Update setting permissions on org creation

[#175042021]
Co-authored-by: Jenna Goldstrich <jgoldstrich@pivotal.io>
Co-authored-by: Merric de Launey <mdelauney@pivotal.io>

Author: MerricdeLauney

app/actions/organization_create.rb

@@ -1,3 +1,5 @@
+require 'role_create'
+
 module VCAP::CloudController
   class OrganizationCreate
     class Error < ::StandardError
@@ -8,7 +10,7 @@ def initialize(perm_client:, user_audit_info:)
       @user_audit_info = user_audit_info
     end
 
-    def create(message)
+    def create(message, user)
       org = nil
       Organization.db.transaction do
         org = VCAP::CloudController::Organization.create(
@@ -19,8 +21,10 @@ def create(message)
         MetadataUpdate.update(org, message)
       end
 
-      VCAP::CloudController::Roles::ORG_ROLE_NAMES.each do |role|
-        perm_client.create_org_role(role: role, org_id: org.guid)
+      VCAP::CloudController::RoleTypes::ORGANIZATION_ROLES.each do |role|
+        VCAP::CloudController::RoleCreate.new(message, @user_audit_info).create_organization_role(type: role,
+                                                                   user: user,
+                                                                   organization: org)
       end
 
       Repositories::OrganizationEventRepository.new.record_organization_create(org, @user_audit_info, message.audit_hash)

app/controllers/v3/organizations_controller.rb

@@ -47,7 +47,7 @@ def create
     message = VCAP::CloudController::OrganizationCreateMessage.new(hashed_params[:body])
     unprocessable!(message.errors.full_messages) unless message.valid?
 
-    org = OrganizationCreate.new(perm_client: perm_client, user_audit_info: user_audit_info).create(message)
+    org = OrganizationCreate.new(perm_client: perm_client, user_audit_info: user_audit_info).create(message, current_user)
 
     render json: Presenters::V3::OrganizationPresenter.new(org), status: :created
   rescue OrganizationCreate::Error => e

spec/request/organizations_spec.rb

@@ -10,18 +10,24 @@ module VCAP::CloudController
     let!(:organization2) { Organization.make name: 'Dungeon World' }
     let!(:organization3) { Organization.make name: 'The Sprawl' }
     let!(:inaccessible_organization) { Organization.make name: 'D&D' }
+    let(:uaa_client) { instance_double(VCAP::CloudController::UaaClient) }
 
     before do
       organization1.add_user(user)
       organization2.add_user(user)
       organization3.add_user(user)
       Domain.dataset.destroy # this will clean up the seeded test domains
       TestConfig.override(kubernetes: {})
+
+      allow(CloudController::DependencyLocator.instance).to receive(:uaa_client).and_return(uaa_client)
+      allow(uaa_client).to receive(:usernames_for_ids).with([user.guid]).and_return(
+        { user.guid => 'Ragnaros' }
+      )
     end
 
     describe 'POST /v3/organizations' do
-      it 'creates a new organization with the given name' do
-        request_body = {
+      let(:request_body) {
+        {
           name: 'org1',
           metadata: {
             labels: {
@@ -34,7 +40,8 @@ module VCAP::CloudController
             }
           }
         }.to_json
-
+      }
+      it 'creates a new organization with the given name' do
         expect {
           post '/v3/organizations', request_body, admin_header
         }.to change {
@@ -68,12 +75,12 @@ module VCAP::CloudController
       end
 
       it 'allows creating a suspended org' do
-        request_body = {
+        suspended_request_body = {
           name: 'suspended-org',
           suspended: true
         }.to_json
 
-        post '/v3/organizations', request_body, admin_header
+        post '/v3/organizations', suspended_request_body, admin_header
         expect(last_response.status).to eq(201)
 
