Merge pull request #338 from ImMin5/master

Add safe delete role logic
cloudforet-io · Sep 5, 2024 · 306a0bc · 306a0bc
2 parents 209e2b4 + 0e00213
commit 306a0bc
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/src/spaceone/identity/error/custom.py b/src/spaceone/identity/error/custom.py
@@ -19,3 +19,7 @@ class ERROR_ROLE_DOES_NOT_EXIST_OF_USER(ERROR_NOT_FOUND):
 
 class ERROR_NOT_ALLOWED_TO_DELETE_ROLE_BINDING(ERROR_INVALID_ARGUMENT):
     _message = "Not allowed to delete role binding. (workspace_group_id = {workspace_group_id}, role_binding_id = {role_binding_id})"
+
+
+class ERROR_ROLE_IN_USED_AT_ROLE_BINDING(ERROR_INVALID_ARGUMENT):
+    _message = "Role is in used at RoleBinding. (role_id = {role_id})"
diff --git a/src/spaceone/identity/service/role_service.py b/src/spaceone/identity/service/role_service.py
@@ -5,6 +5,8 @@
 from spaceone.core.service import *
 from spaceone.core.service.utils import *
 
+from spaceone.identity.error.custom import ERROR_ROLE_IN_USED_AT_ROLE_BINDING
+from spaceone.identity.manager.role_binding_manager import RoleBindingManager
 from spaceone.identity.manager.role_manager import RoleManager
 from spaceone.identity.model.role.request import *
 from spaceone.identity.model.role.request import BasicRoleSearchQueryRequest
@@ -23,6 +25,7 @@ class RoleService(BaseService):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.role_mgr = RoleManager()
+        self.rb_mgr = RoleBindingManager()
 
     @transaction(permission="identity:Role.write", role_types=["DOMAIN_ADMIN"])
     @convert_model
@@ -133,6 +136,13 @@ def delete(self, params: RoleDeleteRequest) -> None:
         if role_vo.is_managed:
             raise ERROR_PERMISSION_DENIED()
 
+        rb_vos = self.rb_mgr.filter_role_bindings(
+            role_id=role_vo.role_id, domain_id=role_vo.domain_id
+        )
+
+        if rb_vos.count() > 0:
+            raise ERROR_ROLE_IN_USED_AT_ROLE_BINDING(role_id=role_vo.role_id)
+
         self.role_mgr.delete_role_by_vo(role_vo)
 
     @transaction(