chore(DATAGO-115145): Session deletion on project unshare

src/solace_agent_mesh/common/services/default_resource_sharing_service.py

@@ -31,4 +31,23 @@ def delete_resource_shares(
         resource_type: ResourceType
     ) -> bool:
         """Community has no shares to delete - return True (no-op success)."""
-        return True
+        return True
+
+    def unshare_users_from_resource(
+        self,
+        session,
+        resource_id: str,
+        resource_type: ResourceType,
+        user_emails: List[str]
+    ) -> bool:
+        """Community has no shares to unshare - return True (no-op success)."""
+        return True
+
+    def get_shared_users(
+        self,
+        session,
+        resource_id: str,
+        resource_type: ResourceType
+    ) -> List[str]:
+        """Community has no sharing - return empty list."""
+        return []

src/solace_agent_mesh/gateway/http_sse/routers/tasks.py

@@ -55,6 +55,8 @@
 
 log = logging.getLogger(__name__)
 
+SESSION_NOT_FOUND_MSG = "Session not found."
+
 
 # Background Task Status Models and Endpoints
 class TaskStatusResponse(BaseModel):
@@ -385,6 +387,36 @@ async def _submit_task(
                 finally:
                     db.close()
 
+        # Security: Validate user still has project access
+        if project_id and project_service:
+            if SessionLocal is not None:
+                db = SessionLocal()
+                try:
+                    project = project_service.get_project(db, project_id, user_id)
+                    if not project:
+                        log.warning(
+                            "%sUser %s denied - project %s not found or access denied",
+                            log_prefix,
+                            user_id,
+                            project_id
+                        )
+                        raise HTTPException(
+                            status_code=status.HTTP_404_NOT_FOUND,
+                            detail=SESSION_NOT_FOUND_MSG
+                        )
+                except HTTPException:
+                    raise
+                except Exception as e:
+                    log.error(
+                        "%sFailed to validate project access: %s", log_prefix, e
+                    )
+                    raise HTTPException(
+                        status_code=status.HTTP_404_NOT_FOUND,
+                        detail=SESSION_NOT_FOUND_MSG
+                    )
+                finally:
+                    db.close()
+
         if frontend_session_id:
             session_id = frontend_session_id
             log.info(
@@ -555,6 +587,9 @@ async def _submit_task(
                 result=task_object, request_id=payload.id
             )
 
+    except HTTPException:
+        # Re-raise HTTPExceptions (including our security check) without wrapping
+        raise
     except PermissionError as pe:
         log.warning("%sPermission denied: %s", log_prefix, str(pe))
         raise HTTPException(

src/solace_agent_mesh/gateway/http_sse/services/project_service.py

@@ -693,11 +693,21 @@ def soft_delete_project(self, db, project_id: str, user_id: str) -> bool:
         if not soft_deleted:
             return False
 
-        # Cascade to sessions
         from ..repository.session_repository import SessionRepository
         session_repo = SessionRepository()
-        deleted_count = session_repo.soft_delete_by_project(db, project_id, user_id)
-        self.logger.info(f"Successfully soft deleted project {project_id} and {deleted_count} associated sessions")
+
+        owner_deleted_count = session_repo.soft_delete_by_project(db, project_id, user_id)
+
+        self._resource_sharing_service.delete_resource_shares(
+            session=db,
+            resource_id=project_id,
+            resource_type=ResourceType.PROJECT
+        )
+
+        self.logger.info(
+            f"Successfully soft deleted project {project_id} and {owner_deleted_count} owner sessions "
+            f"(shared users handled by sharing service)"
+        )
 
         return True
 

src/solace_agent_mesh/gateway/http_sse/services/session_service.py

@@ -313,12 +313,9 @@ async def move_session_to_project(
 
         # Validate project exists and user has access if project_id is provided
         if new_project_id:
-            from ..repository.models import ProjectModel
-            project = db.query(ProjectModel).filter(
-                ProjectModel.id == new_project_id,
-                ProjectModel.user_id == user_id,
-                ProjectModel.deleted_at.is_(None)
-            ).first()
+            from .project_service import ProjectService
+            project_service = ProjectService(component=self.component)
+            project = project_service.get_project(db, new_project_id, user_id)
 
             if not project:
                 raise ValueError(f"Project {new_project_id} not found or access denied")

src/solace_agent_mesh/services/resource_sharing_service.py

@@ -56,7 +56,53 @@ def delete_resource_shares(
         """
         Delete all sharing records for a resource (e.g., when resource is deleted).
 
