Merge branch 'ZSPHERE-175@@2' into 'zsv_5.0.0'

<feature>[identity]: add ChangeAccountType API

See merge request zstackio/zstack!9378

Author: gitlab

conf/serviceConfig/identity.xml

@@ -77,4 +77,8 @@
     <message>
         <name>org.zstack.header.identity.role.api.APIGetRolePolicyActionsMsg</name>
     </message>
+
+    <message>
+        <name>org.zstack.header.identity.APIChangeAccountTypeMsg</name>
+    </message>
 </service>

header/src/main/java/org/zstack/header/identity/APIChangeAccountTypeEvent.java

@@ -0,0 +1,37 @@
+package org.zstack.header.identity;
+
+import org.zstack.header.message.APIEvent;
+import org.zstack.header.rest.RestResponse;
+
+@RestResponse(allTo = "inventory")
+public class APIChangeAccountTypeEvent extends APIEvent {
+    private AccountInventory inventory;
+
+    public APIChangeAccountTypeEvent(String apiId) {
+        super(apiId);
+    }
+
+    public APIChangeAccountTypeEvent() {
+        super(null);
+    }
+
+    public AccountInventory getInventory() {
+        return inventory;
+    }
+
+    public void setInventory(AccountInventory inventory) {
+        this.inventory = inventory;
+    }
+
+    public static APIChangeAccountTypeEvent __example__() {
+        APIChangeAccountTypeEvent event = new APIChangeAccountTypeEvent();
+
+        AccountInventory inventory = new AccountInventory();
+        inventory.setName("test");
+        inventory.setType(AccountType.SystemAdmin.toString());
+        inventory.setUuid(uuid());
+
+        event.setInventory(inventory);
+        return event;
+    }
+}

header/src/main/java/org/zstack/header/identity/APIChangeAccountTypeEventDoc_zh_cn.groovy

@@ -0,0 +1,23 @@
+package org.zstack.header.identity
+
+import org.zstack.header.identity.APIChangeAccountTypeEvent
+
+doc {
+	title "ChangeAccountType"
+
+	field {
+		name "success"
+		desc ""
+		type "boolean"
+		since "5.0.0"
+	}
+
+	ref {
+        name "error"
+        path "org.zstack.header.identity.APIChangeAccountTypeEvent.error"
+        desc "错误码，若不为null，则表示操作失败, 操作成功时该字段为null", false
+        type "ErrorCode"
+        since "5.0.0"
+        clz ErrorCode.class
+    }
+}

header/src/main/java/org/zstack/header/identity/APIChangeAccountTypeMsg.java

@@ -0,0 +1,50 @@
+package org.zstack.header.identity;
+
+import org.springframework.http.HttpMethod;
+import org.zstack.header.message.APIMessage;
+import org.zstack.header.message.APIParam;
+import org.zstack.header.rest.RestRequest;
+
+@Action(category = AccountConstant.ACTION_CATEGORY, adminOnly = true)
+@RestRequest(
+        path = "/accounts/{uuid}/actions",
+        method = HttpMethod.PUT,
+        isAction = true,
+        responseClass = APIChangeAccountTypeEvent.class
+)
+public class APIChangeAccountTypeMsg extends APIMessage implements AccountMessage {
+    @APIParam(resourceType = AccountVO.class)
+    private String uuid;
+
+    @APIParam
+    private String type;
+
+    public String getUuid() {
+        return uuid;
+    }
+
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+
+
+    @Override
+    public String getAccountUuid() {
+        return this.getSession().getAccountUuid();
+    }
+
+    public static APIChangeAccountTypeMsg __example__() {
+        APIChangeAccountTypeMsg msg = new APIChangeAccountTypeMsg();
+        msg.setUuid(uuid());
+        msg.setType(AccountType.SystemAdmin.toString());
+        return msg;
+    }
+
+    public String getType() {
+        return type;
+    }
+
+    public void setType(String type) {
+        this.type = type;
+    }
+}

header/src/main/java/org/zstack/header/identity/APIChangeAccountTypeMsgDoc_zh_cn.groovy

@@ -0,0 +1,67 @@
+package org.zstack.header.identity
+
+import org.zstack.header.identity.APIChangeAccountTypeEvent
+
+doc {
+	title "ChangeAccountType"
+
+	category "identity"
+
+	desc """变更账户类型（提权/降权）"""
+
+	rest {
+		request {
+			url "PUT /v1/accounts/{uuid}/actions"
+
+			header (Authorization: 'OAuth the-session-uuid')
+
+			clz APIChangeAccountTypeMsg.class
+
+			desc """变更账户类型，支持将普通用户提升为管理员，或将管理员降级为普通用户（暂不支持）"""
+
+			params {
+
+				column {
+					name "uuid"
+					enclosedIn "changeAccountType"
+					desc "资源的UUID，唯一标示该资源"
+					location "url"
+					type "String"
+					optional false
+					since "5.0.0"
+				}
+				column {
+					name "type"
+					enclosedIn "changeAccountType"
+					desc "账户类型，SystemAdmin表示管理员，Normal表示普通用户（Normal暂不支持，即暂不支持降权）"
+					location "body"
+					type "String"
+					optional false
+					since "5.0.0"
+				}
+				column {
+					name "systemTags"
+					enclosedIn ""
+					desc "系统标签"
+					location "body"
+					type "List"
+					optional true
+					since "5.0.0"
+				}
+				column {
+					name "userTags"
+					enclosedIn ""
+					desc "用户标签"
+					location "body"
+					type "List"
+					optional true
+					since "5.0.0"
+				}
+			}
+		}
+
+		response {
+			clz APIChangeAccountTypeEvent.class
+		}
+	}
+}

header/src/main/java/org/zstack/header/identity/AccountTypeChangedExtensionPoint.java

