From 48904c8748ade880bb76e345dfdf64386a43ea89 Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Fri, 18 Apr 2014 11:18:42 -0500
Subject: [PATCH 1/3] Enhance tests for get_roles_for_user_and_project for group=user id

There was no test showing what the assignment manager's get_roles_for_user_and_project() method returned when there's a group with the same ID as a user and only the group is granted a role on the project. Turns out that for the SQL and LDAP assignment backends, the role is returned even though the user doesn't have the role.

Change-Id: I88909d68d035cf48315c3249234a5dc24cbb4a5f
Related-Bug: #1309228
---
 keystone/tests/test_backend.py | 37 +++++++++++++++++++++++++++++++++
 keystone/tests/test_backend_ldap.py | 39 +++++++++++++++++++++++++++++++++++
 keystone/tests/test_backend_sql.py | 39 +++++++++++++++++++++++++++++++++++
 3 files changed, 115 insertions(+)
diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py
index cf3b969..8e484fc 100644
--- a/keystone/tests/test_backend.py
+++ b/keystone/tests/test_backend.py
@@ -1379,6 +1379,43 @@ class IdentityTests(object):
 self.assertIn(role_list[1]['id'], combined_role_list)
 self.assertIn(role_list[2]['id'], combined_role_list)
+ def test_get_roles_for_user_and_project_user_group_same_id(self):
+ """When a user has the same ID as a group,
+ get_roles_for_user_and_project returns only the roles for the user and
+ not the group.
+
+ """
+
+ # Setup: create user, group with same ID, role, and project;
+ # assign the group the role on the project.
+
+ user_group_id = uuid.uuid4().hex
+
+ user1 = {'id': user_group_id, 'name': uuid.uuid4().hex,
+ 'domain_id': DEFAULT_DOMAIN_ID, }
+ self.identity_api.create_user(user_group_id, user1)
+
+ group1 = {'id': user_group_id, 'name': uuid.uuid4().hex,
+ 'domain_id': DEFAULT_DOMAIN_ID, }
+ self.identity_api.create_group(user_group_id, group1)
+
+ role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+ self.assignment_api.create_role(role1['id'], role1)
+
+ project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
+ 'domain_id': DEFAULT_DOMAIN_ID, }
+ self.assignment_api.create_project(project1['id'], project1)
+
+ self.assignment_api.create_grant(role1['id'],
+ group_id=user_group_id,
+ project_id=project1['id'])
+
+ # Check the roles, shouldn't be any since the user wasn't granted any.
+ roles = self.assignment_api.get_roles_for_user_and_project(
+ user_group_id, project1['id'])
+
+ self.assertEqual([], roles, 'role for group is %s' % role1['id'])
+
 def test_delete_role_with_user_and_group_grants(self):
 role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
 self.assignment_api.create_role(role1['id'], role1)
diff --git a/keystone/tests/test_backend_ldap.py b/keystone/tests/test_backend_ldap.py
index 4e17c86..55a8217 100644
--- a/keystone/tests/test_backend_ldap.py
+++ b/keystone/tests/test_backend_ldap.py
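Review bot: The final `assertEqual([], roles, ...)` in test_get_roles_for_user_and_project_user_group_same_id can pass vacuously, because nothing in the test confirms that the group grant made by `create_grant` is actually in place before the user's roles are read. This test guards an authorization boundary (a user must not pick up a role granted only to a group that shares its ID), so a positive control before the check would make the empty result meaningful, for example asserting that `self.assignment_api.list_grants(group_id=user_group_id, project_id=project1['id'])` is non-empty. The failure message `'role for group is %s'` would also read better as a statement of what went wrong, such as `'user was given the group role %s'`. The enclosing class IdentityTests continues outside the hunk.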
@@ -591,6 +591,45 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
 self.assertThat(ref_list, matchers.Equals([group]))
+ def test_get_roles_for_user_and_project_user_group_same_id(self):
+ """When a user has the same ID as a group,
+ get_roles_for_user_and_project returns the roles for the group.
+
+ Overriding this test for LDAP because it works differently. The role
+ for the group is returned. This is bug 1309228.
+ """
+
+ # Setup: create user, group with same ID, role, and project;
+ # assign the group the role on the project.
+
+ user_group_id = uuid.uuid4().hex
+
+ user1 = {'id': user_group_id, 'name': uuid.uuid4().hex,
+ 'domain_id': CONF.identity.default_domain_id, }
+ self.identity_api.create_user(user_group_id, user1)
+
+ group1 = {'id': user_group_id, 'name': uuid.uuid4().hex,
+ 'domain_id': CONF.identity.default_domain_id, }
+ self.identity_api.create_group(user_group_id, group1)
+
+ role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+ self.assignment_api.create_role(role1['id'], role1)
+
+ project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
+ 'domain_id': CONF.identity.default_domain_id, }
+ self.assignment_api.create_project(project1['id'], project1)
+
+ self.assignment_api.create_grant(role1['id'],
+ group_id=user_group_id,
+ project_id=project1['id'])
+
+ # Check the roles, shouldn't be any since the user wasn't granted any.
+ roles = self.assignment_api.get_roles_for_user_and_project(
+ user_group_id, project1['id'])
+
+ self.assertEqual([role1['id']], roles,
+ 'role for group is %s' % role1['id'])
+
 class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
diff --git a/keystone/tests/test_backend_sql.py b/keystone/tests/test_backend_sql.py
index 6c0aa35..9d7c3a8 100644
--- a/keystone/tests/test_backend_sql.py
+++ b/keystone/tests/test_backend_sql.py
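Review bot: The comment `# Check the roles, shouldn't be any since the user wasn't granted any.` was carried over from the base test and contradicts the assertion below it, which expects `[role1['id']]`; the SQL override in keystone/tests/test_backend_sql.py has the same stale comment. These overrides pin a known authorization defect (a user receiving a role that was granted only to a group with the same ID), so the comment should say that explicitly, e.g. `# Bug 1309228: the group's role is wrongly returned for the user; expect [] once fixed.` The docstring could also state that the override is to be deleted when the bug is fixed, so the base-class expectation of an empty list applies to this backend again. The enclosing class BaseLDAPIdentity continues outside the hunk.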
@@ -320,6 +320,45 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
 self.assertNotIn('default_project_id', user_ref)
 session.close()
+ def test_get_roles_for_user_and_project_user_group_same_id(self):
+ """When a user has the same ID as a group,
+ get_roles_for_user_and_project returns the roles for the group.
+
+ Overriding this test for sql because it works differently. The role for
+ the group is returned. This is bug 1309228.
+ """
+
+ # Setup: create user, group with same ID, role, and project;
+ # assign the group the role on the project.
+
+ user_group_id = uuid.uuid4().hex
+
+ user1 = {'id': user_group_id, 'name': uuid.uuid4().hex,
+ 'domain_id': DEFAULT_DOMAIN_ID, }
+ self.identity_api.create_user(user_group_id, user1)
+
+ group1 = {'id': user_group_id, 'name': uuid.uuid4().hex,
+ 'domain_id': DEFAULT_DOMAIN_ID, }
+ self.identity_api.create_group(user_group_id, group1)
+
+ role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+ self.assignment_api.create_role(role1['id'], role1)
+
+ project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
+ 'domain_id': DEFAULT_DOMAIN_ID, }
+ self.assignment_api.create_project(project1['id'], project1)
+
+ self.assignment_api.create_grant(role1['id'],
+ group_id=user_group_id,
+ project_id=project1['id'])
+
+ # Check the roles, shouldn't be any since the user wasn't granted any.
+ roles = self.assignment_api.get_roles_for_user_and_project(
+ user_group_id, project1['id'])
+
+ self.assertEqual([role1['id']], roles,
+ 'role for group is %s' % role1['id'])
+
 class SqlTrust(SqlTests, test_backend.TrustTests):
 pass
--
1.7.9.5