Allow adding existing users to registrar (#2616)

core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java

@@ -82,6 +82,8 @@ public class ConsoleUserDataAction extends ConsoleApiAction {
                 // auth checks.
                 "isAdmin", user.getUserRoles().isAdmin(),
                 "globalRole", user.getUserRoles().getGlobalRole(),
+                // registrar-specific roles
+                "userRoles", user.getUserRoles().getRegistrarRoles(),
                 // Include static contact resources in this call to minimize round trips
                 "productName", productName,
                 "supportEmail", supportEmail,

core/src/main/java/google/registry/ui/server/console/ConsoleUsersAction.java

@@ -48,6 +48,8 @@ import google.registry.tools.IamClient;
 import google.registry.util.StringGenerator;
 import java.io.IOException;
 import java.util.List;
+import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
@@ -100,7 +102,12 @@ public class ConsoleUsersAction extends ConsoleApiAction {
     // Temporary flag while testing
     if (user.getUserRoles().isAdmin()) {
       checkPermission(user, registrarId, ConsolePermission.MANAGE_USERS);
-      tm().transact(this::runCreateInTransaction);
+      if (userData.isPresent()) { // Adding existing user to registrar
+        tm().transact(this::runAppendUserInTransaction);
+      } else { // Adding new user to registrar
+        tm().transact(this::runCreateInTransaction);
+      }
+
     } else {
       consoleApiParams.response().setStatus(SC_FORBIDDEN);
     }
@@ -111,7 +118,7 @@ public class ConsoleUsersAction extends ConsoleApiAction {
     // Temporary flag while testing
     if (user.getUserRoles().isAdmin()) {
       checkPermission(user, registrarId, ConsolePermission.MANAGE_USERS);
-      tm().transact(() -> runUpdateInTransaction());
+      tm().transact(this::runUpdateInTransaction);
     } else {
       consoleApiParams.response().setStatus(SC_FORBIDDEN);
     }
@@ -145,21 +152,46 @@ public class ConsoleUsersAction extends ConsoleApiAction {
     }
   }
 
-  private void runDeleteInTransaction() throws IOException {
-    if (!isModifyingRequestValid()) {
+  private void runAppendUserInTransaction() {
+    if (!isModifyingRequestValid(false)) {
       return;
     }
-    String email = this.userData.get().emailAddress;
-    try {
-      directory.users().delete(email).execute();
-    } catch (IOException e) {
-      setFailedResponse("Failed to delete the user workspace account", SC_INTERNAL_SERVER_ERROR);
-      throw e;
+    ImmutableList<User> allRegistrarUsers = getAllRegistrarUsers(registrarId);
+    if (allRegistrarUsers.size() >= 4)
+      throw new BadRequestException("Total users amount per registrar is limited to 4");
+
+    updateUserRegistrarRoles(
+        this.userData.get().emailAddress,
+        registrarId,
+        RegistrarRole.valueOf(this.userData.get().role),
+        false);
+    consoleApiParams.response().setStatus(SC_OK);
+  }
+
+  private void runDeleteInTransaction() throws IOException {
+    if (!isModifyingRequestValid(true)) {
+      return;
+    }
+
+    String email = this.userData.get().emailAddress;
+    User updatedUser =
+        updateUserRegistrarRoles(
+            email, registrarId, RegistrarRole.valueOf(this.userData.get().role), true);
+
+    // User has no registrars assigned
+    if (updatedUser.getUserRoles().getRegistrarRoles().size() == 0) {
+      try {
+        directory.users().delete(email).execute();
+      } catch (IOException e) {
+        setFailedResponse("Failed to delete the user workspace account", SC_INTERNAL_SERVER_ERROR);
+        throw e;
+      }
+
+      VKey<User> key = VKey.create(User.class, email);
+      tm().delete(key);
+      User.revokeIapPermission(email, maybeGroupEmailAddress, cloudTasksUtils, null, iamClient);
     }
 
-    VKey<User> key = VKey.create(User.class, email);
-    tm().delete(key);
-    User.revokeIapPermission(email, maybeGroupEmailAddress, cloudTasksUtils, null, iamClient);
 
     consoleApiParams.response().setStatus(SC_OK);
   }
@@ -220,27 +252,19 @@ public class ConsoleUsersAction extends ConsoleApiAction {
   }
 
   private void runUpdateInTransaction() {
-    if (!isModifyingRequestValid()) {
+    if (!isModifyingRequestValid(true)) {
       return;
     }
 
-    UserData userData = this.userData.get();
-    UserRoles userRoles =
-        new UserRoles.Builder()
-            .setRegistrarRoles(ImmutableMap.of(registrarId, RegistrarRole.valueOf(userData.role)))
-            .build();
-    User updatedUser =
-        tm().loadByKeyIfPresent(VKey.create(User.class, userData.emailAddress))
-            .get()
-            .asBuilder()
-            .setUserRoles(userRoles)
-            .build();
-
-    tm().put(updatedUser);
+    updateUserRegistrarRoles(
+        this.userData.get().emailAddress,
+        registrarId,
+        RegistrarRole.valueOf(this.userData.get().role),
+        false);
     consoleApiParams.response().setStatus(SC_OK);
   }
 
