Merge "Fix validation of role assignment subtree list"16.0.0.0rc1

author: Zuul <zuul@review.opendev.org> 2019-09-27 01:42:07 +0000
committer: Gerrit Code Review <review@openstack.org> 2019-09-27 01:42:07 +0000
commit: e860c69831289a800a1d7bb52e8621fc460f260b (patch)
tree: aed23d5096b875dc4f163922704e4459887104cd
parent: f0dd69463a6445aff715520c9834b924a85b5495 (diff)
parent: 12bda9fc3ac975c251232d41e92dd70c7a4e6e7c (diff)
download: keystone-e860c69831289a800a1d7bb52e8621fc460f260b.tar.gz
2 files changed, 12 insertions, 8 deletions
diff --git a/keystone/api/role_assignments.py b/keystone/api/role_assignments.py
index d1cfd90c4..fe81cca0f 100644
--- a/keystone/api/role_assignments.py
+++ b/keystone/api/role_assignments.py
@@ -80,12 +80,12 @@ class RoleAssignmentsResource(ks_flask.ResourceBase):
             'group.id', 'role.id', 'scope.domain.id', 'scope.project.id',
             'scope.OS-INHERIT:inherited_to', 'user.id'
         ]
-        target = {}
+        target = None
         if 'scope.project.id' in flask.request.args:
             project_id = flask.request.args['scope.project.id']
             if project_id:
-                target['project'] = PROVIDERS.resource_api.get_project(
-                    project_id)
+                target = {'project': PROVIDERS.resource_api.get_project(
+                    project_id)}
         ENFORCER.enforce_call(action='identity:list_role_assignments_for_tree',
                               filters=filters, target_attr=target)
         if not flask.request.args.get('scope.project.id'):
diff --git a/keystone/tests/unit/test_v3_assignment.py b/keystone/tests/unit/test_v3_assignment.py
index 3bc15af6e..a81d855ce 100644
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
@@ -2596,11 +2596,15 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
 
     def test_project_id_specified_if_include_subtree_specified(self):
         """When using include_subtree, you must specify a project ID."""
-        self.get('/role_assignments?include_subtree=True',
-                 expected_status=http_client.BAD_REQUEST)
-        self.get('/role_assignments?scope.project.id&'
-                 'include_subtree=True',
-                 expected_status=http_client.BAD_REQUEST)
+        r = self.get('/role_assignments?include_subtree=True',
+                     expected_status=http_client.BAD_REQUEST)
+        error_msg = ("scope.project.id must be specified if include_subtree "
+                     "is also specified")
+        self.assertEqual(error_msg, r.result['error']['message'])
+        r = self.get('/role_assignments?scope.project.id&'
+                     'include_subtree=True',
+                     expected_status=http_client.BAD_REQUEST)
+        self.assertEqual(error_msg, r.result['error']['message'])
 
     def test_get_role_assignments_for_project_tree(self):
         """Get role_assignment?scope.project.id=X&include_subtree``.
author	Zuul <zuul@review.opendev.org>	2019-09-27 01:42:07 +0000
committer	Gerrit Code Review <review@openstack.org>	2019-09-27 01:42:07 +0000
commit	e860c69831289a800a1d7bb52e8621fc460f260b (patch)
tree	aed23d5096b875dc4f163922704e4459887104cd
parent	f0dd69463a6445aff715520c9834b924a85b5495 (diff)
parent	12bda9fc3ac975c251232d41e92dd70c7a4e6e7c (diff)
download	keystone-e860c69831289a800a1d7bb52e8621fc460f260b.tar.gz