Correct test_v3_oauth1.test_bad_authorizing_roles_id

The `test_bad_authorizing_roles_id` was using .admin_request and not
actually hitting the routed controller method as .admin_request does
not prepend /v3 to the url returned from ._authoriz_request_token.

`test_bad_authorizing_roles_id` was therefore erroneously expecting a
404 response instead of a proper 401 indicating the user is not
authorized due to not having the expected role_id.

Due to the policy enforcement, it was required to generate a NEW role
to do the oauth1 workflow on, so that the user was still allowed to
interact with the controller method (which would also generate a 401,
but at the wrong phase of the data flow).

Change-Id: Ia36c2a4400c761ac78f065b332d7789ca5ce9a04
Morgan Fainberg 2018-06-01 19:05:57 -07:00
parent 90fa2757ca
commit 40f9086b6e
1 changed files with 17 additions and 4 deletions


@ -870,6 +870,16 @@ class MaliciousOAuth1Tests(OAuth1Tests):
consumer_secret = consumer['secret']
consumer = {'key': consumer_id, 'secret': consumer_secret}
# This new role is utilzied to ensure the user still has access to
# the project but is authorizing an incorrect role_id for the purposes
# of oauth1.
new_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
PROVIDERS.role_api.create_role(new_role['id'], new_role)
PROVIDERS.assignment_api.add_role_to_user_and_project(
user_id=self.user_id,
tenant_id=self.project_id,
role_id=new_role['id'])
url, headers = self._create_request_token(consumer, self.project_id)
content = self.post(
url, headers=headers,
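Review bot: the new comment block has a typo ("utilzied" should be "utilized"), and since the role created with `PROVIDERS.role_api.create_role(new_role['id'], new_role)` is assigned to the user and project purely for this test, it would help to state in the comment that the assignment is expected to be removed again before the authorization step (which the second hunk does), so a reader does not mistake the new role for one the user is meant to keep; if the test base class does not already clean up roles created this way, consider registering the role for removal as well.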
@ -878,11 +888,14 @@ class MaliciousOAuth1Tests(OAuth1Tests):
request_key = credentials['oauth_token'][0]
PROVIDERS.assignment_api.remove_role_from_user_and_project(
self.user_id, self.project_id, self.role_id)
self.user_id, self.project_id, new_role['id'])
url = self._authorize_request_token(request_key)
body = {'roles': [{'id': self.role_id}]}
self.admin_request(path=url, method='PUT',
body=body, expected_status=http_client.NOT_FOUND)
body = {'roles': [{'id': new_role['id']}]}
# NOTE(morgan): previous versions of this test erroneously checked for
# 404 because an unrouted URI was being hit. It is correct to get a 401
# error back as the role is not in the superset of roles the user
# has at the time of the Authorization.
self.put(path=url, body=body, expected_status=http_client.UNAUTHORIZED)
def test_bad_authorizing_roles_name(self):
consumer = self._create_single_consumer()