Do not fetch group assignments without groups
Without the change, the method fetched all assignments for a project
or domain, regardless of who has the assignment, user or group. This
led to situation when federated user without groups could scope a token
with other user's rules.
Return empty list of assignments if no groups were passed.
Closes-Bug: 1677723
Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
(cherry picked from commit 2139639eea
)
This commit is contained in:
parent
5eba745d96
commit
05a129e545
|
@ -165,6 +165,11 @@ class Manager(manager.Manager):
|
|||
|
||||
def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
|
||||
"""Get a list of roles for this group on domain and/or project."""
|
||||
# if no group ids were passed, there are no roles. Without this check,
|
||||
# all assignments for the project or domain will be fetched,
|
||||
# which is not what we want.
|
||||
if not group_ids:
|
||||
return []
|
||||
if project_id is not None:
|
||||
self.resource_api.get_project(project_id)
|
||||
assignment_list = self.list_role_assignments(
|
||||
|
|
|
@ -1776,6 +1776,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
|
||||
self.assertEqual(0, len(token_groups))
|
||||
|
||||
def test_issue_scoped_token_no_groups(self):
|
||||
"""Verify that token without groups cannot get scoped to project.
|
||||
|
||||
This test is required because of bug 1677723.
|
||||
"""
|
||||
# issue unscoped token with no groups
|
||||
r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
|
||||
self.assertIsNotNone(r.headers.get('X-Subject-Token'))
|
||||
token_resp = r.json_body
|
||||
token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
|
||||
self.assertEqual(0, len(token_groups))
|
||||
unscoped_token = r.headers.get('X-Subject-Token')
|
||||
|
||||
# let admin get roles in a project
|
||||
self.proj_employees
|
||||
admin = unit.new_user_ref(CONF.identity.default_domain_id)
|
||||
self.identity_api.create_user(admin)
|
||||
self.assignment_api.create_grant(self.role_admin['id'],
|
||||
user_id=admin['id'],
|
||||
project_id=self.proj_employees['id'])
|
||||
|
||||
# try to scope the token. It should fail
|
||||
scope = self._scope_request(
|
||||
unscoped_token, 'project', self.proj_employees['id']
|
||||
)
|
||||
self.v3_create_token(
|
||||
scope, expected_status=http_client.UNAUTHORIZED)
|
||||
|
||||
def test_issue_unscoped_token_malformed_environment(self):
|
||||
"""Test whether non string objects are filtered out.
|
||||
|
||||
|
|
Loading…
Reference in New Issue