Merge "Enforce scope mutual exclusion for trusts"

2014-03-25 02:19:20 +00:00
parent 82c1ec707b d4892017f4
commit efdeb82e91
2 changed files with 23 additions and 8 deletions
--- a/keystoneclient/auth/identity/v3.py
+++ b/keystoneclient/auth/identity/v3.py
@@ -77,11 +77,15 @@ class Auth(base.BaseIdentityPlugin):
            raise exceptions.AuthorizationFailure('Authentication method '
                                                  'required (e.g. password)')

-        if ((self.domain_id or self.domain_name) and
-                (self.project_id or self.project_name)):
+        mutual_exclusion = [bool(self.domain_id or self.domain_name),
+                            bool(self.project_id or self.project_name),
+                            bool(self.trust_id)]
+
+        if sum(mutual_exclusion) > 1:
            raise exceptions.AuthorizationFailure('Authentication cannot be '
-                                                  'scoped to both domain '
-                                                  'and project.')
+                                                  'scoped to multiple '
+                                                  'targets. Pick one of: '
+                                                  'project, domain or trust')

        if self.domain_id:
            body['auth']['scope'] = {'domain': {'id': self.domain_id}}
@@ -97,10 +101,8 @@ class Auth(base.BaseIdentityPlugin):
                scope['project']['domain'] = {'id': self.project_domain_id}
            elif self.project_domain_name:
                scope['project']['domain'] = {'name': self.project_domain_name}
-
-        if self.trust_id:
-            scope = body['auth'].setdefault('scope', {})
-            scope['OS-TRUST:trust'] = {'id': self.trust_id}
+        elif self.trust_id:
+            body['auth']['scope'] = {'OS-TRUST:trust': {'id': self.trust_id}}

        resp = session.post(self.token_url, json=body, headers=headers,
                            authenticated=False)
--- a/keystoneclient/tests/auth/test_identity_v3.py
+++ b/keystoneclient/tests/auth/test_identity_v3.py
@@ -219,3 +219,16 @@ class V3IdentityPlugin(utils.TestCase):
               'scope': {'OS-TRUST:trust': {'id': 'trust'}}}}
        self.assertRequestBodyIs(json=req)
        self.assertEqual(s.auth.auth_ref.auth_token, self.TEST_TOKEN)
+
+    def test_with_multiple_scopes(self):
+        s = session.Session()
+
+        a = v3.Password(self.TEST_URL,
+                        username=self.TEST_USER, password=self.TEST_PASS,
+                        domain_id='x', project_id='x')
+        self.assertRaises(exceptions.AuthorizationFailure, a.get_auth_ref, s)
+
+        a = v3.Password(self.TEST_URL,
+                        username=self.TEST_USER, password=self.TEST_PASS,
+                        domain_id='x', trust_id='x')
+        self.assertRaises(exceptions.AuthorizationFailure, a.get_auth_ref, s)