1. Top
  2. yamori
  3. Files
  4. packages
  5. backend
  6. services
  7. workspace
  8. create_user.go
yamori

有給休暇計算を主目的とした簡易勤怠管理システム

  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
  26. 26
  27. 27
  28. 28
  29. 29
  30. 30
  31. 31
  32. 32
  33. 33
  34. 34
  35. 35
  36. 36
  37. 37
  38. 38
  39. 39
  40. 40
  41. 41
  42. 42
  43. 43
  44. 44
  45. 45
  46. 46
  47. 47
  48. 48
  49. 49
  50. 50
  51. 51
  52. 52
  53. 53
  54. 54
  55. 55
  56. 56
  57. 57
  58. 58
  59. 59
  60. 60
  61. 61
  62. 62
  63. 63
  64. 64
  65. 65
  66. 66
  67. 67
  68. 68
  69. 69
  70. 70
  71. 71
  72. 72
  73. 73
  74. 74
  75. 75
  76. 76
  77. 77
  78. 78
  79. 79
  80. 80
  81. 81
  82. 82
  83. 83
  84. 84
  85. 85
  86. 86
  87. 87
  88. 88
  89. 89
  90. 90
  91. 91
  92. 92
  93. 93
  94. 94
  95. 95
  96. 96
  97. 97
  98. 98
  99. 99
  100. 100
  101. 101
  102. 102
  103. 103
  104. 104
  105. 105
  106. 106
  107. 107
  108. 108
  109. 109
  110. 110
  111. 111
  112. 112
  113. 113
  114. 114
  115. 115
  116. 116
  117. 117
  118. 118
  119. 119
  120. 120
  121. 121
  122. 122
  123. 123
  124. 124
  125. 125
  126. 126
  127. 127
  128. 128
  129. 129
  130. 130
  131. 131
  132. 132
  133. 133
  134. 134
  135. 135
  136. 136
  137. 137
  138. 138
  139. 139
  140. 140
  141. 141
  142. 142
  143. 143
  144. 144
  145. 145
  146. 146
  147. 147
  148. 148
  149. 149
  150. 150
  151. 151
  152. 152
  153. 153
  154. 154
  155. 155
  156. 156
  157. 157
  158. 158
  159. 159
  160. 160
  161. 161
  162. 162
  163. 163
  164. 164
  165. 165
  166. 166
  167. 167
  168. 168
  169. 169
  170. 170
  171. 171
  172. 172
  173. 173
  174. 174
  175. 175
  176. 176
  177. 177
  178. 178
  179. 179
  180. 180
  181. 181
  182. 182
  183. 183
  184. 184
  185. 185
  186. 186
  187. 187
  188. 188
  189. 189
  190. 190
  191. 191
  192. 192
  193. 193
  194. 194
  195. 195
  196. 196
  197. 197
  198. 198
  199. 199
  200. 200
  201. 201
  202. 202
  203. 203
  204. 204
  205. 205
  206. 206
  207. 207
  208. 208
  209. 209
  210. 210
  211. 211
  212. 212
  213. 213
  214. 214
  215. 215
  216. 216
  217. 217
  218. 218
  219. 219
  220. 220
  221. 221
  222. 222
  223. 223
  224. 224
  225. 225
  226. 226
  227. 227
  228. 228
  229. 229
  230. 230
  231. 231
  232. 232
  233. 233
  234. 234
  235. 235
  236. 236
  237. 237
  238. 238
  239. 239
  240. 240
  241. 241
  242. 242
  243. 243
  244. 244
  245. 245
  246. 246
  247. 247
  248. 248
  249. 249
  250. 250
  251. 251
  252. 252
  253. 253
  254. 254
  255. 255
  256. 256
  257. 257
  258. 258
  259. 259
  260. 260
  261. 261
  262. 262
  263. 263
  264. 264
  265. 265
  266. 266
  267. 267
  268. 268
  269. 269
  270. 270
  271. 271
  272. 272
  273. 273
  274. 274
  275. 275
  276. 276
  277. 277
  278. 278
  279. 279
  280. 280
  281. 281
  282. 282
  283. 283
  284. 284
  285. 285
  286. 286
  287. 287
  288. 288
  289. 289
  290. 290
  291. 291
  292. 292
  293. 293
  294. 294
  295. 295
  296. 296
  297. 297 
// SPDX-FileCopyrightText: 2025 Shota FUJI <pockawoooh@gmail.com>
// SPDX-License-Identifier: AGPL-3.0-only

package workspace

import (
	"context"
	"crypto/rand"
	"slices"
	"strings"

	"connectrpc.com/connect"
	"github.com/google/uuid"
	"google.golang.org/protobuf/proto"

	eventV1 "pocka.jp/x/yamori/proto/go/backend/events/v1"
	"pocka.jp/x/yamori/proto/go/backend/workspace/v1/types"
	errorV1 "pocka.jp/x/yamori/proto/go/error/v1"
	workspaceV2 "pocka.jp/x/yamori/proto/go/workspace/v2"

