Enhance logging, error handling, and resource management

apps/accounts/internal/domain/invitations.go

@@ -2,6 +2,7 @@ package domain
 
 import (
 	"context"
+
 	"github.com/kloudlite/api/apps/accounts/internal/entities"
 	fc "github.com/kloudlite/api/apps/accounts/internal/entities/field-constants"
 	iamT "github.com/kloudlite/api/apps/iam/types"
@@ -180,12 +181,12 @@ func (d *domain) AcceptInvitation(ctx UserContext, accountName string, inviteTok
 		return false, errors.Newf("invitation already accepted or rejected, won't process further")
 	}
 
-	inv.Accepted = fn.New(true)
-	if _, err := d.invitationRepo.UpdateById(ctx, inv.Id, inv); err != nil {
+	if err := d.addMembership(ctx, accountName, ctx.UserId, inv.UserRole); err != nil {
 		return false, errors.NewE(err)
 	}
 
-	if err := d.addMembership(ctx, accountName, ctx.UserId, inv.UserRole); err != nil {
+	// INFO: invitation accepted, removing invite
+	if err := d.invitationRepo.DeleteById(ctx, inv.Id); err != nil {
 		return false, errors.NewE(err)
 	}
 

apps/accounts/internal/domain/memberships.go

@@ -2,9 +2,10 @@ package domain
 
 import (
 	"context"
-	"github.com/kloudlite/api/apps/accounts/internal/entities"
 	"strings"
 
+	"github.com/kloudlite/api/apps/accounts/internal/entities"
+
 	iamT "github.com/kloudlite/api/apps/iam/types"
 	"github.com/kloudlite/api/grpc-interfaces/kloudlite.io/rpc/iam"
 	"github.com/kloudlite/api/pkg/errors"
@@ -69,7 +70,6 @@ func (d *domain) UpdateAccountMembership(ctx UserContext, accountName string, me
 		ResourceRef:  iamT.NewResourceRef(accountName, iamT.ResourceAccount, accountName),
 		Role:         string(role),
 	})
-
 	if err != nil {
 		return false, errors.NewE(err)
 	}

apps/accounts/main.go

@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"flag"
-	"log/slog"
 	"os"
 	"time"
 
@@ -20,37 +19,42 @@ import (
 )
 
 func main() {
+	start := time.Now()
+
 	var isDev bool
 	flag.BoolVar(&isDev, "dev", false, "--dev")
+
+	var debug bool
+	flag.BoolVar(&debug, "debug", false, "--debug")
+
 	flag.Parse()
 
-	logger, err := logging.New(&logging.Options{Name: "accounts", Dev: isDev})
-	if err != nil {
-		panic(err)
+	if isDev {
+		debug = true
 	}
 
+	logger := logging.NewSlogLogger(logging.SlogOptions{
+		ShowCaller:         true,
+		ShowDebugLogs:      debug,
+		SetAsDefaultLogger: true,
+	})
+
 	app := fx.New(
 		fx.NopLogger,
 
-		fx.Provide(func() logging.Logger {
-			return logger
+		fx.Provide(func() (logging.Logger, error) {
+			return logging.New(&logging.Options{Name: "accounts-api", Dev: isDev, ShowDebugLog: debug})
 		}),
 
-		fx.Provide(func() *slog.Logger {
-			return logging.NewSlogLogger(logging.SlogOptions{
-				ShowCaller:         true,
-				ShowDebugLogs:      isDev,
-				SetAsDefaultLogger: true,
-			})
-		}),
+		fx.Supply(logger),
 
 		fx.Provide(func() (*env.Env, error) {
-			if e, err := env.LoadEnv(); err != nil {
+			e, err := env.LoadEnv()
+			if err != nil {
 				return nil, errors.NewE(err)
-			} else {
-				e.IsDev = isDev
-				return e, nil
 			}
+			e.IsDev = isDev
+			return e, nil
 		}),
 
 		fx.Provide(func(e *env.Env) (*rest.Config, error) {
@@ -79,10 +83,10 @@ func main() {
 	defer cancelFunc()
 
 	if err := app.Start(ctx); err != nil {
-		logger.Errorf(err, "error starting accounts app")
+		logger.Error("failed to start accounts api, got", "err", err)
 		os.Exit(1)
 	}
 
