[RHCLOUD-35997] Add admin endpoint to delete/list workspace/tenantmapping

[astrozzc]

Link(s) to Jira

• https://issues.redhat.com/browse/RHCLOUD-35997

Description of Intent of Change(s)

The what, why and how.

Local Testing

How can the feature be exercised?
How can the bug be exploited and fix confirmed?
Is any special local setup required?

Checklist

• if API spec changes are required, is the spec updated?
• are there any pre/post merge actions required? if so, document here.
• are theses changes covered by unit tests?
• if warranted, are documentation changes accounted for?
• does this require migration changes?
  • if yes, are they backwards compatible?
• is there known, direct impact to dependent teams/components?
  • if yes, how will this be handled?

Secure Coding Practices Checklist Link

• https://github.com/RedHatInsights/secure-coding-checklist

Secure Coding Practices Checklist

• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Protection
• Communication Security
• System Configuration
• Database Security
• File Management
• Memory Management
• General Coding Practices

[coderbydesign]

Will we want to manage BindingMapping as well?

[astrozzc]

Added

[coderbydesign]

This would be all default + standard, correct? Not just default? Some of these would still fail if they have FK refs?

[coderbydesign]

I guess in our case for now, we're just using this for default and root though, right? So we should be able to get away with just deleting defaults first and then root, I guess is what you're saying? Platex may start testing with full hierarchy though, which would mean we'd need to do some recursive deletion.

[alechenninger]

This will miss bindings for system roles because those are in the public tenant. Is this intentional?

I think we probably want removing the binding to be based off of the tenant of the resource, however we don't have a foreign key here, and we might not always know the owning Tenant of the bound resource. For now, we actually do, though, since the resource is always a Workspace. Maybe we could just start there? That is, find all workspaces for a tenant, and then delete all the binding mappings for those workspaces (using resource type namespace, resource type name, and resource id fields to filter).

In the long run, we probably won't be able to support removing bindings by org, unless we make it clear it's limited to only certain narrow filter options (like custom roles, or workspace bindings).

It also may be safer for us to just blow away everything, but it probably doesn't hurt to have something org specific in case it is needed. It just has to be used very carefully of course.

[astrozzc]

I had the wrong impression the bindings for system roles have to be kept. I am ignoring the org_id for bindingmapping for now

[astrozzc]

/retest

[alechenninger]

Maybe abort or raise an error if its the binding and org_id is passed? Just so we have to be intentional if we want to delete everything, and someone doesn't think they're only deleting bindings for one org and end up accidentally deleting everything.

[astrozzc]

Updated

[lpichler]

@astrozzc Does this need update to open api spec ?

[lpichler]

Does resource needs to be checked if exists in RESOURCE_MODEL_MAPPING ? Maybe this check should in get_resources function ?

[astrozzc]

It has already been checked at the beginning of the migration_resources function: https://github.com/RedHatInsights/insights-rbac/pull/1287/files#diff-fb45a5441f65035cd9b020f4b00090da2927a3b9c40c9dc56848e7129c9219ceR557-R568

[lpichler]

typo optinos

[astrozzc]

Oops, forgot to update this, good catch!

[astrozzc]

@astrozzc Does this need update to open api spec ?

Oh, good point! Let me update that

[astrozzc]

/retest

[astrozzc]

/retest

[alechenninger]

LGTM