Merge "Allows to use application credentials through group membership" into stable/stein

3 files changed, 50 insertions, 7 deletions

diff --git a/keystone/models/token_model.py b/keystone/models/token_model.py
index 79791e5dd..7f190286a 100644
--- a/keystone/models/token_model.py
+++ b/keystone/models/token_model.py
@@ -409,14 +409,16 @@ class TokenModel(object):
     def _get_application_credential_roles(self):
         roles = []
         app_cred_roles = self.application_credential['roles']
+        assignment_list = PROVIDERS.assignment_api.list_role_assignments(
+            user_id=self.user_id,
+            project_id=self.project_id,
+            domain_id=self.domain_id,
+            effective=True)
+        user_roles = list(set([x['role_id'] for x in assignment_list]))
+
         for role in app_cred_roles:
-            try:
-                r = PROVIDERS.assignment_api.get_grant(
-                    role['id'], user_id=self.user_id,
-                    domain_id=self.domain_id, project_id=self.project_id)
-                roles.append({'id': r['id'], 'name': r['name']})
-            except exception.RoleAssignmentNotFound:
-                pass
+            if role['id'] in user_roles:
+                roles.append({'id': role['id'], 'name': role['name']})
 
         return roles
 
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 87e9cadb6..f057a3535 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -5696,6 +5696,38 @@ class ApplicationCredentialAuth(test_v3.RestfulTestCase):
             app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
         self.v3_create_token(auth_data, expected_status=http_client.NOT_FOUND)
 
+    def test_application_credential_through_group_membership(self):
+        user1 = unit.create_user(
+            PROVIDERS.identity_api, domain_id=self.domain_id
+        )
+
+        group1 = unit.new_group_ref(domain_id=self.domain_id)
+        group1 = PROVIDERS.identity_api.create_group(group1)
+
+        PROVIDERS.identity_api.add_user_to_group(
+            user1['id'], group1['id']
+        )
+        PROVIDERS.assignment_api.create_grant(
+            self.role_id, group_id=group1['id'], project_id=self.project_id
+        )
+
+        app_cred = {
+            'id': uuid.uuid4().hex,
+            'name': uuid.uuid4().hex,
+            'secret': uuid.uuid4().hex,
+            'user_id': user1['id'],
+            'project_id': self.project_id,
+            'description': uuid.uuid4().hex,
+            'roles': [{'id': self.role_id}]
+        }
+
+        app_cred_ref = self.app_cred_api.create_application_credential(
+            app_cred)
+
+        auth_data = self.build_authentication_request(
+            app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
+        self.v3_create_token(auth_data, expected_status=http_client.CREATED)
+
     def test_application_credential_cannot_scope(self):
         app_cred = self._make_app_cred()
         app_cred_ref = self.app_cred_api.create_application_credential(
diff --git a/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml
new file mode 100644
index 000000000..a4565ccd2
--- /dev/null
+++ b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    [`bug 1773967 <https://bugs.launchpad.net/keystone/+bug/1773967>`_]
+    Fixes an issue where users who had role assignments only via a group
+    membership and not via direct assignment could create but not use
+    application credentials. It is important to note that federated users who
+    only have role assignments via a mapped group membership still cannot
+    create application credentials.