Merge "Fix validation of role assignment subtree list"

keystone/api/role_assignments.py

@@ -80,12 +80,12 @@ class RoleAssignmentsResource(ks_flask.ResourceBase):
             'group.id', 'role.id', 'scope.domain.id', 'scope.project.id',
             'scope.OS-INHERIT:inherited_to', 'user.id'
         ]
-        target = {}
+        target = None
         if 'scope.project.id' in flask.request.args:
             project_id = flask.request.args['scope.project.id']
             if project_id:
-                target['project'] = PROVIDERS.resource_api.get_project(
+                target = {'project': PROVIDERS.resource_api.get_project(
-                    project_id)
+                    project_id)}
         ENFORCER.enforce_call(action='identity:list_role_assignments_for_tree',
                               filters=filters, target_attr=target)
         if not flask.request.args.get('scope.project.id'):

keystone/tests/unit/test_v3_assignment.py

@@ -2596,11 +2596,15 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
 
     def test_project_id_specified_if_include_subtree_specified(self):
         """When using include_subtree, you must specify a project ID."""
-        self.get('/role_assignments?include_subtree=True',
+        r = self.get('/role_assignments?include_subtree=True',
                      expected_status=http_client.BAD_REQUEST)
-        self.get('/role_assignments?scope.project.id&'
+        error_msg = ("scope.project.id must be specified if include_subtree "
+                     "is also specified")
+        self.assertEqual(error_msg, r.result['error']['message'])
+        r = self.get('/role_assignments?scope.project.id&'
                      'include_subtree=True',
                      expected_status=http_client.BAD_REQUEST)
+        self.assertEqual(error_msg, r.result['error']['message'])
 
     def test_get_role_assignments_for_project_tree(self):
         """Get role_assignment?scope.project.id=X&include_subtree``.