author | Øyvind Grønnesby <oyving@verizonmedia.com> | 2019-10-10 15:41:23 +0200 |
---|---|---|
committer | Øyvind Grønnesby <oyving@verizonmedia.com> | 2019-10-10 15:41:23 +0200 |
commit | 55c26f313e22ac42e10d9121ac5f730802999ba4 (patch) | |
tree | b74dc4f6742685fc5f5cb5b9d40726fd3cd371f6 /controller-server | |
parent | 1f05379160fcf9bed15e34cfc5c8dbc8a9f9954c (diff) |
Allow multiple roles when removing roles as well
Diffstat (limited to 'controller-server')
2 files changed, 32 insertions, 7 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java
index 6c65293b06f..752409d5694 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java
@@ -207,23 +207,48 @@ public class UserApiHandler extends LoggingRequestHandler {
 private HttpResponse removeTenantRoleMember(String tenantName, HttpRequest request) {
 Inspector requestObject = bodyInspector(request);
+ if (requestObject.field("roles").valid()) {
+ return removeMultipleTenantRoleMembers(tenantName, requestObject);
+ }
+ return removeTenantRoleMember(tenantName, requestObject);
+ }
+
+ private HttpResponse removeTenantRoleMember(String tenantName, Inspector requestObject) {
+ TenantName tenant = TenantName.from(tenantName);
 String roleName = require("roleName", Inspector::asString, requestObject);
 UserId user = new UserId(require("user", Inspector::asString, requestObject));
- Role role = Roles.toRole(TenantName.from(tenantName), roleName);
+ Role role = Roles.toRole(tenant, roleName);
+ removeTenantRoleMember(tenant, user, role);
+
+ return new MessageResponse(user+" is no longer a member of "+role);
+ }
+
+ private HttpResponse removeMultipleTenantRoleMembers(String tenantName, Inspector requestObject) {
+ var tenant = TenantName.from(tenantName);
+ var user = new UserId(require("user", Inspector::asString, requestObject));
+ var roles = SlimeStream.fromArray(requestObject.field("roles"), Inspector::asString)
+ .map(roleName -> Roles.toRole(tenant, roleName))
+ .collect(Collectors.toUnmodifiableList());
+
+ roles.forEach(role -> removeTenantRoleMember(tenant, user, role));
+
+ return new MessageResponse(user + " is no longer a member of " + roles.stream().map(Role::toString).collect(Collectors.joining(", ")));
+ }
+
+ private void removeTenantRoleMember(TenantName tenantName, UserId user, Role role) {
 if ( role.definition() == RoleDefinition.administrator
- && Set.of(user.value()).equals(users.listUsers(role).stream().map(User::email).collect(Collectors.toSet())))
- throw new IllegalArgumentException("Can't remove the last administrator of a tenant.");
+ && Set.of(user.value()).equals(users.listUsers(role).stream().map(User::email).collect(Collectors.toSet())))
+ throw new IllegalArgumentException("Can't remove the last administrator of a tenant.");
 if (role.definition().equals(RoleDefinition.developer))
- controller.tenants().lockIfPresent(TenantName.from(tenantName), LockedTenant.Cloud.class, tenant -> {
+ controller.tenants().lockIfPresent(tenantName, LockedTenant.Cloud.class, tenant -> {
 PublicKey key = tenant.get().developerKeys().inverse().get(new SimplePrincipal(user.value()));
 if (key != null) controller.tenants().store(tenant.withoutDeveloperKey(key));
 });
 users.removeUsers(role, List.of(user));
- return new MessageResponse(user+" is no longer a member of "+role);
 }
 private HttpResponse removeApplicationRoleMember(String tenantName, String applicationName, HttpRequest request) {
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java
index 1d90ec3512c..76faee222a7 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java
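Review bot: In `removeMultipleTenantRoleMembers`, `roles.forEach(role -> removeTenantRoleMember(tenant, user, role))` applies the removals one role at a time, and the three-argument `removeTenantRoleMember` only throws the "last administrator" `IllegalArgumentException` when it reaches that role, so a request listing e.g. `developer` before `administrator` for the last admin strips the earlier roles (and the developer key) and then fails, leaving the tenant partially modified behind an error response. The last-administrator check should run for every requested role before any `users.removeUsers` call; extracting it into a helper and invoking that over the whole list first, with the inline check in the three-argument method replaced by a call to the same helper, keeps the single-role path unchanged. An empty `roles` array also passes the `.valid()` branch and yields `user … is no longer a member of ` with nothing removed, which is likely better rejected as a bad request, though I cannot see from this hunk how `SlimeStream.fromArray` treats a non-array value. The list-then-remove sequence is not atomic against concurrent requests either; that is pre-existing, but deserves a comment on the helper.
```java
    private HttpResponse removeMultipleTenantRoleMembers(String tenantName, Inspector requestObject) {
        // … unchanged: tenant, user and roles parsing …
        // Validate every role before mutating anything, so a rejected role cannot leave earlier removals applied.
        roles.forEach(role -> requireNotLastAdministrator(user, role));
        roles.forEach(role -> removeTenantRoleMember(tenant, user, role));
        // … unchanged: response message …
    }

    private void requireNotLastAdministrator(UserId user, Role role) {
        if (   role.definition() == RoleDefinition.administrator
            && Set.of(user.value()).equals(users.listUsers(role).stream().map(User::email).collect(Collectors.toSet())))
            throw new IllegalArgumentException("Can't remove the last administrator of a tenant.");
    }
```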
@@ -181,8 +181,8 @@ public class UserApiTest extends ControllerContainerCloudTest {
 // DELETE the developer role clears any developer key.
 tester.assertResponse(request("/user/v1/tenant/my-tenant", DELETE)
 .roles(Set.of(Role.administrator(id.tenant())))
- .data("{\"user\":\"developer@tenant\",\"roleName\":\"developer\"}"),
- "{\"message\":\"user 'developer@tenant' is no longer a member of role 'developer' of 'my-tenant'\"}");
+ .data("{\"user\":\"developer@tenant\",\"roles\":[\"developer\",\"reader\"]}"),
+ "{\"message\":\"user 'developer@tenant' is no longer a member of role 'developer' of 'my-tenant', role 'reader' of 'my-tenant'\"}");
 // DELETE the last tenant owner is not allowed.
 tester.assertResponse(request("/user/v1/tenant/my-tenant", DELETE)
|
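Review bot: Replacing the `roleName` request body with a `roles` array means the legacy single-role form is no longer exercised by this assertion, unless another test I cannot see covers it; keep the original `tester.assertResponse` and add the `roles` variant as a second call rather than swapping one for the other. No assertion covers a `roles` list that names another role before `administrator` for the tenant's last administrator, nor an empty `roles` array; both cases would pin down whether a rejected request may leave earlier roles removed.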