Fixes bug in Federation list projects endpoint

'/OS-FEDERATION/projects' and '/auth/projects' API endpoints did not honor project inherited group role assignments. This patch fixed this bug. Closes-Bug: #1424500 Change-Id: I4937289362122952d1b3e1b73c5712601c675bb4
2015-03-30 19:32:47 -03:00 · 2015-03-30 19:32:47 -03:00 · 93587bf168
parent 51317c8083
commit 93587bf168
2 changed files with 15 additions and 6 deletions
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@ -350,9 +350,11 @@ class Manager(manager.Manager):
        if not CONF.os_inherit.enabled:
            return self.resource_api.list_projects_from_ids(project_ids)

-        # Inherited roles are enabled, so check to see if these groups have any
-        # roles on any domain, in which case we must add in all the projects
-        # in that domain.
+        # os_inherit extension is enabled, so check to see if these groups have
+        # any inherited role assignment on: i) any domain, in which case we
+        # must add in all the projects in that domain; ii) any project, in
+        # which case we must add in all the subprojects under that project in
+        # the hierarchy.

        domain_ids = self.driver.list_domain_ids_for_groups(
            group_ids, inherited=True)
@ -360,8 +362,17 @@ class Manager(manager.Manager):
        project_ids_from_domains = (
            self.resource_api.list_project_ids_from_domain_ids(domain_ids))

+        parents_ids = self.list_project_ids_for_groups(group_ids,
+                                                       driver_hints.Hints(),
+                                                       inherited=True)
+
+        subproject_ids = []
+        for parent_id in parents_ids:
+            subtree = self.resource_api.list_projects_in_subtree(parent_id)
+            subproject_ids += [subproject['id'] for subproject in subtree]
+
        return self.resource_api.list_projects_from_ids(
-            list(set(project_ids + project_ids_from_domains)))
+            list(set(project_ids + project_ids_from_domains + subproject_ids)))

    def list_role_assignments_for_role(self, role_id=None):
        # NOTE(henry-nash): Currently the efficiency of the key driver
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@ -41,7 +41,6 @@ from keystone.tests.unit import federation_fixtures
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit import mapping_fixtures
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils
 from keystone.token.providers import common as token_common


@ -2295,7 +2294,6 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
    # The advantage would be to reduce the complexity of this test class and
    # have tests specific to this fuctionality grouped, easing readability and
    # maintenability.
-    @utils.wip('waiting on bug #1424500')
    def test_list_projects_for_inherited_project_assignment(self):
        # Enable os_inherit extension
        self.config_fixture.config(group='os_inherit', enabled=True)