Merge pull request #437 from ImMin5/master

Add service account mgr id field at ServiceAccount

Author: ImMin5

src/spaceone/identity/error/custom.py

@@ -33,3 +33,7 @@ class ERROR_WORKSPACE_EXIST_IN_WORKSPACE_GROUP(ERROR_INVALID_ARGUMENT):
 class ERROR_USER_EXIST_IN_WORKSPACE_GROUP(ERROR_INVALID_ARGUMENT):
     _message = """User exists in Workspace Group. (user_id = {user_id}, workspace_group_id = {workspace_group_id})
                Remove the user from the workspace group before deleting the workspace group."""
+
+
+class ERROR_SERVICE_ACCOUNT_MANAGER_REGISTERED(ERROR_INVALID_ARGUMENT):
+    _message = "Not allowed to delete because of registered service account manager. (service_account_id = {service_account_id})"

src/spaceone/identity/model/service_account/database.py

@@ -18,6 +18,7 @@ class ServiceAccount(MongoModel):
     reference_id = StringField(max_length=255, default=None, null=True)
     is_managed = BooleanField(default=False)
     cost_info = DictField(default=None)
+    service_account_mgr_id = StringField(max_length=40, null=True, default=None)
     secret_schema_id = StringField(max_length=40)
     secret_id = StringField(max_length=40)
     trusted_account_id = StringField(max_length=40, null=True, default=None)
@@ -50,6 +51,7 @@ class ServiceAccount(MongoModel):
             "state",
             "provider",
             "is_managed",
+            "service_account_mgr_id",
             "trusted_account_id",
             "project_id",
             "workspace_id",

src/spaceone/identity/model/service_account/request.py

@@ -24,6 +24,7 @@ class ServiceAccountCreateRequest(BaseModel):
     secret_schema_id: Union[str, None] = None
     secret_data: Union[dict, None] = None
     tags: Union[dict, None] = None
+    service_account_mgr_id: Union[str, None] = None
     trusted_account_id: Union[str, None] = None
     project_id: str
     workspace_id: str
@@ -35,6 +36,7 @@ class ServiceAccountUpdateRequest(BaseModel):
     name: Union[str, None] = None
     data: Union[dict, None] = None
     tags: Union[dict, None] = None
+    service_account_mgr_id: Union[str, None] = None
     project_id: Union[str, None] = None
     workspace_id: str
     domain_id: str

src/spaceone/identity/model/service_account/response.py

@@ -16,6 +16,7 @@ class ServiceAccountResponse(BaseModel):
     tags: Union[dict, None] = None
     reference_id: Union[str, None] = None
     is_managed: Union[bool, None] = None
+    service_account_mgr_id: Union[str, None] = None
     secret_schema_id: Union[str, None] = None
     secret_id: Union[str, None] = None
     trusted_account_id: Union[str, None] = None

src/spaceone/identity/service/role_binding_service.py

@@ -4,10 +4,14 @@
 from spaceone.core.service import *
 from spaceone.core.service.utils import *
 
-from spaceone.identity.error import ERROR_NOT_ALLOWED_TO_DELETE_ROLE_BINDING
+from spaceone.identity.error import (
+    ERROR_NOT_ALLOWED_TO_DELETE_ROLE_BINDING,
+    ERROR_SERVICE_ACCOUNT_MANAGER_REGISTERED,
+)
 from spaceone.identity.error.error_role import *
 from spaceone.identity.manager.role_binding_manager import RoleBindingManager
 from spaceone.identity.manager.role_manager import RoleManager
+from spaceone.identity.manager.service_account_manager import ServiceAccountManager
 from spaceone.identity.manager.user_manager import UserManager
 from spaceone.identity.manager.workspace_manager import WorkspaceManager
 from spaceone.identity.model.role_binding.request import *
@@ -225,6 +229,18 @@ def delete(self, params: RoleBindingDeleteRequest) -> None:
             params.role_binding_id, params.domain_id, params.workspace_id
         )
 
