From 5599226956fa788114747d6784e0bf7151c84d05 Mon Sep 17 00:00:00 2001
From: henriquetruta
Date: Thu, 17 Sep 2015 14:45:44 -0300
Subject: [PATCH] Prevents creating is_domain=True projects in v2

Keystone v2 must not allow the creation of projects with the is_domain field set True.
Co-Authored-By: Rodrigo Duarte
Change-Id: I569e4ab147a16bb019fb3d5f4f6218c75f4a3cca
Closes-Bug: 1496946
---
 keystone/resource/controllers.py | 5 +++++
 keystone/tests/unit/test_v2_controller.py | 24 +++++++++++++++++++++++
 2 files changed, 29 insertions(+)
diff --git a/keystone/resource/controllers.py b/keystone/resource/controllers.py
index d748fe54c8..db82757f37 100644
--- a/keystone/resource/controllers.py
+++ b/keystone/resource/controllers.py
@@ -85,6 +85,11 @@ class Tenant(controller.V2Controller): msg = _('Name field is required and cannot be empty') raise exception.ValidationError(message=msg) + if 'is_domain' in tenant_ref: + msg = _('The creation of projects acting as domains is not ' + 'allowed in v2.') + raise exception.ValidationError(message=msg) + self.assert_admin(context) tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex) initiator = notifications._get_request_audit_info(context)
diff --git a/keystone/tests/unit/test_v2_controller.py b/keystone/tests/unit/test_v2_controller.py
index c112b0f034..c8501a70e6 100644
--- a/keystone/tests/unit/test_v2_controller.py
+++ b/keystone/tests/unit/test_v2_controller.py
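Review bot: In keystone/resource/controllers.py the new guard `if 'is_domain' in tenant_ref:` rejects the key whatever its value, but the error text and the commit title speak only of projects acting as domains, so a caller sending `is_domain: False` gets a message that does not describe their request. A short comment above the check, e.g. `# v2 has no is_domain concept: reject the key outright, even when False`, would record that this is deliberate. The guard also runs before `self.assert_admin(context)`, as the existing name check does, so a caller who is not an admin receives a validation error instead of an authorization failure; consider moving the authorization call ahead of both checks. The enclosing method starts and ends outside the hunk.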
@@ -124,6 +124,30 @@ class TenantTestCase(unit.TestCase): context ) + def test_create_is_domain_project_fails(self): + """Test that the creation of a project acting as a domain fails.""" + project = {'name': uuid.uuid4().hex, 'domain_id': 'default', + 'is_domain': True} + + self.assertRaises( + exception.ValidationError, + self.tenant_controller.create_project, + _ADMIN_CONTEXT, + project + ) + + def test_create_project_passing_is_domain_false_fails(self): + """Test that passing is_domain=False is not allowed.""" + project = {'name': uuid.uuid4().hex, 'domain_id': 'default', + 'is_domain': False} + + self.assertRaises( + exception.ValidationError, + self.tenant_controller.create_project, + _ADMIN_CONTEXT, + project + ) + def test_update_is_domain_project_not_found(self): """Test that update is_domain project is not allowed in v2.""" project = self._create_is_domain_project()
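Review bot: Both new tests call `create_project` with `_ADMIN_CONTEXT` and assert only the exception type, so nothing here shows what a non-admin request carrying `is_domain` receives, nor that no project was stored after the rejection. If that case is not covered elsewhere in the file (not visible in this hunk), a third test using a non-admin context would pin down the order of validation and authorization. The two test bodies differ only in the `is_domain` value and could share one helper that takes that value.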