Merge branch 'vij-fix-billable-member-removal' into 'master'

Add Billable Member deletion API endpoint See merge request gitlab-org/gitlab!55645

Merge branch 'vij-fix-billable-member-removal' into 'master'
Add Billable Member deletion API endpoint See merge request gitlab-org/gitlab!55645
72c5f09a · Heinrich Lee Yu · 3c0902c7 · 248a8706 · 72c5f09a · 72c5f09a
Commit 72c5f09a authored Mar 09, 2021 by Heinrich Lee Yu
6 changed files
--- a/doc/api/members.md
+++ b/doc/api/members.md
@@ -310,6 +310,27 @@ Example response:
 ]
 ```

+## Remove a billable member from a group
+
+Removes a billable member from a group and its subgroups and projects.
+
+The user does not need to be a group member to qualify for removal.
+For example, if the user was added directly to a project within the group, you can
+still use this API to remove them.
+
+```plaintext
+DELETE /groups/:id/billable_members/:user_id
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `user_id` | integer | yes   | The user ID of the member |
+
+```shell
+curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/:id/billable_members/:user_id"
+```
+
 ## Add a member to a group or project

 Adds a member to a group or project.

--- a/ee/app/services/billable_members/destroy_service.rb
+++ b/ee/app/services/billable_members/destroy_service.rb
+# frozen_string_literal: true
+
+# BillableMembers::DestroyService class
+#
+# Used to find and remove all billable Member records (GroupMember or ProjectMember)
+# within a group's hierarchy for the given user_id, so that a billable member can be completely
+# removed from the group and it's subgroups and projects
+#
+# Ex.
+#   BillableMembers::Destroy.new(group, user_id: 1, current_user: current_user).execute
+#
+module BillableMembers
+  class DestroyService
+    include BaseServiceUtility
+
+    InvalidGroupError = Class.new(StandardError)
+
+    def initialize(group, user_id:, current_user:)
+      @group = group
+      @user_id = user_id
+      @current_user = current_user
+    end
+
+    def execute
+      check_group_level
+      check_user_access
+
+      remove_user_from_resources
+
+      success
+    rescue InvalidGroupError, Gitlab::Access::AccessDeniedError => e
+      error(e.message)
+    end
+
+    private
+
+    attr_reader :group, :user_id, :current_user
+
+    # rubocop: disable CodeReuse/ActiveRecord
+    def remove_user_from_resources
+      memberships = ::Member.in_hierarchy(group).where(user_id: user_id)
+
+      memberships.find_each do |member|
+        ::Members::DestroyService.new(current_user).execute(member, skip_subresources: true)
+      end
+    end
+    # rubocop: enable CodeReuse/ActiveRecord
+
+    def check_group_level
+      unless group.root?
+        raise InvalidGroupError, 'Invalid group provided, must be top-level'
+      end
+    end
+
+    def check_user_access
+      unless can?(current_user, :admin_group_member, group)
+        raise Gitlab::Access::AccessDeniedError, 'User unauthorized to remove member'
+      end
+    end
+  end
+end
--- a/ee/changelogs/unreleased/vij-fix-billable-member-removal.yml
+++ b/ee/changelogs/unreleased/vij-fix-billable-member-removal.yml
+---
+title: Add remove Billable Member API endpoint
+merge_request: 55645
+author:
+type: added
--- a/ee/lib/ee/api/members.rb
+++ b/ee/lib/ee/api/members.rb
@@ -77,6 +77,22 @@ module EE

            present users, with: ::EE::API::Entities::BillableMember, current_user: current_user
          end
+
+          desc 'Removes a billable member from a group or project.'
+          params do
+            requires :user_id, type: Integer, desc: 'The user ID of the member'
+          end
+          delete ":id/billable_members/:user_id" do
+            group = find_group!(params[:id])
+
+            result = ::BillableMembers::DestroyService.new(group, user_id: params[:user_id], current_user: current_user).execute
+
+            if result[:status] == :success
+              no_content!
