[backend] feat(multitenancy): adding builtin connectors for new tenants (#3505)

openaev-api/src/main/java/io/openaev/aop/BypassRlsAspect.java

@@ -5,15 +5,25 @@
 import org.aspectj.lang.ProceedingJoinPoint;
 import org.aspectj.lang.annotation.Around;
 import org.aspectj.lang.annotation.Aspect;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
 import org.springframework.stereotype.Component;
 
 /**
  * Aspect that enables RLS bypass for methods annotated with {@link BypassRls}. Sets the bypass flag
  * on the current thread before execution and always clears it afterwards.
+ *
+ * <p>The {@link Order} is set to {@code Ordered.LOWEST_PRECEDENCE - 2} so that this aspect runs
+ * <b>before</b> {@code @Transactional} (which defaults to {@code LOWEST_PRECEDENCE}). This is
+ * critical because {@link io.openaev.config.TenantAwareDataSourceConfig} checks the bypass flag at
+ * connection-checkout time: if the flag is not yet set when the transaction opens, the connection
+ * is obtained under the restricted {@code openaev_app} role and PostgreSQL Row-Level Security is
+ * enforced, causing spurious policy violations.
  */
 @Aspect
 @Component
 @Slf4j
+@Order(Ordered.LOWEST_PRECEDENCE - 2)
 public class BypassRlsAspect {
 
   @Around("@annotation(io.openaev.aop.BypassRls)")

openaev-api/src/main/java/io/openaev/collectors/expectations_expiration_manager/ExpectationsExpirationManagerCollector.java

@@ -5,6 +5,8 @@
 import io.openaev.rest.collector.service.CollectorService;
 import jakarta.annotation.PostConstruct;
 import java.time.Duration;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import lombok.RequiredArgsConstructor;
 import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
 import org.springframework.stereotype.Service;
@@ -24,7 +26,10 @@ public void init() {
       ExpectationsExpirationManagerJob job =
           new ExpectationsExpirationManagerJob(
               this.collectorService, this.config, this.expectationsExpirationManagerService);
-      this.taskScheduler.scheduleAtFixedRate(job, Duration.ofSeconds(this.config.getInterval()));
+      this.taskScheduler.scheduleAtFixedRate(
+          job,
+          Instant.now().plus(1, ChronoUnit.MINUTES),
+          Duration.ofSeconds(this.config.getInterval()));
     }
   }
 }

openaev-api/src/main/java/io/openaev/collectors/expectations_expiration_manager/ExpectationsExpirationManagerJob.java

@@ -2,25 +2,37 @@
 
 import io.openaev.collectors.expectations_expiration_manager.config.ExpectationsExpirationManagerConfig;
 import io.openaev.collectors.expectations_expiration_manager.service.ExpectationsExpirationManagerService;
+import io.openaev.integration.BuiltinTenantRegistrable;
 import io.openaev.rest.collector.service.CollectorService;
+import io.openaev.rest.exception.ElementNotFoundException;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
 @Service
 @Slf4j
-public class ExpectationsExpirationManagerJob implements Runnable {
+public class ExpectationsExpirationManagerJob implements Runnable, BuiltinTenantRegistrable {
   private static final String FAKE_DETECTOR_COLLECTOR_TYPE = "openaev_fake_detector";
   private static final String FAKE_DETECTOR_COLLECTOR_NAME = "Expectations Expiration Manager";
   private final ExpectationsExpirationManagerService fakeDetectorService;
+  private final CollectorService collectorService;
+  private final ExpectationsExpirationManagerConfig config;
 
