openstack/keystone
Code Issues Proposed changes

Fix revoking domain-scoped tokens

Browse Source 
A token scoped to a domain wouldn't be revoked for a domain-wide
revocation event. This is because the code to convert a token to a
dict for revocation event processing didn't handle domain-scoped
tokens.

Partial-Bug: #1349597

Change-Id: Ib2c58f3fc8790dbe7f8b073d18d3fa9b0dff608d
This commit is contained in:
Brant Knudson 2014-07-26 12:24:11 -05:00
parent c4447f16da
commit 3e035ebb72
2 changed files with 18 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
keystone/contrib/revoke/model.py
View File

@ -285,7 +285,12 @@ def build_token_values(token_data):
token_values['assignment_domain_id'] = project['domain']['id']
else:
token_values['project_id'] = None
token_values['assignment_domain_id'] = None
domain = token_data.get('domain')
if domain is not None:
token_values['assignment_domain_id'] = domain['id']
else:
token_values['assignment_domain_id'] = None
role_list = []
roles = token_data.get('roles')

16
keystone/tests/test_revoke.py
View File

@ -444,11 +444,19 @@ class RevokeTreeTests(tests.TestCase):
def test_by_domain_domain(self):
# If revoke a domain, then a token scoped to the domain is revoked.
# FIXME(blk-u): The token translation code doesn't handle domain-scoped
# tokens at this point. See bug #1347318. Replace this with test code
# similar to test_by_domain_project().
user_id = _new_id()
user_domain_id = _new_id()
pass
domain_id = _new_id()
token_data = _sample_blank_token()
token_data['user_id'] = user_id
token_data['identity_domain_id'] = user_domain_id
token_data['assignment_domain_id'] = domain_id
self._revoke_by_domain(domain_id)
self._assertTokenRevoked(token_data)
def _assertEmpty(self, collection):
return self.assertEqual(0, len(collection), "collection not empty")