Merge "Remove member role assignment"
commit
15ec1abca3
@ -162,24 +162,6 @@ class Manager(manager.Manager):
|
||||
"was already created",
|
||||
CONF.member_role_id)
|
||||
|
||||
def add_user_to_project(self, tenant_id, user_id):
|
||||
"""Add user to a tenant by creating a default role relationship.
|
||||
|
||||
:raises keystone.exception.ProjectNotFound: If the project doesn't
|
||||
exist.
|
||||
:raises keystone.exception.UserNotFound: If the user doesn't exist.
|
||||
|
||||
"""
|
||||
self.resource_api.get_project(tenant_id)
|
||||
self.ensure_default_role()
|
||||
|
||||
# now that default role exists, the add should succeed
|
||||
self.driver.add_role_to_user_and_project(
|
||||
user_id,
|
||||
tenant_id,
|
||||
CONF.member_role_id)
|
||||
COMPUTED_ASSIGNMENTS_REGION.invalidate()
|
||||
|
||||
@notifications.role_assignment('created')
|
||||
def _add_role_to_user_and_project_adapter(self, role_id, user_id=None,
|
||||
group_id=None, domain_id=None,
|
||||
@ -200,27 +182,6 @@ class Manager(manager.Manager):
|
||||
role_id, user_id=user_id, project_id=tenant_id)
|
||||
COMPUTED_ASSIGNMENTS_REGION.invalidate()
|
||||
|
||||
def remove_user_from_project(self, tenant_id, user_id):
|
||||
"""Remove user from a tenant.
|
||||
|
||||
:raises keystone.exception.ProjectNotFound: If the project doesn't
|
||||
exist.
|
||||
:raises keystone.exception.UserNotFound: If the user doesn't exist.
|
||||
|
||||
"""
|
||||
roles = self.get_roles_for_user_and_project(user_id, tenant_id)
|
||||
if not roles:
|
||||
raise exception.NotFound(tenant_id)
|
||||
for role_id in roles:
|
||||
try:
|
||||
self.driver.remove_role_from_user_and_project(user_id,
|
||||
tenant_id,
|
||||
role_id)
|
||||
except exception.RoleNotFound:
|
||||
LOG.debug("Removing role %s failed because it does not exist.",
|
||||
role_id)
|
||||
COMPUTED_ASSIGNMENTS_REGION.invalidate()
|
||||
|
||||
# TODO(henry-nash): We might want to consider list limiting this at some
|
||||
# point in the future.
|
||||
@MEMOIZE_COMPUTED_ASSIGNMENTS
|
||||
|
@ -1779,86 +1779,6 @@ class AssignmentTests(AssignmentTestHelperMixin):
|
||||
user_id=self.user_foo['id'],
|
||||
source_from_group_ids=[group['id']])
|
||||
|
||||
def test_add_user_to_project(self):
|
||||
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
||||
self.user_foo['id'])
|
||||
tenants = self.assignment_api.list_projects_for_user(
|
||||
self.user_foo['id'])
|
||||
self.assertIn(self.tenant_baz, tenants)
|
||||
|
||||
def test_add_user_to_project_missing_default_role(self):
|
||||
self.role_api.delete_role(CONF.member_role_id)
|
||||
self.assertRaises(exception.RoleNotFound,
|
||||
self.role_api.get_role,
|
||||
CONF.member_role_id)
|
||||
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
||||
self.user_foo['id'])
|
||||
tenants = (
|
||||
self.assignment_api.list_projects_for_user(self.user_foo['id']))
|
||||
self.assertIn(self.tenant_baz, tenants)
|
||||
default_role = self.role_api.get_role(CONF.member_role_id)
|
||||
self.assertIsNotNone(default_role)
|
||||
|
||||
def test_add_user_to_project_returns_not_found(self):
|
||||
self.assertRaises(exception.ProjectNotFound,
|
||||
self.assignment_api.add_user_to_project,
|
||||
uuid.uuid4().hex,
|
||||
self.user_foo['id'])
|
||||
|
||||
def test_add_user_to_project_no_user(self):
|
||||
# If add_user_to_project and the user doesn't exist, then
|
||||
# no error.
|
||||
user_id_not_exist = uuid.uuid4().hex
|
||||
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
|
||||
user_id_not_exist)
|
||||
|
||||
def test_remove_user_from_project(self):
|
||||
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
||||
self.user_foo['id'])
|
||||
self.assignment_api.remove_user_from_project(self.tenant_baz['id'],
|
||||
self.user_foo['id'])
|
||||
tenants = self.assignment_api.list_projects_for_user(
|
||||
self.user_foo['id'])
|
||||
self.assertNotIn(self.tenant_baz, tenants)
|
||||
|
||||
def test_remove_user_from_project_race_delete_role(self):
|
||||
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
||||
self.user_foo['id'])
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
tenant_id=self.tenant_baz['id'],
|
||||
user_id=self.user_foo['id'],
|
||||
role_id=self.role_other['id'])
|
||||
|
||||
# Mock a race condition, delete a role after
|
||||
# get_roles_for_user_and_project() is called in
|
||||
# remove_user_from_project().
|
||||
roles = self.assignment_api.get_roles_for_user_and_project(
|
||||
self.user_foo['id'], self.tenant_baz['id'])
|
||||
self.role_api.delete_role(self.role_other['id'])
|
||||
self.assignment_api.get_roles_for_user_and_project = mock.Mock(
|
||||
return_value=roles)
|
||||
self.assignment_api.remove_user_from_project(self.tenant_baz['id'],
|
||||
self.user_foo['id'])
|
||||
tenants = self.assignment_api.list_projects_for_user(
|
||||
self.user_foo['id'])
|
||||
self.assertNotIn(self.tenant_baz, tenants)
|
||||
|
||||
def test_remove_user_from_project_returns_not_found(self):
|
||||
self.assertRaises(exception.ProjectNotFound,
|
||||
self.assignment_api.remove_user_from_project,
|
||||
uuid.uuid4().hex,
|
||||
self.user_foo['id'])
|
||||
|
||||
self.assertRaises(exception.UserNotFound,
|
||||
self.assignment_api.remove_user_from_project,
|
||||
self.tenant_bar['id'],
|
||||
uuid.uuid4().hex)
|
||||
|
||||
self.assertRaises(exception.NotFound,
|
||||
self.assignment_api.remove_user_from_project,
|
||||
self.tenant_baz['id'],
|
||||
self.user_foo['id'])
|
||||
|
||||
def test_list_user_project_ids_returns_not_found(self):
|
||||
self.assertRaises(exception.UserNotFound,
|
||||
self.assignment_api.list_projects_for_user,
|
||||
@ -1867,8 +1787,11 @@ class AssignmentTests(AssignmentTestHelperMixin):
|
||||
def test_delete_user_with_project_association(self):
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user = self.identity_api.create_user(user)
|
||||
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
|
||||
user['id'])
|
||||
role_member = unit.new_role_ref()
|
||||
self.role_api.create_role(role_member['id'], role_member)
|
||||
self.assignment_api.add_role_to_user_and_project(user['id'],
|
||||
self.tenant_bar['id'],
|
||||
role_member['id'])
|
||||
self.identity_api.delete_user(user['id'])
|
||||
self.assertRaises(exception.UserNotFound,
|
||||
self.assignment_api.list_projects_for_user,
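Review bot: The three-step sequence added to test_delete_user_with_project_association (`unit.new_role_ref()`, `role_api.create_role(...)`, `assignment_api.add_role_to_user_and_project(...)`) is repeated almost verbatim in the IdentityTests, BaseLDAPIdentity, SqlIdentity (twice) and ResourceTestCase sections of this commit, so it would read better as one small helper on the shared test base class that takes the user and project ids and returns the role ref. The local name `role_member` is also misleading: the ref comes from `unit.new_role_ref()`, which as far as this page shows is a freshly generated role and not the one identified by `CONF.member_role_id`, so a neutral name such as `role` would avoid suggesting the old default-member grant is still involved. The test method continues past the end of the hunk.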
|
||||
|
@ -739,9 +739,11 @@ class TestCase(BaseTestCase):
|
||||
# the dict returned.
|
||||
user_copy['password'] = user['password']
|
||||
|
||||
# fixtures.ROLES[2] is the _member_ role.
|
||||
for tenant_id in tenants:
|
||||
self.assignment_api.add_user_to_project(
|
||||
tenant_id, user_copy['id'])
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
user_copy['id'], tenant_id, fixtures.ROLES[2]['id'])
|
||||
|
||||
# Use the ID from the fixture as the attribute name, so
|
||||
# that our tests can easily reference each user dict, while
|
||||
# the ID in the dict will be the real public ID.
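Review bot: The grant added inside the `for tenant_id in tenants:` loop selects the role by position, `fixtures.ROLES[2]['id']`, and only the comment above it ties that index to the _member_ role. If the fixture list is ever reordered or extended, every fixture user would silently receive a different role on each tenant, and tests that rely on those users' privilege level would keep passing for the wrong reason. Resolving the role once before the loop by a stable key makes the intent explicit, e.g. `member_role_id = next(r['id'] for r in fixtures.ROLES if r['name'] == '_member_')` (this assumes the fixture entries carry that `name`; confirm against the fixtures module). The enclosing method starts and ends outside the hunk.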
|
||||
|
@ -74,8 +74,13 @@ class IdentityTests(object):
|
||||
del user['id']
|
||||
|
||||
new_user = self.identity_api.create_user(user)
|
||||
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
||||
new_user['id'])
|
||||
|
||||
role_member = unit.new_role_ref()
|
||||
self.role_api.create_role(role_member['id'], role_member)
|
||||
|
||||
self.assignment_api.add_role_to_user_and_project(new_user['id'],
|
||||
self.tenant_baz['id'],
|
||||
role_member['id'])
|
||||
user_ref = self.identity_api.authenticate(
|
||||
self.make_request(),
|
||||
user_id=new_user['id'],
|
||||
@ -89,7 +94,7 @@ class IdentityTests(object):
|
||||
role_list = self.assignment_api.get_roles_for_user_and_project(
|
||||
new_user['id'], self.tenant_baz['id'])
|
||||
self.assertEqual(1, len(role_list))
|
||||
self.assertIn(CONF.member_role_id, role_list)
|
||||
self.assertIn(role_member['id'], role_list)
|
||||
|
||||
def test_authenticate_if_no_password_set(self):
|
||||
id_ = uuid.uuid4().hex
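Review bot: Nothing in the updated test asserts that a freshly created user holds no role on the project before the explicit grant, which appears to be the behaviour this change is meant to establish. In the first hunk, between `identity_api.create_user(user)` and `role_api.create_role(...)`, an assertion such as `self.assertEqual([], self.assignment_api.get_roles_for_user_and_project(new_user['id'], self.tenant_baz['id']))` would pin that down; the exact empty return value should be confirmed against the manager. Without it, a regression that reintroduces an implicit grant would only be caught indirectly by the `assertEqual(1, len(role_list))` check in the second hunk. Both test bodies extend beyond the visible hunks.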
|
||||
|
@ -716,8 +716,11 @@ class BaseLDAPIdentity(LDAPTestSetup, IdentityTests, AssignmentTests,
|
||||
def test_authenticate_requires_simple_bind(self):
|
||||
user = self.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user = self.identity_api.create_user(user)
|
||||
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
||||
user['id'])
|
||||
role_member = unit.new_role_ref()
|
||||
self.role_api.create_role(role_member['id'], role_member)
|
||||
self.assignment_api.add_role_to_user_and_project(user['id'],
|
||||
self.tenant_baz['id'],
|
||||
role_member['id'])
|
||||
driver = self.identity_api._select_identity_driver(
|
||||
user['domain_id'])
|
||||
driver.user.LDAP_USER = None
|
||||
|
@ -268,8 +268,11 @@ class SqlIdentity(SqlTests,
|
||||
def test_delete_user_with_project_association(self):
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user = self.identity_api.create_user(user)
|
||||
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
|
||||
user['id'])
|
||||
role_member = unit.new_role_ref()
|
||||
self.role_api.create_role(role_member['id'], role_member)
|
||||
self.assignment_api.add_role_to_user_and_project(user['id'],
|
||||
self.tenant_bar['id'],
|
||||
role_member['id'])
|
||||
self.identity_api.delete_user(user['id'])
|
||||
self.assertRaises(exception.UserNotFound,
|
||||
self.assignment_api.list_projects_for_user,
|
||||
@ -317,8 +320,11 @@ class SqlIdentity(SqlTests,
|
||||
def test_delete_project_with_user_association(self):
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user = self.identity_api.create_user(user)
|
||||
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
|
||||
user['id'])
|
||||
role_member = unit.new_role_ref()
|
||||
self.role_api.create_role(role_member['id'], role_member)
|
||||
self.assignment_api.add_role_to_user_and_project(user['id'],
|
||||
self.tenant_bar['id'],
|
||||
role_member['id'])
|
||||
self.resource_api.delete_project(self.tenant_bar['id'])
|
||||
tenants = self.assignment_api.list_projects_for_user(user['id'])
|
||||
self.assertEqual([], tenants)
|
||||
|
@ -1962,8 +1962,6 @@ class TokenAPITests(object):
|
||||
self.role_api.create_role(role_foo_domain1['id'], role_foo_domain1)
|
||||
role_group_domain1 = unit.new_role_ref()
|
||||
self.role_api.create_role(role_group_domain1['id'], role_group_domain1)
|
||||
self.assignment_api.add_user_to_project(project1['id'],
|
||||
user_foo['id'])
|
||||
new_group = unit.new_group_ref(domain_id=domain1['id'])
|
||||
new_group = self.identity_api.create_group(new_group)
|
||||
self.identity_api.add_user_to_group(user_foo['id'],
|
||||
|
@ -234,8 +234,12 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
||||
domain_id=domain2['id'],
|
||||
project_id=project2['id'])
|
||||
|
||||
self.assignment_api.add_user_to_project(project2['id'],
|
||||
user2['id'])
|
||||
role_member = unit.new_role_ref()
|
||||
self.role_api.create_role(role_member['id'], role_member)
|
||||
|
||||
self.assignment_api.add_role_to_user_and_project(user2['id'],
|
||||
project2['id'],
|
||||
role_member['id'])
|
||||
|
||||
# First check a user in that domain can authenticate..
|
||||
auth_data = self.build_authentication_request(
|
||||
|