Fix failure of delete domain group grant when identity is LDAP.

When deleting a domain group assignment while using a non
domain-aware backend, such as LDAP, an AttributeError was being
raised when trying to find all the relevant tokens. This was a
holdover from when you had to pass domain scope to
list_users_in_group(). This only affected domain group grants;
by luck we got away with it for group project grants.

Change-Id: I47b61886698232a7d3dfb4b502d61723cb0eb786
Closes-Bug: 1373113
Henry Nash 2014-09-23 17:49:15 -03:00
parent d8d1477d83
commit 5b331f469d
2 changed files with 42 additions and 2 deletions


@ -566,8 +566,7 @@ class Manager(manager.Manager):
try:
# NOTE(morganfainberg): The user ids are the important part
# for invalidating tokens below, so extract them here.
for user in self.identity_api.list_users_in_group(group_id,
domain_id):
for user in self.identity_api.list_users_in_group(group_id):
if user['id'] != user_id:
self._emit_invalidate_user_token_persistence(
user['id'])
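Review bot: The `try:` that opens this hunk guards the loop that invalidates tokens for every member of the group, but its `except` clause lies outside the hunk, so it is not visible whether a backend error other than a missing group would be swallowed and leave those tokens valid once the grant is removed. The AttributeError described in the commit message came from this same call, so it is worth confirming that the handler catches only the group-not-found case and lets anything else propagate. The existing NOTE could also record why no domain is passed, for example `# list_users_in_group() takes only the group id; passing a domain scope breaks non domain-aware backends such as LDAP (bug 1373113).`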


@ -1962,6 +1962,47 @@ class LdapIdentitySqlAssignment(BaseLDAPIdentity, tests.SQLDriverOverrides,
domain['id'],
domain)
def test_get_and_remove_role_grant_by_group_and_domain(self):
# TODO(henry-nash): We should really rewrite the tests in test_backend
# to be more flexible as to where the domains are sourced from, so
# that we would not need to override such tests here. This is raised
# as bug 1373865.
new_domain = self._get_domain_fixture()
new_group = {'domain_id': new_domain['id'], 'name': uuid.uuid4().hex}
new_group = self.identity_api.create_group(new_group)
new_user = {'name': 'new_user', 'password': uuid.uuid4().hex,
'enabled': True, 'domain_id': new_domain['id']}
new_user = self.identity_api.create_user(new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
roles_ref = self.assignment_api.list_grants(
group_id=new_group['id'],
domain_id=new_domain['id'])
self.assertEqual(0, len(roles_ref))
self.assignment_api.create_grant(group_id=new_group['id'],
domain_id=new_domain['id'],
role_id='member')
roles_ref = self.assignment_api.list_grants(
group_id=new_group['id'],
domain_id=new_domain['id'])
self.assertDictEqual(roles_ref[0], self.role_member)
self.assignment_api.delete_grant(group_id=new_group['id'],
domain_id=new_domain['id'],
role_id='member')
roles_ref = self.assignment_api.list_grants(
group_id=new_group['id'],
domain_id=new_domain['id'])
self.assertEqual(0, len(roles_ref))
self.assertRaises(exception.NotFound,
self.assignment_api.delete_grant,
group_id=new_group['id'],
domain_id=new_domain['id'],
role_id='member')
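Review bot: test_get_and_remove_role_grant_by_group_and_domain asserts only that the grant disappears and that a second delete raises NotFound; it never checks that tokens for the group member were invalidated, which is the code path the manager fix touches. new_user is added to new_group but no token is issued for it, so a regression that skipped the invalidation loop without raising would still pass. Consider issuing a token for new_user before `delete_grant` and asserting afterwards that it no longer validates, or at least asserting that `_emit_invalidate_user_token_persistence` was called with `new_user['id']`. The user name is the fixed string `'new_user'` while the group name uses `uuid.uuid4().hex`; a random user name would avoid collisions if the LDAP fixture is shared between tests.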
class LdapIdentitySqlAssignmentWithMapping(LdapIdentitySqlAssignment):
"""Class to test mapping of default LDAP backend.