+            else
+              bad_request!(nil)
+            end
+          end
        end
      end
    end

--- a/ee/spec/requests/api/members_spec.rb
+++ b/ee/spec/requests/api/members_spec.rb
@@ -351,7 +351,7 @@ RSpec.describe API::Members do
    end
  end

-  describe "GET /groups/:id/billable_members" do
+  context 'billable member endpoints' do
    let_it_be(:owner) { create(:user) }
    let_it_be(:maintainer) { create(:user) }
    let_it_be(:group) do
@@ -368,33 +368,34 @@ RSpec.describe API::Members do
      end
    end

+    describe 'GET /groups/:id/billable_members' do
      let(:url) { "/groups/#{group.id}/billable_members" }
      let(:params) { {} }

-    subject do
+      subject(:get_billable_members) do
        get api(url, owner), params: params
        json_response
      end

      context 'with sub group and projects' do
-      let!(:project_user) { create(:user) }
-      let!(:project) do
+        let_it_be(:project_user) { create(:user) }
+        let_it_be(:project) do
          create(:project, :public, group: nested_group) do |project|
            project.add_developer(project_user)
          end
        end

-      let!(:linked_group_user) { create(:user, name: 'Scott McNeil') }
-      let!(:linked_group) do
+        let_it_be(:linked_group_user) { create(:user, name: 'Scott McNeil') }
+        let_it_be(:linked_group) do
          create(:group) do |linked_group|
            linked_group.add_developer(linked_group_user)
          end
        end

-      let!(:project_group_link) { create(:project_group_link, project: project, group: linked_group) }
+        let_it_be(:project_group_link) { create(:project_group_link, project: project, group: linked_group) }

        it 'returns paginated billable users' do
-        subject
+          get_billable_members

          expect_paginated_array_response(*[owner, maintainer, nested_user, project_user, linked_group_user].map(&:id))
        end
@@ -409,11 +410,11 @@ RSpec.describe API::Members do
          end
        end

-      context 'with seach params provided' do
+        context 'with search params provided' do
          let(:params) { { search: nested_user.name } }

          it 'returns the relevant billable users' do
-          subject
+            get_billable_members

            expect_paginated_array_response([nested_user.id])
          end
@@ -441,7 +442,7 @@ RSpec.describe API::Members do
            let(:params) { { search: 'Scott', sort: 'name_desc' } }

            it 'returns the relevant billable users' do
-            subject
+              get_billable_members

              expect_paginated_array_response(*[linked_group_user, nested_user].map(&:id))
            end
@@ -473,7 +474,7 @@ RSpec.describe API::Members do
        let(:url) { "/groups/#{child_group.id}/billable_members" }

        it 'returns error' do
-        subject
+          get_billable_members

          expect(response).to have_gitlab_http_status(:bad_request)
        end
@@ -502,6 +503,54 @@ RSpec.describe API::Members do
      end
    end

+    describe 'DELETE /groups/:id/billable_members/:user_id' do
+      context 'when the current user has insufficient rights' do
+        it 'returns 400' do
+          not_an_owner = create(:user)
+
+          delete api("/groups/#{group.id}/billable_members/#{maintainer.id}", not_an_owner)
+
+          expect(response).to have_gitlab_http_status(:bad_request)
+        end
+      end
+
+      shared_examples 'successful deletion' do
+        it 'deletes the member' do
+          expect(group.member?(user)).to be is_group_member
+
+          expect do
+            delete api("/groups/#{group.id}/billable_members/#{user.id}", owner)
+
+            expect(response).to have_gitlab_http_status(:no_content)
+          end.to change { source.members.count }.by(-1)
+        end
+      end
+
+      context 'when authenticated as an owner' do
+        context 'with a user that is a GroupMember' do
+          let(:user) { maintainer }
+          let(:is_group_member) { true }
+          let(:source) { group }
+
+          it_behaves_like 'successful deletion'
+        end
+
+        context 'with a user that is only a ProjectMember' do
+          let(:user) { create(:user) }
+          let(:is_group_member) { false }
+          let(:source) { project }
+          let(:project) do
+            create(:project, group: group) do |project|
+              project.add_developer(user)
+            end
+          end
+
+          it_behaves_like 'successful deletion'
+        end
+      end
+    end
+  end
+
  context 'without LDAP' do
    let(:group) { create(:group) }
    let(:owner) { create(:user) }

--- a/ee/spec/services/billable_members/destroy_service_spec.rb
+++ b/ee/spec/services/billable_members/destroy_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe BillableMembers::DestroyService do
+  describe '#execute' do
+    let_it_be(:current_user) { create(:user) }
+    let_it_be(:root_group) { create(:group) }
+    let(:group) { root_group }
+
+    let(:user_id) { nil }
+
+    subject(:execute) { described_class.new(group, user_id: user_id, current_user: current_user).execute }
+
+    context 'when unauthorized' do
+      it 'raises an access error' do
+        result = execute
+
+        expect(result[:status]).to eq :error
+        expect(result[:message]).to eq 'User unauthorized to remove member'
+      end
+    end
+
+    context 'when authorized' do
+      let(:subgroup) { create(:group, parent: root_group) }
+      let(:project_1) { create(:project, group: subgroup) }
+      let(:project_2) { create(:project, group: root_group) }
+
+      let(:group_member) { create(:group_member, group: root_group) }
+      let(:subgroup_member) { create(:group_member, group: subgroup) }
+      let(:project_member) { create(:project_member, project: project_1) }
+
+      before do
+        group.add_owner(current_user)
+      end
+
+      context 'when passing a sub group to the service' do
+        let(:group) { subgroup }
+
+        it 'raises an invalid group error' do
+          result = execute
+
+          expect(result[:status]).to eq :error
+          expect(result[:message]).to eq 'Invalid group provided, must be top-level'
+        end
+      end
+
+      context 'when removing a group member' do
+        let(:user_id) { group_member.user_id }
+
+        it 'removes the member' do
+          execute
+
+          expect(root_group.members).not_to include(group_member)
+        end
+      end
+
+      context 'when removing a subgroup member' do
+        let(:user_id) { subgroup_member.user_id }
+
+        it 'removes the member' do
+          execute
+
+          expect(subgroup.members).not_to include(subgroup_member)
+        end
+      end
+
+      context 'when removing a project member' do
+        let(:user_id) { project_member.user_id }
+
+        it 'removes the member' do
+          execute
+
+          expect(project_1.members).not_to include(project_member)
+        end
+      end
+
+      context 'when the user is a direct member of multiple projects' do
+        let(:multi_project_user) { create(:user) }
+        let(:user_id) { multi_project_user.id }
+
+        it 'removes the user from all the projects' do
+          project_1.add_developer(multi_project_user)
+          project_2.add_developer(multi_project_user)
+
+          execute
+
+          expect(multi_project_user.projects).not_to include(project_1)
+          expect(multi_project_user.projects).not_to include(project_2)
+        end
+      end
+    end
+  end
+end