openstack/keystone
Code Issues Proposed changes

Fix validation of role assignment subtree list

Browse Source 
Without this patch, if a project ID is not passed as query argument, a
target of {} is passed to the enforcer and causes a type error to be
raised ("'NoneType' object is not callable") which then is emitted as a
validation error to the user rather than as a server error. This patch
fixes the issue by correctly passing in None as the default target,
which is what the enforcer expects, which then allows the validation to
continue and return a more helpful error message about the required
query parameter.

Change-Id: If7f0fa4dd072b0f00172161da4f7b91f8c1e1f10
This commit is contained in:
Colleen Murphy
2019-09-17 14:19:56 -07:00
committed by Colleen Murphy
parent 5e35efd55f
commit 12bda9fc3a
2 changed files with 12 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
keystone/api/role_assignments.py
View File

@@ -80,12 +80,12 @@ class RoleAssignmentsResource(ks_flask.ResourceBase):
'group.id', 'role.id', 'scope.domain.id', 'scope.project.id', 'group.id', 'role.id', 'scope.domain.id', 'scope.project.id',
'scope.OS-INHERIT:inherited_to', 'user.id' 'scope.OS-INHERIT:inherited_to', 'user.id'
] ]
target = {} target = None
if 'scope.project.id' in flask.request.args: if 'scope.project.id' in flask.request.args:
project_id = flask.request.args['scope.project.id'] project_id = flask.request.args['scope.project.id']
if project_id: if project_id:
target['project'] = PROVIDERS.resource_api.get_project( target = {'project': PROVIDERS.resource_api.get_project(
project_id) project_id)}
ENFORCER.enforce_call(action='identity:list_role_assignments_for_tree', ENFORCER.enforce_call(action='identity:list_role_assignments_for_tree',
filters=filters, target_attr=target) filters=filters, target_attr=target)
if not flask.request.args.get('scope.project.id'): if not flask.request.args.get('scope.project.id'):

14
keystone/tests/unit/test_v3_assignment.py
View File

@@ -2596,11 +2596,15 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
def test_project_id_specified_if_include_subtree_specified(self): def test_project_id_specified_if_include_subtree_specified(self):
"""When using include_subtree, you must specify a project ID.""" """When using include_subtree, you must specify a project ID."""
self.get('/role_assignments?include_subtree=True', r = self.get('/role_assignments?include_subtree=True',
expected_status=http_client.BAD_REQUEST) expected_status=http_client.BAD_REQUEST)
self.get('/role_assignments?scope.project.id&' error_msg = ("scope.project.id must be specified if include_subtree "
'include_subtree=True', "is also specified")
expected_status=http_client.BAD_REQUEST) self.assertEqual(error_msg, r.result['error']['message'])
r = self.get('/role_assignments?scope.project.id&'
'include_subtree=True',
expected_status=http_client.BAD_REQUEST)
self.assertEqual(error_msg, r.result['error']['message'])
def test_get_role_assignments_for_project_tree(self): def test_get_role_assignments_for_project_tree(self):
"""Get role_assignment?scope.project.id=X&include_subtree``. """Get role_assignment?scope.project.id=X&include_subtree``.