         created_org = Organization.last
@@ -96,6 +103,58 @@ module VCAP::CloudController
           }
         )
       end
+
+      context 'when "user_org_creation" feature flag is enabled' do
+        before do
+          VCAP::CloudController::FeatureFlag.make(name: 'user_org_creation', enabled: true)
+        end
+
+        it 'lets ALL users create orgs' do
+          expect {
+            post '/v3/organizations', request_body, user_header
+          }.to change {
+            Organization.count
+          }.by 1
+
+          created_org = Organization.last
+
+          expect(last_response.status).to eq(201)
+          expect(parsed_response).to be_a_response_like(
+            {
+              'guid' => created_org.guid,
+              'created_at' => iso8601,
+              'updated_at' => iso8601,
+              'name' => 'org1',
+              'links' => {
+                'self' => { 'href' => "#{link_prefix}/v3/organizations/#{created_org.guid}" },
+                'domains' => { 'href' => "http://api2.vcap.me/v3/organizations/#{created_org.guid}/domains" },
+                'default_domain' => { 'href' => "http://api2.vcap.me/v3/organizations/#{created_org.guid}/domains/default" },
+                'quota' => { 'href' => "http://api2.vcap.me/v3/organization_quotas/#{created_org.quota_definition.guid}" }
+              },
+              'relationships' => { 'quota' => { 'data' => { 'guid' => created_org.quota_definition.guid } } },
+              'metadata' => {
+                'labels' => { 'freaky' => 'friday' },
+                'annotations' => { 'make' => 'subaru', 'model' => 'xv crosstrek', 'color' => 'orange' }
+              },
+              'suspended' => false
+            }
+          )
+        end
+        it 'gives the user all org roles associated with the new org' do
+          expect {
+            post '/v3/organizations', request_body, user_header
+          }.to change {
+            Organization.count
+          }.by 1
+
+          created_org = Organization.last
+          expect(OrganizationManager.first(organization_id: created_org.id, user_id: user.id)).to be_present
+          expect(OrganizationBillingManager.first(organization_id: created_org.id, user_id: user.id)).to be_present
+          expect(OrganizationAuditor.first(organization_id: created_org.id, user_id: user.id)).to be_present
+          expect(OrganizationUser.first(organization_id: created_org.id, user_id: user.id)).to be_present
+          expect(last_response.status).to eq(201)
+        end
+      end
     end
 
     describe 'GET /v3/organizations' do

spec/unit/actions/organization_create_spec.rb

@@ -8,8 +8,16 @@ module VCAP::CloudController
       let(:user_email) { 'user@example.com' }
       let(:user_audit_info) { UserAuditInfo.new(user_guid: user.guid, user_email: user_email) }
       let(:perm_client) { instance_spy(VCAP::CloudController::Perm::Client) }
+      let(:uaa_client) { instance_double(VCAP::CloudController::UaaClient) }
       subject(:org_create) { OrganizationCreate.new(perm_client: perm_client, user_audit_info: user_audit_info) }
 
+      before do
+        allow(CloudController::DependencyLocator.instance).to receive(:uaa_client).and_return(uaa_client)
+        allow(uaa_client).to receive(:usernames_for_ids).with([user.guid]).and_return(
+          { user.guid => 'Ragnaros' }
+        )
+      end
+
       context 'when creating a non-suspended organization' do
         let(:message) do
           VCAP::CloudController::OrganizationUpdateMessage.new({
@@ -28,7 +36,7 @@ module VCAP::CloudController
         end
 
         it 'creates a organization' do
-          organization = org_create.create(message)
+          organization = org_create.create(message, user)
 
           expect(organization.name).to eq('my-organization')
 
@@ -44,10 +52,11 @@ module VCAP::CloudController
         end
 
         it 'creates an audit event' do
-          created_org = org_create.create(message)
-          expect(VCAP::CloudController::Event.count).to eq(1)
-          event = VCAP::CloudController::Event.first
-          expect(event.values).to include(
+          created_org = org_create.create(message, user)
+          expect(VCAP::CloudController::Event.count).to eq(5)
+          org_create_event = VCAP::CloudController::Event.find(type: 'audit.organization.create')
+          expect(org_create_event).to exist
+          expect(org_create_event.values).to include(
             type: 'audit.organization.create',
             actor: user_audit_info.user_guid,
             actor_type: 'user',
@@ -58,8 +67,8 @@ module VCAP::CloudController
             actee_name: 'my-organization',
             organization_guid: created_org.guid
           )
-          expect(event.metadata).to eq({ 'request' => message.audit_hash })
-          expect(event.timestamp).to be
+          expect(org_create_event.metadata).to eq({ 'request' => message.audit_hash })
+          expect(org_create_event.timestamp).to be
         end
       end
 
@@ -68,7 +77,7 @@ module VCAP::CloudController
           name: 'my-organization',
           suspended: true
         })
-        organization = org_create.create(message)
+        organization = org_create.create(message, user)
 
         expect(organization.name).to eq('my-organization')
         expect(organization.suspended?).to be true
@@ -83,7 +92,7 @@ module VCAP::CloudController
 
           message = VCAP::CloudController::OrganizationUpdateMessage.new(name: 'foobar')
           expect {
-            org_create.create(message)
+            org_create.create(message, user)
           }.to raise_error(OrganizationCreate::Error, 'blork is busted')
         end
 
@@ -97,7 +106,7 @@ module VCAP::CloudController
           it 'raises a human-friendly error' do
             message = VCAP::CloudController::OrganizationUpdateMessage.new(name: name)
             expect {
-              org_create.create(message)
+              org_create.create(message, user)
             }.to raise_error(OrganizationCreate::Error, "Organization '#{name}' already exists.")
           end
         end