[SM-755] Add EF Secrets Manager cleanup on deletes (#3228)

* Add Delete Cascade for EF AccessPolicy table * Add AP removal on EF user deletion * Remove SM entities on EF org delete
bitwarden · Sep 21, 2023 · 46faeca · 46faeca
1 parent 90d600d
commit 46faeca
Show file tree

Hide file tree

Showing 13 changed files with 7,008 additions and 33 deletions.
diff --git a/src/Infrastructure.EntityFramework/Repositories/OrganizationRepository.cs b/src/Infrastructure.EntityFramework/Repositories/OrganizationRepository.cs
@@ -144,27 +144,42 @@ public override async Task DeleteAsync(Core.Entities.Organization organization)
             var dbContext = GetDatabaseContext(scope);
             await dbContext.UserBumpAccountRevisionDateByOrganizationIdAsync(organization.Id);
             var deleteCiphersTransaction = await dbContext.Database.BeginTransactionAsync();
-            dbContext.Ciphers.RemoveRange(
-                dbContext.Ciphers.Where(c => c.UserId == null && c.OrganizationId == organization.Id));
+            await dbContext.Ciphers.Where(c => c.UserId == null && c.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
             await deleteCiphersTransaction.CommitAsync();
+
             var organizationDeleteTransaction = await dbContext.Database.BeginTransactionAsync();
-            dbContext.SsoUsers.RemoveRange(dbContext.SsoUsers.Where(su => su.OrganizationId == organization.Id));
-            dbContext.SsoConfigs.RemoveRange(dbContext.SsoConfigs.Where(sc => sc.OrganizationId == organization.Id));
-            var collectionUsers = from cu in dbContext.CollectionUsers
-                                  join ou in dbContext.OrganizationUsers on cu.OrganizationUserId equals ou.Id
-                                  where ou.OrganizationId == organization.Id
-                                  select cu;
-            dbContext.CollectionUsers.RemoveRange(collectionUsers);
-            dbContext.OrganizationUsers.RemoveRange(
-                dbContext.OrganizationUsers.Where(ou => ou.OrganizationId == organization.Id));
-            dbContext.ProviderOrganizations.RemoveRange(
-                dbContext.ProviderOrganizations.Where(po => po.OrganizationId == organization.Id));
+            await dbContext.SsoUsers.Where(su => su.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
+            await dbContext.SsoConfigs.Where(sc => sc.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
+            await dbContext.CollectionUsers.Where(cu => cu.OrganizationUser.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
+            await dbContext.UserProjectAccessPolicy.Where(ap => ap.OrganizationUser.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
+            await dbContext.UserServiceAccountAccessPolicy.Where(ap => ap.OrganizationUser.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
+            await dbContext.OrganizationUsers.Where(ou => ou.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
+            await dbContext.ProviderOrganizations.Where(po => po.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
+
+            await dbContext.GroupServiceAccountAccessPolicy.Where(ap => ap.GrantedServiceAccount.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
+            await dbContext.Project.Where(p => p.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
+            await dbContext.Secret.Where(s => s.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
+            await dbContext.ApiKeys.Where(ak => ak.ServiceAccount.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
+            await dbContext.ServiceAccount.Where(sa => sa.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
 
             // The below section are 3 SPROCS in SQL Server but are only called by here
-            dbContext.OrganizationApiKeys.RemoveRange(
-                dbContext.OrganizationApiKeys.Where(oa => oa.OrganizationId == organization.Id));
-            dbContext.OrganizationConnections.RemoveRange(
-                dbContext.OrganizationConnections.Where(oc => oc.OrganizationId == organization.Id));
+            await dbContext.OrganizationApiKeys.Where(oa => oa.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
+            await dbContext.OrganizationConnections.Where(oc => oc.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
             var sponsoringOrgs = await dbContext.OrganizationSponsorships
                 .Where(os => os.SponsoringOrganizationId == organization.Id)
                 .ToListAsync();

diff --git a/src/Infrastructure.EntityFramework/Repositories/OrganizationUserRepository.cs b/src/Infrastructure.EntityFramework/Repositories/OrganizationUserRepository.cs
@@ -93,6 +93,11 @@ public async Task DeleteAsync(Guid organizationUserId)
                 .Where(gu => gu.OrganizationUserId == organizationUserId);
             dbContext.GroupUsers.RemoveRange(groupUsers);
 
