"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/unit/assignment/test_backends.py" (13 May 2020, 192077 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_backends.py": 16.0.1_vs_17.0.0.

    1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 # not use this file except in compliance with the License. You may obtain
    3 # a copy of the License at
    4 #
    5 #      http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 # Unless required by applicable law or agreed to in writing, software
    8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 # License for the specific language governing permissions and limitations
   11 # under the License.
   12 
   13 from unittest import mock
   14 import uuid
   15 
   16 from testtools import matchers
   17 
   18 from keystone.common import provider_api
   19 import keystone.conf
   20 from keystone import exception
   21 from keystone.tests import unit
   22 from keystone.tests.unit import default_fixtures
   23 
   24 
   25 CONF = keystone.conf.CONF
   26 PROVIDERS = provider_api.ProviderAPIs
   27 
   28 
   29 class AssignmentTestHelperMixin(object):
   30     """Mixin class to aid testing of assignments.
   31 
   32     This class supports data driven test plans that enable:
   33 
   34     - Creation of initial entities, such as domains, users, groups, projects
   35       and roles
   36     - Creation of assignments referencing the above entities
   37     - A set of input parameters and expected outputs to list_role_assignments
   38       based on the above test data
   39 
   40     A test plan is a dict of the form:
   41 
   42     test_plan = {
   43         entities: details and number of entities,
   44         group_memberships: group-user entity memberships,
   45         assignments: list of assignments to create,
   46         tests: list of pairs of input params and expected outputs}
   47 
   48     An example test plan:
   49 
   50     test_plan = {
   51         # First, create the entities required. Entities are specified by
   52         # a dict with the key being the entity type and the value an
   53         # entity specification which can be one of:
   54         #
   55         # - a simple number, e.g. {'users': 3} creates 3 users
   56         # - a dict where more information regarding the contents of the entity
   57         #   is required, e.g. {'domains' : {'users : 3}} creates a domain
   58         #   with three users
   59         # - a list of entity specifications if multiple are required
   60         #
   61         # The following creates a domain that contains a single user, group and
   62         # project, as well as creating three roles.
   63 
   64         'entities': {'domains': {'users': 1, 'groups': 1, 'projects': 1},
   65                      'roles': 3},
   66 
   67         # If it is required that an existing domain be used for the new
   68         # entities, then the id of that domain can be included in the
   69         # domain dict.  For example, if alternatively we wanted to add 3 users
   70         # to the default domain, add a second domain containing 3 projects as
   71         # well as 5 additional empty domains, the entities would be defined as:
   72         #
   73         # 'entities': {'domains': [{'id': DEFAULT_DOMAIN, 'users': 3},
   74         #                          {'projects': 3}, 5]},
   75         #
   76         # A project hierarchy can be specified within the 'projects' section by
   77         # nesting the 'project' key, for example to create a project with three
   78         # sub-projects you would use:
   79 
   80                      'projects': {'project': 3}
   81 
   82         # A more complex hierarchy can also be defined, for example the
   83         # following would define three projects each containing a
   84         # sub-project, each of which contain a further three sub-projects.
   85 
   86                      'projects': [{'project': {'project': 3}},
   87                                   {'project': {'project': 3}},
   88                                   {'project': {'project': 3}}]
   89 
   90         # If the 'roles' entity count is defined as top level key in 'entities'
   91         # dict then these are global roles. If it is placed within the
   92         # 'domain' dict, then they will be domain specific roles. A mix of
   93         # domain specific and global roles are allowed, with the role index
   94         # being calculated in the order they are defined in the 'entities'
   95         # dict.
   96 
   97         # A set of implied role specifications. In this case, prior role
   98         # index 0 implies role index 1, and role 1 implies roles 2 and 3.
   99 
  100         'roles': [{'role': 0, 'implied_roles': [1]},
  101                   {'role': 1, 'implied_roles': [2, 3]}]
  102 
  103         # A list of groups and their members. In this case make users with
  104         # index 0 and 1 members of group with index 0. Users and Groups are
  105         # indexed in the order they appear in the 'entities' key above.
  106 
  107         'group_memberships': [{'group': 0, 'users': [0, 1]}]
  108 
  109         # Next, create assignments between the entities, referencing the
  110         # entities by index, i.e. 'user': 0 refers to user[0]. Entities are
  111         # indexed in the order they appear in the 'entities' key above within
  112         # their entity type.
  113 
  114         'assignments': [{'user': 0, 'role': 0, 'domain': 0},
  115                         {'user': 0, 'role': 1, 'project': 0},
  116                         {'group': 0, 'role': 2, 'domain': 0},
  117                         {'user': 0, 'role': 2, 'project': 0}],
  118 
  119         # Finally, define an array of tests where list_role_assignment() is
  120         # called with the given input parameters and the results are then
  121         # confirmed to be as given in 'results'. Again, all entities are
  122         # referenced by index.
  123 
  124         'tests': [
  125             {'params': {},
  126              'results': [{'user': 0, 'role': 0, 'domain': 0},
  127                          {'user': 0, 'role': 1, 'project': 0},
  128                          {'group': 0, 'role': 2, 'domain': 0},
  129                          {'user': 0, 'role': 2, 'project': 0}]},
  130             {'params': {'role': 2},
  131              'results': [{'group': 0, 'role': 2, 'domain': 0},
  132                          {'user': 0, 'role': 2, 'project': 0}]}]
  133 
  134         # The 'params' key also supports the 'effective',
  135         # 'inherited_to_projects' and 'source_from_group_ids' options to
  136         # list_role_assignments.}
  137 
  138     """
  139 
  140     def _handle_project_spec(self, test_data, domain_id, project_spec,
  141                              parent_id=None):
  142         """Handle the creation of a project or hierarchy of projects.
  143 
  144         project_spec may either be a count of the number of projects to
  145         create, or it may be a list of the form:
  146 
  147         [{'project': project_spec}, {'project': project_spec}, ...]
  148 
  149         This method is called recursively to handle the creation of a
  150         hierarchy of projects.
  151 
  152         """
  153         def _create_project(domain_id, parent_id):
  154             new_project = unit.new_project_ref(domain_id=domain_id,
  155                                                parent_id=parent_id)
  156             new_project = PROVIDERS.resource_api.create_project(
  157                 new_project['id'], new_project
  158             )
  159             return new_project
  160 
  161         if isinstance(project_spec, list):
  162             for this_spec in project_spec:
  163                 self._handle_project_spec(
  164                     test_data, domain_id, this_spec, parent_id=parent_id)
  165         elif isinstance(project_spec, dict):
  166             new_proj = _create_project(domain_id, parent_id)
  167             test_data['projects'].append(new_proj)
  168             self._handle_project_spec(
  169                 test_data, domain_id, project_spec['project'],
  170                 parent_id=new_proj['id'])
  171         else:
  172             for _ in range(project_spec):
  173                 test_data['projects'].append(
  174                     _create_project(domain_id, parent_id))
  175 
  176     def _create_role(self, domain_id=None):
  177         new_role = unit.new_role_ref(domain_id=domain_id)
  178         return PROVIDERS.role_api.create_role(new_role['id'], new_role)
  179 
  180     def _handle_domain_spec(self, test_data, domain_spec):
  181         """Handle the creation of domains and their contents.
  182 
  183         domain_spec may either be a count of the number of empty domains to
  184         create, a dict describing the domain contents, or a list of
  185         domain_specs.
  186 
  187         In the case when a list is provided, this method calls itself
  188         recursively to handle the list elements.
  189 
  190         This method will insert any entities created into test_data
  191 
  192         """
  193         def _create_domain(domain_id=None):
  194             if domain_id is None:
  195                 new_domain = unit.new_domain_ref()
  196                 PROVIDERS.resource_api.create_domain(
  197                     new_domain['id'], new_domain
  198                 )
  199                 return new_domain
  200             else:
  201                 # The test plan specified an existing domain to use
  202                 return PROVIDERS.resource_api.get_domain(domain_id)
  203 
  204         def _create_entity_in_domain(entity_type, domain_id):
  205             """Create a user or group entity in the domain."""
  206             if entity_type == 'users':
  207                 new_entity = unit.new_user_ref(domain_id=domain_id)
  208                 new_entity = PROVIDERS.identity_api.create_user(new_entity)
  209             elif entity_type == 'groups':
  210                 new_entity = unit.new_group_ref(domain_id=domain_id)
  211                 new_entity = PROVIDERS.identity_api.create_group(new_entity)
  212             elif entity_type == 'roles':
  213                 new_entity = self._create_role(domain_id=domain_id)
  214             else:
  215                 # Must be a bad test plan
  216                 raise exception.NotImplemented()
  217             return new_entity
  218 
  219         if isinstance(domain_spec, list):
  220             for x in domain_spec:
  221                 self._handle_domain_spec(test_data, x)
  222         elif isinstance(domain_spec, dict):
  223             # If there is a domain ID specified, then use it
  224             the_domain = _create_domain(domain_spec.get('id'))
  225             test_data['domains'].append(the_domain)
  226             for entity_type, value in domain_spec.items():
  227                 if entity_type == 'id':
  228                     # We already used this above to determine whether to
  229                     # use and existing domain
  230                     continue
  231                 if entity_type == 'projects':
  232                     # If it's projects, we need to handle the potential
  233                     # specification of a project hierarchy
  234                     self._handle_project_spec(
  235                         test_data, the_domain['id'], value)
  236                 else:
  237                     # It's a count of number of entities
  238                     for _ in range(value):
  239                         test_data[entity_type].append(
  240                             _create_entity_in_domain(
  241                                 entity_type, the_domain['id']))
  242         else:
  243             for _ in range(domain_spec):
  244                 test_data['domains'].append(_create_domain())
  245 
  246     def create_entities(self, entity_pattern):
  247         """Create the entities specified in the test plan.
  248 
  249         Process the 'entities' key in the test plan, creating the requested
  250         entities. Each created entity will be added to the array of entities
  251         stored in the returned test_data object, e.g.:
  252 
  253         test_data['users'] = [user[0], user[1]....]
  254 
  255         """
  256         test_data = {}
  257         for entity in ['users', 'groups', 'domains', 'projects', 'roles']:
  258             test_data[entity] = []
  259 
  260         # Create any domains requested and, if specified, any entities within
  261         # those domains
  262         if 'domains' in entity_pattern:
  263             self._handle_domain_spec(test_data, entity_pattern['domains'])
  264 
  265         # Create any roles requested
  266         if 'roles' in entity_pattern:
  267             for _ in range(entity_pattern['roles']):
  268                 test_data['roles'].append(self._create_role())
  269 
  270         return test_data
  271 
  272     def _convert_entity_shorthand(self, key, shorthand_data, reference_data):
  273         """Convert a shorthand entity description into a full ID reference.
  274 
  275         In test plan definitions, we allow a shorthand for referencing to an
  276         entity of the form:
  277 
  278         'user': 0
  279 
  280         which is actually shorthand for:
  281 
  282         'user_id': reference_data['users'][0]['id']
  283 
  284         This method converts the shorthand version into the full reference.
  285 
  286         """
  287         expanded_key = '%s_id' % key
  288         reference_index = '%ss' % key
  289         index_value = (
  290             reference_data[reference_index][shorthand_data[key]]['id'])
  291         return expanded_key, index_value
  292 
  293     def create_implied_roles(self, implied_pattern, test_data):
  294         """Create the implied roles specified in the test plan."""
  295         for implied_spec in implied_pattern:
  296             # Each implied role specification is a dict of the form:
  297             #
  298             # {'role': 0, 'implied_roles': list of roles}
  299 
  300             prior_role = test_data['roles'][implied_spec['role']]['id']
  301             if isinstance(implied_spec['implied_roles'], list):
  302                 for this_role in implied_spec['implied_roles']:
  303                     implied_role = test_data['roles'][this_role]['id']
  304                     PROVIDERS.role_api.create_implied_role(
  305                         prior_role, implied_role
  306                     )
  307             else:
  308                 implied_role = (
  309                     test_data['roles'][implied_spec['implied_roles']]['id'])
  310                 PROVIDERS.role_api.create_implied_role(
  311                     prior_role, implied_role
  312                 )
  313 
  314     def create_group_memberships(self, group_pattern, test_data):
  315         """Create the group memberships specified in the test plan."""
  316         for group_spec in group_pattern:
  317             # Each membership specification is a dict of the form:
  318             #
  319             # {'group': 0, 'users': [list of user indexes]}
  320             #
  321             # Add all users in the list to the specified group, first
  322             # converting from index to full entity ID.
  323             group_value = test_data['groups'][group_spec['group']]['id']
  324             for user_index in group_spec['users']:
  325                 user_value = test_data['users'][user_index]['id']
  326                 PROVIDERS.identity_api.add_user_to_group(
  327                     user_value, group_value
  328                 )
  329         return test_data
  330 
  331     def create_assignments(self, assignment_pattern, test_data):
  332         """Create the assignments specified in the test plan."""
  333         # First store how many assignments are already in the system,
  334         # so during the tests we can check the number of new assignments
  335         # created.
  336         test_data['initial_assignment_count'] = (
  337             len(PROVIDERS.assignment_api.list_role_assignments()))
  338 
  339         # Now create the new assignments in the test plan
  340         for assignment in assignment_pattern:
  341             # Each assignment is a dict of the form:
  342             #
  343             # { 'user': 0, 'project':1, 'role': 6}
  344             #
  345             # where the value of each item is the index into the array of
  346             # entities created earlier.
  347             #
  348             # We process the assignment dict to create the args required to
  349             # make the create_grant() call.
  350             args = {}
  351             for param in assignment:
  352                 if param == 'inherited_to_projects':
  353                     args[param] = assignment[param]
  354                 else:
  355                     # Turn 'entity : 0' into 'entity_id = ac6736ba873d'
  356                     # where entity in user, group, project or domain
  357                     key, value = self._convert_entity_shorthand(
  358                         param, assignment, test_data)
  359                     args[key] = value
  360             PROVIDERS.assignment_api.create_grant(**args)
  361         return test_data
  362 
  363     def execute_assignment_cases(self, test_plan, test_data):
  364         """Execute the test plan, based on the created test_data."""
  365         def check_results(expected, actual, param_arg_count):
  366             if param_arg_count == 0:
  367                 # It was an unfiltered call, so default fixture assignments
  368                 # might be polluting our answer - so we take into account
  369                 # how many assignments there were before the test.
  370                 self.assertEqual(
  371                     len(expected) + test_data['initial_assignment_count'],
  372                     len(actual))
  373             else:
  374                 self.assertThat(actual, matchers.HasLength(len(expected)))
  375 
  376             for each_expected in expected:
  377                 expected_assignment = {}
  378                 for param in each_expected:
  379                     if param == 'inherited_to_projects':
  380                         expected_assignment[param] = each_expected[param]
  381                     elif param == 'indirect':
  382                         # We're expecting the result to contain an indirect
  383                         # dict with the details how the role came to be placed
  384                         # on this entity - so convert the key/value pairs of
  385                         # that dict into real entity references.
  386                         indirect_term = {}
  387                         for indirect_param in each_expected[param]:
  388                             key, value = self._convert_entity_shorthand(
  389                                 indirect_param, each_expected[param],
  390                                 test_data)
  391                             indirect_term[key] = value
  392                         expected_assignment[param] = indirect_term
  393                     else:
  394                         # Convert a simple shorthand entry into a full
  395                         # entity reference
  396                         key, value = self._convert_entity_shorthand(
  397                             param, each_expected, test_data)
  398                         expected_assignment[key] = value
  399                 self.assertIn(expected_assignment, actual)
  400 
  401         def convert_group_ids_sourced_from_list(index_list, reference_data):
  402             value_list = []
  403             for group_index in index_list:
  404                 value_list.append(
  405                     reference_data['groups'][group_index]['id'])
  406             return value_list
  407 
  408         # Go through each test in the array, processing the input params, which
  409         # we build into an args dict, and then call list_role_assignments. Then
  410         # check the results against those specified in the test plan.
  411         for test in test_plan.get('tests', []):
  412             args = {}
  413             for param in test['params']:
  414                 if param in ['effective', 'inherited', 'include_subtree']:
  415                     # Just pass the value into the args
  416                     args[param] = test['params'][param]
  417                 elif param == 'source_from_group_ids':
  418                     # Convert the list of indexes into a list of IDs
  419                     args[param] = convert_group_ids_sourced_from_list(
  420                         test['params']['source_from_group_ids'], test_data)
  421                 else:
  422                     # Turn 'entity : 0' into 'entity_id = ac6736ba873d'
  423                     # where entity in user, group, project or domain
  424                     key, value = self._convert_entity_shorthand(
  425                         param, test['params'], test_data)
  426                     args[key] = value
  427             results = PROVIDERS.assignment_api.list_role_assignments(**args)
  428             check_results(test['results'], results, len(args))
  429 
  430     def execute_assignment_plan(self, test_plan):
  431         """Create entities, assignments and execute the test plan.
  432 
  433         The standard method to call to create entities and assignments and
  434         execute the tests as specified in the test_plan. The test_data
  435         dict is returned so that, if required, the caller can execute
  436         additional manual tests with the entities and assignments created.
  437 
  438         """
  439         test_data = self.create_entities(test_plan['entities'])
  440         if 'implied_roles' in test_plan:
  441             self.create_implied_roles(test_plan['implied_roles'], test_data)
  442         if 'group_memberships' in test_plan:
  443             self.create_group_memberships(test_plan['group_memberships'],
  444                                           test_data)
  445         if 'assignments' in test_plan:
  446             test_data = self.create_assignments(test_plan['assignments'],
  447                                                 test_data)
  448         self.execute_assignment_cases(test_plan, test_data)
  449         return test_data
  450 
  451 
  452 class AssignmentTests(AssignmentTestHelperMixin):
  453 
  454     def _get_domain_fixture(self):
  455         domain = unit.new_domain_ref()
  456         PROVIDERS.resource_api.create_domain(domain['id'], domain)
  457         return domain
  458 
  459     def test_project_add_and_remove_user_role(self):
  460         user_ids = PROVIDERS.assignment_api.list_user_ids_for_project(
  461             self.project_bar['id'])
  462         self.assertNotIn(self.user_two['id'], user_ids)
  463 
  464         PROVIDERS.assignment_api.add_role_to_user_and_project(
  465             project_id=self.project_bar['id'],
  466             user_id=self.user_two['id'],
  467             role_id=self.role_other['id'])
  468         user_ids = PROVIDERS.assignment_api.list_user_ids_for_project(
  469             self.project_bar['id'])
  470         self.assertIn(self.user_two['id'], user_ids)
  471 
  472         PROVIDERS.assignment_api.remove_role_from_user_and_project(
  473             project_id=self.project_bar['id'],
  474             user_id=self.user_two['id'],
  475             role_id=self.role_other['id'])
  476 
  477         user_ids = PROVIDERS.assignment_api.list_user_ids_for_project(
  478             self.project_bar['id'])
  479         self.assertNotIn(self.user_two['id'], user_ids)
  480 
  481     def test_remove_user_role_not_assigned(self):
  482         # Expect failure if attempt to remove a role that was never assigned to
  483         # the user.
  484         self.assertRaises(exception.RoleNotFound,
  485                           PROVIDERS.assignment_api.
  486                           remove_role_from_user_and_project,
  487                           project_id=self.project_bar['id'],
  488                           user_id=self.user_two['id'],
  489                           role_id=self.role_other['id'])
  490 
  491     def test_list_user_ids_for_project(self):
  492         user_ids = PROVIDERS.assignment_api.list_user_ids_for_project(
  493             self.project_baz['id'])
  494         self.assertEqual(2, len(user_ids))
  495         self.assertIn(self.user_two['id'], user_ids)
  496         self.assertIn(self.user_badguy['id'], user_ids)
  497 
  498     def test_list_user_ids_for_project_no_duplicates(self):
  499         # Create user
  500         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  501         user_ref = PROVIDERS.identity_api.create_user(user_ref)
  502         # Create project
  503         project_ref = unit.new_project_ref(
  504             domain_id=CONF.identity.default_domain_id)
  505         PROVIDERS.resource_api.create_project(
  506             project_ref['id'], project_ref)
  507         # Create 2 roles and give user each role in project
  508         for i in range(2):
  509             role_ref = unit.new_role_ref()
  510             PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
  511             PROVIDERS.assignment_api.add_role_to_user_and_project(
  512                 user_id=user_ref['id'],
  513                 project_id=project_ref['id'],
  514                 role_id=role_ref['id'])
  515         # Get the list of user_ids in project
  516         user_ids = PROVIDERS.assignment_api.list_user_ids_for_project(
  517             project_ref['id'])
  518         # Ensure the user is only returned once
  519         self.assertEqual(1, len(user_ids))
  520 
  521     def test_get_project_user_ids_returns_not_found(self):
  522         self.assertRaises(exception.ProjectNotFound,
  523                           PROVIDERS.assignment_api.list_user_ids_for_project,
  524                           uuid.uuid4().hex)
  525 
  526     def test_list_role_assignments_unfiltered(self):
  527         """Test unfiltered listing of role assignments."""
  528         test_plan = {
  529             # Create a domain, with a user, group & project
  530             'entities': {'domains': {'users': 1, 'groups': 1, 'projects': 1},
  531                          'roles': 3},
  532             # Create a grant of each type (user/group on project/domain)
  533             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
  534                             {'user': 0, 'role': 1, 'project': 0},
  535                             {'group': 0, 'role': 2, 'domain': 0},
  536                             {'group': 0, 'role': 2, 'project': 0}],
  537             'tests': [
  538                 # Check that we get back the 4 assignments
  539                 {'params': {},
  540                  'results': [{'user': 0, 'role': 0, 'domain': 0},
  541                              {'user': 0, 'role': 1, 'project': 0},
  542                              {'group': 0, 'role': 2, 'domain': 0},
  543                              {'group': 0, 'role': 2, 'project': 0}]}
  544             ]
  545         }
  546         self.execute_assignment_plan(test_plan)
  547 
  548     def test_list_role_assignments_filtered_by_role(self):
  549         """Test listing of role assignments filtered by role ID."""
  550         test_plan = {
  551             # Create a user, group & project in the default domain
  552             'entities': {'domains': {'id': CONF.identity.default_domain_id,
  553                                      'users': 1, 'groups': 1, 'projects': 1},
  554                          'roles': 3},
  555             # Create a grant of each type (user/group on project/domain)
  556             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
  557                             {'user': 0, 'role': 1, 'project': 0},
  558                             {'group': 0, 'role': 2, 'domain': 0},
  559                             {'group': 0, 'role': 2, 'project': 0}],
  560             'tests': [
  561                 # Check that when filtering by role, we only get back those
  562                 # that match
  563                 {'params': {'role': 2},
  564                  'results': [{'group': 0, 'role': 2, 'domain': 0},
  565                              {'group': 0, 'role': 2, 'project': 0}]}
  566             ]
  567         }
  568         self.execute_assignment_plan(test_plan)
  569 
  570     def test_list_group_role_assignment(self):
  571         # When a group role assignment is created and the role assignments are
  572         # listed then the group role assignment is included in the list.
  573 
  574         test_plan = {
  575             'entities': {'domains': {'id': CONF.identity.default_domain_id,
  576                                      'groups': 1, 'projects': 1},
  577                          'roles': 1},
  578             'assignments': [{'group': 0, 'role': 0, 'project': 0}],
  579             'tests': [
  580                 {'params': {},
  581                  'results': [{'group': 0, 'role': 0, 'project': 0}]}
  582             ]
  583         }
  584         self.execute_assignment_plan(test_plan)
  585 
  586     def test_list_role_assignments_bad_role(self):
  587         assignment_list = PROVIDERS.assignment_api.list_role_assignments(
  588             role_id=uuid.uuid4().hex)
  589         self.assertEqual([], assignment_list)
  590 
  591     def test_list_role_assignments_user_not_found(self):
  592         def _user_not_found(value):
  593             raise exception.UserNotFound(user_id=value)
  594 
  595         # Note(knikolla): Patch get_user to return UserNotFound
  596         # this simulates the possibility of a user being deleted
  597         # directly in the backend and still having lingering role
  598         # assignments.
