Fix response for missing attributes in trust

Related-Bug:#1278738 Currently, when the "impersonation" attribute is missing from the trust, the response shows the error message provided by the backend, which is a problem since it exposes the backend that is being used. This patch sets the "impersonation" attribute as mandatory, as specified in the API, in the "OpenStack Identity API v3 OS-TRUST Extension" document. Thus, sending an appropriate error response if this attribute is missing. Additionally, the "trustee_user_id" is now checked in the same way and keystone will return similar response if this attribute is missing. Change-Id: Id20fec6798e54d169662b68413591963481405c8
2014-04-04 15:23:30 +03:00 · 2014-04-04 15:23:30 +03:00 · dc43f94d71
parent 3babe291de
commit dc43f94d71
3 changed files with 33 additions and 0 deletions
--- a/keystone/tests/test_v3.py
+++ b/keystone/tests/test_v3.py
@ -1045,6 +1045,7 @@ class RestfulTestCase(tests.SQLDriverOverrides, rest.RestfulTestCase):
    def assertValidTrust(self, entity, ref=None, summary=False):
        self.assertIsNotNone(entity.get('trustor_user_id'))
        self.assertIsNotNone(entity.get('trustee_user_id'))
+        self.assertIsNotNone(entity.get('impersonation'))

        self.assertIn('expires_at', entity)
        if entity['expires_at'] is not None:
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@ -2448,6 +2448,34 @@ class TestTrustAuth(TestAuthInfo):
                  body={'trust': ref},
                  expected_status=400)

+    def test_invalid_trust_request_without_impersonation(self):
+        ref = self.new_trust_ref(
+            trustor_user_id=self.user_id,
+            trustee_user_id=self.trustee_user_id,
+            project_id=self.project_id,
+            role_ids=[self.role_id])
+
+        del ref['id']
+        del ref['impersonation']
+
+        self.post('/OS-TRUST/trusts',
+                  body={'trust': ref},
+                  expected_status=400)
+
+    def test_invalid_trust_request_without_trustee(self):
+        ref = self.new_trust_ref(
+            trustor_user_id=self.user_id,
+            trustee_user_id=self.trustee_user_id,
+            project_id=self.project_id,
+            role_ids=[self.role_id])
+
+        del ref['id']
+        del ref['trustee_user_id']
+
+        self.post('/OS-TRUST/trusts',
+                  body={'trust': ref},
+                  expected_status=400)
+
    def test_create_unlimited_use_trust(self):
        # by default trusts are unlimited in terms of tokens that can be
        # generated from them, this test creates such a trust explicitly
--- a/keystone/trust/controllers.py
+++ b/keystone/trust/controllers.py
@ -135,6 +135,10 @@ class TrustV3(controller.V3Controller):
        if not trust:
            raise exception.ValidationError(attribute='trust',
                                            target='request')
+
+        self._require_attribute(trust, 'impersonation')
+        self._require_attribute(trust, 'trustee_user_id')
+
        if trust.get('project_id') and not trust.get('roles'):
            raise exception.Forbidden(
                _('At least one role should be specified.'))