Fix duplicate role names in trusts bug
Closes-Bug: #1778109 Change-Id: Id0953190b3b1e0b6765430fbb10d16e7f53f53ee
parent
89a5783dd8
commit
50fd6933e8
|
@ -44,7 +44,6 @@ from keystone.tests.common import auth as common_auth
|
||||||
from keystone.tests import unit
|
from keystone.tests import unit
|
||||||
from keystone.tests.unit import ksfixtures
|
from keystone.tests.unit import ksfixtures
|
||||||
from keystone.tests.unit import test_v3
|
from keystone.tests.unit import test_v3
|
||||||
from keystone.tests.unit import utils as test_utils
|
|
||||||
|
|
||||||
|
|
||||||
CONF = keystone.conf.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
@ -3944,12 +3943,6 @@ class TrustAPIBehavior(test_v3.RestfulTestCase):
|
||||||
role_id_set2 = set(r['id'] for r in trust2['roles'])
|
role_id_set2 = set(r['id'] for r in trust2['roles'])
|
||||||
self.assertThat(role_id_set1, matchers.GreaterThan(role_id_set2))
|
self.assertThat(role_id_set1, matchers.GreaterThan(role_id_set2))
|
||||||
|
|
||||||
@test_utils.wip(
|
|
||||||
"Waiting on fix for duplicate role names in token data when trust has "
|
|
||||||
"implied roles",
|
|
||||||
expected_exception=matchers.MismatchError,
|
|
||||||
bug="#1778109"
|
|
||||||
)
|
|
||||||
def test_trust_with_implied_roles(self):
|
def test_trust_with_implied_roles(self):
|
||||||
# Create some roles
|
# Create some roles
|
||||||
role1 = unit.new_role_ref()
|
role1 = unit.new_role_ref()
|
||||||
|
|
|
@ -372,6 +372,9 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
|
||||||
refs = [{'role_id': role['id']} for role in trust['roles']]
|
refs = [{'role_id': role['id']} for role in trust['roles']]
|
||||||
effective_trust_roles = (
|
effective_trust_roles = (
|
||||||
PROVIDERS.assignment_api.add_implied_roles(refs))
|
PROVIDERS.assignment_api.add_implied_roles(refs))
|
||||||
|
effective_trust_role_ids = (
|
||||||
|
set([r['role_id'] for r in effective_trust_roles])
|
||||||
|
)
|
||||||
# Now get the current role assignments for the trustor,
|
# Now get the current role assignments for the trustor,
|
||||||
# including any domain specific roles.
|
# including any domain specific roles.
|
||||||
assignments = PROVIDERS.assignment_api.list_role_assignments(
|
assignments = PROVIDERS.assignment_api.list_role_assignments(
|
||||||
|
@ -384,10 +387,10 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
|
||||||
# Go through each of the effective trust roles, making sure the
|
# Go through each of the effective trust roles, making sure the
|
||||||
# trustor still has them, if any have been removed, then we
|
# trustor still has them, if any have been removed, then we
|
||||||
# will treat the trust as invalid
|
# will treat the trust as invalid
|
||||||
for trust_role in effective_trust_roles:
|
for trust_role_id in effective_trust_role_ids:
|
||||||
|
|
||||||
match_roles = [x for x in current_effective_trustor_roles
|
match_roles = [x for x in current_effective_trustor_roles
|
||||||
if x == trust_role['role_id']]
|
if x == trust_role_id]
|
||||||
if match_roles:
|
if match_roles:
|
||||||
role = PROVIDERS.role_api.get_role(match_roles[0])
|
role = PROVIDERS.role_api.get_role(match_roles[0])
|
||||||
if role['domain_id'] is None:
|
if role['domain_id'] is None:
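Review bot: The validation loop now iterates `effective_trust_role_ids`, a plain `set` of role-ID strings, so the order in which roles are checked depends on string hashing, which can differ between processes. The rest of the loop body is outside this hunk, but if it appends each matched role to the token's role list, that list's order will vary between requests or workers. Iterating in a fixed order keeps the de-duplication and makes the output reproducible: `for trust_role_id in sorted(effective_trust_role_ids):`. The set itself reads more directly as a set comprehension, `{r['role_id'] for r in effective_trust_roles}`. A short comment above it, such as `# De-duplicate by role ID; every distinct ID is still checked against the trustor's current roles below`, would record that the trust-validity check is not narrowed by this change.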
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1778109 <https://bugs.launchpad.net/keystone/+bug/1778109>`_]
|
||||||
|
Previously the token data for a trust-scoped token may have contained
|
||||||
|
duplicate roles, when implied roles were present. This is no longer the
|
||||||
|
case, for the sake of accuracy and to prevent the breaking of applications
|
||||||
|
which may consume this role list.
|