Expand implied roles in trust tokens

Closes-Bug: 1543318

Change-Id: Iadcedaec184c7ca14ecd6ad5035265a310e2d5d2

keystone/assignment/core.py

@@ -601,7 +601,7 @@ class Manager(manager.Manager):
             return expand_group_assignment(ref, user_id)
         return [ref]
 
-    def _add_implied_roles(self, role_refs):
+    def add_implied_roles(self, role_refs):
         """Expand out implied roles.
 
         The role_refs passed in have had all inheritance and group assignments
@@ -821,7 +821,7 @@ class Manager(manager.Manager):
             refs += self._expand_indirect_assignment(
                 ref, user_id, project_id, subtree_ids, expand_groups)
 
-        refs = self._add_implied_roles(refs)
+        refs = self.add_implied_roles(refs)
         if role_id:
             refs = self._filter_by_role_id(role_id, refs)
 

keystone/tests/unit/test_v3_assignment.py

@@ -20,7 +20,6 @@ from testtools import matchers
 
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils
 
 
 CONF = cfg.CONF
@@ -2611,7 +2610,6 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
             implied_role_id=accepted_role1['id'])
         self.put(url, expected_status=http_client.CREATED)
 
-    @utils.wip('This will fail because of bug #1543318.')
     def test_trusts_from_implied_role(self):
         self._create_three_roles()
         self._create_implied_role(self.role_list[0], self.role_list[1])
@@ -2639,11 +2637,12 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
             trust_id=trust['id'])
         r = self.v3_create_token(auth_data)
         token = r.result['token']
-
-        # FIXME(stevemar): See bug 1543318: Only one role appears in the
-        # token, it should have all the implied roles (3).
         self.assertThat(token['roles'],
                         matchers.HasLength(len(self.role_list)))
+        for role in token['roles']:
+            self.assertIn(role, self.role_list)
+        for role in self.role_list:
+            self.assertIn(role, token['roles'])
 
 
 class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase):

keystone/token/providers/common.py

@@ -32,7 +32,7 @@ LOG = log.getLogger(__name__)
 CONF = cfg.CONF
 
 
-@dependency.requires('catalog_api', 'resource_api')
+@dependency.requires('catalog_api', 'resource_api', 'assignment_api')
 class V2TokenDataHelper(object):
     """Creates V2 token data."""
 
@@ -401,9 +401,12 @@ class V3TokenDataHelper(object):
                                              token_project_id)
             filtered_roles = []
             if CONF.trust.enabled and trust:
-                for trust_role in trust['roles']:
+                refs = [{'role_id': role['id']} for role in trust['roles']]
+                effective_roles = self.assignment_api.add_implied_roles(refs)
+                for trust_role in effective_roles:
+
                     match_roles = [x for x in roles
-                                   if x['id'] == trust_role['id']]
+                                   if x['id'] == trust_role['role_id']]
                     if match_roles:
                         filtered_roles.append(match_roles[0])
                     else: