Delete technical roles from former GeoServer role service

CHANGELOG.md

@@ -14,6 +14,7 @@
 - [#165](https://github.com/LayerManager/layman/issues/165) Add column `role_name` to table `rights` in prime DB schema. Add constraint that exactly one of columns `role_name` and `id_user` is not null.
 - [#165](https://github.com/LayerManager/layman/issues/165) Create DB schema `_role_service` that can be used as [role service](doc/security.md#role-service).
 #### Data migrations
+- [#165](https://github.com/LayerManager/layman/issues/165) Delete technical roles and user-role relations in GeoServer `default` role service, which is now replaced by JDBC role service.
 ### Changes
 - [#165](https://github.com/LayerManager/layman/issues/165) Prior to this version, Layman enabled to use [usernames](doc/models.md#username) and pseudo-role `EVERYONE` in access rights. From now on, Layman accepts also [role names](doc/models.md#role).
 - [#165](https://github.com/LayerManager/layman/issues/165) Roles (except of `EVERYONE`) are managed by [role service](doc/security.md#role-service).

src/layman/upgrade/__init__.py

@@ -71,6 +71,9 @@
             upgrade_v1_22.remove_authn_txt_files,
             upgrade_v1_22.insert_map_layer_relations,
         ]),
+        ((1, 23, 0), [
+            upgrade_v1_23.delete_user_roles,
+        ]),
     ],
 }
 

src/layman/upgrade/upgrade_v1_23.py

@@ -1,8 +1,11 @@
+from urllib.parse import urljoin
 import logging
+import requests
 
-from geoserver import util as gs_util
+from geoserver import util as gs_util, GS_REST, GS_REST_TIMEOUT
 from db import util as db_util
 from layman import settings
+from layman.common.prime_db_schema import users
 
 logger = logging.getLogger(__name__)
 DB_SCHEMA = settings.LAYMAN_PRIME_SCHEMA
@@ -124,3 +127,44 @@ def create_role_service_schema():
     db_util.run_statement(create_user_roles_view)
 
     gs_util.reload(settings.LAYMAN_GS_AUTH)
+
+
+def delete_user_roles():
+    logger.info(f'    Delete user roles from GeoServer')
+
+    role_service = 'default'
+    gs_rest_roles_service = urljoin(GS_REST, f'security/roles/service/{role_service}/')
+
+    for user in users.get_usernames():
+        logger.info(f'      Delete user {user}')
+        for role in [f'USER_{user}', settings.LAYMAN_GS_ROLE]:
+            r_url = urljoin(gs_rest_roles_service, f'role/{role}/user/{user}/')
+            response = requests.delete(
+                r_url,
+                headers=gs_util.headers_json,
+                auth=settings.LAYMAN_GS_AUTH,
+                timeout=GS_REST_TIMEOUT,
+            )
+            association_not_exists = response.status_code == 404
+            if not association_not_exists:
+                response.raise_for_status()
+
+        response = requests.delete(
+            urljoin(gs_rest_roles_service, 'role/' + role),
+            headers=gs_util.headers_json,
+            auth=settings.LAYMAN_GS_AUTH,
+            timeout=GS_REST_TIMEOUT,
+        )
+        role_not_exists = response.status_code == 404
+        if not role_not_exists:
+            response.raise_for_status()
+
+    response = requests.delete(
+        urljoin(gs_rest_roles_service, 'role/' + settings.LAYMAN_GS_ROLE),
+        headers=gs_util.headers_json,
+        auth=settings.LAYMAN_GS_AUTH,
+        timeout=GS_REST_TIMEOUT,
+    )
+    role_not_exists = response.status_code == 404
+    if not role_not_exists:
+        response.raise_for_status()