	"pocka.jp/x/yamori/backend/core/event"
	"pocka.jp/x/yamori/backend/core/projection"
	workspaceEvent "pocka.jp/x/yamori/backend/events/workspace"
)

func createUserSystemError(message string) *connect.Response[workspaceV2.CreateUserResponse] {
	return connect.NewResponse(&workspaceV2.CreateUserResponse{
		Result: &workspaceV2.CreateUserResponse_SystemError{
			SystemError: &errorV1.SystemError{
				Message: proto.String(message),
			},
		},
	})
}

func createUserAuthError() *connect.Response[workspaceV2.CreateUserResponse] {
	return connect.NewResponse(&workspaceV2.CreateUserResponse{
		Result: &workspaceV2.CreateUserResponse_AuthenticationError{
			AuthenticationError: &errorV1.AuthenticationError{},
		},
	})
}

func createUserPermError() *connect.Response[workspaceV2.CreateUserResponse] {
	return connect.NewResponse(&workspaceV2.CreateUserResponse{
		Result: &workspaceV2.CreateUserResponse_PermissionError{
			PermissionError: &errorV1.PermissionError{},
		},
	})
}

func (s *Service) CreateUser(
	ctx context.Context,
	req *connect.Request[workspaceV2.CreateUserRequest],
) (*connect.Response[workspaceV2.CreateUserResponse], error) {
	logger := s.core.Logger.With(
		"service", "yamori.workspace.v2.WorkspaceService",
		"method", "CreateUser",
	)

	header := req.Header()
	token, err := s.core.LoadTokenFromCookie(&header)
	if err != nil || token == nil {
		return createUserAuthError(), nil
	}

	tx, err := s.core.DB.Begin()
	if err != nil {
		logger.Error("Failed to begin transaction", "error", err)
		return createUserSystemError("Database error"), nil
	}
	defer tx.Rollback()

	users, err := projection.GetUsers(tx)
	if err != nil {
		logger.Error("Failed to read users projection", "error", err)
		return createUserSystemError("Database error"), nil
	}

	secret, err := projection.GetLoginJwtSecret(tx)
	if err != nil {
		logger.Error("Failed to read login_jwt_secret projection", "error", err)
		return createUserSystemError("Database error"), nil
	}

	if err := event.UpdateProjections(tx, users, secret); err != nil {
		logger.Error("Failed to update projections", "error", err)
		return createUserSystemError("Database error"), nil
	}

	user, err := token.FindUser(secret, users)
	if err != nil {
		logger.Warn("Malformed token found", "error", err)

		return connect.NewResponse(&workspaceV2.CreateUserResponse{
			Result: &workspaceV2.CreateUserResponse_AuthenticationError{
				AuthenticationError: &errorV1.AuthenticationError{},
			},
		}), nil
	}

	name := req.Msg.GetName()
	if name == "" {
		return connect.NewResponse(&workspaceV2.CreateUserResponse{
			Result: &workspaceV2.CreateUserResponse_MissingFieldError{
				MissingFieldError: &errorV1.MissingFieldError{
					Path: proto.String("name"),
				},
			},
		}), nil
	}

	if strings.Trim(name, " \r\n\t") != name {
		return connect.NewResponse(&workspaceV2.CreateUserResponse{
			Result: &workspaceV2.CreateUserResponse_NameSurroundedBySpaces{
				NameSurroundedBySpaces: "Name cannot contain space, CR, LF, Tab",
			},
		}), nil
	}

	displayName := strings.Trim(req.Msg.GetDisplayName(), " \r\n\t")
	if displayName == "" {
		displayName = name
	}

	password := req.Msg.GetPassword()
	if password == "" {
		return connect.NewResponse(&workspaceV2.CreateUserResponse{
			Result: &workspaceV2.CreateUserResponse_MissingFieldError{
				MissingFieldError: &errorV1.MissingFieldError{
					Path: proto.String("password"),
				},
			},
		}), nil
	}

	if len(password) <= 8 {
		return connect.NewResponse(&workspaceV2.CreateUserResponse{
			Result: &workspaceV2.CreateUserResponse_PasswordLessThanBytes{
				PasswordLessThanBytes: 8,
			},
		}), nil
	}

	requiredPerm := types.Permission_PERMISSION_ADD_REGULAR_USER
	if req.Msg.GetIsAdmin() {
		requiredPerm = types.Permission_PERMISSION_ADD_ADMIN_USER
	}

	if !slices.Contains(user.Permissions, requiredPerm) {
		return createUserPermError(), nil
	}

	for _, u := range users.Projection.Users {
		if u.GetName() == name {
			return connect.NewResponse(&workspaceV2.CreateUserResponse{
				Result: &workspaceV2.CreateUserResponse_DuplicatedName{
					DuplicatedName: name,
				},
			}), nil
		}
	}

