Add test case for expanding implied roles in system tokens

This change is being backported because it provides a helper method in
the unit tests that another change relies on.

If a user has a role assignment on the system, which implies another
role assignment, the system-scoped token response should include
both role assignments.

This patch exposes a bug in the system-scoped token implementation
where implied roles aren't expanded out before returning the
token response to the user.

Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
Related-Bug: 1788694
(cherry picked from commit 6d7cfdb4ba)
(cherry picked from commit 1403a9645d)
Lance Bragstad 2018-08-24 13:56:37 +00:00 committed by Colleen Murphy
parent a131622de4
commit d57733f4e8
2 changed files with 49 additions and 0 deletions


@ -390,6 +390,32 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
})
return r.headers.get('X-Subject-Token')
def get_system_scoped_token(self):
"""Convenience method for requesting system scoped tokens."""
r = self.admin_request(
method='POST',
path='/v3/auth/tokens',
body={
'auth': {
'identity': {
'methods': ['password'],
'password': {
'user': {
'name': self.user['name'],
'password': self.user['password'],
'domain': {
'id': self.user['domain_id']
}
}
}
},
'scope': {
'system': {'all': True}
}
}
})
return r.headers.get('X-Subject-Token')
def get_domain_scoped_token(self):
"""Convenience method for requesting domain scoped token."""
r = self.admin_request(
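Review bot: get_system_scoped_token ends with `return r.headers.get('X-Subject-Token')`, so a request that comes back without a token header hands `None` to the caller instead of failing where authentication happens; whether `admin_request` already rejects a non-2xx response is not visible in this hunk. The helper that closes just above uses the same return, so this is consistent with the file, but the precondition deserves a line in the docstring, e.g. `"""Request a system-scoped token for self.user, who needs a system role assignment first."""` (the test added in this commit grants one before calling it). The password-identity body also appears to repeat what the sibling scoped-token helpers send, and could be built once in a shared private method. The get_domain_scoped_token body that follows continues outside the hunk.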


@ -44,6 +44,7 @@ from keystone.tests.common import auth as common_auth
from keystone.tests import unit
from keystone.tests.unit import ksfixtures
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
@ -1849,6 +1850,28 @@ class TokenAPITests(object):
self._create_implied_role_shows_in_v3_token(True)
@test_utils.wip(
"Skipped until system-scoped support expanding implied roles",
expected_exception=matchers._impl.MismatchError,
bug='#1788694'
)
def test_create_implied_role_shows_in_v3_system_token(self):
self.config_fixture.config(group='token', infer_roles=True)
PROVIDERS.assignment_api.create_system_grant_for_user(
self.user['id'], self.role['id']
)
token_id = self.get_system_scoped_token()
r = self.get('/auth/tokens', headers={'X-Subject-Token': token_id})
token_roles = r.result['token']['roles']
prior = token_roles[0]['id']
self._create_implied_role(prior)
r = self.get('/auth/tokens', headers={'X-Subject-Token': token_id})
token_roles = r.result['token']['roles']
self.assertEqual(2, len(token_roles))
def test_group_assigned_implied_role_shows_in_v3_token(self):
self.config_fixture.config(group='token', infer_roles=True)
is_domain = False
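Review bot: The `@test_utils.wip(...)` decorator on test_create_implied_role_shows_in_v3_system_token expects `matchers._impl.MismatchError`, which is broader than the one assertion it is meant to cover. If `self.get` checks responses with testtools assertions (not visible here), a mismatch from either token validation call would satisfy the decorator, and the test would be reported as an expected failure for reasons unrelated to bug 1788694. `_impl` is a private module, so if `matchers` is `testtools.matchers`, the public `matchers.MismatchError` is the safer reference. The closing `self.assertEqual(2, len(token_roles))` only counts entries, and since this test pins which roles a system-scoped token carries, it should also check identity, e.g. `self.assertIn(prior, [role['id'] for role in token_roles])`, plus the implied role's id if `_create_implied_role` returns it.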