Merge "Enforce scope mutual exclusion for trusts"

Jenkins
2014-03-25 02:19:20 +00:00
committed by Gerrit Code Review
2 changed files with 23 additions and 8 deletions


@@ -77,11 +77,15 @@ class Auth(base.BaseIdentityPlugin):
raise exceptions.AuthorizationFailure('Authentication method ' raise exceptions.AuthorizationFailure('Authentication method '
'required (e.g. password)') 'required (e.g. password)')
if ((self.domain_id or self.domain_name) and mutual_exclusion = [bool(self.domain_id or self.domain_name),
(self.project_id or self.project_name)): bool(self.project_id or self.project_name),
bool(self.trust_id)]
if sum(mutual_exclusion) > 1:
raise exceptions.AuthorizationFailure('Authentication cannot be ' raise exceptions.AuthorizationFailure('Authentication cannot be '
'scoped to both domain ' 'scoped to multiple '
'and project.') 'targets. Pick one of: '
'project, domain or trust')
if self.domain_id: if self.domain_id:
body['auth']['scope'] = {'domain': {'id': self.domain_id}} body['auth']['scope'] = {'domain': {'id': self.domain_id}}
@@ -97,10 +101,8 @@ class Auth(base.BaseIdentityPlugin):
scope['project']['domain'] = {'id': self.project_domain_id} scope['project']['domain'] = {'id': self.project_domain_id}
elif self.project_domain_name: elif self.project_domain_name:
scope['project']['domain'] = {'name': self.project_domain_name} scope['project']['domain'] = {'name': self.project_domain_name}
elif self.trust_id:
if self.trust_id: body['auth']['scope'] = {'OS-TRUST:trust': {'id': self.trust_id}}
scope = body['auth'].setdefault('scope', {})
scope['OS-TRUST:trust'] = {'id': self.trust_id}
resp = session.post(self.token_url, json=body, headers=headers, resp = session.post(self.token_url, json=body, headers=headers,
authenticated=False) authenticated=False)
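Review bot: The new `elif self.trust_id:` branch is only correct because the `sum(mutual_exclusion) > 1` guard has already rejected mixed scopes, and nothing in the code says so. Without the guard, the if/elif order would silently pick the domain or project scope and drop the trust, so the request would carry a different authorization scope than the caller asked for. I would add a comment above the list, e.g. `# A token is scoped to exactly one of domain, project or trust; fail here instead of letting the elif order below choose.` The check also treats `domain_id` plus `domain_name` (and the project pair) as one target, so the id still wins silently when both are given; that appears to be intended but is worth stating in the same comment. The enclosing method starts and ends outside these hunks.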


@@ -219,3 +219,16 @@ class V3IdentityPlugin(utils.TestCase):
'scope': {'OS-TRUST:trust': {'id': 'trust'}}}} 'scope': {'OS-TRUST:trust': {'id': 'trust'}}}}
self.assertRequestBodyIs(json=req) self.assertRequestBodyIs(json=req)
self.assertEqual(s.auth.auth_ref.auth_token, self.TEST_TOKEN) self.assertEqual(s.auth.auth_ref.auth_token, self.TEST_TOKEN)
def test_with_multiple_scopes(self):
s = session.Session()
a = v3.Password(self.TEST_URL,
username=self.TEST_USER, password=self.TEST_PASS,
domain_id='x', project_id='x')
self.assertRaises(exceptions.AuthorizationFailure, a.get_auth_ref, s)
a = v3.Password(self.TEST_URL,
username=self.TEST_USER, password=self.TEST_PASS,
domain_id='x', trust_id='x')
self.assertRaises(exceptions.AuthorizationFailure, a.get_auth_ref, s)
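Review bot: `test_with_multiple_scopes` checks domain+project and domain+trust but never project+trust. That is the one pair the removed `scope = body['auth'].setdefault('scope', {})` code in the plugin used to merge into a single request body, so it is the pair this change actually affects. A third case would pin it: `a = v3.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS, project_id='x', trust_id='x')` followed by the same `self.assertRaises(exceptions.AuthorizationFailure, a.get_auth_ref, s)`. A case that sets all three would also confirm the guard does not depend on which pair is present.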