From 512746391260dab84c48e7b4965719b8a8b6410b Mon Sep 17 00:00:00 2001
From: Andreas Eriksen
Date: Thu, 18 Jun 2020 14:13:22 +0200
Subject: allow users to delete trial tenants (#13625)
* move classes to open-source repo
* add PlanController to ServiceRegistry
* allow tenant administrators to delete tenants if on trial plan
---
.../hosted/controller/security/CloudAccessControl.java | 13 +++++++++++--
.../hosted/controller/integration/ServiceRegistryMock.java | 7 +++++++
2 files changed, 18 insertions(+), 2 deletions(-)
(limited to 'controller-server')
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java
index dc3dbabcc07..bd0143ef879 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java
@@ -8,6 +8,8 @@ import com.yahoo.vespa.flags.FetchVector;
 import com.yahoo.vespa.flags.FlagSource;
 import com.yahoo.vespa.flags.Flags;
 import com.yahoo.vespa.hosted.controller.Application;
+import com.yahoo.vespa.hosted.controller.api.integration.ServiceRegistry;
+import com.yahoo.vespa.hosted.controller.api.integration.billing.PlanController;
 import com.yahoo.vespa.hosted.controller.api.integration.organization.BillingInfo;
 import com.yahoo.vespa.hosted.controller.api.integration.user.Roles;
 import com.yahoo.vespa.hosted.controller.api.integration.user.UserId;
@@ -34,11 +36,13 @@ public class CloudAccessControl implements AccessControl {
 private final UserManagement userManagement;
 private final BooleanFlag enablePublicSignup;
+ private final PlanController planController;
 @Inject
- public CloudAccessControl(UserManagement userManagement, FlagSource flagSource) {
+ public CloudAccessControl(UserManagement userManagement, FlagSource flagSource, ServiceRegistry serviceRegistry) {
 this.userManagement = userManagement;
 this.enablePublicSignup = Flags.ENABLE_PUBLIC_SIGNUP_FLOW.bindTo(flagSource);
+ planController = serviceRegistry.planController();
 }
 @Override
@@ -97,12 +101,17 @@ public class CloudAccessControl implements AccessControl {
 @Override
 public void deleteTenant(TenantName tenant, Credentials credentials) {
- // TODO: allow only if 0 resources, 0 balance
+ if(!(allowedByPrivilegedRole((Auth0Credentials) credentials) || isTrial(tenant)))
+ throw new ForbiddenException("Please contact the Vespa team for assistance in deleting non-trial tenants");
 for (TenantRole role : Roles.tenantRoles(tenant))
 userManagement.deleteRole(role);
 }
+ private boolean isTrial(TenantName tenant) {
+ return planController.getPlan(tenant).id().equals("trial");
+ }
+
 @Override
 public void createApplication(TenantAndApplicationId id, Credentials credentials) {
 for (Role role : Roles.applicationRoles(id.tenant(), id.application()))
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
index 4f81e443d9c..b7e7c9814e3 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
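Review bot: The `planController` field is assigned in the `CloudAccessControl` constructor without a null check, although `deleteTenant` now bases an authorization decision on it. If `serviceRegistry.planController()` can return null, that only surfaces on the first delete request; failing at construction is easier to diagnose, e.g. `this.planController = Objects.requireNonNull(serviceRegistry.planController(), "planController");` (this needs `java.util.Objects` imported if the file does not already have it). The assignment also omits the `this.` prefix used by the two assignments above it.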
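Review bot: In `deleteTenant` in CloudAccessControl.java, the trial branch of the new guard never consults `credentials`: when `isTrial(tenant)` is true, the role deletion proceeds for whoever reached this method. The commit message limits this to tenant administrators, so that restriction is presumably enforced by a filter or policy outside this hunk; a comment such as `// administrator role on this tenant is enforced by <policy/filter name>` would make the dependency explicit, or the role check could be repeated here. `isTrial` also dereferences the plan unguarded, so a tenant without a plan yields a NullPointerException instead of the ForbiddenException; `var plan = planController.getPlan(tenant); return plan != null && "trial".equals(plan.id());` denies cleanly. The `(Auth0Credentials) credentials` cast is unchecked (`allowedByPrivilegedRole` is defined outside the hunk), and the removed TODO about zero resources and balance is not replaced by any such check for trial tenants.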
@@ -12,6 +12,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.aws.MockAwsEventFetcher
 import com.yahoo.vespa.hosted.controller.api.integration.aws.MockResourceTagger;
 import com.yahoo.vespa.hosted.controller.api.integration.aws.NoopApplicationRoleService;
 import com.yahoo.vespa.hosted.controller.api.integration.aws.ResourceTagger;
+import com.yahoo.vespa.hosted.controller.api.integration.billing.PlanController;
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMock;
 import com.yahoo.vespa.hosted.controller.api.integration.configserver.ConfigServer;
 import com.yahoo.vespa.hosted.controller.api.integration.dns.MemoryNameService;
@@ -59,6 +60,7 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg
 private final MockRunDataStore mockRunDataStore = new MockRunDataStore();
 private final MockResourceTagger mockResourceTagger = new MockResourceTagger();
 private final ApplicationRoleService applicationRoleService = new NoopApplicationRoleService();
+ private final PlanController planController = (tenantName) -> null;
 public ServiceRegistryMock(SystemName system) {
 this.zoneRegistryMock = new ZoneRegistryMock(system);
@@ -201,4 +203,9 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg
 return endpointCertificateMock;
 }
+ @Override
+ public PlanController planController() {
+ return planController;
+ }
+
 }
-- cgit v1.2.3
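Review bot: The mock `PlanController` added to `ServiceRegistryMock` returns null for every tenant (`(tenantName) -> null`), so a test that reaches `CloudAccessControl.isTrial` through this registry would hit a NullPointerException rather than exercise the new authorization rule. No test for the trial/non-trial decision appears in this commit. A mock that returns a configurable plan per tenant would allow tests for both branches: a non-privileged caller deleting a trial tenant is allowed, and one deleting a non-trial tenant gets `ForbiddenException`. The rest of the `ServiceRegistryMock` class is outside these hunks.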