Expose a bug when authenticating for a trust-scoped token

The test added here should pass with a 400 Bad Request, but keystone doesn't validate the OS-TRUST:trust key of the authentication request is actually a dictionary. As a result, it assumes it is a dictionary and attempts to use dictionary methods on. This results in a 500 Internal Server Error when it should really be a 400 Bad Request. A subsequent patch can fix this by enhancing the jsonschema definition for token authentication. Change-Id: I9ea118945870f27dd73000b45673d966ea05ca53 Partial-Bug: #1733754
2017-11-22 18:46:29 +00:00 · 2017-11-22 18:46:29 +00:00 · cf43e3a756
parent 70fe4ec09b
commit cf43e3a756
1 changed files with 30 additions and 0 deletions
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@ -43,6 +43,7 @@ from keystone.tests.common import auth as common_auth
 from keystone.tests import unit
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit import test_v3
+from keystone.tests.unit import utils as test_utils


 CONF = keystone.conf.CONF
@ -3965,6 +3966,35 @@ class TrustAPIBehavior(test_v3.RestfulTestCase):
        r = self.v3_create_token(auth_data)
        return trust

+    @test_utils.wip('Waiting on validation to be added from fixing bug '
+                    '1733754')
+    def test_authenticate_without_trust_dict_returns_bad_request(self):
+        # Authenticate for a token to use in the request
+        token = self.v3_create_token(
+            self.build_authentication_request(
+                user_id=self.trustee_user['id'],
+                password=self.trustee_user['password']
+            )
+        ).headers.get('X-Subject-Token')
+
+        auth_data = {
+            'auth': {
+                'identity': {
+                    'methods': ['token'],
+                    'token': {'id': token}
+                },
+                # We don't need a trust to execute this test, the
+                # OS-TRUST:trust key of the request body just has to be a
+                # string instead of a dictionary in order to throw a 500 when
+                # it should a 400 Bad Request.
+                'scope': {'OS-TRUST:trust': ''}
+            }
+        }
+        self.admin_request(
+            method='POST', path='/v3/auth/tokens', body=auth_data,
+            expected_status=http_client.BAD_REQUEST
+        )
+
    def test_consume_trust_once(self):
        trust = self._initialize_test_consume_trust(2)
        # check decremented value