if _, ok := existingRoles[roleModel.Id]; ok {
 						//Adding policies which are removed
@@ -373,7 +310,6 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 	// DELETE PROCESS ENDS
 
 	//Adding New Policies
-	//var policies []casbin2.Policy
 	capacity, mapping := impl.userCommonService.GetCapacityForRoleFilter(request.RoleFilters)
 	var policies = make([]casbin2.Policy, 0, capacity)
 	for index, roleFilter := range request.RoleFilters {
@@ -407,14 +343,8 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 					if err != nil {
 						return nil, err
 					}
-					oldRoleModel, err := impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, roleFilter.Team, entityName, environment, actionType, accessType, "", "", "", "", "", "", true)
-					if err != nil {
-						return nil, err
-					}
-					if oldRoleModel.Id == 0 && roleModel.Id == 0 {
-
+					if roleModel.Id == 0 {
 						request.Status = bean2.RoleNotFoundStatusPrefix + roleFilter.Team + "," + environment + "," + entityName + "," + actionType
-
 						if roleFilter.Entity == bean2.ENTITY_APPS || roleFilter.Entity == bean.CHART_GROUP_ENTITY {
 							flag, err, policiesAdded := impl.userAuthRepository.CreateDefaultPoliciesForAllTypes(roleFilter.Team, entityName, environment, entity, "", "", "", "", "", actionType, accessType, request.UserId)
 							policies = append(policies, policiesAdded...)
@@ -432,34 +362,7 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 						} else {
 							continue
 						}
-					} else if oldRoleModel.Id > 0 && roleModel.Id == 0 {
-
-						flag, err := impl.userAuthRepository.CreateRolesWithAccessTypeAndEntity(roleFilter.Team, entityName, environment, entity, "", "", "", "", "", actionType, accessType, request.UserId, oldRoleModel.Role)
-						if err != nil || flag == false {
-							return nil, err
-						}
-						impl.logger.Infow("Getting Role by filter Again for other Types  ", "roleFilter", roleFilter)
-						roleModel, err = impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, roleFilter.Team, entityName, environment, actionType, accessType, "", "", "", "", "", "", false)
-						if err != nil {
-							return nil, err
-						}
-						if roleModel.Id == 0 {
-							continue
-						}
-						// shift user_role_mapping queries
-						userRole, err := impl.userRepository.UpdateRoleIdForUserRolesMappings(oldRoleModel.Id, roleModel.Id)
-						if err != nil {
-							impl.logger.Errorw("Error in updating User Role Mappings for role", "err", err)
-						}
-
-						roleGroupRole, err := impl.roleGroupRepository.UpdateRoleGroupIdForRoleGroupMappings(oldRoleModel.Id, roleModel.Id)
-						if err != nil {
-							impl.logger.Errorw("Error in updating Role Group Role Mappings for role", "err", err)
-						}
-						impl.logger.Infow("updated user role and roleGroups", "userrole", userRole, "grouprole", roleGroupRole)
-
 					}
-
 					if _, ok := existingRoles[roleModel.Id]; ok {
 						//Adding policies which is removed
 						policies = append(policies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(roleGroup.CasbinName), Obj: casbin2.Object(roleModel.Role)})

pkg/user/UserCommonService.go

@@ -109,7 +109,8 @@ func (impl UserCommonServiceImpl) RemoveRolesAndReturnEliminatedPolicies(userInf
 								delete(eliminatedRoleIds, roleModel.Id)
 							}
 							if _, ok := existingRoleIds[oldRoleModel.Id]; ok {
-								delete(eliminatedRoleIds, roleModel.Id)
+								//delete old role mapping from existing but not from eliminated roles (so that it gets deleted)
+								delete(existingRoleIds, oldRoleModel.Id)
 							}
 						}
 					}
@@ -160,7 +161,8 @@ func (impl UserCommonServiceImpl) RemoveRolesAndReturnEliminatedPolicies(userInf
 						delete(eliminatedRoleIds, roleModel.Id)
 					}
 					if _, ok := existingRoleIds[oldRoleModel.Id]; ok {
-						delete(eliminatedRoleIds, roleModel.Id)
+						//delete old role mapping from existing but not from eliminated roles (so that it gets deleted)
+						delete(existingRoleIds, oldRoleModel.Id)
 					}
 
