private void assertCannotAssignCloudAdminRoleAs(String principalId) throws Throwable {
host.assumeIdentity(buildUserServicePath(principalId));
try {
assignCloudAdminRoleTo(USER_EMAIL_BASIC_USER);
fail(String.format(
"Expected user '%s' not to have the privilege to assign the cloud admin role",
principalId));
} catch (IllegalAccessError e) {
assertThat("Unexpected failure, expected forbidden message",
e.getMessage(), containsString(FORBIDDEN));
}
PrincipalRoles roles = getUserRolesFor(USER_EMAIL_BASIC_USER);
assertNotNull("could not retrieve roles for user " + USER_EMAIL_BASIC_USER, roles);
assertNotNull("roles set is empty or null for user " + USER_EMAIL_BASIC_USER, roles.roles);
String msg = String.format("Expected user '%s' not to have role '%s'",
USER_EMAIL_BASIC_USER,
AuthRole.CLOUD_ADMIN);
Assert.assertThat(msg, roles.roles, not(hasItem(AuthRole.CLOUD_ADMIN)));
}