From 9e4fe654ed3f2fa4040ccbcd0ccc003f56f9bce2 Mon Sep 17 00:00:00 2001
From: Dolph Mathews
Date: Sun, 25 Mar 2012 12:03:26 -0500
Subject: user-role-crud 404 (bug 963056) user-role-add user-role-remove
Change-Id: I1b3cd019d0d110b01ed175822cdd6c9ddb486412
---
 keystone/identity/backends/kvs.py | 4 ++++
 keystone/identity/backends/sql.py | 4 ++++
 keystone/identity/core.py | 14 +++++++++++++-
 3 files changed, 21 insertions(+), 1 deletion(-) (limited to 'keystone')
diff --git a/keystone/identity/backends/kvs.py b/keystone/identity/backends/kvs.py
index 95286a9f..55bd8f08 100644
--- a/keystone/identity/backends/kvs.py
+++ b/keystone/identity/backends/kvs.py
@@ -144,6 +144,10 @@ class Identity(kvs.Base, identity.Driver):
 if not metadata_ref:
 metadata_ref = {}
 roles = set(metadata_ref.get('roles', []))
+ if role_id not in roles:
+ msg = 'Cannot remove role that has not been granted, %s' % role_id
+ raise exception.RoleNotFound(message=msg)
+
 roles.remove(role_id)
 metadata_ref['roles'] = list(roles)
 self.update_metadata(user_id, tenant_id, metadata_ref)
diff --git a/keystone/identity/backends/sql.py b/keystone/identity/backends/sql.py
index 00dedcba..443ddd3b 100644
--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
@@ -286,6 +286,10 @@ class Identity(sql.Base, identity.Driver):
 is_new = True
 metadata_ref = {}
 roles = set(metadata_ref.get('roles', []))
+ if role_id not in roles:
+ msg = 'Cannot remove role that has not been granted, %s' % role_id
+ raise exception.RoleNotFound(message=msg)
+
 roles.remove(role_id)
 metadata_ref['roles'] = list(roles)
 if not is_new:
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index c2a1041d..ee225264 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
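Review bot: In the keystone/identity/backends/kvs.py hunk (and the identical guard in the sql.py hunk), `exception.RoleNotFound` is raised for a role that exists but is not granted to this user on this tenant, the same exception type core.py raises with `RoleNotFound(role_id=role_id)` when the role itself is unknown, so presumably a client can only tell the two cases apart by the message text. A comment above the guard would record that this is deliberate, for example `# Role exists but is not in this user/tenant grant; reported as not-found like a missing role`. The read of `metadata_ref`, the membership test and `update_metadata` are separate steps, so it is worth confirming how the backends serialize a concurrent grant and revoke on the same user and tenant. The enclosing method starts outside the hunk.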
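Review bot: In the keystone/identity/backends/sql.py hunk the context lines set `is_new = True` and `metadata_ref = {}` (presumably in the branch taken when no metadata row exists), which leaves `roles` empty, so the new guard always raises before `if not is_new:` is reached. By the time that test runs `is_new` can no longer be true, so any create path that follows it (outside this hunk, so inferred) looks unreachable in this method. Either raise directly in the no-metadata case and drop the flag here, or add a comment such as `# is_new implies no roles, so the guard above has already raised`.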
@@ -497,6 +497,12 @@ class RoleController(wsgi.Application):
 if tenant_id is None:
 raise exception.NotImplemented(message='User roles not supported: '
 'tenant_id required')
+ if self.identity_api.get_user(context, user_id) is None:
+ raise exception.UserNotFound(user_id=user_id)
+ if self.identity_api.get_tenant(context, tenant_id) is None:
+ raise exception.TenantNotFound(tenant_id=tenant_id)
+ if self.identity_api.get_role(context, role_id) is None:
+ raise exception.RoleNotFound(role_id=role_id)
 # This still has the weird legacy semantics that adding a role to
 # a user also adds them to a tenant
@@ -517,9 +523,15 @@ class RoleController(wsgi.Application):
 if tenant_id is None:
 raise exception.NotImplemented(message='User roles not supported: '
 'tenant_id required')
+ if self.identity_api.get_user(context, user_id) is None:
+ raise exception.UserNotFound(user_id=user_id)
+ if self.identity_api.get_tenant(context, tenant_id) is None:
+ raise exception.TenantNotFound(tenant_id=tenant_id)
+ if self.identity_api.get_role(context, role_id) is None:
+ raise exception.RoleNotFound(role_id=role_id)
 # This still has the weird legacy semantics that adding a role to
- # a user also adds them to a tenant
+ # a user also adds them to a tenant, so we must follow up on that
 self.identity_api.remove_role_from_user_and_tenant(
 context, user_id, tenant_id, role_id)
 roles = self.identity_api.get_roles_for_user_and_tenant(
-- cgit
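Review bot: The three existence checks added in the @@ -497 hunk of keystone/identity/core.py answer with a distinct not-found error for user, tenant and role, so they should only be reachable once the caller has been authorized. The start of this handler is outside the hunk, so confirm the admin check runs before them; otherwise the differing responses reveal which ids exist to a caller who should not learn that. The same six lines are repeated verbatim in the @@ -517 hunk, and a small private helper on `RoleController` taking `context, user_id, tenant_id, role_id` would keep the two handlers in step. The checks also rely on `get_user`, `get_tenant` and `get_role` returning `None` for an unknown id rather than raising, which deserves a one-line comment.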
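Review bot: The reworded comment in the @@ -517 hunk still describes the add path ("adding a role to a user also adds them to a tenant"), and "so we must follow up on that" does not say what the follow-up is. In the removal handler, wording such as `# Legacy semantics: granting a role also added the user to the tenant, so after revoking we re-read the remaining roles to decide whether to undo that` would explain why `get_roles_for_user_and_tenant` is called next. The code that acts on the result is outside the hunk, so the wording should be adjusted to what it actually does.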