-rw-r--r-- | keystone/identity/backends/kvs.py | 11 | ||||
-rw-r--r-- | keystone/identity/backends/ldap/core.py | 13 | ||||
-rw-r--r-- | keystone/identity/backends/sql.py | 11 | ||||
-rw-r--r-- | tests/test_backend.py | 10 |
4 files changed, 45 insertions, 0 deletions
diff --git a/keystone/identity/backends/kvs.py b/keystone/identity/backends/kvs.py
index 81909ba5..ad6ca0f1 100644
--- a/keystone/identity/backends/kvs.py
+++ b/keystone/identity/backends/kvs.py
@@ -356,6 +356,17 @@ class Identity(kvs.Base, identity.Driver):
 def delete_role(self, role_id):
 try:
 self.db.delete('role-%s' % role_id)
+ metadata_keys = filter(lambda x: x.startswith("metadata-"),
+ self.db.keys())
+ for key in metadata_keys:
+ tenant_id = key.split('-')[1]
+ user_id = key.split('-')[2]
+ try:
+ self.remove_role_from_user_and_tenant(user_id,
+ tenant_id,
+ role_id)
+ except exception.RoleNotFound:
+ pass
 except exception.NotFound:
 raise exception.RoleNotFound(role_id=role_id)
 role_list = set(self.db.get('role_list', []))
diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 352abd7d..540679c0 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -969,3 +969,16 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
 super(RoleApi, self).update(role_id, role)
 except exception.NotFound:
 raise exception.RoleNotFound(role_id=role_id)
+
+ def delete(self, id):
+ conn = self.get_connection()
+ query = '(objectClass=%s)' % self.object_class
+ tenant_dn = self.tenant_api.tree_dn
+ try:
+ for role_dn, _ in conn.search_s(tenant_dn,
+ ldap.SCOPE_SUBTREE,
+ query):
+ conn.delete_s(role_dn)
+ except ldap.NO_SUCH_OBJECT:
+ pass
+ super(RoleApi, self).delete(id)
diff --git a/keystone/identity/backends/sql.py b/keystone/identity/backends/sql.py
index ebacf973..f8d836ac 100644
--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
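Review bot: In kvs.py's `delete_role`, the cleanup loop recovers the ids with `key.split('-')[1]` and `key.split('-')[2]`, which is only correct while neither tenant_id nor user_id contains a `-`; for an id that does, the helper is called with truncated ids and that user's grant for the deleted role is likely left behind. The key layout is not visible in this hunk, so either confirm ids are always dash-free or take the ids from the stored metadata value instead of parsing the key. The loop also sits inside the outer `try`, so a `NotFound` other than `RoleNotFound` from `remove_role_from_user_and_tenant` (if it can raise one) would surface as `RoleNotFound` after the role record is already gone and would abort the remaining cleanup; the sql.py loop has the same narrow `except`.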
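Review bot: In ldap/core.py's new `RoleApi.delete`, the search filter is `'(objectClass=%s)' % self.object_class` and never mentions `id`, so every role entry under the tenant tree is matched and handed to `conn.delete_s`, not only the grants of the role being deleted. As written, deleting one role appears to strip all role assignments in all tenants. Restrict the filter to the role, e.g. `query = '(&(objectClass=%s)(%s=%s))' % (self.object_class, self.id_attr, ldap.filter.escape_filter_chars(id))`, assuming the base class exposes the id attribute name as `id_attr` (not visible here) and with `import ldap.filter` added. Escaping the value keeps a crafted role id from changing the meaning of the filter.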
@@ -487,6 +487,17 @@ class Identity(sql.Base, identity.Driver):
 def delete_role(self, role_id):
 session = self.get_session()
 with session.begin():
+ metadata_refs = session.query(Metadata)
+ for metadata_ref in metadata_refs:
+ metadata = metadata_ref.to_dict()
+ user_id = metadata['user_id']
+ tenant_id = metadata['tenant_id']
+ try:
+ self.remove_role_from_user_and_tenant(user_id,
+ tenant_id,
+ role_id)
+ except exception.RoleNotFound:
+ pass
 if not session.query(Role).filter_by(id=role_id).delete():
 raise exception.RoleNotFound(role_id=role_id)
 session.flush()
diff --git a/tests/test_backend.py b/tests/test_backend.py
index eb6fa671..696e125d 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -636,6 +636,16 @@ class IdentityTests(object):
 self.identity_api.get_tenant,
 tenant['id'])
+ def test_delete_role_check_role_grant(self):
+ role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+ self.identity_api.create_role(role['id'], role)
+ self.identity_api.add_role_to_user_and_tenant(
+ self.user_foo['id'], self.tenant_bar['id'], role['id'])
+ self.identity_api.delete_role(role['id'])
+ roles_ref = self.identity_api.get_roles_for_user_and_tenant(
+ self.user_foo['id'], self.tenant_bar['id'])
+ self.assertNotIn(role['id'], roles_ref)
+
 class TokenTests(object):
 def test_token_crud(self): |
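Review bot: In sql.py's `delete_role`, the grant cleanup goes through `self.remove_role_from_user_and_tenant(...)` rather than the `session` opened by `with session.begin():`, so unless that helper joins the same transaction (not visible in this hunk) the grant removals commit independently of the role delete and the operation is not atomic. The loop also loads every `Metadata` row and runs before the existence check, so a request for an unknown role id walks all grants before `RoleNotFound` is raised. Consider checking that the role exists first and applying the metadata change on `session` itself.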
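Review bot: `test_delete_role_check_role_grant` only asserts that the deleted role disappears from one user/tenant pair; it never checks that unrelated grants survive, so a backend that removes too much in `delete_role` still passes. Grant a second role to `self.user_foo` on `self.tenant_bar` before the delete and add `self.assertIn(other_role['id'], roles_ref)` after it, where `other_role` is that second role.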