Merge "Ensure OAuth1 authorized roles are respected" into stable/pike

keystone/tests/unit/test_v3_oauth1.py

@@ -309,6 +309,19 @@ class OAuthFlowTests(OAuth1Tests):
         self.keystone_token = content.result['token']
         self.assertIsNotNone(self.keystone_token_id)
 
+        # add a new role assignment to ensure it is ignored in the access token
+        new_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+        self.role_api.create_role(new_role['id'], new_role)
+        self.assignment_api.add_role_to_user_and_project(
+            user_id=self.user_id,
+            tenant_id=self.project_id,
+            role_id=new_role['id'])
+        content = self.post(url, headers=headers, body=body)
+        token = content.result['token']
+        token_roles = [r['id'] for r in token['roles']]
+        self.assertIn(self.role_id, token_roles)
+        self.assertNotIn(new_role['id'], token_roles)
+
 
 class AccessTokenCRUDTests(OAuthFlowTests):
     def test_delete_access_token_dne(self):