From 82dcde08f60c45002955875664a3cf82d1d211bc Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Mon, 21 Oct 2013 15:21:12 -0500
Subject: [PATCH] Fix remove role assignment adds role using LDAP assignment

When using the LDAP assignment backend, attempting to remove a role assignment when the role hadn't been used before would actually add the role assignment and would not return a 404 Not Found like the SQL backend.

This change makes it so that when attempt to remove a role that wasn't assigned then 404 Not Found is returned.

Closes-Bug: #1242855
Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
(cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
(cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)
(cherry picked from commit 4221b6020e6b0b42325d8904d7b8a22577a6acc0)
---
 keystone/identity/backends/ldap/core.py | 19 ++++---------------
 tests/test_backend.py | 9 +++++++++
 2 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 8ac7395..3d016c0 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -704,21 +704,10 @@ def delete_user(self, role_id, user_id, tenant_id):
         try:
             conn.modify_s(role_dn, [(ldap.MOD_DELETE, self.member_attribute, user_dn)])
-        except ldap.NO_SUCH_OBJECT:
-            if tenant_id is None or self.get(role_id) is None:
-                raise exception.RoleNotFound(role_id=role_id)
-            attrs = [('objectClass', [self.object_class]),
-                     (self.member_attribute, [user_dn])]
-
-            if self.use_dumb_member:
-                attrs[1][1].append(self.dumb_member)
-            try:
-                conn.add_s(role_dn, attrs)
-            except Exception as inst:
-                raise inst
-
-        except ldap.NO_SUCH_ATTRIBUTE:
-            raise exception.UserNotFound(user_id=user_id)
+        except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
+            raise exception.RoleNotFound(message=_(
+                'Cannot remove role that has not been granted, %s') %
+                role_id)
 
     def get_role_assignments(self, tenant_id):
         conn = self.get_connection()
diff --git a/tests/test_backend.py b/tests/test_backend.py
index d4c2e6c..1af3c16 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -57,6 +57,15 @@ def test_project_add_and_remove_user_role(self):
         user_refs = self.identity_api.get_project_users(self.tenant_bar['id'])
         self.assertNotIn(self.user_two['id'], [x['id'] for x in user_refs])
 
+    def test_remove_user_role_not_assigned(self):
+        # Expect failure if attempt to remove a role that was never assigned to
+        # the user.
+        self.assertRaises(exception.RoleNotFound,
+                          self.identity_api.remove_role_from_user_and_project,
+                          tenant_id=self.tenant_bar['id'],
+                          user_id=self.user_two['id'],
+                          role_id=self.role_other['id'])
+
     def test_authenticate_bad_user(self):
         self.assertRaises(AssertionError,
                           self.identity_api.authenticate,
-- 
1.8.4
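Review bot: The new `except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE)` fires both when the role entry at `role_dn` is absent and when the entry exists but `user_dn` is not among its `member_attribute` values, so the single message `'Cannot remove role that has not been granted, %s'` describes a missing role object as an ungranted one; both cases mapping to RoleNotFound is consistent with the 404 the commit message wants, but a comment would save the next reader from re-deriving the two LDAP result codes: `# NO_SUCH_OBJECT: the role entry does not exist; NO_SUCH_ATTRIBUTE: the user is not a member. Either way the grant is absent, so report 404 like the SQL backend.` With the `conn.add_s` fallback gone, `user_id` and `tenant_id` appear unused in this hunk; `delete_user` starts before the hunk, so if the rest of the body does not read them either, a note that they are retained for signature compatibility would explain why they survive. The removed branch re-created the role entry on a delete request, which is the privilege-granting path this commit closes; worth stating that intent in the docstring of `delete_user` rather than only in the commit message.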
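Review bot: The new test checks only that RoleNotFound is raised, while the defect it guards against is that the failed remove used to create the assignment, and nothing here verifies the assignment is still absent afterwards. A follow-up assertion such as `roles = self.identity_api.get_roles_for_user_and_project(self.user_two['id'], self.tenant_bar['id'])` and `self.assertNotIn(self.role_other['id'], roles)` would pin the actual regression, assuming that accessor is exposed on identity_api in this tree. The comment `# Expect failure if attempt to remove a role that was never assigned to the user.` would read more precisely as `# Removing a role that was never assigned to the user must fail and must not grant it.`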