Merge "add a test that uses trusts and implies roles"

2016-02-13 06:46:34 +00:00 · 2016-02-13 06:46:34 +00:00 · 1c471138c9
parent 68e16ec2c9 98934a3e54
commit 1c471138c9
1 changed files with 35 additions and 0 deletions
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
@ -20,6 +20,7 @@ from testtools import matchers

 from keystone.tests import unit
 from keystone.tests.unit import test_v3
+from keystone.tests.unit import utils


 CONF = cfg.CONF
@ -2610,6 +2611,40 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
            implied_role_id=accepted_role1['id'])
        self.put(url, expected_status=http_client.CREATED)

+    @utils.wip('This will fail because of bug #1543318.')
+    def test_trusts_from_implied_role(self):
+        self._create_three_roles()
+        self._create_implied_role(self.role_list[0], self.role_list[1])
+        self._create_implied_role(self.role_list[1], self.role_list[2])
+        self._assign_top_role_to_user_on_project(self.user, self.project)
+
+        # Create a trustee and assign the prior role to her
+        trustee = unit.create_user(self.identity_api, domain_id=self.domain_id)
+        ref = unit.new_trust_ref(
+            trustor_user_id=self.user['id'],
+            trustee_user_id=trustee['id'],
+            project_id=self.project['id'],
+            role_ids=[self.role_list[0]['id']])
+        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
+        trust = r.result['trust']
+
+        # Only the role that was specified is in the trust, NOT implied roles
+        self.assertEqual(self.role_list[0]['id'], trust['roles'][0]['id'])
+        self.assertThat(trust['roles'], matchers.HasLength(1))
+
+        # Authenticate as the trustee
+        auth_data = self.build_authentication_request(
+            user_id=trustee['id'],
+            password=trustee['password'],
+            trust_id=trust['id'])
+        r = self.v3_create_token(auth_data)
+        token = r.result['token']
+
+        # FIXME(stevemar): See bug 1543318: Only one role appears in the
+        # token, it should have all the implied roles (3).
+        self.assertThat(token['roles'],
+                        matchers.HasLength(len(self.role_list)))
+

 class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase):
    def setUp(self):