"Fossies" - the Fresh Open Source Software Archive

Member "keystone-16.0.2/keystone/tests/unit/assignment/test_backends.py" (7 Jun 2021, 192868 Bytes) of package /linux/misc/openstack/keystone-16.0.2.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_backends.py": 16.0.1_vs_16.0.2.

    1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 # not use this file except in compliance with the License. You may obtain
    3 # a copy of the License at
    4 #
    5 #      http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 # Unless required by applicable law or agreed to in writing, software
    8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 # License for the specific language governing permissions and limitations
   11 # under the License.
   12 
   13 import uuid
   14 
   15 import mock
   16 from six.moves import range
   17 from testtools import matchers
   18 
   19 from keystone.common import provider_api
   20 import keystone.conf
   21 from keystone import exception
   22 from keystone.tests import unit
   23 from keystone.tests.unit import default_fixtures
   24 
   25 
   26 CONF = keystone.conf.CONF
   27 PROVIDERS = provider_api.ProviderAPIs
   28 
   29 
   30 class AssignmentTestHelperMixin(object):
   31     """Mixin class to aid testing of assignments.
   32 
   33     This class supports data driven test plans that enable:
   34 
   35     - Creation of initial entities, such as domains, users, groups, projects
   36       and roles
   37     - Creation of assignments referencing the above entities
   38     - A set of input parameters and expected outputs to list_role_assignments
   39       based on the above test data
   40 
   41     A test plan is a dict of the form:
   42 
   43     test_plan = {
   44         entities: details and number of entities,
   45         group_memberships: group-user entity memberships,
   46         assignments: list of assignments to create,
   47         tests: list of pairs of input params and expected outputs}
   48 
   49     An example test plan:
   50 
   51     test_plan = {
   52         # First, create the entities required. Entities are specified by
   53         # a dict with the key being the entity type and the value an
   54         # entity specification which can be one of:
   55         #
   56         # - a simple number, e.g. {'users': 3} creates 3 users
   57         # - a dict where more information regarding the contents of the entity
   58         #   is required, e.g. {'domains' : {'users : 3}} creates a domain
   59         #   with three users
   60         # - a list of entity specifications if multiple are required
   61         #
   62         # The following creates a domain that contains a single user, group and
   63         # project, as well as creating three roles.
   64 
   65         'entities': {'domains': {'users': 1, 'groups': 1, 'projects': 1},
   66                      'roles': 3},
   67 
   68         # If it is required that an existing domain be used for the new
   69         # entities, then the id of that domain can be included in the
   70         # domain dict.  For example, if alternatively we wanted to add 3 users
   71         # to the default domain, add a second domain containing 3 projects as
   72         # well as 5 additional empty domains, the entities would be defined as:
   73         #
   74         # 'entities': {'domains': [{'id': DEFAULT_DOMAIN, 'users': 3},
   75         #                          {'projects': 3}, 5]},
   76         #
   77         # A project hierarchy can be specified within the 'projects' section by
   78         # nesting the 'project' key, for example to create a project with three
   79         # sub-projects you would use:
   80 
   81                      'projects': {'project': 3}
   82 
   83         # A more complex hierarchy can also be defined, for example the
   84         # following would define three projects each containing a
   85         # sub-project, each of which contain a further three sub-projects.
   86 
   87                      'projects': [{'project': {'project': 3}},
   88                                   {'project': {'project': 3}},
   89                                   {'project': {'project': 3}}]
   90 
   91         # If the 'roles' entity count is defined as top level key in 'entities'
   92         # dict then these are global roles. If it is placed within the
   93         # 'domain' dict, then they will be domain specific roles. A mix of
   94         # domain specific and global roles are allowed, with the role index
   95         # being calculated in the order they are defined in the 'entities'
   96         # dict.
   97 
   98         # A set of implied role specifications. In this case, prior role
   99         # index 0 implies role index 1, and role 1 implies roles 2 and 3.
  100 
  101         'roles': [{'role': 0, 'implied_roles': [1]},
  102                   {'role': 1, 'implied_roles': [2, 3]}]
  103 
  104         # A list of groups and their members. In this case make users with
  105         # index 0 and 1 members of group with index 0. Users and Groups are
  106         # indexed in the order they appear in the 'entities' key above.
  107 
  108         'group_memberships': [{'group': 0, 'users': [0, 1]}]
  109 
  110         # Next, create assignments between the entities, referencing the
  111         # entities by index, i.e. 'user': 0 refers to user[0]. Entities are
  112         # indexed in the order they appear in the 'entities' key above within
  113         # their entity type.
  114 
  115         'assignments': [{'user': 0, 'role': 0, 'domain': 0},
  116                         {'user': 0, 'role': 1, 'project': 0},
  117                         {'group': 0, 'role': 2, 'domain': 0},
  118                         {'user': 0, 'role': 2, 'project': 0}],
  119 
  120         # Finally, define an array of tests where list_role_assignment() is
  121         # called with the given input parameters and the results are then
  122         # confirmed to be as given in 'results'. Again, all entities are
  123         # referenced by index.
  124 
  125         'tests': [
  126             {'params': {},
  127              'results': [{'user': 0, 'role': 0, 'domain': 0},
  128                          {'user': 0, 'role': 1, 'project': 0},
  129                          {'group': 0, 'role': 2, 'domain': 0},
  130                          {'user': 0, 'role': 2, 'project': 0}]},
  131             {'params': {'role': 2},
  132              'results': [{'group': 0, 'role': 2, 'domain': 0},
  133                          {'user': 0, 'role': 2, 'project': 0}]}]
  134 
  135         # The 'params' key also supports the 'effective',
  136         # 'inherited_to_projects' and 'source_from_group_ids' options to
  137         # list_role_assignments.}
  138 
  139     """
  140 
  141     def _handle_project_spec(self, test_data, domain_id, project_spec,
  142                              parent_id=None):
  143         """Handle the creation of a project or hierarchy of projects.
  144 
  145         project_spec may either be a count of the number of projects to
  146         create, or it may be a list of the form:
  147 
  148         [{'project': project_spec}, {'project': project_spec}, ...]
  149 
  150         This method is called recursively to handle the creation of a
  151         hierarchy of projects.
  152 
  153         """
  154         def _create_project(domain_id, parent_id):
  155             new_project = unit.new_project_ref(domain_id=domain_id,
  156                                                parent_id=parent_id)
  157             new_project = PROVIDERS.resource_api.create_project(
  158                 new_project['id'], new_project
  159             )
  160             return new_project
  161 
  162         if isinstance(project_spec, list):
  163             for this_spec in project_spec:
  164                 self._handle_project_spec(
  165                     test_data, domain_id, this_spec, parent_id=parent_id)
  166         elif isinstance(project_spec, dict):
  167             new_proj = _create_project(domain_id, parent_id)
  168             test_data['projects'].append(new_proj)
  169             self._handle_project_spec(
  170                 test_data, domain_id, project_spec['project'],
  171                 parent_id=new_proj['id'])
  172         else:
  173             for _ in range(project_spec):
  174                 test_data['projects'].append(
  175                     _create_project(domain_id, parent_id))
  176 
  177     def _create_role(self, domain_id=None):
  178         new_role = unit.new_role_ref(domain_id=domain_id)
  179         return PROVIDERS.role_api.create_role(new_role['id'], new_role)
  180 
  181     def _handle_domain_spec(self, test_data, domain_spec):
  182         """Handle the creation of domains and their contents.
  183 
  184         domain_spec may either be a count of the number of empty domains to
  185         create, a dict describing the domain contents, or a list of
  186         domain_specs.
  187 
  188         In the case when a list is provided, this method calls itself
  189         recursively to handle the list elements.
  190 
  191         This method will insert any entities created into test_data
  192 
  193         """
  194         def _create_domain(domain_id=None):
  195             if domain_id is None:
  196                 new_domain = unit.new_domain_ref()
  197                 PROVIDERS.resource_api.create_domain(
  198                     new_domain['id'], new_domain
  199                 )
  200                 return new_domain
  201             else:
  202                 # The test plan specified an existing domain to use
  203                 return PROVIDERS.resource_api.get_domain(domain_id)
  204 
  205         def _create_entity_in_domain(entity_type, domain_id):
  206             """Create a user or group entity in the domain."""
  207             if entity_type == 'users':
  208                 new_entity = unit.new_user_ref(domain_id=domain_id)
  209                 new_entity = PROVIDERS.identity_api.create_user(new_entity)
  210             elif entity_type == 'groups':
  211                 new_entity = unit.new_group_ref(domain_id=domain_id)
  212                 new_entity = PROVIDERS.identity_api.create_group(new_entity)
  213             elif entity_type == 'roles':
  214                 new_entity = self._create_role(domain_id=domain_id)
  215             else:
  216                 # Must be a bad test plan
  217                 raise exception.NotImplemented()
  218             return new_entity
  219 
  220         if isinstance(domain_spec, list):
  221             for x in domain_spec:
  222                 self._handle_domain_spec(test_data, x)
  223         elif isinstance(domain_spec, dict):
  224             # If there is a domain ID specified, then use it
  225             the_domain = _create_domain(domain_spec.get('id'))
  226             test_data['domains'].append(the_domain)
  227             for entity_type, value in domain_spec.items():
  228                 if entity_type == 'id':
  229                     # We already used this above to determine whether to
  230                     # use and existing domain
  231                     continue
  232                 if entity_type == 'projects':
  233                     # If it's projects, we need to handle the potential
  234                     # specification of a project hierarchy
  235                     self._handle_project_spec(
  236                         test_data, the_domain['id'], value)
  237                 else:
  238                     # It's a count of number of entities
  239                     for _ in range(value):
  240                         test_data[entity_type].append(
  241                             _create_entity_in_domain(
  242                                 entity_type, the_domain['id']))
  243         else:
  244             for _ in range(domain_spec):
  245                 test_data['domains'].append(_create_domain())
  246 
  247     def create_entities(self, entity_pattern):
  248         """Create the entities specified in the test plan.
  249 
  250         Process the 'entities' key in the test plan, creating the requested
  251         entities. Each created entity will be added to the array of entities
  252         stored in the returned test_data object, e.g.:
  253 
  254         test_data['users'] = [user[0], user[1]....]
  255 
  256         """
  257         test_data = {}
  258         for entity in ['users', 'groups', 'domains', 'projects', 'roles']:
  259             test_data[entity] = []
  260 
  261         # Create any domains requested and, if specified, any entities within
  262         # those domains
  263         if 'domains' in entity_pattern:
  264             self._handle_domain_spec(test_data, entity_pattern['domains'])
  265 
  266         # Create any roles requested
  267         if 'roles' in entity_pattern:
  268             for _ in range(entity_pattern['roles']):
  269                 test_data['roles'].append(self._create_role())
  270 
  271         return test_data
  272 
  273     def _convert_entity_shorthand(self, key, shorthand_data, reference_data):
  274         """Convert a shorthand entity description into a full ID reference.
  275 
  276         In test plan definitions, we allow a shorthand for referencing to an
  277         entity of the form:
  278 
  279         'user': 0
  280 
  281         which is actually shorthand for:
  282 
  283         'user_id': reference_data['users'][0]['id']
  284 
  285         This method converts the shorthand version into the full reference.
  286 
  287         """
  288         expanded_key = '%s_id' % key
  289         reference_index = '%ss' % key
  290         index_value = (
  291             reference_data[reference_index][shorthand_data[key]]['id'])
  292         return expanded_key, index_value
  293 
  294     def create_implied_roles(self, implied_pattern, test_data):
  295         """Create the implied roles specified in the test plan."""
  296         for implied_spec in implied_pattern:
  297             # Each implied role specification is a dict of the form:
  298             #
  299             # {'role': 0, 'implied_roles': list of roles}
  300 
  301             prior_role = test_data['roles'][implied_spec['role']]['id']
  302             if isinstance(implied_spec['implied_roles'], list):
  303                 for this_role in implied_spec['implied_roles']:
  304                     implied_role = test_data['roles'][this_role]['id']
  305                     PROVIDERS.role_api.create_implied_role(
  306                         prior_role, implied_role
  307                     )
  308             else:
  309                 implied_role = (
  310                     test_data['roles'][implied_spec['implied_roles']]['id'])
  311                 PROVIDERS.role_api.create_implied_role(
  312                     prior_role, implied_role
  313                 )
  314 
  315     def create_group_memberships(self, group_pattern, test_data):
  316         """Create the group memberships specified in the test plan."""
  317         for group_spec in group_pattern:
  318             # Each membership specification is a dict of the form:
  319             #
  320             # {'group': 0, 'users': [list of user indexes]}
  321             #
  322             # Add all users in the list to the specified group, first
  323             # converting from index to full entity ID.
  324             group_value = test_data['groups'][group_spec['group']]['id']
  325             for user_index in group_spec['users']:
  326                 user_value = test_data['users'][user_index]['id']
  327                 PROVIDERS.identity_api.add_user_to_group(
  328                     user_value, group_value
  329                 )
  330         return test_data
  331 
  332     def create_assignments(self, assignment_pattern, test_data):
  333         """Create the assignments specified in the test plan."""
  334         # First store how many assignments are already in the system,
  335         # so during the tests we can check the number of new assignments
  336         # created.
  337         test_data['initial_assignment_count'] = (
  338             len(PROVIDERS.assignment_api.list_role_assignments()))
  339 
  340         # Now create the new assignments in the test plan
  341         for assignment in assignment_pattern:
  342             # Each assignment is a dict of the form:
  343             #
  344             # { 'user': 0, 'project':1, 'role': 6}
  345             #
  346             # where the value of each item is the index into the array of
  347             # entities created earlier.
  348             #
  349             # We process the assignment dict to create the args required to
  350             # make the create_grant() call.
  351             args = {}
  352             for param in assignment:
  353                 if param == 'inherited_to_projects':
  354                     args[param] = assignment[param]
  355                 else:
  356                     # Turn 'entity : 0' into 'entity_id = ac6736ba873d'
  357                     # where entity in user, group, project or domain
  358                     key, value = self._convert_entity_shorthand(
  359                         param, assignment, test_data)
  360                     args[key] = value
  361             PROVIDERS.assignment_api.create_grant(**args)
  362         return test_data
  363 
  364     def execute_assignment_cases(self, test_plan, test_data):
  365         """Execute the test plan, based on the created test_data."""
  366         def check_results(expected, actual, param_arg_count):
  367             if param_arg_count == 0:
  368                 # It was an unfiltered call, so default fixture assignments
  369                 # might be polluting our answer - so we take into account
  370                 # how many assignments there were before the test.
  371                 self.assertEqual(
  372                     len(expected) + test_data['initial_assignment_count'],
  373                     len(actual))
  374             else:
  375                 self.assertThat(actual, matchers.HasLength(len(expected)))
  376 
  377             for each_expected in expected:
  378                 expected_assignment = {}
  379                 for param in each_expected:
  380                     if param == 'inherited_to_projects':
  381                         expected_assignment[param] = each_expected[param]
  382                     elif param == 'indirect':
  383                         # We're expecting the result to contain an indirect
  384                         # dict with the details how the role came to be placed
  385                         # on this entity - so convert the key/value pairs of
  386                         # that dict into real entity references.
  387                         indirect_term = {}
  388                         for indirect_param in each_expected[param]:
  389                             key, value = self._convert_entity_shorthand(
  390                                 indirect_param, each_expected[param],
  391                                 test_data)
  392                             indirect_term[key] = value
  393                         expected_assignment[param] = indirect_term
  394                     else:
  395                         # Convert a simple shorthand entry into a full
  396                         # entity reference
  397                         key, value = self._convert_entity_shorthand(
  398                             param, each_expected, test_data)
  399                         expected_assignment[key] = value
  400                 self.assertIn(expected_assignment, actual)
  401 
  402         def convert_group_ids_sourced_from_list(index_list, reference_data):
  403             value_list = []
  404             for group_index in index_list:
  405                 value_list.append(
  406                     reference_data['groups'][group_index]['id'])
  407             return value_list
  408 
  409         # Go through each test in the array, processing the input params, which
  410         # we build into an args dict, and then call list_role_assignments. Then
  411         # check the results against those specified in the test plan.
  412         for test in test_plan.get('tests', []):
  413             args = {}
  414             for param in test['params']:
  415                 if param in ['effective', 'inherited', 'include_subtree']:
  416                     # Just pass the value into the args
  417                     args[param] = test['params'][param]
  418                 elif param == 'source_from_group_ids':
  419                     # Convert the list of indexes into a list of IDs
  420                     args[param] = convert_group_ids_sourced_from_list(
  421                         test['params']['source_from_group_ids'], test_data)
  422                 else:
  423                     # Turn 'entity : 0' into 'entity_id = ac6736ba873d'
  424                     # where entity in user, group, project or domain
  425                     key, value = self._convert_entity_shorthand(
  426                         param, test['params'], test_data)
  427                     args[key] = value
  428             results = PROVIDERS.assignment_api.list_role_assignments(**args)
  429             check_results(test['results'], results, len(args))
  430 
  431     def execute_assignment_plan(self, test_plan):
  432         """Create entities, assignments and execute the test plan.
  433 
  434         The standard method to call to create entities and assignments and
  435         execute the tests as specified in the test_plan. The test_data
  436         dict is returned so that, if required, the caller can execute
  437         additional manual tests with the entities and assignments created.
  438 
  439         """
  440         test_data = self.create_entities(test_plan['entities'])
  441         if 'implied_roles' in test_plan:
  442             self.create_implied_roles(test_plan['implied_roles'], test_data)
  443         if 'group_memberships' in test_plan:
  444             self.create_group_memberships(test_plan['group_memberships'],
  445                                           test_data)
  446         if 'assignments' in test_plan:
  447             test_data = self.create_assignments(test_plan['assignments'],
  448                                                 test_data)
  449         self.execute_assignment_cases(test_plan, test_data)
  450         return test_data
  451 
  452 
  453 class AssignmentTests(AssignmentTestHelperMixin):
  454 
  455     def _get_domain_fixture(self):
  456         domain = unit.new_domain_ref()
  457         PROVIDERS.resource_api.create_domain(domain['id'], domain)
  458         return domain
  459 
  460     def test_project_add_and_remove_user_role(self):
  461         user_ids = PROVIDERS.assignment_api.list_user_ids_for_project(
  462             self.project_bar['id'])
  463         self.assertNotIn(self.user_two['id'], user_ids)
  464 
  465         PROVIDERS.assignment_api.add_role_to_user_and_project(
  466             project_id=self.project_bar['id'],
  467             user_id=self.user_two['id'],
  468             role_id=self.role_other['id'])
  469         user_ids = PROVIDERS.assignment_api.list_user_ids_for_project(
  470             self.project_bar['id'])
  471         self.assertIn(self.user_two['id'], user_ids)
  472 
  473         PROVIDERS.assignment_api.remove_role_from_user_and_project(
  474             project_id=self.project_bar['id'],
  475             user_id=self.user_two['id'],
  476             role_id=self.role_other['id'])
  477 
  478         user_ids = PROVIDERS.assignment_api.list_user_ids_for_project(
  479             self.project_bar['id'])
  480         self.assertNotIn(self.user_two['id'], user_ids)
  481 
  482     def test_remove_user_role_not_assigned(self):
  483         # Expect failure if attempt to remove a role that was never assigned to
  484         # the user.
  485         self.assertRaises(exception.RoleNotFound,
  486                           PROVIDERS.assignment_api.
  487                           remove_role_from_user_and_project,
  488                           project_id=self.project_bar['id'],
  489                           user_id=self.user_two['id'],
  490                           role_id=self.role_other['id'])
  491 
  492     def test_list_user_ids_for_project(self):
  493         user_ids = PROVIDERS.assignment_api.list_user_ids_for_project(
  494             self.project_baz['id'])
  495         self.assertEqual(2, len(user_ids))
  496         self.assertIn(self.user_two['id'], user_ids)
  497         self.assertIn(self.user_badguy['id'], user_ids)
  498 
  499     def test_list_user_ids_for_project_no_duplicates(self):
  500         # Create user
  501         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  502         user_ref = PROVIDERS.identity_api.create_user(user_ref)
  503         # Create project
  504         project_ref = unit.new_project_ref(
  505             domain_id=CONF.identity.default_domain_id)
  506         PROVIDERS.resource_api.create_project(
  507             project_ref['id'], project_ref)
  508         # Create 2 roles and give user each role in project
  509         for i in range(2):
  510             role_ref = unit.new_role_ref()
  511             PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
  512             PROVIDERS.assignment_api.add_role_to_user_and_project(
  513                 user_id=user_ref['id'],
  514                 project_id=project_ref['id'],
  515                 role_id=role_ref['id'])
  516         # Get the list of user_ids in project
  517         user_ids = PROVIDERS.assignment_api.list_user_ids_for_project(
  518             project_ref['id'])
  519         # Ensure the user is only returned once
  520         self.assertEqual(1, len(user_ids))
  521 
  522     def test_get_project_user_ids_returns_not_found(self):
  523         self.assertRaises(exception.ProjectNotFound,
  524                           PROVIDERS.assignment_api.list_user_ids_for_project,
  525                           uuid.uuid4().hex)
  526 
  527     def test_list_role_assignments_unfiltered(self):
  528         """Test unfiltered listing of role assignments."""
  529         test_plan = {
  530             # Create a domain, with a user, group & project
  531             'entities': {'domains': {'users': 1, 'groups': 1, 'projects': 1},
  532                          'roles': 3},
  533             # Create a grant of each type (user/group on project/domain)
  534             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
  535                             {'user': 0, 'role': 1, 'project': 0},
  536                             {'group': 0, 'role': 2, 'domain': 0},
  537                             {'group': 0, 'role': 2, 'project': 0}],
  538             'tests': [
  539                 # Check that we get back the 4 assignments
  540                 {'params': {},
  541                  'results': [{'user': 0, 'role': 0, 'domain': 0},
  542                              {'user': 0, 'role': 1, 'project': 0},
  543                              {'group': 0, 'role': 2, 'domain': 0},
  544                              {'group': 0, 'role': 2, 'project': 0}]}
  545             ]
  546         }
  547         self.execute_assignment_plan(test_plan)
  548 
  549     def test_list_role_assignments_filtered_by_role(self):
  550         """Test listing of role assignments filtered by role ID."""
  551         test_plan = {
  552             # Create a user, group & project in the default domain
  553             'entities': {'domains': {'id': CONF.identity.default_domain_id,
  554                                      'users': 1, 'groups': 1, 'projects': 1},
  555                          'roles': 3},
  556             # Create a grant of each type (user/group on project/domain)
  557             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
  558                             {'user': 0, 'role': 1, 'project': 0},
  559                             {'group': 0, 'role': 2, 'domain': 0},
  560                             {'group': 0, 'role': 2, 'project': 0}],
  561             'tests': [
  562                 # Check that when filtering by role, we only get back those
  563                 # that match
  564                 {'params': {'role': 2},
  565                  'results': [{'group': 0, 'role': 2, 'domain': 0},
  566                              {'group': 0, 'role': 2, 'project': 0}]}
  567             ]
  568         }
  569         self.execute_assignment_plan(test_plan)
  570 
  571     def test_list_group_role_assignment(self):
  572         # When a group role assignment is created and the role assignments are
  573         # listed then the group role assignment is included in the list.
  574 
  575         test_plan = {
  576             'entities': {'domains': {'id': CONF.identity.default_domain_id,
  577                                      'groups': 1, 'projects': 1},
  578                          'roles': 1},
  579             'assignments': [{'group': 0, 'role': 0, 'project': 0}],
  580             'tests': [
  581                 {'params': {},
  582                  'results': [{'group': 0, 'role': 0, 'project': 0}]}
  583             ]
  584         }
  585         self.execute_assignment_plan(test_plan)
  586 
  587     def test_list_role_assignments_bad_role(self):
  588         assignment_list = PROVIDERS.assignment_api.list_role_assignments(
  589             role_id=uuid.uuid4().hex)
  590         self.assertEqual([], assignment_list)
  591 
  592     def test_list_role_assignments_user_not_found(self):
  593         def _user_not_found(value):
  594             raise exception.UserNotFound(user_id=value)
  595 
  596         # Note(knikolla): Patch get_user to return UserNotFound
  597         # this simulates the possibility of a user being deleted
  598         # directly in the backend and still having lingering role
  599         # assignments.
