authorDolph Mathews <dolph.mathews@gmail.com>2013-06-03 14:46:53 -0500
committerDolph Mathews <dolph.mathews@gmail.com>2013-06-03 14:48:06 -0500
commit3d5b6ddce97c53fdafba1f51159e8243723a026f (patch)
tree85e3dabf27cea8b0e50e53b3e568060783c2a566
parentcd349711bc6210bf35952c5f71bb92ab7676bd2d (diff)
remove_role_from_user_and_project affecting all users (bug 1170649)
Change-Id: I2333404991114e6985f3f2c4de4fb30dc3195b2d
-rw-r--r--keystone/identity/backends/sql.py1
-rw-r--r--tests/test_v3_auth.py53
2 files changed, 54 insertions, 0 deletions
diff --git a/keystone/identity/backends/sql.py b/keystone/identity/backends/sql.py
index 71cab057..50b297ff 100644
--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
@@ -431,6 +431,7 @@ class Identity(sql.Base, identity.Driver):
else:
session = self.get_session()
q = session.query(UserProjectGrant)
+ q = q.filter_by(user_id=user_id)
q = q.filter_by(project_id=tenant_id)
q.delete()
except exception.MetadataNotFound:
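Review bot: The bulk `q.delete()` in this else branch carries no comment on how far it reaches, and that scope is the whole point of the fix. Without the added `user_id` filter the query matches every `UserProjectGrant` row for the project, so revoking one user's role removes other users' grants as well. I would add above the query `# Delete only this user's grant on this project; dropping either filter widens the delete to other users or projects.` Since SQLAlchemy's `Query.delete()` returns the number of matched rows, the code could also log or check that count so an over-broad delete gets noticed. The enclosing method starts and ends outside the hunk, so whether the delete runs inside a transaction cannot be judged from here.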
diff --git a/tests/test_v3_auth.py b/tests/test_v3_auth.py
index 1ee3719d..c9d1edfb 100644
--- a/tests/test_v3_auth.py
+++ b/tests/test_v3_auth.py
@@ -697,6 +697,59 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
headers={'X-Subject-Token': token2},
expected_status=401)
+ def test_removing_role_assignment_does_not_affect_other_users(self):
+ """Revoking a role from one user should not affect other users."""
+ r = self.post(
+ '/auth/tokens',
+ body=self.build_authentication_request(
+ user_id=self.user1['id'],
+ password=self.user1['password'],
+ project_id=self.projectA['id']))
+ user1_token = r.headers.get('X-Subject-Token')
+
+ r = self.post(
+ '/auth/tokens',
+ body=self.build_authentication_request(
+ user_id=self.user3['id'],
+ password=self.user3['password'],
+ project_id=self.projectA['id']))
+ user3_token = r.headers.get('X-Subject-Token')
+
+ # delete relationships between user1 and projectA from setUp
+ self.delete(
+ '/projects/%(project_id)s/users/%(user_id)s/roles/%(role_id)s' % {
+ 'project_id': self.projectA['id'],
+ 'user_id': self.user1['id'],
+ 'role_id': self.role1['id']})
+ self.delete(
+ '/projects/%(project_id)s/groups/%(group_id)s/roles/%(role_id)s' %
+ {'project_id': self.projectA['id'],
+ 'group_id': self.group1['id'],
+ 'role_id': self.role1['id']})
+
+ # authorization for the first user should now fail
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': user1_token},
+ expected_status=401)
+ self.post(
+ '/auth/tokens',
+ body=self.build_authentication_request(
+ user_id=self.user1['id'],
+ password=self.user1['password'],
+ project_id=self.projectA['id']),
+ expected_status=401)
+
+ # authorization for the second user should still succeed
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': user3_token},
+ expected_status=204)
+ self.post(
+ '/auth/tokens',
+ body=self.build_authentication_request(
+ user_id=self.user3['id'],
+ password=self.user3['password'],
+ project_id=self.projectA['id']))
+
class TestAuthJSON(test_v3.RestfulTestCase):
content_type = 'json'
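Review bot: The two `self.delete(...)` calls and the final `self.post('/auth/tokens', ...)` for user3 pass no `expected_status`, so catching a failed revoke or a failed re-authentication depends on the helper's default, which is not visible in this hunk. Making them explicit, e.g. `expected_status=204` on the deletes and `expected_status=201` on the last post, would keep this regression check for an authorization bug self-contained. The test also relies on the `user1`, `user3`, `group1`, `role1` and `projectA` fixtures from setUp, which is outside the hunk. A short comment stating how user3 obtains its role on projectA (presumably a direct grant rather than through group1) would make clear why removing the group grant must not affect it.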