[CORE-58] Cascade policy deletion

[calypsomatic]

Ticket: https://broadworkbench.atlassian.net/browse/CORE-58

This PR now cascade deletes policies when deleting a resource. Instead of throwing an error that some policy members are in use like deleteResource previous did, it simply removes the problematic rows from the table.

I've demonstrated on my BEE that with this code, when a workspace has policies attached to it due to an imported TDR snapshot, it can be successfully deleted without any errors or orphaned policy references.

Why:

Users were unable to delete any workspace that had had a TDR snapshot with a policy imported into it, as those policies had entries in Sam's database that were not being deleted.

---

PR checklist

• I've followed the instructions if I've made any changes to the API, especially if they're breaking changes
• I've filled out the Security Risk Assessment (requires Broad Internal network access) and attached the result to the JIRA ticket

[davidangb]

Some comments inline about separate APIs/functions vs adding to the existing ones; otherwise, looks like a good approach to me. I'd love a knowledgable Sam person to review the SQL queries but it seems like a good high-level approach.

Can you write tests for this?

[dvoet]

I think this is fine and should just happen all the time. No new api, not even an option on the existing api. Just do it.

One other change that needs to happen is that any groups that are modified need to be synchronized by calling cloudExtensions.onGroupUpdate.

So, I would update ResourceService.deleteResource directly to first figure out any groups that are changing and sync them instead of calling checkNoPoliciesInUse. Then I would modify accessPolicyDAO.deleteResource to include your 2 new delete statements in the same transaction as the other deletes.

[dvoet]

The resource was deleted in the line above, the database calls in cloudSyncPolicies won't find anything. I think you need to get the list of groups that will be changed by having the resource removed before deleting the resource then sync them afterwards.

And something else I think I missed: PostgresGroupDAO.updateGroupUpdatedDateAndVersion needs to be called for each group updated.

[calypsomatic]

Just to make sure I understand what you're asking, I should do something like:

affectedPolicies <- accessPolicyDAO.findAffectedPolicies(resource, samRequestContext) //New method
_ <- accessPolicyDAO.deleteResource(resource, leaveTombStone, samRequestContext)
_ <- cloudSyncPolicies(affectedPolicies, samRequestContext) //Update this method to take in policies instead of finding them
_ <- updateGroupUpdatedDateAndVersion(affectedPolicies, samRequestContext)

Is that correct?

[dvoet]

yes but updateGroupUpdatedDateAndVersion should come before cloudSyncPolicies. The sync process keeps track of the last synchronized version and won't do anything if that version is the same as the current version. So the order of operations should be change the policy/group in the sam db, bump the version, cloud sync.

And here is yet another idea (sorry if I am jerking you around): instead of your new database queries to bulk delete entries, you can list the policies that need to be updated along with which policy is being removed. For each of those pairs (policy changing, policy removed), call removeSubjectFromPolicy (in the same class, ResourceService). That takes care of the database calls, syncing, everything. The code would look something like

affectedPolicies <- accessPolicyDAO.findAffectedPolicies(resource, samRequestContext) //New method
_ <- affectedPolicies.traverse { case (policyToUpdate, policyToRemove) => removeSubjectFromPolicy(policyToUpdate, policyToRemove, samRequestContext) }

where findAffectedPolicies (or maybe there is a better name) returns a IO[List[(FullyQualifiedPolicyId, FullyQualifiedPolicyId)]]

[dvoet]

pg is an alias to the group table so its name will not be an access policy name

[dvoet]

I suggest naming these something more readable and include whether they are representing rows from the container or member policy. Same with fullyQualifiedPolicyId1 vs fullyQualifiedPolicyId2. One is the container and one is the member. Naming them better will help keep things straight.

[davidangb]

if you are using removeSubjectFromPolicy, do you still need the call to cloudSyncPolicies? Does removeSubjectFromPolicy handle the syncing internally?

[calypsomatic]

Not sure, actually. Maybe @dvoet knows?

[dvoet]

you don't need to call cloudSyncPolicies

[davidangb]

findPolicyGroupMemberhips? findPolicyGroupParticipation? maybe findPolicyGroupsInUse to reflect the method it is supplanting?

[davidangb]

is this still necessary here, given that ResourceService calls removeSubjectFromPolicy?

[calypsomatic]

I guess not!

[davidangb]

I think you could also write this as:

policyGroups should contain theSameElementsAs List(parentPolicy.id, childPolicy.id)

optional; pick whatever approach is more consistent with Sam code. I do see theSameElementsAs used elsewhere in Sam.

[dvoet]

need an extra set of parens in there
policyGroups should contain theSameElementsAs List((parentPolicy.id, childPolicy.id))
and that 1 line can replace your 3

[dvoet]

I think this looks right. Approved assuming the cleanup David pointed and my test comments.

[dvoet]

need an extra set of parens in there
policyGroups should contain theSameElementsAs List((parentPolicy.id, childPolicy.id))
and that 1 line can replace your 3

[dvoet]

I would add 2 more policies to childResource, one that is not a member of a parentResource policy and on that is a member of a different policy. Maybe even add another parent resource.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
5.8% Duplication on New Code

See analysis details on SonarCloud

[davidangb]

thanks for sticking with this one!