+        IMPORTANT: Implementations MUST also cleanup any dependent data
+        (e.g., sessions created by shared users) to maintain data consistency.
+
         Returns:
             True if successful, False otherwise.
         """
+        pass
+
+    @abstractmethod
+    def unshare_users_from_resource(
+        self,
+        session,
+        resource_id: str,
+        resource_type: ResourceType,
+        user_emails: List[str]
+    ) -> bool:
+        """
+        Remove specific users' access to a resource.
+
+        IMPORTANT: Implementations MUST cleanup dependent data
+        (e.g., sessions) when removing access.
+
+        Args:
+            session: Database session
+            resource_id: The resource ID
+            resource_type: Type of resource (e.g., PROJECT)
+            user_emails: List of user emails to unshare
+
+        Returns:
+            True if successful, False otherwise.
+        """
+        pass
+
+    @abstractmethod
+    def get_shared_users(
+        self,
+        session,
+        resource_id: str,
+        resource_type: ResourceType
+    ) -> List[str]:
+        """
+        Get list of user emails with shared access to a resource.
+
+        This is used when deleting resources to ensure sessions created by
+        shared users are also cleaned up.
+
+        Returns:
+            List of user emails. Empty list for community, actual emails for enterprise.
+        """
         pass

tests/integration/apis/persistence/test_tasks_api.py

@@ -780,3 +780,155 @@ def test_task_and_session_integration(api_client: TestClient):
     assert user_message["message"] == "Integration test message"
 