  600         with mock.patch.object(PROVIDERS.identity_api, 'get_user',
  601                                _user_not_found):
  602             assignment_list = PROVIDERS.assignment_api.list_role_assignments(
  603                 include_names=True
  604             )
  605 
  606         self.assertNotEqual([], assignment_list)
  607         for assignment in assignment_list:
  608             if 'user_name' in assignment:
  609                 # Note(knikolla): In the case of a not found user we
  610                 # populate the values with empty strings.
  611                 self.assertEqual('', assignment['user_name'])
  612                 self.assertEqual('', assignment['user_domain_id'])
  613                 self.assertEqual('', assignment['user_domain_name'])
  614 
  615     def test_list_role_assignments_group_not_found(self):
  616         def _group_not_found(value):
  617             raise exception.GroupNotFound(group_id=value)
  618 
  619         # Setup
  620         # 1) Remove any pre-existing assignments so we control what's there
  621         for a in PROVIDERS.assignment_api.list_role_assignments():
  622             PROVIDERS.assignment_api.delete_grant(**a)
  623         # 2) create a group and 2 users in that group
  624         domain_id = CONF.identity.default_domain_id
  625         group = PROVIDERS.identity_api.create_group(
  626             unit.new_group_ref(domain_id=domain_id))
  627         user1 = PROVIDERS.identity_api.create_user(
  628             unit.new_user_ref(domain_id=domain_id))
  629         user2 = PROVIDERS.identity_api.create_user(
  630             unit.new_user_ref(domain_id=domain_id))
  631         PROVIDERS.identity_api.add_user_to_group(user1['id'], group['id'])
  632         PROVIDERS.identity_api.add_user_to_group(user2['id'], group['id'])
  633         # 3) create a role assignment for the group
  634         PROVIDERS.assignment_api.create_grant(
  635             group_id=group['id'],
  636             domain_id=domain_id,
  637             role_id=default_fixtures.MEMBER_ROLE_ID)
  638 
  639         num_assignments = len(PROVIDERS.assignment_api.list_role_assignments())
  640         self.assertEqual(1, num_assignments)
  641 
  642         # Patch get_group to return GroupNotFound, allowing us to confirm
  643         # that the exception is handled properly when include_names processing
  644         # attempts to lookup a group that has been deleted in the backend
  645         with mock.patch.object(PROVIDERS.identity_api, 'get_group',
  646                                _group_not_found):
  647             assignment_list = PROVIDERS.assignment_api.list_role_assignments(
  648                 include_names=True
  649             )
  650 
  651         self.assertEqual(num_assignments, len(assignment_list))
  652         for assignment in assignment_list:
  653             includes_group_assignments = False
  654             if 'group_name' in assignment:
  655                 includes_group_assignments = True
  656                 # Note(knikolla): In the case of a not-found group we
  657                 # populate the values with empty strings.
  658                 self.assertEqual('', assignment['group_name'])
  659                 self.assertEqual('', assignment['group_domain_id'])
  660                 self.assertEqual('', assignment['group_domain_name'])
  661         self.assertTrue(includes_group_assignments)
  662 
  663         num_effective = len(PROVIDERS.assignment_api.list_role_assignments(
  664             effective=True))
  665         self.assertGreater(num_effective, len(assignment_list))
  666 
  667         # Patch list_users_in_group to return GroupNotFound allowing us to
  668         # confirm that the exception is handled properly when effective
  669         # processing attempts to lookup users for a group that has been deleted
  670         # in the backend
  671         with mock.patch.object(PROVIDERS.identity_api, 'list_users_in_group',
  672                                _group_not_found):
  673             assignment_list = PROVIDERS.assignment_api.list_role_assignments(
  674                 effective=True
  675             )
  676 
  677         self.assertGreater(num_effective, len(assignment_list))
  678 
  679         # cleanup
  680         PROVIDERS.assignment_api.delete_grant(
  681             group_id=group['id'],
  682             domain_id=domain_id,
  683             role_id=default_fixtures.MEMBER_ROLE_ID)
  684         # TODO(edmondsw) should cleanup users/groups as well, but that raises
  685         # LDAP read-only issues
  686 
  687     def test_add_duplicate_role_grant(self):
  688         roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project(
  689             self.user_foo['id'], self.project_bar['id'])
  690         self.assertNotIn(self.role_admin['id'], roles_ref)
  691         PROVIDERS.assignment_api.add_role_to_user_and_project(
  692             self.user_foo['id'], self.project_bar['id'], self.role_admin['id'])
  693         self.assertRaises(
  694             exception.Conflict,
  695             PROVIDERS.assignment_api.add_role_to_user_and_project,
  696             self.user_foo['id'],
  697             self.project_bar['id'],
  698             self.role_admin['id']
  699         )
  700 
  701     def test_get_role_by_user_and_project_with_user_in_group(self):
  702         """Test for get role by user and project, user was added into a group.
  703 
  704         Test Plan:
  705 
  706         - Create a user, a project & a group, add this user to group
  707         - Create roles and grant them to user and project
  708         - Check the role list get by the user and project was as expected
  709 
  710         """
  711         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  712         user_ref = PROVIDERS.identity_api.create_user(user_ref)
  713 
  714         project_ref = unit.new_project_ref(
  715             domain_id=CONF.identity.default_domain_id)
  716         PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
  717 
  718         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
  719         group_id = PROVIDERS.identity_api.create_group(group)['id']
  720         PROVIDERS.identity_api.add_user_to_group(user_ref['id'], group_id)
  721 
  722         role_ref_list = []
  723         for i in range(2):
  724             role_ref = unit.new_role_ref()
  725             PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
  726             role_ref_list.append(role_ref)
  727 
  728             PROVIDERS.assignment_api.add_role_to_user_and_project(
  729                 user_id=user_ref['id'],
  730                 project_id=project_ref['id'],
  731                 role_id=role_ref['id'])
  732 
  733         role_list = PROVIDERS.assignment_api.get_roles_for_user_and_project(
  734             user_ref['id'],
  735             project_ref['id'])
  736 
  737         self.assertEqual(set([r['id'] for r in role_ref_list]),
  738                          set(role_list))
  739 
  740     def test_get_role_by_user_and_project(self):
  741         roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project(
  742             self.user_foo['id'], self.project_bar['id'])
  743         self.assertNotIn(self.role_admin['id'], roles_ref)
  744         PROVIDERS.assignment_api.add_role_to_user_and_project(
  745             self.user_foo['id'], self.project_bar['id'], self.role_admin['id'])
  746         roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project(
  747             self.user_foo['id'], self.project_bar['id'])
  748         self.assertIn(self.role_admin['id'], roles_ref)
  749         self.assertNotIn(default_fixtures.MEMBER_ROLE_ID, roles_ref)
  750 
  751         PROVIDERS.assignment_api.add_role_to_user_and_project(
  752             self.user_foo['id'],
  753             self.project_bar['id'],
  754             default_fixtures.MEMBER_ROLE_ID)
  755         roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project(
  756             self.user_foo['id'], self.project_bar['id'])
  757         self.assertIn(self.role_admin['id'], roles_ref)
  758         self.assertIn(default_fixtures.MEMBER_ROLE_ID, roles_ref)
  759 
  760     def test_get_role_by_trustor_and_project(self):
  761         new_domain = unit.new_domain_ref()
  762         PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
  763         new_user = unit.new_user_ref(domain_id=new_domain['id'])
  764         new_user = PROVIDERS.identity_api.create_user(new_user)
  765         new_project = unit.new_project_ref(domain_id=new_domain['id'])
  766         PROVIDERS.resource_api.create_project(new_project['id'], new_project)
  767         role = self._create_role(domain_id=new_domain['id'])
  768 
  769         # Now create the grants (roles are defined in default_fixtures)
  770         PROVIDERS.assignment_api.create_grant(
  771             user_id=new_user['id'],
  772             project_id=new_project['id'],
  773             role_id=default_fixtures.MEMBER_ROLE_ID)
  774         PROVIDERS.assignment_api.create_grant(
  775             user_id=new_user['id'],
  776             domain_id=new_domain['id'],
  777             role_id=role['id'],
  778             inherited_to_projects=True)
  779 
  780         roles_ids = PROVIDERS.assignment_api.get_roles_for_trustor_and_project(
  781             new_user['id'], new_project['id'])
  782         self.assertEqual(2, len(roles_ids))
  783         self.assertIn(self.role_member['id'], roles_ids)
  784         self.assertIn(role['id'], roles_ids)
  785 
  786     def test_get_roles_for_user_and_domain(self):
  787         """Test for getting roles for user on a domain.
  788 
  789         Test Plan:
  790 
  791         - Create a domain, with 2 users
  792         - Check no roles yet exit
  793         - Give user1 two roles on the domain, user2 one role
  794         - Get roles on user1 and the domain - maybe sure we only
  795           get back the 2 roles on user1
  796         - Delete both roles from user1
  797         - Check we get no roles back for user1 on domain
  798 
  799         """
  800         new_domain = unit.new_domain_ref()
  801         PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
  802         new_user1 = unit.new_user_ref(domain_id=new_domain['id'])
  803         new_user1 = PROVIDERS.identity_api.create_user(new_user1)
  804         new_user2 = unit.new_user_ref(domain_id=new_domain['id'])
  805         new_user2 = PROVIDERS.identity_api.create_user(new_user2)
  806         roles_ref = PROVIDERS.assignment_api.list_grants(
  807             user_id=new_user1['id'],
  808             domain_id=new_domain['id'])
  809         self.assertEqual(0, len(roles_ref))
  810         # Now create the grants (roles are defined in default_fixtures)
  811         PROVIDERS.assignment_api.create_grant(
  812             user_id=new_user1['id'],
  813             domain_id=new_domain['id'],
  814             role_id=default_fixtures.MEMBER_ROLE_ID)
  815         PROVIDERS.assignment_api.create_grant(
  816             user_id=new_user1['id'],
  817             domain_id=new_domain['id'],
  818             role_id=default_fixtures.OTHER_ROLE_ID)
  819         PROVIDERS.assignment_api.create_grant(
  820             user_id=new_user2['id'],
  821             domain_id=new_domain['id'],
  822             role_id=default_fixtures.ADMIN_ROLE_ID)
  823         # Read back the roles for user1 on domain
  824         roles_ids = PROVIDERS.assignment_api.get_roles_for_user_and_domain(
  825             new_user1['id'], new_domain['id'])
  826         self.assertEqual(2, len(roles_ids))
  827         self.assertIn(self.role_member['id'], roles_ids)
  828         self.assertIn(self.role_other['id'], roles_ids)
  829 
  830         # Now delete both grants for user1
  831         PROVIDERS.assignment_api.delete_grant(
  832             user_id=new_user1['id'],
  833             domain_id=new_domain['id'],
  834             role_id=default_fixtures.MEMBER_ROLE_ID)
  835         PROVIDERS.assignment_api.delete_grant(
  836             user_id=new_user1['id'],
  837             domain_id=new_domain['id'],
  838             role_id=default_fixtures.OTHER_ROLE_ID)
  839         roles_ref = PROVIDERS.assignment_api.list_grants(
  840             user_id=new_user1['id'],
  841             domain_id=new_domain['id'])
  842         self.assertEqual(0, len(roles_ref))
  843 
  844     def test_get_roles_for_user_and_domain_returns_not_found(self):
  845         """Test errors raised when getting roles for user on a domain.
  846 
  847         Test Plan:
  848 
  849         - Check non-existing user gives UserNotFound
  850         - Check non-existing domain gives DomainNotFound
  851 
  852         """
  853         new_domain = self._get_domain_fixture()
  854         new_user1 = unit.new_user_ref(domain_id=new_domain['id'])
  855         new_user1 = PROVIDERS.identity_api.create_user(new_user1)
  856 
  857         self.assertRaises(
  858             exception.UserNotFound,
  859             PROVIDERS.assignment_api.get_roles_for_user_and_domain,
  860             uuid.uuid4().hex,
  861             new_domain['id']
  862         )
  863 
  864         self.assertRaises(
  865             exception.DomainNotFound,
  866             PROVIDERS.assignment_api.get_roles_for_user_and_domain,
  867             new_user1['id'],
  868             uuid.uuid4().hex
  869         )
  870 
  871     def test_get_roles_for_user_and_project_returns_not_found(self):
  872         self.assertRaises(
  873             exception.UserNotFound,
  874             PROVIDERS.assignment_api.get_roles_for_user_and_project,
  875             uuid.uuid4().hex,
  876             self.project_bar['id']
  877         )
  878 
  879         self.assertRaises(
  880             exception.ProjectNotFound,
  881             PROVIDERS.assignment_api.get_roles_for_user_and_project,
  882             self.user_foo['id'],
  883             uuid.uuid4().hex
  884         )
  885 
  886     def test_add_role_to_user_and_project_returns_not_found(self):
  887         self.assertRaises(
  888             exception.ProjectNotFound,
  889             PROVIDERS.assignment_api.add_role_to_user_and_project,
  890             self.user_foo['id'],
  891             uuid.uuid4().hex,
  892             self.role_admin['id']
  893         )
  894 
  895         self.assertRaises(
  896             exception.RoleNotFound,
  897             PROVIDERS.assignment_api.add_role_to_user_and_project,
  898             self.user_foo['id'],
  899             self.project_bar['id'],
  900             uuid.uuid4().hex
  901         )
  902 
  903     def test_add_role_to_user_and_project_no_user(self):
  904         # If add_role_to_user_and_project and the user doesn't exist, then
  905         # no error.
  906         user_id_not_exist = uuid.uuid4().hex
  907         PROVIDERS.assignment_api.add_role_to_user_and_project(
  908             user_id_not_exist, self.project_bar['id'], self.role_admin['id'])
  909 
  910     def test_remove_role_from_user_and_project(self):
  911         PROVIDERS.assignment_api.add_role_to_user_and_project(
  912             self.user_foo['id'],
  913             self.project_bar['id'],
  914             default_fixtures.MEMBER_ROLE_ID)
  915         PROVIDERS.assignment_api.remove_role_from_user_and_project(
  916             self.user_foo['id'],
  917             self.project_bar['id'],
  918             default_fixtures.MEMBER_ROLE_ID)
  919         roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project(
  920             self.user_foo['id'], self.project_bar['id'])
  921         self.assertNotIn(default_fixtures.MEMBER_ROLE_ID, roles_ref)
  922         self.assertRaises(exception.NotFound,
  923                           PROVIDERS.assignment_api.
  924                           remove_role_from_user_and_project,
  925                           self.user_foo['id'],
  926                           self.project_bar['id'],
  927                           default_fixtures.MEMBER_ROLE_ID)
  928 
  929     def test_get_role_grant_by_user_and_project(self):
  930         roles_ref = PROVIDERS.assignment_api.list_grants(
  931             user_id=self.user_foo['id'],
  932             project_id=self.project_bar['id'])
  933         self.assertEqual(1, len(roles_ref))
  934         PROVIDERS.assignment_api.create_grant(
  935             user_id=self.user_foo['id'], project_id=self.project_bar['id'],
  936             role_id=self.role_admin['id']
  937         )
  938         roles_ref = PROVIDERS.assignment_api.list_grants(
  939             user_id=self.user_foo['id'],
  940             project_id=self.project_bar['id'])
  941         self.assertIn(self.role_admin['id'],
  942                       [role_ref['id'] for role_ref in roles_ref])
  943 
  944         PROVIDERS.assignment_api.create_grant(
  945             user_id=self.user_foo['id'],
  946             project_id=self.project_bar['id'],
  947             role_id=default_fixtures.MEMBER_ROLE_ID)
  948         roles_ref = PROVIDERS.assignment_api.list_grants(
  949             user_id=self.user_foo['id'],
  950             project_id=self.project_bar['id'])
  951 
  952         roles_ref_ids = []
  953         for ref in roles_ref:
  954             roles_ref_ids.append(ref['id'])
  955         self.assertIn(self.role_admin['id'], roles_ref_ids)
  956         self.assertIn(default_fixtures.MEMBER_ROLE_ID, roles_ref_ids)
  957 
  958     def test_remove_role_grant_from_user_and_project(self):
  959         PROVIDERS.assignment_api.create_grant(
  960             user_id=self.user_foo['id'],
  961             project_id=self.project_baz['id'],
  962             role_id=default_fixtures.MEMBER_ROLE_ID)
  963         roles_ref = PROVIDERS.assignment_api.list_grants(
  964             user_id=self.user_foo['id'],
  965             project_id=self.project_baz['id'])
  966         self.assertDictEqual(self.role_member, roles_ref[0])
  967 
  968         PROVIDERS.assignment_api.delete_grant(
  969             user_id=self.user_foo['id'],
  970             project_id=self.project_baz['id'],
  971             role_id=default_fixtures.MEMBER_ROLE_ID)
  972         roles_ref = PROVIDERS.assignment_api.list_grants(
  973             user_id=self.user_foo['id'],
  974             project_id=self.project_baz['id'])
  975         self.assertEqual(0, len(roles_ref))
  976         self.assertRaises(exception.RoleAssignmentNotFound,
  977                           PROVIDERS.assignment_api.delete_grant,
  978                           user_id=self.user_foo['id'],
  979                           project_id=self.project_baz['id'],
  980                           role_id=default_fixtures.MEMBER_ROLE_ID)
  981 
  982     def test_get_role_assignment_by_project_not_found(self):
  983         self.assertRaises(exception.RoleAssignmentNotFound,
  984                           PROVIDERS.assignment_api.check_grant_role_id,
  985                           user_id=self.user_foo['id'],
  986                           project_id=self.project_baz['id'],
  987                           role_id=default_fixtures.MEMBER_ROLE_ID)
  988 
  989         self.assertRaises(exception.RoleAssignmentNotFound,
  990                           PROVIDERS.assignment_api.check_grant_role_id,
  991                           group_id=uuid.uuid4().hex,
  992                           project_id=self.project_baz['id'],
  993                           role_id=default_fixtures.MEMBER_ROLE_ID)
  994 
  995     def test_get_role_assignment_by_domain_not_found(self):
  996         self.assertRaises(exception.RoleAssignmentNotFound,
  997                           PROVIDERS.assignment_api.check_grant_role_id,
  998                           user_id=self.user_foo['id'],
  999                           domain_id=CONF.identity.default_domain_id,
 1000                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1001 
 1002         self.assertRaises(exception.RoleAssignmentNotFound,
 1003                           PROVIDERS.assignment_api.check_grant_role_id,
 1004                           group_id=uuid.uuid4().hex,
 1005                           domain_id=CONF.identity.default_domain_id,
 1006                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1007 
 1008     def test_del_role_assignment_by_project_not_found(self):
 1009         self.assertRaises(exception.RoleAssignmentNotFound,
 1010                           PROVIDERS.assignment_api.delete_grant,
 1011                           user_id=self.user_foo['id'],
 1012                           project_id=self.project_baz['id'],
 1013                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1014 
 1015         self.assertRaises(exception.RoleAssignmentNotFound,
 1016                           PROVIDERS.assignment_api.delete_grant,
 1017                           group_id=uuid.uuid4().hex,
 1018                           project_id=self.project_baz['id'],
 1019                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1020 
 1021     def test_del_role_assignment_by_domain_not_found(self):
 1022         self.assertRaises(exception.RoleAssignmentNotFound,
 1023                           PROVIDERS.assignment_api.delete_grant,
 1024                           user_id=self.user_foo['id'],
 1025                           domain_id=CONF.identity.default_domain_id,
 1026                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1027 
 1028         self.assertRaises(exception.RoleAssignmentNotFound,
 1029                           PROVIDERS.assignment_api.delete_grant,
 1030                           group_id=uuid.uuid4().hex,
 1031                           domain_id=CONF.identity.default_domain_id,
 1032                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1033 
 1034     def test_get_and_remove_role_grant_by_group_and_project(self):
 1035         new_domain = unit.new_domain_ref()
 1036         PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
 1037         new_group = unit.new_group_ref(domain_id=new_domain['id'])
 1038         new_group = PROVIDERS.identity_api.create_group(new_group)
 1039         new_user = unit.new_user_ref(domain_id=new_domain['id'])
 1040         new_user = PROVIDERS.identity_api.create_user(new_user)
 1041         PROVIDERS.identity_api.add_user_to_group(
 1042             new_user['id'], new_group['id']
 1043         )
 1044         roles_ref = PROVIDERS.assignment_api.list_grants(
 1045             group_id=new_group['id'],
 1046             project_id=self.project_bar['id'])
 1047         self.assertEqual(0, len(roles_ref))
 1048         PROVIDERS.assignment_api.create_grant(
 1049             group_id=new_group['id'],
 1050             project_id=self.project_bar['id'],
 1051             role_id=default_fixtures.MEMBER_ROLE_ID)
 1052         roles_ref = PROVIDERS.assignment_api.list_grants(
 1053             group_id=new_group['id'],
 1054             project_id=self.project_bar['id'])
 1055         self.assertDictEqual(self.role_member, roles_ref[0])
 1056 
 1057         PROVIDERS.assignment_api.delete_grant(
 1058             group_id=new_group['id'],
 1059             project_id=self.project_bar['id'],
 1060             role_id=default_fixtures.MEMBER_ROLE_ID)
 1061         roles_ref = PROVIDERS.assignment_api.list_grants(
 1062             group_id=new_group['id'],
 1063             project_id=self.project_bar['id'])
 1064         self.assertEqual(0, len(roles_ref))
 1065         self.assertRaises(exception.RoleAssignmentNotFound,
 1066                           PROVIDERS.assignment_api.delete_grant,
 1067                           group_id=new_group['id'],
 1068                           project_id=self.project_bar['id'],
 1069                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1070 
 1071     def test_get_and_remove_role_grant_by_group_and_domain(self):
 1072         new_domain = unit.new_domain_ref()
 1073         PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
 1074         new_group = unit.new_group_ref(domain_id=new_domain['id'])
 1075         new_group = PROVIDERS.identity_api.create_group(new_group)
 1076         new_user = unit.new_user_ref(domain_id=new_domain['id'])
 1077         new_user = PROVIDERS.identity_api.create_user(new_user)
 1078         PROVIDERS.identity_api.add_user_to_group(
 1079             new_user['id'], new_group['id']
 1080         )
 1081 
 1082         roles_ref = PROVIDERS.assignment_api.list_grants(
 1083             group_id=new_group['id'],
 1084             domain_id=new_domain['id'])
 1085         self.assertEqual(0, len(roles_ref))
 1086 
 1087         PROVIDERS.assignment_api.create_grant(
