/**
* Removes a role from the given user
*
* @param loggedInUser The current user
* @param login The login for the user you would like to remove the role from
* @param role The role you would like to remove from the user
* @return Returns 1 if successful (exception otherwise)
* @throws FaultException A FaultException is thrown if the user doesn't have access to lookup the
* user corresponding to login or if the user does not exist.
* @xmlrpc.doc Remove a role from a user.
* @xmlrpc.param #param("string", "sessionKey")
* @xmlrpc.param #param_desc("string", "login", "User login name to update.")
* @xmlrpc.param #param_desc("string", "role", "Role label to remove. Can be any of:
* satellite_admin, org_admin, channel_admin, config_admin, system_group_admin,
* activation_key_admin, or monitoring_admin.")
* @xmlrpc.returntype #return_int_success()
*/
public int removeRole(User loggedInUser, String login, String role) throws FaultException {
validateRoleInputs(role, loggedInUser);
if (RoleFactory.SAT_ADMIN.getLabel().equals(role)) {
return modifySatAdminRole(loggedInUser, login, false);
}
ensureOrgAdmin(loggedInUser);
User target = XmlRpcUserHelper.getInstance().lookupTargetUser(loggedInUser, login);
/*
* Perform some error checking here... we need to make sure that this
* isn't the last org_admin in the org trying to remove org_admin
* status from himself.
*/
if (role.equals(RoleFactory.ORG_ADMIN.getLabel())
&& target.hasRole(RoleFactory.ORG_ADMIN)
&& target.getOrg().numActiveOrgAdmins() <= 1) {
throw new PermissionCheckFailureException();
}
// Retrieve the role object corresponding to the role label passed in and
// remove from user
Role r = RoleFactory.lookupByLabel(role);
target.removePermanentRole(r);
UserManager.storeUser(target);
return 1;
}
/**
* @param loggedInUser The current user
* @param login User to modify.
* @param readOnly readOnly flag to set
* @return 1 (should always succeed)
* @xmlrpc.doc Sets whether the target user should have only read-only API access or standard full
* scale access.
* @xmlrpc.param #param("string", "sessionKey")
* @xmlrpc.param #param_desc("string", "login", "User's login name.")
* @xmlrpc.param #param_desc("boolean", "readOnly", "Sets whether the target user should have only
* read-only API access or standard full scale access.")
* @xmlrpc.returntype #return_int_success()
*/
public int setReadOnly(User loggedInUser, String login, Boolean readOnly) {
// Logged in user must be an org admin.
ensureOrgAdmin(loggedInUser);
User targetUser = XmlRpcUserHelper.getInstance().lookupTargetUser(loggedInUser, login);
if (readOnly
&& targetUser.hasRole(RoleFactory.ORG_ADMIN)
&& targetUser.getOrg().numActiveOrgAdmins() < 2) {
throw new InvalidOperationException(
"error.readonly_org_admin", targetUser.getOrg().getName());
}
if (readOnly
&& targetUser.hasRole(RoleFactory.SAT_ADMIN)
&& SatManager.getActiveSatAdmins().size() < 2) {
throw new InvalidOperationException("error.readonly_sat_admin");
}
targetUser.setReadOnly(readOnly);
return 1;
}
/**
* Migrate systems from one organization to another. If executed by a Satellite administrator, the
* systems will be migrated from their current organization to the organization specified by the
* toOrgId. If executed by an organization administrator, the systems must exist in the same
* organization as that administrator and the systems will be migrated to the organization
* specified by the toOrgId. In any scenario, the origination and destination organizations must
* be defined in a trust.
*
* @param sessionKey User's session key.
* @param toOrgId destination organization ID.
* @param sids System IDs.
* @return list of systems migrated.
* @throws FaultException A FaultException is thrown if: - The user performing the request is not
* an organization administrator - The user performing the request is not a satellite
* administrator, but the from org id is different than the user's org id. - The from and to
* org id provided are the same. - One or more of the servers provides do not exist - The
* origination or destination organization does not exist - The user is not defined in the
* destination organization's trust
* @xmlrpc.doc Migrate systems from one organization to another. If executed by a Satellite
* administrator, the systems will be migrated from their current organization to the
* organization specified by the toOrgId. If executed by an organization administrator, the
* systems must exist in the same organization as that administrator and the systems will be
* migrated to the organization specified by the toOrgId. In any scenario, the origination and
* destination organizations must be defined in a trust.
* @xmlrpc.param #param("string", "sessionKey")
* @xmlrpc.param #param_desc("int", "toOrgId", "ID of the organization where the system(s) will be
* migrated to.")
* @xmlrpc.param #array_single("int", "systemId")
* @xmlrpc.returntype #array_single("int", "serverIdMigrated")
*/
public Object[] migrateSystems(String sessionKey, Integer toOrgId, List<Integer> sids)
throws FaultException {
// the user executing the request must at least be an org admin to perform
// a system migration
User admin = getOrgAdmin(sessionKey);
Org toOrg = verifyOrgExists(toOrgId);
List<Server> servers = new LinkedList<Server>();
for (Integer sid : sids) {
Long serverId = new Long(sid.longValue());
Server server = null;
try {
server = ServerFactory.lookupById(serverId);
// throw a no_such_system exception if the server was not found.
if (server == null) {
throw new NoSuchSystemException("No such system - sid[" + sid + "]");
}
} catch (LookupException e) {
throw new NoSuchSystemException("No such system - sid[" + sid + "]");
}
servers.add(server);
// As a pre-requisite to performing the actual migration, verify that each
// server that is planned for migration passes the criteria that follows.
// If any of the servers fails that criteria, none will be migrated.
// unless the user is a satellite admin, they are not permitted to migrate
// systems from an org that they do not belong to
if ((!admin.hasRole(RoleFactory.SAT_ADMIN)) && (!admin.getOrg().equals(server.getOrg()))) {
throw new PermissionCheckFailureException(server);
}
// do not allow the user to migrate systems to/from the same org. doing so
// would essentially remove entitlements, channels...etc from the systems
// being migrated.
if (toOrg.equals(server.getOrg())) {
throw new MigrationToSameOrgException(server);
}
// if the originating org is not defined within the destination org's trust
// the migration should not be permitted.
if (!toOrg.getTrustedOrgs().contains(server.getOrg())) {
throw new OrgNotInTrustException(server);
}
}
List<Long> serversMigrated = MigrationManager.migrateServers(admin, toOrg, servers);
return serversMigrated.toArray();
}
private void verifyKSAdmin(User user) {
if (!user.hasRole(RoleFactory.CONFIG_ADMIN)) {
throw new PermissionCheckFailureException(RoleFactory.CONFIG_ADMIN);
}
}
/**
* Simple test illustrating how roles work. Note that the channel_admin role is implied for an org
* admin iff the org has the channel_admin role.
*/
public void testAddRole() {
User user = UserTestUtils.findNewUser("testuser", "testorg");
user.addPermanentRole(RoleFactory.ORG_ADMIN);
assertTrue(user.hasRole(RoleFactory.CHANNEL_ADMIN));
}
