From d57733f4e8849331935951e8a6c3f93d755fea3e Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Fri, 24 Aug 2018 13:56:37 +0000
Subject: [PATCH] Add test case for expanding implied roles in system tokens
This change is being backported because it provides a helper method in the unit tests that another change relies on. If a user has a role assignment on the system, which implies another role assignment, the system-scoped token response should include both role assignments. This patch exposes a bug in the system-scoped token implementation where implied roles aren't expanded out before returning the token response to the user.
Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
Related-Bug: 1788694
(cherry picked from commit 6d7cfdb4ba5b8ce81d656dd22316505af6d382b8)
(cherry picked from commit 1403a9645d3dca20a681e0ffee3f5ac3a36fe0c6)
---
 keystone/tests/unit/test_v3.py | 26 ++++++++++++++++++++++++++
 keystone/tests/unit/test_v3_auth.py | 23 +++++++++++++++++++++++
 2 files changed, 49 insertions(+)
diff --git a/keystone/tests/unit/test_v3.py b/keystone/tests/unit/test_v3.py
index 56a5871b9a..48a517e6e2 100644
--- a/keystone/tests/unit/test_v3.py
+++ b/keystone/tests/unit/test_v3.py
@@ -390,6 +390,32 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
 })
 return r.headers.get('X-Subject-Token')
+ def get_system_scoped_token(self):
+ """Convenience method for requesting system scoped tokens."""
+ r = self.admin_request(
+ method='POST',
+ path='/v3/auth/tokens',
+ body={
+ 'auth': {
+ 'identity': {
+ 'methods': ['password'],
+ 'password': {
+ 'user': {
+ 'name': self.user['name'],
+ 'password': self.user['password'],
+ 'domain': {
+ 'id': self.user['domain_id']
+ }
+ }
+ }
+ },
+ 'scope': {
+ 'system': {'all': True}
+ }
+ }
+ })
+ return r.headers.get('X-Subject-Token')
+
 def get_domain_scoped_token(self):
 """Convenience method for requesting domain scoped token."""
 r = self.admin_request(
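Review bot: The docstring on `get_system_scoped_token` does not state its precondition: `self.user` must already hold a role assignment on the system before the helper is called. Without one, the `POST /v3/auth/tokens` request scoped to `'system': {'all': True}` presumably yields no token, and `r.headers.get('X-Subject-Token')` returns `None` when the header is absent, so the failure would surface later in the calling test as an unrelated error. I would extend the docstring to `"""Request a system-scoped token for self.user, who must already have a system role assignment."""`. Whether `admin_request` itself asserts a successful status is not visible in this hunk.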
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 9ffad8cb01..be2cb1b15c 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -44,6 +44,7 @@ from keystone.tests.common import auth as common_auth
 from keystone.tests import unit
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit import test_v3
+from keystone.tests.unit import utils as test_utils
 CONF = keystone.conf.CONF
@@ -1849,6 +1850,28 @@ class TokenAPITests(object):
 self._create_implied_role_shows_in_v3_token(True)
+ @test_utils.wip(
+ "Skipped until system-scoped support expanding implied roles",
+ expected_exception=matchers._impl.MismatchError,
+ bug='#1788694'
+ )
+ def test_create_implied_role_shows_in_v3_system_token(self):
+ self.config_fixture.config(group='token', infer_roles=True)
+ PROVIDERS.assignment_api.create_system_grant_for_user(
+ self.user['id'], self.role['id']
+ )
+
+ token_id = self.get_system_scoped_token()
+ r = self.get('/auth/tokens', headers={'X-Subject-Token': token_id})
+ token_roles = r.result['token']['roles']
+
+ prior = token_roles[0]['id']
+ self._create_implied_role(prior)
+
+ r = self.get('/auth/tokens', headers={'X-Subject-Token': token_id})
+ token_roles = r.result['token']['roles']
+ self.assertEqual(2, len(token_roles))
+
 def test_group_assigned_implied_role_shows_in_v3_token(self):
 self.config_fixture.config(group='token', infer_roles=True)
 is_domain = False
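Review bot: `test_create_implied_role_shows_in_v3_system_token` asserts only `len(token_roles)`, so once the wip marker is lifted it would pass for any two roles rather than specifically the granted role plus the one it implies. Because the test pins which roles a system-scoped token carries, I would add `self.assertEqual(1, len(token_roles))` before reading `token_roles[0]['id']` and `self.assertIn(prior, [role['id'] for role in token_roles])` after the second fetch. Separately, `expected_exception=matchers._impl.MismatchError` reaches into a private module. If `matchers` is testtools' module (its import is outside the hunk), `matchers.MismatchError` is the public name for the same class.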