openstack-experimental
diff --git a/‎policy/project/user/role/revoke.rego‎
Lines changed: 27 additions & 0 deletions b/‎policy/project/user/role/revoke.rego‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎policy/project/user/role/revoke_test.rego‎
Lines changed: 20 additions & 0 deletions b/‎policy/project/user/role/revoke_test.rego‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎src/api/error.rs‎
Lines changed: 4 additions & 0 deletions b/‎src/api/error.rs‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/api/v3/role_assignment/project/user/role.rs‎
Lines changed: 2 additions & 1 deletion b/‎src/api/v3/role_assignment/project/user/role.rs‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/api/v3/role_assignment/project/user/role/grant.rs‎
Lines changed: 3 additions & 3 deletions b/‎src/api/v3/role_assignment/project/user/role/grant.rs‎
Lines changed: 3 additions & 3 deletions
@@ -0,0 +1,27 @@
+package identity.project.user.role.revoke
+
+import data.identity
+import data.identity.assignment
+
+# Revoke user a role on a project
+
+default allow := false
+
+allow if {
+    "admin" in input.credentials.roles
+}
+
+allow if {
+    "manager" in input.credentials.roles
+    assignment.project_role_domain_matches
+}
+
+
+violation contains {"field": "domain_id", "msg": "revoking a role from a user on a project requires admin or manager role in the domain scope."} if {
+	not "admin" in input.credentials.roles
+	not "manager" in input.credentials.roles
+}
+
+violation contains {"field": "domain_id", "msg": "revoking a role from a user on a project requires domain scope matching the domain_id of the target project and role (or a global role)."} if {
+	assignment.project_role_domain_matches
+}
@@ -0,0 +1,20 @@
+package test_project_user_role_revoke
+
+import data.identity.project.user.role.revoke
+
+test_allowed if {
+	revoke.allow with input as {"credentials": {"roles": ["admin"]}}
+	revoke.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo"}, "project": {"domain_id": "foo"}, "role": {"domain_id": null}}}
+	revoke.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo"}, "project": {"domain_id": "foo"}, "role": {"domain_id": "foo"}}}
+}
+
+test_forbidden if {
+	not revoke.allow with input as {"credentials": {"roles": []}}
+	not revoke.allow with input as {"credentials": {"roles": ["reader"], "system": "foo"}}
+	not revoke.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo1"}, "project": {"domain_id": "foo"}, "role": {"domain_id": "foo"}}}
+	not revoke.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo1"}, "project": {"domain_id": "foo1"}, "role": {"domain_id": "foo1"}}}
+	not revoke.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo"}, "project": {"domain_id": "foo1"}, "role": {"domain_id": "foo1"}}}
+	not revoke.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo1"}, "project": {"domain_id": "foo1"}, "role": {"domain_id": "foo1"}}}
+	not revoke.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "foo"}, "target": {"project": {"domain_id": "foo"}, "role": {"domain_id": "foo"}}}
+	not revoke.allow with input as {"credentials": {"roles": ["member"], "domain_id": "foo"}, "target": {"project": {"domain_id": "foo"}, "role": {"domain_id": "foo"}, "user": {"domain_id": "foo"}}}
+}
@@ -175,6 +175,10 @@ impl From<AuthenticationError> for KeystoneApiError {
 impl From<AssignmentProviderError> for KeystoneApiError {
     fn from(source: AssignmentProviderError) -> Self {
         match source {
+            AssignmentProviderError::AssignmentNotFound(x) => Self::NotFound {
+                resource: "assignment".into(),
+                identifier: x,
+            },
             AssignmentProviderError::RoleNotFound(x) => Self::NotFound {
                 resource: "role".into(),
                 identifier: x,
 
@@ -18,7 +18,8 @@ use crate::keystone::ServiceState;
 
 mod check;
 mod grant;
+mod revoke;
 
 pub(crate) fn openapi_router() -> OpenApiRouter<ServiceState> {
-    OpenApiRouter::new().routes(routes!(check::check, grant::grant))
+    OpenApiRouter::new().routes(routes!(check::check, grant::grant, revoke::revoke))
 }
@@ -33,15 +33,15 @@ use crate::{
     resource::ResourceApi,
 };
 
-/// Assign role to group on project
+/// Assign role to user on project
 ///
-/// Assigns a role to a group on a project.
+/// Assigns a role to a user on a project.
 #[utoipa::path(
     put,
     path = "/projects/{project_id}/users/{user_id}/roles/{role_id}",
     operation_id = "/project/user/role:put",
     params(
-      ("role_id" = String, Path, description = "The user ID."),
+      ("role_id" = String, Path, description = "The role ID."),
       ("project_id" = String, Path, description = "The project ID."),
       ("user_id" = String, Path, description = "The user ID.")
     ),
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,8 @@ use crate::keystone::ServiceState;`
`18`	`18`
`19`	`19`	`mod check;`
`20`	`20`	`mod grant;`
	`21`	`+mod revoke;`
`21`	`22`
`22`	`23`	`pub(crate) fn openapi_router() -> OpenApiRouter<ServiceState> {`
`23`		`- OpenApiRouter::new().routes(routes!(check::check, grant::grant))`
	`24`	`+ OpenApiRouter::new().routes(routes!(check::check, grant::grant, revoke::revoke))`
`24`	`25`	`}`