Merge "Fixes create_saml_assertion() return"

keystone/contrib/federation/controllers.py

@@ -274,12 +274,12 @@ class Auth(auth_controllers.Auth):
         subject = token_ref.user_name
         roles = token_ref.role_names
 
-        if token_ref.project_scoped:
-            project = token_ref.project_name
-        else:
-            raise ValueError(_('Use a project scoped token when attempting to'
-                               'create a SAML assertion'))
+        if not token_ref.project_scoped:
+            action = _('Use a project scoped token when attempting to create '
+                       'a SAML assertion')
+            raise exception.ForbiddenAction(action=action)
 
+        project = token_ref.project_name
         generator = keystone_idp.SAMLGenerator()
         response = generator.samlize_token(issuer, recipient, subject, roles,
                                            project)

keystone/tests/test_v3_federation.py

@@ -1878,6 +1878,8 @@ class SAMLGenerationTests(FederationTests):
         """Test that the SAML generation fails when passing tokens
         not scoped by project.
 
+        The server should return a 403 Forbidden Action.
+
         """
         self.config_fixture.config(group='saml', idp_entity_id=self.ISSUER)
         region_id = self._create_region_with_url()
@@ -1886,10 +1888,8 @@ class SAMLGenerationTests(FederationTests):
 
         with mock.patch.object(keystone_idp, '_sign_assertion',
                                return_value=self.signed_assertion):
-            # NOTE(rodrigods): currently, sending a request using a domain
-            # scoped token returns 500 due bug #1395117
             self.post(self.SAML_GENERATION_ROUTE, body=body,
-                      expected_status=500)
+                      expected_status=403)
 
     def test_generate_saml_route(self):
         """Test that the SAML generation endpoint produces XML.