diff --git a/keystone/federation/controllers.py b/keystone/federation/controllers.py
index 42e39ce684..f81f31e563 100644
--- a/keystone/federation/controllers.py
+++ b/keystone/federation/controllers.py
@@ -455,13 +455,8 @@ class DomainV3(controller.V3Controller):
         :returns: list of accessible domains
 
         """
-        domains = PROVIDERS.assignment_api.list_domains_for_groups(
-            request.auth_context['group_ids'])
-        domains = domains + PROVIDERS.assignment_api.list_domains_for_user(
-            request.auth_context['user_id'])
-        # remove duplicates
-        domains = k_utils.remove_duplicate_dicts_by_id(domains)
-        return DomainV3.wrap_collection(request.context_dict, domains)
+        controller = auth_controllers.Auth()
+        return controller.get_auth_domains(request)
 
 
 class ProjectAssignmentV3(controller.V3Controller):
@@ -484,14 +479,8 @@ class ProjectAssignmentV3(controller.V3Controller):
         :returns: list of accessible projects
 
         """
-        projects = PROVIDERS.assignment_api.list_projects_for_groups(
-            request.auth_context['group_ids'])
-        projects = projects + PROVIDERS.assignment_api.list_projects_for_user(
-            request.auth_context['user_id'])
-        # remove duplicates
-        projects = k_utils.remove_duplicate_dicts_by_id(projects)
-        return ProjectAssignmentV3.wrap_collection(request.context_dict,
-                                                   projects)
+        controller = auth_controllers.Auth()
+        return controller.get_auth_projects(request)
 
 
 class ServiceProvider(_ControllerBase):
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index f83df746dc..9ffad8cb01 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
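Review bot: Authorization for this endpoint may now be enforced twice under two different policy rules: if `Auth.get_auth_domains` carries its own `@controller.protected()` (as the `/auth/domains` handler would), the new `return controller.get_auth_domains(request)` line enforces the `identity:get_auth_domains` rule on top of whatever protects the enclosing federation method (its decorator and signature are outside the hunk), so an operator who customised only the federation rule silently inherits the other one; confirm this is intended and record it. The same applies to `get_auth_projects` in the `ProjectAssignmentV3` hunk below. The removed code merged group-derived results from `request.auth_context['group_ids']` with the user's own before de-duplicating, and federated users typically hold their access only through mapped groups, so the delegate must preserve that path; a comment at the call site would pin the contract, e.g. `# Same result as GET /v3/auth/domains: user- and group-derived domains, de-duplicated.` `auth_controllers` is not imported in either hunk, so the import presumably lands elsewhere in the file; if `PROVIDERS` and `k_utils` have no remaining uses in this module they should be dropped in the same change.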
@@ -4979,6 +4979,59 @@ class TestAuthSpecificData(test_v3.RestfulTestCase):
     def test_head_projects_with_project_scoped_token(self):
         self.head('/auth/projects', expected_status=http_client.OK)
 
+    def test_get_projects_matches_federated_get_projects(self):
+        # create at least one addition project to make sure it doesn't end up
+        # in the response, since the user doesn't have any authorization on it
+        ref = unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
+        r = self.post('/projects', body={'project': ref})
+        unauthorized_project_id = r.json['project']['id']
+
+        r = self.get('/auth/projects', expected_status=http_client.OK)
+        self.assertThat(r.json['projects'], matchers.HasLength(1))
+        for project in r.json['projects']:
+            self.assertNotEqual(unauthorized_project_id, project['id'])
+
+        expected_project_id = r.json['projects'][0]['id']
+
+        # call GET /v3/OS-FEDERATION/projects
+        r = self.get('/OS-FEDERATION/projects', expected_status=http_client.OK)
+
+        # make sure the response is the same
+        self.assertThat(r.json['projects'], matchers.HasLength(1))
+        for project in r.json['projects']:
+            self.assertEqual(expected_project_id, project['id'])
+
+    def test_get_domains_matches_federated_get_domains(self):
+        # create at least one addition domain to make sure it doesn't end up
+        # in the response, since the user doesn't have any authorization on it
+        ref = unit.new_domain_ref()
+        r = self.post('/domains', body={'domain': ref})
+        unauthorized_domain_id = r.json['domain']['id']
+
+        ref = unit.new_domain_ref()
+        r = self.post('/domains', body={'domain': ref})
+        authorized_domain_id = r.json['domain']['id']
+
+        path = '/domains/%(domain_id)s/users/%(user_id)s/roles/%(role_id)s' % {
+            'domain_id': authorized_domain_id,
+            'user_id': self.user_id,
+            'role_id': self.role_id
+        }
+        self.put(path, expected_status=http_client.NO_CONTENT)
+
+        r = self.get('/auth/domains', expected_status=http_client.OK)
+        self.assertThat(r.json['domains'], matchers.HasLength(1))
+        self.assertEqual(authorized_domain_id, r.json['domains'][0]['id'])
+        self.assertNotEqual(unauthorized_domain_id, r.json['domains'][0]['id'])
+
+        # call GET /v3/OS-FEDERATION/domains
+        r = self.get('/OS-FEDERATION/domains', expected_status=http_client.OK)
+
+        # make sure the response is the same
+        self.assertThat(r.json['domains'], matchers.HasLength(1))
+        self.assertEqual(authorized_domain_id, r.json['domains'][0]['id'])
+        self.assertNotEqual(unauthorized_domain_id, r.json['domains'][0]['id'])
+
     def test_get_domains_with_project_scoped_token(self):
         self.put(path='/domains/%s/users/%s/roles/%s' % (
             self.domain['id'], self.user['id'], self.role['id']))
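Review bot: Both new tests prove the two endpoints agree only for a user with a direct role assignment (`self.put(path, expected_status=http_client.NO_CONTENT)` grants the role to `self.user_id` on the domain), yet the code the federation controllers just gave up was the path that merged group-derived domains and projects from `request.auth_context['group_ids']`; a further case that grants the role to a group the user belongs to, or runs the same comparison in a federated test class, would catch a delegate that drops the group path and leaves federated users with an empty listing. In `test_get_projects_matches_federated_get_projects` the `HasLength(1)` assertion makes the following `for project in r.json['projects']:` loops single-iteration, so they could be direct comparisons, `self.assertEqual(expected_project_id, r.json['projects'][0]['id'])`, matching the style of the domains test. The new tests use `self.user_id`/`self.role_id` while the neighbouring `test_get_domains_with_project_scoped_token` uses `self.user['id']`/`self.role['id']`; one form should be used throughout the class. The comments `# create at least one addition project` and `# create at least one addition domain` should read `additional`.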