  599         with mock.patch.object(PROVIDERS.identity_api, 'get_user',
  600                                _user_not_found):
  601             assignment_list = PROVIDERS.assignment_api.list_role_assignments(
  602                 include_names=True
  603             )
  604 
  605         self.assertNotEqual([], assignment_list)
  606         for assignment in assignment_list:
  607             if 'user_name' in assignment:
  608                 # Note(knikolla): In the case of a not found user we
  609                 # populate the values with empty strings.
  610                 self.assertEqual('', assignment['user_name'])
  611                 self.assertEqual('', assignment['user_domain_id'])
  612                 self.assertEqual('', assignment['user_domain_name'])
  613 
  614     def test_list_role_assignments_group_not_found(self):
  615         def _group_not_found(value):
  616             raise exception.GroupNotFound(group_id=value)
  617 
  618         # Setup
  619         # 1) Remove any pre-existing assignments so we control what's there
  620         for a in PROVIDERS.assignment_api.list_role_assignments():
  621             PROVIDERS.assignment_api.delete_grant(**a)
  622         # 2) create a group and 2 users in that group
  623         domain_id = CONF.identity.default_domain_id
  624         group = PROVIDERS.identity_api.create_group(
  625             unit.new_group_ref(domain_id=domain_id))
  626         user1 = PROVIDERS.identity_api.create_user(
  627             unit.new_user_ref(domain_id=domain_id))
  628         user2 = PROVIDERS.identity_api.create_user(
  629             unit.new_user_ref(domain_id=domain_id))
  630         PROVIDERS.identity_api.add_user_to_group(user1['id'], group['id'])
  631         PROVIDERS.identity_api.add_user_to_group(user2['id'], group['id'])
  632         # 3) create a role assignment for the group
  633         PROVIDERS.assignment_api.create_grant(
  634             group_id=group['id'],
  635             domain_id=domain_id,
  636             role_id=default_fixtures.MEMBER_ROLE_ID)
  637 
  638         num_assignments = len(PROVIDERS.assignment_api.list_role_assignments())
  639         self.assertEqual(1, num_assignments)
  640 
  641         # Patch get_group to return GroupNotFound, allowing us to confirm
  642         # that the exception is handled properly when include_names processing
  643         # attempts to lookup a group that has been deleted in the backend
  644         with mock.patch.object(PROVIDERS.identity_api, 'get_group',
  645                                _group_not_found):
  646             assignment_list = PROVIDERS.assignment_api.list_role_assignments(
  647                 include_names=True
  648             )
  649 
  650         self.assertEqual(num_assignments, len(assignment_list))
  651         for assignment in assignment_list:
  652             includes_group_assignments = False
  653             if 'group_name' in assignment:
  654                 includes_group_assignments = True
  655                 # Note(knikolla): In the case of a not-found group we
  656                 # populate the values with empty strings.
  657                 self.assertEqual('', assignment['group_name'])
  658                 self.assertEqual('', assignment['group_domain_id'])
  659                 self.assertEqual('', assignment['group_domain_name'])
  660         self.assertTrue(includes_group_assignments)
  661 
  662         num_effective = len(PROVIDERS.assignment_api.list_role_assignments(
  663             effective=True))
  664         self.assertGreater(num_effective, len(assignment_list))
  665 
  666         # Patch list_users_in_group to return GroupNotFound allowing us to
  667         # confirm that the exception is handled properly when effective
  668         # processing attempts to lookup users for a group that has been deleted
  669         # in the backend
  670         with mock.patch.object(PROVIDERS.identity_api, 'list_users_in_group',
  671                                _group_not_found):
  672             assignment_list = PROVIDERS.assignment_api.list_role_assignments(
  673                 effective=True
  674             )
  675 
  676         self.assertGreater(num_effective, len(assignment_list))
  677 
  678         # cleanup
  679         PROVIDERS.assignment_api.delete_grant(
  680             group_id=group['id'],
  681             domain_id=domain_id,
  682             role_id=default_fixtures.MEMBER_ROLE_ID)
  683         # TODO(edmondsw) should cleanup users/groups as well, but that raises
  684         # LDAP read-only issues
  685 
  686     def test_add_duplicate_role_grant(self):
  687         roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project(
  688             self.user_foo['id'], self.project_bar['id'])
  689         self.assertNotIn(self.role_admin['id'], roles_ref)
  690         PROVIDERS.assignment_api.add_role_to_user_and_project(
  691             self.user_foo['id'], self.project_bar['id'], self.role_admin['id'])
  692         self.assertRaises(
  693             exception.Conflict,
  694             PROVIDERS.assignment_api.add_role_to_user_and_project,
  695             self.user_foo['id'],
  696             self.project_bar['id'],
  697             self.role_admin['id']
  698         )
  699 
  700     def test_get_role_by_user_and_project_with_user_in_group(self):
  701         """Test for get role by user and project, user was added into a group.
  702 
  703         Test Plan:
  704 
  705         - Create a user, a project & a group, add this user to group
  706         - Create roles and grant them to user and project
  707         - Check the role list get by the user and project was as expected
  708 
  709         """
  710         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  711         user_ref = PROVIDERS.identity_api.create_user(user_ref)
  712 
  713         project_ref = unit.new_project_ref(
  714             domain_id=CONF.identity.default_domain_id)
  715         PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
  716 
  717         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
  718         group_id = PROVIDERS.identity_api.create_group(group)['id']
  719         PROVIDERS.identity_api.add_user_to_group(user_ref['id'], group_id)
  720 
  721         role_ref_list = []
  722         for i in range(2):
  723             role_ref = unit.new_role_ref()
  724             PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
  725             role_ref_list.append(role_ref)
  726 
  727             PROVIDERS.assignment_api.add_role_to_user_and_project(
  728                 user_id=user_ref['id'],
  729                 project_id=project_ref['id'],
  730                 role_id=role_ref['id'])
  731 
  732         role_list = PROVIDERS.assignment_api.get_roles_for_user_and_project(
  733             user_ref['id'],
  734             project_ref['id'])
  735 
  736         self.assertEqual(set([r['id'] for r in role_ref_list]),
  737                          set(role_list))
  738 
  739     def test_get_role_by_user_and_project(self):
  740         roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project(
  741             self.user_foo['id'], self.project_bar['id'])
  742         self.assertNotIn(self.role_admin['id'], roles_ref)
  743         PROVIDERS.assignment_api.add_role_to_user_and_project(
  744             self.user_foo['id'], self.project_bar['id'], self.role_admin['id'])
  745         roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project(
  746             self.user_foo['id'], self.project_bar['id'])
  747         self.assertIn(self.role_admin['id'], roles_ref)
  748         self.assertNotIn(default_fixtures.MEMBER_ROLE_ID, roles_ref)
  749 
  750         PROVIDERS.assignment_api.add_role_to_user_and_project(
  751             self.user_foo['id'],
  752             self.project_bar['id'],
  753             default_fixtures.MEMBER_ROLE_ID)
  754         roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project(
  755             self.user_foo['id'], self.project_bar['id'])
  756         self.assertIn(self.role_admin['id'], roles_ref)
  757         self.assertIn(default_fixtures.MEMBER_ROLE_ID, roles_ref)
  758 
  759     def test_get_role_by_trustor_and_project(self):
  760         new_domain = unit.new_domain_ref()
  761         PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
  762         new_user = unit.new_user_ref(domain_id=new_domain['id'])
  763         new_user = PROVIDERS.identity_api.create_user(new_user)
  764         new_project = unit.new_project_ref(domain_id=new_domain['id'])
  765         PROVIDERS.resource_api.create_project(new_project['id'], new_project)
  766         role = self._create_role(domain_id=new_domain['id'])
  767 
  768         # Now create the grants (roles are defined in default_fixtures)
  769         PROVIDERS.assignment_api.create_grant(
  770             user_id=new_user['id'],
  771             project_id=new_project['id'],
  772             role_id=default_fixtures.MEMBER_ROLE_ID)
  773         PROVIDERS.assignment_api.create_grant(
  774             user_id=new_user['id'],
  775             domain_id=new_domain['id'],
  776             role_id=role['id'],
  777             inherited_to_projects=True)
  778 
  779         roles_ids = PROVIDERS.assignment_api.get_roles_for_trustor_and_project(
  780             new_user['id'], new_project['id'])
  781         self.assertEqual(2, len(roles_ids))
  782         self.assertIn(self.role_member['id'], roles_ids)
  783         self.assertIn(role['id'], roles_ids)
  784 
  785     def test_get_roles_for_user_and_domain(self):
  786         """Test for getting roles for user on a domain.
  787 
  788         Test Plan:
  789 
  790         - Create a domain, with 2 users
  791         - Check no roles yet exit
  792         - Give user1 two roles on the domain, user2 one role
  793         - Get roles on user1 and the domain - maybe sure we only
  794           get back the 2 roles on user1
  795         - Delete both roles from user1
  796         - Check we get no roles back for user1 on domain
  797 
  798         """
  799         new_domain = unit.new_domain_ref()
  800         PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
  801         new_user1 = unit.new_user_ref(domain_id=new_domain['id'])
  802         new_user1 = PROVIDERS.identity_api.create_user(new_user1)
  803         new_user2 = unit.new_user_ref(domain_id=new_domain['id'])
  804         new_user2 = PROVIDERS.identity_api.create_user(new_user2)
  805         roles_ref = PROVIDERS.assignment_api.list_grants(
  806             user_id=new_user1['id'],
  807             domain_id=new_domain['id'])
  808         self.assertEqual(0, len(roles_ref))
  809         # Now create the grants (roles are defined in default_fixtures)
  810         PROVIDERS.assignment_api.create_grant(
  811             user_id=new_user1['id'],
  812             domain_id=new_domain['id'],
  813             role_id=default_fixtures.MEMBER_ROLE_ID)
  814         PROVIDERS.assignment_api.create_grant(
  815             user_id=new_user1['id'],
  816             domain_id=new_domain['id'],
  817             role_id=default_fixtures.OTHER_ROLE_ID)
  818         PROVIDERS.assignment_api.create_grant(
  819             user_id=new_user2['id'],
  820             domain_id=new_domain['id'],
  821             role_id=default_fixtures.ADMIN_ROLE_ID)
  822         # Read back the roles for user1 on domain
  823         roles_ids = PROVIDERS.assignment_api.get_roles_for_user_and_domain(
  824             new_user1['id'], new_domain['id'])
  825         self.assertEqual(2, len(roles_ids))
  826         self.assertIn(self.role_member['id'], roles_ids)
  827         self.assertIn(self.role_other['id'], roles_ids)
  828 
  829         # Now delete both grants for user1
  830         PROVIDERS.assignment_api.delete_grant(
  831             user_id=new_user1['id'],
  832             domain_id=new_domain['id'],
  833             role_id=default_fixtures.MEMBER_ROLE_ID)
  834         PROVIDERS.assignment_api.delete_grant(
  835             user_id=new_user1['id'],
  836             domain_id=new_domain['id'],
  837             role_id=default_fixtures.OTHER_ROLE_ID)
  838         roles_ref = PROVIDERS.assignment_api.list_grants(
  839             user_id=new_user1['id'],
  840             domain_id=new_domain['id'])
  841         self.assertEqual(0, len(roles_ref))
  842 
  843     def test_get_roles_for_user_and_domain_returns_not_found(self):
  844         """Test errors raised when getting roles for user on a domain.
  845 
  846         Test Plan:
  847 
  848         - Check non-existing user gives UserNotFound
  849         - Check non-existing domain gives DomainNotFound
  850 
  851         """
  852         new_domain = self._get_domain_fixture()
  853         new_user1 = unit.new_user_ref(domain_id=new_domain['id'])
  854         new_user1 = PROVIDERS.identity_api.create_user(new_user1)
  855 
  856         self.assertRaises(
  857             exception.UserNotFound,
  858             PROVIDERS.assignment_api.get_roles_for_user_and_domain,
  859             uuid.uuid4().hex,
  860             new_domain['id']
  861         )
  862 
  863         self.assertRaises(
  864             exception.DomainNotFound,
  865             PROVIDERS.assignment_api.get_roles_for_user_and_domain,
  866             new_user1['id'],
  867             uuid.uuid4().hex
  868         )
  869 
  870     def test_get_roles_for_user_and_project_returns_not_found(self):
  871         self.assertRaises(
  872             exception.UserNotFound,
  873             PROVIDERS.assignment_api.get_roles_for_user_and_project,
  874             uuid.uuid4().hex,
  875             self.project_bar['id']
  876         )
  877 
  878         self.assertRaises(
  879             exception.ProjectNotFound,
  880             PROVIDERS.assignment_api.get_roles_for_user_and_project,
  881             self.user_foo['id'],
  882             uuid.uuid4().hex
  883         )
  884 
  885     def test_add_role_to_user_and_project_returns_not_found(self):
  886         self.assertRaises(
  887             exception.ProjectNotFound,
  888             PROVIDERS.assignment_api.add_role_to_user_and_project,
  889             self.user_foo['id'],
  890             uuid.uuid4().hex,
  891             self.role_admin['id']
  892         )
  893 
  894         self.assertRaises(
  895             exception.RoleNotFound,
  896             PROVIDERS.assignment_api.add_role_to_user_and_project,
  897             self.user_foo['id'],
  898             self.project_bar['id'],
  899             uuid.uuid4().hex
  900         )
  901 
  902     def test_add_role_to_user_and_project_no_user(self):
  903         # If add_role_to_user_and_project and the user doesn't exist, then
  904         # no error.
  905         user_id_not_exist = uuid.uuid4().hex
  906         PROVIDERS.assignment_api.add_role_to_user_and_project(
  907             user_id_not_exist, self.project_bar['id'], self.role_admin['id'])
  908 
  909     def test_remove_role_from_user_and_project(self):
  910         PROVIDERS.assignment_api.add_role_to_user_and_project(
  911             self.user_foo['id'],
  912             self.project_bar['id'],
  913             default_fixtures.MEMBER_ROLE_ID)
  914         PROVIDERS.assignment_api.remove_role_from_user_and_project(
  915             self.user_foo['id'],
  916             self.project_bar['id'],
  917             default_fixtures.MEMBER_ROLE_ID)
  918         roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project(
  919             self.user_foo['id'], self.project_bar['id'])
  920         self.assertNotIn(default_fixtures.MEMBER_ROLE_ID, roles_ref)
  921         self.assertRaises(exception.NotFound,
  922                           PROVIDERS.assignment_api.
  923                           remove_role_from_user_and_project,
  924                           self.user_foo['id'],
  925                           self.project_bar['id'],
  926                           default_fixtures.MEMBER_ROLE_ID)
  927 
  928     def test_get_role_grant_by_user_and_project(self):
  929         roles_ref = PROVIDERS.assignment_api.list_grants(
  930             user_id=self.user_foo['id'],
  931             project_id=self.project_bar['id'])
  932         self.assertEqual(1, len(roles_ref))
  933         PROVIDERS.assignment_api.create_grant(
  934             user_id=self.user_foo['id'], project_id=self.project_bar['id'],
  935             role_id=self.role_admin['id']
  936         )
  937         roles_ref = PROVIDERS.assignment_api.list_grants(
  938             user_id=self.user_foo['id'],
  939             project_id=self.project_bar['id'])
  940         self.assertIn(self.role_admin['id'],
  941                       [role_ref['id'] for role_ref in roles_ref])
  942 
  943         PROVIDERS.assignment_api.create_grant(
  944             user_id=self.user_foo['id'],
  945             project_id=self.project_bar['id'],
  946             role_id=default_fixtures.MEMBER_ROLE_ID)
  947         roles_ref = PROVIDERS.assignment_api.list_grants(
  948             user_id=self.user_foo['id'],
  949             project_id=self.project_bar['id'])
  950 
  951         roles_ref_ids = []
  952         for ref in roles_ref:
  953             roles_ref_ids.append(ref['id'])
  954         self.assertIn(self.role_admin['id'], roles_ref_ids)
  955         self.assertIn(default_fixtures.MEMBER_ROLE_ID, roles_ref_ids)
  956 
  957     def test_remove_role_grant_from_user_and_project(self):
  958         PROVIDERS.assignment_api.create_grant(
  959             user_id=self.user_foo['id'],
  960             project_id=self.project_baz['id'],
  961             role_id=default_fixtures.MEMBER_ROLE_ID)
  962         roles_ref = PROVIDERS.assignment_api.list_grants(
  963             user_id=self.user_foo['id'],
  964             project_id=self.project_baz['id'])
  965         self.assertDictEqual(self.role_member, roles_ref[0])
  966 
  967         PROVIDERS.assignment_api.delete_grant(
  968             user_id=self.user_foo['id'],
  969             project_id=self.project_baz['id'],
  970             role_id=default_fixtures.MEMBER_ROLE_ID)
  971         roles_ref = PROVIDERS.assignment_api.list_grants(
  972             user_id=self.user_foo['id'],
  973             project_id=self.project_baz['id'])
  974         self.assertEqual(0, len(roles_ref))
  975         self.assertRaises(exception.RoleAssignmentNotFound,
  976                           PROVIDERS.assignment_api.delete_grant,
  977                           user_id=self.user_foo['id'],
  978                           project_id=self.project_baz['id'],
  979                           role_id=default_fixtures.MEMBER_ROLE_ID)
  980 
  981     def test_get_role_assignment_by_project_not_found(self):
  982         self.assertRaises(exception.RoleAssignmentNotFound,
  983                           PROVIDERS.assignment_api.check_grant_role_id,
  984                           user_id=self.user_foo['id'],
  985                           project_id=self.project_baz['id'],
  986                           role_id=default_fixtures.MEMBER_ROLE_ID)
  987 
  988         self.assertRaises(exception.RoleAssignmentNotFound,
  989                           PROVIDERS.assignment_api.check_grant_role_id,
  990                           group_id=uuid.uuid4().hex,
  991                           project_id=self.project_baz['id'],
  992                           role_id=default_fixtures.MEMBER_ROLE_ID)
  993 
  994     def test_get_role_assignment_by_domain_not_found(self):
  995         self.assertRaises(exception.RoleAssignmentNotFound,
  996                           PROVIDERS.assignment_api.check_grant_role_id,
  997                           user_id=self.user_foo['id'],
  998                           domain_id=CONF.identity.default_domain_id,
  999                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1000 
 1001         self.assertRaises(exception.RoleAssignmentNotFound,
 1002                           PROVIDERS.assignment_api.check_grant_role_id,
 1003                           group_id=uuid.uuid4().hex,
 1004                           domain_id=CONF.identity.default_domain_id,
 1005                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1006 
 1007     def test_del_role_assignment_by_project_not_found(self):
 1008         self.assertRaises(exception.RoleAssignmentNotFound,
 1009                           PROVIDERS.assignment_api.delete_grant,
 1010                           user_id=self.user_foo['id'],
 1011                           project_id=self.project_baz['id'],
 1012                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1013 
 1014         self.assertRaises(exception.RoleAssignmentNotFound,
 1015                           PROVIDERS.assignment_api.delete_grant,
 1016                           group_id=uuid.uuid4().hex,
 1017                           project_id=self.project_baz['id'],
 1018                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1019 
 1020     def test_del_role_assignment_by_domain_not_found(self):
 1021         self.assertRaises(exception.RoleAssignmentNotFound,
 1022                           PROVIDERS.assignment_api.delete_grant,
 1023                           user_id=self.user_foo['id'],
 1024                           domain_id=CONF.identity.default_domain_id,
 1025                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1026 
 1027         self.assertRaises(exception.RoleAssignmentNotFound,
 1028                           PROVIDERS.assignment_api.delete_grant,
 1029                           group_id=uuid.uuid4().hex,
 1030                           domain_id=CONF.identity.default_domain_id,
 1031                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1032 
 1033     def test_get_and_remove_role_grant_by_group_and_project(self):
 1034         new_domain = unit.new_domain_ref()
 1035         PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
 1036         new_group = unit.new_group_ref(domain_id=new_domain['id'])
 1037         new_group = PROVIDERS.identity_api.create_group(new_group)
 1038         new_user = unit.new_user_ref(domain_id=new_domain['id'])
 1039         new_user = PROVIDERS.identity_api.create_user(new_user)
 1040         PROVIDERS.identity_api.add_user_to_group(
 1041             new_user['id'], new_group['id']
 1042         )
 1043         roles_ref = PROVIDERS.assignment_api.list_grants(
 1044             group_id=new_group['id'],
 1045             project_id=self.project_bar['id'])
 1046         self.assertEqual(0, len(roles_ref))
 1047         PROVIDERS.assignment_api.create_grant(
 1048             group_id=new_group['id'],
 1049             project_id=self.project_bar['id'],
 1050             role_id=default_fixtures.MEMBER_ROLE_ID)
 1051         roles_ref = PROVIDERS.assignment_api.list_grants(
 1052             group_id=new_group['id'],
 1053             project_id=self.project_bar['id'])
 1054         self.assertDictEqual(self.role_member, roles_ref[0])
 1055 
 1056         PROVIDERS.assignment_api.delete_grant(
 1057             group_id=new_group['id'],
 1058             project_id=self.project_bar['id'],
 1059             role_id=default_fixtures.MEMBER_ROLE_ID)
 1060         roles_ref = PROVIDERS.assignment_api.list_grants(
 1061             group_id=new_group['id'],
 1062             project_id=self.project_bar['id'])
 1063         self.assertEqual(0, len(roles_ref))
 1064         self.assertRaises(exception.RoleAssignmentNotFound,
 1065                           PROVIDERS.assignment_api.delete_grant,
 1066                           group_id=new_group['id'],
 1067                           project_id=self.project_bar['id'],
 1068                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1069 
 1070     def test_get_and_remove_role_grant_by_group_and_domain(self):
 1071         new_domain = unit.new_domain_ref()
 1072         PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
 1073         new_group = unit.new_group_ref(domain_id=new_domain['id'])
 1074         new_group = PROVIDERS.identity_api.create_group(new_group)
 1075         new_user = unit.new_user_ref(domain_id=new_domain['id'])
 1076         new_user = PROVIDERS.identity_api.create_user(new_user)
 1077         PROVIDERS.identity_api.add_user_to_group(
 1078             new_user['id'], new_group['id']
 1079         )
 1080 
 1081         roles_ref = PROVIDERS.assignment_api.list_grants(
 1082             group_id=new_group['id'],
 1083             domain_id=new_domain['id'])
 1084         self.assertEqual(0, len(roles_ref))
 1085 
 1086         PROVIDERS.assignment_api.create_grant(
