From 98934a3e548f8abd8722b01493356fcc8586b1ba Mon Sep 17 00:00:00 2001
From: Steve Martinelli
Date: Mon, 8 Feb 2016 03:48:25 -0500
Subject: [PATCH] add a test that uses trusts and implies roles looks like implied roles are not expanded for tokens that were created from trusts
Change-Id: I76b94faf094721c254caa6f9d7289d084c957d80
Closes-Bug: 1539240
Related-Bug: 1543318
---
 keystone/tests/unit/test_v3_assignment.py | 35 +++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/keystone/tests/unit/test_v3_assignment.py b/keystone/tests/unit/test_v3_assignment.py
index 94942a9747..a00b912909 100644
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
@@ -20,6 +20,7 @@ from testtools import matchers
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
+from keystone.tests.unit import utils
 CONF = cfg.CONF
@@ -2610,6 +2611,40 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
 implied_role_id=accepted_role1['id'])
 self.put(url, expected_status=http_client.CREATED)
+ @utils.wip('This will fail because of bug #1543318.')
+ def test_trusts_from_implied_role(self):
+ self._create_three_roles()
+ self._create_implied_role(self.role_list[0], self.role_list[1])
+ self._create_implied_role(self.role_list[1], self.role_list[2])
+ self._assign_top_role_to_user_on_project(self.user, self.project)
+
+ # Create a trustee and assign the prior role to her
+ trustee = unit.create_user(self.identity_api, domain_id=self.domain_id)
+ ref = unit.new_trust_ref(
+ trustor_user_id=self.user['id'],
+ trustee_user_id=trustee['id'],
+ project_id=self.project['id'],
+ role_ids=[self.role_list[0]['id']])
+ r = self.post('/OS-TRUST/trusts', body={'trust': ref})
+ trust = r.result['trust']
+
+ # Only the role that was specified is in the trust, NOT implied roles
+ self.assertEqual(self.role_list[0]['id'], trust['roles'][0]['id'])
+ self.assertThat(trust['roles'], matchers.HasLength(1))
+
+ # Authenticate as the trustee
+ auth_data = self.build_authentication_request(
+ user_id=trustee['id'],
+ password=trustee['password'],
+ trust_id=trust['id'])
+ r = self.v3_create_token(auth_data)
+ token = r.result['token']
+
+ # FIXME(stevemar): See bug 1543318: Only one role appears in the
+ # token, it should have all the implied roles (3).
+ self.assertThat(token['roles'],
+ matchers.HasLength(len(self.role_list)))
+
 class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase):
 def setUp(self):
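Review bot: The final assertion in `test_trusts_from_implied_role` checks only how many roles the trust-scoped token carries, not which ones, so once bug 1543318 is fixed a token holding three unrelated roles would still pass. Because this test pins the authority a trustee receives, compare the role ids exactly, for example `self.assertEqual({r['id'] for r in self.role_list}, {r['id'] for r in token['roles']})` (assuming token role entries carry an `id` key as the trust's entries do). The earlier check indexes `trust['roles'][0]` before asserting `HasLength(1)`; swapping the two lines gives a clean assertion failure rather than an IndexError if the list is empty. The comment "assign the prior role to her" would read more accurately as `# Create a trustee and delegate the prior role to her via a trust`, since no role assignment is made for the trustee in this hunk.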