 				}
@@ -262,7 +264,8 @@ func (impl UserCommonServiceImpl) RemoveRolesAndReturnEliminatedPoliciesForGroup
 								delete(eliminatedRoles, roleModel.Id)
 							}
 							if _, ok := existingRoles[oldRoleModel.Id]; ok {
-								delete(eliminatedRoles, roleModel.Id)
+								//delete old role mapping from existing but not from eliminated roles (so that it gets deleted)
+								delete(existingRoles, oldRoleModel.Id)
 							}
 						}
 					}
@@ -310,12 +313,12 @@ func (impl UserCommonServiceImpl) RemoveRolesAndReturnEliminatedPoliciesForGroup
 						request.Status = "role not fount for any given filter: " + roleFilter.Team + "," + environment + "," + entityName + "," + actionType
 						continue
 					}
-					//roleModel := roleModels[0]
 					if _, ok := existingRoles[roleModel.Id]; ok {
 						delete(eliminatedRoles, roleModel.Id)
 					}
-					if _, ok := existingRoles[roleModel.Id]; ok {
-						delete(eliminatedRoles, roleModel.Id)
+					if _, ok := existingRoles[oldRoleModel.Id]; ok {
+						//delete old role mapping from existing but not from eliminated roles (so that it gets deleted)
+						delete(existingRoles, oldRoleModel.Id)
 					}
 
