Browse Source

Fix revoking domain-scoped tokens

A token scoped to a domain wouldn't be revoked for a domain-wide
revocation event. This is because the code to convert a token to a
dict for revocation event processing didn't handle domain-scoped
tokens.

Partial-Bug: #1349597

Change-Id: Ib2c58f3fc8790dbe7f8b073d18d3fa9b0dff608d
(cherry picked from commit 3e035ebb72)
changes/84/112084/1
Brant Knudson 7 years ago
parent
commit
317f9d34b4
  1. 7
      keystone/contrib/revoke/model.py
  2. 16
      keystone/tests/test_revoke.py

7
keystone/contrib/revoke/model.py

@ -285,7 +285,12 @@ def build_token_values(token_data):
token_values['assignment_domain_id'] = project['domain']['id']
else:
token_values['project_id'] = None
token_values['assignment_domain_id'] = None
domain = token_data.get('domain')
if domain is not None:
token_values['assignment_domain_id'] = domain['id']
else:
token_values['assignment_domain_id'] = None
role_list = []
roles = token_data.get('roles')

16
keystone/tests/test_revoke.py

@ -448,11 +448,19 @@ class RevokeTreeTests(tests.TestCase):
def test_by_domain_domain(self):
# If revoke a domain, then a token scoped to the domain is revoked.
# FIXME(blk-u): The token translation code doesn't handle domain-scoped
# tokens at this point. See bug #1347318. Replace this with test code
# similar to test_by_domain_project().
user_id = _new_id()
user_domain_id = _new_id()
domain_id = _new_id()
pass
token_data = _sample_blank_token()
token_data['user_id'] = user_id
token_data['identity_domain_id'] = user_domain_id
token_data['assignment_domain_id'] = domain_id
self._revoke_by_domain(domain_id)
self._assertTokenRevoked(token_data)
def _assertEmpty(self, collection):
return self.assertEqual(0, len(collection), "collection not empty")

Loading…
Cancel
Save