Update workspace group

src/spaceone/identity/interface/grpc/workspace_group.py

@@ -26,24 +26,6 @@ def delete(self, request, context):
         workspace_group_svc.delete(params)
         return self.empty()
 
-    def add_workspaces(self, request, context):
-        params, metadata = self.parse_request(request, context)
-        workspace_group_svc = WorkspaceGroupService(metadata)
-        response: dict = workspace_group_svc.add_workspaces(params)
-        return self.dict_to_message(response)
-
-    def remove_workspaces(self, request, context):
-        params, metadata = self.parse_request(request, context)
-        workspace_group_svc = WorkspaceGroupService(metadata)
-        response: dict = workspace_group_svc.remove_workspaces(params)
-        return self.dict_to_message(response)
-
-    def find_users(self, request, context):
-        params, metadata = self.parse_request(request, context)
-        workspace_group_svc = WorkspaceGroupService(metadata)
-        response: dict = workspace_group_svc.find_users(params)
-        return self.dict_to_message(response)
-
     def add_users(self, request, context):
         params, metadata = self.parse_request(request, context)
         workspace_group_svc = WorkspaceGroupService(metadata)

src/spaceone/identity/manager/role_binding_manager.py

@@ -1,8 +1,9 @@
 import logging
 from typing import Tuple
-from mongoengine import QuerySet
 
+from mongoengine import QuerySet
 from spaceone.core.manager import BaseManager
+
 from spaceone.identity.model.role_binding.database import RoleBinding
 
 _LOGGER = logging.getLogger(__name__)

src/spaceone/identity/manager/workspace_group_manager.py

@@ -1,7 +1,8 @@
 import logging
-from typing import Tuple
+from typing import Dict, List, Tuple
 
 from mongoengine import QuerySet
+from spaceone.core.error import ERROR_INVALID_PARAMETER, ERROR_NOT_FOUND
 from spaceone.core.manager import BaseManager
 
 from spaceone.identity.manager.role_binding_manager import RoleBindingManager
@@ -51,19 +52,21 @@ def delete_workspace_group_by_vo(self, workspace_group_vo: WorkspaceGroup) -> No
 
         if rb_vos.count() > 0:
             _LOGGER.debug(
-                f"[delete_workspace_group_by_vo] Delete role bindings count with {workspace_group_vo.workspaces}: {rb_vos.count()}"
+                f"[delete_workspace_group_by_vo] Delete role bindings count with {workspace_group_vo.users}: {rb_vos.count()}"
             )
-            rb_vos.delete()
+            for rb_vo in rb_vos:
+                _LOGGER.debug(
+                    f"[delete_workspace_group_by_vo] Delete role binding info: {rb_vo.to_dict()}"
+                )
+                rb_vo.delete()
 
         workspace_group_vo.delete()
 
-    # TODO: When add_users and remove_users, are user_id and role_type required?
     def get_workspace_group(
         self,
         workspace_group_id: str,
         domain_id: str,
         user_id: str = None,
-        role_type: str = None,
     ) -> WorkspaceGroup:
         conditions = {
             "workspace_group_id": workspace_group_id,
@@ -73,10 +76,6 @@ def get_workspace_group(
         if user_id:
             conditions["users__user_id"] = user_id
 
-        # TODO: Check if this is correct
-        # if role_type:
-        #     conditions["users__role_type"] = role_type
-
         return self.workspace_group_model.get(**conditions)
 
     def filter_workspace_groups(self, **conditions) -> QuerySet:
@@ -94,3 +93,41 @@ def check_user_id_in_users(user_id: str, workspace_group_vo: WorkspaceGroup):
             workspace_group_user_id == user_id
             for workspace_group_user_id in workspace_group_vo["users"]
         )
+
+    def get_old_users_and_new_users(
+        self, users: List[Dict[str, str]], workspace_group_id: str, domain_id: str
+    ) -> Tuple[List[str], List[str]]:
+        workspace_group_vo = self.get_workspace_group(workspace_group_id, domain_id)
+
+        old_users = list(
+            set(
+                [user_info["user_id"] for user_info in workspace_group_vo.users]
+                if workspace_group_vo.users
+                else []
+            )
+        )
+        new_users = list(set([user_info["user_id"] for user_info in users]))
+
+        return old_users, new_users
+
+    @staticmethod
+    def check_new_users_already_in_workspace_group(
+        old_users: List[str], new_users: List[str]
+    ) -> None:
+        if set(old_users) & set(new_users):
+            _LOGGER.error(
+                f"Users {new_users} is already in workspace group or not registered."
+            )
+            raise ERROR_INVALID_PARAMETER(
+                key="users",
+                reason=f"User {new_users} is already in the workspace group or not registered.",
+            )
+
+    @staticmethod
+    def check_user_ids_exist_in_workspace_group(
+        old_user_ids: List[str], user_ids: List[str]
+    ) -> None:
+        for user_id in user_ids:
+            if user_id not in old_user_ids:
+                _LOGGER.error(f"User ID {user_id} is not in workspace group.")
+                raise ERROR_NOT_FOUND(key="user_id", value=user_id)

src/spaceone/identity/model/workspace_group/database.py

@@ -1,12 +1,28 @@
-from mongoengine import DateTimeField, DictField, ListField, StringField
+from mongoengine import (
+    DateTimeField,
+    DictField,
+    EmbeddedDocument,
+    EmbeddedDocumentField,
+    ListField,
+    StringField,
+)
 from spaceone.core.model.mongo_model import MongoModel
 
