trust creation allowed with empty roles list

The docs state "A project_id may not be specified without at least
one role, and vice versa.", however /OS-TRUST/trusts does allow you
to create a trust with an empty roles list and project_id specified.

This results in 401 responses whenever you try to consume the trust,
because there are no roles for the trustee on the authorized project.

This patch will add a check in trust creation to ensure at least one
role exists if project_id is supplied.

Change-Id: Iebad0b6b7ed62a029d1e50afb003679bafb1655d
Closes-Bug: #1214064

keystone/tests/test_auth.py

@@ -696,17 +696,20 @@ class AuthWithTrust(AuthTest):
     def test_create_trust_bad_data_fails(self):
         context = self._create_auth_context(
             self.unscoped_token['access']['token']['id'])
-        bad_sample_data = {'trustor_user_id': self.trustor['id']}
+        bad_sample_data = {'trustor_user_id': self.trustor['id'],
+                           'project_id': self.tenant_bar['id'],
+                           'roles': [{'id': self.role_browser['id']}]}
 
         self.assertRaises(exception.ValidationError,
                           self.trust_controller.create_trust,
                           context, trust=bad_sample_data)
 
     def test_create_trust_no_roles(self):
-        self.new_trust = None
+        context = {'token_id': self.unscoped_token['access']['token']['id']}
         self.sample_data['roles'] = []
-        self.create_trust()
-        self.assertEqual([], self.new_trust['roles'])
+        self.assertRaises(exception.Forbidden,
+                          self.trust_controller.create_trust,
+                          context, trust=self.sample_data)
 
     def test_create_trust(self):
         self.assertEqual(self.trustor['id'], self.new_trust['trustor_user_id'])

keystone/tests/test_v3_auth.py

@@ -2247,6 +2247,14 @@ class TestTrustAuth(TestAuthInfo):
         r = self.post('/OS-TRUST/trusts', body={'trust': ref})
         self.assertValidTrustResponse(r, ref)
 
+    def test_create_trust_no_roles(self):
+        ref = self.new_trust_ref(
+            trustor_user_id=self.user_id,
+            trustee_user_id=self.trustee_user_id,
+            project_id=self.project_id)
+        del ref['id']
+        self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=403)
+
     def _initialize_test_consume_trust(self, count):
         # Make sure remaining_uses is decremented as we consume the trust
         ref = self.new_trust_ref(
@@ -2404,14 +2412,18 @@ class TestTrustAuth(TestAuthInfo):
     def test_create_trust_trustee_404(self):
         ref = self.new_trust_ref(
             trustor_user_id=self.user_id,
-            trustee_user_id=uuid.uuid4().hex)
+            trustee_user_id=uuid.uuid4().hex,
+            project_id=self.project_id,
+            role_ids=[self.role_id])
         del ref['id']
         self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=404)
 
     def test_create_trust_trustor_trustee_backwards(self):
         ref = self.new_trust_ref(
             trustor_user_id=self.trustee_user_id,
-            trustee_user_id=self.user_id)
+            trustee_user_id=self.user_id,
+            project_id=self.project_id,
+            role_ids=[self.role_id])
         del ref['id']
         self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=403)
 

keystone/trust/controllers.py

@@ -134,6 +134,9 @@ class TrustV3(controller.V3Controller):
         if not trust:
             raise exception.ValidationError(attribute='trust',
                                             target='request')
+        if trust.get('project_id') and not trust.get('roles'):
+            raise exception.Forbidden(
+                _('At least one role should be specified.'))
         try:
             user_id = self._get_user_id(context)
             _trustor_only(context, trust, user_id)