 1087             group_id=new_group['id'],
 1088             domain_id=new_domain['id'],
 1089             role_id=default_fixtures.MEMBER_ROLE_ID)
 1090 
 1091         roles_ref = PROVIDERS.assignment_api.list_grants(
 1092             group_id=new_group['id'],
 1093             domain_id=new_domain['id'])
 1094         self.assertDictEqual(self.role_member, roles_ref[0])
 1095 
 1096         PROVIDERS.assignment_api.delete_grant(
 1097             group_id=new_group['id'],
 1098             domain_id=new_domain['id'],
 1099             role_id=default_fixtures.MEMBER_ROLE_ID)
 1100         roles_ref = PROVIDERS.assignment_api.list_grants(
 1101             group_id=new_group['id'],
 1102             domain_id=new_domain['id'])
 1103         self.assertEqual(0, len(roles_ref))
 1104         self.assertRaises(exception.RoleAssignmentNotFound,
 1105                           PROVIDERS.assignment_api.delete_grant,
 1106                           group_id=new_group['id'],
 1107                           domain_id=new_domain['id'],
 1108                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1109 
 1110     def test_get_and_remove_correct_role_grant_from_a_mix(self):
 1111         new_domain = unit.new_domain_ref()
 1112         PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
 1113         new_project = unit.new_project_ref(domain_id=new_domain['id'])
 1114         PROVIDERS.resource_api.create_project(new_project['id'], new_project)
 1115         new_group = unit.new_group_ref(domain_id=new_domain['id'])
 1116         new_group = PROVIDERS.identity_api.create_group(new_group)
 1117         new_group2 = unit.new_group_ref(domain_id=new_domain['id'])
 1118         new_group2 = PROVIDERS.identity_api.create_group(new_group2)
 1119         new_user = unit.new_user_ref(domain_id=new_domain['id'])
 1120         new_user = PROVIDERS.identity_api.create_user(new_user)
 1121         new_user2 = unit.new_user_ref(domain_id=new_domain['id'])
 1122         new_user2 = PROVIDERS.identity_api.create_user(new_user2)
 1123         PROVIDERS.identity_api.add_user_to_group(
 1124             new_user['id'], new_group['id']
 1125         )
 1126         # First check we have no grants
 1127         roles_ref = PROVIDERS.assignment_api.list_grants(
 1128             group_id=new_group['id'],
 1129             domain_id=new_domain['id'])
 1130         self.assertEqual(0, len(roles_ref))
 1131         # Now add the grant we are going to test for, and some others as
 1132         # well just to make sure we get back the right one
 1133         PROVIDERS.assignment_api.create_grant(
 1134             group_id=new_group['id'],
 1135             domain_id=new_domain['id'],
 1136             role_id=default_fixtures.MEMBER_ROLE_ID)
 1137 
 1138         PROVIDERS.assignment_api.create_grant(
 1139             group_id=new_group2['id'], domain_id=new_domain['id'],
 1140             role_id=self.role_admin['id']
 1141         )
 1142         PROVIDERS.assignment_api.create_grant(
 1143             user_id=new_user2['id'], domain_id=new_domain['id'],
 1144             role_id=self.role_admin['id']
 1145         )
 1146         PROVIDERS.assignment_api.create_grant(
 1147             group_id=new_group['id'], project_id=new_project['id'],
 1148             role_id=self.role_admin['id']
 1149         )
 1150 
 1151         roles_ref = PROVIDERS.assignment_api.list_grants(
 1152             group_id=new_group['id'],
 1153             domain_id=new_domain['id'])
 1154         self.assertDictEqual(self.role_member, roles_ref[0])
 1155 
 1156         PROVIDERS.assignment_api.delete_grant(
 1157             group_id=new_group['id'],
 1158             domain_id=new_domain['id'],
 1159             role_id=default_fixtures.MEMBER_ROLE_ID)
 1160         roles_ref = PROVIDERS.assignment_api.list_grants(
 1161             group_id=new_group['id'],
 1162             domain_id=new_domain['id'])
 1163         self.assertEqual(0, len(roles_ref))
 1164         self.assertRaises(exception.RoleAssignmentNotFound,
 1165                           PROVIDERS.assignment_api.delete_grant,
 1166                           group_id=new_group['id'],
 1167                           domain_id=new_domain['id'],
 1168                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1169 
 1170     def test_get_and_remove_role_grant_by_user_and_domain(self):
 1171         new_domain = unit.new_domain_ref()
 1172         PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
 1173         new_user = unit.new_user_ref(domain_id=new_domain['id'])
 1174         new_user = PROVIDERS.identity_api.create_user(new_user)
 1175         roles_ref = PROVIDERS.assignment_api.list_grants(
 1176             user_id=new_user['id'],
 1177             domain_id=new_domain['id'])
 1178         self.assertEqual(0, len(roles_ref))
 1179         PROVIDERS.assignment_api.create_grant(
 1180             user_id=new_user['id'],
 1181             domain_id=new_domain['id'],
 1182             role_id=default_fixtures.MEMBER_ROLE_ID)
 1183         roles_ref = PROVIDERS.assignment_api.list_grants(
 1184             user_id=new_user['id'],
 1185             domain_id=new_domain['id'])
 1186         self.assertDictEqual(self.role_member, roles_ref[0])
 1187 
 1188         PROVIDERS.assignment_api.delete_grant(
 1189             user_id=new_user['id'],
 1190             domain_id=new_domain['id'],
 1191             role_id=default_fixtures.MEMBER_ROLE_ID)
 1192         roles_ref = PROVIDERS.assignment_api.list_grants(
 1193             user_id=new_user['id'],
 1194             domain_id=new_domain['id'])
 1195         self.assertEqual(0, len(roles_ref))
 1196         self.assertRaises(exception.RoleAssignmentNotFound,
 1197                           PROVIDERS.assignment_api.delete_grant,
 1198                           user_id=new_user['id'],
 1199                           domain_id=new_domain['id'],
 1200                           role_id=default_fixtures.MEMBER_ROLE_ID)
 1201 
 1202     def test_get_and_remove_role_grant_by_group_and_cross_domain(self):
 1203         group1_domain1_role = unit.new_role_ref()
 1204         PROVIDERS.role_api.create_role(
 1205             group1_domain1_role['id'], group1_domain1_role
 1206         )
 1207         group1_domain2_role = unit.new_role_ref()
 1208         PROVIDERS.role_api.create_role(
 1209             group1_domain2_role['id'], group1_domain2_role
 1210         )
 1211         domain1 = unit.new_domain_ref()
 1212         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1213         domain2 = unit.new_domain_ref()
 1214         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 1215         group1 = unit.new_group_ref(domain_id=domain1['id'])
 1216         group1 = PROVIDERS.identity_api.create_group(group1)
 1217         roles_ref = PROVIDERS.assignment_api.list_grants(
 1218             group_id=group1['id'],
 1219             domain_id=domain1['id'])
 1220         self.assertEqual(0, len(roles_ref))
 1221         roles_ref = PROVIDERS.assignment_api.list_grants(
 1222             group_id=group1['id'],
 1223             domain_id=domain2['id'])
 1224         self.assertEqual(0, len(roles_ref))
 1225         PROVIDERS.assignment_api.create_grant(
 1226             group_id=group1['id'], domain_id=domain1['id'],
 1227             role_id=group1_domain1_role['id']
 1228         )
 1229         PROVIDERS.assignment_api.create_grant(
 1230             group_id=group1['id'], domain_id=domain2['id'],
 1231             role_id=group1_domain2_role['id']
 1232         )
 1233         roles_ref = PROVIDERS.assignment_api.list_grants(
 1234             group_id=group1['id'],
 1235             domain_id=domain1['id'])
 1236         self.assertDictEqual(group1_domain1_role, roles_ref[0])
 1237         roles_ref = PROVIDERS.assignment_api.list_grants(
 1238             group_id=group1['id'],
 1239             domain_id=domain2['id'])
 1240         self.assertDictEqual(group1_domain2_role, roles_ref[0])
 1241 
 1242         PROVIDERS.assignment_api.delete_grant(
 1243             group_id=group1['id'], domain_id=domain2['id'],
 1244             role_id=group1_domain2_role['id']
 1245         )
 1246         roles_ref = PROVIDERS.assignment_api.list_grants(
 1247             group_id=group1['id'],
 1248             domain_id=domain2['id'])
 1249         self.assertEqual(0, len(roles_ref))
 1250         self.assertRaises(exception.RoleAssignmentNotFound,
 1251                           PROVIDERS.assignment_api.delete_grant,
 1252                           group_id=group1['id'],
 1253                           domain_id=domain2['id'],
 1254                           role_id=group1_domain2_role['id'])
 1255 
 1256     def test_get_and_remove_role_grant_by_user_and_cross_domain(self):
 1257         user1_domain1_role = unit.new_role_ref()
 1258         PROVIDERS.role_api.create_role(
 1259             user1_domain1_role['id'], user1_domain1_role
 1260         )
 1261         user1_domain2_role = unit.new_role_ref()
 1262         PROVIDERS.role_api.create_role(
 1263             user1_domain2_role['id'], user1_domain2_role
 1264         )
 1265         domain1 = unit.new_domain_ref()
 1266         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1267         domain2 = unit.new_domain_ref()
 1268         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 1269         user1 = unit.new_user_ref(domain_id=domain1['id'])
 1270         user1 = PROVIDERS.identity_api.create_user(user1)
 1271         roles_ref = PROVIDERS.assignment_api.list_grants(
 1272             user_id=user1['id'],
 1273             domain_id=domain1['id'])
 1274         self.assertEqual(0, len(roles_ref))
 1275         roles_ref = PROVIDERS.assignment_api.list_grants(
 1276             user_id=user1['id'],
 1277             domain_id=domain2['id'])
 1278         self.assertEqual(0, len(roles_ref))
 1279         PROVIDERS.assignment_api.create_grant(
 1280             user_id=user1['id'], domain_id=domain1['id'],
 1281             role_id=user1_domain1_role['id']
 1282         )
 1283         PROVIDERS.assignment_api.create_grant(
 1284             user_id=user1['id'], domain_id=domain2['id'],
 1285             role_id=user1_domain2_role['id']
 1286         )
 1287         roles_ref = PROVIDERS.assignment_api.list_grants(
 1288             user_id=user1['id'],
 1289             domain_id=domain1['id'])
 1290         self.assertDictEqual(user1_domain1_role, roles_ref[0])
 1291         roles_ref = PROVIDERS.assignment_api.list_grants(
 1292             user_id=user1['id'],
 1293             domain_id=domain2['id'])
 1294         self.assertDictEqual(user1_domain2_role, roles_ref[0])
 1295 
 1296         PROVIDERS.assignment_api.delete_grant(
 1297             user_id=user1['id'], domain_id=domain2['id'],
 1298             role_id=user1_domain2_role['id']
 1299         )
 1300         roles_ref = PROVIDERS.assignment_api.list_grants(
 1301             user_id=user1['id'],
 1302             domain_id=domain2['id'])
 1303         self.assertEqual(0, len(roles_ref))
 1304         self.assertRaises(exception.RoleAssignmentNotFound,
 1305                           PROVIDERS.assignment_api.delete_grant,
 1306                           user_id=user1['id'],
 1307                           domain_id=domain2['id'],
 1308                           role_id=user1_domain2_role['id'])
 1309 
 1310     def test_role_grant_by_group_and_cross_domain_project(self):
 1311         role1 = unit.new_role_ref()
 1312         PROVIDERS.role_api.create_role(role1['id'], role1)
 1313         role2 = unit.new_role_ref()
 1314         PROVIDERS.role_api.create_role(role2['id'], role2)
 1315         domain1 = unit.new_domain_ref()
 1316         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1317         domain2 = unit.new_domain_ref()
 1318         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 1319         group1 = unit.new_group_ref(domain_id=domain1['id'])
 1320         group1 = PROVIDERS.identity_api.create_group(group1)
 1321         project1 = unit.new_project_ref(domain_id=domain2['id'])
 1322         PROVIDERS.resource_api.create_project(project1['id'], project1)
 1323         roles_ref = PROVIDERS.assignment_api.list_grants(
 1324             group_id=group1['id'],
 1325             project_id=project1['id'])
 1326         self.assertEqual(0, len(roles_ref))
 1327         PROVIDERS.assignment_api.create_grant(
 1328             group_id=group1['id'], project_id=project1['id'],
 1329             role_id=role1['id']
 1330         )
 1331         PROVIDERS.assignment_api.create_grant(
 1332             group_id=group1['id'], project_id=project1['id'],
 1333             role_id=role2['id']
 1334         )
 1335         roles_ref = PROVIDERS.assignment_api.list_grants(
 1336             group_id=group1['id'],
 1337             project_id=project1['id'])
 1338 
 1339         roles_ref_ids = []
 1340         for ref in roles_ref:
 1341             roles_ref_ids.append(ref['id'])
 1342         self.assertIn(role1['id'], roles_ref_ids)
 1343         self.assertIn(role2['id'], roles_ref_ids)
 1344 
 1345         PROVIDERS.assignment_api.delete_grant(
 1346             group_id=group1['id'], project_id=project1['id'],
 1347             role_id=role1['id']
 1348         )
 1349         roles_ref = PROVIDERS.assignment_api.list_grants(
 1350             group_id=group1['id'],
 1351             project_id=project1['id'])
 1352         self.assertEqual(1, len(roles_ref))
 1353         self.assertDictEqual(role2, roles_ref[0])
 1354 
 1355     def test_role_grant_by_user_and_cross_domain_project(self):
 1356         role1 = unit.new_role_ref()
 1357         PROVIDERS.role_api.create_role(role1['id'], role1)
 1358         role2 = unit.new_role_ref()
 1359         PROVIDERS.role_api.create_role(role2['id'], role2)
 1360         domain1 = unit.new_domain_ref()
 1361         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1362         domain2 = unit.new_domain_ref()
 1363         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 1364         user1 = unit.new_user_ref(domain_id=domain1['id'])
 1365         user1 = PROVIDERS.identity_api.create_user(user1)
 1366         project1 = unit.new_project_ref(domain_id=domain2['id'])
 1367         PROVIDERS.resource_api.create_project(project1['id'], project1)
 1368         roles_ref = PROVIDERS.assignment_api.list_grants(
 1369             user_id=user1['id'],
 1370             project_id=project1['id'])
 1371         self.assertEqual(0, len(roles_ref))
 1372         PROVIDERS.assignment_api.create_grant(
 1373             user_id=user1['id'], project_id=project1['id'], role_id=role1['id']
 1374         )
 1375         PROVIDERS.assignment_api.create_grant(
 1376             user_id=user1['id'], project_id=project1['id'], role_id=role2['id']
 1377         )
 1378         roles_ref = PROVIDERS.assignment_api.list_grants(
 1379             user_id=user1['id'],
 1380             project_id=project1['id'])
 1381 
 1382         roles_ref_ids = []
 1383         for ref in roles_ref:
 1384             roles_ref_ids.append(ref['id'])
 1385         self.assertIn(role1['id'], roles_ref_ids)
 1386         self.assertIn(role2['id'], roles_ref_ids)
 1387 
 1388         PROVIDERS.assignment_api.delete_grant(
 1389             user_id=user1['id'], project_id=project1['id'], role_id=role1['id']
 1390         )
 1391         roles_ref = PROVIDERS.assignment_api.list_grants(
 1392             user_id=user1['id'],
 1393             project_id=project1['id'])
 1394         self.assertEqual(1, len(roles_ref))
 1395         self.assertDictEqual(role2, roles_ref[0])
 1396 
 1397     def test_delete_user_grant_no_user(self):
 1398         # Can delete a grant where the user doesn't exist.
 1399         role = unit.new_role_ref()
 1400         role_id = role['id']
 1401         PROVIDERS.role_api.create_role(role_id, role)
 1402 
 1403         user_id = uuid.uuid4().hex
 1404 
 1405         PROVIDERS.assignment_api.create_grant(
 1406             role_id, user_id=user_id, project_id=self.project_bar['id']
 1407         )
 1408 
 1409         PROVIDERS.assignment_api.delete_grant(
 1410             role_id, user_id=user_id, project_id=self.project_bar['id']
 1411         )
 1412 
 1413     def test_delete_group_grant_no_group(self):
 1414         # Can delete a grant where the group doesn't exist.
 1415         role = unit.new_role_ref()
 1416         role_id = role['id']
 1417         PROVIDERS.role_api.create_role(role_id, role)
 1418 
 1419         group_id = uuid.uuid4().hex
 1420 
 1421         PROVIDERS.assignment_api.create_grant(
 1422             role_id, group_id=group_id, project_id=self.project_bar['id']
 1423         )
 1424 
 1425         PROVIDERS.assignment_api.delete_grant(
 1426             role_id, group_id=group_id, project_id=self.project_bar['id']
 1427         )
 1428 
 1429     def test_grant_crud_throws_exception_if_invalid_role(self):
 1430         """Ensure RoleNotFound thrown if role does not exist."""
 1431         def assert_role_not_found_exception(f, **kwargs):
 1432             self.assertRaises(exception.RoleNotFound, f,
 1433                               role_id=uuid.uuid4().hex, **kwargs)
 1434 
 1435         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 1436         user_resp = PROVIDERS.identity_api.create_user(user)
 1437         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 1438         group_resp = PROVIDERS.identity_api.create_group(group)
 1439         project = unit.new_project_ref(
 1440             domain_id=CONF.identity.default_domain_id)
 1441         project_resp = PROVIDERS.resource_api.create_project(
 1442             project['id'], project
 1443         )
 1444 
 1445         for manager_call in [PROVIDERS.assignment_api.create_grant,
 1446                              PROVIDERS.assignment_api.get_grant]:
 1447             assert_role_not_found_exception(
 1448                 manager_call,
 1449                 user_id=user_resp['id'], project_id=project_resp['id'])
 1450             assert_role_not_found_exception(
 1451                 manager_call,
 1452                 group_id=group_resp['id'], project_id=project_resp['id'])
 1453             assert_role_not_found_exception(
 1454                 manager_call,
 1455                 user_id=user_resp['id'],
 1456                 domain_id=CONF.identity.default_domain_id)
 1457             assert_role_not_found_exception(
 1458                 manager_call,
 1459                 group_id=group_resp['id'],
 1460                 domain_id=CONF.identity.default_domain_id)
 1461 
 1462         assert_role_not_found_exception(
 1463             PROVIDERS.assignment_api.delete_grant,
 1464             user_id=user_resp['id'], project_id=project_resp['id'])
 1465         assert_role_not_found_exception(
 1466             PROVIDERS.assignment_api.delete_grant,
 1467             group_id=group_resp['id'], project_id=project_resp['id'])
 1468         assert_role_not_found_exception(
 1469             PROVIDERS.assignment_api.delete_grant,
 1470             user_id=user_resp['id'],
 1471             domain_id=CONF.identity.default_domain_id)
 1472         assert_role_not_found_exception(
 1473             PROVIDERS.assignment_api.delete_grant,
 1474             group_id=group_resp['id'],
 1475             domain_id=CONF.identity.default_domain_id)
 1476 
 1477     def test_multi_role_grant_by_user_group_on_project_domain(self):
 1478         role_list = []
 1479         for _ in range(10):
 1480             role = unit.new_role_ref()
 1481             PROVIDERS.role_api.create_role(role['id'], role)
 1482             role_list.append(role)
 1483         domain1 = unit.new_domain_ref()
 1484         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1485         user1 = unit.new_user_ref(domain_id=domain1['id'])
 1486         user1 = PROVIDERS.identity_api.create_user(user1)
 1487         group1 = unit.new_group_ref(domain_id=domain1['id'])
 1488         group1 = PROVIDERS.identity_api.create_group(group1)
 1489         group2 = unit.new_group_ref(domain_id=domain1['id'])
 1490         group2 = PROVIDERS.identity_api.create_group(group2)
 1491         project1 = unit.new_project_ref(domain_id=domain1['id'])
 1492         PROVIDERS.resource_api.create_project(project1['id'], project1)
 1493 
 1494         PROVIDERS.identity_api.add_user_to_group(
 1495             user1['id'], group1['id']
 1496         )
 1497         PROVIDERS.identity_api.add_user_to_group(
 1498             user1['id'], group2['id']
 1499         )
 1500 
 1501         roles_ref = PROVIDERS.assignment_api.list_grants(
 1502             user_id=user1['id'],
 1503             project_id=project1['id'])
 1504         self.assertEqual(0, len(roles_ref))
 1505         PROVIDERS.assignment_api.create_grant(
 1506             user_id=user1['id'], domain_id=domain1['id'],
 1507             role_id=role_list[0]['id']
 1508         )
 1509         PROVIDERS.assignment_api.create_grant(
 1510             user_id=user1['id'], domain_id=domain1['id'],
 1511             role_id=role_list[1]['id']
 1512         )
 1513         PROVIDERS.assignment_api.create_grant(
 1514             group_id=group1['id'], domain_id=domain1['id'],
 1515             role_id=role_list[2]['id']
 1516         )
 1517         PROVIDERS.assignment_api.create_grant(
 1518             group_id=group1['id'], domain_id=domain1['id'],
 1519             role_id=role_list[3]['id']
 1520         )
 1521         PROVIDERS.assignment_api.create_grant(
 1522             user_id=user1['id'], project_id=project1['id'],
 1523             role_id=role_list[4]['id']
 1524         )
 1525         PROVIDERS.assignment_api.create_grant(
 1526             user_id=user1['id'], project_id=project1['id'],
 1527             role_id=role_list[5]['id']
 1528         )
 1529         PROVIDERS.assignment_api.create_grant(
 1530             group_id=group1['id'], project_id=project1['id'],
 1531             role_id=role_list[6]['id']
 1532         )
 1533         PROVIDERS.assignment_api.create_grant(
 1534             group_id=group1['id'], project_id=project1['id'],
 1535             role_id=role_list[7]['id']
 1536         )
 1537         roles_ref = PROVIDERS.assignment_api.list_grants(
 1538             user_id=user1['id'], domain_id=domain1['id']
 1539         )
 1540         self.assertEqual(2, len(roles_ref))
 1541         self.assertIn(role_list[0], roles_ref)
 1542         self.assertIn(role_list[1], roles_ref)
 1543         roles_ref = PROVIDERS.assignment_api.list_grants(
 1544             group_id=group1['id'], domain_id=domain1['id']
 1545         )
 1546         self.assertEqual(2, len(roles_ref))
 1547         self.assertIn(role_list[2], roles_ref)
 1548         self.assertIn(role_list[3], roles_ref)
 1549         roles_ref = PROVIDERS.assignment_api.list_grants(
 1550             user_id=user1['id'], project_id=project1['id']
 1551         )
 1552         self.assertEqual(2, len(roles_ref))
 1553         self.assertIn(role_list[4], roles_ref)
 1554         self.assertIn(role_list[5], roles_ref)
 1555         roles_ref = PROVIDERS.assignment_api.list_grants(
 1556             group_id=group1['id'], project_id=project1['id']
 1557         )
 1558         self.assertEqual(2, len(roles_ref))
 1559         self.assertIn(role_list[6], roles_ref)
 1560         self.assertIn(role_list[7], roles_ref)
 1561 
 1562         # Now test the alternate way of getting back lists of grants,
 1563         # where user and group roles are combined.  These should match
 1564         # the above results.
 1565         combined_list = (
 1566             PROVIDERS.assignment_api.get_roles_for_user_and_project(
 1567                 user1['id'], project1['id']
 1568             )
 1569         )
 1570         self.assertEqual(4, len(combined_list))
 1571         self.assertIn(role_list[4]['id'], combined_list)
 1572         self.assertIn(role_list[5]['id'], combined_list)
 1573         self.assertIn(role_list[6]['id'], combined_list)
 1574         self.assertIn(role_list[7]['id'], combined_list)
 1575 
 1576         combined_role_list = (
 1577             PROVIDERS.assignment_api.get_roles_for_user_and_domain(
 1578                 user1['id'], domain1['id']
 1579             )
 1580         )
 1581         self.assertEqual(4, len(combined_role_list))
 1582         self.assertIn(role_list[0]['id'], combined_role_list)
 1583         self.assertIn(role_list[1]['id'], combined_role_list)
 1584         self.assertIn(role_list[2]['id'], combined_role_list)
 1585         self.assertIn(role_list[3]['id'], combined_role_list)
 1586 
 1587     def test_multi_group_grants_on_project_domain(self):
 1588         """Test multiple group roles for user on project and domain.
