From 790beed561d96307c84b15a773466e985a6142fc Mon Sep 17 00:00:00 2001
From: Lance Bragstad <lbragstad@gmail.com>
Date: Fri, 29 Jun 2018 19:29:54 +0000
Subject: [PATCH] Reduce duplication in federated auth APIs

The GET /v3/OS-FEDERATION/projects API was introduced to handle
federated user tokens, but now that GET /v3/auth/projects knows
how to handle federated tokens, it's just a duplicated API.

In the past we deprecated the federated auth projects API, but it
still uses a separate code path from GET /v3/auth/projects. Instead
of running the risk that comes with two code paths that do the same
thing, we should consolidate them.

Change-Id: Ib906c42e1dd2c2408ccd2e256ffd876af02af3fe
---
 keystone/federation/controllers.py  | 10 ++-----
 keystone/tests/unit/test_v3_auth.py | 53 +++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 8 deletions(-)

diff --git a/keystone/federation/controllers.py b/keystone/federation/controllers.py
index 42e39ce..e2231f7 100644
--- a/keystone/federation/controllers.py
+++ b/keystone/federation/controllers.py
@@ -484,14 +484,8 @@ class ProjectAssignmentV3(controller.V3Controller):
         :returns: list of accessible projects
 
         """
-        projects = PROVIDERS.assignment_api.list_projects_for_groups(
-            request.auth_context['group_ids'])
-        projects = projects + PROVIDERS.assignment_api.list_projects_for_user(
-            request.auth_context['user_id'])
-        # remove duplicates
-        projects = k_utils.remove_duplicate_dicts_by_id(projects)
-        return ProjectAssignmentV3.wrap_collection(request.context_dict,
-                                                   projects)
+        controller = auth_controllers.Auth()
+        return controller.get_auth_projects(request)
 
 
 class ServiceProvider(_ControllerBase):
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 7109f54..acb0cb1 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -4909,6 +4909,59 @@ class TestAuthSpecificData(test_v3.RestfulTestCase):
     def test_head_projects_with_project_scoped_token(self):
         self.head('/auth/projects', expected_status=http_client.OK)
 
+    def test_get_projects_matches_federated_get_projects(self):
+        # create at least one addition project to make sure it doesn't end up
+        # in the response, since the user doesn't have any authorization on it
+        ref = unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
+        r = self.post('/projects', body={'project': ref})
+        unauthorized_project_id = r.json['project']['id']
+
+        r = self.get('/auth/projects', expected_status=http_client.OK)
+        self.assertThat(r.json['projects'], matchers.HasLength(1))
+        for project in r.json['projects']:
+            self.assertNotEqual(unauthorized_project_id, project['id'])
+
+        expected_project_id = r.json['projects'][0]['id']
+
+        # call GET /v3/OS-FEDERATION/projects
+        r = self.get('/OS-FEDERATION/projects', expected_status=http_client.OK)
+
+        # make sure the response is the same
+        self.assertThat(r.json['projects'], matchers.HasLength(1))
+        for project in r.json['projects']:
+            self.assertEqual(expected_project_id, project['id'])
+
+    def test_get_domains_matches_federated_get_domains(self):
+        # create at least one addition domain to make sure it doesn't end up
+        # in the response, since the user doesn't have any authorization on it
+        ref = unit.new_domain_ref()
+        r = self.post('/domains', body={'domain': ref})
+        unauthorized_domain_id = r.json['domain']['id']
+
+        ref = unit.new_domain_ref()
+        r = self.post('/domains', body={'domain': ref})
+        authorized_domain_id = r.json['domain']['id']
+
+        path = '/domains/%(domain_id)s/users/%(user_id)s/roles/%(role_id)s' % {
+            'domain_id': authorized_domain_id,
+            'user_id': self.user_id,
+            'role_id': self.role_id
+        }
+        self.put(path, expected_status=http_client.NO_CONTENT)
+
+        r = self.get('/auth/domains', expected_status=http_client.OK)
+        self.assertThat(r.json['domains'], matchers.HasLength(1))
+        self.assertEqual(authorized_domain_id, r.json['domains'][0]['id'])
+        self.assertNotEqual(unauthorized_domain_id, r.json['domains'][0]['id'])
+
+        # call GET /v3/OS-FEDERATION/domains
+        r = self.get('/OS-FEDERATION/domains', expected_status=http_client.OK)
+
+        # make sure the response is the same
+        self.assertThat(r.json['domains'], matchers.HasLength(1))
+        self.assertEqual(authorized_domain_id, r.json['domains'][0]['id'])
+        self.assertNotEqual(unauthorized_domain_id, r.json['domains'][0]['id'])
+
     def test_get_domains_with_project_scoped_token(self):
         self.put(path='/domains/%s/users/%s/roles/%s' % (
             self.domain['id'], self.user['id'], self.role['id']))
-- 
2.7.4