Enforce scope mutual exclusion for system

we already fail when mutliple scope identifiers are provided, however not when system scope is involved. As a result of the undocumented priority of checks, when system scope is specified together with any other scope, that other scope will silently be used. Change-Id: I120ed63f6c1262d067eeb6168feab35278cacf6a
2 years ago · ae646f8d37
parent 11faa0e67d
commit ae646f8d37
1 changed files with 2 additions and 1 deletions
--- a/keystoneauth1/identity/v3/base.py
+++ b/keystoneauth1/identity/v3/base.py
@ -137,13 +137,14 @@ class Auth(BaseAuth):
        mutual_exclusion = [bool(self.domain_id or self.domain_name),
                            bool(self.project_id or self.project_name),
                            bool(self.trust_id),
+                            bool(self.system_scope),
                            bool(self.unscoped)]

        if sum(mutual_exclusion) > 1:
            raise exceptions.AuthorizationFailure(
                message='Authentication cannot be scoped to multiple'
                        ' targets. Pick one of: project, domain, '
-                        'trust or unscoped')
+                        'trust, system or unscoped')

        if self.domain_id:
            body['auth']['scope'] = {'domain': {'id': self.domain_id}}