func revokeControllerAccess(accessor *state.State, targetUserTag, apiUser names.UserTag, access permission.Access) error {
controllerTag := accessor.ControllerTag()
switch access {
case permission.LoginAccess:
// Revoking login access removes all access.
err := accessor.RemoveUserAccess(targetUserTag, controllerTag)
return errors.Annotate(err, "could not revoke controller access")
case permission.AddModelAccess:
// Revoking add-model access sets login.
controllerUser, err := accessor.UserAccess(targetUserTag, controllerTag)
if err != nil {
return errors.Annotate(err, "could not look up controller access for user")
}
_, err = accessor.SetUserAccess(controllerUser.UserTag, controllerUser.Object, permission.LoginAccess)
return errors.Annotate(err, "could not set controller access to read-only")
case permission.SuperuserAccess:
// Revoking superuser sets add-model.
controllerUser, err := accessor.UserAccess(targetUserTag, controllerTag)
if err != nil {
return errors.Annotate(err, "could not look up controller access for user")
}
_, err = accessor.SetUserAccess(controllerUser.UserTag, controllerUser.Object, permission.AddModelAccess)
return errors.Annotate(err, "could not set controller access to add-model")
default:
return errors.Errorf("don't know how to revoke %q access", access)
}
}
func grantControllerAccess(accessor *state.State, targetUserTag, apiUser names.UserTag, access permission.Access) error {
_, err := accessor.AddControllerUser(state.UserAccessSpec{User: targetUserTag, CreatedBy: apiUser, Access: access})
if errors.IsAlreadyExists(err) {
controllerTag := accessor.ControllerTag()
controllerUser, err := accessor.UserAccess(targetUserTag, controllerTag)
if errors.IsNotFound(err) {
// Conflicts with prior check, must be inconsistent state.
err = txn.ErrExcessiveContention
}
if err != nil {
return errors.Annotate(err, "could not look up controller access for user")
}
// Only set access if greater access is being granted.
if controllerUser.Access.EqualOrGreaterControllerAccessThan(access) {
return errors.Errorf("user already has %q access or greater", access)
}
if _, err = accessor.SetUserAccess(controllerUser.UserTag, controllerUser.Object, access); err != nil {
return errors.Annotate(err, "could not set controller access for user")
}
return nil
}
if err != nil {
return errors.Trace(err)
}
return nil
}