authorZuul <zuul@review.opendev.org>2019-11-14 01:10:37 +0000
committerGerrit Code Review <review@openstack.org>2019-11-14 01:10:37 +0000
commit200dda218de19c19ee1f5d1a735da7e0a4fc7db5 (patch)
tree4d63268bbe395cf225f2123a2430ea901e7b9964
parent50b10f40663418c0c3c1dbfd4d13b30ed3e17c0e (diff)
parentcf83fc10569e7b52eeb52c0e164dfe36daeec309 (diff)
downloadkeystone-200dda218de19c19ee1f5d1a735da7e0a4fc7db5.tar.gz
Merge "Allows to use application credentials through group membership" into stable/rocky
-rw-r--r--keystone/models/token_model.py16
-rw-r--r--keystone/tests/unit/test_v3_auth.py32
-rw-r--r--releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml9
3 files changed, 50 insertions, 7 deletions
diff --git a/keystone/models/token_model.py b/keystone/models/token_model.py
index 2e8cc95da..cbb760dac 100644
--- a/keystone/models/token_model.py
+++ b/keystone/models/token_model.py
@@ -395,14 +395,16 @@ class TokenModel(object):
def _get_application_credential_roles(self):
roles = []
app_cred_roles = self.application_credential['roles']
+ assignment_list = PROVIDERS.assignment_api.list_role_assignments(
+ user_id=self.user_id,
+ project_id=self.project_id,
+ domain_id=self.domain_id,
+ effective=True)
+ user_roles = list(set([x['role_id'] for x in assignment_list]))
+
for role in app_cred_roles:
- try:
- r = PROVIDERS.assignment_api.get_grant(
- role['id'], user_id=self.user_id,
- domain_id=self.domain_id, project_id=self.project_id)
- roles.append({'id': r['id'], 'name': r['name']})
- except exception.RoleAssignmentNotFound:
- pass
+ if role['id'] in user_roles:
+ roles.append({'id': role['id'], 'name': role['name']})
return roles
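Review bot: If every stored role is filtered out by the membership test on L41 — the user was removed from the group or the group grant was revoked — this returns `[]`, and the caller (outside this hunk) must treat an empty role list as a failed authentication for revocation to fail closed; since `list_role_assignments(effective=True)` is now the only authorization check on this path, I would make that explicit here rather than rely on the caller, e.g. `if not roles: raise exception.Unauthorized(msg)` with a why-comment stating that a revoked or group-removed user must not receive a role-less token. Note also that L42 now takes `name` from the application-credential record where the removed code read it from the live grant; if that record stores names rather than resolving them at read time, a renamed role would surface in the token under its old name — worth confirming against the application_credential backend. Minor: `user_roles = {x['role_id'] for x in assignment_list}` drops the `list(set([...]))` wrapper and makes the `in` test on L41 O(1).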
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 9253c8fbf..f61a5d611 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -5431,6 +5431,38 @@ class ApplicationCredentialAuth(test_v3.RestfulTestCase):
app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
self.v3_create_token(auth_data, expected_status=http_client.NOT_FOUND)
+ def test_application_credential_through_group_membership(self):
+ user1 = unit.create_user(
+ PROVIDERS.identity_api, domain_id=self.domain_id
+ )
+
+ group1 = unit.new_group_ref(domain_id=self.domain_id)
+ group1 = PROVIDERS.identity_api.create_group(group1)
+
+ PROVIDERS.identity_api.add_user_to_group(
+ user1['id'], group1['id']
+ )
+ PROVIDERS.assignment_api.create_grant(
+ self.role_id, group_id=group1['id'], project_id=self.project_id
+ )
+
+ app_cred = {
+ 'id': uuid.uuid4().hex,
+ 'name': uuid.uuid4().hex,
+ 'secret': uuid.uuid4().hex,
+ 'user_id': user1['id'],
+ 'project_id': self.project_id,
+ 'description': uuid.uuid4().hex,
+ 'roles': [{'id': self.role_id}]
+ }
+
+ app_cred_ref = self.app_cred_api.create_application_credential(
+ app_cred)
+
+ auth_data = self.build_authentication_request(
+ app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
+ self.v3_create_token(auth_data, expected_status=http_client.CREATED)
+
def test_application_credential_cannot_scope(self):
app_cred = self._make_app_cred()
app_cred_ref = self.app_cred_api.create_application_credential(
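Review bot: The new test on L79-81 only asserts that authentication returns 201; it never checks that the issued token actually carries `self.role_id`, so a regression that returns an empty role list through the group path would still pass. Capture the response and assert the role is present, e.g. `r = self.v3_create_token(auth_data, expected_status=http_client.CREATED)` followed by `self.assertIn(self.role_id, [role['id'] for role in r.result['token']['roles']])`. A companion negative case — `PROVIDERS.identity_api.remove_user_from_group(user1['id'], group1['id'])` and then the same request expecting `http_client.UNAUTHORIZED` — would pin the fail-closed behaviour the group-membership path is meant to preserve, assuming the token code rejects an empty role list (that code is not in this diff).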
diff --git a/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml
new file mode 100644
index 000000000..a4565ccd2
--- /dev/null
+++ b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ [`bug 1773967 <https://bugs.launchpad.net/keystone/+bug/1773967>`_]
+ Fixes an issue where users who had role assignments only via a group
+ membership and not via direct assignment could create but not use
+ application credentials. It is important to note that federated users who
+ only have role assignments via a mapped group membership still cannot
+ create application credentials.