Fix revoking domain-scoped tokens

A token scoped to a domain wouldn't be revoked for a domain-wide
revocation event. This is because the code to convert a token to a
dict for revocation event processing didn't handle domain-scoped
tokens.

Partial-Bug: #1349597

Change-Id: Ib2c58f3fc8790dbe7f8b073d18d3fa9b0dff608d
(cherry picked from commit 3e035ebb72)
This commit is contained in:
Brant Knudson 2014-07-26 12:24:11 -05:00
parent cccc3f3239
commit 317f9d34b4
2 changed files with 18 additions and 5 deletions

View File

@ -285,6 +285,11 @@ def build_token_values(token_data):
token_values['assignment_domain_id'] = project['domain']['id'] token_values['assignment_domain_id'] = project['domain']['id']
else: else:
token_values['project_id'] = None token_values['project_id'] = None
domain = token_data.get('domain')
if domain is not None:
token_values['assignment_domain_id'] = domain['id']
else:
token_values['assignment_domain_id'] = None token_values['assignment_domain_id'] = None
role_list = [] role_list = []

View File

@ -448,11 +448,19 @@ class RevokeTreeTests(tests.TestCase):
def test_by_domain_domain(self): def test_by_domain_domain(self):
# If revoke a domain, then a token scoped to the domain is revoked. # If revoke a domain, then a token scoped to the domain is revoked.
# FIXME(blk-u): The token translation code doesn't handle domain-scoped user_id = _new_id()
# tokens at this point. See bug #1347318. Replace this with test code user_domain_id = _new_id()
# similar to test_by_domain_project().
pass domain_id = _new_id()
token_data = _sample_blank_token()
token_data['user_id'] = user_id
token_data['identity_domain_id'] = user_domain_id
token_data['assignment_domain_id'] = domain_id
self._revoke_by_domain(domain_id)
self._assertTokenRevoked(token_data)
def _assertEmpty(self, collection): def _assertEmpty(self, collection):
return self.assertEqual(0, len(collection), "collection not empty") return self.assertEqual(0, len(collection), "collection not empty")