authorJose Castro Leon <jose.castro.leon@cern.ch>2019-04-23 15:38:16 +0200
committerLance Bragstad <lbragstad@gmail.com>2019-11-13 15:28:46 +0000
commit578be15629a84d1edcfda546a93b7ccbb6959720 (patch)
treeea318cff4e573609d9fdbab60b2cbce24ad4303d
parente8b04cc4265d672214da50b99ead8c4f8cc49aa2 (diff)
downloadkeystone-578be15629a84d1edcfda546a93b7ccbb6959720.tar.gz
Allows to use application credentials through group membership
When role assignment is granted through groups, the user cannot use the application credentials that were created. This change looks up the membership by checking inherited and group assignments. Conflicts: This change conflicts with newer branches because most of the logic in keystone/token/providers/common.py was refactored into keystone/models/token_model.py during the Rocky release. This refactor causes the stable/queens version to diverge from stable/rocky, stable/stein, and stable/train patches, although it is functionally equivalent to the approach used in later releases. Change-Id: If1bf5bd785a494923303265797311d42018ba7af Closes-Bug: #1773967 (cherry picked from commit 14b25bc5d18842210cfffe1afdca475e848b84aa) (cherry picked from commit 933ea511d150ed2cbbd4265fc7513a9b3435baa2) (cherry picked from commit cf83fc10569e7b52eeb52c0e164dfe36daeec309)
-rw-r--r--keystone/tests/unit/test_v3_auth.py32
-rw-r--r--keystone/token/providers/common.py19
-rw-r--r--releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml9
3 files changed, 51 insertions, 9 deletions
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index f1c09cae9..942c880a7 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -5632,6 +5632,38 @@ class ApplicationCredentialAuth(test_v3.RestfulTestCase):
app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
self.v3_create_token(auth_data, expected_status=http_client.NOT_FOUND)
+ def test_application_credential_through_group_membership(self):
+ user1 = unit.create_user(
+ PROVIDERS.identity_api, domain_id=self.domain_id
+ )
+
+ group1 = unit.new_group_ref(domain_id=self.domain_id)
+ group1 = PROVIDERS.identity_api.create_group(group1)
+
+ PROVIDERS.identity_api.add_user_to_group(
+ user1['id'], group1['id']
+ )
+ PROVIDERS.assignment_api.create_grant(
+ self.role_id, group_id=group1['id'], project_id=self.project_id
+ )
+
+ app_cred = {
+ 'id': uuid.uuid4().hex,
+ 'name': uuid.uuid4().hex,
+ 'secret': uuid.uuid4().hex,
+ 'user_id': user1['id'],
+ 'project_id': self.project_id,
+ 'description': uuid.uuid4().hex,
+ 'roles': [{'id': self.role_id}]
+ }
+
+ app_cred_ref = self.app_cred_api.create_application_credential(
+ app_cred)
+
+ auth_data = self.build_authentication_request(
+ app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
+ self.v3_create_token(auth_data, expected_status=http_client.CREATED)
+
def test_application_credential_cannot_scope(self):
app_cred = self._make_app_cred()
app_cred_ref = self.app_cred_api.create_application_credential(
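Review bot: The new test `test_application_credential_through_group_membership` only asserts that the token request returns CREATED and never inspects the issued token, so a provider that hands back the credential's stored roles without checking the user's effective assignments would still pass it. Capturing the response of `self.v3_create_token(...)` and asserting that the token's `roles` list contains exactly `self.role_id` would pin the behaviour this commit is fixing rather than just the status code. The enclosing class `ApplicationCredentialAuth` starts outside the hunk; the added method itself is complete within it.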
diff --git a/keystone/token/providers/common.py b/keystone/token/providers/common.py
index 07c0b6ef1..ed88455c1 100644
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@@ -195,16 +195,17 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
def _get_app_cred_roles(self, app_cred, user_id, domain_id, project_id):
roles = app_cred['roles']
token_roles = []
+ assignment_list = PROVIDERS.assignment_api.list_role_assignments(
+ user_id=user_id, project_id=project_id, domain_id=domain_id,
+ effective=True
+ )
+ user_roles = list(set([x['role_id'] for x in assignment_list]))
+
for role in roles:
- try:
- role_ref = PROVIDERS.assignment_api.get_grant(
- role['id'], user_id=user_id, domain_id=domain_id,
- project_id=project_id)
- token_roles.append(role_ref)
- except exception.RoleAssignmentNotFound:
- pass
- return [
- PROVIDERS.role_api.get_role(role['id']) for role in token_roles]
+ if role['id'] in user_roles:
+ token_roles.append({'id': role['id'], 'name': role['name']})
+
+ return roles
def populate_roles_for_federated_user(self, token_data, group_ids,
project_id=None, domain_id=None,
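Review bot: `_get_app_cred_roles` now ends with `return roles`, which is the application credential's full stored role list, while the filtered `token_roles` list built in the loop is never read, so the membership check against `user_roles` has no effect on the token and a role the user has since lost (for example after the group grant is revoked) would still be issued. The last line should be `return token_roles`. The loop also reads `role['name']` from the stored app-cred roles, which the removed code did not depend on (it fetched full role refs via `role_api.get_role`); it is worth confirming that stored roles always carry a name, since the new test creates the credential with `{'id': self.role_id}` only. `user_roles` is used only for membership tests, so `user_roles = {x['role_id'] for x in assignment_list}` reads more directly than `list(set([...]))`. `populate_roles_for_federated_user`, whose signature closes the hunk, continues outside it.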
diff --git a/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml
new file mode 100644
index 000000000..a4565ccd2
--- /dev/null
+++ b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ [`bug 1773967 <https://bugs.launchpad.net/keystone/+bug/1773967>`_]
+ Fixes an issue where users who had role assignments only via a group
+ membership and not via direct assignment could create but not use
+ application credentials. It is important to note that federated users who
+ only have role assignments via a mapped group membership still cannot
+ create application credentials.