handle unassignment of role
@@ -31,22 +31,11 @@ func (s *service) AssignUser(ctx context.Context, userID gidx.PrefixedID, resour
|
||||
var memberships []ResourceMemberships
|
||||
|
||||
for _, resourceID := range resourceIDs {
|
||||
var (
|
||||
role string
|
||||
err error
|
||||
)
|
||||
|
||||
if idType, ok := s.idPrefixMap[resourceID.Prefix()]; ok {
|
||||
switch idType {
|
||||
case TypeOrganization:
|
||||
role, err = s.metal.GetUserOrganizationRole(ctx, userID, resourceID)
|
||||
case TypeProject:
|
||||
role, err = s.metal.GetUserProjectRole(ctx, userID, resourceID)
|
||||
}
|
||||
}
|
||||
|
||||
role, err := s.getUserResourceRole(ctx, userID, resourceID)
|
||||
if err != nil {
|
||||
return err
|
||||
s.logger.Warnw("failed to determine role for user resource", "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
if role == "" {
|
||||
@@ -60,13 +49,82 @@ func (s *service) AssignUser(ctx context.Context, userID gidx.PrefixedID, resour
|
||||
})
|
||||
}
|
||||
|
||||
s.processMemberships(ctx, memberships)
|
||||
s.syncMemberships(ctx, memberships)
|
||||
|
||||
s.logger.Infow("assignment sync complete", "memberships", len(memberships))
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *service) RemoveUser(ctx context.Context, userID gidx.PrefixedID, resourceIDs ...gidx.PrefixedID) error {
|
||||
func (s *service) UnassignUser(ctx context.Context, userID gidx.PrefixedID, resourceIDs ...gidx.PrefixedID) error {
|
||||
for _, resourceID := range resourceIDs {
|
||||
rlogger := s.logger.With("user.id", userID, "resource.id", resourceID)
|
||||
|
||||
role, err := s.getUserResourceRole(ctx, userID, resourceID)
|
||||
if err != nil {
|
||||
rlogger.Warnw("failed to determine role for user resource", "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
if role == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
actions := s.roles[role]
|
||||
|
||||
rlogger = rlogger.With("role.name", role, "role.actions", actions)
|
||||
|
||||
resourceRole, err := s.perms.FindResourceRoleByActions(ctx, resourceID, actions)
|
||||
if err != nil {
|
||||
rlogger.Warnw("failed to find role by actions for resource", "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
rlogger = rlogger.With("role.id", resourceRole.ID)
|
||||
|
||||
assigned, err := s.perms.RoleHasAssignment(ctx, resourceRole.ID, userID)
|
||||
if err != nil {
|
||||
rlogger.Warnw("failed to check role assignment", "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
if !assigned {
|
||||
rlogger.Warnw("unable to unassign member which is not assigned")
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
if err = s.perms.UnassignRole(ctx, resourceRole.ID, userID); err != nil {
|
||||
rlogger.Errorw("failed to unassign member from role", "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *service) getUserResourceRole(ctx context.Context, userID, resourceID gidx.PrefixedID) (string, error) {
|
||||
var (
|
||||
role string
|
||||
err error
|
||||
)
|
||||
|
||||
if idType, ok := s.idPrefixMap[resourceID.Prefix()]; ok {
|
||||
switch idType {
|
||||
case TypeOrganization:
|
||||
role, err = s.metal.GetUserOrganizationRole(ctx, userID, resourceID)
|
||||
case TypeProject:
|
||||
role, err = s.metal.GetUserProjectRole(ctx, userID, resourceID)
|
||||
}
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return role, nil
|
||||
}
|
||||
|
||||
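Review bot: UnassignUser returns nil on every path, so a failed revocation is indistinguishable from a successful one: errors from getUserResourceRole, FindResourceRoleByActions, RoleHasAssignment and UnassignRole are only logged before `continue`, leaving the caller nothing to retry on while the user keeps the role. For a revocation path I would collect the failures and return them, e.g. `var errs []error` before the loop, `errs = append(errs, err)` next to each log call, and `return errors.Join(errs...)` at the end (this needs Go 1.20+ and the `errors` import, neither of which is visible here). The same concern applies to AssignUser, where the page appears to replace `return err` with a warning and `continue`; the +/- markers are lost in this rendering and AssignUser starts outside the hunk, so confirm against the real diff. Separately, the `role == ""` branch in UnassignUser skips without logging, and because the role is looked up from the user's current upstream membership, an unassign that arrives after that membership is already gone would presumably find no role and revoke nothing; confirm this against the caller and at least log the skip through `rlogger`.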