trustor_user_id not available in v2 trust token
The trust information in the v2 token is missing the trustor_user_id and impersonation values. This means you are unable to tell who gave you the trust. Change-Id: I7ed215b3353079d8ed9514c586d256c1226a2c19 Closes-bug: #1331882 DocImpact
This commit is contained in:
parent
7b819748c4
commit
16760cd13d
@ -250,6 +250,13 @@ class KeystoneToken(dict):
|
|||||||
else:
|
else:
|
||||||
return self.get('trust', {}).get('trustor_user_id')
|
return self.get('trust', {}).get('trustor_user_id')
|
||||||
|
|
||||||
|
@property
|
||||||
|
def trust_impersonation(self):
|
||||||
|
if self.version is V3:
|
||||||
|
return self.get('OS-TRUST:trust', {}).get('impersonation')
|
||||||
|
else:
|
||||||
|
return self.get('trust', {}).get('impersonation')
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def oauth_scoped(self):
|
def oauth_scoped(self):
|
||||||
return 'OS-OAUTH1' in self
|
return 'OS-OAUTH1' in self
|
||||||
|
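Review bot: The new `trust_impersonation` property has no docstring and yields None rather than False when the token carries no trust block, so a caller that must distinguish "not trust-scoped" from "impersonation disabled" can only learn that by reading the body; add `"""Return the trust's impersonation flag, or None if the token is not trust-scoped."""` directly under the `def`. Mirroring `trustor_user_id` just above is consistent, but because impersonation decides whose identity a trust-scoped token presents, the None case deserves to be stated explicitly. The enclosing KeystoneToken class continues outside the hunk.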
@ -1092,6 +1092,35 @@ class AuthWithTrust(AuthTest):
|
|||||||
new_trust['id'])['trust']
|
new_trust['id'])['trust']
|
||||||
self.assertEqual(3, trust['remaining_uses'])
|
self.assertEqual(3, trust['remaining_uses'])
|
||||||
|
|
||||||
|
def test_v2_trust_token_contains_trustor_user_id_and_impersonation(self):
|
||||||
|
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
|
||||||
|
auth_response = self.fetch_v2_token_from_trust(new_trust)
|
||||||
|
|
||||||
|
self.assertEqual(new_trust['trustee_user_id'],
|
||||||
|
auth_response['access']['trust']['trustee_user_id'])
|
||||||
|
self.assertEqual(new_trust['trustor_user_id'],
|
||||||
|
auth_response['access']['trust']['trustor_user_id'])
|
||||||
|
self.assertEqual(new_trust['impersonation'],
|
||||||
|
auth_response['access']['trust']['impersonation'])
|
||||||
|
self.assertEqual(new_trust['id'],
|
||||||
|
auth_response['access']['trust']['id'])
|
||||||
|
|
||||||
|
validate_response = self.controller.validate_token(
|
||||||
|
context=dict(is_admin=True, query_string={}),
|
||||||
|
token_id=auth_response['access']['token']['id'])
|
||||||
|
self.assertEqual(
|
||||||
|
new_trust['trustee_user_id'],
|
||||||
|
validate_response['access']['trust']['trustee_user_id'])
|
||||||
|
self.assertEqual(
|
||||||
|
new_trust['trustor_user_id'],
|
||||||
|
validate_response['access']['trust']['trustor_user_id'])
|
||||||
|
self.assertEqual(
|
||||||
|
new_trust['impersonation'],
|
||||||
|
validate_response['access']['trust']['impersonation'])
|
||||||
|
self.assertEqual(
|
||||||
|
new_trust['id'],
|
||||||
|
validate_response['access']['trust']['id'])
|
||||||
|
|
||||||
|
|
||||||
class TokenExpirationTest(AuthTest):
|
class TokenExpirationTest(AuthTest):
|
||||||
|
|
||||||
|
@ -34,7 +34,9 @@ SAMPLE_V2_TOKEN = {
|
|||||||
"access": {
|
"access": {
|
||||||
"trust": {
|
"trust": {
|
||||||
"id": "abc123",
|
"id": "abc123",
|
||||||
"trustee_user_id": "123456"
|
"trustee_user_id": "123456",
|
||||||
|
"trustor_user_id": "333333",
|
||||||
|
"impersonation": False
|
||||||
},
|
},
|
||||||
"serviceCatalog": [
|
"serviceCatalog": [
|
||||||
{
|
{
|
||||||
@ -341,7 +343,9 @@ SAMPLE_V2_TOKEN_WITH_EMBEDED_VERSION = {
|
|||||||
"access": {
|
"access": {
|
||||||
"trust": {
|
"trust": {
|
||||||
"id": "abc123",
|
"id": "abc123",
|
||||||
"trustee_user_id": "123456"
|
"trustee_user_id": "123456",
|
||||||
|
"trustor_user_id": "333333",
|
||||||
|
"impersonation": False
|
||||||
},
|
},
|
||||||
"serviceCatalog": [
|
"serviceCatalog": [
|
||||||
{
|
{
|
||||||
|
@ -180,7 +180,12 @@ class TestKeystoneTokenModel(core.TestCase):
|
|||||||
token_data.project_domain_name)
|
token_data.project_domain_name)
|
||||||
self.assertEqual(self.v2_sample_token['access']['trust']['id'],
|
self.assertEqual(self.v2_sample_token['access']['trust']['id'],
|
||||||
token_data.trust_id)
|
token_data.trust_id)
|
||||||
self.assertIsNone(token_data.trustor_user_id)
|
self.assertEqual(
|
||||||
|
self.v2_sample_token['access']['trust']['trustor_user_id'],
|
||||||
|
token_data.trustor_user_id)
|
||||||
|
self.assertEqual(
|
||||||
|
self.v2_sample_token['access']['trust']['impersonation'],
|
||||||
|
token_data.trust_impersonation)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
self.v2_sample_token['access']['trust']['trustee_user_id'],
|
self.v2_sample_token['access']['trust']['trustee_user_id'],
|
||||||
token_data.trustee_user_id)
|
token_data.trustee_user_id)
|
||||||
|
@ -34,7 +34,8 @@ CONF = config.CONF
|
|||||||
class V2TokenDataHelper(object):
|
class V2TokenDataHelper(object):
|
||||||
"""Creates V2 token data."""
|
"""Creates V2 token data."""
|
||||||
@classmethod
|
@classmethod
|
||||||
def format_token(cls, token_ref, roles_ref=None, catalog_ref=None):
|
def format_token(cls, token_ref, roles_ref=None, catalog_ref=None,
|
||||||
|
trust_ref=None):
|
||||||
audit_info = None
|
audit_info = None
|
||||||
user_ref = token_ref['user']
|
user_ref = token_ref['user']
|
||||||
metadata_ref = token_ref['metadata']
|
metadata_ref = token_ref['metadata']
|
||||||
@ -84,10 +85,14 @@ class V2TokenDataHelper(object):
|
|||||||
o['access']['metadata'] = {'is_admin': 0}
|
o['access']['metadata'] = {'is_admin': 0}
|
||||||
if 'roles' in metadata_ref:
|
if 'roles' in metadata_ref:
|
||||||
o['access']['metadata']['roles'] = metadata_ref['roles']
|
o['access']['metadata']['roles'] = metadata_ref['roles']
|
||||||
if CONF.trust.enabled and 'trust_id' in metadata_ref:
|
if CONF.trust.enabled and trust_ref:
|
||||||
o['access']['trust'] = {'trustee_user_id':
|
o['access']['trust'] = {'trustee_user_id':
|
||||||
metadata_ref['trustee_user_id'],
|
trust_ref['trustee_user_id'],
|
||||||
'id': metadata_ref['trust_id']
|
'id': trust_ref['id'],
|
||||||
|
'trustor_user_id':
|
||||||
|
trust_ref['trustor_user_id'],
|
||||||
|
'impersonation':
|
||||||
|
trust_ref['impersonation']
|
||||||
}
|
}
|
||||||
return o
|
return o
|
||||||
|
|
||||||
@ -401,8 +406,13 @@ class BaseProvider(provider.Provider):
|
|||||||
|
|
||||||
def issue_v2_token(self, token_ref, roles_ref=None,
|
def issue_v2_token(self, token_ref, roles_ref=None,
|
||||||
catalog_ref=None):
|
catalog_ref=None):
|
||||||
|
metadata_ref = token_ref['metadata']
|
||||||
|
trust_ref = None
|
||||||
|
if CONF.trust.enabled and metadata_ref and 'trust_id' in metadata_ref:
|
||||||
|
trust_ref = self.trust_api.get_trust(metadata_ref['trust_id'])
|
||||||
|
|
||||||
token_data = self.v2_token_data_helper.format_token(
|
token_data = self.v2_token_data_helper.format_token(
|
||||||
token_ref, roles_ref, catalog_ref)
|
token_ref, roles_ref, catalog_ref, trust_ref)
|
||||||
token_id = self._get_token_id(token_data)
|
token_id = self._get_token_id(token_data)
|
||||||
token_data['access']['token']['id'] = token_id
|
token_data['access']['token']['id'] = token_id
|
||||||
return token_id, token_data
|
return token_id, token_data
|
||||||
@ -551,8 +561,14 @@ class BaseProvider(provider.Provider):
|
|||||||
token_ref['user']['id'],
|
token_ref['user']['id'],
|
||||||
token_ref['tenant']['id'],
|
token_ref['tenant']['id'],
|
||||||
metadata_ref)
|
metadata_ref)
|
||||||
|
|
||||||
|
trust_ref = None
|
||||||
|
if CONF.trust.enabled and 'trust_id' in metadata_ref:
|
||||||
|
trust_ref = self.trust_api.get_trust(
|
||||||
|
metadata_ref['trust_id'])
|
||||||
|
|
||||||
token_data = self.v2_token_data_helper.format_token(
|
token_data = self.v2_token_data_helper.format_token(
|
||||||
token_ref, roles_ref, catalog_ref)
|
token_ref, roles_ref, catalog_ref, trust_ref)
|
||||||
return token_data
|
return token_data
|
||||||
except exception.ValidationError as e:
|
except exception.ValidationError as e:
|
||||||
LOG.exception(_('Failed to validate token'))
|
LOG.exception(_('Failed to validate token'))
|
||||||
|
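Review bot: The trust lookup added on the validation path (the `trust_ref = self.trust_api.get_trust(` block before the second `format_token` call) appears to sit inside a `try` whose only handler is `except exception.ValidationError`, so a trust deleted or expired after the token was issued makes `get_trust` raise whatever not-found error the trust API uses, and that propagates out of validation instead of being reported as an invalid token. Failing closed is the right outcome for a token whose trust no longer exists, but it should be deliberate: either catch that error and reject the token explicitly, or record the intent with `# A token whose trust no longer exists must fail validation; let the not-found error propagate.` The same guard is written two ways — `CONF.trust.enabled and metadata_ref and 'trust_id' in metadata_ref` in `issue_v2_token` versus `CONF.trust.enabled and 'trust_id' in metadata_ref` in the validate hunk — presumably because metadata_ref is already known to be non-None there, but the checks read better aligned. Separately, `format_token` now emits the trust block only when `trust_ref` is passed, so any other caller still relying on `metadata_ref['trust_id']` would silently lose the trust section; a docstring line for the new `trust_ref` parameter stating that the block is omitted without it would make that visible. Both method bodies extend outside their hunks.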