 				}

pkg/user/UserService.go

@@ -412,8 +412,6 @@ func (impl UserServiceImpl) CreateOrUpdateUserRolesForAllTypes(roleFilter bean.R
 	rolesChanged := false
 	roleFilter = impl.userCommonService.ReplacePlaceHolderForEmptyEntriesInRoleFilter(roleFilter)
 	if entity == bean2.CLUSTER {
-		impl.logger.Infow("Creating Or updating User for Cluster Entity ", roleFilter.Cluster)
-
 		policiesToBeAdded, rolesChanged, err = impl.createOrUpdateUserRolesForClusterEntity(roleFilter, userId, model, existingRoles, token, managerAuth, tx, entity, capacity)
 		if err != nil {
 			return nil, false, err
@@ -425,9 +423,6 @@ func (impl UserServiceImpl) CreateOrUpdateUserRolesForAllTypes(roleFilter bean.R
 		environments := strings.Split(roleFilter.Environment, ",")
 		for _, environment := range environments {
 			for _, entityName := range entityNames {
-
-				impl.logger.Infow("Creating Or updating User Roles for other types ", "environment", environment, "entityName", entityName)
-
 				if managerAuth != nil {
 					// check auth only for apps permission, skip for chart group
 					rbacObject := fmt.Sprintf("%s", strings.ToLower(roleFilter.Team))
@@ -438,24 +433,17 @@ func (impl UserServiceImpl) CreateOrUpdateUserRolesForAllTypes(roleFilter bean.R
 				}
 				entityName = impl.userCommonService.RemovePlaceHolderInRoleFilterField(entityName)
 				environment = impl.userCommonService.RemovePlaceHolderInRoleFilterField(environment)
-				impl.logger.Infow("Getting Roles for other types ")
-
 				roleModel, err := impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, roleFilter.Team, entityName, environment, actionType, accessType, "", "", "", "", "", actionType, false)
 				if err != nil {
+					impl.logger.Errorw("error in getting role by all type", "err", err, "roleFilter", roleFilter)
 					return policiesToBeAdded, rolesChanged, err
 				}
-				oldRoleModel, err := impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, roleFilter.Team, entityName, environment, actionType, accessType, "", "", "", "", "", actionType, true)
-				if err != nil {
-					return policiesToBeAdded, rolesChanged, err
-				}
-				if oldRoleModel.Id == 0 && roleModel.Id == 0 {
+				if roleModel.Id == 0 {
 					impl.logger.Debugw("no role found for given filter", "filter", "roleFilter", roleFilter)
 					flag, err, policiesAdded := impl.userAuthRepository.CreateDefaultPoliciesForAllTypes(roleFilter.Team, entityName, environment, entity, "", "", "", "", "", actionType, accessType, userId)
 					if err != nil || flag == false {
 						return policiesToBeAdded, rolesChanged, err
 					}
-					impl.logger.Infow("Getting Role by filter Again for other Types  ")
-
 					policiesToBeAdded = append(policiesToBeAdded, policiesAdded...)
 					roleModel, err = impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, roleFilter.Team, entityName, environment, actionType, accessType, "", "", "", "", "", actionType, false)
 					if err != nil {
@@ -464,37 +452,9 @@ func (impl UserServiceImpl) CreateOrUpdateUserRolesForAllTypes(roleFilter bean.R
 					if roleModel.Id == 0 {
 						continue
 					}
-				} else if oldRoleModel.Id > 0 && roleModel.Id == 0 {
-
-					flag, err := impl.userAuthRepository.CreateRolesWithAccessTypeAndEntity(roleFilter.Team, entityName, environment, entity, "", "", "", "", "", actionType, accessType, userId, oldRoleModel.Role)
-					if err != nil || flag == false {
-						return policiesToBeAdded, rolesChanged, err
-					}
-					impl.logger.Infow("Getting Role by filter Again for other Types  ")
-					roleModel, err = impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, roleFilter.Team, entityName, environment, actionType, accessType, "", "", "", "", "", actionType, false)
-					if err != nil {
-						return policiesToBeAdded, rolesChanged, err
-					}
-					if roleModel.Id == 0 {
-						continue
-					}
-					// shift user_role_mapping queries
-					userRole, err := impl.userRepository.UpdateRoleIdForUserRolesMappings(oldRoleModel.Id, roleModel.Id)
-					if err != nil {
-						impl.logger.Errorw("Error in updating User Role Mappings for role", "err", err)
-					}
-
-					roleGroupRole, err := impl.roleGroupRepository.UpdateRoleGroupIdForRoleGroupMappings(oldRoleModel.Id, roleModel.Id)
-					if err != nil {
-						impl.logger.Errorw("Error in updating Role Group Role Mappings for role", "err", err)
-					}
-					impl.logger.Infow("updated user role and roleGroups", "userrole", userRole, "grouprole", roleGroupRole)