-	common.PrintReadyBanner()
+	common.PrintReadyBanner2(time.Since(start))
 	<-app.Done()
 }

apps/console/internal/domain/environment.go

@@ -666,13 +666,17 @@ func (d *domain) OnEnvironmentDeleteMessage(ctx ConsoleContext, env entities.Env
 		return errors.NewE(err)
 	}
 
-	if err := d.environmentRepo.DeleteOne(
-		ctx,
-		repos.Filter{
-			fields.AccountName:  ctx.AccountName,
-			fields.MetadataName: env.Name,
-		},
-	); err != nil {
+	if err := d.environmentRepo.DeleteOne(ctx, repos.Filter{
+		fields.AccountName:  ctx.AccountName,
+		fields.MetadataName: env.Name,
+	}); err != nil {
+		return errors.NewE(err)
+	}
+
+	if err := d.resourceMappingRepo.DeleteMany(ctx, repos.Filter{
+		fc.ResourceMappingResourceHeirarchy: entities.ResourceHeirarchyEnvironment,
+		fc.EnvironmentName:                  env.Name,
+	}); err != nil {
 		return errors.NewE(err)
 	}
 
@@ -701,16 +705,9 @@ func (d *domain) OnEnvironmentUpdateMessage(ctx ConsoleContext, env entities.Env
 		return d.resyncK8sResource(ctx, xenv.Name, xenv.SyncStatus.Action, &xenv.Environment, xenv.RecordVersion)
 	}
 
-	uenv, err := d.environmentRepo.PatchById(
-		ctx,
-		xenv.Id,
-		common.PatchForSyncFromAgent(
-			&env,
-			recordVersion,
-			status,
-			common.PatchOpts{
-				MessageTimestamp: opts.MessageTimestamp,
-			}))
+	uenv, err := d.environmentRepo.PatchById(ctx, xenv.Id, common.PatchForSyncFromAgent(
+		&env, recordVersion, status, common.PatchOpts{MessageTimestamp: opts.MessageTimestamp}),
+	)
 	if err != nil {
 		return err
 	}

apps/iam/internal/app/grpc-server.go

@@ -11,7 +11,6 @@ import (
 	t "github.com/kloudlite/api/apps/iam/types"
 	"github.com/kloudlite/api/grpc-interfaces/kloudlite.io/rpc/iam"
 	"github.com/kloudlite/api/pkg/errors"
-	fn "github.com/kloudlite/api/pkg/functions"
 	"github.com/kloudlite/api/pkg/logging"
 	"github.com/kloudlite/api/pkg/repos"
 )
@@ -52,6 +51,8 @@ func (s *GrpcService) UpdateMembership(ctx context.Context, in *iam.UpdateMember
 	}, nil
 }
 
+var ErrRoleBindingNotFound error = fmt.Errorf("role binding not found")
+
 func (s *GrpcService) findRoleBinding(ctx context.Context, userId repos.ID, resourceRef string) (*entities.RoleBinding, error) {
 	rb, err := s.rbRepo.FindOne(
 		ctx, repos.Filter{
@@ -63,7 +64,7 @@ func (s *GrpcService) findRoleBinding(ctx context.Context, userId repos.ID, reso
 		return nil, errors.NewE(err)
 	}
 	if rb == nil {
-		return nil, errors.Newf("role binding for (userId=%s,  ResourceRef=%s) not found", userId, resourceRef)
+		return nil, ErrRoleBindingNotFound
 	}
 	return rb, nil
 }
@@ -121,45 +122,99 @@ func (s *GrpcService) Can(ctx context.Context, in *iam.CanIn) (*iam.CanOut, erro
 		return &iam.CanOut{Status: false}, nil
 	}
 
