author | Zuul <zuul@review.opendev.org> | 2019-10-18 20:10:26 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2019-10-18 20:10:26 +0000 |
commit | 1efa20fc36b24ae2f56ec4187115bf5e75bee32d (patch) | |
tree | 4bffb6724782188c7e1bce2f2493f1019e02dd42 | |
parent | 429923fbb3be7229b0c6c1b6136b230d86672bcf (diff) | |
parent | 933ea511d150ed2cbbd4265fc7513a9b3435baa2 (diff) | |
Merge "Allows to use application credentials through group membership" into stable/stein
-rw-r--r-- | keystone/models/token_model.py | 16 | ||||
-rw-r--r-- | keystone/tests/unit/test_v3_auth.py | 32 | ||||
-rw-r--r-- | releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml | 9 |
3 files changed, 50 insertions, 7 deletions
diff --git a/keystone/models/token_model.py b/keystone/models/token_model.py
index 79791e5dd..7f190286a 100644
--- a/keystone/models/token_model.py
+++ b/keystone/models/token_model.py
@@ -409,14 +409,16 @@ class TokenModel(object):
     def _get_application_credential_roles(self):
         roles = []
         app_cred_roles = self.application_credential['roles']
+        assignment_list = PROVIDERS.assignment_api.list_role_assignments(
+            user_id=self.user_id,
+            project_id=self.project_id,
+            domain_id=self.domain_id,
+            effective=True)
+        user_roles = list(set([x['role_id'] for x in assignment_list]))
+
         for role in app_cred_roles:
-            try:
-                r = PROVIDERS.assignment_api.get_grant(
-                    role['id'], user_id=self.user_id,
-                    domain_id=self.domain_id, project_id=self.project_id)
-                roles.append({'id': r['id'], 'name': r['name']})
-            except exception.RoleAssignmentNotFound:
-                pass
+            if role['id'] in user_roles:
+                roles.append({'id': role['id'], 'name': role['name']})
         return roles
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 87e9cadb6..f057a3535 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
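Review bot: `user_roles = list(set([x['role_id'] for x in assignment_list]))` builds a set only to turn it back into a list, so the `role['id'] in user_roles` test in the loop below is a linear scan per credential role; keep the set, `user_roles = {x['role_id'] for x in assignment_list}`, and the membership test becomes constant-time and reads as intended. Separately, the role name written into the token now comes from `role['name']` on the stored application credential instead of from the live role record the removed `get_grant` call returned; if `self.application_credential['roles']` carries a copy of the name captured at creation time rather than a fresh lookup, a role renamed afterwards would surface in tokens under its old name, which is worth confirming against how that list is populated. The hunk header counts two more context lines than are visible here, so the method's tail after `return roles` may not be fully shown.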
@@ -5696,6 +5696,38 @@ class ApplicationCredentialAuth(test_v3.RestfulTestCase):
             app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
         self.v3_create_token(auth_data, expected_status=http_client.NOT_FOUND)
+    def test_application_credential_through_group_membership(self):
+        user1 = unit.create_user(
+            PROVIDERS.identity_api, domain_id=self.domain_id
+        )
+
+        group1 = unit.new_group_ref(domain_id=self.domain_id)
+        group1 = PROVIDERS.identity_api.create_group(group1)
+
+        PROVIDERS.identity_api.add_user_to_group(
+            user1['id'], group1['id']
+        )
+        PROVIDERS.assignment_api.create_grant(
+            self.role_id, group_id=group1['id'], project_id=self.project_id
+        )
+
+        app_cred = {
+            'id': uuid.uuid4().hex,
+            'name': uuid.uuid4().hex,
+            'secret': uuid.uuid4().hex,
+            'user_id': user1['id'],
+            'project_id': self.project_id,
+            'description': uuid.uuid4().hex,
+            'roles': [{'id': self.role_id}]
+        }
+
+        app_cred_ref = self.app_cred_api.create_application_credential(
+            app_cred)
+
+        auth_data = self.build_authentication_request(
+            app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
+        self.v3_create_token(auth_data, expected_status=http_client.CREATED)
+
     def test_application_credential_cannot_scope(self):
         app_cred = self._make_app_cred()
         app_cred_ref = self.app_cred_api.create_application_credential(
diff --git a/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml
new file mode 100644
index 000000000..a4565ccd2
--- /dev/null
+++ b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    [`bug 1773967 <https://bugs.launchpad.net/keystone/+bug/1773967>`_]
+    Fixes an issue where users who had role assignments only via a group
+    membership and not via direct assignment could create but not use
+    application credentials. It is important to note that federated users who
+    only have role assignments via a mapped group membership still cannot
+    create application credentials.
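Review bot: `test_application_credential_through_group_membership` only asserts that token creation returns CREATED; it never checks that the group-granted role actually appears in the issued token, which is the behaviour `_get_application_credential_roles` was changed to produce, so a regression that yields a token with an empty role list could still pass if the auth path tolerates it. Capture the response, `r = self.v3_create_token(auth_data, expected_status=http_client.CREATED)`, and assert that `self.role_id` is among `[role['id'] for role in r.result['token']['roles']]`, using whichever response accessor the neighbouring token tests in this file already rely on. A second case with the group grant on the domain rather than the project would also exercise the `domain_id` argument now passed to `list_role_assignments`, which this test leaves uncovered.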