Merge "Allows to use application credentials through group membership"

2019-08-07 00:32:55 +00:00 · 2019-08-07 00:32:55 +00:00 · 71a1fb0437
commit 71a1fb0437
parent f826e5c18b 14b25bc5d1
3 changed files with 50 additions and 7 deletions
--- a/keystone/models/token_model.py
+++ b/keystone/models/token_model.py
@ -409,14 +409,16 @@ class TokenModel(object):
    def _get_application_credential_roles(self):
        roles = []
        app_cred_roles = self.application_credential['roles']
+        assignment_list = PROVIDERS.assignment_api.list_role_assignments(
+            user_id=self.user_id,
+            project_id=self.project_id,
+            domain_id=self.domain_id,
+            effective=True)
+        user_roles = list(set([x['role_id'] for x in assignment_list]))
+
        for role in app_cred_roles:
-            try:
-                r = PROVIDERS.assignment_api.get_grant(
-                    role['id'], user_id=self.user_id,
-                    domain_id=self.domain_id, project_id=self.project_id)
-                roles.append({'id': r['id'], 'name': r['name']})
-            except exception.RoleAssignmentNotFound:
-                pass
+            if role['id'] in user_roles:
+                roles.append({'id': role['id'], 'name': role['name']})

        return roles

--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@ -5634,6 +5634,38 @@ class ApplicationCredentialAuth(test_v3.RestfulTestCase):
            app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
        self.v3_create_token(auth_data, expected_status=http_client.NOT_FOUND)

+    def test_application_credential_through_group_membership(self):
+        user1 = unit.create_user(
+            PROVIDERS.identity_api, domain_id=self.domain_id
+        )
+
+        group1 = unit.new_group_ref(domain_id=self.domain_id)
+        group1 = PROVIDERS.identity_api.create_group(group1)
+
+        PROVIDERS.identity_api.add_user_to_group(
+            user1['id'], group1['id']
+        )
+        PROVIDERS.assignment_api.create_grant(
+            self.role_id, group_id=group1['id'], project_id=self.project_id
+        )
+
+        app_cred = {
+            'id': uuid.uuid4().hex,
+            'name': uuid.uuid4().hex,
+            'secret': uuid.uuid4().hex,
+            'user_id': user1['id'],
+            'project_id': self.project_id,
+            'description': uuid.uuid4().hex,
+            'roles': [{'id': self.role_id}]
+        }
+
+        app_cred_ref = self.app_cred_api.create_application_credential(
+            app_cred)
+
+        auth_data = self.build_authentication_request(
+            app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
+        self.v3_create_token(auth_data, expected_status=http_client.CREATED)
+
    def test_application_credential_cannot_scope(self):
        app_cred = self._make_app_cred()
        app_cred_ref = self.app_cred_api.create_application_credential(
--- a/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml
+++ b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml
@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    [`bug 1773967 <https://bugs.launchpad.net/keystone/+bug/1773967>`_]
+    Fixes an issue where users who had role assignments only via a group
+    membership and not via direct assignment could create but not use
+    application credentials. It is important to note that federated users who
+    only have role assignments via a mapped group membership still cannot
+    create application credentials.