Fix v2 token user ref with trust impersonation=True

The v2 token controller incorrectly checks for a string instead of a boolean, which results in the wrong user ID (trustee, when it should be the trustor) when impersonation=True. So fix the comparison and tests, adding a test which illustrates the issue. Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096 Closes-Bug: #1239303
2013-10-13 10:44:52 +01:00 · 2013-10-13 10:44:52 +01:00 · 4285b798a3
parent 71af37b6c3
commit 4285b798a3
2 changed files with 14 additions and 6 deletions
--- a/keystone/tests/test_auth.py
+++ b/keystone/tests/test_auth.py
@ -603,7 +603,7 @@ class AuthWithTrust(AuthTest):
        self.sample_data = {'trustor_user_id': self.trustor['id'],
                            'trustee_user_id': self.trustee['id'],
                            'project_id': self.tenant_bar['id'],
-                            'impersonation': 'True',
+                            'impersonation': True,
                            'roles': [{'id': self.role_browser['id']},
                                      {'name': self.role_member['name']}]}
        expires_at = timeutils.strtime(timeutils.utcnow() +
@ -611,7 +611,7 @@ class AuthWithTrust(AuthTest):
                                       fmt=TIME_FORMAT)
        self.create_trust(expires_at=expires_at)

-    def create_trust(self, expires_at=None, impersonation='True'):
+    def create_trust(self, expires_at=None, impersonation=True):
        username = self.trustor['name'],
        password = 'foo2'
        body_dict = _build_user_auth(username=username, password=password)
@ -676,13 +676,12 @@ class AuthWithTrust(AuthTest):
            self.assertIn(role['id'], role_ids)

    def test_create_trust_no_impersonation(self):
-        self.create_trust(expires_at=None, impersonation='False')
+        self.create_trust(expires_at=None, impersonation=False)
        self.assertEquals(self.new_trust['trustor_user_id'],
                          self.trustor['id'])
        self.assertEquals(self.new_trust['trustee_user_id'],
                          self.trustee['id'])
-        self.assertEquals(self.new_trust['impersonation'],
-                          'False')
+        self.assertIs(self.new_trust['impersonation'], False)
        auth_response = self.fetch_v2_token_from_trust()
        token_user = auth_response['access']['user']
        self.assertEquals(token_user['id'],
@ -690,6 +689,15 @@ class AuthWithTrust(AuthTest):

        # TODO(ayoung): Endpoints

+    def test_create_trust_impersonation(self):
+        self.create_trust(expires_at=None)
+        self.assertEqual(self.new_trust['trustor_user_id'], self.trustor['id'])
+        self.assertEqual(self.new_trust['trustee_user_id'], self.trustee['id'])
+        self.assertIs(self.new_trust['impersonation'], True)
+        auth_response = self.fetch_v2_token_from_trust()
+        token_user = auth_response['access']['user']
+        self.assertEqual(token_user['id'], self.new_trust['trustor_user_id'])
+
    def test_token_from_trust_wrong_user_fails(self):
        request_body = self.build_v2_token_request('FOO', 'foo2')
        self.assertRaises(
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@ -181,7 +181,7 @@ class Auth(controller.V2Controller):
                trust_ref['trustee_user_id'])
            if not trustee_user_ref['enabled']:
                raise exception.Forbidden()()
-            if trust_ref['impersonation'] == 'True':
+            if trust_ref['impersonation'] is True:
                current_user_ref = trustor_user_ref
            else:
                current_user_ref = trustee_user_ref