diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py index f1c09cae92..942c880a7b 100644 --- a/keystone/tests/unit/test_v3_auth.py +++ b/keystone/tests/unit/test_v3_auth.py @@ -5632,6 +5632,38 @@ class ApplicationCredentialAuth(test_v3.RestfulTestCase): app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret']) self.v3_create_token(auth_data, expected_status=http_client.NOT_FOUND) + def test_application_credential_through_group_membership(self): + user1 = unit.create_user( + PROVIDERS.identity_api, domain_id=self.domain_id + ) + + group1 = unit.new_group_ref(domain_id=self.domain_id) + group1 = PROVIDERS.identity_api.create_group(group1) + + PROVIDERS.identity_api.add_user_to_group( + user1['id'], group1['id'] + ) + PROVIDERS.assignment_api.create_grant( + self.role_id, group_id=group1['id'], project_id=self.project_id + ) + + app_cred = { + 'id': uuid.uuid4().hex, + 'name': uuid.uuid4().hex, + 'secret': uuid.uuid4().hex, + 'user_id': user1['id'], + 'project_id': self.project_id, + 'description': uuid.uuid4().hex, + 'roles': [{'id': self.role_id}] + } + + app_cred_ref = self.app_cred_api.create_application_credential( + app_cred) + + auth_data = self.build_authentication_request( + app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret']) + self.v3_create_token(auth_data, expected_status=http_client.CREATED) + def test_application_credential_cannot_scope(self): app_cred = self._make_app_cred() app_cred_ref = self.app_cred_api.create_application_credential( diff --git a/keystone/token/providers/common.py b/keystone/token/providers/common.py index 07c0b6ef13..ed88455c13 100644 --- a/keystone/token/providers/common.py +++ b/keystone/token/providers/common.py @@ -195,16 +195,17 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object): def _get_app_cred_roles(self, app_cred, user_id, domain_id, project_id): roles = app_cred['roles'] token_roles = [] + assignment_list = PROVIDERS.assignment_api.list_role_assignments( + user_id=user_id, project_id=project_id, domain_id=domain_id, + effective=True + ) + user_roles = list(set([x['role_id'] for x in assignment_list])) + for role in roles: - try: - role_ref = PROVIDERS.assignment_api.get_grant( - role['id'], user_id=user_id, domain_id=domain_id, - project_id=project_id) - token_roles.append(role_ref) - except exception.RoleAssignmentNotFound: - pass - return [ - PROVIDERS.role_api.get_role(role['id']) for role in token_roles] + if role['id'] in user_roles: + token_roles.append({'id': role['id'], 'name': role['name']}) + + return roles def populate_roles_for_federated_user(self, token_data, group_ids, project_id=None, domain_id=None, diff --git a/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml new file mode 100644 index 0000000000..a4565ccd2a --- /dev/null +++ b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - | + [`bug 1773967 `_] + Fixes an issue where users who had role assignments only via a group + membership and not via direct assignment could create but not use + application credentials. It is important to note that federated users who + only have role assignments via a mapped group membership still cannot + create application credentials.