Fix remove role assignment adds role using LDAP assignment

When using the LDAP assignment backend, attempting to remove a role assignment when the role hadn't been used before would actually add the role assignment and would not return a 404 Not Found like the SQL backend. This change makes it so that when attempt to remove a role that wasn't assigned then 404 Not Found is returned. Closes-Bug: #1242855 Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3 (cherry picked from commit c6800ca1ac) (cherry picked from commit b17e7bec76)
2013-10-21 15:21:12 -05:00 · 2013-10-21 15:21:12 -05:00 · 4221b6020e
parent e6adb2f75a
commit 4221b6020e
2 changed files with 13 additions and 14 deletions
--- a/keystone/assignment/backends/ldap.py
+++ b/keystone/assignment/backends/ldap.py
@ -426,20 +426,10 @@ class RoleApi(common_ldap.BaseLdap):
        try:
            conn.modify_s(role_dn, [(ldap.MOD_DELETE,
                                     self.member_attribute, user_dn)])
-        except ldap.NO_SUCH_OBJECT:
-            if tenant_dn is None:
-                raise exception.RoleNotFound(role_id=role_id)
-            attrs = [('objectClass', [self.object_class]),
-                     (self.member_attribute, [user_dn])]
-
-            if self.use_dumb_member:
-                attrs[1][1].append(self.dumb_member)
-            try:
-                conn.add_s(role_dn, attrs)
-            except Exception as inst:
-                raise inst
-        except ldap.NO_SUCH_ATTRIBUTE:
-            raise exception.UserNotFound(user_id=user_id)
+        except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
+            raise exception.RoleNotFound(message=_(
+                'Cannot remove role that has not been granted, %s') %
+                role_id)
        finally:
            conn.unbind_s()

--- a/keystone/tests/test_backend.py
+++ b/keystone/tests/test_backend.py
@ -61,6 +61,15 @@ class IdentityTests(object):
            self.tenant_bar['id'])
        self.assertNotIn(self.user_two['id'], user_ids)

+    def test_remove_user_role_not_assigned(self):
+        # Expect failure if attempt to remove a role that was never assigned to
+        # the user.
+        self.assertRaises(exception.RoleNotFound,
+                          self.identity_api.remove_role_from_user_and_project,
+                          tenant_id=self.tenant_bar['id'],
+                          user_id=self.user_two['id'],
+                          role_id=self.role_other['id'])
+
    def test_authenticate_bad_user(self):
        self.assertRaises(AssertionError,
                          self.identity_api.authenticate,