From 74c3e879f4ae1e6ed0af26b13d082915335c4d0b Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Mon, 4 Feb 2013 14:13:56 -0500
Subject: Delete Roles for User and Project LDAP Code was not including the attribute id for the member list Bug 1115519 unit tests show that delete of user with roles assigned is broken for LDAP Change-Id: Icfa7a4a970cb9db544c3c77af9531aae5c1f56b4
---
 keystone/identity/backends/ldap/core.py | 30 ++++++++++++++++++++----------
 tests/test_backend.py | 14 ++++++++++++++
 2 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index ca2177b7..ef7f0bba 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -644,11 +644,15 @@ class ProjectApi(common_ldap.BaseLdap, ApiShimMixin):
 class UserRoleAssociation(object):
     """Role Grant model."""
 
-    def __init__(self, user_id=None, role_id=None, tenant_id=None,
+    def __init__(self, user_id=None, role_id=None, tenant_id=None, id=None,
                  *args, **kw):
         self.user_id = str(user_id)
         self.role_id = role_id
         self.project_id = str(tenant_id)
+        if id is None:
+            self.id = create_role_ref(role_id, tenant_id, user_id)
+        else:
+            self.id = id
 
 
 class GroupRoleAssociation(object):
@@ -661,6 +665,17 @@ class GroupRoleAssociation(object):
         self.project_id = str(tenant_id)
 
 
+def create_role_ref(role_id, tenant_id, user_id):
+    role_id = '' if role_id is None else str(role_id)
+    tenant_id = '' if tenant_id is None else str(tenant_id)
+    user_id = '' if user_id is None else str(user_id)
+    return '%d-%d-%s%s%s' % (len(role_id),
+                             len(tenant_id),
+                             role_id,
+                             tenant_id,
+                             user_id)
+
+
 # TODO(termie): turn this into a data object and move logic to driver
 class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
     DEFAULT_OU = 'ou=Roles'
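Review bot: The new `id=None` keyword on `UserRoleAssociation.__init__` shadows the builtin `id` for the whole constructor body; harmless here because the body never needs the builtin, but `if id is None:` reads oddly without a hint, and since callers presumably pass it by keyword, renaming it now would change the interface. I would keep the name and add one comment above the branch: `# 'id' shadows the builtin on purpose: it is the caller-facing keyword for an existing grant ref`. Note also that when `id` is supplied the constructor does not check it against `create_role_ref(role_id, tenant_id, user_id)`, so an association can be built whose id and fields disagree; if anything later parses the id back (the `_explode_ref` staticmethod in the same file, body not shown), such a mismatch would be carried silently, which is worth a comment or an assertion depending on how callers use it. `create_role_ref` is defined further down the module (next hunk), which is fine since the name is resolved at instantiation time.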
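Review bot: `create_role_ref` is now the single definition of the grant-id format shared by `UserRoleAssociation` and `RoleApi._create_ref`, yet it has no docstring, and the format is exactly what a maintainer needs spelled out because it has to be parsed back elsewhere. I would add under the `def` line: `"""Return the grant id '<len(role)>-<len(tenant)>-<role><tenant><user>'; None parts are encoded as ''."""`, plus a why-comment on the `return`: `# the two length prefixes make the concatenation unambiguous whatever the ids contain`. Encoding `None` as `''` means a grant with a missing tenant gets a `0-` prefix rather than failing; if that is not intended for every caller, a `NOTE` saying so would save the next reader a trip through the callers.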
@@ -685,14 +700,7 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
 
     @staticmethod
     def _create_ref(role_id, tenant_id, user_id):
-        role_id = '' if role_id is None else str(role_id)
-        tenant_id = '' if tenant_id is None else str(tenant_id)
-        user_id = '' if user_id is None else str(user_id)
-        return '%d-%d-%s%s%s' % (len(role_id),
-                                 len(tenant_id),
-                                 role_id,
-                                 tenant_id,
-                                 user_id)
+        return create_role_ref(role_id, tenant_id, user_id)
 
     @staticmethod
     def _explode_ref(rolegrant):
@@ -902,7 +910,9 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
         role_dn = self._subrole_id_to_dn(role_id, tenant_id)
         conn = self.get_connection()
         try:
-            conn.modify_s(role_dn, [(ldap.MOD_DELETE, '', [user_dn])])
+            conn.modify_s(role_dn, [(ldap.MOD_DELETE,
+                                     self.member_attribute,
+                                     [user_dn])])
         except ldap.NO_SUCH_ATTRIBUTE:
             raise exception.Error("No such user in role")
 
diff --git a/tests/test_backend.py b/tests/test_backend.py
index 2967eb55..f8194a80 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -666,6 +666,20 @@ class IdentityTests(object):
                           self.identity_api.get_projects_for_user,
                           user['id'])
 
+    def test_delete_user_with_project_roles(self):
+        user = {'id': uuid.uuid4().hex,
+                'name': uuid.uuid4().hex,
+                'password': uuid.uuid4().hex}
+        self.identity_api.create_user(user['id'], user)
+        self.identity_api.add_role_to_user_and_project(
+            user['id'],
+            self.tenant_bar['id'],
+            self.role_member['id'])
+        self.identity_api.delete_user(user['id'])
+        self.assertRaises(exception.UserNotFound,
+                          self.identity_api.get_projects_for_user,
+                          user['id'])
+
     def test_delete_user_404(self):
         self.assertRaises(exception.UserNotFound,
                           self.identity_api.delete_user,
-- cgit
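Review bot: Now that `conn.modify_s` names `self.member_attribute` instead of `''`, the delete actually reaches the directory, so the error handling around it carries more weight: only `ldap.NO_SUCH_ATTRIBUTE` is translated, and a missing role entry (`ldap.NO_SUCH_OBJECT`, plausible when `role_dn` was never created for that tenant) would escape as a raw python-ldap exception unless the lines above the hunk already check for it. I would add a second clause after the existing one, `except ldap.NO_SUCH_OBJECT: raise exception.RoleNotFound(role_id=role_id)` (or whichever not-found class this tree's `exception` module provides), so callers see a Keystone exception in both cases. The existing `exception.Error("No such user in role")` also drops the original error; `raise exception.Error(...)` from within the `except` keeps the context in Python 3 but a short comment noting that the member value was absent would help. The enclosing method starts before the hunk, and from the trailing blank line it looks like `conn` is not released on either path; worth confirming against `get_connection`'s contract.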
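Review bot: `test_delete_user_with_project_roles` only asserts `UserNotFound` from `get_projects_for_user`, which is satisfied as soon as the user entry is gone and says nothing about whether the role entry's member attribute was cleaned up — the very thing the core.py change fixes. Because the member value is a `user_dn` derived from the user id, a grant left behind would be inherited by any later user created under the same id, so the test should pin the cleanup; with only the APIs already used here that is two more lines after the `assertRaises`: `self.identity_api.create_user(user['id'], user)` followed by `self.assertEqual([], self.identity_api.get_projects_for_user(user['id']))` (adjust the expected value to whatever empty shape the driver returns). A one-line docstring on the test, e.g. `"""Deleting a user must also remove its project role grants."""`, would make the intent clear to the next reader.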