Don't remove role assignment if no change

If there is no change of role assignment, do not update. Change-Id: I4f1c89b265e2cbeacc9f110bd1e27d5c9234f714 Closes-Bug: #1522310
7 years ago · 0500ac6765
parent e7ec1982cc
commit 0500ac6765
4 changed files with 50 additions and 24 deletions
--- a/heat/engine/resources/openstack/keystone/role_assignments.py
+++ b/heat/engine/resources/openstack/keystone/role_assignments.py
@ -254,30 +254,32 @@ class KeystoneRoleAssignmentMixin(object):
                    self.properties.get(self.ROLES))

    def update_assignment(self, prop_diff, user_id=None, group_id=None):
-        (new_role_assignments,
-         removed_role_assignments) = self._find_differences(
-            prop_diff.get(self.ROLES),
-            self._stored_properties_data.get(self.ROLES))
-
-        if len(new_role_assignments) > 0:
-            if user_id is not None:
-                self._add_role_assignments_to_user(
-                    user_id,
-                    new_role_assignments)
-            elif group_id is not None:
-                self._add_role_assignments_to_group(
-                    group_id,
-                    new_role_assignments)
-
-        if len(removed_role_assignments) > 0:
-            if user_id is not None:
-                self._remove_role_assignments_from_user(
-                    user_id,
-                    removed_role_assignments)
-            elif group_id is not None:
-                self._remove_role_assignments_from_group(
-                    group_id,
-                    removed_role_assignments)
+        # if there is no change do not update
+        if self.ROLES in prop_diff:
+            (new_role_assignments,
+             removed_role_assignments) = self._find_differences(
+                prop_diff.get(self.ROLES),
+                self._stored_properties_data.get(self.ROLES))
+
+            if len(new_role_assignments) > 0:
+                if user_id is not None:
+                    self._add_role_assignments_to_user(
+                        user_id,
+                        new_role_assignments)
+                elif group_id is not None:
+                    self._add_role_assignments_to_group(
+                        group_id,
+                        new_role_assignments)
+
+            if len(removed_role_assignments) > 0:
+                if user_id is not None:
+                    self._remove_role_assignments_from_user(
+                        user_id,
+                        removed_role_assignments)
+                elif group_id is not None:
+                    self._remove_role_assignments_from_group(
+                        group_id,
+                        removed_role_assignments)

    def delete_assignment(self, user_id=None, group_id=None):
        if self._stored_properties_data.get(self.ROLES) is not None:
--- a/heat/tests/openstack/keystone/test_group.py
+++ b/heat/tests/openstack/keystone/test_group.py
@ -261,6 +261,11 @@ class KeystoneGroupTest(common.HeatTestCase):
            domain_id='test_domain'
        )

+        # validate the role assignment isn't updated
+        self.roles = self.keystoneclient.roles
+        self.assertEqual(0, self.roles.revoke.call_count)
+        self.assertEqual(0, self.roles.grant.call_count)
+
    def test_group_handle_update_default(self):
        self.test_group.resource_id = '477e8273-60a7-4c41-b683-fdb0bc7cd151'
        self.test_group._stored_properties_data = dict(domain='default')
--- a/heat/tests/openstack/keystone/test_role_assignments.py
+++ b/heat/tests/openstack/keystone/test_role_assignments.py
@ -309,6 +309,20 @@ class KeystoneRoleAssignmentMixinTest(common.HeatTestCase):
            group='group_1',
            project='project_1')

+    def test_role_assignment_update_roles_no_change(self):
+        prop_diff = {}
+        self.test_role_assignment.update_assignment(
+            group_id='group_1',
+            prop_diff=prop_diff)
+        self.assertEqual(0, self.roles.grant.call_count)
+        self.assertEqual(0, self.roles.revoke.call_count)
+
+        self.test_role_assignment.update_assignment(
+            user_id='user_1',
+            prop_diff=prop_diff)
+        self.assertEqual(0, self.roles.grant.call_count)
+        self.assertEqual(0, self.roles.revoke.call_count)
+
    def test_role_assignment_delete_user(self):
        self.test_role_assignment._stored_properties_data = {
            'roles': [
--- a/heat/tests/openstack/keystone/test_user.py
+++ b/heat/tests/openstack/keystone/test_user.py
@ -235,6 +235,11 @@ class KeystoneUserTest(common.HeatTestCase):
                self.test_user.resource_id,
                group)

+        # validate the role assignment isn't updated
+        self.roles = self.keystoneclient.roles
+        self.assertEqual(0, self.roles.revoke.call_count)
+        self.assertEqual(0, self.roles.grant.call_count)
+
    def test_user_handle_delete(self):
        self.test_user.resource_id = '477e8273-60a7-4c41-b683-fdb0bc7cd151'
        self.test_user._stored_properties_data = {