Add notifications to user/group membership

When a user is added or removed from a group we should emit a notification. The
notification has group as the resource type and the group ID as the
resource ID. The notification also includes the user, user ID, and the
operation that was done ('removed' or 'added').

This way consumers are notified of user and group memberships.

Change-Id: I93ca3a0cb2fe9b93f5370e5871be1f1b30d87f72
Closes-Bug: 1552639

keystone/identity/controllers.py

@@ -255,7 +255,8 @@ class UserV3(controller.V3Controller):
 
     @controller.protected(callback=_check_user_and_group_protection)
     def add_user_to_group(self, context, user_id, group_id):
-        self.identity_api.add_user_to_group(user_id, group_id)
+        initiator = notifications._get_request_audit_info(context)
+        self.identity_api.add_user_to_group(user_id, group_id, initiator)
 
     @controller.protected(callback=_check_user_and_group_protection)
     def check_user_in_group(self, context, user_id, group_id):
@@ -263,7 +264,8 @@ class UserV3(controller.V3Controller):
 
     @controller.protected(callback=_check_user_and_group_protection)
     def remove_user_from_group(self, context, user_id, group_id):
-        self.identity_api.remove_user_from_group(user_id, group_id)
+        initiator = notifications._get_request_audit_info(context)
+        self.identity_api.remove_user_from_group(user_id, group_id, initiator)
 
     @controller.protected()
     def delete_user(self, context, user_id):

keystone/identity/core.py

@@ -1061,7 +1061,7 @@ class Manager(manager.Manager):
 
     @domains_configured
     @exception_translated('group')
-    def add_user_to_group(self, user_id, group_id):
+    def add_user_to_group(self, user_id, group_id, initiator=None):
         @exception_translated('user')
         def get_entity_info_for_user(public_id):
             return self._get_domain_driver_and_entity_id(public_id)
@@ -1081,10 +1081,12 @@ class Manager(manager.Manager):
         # Invalidate user role assignments cache region, as it may now need to
         # include role assignments from the specified group to its users
         assignment.COMPUTED_ASSIGNMENTS_REGION.invalidate()
+        notifications.Audit.added_to(self._GROUP, group_id, self._USER,
+                                     user_id, initiator)
 
     @domains_configured
     @exception_translated('group')
-    def remove_user_from_group(self, user_id, group_id):
+    def remove_user_from_group(self, user_id, group_id, initiator=None):
         @exception_translated('user')
         def get_entity_info_for_user(public_id):
             return self._get_domain_driver_and_entity_id(public_id)
@@ -1105,6 +1107,8 @@ class Manager(manager.Manager):
         # Invalidate user role assignments cache region, as it may be caching
         # role assignments expanded from this group to this user
         assignment.COMPUTED_ASSIGNMENTS_REGION.invalidate()
+        notifications.Audit.removed_from(self._GROUP, group_id, self._USER,
+                                         user_id, initiator)
 
     @notifications.internal(notifications.INVALIDATE_USER_TOKEN_PERSISTENCE)
     def emit_invalidate_user_token_persistence(self, user_id):

keystone/tests/unit/common/test_notifications.py

@@ -722,6 +722,28 @@ class NotificationsForEntities(BaseNotificationTest):
         # No audit event should have occurred
         self.assertEqual(0, len(self._audits))
 
+    def test_add_user_to_group(self):
+        user_ref = unit.new_user_ref(domain_id=self.domain_id)
+        user_ref = self.identity_api.create_user(user_ref)
+        group_ref = unit.new_group_ref(domain_id=self.domain_id)
+        group_ref = self.identity_api.create_group(group_ref)
+        self.identity_api.add_user_to_group(user_ref['id'], group_ref['id'])
+        self._assert_last_note(group_ref['id'], UPDATED_OPERATION, 'group',
+                               actor_id=user_ref['id'], actor_type='user',
+                               actor_operation='added')
+
+    def test_remove_user_from_group(self):
+        user_ref = unit.new_user_ref(domain_id=self.domain_id)
+        user_ref = self.identity_api.create_user(user_ref)
+        group_ref = unit.new_group_ref(domain_id=self.domain_id)
+        group_ref = self.identity_api.create_group(group_ref)
+        self.identity_api.add_user_to_group(user_ref['id'], group_ref['id'])
+        self.identity_api.remove_user_from_group(user_ref['id'],
+                                                 group_ref['id'])
+        self._assert_last_note(group_ref['id'], UPDATED_OPERATION, 'group',
+                               actor_id=user_ref['id'], actor_type='user',
+                               actor_operation='removed')
+
 
 class CADFNotificationsForEntities(NotificationsForEntities):
 

releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - Support has now been added to send notification events
+    on user/group membership. When a user is added or removed
+    from a group a notification will be sent including the
+    identifiers of both the user and the group.