Merge "Added --removePermission to RemoteUserTool"

mduft · Gerrit · commit 165d419696cd · 2025-10-13T13:44:14.000Z
diff --git a/minion/src/test/java/io/bdeploy/minion/cli/UserManagementCliTest.java b/minion/src/test/java/io/bdeploy/minion/cli/UserManagementCliTest.java
@@ -60,6 +60,13 @@ void testUserCreationAndPermissionManagement(RemoteService remote) {
         assertDoesNotThrow(() -> remote(admin2Remote, RemoteUserTool.class, "--list"));
         assertThrows(ForbiddenException.class, () -> remote(userRemote, RemoteUserTool.class, "--list"));
 
+        // Remove the permission of the second administrator
+        remote(remote, RemoteUserTool.class, "--update=" + admin2Username, "--removePermission=ADMIN");
+
+        // Check if the permission actually got removed
+        admin2data = getUserRowByName(remote, admin2Username);
+        assertEquals("[]", admin2data.get("Permissions"));
+
         // Promote the permission of the user
         remote(remote, RemoteUserTool.class, "--update=" + userUsername, "--permission=ADMIN");
 
diff --git a/ui/src/main/java/io/bdeploy/ui/cli/RemoteUserTool.java b/ui/src/main/java/io/bdeploy/ui/cli/RemoteUserTool.java
@@ -45,6 +45,9 @@ public class RemoteUserTool extends RemoteServiceTool<UserConfig> {
         @Help("Add a specific permission to the user. Values can be READ, WRITE or ADMIN. Use in conjunction with --scope, otherwise permission is global.")
         String permission();
 
+        @Help("Removes a specific permission from the user. Values can be READ, WRITE or ADMIN. Use in conjunction with --scope, otherwise permission is global.")
+        String removePermission();
+
         @Help("Scopes a specific permission specified with --permission to a certain instance group")
         String scope();
 
@@ -76,6 +79,9 @@ protected RenderableResult run(UserConfig config, RemoteService remote) {
         if (config.add() != null) {
             addUser(config, admin);
         } else if (config.update() != null) {
+            if (config.permission() != null && config.removePermission() != null) {
+                helpAndFail("Cannot add and remove a permission simultaneously");
+            }
             updateUser(config, admin);
         } else if (config.remove() != null) {
             admin.deleteUser(config.remove());
@@ -143,6 +149,12 @@ private void updateUser(UserConfig config, AuthAdminResource admin) {
                 updated = true;
             }
         }
+        if (config.removePermission() != null) {
+            if (user.permissions
+                    .remove(new ScopedPermission(config.scope(), Permission.valueOf(config.removePermission().toUpperCase())))) {
+                updated = true;
+            }
+        }
         if (updated) {
             admin.updateUser(user);
         }