-  private boolean isModifyingRequestValid() {
+  private boolean isModifyingRequestValid(boolean verifyAccess) {
     if (userData.isEmpty()
         || isNullOrEmpty(userData.get().emailAddress)
         || isNullOrEmpty(userData.get().role)) {
@@ -252,7 +276,7 @@ public class ConsoleUsersAction extends ConsoleApiAction {
             .orElseThrow(
                 () -> new BadRequestException(String.format("User %s doesn't exist", email)));
 
-    if (!userToUpdate.getUserRoles().getRegistrarRoles().containsKey(registrarId)) {
+    if (verifyAccess && !userToUpdate.getUserRoles().getRegistrarRoles().containsKey(registrarId)) {
       setFailedResponse(
           String.format("Can't update user not associated with registrarId %s", registrarId),
           SC_FORBIDDEN);
@@ -261,6 +285,36 @@ public class ConsoleUsersAction extends ConsoleApiAction {
     return true;
   }
 
+  private User updateUserRegistrarRoles(
+      String email, String registrarId, RegistrarRole newRole, boolean isDelete) {
+    User userToUpdate = tm().loadByKeyIfPresent(VKey.create(User.class, email)).get();
+    Map<String, RegistrarRole> updatedRegistrarRoles;
+    if (isDelete) {
+      updatedRegistrarRoles =
+          userToUpdate.getUserRoles().getRegistrarRoles().entrySet().stream()
+              .filter(entry -> !Objects.equals(entry.getKey(), registrarId))
+              .collect(ImmutableMap.toImmutableMap(Map.Entry::getKey, Map.Entry::getValue));
+    } else {
+      updatedRegistrarRoles =
+          ImmutableMap.<String, RegistrarRole>builder()
+              .putAll(userToUpdate.getUserRoles().getRegistrarRoles())
+              .put(registrarId, newRole)
+              .buildKeepingLast();
+    }
+    var updatedUser =
+        userToUpdate
+            .asBuilder()
+            .setUserRoles(
+                userToUpdate
+                    .getUserRoles()
+                    .asBuilder()
+                    .setRegistrarRoles(updatedRegistrarRoles)
+                    .build())
+            .build();
+    tm().put(updatedUser);
+    return updatedUser;
+  }
+
   private ImmutableList<User> getAllRegistrarUsers(String registrarId) {
     return tm().transact(
             () ->

core/src/test/java/google/registry/ui/server/console/ConsoleUserDataActionTest.java

@@ -20,6 +20,7 @@ import static jakarta.servlet.http.HttpServletResponse.SC_OK;
 import static jakarta.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 import static org.mockito.Mockito.when;
 
+import com.google.common.collect.ImmutableMap;
 import com.google.gson.Gson;
 import google.registry.model.console.User;
 import google.registry.persistence.transaction.JpaTestExtensions;
@@ -71,6 +72,8 @@ class ConsoleUserDataActionTest {
         GSON.fromJson(((FakeResponse) consoleApiParams.response()).getPayload(), Map.class);
     assertThat(jsonObject)
         .containsExactly(
+            "userRoles",
+            ImmutableMap.of(),
             "isAdmin",
             true,
             "technicalDocsUrl",

core/src/test/java/google/registry/ui/server/console/ConsoleUsersActionTest.java

@@ -246,6 +246,50 @@ class ConsoleUsersActionTest {
         .isEmpty();
   }
 
+  @Test
+  void testSuccess_removesRole() throws IOException {
+    User user1 = DatabaseHelper.loadByKey(VKey.create(User.class, "test1@test.com"));
+    AuthResult authResult =
+        AuthResult.createUser(
+            user1
+                .asBuilder()
+                .setUserRoles(user1.getUserRoles().asBuilder().setIsAdmin(true).build())
+                .build());
+    DatabaseHelper.persistResource(
+        new User.Builder()
+            .setEmailAddress("test4@test.com")
+            .setUserRoles(
+                new UserRoles()
+                    .asBuilder()
+                    .setRegistrarRoles(
+                        ImmutableMap.of(
+                            "TheRegistrar",
+                            RegistrarRole.PRIMARY_CONTACT,
+                            "SomeRegistrar",
+                            RegistrarRole.PRIMARY_CONTACT))
+                    .build())
+            .build());
+
+    ConsoleUsersAction action =
+        createAction(
+            Optional.of(ConsoleApiParamsUtils.createFake(authResult)),
+            Optional.of("DELETE"),
+            Optional.of(
+                new UserData("test4@test.com", RegistrarRole.ACCOUNT_MANAGER.toString(), null)));
+
+    action.cloudTasksUtils = cloudTasksHelper.getTestCloudTasksUtils();
+    when(directory.users()).thenReturn(users);
+    when(users.delete(any(String.class))).thenReturn(delete);
+    action.run();
+    var response = ((FakeResponse) consoleApiParams.response());
+    assertThat(response.getStatus()).isEqualTo(SC_OK);
+    Optional<User> actualUser =
+        DatabaseHelper.loadByKeyIfPresent(VKey.create(User.class, "test4@test.com"));
+    assertThat(actualUser).isPresent();
+    assertThat(actualUser.get().getUserRoles().getRegistrarRoles().containsKey("TheRegistrar"))
+        .isFalse();
+  }
+
   @Test
   void testFailure_limitedTo4UsersPerRegistrar() throws IOException {
     User user1 = DatabaseHelper.loadByKey(VKey.create(User.class, "test1@test.com"));