authorLance Bragstad <lbragstad@gmail.com>2018-08-24 13:56:37 +0000
committerColleen Murphy <colleen.murphy@suse.de>2019-10-18 13:46:57 -0700
commit1403a9645d3dca20a681e0ffee3f5ac3a36fe0c6 (patch)
treeefe1f8f78e3efcf3f2c836ecf3b0ba98e801ecc5
parentaf0565e2774f615bb5201b6775009c81a392b65e (diff)
Add test case for expanding implied roles in system tokens
This change is being backported because it provides a helper method in the unit tests that another change relies on. If a user has a role assignment on the system, which implies another role assignment, the system-scoped token response should include both role assignments. This patch exposes a bug in the system-scoped token implementation where implied roles aren't expanded out before returning the token response to the user. Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e Related-Bug: 1788694 (cherry picked from commit 6d7cfdb4ba5b8ce81d656dd22316505af6d382b8)
-rw-r--r--keystone/tests/unit/test_v3.py26
-rw-r--r--keystone/tests/unit/test_v3_auth.py23
2 files changed, 49 insertions, 0 deletions
diff --git a/keystone/tests/unit/test_v3.py b/keystone/tests/unit/test_v3.py
index 447be08e1..14e54e3a0 100644
--- a/keystone/tests/unit/test_v3.py
+++ b/keystone/tests/unit/test_v3.py
@@ -404,6 +404,32 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
})
return r.headers.get('X-Subject-Token')
+ def get_system_scoped_token(self):
+ """Convenience method for requesting system scoped tokens."""
+ r = self.admin_request(
+ method='POST',
+ path='/v3/auth/tokens',
+ body={
+ 'auth': {
+ 'identity': {
+ 'methods': ['password'],
+ 'password': {
+ 'user': {
+ 'name': self.user['name'],
+ 'password': self.user['password'],
+ 'domain': {
+ 'id': self.user['domain_id']
+ }
+ }
+ }
+ },
+ 'scope': {
+ 'system': {'all': True}
+ }
+ }
+ })
+ return r.headers.get('X-Subject-Token')
+
def get_domain_scoped_token(self):
"""Convenience method for requesting domain scoped token."""
r = self.admin_request(
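Review bot: The docstring on `get_system_scoped_token` does not state its precondition. The request authenticates as `self.user` with `'scope': {'system': {'all': True}}`, so it presumably succeeds only once that user holds a role assignment on the system, which the new test in test_v3_auth.py arranges with `create_system_grant_for_user` before calling it. I would extend the docstring with `Requires self.user to already have a role assignment on the system.` The helper also returns `r.headers.get('X-Subject-Token')`, which yields `None` rather than an error when the header is absent. That mirrors the neighbouring helper in the context lines, so whether `admin_request` already asserts the response status needs confirming outside this hunk.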
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 714e69675..d7156953c 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -45,6 +45,7 @@ from keystone.tests.common import auth as common_auth
from keystone.tests import unit
from keystone.tests.unit import ksfixtures
from keystone.tests.unit import test_v3
+from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
@@ -1850,6 +1851,28 @@ class TokenAPITests(object):
self._create_implied_role_shows_in_v3_token(True)
+ @test_utils.wip(
+ "Skipped until system-scoped support expanding implied roles",
+ expected_exception=matchers._impl.MismatchError,
+ bug='#1788694'
+ )
+ def test_create_implied_role_shows_in_v3_system_token(self):
+ self.config_fixture.config(group='token', infer_roles=True)
+ PROVIDERS.assignment_api.create_system_grant_for_user(
+ self.user['id'], self.role['id']
+ )
+
+ token_id = self.get_system_scoped_token()
+ r = self.get('/auth/tokens', headers={'X-Subject-Token': token_id})
+ token_roles = r.result['token']['roles']
+
+ prior = token_roles[0]['id']
+ self._create_implied_role(prior)
+
+ r = self.get('/auth/tokens', headers={'X-Subject-Token': token_id})
+ token_roles = r.result['token']['roles']
+ self.assertEqual(2, len(token_roles))
+
def test_group_assigned_implied_role_shows_in_v3_token(self):
self.config_fixture.config(group='token', infer_roles=True)
is_domain = False
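Review bot: The final assertion `self.assertEqual(2, len(token_roles))` in `test_create_implied_role_shows_in_v3_system_token` pins only the number of roles in the system-scoped token, not which roles they are, so once the `wip` marker is lifted the test would pass with any two roles in the response. Since this checks what authorization a token carries, assert the ids as well, e.g. `self.assertIn(prior, [role['id'] for role in token_roles])`, plus the implied role's id if `_create_implied_role` makes it available (its return value is not visible here). Adding `self.assertEqual(1, len(token_roles))` after the first fetch would also fix the baseline before `token_roles[0]` is read. Separately, `expected_exception=matchers._impl.MismatchError` reaches into a private module; if `matchers` is the testtools matchers module (its import is outside the hunk), the public `matchers.MismatchError` is the more stable spelling.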