   @Autowired
   public ExpectationsExpirationManagerJob(
       CollectorService collectorService,
       ExpectationsExpirationManagerConfig config,
       ExpectationsExpirationManagerService fakeDetectorService) {
+    this.collectorService = collectorService;
+    this.config = config;
     this.fakeDetectorService = fakeDetectorService;
+  }
+
+  @Override
+  public void registerForTenant() throws Exception {
     try {
+      collectorService.collector(config.getId());
+    } catch (ElementNotFoundException e) {
       collectorService.register(
           config.getId(),
           FAKE_DETECTOR_COLLECTOR_TYPE,
@@ -29,8 +41,6 @@ public ExpectationsExpirationManagerJob(
           0,
           null,
           getClass().getResourceAsStream("/img/icon-fake-detector.png"));
-    } catch (Exception e) {
-      log.error("Error creating expectations expiration manager ", e);
     }
   }
 

openaev-api/src/main/java/io/openaev/collectors/expectations_vulnerability_manager/ExpectationsVulnerabilityManagerCollector.java

@@ -1,15 +1,16 @@
 package io.openaev.collectors.expectations_vulnerability_manager;
 
+import io.openaev.integration.BuiltinTenantRegistrable;
 import io.openaev.rest.collector.service.CollectorService;
-import jakarta.annotation.PostConstruct;
+import io.openaev.rest.exception.ElementNotFoundException;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 
 @RequiredArgsConstructor
 @Service
 @Slf4j
-public class ExpectationsVulnerabilityManagerCollector {
+public class ExpectationsVulnerabilityManagerCollector implements BuiltinTenantRegistrable {
 
   private final CollectorService collectorService;
   public static final String EXPECTATIONS_VULNERABILITY_COLLECTOR_ID =
@@ -19,9 +20,11 @@ public class ExpectationsVulnerabilityManagerCollector {
   public static final String EXPECTATIONS_VULNERABILITY_COLLECTOR_NAME =
       "Expectations Vulnerability Manager";
 
-  @PostConstruct
-  public void init() {
+  @Override
+  public void registerForTenant() throws Exception {
     try {
+      collectorService.collector(EXPECTATIONS_VULNERABILITY_COLLECTOR_ID);
+    } catch (ElementNotFoundException e) {
       collectorService.register(
           EXPECTATIONS_VULNERABILITY_COLLECTOR_ID,
           EXPECTATIONS_VULNERABILITY_COLLECTOR_TYPE,
@@ -30,8 +33,6 @@ public void init() {
           0,
           null,
           getClass().getResourceAsStream("/img/icon-expectations-vulnerability-manager.png"));
-    } catch (Exception e) {
-      log.error("Error creating expectations vulnerability manager ", e);
     }
   }
 }

openaev-api/src/main/java/io/openaev/executors/ExecutorService.java

@@ -69,7 +69,9 @@ protected List<Executor> getAllConnectors() {
 
   @Override
   protected Executor getConnectorById(String executorId) {
-    return executorRepository.findById(executorId).orElse(null);
+    return executorRepository
+        .findByIdAndTenantId(executorId, TenantContext.getCurrentTenant())
+        .orElse(null);
   }
 
   @Override
@@ -105,7 +107,7 @@ public Iterable<ExecutorOutput> executorsOutput(boolean isIncludeNext) {
    */
   public Executor executor(String id) throws ElementNotFoundException {
     return executorRepository
-        .findById(id)
+        .findByIdAndTenantId(id, TenantContext.getCurrentTenant())
         .orElseThrow(() -> new ElementNotFoundException("Executor not found with id: " + id));
   }
 
@@ -162,10 +164,12 @@ public Executor register(
       fileService.uploadStream(EXECUTORS_IMAGES_BANNERS_BASE_PATH, type + EXT_PNG, bannerData);
     }
 
-    Executor executor = executorRepository.findById(id).orElse(null);
+    Executor executor =
+        executorRepository.findByIdAndTenantId(id, TenantContext.getCurrentTenant()).orElse(null);
     if (executor == null) {
       executor = new Executor();
       executor.setId(id);
+      executor.setTenant(new Tenant(TenantContext.getCurrentTenant()));
     }
 
     executor.setName(name);
@@ -179,7 +183,9 @@ public Executor register(
 
   @Transactional
   public void remove(String id) {
-    executorRepository.findById(id).ifPresent(executor -> executorRepository.deleteById(id));
+    executorRepository
+        .findByIdAndTenantId(id, TenantContext.getCurrentTenant())
+        .ifPresent(executor -> executorRepository.delete(executor));
   }
 