 1088             group_id=new_group['id'],
 1089             domain_id=new_domain['id'],
 1090             role_id=default_fixtures.MEMBER_ROLE_ID)
 1091 
 1092         roles_ref = PROVIDERS.assignment_api.list_grants(
 1093             group_id=new_group['id'],
 1094             domain_id=new_domain['id'])
 1095         self.assertDictEqual(self.role_member, roles_ref[0])
 1096 
 1097         PROVIDERS.assignment_api.delete_grant(
 1098             group_id=new_group['id'],
 1099             domain_id=new_domain['id'],
 1100             role_id=default_fixtures.MEMBER_ROLE_ID)
 1101         roles_ref = PROVIDERS.assignment_api.list_grants(
 1102             group_id=new_group['id'],
 1103             domain_id=new_domain['id'])
 1104         self.assertEqual(0, len(roles_ref))
 1105         self.assertRaises(exception.RoleAssignmentNotFound,
 1106                           PROVIDERS.assignment_api.delete_grant,
 1107                           group_id=new_group['id'],
 1108                           domain_id=new_domain['id'],
 1109                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1110 
 1111     def test_get_and_remove_correct_role_grant_from_a_mix(self):
 1112         new_domain = unit.new_domain_ref()
 1113         PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
 1114         new_project = unit.new_project_ref(domain_id=new_domain['id'])
 1115         PROVIDERS.resource_api.create_project(new_project['id'], new_project)
 1116         new_group = unit.new_group_ref(domain_id=new_domain['id'])
 1117         new_group = PROVIDERS.identity_api.create_group(new_group)
 1118         new_group2 = unit.new_group_ref(domain_id=new_domain['id'])
 1119         new_group2 = PROVIDERS.identity_api.create_group(new_group2)
 1120         new_user = unit.new_user_ref(domain_id=new_domain['id'])
 1121         new_user = PROVIDERS.identity_api.create_user(new_user)
 1122         new_user2 = unit.new_user_ref(domain_id=new_domain['id'])
 1123         new_user2 = PROVIDERS.identity_api.create_user(new_user2)
 1124         PROVIDERS.identity_api.add_user_to_group(
 1125             new_user['id'], new_group['id']
 1126         )
 1127         # First check we have no grants
 1128         roles_ref = PROVIDERS.assignment_api.list_grants(
 1129             group_id=new_group['id'],
 1130             domain_id=new_domain['id'])
 1131         self.assertEqual(0, len(roles_ref))
 1132         # Now add the grant we are going to test for, and some others as
 1133         # well just to make sure we get back the right one
 1134         PROVIDERS.assignment_api.create_grant(
 1135             group_id=new_group['id'],
 1136             domain_id=new_domain['id'],
 1137             role_id=default_fixtures.MEMBER_ROLE_ID)
 1138 
 1139         PROVIDERS.assignment_api.create_grant(
 1140             group_id=new_group2['id'], domain_id=new_domain['id'],
 1141             role_id=self.role_admin['id']
 1142         )
 1143         PROVIDERS.assignment_api.create_grant(
 1144             user_id=new_user2['id'], domain_id=new_domain['id'],
 1145             role_id=self.role_admin['id']
 1146         )
 1147         PROVIDERS.assignment_api.create_grant(
 1148             group_id=new_group['id'], project_id=new_project['id'],
 1149             role_id=self.role_admin['id']
 1150         )
 1151 
 1152         roles_ref = PROVIDERS.assignment_api.list_grants(
 1153             group_id=new_group['id'],
 1154             domain_id=new_domain['id'])
 1155         self.assertDictEqual(self.role_member, roles_ref[0])
 1156 
 1157         PROVIDERS.assignment_api.delete_grant(
 1158             group_id=new_group['id'],
 1159             domain_id=new_domain['id'],
 1160             role_id=default_fixtures.MEMBER_ROLE_ID)
 1161         roles_ref = PROVIDERS.assignment_api.list_grants(
 1162             group_id=new_group['id'],
 1163             domain_id=new_domain['id'])
 1164         self.assertEqual(0, len(roles_ref))
 1165         self.assertRaises(exception.RoleAssignmentNotFound,
 1166                           PROVIDERS.assignment_api.delete_grant,
 1167                           group_id=new_group['id'],
 1168                           domain_id=new_domain['id'],
 1169                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1170 
 1171     def test_get_and_remove_role_grant_by_user_and_domain(self):
 1172         new_domain = unit.new_domain_ref()
 1173         PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
 1174         new_user = unit.new_user_ref(domain_id=new_domain['id'])
 1175         new_user = PROVIDERS.identity_api.create_user(new_user)
 1176         roles_ref = PROVIDERS.assignment_api.list_grants(
 1177             user_id=new_user['id'],
 1178             domain_id=new_domain['id'])
 1179         self.assertEqual(0, len(roles_ref))
 1180         PROVIDERS.assignment_api.create_grant(
 1181             user_id=new_user['id'],
 1182             domain_id=new_domain['id'],
 1183             role_id=default_fixtures.MEMBER_ROLE_ID)
 1184         roles_ref = PROVIDERS.assignment_api.list_grants(
 1185             user_id=new_user['id'],
 1186             domain_id=new_domain['id'])
 1187         self.assertDictEqual(self.role_member, roles_ref[0])
 1188 
 1189         PROVIDERS.assignment_api.delete_grant(
 1190             user_id=new_user['id'],
 1191             domain_id=new_domain['id'],
 1192             role_id=default_fixtures.MEMBER_ROLE_ID)
 1193         roles_ref = PROVIDERS.assignment_api.list_grants(
 1194             user_id=new_user['id'],
 1195             domain_id=new_domain['id'])
 1196         self.assertEqual(0, len(roles_ref))
 1197         self.assertRaises(exception.RoleAssignmentNotFound,
 1198                           PROVIDERS.assignment_api.delete_grant,
 1199                           user_id=new_user['id'],
 1200                           domain_id=new_domain['id'],
 1201                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1202 
 1203     def test_get_and_remove_role_grant_by_group_and_cross_domain(self):
 1204         group1_domain1_role = unit.new_role_ref()
 1205         PROVIDERS.role_api.create_role(
 1206             group1_domain1_role['id'], group1_domain1_role
 1207         )
 1208         group1_domain2_role = unit.new_role_ref()
 1209         PROVIDERS.role_api.create_role(
 1210             group1_domain2_role['id'], group1_domain2_role
 1211         )
 1212         domain1 = unit.new_domain_ref()
 1213         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1214         domain2 = unit.new_domain_ref()
 1215         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 1216         group1 = unit.new_group_ref(domain_id=domain1['id'])
 1217         group1 = PROVIDERS.identity_api.create_group(group1)
 1218         roles_ref = PROVIDERS.assignment_api.list_grants(
 1219             group_id=group1['id'],
 1220             domain_id=domain1['id'])
 1221         self.assertEqual(0, len(roles_ref))
 1222         roles_ref = PROVIDERS.assignment_api.list_grants(
 1223             group_id=group1['id'],
 1224             domain_id=domain2['id'])
 1225         self.assertEqual(0, len(roles_ref))
 1226         PROVIDERS.assignment_api.create_grant(
 1227             group_id=group1['id'], domain_id=domain1['id'],
 1228             role_id=group1_domain1_role['id']
 1229         )
 1230         PROVIDERS.assignment_api.create_grant(
 1231             group_id=group1['id'], domain_id=domain2['id'],
 1232             role_id=group1_domain2_role['id']
 1233         )
 1234         roles_ref = PROVIDERS.assignment_api.list_grants(
 1235             group_id=group1['id'],
 1236             domain_id=domain1['id'])
 1237         self.assertDictEqual(group1_domain1_role, roles_ref[0])
 1238         roles_ref = PROVIDERS.assignment_api.list_grants(
 1239             group_id=group1['id'],
 1240             domain_id=domain2['id'])
 1241         self.assertDictEqual(group1_domain2_role, roles_ref[0])
 1242 
 1243         PROVIDERS.assignment_api.delete_grant(
 1244             group_id=group1['id'], domain_id=domain2['id'],
 1245             role_id=group1_domain2_role['id']
 1246         )
 1247         roles_ref = PROVIDERS.assignment_api.list_grants(
 1248             group_id=group1['id'],
 1249             domain_id=domain2['id'])
 1250         self.assertEqual(0, len(roles_ref))
 1251         self.assertRaises(exception.RoleAssignmentNotFound,
 1252                           PROVIDERS.assignment_api.delete_grant,
 1253                           group_id=group1['id'],
 1254                           domain_id=domain2['id'],
 1255                           role_id=group1_domain2_role['id'])
 1256 
 1257     def test_get_and_remove_role_grant_by_user_and_cross_domain(self):
 1258         user1_domain1_role = unit.new_role_ref()
 1259         PROVIDERS.role_api.create_role(
 1260             user1_domain1_role['id'], user1_domain1_role
 1261         )
 1262         user1_domain2_role = unit.new_role_ref()
 1263         PROVIDERS.role_api.create_role(
 1264             user1_domain2_role['id'], user1_domain2_role
 1265         )
 1266         domain1 = unit.new_domain_ref()
 1267         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1268         domain2 = unit.new_domain_ref()
 1269         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 1270         user1 = unit.new_user_ref(domain_id=domain1['id'])
 1271         user1 = PROVIDERS.identity_api.create_user(user1)
 1272         roles_ref = PROVIDERS.assignment_api.list_grants(
 1273             user_id=user1['id'],
 1274             domain_id=domain1['id'])
 1275         self.assertEqual(0, len(roles_ref))
 1276         roles_ref = PROVIDERS.assignment_api.list_grants(
 1277             user_id=user1['id'],
 1278             domain_id=domain2['id'])
 1279         self.assertEqual(0, len(roles_ref))
 1280         PROVIDERS.assignment_api.create_grant(
 1281             user_id=user1['id'], domain_id=domain1['id'],
 1282             role_id=user1_domain1_role['id']
 1283         )
 1284         PROVIDERS.assignment_api.create_grant(
 1285             user_id=user1['id'], domain_id=domain2['id'],
 1286             role_id=user1_domain2_role['id']
 1287         )
 1288         roles_ref = PROVIDERS.assignment_api.list_grants(
 1289             user_id=user1['id'],
 1290             domain_id=domain1['id'])
 1291         self.assertDictEqual(user1_domain1_role, roles_ref[0])
 1292         roles_ref = PROVIDERS.assignment_api.list_grants(
 1293             user_id=user1['id'],
 1294             domain_id=domain2['id'])
 1295         self.assertDictEqual(user1_domain2_role, roles_ref[0])
 1296 
 1297         PROVIDERS.assignment_api.delete_grant(
 1298             user_id=user1['id'], domain_id=domain2['id'],
 1299             role_id=user1_domain2_role['id']
 1300         )
 1301         roles_ref = PROVIDERS.assignment_api.list_grants(
 1302             user_id=user1['id'],
 1303             domain_id=domain2['id'])
 1304         self.assertEqual(0, len(roles_ref))
 1305         self.assertRaises(exception.RoleAssignmentNotFound,
 1306                           PROVIDERS.assignment_api.delete_grant,
 1307                           user_id=user1['id'],
 1308                           domain_id=domain2['id'],
 1309                           role_id=user1_domain2_role['id'])
 1310 
 1311     def test_role_grant_by_group_and_cross_domain_project(self):
 1312         role1 = unit.new_role_ref()
 1313         PROVIDERS.role_api.create_role(role1['id'], role1)
 1314         role2 = unit.new_role_ref()
 1315         PROVIDERS.role_api.create_role(role2['id'], role2)
 1316         domain1 = unit.new_domain_ref()
 1317         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1318         domain2 = unit.new_domain_ref()
 1319         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 1320         group1 = unit.new_group_ref(domain_id=domain1['id'])
 1321         group1 = PROVIDERS.identity_api.create_group(group1)
 1322         project1 = unit.new_project_ref(domain_id=domain2['id'])
 1323         PROVIDERS.resource_api.create_project(project1['id'], project1)
 1324         roles_ref = PROVIDERS.assignment_api.list_grants(
 1325             group_id=group1['id'],
 1326             project_id=project1['id'])
 1327         self.assertEqual(0, len(roles_ref))
 1328         PROVIDERS.assignment_api.create_grant(
 1329             group_id=group1['id'], project_id=project1['id'],
 1330             role_id=role1['id']
 1331         )
 1332         PROVIDERS.assignment_api.create_grant(
 1333             group_id=group1['id'], project_id=project1['id'],
 1334             role_id=role2['id']
 1335         )
 1336         roles_ref = PROVIDERS.assignment_api.list_grants(
 1337             group_id=group1['id'],
 1338             project_id=project1['id'])
 1339 
 1340         roles_ref_ids = []
 1341         for ref in roles_ref:
 1342             roles_ref_ids.append(ref['id'])
 1343         self.assertIn(role1['id'], roles_ref_ids)
 1344         self.assertIn(role2['id'], roles_ref_ids)
 1345 
 1346         PROVIDERS.assignment_api.delete_grant(
 1347             group_id=group1['id'], project_id=project1['id'],
 1348             role_id=role1['id']
 1349         )
 1350         roles_ref = PROVIDERS.assignment_api.list_grants(
 1351             group_id=group1['id'],
 1352             project_id=project1['id'])
 1353         self.assertEqual(1, len(roles_ref))
 1354         self.assertDictEqual(role2, roles_ref[0])
 1355 
 1356     def test_role_grant_by_user_and_cross_domain_project(self):
 1357         role1 = unit.new_role_ref()
 1358         PROVIDERS.role_api.create_role(role1['id'], role1)
 1359         role2 = unit.new_role_ref()
 1360         PROVIDERS.role_api.create_role(role2['id'], role2)
 1361         domain1 = unit.new_domain_ref()
 1362         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1363         domain2 = unit.new_domain_ref()
 1364         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 1365         user1 = unit.new_user_ref(domain_id=domain1['id'])
 1366         user1 = PROVIDERS.identity_api.create_user(user1)
 1367         project1 = unit.new_project_ref(domain_id=domain2['id'])
 1368         PROVIDERS.resource_api.create_project(project1['id'], project1)
 1369         roles_ref = PROVIDERS.assignment_api.list_grants(
 1370             user_id=user1['id'],
 1371             project_id=project1['id'])
 1372         self.assertEqual(0, len(roles_ref))
 1373         PROVIDERS.assignment_api.create_grant(
 1374             user_id=user1['id'], project_id=project1['id'], role_id=role1['id']
 1375         )
 1376         PROVIDERS.assignment_api.create_grant(
 1377             user_id=user1['id'], project_id=project1['id'], role_id=role2['id']
 1378         )
 1379         roles_ref = PROVIDERS.assignment_api.list_grants(
 1380             user_id=user1['id'],
 1381             project_id=project1['id'])
 1382 
 1383         roles_ref_ids = []
 1384         for ref in roles_ref:
 1385             roles_ref_ids.append(ref['id'])
 1386         self.assertIn(role1['id'], roles_ref_ids)
 1387         self.assertIn(role2['id'], roles_ref_ids)
 1388 
 1389         PROVIDERS.assignment_api.delete_grant(
 1390             user_id=user1['id'], project_id=project1['id'], role_id=role1['id']
 1391         )
 1392         roles_ref = PROVIDERS.assignment_api.list_grants(
 1393             user_id=user1['id'],
 1394             project_id=project1['id'])
 1395         self.assertEqual(1, len(roles_ref))
 1396         self.assertDictEqual(role2, roles_ref[0])
 1397 
 1398     def test_delete_user_grant_no_user(self):
 1399         # Can delete a grant where the user doesn't exist.
 1400         role = unit.new_role_ref()
 1401         role_id = role['id']
 1402         PROVIDERS.role_api.create_role(role_id, role)
 1403 
 1404         user_id = uuid.uuid4().hex
 1405 
 1406         PROVIDERS.assignment_api.create_grant(
 1407             role_id, user_id=user_id, project_id=self.project_bar['id']
 1408         )
 1409 
 1410         PROVIDERS.assignment_api.delete_grant(
 1411             role_id, user_id=user_id, project_id=self.project_bar['id']
 1412         )
 1413 
 1414     def test_delete_group_grant_no_group(self):
 1415         # Can delete a grant where the group doesn't exist.
 1416         role = unit.new_role_ref()
 1417         role_id = role['id']
 1418         PROVIDERS.role_api.create_role(role_id, role)
 1419 
 1420         group_id = uuid.uuid4().hex
 1421 
 1422         PROVIDERS.assignment_api.create_grant(
 1423             role_id, group_id=group_id, project_id=self.project_bar['id']
 1424         )
 1425 
 1426         PROVIDERS.assignment_api.delete_grant(
 1427             role_id, group_id=group_id, project_id=self.project_bar['id']
 1428         )
 1429 
 1430     def test_grant_crud_throws_exception_if_invalid_role(self):
 1431         """Ensure RoleNotFound thrown if role does not exist."""
 1432         def assert_role_not_found_exception(f, **kwargs):
 1433             self.assertRaises(exception.RoleNotFound, f,
 1434                               role_id=uuid.uuid4().hex, **kwargs)
 1435 
 1436         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 1437         user_resp = PROVIDERS.identity_api.create_user(user)
 1438         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 1439         group_resp = PROVIDERS.identity_api.create_group(group)
 1440         project = unit.new_project_ref(
 1441             domain_id=CONF.identity.default_domain_id)
 1442         project_resp = PROVIDERS.resource_api.create_project(
 1443             project['id'], project
 1444         )
 1445 
 1446         for manager_call in [PROVIDERS.assignment_api.create_grant,
 1447                              PROVIDERS.assignment_api.get_grant]:
 1448             assert_role_not_found_exception(
 1449                 manager_call,
 1450                 user_id=user_resp['id'], project_id=project_resp['id'])
 1451             assert_role_not_found_exception(
 1452                 manager_call,
 1453                 group_id=group_resp['id'], project_id=project_resp['id'])
 1454             assert_role_not_found_exception(
 1455                 manager_call,
 1456                 user_id=user_resp['id'],
 1457                 domain_id=CONF.identity.default_domain_id)
 1458             assert_role_not_found_exception(
 1459                 manager_call,
 1460                 group_id=group_resp['id'],
 1461                 domain_id=CONF.identity.default_domain_id)
 1462 
 1463         assert_role_not_found_exception(
 1464             PROVIDERS.assignment_api.delete_grant,
 1465             user_id=user_resp['id'], project_id=project_resp['id'])
 1466         assert_role_not_found_exception(
 1467             PROVIDERS.assignment_api.delete_grant,
 1468             group_id=group_resp['id'], project_id=project_resp['id'])
 1469         assert_role_not_found_exception(
 1470             PROVIDERS.assignment_api.delete_grant,
 1471             user_id=user_resp['id'],
 1472             domain_id=CONF.identity.default_domain_id)
 1473         assert_role_not_found_exception(
 1474             PROVIDERS.assignment_api.delete_grant,
 1475             group_id=group_resp['id'],
 1476             domain_id=CONF.identity.default_domain_id)
 1477 
 1478     def test_multi_role_grant_by_user_group_on_project_domain(self):
 1479         role_list = []
 1480         for _ in range(10):
 1481             role = unit.new_role_ref()
 1482             PROVIDERS.role_api.create_role(role['id'], role)
 1483             role_list.append(role)
 1484         domain1 = unit.new_domain_ref()
 1485         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1486         user1 = unit.new_user_ref(domain_id=domain1['id'])
 1487         user1 = PROVIDERS.identity_api.create_user(user1)
 1488         group1 = unit.new_group_ref(domain_id=domain1['id'])
 1489         group1 = PROVIDERS.identity_api.create_group(group1)
 1490         group2 = unit.new_group_ref(domain_id=domain1['id'])
 1491         group2 = PROVIDERS.identity_api.create_group(group2)
 1492         project1 = unit.new_project_ref(domain_id=domain1['id'])
 1493         PROVIDERS.resource_api.create_project(project1['id'], project1)
 1494 
 1495         PROVIDERS.identity_api.add_user_to_group(
 1496             user1['id'], group1['id']
 1497         )
 1498         PROVIDERS.identity_api.add_user_to_group(
 1499             user1['id'], group2['id']
 1500         )
 1501 
 1502         roles_ref = PROVIDERS.assignment_api.list_grants(
 1503             user_id=user1['id'],
 1504             project_id=project1['id'])
 1505         self.assertEqual(0, len(roles_ref))
 1506         PROVIDERS.assignment_api.create_grant(
 1507             user_id=user1['id'], domain_id=domain1['id'],
 1508             role_id=role_list[0]['id']
 1509         )
 1510         PROVIDERS.assignment_api.create_grant(
 1511             user_id=user1['id'], domain_id=domain1['id'],
 1512             role_id=role_list[1]['id']
 1513         )
 1514         PROVIDERS.assignment_api.create_grant(
 1515             group_id=group1['id'], domain_id=domain1['id'],
 1516             role_id=role_list[2]['id']
 1517         )
 1518         PROVIDERS.assignment_api.create_grant(
 1519             group_id=group1['id'], domain_id=domain1['id'],
 1520             role_id=role_list[3]['id']
 1521         )
 1522         PROVIDERS.assignment_api.create_grant(
 1523             user_id=user1['id'], project_id=project1['id'],
 1524             role_id=role_list[4]['id']
 1525         )
 1526         PROVIDERS.assignment_api.create_grant(
 1527             user_id=user1['id'], project_id=project1['id'],
 1528             role_id=role_list[5]['id']
 1529         )
 1530         PROVIDERS.assignment_api.create_grant(
 1531             group_id=group1['id'], project_id=project1['id'],
 1532             role_id=role_list[6]['id']
 1533         )
 1534         PROVIDERS.assignment_api.create_grant(
 1535             group_id=group1['id'], project_id=project1['id'],
 1536             role_id=role_list[7]['id']
 1537         )
 1538         roles_ref = PROVIDERS.assignment_api.list_grants(
 1539             user_id=user1['id'], domain_id=domain1['id']
 1540         )
 1541         self.assertEqual(2, len(roles_ref))
 1542         self.assertIn(role_list[0], roles_ref)
 1543         self.assertIn(role_list[1], roles_ref)
 1544         roles_ref = PROVIDERS.assignment_api.list_grants(
 1545             group_id=group1['id'], domain_id=domain1['id']
 1546         )
 1547         self.assertEqual(2, len(roles_ref))
 1548         self.assertIn(role_list[2], roles_ref)
 1549         self.assertIn(role_list[3], roles_ref)
 1550         roles_ref = PROVIDERS.assignment_api.list_grants(
 1551             user_id=user1['id'], project_id=project1['id']
 1552         )
 1553         self.assertEqual(2, len(roles_ref))
 1554         self.assertIn(role_list[4], roles_ref)
 1555         self.assertIn(role_list[5], roles_ref)
 1556         roles_ref = PROVIDERS.assignment_api.list_grants(
 1557             group_id=group1['id'], project_id=project1['id']
 1558         )
 1559         self.assertEqual(2, len(roles_ref))
 1560         self.assertIn(role_list[6], roles_ref)
 1561         self.assertIn(role_list[7], roles_ref)
 1562 
 1563         # Now test the alternate way of getting back lists of grants,
 1564         # where user and group roles are combined.  These should match
 1565         # the above results.
 1566         combined_list = (
 1567             PROVIDERS.assignment_api.get_roles_for_user_and_project(
 1568                 user1['id'], project1['id']
 1569             )
 1570         )
 1571         self.assertEqual(4, len(combined_list))
 1572         self.assertIn(role_list[4]['id'], combined_list)
 1573         self.assertIn(role_list[5]['id'], combined_list)
 1574         self.assertIn(role_list[6]['id'], combined_list)
 1575         self.assertIn(role_list[7]['id'], combined_list)
 1576 
 1577         combined_role_list = (
 1578             PROVIDERS.assignment_api.get_roles_for_user_and_domain(
 1579                 user1['id'], domain1['id']
 1580             )
 1581         )
 1582         self.assertEqual(4, len(combined_role_list))
 1583         self.assertIn(role_list[0]['id'], combined_role_list)
 1584         self.assertIn(role_list[1]['id'], combined_role_list)
 1585         self.assertIn(role_list[2]['id'], combined_role_list)
 1586         self.assertIn(role_list[3]['id'], combined_role_list)
 1587 
 1588     def test_multi_group_grants_on_project_domain(self):
 1589         """Test multiple group roles for user on project and domain.
