authorØyvind Grønnesby <oyving@verizonmedia.com>2019-10-10 15:41:23 +0200
committerØyvind Grønnesby <oyving@verizonmedia.com>2019-10-10 15:41:23 +0200
commit55c26f313e22ac42e10d9121ac5f730802999ba4 (patch)
treeb74dc4f6742685fc5f5cb5b9d40726fd3cd371f6 /controller-server
parent1f05379160fcf9bed15e34cfc5c8dbc8a9f9954c (diff)
Allow multiple roles when removing roles as well
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java35
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java4
2 files changed, 32 insertions, 7 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java
index 6c65293b06f..752409d5694 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java
@@ -207,23 +207,48 @@ public class UserApiHandler extends LoggingRequestHandler {
private HttpResponse removeTenantRoleMember(String tenantName, HttpRequest request) {
Inspector requestObject = bodyInspector(request);
+ if (requestObject.field("roles").valid()) {
+ return removeMultipleTenantRoleMembers(tenantName, requestObject);
+ }
+ return removeTenantRoleMember(tenantName, requestObject);
+ }
+
+ private HttpResponse removeTenantRoleMember(String tenantName, Inspector requestObject) {
+ TenantName tenant = TenantName.from(tenantName);
String roleName = require("roleName", Inspector::asString, requestObject);
UserId user = new UserId(require("user", Inspector::asString, requestObject));
- Role role = Roles.toRole(TenantName.from(tenantName), roleName);
+ Role role = Roles.toRole(tenant, roleName);
+ removeTenantRoleMember(tenant, user, role);
+
+ return new MessageResponse(user+" is no longer a member of "+role);
+ }
+
+ private HttpResponse removeMultipleTenantRoleMembers(String tenantName, Inspector requestObject) {
+ var tenant = TenantName.from(tenantName);
+ var user = new UserId(require("user", Inspector::asString, requestObject));
+ var roles = SlimeStream.fromArray(requestObject.field("roles"), Inspector::asString)
+ .map(roleName -> Roles.toRole(tenant, roleName))
+ .collect(Collectors.toUnmodifiableList());
+
+ roles.forEach(role -> removeTenantRoleMember(tenant, user, role));
+
+ return new MessageResponse(user + " is no longer a member of " + roles.stream().map(Role::toString).collect(Collectors.joining(", ")));
+ }
+
+ private void removeTenantRoleMember(TenantName tenantName, UserId user, Role role) {
if ( role.definition() == RoleDefinition.administrator
- && Set.of(user.value()).equals(users.listUsers(role).stream().map(User::email).collect(Collectors.toSet())))
- throw new IllegalArgumentException("Can't remove the last administrator of a tenant.");
+ && Set.of(user.value()).equals(users.listUsers(role).stream().map(User::email).collect(Collectors.toSet())))
+ throw new IllegalArgumentException("Can't remove the last administrator of a tenant.");
if (role.definition().equals(RoleDefinition.developer))
- controller.tenants().lockIfPresent(TenantName.from(tenantName), LockedTenant.Cloud.class, tenant -> {
+ controller.tenants().lockIfPresent(tenantName, LockedTenant.Cloud.class, tenant -> {
PublicKey key = tenant.get().developerKeys().inverse().get(new SimplePrincipal(user.value()));
if (key != null)
controller.tenants().store(tenant.withoutDeveloperKey(key));
});
users.removeUsers(role, List.of(user));
- return new MessageResponse(user+" is no longer a member of "+role);
}
private HttpResponse removeApplicationRoleMember(String tenantName, String applicationName, HttpRequest request) {
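Review bot: In `removeMultipleTenantRoleMembers` the loop `roles.forEach(role -> removeTenantRoleMember(tenant, user, role))` applies removals one at a time, so when a later role trips the last-administrator guard the request fails after earlier roles (and, for `developer`, the user's developer key) have already been removed. The caller then sees a rejected request while the tenant's access state has partly changed, which is hard to reconcile from the response or from an audit trail. Consider moving the last-administrator check into a new private helper and running it over the whole list before the first removal, e.g. `roles.forEach(role -> requireNotLastAdministrator(user, role));` ahead of the existing loop. It would also be worth rejecting an empty `roles` array, which as written appears to return a success message that names no role.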
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java
index 1d90ec3512c..76faee222a7 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java
@@ -181,8 +181,8 @@ public class UserApiTest extends ControllerContainerCloudTest {
// DELETE the developer role clears any developer key.
tester.assertResponse(request("/user/v1/tenant/my-tenant", DELETE)
.roles(Set.of(Role.administrator(id.tenant())))
- .data("{\"user\":\"developer@tenant\",\"roleName\":\"developer\"}"),
- "{\"message\":\"user 'developer@tenant' is no longer a member of role 'developer' of 'my-tenant'\"}");
+ .data("{\"user\":\"developer@tenant\",\"roles\":[\"developer\",\"reader\"]}"),
+ "{\"message\":\"user 'developer@tenant' is no longer a member of role 'developer' of 'my-tenant', role 'reader' of 'my-tenant'\"}");
// DELETE the last tenant owner is not allowed.
tester.assertResponse(request("/user/v1/tenant/my-tenant", DELETE)