+            dbContext.UserProjectAccessPolicy.RemoveRange(
+                dbContext.UserProjectAccessPolicy.Where(ap => ap.OrganizationUserId == organizationUserId));
+            dbContext.UserServiceAccountAccessPolicy.RemoveRange(
+                dbContext.UserServiceAccountAccessPolicy.Where(ap => ap.OrganizationUserId == organizationUserId));
+
             var orgSponsorships = await dbContext.OrganizationSponsorships
                 .Where(os => os.SponsoringOrganizationUserId == organizationUserId)
                 .ToListAsync();
@@ -325,7 +330,7 @@ public async Task<ICollection<OrganizationUserUserDetails>> GetManyDetailsByOrga
             var userIds = users.Select(u => u.Id);
             var userIdEntities = dbContext.OrganizationUsers.Where(x => userIds.Contains(x.Id));
 
-            // Query groups/collections separately to avoid cartesian explosion 
+            // Query groups/collections separately to avoid cartesian explosion
             if (includeGroups)
             {
                 groups = (await (from gu in dbContext.GroupUsers

diff --git a/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs b/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs
@@ -167,6 +167,10 @@ join ou in dbContext.OrganizationUsers on gu.OrganizationUserId equals ou.Id
                              where ou.UserId == user.Id
                              select gu;
             dbContext.GroupUsers.RemoveRange(groupUsers);
+            dbContext.UserProjectAccessPolicy.RemoveRange(
+                dbContext.UserProjectAccessPolicy.Where(ap => ap.OrganizationUser.UserId == user.Id));
+            dbContext.UserServiceAccountAccessPolicy.RemoveRange(
+                dbContext.UserServiceAccountAccessPolicy.Where(ap => ap.OrganizationUser.UserId == user.Id));
             dbContext.OrganizationUsers.RemoveRange(dbContext.OrganizationUsers.Where(ou => ou.UserId == user.Id));
             dbContext.ProviderUsers.RemoveRange(dbContext.ProviderUsers.Where(pu => pu.UserId == user.Id));
             dbContext.SsoUsers.RemoveRange(dbContext.SsoUsers.Where(su => su.UserId == user.Id));

diff --git a/...ture.EntityFramework/SecretsManager/Configurations/AccessPolicyEntityTypeConfiguration.cs b/...ture.EntityFramework/SecretsManager/Configurations/AccessPolicyEntityTypeConfiguration.cs
@@ -39,6 +39,12 @@ public void Configure(EntityTypeBuilder<UserProjectAccessPolicy> builder)
         builder
             .Property(e => e.GrantedProjectId)
             .HasColumnName(nameof(UserProjectAccessPolicy.GrantedProjectId));
+
+        builder
+            .HasOne(e => e.GrantedProject)
+            .WithMany(e => e.UserAccessPolicies)
+            .HasForeignKey(nameof(UserProjectAccessPolicy.GrantedProjectId))
+            .OnDelete(DeleteBehavior.Cascade);
     }
 }
 
@@ -67,6 +73,18 @@ public void Configure(EntityTypeBuilder<GroupProjectAccessPolicy> builder)
         builder
             .Property(e => e.GrantedProjectId)
             .HasColumnName(nameof(GroupProjectAccessPolicy.GrantedProjectId));
+
+        builder
+            .HasOne(e => e.GrantedProject)
+            .WithMany(e => e.GroupAccessPolicies)
+            .HasForeignKey(nameof(GroupProjectAccessPolicy.GrantedProjectId))
+            .OnDelete(DeleteBehavior.Cascade);
+
+        builder
+            .HasOne(e => e.Group)
+            .WithMany()
+            .HasForeignKey(nameof(GroupProjectAccessPolicy.GroupId))
+            .OnDelete(DeleteBehavior.Cascade);
     }
 }
 
@@ -81,6 +99,12 @@ public void Configure(EntityTypeBuilder<GroupServiceAccountAccessPolicy> builder
         builder
             .Property(e => e.GrantedServiceAccountId)
             .HasColumnName(nameof(GroupServiceAccountAccessPolicy.GrantedServiceAccountId));
+
+        builder
+            .HasOne(e => e.Group)
+            .WithMany()
+            .HasForeignKey(nameof(GroupProjectAccessPolicy.GroupId))
+            .OnDelete(DeleteBehavior.Cascade);
     }
 }
 
@@ -95,5 +119,11 @@ public void Configure(EntityTypeBuilder<ServiceAccountProjectAccessPolicy> build
         builder
             .Property(e => e.GrantedProjectId)
             .HasColumnName(nameof(ServiceAccountProjectAccessPolicy.GrantedProjectId));
+
+        builder
+            .HasOne(e => e.GrantedProject)
+            .WithMany(e => e.ServiceAccountAccessPolicies)
+            .HasForeignKey(nameof(ServiceAccountProjectAccessPolicy.GrantedProjectId))
+            .OnDelete(DeleteBehavior.Cascade);
     }
 }