diff options
| author | Kristi Nikolla <knikolla@bu.edu> | 2017-04-21 15:31:49 -0400 |
|---|---|---|
| committer | Kristi Nikolla <knikolla@bu.edu> | 2017-05-16 15:31:16 -0400 |
| commit | 0392b36a0d7d3e7cc479b357245da04c949924de (patch) | |
| tree | d53690e5fc41d4401891750b3bea61d4d97ca040 /keystone/tests/unit/assignment/test_backends.py | |
| parent | 6c6589d2b0f308cb788b37b29ebde515304ee41e (diff) | |
| download | keystone-0392b36a0d7d3e7cc479b357245da04c949924de.tar.gz | |
Handle NotFound when listing role assignments for deleted users
Keystone can use an external identity store for the users, and
store assignments for these users in the SQL database that it
manages. When a user has been deleted directly in the external
identity store, these assignments will persist. Therefore when
listing role assignments and asking for names to be included,
keystone will try to get information of the user and fail with
NotFound.
This catches the NotFound exception of the get_user and get_group
calls and fills the user values with and empty string.
Change-Id: Iec3e12f6cd1402e1e3f192b0ede5d608bd41ca1d
Closes-Bug: 1684820
Diffstat (limited to 'keystone/tests/unit/assignment/test_backends.py')
| -rw-r--r-- | keystone/tests/unit/assignment/test_backends.py | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/keystone/tests/unit/assignment/test_backends.py b/keystone/tests/unit/assignment/test_backends.py index 1612e4c1c..5f5b29508 100644 --- a/keystone/tests/unit/assignment/test_backends.py +++ b/keystone/tests/unit/assignment/test_backends.py @@ -579,6 +579,52 @@ class AssignmentTests(AssignmentTestHelperMixin): role_id=uuid.uuid4().hex) self.assertEqual([], assignment_list) + def test_list_role_assignments_user_not_found(self): + def _user_not_found(value): + raise exception.UserNotFound(user_id=value) + + # Note(knikolla): Patch get_user to return UserNotFound + # this simulates the possibility of a user being deleted + # directly in the backend and still having lingering role + # assignments. + with mock.patch.object(self.identity_api, 'get_user', + _user_not_found): + assignment_list = self.assignment_api.list_role_assignments( + include_names=True + ) + + self.assertNotEqual([], assignment_list) + for assignment in assignment_list: + if 'user_name' in assignment: + # Note(knikolla): In the case of a not found user we + # populate the values with empty strings. + self.assertEqual('', assignment['user_name']) + self.assertEqual('', assignment['user_domain_id']) + self.assertEqual('', assignment['user_domain_name']) + + def test_list_role_assignments_group_not_found(self): + def _group_not_found(value): + raise exception.GroupNotFound(group_id=value) + + # Note(knikolla): Patch get_group to return GroupNotFound + # this simulates the case of a group being deleted + # directly in the backend and still having lingering role + # assignments. + with mock.patch.object(self.identity_api, 'get_group', + _group_not_found): + assignment_list = self.assignment_api.list_role_assignments( + include_names=True + ) + + self.assertNotEqual([], assignment_list) + for assignment in assignment_list: + if 'group_name' in assignment: + # Note(knikolla): In the case of a not found group we + # populate the values with empty strings. + self.assertEqual('', assignment['group_name']) + self.assertEqual('', assignment['group_domain_id']) + self.assertEqual('', assignment['group_domain_name']) + def test_add_duplicate_role_grant(self): roles_ref = self.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) |