 
+class WorkspaceGroupUser(EmbeddedDocument):
+    user_id = StringField(max_length=40, required=True)
+    role_id = StringField(max_length=40, required=True)
+    role_type = StringField(
+        max_length=20, choices=("WORKSPACE_OWNER", "WORKSPACE_MEMBER")
+    )
+
+
 class WorkspaceGroup(MongoModel):
     workspace_group_id = StringField(max_length=40, generate_id="wg", unique=True)
     name = StringField(max_length=255, unique_with="domain_id")
-    workspaces = ListField(StringField(max_length=40), default=None, null=True)
-    users = ListField(DictField(default=None), default=None, null=True)
+    users = ListField(
+        EmbeddedDocumentField(WorkspaceGroupUser), default=None, null=True
+    )
     tags = DictField(default=None)
     created_by = StringField(max_length=255)
     updated_by = StringField(max_length=255)
@@ -17,7 +33,6 @@ class WorkspaceGroup(MongoModel):
     meta = {
         "updatable_fields": [
             "name",
-            "workspaces",
             "users",
             "tags",
             "updated_by",
@@ -27,9 +42,7 @@ class WorkspaceGroup(MongoModel):
             "workspace_group_id",
             "name",
         ],
-        "change_query_keys": {
-            "workspace_id": "workspaces",
-        },
+        "change_query_keys": {},
         "ordering": ["name"],
         "indexes": [
             "workspace_group_id",

src/spaceone/identity/model/workspace_group/request.py

@@ -6,8 +6,6 @@
     "WorkspaceGroupCreateRequest",
     "WorkspaceGroupUpdateRequest",
     "WorkspaceGroupDeleteRequest",
-    "WorkspaceGroupAddWorkspacesRequest",
-    "WorkspaceGroupRemoveWorkspacesRequest",
     "WorkspaceGroupAddUsersRequest",
     "WorkspaceGroupRemoveUsersRequest",
     "WorkspaceGroupUpdateRoleRequest",
@@ -41,20 +39,6 @@ class WorkspaceGroupDeleteRequest(BaseModel):
     domain_id: str
 
 
-class WorkspaceGroupAddWorkspacesRequest(BaseModel):
-    workspace_group_id: str
-    workspaces: List[str]
-    workspace_id: Union[str, None] = None
-    domain_id: str
-
-
-class WorkspaceGroupRemoveWorkspacesRequest(BaseModel):
-    workspace_group_id: str
-    workspaces: List[str]
-    workspace_id: Union[str, None] = None
-    domain_id: str
-
-
 class WorkspaceGroupAddUsersRequest(BaseModel):
     workspace_group_id: str
     users: List[Dict[str, str]]

src/spaceone/identity/model/workspace_group/response.py

@@ -1,17 +1,24 @@
 from datetime import datetime
-from typing import Dict, List, Union
+from typing import List, Union
 
 from pydantic.main import BaseModel
 from spaceone.core import utils
 
 __all__ = ["WorkspaceGroupResponse", "WorkspaceGroupsResponse"]
 
 
+class WorkspaceGroupUser(BaseModel):
+    user_id: str
+    role_id: str
+    role_type: str
+    user_name: Union[str, None] = None
+    state: Union[str, None] = None
+
+
 class WorkspaceGroupResponse(BaseModel):
     workspace_group_id: Union[str, None] = None
     name: Union[str, None] = None
-    workspaces: Union[list, None] = None
-    users: Union[List[Dict[str, str]], None] = None
+    users: Union[List[WorkspaceGroupUser], None] = None
     tags: Union[dict, None] = None
     created_by: Union[str, None] = None
     updated_by: Union[str, None] = None

src/spaceone/identity/service/role_binding_service.py

@@ -10,6 +10,7 @@
 from spaceone.identity.manager.role_manager import RoleManager
 from spaceone.identity.manager.user_manager import UserManager
 from spaceone.identity.manager.workspace_manager import WorkspaceManager
+from spaceone.identity.model import RoleBinding
 from spaceone.identity.model.role_binding.request import *
 from spaceone.identity.model.role_binding.response import *
 
