Expand implied roles in system-scoped tokens

The implementation for system-scoped tokens lacked support for
expanding implied roles. This patch modifies the token model so that
it generates implied roles on the system in the token response.

Change-Id: I46ff38a9cff6c605ccb9a52b1533f01fa4faec17
Closes-Bug: 1788694
Lance Bragstad 2018-08-24 14:45:47 +00:00
parent 6d7cfdb4ba
commit 9051d403a3
3 changed files with 23 additions and 9 deletions


@ -12,8 +12,6 @@
"""Unified in-memory token model."""
import itertools
from oslo_log import log
from oslo_serialization import msgpackutils
from oslo_utils import reflection
@ -254,6 +252,7 @@ class TokenModel(object):
roles = []
groups = PROVIDERS.identity_api.list_groups_for_user(self.user_id)
all_group_roles = []
assignments = []
for group in groups:
group_roles = (
PROVIDERS.assignment_api.list_system_grants_for_group(
@ -262,10 +261,25 @@ class TokenModel(object):
)
for role in group_roles:
all_group_roles.append(role)
assignment = {'group_id': group['id'], 'role_id': role['id']}
assignments.append(assignment)
user_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
self.user_id
)
for role in itertools.chain(all_group_roles, user_roles):
for role in user_roles:
assignment = {'user_id': self.user_id, 'role_id': role['id']}
assignments.append(assignment)
# NOTE(lbragstad): The whole reason we need to build out a list of
# "assignments" as opposed to just using the nice list of roles we
# already have is because the add_implied_roles() method operates on a
# list of assignment dictionaries (containing role_id,
# user_id/group_id, project_id, et cetera). That method could probably
# be fixed to be more clear by operating on actual roles instead of
# just assignments.
assignments = PROVIDERS.assignment_api.add_implied_roles(assignments)
for assignment in assignments:
role = PROVIDERS.role_api.get_role(assignment['role_id'])
roles.append({'id': role['id'], 'name': role['name']})
return roles
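Review bot: The final loop appends one role entry per assignment, so a role reachable more than once — granted to the user directly and again through a group, or implied by two different parent roles — is listed twice in the system role list, and role_api.get_role is called once per assignment rather than once per distinct role. Whether add_implied_roles collapses duplicates is not visible here, and even if it does, the user-keyed and group-keyed dicts built above differ and would not collide on that check, so I would de-duplicate on role_id before the lookup while keeping first-seen order. Separately, `all_group_roles` is still built but no longer read now that the `itertools.chain` line is gone, so that list and its append can be dropped. The enclosing method starts before this hunk, so its signature and any caller-facing contract are not visible from here.
```python
assignments = PROVIDERS.assignment_api.add_implied_roles(assignments)
# … unchanged: NOTE about add_implied_roles operating on assignments …
seen_role_ids = set()
for assignment in assignments:
    role_id = assignment['role_id']
    # Direct and group grants (or two parents implying the same role) can
    # yield the same role_id more than once; emit each role exactly once.
    if role_id in seen_role_ids:
        continue
    seen_role_ids.add(role_id)
    role = PROVIDERS.role_api.get_role(role_id)
    roles.append({'id': role['id'], 'name': role['name']})
return roles
```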


@ -45,7 +45,6 @@ from keystone.tests.common import auth as common_auth
from keystone.tests import unit
from keystone.tests.unit import ksfixtures
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
@ -1860,11 +1859,6 @@ class TokenAPITests(object):
self._create_implied_role_shows_in_v3_token(True)
@test_utils.wip(
"Skipped until system-scoped support expanding implied roles",
expected_exception=matchers._impl.MismatchError,
bug='#1788694'
)
def test_create_implied_role_shows_in_v3_system_token(self):
self.config_fixture.config(group='token', infer_roles=True)
PROVIDERS.assignment_api.create_system_grant_for_user(


@ -0,0 +1,6 @@
---
fixes:
- |
[`bug 1788694 <https://bugs.launchpad.net/keystone/+bug/1788694>`_]
System-scoped tokens now support expanding role assignments to include
implied roles in token creation and validation responses.