From 0aff9ff3af4a6bc0b3d6128ae35231d1b18d543b Mon Sep 17 00:00:00 2001 From: wanghong Date: Sun, 26 Jan 2014 11:14:46 +0800 Subject: [PATCH] trust creation allowed with empty roles list The docs state "A project_id may not be specified without at least one role, and vice versa.", however /OS-TRUST/trusts does allow you to create a trust with an empty roles list and project_id specified. This results in 401 responses whenever you try to consume the trust, because there are no roles for the trustee on the authorized project. This patch will add a check in trust creation to ensure at least one role exists if project_id is supplied. Change-Id: Iebad0b6b7ed62a029d1e50afb003679bafb1655d Closes-Bug: #1214064 --- keystone/tests/test_auth.py | 11 +++++++---- keystone/tests/test_v3_auth.py | 16 ++++++++++++++-- keystone/trust/controllers.py | 3 +++ 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py index 76561c1661..6c8e7bd1f9 100644 --- a/keystone/tests/test_auth.py +++ b/keystone/tests/test_auth.py @@ -696,17 +696,20 @@ class AuthWithTrust(AuthTest): def test_create_trust_bad_data_fails(self): context = self._create_auth_context( self.unscoped_token['access']['token']['id']) - bad_sample_data = {'trustor_user_id': self.trustor['id']} + bad_sample_data = {'trustor_user_id': self.trustor['id'], + 'project_id': self.tenant_bar['id'], + 'roles': [{'id': self.role_browser['id']}]} self.assertRaises(exception.ValidationError, self.trust_controller.create_trust, context, trust=bad_sample_data) def test_create_trust_no_roles(self): - self.new_trust = None + context = {'token_id': self.unscoped_token['access']['token']['id']} self.sample_data['roles'] = [] - self.create_trust() - self.assertEqual([], self.new_trust['roles']) + self.assertRaises(exception.Forbidden, + self.trust_controller.create_trust, + context, trust=self.sample_data) def test_create_trust(self): self.assertEqual(self.trustor['id'], self.new_trust['trustor_user_id']) diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py index c27155fdd6..2cc3c1c120 100644 --- a/keystone/tests/test_v3_auth.py +++ b/keystone/tests/test_v3_auth.py @@ -2247,6 +2247,14 @@ class TestTrustAuth(TestAuthInfo): r = self.post('/OS-TRUST/trusts', body={'trust': ref}) self.assertValidTrustResponse(r, ref) + def test_create_trust_no_roles(self): + ref = self.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.project_id) + del ref['id'] + self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=403) + def _initialize_test_consume_trust(self, count): # Make sure remaining_uses is decremented as we consume the trust ref = self.new_trust_ref( @@ -2404,14 +2412,18 @@ class TestTrustAuth(TestAuthInfo): def test_create_trust_trustee_404(self): ref = self.new_trust_ref( trustor_user_id=self.user_id, - trustee_user_id=uuid.uuid4().hex) + trustee_user_id=uuid.uuid4().hex, + project_id=self.project_id, + role_ids=[self.role_id]) del ref['id'] self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=404) def test_create_trust_trustor_trustee_backwards(self): ref = self.new_trust_ref( trustor_user_id=self.trustee_user_id, - trustee_user_id=self.user_id) + trustee_user_id=self.user_id, + project_id=self.project_id, + role_ids=[self.role_id]) del ref['id'] self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=403) diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py index e80d533010..bf8a8af278 100644 --- a/keystone/trust/controllers.py +++ b/keystone/trust/controllers.py @@ -134,6 +134,9 @@ class TrustV3(controller.V3Controller): if not trust: raise exception.ValidationError(attribute='trust', target='request') + if trust.get('project_id') and not trust.get('roles'): + raise exception.Forbidden( + _('At least one role should be specified.')) try: user_id = self._get_user_id(context) _trustor_only(context, trust, user_id)