
Add test case for expanding implied roles in system tokens

This change is being backported because it provides a helper method in
the unit tests that another change relies on.

If a user has a role assignment on the system, which implies another
role assignment, the system-scoped token response should include
both role assignments.

This patch exposes a bug in the system-scoped token implementation
where implied roles aren't expanded out before returning the
token response to the user.

Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
Related-Bug: 1788694
(cherry picked from commit 6d7cfdb4ba5b8ce81d656dd22316505af6d382b8)
(cherry picked from commit 1403a9645d3dca20a681e0ffee3f5ac3a36fe0c6)
tags/13.0.3
Lance Bragstad Colleen Murphy 1 year ago
parent
commit
d57733f4e8
2 changed files with 49 additions and 0 deletions
  1. +26
    -0
      keystone/tests/unit/test_v3.py
  2. +23
    -0
      keystone/tests/unit/test_v3_auth.py

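--- a/keystone/tests/unit/test_v3.py
+++ b/keystone/tests/unit/test_v3.py
@@ -390,6 +390,32 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
 })
 return r.headers.get('X-Subject-Token')
 
+def get_system_scoped_token(self):
+"""Convenience method for requesting system scoped tokens."""
+r = self.admin_request(
+method='POST',
+path='/v3/auth/tokens',
+body={
+'auth': {
+'identity': {
+'methods': ['password'],
+'password': {
+'user': {
+'name': self.user['name'],
+'password': self.user['password'],
+'domain': {
+'id': self.user['domain_id']
+}
+}
+}
+},
+'scope': {
+'system': {'all': True}
+}
+}
+})
+return r.headers.get('X-Subject-Token')
+
 def get_domain_scoped_token(self):
 """Convenience method for requesting domain scoped token."""
 r = self.admin_request(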
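Review bot: The docstring on `get_system_scoped_token` does not state the precondition the helper depends on: it authenticates as `self.user` by password and requests `'scope': {'system': {'all': True}}`, which presumably only succeeds once that user holds a role assignment on the system. A caller that skips the grant gets either a failed request or `None` from `r.headers.get('X-Subject-Token')`, depending on how `admin_request` checks the status (not visible here), and the failure then surfaces far from its cause. I would extend the docstring to something like `"""Request a system-scoped token for self.user; the user must already have a system role assignment."""`. The enclosing class `RestfulTestCase` and the following `get_domain_scoped_token` continue outside the hunk.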


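--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -44,6 +44,7 @@ from keystone.tests.common import auth as common_auth
 from keystone.tests import unit
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit import test_v3
+from keystone.tests.unit import utils as test_utils
 
 
 CONF = keystone.conf.CONF
@@ -1849,6 +1850,28 @@ class TokenAPITests(object):
 
 self._create_implied_role_shows_in_v3_token(True)
 
+@test_utils.wip(
+"Skipped until system-scoped support expanding implied roles",
+expected_exception=matchers._impl.MismatchError,
+bug='#1788694'
+)
+def test_create_implied_role_shows_in_v3_system_token(self):
+self.config_fixture.config(group='token', infer_roles=True)
+PROVIDERS.assignment_api.create_system_grant_for_user(
+self.user['id'], self.role['id']
+)
+
+token_id = self.get_system_scoped_token()
+r = self.get('/auth/tokens', headers={'X-Subject-Token': token_id})
+token_roles = r.result['token']['roles']
+
+prior = token_roles[0]['id']
+self._create_implied_role(prior)
+
+r = self.get('/auth/tokens', headers={'X-Subject-Token': token_id})
+token_roles = r.result['token']['roles']
+self.assertEqual(2, len(token_roles))
+
 def test_group_assigned_implied_role_shows_in_v3_token(self):
 self.config_fixture.config(group='token', infer_roles=True)
 is_domain = False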
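Review bot: The final check `self.assertEqual(2, len(token_roles))` in `test_create_implied_role_shows_in_v3_system_token` counts roles but never verifies which roles the system-scoped token carries, so once bug 1788694 is fixed the test would pass for any two roles. For an authorization test I would also assert identity, e.g. `self.assertIn(prior, [role['id'] for role in token_roles])`, plus the id of the implied role if `_create_implied_role` (defined outside this hunk) returns it. `token_roles[0]` is read without first asserting that the initial token holds exactly one role, so an empty list would raise `IndexError`, which presumably does not match `expected_exception` and would be reported as an error rather than the expected mismatch. The decorator also reaches into `matchers._impl`, a private testtools module; `matchers.MismatchError` is the public name if the pinned testtools version exports it.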

