Update user_count when removing workspace from workspace_group

src/spaceone/identity/service/workspace_group_service.py

@@ -2,11 +2,7 @@
 from datetime import datetime
 from typing import Dict, List, Union
 
-from spaceone.core.error import (
-    ERROR_INVALID_PARAMETER,
-    ERROR_NOT_FOUND,
-    ERROR_PERMISSION_DENIED,
-)
+from spaceone.core.error import ERROR_INVALID_PARAMETER, ERROR_NOT_FOUND
 from spaceone.core.service import (
     BaseService,
     authentication_handler,
@@ -169,10 +165,6 @@ def add_users(
         Returns:
            WorkspaceGroupResponse:
         """
-        role_type = self.transaction.get_meta("authorization.role_type")
-        if role_type != "DOMAIN_ADMIN":
-            raise ERROR_PERMISSION_DENIED()
-
         new_users_info_list: List[Dict[str, str]] = params.users
         workspace_group_id = params.workspace_group_id
         domain_id = params.domain_id
@@ -241,10 +233,6 @@ def remove_users(
         Returns:
             WorkspaceGroupResponse:
         """
-        role_type = self.transaction.get_meta("authorization.role_type")
-        if role_type != "DOMAIN_ADMIN":
-            raise ERROR_PERMISSION_DENIED()
-
         workspace_group_id = params.workspace_group_id
         users = params.users
         domain_id = params.domain_id
@@ -295,10 +283,6 @@ def update_role(
         Returns:
             WorkspaceGroupResponse:
         """
-        role_type = self.transaction.get_meta("authorization.role_type")
-        if role_type != "DOMAIN_ADMIN":
-            raise ERROR_PERMISSION_DENIED()
-
         workspace_group_id = params.workspace_group_id
         user_id = params.user_id
         role_id = params.role_id
@@ -348,10 +332,6 @@ def get(
         Returns:
             WorkspaceGroupResponse:
         """
-        role_type = self.transaction.get_meta("authorization.role_type")
-        if role_type != "DOMAIN_ADMIN":
-            raise ERROR_PERMISSION_DENIED()
-
         workspace_group_id = params.workspace_group_id
         domain_id = params.domain_id
 
@@ -395,10 +375,6 @@ def list(
         Returns:
             WorkspaceGroupsResponse:
         """
-        role_type = self.transaction.get_meta("authorization.role_type")
-        if role_type != "DOMAIN_ADMIN":
-            raise ERROR_PERMISSION_DENIED()
-
         query = params.query
 
         workspace_group_vos, total_count = (
@@ -447,11 +423,6 @@ def stat(self, params: WorkspaceGroupStatQueryRequest) -> dict:
                 'total_count': 'int'
             }
         """
-
-        role_type = self.transaction.get_meta("authorization.role_type")
-        if role_type != "DOMAIN_ADMIN":
-            raise ERROR_PERMISSION_DENIED()
-
         query = params.query
 
         return self.workspace_group_mgr.stat_workspace_group(query)

src/spaceone/identity/service/workspace_service.py

@@ -12,9 +12,12 @@
 from spaceone.identity.manager.project_manager import ProjectManager
 from spaceone.identity.manager.resource_manager import ResourceManager
 from spaceone.identity.manager.role_binding_manager import RoleBindingManager
-from spaceone.identity.manager.service_account_manager import ServiceAccountManager
-from spaceone.identity.manager.trusted_account_manager import TrustedAccountManager
-from spaceone.identity.manager.workspace_group_manager import WorkspaceGroupManager
+from spaceone.identity.manager.service_account_manager import \
+    ServiceAccountManager
+from spaceone.identity.manager.trusted_account_manager import \
+    TrustedAccountManager
+from spaceone.identity.manager.workspace_group_manager import \
+    WorkspaceGroupManager
 from spaceone.identity.manager.workspace_manager import WorkspaceManager
 from spaceone.identity.model import Workspace
 from spaceone.identity.model.workspace.request import *
@@ -37,6 +40,7 @@ def __init__(self, *args, **kwargs):
         self.resource_mgr = ResourceManager()
         self.workspace_mgr = WorkspaceManager()
         self.service_account_mgr = ServiceAccountManager()
+        self.rb_mgr = RoleBindingManager()
         self.workspace_group_mgr = WorkspaceGroupManager()
 
     @transaction(permission="identity:Workspace.write", role_types=["DOMAIN_ADMIN"])
@@ -450,22 +454,37 @@ def _remove_workspace_from_group(
             workspace_vo = self.workspace_mgr.get_workspace(
                 workspace_id=workspace_id, domain_id=domain_id
             )
-            workspace_vo.changed_at = datetime.utcnow()
-            workspace_vo.workspace_group_id = None
-            self.workspace_mgr.update_workspace_by_vo(
-                {"changed_at": workspace_vo.changed_at, "workspace_group_id": None},
-                workspace_vo,
-            )
+            if workspace_vo:
+                workspace_vo.changed_at = datetime.utcnow()
+                workspace_vo.workspace_group_id = None
+
+                user_rb_ids = self.rb_mgr.stat_role_bindings(
+                    query={
+                        "distinct": "user_id",
+                        "filter": [
+                            {"k": "workspace_id", "v": workspace_id, "o": "eq"},
+                            {"k": "domain_id", "v": domain_id, "o": "eq"},
+                        ],
+                    }
+                ).get("results", [])
+                user_rb_total_count = len(user_rb_ids)
+
+                self.workspace_mgr.update_workspace_by_vo(
+                    {
+                        "user_count": user_rb_total_count,
+                        "changed_at": workspace_vo.changed_at,
+                        "workspace_group_id": None,
+                    },
+                    workspace_vo,
+                )
 
-    @staticmethod
-    def _delete_role_bindings(existing_workspace_group_id: str, domain_id: str):
-        rb_mgr = RoleBindingManager()
-        rb_vos = rb_mgr.filter_role_bindings(
+    def _delete_role_bindings(self, existing_workspace_group_id: str, domain_id: str):
+        rb_vos = self.rb_mgr.filter_role_bindings(
             workspace_group_id=existing_workspace_group_id,
             domain_id=domain_id,
         )
         for rb_vo in rb_vos:
-            rb_mgr.delete_role_binding_by_vo(rb_vo)
+            self.rb_mgr.delete_role_binding_by_vo(rb_vo)
 
     @staticmethod
     def _create_role_bindings(