 1590 
 1591         Test Plan:
 1592 
 1593         - Create 6 roles
 1594         - Create a domain, with a project, user and two groups
 1595         - Make the user a member of both groups
 1596         - Check no roles yet exit
 1597         - Assign a role to each user and both groups on both the
 1598           project and domain
 1599         - Get a list of effective roles for the user on both the
 1600           project and domain, checking we get back the correct three
 1601           roles
 1602 
 1603         """
 1604         role_list = []
 1605         for _ in range(6):
 1606             role = unit.new_role_ref()
 1607             PROVIDERS.role_api.create_role(role['id'], role)
 1608             role_list.append(role)
 1609         domain1 = unit.new_domain_ref()
 1610         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1611         user1 = unit.new_user_ref(domain_id=domain1['id'])
 1612         user1 = PROVIDERS.identity_api.create_user(user1)
 1613         group1 = unit.new_group_ref(domain_id=domain1['id'])
 1614         group1 = PROVIDERS.identity_api.create_group(group1)
 1615         group2 = unit.new_group_ref(domain_id=domain1['id'])
 1616         group2 = PROVIDERS.identity_api.create_group(group2)
 1617         project1 = unit.new_project_ref(domain_id=domain1['id'])
 1618         PROVIDERS.resource_api.create_project(project1['id'], project1)
 1619 
 1620         PROVIDERS.identity_api.add_user_to_group(
 1621             user1['id'], group1['id']
 1622         )
 1623         PROVIDERS.identity_api.add_user_to_group(
 1624             user1['id'], group2['id']
 1625         )
 1626 
 1627         roles_ref = PROVIDERS.assignment_api.list_grants(
 1628             user_id=user1['id'],
 1629             project_id=project1['id'])
 1630         self.assertEqual(0, len(roles_ref))
 1631         PROVIDERS.assignment_api.create_grant(
 1632             user_id=user1['id'], domain_id=domain1['id'],
 1633             role_id=role_list[0]['id']
 1634         )
 1635         PROVIDERS.assignment_api.create_grant(
 1636             group_id=group1['id'], domain_id=domain1['id'],
 1637             role_id=role_list[1]['id']
 1638         )
 1639         PROVIDERS.assignment_api.create_grant(
 1640             group_id=group2['id'], domain_id=domain1['id'],
 1641             role_id=role_list[2]['id']
 1642         )
 1643         PROVIDERS.assignment_api.create_grant(
 1644             user_id=user1['id'], project_id=project1['id'],
 1645             role_id=role_list[3]['id']
 1646         )
 1647         PROVIDERS.assignment_api.create_grant(
 1648             group_id=group1['id'], project_id=project1['id'],
 1649             role_id=role_list[4]['id']
 1650         )
 1651         PROVIDERS.assignment_api.create_grant(
 1652             group_id=group2['id'], project_id=project1['id'],
 1653             role_id=role_list[5]['id']
 1654         )
 1655 
 1656         # Read by the roles, ensuring we get the correct 3 roles for
 1657         # both project and domain
 1658         combined_list = (
 1659             PROVIDERS.assignment_api.get_roles_for_user_and_project(
 1660                 user1['id'], project1['id']
 1661             )
 1662         )
 1663         self.assertEqual(3, len(combined_list))
 1664         self.assertIn(role_list[3]['id'], combined_list)
 1665         self.assertIn(role_list[4]['id'], combined_list)
 1666         self.assertIn(role_list[5]['id'], combined_list)
 1667 
 1668         combined_role_list = (
 1669             PROVIDERS.assignment_api.get_roles_for_user_and_domain(
 1670                 user1['id'], domain1['id']
 1671             )
 1672         )
 1673         self.assertEqual(3, len(combined_role_list))
 1674         self.assertIn(role_list[0]['id'], combined_role_list)
 1675         self.assertIn(role_list[1]['id'], combined_role_list)
 1676         self.assertIn(role_list[2]['id'], combined_role_list)
 1677 
 1678     def test_delete_role_with_user_and_group_grants(self):
 1679         role1 = unit.new_role_ref()
 1680         PROVIDERS.role_api.create_role(role1['id'], role1)
 1681         domain1 = unit.new_domain_ref()
 1682         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1683         project1 = unit.new_project_ref(domain_id=domain1['id'])
 1684         PROVIDERS.resource_api.create_project(project1['id'], project1)
 1685         user1 = unit.new_user_ref(domain_id=domain1['id'])
 1686         user1 = PROVIDERS.identity_api.create_user(user1)
 1687         group1 = unit.new_group_ref(domain_id=domain1['id'])
 1688         group1 = PROVIDERS.identity_api.create_group(group1)
 1689         PROVIDERS.assignment_api.create_grant(
 1690             user_id=user1['id'], project_id=project1['id'], role_id=role1['id']
 1691         )
 1692         PROVIDERS.assignment_api.create_grant(
 1693             user_id=user1['id'], domain_id=domain1['id'], role_id=role1['id']
 1694         )
 1695         PROVIDERS.assignment_api.create_grant(
 1696             group_id=group1['id'], project_id=project1['id'],
 1697             role_id=role1['id']
 1698         )
 1699         PROVIDERS.assignment_api.create_grant(
 1700             group_id=group1['id'], domain_id=domain1['id'], role_id=role1['id']
 1701         )
 1702         roles_ref = PROVIDERS.assignment_api.list_grants(
 1703             user_id=user1['id'],
 1704             project_id=project1['id'])
 1705         self.assertEqual(1, len(roles_ref))
 1706         roles_ref = PROVIDERS.assignment_api.list_grants(
 1707             group_id=group1['id'],
 1708             project_id=project1['id'])
 1709         self.assertEqual(1, len(roles_ref))
 1710         roles_ref = PROVIDERS.assignment_api.list_grants(
 1711             user_id=user1['id'],
 1712             domain_id=domain1['id'])
 1713         self.assertEqual(1, len(roles_ref))
 1714         roles_ref = PROVIDERS.assignment_api.list_grants(
 1715             group_id=group1['id'],
 1716             domain_id=domain1['id'])
 1717         self.assertEqual(1, len(roles_ref))
 1718         PROVIDERS.role_api.delete_role(role1['id'])
 1719         roles_ref = PROVIDERS.assignment_api.list_grants(
 1720             user_id=user1['id'],
 1721             project_id=project1['id'])
 1722         self.assertEqual(0, len(roles_ref))
 1723         roles_ref = PROVIDERS.assignment_api.list_grants(
 1724             group_id=group1['id'],
 1725             project_id=project1['id'])
 1726         self.assertEqual(0, len(roles_ref))
 1727         roles_ref = PROVIDERS.assignment_api.list_grants(
 1728             user_id=user1['id'],
 1729             domain_id=domain1['id'])
 1730         self.assertEqual(0, len(roles_ref))
 1731         roles_ref = PROVIDERS.assignment_api.list_grants(
 1732             group_id=group1['id'],
 1733             domain_id=domain1['id'])
 1734         self.assertEqual(0, len(roles_ref))
 1735 
 1736     def test_list_role_assignment_by_domain(self):
 1737         """Test listing of role assignment filtered by domain."""
 1738         test_plan = {
 1739             # A domain with 3 users, 1 group, a spoiler domain and 2 roles.
 1740             'entities': {'domains': [{'users': 3, 'groups': 1}, 1],
 1741                          'roles': 2},
 1742             # Users 1 & 2 are in the group
 1743             'group_memberships': [{'group': 0, 'users': [1, 2]}],
 1744             # Assign a role for user 0 and the group
 1745             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
 1746                             {'group': 0, 'role': 1, 'domain': 0}],
 1747             'tests': [
 1748                 # List all effective assignments for domain[0].
 1749                 # Should get one direct user role and user roles for each of
 1750                 # the users in the group.
 1751                 {'params': {'domain': 0, 'effective': True},
 1752                  'results': [{'user': 0, 'role': 0, 'domain': 0},
 1753                              {'user': 1, 'role': 1, 'domain': 0,
 1754                               'indirect': {'group': 0}},
 1755                              {'user': 2, 'role': 1, 'domain': 0,
 1756                               'indirect': {'group': 0}}
 1757                              ]},
 1758                 # Using domain[1] should return nothing
 1759                 {'params': {'domain': 1, 'effective': True},
 1760                  'results': []},
 1761             ]
 1762         }
 1763         self.execute_assignment_plan(test_plan)
 1764 
 1765     def test_list_role_assignment_by_user_with_domain_group_roles(self):
 1766         """Test listing assignments by user, with group roles on a domain."""
 1767         test_plan = {
 1768             # A domain with 3 users, 3 groups, a spoiler domain
 1769             # plus 3 roles.
 1770             'entities': {'domains': [{'users': 3, 'groups': 3}, 1],
 1771                          'roles': 3},
 1772             # Users 1 & 2 are in the group 0, User 1 also in group 1
 1773             'group_memberships': [{'group': 0, 'users': [0, 1]},
 1774                                   {'group': 1, 'users': [0]}],
 1775             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
 1776                             {'group': 0, 'role': 1, 'domain': 0},
 1777                             {'group': 1, 'role': 2, 'domain': 0},
 1778                             # ...and two spoiler assignments
 1779                             {'user': 1, 'role': 1, 'domain': 0},
 1780                             {'group': 2, 'role': 2, 'domain': 0}],
 1781             'tests': [
 1782                 # List all effective assignments for user[0].
 1783                 # Should get one direct user role and a user roles for each of
 1784                 # groups 0 and 1
 1785                 {'params': {'user': 0, 'effective': True},
 1786                  'results': [{'user': 0, 'role': 0, 'domain': 0},
 1787                              {'user': 0, 'role': 1, 'domain': 0,
 1788                               'indirect': {'group': 0}},
 1789                              {'user': 0, 'role': 2, 'domain': 0,
 1790                               'indirect': {'group': 1}}
 1791                              ]},
 1792                 # Adding domain[0] as a filter should return the same data
 1793                 {'params': {'user': 0, 'domain': 0, 'effective': True},
 1794                  'results': [{'user': 0, 'role': 0, 'domain': 0},
 1795                              {'user': 0, 'role': 1, 'domain': 0,
 1796                               'indirect': {'group': 0}},
 1797                              {'user': 0, 'role': 2, 'domain': 0,
 1798                               'indirect': {'group': 1}}
 1799                              ]},
 1800                 # Using domain[1] should return nothing
 1801                 {'params': {'user': 0, 'domain': 1, 'effective': True},
 1802                  'results': []},
 1803                 # Using user[2] should return nothing
 1804                 {'params': {'user': 2, 'domain': 0, 'effective': True},
 1805                  'results': []},
 1806             ]
 1807         }
 1808         self.execute_assignment_plan(test_plan)
 1809 
 1810     def test_list_role_assignment_using_sourced_groups(self):
 1811         """Test listing assignments when restricted by source groups."""
 1812         test_plan = {
 1813             # The default domain with 3 users, 3 groups, 3 projects,
 1814             # plus 3 roles.
 1815             'entities': {'domains': {'id': CONF.identity.default_domain_id,
 1816                                      'users': 3, 'groups': 3, 'projects': 3},
 1817                          'roles': 3},
 1818             # Users 0 & 1 are in the group 0, User 0 also in group 1
 1819             'group_memberships': [{'group': 0, 'users': [0, 1]},
 1820                                   {'group': 1, 'users': [0]}],
 1821             # Spread the assignments around - we want to be able to show that
 1822             # if sourced by group, assignments from other sources are excluded
 1823             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 1824                             {'group': 0, 'role': 1, 'project': 1},
 1825                             {'group': 1, 'role': 2, 'project': 0},
 1826                             {'group': 1, 'role': 2, 'project': 1},
 1827                             {'user': 2, 'role': 1, 'project': 1},
 1828                             {'group': 2, 'role': 2, 'project': 2}
 1829                             ],
 1830             'tests': [
 1831                 # List all effective assignments sourced from groups 0 and 1
 1832                 {'params': {'source_from_group_ids': [0, 1],
 1833                             'effective': True},
 1834                  'results': [{'group': 0, 'role': 1, 'project': 1},
 1835                              {'group': 1, 'role': 2, 'project': 0},
 1836                              {'group': 1, 'role': 2, 'project': 1}
 1837                              ]},
 1838                 # Adding a role a filter should further restrict the entries
 1839                 {'params': {'source_from_group_ids': [0, 1], 'role': 2,
 1840                             'effective': True},
 1841                  'results': [{'group': 1, 'role': 2, 'project': 0},
 1842                              {'group': 1, 'role': 2, 'project': 1}
 1843                              ]},
 1844             ]
 1845         }
 1846         self.execute_assignment_plan(test_plan)
 1847 
 1848     def test_list_role_assignment_using_sourced_groups_with_domains(self):
 1849         """Test listing domain assignments when restricted by source groups."""
 1850         test_plan = {
 1851             # A domain with 3 users, 3 groups, 3 projects, a second domain,
 1852             # plus 3 roles.
 1853             'entities': {'domains': [{'users': 3, 'groups': 3, 'projects': 3},
 1854                                      1],
 1855                          'roles': 3},
 1856             # Users 0 & 1 are in the group 0, User 0 also in group 1
 1857             'group_memberships': [{'group': 0, 'users': [0, 1]},
 1858                                   {'group': 1, 'users': [0]}],
 1859             # Spread the assignments around - we want to be able to show that
 1860             # if sourced by group, assignments from other sources are excluded
 1861             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
 1862                             {'group': 0, 'role': 1, 'domain': 1},
 1863                             {'group': 1, 'role': 2, 'project': 0},
 1864                             {'group': 1, 'role': 2, 'project': 1},
 1865                             {'user': 2, 'role': 1, 'project': 1},
 1866                             {'group': 2, 'role': 2, 'project': 2}
 1867                             ],
 1868             'tests': [
 1869                 # List all effective assignments sourced from groups 0 and 1
 1870                 {'params': {'source_from_group_ids': [0, 1],
 1871                             'effective': True},
 1872                  'results': [{'group': 0, 'role': 1, 'domain': 1},
 1873                              {'group': 1, 'role': 2, 'project': 0},
 1874                              {'group': 1, 'role': 2, 'project': 1}
 1875                              ]},
 1876                 # Adding a role a filter should further restrict the entries
 1877                 {'params': {'source_from_group_ids': [0, 1], 'role': 1,
 1878                             'effective': True},
 1879                  'results': [{'group': 0, 'role': 1, 'domain': 1},
 1880                              ]},
 1881             ]
 1882         }
 1883         self.execute_assignment_plan(test_plan)
 1884 
 1885     def test_list_role_assignment_fails_with_userid_and_source_groups(self):
 1886         """Show we trap this unsupported internal combination of params."""
 1887         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 1888         group = PROVIDERS.identity_api.create_group(group)
 1889         self.assertRaises(exception.UnexpectedError,
 1890                           PROVIDERS.assignment_api.list_role_assignments,
 1891                           effective=True,
 1892                           user_id=self.user_foo['id'],
 1893                           source_from_group_ids=[group['id']])
 1894 
 1895     def test_list_user_project_ids_returns_not_found(self):
 1896         self.assertRaises(exception.UserNotFound,
 1897                           PROVIDERS.assignment_api.list_projects_for_user,
 1898                           uuid.uuid4().hex)
 1899 
 1900     def test_delete_user_with_project_association(self):
 1901         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 1902         user = PROVIDERS.identity_api.create_user(user)
 1903         role_member = unit.new_role_ref()
 1904         PROVIDERS.role_api.create_role(role_member['id'], role_member)
 1905         PROVIDERS.assignment_api.add_role_to_user_and_project(
 1906             user['id'], self.project_bar['id'], role_member['id']
 1907         )
 1908         PROVIDERS.identity_api.delete_user(user['id'])
 1909         self.assertRaises(exception.UserNotFound,
 1910                           PROVIDERS.assignment_api.list_projects_for_user,
 1911                           user['id'])
 1912 
 1913     def test_delete_user_with_project_roles(self):
 1914         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 1915         user = PROVIDERS.identity_api.create_user(user)
 1916         PROVIDERS.assignment_api.add_role_to_user_and_project(
 1917             user['id'],
 1918             self.project_bar['id'],
 1919             self.role_member['id'])
 1920         PROVIDERS.identity_api.delete_user(user['id'])
 1921         self.assertRaises(exception.UserNotFound,
 1922                           PROVIDERS.assignment_api.list_projects_for_user,
 1923                           user['id'])
 1924 
 1925     def test_delete_role_returns_not_found(self):
 1926         self.assertRaises(exception.RoleNotFound,
 1927                           PROVIDERS.role_api.delete_role,
 1928                           uuid.uuid4().hex)
 1929 
 1930     def test_delete_project_with_role_assignments(self):
 1931         project = unit.new_project_ref(
 1932             domain_id=CONF.identity.default_domain_id)
 1933         PROVIDERS.resource_api.create_project(project['id'], project)
 1934         PROVIDERS.assignment_api.add_role_to_user_and_project(
 1935             self.user_foo['id'],
 1936             project['id'],
 1937             default_fixtures.MEMBER_ROLE_ID)
 1938         PROVIDERS.resource_api.delete_project(project['id'])
 1939         self.assertRaises(exception.ProjectNotFound,
 1940                           PROVIDERS.assignment_api.list_user_ids_for_project,
 1941                           project['id'])
 1942 
 1943     def test_delete_role_check_role_grant(self):
 1944         role = unit.new_role_ref()
 1945         alt_role = unit.new_role_ref()
 1946         PROVIDERS.role_api.create_role(role['id'], role)
 1947         PROVIDERS.role_api.create_role(alt_role['id'], alt_role)
 1948         PROVIDERS.assignment_api.add_role_to_user_and_project(
 1949             self.user_foo['id'], self.project_bar['id'], role['id'])
 1950         PROVIDERS.assignment_api.add_role_to_user_and_project(
 1951             self.user_foo['id'], self.project_bar['id'], alt_role['id'])
 1952         PROVIDERS.role_api.delete_role(role['id'])
 1953         roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project(
 1954             self.user_foo['id'], self.project_bar['id'])
 1955         self.assertNotIn(role['id'], roles_ref)
 1956         self.assertIn(alt_role['id'], roles_ref)
 1957 
 1958     def test_list_projects_for_user(self):
 1959         domain = unit.new_domain_ref()
 1960         PROVIDERS.resource_api.create_domain(domain['id'], domain)
 1961         user1 = unit.new_user_ref(domain_id=domain['id'])
 1962         user1 = PROVIDERS.identity_api.create_user(user1)
 1963         user_projects = PROVIDERS.assignment_api.list_projects_for_user(
 1964             user1['id']
 1965         )
 1966         self.assertEqual(0, len(user_projects))
 1967         PROVIDERS.assignment_api.create_grant(
 1968             user_id=user1['id'], project_id=self.project_bar['id'],
 1969             role_id=self.role_member['id']
 1970         )
 1971         PROVIDERS.assignment_api.create_grant(
 1972             user_id=user1['id'], project_id=self.project_baz['id'],
 1973             role_id=self.role_member['id']
 1974         )
 1975         user_projects = PROVIDERS.assignment_api.list_projects_for_user(
 1976             user1['id']
 1977         )
 1978         self.assertEqual(2, len(user_projects))
 1979 
 1980     def test_list_projects_for_user_with_grants(self):
 1981         # Create two groups each with a role on a different project, and
 1982         # make user1 a member of both groups.  Both these new projects
 1983         # should now be included, along with any direct user grants.
 1984         domain = unit.new_domain_ref()
 1985         PROVIDERS.resource_api.create_domain(domain['id'], domain)
 1986         user1 = unit.new_user_ref(domain_id=domain['id'])
 1987         user1 = PROVIDERS.identity_api.create_user(user1)
 1988         group1 = unit.new_group_ref(domain_id=domain['id'])
 1989         group1 = PROVIDERS.identity_api.create_group(group1)
 1990         group2 = unit.new_group_ref(domain_id=domain['id'])
 1991         group2 = PROVIDERS.identity_api.create_group(group2)
 1992         project1 = unit.new_project_ref(domain_id=domain['id'])
 1993         PROVIDERS.resource_api.create_project(project1['id'], project1)
 1994         project2 = unit.new_project_ref(domain_id=domain['id'])
 1995         PROVIDERS.resource_api.create_project(project2['id'], project2)
 1996         PROVIDERS.identity_api.add_user_to_group(user1['id'], group1['id'])
 1997         PROVIDERS.identity_api.add_user_to_group(user1['id'], group2['id'])
 1998 
 1999         # Create 3 grants, one user grant, the other two as group grants
 2000         PROVIDERS.assignment_api.create_grant(
 2001             user_id=user1['id'], project_id=self.project_bar['id'],
 2002             role_id=self.role_member['id']
 2003         )
 2004         PROVIDERS.assignment_api.create_grant(
 2005             group_id=group1['id'], project_id=project1['id'],
 2006             role_id=self.role_admin['id']
 2007         )
 2008         PROVIDERS.assignment_api.create_grant(
 2009             group_id=group2['id'], project_id=project2['id'],
 2010             role_id=self.role_admin['id']
 2011         )
 2012         user_projects = PROVIDERS.assignment_api.list_projects_for_user(
 2013             user1['id']
 2014         )
 2015         self.assertEqual(3, len(user_projects))
 2016 
 2017     def test_create_grant_no_user(self):
 2018         # If call create_grant with a user that doesn't exist, doesn't fail.
 2019         PROVIDERS.assignment_api.create_grant(
 2020             self.role_other['id'],
 2021             user_id=uuid.uuid4().hex,
 2022             project_id=self.project_bar['id'])
 2023 
 2024     def test_create_grant_no_group(self):
 2025         # If call create_grant with a group that doesn't exist, doesn't fail.
 2026         PROVIDERS.assignment_api.create_grant(
 2027             self.role_other['id'],
 2028             group_id=uuid.uuid4().hex,
 2029             project_id=self.project_bar['id'])
 2030 
 2031     def test_delete_group_removes_role_assignments(self):
 2032         # When a group is deleted any role assignments for the group are
 2033         # removed.
 2034 
 2035         def get_member_assignments():
 2036             assignments = PROVIDERS.assignment_api.list_role_assignments()
 2037             return ([x for x in assignments if x['role_id'] ==
 2038                     default_fixtures.MEMBER_ROLE_ID])
 2039 
 2040         orig_member_assignments = get_member_assignments()
 2041 
 2042         # Create a group.
 2043         new_group = unit.new_group_ref(
 2044             domain_id=CONF.identity.default_domain_id)
 2045         new_group = PROVIDERS.identity_api.create_group(new_group)
 2046 
 2047         # Create a project.
 2048         new_project = unit.new_project_ref(
 2049             domain_id=CONF.identity.default_domain_id)
 2050         PROVIDERS.resource_api.create_project(new_project['id'], new_project)
 2051 
 2052         # Assign a role to the group.
 2053         PROVIDERS.assignment_api.create_grant(
 2054             group_id=new_group['id'], project_id=new_project['id'],
 2055             role_id=default_fixtures.MEMBER_ROLE_ID)
 2056 
 2057         # Delete the group.
 2058         PROVIDERS.identity_api.delete_group(new_group['id'])
 2059 
 2060         # Check that the role assignment for the group is gone
 2061         member_assignments = get_member_assignments()
 2062 
 2063         self.assertThat(member_assignments,
 2064                         matchers.Equals(orig_member_assignments))
 2065 
 2066     def test_get_roles_for_groups_on_domain(self):
 2067         """Test retrieving group domain roles.
 2068 
 2069         Test Plan:
 2070 
 2071         - Create a domain, three groups and three roles
 2072         - Assign one an inherited and the others a non-inherited group role
 2073           to the domain
 2074         - Ensure that only the non-inherited roles are returned on the domain
 2075 
 2076         """
 2077         domain1 = unit.new_domain_ref()
 2078         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 2079         group_list = []
 2080         group_id_list = []
 2081         role_list = []
 2082         for _ in range(3):
 2083             group = unit.new_group_ref(domain_id=domain1['id'])
 2084             group = PROVIDERS.identity_api.create_group(group)
 2085             group_list.append(group)
 2086             group_id_list.append(group['id'])
 2087 
 2088             role = unit.new_role_ref()
 2089             PROVIDERS.role_api.create_role(role['id'], role)
 2090             role_list.append(role)
 2091 
 2092         # Assign the roles - one is inherited
 2093         PROVIDERS.assignment_api.create_grant(
 2094             group_id=group_list[0]['id'], domain_id=domain1['id'],
 2095             role_id=role_list[0]['id']
 2096         )
 2097         PROVIDERS.assignment_api.create_grant(
 2098             group_id=group_list[1]['id'], domain_id=domain1['id'],
 2099             role_id=role_list[1]['id']
 2100         )
 2101         PROVIDERS.assignment_api.create_grant(
 2102             group_id=group_list[2]['id'], domain_id=domain1['id'],
 2103             role_id=role_list[2]['id'], inherited_to_projects=True
 2104         )
 2105 
 2106         # Now get the effective roles for the groups on the domain project. We
 2107         # shouldn't get back the inherited role.
