Merge "Expose bug in /role_assignments API with system-scope"

2018-02-14 06:55:47 +00:00 · 2018-02-14 06:55:47 +00:00 · d877d5690b
parent 3a3b3c5b5a a226a3d8be
commit d877d5690b
1 changed files with 57 additions and 0 deletions
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
@ -24,6 +24,7 @@ import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
+from keystone.tests.unit import utils as test_utils


 CONF = keystone.conf.CONF
@ -3591,6 +3592,29 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
        ) % {'project_id': self.project_id}
        self.get(path, expected_status=http_client.BAD_REQUEST)

+    @test_utils.wip("Waiting on fix for bug #1748970")
+    def test_query_for_role_id_does_not_return_system_user_roles(self):
+        system_role_id = self._create_new_role()
+
+        # assign the user a role on the system
+        member_url = '/system/users/%(user_id)s/roles/%(role_id)s' % {
+            'user_id': self.user['id'],
+            'role_id': system_role_id
+        }
+        self.put(member_url)
+
+        # The user has a role on the system and on a project, but self.role_id
+        # is only given to the user on the project. If we ask for role
+        # assignments matching that role for that specific user, we should only
+        # get one back. Instead, we get two back because the role assignment
+        # API isn't filtering out system role assignments when queried for a
+        # specific role.
+        path = (
+            '/role_assignments?role.id=%(role_id)s&user.id=%(user_id)s'
+        ) % {'role_id': self.role_id, 'user_id': self.user['id']}
+        response = self.get(path)
+        self.assertValidRoleAssignmentListResponse(response, expected_length=1)
+

 # FIXME(lbragstad): These tests contain system-level API calls, which means
 # they will log a warning message if they are called with a project-scoped
@ -3860,3 +3884,36 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
            }
        )
        self.assertValidRoleAssignmentListResponse(response, expected_length=0)
+
+    @test_utils.wip("Waiting on fix for bug #1748970")
+    def test_query_for_role_id_does_not_return_system_group_roles(self):
+        system_role_id = self._create_new_role()
+        group = self._create_group()
+
+        # assign the group a role on the system
+        member_url = '/system/groups/%(group_id)s/roles/%(role_id)s' % {
+            'group_id': group['id'],
+            'role_id': system_role_id
+        }
+        self.put(member_url)
+
+        # assign the group a role on the system
+        member_url = (
+            '/projects/%(project_id)s/groups/%(group_id)s/roles/%(role_id)s' %
+            {'project_id': self.project_id,
+             'group_id': group['id'],
+             'role_id': self.role_id}
+        )
+        self.put(member_url)
+
+        # The group has a role on the system and on a project, but self.role_id
+        # is only given to the group on the project. If we ask for role
+        # assignments matching that role for that specific group, we should
+        # only get one back. Instead, we get two back because the role
+        # assignment API isn't filtering out system role assignments when
+        # queried for a specific role.
+        path = (
+            '/role_assignments?role.id=%(role_id)s&group.id=%(group_id)s'
+        ) % {'role_id': self.role_id, 'group_id': group['id']}
+        response = self.get(path)
+        self.assertValidRoleAssignmentListResponse(response, expected_length=1)