#
# Author:: Steven Danna (<steve@chef.io>)
# Copyright:: Copyright (c) Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require_relative "../knife"
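class Chef
  class Knife
    # knife user delete USER (options)
    #
    # Deletes a user from the Chef Infra Server via the root REST endpoint.
    # Unless --no-disassociate-user is given, the user is first removed from
    # every organization they belong to. Membership of an organization's
    # "admins" group blocks the deletion unless --remove-from-admin-groups is
    # given, and removal is refused when it would leave that admins group
    # empty (which would leave the organization without an administrator).
    class UserDelete < Knife
      deps do
        require_relative "../org"
      end

      banner "knife user delete USER (options)"

      option :no_disassociate_user,
        long: "--no-disassociate-user",
        short: "-d",
        description: "Don't disassociate the user first"

      option :remove_from_admin_groups,
        long: "--remove-from-admin-groups",
        short: "-R",
        description: "If the user is a member of any org admin groups, attempt to remove from those groups. Ignored if --no-disassociate-user is set."

      # The user name taken from the first positional argument (set by #run).
      attr_reader :username

      # Command entry point.
      #
      # Reads the user name from the first positional argument, asks for
      # confirmation, disassociates the user from their organizations (unless
      # --no-disassociate-user is set) and finally deletes the user.
      #
      # Exits with status 1 when no user name is given, or when admin-group
      # membership prevents a safe disassociation (see the error_exit_* helpers).
      def run
        @username = @name_args.first
        if username.nil?
          show_usage
          ui.fatal("You must specify a user name")
          exit 1
        end

        ui.confirm "Do you want to delete the user #{username}"

        disassociate_from_all_orgs(username) unless config[:no_disassociate_user]
        delete_user(username)
      end

      # Calls Org#dissociate_user for each organization in +orgs+.
      #
      # @param orgs [Array<Chef::Org>]
      # @param username [String]
      def disassociate_user(orgs, username)
        orgs.each { |org| org.dissociate_user(username) }
      end

      # Lists the organizations +username+ belongs to.
      #
      # NOTE(review): the name is interpolated straight into the request path
      # here and in #delete_user; a value containing "/" or ".." would address
      # a different resource. The server is expected to reject such names —
      # confirm, or escape the path segment here.
      #
      # @param username [String]
      # @return [Array<Chef::Org>] one Org per membership reported by the server
      def org_memberships(username)
        org_data = root_rest.get("users/#{username}/organizations")
        org_data.map { |org| Chef::Org.new(org["organization"]["name"]) }
      end

      # Removes +username+ from the "admins" group of every organization in
      # +admin_of+, reporting each removal on stderr.
      #
      # @param admin_of [Array<Chef::Org>]
      # @param username [String]
      def remove_from_admin_groups(admin_of, username)
        admin_of.each do |org|
          ui.stderr.puts "Removing #{username} from admins group of '#{org.name}'"
          org.remove_user_from_group("admins", username)
        end
      end

      # Partitions +orgs+ by the user's admin-group membership.
      #
      # @param orgs [Array<Chef::Org>]
      # @param username [String]
      # @return [Array(Array<Chef::Org>, Array<Chef::Org>)] the organizations
      #   whose "admins" group contains the user, and the subset of those
      #   where removing the user would leave the group empty
      def admin_group_memberships(orgs, username)
        admin_of = orgs.select { |org| org.user_member_of_group?(username, "admins") }
        # Only consulted for orgs the user actually administers, as before.
        unremovable = admin_of.select(&:actor_delete_would_leave_admins_empty?)
        [admin_of, unremovable]
      end

      # Deletes the user record itself. Called after disassociation so the
      # server is not left with memberships pointing at a missing user.
      #
      # @param username [String]
      def delete_user(username)
        ui.stderr.puts "Deleting user #{username}."
        root_rest.delete("users/#{username}")
      end

      # Fatal exit used when the user is in one or more org admin groups and
      # --remove-from-admin-groups was not given: lists the organizations and
      # explains how to have the memberships removed automatically.
      #
      # @param username [String]
      # @param admin_of [Array<Chef::Org>]
      def error_exit_admin_group_member!(username, admin_of)
        message = "#{username} is in the 'admins' group of the following organization(s):\n\n"
        admin_of.each { |org| message << "- #{org.name}\n" }
        message << <<~EOM
          Run this command again with the --remove-from-admin-groups option to
          remove the user from these admin group(s) automatically.
        EOM
        ui.fatal message
        exit 1
      end

      # Fatal exit used when the user is the sole member of an org's admins
      # group: removing them would leave the organization unadministrable, so
      # the operator must assign another admin first.
      #
      # @param username [String]
      # @param only_admin_of [Array<Chef::Org>]
      def error_exit_cant_remove_admin_membership!(username, only_admin_of)
        message = <<~EOM
          #{username} is the only member of the 'admins' group of the
          following organization(s):
        EOM
        only_admin_of.each { |org| message << "- #{org.name}\n" }
        message << <<~EOM
          Removing the only administrator of an organization can break it.
          Assign additional users or groups to the admin group(s) before
          deleting this user.
        EOM
        ui.fatal message
        exit 1
      end

      private

      # Removes +username+ from every organization they belong to.
      #
      # Admin-group memberships are cleared first when --remove-from-admin-groups
      # is set; otherwise, or when a removal would empty an admins group, this
      # exits via the corresponding error_exit_* helper before touching anything.
      #
      # @param username [String]
      def disassociate_from_all_orgs(username)
        ui.stderr.puts("Checking organization memberships...")
        orgs = org_memberships(username)

        admin_memberships = []
        unremovable_memberships = []
        unless orgs.empty?
          ui.stderr.puts("Checking admin group memberships for #{orgs.length} org(s).")
          admin_memberships, unremovable_memberships = admin_group_memberships(orgs, username)
        end

        unless admin_memberships.empty?
          unless config[:remove_from_admin_groups]
            error_exit_admin_group_member!(username, admin_memberships)
          end
          unless unremovable_memberships.empty?
            error_exit_cant_remove_admin_membership!(username, unremovable_memberships)
          end
          remove_from_admin_groups(admin_memberships, username)
        end

        disassociate_user(orgs, username)
      end
    end
  end
end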