-	var hasAccountMemberRole bool
-
-	canFilter := repos.Filter{
-		"resource_ref": map[string]any{"$in": in.ResourceRefs},
-		"user_id":      in.UserId,
+	arb := make([]any, len(rb))
+	for i := range rb {
+		arb = append(arb, rb[i])
 	}
 
-	for i := range rb {
-		if rb[i] == t.RoleAccountMember {
-			hasAccountMemberRole = true
-
-			rr := make([]map[string]any, 0, len(in.ResourceRefs))
-
-			for i := range in.ResourceRefs {
-				accountName, _, _, err := t.ParseResourceRef(in.ResourceRefs[i])
-				if err != nil {
-					return nil, err
-				}
-
-				if strings.TrimSpace(accountName) == "" {
-					return nil, fmt.Errorf("accountName must be provided")
-				}
-
-				nf := s.rbRepo.MergeMatchFilters(repos.Filter{}, map[string]repos.MatchFilter{
-					"resource_ref": {
-						MatchType: repos.MatchTypeRegex,
-						Regex:     fn.New(t.NewResourceRef(accountName, "*", "*")),
-					},
-				})
-				rr = append(rr, map[string]any{"resource_ref": nf["resource_ref"]})
-			}
-
-			delete(canFilter, "resource_ref")
-			canFilter["$or"] = rr
+	accountName := ""
+	for i := range in.ResourceRefs {
+		acc, _, _, err := t.ParseResourceRef(in.ResourceRefs[i])
+		if err != nil {
+			return nil, err
 		}
+		accountName = acc
 	}
 
-	rbs, err := s.rbRepo.Find(
-		ctx, repos.Query{Filter: canFilter},
+	// var hasAccountMemberRole bool
+
+	// resourceFilter := repos.Filter{
+	// 	"resource_ref": map[string]any{"$in": in.ResourceRefs},
+	// 	"user_id":      in.UserId,
+	// }
+
+	// resourceFilter = s.rbRepo.MergeMatchFilters(resourceFilter, map[string]repos.MatchFilter{
+	// 	"role": {
+	// 		MatchType: repos.MatchTypeArray,
+	// 		Array:     arb,
+	// 	},
+	// })
+
+	accountLevelFilter := s.rbRepo.MergeMatchFilters(repos.Filter{}, map[string]repos.MatchFilter{
+		"user_id": {
+			MatchType: repos.MatchTypeExact,
+			Exact:     in.UserId,
+		},
+		"resource_ref": {
+			MatchType: repos.MatchTypeExact,
+			Exact:     fmt.Sprintf("%s/account/%s", accountName, accountName),
+		},
+		"role": {
+			MatchType: repos.MatchTypeArray,
+			Array:     []any{t.RoleAccountOwner, t.RoleAccountAdmin, t.RoleAccountMember},
+		},
+	})
+
+	// for i := range rb {
+	// 	if rb[i] == t.RoleAccountMember {
+	// 		hasAccountMemberRole = true
+	//
+	// 		rr := make([]map[string]any, 0, len(in.ResourceRefs))
+	//
+	// 		for i := range in.ResourceRefs {
+	// 			accountName, _, _, err := t.ParseResourceRef(in.ResourceRefs[i])
+	// 			if err != nil {
+	// 				return nil, err
+	// 			}
+	//
+	// 			if strings.TrimSpace(accountName) == "" {
+	// 				return nil, fmt.Errorf("accountName must be provided")
+	// 			}
+	//
+	// 			nf := s.rbRepo.MergeMatchFilters(repos.Filter{}, map[string]repos.MatchFilter{
+	// 				"resource_ref": {
+	// 					MatchType: repos.MatchTypeRegex,
+	// 					// FIXME: HERE
+	// 					Regex: fn.New(t.NewResourceRef(accountName, "*", "*")),
+	// 				},
+	// 			})
+	// 			rr = append(rr, map[string]any{
+	// 				"resource_ref": nf["resource_ref"],
+	// 			})
+	// 		}
+	//
+	// 		// FIXME: error HERE
+	// 		delete(canFilter, "resource_ref")
+	// 		canFilter["$or"] = rr
+	// 	}
+	// }
+
+	// accountMemberFilter := repos.Filter{
+	//   "resource_ref":
+	// }
+	//
+	// resourceFilter = s.rbRepo.MergeMatchFilters(resourceFilter, map[string]repos.MatchFilter{
+	// 	"role": {
+	// 		MatchType: repos.MatchTypeArray,
+	// 		Array:     []any{t.RoleAccountOwner, t.RoleAccountAdmin, t.RoleAccountMember},
+	// 	},
+	// })
+
+	rbs, err := s.rbRepo.Find(ctx, repos.Query{Filter: repos.Filter{
+		"$and": []map[string]any{
+			accountLevelFilter,
+		},
+	}},
 	)
 	if err != nil {
 		return nil, errors.NewEf(err, "could not find rolebindings for (resourceRefs=%s)", strings.Join(in.ResourceRefs, ","))
@@ -169,18 +224,22 @@ func (s *GrpcService) Can(ctx context.Context, in *iam.CanIn) (*iam.CanOut, erro
 		return nil, errors.Newf("no rolebinding found for (userId=%s, resourceRefs=%s)", in.UserId, strings.Join(in.ResourceRefs, ","))
 	}
 