	id, err := uuid.NewRandom()
	if err != nil {
		logger.Error("Failed to generate UUID", "error", err)
		return createUserSystemError("Unable to issue a new ID"), nil
	}

	keyID := make([]byte, 32)
	rand.Read(keyID)

	err = event.AppendEvents(tx, []*eventV1.Event{
		workspaceEvent.CreateUser(id.String(), name, displayName, keyID),
		workspaceEvent.ConfigurePasswordLogin(id.String(), password),
	})
	if err != nil {
		logger.Error("Failed to append user creation events", "error", err)
		return createUserSystemError("Database error"), nil
	}

	if req.Msg.GetIsAdmin() {
		err := event.AppendEvents(tx, []*eventV1.Event{
			workspaceEvent.GrantAdminAccess(id.String()),
		})
		if err != nil {
			logger.Error("Failed to append adming grant events", "error", err)
			return createUserSystemError("Database error"), nil
		}
	} else {
		permissions := make([]types.Permission, 0, 32)

		if req.Msg.Permissions != nil {
			if req.Msg.Permissions.GetCanAddUser() {
				// ユーザ追加権限はここに来ている時点で持っているためチェックは不要。
				permissions = append(permissions, types.Permission_PERMISSION_ADD_REGULAR_USER)
			}

			if req.Msg.Permissions.GetCanDeleteRegularUser() {
				if !slices.Contains(user.Permissions, types.Permission_PERMISSION_DELETE_REGULAR_USER) {
					return createUserPermError(), nil
				}

				permissions = append(permissions, types.Permission_PERMISSION_DELETE_REGULAR_USER)
			}

			if req.Msg.Permissions.GetCanReadOtherUserProfile() {
				if !slices.Contains(user.Permissions, types.Permission_PERMISSION_READ_REGULAR_USER_PROFILE) {
					return createUserPermError(), nil
				}

				if !slices.Contains(user.Permissions, types.Permission_PERMISSION_READ_ADMIN_USER_PROFILE) {
					return createUserPermError(), nil
				}

				permissions = append(
					permissions,
					types.Permission_PERMISSION_READ_REGULAR_USER_PROFILE,
					types.Permission_PERMISSION_READ_ADMIN_USER_PROFILE,
				)
			}

			if req.Msg.Permissions.GetCanUpdateOtherRegularUserProfile() {
				if !slices.Contains(user.Permissions, types.Permission_PERMISSION_UPDATE_REGULAR_USER_PROFILE) {
					return createUserPermError(), nil
				}

				permissions = append(permissions, types.Permission_PERMISSION_UPDATE_REGULAR_USER_PROFILE)
			}

			if req.Msg.Permissions.GetCanUpdateSelfProfile() {
				if !slices.Contains(user.Permissions, types.Permission_PERMISSION_UPDATE_SELF_PROFILE) {
					return createUserPermError(), nil
				}

				permissions = append(permissions, types.Permission_PERMISSION_UPDATE_SELF_PROFILE)
			}

			if req.Msg.Permissions.GetCanUpdateOtherRegularUserLoginMethod() {
				if !slices.Contains(user.Permissions, types.Permission_PERMISSION_UPDATE_REGULAR_USER_LOGIN_METHOD) {
					return createUserPermError(), nil
				}

				permissions = append(
					permissions,
					types.Permission_PERMISSION_UPDATE_REGULAR_USER_LOGIN_METHOD,
				)
			}

			if req.Msg.Permissions.GetCanUpdateWorkspace() {
				if !slices.Contains(user.Permissions, types.Permission_PERMISSION_EDIT_WORKSPACE_PROFILE) {
					return createUserPermError(), nil
				}

				permissions = append(permissions, types.Permission_PERMISSION_EDIT_WORKSPACE_PROFILE)
			}
		}

		err := event.AppendEvents(tx, []*eventV1.Event{
			workspaceEvent.GrantPermission(id.String(), permissions),
		})
		if err != nil {
			logger.Error("Failed to append a permissions grant event", "error", err)
			return createUserSystemError("Database error"), nil
		}
	}

	if err := event.UpdateProjections(tx, users); err != nil {
		logger.Error("Failed to update users projection", "error", err)
		return createUserSystemError("Database error"), nil
	}

	if err := tx.Commit(); err != nil {
		logger.Error("Failed to commit transaction", "error", err)
		return createUserSystemError("Database error"), nil
	}

	for _, u := range users.Projection.Users {
		if u.GetId() == id.String() {
			logger.Debug("Created a new user", "id", id.String())

			return connect.NewResponse(&workspaceV2.CreateUserResponse{
				Result: &workspaceV2.CreateUserResponse_Ok{
					Ok: projectionUserToMessage(u),
				},
			}), nil
		}
	}

	logger.Error(
		"Creation of user succeeded, but the user does not exist in projection",
		"id",
		id.String(),
	)

	return createUserSystemError("Database error"), nil
}