@@ -0,0 +1,16 @@
+package org.zstack.header.identity;
+
+import org.zstack.header.errorcode.ErrorCode;
+
+/**
+ * Extension point for account type change operations.
+ * Plugins can implement this interface to perform custom logic
+ * when an account type is changed (e.g., promote to admin or demote to normal).
+ */
+public interface AccountTypeChangedExtensionPoint {
+    ErrorCode preAccountTypeChange(String accountUuid, AccountType oldType, AccountType newType);
+
+    void beforeAccountTypeChange(String accountUuid, AccountType oldType, AccountType newType);
+
+    void afterAccountTypeChange(String accountUuid, AccountType newType);
+}

identity/src/main/java/org/zstack/identity/AccountBase.java

@@ -27,6 +27,7 @@
 import org.zstack.header.message.APIMessage;
 import org.zstack.header.message.Message;
 import org.zstack.header.message.MessageReply;
+import static org.zstack.core.Platform.argerr;
 import org.zstack.utils.CollectionUtils;
 import org.zstack.utils.Utils;
 import org.zstack.utils.logging.CLogger;
@@ -316,11 +317,42 @@ private void handleApiMessage(APIMessage msg) {
             handle((APIDeleteAccountMsg) msg);
         } else if (msg instanceof APIGetAccountQuotaUsageMsg) {
             handle((APIGetAccountQuotaUsageMsg) msg);
+        } else if (msg instanceof APIChangeAccountTypeMsg) {
+            handle((APIChangeAccountTypeMsg) msg);
         } else {
             bus.dealWithUnknownMessage(msg);
         }
     }
 
+    private void handle(APIChangeAccountTypeMsg msg) {
+        APIChangeAccountTypeEvent evt = new APIChangeAccountTypeEvent(msg.getId());
+        String accountUuid = msg.getUuid();
+        AccountVO account = dbf.findByUuid(accountUuid, AccountVO.class);
+        if (account == null) {
+            evt.setError(argerr("Cannot find account[uuid:%s]", accountUuid));
+            bus.publish(evt);
+            return;
+        }
+        AccountType originalAccountType = account.getType();
+        AccountType targetAccountType = AccountType.valueOf(msg.getType());
+        List<AccountTypeChangedExtensionPoint> extensions = pluginRgty.getExtensionList(AccountTypeChangedExtensionPoint.class);
+        for (AccountTypeChangedExtensionPoint extension : extensions) {
+            ErrorCode errorCode = extension.preAccountTypeChange(accountUuid, originalAccountType, targetAccountType);
+            if (errorCode != null) {
+                evt.setError(errorCode);
+                bus.publish(evt);
+                return;
+            }
+        }
+        CollectionUtils.forEach(extensions, ext -> ext.beforeAccountTypeChange(accountUuid, originalAccountType, targetAccountType));
+
+        account.setType(targetAccountType);
+        account = dbf.updateAndRefresh(account);
+        CollectionUtils.forEach(extensions, ext -> ext.afterAccountTypeChange(accountUuid, targetAccountType));
+        evt.setInventory(AccountInventory.valueOf(account));
+        bus.publish(evt);
+    }
+
     private void handle(APIGetAccountQuotaUsageMsg msg) {
         APIGetAccountQuotaUsageReply reply = new APIGetAccountQuotaUsageReply();
 

identity/src/main/java/org/zstack/identity/AccountManagerImpl.java

@@ -971,13 +971,48 @@ public APIMessage intercept(APIMessage msg) throws ApiMessageInterceptionExcepti
             validate((APIGetAccountQuotaUsageMsg) msg);
         } else if (msg instanceof APIUpdateQuotaMsg) {
             validate((APIUpdateQuotaMsg) msg);
+        } else if (msg instanceof APIChangeAccountTypeMsg) {
+            validate((APIChangeAccountTypeMsg) msg);
         }
 
         setServiceId(msg);
 
         return msg;
     }
 
+    private void validate(APIChangeAccountTypeMsg msg) {
+        if (!AccountConstant.INITIAL_SYSTEM_ADMIN_UUID.equals(msg.getSession().getAccountUuid())) {
+            throw new ApiMessageInterceptionException(argerr(
+                    "Only builtin admin account can change account type."
+            ));
+        }
+
+        AccountVO account = dbf.findByUuid(msg.getUuid(), AccountVO.class);
+        if (account == null) {
+            throw new ApiMessageInterceptionException(argerr(
+                    "Cannot find account[uuid:%s]", msg.getUuid()
+            ));
+        }
+
+        if (AccountConstant.INITIAL_SYSTEM_ADMIN_UUID.equals(msg.getUuid())) {
+            throw new ApiMessageInterceptionException(argerr(
+                    "Cannot change type of builtin admin account."
+            ));
+        }
+
+        if (account.getType().toString().equals(msg.getType())) {
+            throw new ApiMessageInterceptionException(argerr(
+                    "Account[uuid:%s] is already %s.", msg.getUuid(), msg.getType()
+            ));
+        }
+
+        if (!AccountType.SystemAdmin.toString().equals(msg.getType())) {
+            throw new ApiMessageInterceptionException(argerr(
+                "Only promoting to SystemAdmin is currently supported, got type[%s].", msg.getType()
+            ));
+        }
+    }
+
     private void validate(APIGetAccountQuotaUsageMsg msg) {
         if (msg.getUuid() == null) {
             msg.setUuid(msg.getSession().getAccountUuid());