 1589 
 1590         Test Plan:
 1591 
 1592         - Create 6 roles
 1593         - Create a domain, with a project, user and two groups
 1594         - Make the user a member of both groups
 1595         - Check no roles yet exit
 1596         - Assign a role to each user and both groups on both the
 1597           project and domain
 1598         - Get a list of effective roles for the user on both the
 1599           project and domain, checking we get back the correct three
 1600           roles
 1601 
 1602         """
 1603         role_list = []
 1604         for _ in range(6):
 1605             role = unit.new_role_ref()
 1606             PROVIDERS.role_api.create_role(role['id'], role)
 1607             role_list.append(role)
 1608         domain1 = unit.new_domain_ref()
 1609         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1610         user1 = unit.new_user_ref(domain_id=domain1['id'])
 1611         user1 = PROVIDERS.identity_api.create_user(user1)
 1612         group1 = unit.new_group_ref(domain_id=domain1['id'])
 1613         group1 = PROVIDERS.identity_api.create_group(group1)
 1614         group2 = unit.new_group_ref(domain_id=domain1['id'])
 1615         group2 = PROVIDERS.identity_api.create_group(group2)
 1616         project1 = unit.new_project_ref(domain_id=domain1['id'])
 1617         PROVIDERS.resource_api.create_project(project1['id'], project1)
 1618 
 1619         PROVIDERS.identity_api.add_user_to_group(
 1620             user1['id'], group1['id']
 1621         )
 1622         PROVIDERS.identity_api.add_user_to_group(
 1623             user1['id'], group2['id']
 1624         )
 1625 
 1626         roles_ref = PROVIDERS.assignment_api.list_grants(
 1627             user_id=user1['id'],
 1628             project_id=project1['id'])
 1629         self.assertEqual(0, len(roles_ref))
 1630         PROVIDERS.assignment_api.create_grant(
 1631             user_id=user1['id'], domain_id=domain1['id'],
 1632             role_id=role_list[0]['id']
 1633         )
 1634         PROVIDERS.assignment_api.create_grant(
 1635             group_id=group1['id'], domain_id=domain1['id'],
 1636             role_id=role_list[1]['id']
 1637         )
 1638         PROVIDERS.assignment_api.create_grant(
 1639             group_id=group2['id'], domain_id=domain1['id'],
 1640             role_id=role_list[2]['id']
 1641         )
 1642         PROVIDERS.assignment_api.create_grant(
 1643             user_id=user1['id'], project_id=project1['id'],
 1644             role_id=role_list[3]['id']
 1645         )
 1646         PROVIDERS.assignment_api.create_grant(
 1647             group_id=group1['id'], project_id=project1['id'],
 1648             role_id=role_list[4]['id']
 1649         )
 1650         PROVIDERS.assignment_api.create_grant(
 1651             group_id=group2['id'], project_id=project1['id'],
 1652             role_id=role_list[5]['id']
 1653         )
 1654 
 1655         # Read by the roles, ensuring we get the correct 3 roles for
 1656         # both project and domain
 1657         combined_list = (
 1658             PROVIDERS.assignment_api.get_roles_for_user_and_project(
 1659                 user1['id'], project1['id']
 1660             )
 1661         )
 1662         self.assertEqual(3, len(combined_list))
 1663         self.assertIn(role_list[3]['id'], combined_list)
 1664         self.assertIn(role_list[4]['id'], combined_list)
 1665         self.assertIn(role_list[5]['id'], combined_list)
 1666 
 1667         combined_role_list = (
 1668             PROVIDERS.assignment_api.get_roles_for_user_and_domain(
 1669                 user1['id'], domain1['id']
 1670             )
 1671         )
 1672         self.assertEqual(3, len(combined_role_list))
 1673         self.assertIn(role_list[0]['id'], combined_role_list)
 1674         self.assertIn(role_list[1]['id'], combined_role_list)
 1675         self.assertIn(role_list[2]['id'], combined_role_list)
 1676 
 1677     def test_delete_role_with_user_and_group_grants(self):
 1678         role1 = unit.new_role_ref()
 1679         PROVIDERS.role_api.create_role(role1['id'], role1)
 1680         domain1 = unit.new_domain_ref()
 1681         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 1682         project1 = unit.new_project_ref(domain_id=domain1['id'])
 1683         PROVIDERS.resource_api.create_project(project1['id'], project1)
 1684         user1 = unit.new_user_ref(domain_id=domain1['id'])
 1685         user1 = PROVIDERS.identity_api.create_user(user1)
 1686         group1 = unit.new_group_ref(domain_id=domain1['id'])
 1687         group1 = PROVIDERS.identity_api.create_group(group1)
 1688         PROVIDERS.assignment_api.create_grant(
 1689             user_id=user1['id'], project_id=project1['id'], role_id=role1['id']
 1690         )
 1691         PROVIDERS.assignment_api.create_grant(
 1692             user_id=user1['id'], domain_id=domain1['id'], role_id=role1['id']
 1693         )
 1694         PROVIDERS.assignment_api.create_grant(
 1695             group_id=group1['id'], project_id=project1['id'],
 1696             role_id=role1['id']
 1697         )
 1698         PROVIDERS.assignment_api.create_grant(
 1699             group_id=group1['id'], domain_id=domain1['id'], role_id=role1['id']
 1700         )
 1701         roles_ref = PROVIDERS.assignment_api.list_grants(
 1702             user_id=user1['id'],
 1703             project_id=project1['id'])
 1704         self.assertEqual(1, len(roles_ref))
 1705         roles_ref = PROVIDERS.assignment_api.list_grants(
 1706             group_id=group1['id'],
 1707             project_id=project1['id'])
 1708         self.assertEqual(1, len(roles_ref))
 1709         roles_ref = PROVIDERS.assignment_api.list_grants(
 1710             user_id=user1['id'],
 1711             domain_id=domain1['id'])
 1712         self.assertEqual(1, len(roles_ref))
 1713         roles_ref = PROVIDERS.assignment_api.list_grants(
 1714             group_id=group1['id'],
 1715             domain_id=domain1['id'])
 1716         self.assertEqual(1, len(roles_ref))
 1717         PROVIDERS.role_api.delete_role(role1['id'])
 1718         roles_ref = PROVIDERS.assignment_api.list_grants(
 1719             user_id=user1['id'],
 1720             project_id=project1['id'])
 1721         self.assertEqual(0, len(roles_ref))
 1722         roles_ref = PROVIDERS.assignment_api.list_grants(
 1723             group_id=group1['id'],
 1724             project_id=project1['id'])
 1725         self.assertEqual(0, len(roles_ref))
 1726         roles_ref = PROVIDERS.assignment_api.list_grants(
 1727             user_id=user1['id'],
 1728             domain_id=domain1['id'])
 1729         self.assertEqual(0, len(roles_ref))
 1730         roles_ref = PROVIDERS.assignment_api.list_grants(
 1731             group_id=group1['id'],
 1732             domain_id=domain1['id'])
 1733         self.assertEqual(0, len(roles_ref))
 1734 
 1735     def test_list_role_assignment_by_domain(self):
 1736         """Test listing of role assignment filtered by domain."""
 1737         test_plan = {
 1738             # A domain with 3 users, 1 group, a spoiler domain and 2 roles.
 1739             'entities': {'domains': [{'users': 3, 'groups': 1}, 1],
 1740                          'roles': 2},
 1741             # Users 1 & 2 are in the group
 1742             'group_memberships': [{'group': 0, 'users': [1, 2]}],
 1743             # Assign a role for user 0 and the group
 1744             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
 1745                             {'group': 0, 'role': 1, 'domain': 0}],
 1746             'tests': [
 1747                 # List all effective assignments for domain[0].
 1748                 # Should get one direct user role and user roles for each of
 1749                 # the users in the group.
 1750                 {'params': {'domain': 0, 'effective': True},
 1751                  'results': [{'user': 0, 'role': 0, 'domain': 0},
 1752                              {'user': 1, 'role': 1, 'domain': 0,
 1753                               'indirect': {'group': 0}},
 1754                              {'user': 2, 'role': 1, 'domain': 0,
 1755                               'indirect': {'group': 0}}
 1756                              ]},
 1757                 # Using domain[1] should return nothing
 1758                 {'params': {'domain': 1, 'effective': True},
 1759                  'results': []},
 1760             ]
 1761         }
 1762         self.execute_assignment_plan(test_plan)
 1763 
 1764     def test_list_role_assignment_by_user_with_domain_group_roles(self):
 1765         """Test listing assignments by user, with group roles on a domain."""
 1766         test_plan = {
 1767             # A domain with 3 users, 3 groups, a spoiler domain
 1768             # plus 3 roles.
 1769             'entities': {'domains': [{'users': 3, 'groups': 3}, 1],
 1770                          'roles': 3},
 1771             # Users 1 & 2 are in the group 0, User 1 also in group 1
 1772             'group_memberships': [{'group': 0, 'users': [0, 1]},
 1773                                   {'group': 1, 'users': [0]}],
 1774             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
 1775                             {'group': 0, 'role': 1, 'domain': 0},
 1776                             {'group': 1, 'role': 2, 'domain': 0},
 1777                             # ...and two spoiler assignments
 1778                             {'user': 1, 'role': 1, 'domain': 0},
 1779                             {'group': 2, 'role': 2, 'domain': 0}],
 1780             'tests': [
 1781                 # List all effective assignments for user[0].
 1782                 # Should get one direct user role and a user roles for each of
 1783                 # groups 0 and 1
 1784                 {'params': {'user': 0, 'effective': True},
 1785                  'results': [{'user': 0, 'role': 0, 'domain': 0},
 1786                              {'user': 0, 'role': 1, 'domain': 0,
 1787                               'indirect': {'group': 0}},
 1788                              {'user': 0, 'role': 2, 'domain': 0,
 1789                               'indirect': {'group': 1}}
 1790                              ]},
 1791                 # Adding domain[0] as a filter should return the same data
 1792                 {'params': {'user': 0, 'domain': 0, 'effective': True},
 1793                  'results': [{'user': 0, 'role': 0, 'domain': 0},
 1794                              {'user': 0, 'role': 1, 'domain': 0,
 1795                               'indirect': {'group': 0}},
 1796                              {'user': 0, 'role': 2, 'domain': 0,
 1797                               'indirect': {'group': 1}}
 1798                              ]},
 1799                 # Using domain[1] should return nothing
 1800                 {'params': {'user': 0, 'domain': 1, 'effective': True},
 1801                  'results': []},
 1802                 # Using user[2] should return nothing
 1803                 {'params': {'user': 2, 'domain': 0, 'effective': True},
 1804                  'results': []},
 1805             ]
 1806         }
 1807         self.execute_assignment_plan(test_plan)
 1808 
 1809     def test_list_role_assignment_using_sourced_groups(self):
 1810         """Test listing assignments when restricted by source groups."""
 1811         test_plan = {
 1812             # The default domain with 3 users, 3 groups, 3 projects,
 1813             # plus 3 roles.
 1814             'entities': {'domains': {'id': CONF.identity.default_domain_id,
 1815                                      'users': 3, 'groups': 3, 'projects': 3},
 1816                          'roles': 3},
 1817             # Users 0 & 1 are in the group 0, User 0 also in group 1
 1818             'group_memberships': [{'group': 0, 'users': [0, 1]},
 1819                                   {'group': 1, 'users': [0]}],
 1820             # Spread the assignments around - we want to be able to show that
 1821             # if sourced by group, assignments from other sources are excluded
 1822             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 1823                             {'group': 0, 'role': 1, 'project': 1},
 1824                             {'group': 1, 'role': 2, 'project': 0},
 1825                             {'group': 1, 'role': 2, 'project': 1},
 1826                             {'user': 2, 'role': 1, 'project': 1},
 1827                             {'group': 2, 'role': 2, 'project': 2}
 1828                             ],
 1829             'tests': [
 1830                 # List all effective assignments sourced from groups 0 and 1
 1831                 {'params': {'source_from_group_ids': [0, 1],
 1832                             'effective': True},
 1833                  'results': [{'group': 0, 'role': 1, 'project': 1},
 1834                              {'group': 1, 'role': 2, 'project': 0},
 1835                              {'group': 1, 'role': 2, 'project': 1}
 1836                              ]},
 1837                 # Adding a role a filter should further restrict the entries
 1838                 {'params': {'source_from_group_ids': [0, 1], 'role': 2,
 1839                             'effective': True},
 1840                  'results': [{'group': 1, 'role': 2, 'project': 0},
 1841                              {'group': 1, 'role': 2, 'project': 1}
 1842                              ]},
 1843             ]
 1844         }
 1845         self.execute_assignment_plan(test_plan)
 1846 
 1847     def test_list_role_assignment_using_sourced_groups_with_domains(self):
 1848         """Test listing domain assignments when restricted by source groups."""
 1849         test_plan = {
 1850             # A domain with 3 users, 3 groups, 3 projects, a second domain,
 1851             # plus 3 roles.
 1852             'entities': {'domains': [{'users': 3, 'groups': 3, 'projects': 3},
 1853                                      1],
 1854                          'roles': 3},
 1855             # Users 0 & 1 are in the group 0, User 0 also in group 1
 1856             'group_memberships': [{'group': 0, 'users': [0, 1]},
 1857                                   {'group': 1, 'users': [0]}],
 1858             # Spread the assignments around - we want to be able to show that
 1859             # if sourced by group, assignments from other sources are excluded
 1860             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
 1861                             {'group': 0, 'role': 1, 'domain': 1},
 1862                             {'group': 1, 'role': 2, 'project': 0},
 1863                             {'group': 1, 'role': 2, 'project': 1},
 1864                             {'user': 2, 'role': 1, 'project': 1},
 1865                             {'group': 2, 'role': 2, 'project': 2}
 1866                             ],
 1867             'tests': [
 1868                 # List all effective assignments sourced from groups 0 and 1
 1869                 {'params': {'source_from_group_ids': [0, 1],
 1870                             'effective': True},
 1871                  'results': [{'group': 0, 'role': 1, 'domain': 1},
 1872                              {'group': 1, 'role': 2, 'project': 0},
 1873                              {'group': 1, 'role': 2, 'project': 1}
 1874                              ]},
 1875                 # Adding a role a filter should further restrict the entries
 1876                 {'params': {'source_from_group_ids': [0, 1], 'role': 1,
 1877                             'effective': True},
 1878                  'results': [{'group': 0, 'role': 1, 'domain': 1},
 1879                              ]},
 1880             ]
 1881         }
 1882         self.execute_assignment_plan(test_plan)
 1883 
 1884     def test_list_role_assignment_fails_with_userid_and_source_groups(self):
 1885         """Show we trap this unsupported internal combination of params."""
 1886         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 1887         group = PROVIDERS.identity_api.create_group(group)
 1888         self.assertRaises(exception.UnexpectedError,
 1889                           PROVIDERS.assignment_api.list_role_assignments,
 1890                           effective=True,
 1891                           user_id=self.user_foo['id'],
 1892                           source_from_group_ids=[group['id']])
 1893 
 1894     def test_list_user_project_ids_returns_not_found(self):
 1895         self.assertRaises(exception.UserNotFound,
 1896                           PROVIDERS.assignment_api.list_projects_for_user,
 1897                           uuid.uuid4().hex)
 1898 
 1899     def test_delete_user_with_project_association(self):
 1900         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 1901         user = PROVIDERS.identity_api.create_user(user)
 1902         role_member = unit.new_role_ref()
 1903         PROVIDERS.role_api.create_role(role_member['id'], role_member)
 1904         PROVIDERS.assignment_api.add_role_to_user_and_project(
 1905             user['id'], self.project_bar['id'], role_member['id']
 1906         )
 1907         PROVIDERS.identity_api.delete_user(user['id'])
 1908         self.assertRaises(exception.UserNotFound,
 1909                           PROVIDERS.assignment_api.list_projects_for_user,
 1910                           user['id'])
 1911 
 1912     def test_delete_user_with_project_roles(self):
 1913         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 1914         user = PROVIDERS.identity_api.create_user(user)
 1915         PROVIDERS.assignment_api.add_role_to_user_and_project(
 1916             user['id'],
 1917             self.project_bar['id'],
 1918             self.role_member['id'])
 1919         PROVIDERS.identity_api.delete_user(user['id'])
 1920         self.assertRaises(exception.UserNotFound,
 1921                           PROVIDERS.assignment_api.list_projects_for_user,
 1922                           user['id'])
 1923 
 1924     def test_delete_role_returns_not_found(self):
 1925         self.assertRaises(exception.RoleNotFound,
 1926                           PROVIDERS.role_api.delete_role,
 1927                           uuid.uuid4().hex)
 1928 
 1929     def test_delete_project_with_role_assignments(self):
 1930         project = unit.new_project_ref(
 1931             domain_id=CONF.identity.default_domain_id)
 1932         PROVIDERS.resource_api.create_project(project['id'], project)
 1933         PROVIDERS.assignment_api.add_role_to_user_and_project(
 1934             self.user_foo['id'],
 1935             project['id'],
 1936             default_fixtures.MEMBER_ROLE_ID)
 1937         PROVIDERS.resource_api.delete_project(project['id'])
 1938         self.assertRaises(exception.ProjectNotFound,
 1939                           PROVIDERS.assignment_api.list_user_ids_for_project,
 1940                           project['id'])
 1941 
 1942     def test_delete_role_check_role_grant(self):
 1943         role = unit.new_role_ref()
 1944         alt_role = unit.new_role_ref()
 1945         PROVIDERS.role_api.create_role(role['id'], role)
 1946         PROVIDERS.role_api.create_role(alt_role['id'], alt_role)
 1947         PROVIDERS.assignment_api.add_role_to_user_and_project(
 1948             self.user_foo['id'], self.project_bar['id'], role['id'])
 1949         PROVIDERS.assignment_api.add_role_to_user_and_project(
 1950             self.user_foo['id'], self.project_bar['id'], alt_role['id'])
 1951         PROVIDERS.role_api.delete_role(role['id'])
 1952         roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project(
 1953             self.user_foo['id'], self.project_bar['id'])
 1954         self.assertNotIn(role['id'], roles_ref)
 1955         self.assertIn(alt_role['id'], roles_ref)
 1956 
 1957     def test_list_projects_for_user(self):
 1958         domain = unit.new_domain_ref()
 1959         PROVIDERS.resource_api.create_domain(domain['id'], domain)
 1960         user1 = unit.new_user_ref(domain_id=domain['id'])
 1961         user1 = PROVIDERS.identity_api.create_user(user1)
 1962         user_projects = PROVIDERS.assignment_api.list_projects_for_user(
 1963             user1['id']
 1964         )
 1965         self.assertEqual(0, len(user_projects))
 1966         PROVIDERS.assignment_api.create_grant(
 1967             user_id=user1['id'], project_id=self.project_bar['id'],
 1968             role_id=self.role_member['id']
 1969         )
 1970         PROVIDERS.assignment_api.create_grant(
 1971             user_id=user1['id'], project_id=self.project_baz['id'],
 1972             role_id=self.role_member['id']
 1973         )
 1974         user_projects = PROVIDERS.assignment_api.list_projects_for_user(
 1975             user1['id']
 1976         )
 1977         self.assertEqual(2, len(user_projects))
 1978 
 1979     def test_list_projects_for_user_with_grants(self):
 1980         # Create two groups each with a role on a different project, and
 1981         # make user1 a member of both groups.  Both these new projects
 1982         # should now be included, along with any direct user grants.
 1983         domain = unit.new_domain_ref()
 1984         PROVIDERS.resource_api.create_domain(domain['id'], domain)
 1985         user1 = unit.new_user_ref(domain_id=domain['id'])
 1986         user1 = PROVIDERS.identity_api.create_user(user1)
 1987         group1 = unit.new_group_ref(domain_id=domain['id'])
 1988         group1 = PROVIDERS.identity_api.create_group(group1)
 1989         group2 = unit.new_group_ref(domain_id=domain['id'])
 1990         group2 = PROVIDERS.identity_api.create_group(group2)
 1991         project1 = unit.new_project_ref(domain_id=domain['id'])
 1992         PROVIDERS.resource_api.create_project(project1['id'], project1)
 1993         project2 = unit.new_project_ref(domain_id=domain['id'])
 1994         PROVIDERS.resource_api.create_project(project2['id'], project2)
 1995         PROVIDERS.identity_api.add_user_to_group(user1['id'], group1['id'])
 1996         PROVIDERS.identity_api.add_user_to_group(user1['id'], group2['id'])
 1997 
 1998         # Create 3 grants, one user grant, the other two as group grants
 1999         PROVIDERS.assignment_api.create_grant(
 2000             user_id=user1['id'], project_id=self.project_bar['id'],
 2001             role_id=self.role_member['id']
 2002         )
 2003         PROVIDERS.assignment_api.create_grant(
 2004             group_id=group1['id'], project_id=project1['id'],
 2005             role_id=self.role_admin['id']
 2006         )
 2007         PROVIDERS.assignment_api.create_grant(
 2008             group_id=group2['id'], project_id=project2['id'],
 2009             role_id=self.role_admin['id']
 2010         )
 2011         user_projects = PROVIDERS.assignment_api.list_projects_for_user(
 2012             user1['id']
 2013         )
 2014         self.assertEqual(3, len(user_projects))
 2015 
 2016     def test_create_grant_no_user(self):
 2017         # If call create_grant with a user that doesn't exist, doesn't fail.
 2018         PROVIDERS.assignment_api.create_grant(
 2019             self.role_other['id'],
 2020             user_id=uuid.uuid4().hex,
 2021             project_id=self.project_bar['id'])
 2022 
 2023     def test_create_grant_no_group(self):
 2024         # If call create_grant with a group that doesn't exist, doesn't fail.
 2025         PROVIDERS.assignment_api.create_grant(
 2026             self.role_other['id'],
 2027             group_id=uuid.uuid4().hex,
 2028             project_id=self.project_bar['id'])
 2029 
 2030     def test_delete_group_removes_role_assignments(self):
 2031         # When a group is deleted any role assignments for the group are
 2032         # removed.
 2033 
 2034         def get_member_assignments():
 2035             assignments = PROVIDERS.assignment_api.list_role_assignments()
 2036             return ([x for x in assignments if x['role_id'] ==
 2037                     default_fixtures.MEMBER_ROLE_ID])
 2038 
 2039         orig_member_assignments = get_member_assignments()
 2040 
 2041         # Create a group.
 2042         new_group = unit.new_group_ref(
 2043             domain_id=CONF.identity.default_domain_id)
 2044         new_group = PROVIDERS.identity_api.create_group(new_group)
 2045 
 2046         # Create a project.
 2047         new_project = unit.new_project_ref(
 2048             domain_id=CONF.identity.default_domain_id)
 2049         PROVIDERS.resource_api.create_project(new_project['id'], new_project)
 2050 
 2051         # Assign a role to the group.
 2052         PROVIDERS.assignment_api.create_grant(
 2053             group_id=new_group['id'], project_id=new_project['id'],
 2054             role_id=default_fixtures.MEMBER_ROLE_ID)
 2055 
 2056         # Delete the group.
 2057         PROVIDERS.identity_api.delete_group(new_group['id'])
 2058 
 2059         # Check that the role assignment for the group is gone
 2060         member_assignments = get_member_assignments()
 2061 
 2062         self.assertThat(member_assignments,
 2063                         matchers.Equals(orig_member_assignments))
 2064 
 2065     def test_get_roles_for_groups_on_domain(self):
 2066         """Test retrieving group domain roles.
 2067 
 2068         Test Plan:
 2069 
 2070         - Create a domain, three groups and three roles
 2071         - Assign one an inherited and the others a non-inherited group role
 2072           to the domain
 2073         - Ensure that only the non-inherited roles are returned on the domain
 2074 
 2075         """
 2076         domain1 = unit.new_domain_ref()
 2077         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 2078         group_list = []
 2079         group_id_list = []
 2080         role_list = []
 2081         for _ in range(3):
 2082             group = unit.new_group_ref(domain_id=domain1['id'])
 2083             group = PROVIDERS.identity_api.create_group(group)
 2084             group_list.append(group)
 2085             group_id_list.append(group['id'])
 2086 
 2087             role = unit.new_role_ref()
 2088             PROVIDERS.role_api.create_role(role['id'], role)
 2089             role_list.append(role)
 2090 
 2091         # Assign the roles - one is inherited
 2092         PROVIDERS.assignment_api.create_grant(
 2093             group_id=group_list[0]['id'], domain_id=domain1['id'],
 2094             role_id=role_list[0]['id']
 2095         )
 2096         PROVIDERS.assignment_api.create_grant(
 2097             group_id=group_list[1]['id'], domain_id=domain1['id'],
 2098             role_id=role_list[1]['id']
 2099         )
 2100         PROVIDERS.assignment_api.create_grant(
 2101             group_id=group_list[2]['id'], domain_id=domain1['id'],
 2102             role_id=role_list[2]['id'], inherited_to_projects=True
 2103         )
 2104 
 2105         # Now get the effective roles for the groups on the domain project. We
 2106         # shouldn't get back the inherited role.
