Merge "Fix checking of roles"

2019-05-29 00:25:41 +00:00 · 2019-05-29 00:25:41 +00:00 · 1e62b12ef3
commit 1e62b12ef3
parent c3e9dd8975 21fa0d77f9
2 changed files with 81 additions and 11 deletions
--- a/config_tempest/tests/test_users.py
+++ b/config_tempest/tests/test_users.py
@ -28,7 +28,7 @@ class TestUsers(BaseConfigTempestTest):
        # Story 2003388
        super(TestUsers, self).setUp()
        self.conf = self._get_conf("v2.0", "v3")
-        self.conf.set("auth", "tempest_roles", "_member_")
+        self.conf.set("auth", "tempest_roles", "fake_role")
        projects_client = self._get_clients(self.conf).projects
        users_client = self._get_clients(self.conf).users
        roles_client = self._get_clients(self.conf).roles
@ -285,3 +285,53 @@ class TestUsers(BaseConfigTempestTest):
        self.Service.give_role_to_user(
            username=self.username,
            role_name=self.role_name)
+
+    def _check_user_roles(self, user_roles, system_roles):
+        self.Service._conf.set('auth', 'tempest_roles', user_roles)
+        return self.Service.check_user_roles(system_roles)
+
+    @mock.patch('logging.Logger.debug')
+    def _check_user_role_does_not_exist(self, system_roles, LOG_mock,
+                                        default_role='member'):
+        roles = self._check_user_roles('doesNotExist', system_roles)
+        # check if it fell down to member
+        conf = self.Service._conf
+        self.assertEqual(conf.get('auth', 'tempest_roles'), default_role)
+        self.assertEqual(roles, [])
+        self.assertEqual(len(LOG_mock.mock_calls), 3)
+
+    def test_check_user_role_exists(self):
+        system_roles = {'roles': [{'name': 'role1'}, {'name': 'role2'}]}
+        roles = self._check_user_roles('role1', system_roles)
+        self.assertEqual(roles[0], 'role1')
+
+    @mock.patch('logging.Logger.debug')
+    def test_check_user_roles_one_exists(self, LOG_mock):
+        system_roles = {'roles': [{'name': 'role1'}, {'name': 'role2'}]}
+        roles = self._check_user_roles('role1, doesNotExist', system_roles)
+        self.assertEqual(roles[0], 'role1')
+        self.assertEqual(len(LOG_mock.mock_calls), 2)
+
+    @mock.patch('logging.Logger.debug')
+    def test_check_user_roles_two_exist(self, LOG_mock):
+        system_roles = {'roles': [{'name': 'role1'}, {'name': 'role2'}]}
+        roles = self._check_user_roles('role1,role2', system_roles)
+        self.assertEqual(roles[0], 'role1')
+        self.assertEqual(roles[1], 'role2')
+        self.assertEqual(len(LOG_mock.mock_calls), 1)
+
+    def test_check_user_role_does_not_exist_fall_to_member(self):
+        system_roles = {'roles': [{'name': 'role1'}, {'name': 'member'}]}
+        self._check_user_role_does_not_exist(system_roles)
+
+    def test_check_user_role_does_not_exist_fall_to_Member(self):
+        system_roles = {'roles': [{'name': 'role1'}, {'name': 'Member'}]}
+        self._check_user_role_does_not_exist(system_roles,
+                                             default_role='Member')
+
+    @mock.patch('logging.Logger.debug')
+    def test_check_user_role_does_not_exist_no_member(self, LOG_mock):
+        system_roles = {'roles': [{'name': 'role1'}]}
+        roles = self._check_user_roles('doesNotExist', system_roles)
+        self.assertEqual(roles, [])
+        self.assertEqual(len(LOG_mock.mock_calls), 4)
--- a/config_tempest/users.py
+++ b/config_tempest/users.py
@ -62,16 +62,7 @@ class Users(object):
        user_ids = [u['id'] for u in users['users'] if u['name'] == username]
        user_id = user_ids[0]
        roles = self.roles_client.list_roles()
-        # check auth.tempest_roles
-        roles_names = [r['name'] for r in roles['roles']]
-        if self._conf.get('auth', 'tempest_roles') not in roles_names:
-            # try 'member', usually it's present in a system
-            if 'member' in roles_names:
-                self._conf.set('auth', 'tempest_roles', 'member')
-            else:
-                # the default role/role given by user or 'member' role are not
-                # present in the system, remove the option completely
-                self._conf.remove_option('auth', 'tempest_roles')
+        self.check_user_roles(roles)
        role_ids = [r['id'] for r in roles['roles'] if r['name'] == role_name]
        if not role_ids:
            if role_required:
@ -88,6 +79,35 @@ class Users(object):
            LOG.debug("(no change) User '%s' already has the '%s' role in"
                      " project '%s'", username, role_name, project_name)

+    def check_user_roles(self, roles):
+        """Check if roles provided by user (or the default one) exist.
+
+        :param roles: value returned by roles_client.list_roles
+        :type roles: dict
+        :return: List of the existing roles given by user (or by defaults)
+        :rtype: list
+        """
+        roles_names = [r['name'] for r in roles['roles']]
+        user_roles = self._conf.get('auth', 'tempest_roles').split(',')
+        available_roles = []
+        for r in user_roles:
+            if r in roles_names:
+                available_roles.append(r)
+            else:
+                LOG.debug("Provided %s role is not present in the system.", r)
+
+        if len(available_roles) == 0:
+            # try 'member' or 'Member', they might present in a system
+            if 'member' in roles_names:
+                self._conf.set('auth', 'tempest_roles', 'member')
+            elif 'Member' in roles_names:
+                self._conf.set('auth', 'tempest_roles', 'Member')
+            else:
+                LOG.debug("Setting auth.tempest_roles to an empty list "
+                          "because none of the provided roles exists.")
+                self._conf.set('auth', 'tempest_roles', "")
+        return available_roles
+
    def create_user_with_project(self, username, password, project_name):
        """Create a user and a project if it doesn't exist.