trustor_user_id not available in v2 trust token
The trust information in the v2 token is missing the trustor_user_id and impersonation values. This means you are unable to tell who gave you the trust. Change-Id: I7ed215b3353079d8ed9514c586d256c1226a2c19 Closes-bug: #1331882 DocImpact
This commit is contained in:
parent
7b819748c4
commit
16760cd13d
@ -250,6 +250,13 @@ class KeystoneToken(dict):
|
||||
else:
|
||||
return self.get('trust', {}).get('trustor_user_id')
|
||||
|
||||
@property
|
||||
def trust_impersonation(self):
|
||||
if self.version is V3:
|
||||
return self.get('OS-TRUST:trust', {}).get('impersonation')
|
||||
else:
|
||||
return self.get('trust', {}).get('impersonation')
|
||||
|
||||
@property
|
||||
def oauth_scoped(self):
|
||||
return 'OS-OAUTH1' in self
|
||||
|
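Review bot: The new `trust_impersonation` property has no docstring, and because it reads `self.get('trust', {}).get('impersonation')` it yields None both for a token that is not trust-scoped and for a trust block that lacks the key, which callers branching on the flag must not confuse with False. Add `"""Return the trust's impersonation flag, or None when the token is not trust-scoped."""` under the def, and the same None contract is worth stating on `trustor_user_id`, whose tail is the context at the top of the hunk. The enclosing `KeystoneToken` class continues outside the hunk.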
@ -1092,6 +1092,35 @@ class AuthWithTrust(AuthTest):
|
||||
new_trust['id'])['trust']
|
||||
self.assertEqual(3, trust['remaining_uses'])
|
||||
|
||||
def test_v2_trust_token_contains_trustor_user_id_and_impersonation(self):
|
||||
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
|
||||
auth_response = self.fetch_v2_token_from_trust(new_trust)
|
||||
|
||||
self.assertEqual(new_trust['trustee_user_id'],
|
||||
auth_response['access']['trust']['trustee_user_id'])
|
||||
self.assertEqual(new_trust['trustor_user_id'],
|
||||
auth_response['access']['trust']['trustor_user_id'])
|
||||
self.assertEqual(new_trust['impersonation'],
|
||||
auth_response['access']['trust']['impersonation'])
|
||||
self.assertEqual(new_trust['id'],
|
||||
auth_response['access']['trust']['id'])
|
||||
|
||||
validate_response = self.controller.validate_token(
|
||||
context=dict(is_admin=True, query_string={}),
|
||||
token_id=auth_response['access']['token']['id'])
|
||||
self.assertEqual(
|
||||
new_trust['trustee_user_id'],
|
||||
validate_response['access']['trust']['trustee_user_id'])
|
||||
self.assertEqual(
|
||||
new_trust['trustor_user_id'],
|
||||
validate_response['access']['trust']['trustor_user_id'])
|
||||
self.assertEqual(
|
||||
new_trust['impersonation'],
|
||||
validate_response['access']['trust']['impersonation'])
|
||||
self.assertEqual(
|
||||
new_trust['id'],
|
||||
validate_response['access']['trust']['id'])
|
||||
|
||||
|
||||
class TokenExpirationTest(AuthTest):
|
||||
|
||||
|
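Review bot: The new test spells out `auth_response['access']['trust'][...]` and `validate_response['access']['trust'][...]` four times each, which buries the four keys being compared. Binding the dicts once, `trust = auth_response['access']['trust']` and `validated_trust = validate_response['access']['trust']`, and then looping `for key in ('id', 'trustee_user_id', 'trustor_user_id', 'impersonation'):` with `self.assertEqual(new_trust[key], trust[key])` keeps each comparison on one line and makes a missing key fail with its name.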
@ -34,7 +34,9 @@ SAMPLE_V2_TOKEN = {
|
||||
"access": {
|
||||
"trust": {
|
||||
"id": "abc123",
|
||||
"trustee_user_id": "123456"
|
||||
"trustee_user_id": "123456",
|
||||
"trustor_user_id": "333333",
|
||||
"impersonation": False
|
||||
},
|
||||
"serviceCatalog": [
|
||||
{
|
||||
@ -341,7 +343,9 @@ SAMPLE_V2_TOKEN_WITH_EMBEDED_VERSION = {
|
||||
"access": {
|
||||
"trust": {
|
||||
"id": "abc123",
|
||||
"trustee_user_id": "123456"
|
||||
"trustee_user_id": "123456",
|
||||
"trustor_user_id": "333333",
|
||||
"impersonation": False
|
||||
},
|
||||
"serviceCatalog": [
|
||||
{
|
||||
|
@ -180,7 +180,12 @@ class TestKeystoneTokenModel(core.TestCase):
|
||||
token_data.project_domain_name)
|
||||
self.assertEqual(self.v2_sample_token['access']['trust']['id'],
|
||||
token_data.trust_id)
|
||||
self.assertIsNone(token_data.trustor_user_id)
|
||||
self.assertEqual(
|
||||
self.v2_sample_token['access']['trust']['trustor_user_id'],
|
||||
token_data.trustor_user_id)
|
||||
self.assertEqual(
|
||||
self.v2_sample_token['access']['trust']['impersonation'],
|
||||
token_data.trust_impersonation)
|
||||
self.assertEqual(
|
||||
self.v2_sample_token['access']['trust']['trustee_user_id'],
|
||||
token_data.trustee_user_id)
|
||||
|
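Review bot: The added assertions only cover the positive case on the trust-scoped sample token; nothing visible here checks that `trust_impersonation` and `trustor_user_id` come back as None for a v2 token without a trust block, which is the branch the model's `.get('trust', {})` default exists for. If no other test in this class covers it, an assertion on the non-trust sample such as `self.assertIsNone(token_data.trust_impersonation)` would pin that contract. The enclosing test method starts outside the hunk.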
@ -34,7 +34,8 @@ CONF = config.CONF
|
||||
class V2TokenDataHelper(object):
|
||||
"""Creates V2 token data."""
|
||||
@classmethod
|
||||
def format_token(cls, token_ref, roles_ref=None, catalog_ref=None):
|
||||
def format_token(cls, token_ref, roles_ref=None, catalog_ref=None,
|
||||
trust_ref=None):
|
||||
audit_info = None
|
||||
user_ref = token_ref['user']
|
||||
metadata_ref = token_ref['metadata']
|
||||
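Review bot: `format_token` gains a `trust_ref` parameter but its only documentation is the class docstring `"""Creates V2 token data."""`, so the contract that `trust_ref` is the trust record named by `token_ref['metadata']['trust_id']` (as both callers on this page arrange) is unstated. Add a method docstring describing `trust_ref` as the optional trust dict to render under `access.trust`, honoured only when `CONF.trust.enabled` is set. The method body continues outside the hunk.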
@ -84,10 +85,14 @@ class V2TokenDataHelper(object):
|
||||
o['access']['metadata'] = {'is_admin': 0}
|
||||
if 'roles' in metadata_ref:
|
||||
o['access']['metadata']['roles'] = metadata_ref['roles']
|
||||
if CONF.trust.enabled and 'trust_id' in metadata_ref:
|
||||
if CONF.trust.enabled and trust_ref:
|
||||
o['access']['trust'] = {'trustee_user_id':
|
||||
metadata_ref['trustee_user_id'],
|
||||
'id': metadata_ref['trust_id']
|
||||
trust_ref['trustee_user_id'],
|
||||
'id': trust_ref['id'],
|
||||
'trustor_user_id':
|
||||
trust_ref['trustor_user_id'],
|
||||
'impersonation':
|
||||
trust_ref['impersonation']
|
||||
}
|
||||
return o
|
||||
|
||||
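Review bot: The `access.trust` block is now built entirely from `trust_ref`, and the condition `if CONF.trust.enabled and trust_ref:` no longer ties it to `metadata_ref['trust_id']`, so the helper relies on every caller passing the trust that the token metadata actually names (the two callers on this page do). A comment stating that contract at the condition would keep a future caller from passing an unrelated trust. The dict literal is also hard to read with keys and values split across lines; a flat literal with one key per line is clearer.
```python
        if CONF.trust.enabled and trust_ref:
            # trust_ref must be the trust named by metadata_ref['trust_id'];
            # callers look it up before calling format_token.
            o['access']['trust'] = {
                'id': trust_ref['id'],
                'trustee_user_id': trust_ref['trustee_user_id'],
                'trustor_user_id': trust_ref['trustor_user_id'],
                'impersonation': trust_ref['impersonation'],
            }
        return o
```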
@ -401,8 +406,13 @@ class BaseProvider(provider.Provider):
|
||||
|
||||
def issue_v2_token(self, token_ref, roles_ref=None,
|
||||
catalog_ref=None):
|
||||
metadata_ref = token_ref['metadata']
|
||||
trust_ref = None
|
||||
if CONF.trust.enabled and metadata_ref and 'trust_id' in metadata_ref:
|
||||
trust_ref = self.trust_api.get_trust(metadata_ref['trust_id'])
|
||||
|
||||
token_data = self.v2_token_data_helper.format_token(
|
||||
token_ref, roles_ref, catalog_ref)
|
||||
token_ref, roles_ref, catalog_ref, trust_ref)
|
||||
token_id = self._get_token_id(token_data)
|
||||
token_data['access']['token']['id'] = token_id
|
||||
return token_id, token_data
|
||||
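Review bot: The lookup guard `if CONF.trust.enabled and metadata_ref and 'trust_id' in metadata_ref:` differs from the one added in the validate hunk further down (`if CONF.trust.enabled and 'trust_id' in metadata_ref:`), which has no `metadata_ref and` check; if `token_ref['metadata']` can be None on the validate path, that line raises TypeError instead of returning a validation result. Either both paths accept a None `metadata_ref` or neither should, and the three lines could live in one private helper such as `_get_trust_ref(metadata_ref)` so the two paths cannot drift. The behaviour of `trust_api.get_trust` for a missing trust is not shown here; a short comment noting that a failed lookup is expected to abort issuance rather than fall back to a non-trust token would make the intent explicit.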
@ -551,8 +561,14 @@ class BaseProvider(provider.Provider):
|
||||
token_ref['user']['id'],
|
||||
token_ref['tenant']['id'],
|
||||
metadata_ref)
|
||||
|
||||
trust_ref = None
|
||||
if CONF.trust.enabled and 'trust_id' in metadata_ref:
|
||||
trust_ref = self.trust_api.get_trust(
|
||||
metadata_ref['trust_id'])
|
||||
|
||||
token_data = self.v2_token_data_helper.format_token(
|
||||
token_ref, roles_ref, catalog_ref)
|
||||
token_ref, roles_ref, catalog_ref, trust_ref)
|
||||
return token_data
|
||||
except exception.ValidationError as e:
|
||||
LOG.exception(_('Failed to validate token'))
|
||||
|
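Review bot: With `trust_ref = None` as the default, a trust lookup that returns a falsy value instead of raising would make `format_token` omit the `access.trust` block, and the validated token would then read as an ordinary unscoped v2 token. If `trust_api.get_trust` can return None for a deleted or missing trust, the validate path should reject the token at that point rather than format it, e.g. `if trust_ref is None: raise <not-found exception>` before the `format_token` call, and the same guard belongs in `issue_v2_token` above. The enclosing function, including the `try` whose `except exception.ValidationError` is visible here, starts outside the hunk.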