-	if hasAccountMemberRole && len(rbs) > 0 {
+	if len(rbs) > 0 {
 		return &iam.CanOut{Status: true}, nil
 	}
 
-	for i := range rbs {
-		// 2nd loop, but very small length (always < #roles), so it's not exactly O(n^2), much like XO(n)
-		for _, role := range s.roleBindingMap[t.Action(in.Action)] {
-			if role == rbs[i].Role {
-				return &iam.CanOut{Status: true}, nil
-			}
-		}
-	}
+	// if hasAccountMemberRole && len(rbs) > 0 {
+	// 	return &iam.CanOut{Status: true}, nil
+	// }
+	//
+	// for i := range rbs {
+	// 	// 2nd loop, but very small length (always < #roles), so it's not exactly O(n^2), much like XO(n)
+	// 	for _, role := range s.roleBindingMap[t.Action(in.Action)] {
+	// 		if role == rbs[i].Role {
+	// 			return &iam.CanOut{Status: true}, nil
+	// 		}
+	// 	}
+	// }
 
 	return &iam.CanOut{Status: false}, nil
 }
@@ -236,6 +295,10 @@ func (s *GrpcService) RemoveMembership(ctx context.Context, in *iam.RemoveMember
 
 	rb, err := s.findRoleBinding(ctx, repos.ID(in.UserId), in.ResourceRef)
 	if err != nil {
+		if errors.Is(err, ErrRoleBindingNotFound) {
+			s.logger.WithKV("userID", in.UserId, "resourceRef", in.ResourceRef).Infof("role binding might already have been deleted")
+			return &iam.RemoveMembershipOut{Result: true}, nil
+		}
 		return nil, errors.NewE(err)
 	}
 

apps/iam/internal/app/main.go

@@ -2,10 +2,11 @@ package app
 
 import (
 	"encoding/json"
+	"os"
+
 	"github.com/kloudlite/api/apps/iam/internal/entities"
 	"github.com/kloudlite/api/pkg/errors"
 	"github.com/kloudlite/api/pkg/logging"
-	"os"
 
 	"github.com/kloudlite/api/apps/iam/internal/env"
 	"github.com/kloudlite/api/grpc-interfaces/kloudlite.io/rpc/iam"

apps/iam/internal/env/env.go

@@ -11,6 +11,8 @@ type Env struct {
 	MongoDbName string `env:"MONGO_DB_NAME" required:"true"`
 
 	ActionRoleMapFile string `env:"ACTION_ROLE_MAP_FILE" required:"false"`
+
+	ShowGRPCLogs bool `env:"SHOW_GRPC_LOGS" default:"false"`
 }
 
 func LoadEnv() (*Env, error) {