Merge "Fix for notifications for v2 role grant/delete"

2 files changed, 69 insertions, 6 deletions

diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index b14697c65..901cbfad1 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -261,10 +261,24 @@ class Manager(manager.Manager):
                 tenant_id,
                 CONF.member_role_id)
 
-    def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
-        self.resource_api.get_project(tenant_id)
+    @notifications.role_assignment('created')
+    def _add_role_to_user_and_project_adapter(self, role_id, user_id=None,
+                                              group_id=None, domain_id=None,
+                                              project_id=None,
+                                              inherited_to_projects=False,
+                                              context=None):
+
+        # The parameters for this method must match the parameters for
+        # create_grant so that the notifications.role_assignment decorator
+        # will work.
+
+        self.resource_api.get_project(project_id)
         self.role_api.get_role(role_id)
-        self.driver.add_role_to_user_and_project(user_id, tenant_id, role_id)
+        self.driver.add_role_to_user_and_project(user_id, project_id, role_id)
+
+    def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
+        self._add_role_to_user_and_project_adapter(
+            role_id, user_id=user_id, project_id=tenant_id)
 
     def remove_user_from_project(self, tenant_id, user_id):
         """Remove user from a tenant
@@ -383,12 +397,27 @@ class Manager(manager.Manager):
         return [r for r in self.driver.list_role_assignments()
                 if r['role_id'] == role_id]
 
-    def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
-        self.driver.remove_role_from_user_and_project(user_id, tenant_id,
+    @notifications.role_assignment('deleted')
+    def _remove_role_from_user_and_project_adapter(self, role_id, user_id=None,
+                                                   group_id=None,
+                                                   domain_id=None,
+                                                   project_id=None,
+                                                   inherited_to_projects=False,
+                                                   context=None):
+
+        # The parameters for this method must match the parameters for
+        # delete_grant so that the notifications.role_assignment decorator
+        # will work.
+
+        self.driver.remove_role_from_user_and_project(user_id, project_id,
                                                       role_id)
         self.identity_api.emit_invalidate_user_token_persistence(user_id)
         self.revoke_api.revoke_by_grant(role_id, user_id=user_id,
-                                        project_id=tenant_id)
+                                        project_id=project_id)
+
+    def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
+        self._remove_role_from_user_and_project_adapter(
+            role_id, user_id=user_id, project_id=tenant_id)
 
     @notifications.internal(notifications.INVALIDATE_USER_TOKEN_PERSISTENCE)
     def _emit_invalidate_user_token_persistence(self, user_id):
diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
index 6c5e74221..1b4040951 100644
--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@@ -887,6 +887,40 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
                                    domain=self.domain_id,
                                    group=group['id'])
 
+    def test_add_role_to_user_and_project(self):
+        # A notification is sent when add_role_to_user_and_project is called on
+        # the assignment manager.
+
+        project_ref = self.new_project_ref(self.domain_id)
+        project = self.resource_api.create_project(
+            project_ref['id'], project_ref)
+        tenant_id = project['id']
+
+        self.assignment_api.add_role_to_user_and_project(
+            self.user_id, tenant_id, self.role_id)
+
+        self.assertTrue(self._notifications)
+        note = self._notifications[-1]
+        self.assertEqual(note['action'], 'created.role_assignment')
+        self.assertTrue(note['send_notification_called'])
+
+        self._assert_event(self.role_id, project=tenant_id, user=self.user_id)
+
+    def test_remove_role_from_user_and_project(self):
+        # A notification is sent when remove_role_from_user_and_project is
+        # called on the assignment manager.
+
+        self.assignment_api.remove_role_from_user_and_project(
+            self.user_id, self.project_id, self.role_id)
+
+        self.assertTrue(self._notifications)
+        note = self._notifications[-1]
+        self.assertEqual(note['action'], 'deleted.role_assignment')
+        self.assertTrue(note['send_notification_called'])
+
+        self._assert_event(self.role_id, project=self.project_id,
+                           user=self.user_id)
+
 
 class TestCallbackRegistration(testtools.TestCase):
     def setUp(self):