diff --git a/keystone/models/token_model.py b/keystone/models/token_model.py index 37cc56342e..75ed62ee49 100644 --- a/keystone/models/token_model.py +++ b/keystone/models/token_model.py @@ -12,8 +12,6 @@ """Unified in-memory token model.""" -import itertools - from oslo_log import log from oslo_serialization import msgpackutils from oslo_utils import reflection @@ -254,6 +252,7 @@ class TokenModel(object): roles = [] groups = PROVIDERS.identity_api.list_groups_for_user(self.user_id) all_group_roles = [] + assignments = [] for group in groups: group_roles = ( PROVIDERS.assignment_api.list_system_grants_for_group( @@ -262,10 +261,25 @@ class TokenModel(object): ) for role in group_roles: all_group_roles.append(role) + assignment = {'group_id': group['id'], 'role_id': role['id']} + assignments.append(assignment) user_roles = PROVIDERS.assignment_api.list_system_grants_for_user( self.user_id ) - for role in itertools.chain(all_group_roles, user_roles): + for role in user_roles: + assignment = {'user_id': self.user_id, 'role_id': role['id']} + assignments.append(assignment) + + # NOTE(lbragstad): The whole reason we need to build out a list of + # "assignments" as opposed to just using the nice list of roles we + # already have is because the add_implied_roles() method operates on a + # list of assignment dictionaries (containing role_id, + # user_id/group_id, project_id, et cetera). That method could probably + # be fixed to be more clear by operating on actual roles instead of + # just assignments. + assignments = PROVIDERS.assignment_api.add_implied_roles(assignments) + for assignment in assignments: + role = PROVIDERS.role_api.get_role(assignment['role_id']) roles.append({'id': role['id'], 'name': role['name']}) return roles diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py index 0c085f7bfa..cdcd654bb3 100644 --- a/keystone/tests/unit/test_v3_auth.py +++ b/keystone/tests/unit/test_v3_auth.py 
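Review bot: `all_group_roles` is left as dead state in this hunk: `all_group_roles = []` survives as context here and `all_group_roles.append(role)` survives as context in the next hunk (`@@ -262`), but its only reader, the removed `for role in itertools.chain(all_group_roles, user_roles):` loop, is gone, so the list is built and never consumed. Dropping both lines would make it clear that `assignments` is the only thing the group loop now accumulates. The enclosing method starts before this hunk, so confirm there that nothing else in it reads `all_group_roles` before deleting it.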
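Review bot: The new final loop appends one `roles` entry and issues one `PROVIDERS.role_api.get_role` call per assignment returned by `add_implied_roles`, so a role held both directly and through a group (two assignment dicts with the same `role_id` are built above) will be listed twice, and an implied role reachable from more than one prior role presumably will be too unless `add_implied_roles` dedupes its output. The removed `itertools.chain` loop already repeated a direct/group overlap, but the implied-role expansion multiplies the paths, so unless a caller dedupes the result it is worth skipping already-seen `role_id`s here, which also collapses the repeated `get_role` lookups. The enclosing method's `def` line is outside the hunk; the rewrite below keeps the `roles = []` initialisation from the previous hunk and the return value's shape unchanged.
```python
        assignments = PROVIDERS.assignment_api.add_implied_roles(assignments)
        # One entry and one lookup per distinct role, however many assignment
        # paths (direct, group, implied) lead to it.
        seen_role_ids = set()
        for assignment in assignments:
            role_id = assignment['role_id']
            if role_id in seen_role_ids:
                continue
            seen_role_ids.add(role_id)
            role = PROVIDERS.role_api.get_role(role_id)
            roles.append({'id': role['id'], 'name': role['name']})
        return roles
```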
@@ -45,7 +45,6 @@ from keystone.tests.common import auth as common_auth from keystone.tests import unit from keystone.tests.unit import ksfixtures from keystone.tests.unit import test_v3 -from keystone.tests.unit import utils as test_utils CONF = keystone.conf.CONF @@ -1860,11 +1859,6 @@ class TokenAPITests(object): self._create_implied_role_shows_in_v3_token(True) - @test_utils.wip( - "Skipped until system-scoped support expanding implied roles", - expected_exception=matchers._impl.MismatchError, - bug='#1788694' - ) def test_create_implied_role_shows_in_v3_system_token(self): self.config_fixture.config(group='token', infer_roles=True) PROVIDERS.assignment_api.create_system_grant_for_user( diff --git a/releasenotes/notes/bug-1788694-4dc8b3ec47fc6084.yaml b/releasenotes/notes/bug-1788694-4dc8b3ec47fc6084.yaml new file mode 100644 index 0000000000..8296442d02 --- /dev/null +++ b/releasenotes/notes/bug-1788694-4dc8b3ec47fc6084.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + [`bug 1788694 `_] + System-scoped tokens now support expanding role assignments to include + implied roles in token creation and validation responses.