 2107 
 2108         role_refs = PROVIDERS.assignment_api.get_roles_for_groups(
 2109             group_id_list, domain_id=domain1['id'])
 2110 
 2111         self.assertThat(role_refs, matchers.HasLength(2))
 2112         self.assertIn(role_list[0], role_refs)
 2113         self.assertIn(role_list[1], role_refs)
 2114 
 2115     def test_get_roles_for_groups_on_project(self):
 2116         """Test retrieving group project roles.
 2117 
 2118         Test Plan:
 2119 
 2120         - Create two domains, two projects, six groups and six roles
 2121         - Project1 is in Domain1, Project2 is in Domain2
 2122         - Domain2/Project2 are spoilers
 2123         - Assign a different direct group role to each project as well
 2124           as both an inherited and non-inherited role to each domain
 2125         - Get the group roles for Project 1 - depending on whether we have
 2126           enabled inheritance, we should either get back just the direct role
 2127           or both the direct one plus the inherited domain role from Domain 1
 2128 
 2129         """
 2130         domain1 = unit.new_domain_ref()
 2131         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 2132         domain2 = unit.new_domain_ref()
 2133         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 2134         project1 = unit.new_project_ref(domain_id=domain1['id'])
 2135         PROVIDERS.resource_api.create_project(project1['id'], project1)
 2136         project2 = unit.new_project_ref(domain_id=domain2['id'])
 2137         PROVIDERS.resource_api.create_project(project2['id'], project2)
 2138         group_list = []
 2139         group_id_list = []
 2140         role_list = []
 2141         for _ in range(6):
 2142             group = unit.new_group_ref(domain_id=domain1['id'])
 2143             group = PROVIDERS.identity_api.create_group(group)
 2144             group_list.append(group)
 2145             group_id_list.append(group['id'])
 2146 
 2147             role = unit.new_role_ref()
 2148             PROVIDERS.role_api.create_role(role['id'], role)
 2149             role_list.append(role)
 2150 
 2151         # Assign the roles - one inherited and one non-inherited on Domain1,
 2152         # plus one on Project1
 2153         PROVIDERS.assignment_api.create_grant(
 2154             group_id=group_list[0]['id'], domain_id=domain1['id'],
 2155             role_id=role_list[0]['id']
 2156         )
 2157         PROVIDERS.assignment_api.create_grant(
 2158             group_id=group_list[1]['id'], domain_id=domain1['id'],
 2159             role_id=role_list[1]['id'], inherited_to_projects=True
 2160         )
 2161         PROVIDERS.assignment_api.create_grant(
 2162             group_id=group_list[2]['id'], project_id=project1['id'],
 2163             role_id=role_list[2]['id']
 2164         )
 2165 
 2166         # ...and a duplicate set of spoiler assignments to Domain2/Project2
 2167         PROVIDERS.assignment_api.create_grant(
 2168             group_id=group_list[3]['id'], domain_id=domain2['id'],
 2169             role_id=role_list[3]['id']
 2170         )
 2171         PROVIDERS.assignment_api.create_grant(
 2172             group_id=group_list[4]['id'], domain_id=domain2['id'],
 2173             role_id=role_list[4]['id'], inherited_to_projects=True
 2174         )
 2175         PROVIDERS.assignment_api.create_grant(
 2176             group_id=group_list[5]['id'], project_id=project2['id'],
 2177             role_id=role_list[5]['id']
 2178         )
 2179 
 2180         # With inheritance on, we should also get back the inherited role from
 2181         # its owning domain.
 2182 
 2183         role_refs = PROVIDERS.assignment_api.get_roles_for_groups(
 2184             group_id_list, project_id=project1['id'])
 2185 
 2186         self.assertThat(role_refs, matchers.HasLength(2))
 2187         self.assertIn(role_list[1], role_refs)
 2188         self.assertIn(role_list[2], role_refs)
 2189 
 2190     def test_list_domains_for_groups(self):
 2191         """Test retrieving domains for a list of groups.
 2192 
 2193         Test Plan:
 2194 
 2195         - Create three domains, three groups and one role
 2196         - Assign a non-inherited group role to two domains, and an inherited
 2197           group role to the third
 2198         - Ensure only the domains with non-inherited roles are returned
 2199 
 2200         """
 2201         domain_list = []
 2202         group_list = []
 2203         group_id_list = []
 2204         for _ in range(3):
 2205             domain = unit.new_domain_ref()
 2206             PROVIDERS.resource_api.create_domain(domain['id'], domain)
 2207             domain_list.append(domain)
 2208 
 2209             group = unit.new_group_ref(domain_id=domain['id'])
 2210             group = PROVIDERS.identity_api.create_group(group)
 2211             group_list.append(group)
 2212             group_id_list.append(group['id'])
 2213 
 2214         role1 = unit.new_role_ref()
 2215         PROVIDERS.role_api.create_role(role1['id'], role1)
 2216 
 2217         # Assign the roles - one is inherited
 2218         PROVIDERS.assignment_api.create_grant(
 2219             group_id=group_list[0]['id'], domain_id=domain_list[0]['id'],
 2220             role_id=role1['id']
 2221         )
 2222         PROVIDERS.assignment_api.create_grant(
 2223             group_id=group_list[1]['id'], domain_id=domain_list[1]['id'],
 2224             role_id=role1['id']
 2225         )
 2226         PROVIDERS.assignment_api.create_grant(
 2227             group_id=group_list[2]['id'], domain_id=domain_list[2]['id'],
 2228             role_id=role1['id'], inherited_to_projects=True
 2229         )
 2230 
 2231         # Now list the domains that have roles for any of the 3 groups
 2232         # We shouldn't get back domain[2] since that had an inherited role.
 2233 
 2234         domain_refs = (
 2235             PROVIDERS.assignment_api.list_domains_for_groups(group_id_list))
 2236 
 2237         self.assertThat(domain_refs, matchers.HasLength(2))
 2238         self.assertIn(domain_list[0], domain_refs)
 2239         self.assertIn(domain_list[1], domain_refs)
 2240 
 2241     def test_list_projects_for_groups(self):
 2242         """Test retrieving projects for a list of groups.
 2243 
 2244         Test Plan:
 2245 
 2246         - Create two domains, four projects, seven groups and seven roles
 2247         - Project1-3 are in Domain1, Project4 is in Domain2
 2248         - Domain2/Project4 are spoilers
 2249         - Project1 and 2 have direct group roles, Project3 has no direct
 2250           roles but should inherit a group role from Domain1
 2251         - Get the projects for the group roles that are assigned to Project1
 2252           Project2 and the inherited one on Domain1. Depending on whether we
 2253           have enabled inheritance, we should either get back just the projects
 2254           with direct roles (Project 1 and 2) or also Project3 due to its
 2255           inherited role from Domain1.
 2256 
 2257         """
 2258         domain1 = unit.new_domain_ref()
 2259         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 2260         domain2 = unit.new_domain_ref()
 2261         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 2262         project1 = unit.new_project_ref(domain_id=domain1['id'])
 2263         project1 = PROVIDERS.resource_api.create_project(
 2264             project1['id'], project1
 2265         )
 2266         project2 = unit.new_project_ref(domain_id=domain1['id'])
 2267         project2 = PROVIDERS.resource_api.create_project(
 2268             project2['id'], project2
 2269         )
 2270         project3 = unit.new_project_ref(domain_id=domain1['id'])
 2271         project3 = PROVIDERS.resource_api.create_project(
 2272             project3['id'], project3
 2273         )
 2274         project4 = unit.new_project_ref(domain_id=domain2['id'])
 2275         project4 = PROVIDERS.resource_api.create_project(
 2276             project4['id'], project4
 2277         )
 2278         group_list = []
 2279         role_list = []
 2280         for _ in range(7):
 2281             group = unit.new_group_ref(domain_id=domain1['id'])
 2282             group = PROVIDERS.identity_api.create_group(group)
 2283             group_list.append(group)
 2284 
 2285             role = unit.new_role_ref()
 2286             PROVIDERS.role_api.create_role(role['id'], role)
 2287             role_list.append(role)
 2288 
 2289         # Assign the roles - one inherited and one non-inherited on Domain1,
 2290         # plus one on Project1 and Project2
 2291         PROVIDERS.assignment_api.create_grant(
 2292             group_id=group_list[0]['id'], domain_id=domain1['id'],
 2293             role_id=role_list[0]['id']
 2294         )
 2295         PROVIDERS.assignment_api.create_grant(
 2296             group_id=group_list[1]['id'], domain_id=domain1['id'],
 2297             role_id=role_list[1]['id'], inherited_to_projects=True
 2298         )
 2299         PROVIDERS.assignment_api.create_grant(
 2300             group_id=group_list[2]['id'], project_id=project1['id'],
 2301             role_id=role_list[2]['id']
 2302         )
 2303         PROVIDERS.assignment_api.create_grant(
 2304             group_id=group_list[3]['id'], project_id=project2['id'],
 2305             role_id=role_list[3]['id']
 2306         )
 2307 
 2308         # ...and a few of spoiler assignments to Domain2/Project4
 2309         PROVIDERS.assignment_api.create_grant(
 2310             group_id=group_list[4]['id'], domain_id=domain2['id'],
 2311             role_id=role_list[4]['id']
 2312         )
 2313         PROVIDERS.assignment_api.create_grant(
 2314             group_id=group_list[5]['id'], domain_id=domain2['id'],
 2315             role_id=role_list[5]['id'], inherited_to_projects=True
 2316         )
 2317         PROVIDERS.assignment_api.create_grant(
 2318             group_id=group_list[6]['id'], project_id=project4['id'],
 2319             role_id=role_list[6]['id']
 2320         )
 2321 
 2322         group_id_list = [group_list[1]['id'], group_list[2]['id'],
 2323                          group_list[3]['id']]
 2324 
 2325         # With inheritance on, we should also get back the Project3 due to the
 2326         # inherited role from its owning domain.
 2327         project_refs = (
 2328             PROVIDERS.assignment_api.list_projects_for_groups(group_id_list))
 2329 
 2330         self.assertThat(project_refs, matchers.HasLength(3))
 2331         self.assertIn(project1, project_refs)
 2332         self.assertIn(project2, project_refs)
 2333         self.assertIn(project3, project_refs)
 2334 
 2335     def test_update_role_no_name(self):
 2336         # A user can update a role and not include the name.
 2337 
 2338         # description is picked just because it's not name.
 2339         PROVIDERS.role_api.update_role(
 2340             self.role_member['id'], {'description': uuid.uuid4().hex}
 2341         )
 2342         # If the previous line didn't raise an exception then the test passes.
 2343 
 2344     def test_update_role_same_name(self):
 2345         # A user can update a role and set the name to be the same as it was.
 2346 
 2347         PROVIDERS.role_api.update_role(
 2348             self.role_member['id'], {'name': self.role_member['name']}
 2349         )
 2350         # If the previous line didn't raise an exception then the test passes.
 2351 
 2352     def _test_list_role_assignment_containing_names(self, domain_role=False):
 2353         # Create Refs
 2354         new_domain = self._get_domain_fixture()
 2355         if domain_role:
 2356             new_role = unit.new_role_ref(domain_id=new_domain['id'])
 2357         else:
 2358             new_role = unit.new_role_ref()
 2359         new_user = unit.new_user_ref(domain_id=new_domain['id'])
 2360         new_project = unit.new_project_ref(domain_id=new_domain['id'])
 2361         new_group = unit.new_group_ref(domain_id=new_domain['id'])
 2362         # Create entities
 2363         new_role = PROVIDERS.role_api.create_role(new_role['id'], new_role)
 2364         new_user = PROVIDERS.identity_api.create_user(new_user)
 2365         new_group = PROVIDERS.identity_api.create_group(new_group)
 2366         PROVIDERS.resource_api.create_project(new_project['id'], new_project)
 2367         PROVIDERS.assignment_api.create_grant(
 2368             user_id=new_user['id'], project_id=new_project['id'],
 2369             role_id=new_role['id']
 2370         )
 2371         PROVIDERS.assignment_api.create_grant(
 2372             group_id=new_group['id'], project_id=new_project['id'],
 2373             role_id=new_role['id']
 2374         )
 2375         PROVIDERS.assignment_api.create_grant(
 2376             domain_id=new_domain['id'], user_id=new_user['id'],
 2377             role_id=new_role['id']
 2378         )
 2379         # Get the created assignments with the include_names flag
 2380         _asgmt_prj = PROVIDERS.assignment_api.list_role_assignments(
 2381             user_id=new_user['id'],
 2382             project_id=new_project['id'],
 2383             include_names=True)
 2384         _asgmt_grp = PROVIDERS.assignment_api.list_role_assignments(
 2385             group_id=new_group['id'],
 2386             project_id=new_project['id'],
 2387             include_names=True)
 2388         _asgmt_dmn = PROVIDERS.assignment_api.list_role_assignments(
 2389             domain_id=new_domain['id'],
 2390             user_id=new_user['id'],
 2391             include_names=True)
 2392         # Make sure we can get back the correct number of assignments
 2393         self.assertThat(_asgmt_prj, matchers.HasLength(1))
 2394         self.assertThat(_asgmt_grp, matchers.HasLength(1))
 2395         self.assertThat(_asgmt_dmn, matchers.HasLength(1))
 2396         # get the first assignment
 2397         first_asgmt_prj = _asgmt_prj[0]
 2398         first_asgmt_grp = _asgmt_grp[0]
 2399         first_asgmt_dmn = _asgmt_dmn[0]
 2400         # Assert the names are correct in the project response
 2401         self.assertEqual(new_project['name'],
 2402                          first_asgmt_prj['project_name'])
 2403         self.assertEqual(new_project['domain_id'],
 2404                          first_asgmt_prj['project_domain_id'])
 2405         self.assertEqual(new_user['name'],
 2406                          first_asgmt_prj['user_name'])
 2407         self.assertEqual(new_user['domain_id'],
 2408                          first_asgmt_prj['user_domain_id'])
 2409         self.assertEqual(new_role['name'],
 2410                          first_asgmt_prj['role_name'])
 2411         if domain_role:
 2412             self.assertEqual(new_role['domain_id'],
 2413                              first_asgmt_prj['role_domain_id'])
 2414         # Assert the names are correct in the group response
 2415         self.assertEqual(new_group['name'],
 2416                          first_asgmt_grp['group_name'])
 2417         self.assertEqual(new_group['domain_id'],
 2418                          first_asgmt_grp['group_domain_id'])
 2419         self.assertEqual(new_project['name'],
 2420                          first_asgmt_grp['project_name'])
 2421         self.assertEqual(new_project['domain_id'],
 2422                          first_asgmt_grp['project_domain_id'])
 2423         self.assertEqual(new_role['name'],
 2424                          first_asgmt_grp['role_name'])
 2425         if domain_role:
 2426             self.assertEqual(new_role['domain_id'],
 2427                              first_asgmt_grp['role_domain_id'])
 2428         # Assert the names are correct in the domain response
 2429         self.assertEqual(new_domain['name'],
 2430                          first_asgmt_dmn['domain_name'])
 2431         self.assertEqual(new_user['name'],
 2432                          first_asgmt_dmn['user_name'])
 2433         self.assertEqual(new_user['domain_id'],
 2434                          first_asgmt_dmn['user_domain_id'])
 2435         self.assertEqual(new_role['name'],
 2436                          first_asgmt_dmn['role_name'])
 2437         if domain_role:
 2438             self.assertEqual(new_role['domain_id'],
 2439                              first_asgmt_dmn['role_domain_id'])
 2440 
 2441     def test_list_role_assignment_containing_names_global_role(self):
 2442         self._test_list_role_assignment_containing_names()
 2443 
 2444     def test_list_role_assignment_containing_names_domain_role(self):
 2445         self._test_list_role_assignment_containing_names(domain_role=True)
 2446 
 2447     def test_list_role_assignment_does_not_contain_names(self):
 2448         """Test names are not included with list role assignments.
 2449 
 2450         Scenario:
 2451             - names are NOT included by default
 2452             - names are NOT included when include_names=False
 2453 
 2454         """
 2455         def assert_does_not_contain_names(assignment):
 2456             first_asgmt_prj = assignment[0]
 2457             self.assertNotIn('project_name', first_asgmt_prj)
 2458             self.assertNotIn('project_domain_id', first_asgmt_prj)
 2459             self.assertNotIn('user_name', first_asgmt_prj)
 2460             self.assertNotIn('user_domain_id', first_asgmt_prj)
 2461             self.assertNotIn('role_name', first_asgmt_prj)
 2462             self.assertNotIn('role_domain_id', first_asgmt_prj)
 2463 
 2464         # Create Refs
 2465         new_role = unit.new_role_ref()
 2466         new_domain = self._get_domain_fixture()
 2467         new_user = unit.new_user_ref(domain_id=new_domain['id'])
 2468         new_project = unit.new_project_ref(domain_id=new_domain['id'])
 2469         # Create entities
 2470         new_role = PROVIDERS.role_api.create_role(new_role['id'], new_role)
 2471         new_user = PROVIDERS.identity_api.create_user(new_user)
 2472         PROVIDERS.resource_api.create_project(new_project['id'], new_project)
 2473         PROVIDERS.assignment_api.create_grant(
 2474             user_id=new_user['id'], project_id=new_project['id'],
 2475             role_id=new_role['id']
 2476         )
 2477         # Get the created assignments with NO include_names flag
 2478         role_assign_without_names = (
 2479             PROVIDERS.assignment_api.list_role_assignments(
 2480                 user_id=new_user['id'], project_id=new_project['id']
 2481             )
 2482         )
 2483         assert_does_not_contain_names(role_assign_without_names)
 2484         # Get the created assignments with include_names=False
 2485         role_assign_without_names = (
 2486             PROVIDERS.assignment_api.list_role_assignments(
 2487                 user_id=new_user['id'],
 2488                 project_id=new_project['id'],
 2489                 include_names=False
 2490             )
 2491         )
 2492         assert_does_not_contain_names(role_assign_without_names)
 2493 
 2494     def test_delete_user_assignments_user_same_id_as_group(self):
 2495         """Test deleting user assignments when user_id == group_id.
 2496 
 2497         In this scenario, only user assignments must be deleted (i.e.
 2498         USER_DOMAIN or USER_PROJECT).
 2499 
 2500         Test plan:
 2501         * Create a user and a group with the same ID;
 2502         * Create four roles and assign them to both user and group;
 2503         * Delete all user assignments;
 2504         * Group assignments must stay intact.
 2505         """
 2506         # Create a common ID
 2507         common_id = uuid.uuid4().hex
 2508         # Create a project
 2509         project = unit.new_project_ref(
 2510             domain_id=CONF.identity.default_domain_id)
 2511         project = PROVIDERS.resource_api.create_project(project['id'], project)
 2512         # Create a user
 2513         user = unit.new_user_ref(id=common_id,
 2514                                  domain_id=CONF.identity.default_domain_id)
 2515         user = PROVIDERS.identity_api.driver.create_user(common_id, user)
 2516         self.assertEqual(common_id, user['id'])
 2517         # Create a group
 2518         group = unit.new_group_ref(id=common_id,
 2519                                    domain_id=CONF.identity.default_domain_id)
 2520         group = PROVIDERS.identity_api.driver.create_group(common_id, group)
 2521         self.assertEqual(common_id, group['id'])
 2522         # Create four roles
 2523         roles = []
 2524         for _ in range(4):
 2525             role = unit.new_role_ref()
 2526             roles.append(PROVIDERS.role_api.create_role(role['id'], role))
 2527         # Assign roles for user
 2528         PROVIDERS.assignment_api.driver.create_grant(
 2529             user_id=user['id'], domain_id=CONF.identity.default_domain_id,
 2530             role_id=roles[0]['id'])
 2531         PROVIDERS.assignment_api.driver.create_grant(
 2532             user_id=user['id'], project_id=project['id'],
 2533             role_id=roles[1]['id']
 2534         )
 2535         # Assign roles for group
 2536         PROVIDERS.assignment_api.driver.create_grant(
 2537             group_id=group['id'], domain_id=CONF.identity.default_domain_id,
 2538             role_id=roles[2]['id'])
 2539         PROVIDERS.assignment_api.driver.create_grant(
 2540             group_id=group['id'], project_id=project['id'],
 2541             role_id=roles[3]['id']
 2542         )
 2543         # Make sure they were assigned
 2544         user_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2545             user_id=user['id'])
 2546         self.assertThat(user_assignments, matchers.HasLength(2))
 2547         group_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2548             group_id=group['id'])
 2549         self.assertThat(group_assignments, matchers.HasLength(2))
 2550         # Delete user assignments
 2551         PROVIDERS.assignment_api.delete_user_assignments(user_id=user['id'])
 2552         # Assert only user assignments were deleted
 2553         user_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2554             user_id=user['id'])
 2555         self.assertThat(user_assignments, matchers.HasLength(0))
 2556         group_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2557             group_id=group['id'])
 2558         self.assertThat(group_assignments, matchers.HasLength(2))
 2559         # Make sure these remaining assignments are group-related
 2560         for assignment in group_assignments:
 2561             self.assertThat(assignment.keys(), matchers.Contains('group_id'))
 2562 
 2563     def test_delete_group_assignments_group_same_id_as_user(self):
 2564         """Test deleting group assignments when group_id == user_id.
 2565 
 2566         In this scenario, only group assignments must be deleted (i.e.
 2567         GROUP_DOMAIN or GROUP_PROJECT).
 2568 
 2569         Test plan:
 2570         * Create a group and a user with the same ID;
 2571         * Create four roles and assign them to both group and user;
 2572         * Delete all group assignments;
 2573         * User assignments must stay intact.
 2574         """
 2575         # Create a common ID
 2576         common_id = uuid.uuid4().hex
 2577         # Create a project
 2578         project = unit.new_project_ref(
 2579             domain_id=CONF.identity.default_domain_id)
 2580         project = PROVIDERS.resource_api.create_project(project['id'], project)
 2581         # Create a user
 2582         user = unit.new_user_ref(id=common_id,
 2583                                  domain_id=CONF.identity.default_domain_id)
 2584         user = PROVIDERS.identity_api.driver.create_user(common_id, user)
 2585         self.assertEqual(common_id, user['id'])
 2586         # Create a group
 2587         group = unit.new_group_ref(id=common_id,
 2588                                    domain_id=CONF.identity.default_domain_id)
 2589         group = PROVIDERS.identity_api.driver.create_group(common_id, group)
 2590         self.assertEqual(common_id, group['id'])
 2591         # Create four roles
 2592         roles = []
 2593         for _ in range(4):
 2594             role = unit.new_role_ref()
 2595             roles.append(PROVIDERS.role_api.create_role(role['id'], role))
 2596         # Assign roles for user
 2597         PROVIDERS.assignment_api.driver.create_grant(
 2598             user_id=user['id'], domain_id=CONF.identity.default_domain_id,
 2599             role_id=roles[0]['id'])
 2600         PROVIDERS.assignment_api.driver.create_grant(
 2601             user_id=user['id'], project_id=project['id'],
 2602             role_id=roles[1]['id']
 2603         )
 2604         # Assign roles for group
 2605         PROVIDERS.assignment_api.driver.create_grant(
 2606             group_id=group['id'], domain_id=CONF.identity.default_domain_id,
 2607             role_id=roles[2]['id'])
 2608         PROVIDERS.assignment_api.driver.create_grant(
 2609             group_id=group['id'], project_id=project['id'],
 2610             role_id=roles[3]['id']
 2611         )
 2612         # Make sure they were assigned
 2613         user_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2614             user_id=user['id'])
 2615         self.assertThat(user_assignments, matchers.HasLength(2))
 2616         group_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2617             group_id=group['id'])
 2618         self.assertThat(group_assignments, matchers.HasLength(2))
 2619         # Delete group assignments
 2620         PROVIDERS.assignment_api.delete_group_assignments(group_id=group['id'])
 2621         # Assert only group assignments were deleted
 2622         group_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2623             group_id=group['id'])
 2624         self.assertThat(group_assignments, matchers.HasLength(0))
 2625         user_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2626             user_id=user['id'])
 2627         self.assertThat(user_assignments, matchers.HasLength(2))
 2628         # Make sure these remaining assignments are user-related
 2629         for assignment in group_assignments:
 2630             self.assertThat(assignment.keys(), matchers.Contains('user_id'))
 2631 
 2632     def test_remove_foreign_assignments_when_deleting_a_domain(self):
 2633         # A user and a group are in default domain and have assigned a role on
 2634         # two new domains. This test makes sure that when one of the new
 2635         # domains is deleted, the role assignments for the user and the group
 2636         # from the default domain are deleted only on that domain.
