gc cron job to clean up dangling policy_bindings entries

kinjalh · kinjalh · commit c7ee50e05f89 · 2026-02-03T01:25:09.000-05:00
diff --git a/config/prod.exs b/config/prod.exs
@@ -68,6 +68,7 @@ config :console, Console.Cron.Scheduler,
     {"15 * * * *",     {Console.Deployments.Cron, :prune_vuln_reports, []}},
     {"*/15 * * * *",   {Console.Deployments.Cron, :pr_governance, []}},
     {"15 3 * * *",     {Console.Deployments.Cron, :prune_dangling_templates, []}},
+    {"20 3 * * *",     {Console.Deployments.Cron, :prune_dangling_policy_bindings, []}},
     {"30 3 * * *",     {Console.Deployments.Cron, :prune_insight_components, []}},
     {"0 4 * * *",      {Console.Deployments.Cron, :prune_helm_repositories, []}},
     {"0 5 * * *",      {Console.Deployments.Cron, :prune_agent_run_repositories, []}},
diff --git a/lib/console/deployments/cron.ex b/lib/console/deployments/cron.ex
@@ -18,6 +18,7 @@ defmodule Console.Deployments.Cron do
     AppNotification,
     Alert,
     ClusterAuditLog,
+    PolicyBinding,
     PolicyConstraint,
     VulnerabilityReport,
     ServiceTemplate,
@@ -298,6 +299,20 @@ defmodule Console.Deployments.Cron do
     |> Stream.run()
   end
 
+  def prune_dangling_policy_bindings() do
+    PolicyBinding.dangling()
+    |> PolicyBinding.ordered(asc: :id)
+    |> Repo.stream(method: :keyset)
+    |> Stream.chunk_every(100)
+    |> Stream.each(fn bindings ->
+      ids = Enum.map(bindings, & &1.id)
+      Logger.info "pruning #{length(ids)} dangling policy bindings"
+      PolicyBinding.for_ids(ids)
+      |> Repo.delete_all(timeout: 10_000)
+    end)
+    |> Stream.run()
+  end
+
   def add_ignore_crds(search) do
     Service.search(search)
     |> Repo.stream(method: :keyset)
diff --git a/lib/console/schema/policy_binding.ex b/lib/console/schema/policy_binding.ex
@@ -1,6 +1,7 @@
 defmodule Console.Schema.PolicyBinding do
   use Piazza.Ecto.Schema
   alias Console.Schema.{User, Group}
+  alias Console.Repo
 
   schema "policy_bindings" do
     field :policy_id, :binary_id
@@ -10,6 +11,66 @@ defmodule Console.Schema.PolicyBinding do
     timestamps()
   end
 
+  @doc """
+  Fetches all tables and their policy-related columns from the database schema.
+  Returns a map of table_name => [column_names] for uuid columns ending in '_policy_id' or 'bindings_id'.
+  """
+  def policy_columns do
+    query = """
+    SELECT table_name, column_name
+    FROM information_schema.columns
+    WHERE (column_name LIKE '%policy_id' OR column_name = 'bindings_id')
+      AND table_schema = 'public'
+      AND table_name != 'policy_bindings'
+      AND data_type = 'uuid'
+    ORDER BY table_name, column_name
+    """
+
+    Repo.query!(query, [], timeout: 30_000).rows
+    |> Enum.group_by(fn [table, _col] -> table end, fn [_table, col] -> col end)
+  end
+
+  @doc """
+  Returns IDs of dangling policy bindings (bindings whose policy_id is not referenced anywhere).
+  Uses database introspection to dynamically find all tables with policy references.
+  """
+  def dangling_ids do
+    table_columns = policy_columns()
+    where_clause = build_where_clause(table_columns)
+
+    sql = """
+    SELECT pb.id FROM policy_bindings pb
+    WHERE #{where_clause}
+    ORDER BY pb.id ASC
+    """
+
+    Repo.query!(sql, [], timeout: 300_000).rows
+    |> List.flatten()
+    |> Enum.map(&Ecto.UUID.load!/1)
+  end
+
+  @doc """
+  Returns an Ecto query for dangling policy bindings.
+  Note: This loads dangling IDs first, so for very large datasets consider using dangling_ids/0 directly.
+  """
+  def dangling(query \\ __MODULE__) do
+    ids = dangling_ids()
+    from(p in query, where: p.id in ^ids)
+  end
+
+  defp build_where_clause(table_columns) do
+    table_columns
+    |> Enum.map(fn {table, columns} ->
+      conditions = Enum.map_join(columns, " OR ", fn col -> "#{col} = pb.policy_id" end)
+      "NOT EXISTS(SELECT 1 FROM #{table} WHERE #{conditions})"
+    end)
+    |> Enum.join(" AND ")
+  end
+
+  def ordered(query \\ __MODULE__, order \\ [asc: :id]) do
+    from(p in query, order_by: ^order)
+  end
+
   @valid ~w(user_id group_id policy_id)a
 
   def changeset(model, attrs \\ %{}) do
diff --git a/test/console/deployments/cron_test.exs b/test/console/deployments/cron_test.exs
@@ -349,4 +349,31 @@ defmodule Console.Deployments.CronTest do
       assert refetch(keep)
     end
   end
+
+  describe "#prune_dangling_policy_bindings/0" do
+    test "it will prune dangling policy bindings" do
+      user = insert(:user)
+
+      # Create a project with write_bindings - these should be kept
+      project = insert(:project, write_bindings: [%{user_id: user.id}])
+      %{write_bindings: [kept_binding]} = Console.Repo.preload(project, [:write_bindings])
+
+      # Create orphaned policy bindings with random policy_ids that don't exist anywhere
+      orphaned = for _ <- 1..3 do
+        %Console.Schema.PolicyBinding{}
+        |> Console.Schema.PolicyBinding.changeset(%{
+          policy_id: Ecto.UUID.generate(),
+          user_id: user.id
+        })
+        |> Console.Repo.insert!()
+      end
+      :ok = Cron.prune_dangling_policy_bindings()
+
+      # Referenced binding should still exist
+      assert refetch(kept_binding)
+
+      # Orphaned bindings should be deleted
+      for binding <- orphaned, do: refute refetch(binding)
+    end
+  end
 end