+        if rb_vo.resource_group == "WORKSPACE":
+            service_account_mgr = ServiceAccountManager()
+            service_account_vos = service_account_mgr.filter_service_accounts(
+                domain_id=params.domain_id,
+                workspace_id=rb_vo.workspace_id,
+                service_account_mgr_id=rb_vo.user_id,
+            )
+            if service_account_vos.count() > 0:
+                raise ERROR_SERVICE_ACCOUNT_MANAGER_REGISTERED(
+                    service_account_id=service_account_vos[0].service_account_id
+                )
+
         if rb_vo.workspace_group_id:
             raise ERROR_NOT_ALLOWED_TO_DELETE_ROLE_BINDING(
                 workspace_group_id=rb_vo.workspace_group_id,

src/spaceone/identity/service/service_account_service.py

@@ -10,6 +10,8 @@
 from spaceone.identity.manager.agent_manager import AgentManager
 from spaceone.identity.manager.app_manager import AppManager
 from spaceone.identity.manager.client_secret_manager import ClientSecretManager
+from spaceone.identity.manager.role_binding_manager import RoleBindingManager
+from spaceone.identity.manager.user_manager import UserManager
 from spaceone.identity.model import App, ServiceAccount
 from spaceone.identity.model.app.response import AppResponse
 from spaceone.identity.model.service_account.request import *
@@ -36,7 +38,10 @@ def __init__(self, *args, **kwargs):
         self.service_account_mgr = ServiceAccountManager()
         self.app_mgr = AppManager()
         self.agent_mgr = AgentManager()
+        self.project_mgr = ProjectManager()
         self.resource_mgr = ResourceManager()
+        self.rb_mgr = RoleBindingManager()
+        self.user_mgr = UserManager()
 
     @transaction(
         permission="identity:ServiceAccount.write",
@@ -73,8 +78,7 @@ def create(
         )
 
         # Check project
-        project_mgr = ProjectManager()
-        project_mgr.get_project(
+        self.project_mgr.get_project(
             params.project_id, params.domain_id, params.workspace_id
         )
 
@@ -96,6 +100,29 @@ def create(
             params.trusted_account_id = None
             secret_type = "SECRET"
 
+        if user_id := params.service_account_mgr_id:
+            # check user_id is valid
+            self.user_mgr.get_user(user_id=user_id, domain_id=params.domain_id)
+
+            rb_vos = self.rb_mgr.filter_role_bindings(
+                user_id=user_id,
+                workspace_id=params.workspace_id,
+                domain_id=params.domain_id,
+            )
+            if rb_vos.count() == 0:
+                raise ERROR_NOT_FOUND(key="service_account_mgr_id", value=user_id)
+
+            if rb_vos.count() > 0:
+                project_vo = self.project_mgr.get_project(
+                    params.project_id, params.domain_id, params.workspace_id
+                )
+
+                if project_vo.project_type == "PRIVATE":
+                    project_users = project_vo.users or []
+                    users = list(set(project_users + [params.service_account_mgr_id]))
+                    add_member_params = {"users": users}
+                    self.project_mgr.update_project_by_vo(add_member_params, project_vo)
+
         service_account_vo = self.service_account_mgr.create_service_account(
             params.dict()
         )
@@ -185,6 +212,26 @@ def update(
                 params.data,
             )
 
+        # check service_account_mgr_id is valid in changed project
+        if (
+            params.project_id
+            and service_account_vo.service_account_mgr_id
+            and service_account_vo.project_id != params.project_id
+        ):
+            project_vo = self.project_mgr.get_project(
+                project_id=params.project_id,
+                domain_id=params.domain_id,
+                workspace_id=params.workspace_id,
+                user_projects=params.user_projects,
+            )
+
+            if (
+                project_vo.project_type == "PRIVATE"
+                and service_account_vo.service_account_mgr_id not in project_vo.users
+            ):
+                params.service_account_mgr_id = None
+
+        # change secret's project_id
         if (
             service_account_vo.secret_id
             and params.project_id