clean up network permissions when an account is deleted

Author: bernardodemarco

engine/schema/src/main/java/org/apache/cloudstack/network/dao/NetworkPermissionDao.java

@@ -40,6 +40,13 @@ public interface NetworkPermissionDao extends GenericDao<NetworkPermissionVO, Lo
      */
     void removeAllPermissions(long networkId);
 
+    /**
+     * Removes all network permissions associated with a given account.
+     *
+     * @param accountId The ID of the account from which all network permissions will be removed.
+     */
+    void removeAccountPermissions(long accountId);
+
     /**
      * Find a Network permission by networkId, accountName, and domainId
      *

engine/schema/src/main/java/org/apache/cloudstack/network/dao/NetworkPermissionDaoImpl.java

@@ -35,6 +35,7 @@ public class NetworkPermissionDaoImpl extends GenericDaoBase<NetworkPermissionVO
 
     private SearchBuilder<NetworkPermissionVO> NetworkAndAccountSearch;
     private SearchBuilder<NetworkPermissionVO> NetworkIdSearch;
+    private SearchBuilder<NetworkPermissionVO> accountSearch;
     private GenericSearchBuilder<NetworkPermissionVO, Long> FindNetworkIdsByAccount;
 
     protected NetworkPermissionDaoImpl() {
@@ -47,6 +48,10 @@ protected NetworkPermissionDaoImpl() {
         NetworkIdSearch.and("networkId", NetworkIdSearch.entity().getNetworkId(), SearchCriteria.Op.EQ);
         NetworkIdSearch.done();
 
+        accountSearch = createSearchBuilder();
+        accountSearch.and("accountId", accountSearch.entity().getAccountId(), SearchCriteria.Op.EQ);
+        accountSearch.done();
+
         FindNetworkIdsByAccount = createSearchBuilder(Long.class);
         FindNetworkIdsByAccount.select(null, SearchCriteria.Func.DISTINCT, FindNetworkIdsByAccount.entity().getNetworkId());
         FindNetworkIdsByAccount.and("account", FindNetworkIdsByAccount.entity().getAccountId(), SearchCriteria.Op.IN);
@@ -71,6 +76,16 @@ public void removeAllPermissions(long networkId) {
         expunge(sc);
     }
 
+    @Override
+    public void removeAccountPermissions(long accountId) {
+        SearchCriteria<NetworkPermissionVO> sc = accountSearch.create();
+        sc.setParameters("accountId", accountId);
+        int networkPermissionRemoved = expunge(sc);
+        if (networkPermissionRemoved > 0) {
+            s_logger.debug(String.format("Removed [%s] network permission(s) for the account with Id [%s]", networkPermissionRemoved, accountId));
+        }
+    }
+
     @Override
     public NetworkPermissionVO findByNetworkAndAccount(long networkId, long accountId) {
         SearchCriteria<NetworkPermissionVO> sc = NetworkAndAccountSearch.create();

server/src/main/java/com/cloud/user/AccountManagerImpl.java

@@ -873,6 +873,9 @@ protected boolean cleanupAccount(AccountVO account, long callerUserId, Account c
             // delete the account from project accounts
             _projectAccountDao.removeAccountFromProjects(accountId);
 
+            // Delete account's network permissions
+            networkPermissionDao.removeAccountPermissions(accountId);
+
             if (account.getType() != Account.Type.PROJECT) {
                 // delete the account from group
                 _messageBus.publish(_name, MESSAGE_REMOVE_ACCOUNT_EVENT, PublishScope.LOCAL, accountId);
@@ -1865,7 +1868,6 @@ public boolean deleteUserAccount(long accountId) {
         }
 
         checkIfAccountManagesProjects(accountId);
-        checkIfAccountHasNetworkPermissions(accountId);
 
         CallContext.current().putContextParameter(Account.class, account.getUuid());
 
@@ -1876,22 +1878,12 @@ protected void checkIfAccountManagesProjects(long accountId) {
         List<Long> managedProjectIds = _projectAccountDao.listAdministratedProjectIds(accountId);
         if (!CollectionUtils.isEmpty(managedProjectIds)) {
             throw new InvalidParameterValueException(String.format(
-                    "Unable to delete account [%s], because it manages the following project(s): %s. Please, remove the account from these projects first.",
+                    "Unable to delete account [%s], because it manages the following project(s): %s. Please, remove the account from these projects or demote it to a regular project role first.",
                     accountId, managedProjectIds
             ));
         }
     }
 
-    protected void checkIfAccountHasNetworkPermissions(long accountId) {
-        List<Long> networkIds = networkPermissionDao.listPermittedNetworkIdsByAccounts(List.of(accountId));
-        if (!CollectionUtils.isEmpty(networkIds)) {
-            throw new InvalidParameterValueException(String.format(
-                    "Unable to delete account [%s], because it has network permissions for the following network(s): %s. Please, remove the network permissions first.",
-                    accountId, networkIds
-            ));
-        }
-    }
-
     private boolean isDeleteNeeded(AccountVO account, long accountId, Account caller) {
         if (account == null) {
             s_logger.info(String.format("The account, identified by id %d, doesn't exist", accountId ));

server/src/test/java/com/cloud/user/AccountManagerImplTest.java

@@ -1210,24 +1210,6 @@ public void checkIfAccountManagesProjectsTestNotThrowExceptionWhenTheAccountIsNo
         accountManagerImpl.checkIfAccountManagesProjects(accountId);
     }
 
-    @Test(expected = InvalidParameterValueException.class)
-    public void checkIfAccountHasNetworkPermissionsTestThrowExceptionWhenTheAccountHasNetworkPermissions() {
-        long accountId = 1L;
-        List<Long> networkIds = List.of(1L);
-
-        Mockito.when(networkPermissionDaoMock.listPermittedNetworkIdsByAccounts(List.of(accountId))).thenReturn(networkIds);
-        accountManagerImpl.checkIfAccountHasNetworkPermissions(accountId);
-    }
-
-    @Test
-    public void checkIfAccountHasNetworkPermissionsTestNotThrowExceptionWhenTheAccountDoesNotHaveNetworkPermissions() {
-        long accountId = 1L;
-        List<Long> networkIds = new ArrayList<>();
-
-        Mockito.when(networkPermissionDaoMock.listPermittedNetworkIdsByAccounts(List.of(accountId))).thenReturn(networkIds);
-        accountManagerImpl.checkIfAccountHasNetworkPermissions(accountId);
-    }
-
     @Test(expected = InvalidParameterValueException.class)
     public void checkIfAccountManagesProjectsTestThrowExceptionWhenTheAccountIsAProjectAdministrator() {
         long accountId = 1L;