Fix duplicate role names in trusts bug

Closes-Bug: #1778109

Change-Id: Id0953190b3b1e0b6765430fbb10d16e7f53f53ee
Jeremy Freudberg 2018-06-19 18:54:36 +00:00
parent 89a5783dd8
commit 50fd6933e8
3 changed files with 13 additions and 9 deletions


@ -44,7 +44,6 @@ from keystone.tests.common import auth as common_auth
from keystone.tests import unit
from keystone.tests.unit import ksfixtures
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
@ -3944,12 +3943,6 @@ class TrustAPIBehavior(test_v3.RestfulTestCase):
role_id_set2 = set(r['id'] for r in trust2['roles'])
self.assertThat(role_id_set1, matchers.GreaterThan(role_id_set2))
@test_utils.wip(
"Waiting on fix for duplicate role names in token data when trust has "
"implied roles",
expected_exception=matchers.MismatchError,
bug="#1778109"
)
def test_trust_with_implied_roles(self):
# Create some roles
role1 = unit.new_role_ref()


@ -372,6 +372,9 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
refs = [{'role_id': role['id']} for role in trust['roles']]
effective_trust_roles = (
PROVIDERS.assignment_api.add_implied_roles(refs))
effective_trust_role_ids = (
set([r['role_id'] for r in effective_trust_roles])
)
# Now get the current role assignments for the trustor,
# including any domain specific roles.
assignments = PROVIDERS.assignment_api.list_role_assignments(
@ -384,10 +387,10 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
# Go through each of the effective trust roles, making sure the
# trustor still has them, if any have been removed, then we
# will treat the trust as invalid
for trust_role in effective_trust_roles:
for trust_role_id in effective_trust_role_ids:
match_roles = [x for x in current_effective_trustor_roles
if x == trust_role['role_id']]
if x == trust_role_id]
if match_roles:
role = PROVIDERS.role_api.get_role(match_roles[0])
if role['domain_id'] is None:
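Review bot: Looping over `effective_trust_role_ids` as a plain `set` (second hunk of this section) makes the iteration order depend on string hashing, so if the loop body, which continues outside the hunk, builds the token's role list, that list can come out in a different order from one process to the next. A sorted de-duplication keeps the output stable for consumers and for audit comparisons: `effective_trust_role_ids = sorted(set(r['role_id'] for r in effective_trust_roles))`. The de-duplication itself does not weaken the validity check, since every distinct role id is still compared against the trustor's current roles. A short comment above the assignment, such as `# De-duplicate: implied-role expansion can yield the same role more than once`, would record why the set exists.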


@ -0,0 +1,8 @@
---
fixes:
- |
[`bug 1778109 <https://bugs.launchpad.net/keystone/+bug/1778109>`_]
Previously the token data for a trust-scoped token may have contained
duplicate roles, when implied roles were present. This is no longer the
case, for the sake of accuracy and to prevent the breaking of applications
which may consume this role list.