From 3c2b2170662bb0ade587618a2105267a0b7d544e Mon Sep 17 00:00:00 2001
From: Valerij Fredriksen <valerijf@yahooinc.com>
Date: Fri, 12 Aug 2022 09:45:48 +0200
Subject: Remove application role management from /user/v1 API

---
 .../controller/restapi/user/UserApiHandler.java      | 20 --------------------
 .../hosted/controller/restapi/user/UserApiTest.java  | 17 -----------------
 .../restapi/user/responses/application-roles.json    | 19 -------------------
 3 files changed, 56 deletions(-)
 delete mode 100644 controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/responses/application-roles.json

diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java
index e10defb4416..d988d8709d2 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java
@@ -111,7 +111,6 @@ public class UserApiHandler extends ThreadedHttpRequestHandler {
 
     private HttpResponse handlePOST(Path path, HttpRequest request) {
         if (path.matches("/user/v1/tenant/{tenant}")) return addTenantRoleMember(path.get("tenant"), request);
-        if (path.matches("/user/v1/tenant/{tenant}/application/{application}")) return addApplicationRoleMember(path.get("tenant"), path.get("application"), request);
 
         return ErrorResponse.notFoundError(Text.format("No '%s' handler at '%s'", request.getMethod(),
                                                          request.getUri().getPath()));
@@ -119,7 +118,6 @@ public class UserApiHandler extends ThreadedHttpRequestHandler {
 
     private HttpResponse handleDELETE(Path path, HttpRequest request) {
         if (path.matches("/user/v1/tenant/{tenant}")) return removeTenantRoleMember(path.get("tenant"), request);
-        if (path.matches("/user/v1/tenant/{tenant}/application/{application}")) return removeApplicationRoleMember(path.get("tenant"), path.get("application"), request);
 
         return ErrorResponse.notFoundError(Text.format("No '%s' handler at '%s'", request.getMethod(),
                                                          request.getUri().getPath()));
@@ -280,15 +278,6 @@ public class UserApiHandler extends ThreadedHttpRequestHandler {
         return new MessageResponse(user + " is now a member of " + roles.stream().map(Role::toString).collect(Collectors.joining(", ")));
     }
 
-    private HttpResponse addApplicationRoleMember(String tenantName, String applicationName, HttpRequest request) {
-        Inspector requestObject = bodyInspector(request);
-        String roleName = require("roleName", Inspector::asString, requestObject);
-        UserId user = new UserId(require("user", Inspector::asString, requestObject));
-        Role role = Roles.toRole(TenantName.from(tenantName), ApplicationName.from(applicationName), roleName);
-        users.addUsers(role, List.of(user));
-        return new MessageResponse(user + " is now a member of " + role);
-    }
-
     private HttpResponse removeTenantRoleMember(String tenantName, HttpRequest request) {
         Inspector requestObject = bodyInspector(request);
         if (requestObject.field("roles").valid()) {
@@ -348,15 +337,6 @@ public class UserApiHandler extends ThreadedHttpRequestHandler {
         }
     }
 
-    private HttpResponse removeApplicationRoleMember(String tenantName, String applicationName, HttpRequest request) {
-        Inspector requestObject = bodyInspector(request);
-        String roleName = require("roleName", Inspector::asString, requestObject);
-        UserId user = new UserId(require("user", Inspector::asString, requestObject));
-        Role role = Roles.toRole(TenantName.from(tenantName), ApplicationName.from(applicationName), roleName);
-        users.removeUsers(role, List.of(user));
-        return new MessageResponse(user + " is no longer a member of " + role);
-    }
-
     private boolean hasTrialCapacity() {
         if (! controller.system().isPublic()) return true;
         var existing = controller.tenants().asList().stream().map(Tenant::name).collect(Collectors.toList());
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java
index 3e9f6256134..85c9405082a 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java
@@ -99,12 +99,6 @@ public class UserApiTest extends ControllerContainerCloudTest {
                         .data("{\"user\":\"developer@tenant\",\"roleName\":\"administrator\"}"),
                 accessDenied, 403);
 
-        // POST a headless for a non-existent application fails.
-        tester.assertResponse(request("/user/v1/tenant/my-tenant/application/my-app", POST)
-                        .roles(Set.of(Role.administrator(TenantName.from("my-tenant"))))
-                        .data("{\"user\":\"headless@app\",\"roleName\":\"headless\"}"),
-                "{\"error-code\":\"BAD_REQUEST\",\"message\":\"role 'headless' of 'my-app' owned by 'my-tenant' not found\"}", 400);
-
         // POST an application is allowed for a tenant developer.
         tester.assertResponse(request("/application/v4/tenant/my-tenant/application/my-app", POST)
                         .principal("developer@tenant")
@@ -116,22 +110,11 @@ public class UserApiTest extends ControllerContainerCloudTest {
                         .roles(Set.of(Role.administrator(id.tenant()))),
                 accessDenied, 403);
 
-        // POST a tenant role is not allowed to an application.
-        tester.assertResponse(request("/user/v1/tenant/my-tenant/application/my-app", POST)
-                        .roles(Set.of(Role.hostedOperator()))
-                        .data("{\"user\":\"developer@app\",\"roleName\":\"developer\"}"),
-                "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Malformed or illegal role name 'developer'.\"}", 400);
-
         // GET tenant role information is available to readers.
         tester.assertResponse(request("/user/v1/tenant/my-tenant")
                         .roles(Set.of(Role.reader(id.tenant()))),
                 new File("tenant-roles.json"));
 
-        // GET application role information is available to tenant administrators.
-        tester.assertResponse(request("/user/v1/tenant/my-tenant/application/my-app")
-                        .roles(Set.of(Role.administrator(id.tenant()))),
-                new File("application-roles.json"));
-
         // POST a pem deploy key
         tester.assertResponse(request("/application/v4/tenant/my-tenant/application/my-app/key", POST)
                         .roles(Set.of(Role.developer(id.tenant())))
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/responses/application-roles.json b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/responses/application-roles.json
deleted file mode 100644
index 8497358fe40..00000000000
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/responses/application-roles.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
-  "tenant": "my-tenant",
-  "application": "my-app",
-  "roleNames": [ ],
-  "users": [
-    {
-      "name": "administrator@tenant",
-      "email": "administrator@tenant",
-      "verified": false,
-      "roles": { }
-    },
-    {
-      "name": "developer@tenant",
-      "email": "developer@tenant",
-      "verified": false,
-      "roles": { }
-    }
-  ]
-}
-- 
cgit v1.2.3