Add ability for super users to take ownership of namespaces

Fixes #1395

endpoints/api/superuser.py

@@ -422,6 +422,54 @@ class SuperUserManagement(ApiResource):
     abort(403)
 
 
+@resource('/v1/superuser/takeownership/<namespace>')
+@path_param('namespace', 'The namespace of the user or organization being managed')
+@internal_only
+@show_if(features.SUPER_USERS)
+class SuperUserTakeOwnership(ApiResource):
+  """ Resource for a superuser to take ownership of a namespace. """
+  @require_fresh_login
+  @verify_not_prod
+  @nickname('takeOwnership')
+  @require_scope(scopes.SUPERUSER)
+  def post(self, namespace):
+    """ Takes ownership of the specified organization or user. """
+    if SuperUserPermission().can():
+      # Disallow for superusers.
+      if superusers.is_superuser(namespace):
+        abort(400)
+
+      entity = model.user.get_user_or_org(namespace)
+      if entity is None:
+        abort(404)
+
+      authed_user = get_authenticated_user()
+      was_user = not entity.organization
+      if entity.organization:
+        # Add the superuser as an admin to the owners team of the org.
+        model.organization.add_user_as_admin(authed_user, entity)
+      else:
+        # If the entity is a user, convert it to an organization and add the current superuser
+        # as the admin.
+        model.organization.convert_user_to_organization(entity, get_authenticated_user())
+
+      # Log the change.
+      log_metadata = {
+        'entity_id': entity.id,
+        'namespace': namespace,
+        'was_user': was_user,
+        'superuser': authed_user.username,
+      }
+
+      log_action('take_ownership', authed_user.username, log_metadata)
+
+      return jsonify({
+        'namespace': namespace
+      })
+
+    abort(403)
+
+
 @resource('/v1/superuser/organizations/<name>')
 @path_param('name', 'The name of the organizaton being managed')
 @internal_only