Fix sample policy to allow user to revoke own token
The sample policy file wouldn't allow a user to revoke their own token. Partial-Bug: 1421825 Change-Id: Iaf9bcd4d083c91991d6bbd71c0e677123c5a86a2
This commit is contained in:
parent
d57e6e3d65
commit
ec31fb69ed
|
@ -4,6 +4,8 @@
|
|||
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||
"owner" : "user_id:%(user_id)s",
|
||||
"admin_or_owner": "rule:admin_required or rule:owner",
|
||||
"token_subject": "user_id:%(target.token.user_id)s",
|
||||
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
|
@ -90,7 +92,7 @@
|
|||
"identity:validate_token": "rule:service_or_admin",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revocation_list": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_owner",
|
||||
"identity:revoke_token": "rule:admin_or_token_subject",
|
||||
|
||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
||||
"identity:get_trust": "rule:admin_or_owner",
|
||||
|
|
|
@ -223,6 +223,9 @@ class PolicyJsonTestCase(tests.TestCase):
|
|||
cloud_policy_keys = self._load_entries(
|
||||
tests.dirs.etc('policy.v3cloudsample.json'))
|
||||
|
||||
diffs = set(policy_keys).difference(set(cloud_policy_keys))
|
||||
policy_extra_keys = ['admin_or_token_subject',
|
||||
'token_subject', ]
|
||||
expected_policy_keys = list(cloud_policy_keys) + policy_extra_keys
|
||||
diffs = set(policy_keys).difference(set(expected_policy_keys))
|
||||
|
||||
self.assertThat(diffs, matchers.Equals(set()))
|
||||
|
|
|
@ -526,23 +526,18 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
|
|||
# Given a non-admin user token, the token can be used to revoke
|
||||
# itself.
|
||||
# This is DELETE /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
|
||||
# FIXME(blk-u): This test fails, a user can't revoke the same token,
|
||||
# see bug 1421825.
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.just_a_user['id'],
|
||||
password=self.just_a_user['password'])
|
||||
token = self.get_requested_token(auth)
|
||||
|
||||
# FIXME(blk-u): remove expected_status=403
|
||||
self.delete('/auth/tokens', token=token,
|
||||
headers={'X-Subject-Token': token}, expected_status=403)
|
||||
headers={'X-Subject-Token': token})
|
||||
|
||||
def test_user_revoke_user_token(self):
|
||||
# A user can revoke one of their own tokens.
|
||||
# This is DELETE /v3/auth/tokens
|
||||
# FIXME(blk-u): This test fails, a user can't revoke the same token,
|
||||
# see bug 1421825.
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.just_a_user['id'],
|
||||
|
@ -550,9 +545,8 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
|
|||
token1 = self.get_requested_token(auth)
|
||||
token2 = self.get_requested_token(auth)
|
||||
|
||||
# FIXME(blk-u): remove expected_status=403
|
||||
self.delete('/auth/tokens', token=token1,
|
||||
headers={'X-Subject-Token': token2}, expected_status=403)
|
||||
headers={'X-Subject-Token': token2})
|
||||
|
||||
def test_user_revoke_other_user_token_rejected(self):
|
||||
# A user cannot revoke another user's token.
|
||||
|
|
Loading…
Reference in New Issue