Narrow expected responses for CheckUserInGroup
When checking whether a given user is in a given group, keystone will return a 404 Not Found if all went well but the user was not in the group. It may also return a 403 if the user and the group are in different backends, which would also mean that the user was not in the group[1]. Any other 400 response is a client error and any 500 response is a server error to which the user should be alerted. Without this patch, openstackclient treats any exception as a valid "not found" and may end up hiding server errors. This patch reduces the caught exceptions to 403 and 404 responses and treats everything else as an error. [1] https://developer.openstack.org/api-ref/identity/v3/?expanded=check-whether-user-belongs-to-group-detail#check-whether-user-belongs-to-group Closes-bug: #1672634 Change-Id: Id3f3b2409b7cee480ee3c19b6d6c3070599ffe8f
This commit is contained in:
parent
4a19f6753b
commit
853ea5ab59
@ -102,12 +102,15 @@ class CheckUserInGroup(command.Command):
|
|||||||
|
|
||||||
try:
|
try:
|
||||||
identity_client.users.check_in_group(user_id, group_id)
|
identity_client.users.check_in_group(user_id, group_id)
|
||||||
except Exception:
|
except ks_exc.http.HTTPClientError as e:
|
||||||
msg = _("%(user)s not in group %(group)s\n") % {
|
if e.http_status == 403 or e.http_status == 404:
|
||||||
'user': parsed_args.user,
|
msg = _("%(user)s not in group %(group)s\n") % {
|
||||||
'group': parsed_args.group,
|
'user': parsed_args.user,
|
||||||
}
|
'group': parsed_args.group,
|
||||||
sys.stderr.write(msg)
|
}
|
||||||
|
sys.stderr.write(msg)
|
||||||
|
else:
|
||||||
|
raise e
|
||||||
else:
|
else:
|
||||||
msg = _("%(user)s in group %(group)s\n") % {
|
msg = _("%(user)s in group %(group)s\n") % {
|
||||||
'user': parsed_args.user,
|
'user': parsed_args.user,
|
||||||
|
@ -115,6 +115,23 @@ class TestGroupCheckUser(TestGroup):
|
|||||||
self.user.id, self.group.id)
|
self.user.id, self.group.id)
|
||||||
self.assertIsNone(result)
|
self.assertIsNone(result)
|
||||||
|
|
||||||
|
def test_group_check_user_server_error(self):
|
||||||
|
def server_error(*args):
|
||||||
|
raise ks_exc.http.InternalServerError
|
||||||
|
self.users_mock.check_in_group.side_effect = server_error
|
||||||
|
arglist = [
|
||||||
|
self.group.name,
|
||||||
|
self.user.name,
|
||||||
|
]
|
||||||
|
verifylist = [
|
||||||
|
('group', self.group.name),
|
||||||
|
('user', self.user.name),
|
||||||
|
]
|
||||||
|
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
|
||||||
|
|
||||||
|
self.assertRaises(ks_exc.http.InternalServerError,
|
||||||
|
self.cmd.take_action, parsed_args)
|
||||||
|
|
||||||
|
|
||||||
class TestGroupCreate(TestGroup):
|
class TestGroupCreate(TestGroup):
|
||||||
|
|
||||||
|
5
releasenotes/notes/bug-1672634-ef754cb5109dd0f2.yaml
Normal file
5
releasenotes/notes/bug-1672634-ef754cb5109dd0f2.yaml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Narrow acceptable negative response codes for ``group contains user``
|
||||||
|
[Bug `1672634 <https://bugs.launchpad.net/python-openstackclient/+bug/1672634>`_]
|
Loading…
x
Reference in New Issue
Block a user