From ae646f8d37f6defca6ee87d8c94f1cb7469253b9 Mon Sep 17 00:00:00 2001
From: Pavlo Shchelokovskyy
Date: Wed, 28 Jul 2021 13:39:40 +0300
Subject: [PATCH] Enforce scope mutual exclusion for system

we already fail when mutliple scope identifiers are provided, however not when system scope is involved. As a result of the undocumented priority of checks, when system scope is specified together with any other scope, that other scope will silently be used.

Change-Id: I120ed63f6c1262d067eeb6168feab35278cacf6a
---
 keystoneauth1/identity/v3/base.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/keystoneauth1/identity/v3/base.py b/keystoneauth1/identity/v3/base.py
index bcd64412..45b9f6c5 100644
--- a/keystoneauth1/identity/v3/base.py
+++ b/keystoneauth1/identity/v3/base.py
@@ -137,13 +137,14 @@ class Auth(BaseAuth):
 mutual_exclusion = [bool(self.domain_id or self.domain_name),
 bool(self.project_id or self.project_name),
 bool(self.trust_id),
+ bool(self.system_scope),
 bool(self.unscoped)]
 
 if sum(mutual_exclusion) > 1:
 raise exceptions.AuthorizationFailure(
 message='Authentication cannot be scoped to multiple'
 ' targets. Pick one of: project, domain, '
- 'trust or unscoped')
+ 'trust, system or unscoped')
 
 if self.domain_id:
 body['auth']['scope'] = {'domain': {'id': self.domain_id}}
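Review bot: Nothing in this patch pins the new rejection with a test (the diffstat lists only `keystoneauth1/identity/v3/base.py`), so the `bool(self.system_scope)` entry in `mutual_exclusion` could be dropped later without anything failing, and a token would again be requested for a scope the caller did not intend. A unit test asserting that `system_scope` combined with each of project, domain and trust raises `AuthorizationFailure` would cover it. Callers that previously passed `system_scope` alongside another scope and silently got the other scope will now fail, which probably deserves a release note. A short comment above the list, such as `# Exactly one scope target may be set; the branches starting at "if self.domain_id" would otherwise pick one silently.`, would record why the check exists. The enclosing method starts and ends outside the hunk, so the order of the remaining branches is not visible here.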