Delete role does not delete role assignments in tenants (bug 1057436)

Change-Id: I2474c2a74135470162030a243491ced59533c024
2012-10-12 08:49:50 +02:00 · 2012-10-12 08:49:50 +02:00 · d05d112849
parent 8b6b07faed
commit d05d112849
4 changed files with 45 additions and 0 deletions
--- a/keystone/identity/backends/kvs.py
+++ b/keystone/identity/backends/kvs.py
@ -356,6 +356,17 @@ class Identity(kvs.Base, identity.Driver):
    def delete_role(self, role_id):
        try:
            self.db.delete('role-%s' % role_id)
+            metadata_keys = filter(lambda x: x.startswith("metadata-"),
+                                   self.db.keys())
+            for key in metadata_keys:
+                tenant_id = key.split('-')[1]
+                user_id = key.split('-')[2]
+                try:
+                    self.remove_role_from_user_and_tenant(user_id,
+                                                          tenant_id,
+                                                          role_id)
+                except exception.RoleNotFound:
+                    pass
        except exception.NotFound:
            raise exception.RoleNotFound(role_id=role_id)
        role_list = set(self.db.get('role_list', []))
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@ -969,3 +969,16 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
            super(RoleApi, self).update(role_id, role)
        except exception.NotFound:
            raise exception.RoleNotFound(role_id=role_id)
+
+    def delete(self, id):
+        conn = self.get_connection()
+        query = '(objectClass=%s)' % self.object_class
+        tenant_dn = self.tenant_api.tree_dn
+        try:
+            for role_dn, _ in conn.search_s(tenant_dn,
+                                            ldap.SCOPE_SUBTREE,
+                                            query):
+                conn.delete_s(role_dn)
+        except ldap.NO_SUCH_OBJECT:
+            pass
+        super(RoleApi, self).delete(id)
--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
@ -487,6 +487,17 @@ class Identity(sql.Base, identity.Driver):
    def delete_role(self, role_id):
        session = self.get_session()
        with session.begin():
+            metadata_refs = session.query(Metadata)
+            for metadata_ref in metadata_refs:
+                metadata = metadata_ref.to_dict()
+                user_id = metadata['user_id']
+                tenant_id = metadata['tenant_id']
+                try:
+                    self.remove_role_from_user_and_tenant(user_id,
+                                                          tenant_id,
+                                                          role_id)
+                except exception.RoleNotFound:
+                    pass
            if not session.query(Role).filter_by(id=role_id).delete():
                raise exception.RoleNotFound(role_id=role_id)
            session.flush()
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@ -636,6 +636,16 @@ class IdentityTests(object):
                          self.identity_api.get_tenant,
                          tenant['id'])

+    def test_delete_role_check_role_grant(self):
+        role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+        self.identity_api.create_role(role['id'], role)
+        self.identity_api.add_role_to_user_and_tenant(
+            self.user_foo['id'], self.tenant_bar['id'], role['id'])
+        self.identity_api.delete_role(role['id'])
+        roles_ref = self.identity_api.get_roles_for_user_and_tenant(
+            self.user_foo['id'], self.tenant_bar['id'])
+        self.assertNotIn(role['id'], roles_ref)
+

 class TokenTests(object):
    def test_token_crud(self):