From cf83fc10569e7b52eeb52c0e164dfe36daeec309 Mon Sep 17 00:00:00 2001 From: Jose Castro Leon Date: Tue, 23 Apr 2019 15:38:16 +0200 Subject: [PATCH] Allows to use application credentials through group membership When using role assignment through groups, the user cannot use the application credentials created. This allows to look up the membership by checking inherited and group assignments. Change-Id: If1bf5bd785a494923303265797311d42018ba7af Closes-Bug: #1773967 (cherry picked from commit 14b25bc5d18842210cfffe1afdca475e848b84aa) (cherry picked from commit 933ea511d150ed2cbbd4265fc7513a9b3435baa2) --- keystone/models/token_model.py | 16 ++++++---- keystone/tests/unit/test_v3_auth.py | 32 +++++++++++++++++++ .../notes/bug-1773967-b59517a09e0e6141.yaml | 9 ++++++ 3 files changed, 50 insertions(+), 7 deletions(-) create mode 100644 releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml diff --git a/keystone/models/token_model.py b/keystone/models/token_model.py index 2e8cc95da0..cbb760dac2 100644 --- a/keystone/models/token_model.py +++ b/keystone/models/token_model.py @@ -395,14 +395,16 @@ class TokenModel(object): def _get_application_credential_roles(self): roles = [] app_cred_roles = self.application_credential['roles'] + assignment_list = PROVIDERS.assignment_api.list_role_assignments( + user_id=self.user_id, + project_id=self.project_id, + domain_id=self.domain_id, + effective=True) + user_roles = list(set([x['role_id'] for x in assignment_list])) + for role in app_cred_roles: - try: - r = PROVIDERS.assignment_api.get_grant( - role['id'], user_id=self.user_id, - domain_id=self.domain_id, project_id=self.project_id) - roles.append({'id': r['id'], 'name': r['name']}) - except exception.RoleAssignmentNotFound: - pass + if role['id'] in user_roles: + roles.append({'id': role['id'], 'name': role['name']}) return roles diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py index 714e696759..0ab844b0ad 100644 --- a/keystone/tests/unit/test_v3_auth.py +++ b/keystone/tests/unit/test_v3_auth.py @@ -5392,6 +5392,38 @@ class ApplicationCredentialAuth(test_v3.RestfulTestCase): app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret']) self.v3_create_token(auth_data, expected_status=http_client.NOT_FOUND) + def test_application_credential_through_group_membership(self): + user1 = unit.create_user( + PROVIDERS.identity_api, domain_id=self.domain_id + ) + + group1 = unit.new_group_ref(domain_id=self.domain_id) + group1 = PROVIDERS.identity_api.create_group(group1) + + PROVIDERS.identity_api.add_user_to_group( + user1['id'], group1['id'] + ) + PROVIDERS.assignment_api.create_grant( + self.role_id, group_id=group1['id'], project_id=self.project_id + ) + + app_cred = { + 'id': uuid.uuid4().hex, + 'name': uuid.uuid4().hex, + 'secret': uuid.uuid4().hex, + 'user_id': user1['id'], + 'project_id': self.project_id, + 'description': uuid.uuid4().hex, + 'roles': [{'id': self.role_id}] + } + + app_cred_ref = self.app_cred_api.create_application_credential( + app_cred) + + auth_data = self.build_authentication_request( + app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret']) + self.v3_create_token(auth_data, expected_status=http_client.CREATED) + def test_application_credential_cannot_scope(self): app_cred = self._make_app_cred() app_cred_ref = self.app_cred_api.create_application_credential( diff --git a/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml new file mode 100644 index 0000000000..a4565ccd2a --- /dev/null +++ b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - | + [`bug 1773967 `_] + Fixes an issue where users who had role assignments only via a group + membership and not via direct assignment could create but not use + application credentials. It is important to note that federated users who + only have role assignments via a mapped group membership still cannot + create application credentials.