Merge "Expose bug in /role_assignments API with system-scope"
This commit is contained in:
commit
d877d5690b
|
@ -24,6 +24,7 @@ import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.tests import unit
|
from keystone.tests import unit
|
||||||
from keystone.tests.unit import test_v3
|
from keystone.tests.unit import test_v3
|
||||||
|
from keystone.tests.unit import utils as test_utils
|
||||||
|
|
||||||
|
|
||||||
CONF = keystone.conf.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
@ -3591,6 +3592,29 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
|
||||||
) % {'project_id': self.project_id}
|
) % {'project_id': self.project_id}
|
||||||
self.get(path, expected_status=http_client.BAD_REQUEST)
|
self.get(path, expected_status=http_client.BAD_REQUEST)
|
||||||
|
|
||||||
|
@test_utils.wip("Waiting on fix for bug #1748970")
|
||||||
|
def test_query_for_role_id_does_not_return_system_user_roles(self):
|
||||||
|
system_role_id = self._create_new_role()
|
||||||
|
|
||||||
|
# assign the user a role on the system
|
||||||
|
member_url = '/system/users/%(user_id)s/roles/%(role_id)s' % {
|
||||||
|
'user_id': self.user['id'],
|
||||||
|
'role_id': system_role_id
|
||||||
|
}
|
||||||
|
self.put(member_url)
|
||||||
|
|
||||||
|
# The user has a role on the system and on a project, but self.role_id
|
||||||
|
# is only given to the user on the project. If we ask for role
|
||||||
|
# assignments matching that role for that specific user, we should only
|
||||||
|
# get one back. Instead, we get two back because the role assignment
|
||||||
|
# API isn't filtering out system role assignments when queried for a
|
||||||
|
# specific role.
|
||||||
|
path = (
|
||||||
|
'/role_assignments?role.id=%(role_id)s&user.id=%(user_id)s'
|
||||||
|
) % {'role_id': self.role_id, 'user_id': self.user['id']}
|
||||||
|
response = self.get(path)
|
||||||
|
self.assertValidRoleAssignmentListResponse(response, expected_length=1)
|
||||||
|
|
||||||
|
|
||||||
# FIXME(lbragstad): These tests contain system-level API calls, which means
|
# FIXME(lbragstad): These tests contain system-level API calls, which means
|
||||||
# they will log a warning message if they are called with a project-scoped
|
# they will log a warning message if they are called with a project-scoped
|
||||||
|
@ -3860,3 +3884,36 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
self.assertValidRoleAssignmentListResponse(response, expected_length=0)
|
self.assertValidRoleAssignmentListResponse(response, expected_length=0)
|
||||||
|
|
||||||
|
@test_utils.wip("Waiting on fix for bug #1748970")
|
||||||
|
def test_query_for_role_id_does_not_return_system_group_roles(self):
|
||||||
|
system_role_id = self._create_new_role()
|
||||||
|
group = self._create_group()
|
||||||
|
|
||||||
|
# assign the group a role on the system
|
||||||
|
member_url = '/system/groups/%(group_id)s/roles/%(role_id)s' % {
|
||||||
|
'group_id': group['id'],
|
||||||
|
'role_id': system_role_id
|
||||||
|
}
|
||||||
|
self.put(member_url)
|
||||||
|
|
||||||
|
# assign the group a role on the system
|
||||||
|
member_url = (
|
||||||
|
'/projects/%(project_id)s/groups/%(group_id)s/roles/%(role_id)s' %
|
||||||
|
{'project_id': self.project_id,
|
||||||
|
'group_id': group['id'],
|
||||||
|
'role_id': self.role_id}
|
||||||
|
)
|
||||||
|
self.put(member_url)
|
||||||
|
|
||||||
|
# The group has a role on the system and on a project, but self.role_id
|
||||||
|
# is only given to the group on the project. If we ask for role
|
||||||
|
# assignments matching that role for that specific group, we should
|
||||||
|
# only get one back. Instead, we get two back because the role
|
||||||
|
# assignment API isn't filtering out system role assignments when
|
||||||
|
# queried for a specific role.
|
||||||
|
path = (
|
||||||
|
'/role_assignments?role.id=%(role_id)s&group.id=%(group_id)s'
|
||||||
|
) % {'role_id': self.role_id, 'group_id': group['id']}
|
||||||
|
response = self.get(path)
|
||||||
|
self.assertValidRoleAssignmentListResponse(response, expected_length=1)
|
||||||
|
|
Loading…
Reference in New Issue