Fix response for missing attributes in trust
Related-Bug:#1278738 Currently, when the "impersonation" attribute is missing from the trust, the response shows the error message provided by the backend, which is a problem since it exposes the backend that is being used. This patch sets the "impersonation" attribute as mandatory, as specified in the API, in the "OpenStack Identity API v3 OS-TRUST Extension" document, so that an appropriate error response is sent if this attribute is missing. Additionally, the "trustee_user_id" is now checked in the same way and keystone will return a similar response if this attribute is missing. Change-Id: Id20fec6798e54d169662b68413591963481405c8
parent
3babe291de
commit
dc43f94d71
|
@ -1045,6 +1045,7 @@ class RestfulTestCase(tests.SQLDriverOverrides, rest.RestfulTestCase):
|
|||
def assertValidTrust(self, entity, ref=None, summary=False):
|
||||
self.assertIsNotNone(entity.get('trustor_user_id'))
|
||||
self.assertIsNotNone(entity.get('trustee_user_id'))
|
||||
self.assertIsNotNone(entity.get('impersonation'))
|
||||
|
||||
self.assertIn('expires_at', entity)
|
||||
if entity['expires_at'] is not None:
|
||||
|
|
|
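Review bot: The `impersonation` check in `assertValidTrust` (presumably the line this hunk adds; the diff markers are lost on this page) passes for any non-None value, so a trust returned with a string or integer in that field would still count as valid. Since the attribute is a boolean that decides whether tokens issued from the trust carry the trustor's identity, a type assertion pins it more tightly: `self.assertIsInstance(entity.get('impersonation'), bool)`. The helper's body continues past the end of the hunk.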
@ -2448,6 +2448,34 @@ class TestTrustAuth(TestAuthInfo):
|
|||
body={'trust': ref},
|
||||
expected_status=400)
|
||||
|
||||
def test_invalid_trust_request_without_impersonation(self):
|
||||
ref = self.new_trust_ref(
|
||||
trustor_user_id=self.user_id,
|
||||
trustee_user_id=self.trustee_user_id,
|
||||
project_id=self.project_id,
|
||||
role_ids=[self.role_id])
|
||||
|
||||
del ref['id']
|
||||
del ref['impersonation']
|
||||
|
||||
self.post('/OS-TRUST/trusts',
|
||||
body={'trust': ref},
|
||||
expected_status=400)
|
||||
|
||||
def test_invalid_trust_request_without_trustee(self):
|
||||
ref = self.new_trust_ref(
|
||||
trustor_user_id=self.user_id,
|
||||
trustee_user_id=self.trustee_user_id,
|
||||
project_id=self.project_id,
|
||||
role_ids=[self.role_id])
|
||||
|
||||
del ref['id']
|
||||
del ref['trustee_user_id']
|
||||
|
||||
self.post('/OS-TRUST/trusts',
|
||||
body={'trust': ref},
|
||||
expected_status=400)
|
||||
|
||||
def test_create_unlimited_use_trust(self):
|
||||
# by default trusts are unlimited in terms of tokens that can be
|
||||
# generated from them, this test creates such a trust explicitly
|
||||
|
|
|
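Review bot: Both new tests assert only `expected_status=400`, which does not show that the response body is free of backend detail, the disclosure the commit message describes. Keeping the response, `r = self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=400)`, and asserting that its error message names the missing attribute (`impersonation` or `trustee_user_id`) would pin the regression itself. The two tests also differ only in the deleted key, so a small shared helper taking the attribute name would remove the duplicated `new_trust_ref` setup. `test_create_unlimited_use_trust` at the end of the hunk continues outside it.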
@ -135,6 +135,10 @@ class TrustV3(controller.V3Controller):
|
|||
if not trust:
|
||||
raise exception.ValidationError(attribute='trust',
|
||||
target='request')
|
||||
|
||||
self._require_attribute(trust, 'impersonation')
|
||||
self._require_attribute(trust, 'trustee_user_id')
|
||||
|
||||
if trust.get('project_id') and not trust.get('roles'):
|
||||
raise exception.Forbidden(
|
||||
_('At least one role should be specified.'))
|
||||
|
|
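Review bot: The two `_require_attribute` calls presumably check presence only (the helper is not shown in this hunk), so a present `impersonation` of the wrong type, such as the string `"false"`, still reaches the trust backend. Rejecting it in the controller keeps the 400 response uniform and avoids relying on the backend's own error text, which is the leak this commit closes for the missing-attribute case: `if not isinstance(trust['impersonation'], bool): raise exception.ValidationError(attribute='impersonation', target='trust')`. A short comment above the calls, `# Reject incomplete trusts here so backend errors never reach the client.`, would record why the validation lives in the controller. The enclosing method starts and ends outside the hunk.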