 2108 
 2109         role_refs = PROVIDERS.assignment_api.get_roles_for_groups(
 2110             group_id_list, domain_id=domain1['id'])
 2111 
 2112         self.assertThat(role_refs, matchers.HasLength(2))
 2113         self.assertIn(role_list[0], role_refs)
 2114         self.assertIn(role_list[1], role_refs)
 2115 
 2116     def test_get_roles_for_groups_on_project(self):
 2117         """Test retrieving group project roles.
 2118 
 2119         Test Plan:
 2120 
 2121         - Create two domains, two projects, six groups and six roles
 2122         - Project1 is in Domain1, Project2 is in Domain2
 2123         - Domain2/Project2 are spoilers
 2124         - Assign a different direct group role to each project as well
 2125           as both an inherited and non-inherited role to each domain
 2126         - Get the group roles for Project 1 - depending on whether we have
 2127           enabled inheritance, we should either get back just the direct role
 2128           or both the direct one plus the inherited domain role from Domain 1
 2129 
 2130         """
 2131         domain1 = unit.new_domain_ref()
 2132         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 2133         domain2 = unit.new_domain_ref()
 2134         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 2135         project1 = unit.new_project_ref(domain_id=domain1['id'])
 2136         PROVIDERS.resource_api.create_project(project1['id'], project1)
 2137         project2 = unit.new_project_ref(domain_id=domain2['id'])
 2138         PROVIDERS.resource_api.create_project(project2['id'], project2)
 2139         group_list = []
 2140         group_id_list = []
 2141         role_list = []
 2142         for _ in range(6):
 2143             group = unit.new_group_ref(domain_id=domain1['id'])
 2144             group = PROVIDERS.identity_api.create_group(group)
 2145             group_list.append(group)
 2146             group_id_list.append(group['id'])
 2147 
 2148             role = unit.new_role_ref()
 2149             PROVIDERS.role_api.create_role(role['id'], role)
 2150             role_list.append(role)
 2151 
 2152         # Assign the roles - one inherited and one non-inherited on Domain1,
 2153         # plus one on Project1
 2154         PROVIDERS.assignment_api.create_grant(
 2155             group_id=group_list[0]['id'], domain_id=domain1['id'],
 2156             role_id=role_list[0]['id']
 2157         )
 2158         PROVIDERS.assignment_api.create_grant(
 2159             group_id=group_list[1]['id'], domain_id=domain1['id'],
 2160             role_id=role_list[1]['id'], inherited_to_projects=True
 2161         )
 2162         PROVIDERS.assignment_api.create_grant(
 2163             group_id=group_list[2]['id'], project_id=project1['id'],
 2164             role_id=role_list[2]['id']
 2165         )
 2166 
 2167         # ...and a duplicate set of spoiler assignments to Domain2/Project2
 2168         PROVIDERS.assignment_api.create_grant(
 2169             group_id=group_list[3]['id'], domain_id=domain2['id'],
 2170             role_id=role_list[3]['id']
 2171         )
 2172         PROVIDERS.assignment_api.create_grant(
 2173             group_id=group_list[4]['id'], domain_id=domain2['id'],
 2174             role_id=role_list[4]['id'], inherited_to_projects=True
 2175         )
 2176         PROVIDERS.assignment_api.create_grant(
 2177             group_id=group_list[5]['id'], project_id=project2['id'],
 2178             role_id=role_list[5]['id']
 2179         )
 2180 
 2181         # With inheritance on, we should also get back the inherited role from
 2182         # its owning domain.
 2183 
 2184         role_refs = PROVIDERS.assignment_api.get_roles_for_groups(
 2185             group_id_list, project_id=project1['id'])
 2186 
 2187         self.assertThat(role_refs, matchers.HasLength(2))
 2188         self.assertIn(role_list[1], role_refs)
 2189         self.assertIn(role_list[2], role_refs)
 2190 
 2191     def test_list_domains_for_groups(self):
 2192         """Test retrieving domains for a list of groups.
 2193 
 2194         Test Plan:
 2195 
 2196         - Create three domains, three groups and one role
 2197         - Assign a non-inherited group role to two domains, and an inherited
 2198           group role to the third
 2199         - Ensure only the domains with non-inherited roles are returned
 2200 
 2201         """
 2202         domain_list = []
 2203         group_list = []
 2204         group_id_list = []
 2205         for _ in range(3):
 2206             domain = unit.new_domain_ref()
 2207             PROVIDERS.resource_api.create_domain(domain['id'], domain)
 2208             domain_list.append(domain)
 2209 
 2210             group = unit.new_group_ref(domain_id=domain['id'])
 2211             group = PROVIDERS.identity_api.create_group(group)
 2212             group_list.append(group)
 2213             group_id_list.append(group['id'])
 2214 
 2215         role1 = unit.new_role_ref()
 2216         PROVIDERS.role_api.create_role(role1['id'], role1)
 2217 
 2218         # Assign the roles - one is inherited
 2219         PROVIDERS.assignment_api.create_grant(
 2220             group_id=group_list[0]['id'], domain_id=domain_list[0]['id'],
 2221             role_id=role1['id']
 2222         )
 2223         PROVIDERS.assignment_api.create_grant(
 2224             group_id=group_list[1]['id'], domain_id=domain_list[1]['id'],
 2225             role_id=role1['id']
 2226         )
 2227         PROVIDERS.assignment_api.create_grant(
 2228             group_id=group_list[2]['id'], domain_id=domain_list[2]['id'],
 2229             role_id=role1['id'], inherited_to_projects=True
 2230         )
 2231 
 2232         # Now list the domains that have roles for any of the 3 groups
 2233         # We shouldn't get back domain[2] since that had an inherited role.
 2234 
 2235         domain_refs = (
 2236             PROVIDERS.assignment_api.list_domains_for_groups(group_id_list))
 2237 
 2238         self.assertThat(domain_refs, matchers.HasLength(2))
 2239         self.assertIn(domain_list[0], domain_refs)
 2240         self.assertIn(domain_list[1], domain_refs)
 2241 
 2242     def test_list_projects_for_groups(self):
 2243         """Test retrieving projects for a list of groups.
 2244 
 2245         Test Plan:
 2246 
 2247         - Create two domains, four projects, seven groups and seven roles
 2248         - Project1-3 are in Domain1, Project4 is in Domain2
 2249         - Domain2/Project4 are spoilers
 2250         - Project1 and 2 have direct group roles, Project3 has no direct
 2251           roles but should inherit a group role from Domain1
 2252         - Get the projects for the group roles that are assigned to Project1
 2253           Project2 and the inherited one on Domain1. Depending on whether we
 2254           have enabled inheritance, we should either get back just the projects
 2255           with direct roles (Project 1 and 2) or also Project3 due to its
 2256           inherited role from Domain1.
 2257 
 2258         """
 2259         domain1 = unit.new_domain_ref()
 2260         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 2261         domain2 = unit.new_domain_ref()
 2262         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 2263         project1 = unit.new_project_ref(domain_id=domain1['id'])
 2264         project1 = PROVIDERS.resource_api.create_project(
 2265             project1['id'], project1
 2266         )
 2267         project2 = unit.new_project_ref(domain_id=domain1['id'])
 2268         project2 = PROVIDERS.resource_api.create_project(
 2269             project2['id'], project2
 2270         )
 2271         project3 = unit.new_project_ref(domain_id=domain1['id'])
 2272         project3 = PROVIDERS.resource_api.create_project(
 2273             project3['id'], project3
 2274         )
 2275         project4 = unit.new_project_ref(domain_id=domain2['id'])
 2276         project4 = PROVIDERS.resource_api.create_project(
 2277             project4['id'], project4
 2278         )
 2279         group_list = []
 2280         role_list = []
 2281         for _ in range(7):
 2282             group = unit.new_group_ref(domain_id=domain1['id'])
 2283             group = PROVIDERS.identity_api.create_group(group)
 2284             group_list.append(group)
 2285 
 2286             role = unit.new_role_ref()
 2287             PROVIDERS.role_api.create_role(role['id'], role)
 2288             role_list.append(role)
 2289 
 2290         # Assign the roles - one inherited and one non-inherited on Domain1,
 2291         # plus one on Project1 and Project2
 2292         PROVIDERS.assignment_api.create_grant(
 2293             group_id=group_list[0]['id'], domain_id=domain1['id'],
 2294             role_id=role_list[0]['id']
 2295         )
 2296         PROVIDERS.assignment_api.create_grant(
 2297             group_id=group_list[1]['id'], domain_id=domain1['id'],
 2298             role_id=role_list[1]['id'], inherited_to_projects=True
 2299         )
 2300         PROVIDERS.assignment_api.create_grant(
 2301             group_id=group_list[2]['id'], project_id=project1['id'],
 2302             role_id=role_list[2]['id']
 2303         )
 2304         PROVIDERS.assignment_api.create_grant(
 2305             group_id=group_list[3]['id'], project_id=project2['id'],
 2306             role_id=role_list[3]['id']
 2307         )
 2308 
 2309         # ...and a few of spoiler assignments to Domain2/Project4
 2310         PROVIDERS.assignment_api.create_grant(
 2311             group_id=group_list[4]['id'], domain_id=domain2['id'],
 2312             role_id=role_list[4]['id']
 2313         )
 2314         PROVIDERS.assignment_api.create_grant(
 2315             group_id=group_list[5]['id'], domain_id=domain2['id'],
 2316             role_id=role_list[5]['id'], inherited_to_projects=True
 2317         )
 2318         PROVIDERS.assignment_api.create_grant(
 2319             group_id=group_list[6]['id'], project_id=project4['id'],
 2320             role_id=role_list[6]['id']
 2321         )
 2322 
 2323         group_id_list = [group_list[1]['id'], group_list[2]['id'],
 2324                          group_list[3]['id']]
 2325 
 2326         # With inheritance on, we should also get back the Project3 due to the
 2327         # inherited role from its owning domain.
 2328         project_refs = (
 2329             PROVIDERS.assignment_api.list_projects_for_groups(group_id_list))
 2330 
 2331         self.assertThat(project_refs, matchers.HasLength(3))
 2332         self.assertIn(project1, project_refs)
 2333         self.assertIn(project2, project_refs)
 2334         self.assertIn(project3, project_refs)
 2335 
 2336     def test_update_role_no_name(self):
 2337         # A user can update a role and not include the name.
 2338 
 2339         # description is picked just because it's not name.
 2340         PROVIDERS.role_api.update_role(
 2341             self.role_member['id'], {'description': uuid.uuid4().hex}
 2342         )
 2343         # If the previous line didn't raise an exception then the test passes.
 2344 
 2345     def test_update_role_same_name(self):
 2346         # A user can update a role and set the name to be the same as it was.
 2347 
 2348         PROVIDERS.role_api.update_role(
 2349             self.role_member['id'], {'name': self.role_member['name']}
 2350         )
 2351         # If the previous line didn't raise an exception then the test passes.
 2352 
 2353     def _test_list_role_assignment_containing_names(self, domain_role=False):
 2354         # Create Refs
 2355         new_domain = self._get_domain_fixture()
 2356         if domain_role:
 2357             new_role = unit.new_role_ref(domain_id=new_domain['id'])
 2358         else:
 2359             new_role = unit.new_role_ref()
 2360         new_user = unit.new_user_ref(domain_id=new_domain['id'])
 2361         new_project = unit.new_project_ref(domain_id=new_domain['id'])
 2362         new_group = unit.new_group_ref(domain_id=new_domain['id'])
 2363         # Create entities
 2364         new_role = PROVIDERS.role_api.create_role(new_role['id'], new_role)
 2365         new_user = PROVIDERS.identity_api.create_user(new_user)
 2366         new_group = PROVIDERS.identity_api.create_group(new_group)
 2367         PROVIDERS.resource_api.create_project(new_project['id'], new_project)
 2368         PROVIDERS.assignment_api.create_grant(
 2369             user_id=new_user['id'], project_id=new_project['id'],
 2370             role_id=new_role['id']
 2371         )
 2372         PROVIDERS.assignment_api.create_grant(
 2373             group_id=new_group['id'], project_id=new_project['id'],
 2374             role_id=new_role['id']
 2375         )
 2376         PROVIDERS.assignment_api.create_grant(
 2377             domain_id=new_domain['id'], user_id=new_user['id'],
 2378             role_id=new_role['id']
 2379         )
 2380         # Get the created assignments with the include_names flag
 2381         _asgmt_prj = PROVIDERS.assignment_api.list_role_assignments(
 2382             user_id=new_user['id'],
 2383             project_id=new_project['id'],
 2384             include_names=True)
 2385         _asgmt_grp = PROVIDERS.assignment_api.list_role_assignments(
 2386             group_id=new_group['id'],
 2387             project_id=new_project['id'],
 2388             include_names=True)
 2389         _asgmt_dmn = PROVIDERS.assignment_api.list_role_assignments(
 2390             domain_id=new_domain['id'],
 2391             user_id=new_user['id'],
 2392             include_names=True)
 2393         # Make sure we can get back the correct number of assignments
 2394         self.assertThat(_asgmt_prj, matchers.HasLength(1))
 2395         self.assertThat(_asgmt_grp, matchers.HasLength(1))
 2396         self.assertThat(_asgmt_dmn, matchers.HasLength(1))
 2397         # get the first assignment
 2398         first_asgmt_prj = _asgmt_prj[0]
 2399         first_asgmt_grp = _asgmt_grp[0]
 2400         first_asgmt_dmn = _asgmt_dmn[0]
 2401         # Assert the names are correct in the project response
 2402         self.assertEqual(new_project['name'],
 2403                          first_asgmt_prj['project_name'])
 2404         self.assertEqual(new_project['domain_id'],
 2405                          first_asgmt_prj['project_domain_id'])
 2406         self.assertEqual(new_user['name'],
 2407                          first_asgmt_prj['user_name'])
 2408         self.assertEqual(new_user['domain_id'],
 2409                          first_asgmt_prj['user_domain_id'])
 2410         self.assertEqual(new_role['name'],
 2411                          first_asgmt_prj['role_name'])
 2412         if domain_role:
 2413             self.assertEqual(new_role['domain_id'],
 2414                              first_asgmt_prj['role_domain_id'])
 2415         # Assert the names are correct in the group response
 2416         self.assertEqual(new_group['name'],
 2417                          first_asgmt_grp['group_name'])
 2418         self.assertEqual(new_group['domain_id'],
 2419                          first_asgmt_grp['group_domain_id'])
 2420         self.assertEqual(new_project['name'],
 2421                          first_asgmt_grp['project_name'])
 2422         self.assertEqual(new_project['domain_id'],
 2423                          first_asgmt_grp['project_domain_id'])
 2424         self.assertEqual(new_role['name'],
 2425                          first_asgmt_grp['role_name'])
 2426         if domain_role:
 2427             self.assertEqual(new_role['domain_id'],
 2428                              first_asgmt_grp['role_domain_id'])
 2429         # Assert the names are correct in the domain response
 2430         self.assertEqual(new_domain['name'],
 2431                          first_asgmt_dmn['domain_name'])
 2432         self.assertEqual(new_user['name'],
 2433                          first_asgmt_dmn['user_name'])
 2434         self.assertEqual(new_user['domain_id'],
 2435                          first_asgmt_dmn['user_domain_id'])
 2436         self.assertEqual(new_role['name'],
 2437                          first_asgmt_dmn['role_name'])
 2438         if domain_role:
 2439             self.assertEqual(new_role['domain_id'],
 2440                              first_asgmt_dmn['role_domain_id'])
 2441 
 2442     def test_list_role_assignment_containing_names_global_role(self):
 2443         self._test_list_role_assignment_containing_names()
 2444 
 2445     def test_list_role_assignment_containing_names_domain_role(self):
 2446         self._test_list_role_assignment_containing_names(domain_role=True)
 2447 
 2448     def test_list_role_assignment_does_not_contain_names(self):
 2449         """Test names are not included with list role assignments.
 2450 
 2451         Scenario:
 2452             - names are NOT included by default
 2453             - names are NOT included when include_names=False
 2454 
 2455         """
 2456         def assert_does_not_contain_names(assignment):
 2457             first_asgmt_prj = assignment[0]
 2458             self.assertNotIn('project_name', first_asgmt_prj)
 2459             self.assertNotIn('project_domain_id', first_asgmt_prj)
 2460             self.assertNotIn('user_name', first_asgmt_prj)
 2461             self.assertNotIn('user_domain_id', first_asgmt_prj)
 2462             self.assertNotIn('role_name', first_asgmt_prj)
 2463             self.assertNotIn('role_domain_id', first_asgmt_prj)
 2464 
 2465         # Create Refs
 2466         new_role = unit.new_role_ref()
 2467         new_domain = self._get_domain_fixture()
 2468         new_user = unit.new_user_ref(domain_id=new_domain['id'])
 2469         new_project = unit.new_project_ref(domain_id=new_domain['id'])
 2470         # Create entities
 2471         new_role = PROVIDERS.role_api.create_role(new_role['id'], new_role)
 2472         new_user = PROVIDERS.identity_api.create_user(new_user)
 2473         PROVIDERS.resource_api.create_project(new_project['id'], new_project)
 2474         PROVIDERS.assignment_api.create_grant(
 2475             user_id=new_user['id'], project_id=new_project['id'],
 2476             role_id=new_role['id']
 2477         )
 2478         # Get the created assignments with NO include_names flag
 2479         role_assign_without_names = (
 2480             PROVIDERS.assignment_api.list_role_assignments(
 2481                 user_id=new_user['id'], project_id=new_project['id']
 2482             )
 2483         )
 2484         assert_does_not_contain_names(role_assign_without_names)
 2485         # Get the created assignments with include_names=False
 2486         role_assign_without_names = (
 2487             PROVIDERS.assignment_api.list_role_assignments(
 2488                 user_id=new_user['id'],
 2489                 project_id=new_project['id'],
 2490                 include_names=False
 2491             )
 2492         )
 2493         assert_does_not_contain_names(role_assign_without_names)
 2494 
 2495     def test_delete_user_assignments_user_same_id_as_group(self):
 2496         """Test deleting user assignments when user_id == group_id.
 2497 
 2498         In this scenario, only user assignments must be deleted (i.e.
 2499         USER_DOMAIN or USER_PROJECT).
 2500 
 2501         Test plan:
 2502         * Create a user and a group with the same ID;
 2503         * Create four roles and assign them to both user and group;
 2504         * Delete all user assignments;
 2505         * Group assignments must stay intact.
 2506         """
 2507         # Create a common ID
 2508         common_id = uuid.uuid4().hex
 2509         # Create a project
 2510         project = unit.new_project_ref(
 2511             domain_id=CONF.identity.default_domain_id)
 2512         project = PROVIDERS.resource_api.create_project(project['id'], project)
 2513         # Create a user
 2514         user = unit.new_user_ref(id=common_id,
 2515                                  domain_id=CONF.identity.default_domain_id)
 2516         user = PROVIDERS.identity_api.driver.create_user(common_id, user)
 2517         self.assertEqual(common_id, user['id'])
 2518         # Create a group
 2519         group = unit.new_group_ref(id=common_id,
 2520                                    domain_id=CONF.identity.default_domain_id)
 2521         group = PROVIDERS.identity_api.driver.create_group(common_id, group)
 2522         self.assertEqual(common_id, group['id'])
 2523         # Create four roles
 2524         roles = []
 2525         for _ in range(4):
 2526             role = unit.new_role_ref()
 2527             roles.append(PROVIDERS.role_api.create_role(role['id'], role))
 2528         # Assign roles for user
 2529         PROVIDERS.assignment_api.driver.create_grant(
 2530             user_id=user['id'], domain_id=CONF.identity.default_domain_id,
 2531             role_id=roles[0]['id'])
 2532         PROVIDERS.assignment_api.driver.create_grant(
 2533             user_id=user['id'], project_id=project['id'],
 2534             role_id=roles[1]['id']
 2535         )
 2536         # Assign roles for group
 2537         PROVIDERS.assignment_api.driver.create_grant(
 2538             group_id=group['id'], domain_id=CONF.identity.default_domain_id,
 2539             role_id=roles[2]['id'])
 2540         PROVIDERS.assignment_api.driver.create_grant(
 2541             group_id=group['id'], project_id=project['id'],
 2542             role_id=roles[3]['id']
 2543         )
 2544         # Make sure they were assigned
 2545         user_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2546             user_id=user['id'])
 2547         self.assertThat(user_assignments, matchers.HasLength(2))
 2548         group_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2549             group_id=group['id'])
 2550         self.assertThat(group_assignments, matchers.HasLength(2))
 2551         # Delete user assignments
 2552         PROVIDERS.assignment_api.delete_user_assignments(user_id=user['id'])
 2553         # Assert only user assignments were deleted
 2554         user_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2555             user_id=user['id'])
 2556         self.assertThat(user_assignments, matchers.HasLength(0))
 2557         group_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2558             group_id=group['id'])
 2559         self.assertThat(group_assignments, matchers.HasLength(2))
 2560         # Make sure these remaining assignments are group-related
 2561         for assignment in group_assignments:
 2562             self.assertThat(assignment.keys(), matchers.Contains('group_id'))
 2563 
 2564     def test_delete_group_assignments_group_same_id_as_user(self):
 2565         """Test deleting group assignments when group_id == user_id.
 2566 
 2567         In this scenario, only group assignments must be deleted (i.e.
 2568         GROUP_DOMAIN or GROUP_PROJECT).
 2569 
 2570         Test plan:
 2571         * Create a group and a user with the same ID;
 2572         * Create four roles and assign them to both group and user;
 2573         * Delete all group assignments;
 2574         * User assignments must stay intact.
 2575         """
 2576         # Create a common ID
 2577         common_id = uuid.uuid4().hex
 2578         # Create a project
 2579         project = unit.new_project_ref(
 2580             domain_id=CONF.identity.default_domain_id)
 2581         project = PROVIDERS.resource_api.create_project(project['id'], project)
 2582         # Create a user
 2583         user = unit.new_user_ref(id=common_id,
 2584                                  domain_id=CONF.identity.default_domain_id)
 2585         user = PROVIDERS.identity_api.driver.create_user(common_id, user)
 2586         self.assertEqual(common_id, user['id'])
 2587         # Create a group
 2588         group = unit.new_group_ref(id=common_id,
 2589                                    domain_id=CONF.identity.default_domain_id)
 2590         group = PROVIDERS.identity_api.driver.create_group(common_id, group)
 2591         self.assertEqual(common_id, group['id'])
 2592         # Create four roles
 2593         roles = []
 2594         for _ in range(4):
 2595             role = unit.new_role_ref()
 2596             roles.append(PROVIDERS.role_api.create_role(role['id'], role))
 2597         # Assign roles for user
 2598         PROVIDERS.assignment_api.driver.create_grant(
 2599             user_id=user['id'], domain_id=CONF.identity.default_domain_id,
 2600             role_id=roles[0]['id'])
 2601         PROVIDERS.assignment_api.driver.create_grant(
 2602             user_id=user['id'], project_id=project['id'],
 2603             role_id=roles[1]['id']
 2604         )
 2605         # Assign roles for group
 2606         PROVIDERS.assignment_api.driver.create_grant(
 2607             group_id=group['id'], domain_id=CONF.identity.default_domain_id,
 2608             role_id=roles[2]['id'])
 2609         PROVIDERS.assignment_api.driver.create_grant(
 2610             group_id=group['id'], project_id=project['id'],
 2611             role_id=roles[3]['id']
 2612         )
 2613         # Make sure they were assigned
 2614         user_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2615             user_id=user['id'])
 2616         self.assertThat(user_assignments, matchers.HasLength(2))
 2617         group_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2618             group_id=group['id'])
 2619         self.assertThat(group_assignments, matchers.HasLength(2))
 2620         # Delete group assignments
 2621         PROVIDERS.assignment_api.delete_group_assignments(group_id=group['id'])
 2622         # Assert only group assignments were deleted
 2623         group_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2624             group_id=group['id'])
 2625         self.assertThat(group_assignments, matchers.HasLength(0))
 2626         user_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2627             user_id=user['id'])
 2628         self.assertThat(user_assignments, matchers.HasLength(2))
 2629         # Make sure these remaining assignments are user-related
 2630         for assignment in group_assignments:
 2631             self.assertThat(assignment.keys(), matchers.Contains('user_id'))
 2632 
 2633     def test_remove_foreign_assignments_when_deleting_a_domain(self):
 2634         # A user and a group are in default domain and have assigned a role on
 2635         # two new domains. This test makes sure that when one of the new
 2636         # domains is deleted, the role assignments for the user and the group
 2637         # from the default domain are deleted only on that domain.
