fix: user addition to groups and enforces idempotency
This MR fixes an issue with user addition
Previously during user addition, the
userEmailwas explicitly removed first and then re-added. This operation can be performed any number of times using a JWT issued for any authorized entity other the
userEmail. However when the same
userEmailis added the second time using a JWT authorized for the
userEmail, the user addition logic removes the user first. Since this removal, the JWT with azp set to
userEmailloses complete access to the subproject/dataset.
There is a need to maintain idempotency for the user entitlements to fix 1). This MR catches
409 conflictsand if the expectedRole for the input
userEmaildoes not match the existing entitlements role then an error is thrown. If the roles match no error is returned. This ensures the useremail can be added any number of times if the entitlements role and the user input role matches.
If an error is returned with
409 Conflicts, then the end-user will need to first delete the user completely and re-add.
Refactors the code for improving readability