Allows to use application credentials through group membership

When a user's role assignments come only through group membership,
the user can create application credentials but cannot use them.
This change looks up the user's effective role assignments, including
inherited and group assignments, when issuing the token.

Change-Id: If1bf5bd785a494923303265797311d42018ba7af
Closes-Bug: #1773967
Jose Castro Leon 2019-04-23 15:38:16 +02:00 committed by Colleen Murphy
parent f185d6630e
commit 14b25bc5d1
3 changed files with 50 additions and 7 deletions


@ -409,14 +409,16 @@ class TokenModel(object):
def _get_application_credential_roles(self):
roles = []
app_cred_roles = self.application_credential['roles']
assignment_list = PROVIDERS.assignment_api.list_role_assignments(
user_id=self.user_id,
project_id=self.project_id,
domain_id=self.domain_id,
effective=True)
user_roles = list(set([x['role_id'] for x in assignment_list]))
for role in app_cred_roles:
try:
r = PROVIDERS.assignment_api.get_grant(
role['id'], user_id=self.user_id,
domain_id=self.domain_id, project_id=self.project_id)
roles.append({'id': r['id'], 'name': r['name']})
except exception.RoleAssignmentNotFound:
pass
if role['id'] in user_roles:
roles.append({'id': role['id'], 'name': role['name']})
return roles
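Review bot: On the new side `roles.append({'id': role['id'], 'name': role['name']})` takes the role name from the stored application-credential record, whereas the removed `get_grant` path returned the live role (`r['name']`); if a role is renamed after the credential is created, or the stored record carries only ids, the issued token's role names will be stale or missing — worth confirming where `self.application_credential['roles']` is populated. The membership test would also read better on the set itself: `user_roles = {x['role_id'] for x in assignment_list}` replaces `list(set([...]))` and makes `role['id'] in user_roles` an O(1) lookup. Note that roles the user no longer holds are still dropped silently (as with the old `except exception.RoleAssignmentNotFound: pass`), so a token can be issued with fewer roles than the credential lists; a debug log at that point would help operators trace why a credential lost privileges. The method is shown in full here, but its enclosing class starts outside the hunk.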


@ -5696,6 +5696,38 @@ class ApplicationCredentialAuth(test_v3.RestfulTestCase):
app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
self.v3_create_token(auth_data, expected_status=http_client.NOT_FOUND)
def test_application_credential_through_group_membership(self):
user1 = unit.create_user(
PROVIDERS.identity_api, domain_id=self.domain_id
)
group1 = unit.new_group_ref(domain_id=self.domain_id)
group1 = PROVIDERS.identity_api.create_group(group1)
PROVIDERS.identity_api.add_user_to_group(
user1['id'], group1['id']
)
PROVIDERS.assignment_api.create_grant(
self.role_id, group_id=group1['id'], project_id=self.project_id
)
app_cred = {
'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
'secret': uuid.uuid4().hex,
'user_id': user1['id'],
'project_id': self.project_id,
'description': uuid.uuid4().hex,
'roles': [{'id': self.role_id}]
}
app_cred_ref = self.app_cred_api.create_application_credential(
app_cred)
auth_data = self.build_authentication_request(
app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
def test_application_credential_cannot_scope(self):
app_cred = self._make_app_cred()
app_cred_ref = self.app_cred_api.create_application_credential(
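Review bot: `test_application_credential_through_group_membership` only asserts that a token is issued (`expected_status=http_client.CREATED`); it never checks that the group-granted role actually lands in the token, so a regression that silently drops the role (the token model discards roles it cannot match to the user's effective assignments) would still pass. Capture the response and assert the role is present, e.g. `r = self.v3_create_token(auth_data, expected_status=http_client.CREATED)` followed by `self.assertIn(self.role_id, [role['id'] for role in r.result['token']['roles']])`, assuming the usual response object used elsewhere in this file. A second case that removes user1 from group1 and re-authenticates would pin the revocation side, which is the security-relevant half of group-based assignments. `test_application_credential_cannot_scope` continues past the end of the hunk.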


@ -0,0 +1,9 @@
---
fixes:
- |
[`bug 1773967 <https://bugs.launchpad.net/keystone/+bug/1773967>`_]
Fixes an issue where users who had role assignments only via a group
membership and not via direct assignment could create but not use
application credentials. It is important to note that federated users who
only have role assignments via a mapped group membership still cannot
create application credentials.