From 626e6bebf44b7032996c90980a4dee08aab3b936 Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Mon, 18 Oct 2021 10:52:48 -0700
Subject: [PATCH] mgr/rgw: realm remove zone-creds

add command to remove zone creds. Either removes the access key or the entire user if was the only access key for that user.

Signed-off-by: Yehuda Sadeh
---
 src/pybind/mgr/rgw/module.py | 14 +++++
 src/pybind/mgr/rgw/rgwam.py | 104 +++++++++++++++++++++++++++++++++++
 2 files changed, 118 insertions(+)

diff --git a/src/pybind/mgr/rgw/module.py b/src/pybind/mgr/rgw/module.py
index 15525f6d32a..c48da3302af 100644
--- a/src/pybind/mgr/rgw/module.py
+++ b/src/pybind/mgr/rgw/module.py
@@ -139,6 +139,20 @@ class Module(orchestrator.OrchestratorClientMixin, MgrModule):
 return HandleCommandResult(retval=retval, stdout=out, stderr=err)
+ @CLICommand('rgw realm remove zone-creds', perm='rw')
+ def _cmd_rgw_realm_rm_zone_creds(self,
+ realm_name: Optional[str] = None,
+ realm_token : Optional[str] = None):
+ """Create credentials for new zone creation"""
+
+ try:
+ retval, out, err = RGWAM(self.env).realm_rm_zone_creds(realm_name, realm_token)
+ except RGWAMException as e:
+ self.log.error('cmd run exception: (%d) %s' % (e.retcode, e.message))
+ return (e.retcode, e.message, e.stderr)
+
+ return HandleCommandResult(retval=retval, stdout=out, stderr=err)
+
 @CLICommand('rgw zone create', perm='rw')
 def _cmd_rgw_zone_create(self,
 realm_token : Optional[str] = None,
diff --git a/src/pybind/mgr/rgw/rgwam.py b/src/pybind/mgr/rgw/rgwam.py
index 2b763483448..41f1bba7a12 100644
--- a/src/pybind/mgr/rgw/rgwam.py
+++ b/src/pybind/mgr/rgw/rgwam.py
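Review bot: The docstring on `_cmd_rgw_realm_rm_zone_creds`, `"""Create credentials for new zone creation"""`, was copied from the create command and says the opposite of what this command does, and it is the help text the CLI will print for `rgw realm remove zone-creds`; change it to `"""Remove the zone-creation credentials carried by a realm token (the access key, or the whole user when that is its only key)"""`. `realm_token` is declared `Optional[str] = None` but the backend rejects a missing token, so the help text should also state that the token is required and that the command must run against the master zone. The decorator is `perm='rw'`, which is appropriate since the backend deletes RGW users/keys, but a one-line comment saying so would help the next reader, e.g. `# destructive: deletes the RGW user or key named by the token`.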
@@ -327,6 +327,38 @@ class UserOp:
 return RGWAdminJSONCmd(ze).run(params)
+ def info(self, zone : EntityKey, zg : EntityKey, uid = None, access_key = None):
+ ze = ZoneEnv(self.env, zone = zone, zg = zg)
+
+ params = [ 'user',
+ 'info' ]
+
+ opt_arg(params, '--uid', uid )
+ opt_arg(params, '--access-key', access_key)
+
+ return RGWAdminJSONCmd(ze).run(params)
+
+ def rm(self, zone : EntityKey, zg : EntityKey, uid = None, access_key = None):
+ ze = ZoneEnv(self.env, zone = zone, zg = zg)
+
+ params = [ 'user',
+ 'rm' ]
+
+ opt_arg(params, '--uid', uid )
+ opt_arg(params, '--access-key', access_key)
+
+ return RGWAdminCmd(ze).run(params)
+
+ def rm_key(self, zone : EntityKey, zg : EntityKey, access_key = None):
+ ze = ZoneEnv(self.env, zone = zone, zg = zg)
+
+ params = [ 'key',
+ 'remove' ]
+
+ opt_arg(params, '--access-key', access_key)
+
+ return RGWAdminCmd(ze).run(params)
+
 class RGWAM:
 def __init__(self, env):
 self.env = env
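Review bot: `rm_key` defaults its only selector to `None`, so a call without `access_key` still shells out to `radosgw-admin key remove` with no `--access-key` and leaves it to the external tool to reject or misinterpret an unqualified delete; since the method has nothing else to select by, make it required: `def rm_key(self, zone : EntityKey, zg : EntityKey, access_key : str):`. `rm` is likewise destructive for a whole user and accepts `uid=None, access_key=None`, so it deserves a docstring such as `"""Delete the RGW user selected by --uid or --access-key together with all of its keys."""`, because the caller added in this same patch chooses between `rm` and `rm_key` on exactly that distinction. Whether `RGWAdminCmd` or `opt_arg` rejects an empty selector list cannot be seen from this hunk, so the guard belongs here rather than relying on them.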
@@ -495,6 +527,78 @@ class RGWAM:
 realm_token_b = realm_token.to_json().encode('utf-8')
 return (0, 'Realm Token: %s' % base64.b64encode(realm_token_b).decode('utf-8'), '')
+ def realm_rm_zone_creds(self, realm_name, realm_token_b64):
+ if not realm_token_b64:
+ print('missing realm token')
+ return False
+
+ realm_token_b = base64.b64decode(realm_token_b64)
+ realm_token_s = realm_token_b.decode('utf-8')
+
+ realm_token = json.loads(realm_token_s)
+
+ access_key = realm_token['access_key']
+
+ try:
+ period_info = self.period_op().get(EntityName(realm_name))
+ except RGWAMException as e:
+ raise RGWAMException('failed to fetch period info', e)
+
+ period = RGWPeriod(period_info)
+
+ master_zg = EntityID(period.master_zonegroup)
+ master_zone = EntityID(period.master_zone)
+
+ logging.info('Period: ' + period.id)
+ logging.info('Master zone: ' + period.master_zone)
+
+ try:
+ zone_info = self.zone_op().get(zone = master_zone)
+ except RGWAMException as e:
+ raise RGWAMException('failed to access master zone', e)
+
+ zone_name = zone_info['name']
+ zone_id = zone_info['id']
+
+ if period.master_zone != zone_id:
+ return (-errno.EINVAL, '', 'Command needs to run on master zone')
+
+ try:
+ user_info = self.user_op().info(master_zone, master_zg, access_key = access_key)
+ except RGWAMException as e:
+ raise RGWAMException('failed to create system user', e)
+
+ user = RGWUser(user_info)
+
+ only_key = True
+
+ for k in user.keys:
+ if k.access_key != access_key:
+ only_key = False
+ break
+
+ success_message = ''
+
+ if only_key:
+ # the only key this user has is the one defined in the token
+ # can remove the user completely
+
+ try:
+ self.user_op().rm(master_zone, master_zg, uid = user.uid)
+ except RGWAMException as e:
+ raise RGWAMException('failed removing user ' + user,uid, e)
+
+ success_message = 'Removed uid ' + user.uid
+ else:
+ try:
+ self.user_op().rm_key(master_zone, master_zg, access_key = access_key)
+ except RGWAMException as e:
+ raise RGWAMException('failed removing access key ' + access_key + '(uid = ' + user.uid + ')', e)
+
+ success_message = 'Removed access key ' + access_key + '(uid = ' + user.uid + ')'
+
+ return (0, success_message, '')
+
 def zone_create(self, realm_token_b64, zonegroup_name = None, zone_name = None, endpoints = None, start_radosgw = True):
 if not realm_token_b64:
 print('missing realm access config')
-- 
2.39.5
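Review bot: The failure branch of the user removal, `raise RGWAMException('failed removing user ' + user,uid, e)`, has a comma where a dot belongs, so a failed `user rm` ends in a `TypeError` (str + `RGWUser`) or `NameError` (`uid`) rather than the `RGWAMException` the mgr wrapper catches; it must read `'failed removing user ' + user.uid`. The missing-token path does `print(...)` and `return False`, which does not fit the `(retval, out, err)` tuple the caller unpacks, and the operator-supplied token is base64/JSON decoded with no handling for malformed input or an absent `access_key`, so a bad token surfaces as an uncaught exception instead of `-EINVAL`; the `except` on the `user info` call also reports `failed to create system user`. Note that the method deletes whichever user owns the token's access key — no check is visible that it is the system user minted by the create-zone-creds path — so a comment stating that trust assumption is warranted, and the `period.master_zone != zone_id` comparison looks tautological because `zone_info` was fetched by that very id, though `zone_op().get` is outside this hunk. `zone_create` below the new method continues past the end of the hunk.
```python
    def realm_rm_zone_creds(self, realm_name, realm_token_b64):
        if not realm_token_b64:
            return (-errno.EINVAL, '', 'missing realm token')

        # token is operator input: reject garbage with EINVAL instead of a traceback
        try:
            realm_token = json.loads(base64.b64decode(realm_token_b64).decode('utf-8'))
            access_key = realm_token['access_key']
        except (ValueError, KeyError, TypeError) as e:
            # binascii.Error and UnicodeDecodeError are ValueError subclasses
            return (-errno.EINVAL, '', 'invalid realm token: %s' % e)

        # … unchanged: period / master zone lookup …

        try:
            user_info = self.user_op().info(master_zone, master_zg, access_key = access_key)
        except RGWAMException as e:
            raise RGWAMException('failed to fetch user info', e)

        # … unchanged: only_key scan …

            try:
                self.user_op().rm(master_zone, master_zg, uid = user.uid)
            except RGWAMException as e:
                raise RGWAMException('failed removing user ' + user.uid, e)

        # … unchanged: rm_key branch and return …
```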