Merge "Reject user creation using admin token without domain"

2016-01-06 19:19:35 +00:00 · 2016-01-06 19:19:35 +00:00 · 81cfed9d1c
parent 1a67c2a7ef 9a41fbf1da
commit 81cfed9d1c
2 changed files with 31 additions and 1 deletions
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@ -745,7 +745,16 @@ class V3Controller(wsgi.Application):
        being used.

        """
-        token_ref = utils.get_token_ref(context)
+        try:
+            token_ref = utils.get_token_ref(context)
+        except exception.Unauthorized:
+            if context.get('is_admin'):
+                raise exception.ValidationError(
+                    _('You have tried to create a resource using the admin '
+                      'token. As this token is not within a domain you must '
+                      'explicitly include a domain for this resource to '
+                      'belong to.'))
+            raise

        if token_ref.domain_scoped:
            return token_ref.domain_id
--- a/keystone/tests/unit/test_v3_identity.py
+++ b/keystone/tests/unit/test_v3_identity.py
@ -106,6 +106,27 @@ class IdentityTestCase(test_v3.RestfulTestCase):
        ref['domain_id'] = CONF.identity.default_domain_id
        return self.assertValidUserResponse(r, ref)

+    def test_create_user_with_admin_token_and_domain(self):
+        """Call ``POST /users`` with admin token and domain id."""
+        ref = unit.new_user_ref(domain_id=self.domain_id)
+        self.post('/users', body={'user': ref}, token=CONF.admin_token,
+                  expected_status=http_client.CREATED)
+
+    def test_create_user_with_admin_token_and_no_domain(self):
+        """Call ``POST /users`` with admin token but no domain id.
+
+        It should not be possible to use the admin token to create a user
+        while not explicitly passing the domain in the request body.
+
+        """
+        # Passing a valid domain id to new_user_ref() since domain_id is
+        # not an optional parameter.
+        ref = unit.new_user_ref(domain_id=self.domain_id)
+        # Delete the domain id before sending the request.
+        del ref['domain_id']
+        self.post('/users', body={'user': ref}, token=CONF.admin_token,
+                  expected_status=http_client.BAD_REQUEST)
+
    def test_create_user_bad_request(self):
        """Call ``POST /users``."""
        self.post('/users', body={'user': {}},