 2638         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 2639         group = PROVIDERS.identity_api.create_group(group)
 2640 
 2641         role = unit.new_role_ref()
 2642         role = PROVIDERS.role_api.create_role(role['id'], role)
 2643 
 2644         new_domains = [unit.new_domain_ref(), unit.new_domain_ref()]
 2645         for new_domain in new_domains:
 2646             PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
 2647 
 2648             PROVIDERS.assignment_api.create_grant(
 2649                 group_id=group['id'], domain_id=new_domain['id'],
 2650                 role_id=role['id']
 2651             )
 2652             PROVIDERS.assignment_api.create_grant(
 2653                 user_id=self.user_two['id'], domain_id=new_domain['id'],
 2654                 role_id=role['id']
 2655             )
 2656 
 2657         # Check there are 4 role assignments for that role
 2658         role_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2659             role_id=role['id'])
 2660         self.assertThat(role_assignments, matchers.HasLength(4))
 2661 
 2662         # Delete first new domain and check only 2 assignments were left
 2663         PROVIDERS.resource_api.update_domain(
 2664             new_domains[0]['id'], {'enabled': False}
 2665         )
 2666         PROVIDERS.resource_api.delete_domain(new_domains[0]['id'])
 2667 
 2668         role_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2669             role_id=role['id'])
 2670         self.assertThat(role_assignments, matchers.HasLength(2))
 2671 
 2672         # Delete second new domain and check no assignments were left
 2673         PROVIDERS.resource_api.update_domain(
 2674             new_domains[1]['id'], {'enabled': False}
 2675         )
 2676         PROVIDERS.resource_api.delete_domain(new_domains[1]['id'])
 2677 
 2678         role_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2679             role_id=role['id'])
 2680         self.assertEqual([], role_assignments)
 2681 
 2682 
 2683 class InheritanceTests(AssignmentTestHelperMixin):
 2684 
 2685     def test_role_assignments_user_domain_to_project_inheritance(self):
 2686         test_plan = {
 2687             'entities': {'domains': {'users': 2, 'projects': 1},
 2688                          'roles': 3},
 2689             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
 2690                             {'user': 0, 'role': 1, 'project': 0},
 2691                             {'user': 0, 'role': 2, 'domain': 0,
 2692                              'inherited_to_projects': True},
 2693                             {'user': 1, 'role': 1, 'project': 0}],
 2694             'tests': [
 2695                 # List all direct assignments for user[0]
 2696                 {'params': {'user': 0},
 2697                  'results': [{'user': 0, 'role': 0, 'domain': 0},
 2698                              {'user': 0, 'role': 1, 'project': 0},
 2699                              {'user': 0, 'role': 2, 'domain': 0,
 2700                               'inherited_to_projects': 'projects'}]},
 2701                 # Now the effective ones - so the domain role should turn into
 2702                 # a project role
 2703                 {'params': {'user': 0, 'effective': True},
 2704                  'results': [{'user': 0, 'role': 0, 'domain': 0},
 2705                              {'user': 0, 'role': 1, 'project': 0},
 2706                              {'user': 0, 'role': 2, 'project': 0,
 2707                               'indirect': {'domain': 0}}]},
 2708                 # Narrow down to effective roles for user[0] and project[0]
 2709                 {'params': {'user': 0, 'project': 0, 'effective': True},
 2710                  'results': [{'user': 0, 'role': 1, 'project': 0},
 2711                              {'user': 0, 'role': 2, 'project': 0,
 2712                               'indirect': {'domain': 0}}]}
 2713             ]
 2714         }
 2715         self.execute_assignment_plan(test_plan)
 2716 
 2717     def _test_crud_inherited_and_direct_assignment(self, **kwargs):
 2718         """Test inherited and direct assignments for the actor and target.
 2719 
 2720         Ensure it is possible to create both inherited and direct role
 2721         assignments for the same actor on the same target. The actor and the
 2722         target are specified in the kwargs as ('user_id' or 'group_id') and
 2723         ('project_id' or 'domain_id'), respectively.
 2724 
 2725         """
 2726         # Create a new role to avoid assignments loaded from default fixtures
 2727         role = unit.new_role_ref()
 2728         role = PROVIDERS.role_api.create_role(role['id'], role)
 2729 
 2730         # Define the common assignment entity
 2731         assignment_entity = {'role_id': role['id']}
 2732         assignment_entity.update(kwargs)
 2733 
 2734         # Define assignments under test
 2735         direct_assignment_entity = assignment_entity.copy()
 2736         inherited_assignment_entity = assignment_entity.copy()
 2737         inherited_assignment_entity['inherited_to_projects'] = 'projects'
 2738 
 2739         # Create direct assignment and check grants
 2740         PROVIDERS.assignment_api.create_grant(
 2741             inherited_to_projects=False, **assignment_entity
 2742         )
 2743 
 2744         grants = PROVIDERS.assignment_api.list_role_assignments(
 2745             role_id=role['id']
 2746         )
 2747         self.assertThat(grants, matchers.HasLength(1))
 2748         self.assertIn(direct_assignment_entity, grants)
 2749 
 2750         # Now add inherited assignment and check grants
 2751         PROVIDERS.assignment_api.create_grant(
 2752             inherited_to_projects=True, **assignment_entity
 2753         )
 2754 
 2755         grants = PROVIDERS.assignment_api.list_role_assignments(
 2756             role_id=role['id']
 2757         )
 2758         self.assertThat(grants, matchers.HasLength(2))
 2759         self.assertIn(direct_assignment_entity, grants)
 2760         self.assertIn(inherited_assignment_entity, grants)
 2761 
 2762         # Delete both and check grants
 2763         PROVIDERS.assignment_api.delete_grant(
 2764             inherited_to_projects=False, **assignment_entity
 2765         )
 2766         PROVIDERS.assignment_api.delete_grant(
 2767             inherited_to_projects=True, **assignment_entity
 2768         )
 2769 
 2770         grants = PROVIDERS.assignment_api.list_role_assignments(
 2771             role_id=role['id']
 2772         )
 2773         self.assertEqual([], grants)
 2774 
 2775     def test_crud_inherited_and_direct_assignment_for_user_on_domain(self):
 2776         self._test_crud_inherited_and_direct_assignment(
 2777             user_id=self.user_foo['id'],
 2778             domain_id=CONF.identity.default_domain_id)
 2779 
 2780     def test_crud_inherited_and_direct_assignment_for_group_on_domain(self):
 2781         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 2782         group = PROVIDERS.identity_api.create_group(group)
 2783 
 2784         self._test_crud_inherited_and_direct_assignment(
 2785             group_id=group['id'], domain_id=CONF.identity.default_domain_id)
 2786 
 2787     def test_crud_inherited_and_direct_assignment_for_user_on_project(self):
 2788         self._test_crud_inherited_and_direct_assignment(
 2789             user_id=self.user_foo['id'], project_id=self.project_baz['id'])
 2790 
 2791     def test_crud_inherited_and_direct_assignment_for_group_on_project(self):
 2792         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 2793         group = PROVIDERS.identity_api.create_group(group)
 2794 
 2795         self._test_crud_inherited_and_direct_assignment(
 2796             group_id=group['id'], project_id=self.project_baz['id'])
 2797 
 2798     def test_inherited_role_grants_for_user(self):
 2799         """Test inherited user roles.
 2800 
 2801         Test Plan:
 2802 
 2803         - Enable OS-INHERIT extension
 2804         - Create 3 roles
 2805         - Create a domain, with a project and a user
 2806         - Check no roles yet exit
 2807         - Assign a direct user role to the project and a (non-inherited)
 2808           user role to the domain
 2809         - Get a list of effective roles - should only get the one direct role
 2810         - Now add an inherited user role to the domain
 2811         - Get a list of effective roles - should have two roles, one
 2812           direct and one by virtue of the inherited user role
 2813         - Also get effective roles for the domain - the role marked as
 2814           inherited should not show up
 2815 
 2816         """
 2817         role_list = []
 2818         for _ in range(3):
 2819             role = unit.new_role_ref()
 2820             PROVIDERS.role_api.create_role(role['id'], role)
 2821             role_list.append(role)
 2822         domain1 = unit.new_domain_ref()
 2823         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 2824         user1 = unit.new_user_ref(domain_id=domain1['id'])
 2825         user1 = PROVIDERS.identity_api.create_user(user1)
 2826         project1 = unit.new_project_ref(domain_id=domain1['id'])
 2827         PROVIDERS.resource_api.create_project(project1['id'], project1)
 2828 
 2829         roles_ref = PROVIDERS.assignment_api.list_grants(
 2830             user_id=user1['id'],
 2831             project_id=project1['id'])
 2832         self.assertEqual(0, len(roles_ref))
 2833 
 2834         # Create the first two roles - the domain one is not inherited
 2835         PROVIDERS.assignment_api.create_grant(
 2836             user_id=user1['id'], project_id=project1['id'],
 2837             role_id=role_list[0]['id']
 2838         )
 2839         PROVIDERS.assignment_api.create_grant(
 2840             user_id=user1['id'], domain_id=domain1['id'],
 2841             role_id=role_list[1]['id']
 2842         )
 2843 
 2844         # Now get the effective roles for the user and project, this
 2845         # should only include the direct role assignment on the project
 2846         combined_list = (
 2847             PROVIDERS.assignment_api.get_roles_for_user_and_project(
 2848                 user1['id'], project1['id']
 2849             )
 2850         )
 2851         self.assertEqual(1, len(combined_list))
 2852         self.assertIn(role_list[0]['id'], combined_list)
 2853 
 2854         # Now add an inherited role on the domain
 2855         PROVIDERS.assignment_api.create_grant(
 2856             user_id=user1['id'], domain_id=domain1['id'],
 2857             role_id=role_list[2]['id'], inherited_to_projects=True
 2858         )
 2859 
 2860         # Now get the effective roles for the user and project again, this
 2861         # should now include the inherited role on the domain
 2862         combined_list = (
 2863             PROVIDERS.assignment_api.get_roles_for_user_and_project(
 2864                 user1['id'], project1['id']
 2865             )
 2866         )
 2867         self.assertEqual(2, len(combined_list))
 2868         self.assertIn(role_list[0]['id'], combined_list)
 2869         self.assertIn(role_list[2]['id'], combined_list)
 2870 
 2871         # Finally, check that the inherited role does not appear as a valid
 2872         # directly assigned role on the domain itself
 2873         combined_role_list = (
 2874             PROVIDERS.assignment_api.get_roles_for_user_and_domain(
 2875                 user1['id'], domain1['id']
 2876             )
 2877         )
 2878         self.assertEqual(1, len(combined_role_list))
 2879         self.assertIn(role_list[1]['id'], combined_role_list)
 2880 
 2881         # TODO(henry-nash): The test above uses get_roles_for_user_and_project
 2882         # and get_roles_for_user_and_domain, which will, in a subsequent patch,
 2883         # be re-implemented to simply call list_role_assignments (see blueprint
 2884         # remove-role-metadata).
 2885         #
 2886         # The test plan below therefore mirrors this test, to ensure that
 2887         # list_role_assignments works the same. Once get_roles_for_user_and
 2888         # project/domain have been re-implemented then the manual tests above
 2889         # can be refactored to simply ensure it gives the same answers.
 2890         test_plan = {
 2891             # A domain with a user & project, plus 3 roles.
 2892             'entities': {'domains': {'users': 1, 'projects': 1},
 2893                          'roles': 3},
 2894             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 2895                             {'user': 0, 'role': 1, 'domain': 0},
 2896                             {'user': 0, 'role': 2, 'domain': 0,
 2897                              'inherited_to_projects': True}],
 2898             'tests': [
 2899                 # List all effective assignments for user[0] on project[0].
 2900                 # Should get one direct role and one inherited role.
 2901                 {'params': {'user': 0, 'project': 0, 'effective': True},
 2902                  'results': [{'user': 0, 'role': 0, 'project': 0},
 2903                              {'user': 0, 'role': 2, 'project': 0,
 2904                               'indirect': {'domain': 0}}]},
 2905                 # Ensure effective mode on the domain does not list the
 2906                 # inherited role on that domain
 2907                 {'params': {'user': 0, 'domain': 0, 'effective': True},
 2908                  'results': [{'user': 0, 'role': 1, 'domain': 0}]},
 2909                 # Ensure non-inherited mode also only returns the non-inherited
 2910                 # role on the domain
 2911                 {'params': {'user': 0, 'domain': 0, 'inherited': False},
 2912                  'results': [{'user': 0, 'role': 1, 'domain': 0}]},
 2913             ]
 2914         }
 2915         self.execute_assignment_plan(test_plan)
 2916 
 2917     def test_inherited_role_grants_for_group(self):
 2918         """Test inherited group roles.
 2919 
 2920         Test Plan:
 2921 
 2922         - Enable OS-INHERIT extension
 2923         - Create 4 roles
 2924         - Create a domain, with a project, user and two groups
 2925         - Make the user a member of both groups
 2926         - Check no roles yet exit
 2927         - Assign a direct user role to the project and a (non-inherited)
 2928           group role on the domain
 2929         - Get a list of effective roles - should only get the one direct role
 2930         - Now add two inherited group roles to the domain
 2931         - Get a list of effective roles - should have three roles, one
 2932           direct and two by virtue of inherited group roles
 2933 
 2934         """
 2935         role_list = []
 2936         for _ in range(4):
 2937             role = unit.new_role_ref()
 2938             PROVIDERS.role_api.create_role(role['id'], role)
 2939             role_list.append(role)
 2940         domain1 = unit.new_domain_ref()
 2941         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 2942         user1 = unit.new_user_ref(domain_id=domain1['id'])
 2943         user1 = PROVIDERS.identity_api.create_user(user1)
 2944         group1 = unit.new_group_ref(domain_id=domain1['id'])
 2945         group1 = PROVIDERS.identity_api.create_group(group1)
 2946         group2 = unit.new_group_ref(domain_id=domain1['id'])
 2947         group2 = PROVIDERS.identity_api.create_group(group2)
 2948         project1 = unit.new_project_ref(domain_id=domain1['id'])
 2949         PROVIDERS.resource_api.create_project(project1['id'], project1)
 2950 
 2951         PROVIDERS.identity_api.add_user_to_group(
 2952             user1['id'], group1['id']
 2953         )
 2954         PROVIDERS.identity_api.add_user_to_group(
 2955             user1['id'], group2['id']
 2956         )
 2957 
 2958         roles_ref = PROVIDERS.assignment_api.list_grants(
 2959             user_id=user1['id'],
 2960             project_id=project1['id'])
 2961         self.assertEqual(0, len(roles_ref))
 2962 
 2963         # Create two roles - the domain one is not inherited
 2964         PROVIDERS.assignment_api.create_grant(
 2965             user_id=user1['id'], project_id=project1['id'],
 2966             role_id=role_list[0]['id']
 2967         )
 2968         PROVIDERS.assignment_api.create_grant(
 2969             group_id=group1['id'], domain_id=domain1['id'],
 2970             role_id=role_list[1]['id']
 2971         )
 2972 
 2973         # Now get the effective roles for the user and project, this
 2974         # should only include the direct role assignment on the project
 2975         combined_list = (
 2976             PROVIDERS.assignment_api.get_roles_for_user_and_project(
 2977                 user1['id'], project1['id']
 2978             )
 2979         )
 2980         self.assertEqual(1, len(combined_list))
 2981         self.assertIn(role_list[0]['id'], combined_list)
 2982 
 2983         # Now add to more group roles, both inherited, to the domain
 2984         PROVIDERS.assignment_api.create_grant(
 2985             group_id=group2['id'], domain_id=domain1['id'],
 2986             role_id=role_list[2]['id'], inherited_to_projects=True
 2987         )
 2988         PROVIDERS.assignment_api.create_grant(
 2989             group_id=group2['id'], domain_id=domain1['id'],
 2990             role_id=role_list[3]['id'], inherited_to_projects=True
 2991         )
 2992 
 2993         # Now get the effective roles for the user and project again, this
 2994         # should now include the inherited roles on the domain
 2995         combined_list = (
 2996             PROVIDERS.assignment_api.get_roles_for_user_and_project(
 2997                 user1['id'], project1['id']
 2998             )
 2999         )
 3000         self.assertEqual(3, len(combined_list))
 3001         self.assertIn(role_list[0]['id'], combined_list)
 3002         self.assertIn(role_list[2]['id'], combined_list)
 3003         self.assertIn(role_list[3]['id'], combined_list)
 3004 
 3005         # TODO(henry-nash): The test above uses get_roles_for_user_and_project
 3006         # which will, in a subsequent patch, be re-implemented to simply call
 3007         # list_role_assignments (see blueprint remove-role-metadata).
 3008         #
 3009         # The test plan below therefore mirrors this test, to ensure that
 3010         # list_role_assignments works the same. Once
 3011         # get_roles_for_user_and_project has been re-implemented then the
 3012         # manual tests above can be refactored to simply ensure it gives
 3013         # the same answers.
 3014         test_plan = {
 3015             # A domain with a user and project, 2 groups, plus 4 roles.
 3016             'entities': {'domains': {'users': 1, 'projects': 1, 'groups': 2},
 3017                          'roles': 4},
 3018             'group_memberships': [{'group': 0, 'users': [0]},
 3019                                   {'group': 1, 'users': [0]}],
 3020             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 3021                             {'group': 0, 'role': 1, 'domain': 0},
 3022                             {'group': 1, 'role': 2, 'domain': 0,
 3023                              'inherited_to_projects': True},
 3024                             {'group': 1, 'role': 3, 'domain': 0,
 3025                              'inherited_to_projects': True}],
 3026             'tests': [
 3027                 # List all effective assignments for user[0] on project[0].
 3028                 # Should get one direct role and both inherited roles, but
 3029                 # not the direct one on domain[0], even though user[0] is
 3030                 # in group[0].
 3031                 {'params': {'user': 0, 'project': 0, 'effective': True},
 3032                  'results': [{'user': 0, 'role': 0, 'project': 0},
 3033                              {'user': 0, 'role': 2, 'project': 0,
 3034                               'indirect': {'domain': 0, 'group': 1}},
 3035                              {'user': 0, 'role': 3, 'project': 0,
 3036                               'indirect': {'domain': 0, 'group': 1}}]}
 3037             ]
 3038         }
 3039         self.execute_assignment_plan(test_plan)
 3040 
 3041     def test_list_projects_for_user_with_inherited_grants(self):
 3042         """Test inherited user roles.
 3043 
 3044         Test Plan:
 3045 
 3046         - Enable OS-INHERIT extension
 3047         - Create a domain, with two projects and a user
 3048         - Assign an inherited user role on the domain, as well as a direct
 3049           user role to a separate project in a different domain
 3050         - Get a list of projects for user, should return all three projects
 3051 
 3052         """
 3053         domain = unit.new_domain_ref()
 3054         PROVIDERS.resource_api.create_domain(domain['id'], domain)
 3055         user1 = unit.new_user_ref(domain_id=domain['id'])
 3056         user1 = PROVIDERS.identity_api.create_user(user1)
 3057         project1 = unit.new_project_ref(domain_id=domain['id'])
 3058         PROVIDERS.resource_api.create_project(project1['id'], project1)
 3059         project2 = unit.new_project_ref(domain_id=domain['id'])
 3060         PROVIDERS.resource_api.create_project(project2['id'], project2)
 3061 
 3062         # Create 2 grants, one on a project and one inherited grant
 3063         # on the domain
 3064         PROVIDERS.assignment_api.create_grant(
 3065             user_id=user1['id'], project_id=self.project_bar['id'],
 3066             role_id=self.role_member['id']
 3067         )
 3068         PROVIDERS.assignment_api.create_grant(
 3069             user_id=user1['id'], domain_id=domain['id'],
 3070             role_id=self.role_admin['id'], inherited_to_projects=True
 3071         )
 3072         # Should get back all three projects, one by virtue of the direct
 3073         # grant, plus both projects in the domain
 3074         user_projects = (
 3075             PROVIDERS.assignment_api.list_projects_for_user(user1['id'])
 3076         )
 3077         self.assertEqual(3, len(user_projects))
 3078 
 3079         # TODO(henry-nash): The test above uses list_projects_for_user
 3080         # which may, in a subsequent patch, be re-implemented to call
 3081         # list_role_assignments and then report only the distinct projects.
 3082         #
 3083         # The test plan below therefore mirrors this test, to ensure that
 3084         # list_role_assignments works the same. Once list_projects_for_user
 3085         # has been re-implemented then the manual tests above can be
 3086         # refactored.
 3087         test_plan = {
 3088             # A domain with 1 project, plus a second domain with 2 projects,
 3089             # as well as a user. Also, create 2 roles.
 3090             'entities': {'domains': [{'projects': 1},
 3091                                      {'users': 1, 'projects': 2}],
 3092                          'roles': 2},
 3093             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 3094                             {'user': 0, 'role': 1, 'domain': 1,
 3095                              'inherited_to_projects': True}],
 3096             'tests': [
 3097                 # List all effective assignments for user[0]
 3098                 # Should get one direct role plus one inherited role for each
 3099                 # project in domain
 3100                 {'params': {'user': 0, 'effective': True},
 3101                  'results': [{'user': 0, 'role': 0, 'project': 0},
 3102                              {'user': 0, 'role': 1, 'project': 1,
 3103                               'indirect': {'domain': 1}},
 3104                              {'user': 0, 'role': 1, 'project': 2,
 3105                               'indirect': {'domain': 1}}]}
 3106             ]
 3107         }
 3108         self.execute_assignment_plan(test_plan)
 3109 
 3110     def test_list_projects_for_user_with_inherited_user_project_grants(self):
 3111         """Test inherited role assignments for users on nested projects.
 3112 
 3113         Test Plan:
 3114 
 3115         - Enable OS-INHERIT extension
 3116         - Create a hierarchy of projects with one root and one leaf project
 3117         - Assign an inherited user role on root project
 3118         - Assign a non-inherited user role on root project
 3119         - Get a list of projects for user, should return both projects
 3120         - Disable OS-INHERIT extension
 3121         - Get a list of projects for user, should return only root project
 3122 
 3123         """
 3124         # Enable OS-INHERIT extension
 3125         root_project = unit.new_project_ref(
 3126             domain_id=CONF.identity.default_domain_id)
 3127         root_project = PROVIDERS.resource_api.create_project(
 3128             root_project['id'], root_project
 3129         )
 3130         leaf_project = unit.new_project_ref(
 3131             domain_id=CONF.identity.default_domain_id,
 3132             parent_id=root_project['id'])
 3133         leaf_project = PROVIDERS.resource_api.create_project(
 3134             leaf_project['id'], leaf_project
 3135         )
 3136 
 3137         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 3138         user = PROVIDERS.identity_api.create_user(user)
 3139 
 3140         # Grant inherited user role
 3141         PROVIDERS.assignment_api.create_grant(
 3142             user_id=user['id'], project_id=root_project['id'],
 3143             role_id=self.role_admin['id'], inherited_to_projects=True
 3144         )
 3145         # Grant non-inherited user role
 3146         PROVIDERS.assignment_api.create_grant(
 3147             user_id=user['id'], project_id=root_project['id'],
 3148             role_id=self.role_member['id']
 3149         )
 3150         # Should get back both projects: because the direct role assignment for
 3151         # the root project and inherited role assignment for leaf project
 3152         user_projects = (
 3153             PROVIDERS.assignment_api.list_projects_for_user(user['id'])
 3154         )
 3155         self.assertEqual(2, len(user_projects))
 3156         self.assertIn(root_project, user_projects)
 3157         self.assertIn(leaf_project, user_projects)
 3158 
 3159         # TODO(henry-nash): The test above uses list_projects_for_user
 3160         # which may, in a subsequent patch, be re-implemented to call
 3161         # list_role_assignments and then report only the distinct projects.
