Diffstat (limited to 'keystone/tests/unit/test_v3_application_credential.py')
-rw-r--r--keystone/tests/unit/test_v3_application_credential.py31
1 files changed, 31 insertions, 0 deletions
diff --git a/keystone/tests/unit/test_v3_application_credential.py b/keystone/tests/unit/test_v3_application_credential.py
index 4e8899e56..017031873 100644
--- a/keystone/tests/unit/test_v3_application_credential.py
+++ b/keystone/tests/unit/test_v3_application_credential.py
@@ -166,6 +166,37 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
expected_status_code=http_client.FORBIDDEN,
headers={'X-Auth-Token': token})
+ def test_create_application_credential_with_trust(self):
+ second_role = unit.new_role_ref(name='reader')
+ PROVIDERS.role_api.create_role(second_role['id'], second_role)
+ PROVIDERS.assignment_api.add_role_to_user_and_project(
+ self.user_id, self.project_id, second_role['id'])
+ with self.test_client() as c:
+ pw_token = self.get_scoped_token()
+ # create a self-trust - only the roles are important for this test
+ trust_ref = unit.new_trust_ref(
+ trustor_user_id=self.user_id,
+ trustee_user_id=self.user_id,
+ project_id=self.project_id,
+ role_ids=[second_role['id']])
+ resp = c.post('/v3/OS-TRUST/trusts',
+ headers={'X-Auth-Token': pw_token},
+ json={'trust': trust_ref})
+ trust_id = resp.json['trust']['id']
+ trust_auth = self.build_authentication_request(
+ user_id=self.user_id,
+ password=self.user['password'],
+ trust_id=trust_id)
+ trust_token = self.v3_create_token(
+ trust_auth).headers['X-Subject-Token']
+ app_cred = self._app_cred_body(roles=[{'id': self.role_id}])
+ # only the roles from the trust token should be allowed, even if
+ # the user has the role assigned on the project
+ c.post('/v3/users/%s/application_credentials' % self.user_id,
+ headers={'X-Auth-Token': trust_token},
+ json=app_cred,
+ expected_status_code=http_client.BAD_REQUEST)
+
def test_create_application_credential_allow_recursion(self):
with self.test_client() as c:
roles = [{'id': self.role_id}]