104 lines
3.1 KiB
Go
104 lines
3.1 KiB
Go
package user
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/gocql/gocql"
|
|
"go.uber.org/zap"
|
|
|
|
domainuser "codeberg.org/mapleopentech/monorepo/cloud/maplepress-backend/internal/domain/user"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplepress-backend/pkg/logger"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplepress-backend/pkg/security/ipcrypt"
|
|
)
|
|
|
|
// CreateUserEntityUseCase creates and validates a user domain entity
|
|
type CreateUserEntityUseCase struct {
|
|
ipEncryptor *ipcrypt.IPEncryptor
|
|
logger *zap.Logger
|
|
}
|
|
|
|
// ProvideCreateUserEntityUseCase creates a new CreateUserEntityUseCase
|
|
func ProvideCreateUserEntityUseCase(ipEncryptor *ipcrypt.IPEncryptor, logger *zap.Logger) *CreateUserEntityUseCase {
|
|
return &CreateUserEntityUseCase{
|
|
ipEncryptor: ipEncryptor,
|
|
logger: logger.Named("create-user-entity-usecase"),
|
|
}
|
|
}
|
|
|
|
// Execute creates a new user domain entity with validation
|
|
func (uc *CreateUserEntityUseCase) Execute(tenantID string, input *CreateUserInput) (*domainuser.User, error) {
|
|
// Set default role if not provided
|
|
role := int(input.Role)
|
|
if role == 0 {
|
|
role = 1 // Default role
|
|
}
|
|
|
|
now := time.Now()
|
|
|
|
// CWE-359: Encrypt IP address for GDPR compliance
|
|
encryptedIP := ""
|
|
if input.CreatedFromIPAddress != "" {
|
|
encrypted, err := uc.ipEncryptor.Encrypt(input.CreatedFromIPAddress)
|
|
if err != nil {
|
|
uc.logger.Error("failed to encrypt IP address",
|
|
zap.Error(err),
|
|
zap.String("ip_plain", input.CreatedFromIPAddress))
|
|
// Don't fail user creation if encryption fails, just log it
|
|
encryptedIP = ""
|
|
} else {
|
|
encryptedIP = encrypted
|
|
uc.logger.Debug("IP address encrypted for user creation")
|
|
}
|
|
}
|
|
|
|
// Create domain entity
|
|
user := &domainuser.User{
|
|
ID: gocql.TimeUUID().String(),
|
|
TenantID: tenantID,
|
|
Email: input.Email,
|
|
FirstName: input.FirstName,
|
|
LastName: input.LastName,
|
|
Name: input.FirstName + " " + input.LastName, // Computed from FirstName + LastName
|
|
Role: role,
|
|
Status: 1, // Default active status
|
|
|
|
ProfileData: &domainuser.UserProfileData{
|
|
AgreeTermsOfService: true, // Default to true for entity creation
|
|
},
|
|
|
|
SecurityData: &domainuser.UserSecurityData{
|
|
PasswordHash: input.PasswordHash,
|
|
PasswordHashAlgorithm: "argon2id",
|
|
WasEmailVerified: false,
|
|
},
|
|
|
|
Metadata: &domainuser.UserMetadata{
|
|
CreatedFromIPAddress: encryptedIP, // CWE-359: Encrypted IP
|
|
CreatedFromIPTimestamp: now, // CWE-359: For 90-day GDPR expiration
|
|
ModifiedFromIPAddress: encryptedIP, // CWE-359: Encrypted IP
|
|
ModifiedFromIPTimestamp: now, // CWE-359: For 90-day GDPR expiration
|
|
CreatedAt: now,
|
|
ModifiedAt: now,
|
|
},
|
|
|
|
CreatedAt: now,
|
|
UpdatedAt: now,
|
|
}
|
|
|
|
// Validate domain entity
|
|
if err := user.Validate(); err != nil {
|
|
// CWE-532: Use hashed email to prevent PII in logs
|
|
uc.logger.Warn("user validation failed",
|
|
logger.EmailHash(input.Email),
|
|
zap.Error(err))
|
|
return nil, err
|
|
}
|
|
|
|
// CWE-532: Use hashed email to prevent PII in logs
|
|
uc.logger.Debug("user entity created and validated",
|
|
zap.String("user_id", user.ID),
|
|
logger.EmailHash(user.Email),
|
|
zap.Int("role", user.Role))
|
|
|
|
return user, nil
|
|
}
|