 3162         #
 3163         # The test plan below therefore mirrors this test, to ensure that
 3164         # list_role_assignments works the same. Once list_projects_for_user
 3165         # has been re-implemented then the manual tests above can be
 3166         # refactored.
 3167         test_plan = {
 3168             # A domain with a project and sub-project, plus a user.
 3169             # Also, create 2 roles.
 3170             'entities': {
 3171                 'domains': {'id': CONF.identity.default_domain_id, 'users': 1,
 3172                             'projects': {'project': 1}},
 3173                 'roles': 2},
 3174             # A direct role and an inherited role on the parent
 3175             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 3176                             {'user': 0, 'role': 1, 'project': 0,
 3177                              'inherited_to_projects': True}],
 3178             'tests': [
 3179                 # List all effective assignments for user[0] - should get back
 3180                 # one direct role plus one inherited role.
 3181                 {'params': {'user': 0, 'effective': True},
 3182                  'results': [{'user': 0, 'role': 0, 'project': 0},
 3183                              {'user': 0, 'role': 1, 'project': 1,
 3184                               'indirect': {'project': 0}}]}
 3185             ]
 3186         }
 3187         self.execute_assignment_plan(test_plan)
 3188 
 3189     def test_list_projects_for_user_with_inherited_group_grants(self):
 3190         """Test inherited group roles.
 3191 
 3192         Test Plan:
 3193 
 3194         - Enable OS-INHERIT extension
 3195         - Create two domains, each with two projects
 3196         - Create a user and group
 3197         - Make the user a member of the group
 3198         - Assign a user role two projects, an inherited
 3199           group role to one domain and an inherited regular role on
 3200           the other domain
 3201         - Get a list of projects for user, should return both pairs of projects
 3202           from the domain, plus the one separate project
 3203 
 3204         """
 3205         domain = unit.new_domain_ref()
 3206         PROVIDERS.resource_api.create_domain(domain['id'], domain)
 3207         domain2 = unit.new_domain_ref()
 3208         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 3209         project1 = unit.new_project_ref(domain_id=domain['id'])
 3210         PROVIDERS.resource_api.create_project(project1['id'], project1)
 3211         project2 = unit.new_project_ref(domain_id=domain['id'])
 3212         PROVIDERS.resource_api.create_project(project2['id'], project2)
 3213         project3 = unit.new_project_ref(domain_id=domain2['id'])
 3214         PROVIDERS.resource_api.create_project(project3['id'], project3)
 3215         project4 = unit.new_project_ref(domain_id=domain2['id'])
 3216         PROVIDERS.resource_api.create_project(project4['id'], project4)
 3217         user1 = unit.new_user_ref(domain_id=domain['id'])
 3218         user1 = PROVIDERS.identity_api.create_user(user1)
 3219         group1 = unit.new_group_ref(domain_id=domain['id'])
 3220         group1 = PROVIDERS.identity_api.create_group(group1)
 3221         PROVIDERS.identity_api.add_user_to_group(user1['id'], group1['id'])
 3222 
 3223         # Create 4 grants:
 3224         # - one user grant on a project in domain2
 3225         # - one user grant on a project in the default domain
 3226         # - one inherited user grant on domain
 3227         # - one inherited group grant on domain2
 3228         PROVIDERS.assignment_api.create_grant(
 3229             user_id=user1['id'], project_id=project3['id'],
 3230             role_id=self.role_member['id']
 3231         )
 3232         PROVIDERS.assignment_api.create_grant(
 3233             user_id=user1['id'], project_id=self.project_bar['id'],
 3234             role_id=self.role_member['id']
 3235         )
 3236         PROVIDERS.assignment_api.create_grant(
 3237             user_id=user1['id'], domain_id=domain['id'],
 3238             role_id=self.role_admin['id'], inherited_to_projects=True
 3239         )
 3240         PROVIDERS.assignment_api.create_grant(
 3241             group_id=group1['id'], domain_id=domain2['id'],
 3242             role_id=self.role_admin['id'], inherited_to_projects=True
 3243         )
 3244         # Should get back all five projects, but without a duplicate for
 3245         # project3 (since it has both a direct user role and an inherited role)
 3246         user_projects = (
 3247             PROVIDERS.assignment_api.list_projects_for_user(user1['id'])
 3248         )
 3249         self.assertEqual(5, len(user_projects))
 3250 
 3251         # TODO(henry-nash): The test above uses list_projects_for_user
 3252         # which may, in a subsequent patch, be re-implemented to call
 3253         # list_role_assignments and then report only the distinct projects.
 3254         #
 3255         # The test plan below therefore mirrors this test, to ensure that
 3256         # list_role_assignments works the same. Once list_projects_for_user
 3257         # has been re-implemented then the manual tests above can be
 3258         # refactored.
 3259         test_plan = {
 3260             # A domain with a 1 project, plus a second domain with 2 projects,
 3261             # as well as a user & group and a 3rd domain with 2 projects.
 3262             # Also, created 2 roles.
 3263             'entities': {'domains': [{'projects': 1},
 3264                                      {'users': 1, 'groups': 1, 'projects': 2},
 3265                                      {'projects': 2}],
 3266                          'roles': 2},
 3267             'group_memberships': [{'group': 0, 'users': [0]}],
 3268             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 3269                             {'user': 0, 'role': 0, 'project': 3},
 3270                             {'user': 0, 'role': 1, 'domain': 1,
 3271                              'inherited_to_projects': True},
 3272                             {'user': 0, 'role': 1, 'domain': 2,
 3273                              'inherited_to_projects': True}],
 3274             'tests': [
 3275                 # List all effective assignments for user[0]
 3276                 # Should get back both direct roles plus roles on both projects
 3277                 # from each domain. Duplicates should not be filtered out.
 3278                 {'params': {'user': 0, 'effective': True},
 3279                  'results': [{'user': 0, 'role': 0, 'project': 3},
 3280                              {'user': 0, 'role': 0, 'project': 0},
 3281                              {'user': 0, 'role': 1, 'project': 1,
 3282                               'indirect': {'domain': 1}},
 3283                              {'user': 0, 'role': 1, 'project': 2,
 3284                               'indirect': {'domain': 1}},
 3285                              {'user': 0, 'role': 1, 'project': 3,
 3286                               'indirect': {'domain': 2}},
 3287                              {'user': 0, 'role': 1, 'project': 4,
 3288                               'indirect': {'domain': 2}}]}
 3289             ]
 3290         }
 3291         self.execute_assignment_plan(test_plan)
 3292 
 3293     def test_list_projects_for_user_with_inherited_group_project_grants(self):
 3294         """Test inherited role assignments for groups on nested projects.
 3295 
 3296         Test Plan:
 3297 
 3298         - Enable OS-INHERIT extension
 3299         - Create a hierarchy of projects with one root and one leaf project
 3300         - Assign an inherited group role on root project
 3301         - Assign a non-inherited group role on root project
 3302         - Get a list of projects for user, should return both projects
 3303         - Disable OS-INHERIT extension
 3304         - Get a list of projects for user, should return only root project
 3305 
 3306         """
 3307         root_project = unit.new_project_ref(
 3308             domain_id=CONF.identity.default_domain_id)
 3309         root_project = PROVIDERS.resource_api.create_project(
 3310             root_project['id'], root_project
 3311         )
 3312         leaf_project = unit.new_project_ref(
 3313             domain_id=CONF.identity.default_domain_id,
 3314             parent_id=root_project['id'])
 3315         leaf_project = PROVIDERS.resource_api.create_project(
 3316             leaf_project['id'], leaf_project
 3317         )
 3318 
 3319         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 3320         user = PROVIDERS.identity_api.create_user(user)
 3321 
 3322         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 3323         group = PROVIDERS.identity_api.create_group(group)
 3324         PROVIDERS.identity_api.add_user_to_group(user['id'], group['id'])
 3325 
 3326         # Grant inherited group role
 3327         PROVIDERS.assignment_api.create_grant(
 3328             group_id=group['id'], project_id=root_project['id'],
 3329             role_id=self.role_admin['id'], inherited_to_projects=True
 3330         )
 3331         # Grant non-inherited group role
 3332         PROVIDERS.assignment_api.create_grant(
 3333             group_id=group['id'], project_id=root_project['id'],
 3334             role_id=self.role_member['id']
 3335         )
 3336         # Should get back both projects: because the direct role assignment for
 3337         # the root project and inherited role assignment for leaf project
 3338         user_projects = PROVIDERS.assignment_api.list_projects_for_user(
 3339             user['id']
 3340         )
 3341         self.assertEqual(2, len(user_projects))
 3342         self.assertIn(root_project, user_projects)
 3343         self.assertIn(leaf_project, user_projects)
 3344 
 3345         # TODO(henry-nash): The test above uses list_projects_for_user
 3346         # which may, in a subsequent patch, be re-implemented to call
 3347         # list_role_assignments and then report only the distinct projects.
 3348         #
 3349         # The test plan below therefore mirrors this test, to ensure that
 3350         # list_role_assignments works the same. Once list_projects_for_user
 3351         # has been re-implemented then the manual tests above can be
 3352         # refactored.
 3353         test_plan = {
 3354             # A domain with a project and sub-project, plus a user.
 3355             # Also, create 2 roles.
 3356             'entities': {
 3357                 'domains': {'id': CONF.identity.default_domain_id, 'users': 1,
 3358                             'groups': 1,
 3359                             'projects': {'project': 1}},
 3360                 'roles': 2},
 3361             'group_memberships': [{'group': 0, 'users': [0]}],
 3362             # A direct role and an inherited role on the parent
 3363             'assignments': [{'group': 0, 'role': 0, 'project': 0},
 3364                             {'group': 0, 'role': 1, 'project': 0,
 3365                              'inherited_to_projects': True}],
 3366             'tests': [
 3367                 # List all effective assignments for user[0] - should get back
 3368                 # one direct role plus one inherited role.
 3369                 {'params': {'user': 0, 'effective': True},
 3370                  'results': [{'user': 0, 'role': 0, 'project': 0,
 3371                               'indirect': {'group': 0}},
 3372                              {'user': 0, 'role': 1, 'project': 1,
 3373                               'indirect': {'group': 0, 'project': 0}}]}
 3374             ]
 3375         }
 3376         self.execute_assignment_plan(test_plan)
 3377 
 3378     def test_list_assignments_for_tree(self):
 3379         """Test we correctly list direct assignments for a tree."""
 3380         # Enable OS-INHERIT extension
 3381 
 3382         test_plan = {
 3383             # Create a domain with a project hierarchy 3 levels deep:
 3384             #
 3385             #                      project 0
 3386             #             ____________|____________
 3387             #            |                         |
 3388             #         project 1                 project 4
 3389             #      ______|_____              ______|_____
 3390             #     |            |            |            |
 3391             #  project 2    project 3    project 5    project 6
 3392             #
 3393             # Also, create 1 user and 4 roles.
 3394             'entities': {
 3395                 'domains': {
 3396                     'projects': {'project': [{'project': 2},
 3397                                              {'project': 2}]},
 3398                     'users': 1},
 3399                 'roles': 4},
 3400             'assignments': [
 3401                 # Direct assignment to projects 1 and 2
 3402                 {'user': 0, 'role': 0, 'project': 1},
 3403                 {'user': 0, 'role': 1, 'project': 2},
 3404                 # Also an inherited assignment on project 1
 3405                 {'user': 0, 'role': 2, 'project': 1,
 3406                  'inherited_to_projects': True},
 3407                 # ...and two spoiler assignments, one to the root and one
 3408                 # to project 4
 3409                 {'user': 0, 'role': 0, 'project': 0},
 3410                 {'user': 0, 'role': 3, 'project': 4}],
 3411             'tests': [
 3412                 # List all assignments for project 1 and its subtree.
 3413                 {'params': {'project': 1, 'include_subtree': True},
 3414                  'results': [
 3415                      # Only the actual assignments should be returned, no
 3416                      # expansion of inherited assignments
 3417                      {'user': 0, 'role': 0, 'project': 1},
 3418                      {'user': 0, 'role': 1, 'project': 2},
 3419                      {'user': 0, 'role': 2, 'project': 1,
 3420                       'inherited_to_projects': 'projects'}]}
 3421             ]
 3422         }
 3423 
 3424         self.execute_assignment_plan(test_plan)
 3425 
 3426     def test_list_effective_assignments_for_tree(self):
 3427         """Test we correctly list effective assignments for a tree."""
 3428         test_plan = {
 3429             # Create a domain with a project hierarchy 3 levels deep:
 3430             #
 3431             #                      project 0
 3432             #             ____________|____________
 3433             #            |                         |
 3434             #         project 1                 project 4
 3435             #      ______|_____              ______|_____
 3436             #     |            |            |            |
 3437             #  project 2    project 3    project 5    project 6
 3438             #
 3439             # Also, create 1 user and 4 roles.
 3440             'entities': {
 3441                 'domains': {
 3442                     'projects': {'project': [{'project': 2},
 3443                                              {'project': 2}]},
 3444                     'users': 1},
 3445                 'roles': 4},
 3446             'assignments': [
 3447                 # An inherited assignment on project 1
 3448                 {'user': 0, 'role': 1, 'project': 1,
 3449                  'inherited_to_projects': True},
 3450                 # A direct assignment to project 2
 3451                 {'user': 0, 'role': 2, 'project': 2},
 3452                 # ...and two spoiler assignments, one to the root and one
 3453                 # to project 4
 3454                 {'user': 0, 'role': 0, 'project': 0},
 3455                 {'user': 0, 'role': 3, 'project': 4}],
 3456             'tests': [
 3457                 # List all effective assignments for project 1 and its subtree.
 3458                 {'params': {'project': 1, 'effective': True,
 3459                             'include_subtree': True},
 3460                  'results': [
 3461                      # The inherited assignment on project 1 should appear only
 3462                      # on its children
 3463                      {'user': 0, 'role': 1, 'project': 2,
 3464                       'indirect': {'project': 1}},
 3465                      {'user': 0, 'role': 1, 'project': 3,
 3466                       'indirect': {'project': 1}},
 3467                      # And finally the direct assignment on project 2
 3468                      {'user': 0, 'role': 2, 'project': 2}]}
 3469             ]
 3470         }
 3471 
 3472         self.execute_assignment_plan(test_plan)
 3473 
 3474     def test_list_effective_assignments_for_tree_with_mixed_assignments(self):
 3475         """Test that we correctly combine assignments for a tree.
 3476 
 3477         In this test we want to ensure that when asking for a list of
 3478         assignments in a subtree, any assignments inherited from above the
 3479         subtree are correctly combined with any assignments within the subtree
 3480         itself.
 3481 
 3482         """
 3483         test_plan = {
 3484             # Create a domain with a project hierarchy 3 levels deep:
 3485             #
 3486             #                      project 0
 3487             #             ____________|____________
 3488             #            |                         |
 3489             #         project 1                 project 4
 3490             #      ______|_____              ______|_____
 3491             #     |            |            |            |
 3492             #  project 2    project 3    project 5    project 6
 3493             #
 3494             # Also, create 2 users, 1 group and 4 roles.
 3495             'entities': {
 3496                 'domains': {
 3497                     'projects': {'project': [{'project': 2},
 3498                                              {'project': 2}]},
 3499                     'users': 2, 'groups': 1},
 3500                 'roles': 4},
 3501             # Both users are part of the same group
 3502             'group_memberships': [{'group': 0, 'users': [0, 1]}],
 3503             # We are going to ask for listing of assignment on project 1 and
 3504             # it's subtree. So first we'll add two inherited assignments above
 3505             # this (one user and one for a group that contains this user).
 3506             'assignments': [{'user': 0, 'role': 0, 'project': 0,
 3507                              'inherited_to_projects': True},
 3508                             {'group': 0, 'role': 1, 'project': 0,
 3509                              'inherited_to_projects': True},
 3510                             # Now an inherited assignment on project 1 itself,
 3511                             # which should ONLY show up on its children
 3512                             {'user': 0, 'role': 2, 'project': 1,
 3513                              'inherited_to_projects': True},
 3514                             # ...and a direct assignment on one of those
 3515                             # children
 3516                             {'user': 0, 'role': 3, 'project': 2},
 3517                             # The rest are spoiler assignments
 3518                             {'user': 0, 'role': 2, 'project': 5},
 3519                             {'user': 0, 'role': 3, 'project': 4}],
 3520             'tests': [
 3521                 # List all effective assignments for project 1 and its subtree.
 3522                 {'params': {'project': 1, 'user': 0, 'effective': True,
 3523                             'include_subtree': True},
 3524                  'results': [
 3525                      # First, we should see the inherited user assignment from
 3526                      # project 0 on all projects in the subtree
 3527                      {'user': 0, 'role': 0, 'project': 1,
 3528                       'indirect': {'project': 0}},
 3529                      {'user': 0, 'role': 0, 'project': 2,
 3530                       'indirect': {'project': 0}},
 3531                      {'user': 0, 'role': 0, 'project': 3,
 3532                       'indirect': {'project': 0}},
 3533                      # Also the inherited group assignment from project 0 on
 3534                      # the subtree
 3535                      {'user': 0, 'role': 1, 'project': 1,
 3536                       'indirect': {'project': 0, 'group': 0}},
 3537                      {'user': 0, 'role': 1, 'project': 2,
 3538                       'indirect': {'project': 0, 'group': 0}},
 3539                      {'user': 0, 'role': 1, 'project': 3,
 3540                       'indirect': {'project': 0, 'group': 0}},
 3541                      # The inherited assignment on project 1 should appear only
 3542                      # on its children
 3543                      {'user': 0, 'role': 2, 'project': 2,
 3544                       'indirect': {'project': 1}},
 3545                      {'user': 0, 'role': 2, 'project': 3,
 3546                       'indirect': {'project': 1}},
 3547                      # And finally the direct assignment on project 2
 3548                      {'user': 0, 'role': 3, 'project': 2}]}
 3549             ]
 3550         }
 3551 
 3552         self.execute_assignment_plan(test_plan)
 3553 
 3554     def test_list_effective_assignments_for_tree_with_domain_assignments(self):
 3555         """Test we correctly honor domain inherited assignments on the tree."""
 3556         test_plan = {
 3557             # Create a domain with a project hierarchy 3 levels deep:
 3558             #
 3559             #                      project 0
 3560             #             ____________|____________
 3561             #            |                         |
 3562             #         project 1                 project 4
 3563             #      ______|_____              ______|_____
 3564             #     |            |            |            |
 3565             #  project 2    project 3    project 5    project 6
 3566             #
 3567             # Also, create 1 user and 4 roles.
 3568             'entities': {
 3569                 'domains': {
 3570                     'projects': {'project': [{'project': 2},
 3571                                              {'project': 2}]},
 3572                     'users': 1},
 3573                 'roles': 4},
 3574             'assignments': [
 3575                 # An inherited assignment on the domain (which should be
 3576                 # applied to all the projects)
 3577                 {'user': 0, 'role': 1, 'domain': 0,
 3578                  'inherited_to_projects': True},
 3579                 # A direct assignment to project 2
 3580                 {'user': 0, 'role': 2, 'project': 2},
 3581                 # ...and two spoiler assignments, one to the root and one
 3582                 # to project 4
 3583                 {'user': 0, 'role': 0, 'project': 0},
 3584                 {'user': 0, 'role': 3, 'project': 4}],
 3585             'tests': [
 3586                 # List all effective assignments for project 1 and its subtree.
 3587                 {'params': {'project': 1, 'effective': True,
 3588                             'include_subtree': True},
 3589                  'results': [
 3590                      # The inherited assignment from the domain should appear
 3591                      # only on the part of the subtree we are interested in
 3592                      {'user': 0, 'role': 1, 'project': 1,
 3593                       'indirect': {'domain': 0}},
 3594                      {'user': 0, 'role': 1, 'project': 2,
 3595                       'indirect': {'domain': 0}},
 3596                      {'user': 0, 'role': 1, 'project': 3,
 3597                       'indirect': {'domain': 0}},
 3598                      # And finally the direct assignment on project 2
 3599                      {'user': 0, 'role': 2, 'project': 2}]}
 3600             ]
 3601         }
 3602 
 3603         self.execute_assignment_plan(test_plan)
 3604 
 3605     def test_list_user_ids_for_project_with_inheritance(self):
 3606         test_plan = {
 3607             # A domain with a project and sub-project, plus four users,
 3608             # two groups, as well as 4 roles.
 3609             'entities': {
 3610                 'domains': {'id': CONF.identity.default_domain_id, 'users': 4,
 3611                             'groups': 2,
 3612                             'projects': {'project': 1}},
 3613                 'roles': 4},
 3614             # Each group has a unique user member
 3615             'group_memberships': [{'group': 0, 'users': [1]},
 3616                                   {'group': 1, 'users': [3]}],
 3617             # Set up assignments so that there should end up with four
 3618             # effective assignments on project 1 - one direct, one due to
 3619             # group membership and one user assignment inherited from the
 3620             # parent and one group assignment inherited from the parent.
 3621             'assignments': [{'user': 0, 'role': 0, 'project': 1},
 3622                             {'group': 0, 'role': 1, 'project': 1},
 3623                             {'user': 2, 'role': 2, 'project': 0,
 3624                              'inherited_to_projects': True},
 3625                             {'group': 1, 'role': 3, 'project': 0,
 3626                              'inherited_to_projects': True}],
 3627         }
 3628         # Use assignment plan helper to create all the entities and
 3629         # assignments - then we'll run our own tests using the data
 3630         test_data = self.execute_assignment_plan(test_plan)
 3631         user_ids = PROVIDERS.assignment_api.list_user_ids_for_project(
 3632             test_data['projects'][1]['id'])
 3633         self.assertThat(user_ids, matchers.HasLength(4))
 3634         for x in range(0, 4):
 3635             self.assertIn(test_data['users'][x]['id'], user_ids)
 3636 
 3637     def test_list_role_assignment_using_inherited_sourced_groups(self):
 3638         """Test listing inherited assignments when restricted by groups."""
 3639         test_plan = {
 3640             # A domain with 3 users, 3 groups, 3 projects, a second domain,
 3641             # plus 3 roles.
 3642             'entities': {'domains': [{'users': 3, 'groups': 3, 'projects': 3},
 3643                                      1],
 3644                          'roles': 3},
 3645             # Users 0 & 1 are in the group 0, User 0 also in group 1
 3646             'group_memberships': [{'group': 0, 'users': [0, 1]},
 3647                                   {'group': 1, 'users': [0]}],
 3648             # Spread the assignments around - we want to be able to show that
 3649             # if sourced by group, assignments from other sources are excluded
 3650             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
 3651                             {'group': 0, 'role': 1, 'domain': 1},
 3652                             {'group': 1, 'role': 2, 'domain': 0,
 3653                              'inherited_to_projects': True},
 3654                             {'group': 1, 'role': 2, 'project': 1},
 3655                             {'user': 2, 'role': 1, 'project': 1,
 3656                              'inherited_to_projects': True},
 3657                             {'group': 2, 'role': 2, 'project': 2}
 3658                             ],
 3659             'tests': [
 3660                 # List all effective assignments sourced from groups 0 and 1.
 3661                 # We should see the inherited group assigned on the 3 projects
 3662                 # from domain 0, as well as the direct assignments.
