Merge "Expose bug in /role_assignments API with system-scope"
This commit is contained in:
commit
d877d5690b
|
@ -24,6 +24,7 @@ import keystone.conf
|
|||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit import test_v3
|
||||
from keystone.tests.unit import utils as test_utils
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
|
@ -3591,6 +3592,29 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
|
|||
) % {'project_id': self.project_id}
|
||||
self.get(path, expected_status=http_client.BAD_REQUEST)
|
||||
|
||||
@test_utils.wip("Waiting on fix for bug #1748970")
|
||||
def test_query_for_role_id_does_not_return_system_user_roles(self):
|
||||
system_role_id = self._create_new_role()
|
||||
|
||||
# assign the user a role on the system
|
||||
member_url = '/system/users/%(user_id)s/roles/%(role_id)s' % {
|
||||
'user_id': self.user['id'],
|
||||
'role_id': system_role_id
|
||||
}
|
||||
self.put(member_url)
|
||||
|
||||
# The user has a role on the system and on a project, but self.role_id
|
||||
# is only given to the user on the project. If we ask for role
|
||||
# assignments matching that role for that specific user, we should only
|
||||
# get one back. Instead, we get two back because the role assignment
|
||||
# API isn't filtering out system role assignments when queried for a
|
||||
# specific role.
|
||||
path = (
|
||||
'/role_assignments?role.id=%(role_id)s&user.id=%(user_id)s'
|
||||
) % {'role_id': self.role_id, 'user_id': self.user['id']}
|
||||
response = self.get(path)
|
||||
self.assertValidRoleAssignmentListResponse(response, expected_length=1)
|
||||
|
||||
|
||||
# FIXME(lbragstad): These tests contain system-level API calls, which means
|
||||
# they will log a warning message if they are called with a project-scoped
|
||||
|
@ -3860,3 +3884,36 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
|
|||
}
|
||||
)
|
||||
self.assertValidRoleAssignmentListResponse(response, expected_length=0)
|
||||
|
||||
@test_utils.wip("Waiting on fix for bug #1748970")
|
||||
def test_query_for_role_id_does_not_return_system_group_roles(self):
|
||||
system_role_id = self._create_new_role()
|
||||
group = self._create_group()
|
||||
|
||||
# assign the group a role on the system
|
||||
member_url = '/system/groups/%(group_id)s/roles/%(role_id)s' % {
|
||||
'group_id': group['id'],
|
||||
'role_id': system_role_id
|
||||
}
|
||||
self.put(member_url)
|
||||
|
||||
# assign the group a role on the system
|
||||
member_url = (
|
||||
'/projects/%(project_id)s/groups/%(group_id)s/roles/%(role_id)s' %
|
||||
{'project_id': self.project_id,
|
||||
'group_id': group['id'],
|
||||
'role_id': self.role_id}
|
||||
)
|
||||
self.put(member_url)
|
||||
|
||||
# The group has a role on the system and on a project, but self.role_id
|
||||
# is only given to the group on the project. If we ask for role
|
||||
# assignments matching that role for that specific group, we should
|
||||
# only get one back. Instead, we get two back because the role
|
||||
# assignment API isn't filtering out system role assignments when
|
||||
# queried for a specific role.
|
||||
path = (
|
||||
'/role_assignments?role.id=%(role_id)s&group.id=%(group_id)s'
|
||||
) % {'role_id': self.role_id, 'group_id': group['id']}
|
||||
response = self.get(path)
|
||||
self.assertValidRoleAssignmentListResponse(response, expected_length=1)
|
||||
|
|
Loading…
Reference in New Issue