Fix duplicate role names in trusts bug

Closes-Bug: #1778109 Change-Id: Id0953190b3b1e0b6765430fbb10d16e7f53f53ee
2018-06-19 18:54:36 +00:00 · 2018-06-19 18:54:36 +00:00 · 50fd6933e8
commit 50fd6933e8
parent 89a5783dd8
3 changed files with 13 additions and 9 deletions
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@ -44,7 +44,6 @@ from keystone.tests.common import auth as common_auth
 from keystone.tests import unit
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils as test_utils


 CONF = keystone.conf.CONF
@ -3944,12 +3943,6 @@ class TrustAPIBehavior(test_v3.RestfulTestCase):
        role_id_set2 = set(r['id'] for r in trust2['roles'])
        self.assertThat(role_id_set1, matchers.GreaterThan(role_id_set2))

-    @test_utils.wip(
-        "Waiting on fix for duplicate role names in token data when trust has "
-        "implied roles",
-        expected_exception=matchers.MismatchError,
-        bug="#1778109"
-    )
    def test_trust_with_implied_roles(self):
        # Create some roles
        role1 = unit.new_role_ref()
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@ -372,6 +372,9 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
                refs = [{'role_id': role['id']} for role in trust['roles']]
                effective_trust_roles = (
                    PROVIDERS.assignment_api.add_implied_roles(refs))
+                effective_trust_role_ids = (
+                    set([r['role_id'] for r in effective_trust_roles])
+                )
                # Now get the current role assignments for the trustor,
                # including any domain specific roles.
                assignments = PROVIDERS.assignment_api.list_role_assignments(
@ -384,10 +387,10 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
                # Go through each of the effective trust roles, making sure the
                # trustor still has them, if any have been removed, then we
                # will treat the trust as invalid
-                for trust_role in effective_trust_roles:
+                for trust_role_id in effective_trust_role_ids:

                    match_roles = [x for x in current_effective_trustor_roles
-                                   if x == trust_role['role_id']]
+                                   if x == trust_role_id]
                    if match_roles:
                        role = PROVIDERS.role_api.get_role(match_roles[0])
                        if role['domain_id'] is None:
--- a/releasenotes/notes/bug-1778109-ea15ce6a8207f857.yaml
+++ b/releasenotes/notes/bug-1778109-ea15ce6a8207f857.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    [`bug 1778109 <https://bugs.launchpad.net/keystone/+bug/1778109>`_]
+    Previously the token data for a trust-scoped token may have contained
+    duplicate roles, when implied roles were present. This is no longer the
+    case, for the sake of accuracy and to prevent the breaking of applications
+    which may consume this role list.