 2637         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 2638         group = PROVIDERS.identity_api.create_group(group)
 2639 
 2640         role = unit.new_role_ref()
 2641         role = PROVIDERS.role_api.create_role(role['id'], role)
 2642 
 2643         new_domains = [unit.new_domain_ref(), unit.new_domain_ref()]
 2644         for new_domain in new_domains:
 2645             PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
 2646 
 2647             PROVIDERS.assignment_api.create_grant(
 2648                 group_id=group['id'], domain_id=new_domain['id'],
 2649                 role_id=role['id']
 2650             )
 2651             PROVIDERS.assignment_api.create_grant(
 2652                 user_id=self.user_two['id'], domain_id=new_domain['id'],
 2653                 role_id=role['id']
 2654             )
 2655 
 2656         # Check there are 4 role assignments for that role
 2657         role_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2658             role_id=role['id'])
 2659         self.assertThat(role_assignments, matchers.HasLength(4))
 2660 
 2661         # Delete first new domain and check only 2 assignments were left
 2662         PROVIDERS.resource_api.update_domain(
 2663             new_domains[0]['id'], {'enabled': False}
 2664         )
 2665         PROVIDERS.resource_api.delete_domain(new_domains[0]['id'])
 2666 
 2667         role_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2668             role_id=role['id'])
 2669         self.assertThat(role_assignments, matchers.HasLength(2))
 2670 
 2671         # Delete second new domain and check no assignments were left
 2672         PROVIDERS.resource_api.update_domain(
 2673             new_domains[1]['id'], {'enabled': False}
 2674         )
 2675         PROVIDERS.resource_api.delete_domain(new_domains[1]['id'])
 2676 
 2677         role_assignments = PROVIDERS.assignment_api.list_role_assignments(
 2678             role_id=role['id'])
 2679         self.assertEqual([], role_assignments)
 2680 
 2681 
 2682 class InheritanceTests(AssignmentTestHelperMixin):
 2683 
 2684     def test_role_assignments_user_domain_to_project_inheritance(self):
 2685         test_plan = {
 2686             'entities': {'domains': {'users': 2, 'projects': 1},
 2687                          'roles': 3},
 2688             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
 2689                             {'user': 0, 'role': 1, 'project': 0},
 2690                             {'user': 0, 'role': 2, 'domain': 0,
 2691                              'inherited_to_projects': True},
 2692                             {'user': 1, 'role': 1, 'project': 0}],
 2693             'tests': [
 2694                 # List all direct assignments for user[0]
 2695                 {'params': {'user': 0},
 2696                  'results': [{'user': 0, 'role': 0, 'domain': 0},
 2697                              {'user': 0, 'role': 1, 'project': 0},
 2698                              {'user': 0, 'role': 2, 'domain': 0,
 2699                               'inherited_to_projects': 'projects'}]},
 2700                 # Now the effective ones - so the domain role should turn into
 2701                 # a project role
 2702                 {'params': {'user': 0, 'effective': True},
 2703                  'results': [{'user': 0, 'role': 0, 'domain': 0},
 2704                              {'user': 0, 'role': 1, 'project': 0},
 2705                              {'user': 0, 'role': 2, 'project': 0,
 2706                               'indirect': {'domain': 0}}]},
 2707                 # Narrow down to effective roles for user[0] and project[0]
 2708                 {'params': {'user': 0, 'project': 0, 'effective': True},
 2709                  'results': [{'user': 0, 'role': 1, 'project': 0},
 2710                              {'user': 0, 'role': 2, 'project': 0,
 2711                               'indirect': {'domain': 0}}]}
 2712             ]
 2713         }
 2714         self.execute_assignment_plan(test_plan)
 2715 
 2716     def _test_crud_inherited_and_direct_assignment(self, **kwargs):
 2717         """Test inherited and direct assignments for the actor and target.
 2718 
 2719         Ensure it is possible to create both inherited and direct role
 2720         assignments for the same actor on the same target. The actor and the
 2721         target are specified in the kwargs as ('user_id' or 'group_id') and
 2722         ('project_id' or 'domain_id'), respectively.
 2723 
 2724         """
 2725         # Create a new role to avoid assignments loaded from default fixtures
 2726         role = unit.new_role_ref()
 2727         role = PROVIDERS.role_api.create_role(role['id'], role)
 2728 
 2729         # Define the common assignment entity
 2730         assignment_entity = {'role_id': role['id']}
 2731         assignment_entity.update(kwargs)
 2732 
 2733         # Define assignments under test
 2734         direct_assignment_entity = assignment_entity.copy()
 2735         inherited_assignment_entity = assignment_entity.copy()
 2736         inherited_assignment_entity['inherited_to_projects'] = 'projects'
 2737 
 2738         # Create direct assignment and check grants
 2739         PROVIDERS.assignment_api.create_grant(
 2740             inherited_to_projects=False, **assignment_entity
 2741         )
 2742 
 2743         grants = PROVIDERS.assignment_api.list_role_assignments(
 2744             role_id=role['id']
 2745         )
 2746         self.assertThat(grants, matchers.HasLength(1))
 2747         self.assertIn(direct_assignment_entity, grants)
 2748 
 2749         # Now add inherited assignment and check grants
 2750         PROVIDERS.assignment_api.create_grant(
 2751             inherited_to_projects=True, **assignment_entity
 2752         )
 2753 
 2754         grants = PROVIDERS.assignment_api.list_role_assignments(
 2755             role_id=role['id']
 2756         )
 2757         self.assertThat(grants, matchers.HasLength(2))
 2758         self.assertIn(direct_assignment_entity, grants)
 2759         self.assertIn(inherited_assignment_entity, grants)
 2760 
 2761         # Delete both and check grants
 2762         PROVIDERS.assignment_api.delete_grant(
 2763             inherited_to_projects=False, **assignment_entity
 2764         )
 2765         PROVIDERS.assignment_api.delete_grant(
 2766             inherited_to_projects=True, **assignment_entity
 2767         )
 2768 
 2769         grants = PROVIDERS.assignment_api.list_role_assignments(
 2770             role_id=role['id']
 2771         )
 2772         self.assertEqual([], grants)
 2773 
 2774     def test_crud_inherited_and_direct_assignment_for_user_on_domain(self):
 2775         self._test_crud_inherited_and_direct_assignment(
 2776             user_id=self.user_foo['id'],
 2777             domain_id=CONF.identity.default_domain_id)
 2778 
 2779     def test_crud_inherited_and_direct_assignment_for_group_on_domain(self):
 2780         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 2781         group = PROVIDERS.identity_api.create_group(group)
 2782 
 2783         self._test_crud_inherited_and_direct_assignment(
 2784             group_id=group['id'], domain_id=CONF.identity.default_domain_id)
 2785 
 2786     def test_crud_inherited_and_direct_assignment_for_user_on_project(self):
 2787         self._test_crud_inherited_and_direct_assignment(
 2788             user_id=self.user_foo['id'], project_id=self.project_baz['id'])
 2789 
 2790     def test_crud_inherited_and_direct_assignment_for_group_on_project(self):
 2791         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 2792         group = PROVIDERS.identity_api.create_group(group)
 2793 
 2794         self._test_crud_inherited_and_direct_assignment(
 2795             group_id=group['id'], project_id=self.project_baz['id'])
 2796 
 2797     def test_inherited_role_grants_for_user(self):
 2798         """Test inherited user roles.
 2799 
 2800         Test Plan:
 2801 
 2802         - Enable OS-INHERIT extension
 2803         - Create 3 roles
 2804         - Create a domain, with a project and a user
 2805         - Check no roles yet exit
 2806         - Assign a direct user role to the project and a (non-inherited)
 2807           user role to the domain
 2808         - Get a list of effective roles - should only get the one direct role
 2809         - Now add an inherited user role to the domain
 2810         - Get a list of effective roles - should have two roles, one
 2811           direct and one by virtue of the inherited user role
 2812         - Also get effective roles for the domain - the role marked as
 2813           inherited should not show up
 2814 
 2815         """
 2816         role_list = []
 2817         for _ in range(3):
 2818             role = unit.new_role_ref()
 2819             PROVIDERS.role_api.create_role(role['id'], role)
 2820             role_list.append(role)
 2821         domain1 = unit.new_domain_ref()
 2822         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 2823         user1 = unit.new_user_ref(domain_id=domain1['id'])
 2824         user1 = PROVIDERS.identity_api.create_user(user1)
 2825         project1 = unit.new_project_ref(domain_id=domain1['id'])
 2826         PROVIDERS.resource_api.create_project(project1['id'], project1)
 2827 
 2828         roles_ref = PROVIDERS.assignment_api.list_grants(
 2829             user_id=user1['id'],
 2830             project_id=project1['id'])
 2831         self.assertEqual(0, len(roles_ref))
 2832 
 2833         # Create the first two roles - the domain one is not inherited
 2834         PROVIDERS.assignment_api.create_grant(
 2835             user_id=user1['id'], project_id=project1['id'],
 2836             role_id=role_list[0]['id']
 2837         )
 2838         PROVIDERS.assignment_api.create_grant(
 2839             user_id=user1['id'], domain_id=domain1['id'],
 2840             role_id=role_list[1]['id']
 2841         )
 2842 
 2843         # Now get the effective roles for the user and project, this
 2844         # should only include the direct role assignment on the project
 2845         combined_list = (
 2846             PROVIDERS.assignment_api.get_roles_for_user_and_project(
 2847                 user1['id'], project1['id']
 2848             )
 2849         )
 2850         self.assertEqual(1, len(combined_list))
 2851         self.assertIn(role_list[0]['id'], combined_list)
 2852 
 2853         # Now add an inherited role on the domain
 2854         PROVIDERS.assignment_api.create_grant(
 2855             user_id=user1['id'], domain_id=domain1['id'],
 2856             role_id=role_list[2]['id'], inherited_to_projects=True
 2857         )
 2858 
 2859         # Now get the effective roles for the user and project again, this
 2860         # should now include the inherited role on the domain
 2861         combined_list = (
 2862             PROVIDERS.assignment_api.get_roles_for_user_and_project(
 2863                 user1['id'], project1['id']
 2864             )
 2865         )
 2866         self.assertEqual(2, len(combined_list))
 2867         self.assertIn(role_list[0]['id'], combined_list)
 2868         self.assertIn(role_list[2]['id'], combined_list)
 2869 
 2870         # Finally, check that the inherited role does not appear as a valid
 2871         # directly assigned role on the domain itself
 2872         combined_role_list = (
 2873             PROVIDERS.assignment_api.get_roles_for_user_and_domain(
 2874                 user1['id'], domain1['id']
 2875             )
 2876         )
 2877         self.assertEqual(1, len(combined_role_list))
 2878         self.assertIn(role_list[1]['id'], combined_role_list)
 2879 
 2880         # TODO(henry-nash): The test above uses get_roles_for_user_and_project
 2881         # and get_roles_for_user_and_domain, which will, in a subsequent patch,
 2882         # be re-implemented to simply call list_role_assignments (see blueprint
 2883         # remove-role-metadata).
 2884         #
 2885         # The test plan below therefore mirrors this test, to ensure that
 2886         # list_role_assignments works the same. Once get_roles_for_user_and
 2887         # project/domain have been re-implemented then the manual tests above
 2888         # can be refactored to simply ensure it gives the same answers.
 2889         test_plan = {
 2890             # A domain with a user & project, plus 3 roles.
 2891             'entities': {'domains': {'users': 1, 'projects': 1},
 2892                          'roles': 3},
 2893             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 2894                             {'user': 0, 'role': 1, 'domain': 0},
 2895                             {'user': 0, 'role': 2, 'domain': 0,
 2896                              'inherited_to_projects': True}],
 2897             'tests': [
 2898                 # List all effective assignments for user[0] on project[0].
 2899                 # Should get one direct role and one inherited role.
 2900                 {'params': {'user': 0, 'project': 0, 'effective': True},
 2901                  'results': [{'user': 0, 'role': 0, 'project': 0},
 2902                              {'user': 0, 'role': 2, 'project': 0,
 2903                               'indirect': {'domain': 0}}]},
 2904                 # Ensure effective mode on the domain does not list the
 2905                 # inherited role on that domain
 2906                 {'params': {'user': 0, 'domain': 0, 'effective': True},
 2907                  'results': [{'user': 0, 'role': 1, 'domain': 0}]},
 2908                 # Ensure non-inherited mode also only returns the non-inherited
 2909                 # role on the domain
 2910                 {'params': {'user': 0, 'domain': 0, 'inherited': False},
 2911                  'results': [{'user': 0, 'role': 1, 'domain': 0}]},
 2912             ]
 2913         }
 2914         self.execute_assignment_plan(test_plan)
 2915 
 2916     def test_inherited_role_grants_for_group(self):
 2917         """Test inherited group roles.
 2918 
 2919         Test Plan:
 2920 
 2921         - Enable OS-INHERIT extension
 2922         - Create 4 roles
 2923         - Create a domain, with a project, user and two groups
 2924         - Make the user a member of both groups
 2925         - Check no roles yet exit
 2926         - Assign a direct user role to the project and a (non-inherited)
 2927           group role on the domain
 2928         - Get a list of effective roles - should only get the one direct role
 2929         - Now add two inherited group roles to the domain
 2930         - Get a list of effective roles - should have three roles, one
 2931           direct and two by virtue of inherited group roles
 2932 
 2933         """
 2934         role_list = []
 2935         for _ in range(4):
 2936             role = unit.new_role_ref()
 2937             PROVIDERS.role_api.create_role(role['id'], role)
 2938             role_list.append(role)
 2939         domain1 = unit.new_domain_ref()
 2940         PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
 2941         user1 = unit.new_user_ref(domain_id=domain1['id'])
 2942         user1 = PROVIDERS.identity_api.create_user(user1)
 2943         group1 = unit.new_group_ref(domain_id=domain1['id'])
 2944         group1 = PROVIDERS.identity_api.create_group(group1)
 2945         group2 = unit.new_group_ref(domain_id=domain1['id'])
 2946         group2 = PROVIDERS.identity_api.create_group(group2)
 2947         project1 = unit.new_project_ref(domain_id=domain1['id'])
 2948         PROVIDERS.resource_api.create_project(project1['id'], project1)
 2949 
 2950         PROVIDERS.identity_api.add_user_to_group(
 2951             user1['id'], group1['id']
 2952         )
 2953         PROVIDERS.identity_api.add_user_to_group(
 2954             user1['id'], group2['id']
 2955         )
 2956 
 2957         roles_ref = PROVIDERS.assignment_api.list_grants(
 2958             user_id=user1['id'],
 2959             project_id=project1['id'])
 2960         self.assertEqual(0, len(roles_ref))
 2961 
 2962         # Create two roles - the domain one is not inherited
 2963         PROVIDERS.assignment_api.create_grant(
 2964             user_id=user1['id'], project_id=project1['id'],
 2965             role_id=role_list[0]['id']
 2966         )
 2967         PROVIDERS.assignment_api.create_grant(
 2968             group_id=group1['id'], domain_id=domain1['id'],
 2969             role_id=role_list[1]['id']
 2970         )
 2971 
 2972         # Now get the effective roles for the user and project, this
 2973         # should only include the direct role assignment on the project
 2974         combined_list = (
 2975             PROVIDERS.assignment_api.get_roles_for_user_and_project(
 2976                 user1['id'], project1['id']
 2977             )
 2978         )
 2979         self.assertEqual(1, len(combined_list))
 2980         self.assertIn(role_list[0]['id'], combined_list)
 2981 
 2982         # Now add to more group roles, both inherited, to the domain
 2983         PROVIDERS.assignment_api.create_grant(
 2984             group_id=group2['id'], domain_id=domain1['id'],
 2985             role_id=role_list[2]['id'], inherited_to_projects=True
 2986         )
 2987         PROVIDERS.assignment_api.create_grant(
 2988             group_id=group2['id'], domain_id=domain1['id'],
 2989             role_id=role_list[3]['id'], inherited_to_projects=True
 2990         )
 2991 
 2992         # Now get the effective roles for the user and project again, this
 2993         # should now include the inherited roles on the domain
 2994         combined_list = (
 2995             PROVIDERS.assignment_api.get_roles_for_user_and_project(
 2996                 user1['id'], project1['id']
 2997             )
 2998         )
 2999         self.assertEqual(3, len(combined_list))
 3000         self.assertIn(role_list[0]['id'], combined_list)
 3001         self.assertIn(role_list[2]['id'], combined_list)
 3002         self.assertIn(role_list[3]['id'], combined_list)
 3003 
 3004         # TODO(henry-nash): The test above uses get_roles_for_user_and_project
 3005         # which will, in a subsequent patch, be re-implemented to simply call
 3006         # list_role_assignments (see blueprint remove-role-metadata).
 3007         #
 3008         # The test plan below therefore mirrors this test, to ensure that
 3009         # list_role_assignments works the same. Once
 3010         # get_roles_for_user_and_project has been re-implemented then the
 3011         # manual tests above can be refactored to simply ensure it gives
 3012         # the same answers.
 3013         test_plan = {
 3014             # A domain with a user and project, 2 groups, plus 4 roles.
 3015             'entities': {'domains': {'users': 1, 'projects': 1, 'groups': 2},
 3016                          'roles': 4},
 3017             'group_memberships': [{'group': 0, 'users': [0]},
 3018                                   {'group': 1, 'users': [0]}],
 3019             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 3020                             {'group': 0, 'role': 1, 'domain': 0},
 3021                             {'group': 1, 'role': 2, 'domain': 0,
 3022                              'inherited_to_projects': True},
 3023                             {'group': 1, 'role': 3, 'domain': 0,
 3024                              'inherited_to_projects': True}],
 3025             'tests': [
 3026                 # List all effective assignments for user[0] on project[0].
 3027                 # Should get one direct role and both inherited roles, but
 3028                 # not the direct one on domain[0], even though user[0] is
 3029                 # in group[0].
 3030                 {'params': {'user': 0, 'project': 0, 'effective': True},
 3031                  'results': [{'user': 0, 'role': 0, 'project': 0},
 3032                              {'user': 0, 'role': 2, 'project': 0,
 3033                               'indirect': {'domain': 0, 'group': 1}},
 3034                              {'user': 0, 'role': 3, 'project': 0,
 3035                               'indirect': {'domain': 0, 'group': 1}}]}
 3036             ]
 3037         }
 3038         self.execute_assignment_plan(test_plan)
 3039 
 3040     def test_list_projects_for_user_with_inherited_grants(self):
 3041         """Test inherited user roles.
 3042 
 3043         Test Plan:
 3044 
 3045         - Enable OS-INHERIT extension
 3046         - Create a domain, with two projects and a user
 3047         - Assign an inherited user role on the domain, as well as a direct
 3048           user role to a separate project in a different domain
 3049         - Get a list of projects for user, should return all three projects
 3050 
 3051         """
 3052         domain = unit.new_domain_ref()
 3053         PROVIDERS.resource_api.create_domain(domain['id'], domain)
 3054         user1 = unit.new_user_ref(domain_id=domain['id'])
 3055         user1 = PROVIDERS.identity_api.create_user(user1)
 3056         project1 = unit.new_project_ref(domain_id=domain['id'])
 3057         PROVIDERS.resource_api.create_project(project1['id'], project1)
 3058         project2 = unit.new_project_ref(domain_id=domain['id'])
 3059         PROVIDERS.resource_api.create_project(project2['id'], project2)
 3060 
 3061         # Create 2 grants, one on a project and one inherited grant
 3062         # on the domain
 3063         PROVIDERS.assignment_api.create_grant(
 3064             user_id=user1['id'], project_id=self.project_bar['id'],
 3065             role_id=self.role_member['id']
 3066         )
 3067         PROVIDERS.assignment_api.create_grant(
 3068             user_id=user1['id'], domain_id=domain['id'],
 3069             role_id=self.role_admin['id'], inherited_to_projects=True
 3070         )
 3071         # Should get back all three projects, one by virtue of the direct
 3072         # grant, plus both projects in the domain
 3073         user_projects = (
 3074             PROVIDERS.assignment_api.list_projects_for_user(user1['id'])
 3075         )
 3076         self.assertEqual(3, len(user_projects))
 3077 
 3078         # TODO(henry-nash): The test above uses list_projects_for_user
 3079         # which may, in a subsequent patch, be re-implemented to call
 3080         # list_role_assignments and then report only the distinct projects.
 3081         #
 3082         # The test plan below therefore mirrors this test, to ensure that
 3083         # list_role_assignments works the same. Once list_projects_for_user
 3084         # has been re-implemented then the manual tests above can be
 3085         # refactored.
 3086         test_plan = {
 3087             # A domain with 1 project, plus a second domain with 2 projects,
 3088             # as well as a user. Also, create 2 roles.
 3089             'entities': {'domains': [{'projects': 1},
 3090                                      {'users': 1, 'projects': 2}],
 3091                          'roles': 2},
 3092             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 3093                             {'user': 0, 'role': 1, 'domain': 1,
 3094                              'inherited_to_projects': True}],
 3095             'tests': [
 3096                 # List all effective assignments for user[0]
 3097                 # Should get one direct role plus one inherited role for each
 3098                 # project in domain
 3099                 {'params': {'user': 0, 'effective': True},
 3100                  'results': [{'user': 0, 'role': 0, 'project': 0},
 3101                              {'user': 0, 'role': 1, 'project': 1,
 3102                               'indirect': {'domain': 1}},
 3103                              {'user': 0, 'role': 1, 'project': 2,
 3104                               'indirect': {'domain': 1}}]}
 3105             ]
 3106         }
 3107         self.execute_assignment_plan(test_plan)
 3108 
 3109     def test_list_projects_for_user_with_inherited_user_project_grants(self):
 3110         """Test inherited role assignments for users on nested projects.
 3111 
 3112         Test Plan:
 3113 
 3114         - Enable OS-INHERIT extension
 3115         - Create a hierarchy of projects with one root and one leaf project
 3116         - Assign an inherited user role on root project
 3117         - Assign a non-inherited user role on root project
 3118         - Get a list of projects for user, should return both projects
 3119         - Disable OS-INHERIT extension
 3120         - Get a list of projects for user, should return only root project
 3121 
 3122         """
 3123         # Enable OS-INHERIT extension
 3124         root_project = unit.new_project_ref(
 3125             domain_id=CONF.identity.default_domain_id)
 3126         root_project = PROVIDERS.resource_api.create_project(
 3127             root_project['id'], root_project
 3128         )
 3129         leaf_project = unit.new_project_ref(
 3130             domain_id=CONF.identity.default_domain_id,
 3131             parent_id=root_project['id'])
 3132         leaf_project = PROVIDERS.resource_api.create_project(
 3133             leaf_project['id'], leaf_project
 3134         )
 3135 
 3136         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 3137         user = PROVIDERS.identity_api.create_user(user)
 3138 
 3139         # Grant inherited user role
 3140         PROVIDERS.assignment_api.create_grant(
 3141             user_id=user['id'], project_id=root_project['id'],
 3142             role_id=self.role_admin['id'], inherited_to_projects=True
 3143         )
 3144         # Grant non-inherited user role
 3145         PROVIDERS.assignment_api.create_grant(
 3146             user_id=user['id'], project_id=root_project['id'],
 3147             role_id=self.role_member['id']
 3148         )
 3149         # Should get back both projects: because the direct role assignment for
 3150         # the root project and inherited role assignment for leaf project
 3151         user_projects = (
 3152             PROVIDERS.assignment_api.list_projects_for_user(user['id'])
 3153         )
 3154         self.assertEqual(2, len(user_projects))
 3155         self.assertIn(root_project, user_projects)
 3156         self.assertIn(leaf_project, user_projects)
 3157 
 3158         # TODO(henry-nash): The test above uses list_projects_for_user
 3159         # which may, in a subsequent patch, be re-implemented to call
 3160         # list_role_assignments and then report only the distinct projects.