   /**

openaev-api/src/main/java/io/openaev/helper/InjectHelper.java

@@ -11,13 +11,15 @@
 import io.openaev.execution.ExecutionContext;
 import io.openaev.execution.ExecutionContextService;
 import jakarta.annotation.Resource;
+import jakarta.persistence.EntityManager;
 import jakarta.validation.constraints.NotNull;
 import java.time.Instant;
 import java.util.List;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import lombok.RequiredArgsConstructor;
 import org.hibernate.Hibernate;
+import org.hibernate.Session;
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Transactional;
 import reactor.util.function.Tuple2;
@@ -41,6 +43,7 @@ public class InjectHelper {
 
   private final InjectRepository injectRepository;
   private final ExecutionContextService executionContextService;
+  private final EntityManager entityManager;
 
   /**
    * Retrieves the teams targeted by an inject.
@@ -121,6 +124,9 @@ private boolean isBeforeOrEqualsNow(Injection injection) {
    * @return list of pending injects scheduled within the threshold
    */
   public List<Inject> getAllPendingInjectsWithThresholdMinutes(int thresholdMinutes) {
+    // Disable tenant filter — called from InjectsExecutionJob which runs cross-tenant
+    entityManager.unwrap(Session.class).disableFilter("tenantFilter");
+
     return this.injectRepository.findAll(
         InjectSpecification.pendingInjectWithThresholdMinutes(thresholdMinutes));
   }
@@ -153,6 +159,9 @@ private ExecutableInject toExecutableInject(Inject inject) {
    */
   @Transactional
   public List<ExecutableInject> getInjectsToRun() {
+    // Disable tenant filter — called from InjectsExecutionJob which runs cross-tenant
+    entityManager.unwrap(Session.class).disableFilter("tenantFilter");
+
     // Get injects
     List<Inject> injects = this.injectRepository.findAll(InjectSpecification.executable());
     Stream<ExecutableInject> executableInjects =

openaev-api/src/main/java/io/openaev/integration/BuiltinIntegrationFactory.java

@@ -0,0 +1,36 @@
+package io.openaev.integration;
+
+import io.openaev.authorisation.HttpClientFactory;
+import io.openaev.service.catalog_connectors.CatalogConnectorService;
+import io.openaev.service.connector_instances.ConnectorInstanceService;
+
+/**
+ * Base class for built-in integration factories whose connectors must be registered for every
+ * tenant. Subclasses implement {@link #registerConnectorForTenant()} which contains only the
+ * DB-registration logic (the same calls that {@code innerStart()} does on the {@link Integration}
+ * side), without creating in-memory executor objects.
+ *
+ * <p>{@link ManagerFactory} discovers all {@link BuiltinTenantRegistrable} beans and calls {@link
+ * #registerForTenant()} once per new tenant after switching the tenant context.
+ */
+public abstract class BuiltinIntegrationFactory extends IntegrationFactory
+    implements BuiltinTenantRegistrable {
+
+  protected BuiltinIntegrationFactory(
+      ConnectorInstanceService connectorInstanceService,
+      CatalogConnectorService catalogConnectorService,
+      HttpClientFactory httpClientFactory) {
+    super(connectorInstanceService, catalogConnectorService, httpClientFactory);
+  }
+
+  /**
+   * Registers the built-in connector (injector / executor) in the <b>current</b> tenant context.
+   * Must be idempotent — safe to call even if the connector already exists (upsert semantics).
+   */
+  public abstract void registerConnectorForTenant() throws Exception;
+
+  @Override
+  public void registerForTenant() throws Exception {
+    registerConnectorForTenant();
+  }
+}

