Correct test_v3_oauth1.test_bad_authorizing_roles_id
The `test_bad_authorizing_roles_id` test was using `.admin_request` and so was not actually hitting the routed controller method, because `.admin_request` does not prepend `/v3` to the URL returned from `._authorize_request_token`. `test_bad_authorizing_roles_id` was therefore erroneously expecting a 404 response instead of the proper 401 indicating that the user is not authorized because they do not hold the expected role_id. Due to policy enforcement, it was necessary to generate a NEW role to run the oauth1 workflow on, so that the user was still allowed to interact with the controller method (which would otherwise also produce a 401, but at the wrong phase of the data flow). Change-Id: Ia36c2a4400c761ac78f065b332d7789ca5ce9a04
parent
90fa2757ca
commit
40f9086b6e
|
@ -870,6 +870,16 @@ class MaliciousOAuth1Tests(OAuth1Tests):
|
|||
consumer_secret = consumer['secret']
|
||||
consumer = {'key': consumer_id, 'secret': consumer_secret}
|
||||
|
||||
# This new role is utilzied to ensure the user still has access to
|
||||
# the project but is authorizing an incorrect role_id for the purposes
|
||||
# of oauth1.
|
||||
new_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||
PROVIDERS.role_api.create_role(new_role['id'], new_role)
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user_id=self.user_id,
|
||||
tenant_id=self.project_id,
|
||||
role_id=new_role['id'])
|
||||
|
||||
url, headers = self._create_request_token(consumer, self.project_id)
|
||||
content = self.post(
|
||||
url, headers=headers,
|
||||
|
@ -878,11 +888,14 @@ class MaliciousOAuth1Tests(OAuth1Tests):
|
|||
request_key = credentials['oauth_token'][0]
|
||||
|
||||
PROVIDERS.assignment_api.remove_role_from_user_and_project(
|
||||
self.user_id, self.project_id, self.role_id)
|
||||
self.user_id, self.project_id, new_role['id'])
|
||||
url = self._authorize_request_token(request_key)
|
||||
body = {'roles': [{'id': self.role_id}]}
|
||||
self.admin_request(path=url, method='PUT',
|
||||
body=body, expected_status=http_client.NOT_FOUND)
|
||||
body = {'roles': [{'id': new_role['id']}]}
|
||||
# NOTE(morgan): previous versions of this test erroneously checked for
|
||||
# 404 because an unrouted URI was being hit. It is correct to get a 401
|
||||
# error back as the role is not in the superset of roles the user
|
||||
# has at the time of the Authorization.
|
||||
self.put(path=url, body=body, expected_status=http_client.UNAUTHORIZED)
|
||||
|
||||
def test_bad_authorizing_roles_name(self):
|
||||
consumer = self._create_single_consumer()
|
||||
|
|
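Review bot: The new assertion at `self.put(path=url, body=body, expected_status=http_client.UNAUTHORIZED)` pins only the status code, so the test still passes if the controller rejects the request after it has already marked the request token as authorized; if this class has a helper that exchanges a request token for an access token, a follow-up assertion that the exchange for `request_key` fails would prove the denial is not just a late 401. The comment introduced above `new_role` reads as if the new role is what keeps the user's project access, but the hunk then removes `new_role['id']` from the user before authorizing, while `self.role_id` is what keeps policy enforcement satisfied; consider `# The user keeps self.role_id so policy still admits the request; new_role is removed before authorization so it is the role the user no longer holds.` (and "utilzied" is misspelled). The enclosing `test_bad_authorizing_roles_id` begins before the first hunk, so its setup is not visible here.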