From c6800ca1ac984c879e75826df6694d6199444ea0 Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Mon, 21 Oct 2013 15:31:23 -0500
Subject: [PATCH] Fix remove role assignment adds role using LDAP assignment

When using the LDAP assignment backend, attempting to remove a role assignment when the role hadn't been used before would actually add the role assignment and would not return a 404 Not Found like the SQL backend. This change makes it so that when attempt to remove a role that wasn't assigned then 404 Not Found is returned.

Closes-Bug: #1242855
Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
---
 keystone/assignment/backends/ldap.py | 18 ++++--------------
 keystone/tests/test_backend_ldap.py | 8 --------
 2 files changed, 4 insertions(+), 22 deletions(-)

diff --git a/keystone/assignment/backends/ldap.py b/keystone/assignment/backends/ldap.py
index 5e39083548..25179e3bc1 100644
--- a/keystone/assignment/backends/ldap.py
+++ b/keystone/assignment/backends/ldap.py
@@ -451,20 +451,10 @@ def delete_user(self, role_dn, user_dn, tenant_dn,
 try:
 conn.modify_s(role_dn, [(ldap.MOD_DELETE,
 self.member_attribute,
 user_dn)])
- except ldap.NO_SUCH_OBJECT:
- if tenant_dn is None:
- raise exception.RoleNotFound(role_id=role_id)
- attrs = [('objectClass', [self.object_class]),
- (self.member_attribute, [user_dn])]
-
- if self.use_dumb_member:
- attrs[1][1].append(self.dumb_member)
- try:
- conn.add_s(role_dn, attrs)
- except Exception as inst:
- raise inst
- except ldap.NO_SUCH_ATTRIBUTE:
- raise exception.UserNotFound(user_id=user_id)
+ except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
+ raise exception.RoleNotFound(message=_(
+ 'Cannot remove role that has not been granted, %s') %
+ role_id)
 finally:
 conn.unbind_s()
diff --git a/keystone/tests/test_backend_ldap.py b/keystone/tests/test_backend_ldap.py
index 5c20b4ea37..12833af4b6 100644
--- a/keystone/tests/test_backend_ldap.py
+++ b/keystone/tests/test_backend_ldap.py
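Review bot: The new `except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE)` clause folds two different LDAP conditions into a single `RoleNotFound` without saying why, and a one-line comment such as `# NO_SUCH_OBJECT: the role entry does not exist; NO_SUCH_ATTRIBUTE: the user is not a member of it -- either way the grant was never made` would keep a later maintainer from re-splitting the second case back into `UserNotFound`. With the `tenant_dn is None` and `UserNotFound` branches removed, `tenant_dn` and `user_id` from the signature shown in the hunk header are no longer read anywhere in this hunk; if the lines above the `try:` (outside the hunk) do not use them either, they are dead parameters and a short note on the signature that they are retained for the caller's interface would help. The custom `message=` also means the 404 body differs from the generic `exception.RoleNotFound(role_id=role_id)` text the removed lines used, which is worth checking against the SQL backend the description says this should match. delete_user's body begins outside the hunk.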
@@ -870,14 +870,6 @@ def test_list_projects_for_alternate_domain(self):
 self.skipTest(
 'N/A: LDAP does not support multiple domains')
 
- def test_remove_user_role_not_assigned(self):
- # This raises exception as expected with SQL assignment backend but
- # not with LDAP (see bug #1242855)
- self.identity_api.remove_role_from_user_and_project(
- tenant_id=self.tenant_bar['id'],
- user_id=self.user_two['id'],
- role_id=self.role_other['id'])
-
 
 class LDAPIdentityEnabledEmulation(LDAPIdentity):
 def setUp(self):