Do not revoke all of a user's tokens when a role assignment is deleted
Previously, an overly broad revocation event was being generated that matched all of a user's tokens -- not just those belonging to a user-project pair. Change-Id: I52857029af21ac729f166b0e60aa9a38ffdc553a Closes-Bug: 1488208
parent
9450cd9699
commit
5320b1a335
|
@ -381,7 +381,10 @@ class Manager(manager.Manager):
|
||||||
|
|
||||||
self.driver.remove_role_from_user_and_project(user_id, project_id,
|
self.driver.remove_role_from_user_and_project(user_id, project_id,
|
||||||
role_id)
|
role_id)
|
||||||
self.identity_api.emit_invalidate_user_token_persistence(user_id)
|
if project_id:
|
||||||
|
self._emit_invalidate_grant_token_persistence(user_id, project_id)
|
||||||
|
else:
|
||||||
|
self.identity_api.emit_invalidate_user_token_persistence(user_id)
|
||||||
self.revoke_api.revoke_by_grant(role_id, user_id=user_id,
|
self.revoke_api.revoke_by_grant(role_id, user_id=user_id,
|
||||||
project_id=project_id)
|
project_id=project_id)
|
||||||
|
|
||||||
|
|
|
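Review bot: The `else` branch under `if project_id:` still invalidates every token the user holds, and nothing in the hunk says when a call to `remove_role_from_user_and_project` reaches it without a project. If the fallback is deliberate (over-revoking rather than risking a stale token that stays valid), a comment above the `else` would record that, for example `# No project to narrow on: invalidate all of the user's tokens rather than leave one valid.` Because the test is on truthiness, an empty-string `project_id` also takes the broad path; that is the safe direction, but it is worth stating in the same comment so nobody later tightens it to an `is not None` check. The method starts above the hunk, so its signature and callers are not visible here.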
@ -489,14 +489,7 @@ class AuthWithToken(AuthTest):
|
||||||
self.user_foo['id'], project['id'], role['id'])
|
self.user_foo['id'], project['id'], role['id'])
|
||||||
|
|
||||||
# Ensure it is still valid
|
# Ensure it is still valid
|
||||||
# FIXME(dolph): Due to bug 1488208, the unscoped token is actually
|
self.controller.validate_token(admin_context, token_id=token_id)
|
||||||
# invalid. The assertRaises() should be removed and the token should
|
|
||||||
# validate without error.
|
|
||||||
self.assertRaises(
|
|
||||||
exception.TokenNotFound,
|
|
||||||
self.controller.validate_token,
|
|
||||||
admin_context,
|
|
||||||
token_id=token_id)
|
|
||||||
|
|
||||||
def test_only_original_audit_id_is_kept(self):
|
def test_only_original_audit_id_is_kept(self):
|
||||||
context = {}
|
context = {}
|
||||||
|
@ -1212,18 +1205,11 @@ class AuthWithTrust(AuthTest):
|
||||||
self.controller.authenticate, {}, request_body)
|
self.controller.authenticate, {}, request_body)
|
||||||
|
|
||||||
unscoped_token = self.get_unscoped_token(self.trustor['name'])
|
unscoped_token = self.get_unscoped_token(self.trustor['name'])
|
||||||
# FIXME(dolph): Due to bug 1488208, this token is already "revoked,"
|
context = self._create_auth_context(
|
||||||
# even though we just created it. Further, this token should be valid
|
|
||||||
# because we've only revoked role assignments (we haven't done anything
|
|
||||||
# that should affect unscoped tokens). The code commented out after the
|
|
||||||
# assertRaises should be restored when this bug is fixed.
|
|
||||||
self.assertRaises(
|
|
||||||
exception.TokenNotFound,
|
|
||||||
self._create_auth_context,
|
|
||||||
unscoped_token['access']['token']['id'])
|
unscoped_token['access']['token']['id'])
|
||||||
# trust = self.trust_controller.get_trust(context,
|
trust = self.trust_controller.get_trust(context,
|
||||||
# new_trust['id'])['trust']
|
new_trust['id'])['trust']
|
||||||
# self.assertEqual(3, trust['remaining_uses'])
|
self.assertEqual(3, trust['remaining_uses'])
|
||||||
|
|
||||||
def test_v2_trust_token_contains_trustor_user_id_and_impersonation(self):
|
def test_v2_trust_token_contains_trustor_user_id_and_impersonation(self):
|
||||||
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
|
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
|
||||||
|
|
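Review bot: Both updated tests now assert only that an unscoped token survives the role removal; nothing in these hunks checks the opposite direction, that a token scoped to the affected user-project pair is rejected afterwards. Since the fix narrows revocation, that negative case is the one a regression would silently break, so it deserves an assertion next to `# Ensure it is still valid`, for example `self.assertRaises(exception.TokenNotFound, self.controller.validate_token, admin_context, token_id=<project-scoped token id>)`, with the exception type adjusted to whatever the revocation path actually raises. In the first of these hunks the bare `self.controller.validate_token(admin_context, token_id=token_id)` passes merely by not raising; a short comment saying so, or an assertion on the returned token, would make the intent explicit. Both test methods begin outside their hunks, so coverage elsewhere in the file may already handle this.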