From 3fa997531f757a832aab209d585bb98503e72cc2 Mon Sep 17 00:00:00 2001
From: Lance Bragstad <lbragstad@gmail.com>
Date: Tue, 13 Feb 2018 20:37:03 +0000
Subject: [PATCH] Expose bug in system assignment when deleting groups

Project and domain role assignment are cleaned up when deleting
groups. This commit introduces a test case that shows this isn't the
case for system role assignments. A subsequent patch will implement
a fix to make sure system role assignments are removed when groups
are deleted, to be consistent with project and domain assignments.

Change-Id: I9b452aff144fd8867cdac2f44cbcaa0d1de63a12
Partial-Bug: 1749267
---
 keystone/tests/unit/test_v3_assignment.py | 25 +++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/keystone/tests/unit/test_v3_assignment.py b/keystone/tests/unit/test_v3_assignment.py
index 416c310151..04d937fbcf 100644
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
@@ -24,6 +24,7 @@ import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
+from keystone.tests.unit import utils as test_utils
 
 
 CONF = keystone.conf.CONF
@@ -425,6 +426,30 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
             self.head('/auth/tokens', token=token,
                       expected_status=http_client.UNAUTHORIZED)
 
+    @test_utils.wip("Waiting on a fix for bug #1749267")
+    def test_delete_group_before_removing_system_assignments_succeeds(self):
+        system_role = self._create_new_role()
+        group = self._create_group()
+        path = (
+            '/system/groups/%(group_id)s/roles/%(role_id)s' %
+            {'group_id': group['id'], 'role_id': system_role}
+        )
+        self.put(path)
+
+        response = self.get('/role_assignments')
+        number_of_assignments = len(response.json_body['role_assignments'])
+
+        path = '/groups/%(group_id)s' % {'group_id': group['id']}
+        self.delete(path)
+
+        # The group with the system role assignment is a new group and only has
+        # one role on the system. We should expect one less role assignment in
+        # the list.
+        response = self.get('/role_assignments')
+        self.assertValidRoleAssignmentListResponse(
+            response, expected_length=number_of_assignments - 1
+        )
+
     @unit.skip_if_cache_disabled('assignment')
     def test_delete_grant_from_user_and_project_invalidate_cache(self):
         # create a new project