Merge "Fix operation order in role deletion"

2024-03-12 17:22:35 +00:00 · 2024-03-12 17:22:35 +00:00 · 0ba7fdbd15
parent f3a3f8948a 63556be0e3
commit 0ba7fdbd15
2 changed files with 26 additions and 1 deletions
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@ -1339,10 +1339,10 @@ class RoleManager(manager.Manager):
        ro_opt.check_immutable_delete(resource_ref=role,
                                      resource_type='role',
                                      resource_id=role_id)
-        PROVIDERS.assignment_api.delete_role_assignments(role_id)
        PROVIDERS.assignment_api._send_app_cred_notification_for_role_removal(
            role_id
        )
+        PROVIDERS.assignment_api.delete_role_assignments(role_id)
        self.driver.delete_role(role_id)
        notifications.Audit.deleted(self._ROLE, role_id, initiator)
        self.get_role.invalidate(self, role_id)
--- a/keystone/tests/unit/test_v3_application_credential.py
+++ b/keystone/tests/unit/test_v3_application_credential.py
@ -380,6 +380,31 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
                self.assertNotIn('secret', ac)
                self.assertNotIn('secret_hash', ac)

+    def test_list_application_credentials_with_deleted_role(self):
+        second_role = unit.new_role_ref(name='test_new_role')
+        PROVIDERS.role_api.create_role(second_role['id'], second_role)
+        PROVIDERS.assignment_api.add_role_to_user_and_project(
+            self.user_id, self.project_id, second_role['id'])
+        with self.test_client() as c:
+            token = self.get_scoped_token()
+            resp = c.get('/v3/users/%s/application_credentials' % self.user_id,
+                         expected_status_code=http.client.OK,
+                         headers={'X-Auth-Token': token})
+            self.assertEqual([], resp.json['application_credentials'])
+            roles = [{'id': second_role['id']}]
+            app_cred_body = self._app_cred_body(roles=roles)
+            c.post('/v3/users/%s/application_credentials' % self.user_id,
+                   json=app_cred_body,
+                   expected_status_code=http.client.CREATED,
+                   headers={'X-Auth-Token': token})
+            resp = c.get('/v3/users/%s/application_credentials' % self.user_id,
+                         expected_status_code=http.client.OK,
+                         headers={'X-Auth-Token': token})
+            PROVIDERS.role_api.delete_role(second_role['id'])
+            resp = c.get('/v3/users/%s/application_credentials' % self.user_id,
+                         expected_status_code=http.client.OK,
+                         headers={'X-Auth-Token': token})
+
    def test_list_application_credentials_by_name(self):
        with self.test_client() as c:
            roles = [{'id': self.role_id}]