Exposing ambiguity bug when querying role assignments

Test case exposing the issue described in that bug also, adding the expected result commented, to be removed the commented tags, after the bug be fixed. Change-Id: I0e7b181977a1850a9a93472892407817561bfa0a Partial-Bug: 1754677
2018-05-24 17:13:05 -03:00 · 2018-05-24 17:13:05 -03:00 · 9cefb4dfc9
parent 37ce541741
commit 9cefb4dfc9
1 changed files with 56 additions and 0 deletions
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
@ -24,6 +24,7 @@ import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
+from keystone.tests.unit import utils as test_utils


 CONF = keystone.conf.CONF
@ -1978,6 +1979,61 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,

        self._test_list_role_assignments_include_names(role)

+    @test_utils.wip("Skipped until Bug 1754677 is resolved")
+    def test_remove_assignment_for_project_acting_as_domain(self):
+        """Test goal: remove assignment for project acting as domain.
+
+        Ensure when we have two role assignments for the project
+        acting as domain, one dealing with it as a domain and other as a
+        project, we still able to remove those assignments later.
+
+        Test plan:
+        - Create a role and a domain with a user;
+        - Grant a role for this user in this domain;
+        - Grant a role for this user in the same entity as a project;
+        - Ensure that both assignments were created and it was valid;
+        - Remove the domain assignment for the user and show that the project
+        assignment for him still valid
+
+        """
+        role = unit.new_role_ref()
+        PROVIDERS.role_api.create_role(role['id'], role)
+        domain = unit.new_domain_ref()
+        PROVIDERS.resource_api.create_domain(domain['id'], domain)
+        user = unit.create_user(PROVIDERS.identity_api, domain_id=domain['id'])
+
+        assignment_domain = self.build_role_assignment_entity(
+            role_id=role['id'], domain_id=domain['id'], user_id=user['id'],
+            inherited_to_projects=False)
+        assignment_project = self.build_role_assignment_entity(
+            role_id=role['id'], project_id=domain['id'], user_id=user['id'],
+            inherited_to_projects=False)
+
+        self.put(assignment_domain['links']['assignment'])
+        self.put(assignment_project['links']['assignment'])
+
+        collection_url = '/role_assignments?user.id=%(user_id)s' % (
+                         {'user_id': user['id']})
+        result = self.get(collection_url)
+        # We have two role assignments based in both roles for the domain and
+        # project scope
+        self.assertValidRoleAssignmentListResponse(
+            result, expected_length=2, resource_url=collection_url)
+        self.assertRoleAssignmentInListResponse(result, assignment_domain)
+
+        domain_url = '/domains/%s/users/%s/roles/%s' % (
+            domain['id'], user['id'], role['id'])
+        self.delete(domain_url)
+
+        collection_url = '/role_assignments?user.id=%(user_id)s' % (
+                         {'user_id': user['id']})
+        result = self.get(collection_url)
+        # Now we only have one assignment for the project scope since the
+        # domain scope was removed.
+        self.assertValidRoleAssignmentListResponse(
+            result, expected_length=1, resource_url=collection_url)
+        self.assertRoleAssignmentInListResponse(result, assignment_project)
+
    def test_list_inherited_role_assignments_include_names(self):
        """Call ``GET /role_assignments?include_names``.