Added delete user

trustgraph-flow/trustgraph/iam/service/iam.py

@@ -236,6 +236,8 @@ class IamService:
                 return await self.handle_disable_user(v)
             if op == "enable-user":
                 return await self.handle_enable_user(v)
+            if op == "delete-user":
+                return await self.handle_delete_user(v)
             if op == "create-workspace":
                 return await self.handle_create_workspace(v)
             if op == "list-workspaces":
@@ -730,6 +732,46 @@ class IamService:
         )
         return IamResponse()
 
+    async def handle_delete_user(self, v):
+        """Hard-delete a user.  Removes the ``iam_users`` row, the
+        ``iam_users_by_username`` lookup row, and every API key
+        belonging to the user.
+
+        Unlike disable, this frees the username for re-use and
+        removes the user's personal data from storage (intended to
+        cover GDPR erasure-style requirements).  When audit logging
+        lands, the decision to delete vs. anonymise referenced audit
+        rows will need to be revisited."""
+        if not v.workspace:
+            return _err("invalid-argument", "workspace required")
+        if not v.user_id:
+            return _err("invalid-argument", "user_id required")
+
+        user_row, err = await self._user_in_workspace(
+            v.user_id, v.workspace,
+        )
+        if err is not None:
+            return err
+
+        # user_row indices match get_user columns.  Username is [2].
+        username = user_row[2]
+
+        # Revoke all API keys.
+        key_rows = await self.table_store.list_api_keys_by_user(v.user_id)
+        for kr in key_rows:
+            await self.table_store.delete_api_key(kr[0])
+
+        # Remove username lookup.
+        if username:
+            await self.table_store.delete_username_lookup(
+                v.workspace, username,
+            )
+
+        # Remove user record.
+        await self.table_store.delete_user(v.user_id)
+
+        return IamResponse()
+
     # ------------------------------------------------------------------
     # Workspace CRUD
     # ------------------------------------------------------------------

trustgraph-flow/trustgraph/tables/iam.py

@@ -180,6 +180,9 @@ class IamTableStore:
             DELETE FROM iam_users_by_username
             WHERE workspace = ? AND username = ?
         """)
+        self.delete_user_stmt = c.prepare("""
+            DELETE FROM iam_users WHERE id = ?
+        """)
 
         self.put_api_key_stmt = c.prepare("""
             INSERT INTO iam_api_keys (
@@ -301,6 +304,17 @@ class IamTableStore:
             self.cassandra, self.list_users_by_workspace_stmt, (workspace,),
         )
 
+    async def delete_user(self, id):
+        await async_execute(
+            self.cassandra, self.delete_user_stmt, (id,),
+        )
+
+    async def delete_username_lookup(self, workspace, username):
+        await async_execute(
+            self.cassandra, self.delete_username_lookup_stmt,
+            (workspace, username),
+        )
+
     # ------------------------------------------------------------------
     # API keys
     # ------------------------------------------------------------------