Expand implied roles in system-scoped tokens

The implementation for system-scoped tokens lacked support for
expanding implied roles. This patch modifies the token model so that
it generates implied roles on the system in the token response.

Change-Id: I46ff38a9cff6c605ccb9a52b1533f01fa4faec17
Closes-Bug: 1788694

keystone/models/token_model.py

@@ -12,8 +12,6 @@
 
 """Unified in-memory token model."""
 
-import itertools
-
 from oslo_log import log
 from oslo_serialization import msgpackutils
 from oslo_utils import reflection
@@ -254,6 +252,7 @@ class TokenModel(object):
         roles = []
         groups = PROVIDERS.identity_api.list_groups_for_user(self.user_id)
         all_group_roles = []
+        assignments = []
         for group in groups:
             group_roles = (
                 PROVIDERS.assignment_api.list_system_grants_for_group(
@@ -262,10 +261,25 @@ class TokenModel(object):
             )
             for role in group_roles:
                 all_group_roles.append(role)
+                assignment = {'group_id': group['id'], 'role_id': role['id']}
+                assignments.append(assignment)
         user_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
             self.user_id
         )
-        for role in itertools.chain(all_group_roles, user_roles):
+        for role in user_roles:
+            assignment = {'user_id': self.user_id, 'role_id': role['id']}
+            assignments.append(assignment)
+
+        # NOTE(lbragstad): The whole reason we need to build out a list of
+        # "assignments" as opposed to just using the nice list of roles we
+        # already have is because the add_implied_roles() method operates on a
+        # list of assignment dictionaries (containing role_id,
+        # user_id/group_id, project_id, et cetera). That method could probably
+        # be fixed to be more clear by operating on actual roles instead of
+        # just assignments.
+        assignments = PROVIDERS.assignment_api.add_implied_roles(assignments)
+        for assignment in assignments:
+            role = PROVIDERS.role_api.get_role(assignment['role_id'])
             roles.append({'id': role['id'], 'name': role['name']})
 
         return roles

keystone/tests/unit/test_v3_auth.py

@@ -45,7 +45,6 @@ from keystone.tests.common import auth as common_auth
 from keystone.tests import unit
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils as test_utils
 
 
 CONF = keystone.conf.CONF
@@ -1860,11 +1859,6 @@ class TokenAPITests(object):
 
         self._create_implied_role_shows_in_v3_token(True)
 
-    @test_utils.wip(
-        "Skipped until system-scoped support expanding implied roles",
-        expected_exception=matchers._impl.MismatchError,
-        bug='#1788694'
-    )
     def test_create_implied_role_shows_in_v3_system_token(self):
         self.config_fixture.config(group='token', infer_roles=True)
         PROVIDERS.assignment_api.create_system_grant_for_user(

releasenotes/notes/bug-1788694-4dc8b3ec47fc6084.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    [`bug 1788694 <https://bugs.launchpad.net/keystone/+bug/1788694>`_]
+    System-scoped tokens now support expanding role assignments to include
+    implied roles in token creation and validation responses.