Fix for notifications for v2 role grant/delete

Notifications were not being sent when role grants were added or deleted using the v2 API. SecurityImpact Change-Id: I577d4435d551181298b23e713ed84f76d9f1ba3e Closes-Bug: #1435396
2015-03-23 12:26:50 -05:00 · 2015-03-23 12:26:50 -05:00 · 2e859e17f9
parent f5332c99be
commit 2e859e17f9
2 changed files with 69 additions and 6 deletions
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@ -261,10 +261,24 @@ class Manager(manager.Manager):
                tenant_id,
                CONF.member_role_id)

-    def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
-        self.resource_api.get_project(tenant_id)
+    @notifications.role_assignment('created')
+    def _add_role_to_user_and_project_adapter(self, role_id, user_id=None,
+                                              group_id=None, domain_id=None,
+                                              project_id=None,
+                                              inherited_to_projects=False,
+                                              context=None):
+
+        # The parameters for this method must match the parameters for
+        # create_grant so that the notifications.role_assignment decorator
+        # will work.
+
+        self.resource_api.get_project(project_id)
        self.role_api.get_role(role_id)
-        self.driver.add_role_to_user_and_project(user_id, tenant_id, role_id)
+        self.driver.add_role_to_user_and_project(user_id, project_id, role_id)
+
+    def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
+        self._add_role_to_user_and_project_adapter(
+            role_id, user_id=user_id, project_id=tenant_id)

    def remove_user_from_project(self, tenant_id, user_id):
        """Remove user from a tenant
@ -374,12 +388,27 @@ class Manager(manager.Manager):
        return [r for r in self.driver.list_role_assignments()
                if r['role_id'] == role_id]

-    def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
-        self.driver.remove_role_from_user_and_project(user_id, tenant_id,
+    @notifications.role_assignment('deleted')
+    def _remove_role_from_user_and_project_adapter(self, role_id, user_id=None,
+                                                   group_id=None,
+                                                   domain_id=None,
+                                                   project_id=None,
+                                                   inherited_to_projects=False,
+                                                   context=None):
+
+        # The parameters for this method must match the parameters for
+        # delete_grant so that the notifications.role_assignment decorator
+        # will work.
+
+        self.driver.remove_role_from_user_and_project(user_id, project_id,
                                                      role_id)
        self.identity_api.emit_invalidate_user_token_persistence(user_id)
        self.revoke_api.revoke_by_grant(role_id, user_id=user_id,
-                                        project_id=tenant_id)
+                                        project_id=project_id)
+
+    def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
+        self._remove_role_from_user_and_project_adapter(
+            role_id, user_id=user_id, project_id=tenant_id)

    @notifications.internal(notifications.INVALIDATE_USER_TOKEN_PERSISTENCE)
    def _emit_invalidate_user_token_persistence(self, user_id):
--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@ -880,6 +880,40 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
                                   domain=self.domain_id,
                                   group=group['id'])

+    def test_add_role_to_user_and_project(self):
+        # A notification is sent when add_role_to_user_and_project is called on
+        # the assignment manager.
+
+        project_ref = self.new_project_ref(self.domain_id)
+        project = self.resource_api.create_project(
+            project_ref['id'], project_ref)
+        tenant_id = project['id']
+
+        self.assignment_api.add_role_to_user_and_project(
+            self.user_id, tenant_id, self.role_id)
+
+        self.assertTrue(self._notifications)
+        note = self._notifications[-1]
+        self.assertEqual(note['action'], 'created.role_assignment')
+        self.assertTrue(note['send_notification_called'])
+
+        self._assert_event(self.role_id, project=tenant_id, user=self.user_id)
+
+    def test_remove_role_from_user_and_project(self):
+        # A notification is sent when remove_role_from_user_and_project is
+        # called on the assignment manager.
+
+        self.assignment_api.remove_role_from_user_and_project(
+            self.user_id, self.project_id, self.role_id)
+
+        self.assertTrue(self._notifications)
+        note = self._notifications[-1]
+        self.assertEqual(note['action'], 'deleted.role_assignment')
+        self.assertTrue(note['send_notification_called'])
+
+        self._assert_event(self.role_id, project=self.project_id,
+                           user=self.user_id)
+

 class TestCallbackRegistration(testtools.TestCase):
    def setUp(self):