Merge "Fix role_assignments role.id filter"

This commit is contained in:
Zuul 2020-01-27 20:00:05 +00:00 committed by Gerrit Code Review
commit 7bb26ffd15
5 changed files with 51 additions and 7 deletions

View File

@ -925,9 +925,11 @@ class Manager(manager.Manager):
a['system'] = {'all': True} a['system'] = {'all': True}
system_assignments.append(a) system_assignments.append(a)
for i, assignment in enumerate(system_assignments): if role_id:
if role_id and role_id != assignment['role_id']: system_assignments = [
system_assignments.pop(i) sa for sa in system_assignments
if role_id == sa['role_id']
]
assignments = [] assignments = []
for assignment in itertools.chain( for assignment in itertools.chain(

View File

@ -385,6 +385,8 @@ class _SystemUserTests(object):
def test_user_can_filter_role_assignments_by_role(self): def test_user_can_filter_role_assignments_by_role(self):
assignments = self._setup_test_role_assignments() assignments = self._setup_test_role_assignments()
self.expected = [ra for ra in self.expected
if ra['role_id'] == assignments['role_id']]
self.expected.append({ self.expected.append({
'user_id': assignments['user_id'], 'user_id': assignments['user_id'],
'project_id': assignments['project_id'], 'project_id': assignments['project_id'],
@ -484,6 +486,8 @@ class _SystemUserTests(object):
def test_user_can_filter_role_assignments_by_system_and_role(self): def test_user_can_filter_role_assignments_by_system_and_role(self):
assignments = self._setup_test_role_assignments() assignments = self._setup_test_role_assignments()
self.expected = [ra for ra in self.expected
if ra['role_id'] == assignments['role_id']]
self.expected.append({ self.expected.append({
'user_id': assignments['user_id'], 'user_id': assignments['user_id'],
'system': 'all', 'system': 'all',

View File

@ -1402,6 +1402,8 @@ class AssignmentTestMixin(object):
""" """
if attribs.get('domain_id'): if attribs.get('domain_id'):
link = '/domains/' + attribs['domain_id'] link = '/domains/' + attribs['domain_id']
elif attribs.get('system'):
link = '/system'
else: else:
link = '/projects/' + attribs['project_id'] link = '/projects/' + attribs['project_id']
@ -1429,6 +1431,8 @@ class AssignmentTestMixin(object):
if attribs.get('domain_id'): if attribs.get('domain_id'):
entity['scope'] = {'domain': {'id': attribs['domain_id']}} entity['scope'] = {'domain': {'id': attribs['domain_id']}}
elif attribs.get('system'):
entity['scope'] = {'system': {'all': True}}
else: else:
entity['scope'] = {'project': {'id': attribs['project_id']}} entity['scope'] = {'project': {'id': attribs['project_id']}}

View File

@ -920,7 +920,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
self.role2 = unit.new_role_ref() self.role2 = unit.new_role_ref()
PROVIDERS.role_api.create_role(self.role2['id'], self.role2) PROVIDERS.role_api.create_role(self.role2['id'], self.role2)
# Now add one of each of the four types of assignment # Now add one of each of the six types of assignment
gd_entity = self.build_role_assignment_entity( gd_entity = self.build_role_assignment_entity(
domain_id=self.domain_id, group_id=group1['id'], domain_id=self.domain_id, group_id=group1['id'],
@ -944,6 +944,22 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
role_id=self.role2['id']) role_id=self.role2['id'])
self.put(up_entity['links']['assignment']) self.put(up_entity['links']['assignment'])
gs_entity = self.build_role_assignment_entity(
system='all',
group_id=group1['id'],
role_id=self.role1['id'])
self.put(gs_entity['links']['assignment'])
us_entity = self.build_role_assignment_entity(
system='all',
user_id=user1['id'],
role_id=self.role2['id'])
self.put(us_entity['links']['assignment'])
us2_entity = self.build_role_assignment_entity(
system='all',
user_id=user2['id'],
role_id=self.role2['id'])
self.put(us2_entity['links']['assignment'])
# Now list by various filters to make sure we get back the right ones # Now list by various filters to make sure we get back the right ones
collection_url = ('/role_assignments?scope.project.id=%s' % collection_url = ('/role_assignments?scope.project.id=%s' %
@ -970,7 +986,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http_client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http_client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
expected_length=2, expected_length=3,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, up_entity) self.assertRoleAssignmentInListResponse(r, up_entity)
self.assertRoleAssignmentInListResponse(r, ud_entity) self.assertRoleAssignmentInListResponse(r, ud_entity)
@ -979,7 +995,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http_client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http_client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
expected_length=2, expected_length=3,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, gd_entity) self.assertRoleAssignmentInListResponse(r, gd_entity)
self.assertRoleAssignmentInListResponse(r, gp_entity) self.assertRoleAssignmentInListResponse(r, gp_entity)
@ -988,10 +1004,21 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http_client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http_client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
expected_length=2, expected_length=3,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, gd_entity) self.assertRoleAssignmentInListResponse(r, gd_entity)
self.assertRoleAssignmentInListResponse(r, gp_entity) self.assertRoleAssignmentInListResponse(r, gp_entity)
self.assertRoleAssignmentInListResponse(r, gs_entity)
collection_url = '/role_assignments?role.id=%s' % self.role2['id']
r = self.get(collection_url, expected_status=http_client.OK)
self.head(collection_url, expected_status=http_client.OK)
self.assertValidRoleAssignmentListResponse(r,
expected_length=4,
resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, ud_entity)
self.assertRoleAssignmentInListResponse(r, up_entity)
self.assertRoleAssignmentInListResponse(r, us_entity)
# Let's try combining two filers together.... # Let's try combining two filers together....

View File

@ -0,0 +1,7 @@
---
fixes:
- |
[`bug 1858012 <https://bugs.launchpad.net/keystone/+bug/1858012>`_]
Fixes a bug in the /v3/role_assignments filtering where the `role.id` query
parameter didn't properly filter role assignments by role in cases where
there were multiple system role assignments.