diff --git a/keystone/federation/controllers.py b/keystone/federation/controllers.py
index 6748ba1a1f..67b4348275 100644
--- a/keystone/federation/controllers.py
+++ b/keystone/federation/controllers.py
@@ -447,13 +447,8 @@ class DomainV3(controller.V3Controller):
 :returns: list of accessible domains
 """
- domains = self.assignment_api.list_domains_for_groups(
- request.auth_context['group_ids'])
- domains = domains + self.assignment_api.list_domains_for_user(
- request.auth_context['user_id'])
- # remove duplicates
- domains = [dict(t) for t in set([tuple(d.items()) for d in domains])]
- return DomainV3.wrap_collection(request.context_dict, domains)
+ controller = auth_controllers.Auth()
+ return controller.get_auth_domains(request)
 @dependency.requires('assignment_api', 'resource_api')
@@ -473,14 +468,8 @@ class ProjectAssignmentV3(controller.V3Controller):
 :returns: list of accessible projects
 """
- projects = self.assignment_api.list_projects_for_groups(
- request.auth_context['group_ids'])
- projects = projects + self.assignment_api.list_projects_for_user(
- request.auth_context['user_id'])
- # remove duplicates
- projects = [dict(t) for t in set([tuple(d.items()) for d in projects])]
- return ProjectAssignmentV3.wrap_collection(request.context_dict,
- projects)
+ controller = auth_controllers.Auth()
+ return controller.get_auth_projects(request)
 @dependency.requires('federation_api')
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 0cd4492298..11e30f732e 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
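Review bot: In the `DomainV3` hunk of keystone/federation/controllers.py (and identically in the `ProjectAssignmentV3` hunk after it), the new body hands the request to `auth_controllers.Auth()` with no comment saying why, so a later maintainer could re-inline a local query and let the two endpoints' authorization filtering diverge. I would add `# Delegate to the /v3/auth implementation so both endpoints return the same authorized set.` above the `controller = auth_controllers.Auth()` line in each method. The delegation also drops the calls to `DomainV3.wrap_collection` and `ProjectAssignmentV3.wrap_collection`, so the collection envelope is presumably now built by the Auth controller rather than for the OS-FEDERATION path; worth confirming that clients of these endpoints see the shape they expect. Both method bodies start outside their hunks, so the import of `auth_controllers` and any policy decorator on the methods are not visible here.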
@@ -5090,6 +5090,59 @@ class TestAuthSpecificData(test_v3.RestfulTestCase):
 self.assertThat(r.json['domains'], matchers.HasLength(1))
 self.assertValidDomainListResponse(r)
+ def test_get_projects_matches_federated_get_projects(self):
+ # create at least one addition project to make sure it doesn't end up
+ # in the response, since the user doesn't have any authorization on it
+ ref = unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
+ r = self.post('/projects', body={'project': ref})
+ unauthorized_project_id = r.json['project']['id']
+
+ r = self.get('/auth/projects', expected_status=http_client.OK)
+ self.assertThat(r.json['projects'], matchers.HasLength(1))
+ for project in r.json['projects']:
+ self.assertNotEqual(unauthorized_project_id, project['id'])
+
+ expected_project_id = r.json['projects'][0]['id']
+
+ # call GET /v3/OS-FEDERATION/projects
+ r = self.get('/OS-FEDERATION/projects', expected_status=http_client.OK)
+
+ # make sure the response is the same
+ self.assertThat(r.json['projects'], matchers.HasLength(1))
+ for project in r.json['projects']:
+ self.assertEqual(expected_project_id, project['id'])
+
+ def test_get_domains_matches_federated_get_domains(self):
+ # create at least one addition domain to make sure it doesn't end up
+ # in the response, since the user doesn't have any authorization on it
+ ref = unit.new_domain_ref()
+ r = self.post('/domains', body={'domain': ref})
+ unauthorized_domain_id = r.json['domain']['id']
+
+ ref = unit.new_domain_ref()
+ r = self.post('/domains', body={'domain': ref})
+ authorized_domain_id = r.json['domain']['id']
+
+ path = '/domains/%(domain_id)s/users/%(user_id)s/roles/%(role_id)s' % {
+ 'domain_id': authorized_domain_id,
+ 'user_id': self.user_id,
+ 'role_id': self.role_id
+ }
+ self.put(path, expected_status=http_client.NO_CONTENT)
+
+ r = self.get('/auth/domains', expected_status=http_client.OK)
+ self.assertThat(r.json['domains'], matchers.HasLength(1))
+ self.assertEqual(authorized_domain_id, r.json['domains'][0]['id'])
+ self.assertNotEqual(unauthorized_domain_id, r.json['domains'][0]['id'])
+
+ # call GET /v3/OS-FEDERATION/domains
+ r = self.get('/OS-FEDERATION/domains', expected_status=http_client.OK)
+
+ # make sure the response is the same
+ self.assertThat(r.json['domains'], matchers.HasLength(1))
+ self.assertEqual(authorized_domain_id, r.json['domains'][0]['id'])
+ self.assertNotEqual(unauthorized_domain_id, r.json['domains'][0]['id'])
+
 class TestTrustAuthFernetTokenProvider(TrustAPIBehavior, TestTrustChain):
 def config_overrides(self):
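Review bot: Both new tests appear to exercise only a user with a direct role assignment, so nothing here pins the case the removed controller code handled through `request.auth_context['group_ids']`: a token whose access comes solely from group membership. I would add a companion test that assigns the role to a group instead of the user and asserts that `/auth/projects` and `/OS-FEDERATION/projects` (and the two domain endpoints) still return the same single entry; existing federation tests may already cover this, but that is not visible in this hunk. The "make sure the response is the same" checks compare only the length and one `id`, and collecting the ids from both responses and asserting `self.assertEqual(auth_ids, federated_ids)` would state the invariant directly. Minor: the comments say "addition project" and "addition domain" where "additional" is meant.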