-
 				}
 				if _, ok := existingRoles[roleModel.Id]; ok {
 					//Adding policies which is removed
-					impl.logger.Infow("Adding policies which is removed")
-
 					policiesToBeAdded = append(policiesToBeAdded, casbin2.Policy{Type: "g", Sub: casbin2.Subject(model.EmailId), Obj: casbin2.Object(roleModel.Role)})
 				} else if roleModel.Id > 0 {
 					rolesChanged = true
@@ -507,12 +467,10 @@ func (impl UserServiceImpl) CreateOrUpdateUserRolesForAllTypes(roleFilter bean.R
 							UpdatedBy: userId,
 							UpdatedOn: time.Now(),
 						}}
-					impl.logger.Infow("Creating User Role Mapping for other types")
 					userRoleModel, err = impl.userAuthRepository.CreateUserRoleMapping(userRoleModel, tx)
 					if err != nil {
 						return nil, rolesChanged, err
 					}
-					impl.logger.Infow("User Policy addition in var")
 					policiesToBeAdded = append(policiesToBeAdded, casbin2.Policy{Type: "g", Sub: casbin2.Subject(model.EmailId), Obj: casbin2.Object(roleModel.Role)})
 				}
 			}
@@ -553,11 +511,7 @@ func (impl UserServiceImpl) createOrUpdateUserRolesForClusterEntity(roleFilter b
 					if err != nil {
 						return policiesToBeAdded, rolesChanged, err
 					}
-					oldRoleModel, err := impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, "", "", "", "", accessType, roleFilter.Cluster, namespace, group, kind, resource, actionType, true)
-					if err != nil {
-						return policiesToBeAdded, rolesChanged, err
-					}
-					if roleModel.Id == 0 && oldRoleModel.Id == 0 {
+					if roleModel.Id == 0 {
 						impl.logger.Infow("Creating Polices for cluster", resource, kind, namespace, group)
 						flag, err, policiesAdded := impl.userAuthRepository.CreateDefaultPoliciesForAllTypes("", "", "", entity, roleFilter.Cluster, namespace, group, kind, resource, actionType, accessType, userId)
 						if err != nil || flag == false {
@@ -572,33 +526,7 @@ func (impl UserServiceImpl) createOrUpdateUserRolesForClusterEntity(roleFilter b
 						if roleModel.Id == 0 {
 							continue
 						}
-					} else if oldRoleModel.Id > 0 && roleModel.Id == 0 {
-						flag, err := impl.userAuthRepository.CreateRolesWithAccessTypeAndEntity("", "", "", roleFilter.Entity, roleFilter.Cluster, namespace, group, kind, resource, actionType, accessType, userId, oldRoleModel.Role)
-						if err != nil || flag == false {
-							return policiesToBeAdded, rolesChanged, err
-						}
-						impl.logger.Infow("Getting Role by filter Again for other Types  ")
-						roleModel, err = impl.userAuthRepository.GetRoleByFilterForAllTypes(entity, "", "", "", "", accessType, roleFilter.Cluster, namespace, group, kind, resource, actionType, false)
-						if err != nil {
-							return policiesToBeAdded, rolesChanged, err
-						}
-						if roleModel.Id == 0 {
-							continue
-						}
-						// shift user_role_mapping queries
-						userRole, err := impl.userRepository.UpdateRoleIdForUserRolesMappings(oldRoleModel.Id, roleModel.Id)
-						if err != nil {
-							impl.logger.Errorw("Error in updating User Role Mappings for role", "err", err)
-						}
-
-						roleGroupRole, err := impl.roleGroupRepository.UpdateRoleGroupIdForRoleGroupMappings(oldRoleModel.Id, roleModel.Id)
-						if err != nil {
-							impl.logger.Errorw("Error in updating Role Group Role Mappings for role", "err", err)
-						}
-						impl.logger.Infow("updated user role and roleGroups", "userrole", userRole, "grouprole", roleGroupRole)
-
 					}
-
 					if _, ok := existingRoles[roleModel.Id]; ok {
 						//Adding policies which are removed
 						policiesToBeAdded = append(policiesToBeAdded, casbin2.Policy{Type: "g", Sub: casbin2.Subject(model.EmailId), Obj: casbin2.Object(roleModel.Role)})
@@ -618,7 +546,6 @@ func (impl UserServiceImpl) createOrUpdateUserRolesForClusterEntity(roleFilter b
 							if err != nil {
 								return nil, rolesChanged, err
 							}
-							impl.logger.Infow("Adding policies g type to var")
 							policiesToBeAdded = append(policiesToBeAdded, casbin2.Policy{Type: "g", Sub: casbin2.Subject(model.EmailId), Obj: casbin2.Object(roleModel.Role)})
 						}
 					}
@@ -628,6 +555,7 @@ func (impl UserServiceImpl) createOrUpdateUserRolesForClusterEntity(roleFilter b
 	}
 	return policiesToBeAdded, rolesChanged, nil
 }
+
 func (impl UserServiceImpl) mergeRoleFilter(oldR []bean.RoleFilter, newR []bean.RoleFilter) []bean.RoleFilter {
 	var roleFilters []bean.RoleFilter
 	keysMap := make(map[string]bool)