Enforce scope mutual exclusion for system

We already fail when multiple scope identifiers are provided, however
not when system scope is involved. As a result of the undocumented
priority of checks, when system scope is specified together with any
other scope, that other scope will silently be used.

Change-Id: I120ed63f6c1262d067eeb6168feab35278cacf6a
Pavlo Shchelokovskyy 2021-07-28 13:39:40 +03:00 committed by Pavlo Shchelokovskyy
parent 11faa0e67d
commit ae646f8d37
1 changed files with 2 additions and 1 deletions


@ -137,13 +137,14 @@ class Auth(BaseAuth):
mutual_exclusion = [bool(self.domain_id or self.domain_name),
bool(self.project_id or self.project_name),
bool(self.trust_id),
bool(self.system_scope),
bool(self.unscoped)]
if sum(mutual_exclusion) > 1:
raise exceptions.AuthorizationFailure(
message='Authentication cannot be scoped to multiple'
' targets. Pick one of: project, domain, '
'trust or unscoped')
'trust, system or unscoped')
if self.domain_id:
body['auth']['scope'] = {'domain': {'id': self.domain_id}}
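
Review bot: the new `bool(self.system_scope)` entry in `mutual_exclusion` makes a call that used to succeed (system scope passed together with another scope, with the other scope silently used per the commit message) raise `AuthorizationFailure`, yet the commit changes only this one file, so nothing exercises the new path. Suggest adding a unit test that sets `system_scope` alongside each of the other scope identifiers and asserts the exception and its updated message, plus a release note so callers who relied on the old behaviour know to drop the extra scope argument.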