1 Upstream patch fixed in Havana 2013.2.1 |
|
2 |
|
3 commit 82dcde08f60c45002955875664a3cf82d1d211bc |
|
4 Author: Brant Knudson <[email protected]> |
|
5 Date: Mon Oct 21 15:21:12 2013 -0500 |
|
6 |
|
7 Fix remove role assignment adds role using LDAP assignment |
|
8 |
|
9 When using the LDAP assignment backend, attempting to remove a |
|
10 role assignment when the role hadn't been used before would |
|
11 actually add the role assignment and would not return a |
|
12 404 Not Found like the SQL backend. |
|
13 |
|
14 This change makes it so that when an attempt is made to remove a role that |

15 wasn't assigned, then 404 Not Found is returned. |
|
16 |
|
17 Closes-Bug: #1242855 |
|
18 Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3 |
|
19 (cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0) |
|
20 (cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa) |
|
21 (cherry picked from commit 4221b6020e6b0b42325d8904d7b8a22577a6acc0) |
|
22 |
|
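diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 8ac7395..3d016c0 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -704,21 +704,10 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
 try:
 conn.modify_s(role_dn, [(ldap.MOD_DELETE,
 self.member_attribute, user_dn)])
-except ldap.NO_SUCH_OBJECT:
-if tenant_id is None or self.get(role_id) is None:
-raise exception.RoleNotFound(role_id=role_id)
-attrs = [('objectClass', [self.object_class]),
-(self.member_attribute, [user_dn])]
-
-if self.use_dumb_member:
-attrs[1][1].append(self.dumb_member)
-try:
-conn.add_s(role_dn, attrs)
-except Exception as inst:
-raise inst
-
-except ldap.NO_SUCH_ATTRIBUTE:
-raise exception.UserNotFound(user_id=user_id)
+except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
+raise exception.RoleNotFound(message=_(
+'Cannot remove role that has not been granted, %s') %
+role_id)
 
 def get_role_assignments(self, tenant_id):
 conn = self.get_connection()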
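Review bot: The new `except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE)` clause folds two different LDAP results into one RoleNotFound without a comment recording why, and the NO_SUCH_ATTRIBUTE case previously surfaced as UserNotFound, so a later reader cannot tell the remapping was deliberate. A comment above the clause such as `# NO_SUCH_OBJECT: no role entry for this project; NO_SUCH_ATTRIBUTE: user is not a member of it. Either way the assignment was never granted, so report 404 like the SQL backend instead of (re)creating the entry.` would capture the intent stated in the commit message. The removed branch used to call `conn.add_s` on a delete path, so any caller that relied on that side effect to lazily create role entries now gets a 404; worth confirming nothing depended on it. The enclosing method begins before the hunk, so whether `conn` is released on the new exception path is not visible here; if the caller does not close it in a `finally`, the raise leaks the LDAP connection.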
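diff --git a/tests/test_backend.py b/tests/test_backend.py
index d4c2e6c..1af3c16 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -57,6 +57,15 @@ class IdentityTests(object):
 user_refs = self.identity_api.get_project_users(self.tenant_bar['id'])
 self.assertNotIn(self.user_two['id'], [x['id'] for x in user_refs])
 
+def test_remove_user_role_not_assigned(self):
+# Expect failure if attempt to remove a role that was never assigned to
+# the user.
+self.assertRaises(exception.RoleNotFound,
+self.identity_api.remove_role_from_user_and_project,
+tenant_id=self.tenant_bar['id'],
+user_id=self.user_two['id'],
+role_id=self.role_other['id'])
+
 def test_authenticate_bad_user(self):
 self.assertRaises(AssertionError,
 self.identity_api.authenticate,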
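Review bot: The new test only checks that RoleNotFound is raised; the defect being fixed was that the failed removal silently granted the assignment, and nothing here verifies the role is still absent afterwards. Adding, after the `assertRaises`, an assertion that `self.role_other['id']` is not in `self.identity_api.get_roles_for_user_and_project(self.user_two['id'], self.tenant_bar['id'])` would pin the regression directly (confirm the helper's argument order against its other uses in this test class). The new comment also reads awkwardly; `# Expect failure on an attempt to remove a role that was never assigned to` would be clearer.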