From 9cefb4dfc9f3497fd4c123ad9b1aadc65b2974d0 Mon Sep 17 00:00:00 2001
From: Raildo Mascena
Date: Thu, 24 May 2018 17:13:05 -0300
Subject: [PATCH] Exposing ambiguity bug when querying role assignments

Test case exposing the issue described in that bug also, adding the expected result commented, to be removed the commented tags, after the bug be fixed.

Change-Id: I0e7b181977a1850a9a93472892407817561bfa0a
Partial-Bug: 1754677
---
 keystone/tests/unit/test_v3_assignment.py | 56 +++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/keystone/tests/unit/test_v3_assignment.py b/keystone/tests/unit/test_v3_assignment.py
index 4273d0186d..7c53cfb59d 100644
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
@@ -24,6 +24,7 @@ import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
+from keystone.tests.unit import utils as test_utils
 CONF = keystone.conf.CONF
@@ -1978,6 +1979,61 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
 self._test_list_role_assignments_include_names(role)
+ @test_utils.wip("Skipped until Bug 1754677 is resolved")
+ def test_remove_assignment_for_project_acting_as_domain(self):
+ """Test goal: remove assignment for project acting as domain.
+
+ Ensure when we have two role assignments for the project
+ acting as domain, one dealing with it as a domain and other as a
+ project, we still able to remove those assignments later.
+
+ Test plan:
+ - Create a role and a domain with a user;
+ - Grant a role for this user in this domain;
+ - Grant a role for this user in the same entity as a project;
+ - Ensure that both assignments were created and it was valid;
+ - Remove the domain assignment for the user and show that the project
+ assignment for him still valid
+
+ """
+ role = unit.new_role_ref()
+ PROVIDERS.role_api.create_role(role['id'], role)
+ domain = unit.new_domain_ref()
+ PROVIDERS.resource_api.create_domain(domain['id'], domain)
+ user = unit.create_user(PROVIDERS.identity_api, domain_id=domain['id'])
+
+ assignment_domain = self.build_role_assignment_entity(
+ role_id=role['id'], domain_id=domain['id'], user_id=user['id'],
+ inherited_to_projects=False)
+ assignment_project = self.build_role_assignment_entity(
+ role_id=role['id'], project_id=domain['id'], user_id=user['id'],
+ inherited_to_projects=False)
+
+ self.put(assignment_domain['links']['assignment'])
+ self.put(assignment_project['links']['assignment'])
+
+ collection_url = '/role_assignments?user.id=%(user_id)s' % (
+ {'user_id': user['id']})
+ result = self.get(collection_url)
+ # We have two role assignments based in both roles for the domain and
+ # project scope
+ self.assertValidRoleAssignmentListResponse(
+ result, expected_length=2, resource_url=collection_url)
+ self.assertRoleAssignmentInListResponse(result, assignment_domain)
+
+ domain_url = '/domains/%s/users/%s/roles/%s' % (
+ domain['id'], 
 user['id'], role['id'])
+ self.delete(domain_url)
+
+ collection_url = '/role_assignments?user.id=%(user_id)s' % (
+ {'user_id': user['id']})
+ result = self.get(collection_url)
+ # Now we only have one assignment for the project scope since the
+ # domain scope was removed.
+ self.assertValidRoleAssignmentListResponse(
+ result, expected_length=1, resource_url=collection_url)
+ self.assertRoleAssignmentInListResponse(result, assignment_project)
+
 def test_list_inherited_role_assignments_include_names(self):
 """Call ``GET /role_assignments?include_names``.
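Review bot: The first list check, after the two `self.put` calls, asserts only that `assignment_domain` is present, so the test never confirms that the project-scoped grant is reported as a project assignment before the domain grant is deleted. Adding `self.assertRoleAssignmentInListResponse(result, assignment_project)` directly after the existing `assignment_domain` assertion would pin both scopes, which is the domain-versus-project distinction Bug 1754677 is about. Because the test is wrapped in `@test_utils.wip(...)`, a short comment naming the assertion that is expected to fail today would also help. The decorator presumably accepts any failure, so a broken fixture would be indistinguishable from the authorization bug itself; `PROVIDERS`, for example, is not defined in the visible hunks.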