 3161         #
 3162         # The test plan below therefore mirrors this test, to ensure that
 3163         # list_role_assignments works the same. Once list_projects_for_user
 3164         # has been re-implemented then the manual tests above can be
 3165         # refactored.
 3166         test_plan = {
 3167             # A domain with a project and sub-project, plus a user.
 3168             # Also, create 2 roles.
 3169             'entities': {
 3170                 'domains': {'id': CONF.identity.default_domain_id, 'users': 1,
 3171                             'projects': {'project': 1}},
 3172                 'roles': 2},
 3173             # A direct role and an inherited role on the parent
 3174             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 3175                             {'user': 0, 'role': 1, 'project': 0,
 3176                              'inherited_to_projects': True}],
 3177             'tests': [
 3178                 # List all effective assignments for user[0] - should get back
 3179                 # one direct role plus one inherited role.
 3180                 {'params': {'user': 0, 'effective': True},
 3181                  'results': [{'user': 0, 'role': 0, 'project': 0},
 3182                              {'user': 0, 'role': 1, 'project': 1,
 3183                               'indirect': {'project': 0}}]}
 3184             ]
 3185         }
 3186         self.execute_assignment_plan(test_plan)
 3187 
 3188     def test_list_projects_for_user_with_inherited_group_grants(self):
 3189         """Test inherited group roles.
 3190 
 3191         Test Plan:
 3192 
 3193         - Enable OS-INHERIT extension
 3194         - Create two domains, each with two projects
 3195         - Create a user and group
 3196         - Make the user a member of the group
 3197         - Assign a user role two projects, an inherited
 3198           group role to one domain and an inherited regular role on
 3199           the other domain
 3200         - Get a list of projects for user, should return both pairs of projects
 3201           from the domain, plus the one separate project
 3202 
 3203         """
 3204         domain = unit.new_domain_ref()
 3205         PROVIDERS.resource_api.create_domain(domain['id'], domain)
 3206         domain2 = unit.new_domain_ref()
 3207         PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
 3208         project1 = unit.new_project_ref(domain_id=domain['id'])
 3209         PROVIDERS.resource_api.create_project(project1['id'], project1)
 3210         project2 = unit.new_project_ref(domain_id=domain['id'])
 3211         PROVIDERS.resource_api.create_project(project2['id'], project2)
 3212         project3 = unit.new_project_ref(domain_id=domain2['id'])
 3213         PROVIDERS.resource_api.create_project(project3['id'], project3)
 3214         project4 = unit.new_project_ref(domain_id=domain2['id'])
 3215         PROVIDERS.resource_api.create_project(project4['id'], project4)
 3216         user1 = unit.new_user_ref(domain_id=domain['id'])
 3217         user1 = PROVIDERS.identity_api.create_user(user1)
 3218         group1 = unit.new_group_ref(domain_id=domain['id'])
 3219         group1 = PROVIDERS.identity_api.create_group(group1)
 3220         PROVIDERS.identity_api.add_user_to_group(user1['id'], group1['id'])
 3221 
 3222         # Create 4 grants:
 3223         # - one user grant on a project in domain2
 3224         # - one user grant on a project in the default domain
 3225         # - one inherited user grant on domain
 3226         # - one inherited group grant on domain2
 3227         PROVIDERS.assignment_api.create_grant(
 3228             user_id=user1['id'], project_id=project3['id'],
 3229             role_id=self.role_member['id']
 3230         )
 3231         PROVIDERS.assignment_api.create_grant(
 3232             user_id=user1['id'], project_id=self.project_bar['id'],
 3233             role_id=self.role_member['id']
 3234         )
 3235         PROVIDERS.assignment_api.create_grant(
 3236             user_id=user1['id'], domain_id=domain['id'],
 3237             role_id=self.role_admin['id'], inherited_to_projects=True
 3238         )
 3239         PROVIDERS.assignment_api.create_grant(
 3240             group_id=group1['id'], domain_id=domain2['id'],
 3241             role_id=self.role_admin['id'], inherited_to_projects=True
 3242         )
 3243         # Should get back all five projects, but without a duplicate for
 3244         # project3 (since it has both a direct user role and an inherited role)
 3245         user_projects = (
 3246             PROVIDERS.assignment_api.list_projects_for_user(user1['id'])
 3247         )
 3248         self.assertEqual(5, len(user_projects))
 3249 
 3250         # TODO(henry-nash): The test above uses list_projects_for_user
 3251         # which may, in a subsequent patch, be re-implemented to call
 3252         # list_role_assignments and then report only the distinct projects.
 3253         #
 3254         # The test plan below therefore mirrors this test, to ensure that
 3255         # list_role_assignments works the same. Once list_projects_for_user
 3256         # has been re-implemented then the manual tests above can be
 3257         # refactored.
 3258         test_plan = {
 3259             # A domain with a 1 project, plus a second domain with 2 projects,
 3260             # as well as a user & group and a 3rd domain with 2 projects.
 3261             # Also, created 2 roles.
 3262             'entities': {'domains': [{'projects': 1},
 3263                                      {'users': 1, 'groups': 1, 'projects': 2},
 3264                                      {'projects': 2}],
 3265                          'roles': 2},
 3266             'group_memberships': [{'group': 0, 'users': [0]}],
 3267             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 3268                             {'user': 0, 'role': 0, 'project': 3},
 3269                             {'user': 0, 'role': 1, 'domain': 1,
 3270                              'inherited_to_projects': True},
 3271                             {'user': 0, 'role': 1, 'domain': 2,
 3272                              'inherited_to_projects': True}],
 3273             'tests': [
 3274                 # List all effective assignments for user[0]
 3275                 # Should get back both direct roles plus roles on both projects
 3276                 # from each domain. Duplicates should not be filtered out.
 3277                 {'params': {'user': 0, 'effective': True},
 3278                  'results': [{'user': 0, 'role': 0, 'project': 3},
 3279                              {'user': 0, 'role': 0, 'project': 0},
 3280                              {'user': 0, 'role': 1, 'project': 1,
 3281                               'indirect': {'domain': 1}},
 3282                              {'user': 0, 'role': 1, 'project': 2,
 3283                               'indirect': {'domain': 1}},
 3284                              {'user': 0, 'role': 1, 'project': 3,
 3285                               'indirect': {'domain': 2}},
 3286                              {'user': 0, 'role': 1, 'project': 4,
 3287                               'indirect': {'domain': 2}}]}
 3288             ]
 3289         }
 3290         self.execute_assignment_plan(test_plan)
 3291 
 3292     def test_list_projects_for_user_with_inherited_group_project_grants(self):
 3293         """Test inherited role assignments for groups on nested projects.
 3294 
 3295         Test Plan:
 3296 
 3297         - Enable OS-INHERIT extension
 3298         - Create a hierarchy of projects with one root and one leaf project
 3299         - Assign an inherited group role on root project
 3300         - Assign a non-inherited group role on root project
 3301         - Get a list of projects for user, should return both projects
 3302         - Disable OS-INHERIT extension
 3303         - Get a list of projects for user, should return only root project
 3304 
 3305         """
 3306         root_project = unit.new_project_ref(
 3307             domain_id=CONF.identity.default_domain_id)
 3308         root_project = PROVIDERS.resource_api.create_project(
 3309             root_project['id'], root_project
 3310         )
 3311         leaf_project = unit.new_project_ref(
 3312             domain_id=CONF.identity.default_domain_id,
 3313             parent_id=root_project['id'])
 3314         leaf_project = PROVIDERS.resource_api.create_project(
 3315             leaf_project['id'], leaf_project
 3316         )
 3317 
 3318         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 3319         user = PROVIDERS.identity_api.create_user(user)
 3320 
 3321         group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 3322         group = PROVIDERS.identity_api.create_group(group)
 3323         PROVIDERS.identity_api.add_user_to_group(user['id'], group['id'])
 3324 
 3325         # Grant inherited group role
 3326         PROVIDERS.assignment_api.create_grant(
 3327             group_id=group['id'], project_id=root_project['id'],
 3328             role_id=self.role_admin['id'], inherited_to_projects=True
 3329         )
 3330         # Grant non-inherited group role
 3331         PROVIDERS.assignment_api.create_grant(
 3332             group_id=group['id'], project_id=root_project['id'],
 3333             role_id=self.role_member['id']
 3334         )
 3335         # Should get back both projects: because the direct role assignment for
 3336         # the root project and inherited role assignment for leaf project
 3337         user_projects = PROVIDERS.assignment_api.list_projects_for_user(
 3338             user['id']
 3339         )
 3340         self.assertEqual(2, len(user_projects))
 3341         self.assertIn(root_project, user_projects)
 3342         self.assertIn(leaf_project, user_projects)
 3343 
 3344         # TODO(henry-nash): The test above uses list_projects_for_user
 3345         # which may, in a subsequent patch, be re-implemented to call
 3346         # list_role_assignments and then report only the distinct projects.
 3347         #
 3348         # The test plan below therefore mirrors this test, to ensure that
 3349         # list_role_assignments works the same. Once list_projects_for_user
 3350         # has been re-implemented then the manual tests above can be
 3351         # refactored.
 3352         test_plan = {
 3353             # A domain with a project and sub-project, plus a user.
 3354             # Also, create 2 roles.
 3355             'entities': {
 3356                 'domains': {'id': CONF.identity.default_domain_id, 'users': 1,
 3357                             'groups': 1,
 3358                             'projects': {'project': 1}},
 3359                 'roles': 2},
 3360             'group_memberships': [{'group': 0, 'users': [0]}],
 3361             # A direct role and an inherited role on the parent
 3362             'assignments': [{'group': 0, 'role': 0, 'project': 0},
 3363                             {'group': 0, 'role': 1, 'project': 0,
 3364                              'inherited_to_projects': True}],
 3365             'tests': [
 3366                 # List all effective assignments for user[0] - should get back
 3367                 # one direct role plus one inherited role.
 3368                 {'params': {'user': 0, 'effective': True},
 3369                  'results': [{'user': 0, 'role': 0, 'project': 0,
 3370                               'indirect': {'group': 0}},
 3371                              {'user': 0, 'role': 1, 'project': 1,
 3372                               'indirect': {'group': 0, 'project': 0}}]}
 3373             ]
 3374         }
 3375         self.execute_assignment_plan(test_plan)
 3376 
 3377     def test_list_assignments_for_tree(self):
 3378         """Test we correctly list direct assignments for a tree."""
 3379         # Enable OS-INHERIT extension
 3380 
 3381         test_plan = {
 3382             # Create a domain with a project hierarchy 3 levels deep:
 3383             #
 3384             #                      project 0
 3385             #             ____________|____________
 3386             #            |                         |
 3387             #         project 1                 project 4
 3388             #      ______|_____              ______|_____
 3389             #     |            |            |            |
 3390             #  project 2    project 3    project 5    project 6
 3391             #
 3392             # Also, create 1 user and 4 roles.
 3393             'entities': {
 3394                 'domains': {
 3395                     'projects': {'project': [{'project': 2},
 3396                                              {'project': 2}]},
 3397                     'users': 1},
 3398                 'roles': 4},
 3399             'assignments': [
 3400                 # Direct assignment to projects 1 and 2
 3401                 {'user': 0, 'role': 0, 'project': 1},
 3402                 {'user': 0, 'role': 1, 'project': 2},
 3403                 # Also an inherited assignment on project 1
 3404                 {'user': 0, 'role': 2, 'project': 1,
 3405                  'inherited_to_projects': True},
 3406                 # ...and two spoiler assignments, one to the root and one
 3407                 # to project 4
 3408                 {'user': 0, 'role': 0, 'project': 0},
 3409                 {'user': 0, 'role': 3, 'project': 4}],
 3410             'tests': [
 3411                 # List all assignments for project 1 and its subtree.
 3412                 {'params': {'project': 1, 'include_subtree': True},
 3413                  'results': [
 3414                      # Only the actual assignments should be returned, no
 3415                      # expansion of inherited assignments
 3416                      {'user': 0, 'role': 0, 'project': 1},
 3417                      {'user': 0, 'role': 1, 'project': 2},
 3418                      {'user': 0, 'role': 2, 'project': 1,
 3419                       'inherited_to_projects': 'projects'}]}
 3420             ]
 3421         }
 3422 
 3423         self.execute_assignment_plan(test_plan)
 3424 
 3425     def test_list_effective_assignments_for_tree(self):
 3426         """Test we correctly list effective assignments for a tree."""
 3427         test_plan = {
 3428             # Create a domain with a project hierarchy 3 levels deep:
 3429             #
 3430             #                      project 0
 3431             #             ____________|____________
 3432             #            |                         |
 3433             #         project 1                 project 4
 3434             #      ______|_____              ______|_____
 3435             #     |            |            |            |
 3436             #  project 2    project 3    project 5    project 6
 3437             #
 3438             # Also, create 1 user and 4 roles.
 3439             'entities': {
 3440                 'domains': {
 3441                     'projects': {'project': [{'project': 2},
 3442                                              {'project': 2}]},
 3443                     'users': 1},
 3444                 'roles': 4},
 3445             'assignments': [
 3446                 # An inherited assignment on project 1
 3447                 {'user': 0, 'role': 1, 'project': 1,
 3448                  'inherited_to_projects': True},
 3449                 # A direct assignment to project 2
 3450                 {'user': 0, 'role': 2, 'project': 2},
 3451                 # ...and two spoiler assignments, one to the root and one
 3452                 # to project 4
 3453                 {'user': 0, 'role': 0, 'project': 0},
 3454                 {'user': 0, 'role': 3, 'project': 4}],
 3455             'tests': [
 3456                 # List all effective assignments for project 1 and its subtree.
 3457                 {'params': {'project': 1, 'effective': True,
 3458                             'include_subtree': True},
 3459                  'results': [
 3460                      # The inherited assignment on project 1 should appear only
 3461                      # on its children
 3462                      {'user': 0, 'role': 1, 'project': 2,
 3463                       'indirect': {'project': 1}},
 3464                      {'user': 0, 'role': 1, 'project': 3,
 3465                       'indirect': {'project': 1}},
 3466                      # And finally the direct assignment on project 2
 3467                      {'user': 0, 'role': 2, 'project': 2}]}
 3468             ]
 3469         }
 3470 
 3471         self.execute_assignment_plan(test_plan)
 3472 
 3473     def test_list_effective_assignments_for_tree_with_mixed_assignments(self):
 3474         """Test that we correctly combine assignments for a tree.
 3475 
 3476         In this test we want to ensure that when asking for a list of
 3477         assignments in a subtree, any assignments inherited from above the
 3478         subtree are correctly combined with any assignments within the subtree
 3479         itself.
 3480 
 3481         """
 3482         test_plan = {
 3483             # Create a domain with a project hierarchy 3 levels deep:
 3484             #
 3485             #                      project 0
 3486             #             ____________|____________
 3487             #            |                         |
 3488             #         project 1                 project 4
 3489             #      ______|_____              ______|_____
 3490             #     |            |            |            |
 3491             #  project 2    project 3    project 5    project 6
 3492             #
 3493             # Also, create 2 users, 1 group and 4 roles.
 3494             'entities': {
 3495                 'domains': {
 3496                     'projects': {'project': [{'project': 2},
 3497                                              {'project': 2}]},
 3498                     'users': 2, 'groups': 1},
 3499                 'roles': 4},
 3500             # Both users are part of the same group
 3501             'group_memberships': [{'group': 0, 'users': [0, 1]}],
 3502             # We are going to ask for listing of assignment on project 1 and
 3503             # it's subtree. So first we'll add two inherited assignments above
 3504             # this (one user and one for a group that contains this user).
 3505             'assignments': [{'user': 0, 'role': 0, 'project': 0,
 3506                              'inherited_to_projects': True},
 3507                             {'group': 0, 'role': 1, 'project': 0,
 3508                              'inherited_to_projects': True},
 3509                             # Now an inherited assignment on project 1 itself,
 3510                             # which should ONLY show up on its children
 3511                             {'user': 0, 'role': 2, 'project': 1,
 3512                              'inherited_to_projects': True},
 3513                             # ...and a direct assignment on one of those
 3514                             # children
 3515                             {'user': 0, 'role': 3, 'project': 2},
 3516                             # The rest are spoiler assignments
 3517                             {'user': 0, 'role': 2, 'project': 5},
 3518                             {'user': 0, 'role': 3, 'project': 4}],
 3519             'tests': [
 3520                 # List all effective assignments for project 1 and its subtree.
 3521                 {'params': {'project': 1, 'user': 0, 'effective': True,
 3522                             'include_subtree': True},
 3523                  'results': [
 3524                      # First, we should see the inherited user assignment from
 3525                      # project 0 on all projects in the subtree
 3526                      {'user': 0, 'role': 0, 'project': 1,
 3527                       'indirect': {'project': 0}},
 3528                      {'user': 0, 'role': 0, 'project': 2,
 3529                       'indirect': {'project': 0}},
 3530                      {'user': 0, 'role': 0, 'project': 3,
 3531                       'indirect': {'project': 0}},
 3532                      # Also the inherited group assignment from project 0 on
 3533                      # the subtree
 3534                      {'user': 0, 'role': 1, 'project': 1,
 3535                       'indirect': {'project': 0, 'group': 0}},
 3536                      {'user': 0, 'role': 1, 'project': 2,
 3537                       'indirect': {'project': 0, 'group': 0}},
 3538                      {'user': 0, 'role': 1, 'project': 3,
 3539                       'indirect': {'project': 0, 'group': 0}},
 3540                      # The inherited assignment on project 1 should appear only
 3541                      # on its children
 3542                      {'user': 0, 'role': 2, 'project': 2,
 3543                       'indirect': {'project': 1}},
 3544                      {'user': 0, 'role': 2, 'project': 3,
 3545                       'indirect': {'project': 1}},
 3546                      # And finally the direct assignment on project 2
 3547                      {'user': 0, 'role': 3, 'project': 2}]}
 3548             ]
 3549         }
 3550 
 3551         self.execute_assignment_plan(test_plan)
 3552 
 3553     def test_list_effective_assignments_for_tree_with_domain_assignments(self):
 3554         """Test we correctly honor domain inherited assignments on the tree."""
 3555         test_plan = {
 3556             # Create a domain with a project hierarchy 3 levels deep:
 3557             #
 3558             #                      project 0
 3559             #             ____________|____________
 3560             #            |                         |
 3561             #         project 1                 project 4
 3562             #      ______|_____              ______|_____
 3563             #     |            |            |            |
 3564             #  project 2    project 3    project 5    project 6
 3565             #
 3566             # Also, create 1 user and 4 roles.
 3567             'entities': {
 3568                 'domains': {
 3569                     'projects': {'project': [{'project': 2},
 3570                                              {'project': 2}]},
 3571                     'users': 1},
 3572                 'roles': 4},
 3573             'assignments': [
 3574                 # An inherited assignment on the domain (which should be
 3575                 # applied to all the projects)
 3576                 {'user': 0, 'role': 1, 'domain': 0,
 3577                  'inherited_to_projects': True},
 3578                 # A direct assignment to project 2
 3579                 {'user': 0, 'role': 2, 'project': 2},
 3580                 # ...and two spoiler assignments, one to the root and one
 3581                 # to project 4
 3582                 {'user': 0, 'role': 0, 'project': 0},
 3583                 {'user': 0, 'role': 3, 'project': 4}],
 3584             'tests': [
 3585                 # List all effective assignments for project 1 and its subtree.
 3586                 {'params': {'project': 1, 'effective': True,
 3587                             'include_subtree': True},
 3588                  'results': [
 3589                      # The inherited assignment from the domain should appear
 3590                      # only on the part of the subtree we are interested in
 3591                      {'user': 0, 'role': 1, 'project': 1,
 3592                       'indirect': {'domain': 0}},
 3593                      {'user': 0, 'role': 1, 'project': 2,
 3594                       'indirect': {'domain': 0}},
 3595                      {'user': 0, 'role': 1, 'project': 3,
 3596                       'indirect': {'domain': 0}},
 3597                      # And finally the direct assignment on project 2
 3598                      {'user': 0, 'role': 2, 'project': 2}]}
 3599             ]
 3600         }
 3601 
 3602         self.execute_assignment_plan(test_plan)
 3603 
 3604     def test_list_user_ids_for_project_with_inheritance(self):
 3605         test_plan = {
 3606             # A domain with a project and sub-project, plus four users,
 3607             # two groups, as well as 4 roles.
 3608             'entities': {
 3609                 'domains': {'id': CONF.identity.default_domain_id, 'users': 4,
 3610                             'groups': 2,
 3611                             'projects': {'project': 1}},
 3612                 'roles': 4},
 3613             # Each group has a unique user member
 3614             'group_memberships': [{'group': 0, 'users': [1]},
 3615                                   {'group': 1, 'users': [3]}],
 3616             # Set up assignments so that there should end up with four
 3617             # effective assignments on project 1 - one direct, one due to
 3618             # group membership and one user assignment inherited from the
 3619             # parent and one group assignment inherited from the parent.
 3620             'assignments': [{'user': 0, 'role': 0, 'project': 1},
 3621                             {'group': 0, 'role': 1, 'project': 1},
 3622                             {'user': 2, 'role': 2, 'project': 0,
 3623                              'inherited_to_projects': True},
 3624                             {'group': 1, 'role': 3, 'project': 0,
 3625                              'inherited_to_projects': True}],
 3626         }
 3627         # Use assignment plan helper to create all the entities and
 3628         # assignments - then we'll run our own tests using the data
 3629         test_data = self.execute_assignment_plan(test_plan)
 3630         user_ids = PROVIDERS.assignment_api.list_user_ids_for_project(
 3631             test_data['projects'][1]['id'])
 3632         self.assertThat(user_ids, matchers.HasLength(4))
 3633         for x in range(0, 4):
 3634             self.assertIn(test_data['users'][x]['id'], user_ids)
 3635 
 3636     def test_list_role_assignment_using_inherited_sourced_groups(self):
 3637         """Test listing inherited assignments when restricted by groups."""
 3638         test_plan = {
 3639             # A domain with 3 users, 3 groups, 3 projects, a second domain,
 3640             # plus 3 roles.
 3641             'entities': {'domains': [{'users': 3, 'groups': 3, 'projects': 3},
 3642                                      1],
 3643                          'roles': 3},
 3644             # Users 0 & 1 are in the group 0, User 0 also in group 1
 3645             'group_memberships': [{'group': 0, 'users': [0, 1]},
 3646                                   {'group': 1, 'users': [0]}],
 3647             # Spread the assignments around - we want to be able to show that
 3648             # if sourced by group, assignments from other sources are excluded
 3649             'assignments': [{'user': 0, 'role': 0, 'domain': 0},
 3650                             {'group': 0, 'role': 1, 'domain': 1},
 3651                             {'group': 1, 'role': 2, 'domain': 0,
 3652                              'inherited_to_projects': True},
 3653                             {'group': 1, 'role': 2, 'project': 1},
 3654                             {'user': 2, 'role': 1, 'project': 1,
 3655                              'inherited_to_projects': True},
 3656                             {'group': 2, 'role': 2, 'project': 2}
 3657                             ],
 3658             'tests': [
 3659                 # List all effective assignments sourced from groups 0 and 1.
