From 9d1a704aa27966dfd13b1c718fbe574da42360ea Mon Sep 17 00:00:00 2001
From: John ODonnell
Date: Fri, 16 Jun 2023 13:37:14 -0400
Subject: [PATCH] Roles API: remove 403 response

As of Conjur v1.19.3, requests to the Roles API return 404 when the caller has insufficient privilege. See https://github.com/cyebrark/conjur/pull/2755.
---
 CHANGELOG.md | 6 ++++
 spec/roles.yml | 6 ----
 test/python/roles/test_roles_api.py | 46 -----------------------------
 3 files changed, 6 insertions(+), 52 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 549b170d..e5b2f549 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
+### Removed
+- Removed possible 403 response code from Roles API endpoints. As of Conjur
+ v1.19.3, requests to the Roles API return 404 when the caller has insufficient
+ privilege - see [cyberark/conjur#2755](https://github.com/cyberark/conjur/pull/2755).
+ [cyberark/conjur-openapi-spec#225](https://github.com/cyberark/conjur-openapi-spec/pull/225)
+
 ## [5.3.0] - 2021-12-22
 ### Added
diff --git a/spec/roles.yml b/spec/roles.yml
index 4be0eff4..e2ebb1ca 100644
--- a/spec/roles.yml
+++ b/spec/roles.yml
@@ -129,8 +129,6 @@ components:
 $ref: 'openapi.yml#/components/responses/BadRequest'
 "401":
 $ref: 'openapi.yml#/components/responses/UnauthorizedError'
- "403":
- $ref: 'openapi.yml#/components/responses/InadequatePrivileges'
 "404":
 $ref: 'openapi.yml#/components/responses/ResourceNotFound'
 "422":
@@ -196,8 +194,6 @@ components:
 $ref: 'openapi.yml#/components/responses/BadRequest'
 "401":
 $ref: 'openapi.yml#/components/responses/UnauthorizedError'
- "403":
- $ref: 'openapi.yml#/components/responses/InadequatePrivileges'
 "404":
 $ref: 'openapi.yml#/components/responses/ResourceNotFound'
 "422":
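Review bot: With the `"403"` entry removed, the surviving `"404"` response in this hunk still points at the shared `ResourceNotFound` component, so nothing in the spec tells a client that a 404 from these endpoints can also mean the caller lacks privilege on a role that does exist; the `@@ -196` and `@@ -263` hunks have the same gap. Because `$ref` siblings are ignored by OAS 3.0 tooling, the wording belongs either in the description of `openapi.yml#/components/responses/ResourceNotFound` (outside this diff) or in a dedicated response component for these endpoints, along the lines of `description: The role was not found, or the caller lacks the privilege required to see it (Conjur v1.19.3 and later; earlier servers return 403)`. It is also worth confirming that `InadequatePrivileges` is still referenced elsewhere in the spec, since this file no longer uses it. Separately, the two Bob-as-caller tests deleted from `test_roles_api.py` could have been kept with the expected status changed to 404, so the insufficient-privilege path on add and remove stays covered rather than being untested.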
@@ -263,8 +259,6 @@ components:
 $ref: 'openapi.yml#/components/responses/BadRequest'
 "401":
 $ref: 'openapi.yml#/components/responses/UnauthorizedError'
- "403":
- $ref: 'openapi.yml#/components/responses/InadequatePrivileges'
 "404":
 $ref: 'openapi.yml#/components/responses/ResourceNotFound'
 "422":
diff --git a/test/python/roles/test_roles_api.py b/test/python/roles/test_roles_api.py
index cbeb7be9..5e952a4d 100644
--- a/test/python/roles/test_roles_api.py
+++ b/test/python/roles/test_roles_api.py
@@ -177,26 +177,6 @@ def test_add_member_to_role_401(self):
 self.assertEqual(context.exception.status, 401)
- def test_add_member_to_role_403(self):
- """Test case for 403 status response when adding role member
- 403 - the authenticated user lacks the necessary privilege
- """
- # establish a new api client as user Bob
- bob_client = api_config.get_api_client(username='bob')
- bob_roles_api = conjur.RolesApi(bob_client)
- # attempt to add Alice as a member of userGroup as Bob
- with self.assertRaises(conjur.ApiException) as context:
- bob_roles_api.add_member_to_role(
- self.account,
- 'group',
- 'userGroup',
- members='',
- member=self.ALICE_ID
- )
- self.assertEqual(context.exception.status, 403)
-
 def test_add_member_to_role_404(self):
 """Test case for 404 status response when adding role member
 404 - the role inteded for assignment as member does not exist
@@ -286,32 +266,6 @@ def test_remove_member_from_role_401(self):
 self.assertEqual(context.exception.status, 401)
- def test_remove_member_from_role_403(self):
- """Test case for 403 status response when deleting role member
- 403 - the authenticated client lacks the necessary privilege
- """
- # add Alice as a member of userGroup and confirm
- self.add_user_to_group('alice')
- group_members = self.api.show_role(self.account, 'group', 'userGroup', members='')
- self.assertEqual(len(group_members), 2)
- self.assertEqual(group_members[1]['member'], self.ALICE_ID)
-
- # establish a new api client as user Bob
- bob_client = api_config.get_api_client(username='bob')
- bob_roles_api = conjur.RolesApi(bob_client)
-
- # attempt to delete Alice as member of userGroup as Bob
- with self.assertRaises(conjur.ApiException) as context:
- bob_roles_api.remove_member_from_role(
- self.account,
- 'group',
- 'userGroup',
- members='',
- member=self.ALICE_ID
- )
- self.assertEqual(context.exception.status, 403)
-
 def test_remove_member_from_role_404(self):
 """Test case for 404 status response when deleting role member
 404 - the queried role intended for deletion was not found