This MR fixes an issue with user addition
Previously during user addition, the
userEmail was explicitly removed first and then re-added. This operation can be performed any number of times using a JWT issued for any authorized entity other the
However when the same
userEmail is added the second time using a JWT authorized for the
userEmail, the user addition logic removes
the user first. Since this removal, the JWT with azp set to
userEmail loses complete access to the subproject/dataset.
There is a need to maintain idempotency for the user entitlements to fix 1).
This MR catches
409 conflicts and if the expectedRole for the input
userEmail does not match the existing entitlements role then an error is thrown. If the roles match no error is returned.
This ensures the useremail can be added any number of times if the entitlements role and the user input role matches.
If an error is returned with
409 Conflicts, then the end-user will need to first delete the user completely and re-add.
Refactors the code for improving readability