From 317f9d34b4da20c21edd5b851889298b67c843e1 Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Sat, 26 Jul 2014 12:24:11 -0500
Subject: [PATCH] Fix revoking domain-scoped tokens
A token scoped to a domain wouldn't be revoked for a domain-wide revocation event. This is because the code to convert a token to a dict for revocation event processing didn't handle domain-scoped tokens.
Partial-Bug: #1349597
Change-Id: Ib2c58f3fc8790dbe7f8b073d18d3fa9b0dff608d
(cherry picked from commit 3e035ebb726167aef43c4a865c7e7f7d3b0978fb)
---
 keystone/contrib/revoke/model.py | 7 ++++++-
 keystone/tests/test_revoke.py | 16 ++++++++++++----
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/keystone/contrib/revoke/model.py b/keystone/contrib/revoke/model.py
index a88602c1e8..84cab54ad0 100644
--- a/keystone/contrib/revoke/model.py
+++ b/keystone/contrib/revoke/model.py
@@ -285,7 +285,12 @@ def build_token_values(token_data):
 token_values['assignment_domain_id'] = project['domain']['id']
 else:
 token_values['project_id'] = None
- token_values['assignment_domain_id'] = None
+
+ domain = token_data.get('domain')
+ if domain is not None:
+ token_values['assignment_domain_id'] = domain['id']
+ else:
+ token_values['assignment_domain_id'] = None
 role_list = []
 roles = token_data.get('roles')
diff --git a/keystone/tests/test_revoke.py b/keystone/tests/test_revoke.py
index d174ca770d..ca0ce5ef74 100644
--- a/keystone/tests/test_revoke.py
+++ b/keystone/tests/test_revoke.py
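Review bot: The new `domain` branch in build_token_values (keystone/contrib/revoke/model.py) carries no comment saying which token shape it covers, and this mapping is security-relevant: per the commit message, a scope the function does not translate is never matched by a domain-wide revocation event, so the token stays usable. Above `domain = token_data.get('domain')` I would add `# Domain-scoped token: there is no project, so the assignment domain comes from the token's own 'domain' entry.`, and on the final `else:` something like `# Neither project nor domain scope: no assignment domain to match revocation events against.` The function's body starts and ends outside this hunk, so how `assignment_domain_id` is consumed afterwards cannot be checked from here.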
@@ -448,11 +448,19 @@ class RevokeTreeTests(tests.TestCase):
 def test_by_domain_domain(self):
 # If revoke a domain, then a token scoped to the domain is revoked.
- # FIXME(blk-u): The token translation code doesn't handle domain-scoped
- # tokens at this point. See bug #1347318. Replace this with test code
- # similar to test_by_domain_project().
+ user_id = _new_id()
+ user_domain_id = _new_id()
- pass
+ domain_id = _new_id()
+
+ token_data = _sample_blank_token()
+ token_data['user_id'] = user_id
+ token_data['identity_domain_id'] = user_domain_id
+ token_data['assignment_domain_id'] = domain_id
+
+ self._revoke_by_domain(domain_id)
+
+ self._assertTokenRevoked(token_data)
 def _assertEmpty(self, collection):
 return self.assertEqual(0, len(collection), "collection not empty")
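Review bot: test_by_domain_domain does not go through the translation code this commit fixes: it writes `token_data['assignment_domain_id'] = domain_id` straight onto the already-flattened dict from `_sample_blank_token()`, so the `token_data.get('domain')` branch added to build_token_values is never exercised. As far as these lines show, the test would presumably pass with or without the model.py change, which leaves the actual regression (a domain-scoped token body not yielding an `assignment_domain_id`) unpinned. A companion test that passes a token body containing a `domain` entry to build_token_values and asserts that the returned `assignment_domain_id` equals that domain's id would cover it, unless one already exists outside this patch.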