Add test case for expanding implied roles in system tokens
If a user has a role assignment on the system, which implies another role assignment, the system-scoped token response should include both role assignments. This patch exposes a bug in the system-scoped token implementation where implied roles aren't expanded out before returning the token response to the user. Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e Related-Bug: 1788694
parent
8543dbbc2c
commit
6d7cfdb4ba
|
@ -392,6 +392,32 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
|
||||||
})
|
})
|
||||||
return r.headers.get('X-Subject-Token')
|
return r.headers.get('X-Subject-Token')
|
||||||
|
|
||||||
|
def get_system_scoped_token(self):
|
||||||
|
"""Convenience method for requesting system scoped tokens."""
|
||||||
|
r = self.admin_request(
|
||||||
|
method='POST',
|
||||||
|
path='/v3/auth/tokens',
|
||||||
|
body={
|
||||||
|
'auth': {
|
||||||
|
'identity': {
|
||||||
|
'methods': ['password'],
|
||||||
|
'password': {
|
||||||
|
'user': {
|
||||||
|
'name': self.user['name'],
|
||||||
|
'password': self.user['password'],
|
||||||
|
'domain': {
|
||||||
|
'id': self.user['domain_id']
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
'scope': {
|
||||||
|
'system': {'all': True}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
})
|
||||||
|
return r.headers.get('X-Subject-Token')
|
||||||
|
|
||||||
def get_domain_scoped_token(self):
|
def get_domain_scoped_token(self):
|
||||||
"""Convenience method for requesting domain scoped token."""
|
"""Convenience method for requesting domain scoped token."""
|
||||||
r = self.admin_request(
|
r = self.admin_request(
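Review bot: The docstring on `get_system_scoped_token` does not state the precondition the helper depends on: it authenticates as `self.user` by password and requests `'system': {'all': True}`, so it can only return a token when the caller has already given that user a system role assignment (the new test in this commit creates a system grant first). I would extend it to something like `"""Request a system-scoped token for self.user; the user must already hold a system role assignment."""`. The return uses `r.headers.get('X-Subject-Token')`, which gives `None` instead of failing when the header is absent; `r.headers['X-Subject-Token']` would fail at the helper rather than in a later request, though the context line above suggests the existing helpers share the `.get` pattern. The enclosing class starts and ends outside the hunk.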
|
||||||
|
|
|
@ -45,6 +45,7 @@ from keystone.tests.common import auth as common_auth
|
||||||
from keystone.tests import unit
|
from keystone.tests import unit
|
||||||
from keystone.tests.unit import ksfixtures
|
from keystone.tests.unit import ksfixtures
|
||||||
from keystone.tests.unit import test_v3
|
from keystone.tests.unit import test_v3
|
||||||
|
from keystone.tests.unit import utils as test_utils
|
||||||
|
|
||||||
|
|
||||||
CONF = keystone.conf.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
@ -1859,6 +1860,28 @@ class TokenAPITests(object):
|
||||||
|
|
||||||
self._create_implied_role_shows_in_v3_token(True)
|
self._create_implied_role_shows_in_v3_token(True)
|
||||||
|
|
||||||
|
@test_utils.wip(
|
||||||
|
"Skipped until system-scoped support expanding implied roles",
|
||||||
|
expected_exception=matchers._impl.MismatchError,
|
||||||
|
bug='#1788694'
|
||||||
|
)
|
||||||
|
def test_create_implied_role_shows_in_v3_system_token(self):
|
||||||
|
self.config_fixture.config(group='token', infer_roles=True)
|
||||||
|
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||||
|
self.user['id'], self.role['id']
|
||||||
|
)
|
||||||
|
|
||||||
|
token_id = self.get_system_scoped_token()
|
||||||
|
r = self.get('/auth/tokens', headers={'X-Subject-Token': token_id})
|
||||||
|
token_roles = r.result['token']['roles']
|
||||||
|
|
||||||
|
prior = token_roles[0]['id']
|
||||||
|
self._create_implied_role(prior)
|
||||||
|
|
||||||
|
r = self.get('/auth/tokens', headers={'X-Subject-Token': token_id})
|
||||||
|
token_roles = r.result['token']['roles']
|
||||||
|
self.assertEqual(2, len(token_roles))
|
||||||
|
|
||||||
def test_group_assigned_implied_role_shows_in_v3_token(self):
|
def test_group_assigned_implied_role_shows_in_v3_token(self):
|
||||||
self.config_fixture.config(group='token', infer_roles=True)
|
self.config_fixture.config(group='token', infer_roles=True)
|
||||||
is_domain = False
|
is_domain = False
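Review bot: The final check in `test_create_implied_role_shows_in_v3_system_token`, `self.assertEqual(2, len(token_roles))`, only counts roles, so once bug 1788694 is fixed the test would pass for any two roles in the system-scoped token rather than the prior role plus the one it implies. For a test that guards which authorization a token carries, compare ids as well, e.g. `self.assertIn(prior, [role['id'] for role in token_roles])`, plus a check on the implied role's id if `_create_implied_role` makes it available (its definition is outside this hunk). The `wip` decorator also reaches into `matchers._impl.MismatchError`, a private module path; `matchers.MismatchError` should be the same class if `matchers` is `testtools.matchers`, which the visible hunks do not show. Because `wip` expects only `MismatchError`, a one-line comment above the decorator saying that the count assertion is the line expected to fail would help whoever removes the decorator later.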
|
||||||
|
|