Return an error when a non-existing tenant is added to a user

Currently, if a user is created without a tenantId, adding a non-existing tenantId to that user succeeds. This change checks for whether the tenant exists in cases where the check was previously skipped. Closes-Bug: #1246473 Change-Id: I2a814c5df902a97297ad05950ae4205664ddf6e6
2013-10-30 21:14:29 +00:00 · 2013-10-30 21:14:29 +00:00 · 50d52538cf
parent 58ff2bc511
commit 50d52538cf
2 changed files with 40 additions and 2 deletions
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
@ -234,9 +234,15 @@ class User(controller.V2Controller):
        old_user_ref = self.identity_api.v3_to_v2_user(
            self.identity_api.get_user(user_id))

-        if ('tenantId' in old_user_ref and
+        # Check whether a tenant is being added or changed for the user.
+        # Catch the case where the tenant is being changed for a user and also
+        # where a user previously had no tenant but a tenant is now being
+        # added for the user.
+        if (('tenantId' in old_user_ref and
                old_user_ref['tenantId'] != default_project_id and
-                default_project_id is not None):
+                default_project_id is not None) or
+            ('tenantId' not in old_user_ref and
+                default_project_id is not None)):
            # Make sure the new project actually exists before we perform the
            # user update.
            self.assignment_api.get_project(default_project_id)
--- a/keystone/tests/test_content_types.py
+++ b/keystone/tests/test_content_types.py
@ -538,6 +538,38 @@ class CoreApiTests(object):
            token=token,
            expected_status=404)

+    def test_update_user_with_invalid_tenant_no_prev_tenant(self):
+        token = self.get_scoped_token()
+
+        # Create a new user
+        r = self.admin_request(
+            method='POST',
+            path='/v2.0/users',
+            body={
+                'user': {
+                    'name': 'test_invalid_tenant',
+                    'password': uuid.uuid4().hex,
+                    'enabled': True,
+                },
+            },
+            token=token,
+            expected_status=200)
+        user_id = self._get_user_id(r.result)
+
+        # Update user with an invalid tenant
+        r = self.admin_request(
+            method='PUT',
+            path='/v2.0/users/%(user_id)s' % {
+                'user_id': user_id,
+            },
+            body={
+                'user': {
+                    'tenantId': 'abcde12345heha',
+                },
+            },
+            token=token,
+            expected_status=404)
+
    def test_update_user_with_old_tenant(self):
        token = self.get_scoped_token()