 3660                 # We should see the inherited group assigned on the 3 projects
 3661                 # from domain 0, as well as the direct assignments.
 3662                 {'params': {'source_from_group_ids': [0, 1],
 3663                             'effective': True},
 3664                  'results': [{'group': 0, 'role': 1, 'domain': 1},
 3665                              {'group': 1, 'role': 2, 'project': 0,
 3666                               'indirect': {'domain': 0}},
 3667                              {'group': 1, 'role': 2, 'project': 1,
 3668                               'indirect': {'domain': 0}},
 3669                              {'group': 1, 'role': 2, 'project': 2,
 3670                               'indirect': {'domain': 0}},
 3671                              {'group': 1, 'role': 2, 'project': 1}
 3672                              ]},
 3673             ]
 3674         }
 3675         self.execute_assignment_plan(test_plan)
 3676 
 3677 
 3678 class ImpliedRoleTests(AssignmentTestHelperMixin):
 3679 
 3680     def test_implied_role_crd(self):
 3681         prior_role_ref = unit.new_role_ref()
 3682         PROVIDERS.role_api.create_role(prior_role_ref['id'], prior_role_ref)
 3683         implied_role_ref = unit.new_role_ref()
 3684         PROVIDERS.role_api.create_role(
 3685             implied_role_ref['id'], implied_role_ref
 3686         )
 3687 
 3688         PROVIDERS.role_api.create_implied_role(
 3689             prior_role_ref['id'],
 3690             implied_role_ref['id'])
 3691         implied_role = PROVIDERS.role_api.get_implied_role(
 3692             prior_role_ref['id'],
 3693             implied_role_ref['id'])
 3694         expected_implied_role_ref = {
 3695             'prior_role_id': prior_role_ref['id'],
 3696             'implied_role_id': implied_role_ref['id']}
 3697         self.assertDictContainsSubset(
 3698             expected_implied_role_ref,
 3699             implied_role)
 3700 
 3701         PROVIDERS.role_api.delete_implied_role(
 3702             prior_role_ref['id'],
 3703             implied_role_ref['id'])
 3704         self.assertRaises(exception.ImpliedRoleNotFound,
 3705                           PROVIDERS.role_api.get_implied_role,
 3706                           uuid.uuid4().hex,
 3707                           uuid.uuid4().hex)
 3708 
 3709     def test_delete_implied_role_returns_not_found(self):
 3710         self.assertRaises(exception.ImpliedRoleNotFound,
 3711                           PROVIDERS.role_api.delete_implied_role,
 3712                           uuid.uuid4().hex,
 3713                           uuid.uuid4().hex)
 3714 
 3715     def test_role_assignments_simple_tree_of_implied_roles(self):
 3716         """Test that implied roles are expanded out."""
 3717         test_plan = {
 3718             'entities': {'domains': {'users': 1, 'projects': 1},
 3719                          'roles': 4},
 3720             # Three level tree of implied roles
 3721             'implied_roles': [{'role': 0, 'implied_roles': 1},
 3722                               {'role': 1, 'implied_roles': [2, 3]}],
 3723             'assignments': [{'user': 0, 'role': 0, 'project': 0}],
 3724             'tests': [
 3725                 # List all direct assignments for user[0], this should just
 3726                 # show the one top level role assignment
 3727                 {'params': {'user': 0},
 3728                  'results': [{'user': 0, 'role': 0, 'project': 0}]},
 3729                 # Listing in effective mode should show the implied roles
 3730                 # expanded out
 3731                 {'params': {'user': 0, 'effective': True},
 3732                  'results': [{'user': 0, 'role': 0, 'project': 0},
 3733                              {'user': 0, 'role': 1, 'project': 0,
 3734                               'indirect': {'role': 0}},
 3735                              {'user': 0, 'role': 2, 'project': 0,
 3736                               'indirect': {'role': 1}},
 3737                              {'user': 0, 'role': 3, 'project': 0,
 3738                               'indirect': {'role': 1}}]},
 3739             ]
 3740         }
 3741         self.execute_assignment_plan(test_plan)
 3742 
 3743     def test_circular_inferences(self):
 3744         """Test that implied roles are expanded out."""
 3745         test_plan = {
 3746             'entities': {'domains': {'users': 1, 'projects': 1},
 3747                          'roles': 4},
 3748             # Three level tree of implied roles
 3749             'implied_roles': [{'role': 0, 'implied_roles': [1]},
 3750                               {'role': 1, 'implied_roles': [2, 3]},
 3751                               {'role': 3, 'implied_roles': [0]}],
 3752             'assignments': [{'user': 0, 'role': 0, 'project': 0}],
 3753             'tests': [
 3754                 # List all direct assignments for user[0], this should just
 3755                 # show the one top level role assignment
 3756                 {'params': {'user': 0},
 3757                  'results': [{'user': 0, 'role': 0, 'project': 0}]},
 3758                 # Listing in effective mode should show the implied roles
 3759                 # expanded out
 3760                 {'params': {'user': 0, 'effective': True},
 3761                  'results': [{'user': 0, 'role': 0, 'project': 0},
 3762                              {'user': 0, 'role': 0, 'project': 0,
 3763                               'indirect': {'role': 3}},
 3764                              {'user': 0, 'role': 1, 'project': 0,
 3765                               'indirect': {'role': 0}},
 3766                              {'user': 0, 'role': 2, 'project': 0,
 3767                               'indirect': {'role': 1}},
 3768                              {'user': 0, 'role': 3, 'project': 0,
 3769                               'indirect': {'role': 1}}]},
 3770             ]
 3771         }
 3772         self.execute_assignment_plan(test_plan)
 3773 
 3774     def test_role_assignments_directed_graph_of_implied_roles(self):
 3775         """Test that a role can have multiple, different prior roles."""
 3776         test_plan = {
 3777             'entities': {'domains': {'users': 1, 'projects': 1},
 3778                          'roles': 6},
 3779             # Three level tree of implied roles, where one of the roles at the
 3780             # bottom is implied by more than one top level role
 3781             'implied_roles': [{'role': 0, 'implied_roles': [1, 2]},
 3782                               {'role': 1, 'implied_roles': [3, 4]},
 3783                               {'role': 5, 'implied_roles': 4}],
 3784             # The user gets both top level roles
 3785             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 3786                             {'user': 0, 'role': 5, 'project': 0}],
 3787             'tests': [
 3788                 # The implied roles should be expanded out and there should be
 3789                 # two entries for the role that had two different prior roles.
 3790                 {'params': {'user': 0, 'effective': True},
 3791                  'results': [{'user': 0, 'role': 0, 'project': 0},
 3792                              {'user': 0, 'role': 5, 'project': 0},
 3793                              {'user': 0, 'role': 1, 'project': 0,
 3794                               'indirect': {'role': 0}},
 3795                              {'user': 0, 'role': 2, 'project': 0,
 3796                               'indirect': {'role': 0}},
 3797                              {'user': 0, 'role': 3, 'project': 0,
 3798                               'indirect': {'role': 1}},
 3799                              {'user': 0, 'role': 4, 'project': 0,
 3800                               'indirect': {'role': 1}},
 3801                              {'user': 0, 'role': 4, 'project': 0,
 3802                               'indirect': {'role': 5}}]},
 3803             ]
 3804         }
 3805         test_data = self.execute_assignment_plan(test_plan)
 3806 
 3807         # We should also be able to get a similar (yet summarized) answer to
 3808         # the above by calling get_roles_for_user_and_project(), which should
 3809         # list the role_ids, yet remove any duplicates
 3810         role_ids = PROVIDERS.assignment_api.get_roles_for_user_and_project(
 3811             test_data['users'][0]['id'], test_data['projects'][0]['id'])
 3812         # We should see 6 entries, not 7, since role index 5 appeared twice in
 3813         # the answer from list_role_assignments
 3814         self.assertThat(role_ids, matchers.HasLength(6))
 3815         for x in range(0, 5):
 3816             self.assertIn(test_data['roles'][x]['id'], role_ids)
 3817 
 3818     def test_role_assignments_implied_roles_filtered_by_role(self):
 3819         """Test that you can filter by role even if roles are implied."""
 3820         test_plan = {
 3821             'entities': {'domains': {'users': 1, 'projects': 2},
 3822                          'roles': 4},
 3823             # Three level tree of implied roles
 3824             'implied_roles': [{'role': 0, 'implied_roles': 1},
 3825                               {'role': 1, 'implied_roles': [2, 3]}],
 3826             'assignments': [{'user': 0, 'role': 0, 'project': 0},
 3827                             {'user': 0, 'role': 3, 'project': 1}],
 3828             'tests': [
 3829                 # List effective roles filtering by one of the implied roles,
 3830                 # showing that the filter was implied post expansion of
 3831                 # implied roles (and that non implied roles are included in
 3832                 # the filter
 3833                 {'params': {'role': 3, 'effective': True},
 3834                  'results': [{'user': 0, 'role': 3, 'project': 0,
 3835                               'indirect': {'role': 1}},
 3836                              {'user': 0, 'role': 3, 'project': 1}]},
 3837             ]
 3838         }
 3839         self.execute_assignment_plan(test_plan)
 3840 
 3841     def test_role_assignments_simple_tree_of_implied_roles_on_domain(self):
 3842         """Test that implied roles are expanded out when placed on a domain."""
 3843         test_plan = {
 3844             'entities': {'domains': {'users': 1},
 3845                          'roles': 4},
 3846             # Three level tree of implied roles
 3847             'implied_roles': [{'role': 0, 'implied_roles': 1},
 3848                               {'role': 1, 'implied_roles': [2, 3]}],
 3849             'assignments': [{'user': 0, 'role': 0, 'domain': 0}],
 3850             'tests': [
 3851                 # List all direct assignments for user[0], this should just
 3852                 # show the one top level role assignment
 3853                 {'params': {'user': 0},
 3854                  'results': [{'user': 0, 'role': 0, 'domain': 0}]},
 3855                 # Listing in effective mode should how the implied roles
 3856                 # expanded out
 3857                 {'params': {'user': 0, 'effective': True},
 3858                  'results': [{'user': 0, 'role': 0, 'domain': 0},
 3859                              {'user': 0, 'role': 1, 'domain': 0,
 3860                               'indirect': {'role': 0}},
 3861                              {'user': 0, 'role': 2, 'domain': 0,
 3862                               'indirect': {'role': 1}},
 3863                              {'user': 0, 'role': 3, 'domain': 0,
 3864                               'indirect': {'role': 1}}]},
 3865             ]
 3866         }
 3867         self.execute_assignment_plan(test_plan)
 3868 
 3869     def test_role_assignments_inherited_implied_roles(self):
 3870         """Test that you can intermix inherited and implied roles."""
 3871         test_plan = {
 3872             'entities': {'domains': {'users': 1, 'projects': 1},
 3873                          'roles': 4},
 3874             # Simply one level of implied roles
 3875             'implied_roles': [{'role': 0, 'implied_roles': 1}],
 3876             # Assign to top level role as an inherited assignment to the
 3877             # domain
 3878             'assignments': [{'user': 0, 'role': 0, 'domain': 0,
 3879                              'inherited_to_projects': True}],
 3880             'tests': [
 3881                 # List all direct assignments for user[0], this should just
 3882                 # show the one top level role assignment
 3883                 {'params': {'user': 0},
 3884                  'results': [{'user': 0, 'role': 0, 'domain': 0,
 3885                               'inherited_to_projects': 'projects'}]},
 3886                 # List in effective mode - we should only see the initial and
 3887                 # implied role on the project (since inherited roles are not
 3888                 # active on their anchor point).
 3889                 {'params': {'user': 0, 'effective': True},
 3890                  'results': [{'user': 0, 'role': 0, 'project': 0,
 3891                               'indirect': {'domain': 0}},
 3892                              {'user': 0, 'role': 1, 'project': 0,
 3893                               'indirect': {'domain': 0, 'role': 0}}]},
 3894             ]
 3895         }
 3896         self.execute_assignment_plan(test_plan)
 3897 
 3898     def test_role_assignments_domain_specific_with_implied_roles(self):
 3899         test_plan = {
 3900             'entities': {'domains': {'users': 1, 'projects': 1, 'roles': 2},
 3901                          'roles': 2},
 3902             # Two level tree of implied roles, with the top and 1st level being
 3903             # domain specific roles, and the bottom level being inferred global
 3904             # roles.
 3905             'implied_roles': [{'role': 0, 'implied_roles': [1]},
 3906                               {'role': 1, 'implied_roles': [2, 3]}],
 3907             'assignments': [{'user': 0, 'role': 0, 'project': 0}],
 3908             'tests': [
 3909                 # List all direct assignments for user[0], this should just
 3910                 # show the one top level role assignment, even though this is a
 3911                 # domain specific role (since we are in non-effective mode and
 3912                 # we show any direct role assignment in that mode).
 3913                 {'params': {'user': 0},
 3914                  'results': [{'user': 0, 'role': 0, 'project': 0}]},
 3915                 # Now the effective ones - so the implied roles should be
 3916                 # expanded out, as well as any domain specific roles should be
 3917                 # removed.
 3918                 {'params': {'user': 0, 'effective': True},
 3919                  'results': [{'user': 0, 'role': 2, 'project': 0,
 3920                               'indirect': {'role': 1}},
 3921                              {'user': 0, 'role': 3, 'project': 0,
 3922                               'indirect': {'role': 1}}]},
 3923             ]
 3924         }
 3925         self.execute_assignment_plan(test_plan)
 3926 
 3927 
 3928 class SystemAssignmentTests(AssignmentTestHelperMixin):
 3929     def test_create_system_grant_for_user(self):
 3930         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 3931         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 3932         role_ref = self._create_role()
 3933 
 3934         PROVIDERS.assignment_api.create_system_grant_for_user(
 3935             user_id, role_ref['id']
 3936         )
 3937         system_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
 3938             user_id
 3939         )
 3940         self.assertEqual(len(system_roles), 1)
 3941         self.assertIsNone(system_roles[0]['domain_id'])
 3942         self.assertEqual(system_roles[0]['id'], role_ref['id'])
 3943         self.assertEqual(system_roles[0]['name'], role_ref['name'])
 3944 
 3945     def test_list_system_grants_for_user(self):
 3946         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 3947         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 3948         first_role = self._create_role()
 3949         second_role = self._create_role()
 3950 
 3951         PROVIDERS.assignment_api.create_system_grant_for_user(
 3952             user_id, first_role['id']
 3953         )
 3954         system_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
 3955             user_id
 3956         )
 3957         self.assertEqual(len(system_roles), 1)
 3958 
 3959         PROVIDERS.assignment_api.create_system_grant_for_user(
 3960             user_id, second_role['id']
 3961         )
 3962         system_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
 3963             user_id
 3964         )
 3965         self.assertEqual(len(system_roles), 2)
 3966 
 3967     def test_check_system_grant_for_user(self):
 3968         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 3969         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 3970         role = self._create_role()
 3971 
 3972         self.assertRaises(
 3973             exception.RoleAssignmentNotFound,
 3974             PROVIDERS.assignment_api.check_system_grant_for_user,
 3975             user_id,
 3976             role['id']
 3977         )
 3978 
 3979         PROVIDERS.assignment_api.create_system_grant_for_user(
 3980             user_id, role['id']
 3981         )
 3982         PROVIDERS.assignment_api.check_system_grant_for_user(
 3983             user_id, role['id']
 3984         )
 3985 
 3986     def test_delete_system_grant_for_user(self):
 3987         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 3988         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 3989         role = self._create_role()
 3990 
 3991         PROVIDERS.assignment_api.create_system_grant_for_user(
 3992             user_id, role['id']
 3993         )
 3994         system_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
 3995             user_id
 3996         )
 3997         self.assertEqual(len(system_roles), 1)
 3998 
 3999         PROVIDERS.assignment_api.delete_system_grant_for_user(
 4000             user_id, role['id']
 4001         )
 4002         system_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
 4003             user_id
 4004         )
 4005         self.assertEqual(len(system_roles), 0)
 4006 
 4007     def test_check_system_grant_for_user_with_invalid_role_fails(self):
 4008         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 4009         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 4010 
 4011         self.assertRaises(
 4012             exception.RoleAssignmentNotFound,
 4013             PROVIDERS.assignment_api.check_system_grant_for_user,
 4014             user_id,
 4015             uuid.uuid4().hex
 4016         )
 4017 
 4018     def test_check_system_grant_for_user_with_invalid_user_fails(self):
 4019         role = self._create_role()
 4020 
 4021         self.assertRaises(
 4022             exception.RoleAssignmentNotFound,
 4023             PROVIDERS.assignment_api.check_system_grant_for_user,
 4024             uuid.uuid4().hex,
 4025             role['id']
 4026         )
 4027 
 4028     def test_delete_system_grant_for_user_with_invalid_role_fails(self):
 4029         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 4030         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 4031         role = self._create_role()
 4032 
 4033         PROVIDERS.assignment_api.create_system_grant_for_user(
 4034             user_id, role['id']
 4035         )
 4036         self.assertRaises(
 4037             exception.RoleAssignmentNotFound,
 4038             PROVIDERS.assignment_api.delete_system_grant_for_user,
 4039             user_id,
 4040             uuid.uuid4().hex
 4041         )
 4042 
 4043     def test_delete_system_grant_for_user_with_invalid_user_fails(self):
 4044         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 4045         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 4046         role = self._create_role()
 4047 
 4048         PROVIDERS.assignment_api.create_system_grant_for_user(
 4049             user_id, role['id']
 4050         )
 4051         self.assertRaises(
 4052             exception.RoleAssignmentNotFound,
 4053             PROVIDERS.assignment_api.delete_system_grant_for_user,
 4054             uuid.uuid4().hex,
 4055             role['id']
 4056         )
 4057 
 4058     def test_list_system_grants_for_user_returns_empty_list(self):
 4059         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 4060         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 4061 
 4062         system_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
 4063             user_id
 4064         )
 4065         self.assertFalse(system_roles)
 4066 
 4067     def test_create_system_grant_for_user_fails_with_domain_role(self):
 4068         user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 4069         user_id = PROVIDERS.identity_api.create_user(user_ref)['id']
 4070         role = self._create_role(domain_id=CONF.identity.default_domain_id)
 4071 
 4072         self.assertRaises(
 4073             exception.ValidationError,
 4074             PROVIDERS.assignment_api.create_system_grant_for_user,
 4075             user_id,
 4076             role['id']
 4077         )
 4078 
 4079     def test_create_system_grant_for_group(self):
 4080         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4081         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4082         role_ref = self._create_role()
 4083 
 4084         PROVIDERS.assignment_api.create_system_grant_for_group(
 4085             group_id, role_ref['id']
 4086         )
 4087         system_roles = PROVIDERS.assignment_api.list_system_grants_for_group(
 4088             group_id
 4089         )
 4090         self.assertEqual(len(system_roles), 1)
 4091         self.assertIsNone(system_roles[0]['domain_id'])
 4092         self.assertEqual(system_roles[0]['id'], role_ref['id'])
 4093         self.assertEqual(system_roles[0]['name'], role_ref['name'])
 4094 
 4095     def test_list_system_grants_for_group(self):
 4096         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4097         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4098         first_role = self._create_role()
 4099         second_role = self._create_role()
 4100 
 4101         PROVIDERS.assignment_api.create_system_grant_for_group(
 4102             group_id, first_role['id']
 4103         )
 4104         system_roles = PROVIDERS.assignment_api.list_system_grants_for_group(
 4105             group_id
 4106         )
 4107         self.assertEqual(len(system_roles), 1)
 4108 
 4109         PROVIDERS.assignment_api.create_system_grant_for_group(
 4110             group_id, second_role['id']
 4111         )
 4112         system_roles = PROVIDERS.assignment_api.list_system_grants_for_group(
 4113             group_id
 4114         )
 4115         self.assertEqual(len(system_roles), 2)
 4116 
 4117     def test_check_system_grant_for_group(self):
 4118         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4119         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4120         role = self._create_role()
 4121 
 4122         self.assertRaises(
 4123             exception.RoleAssignmentNotFound,
 4124             PROVIDERS.assignment_api.check_system_grant_for_group,
 4125             group_id,
 4126             role['id']
 4127         )
 4128 
 4129         PROVIDERS.assignment_api.create_system_grant_for_group(
 4130             group_id, role['id']
 4131         )
 4132         PROVIDERS.assignment_api.check_system_grant_for_group(
 4133             group_id, role['id']
 4134         )
 4135 
 4136     def test_delete_system_grant_for_group(self):
 4137         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4138         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4139         role = self._create_role()
 4140 
 4141         PROVIDERS.assignment_api.create_system_grant_for_group(
 4142             group_id, role['id']
 4143         )
 4144         system_roles = PROVIDERS.assignment_api.list_system_grants_for_group(
 4145             group_id
 4146         )
 4147         self.assertEqual(len(system_roles), 1)
 4148 
 4149         PROVIDERS.assignment_api.delete_system_grant_for_group(
 4150             group_id, role['id']
 4151         )
 4152         system_roles = PROVIDERS.assignment_api.list_system_grants_for_group(
 4153             group_id
 4154         )
 4155         self.assertEqual(len(system_roles), 0)
 4156 
 4157     def test_check_system_grant_for_group_with_invalid_role_fails(self):
 4158         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4159         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4160 
 4161         self.assertRaises(
 4162             exception.RoleAssignmentNotFound,
 4163             PROVIDERS.assignment_api.check_system_grant_for_group,
 4164             group_id,
 4165             uuid.uuid4().hex
 4166         )
 4167 
 4168     def test_check_system_grant_for_group_with_invalid_group_fails(self):
 4169         role = self._create_role()
 4170 
 4171         self.assertRaises(
 4172             exception.RoleAssignmentNotFound,
 4173             PROVIDERS.assignment_api.check_system_grant_for_group,
 4174             uuid.uuid4().hex,
 4175             role['id']
 4176         )
 4177 
 4178     def test_delete_system_grant_for_group_with_invalid_role_fails(self):
 4179         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4180         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4181         role = self._create_role()
 4182 
 4183         PROVIDERS.assignment_api.create_system_grant_for_group(
 4184             group_id, role['id']
 4185         )
 4186         self.assertRaises(
 4187             exception.RoleAssignmentNotFound,
 4188             PROVIDERS.assignment_api.delete_system_grant_for_group,
 4189             group_id,
 4190             uuid.uuid4().hex
 4191         )
 4192 
 4193     def test_delete_system_grant_for_group_with_invalid_group_fails(self):
 4194         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4195         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4196         role = self._create_role()
 4197 
 4198         PROVIDERS.assignment_api.create_system_grant_for_group(
 4199             group_id, role['id']
 4200         )
 4201         self.assertRaises(
 4202             exception.RoleAssignmentNotFound,
 4203             PROVIDERS.assignment_api.delete_system_grant_for_group,
 4204             uuid.uuid4().hex,
 4205             role['id']
 4206         )
 4207 
 4208     def test_list_system_grants_for_group_returns_empty_list(self):
 4209         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4210         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4211 
 4212         system_roles = PROVIDERS.assignment_api.list_system_grants_for_group(
 4213             group_id
 4214         )
 4215         self.assertFalse(system_roles)
 4216 
 4217     def test_create_system_grant_for_group_fails_with_domain_role(self):
 4218         group_ref = unit.new_group_ref(CONF.identity.default_domain_id)
 4219         group_id = PROVIDERS.identity_api.create_group(group_ref)['id']
 4220         role = self._create_role(CONF.identity.default_domain_id)
 4221 
 4222         self.assertRaises(
 4223             exception.ValidationError,
 4224             PROVIDERS.assignment_api.create_system_grant_for_group,
 4225             group_id,
 4226             role['id']
 4227         )