 3663                 {'params': {'source_from_group_ids': [0, 1],
 3664                             'effective': True},
 3665                  'results': [{'group': 0, 'role': 1, 'domain': 1},
 3666                              {'group': 1, 'role': 2, 'project': 0,
 3667                               'indirect': {'domain': 0}},
 3668                              {'group': 1, 'role': 2, 'project': 1,
 3669                               'indirect': {'domain': 0}},
 3670                              {'group': 1, 'role': 2, 'project': 2,
 3671                               'indirect': {'domain': 0}},
 3672                              {'group': 1, 'role': 2, 'project': 1}
 3673                              ]},
 3674             ]
 3675         }
 3676         self.execute_assignment_plan(test_plan)
 3677 
 3678 
 3679 class ImpliedRoleTests(AssignmentTestHelperMixin):
 3680 
 3681     def test_implied_role_crd(self):
 3682         prior_role_ref = unit.new_role_ref()
 3683         PROVIDERS.role_api.create_role(prior_role_ref['id'], prior_role_ref)
 3684         implied_role_ref = unit.new_role_ref()
 3685         PROVIDERS.role_api.create_role(
 3686             implied_role_ref['id'], implied_role_ref
 3687         )
 3688 
 3689         PROVIDERS.role_api.create_implied_role(
 3690             prior_role_ref['id'],
 3691             implied_role_ref['id'])
 3692         implied_role = PROVIDERS.role_api.get_implied_role(
 3693             prior_role_ref['id'],
 3694             implied_role_ref['id'])
 3695         expected_implied_role_ref = {
 3696             'prior_role_id': prior_role_ref['id'],
 3697             'implied_role_id': implied_role_ref['id']}
 3698         self.assertDictContainsSubset(
 3699             expected_implied_role_ref,
 3700             implied_role)
 3701 
 3702         PROVIDERS.role_api.delete_implied_role(
 3703             prior_role_ref['id'],
 3704             implied_role_ref['id'])
 3705         self.assertRaises(exception.ImpliedRoleNotFound,
 3706                           PROVIDERS.role_api.get_implied_role,
 3707                           uuid.uuid4().hex,
 3708                           uuid.uuid4().hex)
 3709 
 3710     def test_delete_implied_role_returns_not_found(self):
 3711         self.assertRaises(exception.ImpliedRoleNotFound,
 3712                           PROVIDERS.role_api.delete_implied_role,
 3713                           uuid.uuid4().hex,
 3714                           uuid.uuid4().hex)
 3715 
 3716     def test_role_assignments_simple_tree_of_implied_roles(self):
 3717         """Test that implied roles are expanded out."""
 3718         test_plan = {
 3719             'entities': {'domains': {'users': 1, 'projects': 1},
 3720                          'roles': 4},
 3721             # Three level tree of implied roles
 3722             'implied_roles': [{'role': 0, 'implied_roles': 1},
 3723                               {'role': 1, 'implied_roles': [2, 3]}],
 3724             'assignments': [{'user': 0, 'role': 0, 'project': 0}],
 3725             'tests': [
 3726                 # List all direct assignments for user[0], this should just
 3727                 # show the one top level role assignment
 3728                 {'params': {'user': 0},
 3729                  'results': [{'user': 0, 'role': 0, 'project': 0}]},
 3730                 # Listing in effective mode should show the implied roles
 3731                 # expanded out
 3732                 {'params': {'user': 0, 'effective': True},
 3733                  'results': [{'user': 0, 'role': 0, 'project': 0},
 3734                              {'user': 0, 'role': 1, 'project': 0,
 3735                               'indirect': {'role': 0}},
 3736                              {'user': 0, 'role': 2, 'project': 0,
 3737                               'indirect': {'role': 1}},
 3738                              {'user': 0, 'role': 3, 'project': 0,
 3739                               'indirect': {'role': 1}}]},
 3740             ]
 3741         }
 3742         self.execute_assignment_plan(test_plan)
 3743 
 3744     def test_circular_inferences(self):
 3745         """Test that implied roles are expanded out."""
 3746         test_plan = {
 3747             'entities': {'domains': {'users': 1, 'projects': 1},
 3748                          'roles': 4},
 3749             # Three level tree of implied roles
 3750             'implied_roles': [{'role': 0, 'implied_roles': [1]},
 3751                               {'role': 1, 'implied_roles': [2, 3]},
 3752                               {'role': 3, 'implied_roles': [0]}],
 3753             'assignments': [{'user': 0, 'role': 0, 'project': 0}],
 3754             'tests': [
 3755                 # List all direct assignments for user[0], this should just
 3756                 # show the one top level role assignment
 3757                 {'params': {'user': 0},
 3758                  'results': [{'user': 0, 'role': 0, 'project': 0}]},
 3759                 # Listing in effective mode should show the implied roles
 3760                 # expanded out
 3761                 {'params': {'user': 0, 'effective': True},
 3762                  'results': [{'user': 0, 'role': 0, 'project': 0},
 3763                              {'user': 0, 'role': 0, 'project': 0,
 3764                               'indirect': {'role': 3}},
 3765                              {'user': 0, 'role': 1, 'project': 0,
 3766                               'indirect': {'role': 0}},
 3767                              {'user': 0, 'role': 2, 'project': 0,
 3768                               'indirect': {'role': 1}},
 3769                              {'user': 0, 'role': 3, 'project': 0,
 3770                               'indirect': {'role': 1}}]},
 3771             ]
 3772         }
 3773         self.execute_assignment_plan(test_plan)
 3774 
 3775     def test_role_assignments_directed_graph_of_implied_roles(self):
 3776         """Test that a role can have multiple, different prior roles."""
 3777         test_plan = {
 3778             'entities': {'domains': {'users': 1, 'projects': 1},
 3779                          'roles': 6},
 3780             # Three level tree of implied roles, where one of the roles at the
 3781             # bottom is implied by more than one top level role
 3782             'implied_roles': [{'role': 0, 'implied_roles': [1, 2]},
 3783                               {'role': 1, 'implied_roles': [3, 4]},
 3784                               {'role': 5, 'implied_roles': 4}],
 3785             # The user gets both top level roles
 3786             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 3787                             {'user': 0, 'role': 5, 'project': 0}],
 3788             'tests': [
 3789                 # The implied roles should be expanded out and there should be
 3790                 # two entries for the role that had two different prior roles.
 3791                 {'params': {'user': 0, 'effective': True},
 3792                  'results': [{'user': 0, 'role': 0, 'project': 0},
 3793                              {'user': 0, 'role': 5, 'project': 0},
 3794                              {'user': 0, 'role': 1, 'project': 0,
 3795                               'indirect': {'role': 0}},
 3796                              {'user': 0, 'role': 2, 'project': 0,
 3797                               'indirect': {'role': 0}},
 3798                              {'user': 0, 'role': 3, 'project': 0,
 3799                               'indirect': {'role': 1}},
 3800                              {'user': 0, 'role': 4, 'project': 0,
 3801                               'indirect': {'role': 1}},
 3802                              {'user': 0, 'role': 4, 'project': 0,
 3803                               'indirect': {'role': 5}}]},
 3804             ]
 3805         }
 3806         test_data = self.execute_assignment_plan(test_plan)
 3807 
 3808         # We should also be able to get a similar (yet summarized) answer to
 3809         # the above by calling get_roles_for_user_and_project(), which should
 3810         # list the role_ids, yet remove any duplicates
 3811         role_ids = PROVIDERS.assignment_api.get_roles_for_user_and_project(
 3812             test_data['users'][0]['id'], test_data['projects'][0]['id'])
 3813         # We should see 6 entries, not 7, since role index 5 appeared twice in
 3814         # the answer from list_role_assignments
 3815         self.assertThat(role_ids, matchers.HasLength(6))
 3816         for x in range(0, 5):
 3817             self.assertIn(test_data['roles'][x]['id'], role_ids)
 3818 
 3819     def test_role_assignments_implied_roles_filtered_by_role(self):
 3820         """Test that you can filter by role even if roles are implied."""
 3821         test_plan = {
 3822             'entities': {'domains': {'users': 1, 'projects': 2},
 3823                          'roles': 4},
 3824             # Three level tree of implied roles
 3825             'implied_roles': [{'role': 0, 'implied_roles': 1},
 3826                               {'role': 1, 'implied_roles': [2, 3]}],
 3827             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 3828                             {'user': 0, 'role': 3, 'project': 1}],
 3829             'tests': [
 3830                 # List effective roles filtering by one of the implied roles,
 3831                 # showing that the filter was implied post expansion of
 3832                 # implied roles (and that non implied roles are included in
 3833                 # the filter
 3834                 {'params': {'role': 3, 'effective': True},
 3835                  'results': [{'user': 0, 'role': 3, 'project': 0,
 3836                               'indirect': {'role': 1}},
 3837                              {'user': 0, 'role': 3, 'project': 1}]},
 3838             ]
 3839         }
 3840         self.execute_assignment_plan(test_plan)
 3841 
 3842     def test_role_assignments_simple_tree_of_implied_roles_on_domain(self):
 3843         """Test that implied roles are expanded out when placed on a domain."""
 3844         test_plan = {
 3845             'entities': {'domains': {'users': 1},
 3846                          'roles': 4},
 3847             # Three level tree of implied roles
 3848             'implied_roles': [{'role': 0, 'implied_roles': 1},
 3849                               {'role': 1, 'implied_roles': [2, 3]}],
 3850             'assignments': [{'user': 0, 'role': 0, 'domain': 0}],
 3851             'tests': [
 3852                 # List all direct assignments for user[0], this should just
 3853                 # show the one top level role assignment
 3854                 {'params': {'user': 0},
 3855                  'results': [{'user': 0, 'role': 0, 'domain': 0}]},
 3856                 # Listing in effective mode should how the implied roles
 3857                 # expanded out
 3858                 {'params': {'user': 0, 'effective': True},
 3859                  'results': [{'user': 0, 'role': 0, 'domain': 0},
 3860                              {'user': 0, 'role': 1, 'domain': 0,
 3861                               'indirect': {'role': 0}},
 3862                              {'user': 0, 'role': 2, 'domain': 0,
 3863                               'indirect': {'role': 1}},
 3864                              {'user': 0, 'role': 3, 'domain': 0,
 3865                               'indirect': {'role': 1}}]},
 3866             ]
 3867         }
 3868         self.execute_assignment_plan(test_plan)
 3869 
 3870     def test_role_assignments_inherited_implied_roles(self):
 3871         """Test that you can intermix inherited and implied roles."""
 3872         test_plan = {
 3873             'entities': {'domains': {'users': 1, 'projects': 1},
 3874                          'roles': 4},
 3875             # Simply one level of implied roles
 3876             'implied_roles': [{'role': 0, 'implied_roles': 1}],
 3877             # Assign to top level role as an inherited assignment to the
 3878             # domain
 3879             'assignments': [{'user': 0, 'role': 0, 'domain': 0,
 3880                              'inherited_to_projects': True}],
 3881             'tests': [
 3882                 # List all direct assignments for user[0], this should just
 3883                 # show the one top level role assignment
 3884                 {'params': {'user': 0},
 3885                  'results': [{'user': 0, 'role': 0, 'domain': 0,
 3886                               'inherited_to_projects': 'projects'}]},
 3887                 # List in effective mode - we should only see the initial and
 3888                 # implied role on the project (since inherited roles are not
 3889                 # active on their anchor point).
 3890                 {'params': {'user': 0, 'effective': True},
 3891                  'results': [{'user': 0, 'role': 0, 'project': 0,
 3892                               'indirect': {'domain': 0}},
 3893                              {'user': 0, 'role': 1, 'project': 0,
 3894                               'indirect': {'domain': 0, 'role': 0}}]},
 3895             ]
 3896         }
 3897         self.execute_assignment_plan(test_plan)
 3898 
 3899     def test_role_assignments_domain_specific_with_implied_roles(self):
 3900         test_plan = {
 3901             'entities': {'domains': {'users': 1, 'projects': 1, 'roles': 2},
 3902                          'roles': 2},
 3903             # Two level tree of implied roles, with the top and 1st level being
 3904             # domain specific roles, and the bottom level being inferred global
 3905             # roles.
 3906             'implied_roles': [{'role': 0, 'implied_roles': [1]},
 3907                               {'role': 1, 'implied_roles': [2, 3]}],
 3908             'assignments': [{'user': 0, 'role': 0, 'project': 0}],
 3909             'tests': [
 3910                 # List all direct assignments for user[0], this should just
 3911                 # show the one top level role assignment, even though this is a
 3912                 # domain specific role (since we are in non-effective mode and
 3913                 # we show any direct role assignment in that mode).
 3914                 {'params': {'user': 0},
 3915                  'results': [{'user': 0, 'role': 0, 'project': 0}]},
 3916                 # Now the effective ones - so the implied roles should be
 3917                 # expanded out, as well as any domain specific roles should be
 3918                 # removed.
 3919                 {'params': {'user': 0, 'effective': True},
 3920                  'results': [{'user': 0, 'role': 2, 'project': 0,
 3921                               'indirect': {'role': 1}},
 3922                              {'user': 0, 'role': 3, 'project': 0,
 3923                               'indirect': {'role': 1}}]},
 3924             ]
 3925         }
 3926         self.execute_assignment_plan(test_plan)
 3927 
 3928 
 3929 class SystemAssignmentTests(AssignmentTestHelperMixin):
 3930     def test_create_system_grant_for_user(self):
 3931         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 3932         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 3933         role_ref = self._create_role()
 3934 
 3935         PROVIDERS.assignment_api.create_system_grant_for_user(
 3936             user_id, role_ref['id']
 3937         )
 3938         system_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
 3939             user_id
 3940         )
 3941         self.assertEqual(len(system_roles), 1)
 3942         self.assertIsNone(system_roles[0]['domain_id'])
 3943         self.assertEqual(system_roles[0]['id'], role_ref['id'])
 3944         self.assertEqual(system_roles[0]['name'], role_ref['name'])
 3945 
 3946     def test_list_system_grants_for_user(self):
 3947         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 3948         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 3949         first_role = self._create_role()
 3950         second_role = self._create_role()
 3951 
 3952         PROVIDERS.assignment_api.create_system_grant_for_user(
 3953             user_id, first_role['id']
 3954         )
 3955         system_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
 3956             user_id
 3957         )
 3958         self.assertEqual(len(system_roles), 1)
 3959 
 3960         PROVIDERS.assignment_api.create_system_grant_for_user(
 3961             user_id, second_role['id']
 3962         )
 3963         system_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
 3964             user_id
 3965         )
 3966         self.assertEqual(len(system_roles), 2)
 3967 
 3968     def test_check_system_grant_for_user(self):
 3969         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 3970         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 3971         role = self._create_role()
 3972 
 3973         self.assertRaises(
 3974             exception.RoleAssignmentNotFound,
 3975             PROVIDERS.assignment_api.check_system_grant_for_user,
 3976             user_id,
 3977             role['id']
 3978         )
 3979 
 3980         PROVIDERS.assignment_api.create_system_grant_for_user(
 3981             user_id, role['id']
 3982         )
 3983         PROVIDERS.assignment_api.check_system_grant_for_user(
 3984             user_id, role['id']
 3985         )
 3986 
 3987     def test_delete_system_grant_for_user(self):
 3988         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 3989         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 3990         role = self._create_role()
 3991 
 3992         PROVIDERS.assignment_api.create_system_grant_for_user(
 3993             user_id, role['id']
 3994         )
 3995         system_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
 3996             user_id
 3997         )
 3998         self.assertEqual(len(system_roles), 1)
 3999 
 4000         PROVIDERS.assignment_api.delete_system_grant_for_user(
 4001             user_id, role['id']
 4002         )
 4003         system_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
 4004             user_id
 4005         )
 4006         self.assertEqual(len(system_roles), 0)
 4007 
 4008     def test_check_system_grant_for_user_with_invalid_role_fails(self):
 4009         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 4010         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 4011 
 4012         self.assertRaises(
 4013             exception.RoleAssignmentNotFound,
 4014             PROVIDERS.assignment_api.check_system_grant_for_user,
 4015             user_id,
 4016             uuid.uuid4().hex
 4017         )
 4018 
 4019     def test_check_system_grant_for_user_with_invalid_user_fails(self):
 4020         role = self._create_role()
 4021 
 4022         self.assertRaises(
 4023             exception.RoleAssignmentNotFound,
 4024             PROVIDERS.assignment_api.check_system_grant_for_user,
 4025             uuid.uuid4().hex,
 4026             role['id']
 4027         )
 4028 
 4029     def test_delete_system_grant_for_user_with_invalid_role_fails(self):
 4030         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 4031         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 4032         role = self._create_role()
 4033 
 4034         PROVIDERS.assignment_api.create_system_grant_for_user(
 4035             user_id, role['id']
 4036         )
 4037         self.assertRaises(
 4038             exception.RoleAssignmentNotFound,
 4039             PROVIDERS.assignment_api.delete_system_grant_for_user,
 4040             user_id,
 4041             uuid.uuid4().hex
 4042         )
 4043 
 4044     def test_delete_system_grant_for_user_with_invalid_user_fails(self):
 4045         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 4046         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 4047         role = self._create_role()
 4048 
 4049         PROVIDERS.assignment_api.create_system_grant_for_user(
 4050             user_id, role['id']
 4051         )
 4052         self.assertRaises(
 4053             exception.RoleAssignmentNotFound,
 4054             PROVIDERS.assignment_api.delete_system_grant_for_user,
 4055             uuid.uuid4().hex,
 4056             role['id']
 4057         )
 4058 
 4059     def test_list_system_grants_for_user_returns_empty_list(self):
 4060         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 4061         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 4062 
 4063         system_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
 4064             user_id
 4065         )
 4066         self.assertFalse(system_roles)
 4067 
 4068     def test_create_system_grant_for_user_fails_with_domain_role(self):
 4069         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 4070         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 4071         role = self._create_role(domain_id=CONF.identity.default_domain_id)
 4072 
 4073         self.assertRaises(
 4074             exception.ValidationError,
 4075             PROVIDERS.assignment_api.create_system_grant_for_user,
 4076             user_id,
 4077             role['id']
 4078         )
 4079 
 4080     def test_create_system_grant_for_group(self):
 4081         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4082         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4083         role_ref = self._create_role()
 4084 
 4085         PROVIDERS.assignment_api.create_system_grant_for_group(
 4086             group_id, role_ref['id']
 4087         )
 4088         system_roles = PROVIDERS.assignment_api.list_system_grants_for_group(
 4089             group_id
 4090         )
 4091         self.assertEqual(len(system_roles), 1)
 4092         self.assertIsNone(system_roles[0]['domain_id'])
 4093         self.assertEqual(system_roles[0]['id'], role_ref['id'])
 4094         self.assertEqual(system_roles[0]['name'], role_ref['name'])
 4095 
 4096     def test_list_system_grants_for_group(self):
 4097         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4098         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4099         first_role = self._create_role()
 4100         second_role = self._create_role()
 4101 
 4102         PROVIDERS.assignment_api.create_system_grant_for_group(
 4103             group_id, first_role['id']
 4104         )
 4105         system_roles = PROVIDERS.assignment_api.list_system_grants_for_group(
 4106             group_id
 4107         )
 4108         self.assertEqual(len(system_roles), 1)
 4109 
 4110         PROVIDERS.assignment_api.create_system_grant_for_group(
 4111             group_id, second_role['id']
 4112         )
 4113         system_roles = PROVIDERS.assignment_api.list_system_grants_for_group(
 4114             group_id
 4115         )
 4116         self.assertEqual(len(system_roles), 2)
 4117 
 4118     def test_check_system_grant_for_group(self):
 4119         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4120         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4121         role = self._create_role()
 4122 
 4123         self.assertRaises(
 4124             exception.RoleAssignmentNotFound,
 4125             PROVIDERS.assignment_api.check_system_grant_for_group,
 4126             group_id,
 4127             role['id']
 4128         )
 4129 
 4130         PROVIDERS.assignment_api.create_system_grant_for_group(
 4131             group_id, role['id']
 4132         )
 4133         PROVIDERS.assignment_api.check_system_grant_for_group(
 4134             group_id, role['id']
 4135         )
 4136 
 4137     def test_delete_system_grant_for_group(self):
 4138         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4139         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4140         role = self._create_role()
 4141 
 4142         PROVIDERS.assignment_api.create_system_grant_for_group(
 4143             group_id, role['id']
 4144         )
 4145         system_roles = PROVIDERS.assignment_api.list_system_grants_for_group(
 4146             group_id
 4147         )
 4148         self.assertEqual(len(system_roles), 1)
 4149 
 4150         PROVIDERS.assignment_api.delete_system_grant_for_group(
 4151             group_id, role['id']
 4152         )
 4153         system_roles = PROVIDERS.assignment_api.list_system_grants_for_group(
 4154             group_id
 4155         )
 4156         self.assertEqual(len(system_roles), 0)
 4157 
 4158     def test_check_system_grant_for_group_with_invalid_role_fails(self):
 4159         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4160         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4161 
 4162         self.assertRaises(
 4163             exception.RoleAssignmentNotFound,
 4164             PROVIDERS.assignment_api.check_system_grant_for_group,
 4165             group_id,
 4166             uuid.uuid4().hex
 4167         )
 4168 
 4169     def test_check_system_grant_for_group_with_invalid_group_fails(self):
 4170         role = self._create_role()
 4171 
 4172         self.assertRaises(
 4173             exception.RoleAssignmentNotFound,
 4174             PROVIDERS.assignment_api.check_system_grant_for_group,
 4175             uuid.uuid4().hex,
 4176             role['id']
 4177         )
 4178 
 4179     def test_delete_system_grant_for_group_with_invalid_role_fails(self):
 4180         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4181         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4182         role = self._create_role()
 4183 
 4184         PROVIDERS.assignment_api.create_system_grant_for_group(
 4185             group_id, role['id']
 4186         )
 4187         self.assertRaises(
 4188             exception.RoleAssignmentNotFound,
 4189             PROVIDERS.assignment_api.delete_system_grant_for_group,
 4190             group_id,
 4191             uuid.uuid4().hex
 4192         )
 4193 
 4194     def test_delete_system_grant_for_group_with_invalid_group_fails(self):
 4195         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4196         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4197         role = self._create_role()
 4198 
 4199         PROVIDERS.assignment_api.create_system_grant_for_group(
 4200             group_id, role['id']
 4201         )
 4202         self.assertRaises(
 4203             exception.RoleAssignmentNotFound,
 4204             PROVIDERS.assignment_api.delete_system_grant_for_group,
 4205             uuid.uuid4().hex,
 4206             role['id']
 4207         )
 4208 
 4209     def test_list_system_grants_for_group_returns_empty_list(self):
 4210         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4211         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4212 
 4213         system_roles = PROVIDERS.assignment_api.list_system_grants_for_group(
 4214             group_id
 4215         )
 4216         self.assertFalse(system_roles)
 4217 
 4218     def test_create_system_grant_for_group_fails_with_domain_role(self):
 4219         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4220         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4221         role = self._create_role(CONF.identity.default_domain_id)
 4222 
 4223         self.assertRaises(
 4224             exception.ValidationError,
 4225             PROVIDERS.assignment_api.create_system_grant_for_group,
 4226             group_id,
 4227             role['id']
 4228         )
 4229 
 4230     def test_delete_role_with_system_assignments(self):
 4231         role = unit.new_role_ref()
 4232         PROVIDERS.role_api.create_role(role['id'], role)
 4233         domain = unit.new_domain_ref()
 4234         PROVIDERS.resource_api.create_domain(domain['id'], domain)
 4235         user = unit.new_user_ref(domain_id=domain['id'])
 4236         user = PROVIDERS.identity_api.create_user(user)
 4237 
 4238         # creating a system grant for user
 4239         PROVIDERS.assignment_api.create_system_grant_for_user(
 4240             user['id'], role['id']
 4241         )
 4242         # deleting the role user has on system
 4243         PROVIDERS.role_api.delete_role(role['id'])
 4244         system_roles = PROVIDERS.assignment_api.list_role_assignments(
 4245             role_id=role['id']
 4246         )
 4247         self.assertEqual(len(system_roles), 0)