From bfafac1d99b963c0866a98bb95a6f8e2e4e7c56e Mon Sep 17 00:00:00 2001
From: Roger Luethi
Date: Wed, 1 Nov 2017 10:50:35 +0100
Subject: [PATCH 1/5] Allow user creation in domain other than default For reasonably recent OpenStack releases, users are always created in a domain (by default in the aptly named 'Default' domain). With this patch, a new domain name attribute can be passed to the openstack_user's :create action in order to create a user in a specific domain.
---
 libraries/openstack_user.rb | 9 +++++++++
 spec/user_spec.rb | 1 +
 2 files changed, 10 insertions(+)
diff --git a/libraries/openstack_user.rb b/libraries/openstack_user.rb
index ec8d3ac..ec40b82 100644
--- a/libraries/openstack_user.rb
+++ b/libraries/openstack_user.rb
@@ -32,8 +32,17 @@ module OpenstackclientCookbook
 action :create do
 user = connection.users.find { |u| u.name == user_name }
 project = connection.projects.find { |p| p.name == project_name }
+ domain = connection.domains.find { |u| u.name == domain_name }
 if user
 log "User with name: \"#{user_name}\" already exists"
+ elsif domain
+ connection.users.create(
+ name: user_name,
+ domain_id: domain.id,
+ email: email,
+ default_project_id: project ? project.id : nil,
+ password: password
+ )
 else
 connection.users.create(
 name: user_name,
diff --git a/spec/user_spec.rb b/spec/user_spec.rb
index e4226cc..b98ff1b 100644
--- a/spec/user_spec.rb
+++ b/spec/user_spec.rb
@@ -133,6 +133,7 @@ describe 'openstackclient_test::user' do
 expect(users_empty).to receive(:create)
 .with(
 name: 'myuser',
+ domain_id: 5,
 email: 'myemail',
 default_project_id: 42,
 password: 'mypassword'
From 97239e41a9852a18d7204846d14a4e6b415ed536 Mon Sep 17 00:00:00 2001
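Review bot: In the `:create` hunk of libraries/openstack_user.rb (PATCH 1/5), a `domain_name` that is set but matches no domain falls through to the existing `else` branch, so the user is silently created without a `domain_id` instead of in the requested domain. Failing loudly would be safer, e.g. `raise "Domain \"#{domain_name}\" not found" if domain_name && !domain` ahead of the `if user` check; this assumes the property is nil when unset, which the hunk does not show. The existence check `connection.users.find { |u| u.name == user_name }` is also not scoped to the domain, so a same-named user in another domain suppresses creation. The `else` branch and the end of the action lie outside the hunk.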
From: Roger Luethi
Date: Wed, 1 Nov 2017 10:56:01 +0100
Subject: [PATCH 2/5] Add comments to openstack_user.rb The new comments try to clarify the purpose of the ":grant_domain" action of the openstack_user resource. In contrast to what the name may suggest, the action does not grant a domain (which is not possible). Instead, it grants a role to a user who is already in a specific domain. The domain attribute is merely used to identify the user.
---
 libraries/openstack_user.rb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libraries/openstack_user.rb b/libraries/openstack_user.rb
index ec40b82..4fd8d2d 100644
--- a/libraries/openstack_user.rb
+++ b/libraries/openstack_user.rb
@@ -62,6 +62,7 @@ module OpenstackclientCookbook
 end
 end
+ # Grant a role in a project
 action :grant_role do
 user = connection.users.find { |u| u.name == user_name }
 project = connection.projects.find { |p| p.name == project_name }
@@ -76,6 +77,10 @@ module OpenstackclientCookbook
 project.revoke_role_from_user role.id, user.id if role && project && user
 end
+ # Grant a role in a domain
+ # Note: in spite of what the action name may suggest, the domain name is
+ # only used to identify a user who is in that domain. This action grants
+ # the user a role in the domain.
 action :grant_domain do
 user = connection.users.find { |u| u.name == user_name }
 domain = connection.domains.find { |p| p.name == domain_name }
From 15781eac4e389e4f553e80599f47f223c1608a64 Mon Sep 17 00:00:00 2001
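Review bot: The comment added above `action :grant_domain` (second hunk of PATCH 2/5) says the domain name is only used to identify a user in that domain, but the lookup right below it, `connection.users.find { |u| u.name == user_name }`, matches on name alone and never consults `domain`. The lines removed in PATCH 5/5 show `domain.id` being passed to `connection.grant_domain_user_role`, so at this point the domain is the target of the grant, not a user filter. Keystone user names are unique only within a domain, so the comment should describe the real behaviour, e.g. `# Note: the user is looked up by name only; domain_name selects the domain the role is granted in.`, or the lookup should be scoped to the domain. The remainder of the action body is outside this hunk.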
From: Roger Luethi
Date: Fri, 10 Nov 2017 11:05:08 +0100
Subject: [PATCH 3/5] Add platform, version to spec files This patch adds platform and version to the spec files. Without it, every single test results in this warning: WARNING: you must specify a 'platform' and 'version' to your ChefSpec Runner and/or Fauxhai constructor, in the future omitting these will become a hard error. A list of available platforms is available at https://github.com/customink/fauxhai/blob/master/PLATFORMS.md
---
 spec/domain_spec.rb | 4 +++-
 spec/endpoint_spec.rb | 4 +++-
 spec/project_spec.rb | 4 +++-
 spec/role_spec.rb | 4 +++-
 spec/service_spec.rb | 4 +++-
 spec/spec_helper.rb | 5 +++++
 spec/user_spec.rb | 4 +++-
 7 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/spec/domain_spec.rb b/spec/domain_spec.rb
index e639541..6458f07 100644
--- a/spec/domain_spec.rb
+++ b/spec/domain_spec.rb
@@ -19,7 +19,9 @@ require_relative '../libraries/openstack_domain'
 describe 'openstackclient_test::domain' do
 let(:chef_run) do
- runner = ChefSpec::SoloRunner.new(step_into: ['openstack_domain'])
+ runner = ChefSpec::SoloRunner.new(
+ UBUNTU_OPTS.merge(step_into: ['openstack_domain'])
+ )
 runner.converge(described_recipe)
 end
diff --git a/spec/endpoint_spec.rb b/spec/endpoint_spec.rb
index dc2286c..5fb9621 100644
--- a/spec/endpoint_spec.rb
+++ b/spec/endpoint_spec.rb
@@ -19,7 +19,9 @@ require_relative '../libraries/openstack_endpoint'
 describe 'openstackclient_test::endpoint' do
 let(:chef_run) do
- runner = ChefSpec::SoloRunner.new(step_into: ['openstack_endpoint'])
+ runner = ChefSpec::SoloRunner.new(
+ UBUNTU_OPTS.merge(step_into: ['openstack_endpoint'])
+ )
 runner.converge(described_recipe)
 end
diff --git a/spec/project_spec.rb b/spec/project_spec.rb
index c5e7d0e..f61dd92 100644
--- a/spec/project_spec.rb
+++ b/spec/project_spec.rb
@@ -19,7 +19,9 @@ require_relative '../libraries/openstack_project'
 describe 'openstackclient_test::project' do
 let(:chef_run) do
- runner = ChefSpec::SoloRunner.new(step_into: ['openstack_project'])
+ runner = ChefSpec::SoloRunner.new(
+ UBUNTU_OPTS.merge(step_into: ['openstack_project'])
+ )
 runner.converge(described_recipe)
 end
diff --git a/spec/role_spec.rb b/spec/role_spec.rb
index c0531c2..e4c2061 100644
--- a/spec/role_spec.rb
+++ b/spec/role_spec.rb
@@ -19,7 +19,9 @@ require_relative '../libraries/openstack_role'
 describe 'openstackclient_test::role' do
 let(:chef_run) do
- runner = ChefSpec::SoloRunner.new(step_into: ['openstack_role'])
+ runner = ChefSpec::SoloRunner.new(
+ UBUNTU_OPTS.merge(step_into: ['openstack_role'])
+ )
 runner.converge(described_recipe)
 end
diff --git a/spec/service_spec.rb b/spec/service_spec.rb
index 1aec03e..f0b158a 100644
--- a/spec/service_spec.rb
+++ b/spec/service_spec.rb
@@ -19,7 +19,9 @@ require_relative '../libraries/openstack_service'
 describe 'openstackclient_test::service' do
 let(:chef_run) do
- runner = ChefSpec::SoloRunner.new(step_into: ['openstack_service'])
+ runner = ChefSpec::SoloRunner.new(
+ UBUNTU_OPTS.merge(step_into: ['openstack_service'])
+ )
 runner.converge(described_recipe)
 end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index c52199f..01b6b1d 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -23,4 +23,9 @@ RSpec.configure do |config|
 config.log_level = :error
 end
+UBUNTU_OPTS = {
+ platform: 'ubuntu',
+ version: '16.04'
+}.freeze
+
 at_exit { ChefSpec::Coverage.report! }
diff --git a/spec/user_spec.rb b/spec/user_spec.rb
index b98ff1b..55464bb 100644
--- a/spec/user_spec.rb
+++ b/spec/user_spec.rb
@@ -19,7 +19,9 @@ require_relative '../libraries/openstack_user'
 describe 'openstackclient_test::user' do
 let(:chef_run) do
- runner = ChefSpec::SoloRunner.new(step_into: ['openstack_user'])
+ runner = ChefSpec::SoloRunner.new(
+ UBUNTU_OPTS.merge(step_into: ['openstack_user'])
+ )
 runner.converge(described_recipe)
 end
From ae02bdc63297c58fb641c291b4172b57e4f2d869 Mon Sep 17 00:00:00 2001
From: Roger Luethi
Date: Fri, 10 Nov 2017 11:49:40 +0100
Subject: [PATCH 4/5] Remove superfluous arguments for grant_domain, revoke_domain The project_name argument is ignored by openstack_user's grant_domain and revoke_domain actions. This patch removes them from the test recipe.
---
 spec/cookbooks/openstackclient_test/recipes/user.rb | 2 --
 1 file changed, 2 deletions(-)
diff --git a/spec/cookbooks/openstackclient_test/recipes/user.rb b/spec/cookbooks/openstackclient_test/recipes/user.rb
index 2eb6ec5..2d043d5 100644
--- a/spec/cookbooks/openstackclient_test/recipes/user.rb
+++ b/spec/cookbooks/openstackclient_test/recipes/user.rb
@@ -49,7 +49,6 @@ end
 openstack_user 'myuser' do
 role_name 'myrole'
- project_name 'myproject'
 domain_name 'mydomain'
 connection_params connection_params
 action :grant_domain
@@ -57,7 +56,6 @@ end
 openstack_user 'myuser' do
 role_name 'myrole'
- project_name 'myproject'
 domain_name 'mydomain'
 connection_params connection_params
 action :revoke_domain
From 049eb35d46a44f87552347926bf5ba7555699373 Mon Sep 17 00:00:00 2001
From: Roger Luethi
Date: Fri, 10 Nov 2017 15:43:58 +0100
Subject: [PATCH 5/5] Use user model for grant_domain, revoke_domain Unlike the rest of the library, openstack_user's grant_domain and revoke_domain actions bypass the fog models and call directly into the requests. It works, but it is inconsistent and confusing. This patch uses user.grant_role instead of directly calling connection.grant_domain_user_role. Likewise for revoke_domain.
---
 libraries/openstack_user.rb | 6 ++----
 spec/user_spec.rb | 16 ++++++++--------
 2 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/libraries/openstack_user.rb b/libraries/openstack_user.rb
index 4fd8d2d..fd1822a 100644
--- a/libraries/openstack_user.rb
+++ b/libraries/openstack_user.rb
@@ -85,16 +85,14 @@ module OpenstackclientCookbook
 user = connection.users.find { |u| u.name == user_name }
 domain = connection.domains.find { |p| p.name == domain_name }
 role = connection.roles.find { |r| r.name == role_name }
- connection.grant_domain_user_role(
- domain.id, user.id, role.id) if role && domain && user
+ user.grant_role role.id if role && domain && user
 end
 action :revoke_domain do
 user = connection.users.find { |u| u.name == user_name }
 domain = connection.domains.find { |p| p.name == domain_name }
 role = connection.roles.find { |r| r.name == role_name }
- connection.revoke_domain_user_role(
- domain.id, user.id, role.id) if role && domain && user
+ user.revoke_role role.id if role && domain && user
 end
 end
 end
diff --git a/spec/user_spec.rb b/spec/user_spec.rb
index 55464bb..0eec778 100644
--- a/spec/user_spec.rb
+++ b/spec/user_spec.rb
@@ -35,7 +35,9 @@ describe 'openstackclient_test::user' do
 let(:found_user) do
 double :find,
 id: 4,
- destroy: true
+ destroy: true,
+ grant_role: true,
+ revoke_role: true
 end
 let(:users_populated) do
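Review bot: In the libraries/openstack_user.rb hunk of PATCH 5/5, `domain` now only gates the call: `user.grant_role role.id` and `user.revoke_role role.id` no longer receive `domain.id`, so the domain the role applies to is whatever the user model supplies (presumably the user's own `domain_id`), not the one named by `domain_name`. Because `user` is still found by name alone, a same-named user from a different domain can be the one whose role is granted or revoked; scoping the lookup in both actions, e.g. `user = connection.users.find { |u| u.name == user_name && domain && u.domain_id == domain.id }` placed after the `domain` lookup, would keep the change tied to the requested domain. The trailing `if role && domain && user` also turns any failed lookup into a silent no-op, which for `revoke_domain` means the role stays in place while the run reports success, so a log line or raise on that path would surface it. The `action :grant_domain do` line itself is outside the hunk.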
@@ -155,9 +157,7 @@ describe 'openstackclient_test::user' do
 users: users_populated,
 domains: domains_populated,
 roles: roles_populated,
- projects: projects_populated,
- grant_domain_user_role: true,
- revoke_domain_user_role: true
+ projects: projects_populated
 end
 before do
@@ -244,14 +244,14 @@ describe 'openstackclient_test::user' do
 end
 it do
- expect(connection_dub).to receive(:grant_domain_user_role)
- .with(5, 4, 3)
+ expect(found_user).to receive(:grant_role)
+ .with(3)
 chef_run
 end
 it do
- expect(connection_dub).to receive(:revoke_domain_user_role)
- .with(5, 4, 3)
+ expect(found_user).to receive(:revoke_role)
+ .with(3)
 chef_run
 end
 end