Add test case for expanding implied roles in system tokens
This change is being backported because it provides a helper method in the unit tests that another change relies on. If a user has a role assignment on the system, which implies another role assignment, the system-scoped token response should include both role assignments. This patch exposes a bug in the system-scoped token implementation where implied roles aren't expanded out before returning the token response to the user.
Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
Related-Bug: 1788694
(cherry picked from commit 6d7cfdb4ba)
(cherry picked from commit 1403a9645d)
parent
a131622de4
commit
d57733f4e8
|
@ -390,6 +390,32 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
|
|||
})
|
||||
return r.headers.get('X-Subject-Token')
|
||||
|
||||
def get_system_scoped_token(self):
|
||||
"""Convenience method for requesting system scoped tokens."""
|
||||
r = self.admin_request(
|
||||
method='POST',
|
||||
path='/v3/auth/tokens',
|
||||
body={
|
||||
'auth': {
|
||||
'identity': {
|
||||
'methods': ['password'],
|
||||
'password': {
|
||||
'user': {
|
||||
'name': self.user['name'],
|
||||
'password': self.user['password'],
|
||||
'domain': {
|
||||
'id': self.user['domain_id']
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
'scope': {
|
||||
'system': {'all': True}
|
||||
}
|
||||
}
|
||||
})
|
||||
return r.headers.get('X-Subject-Token')
|
||||
|
||||
def get_domain_scoped_token(self):
|
||||
"""Convenience method for requesting domain scoped token."""
|
||||
r = self.admin_request(
|
||||
|
|
|
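Review bot: `get_system_scoped_token` ends with `return r.headers.get('X-Subject-Token')`, which returns `None` when the header is missing, so a rejected system-scope request would only surface later as an unrelated-looking failure in the caller, unless `admin_request` already asserts on the response status, which is not visible in this hunk. The one-line docstring could also state the precondition the new test relies on, for example `"""Request a system-scoped token for self.user via password auth; the user must already hold a system role assignment."""`. The request body appears to repeat the neighbouring token helpers with only the `scope` value changed, so a shared private builder that takes the scope dict would keep the variants from drifting apart. The enclosing class and `get_domain_scoped_token` both continue outside the hunk.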
@ -44,6 +44,7 @@ from keystone.tests.common import auth as common_auth
|
|||
from keystone.tests import unit
|
||||
from keystone.tests.unit import ksfixtures
|
||||
from keystone.tests.unit import test_v3
|
||||
from keystone.tests.unit import utils as test_utils
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
|
@ -1849,6 +1850,28 @@ class TokenAPITests(object):
|
|||
|
||||
self._create_implied_role_shows_in_v3_token(True)
|
||||
|
||||
@test_utils.wip(
|
||||
"Skipped until system-scoped support expanding implied roles",
|
||||
expected_exception=matchers._impl.MismatchError,
|
||||
bug='#1788694'
|
||||
)
|
||||
def test_create_implied_role_shows_in_v3_system_token(self):
|
||||
self.config_fixture.config(group='token', infer_roles=True)
|
||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||
self.user['id'], self.role['id']
|
||||
)
|
||||
|
||||
token_id = self.get_system_scoped_token()
|
||||
r = self.get('/auth/tokens', headers={'X-Subject-Token': token_id})
|
||||
token_roles = r.result['token']['roles']
|
||||
|
||||
prior = token_roles[0]['id']
|
||||
self._create_implied_role(prior)
|
||||
|
||||
r = self.get('/auth/tokens', headers={'X-Subject-Token': token_id})
|
||||
token_roles = r.result['token']['roles']
|
||||
self.assertEqual(2, len(token_roles))
|
||||
|
||||
def test_group_assigned_implied_role_shows_in_v3_token(self):
|
||||
self.config_fixture.config(group='token', infer_roles=True)
|
||||
is_domain = False
|
||||
|
|
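Review bot: The final check in `test_create_implied_role_shows_in_v3_system_token`, `self.assertEqual(2, len(token_roles))`, only counts roles, so once bug 1788694 is fixed it would pass for any two roles rather than for the assigned role plus the implied one. Since the role list in a token drives authorization, it is worth also asserting on the ids, e.g. `self.assertIn(prior, [role['id'] for role in token_roles])`, and checking the implied role's id if `_create_implied_role` exposes it (its return value is not visible here). The decorator's `expected_exception=matchers._impl.MismatchError` reaches into a private module, and `wip` will presumably accept any `MismatchError` raised in the test, so a short comment naming the final assertion as the one expected to fail would help whoever removes the decorator. The import hunk adds only `test_utils`; `matchers` and `PROVIDERS` need to be in scope already in this file, which cannot be confirmed from the lines shown.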