authorHenry Nash <henryn@linux.vnet.ibm.com>2013-07-05 06:04:25 +0100
committerHenry Nash <henryn@linux.vnet.ibm.com>2013-07-06 16:36:26 +0100
commit22e3fb773176dd9a8bbf41b5268564bc0e4ed6f1 (patch)
treebefd0f8ebadd234a539cddaed527d87fa3f1fcb5 /tests/test_backend.py
parent6450f75deffa9a63fc77dbf9d4d35ad7e11feaf2 (diff)
Fix issue with v3 tokens and group membership roles
The driver calls used by v3 token controllers to obtain roles for a user on both project and domain were incorrectly implemented, leading to roles being missed out of the token. v2 tokens are not affected, since they don't use the same driver calls. This fixes these functions and adds additional tests to cover the cases (all of which would fail without this patch). As part of this fix, the implementation of get_roles_for_user_and_project() is pulled up into the driver class (like the domain equivalent is already), since, for all implementations, it is independent of backend technology. Fixes bug 1197874 Change-Id: I59b6882d93bdc8372be03fed0b390b002a6d0320
Diffstat (limited to 'tests/test_backend.py')
-rw-r--r--tests/test_backend.py101
1 files changed, 100 insertions, 1 deletions
diff --git a/tests/test_backend.py b/tests/test_backend.py
index ea40cd8b..ebf94924 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -1081,7 +1081,7 @@ class IdentityTests(object):
def test_multi_role_grant_by_user_group_on_project_domain(self):
role_list = []
- for _ in range(8):
+ for _ in range(10):
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.identity_api.create_role(role['id'], role)
role_list.append(role)
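Review bot: The loop now creates ten roles, but the assertions added in the second hunk still reference only `role_list[0]` to `role_list[7]`, and the unchanged lines in between cannot have used index 8 or 9 under the old `range(8)`, so the two extra roles look unused. If they are meant as never-granted controls, a comment at the loop should say so, e.g. `# roles 8 and 9 are never granted and must not appear in any result`, and the combined checks could state it directly with `self.assertNotIn(role_list[8]['id'], combined_role_list)`. The body of test_multi_role_grant_by_user_group_on_project_domain continues outside this hunk, so the grants themselves are not visible here.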
@@ -1150,6 +1150,105 @@ class IdentityTests(object):
self.assertIn(role_list[6], roles_ref)
self.assertIn(role_list[7], roles_ref)
+ # Now test the alternate way of getting back lists of grants,
+ # where user and group roles are combined. These should match
+ # the above results.
+ combined_role_list = self.identity_api.get_roles_for_user_and_project(
+ user1['id'], project1['id'])
+ self.assertEquals(len(combined_role_list), 4)
+ self.assertIn(role_list[4]['id'], combined_role_list)
+ self.assertIn(role_list[5]['id'], combined_role_list)
+ self.assertIn(role_list[6]['id'], combined_role_list)
+ self.assertIn(role_list[7]['id'], combined_role_list)
+
+ combined_role_list = self.identity_api.get_roles_for_user_and_domain(
+ user1['id'], domain1['id'])
+ self.assertEquals(len(combined_role_list), 4)
+ self.assertIn(role_list[0]['id'], combined_role_list)
+ self.assertIn(role_list[1]['id'], combined_role_list)
+ self.assertIn(role_list[2]['id'], combined_role_list)
+ self.assertIn(role_list[3]['id'], combined_role_list)
+
+ def test_multi_group_grants_on_project_domain(self):
+ """Test multiple group roles for user on project and domain.
+
+ Test Plan:
+ - Create 6 roles
+ - Create a domain, with a project, user and two groups
+ - Make the user a member of both groups
+ - Check no roles yet exit
+ - Assign a role to each user and both groups on both the
+ project and domain
+ - Get a list of effective roles for the user on both the
+ project and domain, checking we get back the correct three
+ roles
+
+ """
+ role_list = []
+ for _ in range(6):
+ role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+ self.identity_api.create_role(role['id'], role)
+ role_list.append(role)
+ domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+ self.identity_api.create_domain(domain1['id'], domain1)
+ user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
+ 'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
+ 'enabled': True}
+ self.identity_api.create_user(user1['id'], user1)
+ group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
+ 'domain_id': domain1['id'], 'enabled': True}
+ self.identity_api.create_group(group1['id'], group1)
+ group2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
+ 'domain_id': domain1['id'], 'enabled': True}
+ self.identity_api.create_group(group2['id'], group2)
+ project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
+ 'domain_id': domain1['id']}
+ self.identity_api.create_project(project1['id'], project1)
+
+ self.identity_api.add_user_to_group(user1['id'],
+ group1['id'])
+ self.identity_api.add_user_to_group(user1['id'],
+ group2['id'])
+
+ roles_ref = self.identity_api.list_grants(
+ user_id=user1['id'],
+ project_id=project1['id'])
+ self.assertEquals(len(roles_ref), 0)
+ self.identity_api.create_grant(user_id=user1['id'],
+ domain_id=domain1['id'],
+ role_id=role_list[0]['id'])
+ self.identity_api.create_grant(group_id=group1['id'],
+ domain_id=domain1['id'],
+ role_id=role_list[1]['id'])
+ self.identity_api.create_grant(group_id=group2['id'],
+ domain_id=domain1['id'],
+ role_id=role_list[2]['id'])
+ self.identity_api.create_grant(user_id=user1['id'],
+ project_id=project1['id'],
+ role_id=role_list[3]['id'])
+ self.identity_api.create_grant(group_id=group1['id'],
+ project_id=project1['id'],
+ role_id=role_list[4]['id'])
+ self.identity_api.create_grant(group_id=group2['id'],
+ project_id=project1['id'],
+ role_id=role_list[5]['id'])
+
+ # Read by the roles, ensuring we get the correct 3 roles for
+ # both project and domain
+ combined_role_list = self.identity_api.get_roles_for_user_and_project(
+ user1['id'], project1['id'])
+ self.assertEquals(len(combined_role_list), 3)
+ self.assertIn(role_list[3]['id'], combined_role_list)
+ self.assertIn(role_list[4]['id'], combined_role_list)
+ self.assertIn(role_list[5]['id'], combined_role_list)
+
+ combined_role_list = self.identity_api.get_roles_for_user_and_domain(
+ user1['id'], domain1['id'])
+ self.assertEquals(len(combined_role_list), 3)
+ self.assertIn(role_list[0]['id'], combined_role_list)
+ self.assertIn(role_list[1]['id'], combined_role_list)
+ self.assertIn(role_list[2]['id'], combined_role_list)
+
def test_delete_role_with_user_and_group_grants(self):
role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.identity_api.create_role(role1['id'], role1)
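Review bot: test_multi_group_grants_on_project_domain only checks that the expected roles are present for a user who belongs to both groups; nothing covers the opposite direction, where a user outside the groups must not pick up the group grants. Per the commit description these driver calls supply the roles for v3 tokens, so an over-grant after merging group roles is the regression most worth pinning, and the length checks on user1 cannot detect it. A second user in the same domain who joins neither group, with both combined calls asserted empty, would cover it; the fence assumes the calls return an empty list for a user with no grants. The docstring's "Check no roles yet exit" should read "exist", and that step only checks the user's grants on the project.

```python
        self.assertIn(role_list[2]['id'], combined_role_list)

        # A user in the same domain who belongs to neither group must not
        # inherit any of the group grants.
        user2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
                 'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
                 'enabled': True}
        self.identity_api.create_user(user2['id'], user2)
        self.assertEqual(
            0, len(self.identity_api.get_roles_for_user_and_project(
                user2['id'], project1['id'])))
        self.assertEqual(
            0, len(self.identity_api.get_roles_for_user_and_domain(
                user2['id'], domain1['id'])))
```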