authorJon Marius Venstad <jvenstad@yahoo-inc.com>2019-04-09 16:11:09 +0200
committerJon Marius Venstad <jvenstad@yahoo-inc.com>2019-04-09 16:11:09 +0200
commitddd0811dca9dd176808af1d3794af90806bffd67 (patch)
tree33eac530cb567218fa69ef6a9699eea17a36eb04 /controller-server
parent8d7076665e8ad6294068ac543fdbc8185ec7a71c (diff)
Guard against deleting last tenant owner
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java21
1 files changed, 13 insertions, 8 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java
index e64ce004d6a..03ffdbb0208 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java
@@ -17,6 +17,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.user.UserId;
import com.yahoo.vespa.hosted.controller.api.integration.user.UserManagement;
import com.yahoo.vespa.hosted.controller.api.integration.user.UserRoles;
import com.yahoo.vespa.hosted.controller.api.role.Role;
+import com.yahoo.vespa.hosted.controller.api.role.RoleDefinition;
import com.yahoo.vespa.hosted.controller.api.role.Roles;
import com.yahoo.vespa.hosted.controller.restapi.ErrorResponse;
import com.yahoo.vespa.hosted.controller.restapi.MessageResponse;
@@ -150,36 +151,40 @@ public class UserApiHandler extends LoggingRequestHandler {
private HttpResponse addTenantRoleMember(String tenantName, HttpRequest request) {
Inspector requestObject = bodyInspector(request);
String roleName = require("roleName", Inspector::asString, requestObject);
- String user = require("user", Inspector::asString, requestObject);
+ UserId user = new UserId(require("user", Inspector::asString, requestObject));
Role role = roles.toRole(TenantName.from(tenantName), roleName);
- users.addUsers(role, List.of(new UserId(user)));
+ users.addUsers(role, List.of(user));
return new MessageResponse(user + " is now a member of " + role);
}
private HttpResponse addApplicationRoleMember(String tenantName, String applicationName, HttpRequest request) {
Inspector requestObject = bodyInspector(request);
String roleName = require("roleName", Inspector::asString, requestObject);
- String user = require("user", Inspector::asString, requestObject);
+ UserId user = new UserId(require("user", Inspector::asString, requestObject));
Role role = roles.toRole(TenantName.from(tenantName), ApplicationName.from(applicationName), roleName);
- users.addUsers(role, List.of(new UserId(user)));
+ users.addUsers(role, List.of(user));
return new MessageResponse(user + " is now a member of " + role);
}
private HttpResponse removeTenantRoleMember(String tenantName, HttpRequest request) {
Inspector requestObject = bodyInspector(request);
String roleName = require("roleName", Inspector::asString, requestObject);
- String user = require("user", Inspector::asString, requestObject);
+ UserId user = new UserId(require("user", Inspector::asString, requestObject));
Role role = roles.toRole(TenantName.from(tenantName), roleName);
- users.removeUsers(role, List.of(new UserId(user)));
+ if ( role.definition() == RoleDefinition.tenantOwner
+ && users.listUsers(role).equals(List.of(user)))
+ throw new IllegalArgumentException("Can't remove the last owner of a tenant.");
+
+ users.removeUsers(role, List.of(user));
return new MessageResponse(user + " is no longer a member of " + role);
}
private HttpResponse removeApplicationRoleMember(String tenantName, String applicationName, HttpRequest request) {
Inspector requestObject = bodyInspector(request);
String roleName = require("roleName", Inspector::asString, requestObject);
- String user = require("user", Inspector::asString, requestObject);
+ UserId user = new UserId(require("user", Inspector::asString, requestObject));
Role role = roles.toRole(TenantName.from(tenantName), ApplicationName.from(applicationName), roleName);
- users.removeUsers(role, List.of(new UserId(user)));
+ users.removeUsers(role, List.of(user));
return new MessageResponse(user + " is no longer a member of " + role);
}
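Review bot: The last-owner guard in removeTenantRoleMember is a check-then-act: `users.listUsers(role)` and `users.removeUsers(role, List.of(user))` are separate calls, so two concurrent requests that each remove a different one of the two remaining owners can both pass the check and leave the tenant with no owner. Nothing in the hunk shows a lock or transaction around the pair; if UserManagement does not serialise these calls itself, the check should run under the same lock as the removal, or move into the removeUsers implementation so that other callers cannot bypass it. Until then, a comment above the `if` such as `// Not atomic with removeUsers below: concurrent removals can still empty the owner list` would record the limitation. Separately, `equals(List.of(user))` only matches when listUsers returns a List holding exactly that one element, so a duplicate entry would skip the guard; this is worth confirming against the listUsers contract.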