     print(f"✓ Task-session integration verified for session {session_id}")
+
+
+def test_send_message_to_nonexistent_project_returns_404(api_client: TestClient):
+    """Test that sending a message with non-existent project_id returns 404"""
+    import uuid
+
+    nonexistent_project_id = str(uuid.uuid4())
+
+    task_payload = {
+        "jsonrpc": "2.0",
+        "id": str(uuid.uuid4()),
+        "method": "message/stream",
+        "params": {
+            "message": {
+                "role": "user",
+                "messageId": str(uuid.uuid4()),
+                "kind": "message",
+                "parts": [{"kind": "text", "text": "Test message"}],
+                "metadata": {
+                    "agent_name": "TestAgent",
+                    "project_id": nonexistent_project_id,
+                },
+            }
+        },
+    }
+
+    response = api_client.post("/api/v1/message:stream", json=task_payload)
+
+    # Should return 404 when project doesn't exist
+    assert response.status_code == 404
+    response_data = response.json()
+    # HTTPException returns 'detail' field directly, or wrapped in 'message' by error handler
+    error_message = response_data.get("detail") or response_data.get("message", "")
+    assert "Session not found" in error_message
+
+    print("Non-existent project returns 404 with standard message")
+
+
+def test_send_message_to_valid_project(api_client: TestClient, gateway_adapter):
+    """Test that sending a message to a valid project succeeds"""
+    import uuid
+
+    # First create a project using gateway adapter
+    project_id = str(uuid.uuid4())
+    gateway_adapter.seed_project(
+        project_id=project_id,
+        name="Test Project for Message",
+        user_id="sam_dev_user",
+        description="Project for testing message submission",
+    )
+
+    # Now send a message with that project_id
+    task_payload = {
+        "jsonrpc": "2.0",
+        "id": str(uuid.uuid4()),
+        "method": "message/stream",
+        "params": {
+            "message": {
+                "role": "user",
+                "messageId": str(uuid.uuid4()),
+                "kind": "message",
+                "parts": [{"kind": "text", "text": "Message to valid project"}],
+                "metadata": {
+                    "agent_name": "TestAgent",
+                    "project_id": project_id,
+                },
+            }
+        },
+    }
+
+    response = api_client.post("/api/v1/message:stream", json=task_payload)
+
+    # Should succeed
+    assert response.status_code == 200
+    response_data = response.json()
+    assert "result" in response_data
+    assert "id" in response_data["result"]
+
+    print(f"Message to valid project {project_id} succeeded")
+
+
+def test_send_message_without_project_id_succeeds(api_client: TestClient):
+    """Test that messages without project_id work normally (non-project sessions)"""
+    import uuid
+
+    task_payload = {
+        "jsonrpc": "2.0",
+        "id": str(uuid.uuid4()),
+        "method": "message/stream",
+        "params": {
+            "message": {
+                "role": "user",
+                "messageId": str(uuid.uuid4()),
+                "kind": "message",
+                "parts": [{"kind": "text", "text": "Non-project message"}],
+                "metadata": {
+                    "agent_name": "TestAgent",
+                    # No project_id - regular session
+                },
+            }
+        },
+    }
+
+    response = api_client.post("/api/v1/message:stream", json=task_payload)
+
+    # Should succeed without project access check
+    assert response.status_code == 200
+    response_data = response.json()
+    assert "result" in response_data
+
+    print("Message without project_id succeeded (regular session)")
+
+
+def test_send_message_project_access_check_handles_exceptions(api_client: TestClient):
+    """Test that project access validation handles database errors gracefully"""
+    import uuid
+    from unittest.mock import patch
+
+    # Create a valid project
+    project_id = str(uuid.uuid4())
+
+    task_payload = {
+        "jsonrpc": "2.0",
+        "id": str(uuid.uuid4()),
+        "method": "message/stream",
+        "params": {
+            "message": {
+                "role": "user",
+                "messageId": str(uuid.uuid4()),
+                "kind": "message",
+                "parts": [{"kind": "text", "text": "Test message"}],
+                "metadata": {
+                    "agent_name": "TestAgent",
+                    "project_id": project_id,
+                },
+            }
+        },
+    }
+
+    # Mock project_service.get_project to raise an exception
+    with patch('solace_agent_mesh.gateway.http_sse.services.project_service.ProjectService.get_project') as mock_get:
+        mock_get.side_effect = Exception("Database error")
+
+        response = api_client.post("/api/v1/message:stream", json=task_payload)
+
+        # Should return 404 due to exception in access validation
+        assert response.status_code == 404
+        response_data = response.json()
+        error_message = response_data.get("detail") or response_data.get("message", "")
+        assert "Session not found" in error_message
+
+    print("Exception in project access check handled correctly")

tests/unit/services/test_default_resource_sharing_service.py

@@ -62,3 +62,52 @@ def test_delete_resource_shares_returns_true(self):
         )
 
         assert result is True
+
+    def test_unshare_users_from_resource_returns_true(self):
+        """Test that unshare_users_from_resource returns True indicating successful operation.
+
+        When users are unshared from a resource, this method is called to remove
+        their access. In community edition, there are no shares to remove, but
+        the operation succeeds (no-op). Returning True indicates the operation
+        completed successfully without errors.
+        """
+        user_emails = ["[email protected]", "[email protected]"]
+
+        result = self.service.unshare_users_from_resource(
+            session=self.mock_session,
+            resource_id=self.resource_id,
+            resource_type=self.resource_type,
+            user_emails=user_emails,
+        )
+
+        assert result is True
+
+    def test_unshare_users_from_resource_handles_empty_list(self):
+        """Test that unshare_users_from_resource handles empty email list correctly.
+
+        Edge case: when called with an empty list of user emails, the method
+        should still succeed (no-op on empty input).
+        """
+        result = self.service.unshare_users_from_resource(
+            session=self.mock_session,
+            resource_id=self.resource_id,
+            resource_type=self.resource_type,
+            user_emails=[],
+        )
+
+        assert result is True
+
+    def test_get_shared_users_returns_empty_list(self):
+        """Test that get_shared_users returns an empty list.
+
+        This method is used to retrieve users who have shared access to a resource.
+        In community edition, no users have shared access (only ownership exists),
+        so this method always returns an empty list.
+        """
+        result = self.service.get_shared_users(
+            session=self.mock_session,
+            resource_id=self.resource_id,
+            resource_type=self.resource_type,
+        )
+
+        assert result == []