Populate context roles when using stored context

Currently we leave the context roles empty when loading the stored context, even though there are roles associated with e.g the trust scoped token used via loading the stored context. Loading the auth ref and populating the roles from the token ensure any RBAC performed on the context roles will work as expected. Change-Id: I7d699bcf947940357a6eb6ae2d17027ec8d6bd04 Closes-Bug: #1529354 (cherry picked from commit ce46629661)
2016-01-05 22:41:05 +00:00 · 2016-01-05 22:41:05 +00:00 · 65fe32d3ac
parent dc8ccd8ee1
commit 65fe32d3ac
4 changed files with 34 additions and 2 deletions
--- a/heat/common/heat_keystoneclient.py
+++ b/heat/common/heat_keystoneclient.py
@ -555,6 +555,10 @@ class KeystoneClientV3(object):
    def auth_token(self):
        return self.context.auth_plugin.get_token(self.session)

+    @property
+    def auth_ref(self):
+        return self.context.auth_plugin.get_access(self.session)
+

 class KeystoneClient(object):

--- a/heat/engine/stack.py
+++ b/heat/engine/stack.py
@ -188,6 +188,8 @@ class Stack(collections.Mapping):

        if use_stored_context:
            self.context = self.stored_context()
+            self.context.roles = self.context.clients.client(
+                'keystone').auth_ref.role_names

        self.clients = self.context.clients

--- a/heat/tests/engine/tools.py
+++ b/heat/tests/engine/tools.py
@ -170,7 +170,7 @@ def setup_keystone_mocks(mocks, stack):
    fkc = test_fakes.FakeKeystoneClient()

    mocks.StubOutWithMock(keystone.KeystoneClientPlugin, '_create')
-    keystone.KeystoneClientPlugin._create().AndReturn(fkc)
+    keystone.KeystoneClientPlugin._create().MultipleTimes().AndReturn(fkc)


 def setup_mock_for_image_constraint(mocks, imageId_input,
--- a/heat/tests/fakes.py
+++ b/heat/tests/fakes.py
@ -99,7 +99,7 @@ class FakeKeystoneClient(object):
    def __init__(self, username='test_username', password='password',
                 user_id='1234', access='4567', secret='8901',
                 credential_id='abcdxyz', auth_token='abcd1234',
-                 context=None):
+                 context=None, stack_domain_id='4321', roles=None):
        self.username = username
        self.password = password
        self.user_id = user_id
@ -110,6 +110,8 @@ class FakeKeystoneClient(object):
        self.token = auth_token
        self.context = context
        self.v3_endpoint = 'http://localhost:5000/v3'
+        self.stack_domain_id = stack_domain_id
+        self.roles = roles or []

        class FakeCred(object):
            id = self.credential_id
@ -194,3 +196,27 @@ class FakeKeystoneClient(object):
            return self.context.auth_plugin.get_token(self.session)
        else:
            return self.token
+
+    @property
+    def auth_ref(self):
+        return FakeAccessInfo(roles=self.roles)
+
+
+class FakeAccessInfo(object):
+    def __init__(self, roles):
+        self.roles = roles
+
+    @property
+    def role_names(self):
+        return self.roles
+
+
+class FakeEventSink(object):
+
+    def __init__(self, evt):
+        self.events = []
+        self.evt = evt
+
+    def consume(self, stack, event):
+        self.events.append(event)
+        self.evt.send(None)