-rw-r--r--keystone/tests/unit/test_v3_auth.py7
-rw-r--r--keystone/token/providers/common.py7
-rw-r--r--releasenotes/notes/bug-1778109-ea15ce6a8207f857.yaml8
3 files changed, 13 insertions, 9 deletions
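--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -44,7 +44,6 @@ from keystone.tests.common import auth as common_auth
 from keystone.tests import unit
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils as test_utils
 
 
 CONF = keystone.conf.CONF
@@ -3944,12 +3943,6 @@ class TrustAPIBehavior(test_v3.RestfulTestCase):
  role_id_set2 = set(r['id'] for r in trust2['roles'])
  self.assertThat(role_id_set1, matchers.GreaterThan(role_id_set2))
 
- @test_utils.wip(
- "Waiting on fix for duplicate role names in token data when trust has "
- "implied roles",
- expected_exception=matchers.MismatchError,
- bug="#1778109"
- )
  def test_trust_with_implied_roles(self):
  # Create some roles
  role1 = unit.new_role_ref()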
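--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@@ -372,6 +372,9 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
  refs = [{'role_id': role['id']} for role in trust['roles']]
  effective_trust_roles = (
  PROVIDERS.assignment_api.add_implied_roles(refs))
+ effective_trust_role_ids = (
+ set([r['role_id'] for r in effective_trust_roles])
+ )
  # Now get the current role assignments for the trustor,
  # including any domain specific roles.
  assignments = PROVIDERS.assignment_api.list_role_assignments(
@@ -384,10 +387,10 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
  # Go through each of the effective trust roles, making sure the
  # trustor still has them, if any have been removed, then we
  # will treat the trust as invalid
- for trust_role in effective_trust_roles:
+ for trust_role_id in effective_trust_role_ids:
 
  match_roles = [x for x in current_effective_trustor_roles
- if x == trust_role['role_id']]
+ if x == trust_role_id]
  if match_roles:
  role = PROVIDERS.role_api.get_role(match_roles[0])
  if role['domain_id'] is None: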
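Review bot: Looping over `effective_trust_role_ids` as a plain set makes the order in which trust roles are visited arbitrary, so if the loop body (which continues past this hunk) builds the token's role list, that list can come out in a different order from one process to the next. As far as the visible lines show, the de-duplication does not weaken the delegation check: each distinct role id is still compared against `current_effective_trustor_roles`. A deterministic form that also drops the intermediate list would be `effective_trust_role_ids = sorted({r['role_id'] for r in effective_trust_roles})`. Separately, `match_roles` now only serves as a membership test whose first element equals `trust_role_id`, so `if trust_role_id in current_effective_trustor_roles:` would read more directly.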
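--- /dev/null
+++ b/releasenotes/notes/bug-1778109-ea15ce6a8207f857.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ [`bug 1778109 <https://bugs.launchpad.net/keystone/+bug/1778109>`_]
+ Previously the token data for a trust-scoped token may have contained
+ duplicate roles, when implied roles were present. This is no longer the
+ case, for the sake of accuracy and to prevent the breaking of applications
+ which may consume this role list.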