authorBoris Bobrov <breton@cynicmansion.ru>2017-04-25 14:20:36 +0000
committerLance Bragstad <lbragstad@gmail.com>2017-04-25 14:22:47 +0000
commit05a129e54573b6cbda1ec095f4526f2b9ba90a90 (patch)
tree312c26408b5d91449d0b11bda0a191de844379a5
parent5eba745d962412d0589da78a7e2c87d2cb0626d6 (diff)
Do not fetch group assignments without groups10.0.2
Without the change, the method fetched all assignments for a project or domain, regardless of who held the assignment, user or group. This led to a situation in which a federated user without groups could scope a token using other users' role assignments. Return an empty list of assignments if no groups were passed. Closes-Bug: 1677723 Change-Id: I65f5be915bef2f979e70b043bde27064e970349d (cherry picked from commit 2139639eeabc8f6941f4461fc87d609cde3118c2)
Notes
Notes (review): Code-Review+2: Steve Martinelli <s.martinelli@gmail.com> Code-Review+1: Samuel de Medeiros Queiroz <samueldmq@gmail.com> Code-Review+1: David Stanek <dstanek@dstanek.com> Code-Review+1: Lance Bragstad <lbragstad@gmail.com> Code-Review+2: Morgan Fainberg <morgan.fainberg@gmail.com> Workflow+1: Morgan Fainberg <morgan.fainberg@gmail.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Tue, 25 Apr 2017 18:17:48 +0000 Reviewed-on: https://review.openstack.org/459713 Project: openstack/keystone Branch: refs/heads/stable/newton
-rw-r--r--keystone/assignment/core.py5
-rw-r--r--keystone/tests/unit/test_v3_federation.py28
2 files changed, 33 insertions, 0 deletions
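--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -165,6 +165,11 @@ class Manager(manager.Manager):
 
     def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
         """Get a list of roles for this group on domain and/or project."""
+        # if no group ids were passed, there are no roles. Without this check,
+        # all assignments for the project or domain will be fetched,
+        # which is not what we want.
+        if not group_ids:
+            return []
         if project_id is not None:
             self.resource_api.get_project(project_id)
         assignment_list = self.list_role_assignments(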
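Review bot: The new early return sits before `self.resource_api.get_project(project_id)`, so a call with no groups and a non-existent project_id now returns `[]` instead of raising whatever the lookup raised before; if any caller relied on that validation, the guard should be placed after the project/domain checks rather than before them. The docstring on the line above the guard should also record the new contract, e.g. `"""Get a list of roles for this group on domain and/or project. Returns an empty list when group_ids is empty or None, so that assignments of unrelated users are never fetched."""`. The condition is falsiness-based, which correctly covers both `None` and `[]` — presumably the intended inputs given the federation path described in the commit. The body of get_roles_for_groups continues past the end of the hunk.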
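--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@@ -1776,6 +1776,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
         token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
         self.assertEqual(0, len(token_groups))
 
+    def test_issue_scoped_token_no_groups(self):
+        """Verify that token without groups cannot get scoped to project.
+
+        This test is required because of bug 1677723.
+        """
+        # issue unscoped token with no groups
+        r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
+        self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+        token_resp = r.json_body
+        token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
+        self.assertEqual(0, len(token_groups))
+        unscoped_token = r.headers.get('X-Subject-Token')
+
+        # let admin get roles in a project
+        self.proj_employees
+        admin = unit.new_user_ref(CONF.identity.default_domain_id)
+        self.identity_api.create_user(admin)
+        self.assignment_api.create_grant(self.role_admin['id'],
+                                         user_id=admin['id'],
+                                         project_id=self.proj_employees['id'])
+
+        # try to scope the token. It should fail
+        scope = self._scope_request(
+            unscoped_token, 'project', self.proj_employees['id']
+        )
+        self.v3_create_token(
+            scope, expected_status=http_client.UNAUTHORIZED)
+
     def test_issue_unscoped_token_malformed_environment(self):
         """Test whether non string objects are filtered out.
 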
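Review bot: The bare expression statement `self.proj_employees` on the line after the "let admin get roles in a project" comment has no visible effect; unless that attribute is a property with side effects (not visible here), it reads as a leftover and should either be removed or carry a comment saying why it is evaluated, e.g. `self.proj_employees  # ensure the project fixture exists before granting on it`. The test pins only the UNAUTHORIZED status of the scope request; a companion assertion that the same unscoped token can still be used (or that a groupless user is the only one rejected) would make a regression in the new guard easier to distinguish from an unrelated auth failure, but that may already be covered by the neighbouring tests. The added test method is complete within the hunk; the enclosing class continues outside it.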