Maintain tokens after role assignments (bug 1170186)
Conflicts:
tests/test_content_types.py
Change-Id: Iacd2d9e09be4ab3d6a3c5acf4074e4af7e300602
(cherry picked from commit 132ff6d85e)
This commit is contained in:
parent
27a5b42dbb
commit
f60f742a78
|
@ -305,7 +305,6 @@ class Role(controller.V2Controller):
|
|||
|
||||
self.identity_api.add_role_to_user_and_project(
|
||||
context, user_id, tenant_id, role_id)
|
||||
self._delete_tokens_for_user(context, user_id)
|
||||
|
||||
role_ref = self.identity_api.get_role(context, role_id)
|
||||
return {'role': role_ref}
|
||||
|
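Review bot: Nothing at the `add_role_to_user_and_project` call site now records that existing tokens are intentionally kept once the role is added, and the same applies to the create_grant hunk at `@@ -803,14 +802,6 @@`, where the three-line comment that explained the old revocation was deleted together with the user/group branches. A short comment at each call site would keep the policy visible, e.g. `# Adding a role widens privileges rather than narrowing them, so existing tokens are deliberately left valid; revocation happens only when a grant is removed.` Presumably tokens issued before the assignment will not reflect the new role until they are re-issued; if that is the intended contract it is worth stating in the same comment. Both methods begin before their hunks, so the rest of each body is outside view.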
@ -803,14 +802,6 @@ class RoleV3(controller.V3Controller):
|
|||
self.identity_api.create_grant(
|
||||
context, role_id, user_id, group_id, domain_id, project_id)
|
||||
|
||||
# So that existing tokens don't stop the use of this grant
|
||||
# delete any tokens for this user or, in the case of a group,
|
||||
# tokens from all the uses who are members of this group.
|
||||
if user_id:
|
||||
self._delete_tokens_for_user(context, user_id)
|
||||
else:
|
||||
self._delete_tokens_for_group(context, group_id)
|
||||
|
||||
@controller.protected
|
||||
def list_grants(self, context, user_id=None, group_id=None,
|
||||
domain_id=None, project_id=None):
|
||||
|
|
|
@ -232,22 +232,36 @@ class RestfulTestCase(test.TestCase):
|
|||
self.assertValidResponseHeaders(response)
|
||||
return response
|
||||
|
||||
def get_scoped_token(self):
|
||||
def _get_token(self, body):
|
||||
"""Convenience method so that we can test authenticated requests."""
|
||||
r = self.public_request(
|
||||
method='POST',
|
||||
path='/v2.0/tokens',
|
||||
body={
|
||||
'auth': {
|
||||
'passwordCredentials': {
|
||||
'username': self.user_foo['name'],
|
||||
'password': self.user_foo['password'],
|
||||
},
|
||||
'tenantId': self.tenant_bar['id'],
|
||||
},
|
||||
})
|
||||
r = self.public_request(method='POST', path='/v2.0/tokens', body=body)
|
||||
return self._get_token_id(r)
|
||||
|
||||
def get_unscoped_token(self):
|
||||
"""Convenience method so that we can test authenticated requests."""
|
||||
return self._get_token({
|
||||
'auth': {
|
||||
'passwordCredentials': {
|
||||
'username': self.user_foo['name'],
|
||||
'password': self.user_foo['password'],
|
||||
},
|
||||
},
|
||||
})
|
||||
|
||||
def get_scoped_token(self, tenant_id=None):
|
||||
"""Convenience method so that we can test authenticated requests."""
|
||||
if not tenant_id:
|
||||
tenant_id = self.tenant_bar['id']
|
||||
return self._get_token({
|
||||
'auth': {
|
||||
'passwordCredentials': {
|
||||
'username': self.user_foo['name'],
|
||||
'password': self.user_foo['password'],
|
||||
},
|
||||
'tenantId': tenant_id,
|
||||
},
|
||||
})
|
||||
|
||||
def _get_token_id(self, r):
|
||||
"""Helper method to return a token ID from a response.
|
||||
|
||||
|
|
|
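Review bot: `if not tenant_id:` in the new get_scoped_token substitutes tenant_bar for any falsy value, so a caller cannot pass an empty tenant id to exercise an invalid-tenant path; `if tenant_id is None:` restricts the default to the omitted-argument case. `_get_token` also keeps the old "Convenience method so that we can test authenticated requests." docstring verbatim, which now appears on three methods and says nothing about `body`; a one-liner such as `"""POST *body* to /v2.0/tokens and return the resulting token ID."""` would tell them apart. The enclosing RestfulTestCase continues outside the hunk.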
@ -491,6 +491,48 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
|
|||
group_id=self.group1['id'],
|
||||
project_id=self.projectA['id'])
|
||||
|
||||
def test_unscoped_token_remains_valid_after_role_assignment(self):
|
||||
r = self.post(
|
||||
'/auth/tokens',
|
||||
body=self.build_authentication_request(
|
||||
user_id=self.user1['id'],
|
||||
password=self.user1['password']))
|
||||
unscoped_token = r.getheader('X-Subject-Token')
|
||||
|
||||
r = self.post(
|
||||
'/auth/tokens',
|
||||
body=self.build_authentication_request(
|
||||
token=unscoped_token,
|
||||
project_id=self.projectA['id']))
|
||||
scoped_token = r.getheader('X-Subject-Token')
|
||||
|
||||
# confirm both tokens are valid
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': unscoped_token},
|
||||
expected_status=204)
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': scoped_token},
|
||||
expected_status=204)
|
||||
|
||||
# create a new role
|
||||
role = self.new_role_ref()
|
||||
self.identity_api.create_role(role['id'], role)
|
||||
|
||||
# assign a new role
|
||||
self.put(
|
||||
'/projects/%(project_id)s/users/%(user_id)s/roles/%(role_id)s' % {
|
||||
'project_id': self.projectA['id'],
|
||||
'user_id': self.user1['id'],
|
||||
'role_id': role['id']})
|
||||
|
||||
# both tokens should remain valid
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': unscoped_token},
|
||||
expected_status=204)
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': scoped_token},
|
||||
expected_status=204)
|
||||
|
||||
def test_deleting_user_grant_revokes_token(self):
|
||||
"""Test deleting a user grant revokes token.
|
||||
|
||||
|
@ -522,13 +564,13 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
|
|||
headers={'X-Subject-Token': token},
|
||||
expected_status=401)
|
||||
|
||||
def test_creating_user_grant_revokes_token(self):
|
||||
"""Test creating a user grant revokes token.
|
||||
def test_domain_user_role_assignment_maintains_token(self):
|
||||
"""Test user-domain role assignment maintains existing token.
|
||||
|
||||
Test Plan:
|
||||
- Get a token for user1, scoped to ProjectA
|
||||
- Create a grant for user1 on DomainB
|
||||
- Check token is no longer valid
|
||||
- Check token is still valid
|
||||
|
||||
"""
|
||||
auth_data = self.build_authentication_request(
|
||||
|
@ -541,7 +583,7 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
|
|||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': token},
|
||||
expected_status=204)
|
||||
# Delete the grant, which should invalidate the token
|
||||
# Assign a role, which should not affect the token
|
||||
grant_url = (
|
||||
'/domains/%(domain_id)s/users/%(user_id)s/'
|
||||
'roles/%(role_id)s' % {
|
||||
|
@ -551,7 +593,7 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
|
|||
self.put(grant_url)
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': token},
|
||||
expected_status=401)
|
||||
expected_status=204)
|
||||
|
||||
def test_deleting_group_grant_revokes_tokens(self):
|
||||
"""Test deleting a group grant revokes tokens.
|
||||
|
@ -614,13 +656,13 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
|
|||
headers={'X-Subject-Token': token3},
|
||||
expected_status=204)
|
||||
|
||||
def test_creating_group_grant_revokes_token(self):
|
||||
"""Test creating a group grant revokes token.
|
||||
def test_domain_group_role_assignment_maintains_token(self):
|
||||
"""Test domain-group role assignment maintains existing token.
|
||||
|
||||
Test Plan:
|
||||
- Get a token for user1, scoped to ProjectA
|
||||
- Create a grant for group1 on DomainB
|
||||
- Check token is no longer valid
|
||||
- Check token is still longer valid
|
||||
|
||||
"""
|
||||
auth_data = self.build_authentication_request(
|
||||
|
@ -643,7 +685,7 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
|
|||
self.put(grant_url)
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': token},
|
||||
expected_status=401)
|
||||
expected_status=204)
|
||||
|
||||
def test_group_membership_changes_revokes_token(self):
|
||||
"""Test add/removal to/from group revokes token.
|
||||
|
|
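Review bot: The updated Test Plan in test_domain_group_role_assignment_maintains_token (hunk `@@ -614,13 +656,13 @@`) reads `- Check token is still longer valid`, a leftover from the old "no longer valid" wording; it should read `- Check token is still valid`, matching the user variant earlier in the section. The new test_unscoped_token_remains_valid_after_role_assignment in the first hunk has no docstring while its siblings carry a Test Plan; a docstring listing its steps (authenticate unscoped, rescope to projectA, create and assign a new role, re-validate both tokens) would keep the file consistent. That test also asserts only that both tokens still validate (HEAD with expected_status=204); if the intended contract is that a pre-existing scoped token keeps its original role set, a GET on the scoped token comparing its roles before and after the assignment would pin that down, though these lines do not show whether the token body exposes roles. Each test is cut at its hunk edge, so the remainder is outside view.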