Keystone_user should not use disabled projects

When testing the password for a keystone_user resource we need to ensure the project id that is used for testing auth is not disabled causing it to fail and puppet things the password should be changed. Change-Id: Ic4b17a2c750c3162cc609a9469d7422c2084b977 Closes-Bug: 1814906
2019-02-06 15:03:29 +01:00 · 2019-02-06 15:03:29 +01:00 · c2456fcaa8
parent 58dfc07b3a
commit c2456fcaa8
3 changed files with 44 additions and 3 deletions
--- a/lib/puppet/provider/keystone_user/openstack.rb
+++ b/lib/puppet/provider/keystone_user/openstack.rb
@ -121,11 +121,17 @@ Puppet::Type.type(:keystone_user).provide(
      # will know we are doing v3password auth - otherwise, it is not used.  The
      # user_id uniquely identifies the user including domain.
      credentials.username = resource[:name]
+
      # Need to specify a project id to get a project scoped token.  List
-      # all of the projects for the user, and use the id from the first one.
+      # all of the projects for the user, and use the id for the first one
+      # that is enabled then fallback to domain id only.
      projects = self.class.request('project', 'list', ['--user', id, '--long'])
-      if projects && projects[0] && projects[0][:id]
-        credentials.project_id = projects[0][:id]
+      first_project = nil
+      if projects && projects.respond_to?(:each)
+        first_project = projects.detect { |p| p && p[:id] && p[:enabled] == 'True' }
+      end
+      if not first_project.nil?
+        credentials.project_id = first_project[:id]
      else
        # last chance - try a domain scoped token
        credentials.domain_id = domain_id
--- a/releasenotes/notes/keystone_user-bug-1814906-06781a797cd2e051.yaml
+++ b/releasenotes/notes/keystone_user-bug-1814906-06781a797cd2e051.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixed a bug where the keystone_user resource would test the password with
+    a disabled project causing it to think the password was changed when it
+    actually wasn't.
--- a/spec/unit/provider/keystone_user/openstack_spec.rb
+++ b/spec/unit/provider/keystone_user/openstack_spec.rb
@ -172,6 +172,35 @@ ac43ec53d5a74a0b9f51523ae41a29f0
      expect(password).to eq('pass_one')
    end

+    it 'checks the password with some projects disabled' do
+      mock_creds = Puppet::Provider::Openstack::CredentialsV3.new
+      mock_creds.auth_url   = 'http://127.0.0.1:5000'
+      mock_creds.password   = 'pass_one'
+      mock_creds.username   = 'user_one'
+      mock_creds.user_id    = 'project1_id'
+      mock_creds.project_id = 'project-id-2'
+      Puppet::Provider::Openstack::CredentialsV3.expects(:new).returns(mock_creds)
+
+      described_class.expects(:openstack)
+        .with('project', 'list', '--quiet', '--format', 'csv',
+              ['--user', 'user1_id', '--long'])
+        .returns('"ID","Name","Domain ID","Description","Enabled"
+"project-id-1","domain_one","domain1_id","Domain One",False
+"project-id-2","domain_one","domain1_id","Domain One",True
+"project-id-3","domain_one","domain1_id","Domain One",False
+')
+      Puppet::Provider::Openstack.expects(:openstack)
+        .with('token', 'issue', ['--format', 'value'])
+        .returns('2015-05-14T04:06:05Z
+e664a386befa4a30878dcef20e79f167
+8dce2ae9ecd34c199d2877bf319a3d06
+ac43ec53d5a74a0b9f51523ae41a29f0
+')
+      provider.expects(:id).times(2).returns('user1_id')
+      password = provider.password
+      expect(password).to eq('pass_one')
+    end
+
    it 'fails the password check' do
      described_class.expects(:openstack)
        .with('project', 'list', '--quiet', '--format', 'csv',