@@ -269,26 +270,7 @@ def delete(self, params: RoleBindingDeleteRequest) -> None:
         user_vo = self.user_mgr.get_user(rb_vo.user_id, rb_vo.domain_id)
 
         self.user_mgr.update_user_by_vo(user_role_info, user_vo)
-        self.role_binding_manager.delete_role_binding_by_vo(rb_vo)
-
-        workspace_vo = self.workspace_mgr.get_workspace(
-            params.workspace_id, params.domain_id
-        )
-
-        user_rb_ids = self.role_binding_manager.stat_role_bindings(
-            query={
-                "distinct": "user_id",
-                "filter": [
-                    {"k": "workspace_id", "v": params.workspace_id, "o": "eq"},
-                    {"k": "domain_id", "v": params.domain_id, "o": "eq"},
-                ],
-            }
-        ).get("results", [])
-        user_rb_total_count = len(user_rb_ids)
-
-        self.workspace_mgr.update_workspace_by_vo(
-            {"user_count": user_rb_total_count}, workspace_vo
-        )
+        self.delete_role_binding_by_vo(rb_vo, params.domain_id, params.workspace_id)
 
     @transaction(
         permission="identity:RoleBinding.read",
@@ -474,3 +456,26 @@ def _get_latest_role_type(before: str, after: str) -> str:
                 return "USER"
 
             return after
+
+    def delete_role_binding_by_vo(
+        self, rb_vo: RoleBinding, domain_id: str, workspace_id: str = None
+    ):
+        self.role_binding_manager.delete_role_binding_by_vo(rb_vo)
+
+        if workspace_id:
+            workspace_vo = self.workspace_mgr.get_workspace(workspace_id, domain_id)
+
+            user_rb_ids = self.role_binding_manager.stat_role_bindings(
+                query={
+                    "distinct": "user_id",
+                    "filter": [
+                        {"k": "workspace_id", "v": workspace_id, "o": "eq"},
+                        {"k": "domain_id", "v": domain_id, "o": "eq"},
+                    ],
+                }
+            ).get("results", [])
+            user_rb_total_count = len(user_rb_ids)
+
+            self.workspace_mgr.update_workspace_by_vo(
+                {"user_count": user_rb_total_count}, workspace_vo
+            )

src/spaceone/identity/service/token_service.py

@@ -128,8 +128,8 @@ def grant(self, params: TokenGrantRequest) -> Union[GrantTokenResponse, dict]:
 
         # todo: remove
         if (
-                domain_id == SystemManager.get_root_domain_id()
-                and params.scope == "WORKSPACE"
+            domain_id == SystemManager.get_root_domain_id()
+            and params.scope == "WORKSPACE"
         ):
             public_jwk = self.domain_secret_mgr.get_domain_public_key(domain_id)
             domain_id = params.domain_id
@@ -317,7 +317,7 @@ def _verify_token(grant_type: str, token: str, public_jwk: dict) -> dict:
         return token_info
 
     def _get_user_role_info(
-            self, user_vo: User, workspace_id: str = None
+        self, user_vo: User, workspace_id: str = None
     ) -> Tuple[str, Union[str, None]]:
         if user_vo.role_type == "DOMAIN_ADMIN":
             rb_vos = self.rb_mgr.filter_role_bindings(
@@ -357,13 +357,13 @@ def _get_app_role_info(app_vo: App) -> Tuple[str, str]:
         key="identity:role-permissions-page-access:{domain_id}:{role_id}", expire=600
     )
     def _get_role_permissions_and_page_access(
-            self, role_id: str, domain_id: str
+        self, role_id: str, domain_id: str
     ) -> Tuple[List[str], List[str]]:
         role_vo = self.role_mgr.get_role(role_id=role_id, domain_id=domain_id)
         return role_vo.permissions, role_vo.page_access
 
     def _get_user_projects_in_project_group(
-            self, domain_id: str, workspace_id: str, user_id: str
+        self, domain_id: str, workspace_id: str, user_id: str
     ) -> List[str]:
         user_projects = []
         project_groups = self.project_group_mgr.filter_project_groups(
@@ -384,7 +384,7 @@ def _get_user_projects_in_project_group(
         return user_projects
 
     def _get_user_projects(
-            self, user_id: str, workspace_id: str, domain_id: str
+        self, user_id: str, workspace_id: str, domain_id: str
     ) -> List[str]:
         user_projects = []
 
@@ -419,7 +419,7 @@ def _check_user_required_actions(required_actions: list, user_id: str) -> None:
         expire=600,
     )
     def _get_combined_role_permissions_and_page_access(
-            self, role_type: str, user_id: str, domain_id: str
+        self, role_type: str, user_id: str, domain_id: str
     ) -> Tuple[List[str], List[str]]:
         role_bindings = self.rb_mgr.filter_role_bindings(
             role_type=role_type,