Fix sample policy to allow user to revoke own token

The sample policy file wouldn't allow a user to revoke their own token. Partial-Bug: 1421825 Change-Id: Iaf9bcd4d083c91991d6bbd71c0e677123c5a86a2
2015-03-16 14:47:26 -05:00 · 2015-03-16 14:47:26 -05:00 · ec31fb69ed
parent d57e6e3d65
commit ec31fb69ed
3 changed files with 9 additions and 10 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -4,6 +4,8 @@
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
+    "token_subject": "user_id:%(target.token.user_id)s",
+    "admin_or_token_subject": "rule:admin_required or rule:token_subject",

    "default": "rule:admin_required",

@ -90,7 +92,7 @@
    "identity:validate_token": "rule:service_or_admin",
    "identity:validate_token_head": "rule:service_or_admin",
    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_owner",
+    "identity:revoke_token": "rule:admin_or_token_subject",

    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:get_trust": "rule:admin_or_owner",
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@ -223,6 +223,9 @@ class PolicyJsonTestCase(tests.TestCase):
        cloud_policy_keys = self._load_entries(
            tests.dirs.etc('policy.v3cloudsample.json'))

-        diffs = set(policy_keys).difference(set(cloud_policy_keys))
+        policy_extra_keys = ['admin_or_token_subject',
+                             'token_subject', ]
+        expected_policy_keys = list(cloud_policy_keys) + policy_extra_keys
+        diffs = set(policy_keys).difference(set(expected_policy_keys))

        self.assertThat(diffs, matchers.Equals(set()))
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@ -526,23 +526,18 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
        # Given a non-admin user token, the token can be used to revoke
        # itself.
        # This is DELETE /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
-        # FIXME(blk-u): This test fails, a user can't revoke the same token,
-        # see bug 1421825.

        auth = self.build_authentication_request(
            user_id=self.just_a_user['id'],
            password=self.just_a_user['password'])
        token = self.get_requested_token(auth)

-        # FIXME(blk-u): remove expected_status=403
        self.delete('/auth/tokens', token=token,
-                    headers={'X-Subject-Token': token}, expected_status=403)
+                    headers={'X-Subject-Token': token})

    def test_user_revoke_user_token(self):
        # A user can revoke one of their own tokens.
        # This is DELETE /v3/auth/tokens
-        # FIXME(blk-u): This test fails, a user can't revoke the same token,
-        # see bug 1421825.

        auth = self.build_authentication_request(
            user_id=self.just_a_user['id'],
@ -550,9 +545,8 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
        token1 = self.get_requested_token(auth)
        token2 = self.get_requested_token(auth)

-        # FIXME(blk-u): remove expected_status=403
        self.delete('/auth/tokens', token=token1,
-                    headers={'X-Subject-Token': token2}, expected_status=403)
+                    headers={'X-Subject-Token': token2})

    def test_user_revoke_other_user_token_rejected(self):
        # A user cannot revoke another user's token.