From d4892017f446ea2f9ae061058b79c1854bb91340 Mon Sep 17 00:00:00 2001
From: Jamie Lennox 
Date: Thu, 6 Mar 2014 10:58:51 +1000
Subject: [PATCH] Enforce scope mutual exclusion for trusts

We already warn if you try to scope a domain and project together. This should be extended to trust scoping rather than clobbering the existing scope.

Change-Id: I9d8fe001b65588b1c21e58f38a47456fdad85ee1
Related-Bug: #1288223
---
 keystoneclient/auth/identity/v3.py | 18 ++++++++++--------
 keystoneclient/tests/auth/test_identity_v3.py | 13 +++++++++++++
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/keystoneclient/auth/identity/v3.py b/keystoneclient/auth/identity/v3.py
index 5f3e7e10f..7422db1e5 100644
--- a/keystoneclient/auth/identity/v3.py
+++ b/keystoneclient/auth/identity/v3.py
@@ -73,11 +73,15 @@ class Auth(base.BaseIdentityPlugin):
 raise exceptions.AuthorizationFailure('Authentication method '
 'required (e.g. password)')
- if ((self.domain_id or self.domain_name) and
- (self.project_id or self.project_name)):
+ mutual_exclusion = [bool(self.domain_id or self.domain_name),
+ bool(self.project_id or self.project_name),
+ bool(self.trust_id)]
+
+ if sum(mutual_exclusion) > 1:
 raise exceptions.AuthorizationFailure('Authentication cannot be '
- 'scoped to both domain '
- 'and project.')
+ 'scoped to multiple '
+ 'targets. Pick one of: '
+ 'project, domain or trust')
 if self.domain_id:
 body['auth']['scope'] = {'domain': {'id': self.domain_id}}
@@ -93,10 +97,8 @@ class Auth(base.BaseIdentityPlugin):
 scope['project']['domain'] = {'id': self.project_domain_id}
 elif self.project_domain_name:
 scope['project']['domain'] = {'name': self.project_domain_name}
-
- if self.trust_id:
- scope = body['auth'].setdefault('scope', {})
- scope['OS-TRUST:trust'] = {'id': self.trust_id}
+ elif self.trust_id:
+ body['auth']['scope'] = {'OS-TRUST:trust': {'id': self.trust_id}}
 resp = session.post(url, json=body, headers=headers,
 authenticated=False)
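Review bot: The exclusivity rule added in the first hunk is enforced but not documented for callers: if the plugin's constructor documents `trust_id` (outside these hunks), its parameter description should state that a trust is mutually exclusive with `domain_id`/`domain_name` and `project_id`/`project_name`, so the new AuthorizationFailure is not a surprise. The check only counts those five attributes, so a `project_domain_id` or `project_domain_name` passed together with `trust_id` is silently ignored rather than rejected; whether that combination should also feed `mutual_exclusion` deserves a decision in this change. Minor: the old message ended with a period and the new one does not, `'project, domain or trust.'` would keep the style. The `elif self.trust_id:` in the second hunk hangs off the `if self.domain_id:` chain that begins in the first hunk, and the body of get_auth_ref continues outside both hunks.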
diff --git a/keystoneclient/tests/auth/test_identity_v3.py b/keystoneclient/tests/auth/test_identity_v3.py
index 974b228eb..12c08ed56 100644
--- a/keystoneclient/tests/auth/test_identity_v3.py
+++ b/keystoneclient/tests/auth/test_identity_v3.py
@@ -216,3 +216,16 @@ class V3IdentityPlugin(utils.TestCase):
 'scope': {'OS-TRUST:trust': {'id': 'trust'}}}}
 self.assertRequestBodyIs(json=req)
 self.assertEqual(s.auth.auth_ref.auth_token, self.TEST_TOKEN)
+
+ def test_with_multiple_scopes(self):
+ s = session.Session()
+
+ a = v3.Password(self.TEST_URL,
+ username=self.TEST_USER, password=self.TEST_PASS,
+ domain_id='x', project_id='x')
+ self.assertRaises(exceptions.AuthorizationFailure, a.get_auth_ref, s)
+
+ a = v3.Password(self.TEST_URL,
+ username=self.TEST_USER, password=self.TEST_PASS,
+ domain_id='x', trust_id='x')
+ self.assertRaises(exceptions.AuthorizationFailure, a.get_auth_ref, s)
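Review bot: `test_with_multiple_scopes` does not exercise the combination the commit message is about, project scope together with a trust, which is the case that used to be silently clobbered; only domain+project and domain+trust are asserted. Add a third plugin built with `project_id='x', trust_id='x'` and the same `self.assertRaises(exceptions.AuthorizationFailure, a.get_auth_ref, s)` so the trust/project entry of `mutual_exclusion` is covered, and consider a `domain_name`/`project_name` variant to confirm the name-based arguments count as well. Reusing the single `s` session across the checks is fine here, since the check raises before `session.post` is reached in the first hunk of v3.py.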