openaev-api/src/main/java/io/openaev/integration/BuiltinTenantRegistrable.java

@@ -0,0 +1,15 @@
+package io.openaev.integration;
+
+/**
+ * Marker interface for any built-in component (injector, executor, collector) that must be
+ * registered once per tenant. Implementations are auto-discovered by {@link ManagerFactory} via
+ * Spring injection, so adding a new built-in component requires only implementing this interface on
+ * a {@code @Service} bean — no manual wiring in {@code ManagerFactory}.
+ *
+ * <p>Must be idempotent — safe to call even if the component already exists (upsert semantics).
+ */
+public interface BuiltinTenantRegistrable {
+
+  /** Registers this built-in component in the <b>current</b> tenant context. */
+  void registerForTenant() throws Exception;
+}

openaev-api/src/main/java/io/openaev/integration/ManagerFactory.java

@@ -1,17 +1,29 @@
 package io.openaev.integration;
 
 import static io.openaev.aop.lock.LockResourceType.MANAGER_FACTORY;
+import static io.openaev.helper.StreamHelper.fromIterable;
 
 import io.openaev.aop.lock.Lock;
+import io.openaev.database.audit.TenantAssertionControl;
+import io.openaev.database.model.Tenant;
+import io.openaev.database.repository.TenantRepository;
+import io.openaev.datapack.DataPackProcessor;
+import io.openaev.multitenancy.DependenciesManager;
+import io.openaev.multitenancy.DependenciesManagerException;
+import io.openaev.rest.injector_contract.InjectorContractService;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
+@Slf4j
 @Service
 @RequiredArgsConstructor
-public class ManagerFactory {
+public class ManagerFactory implements DependenciesManager {
   private final List<IntegrationFactory> factories;
+  private final TenantRepository tenantRepository;
+  private final TenantRegistrationExecutor tenantRegistrationExecutor;
 
   private volatile Manager manager = null;
 
@@ -20,6 +32,7 @@ public class ManagerFactory {
   public Manager getManager() {
     if (manager == null) {
       try {
+        registerBuiltinsForAllTenants();
         this.manager = new Manager(factories);
         this.manager.monitorIntegrations();
       } catch (Exception e) {
@@ -28,4 +41,48 @@ public Manager getManager() {
     }
     return this.manager;
   }
+
+  /**
+   * Ensures built-in connectors are registered for every existing tenant. Each tenant registration
+   * runs in its own transaction and persistence context (via {@link TenantRegistrationExecutor}) to
+   * avoid JPA entity identity collisions when connector IDs are reused across tenants.
+   */
+  private void registerBuiltinsForAllTenants() {
+    List<Tenant> tenants = fromIterable(tenantRepository.findAll());
+    TenantAssertionControl.suppress();
+    try {
+      for (Tenant tenant : tenants) {
+        try {
+          // Use isolated transaction per tenant to avoid JPA L1 cache identity collisions
+          // (connector IDs are reused across tenants).
+          tenantRegistrationExecutor.registerForTenantIsolated(tenant);
+        } catch (DependenciesManagerException e) {
+          log.error(
+              "Failed to register built-in connectors for tenant '{}': {}",
+              tenant.getName(),
+              e.getMessage(),
+              e);
+        }
+      }
+    } finally {
+      TenantAssertionControl.restore();
+    }
+  }
+
+  // -- TENANT DEPENDENCIES --
+
+  @Override
+  public void createDependencyForTenant(Tenant tenant) throws DependenciesManagerException {
+    tenantRegistrationExecutor.registerForTenant(tenant);
+  }
+
+  @Override
+  public void deleteDependencyForTenant(String tenantId) {
+    // Built-in connectors are tenant-scoped and deleted by CASCADE.
+  }
+
+  @Override
+  public List<Class<? extends DependenciesManager>> getPrerequisite() {
+    return List.of(InjectorContractService.class, DataPackProcessor.class);
+  }
 }