From 23a10e7c4e3af8ed6bc520a25a0ba2bae8de9157 Mon Sep 17 00:00:00 2001 From: Steven Hardy Date: Sun, 13 Oct 2013 10:44:52 +0100 Subject: [PATCH] Fix v2 token user ref with trust impersonation=True The v2 token controller incorrectly checks for a string instead of a boolean, which results in the wrong user ID (trustee, when it should be the trustor) when impersonation=True. So fix the comparison and tests, adding a test which illustrates the issue. Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096 Closes-Bug: #1239303 --- keystone/tests/test_auth.py | 17 +++++++++++++---- keystone/token/controllers.py | 2 +- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py index 3fd578ee42..58791a216d 100644 --- a/keystone/tests/test_auth.py +++ b/keystone/tests/test_auth.py @@ -603,7 +603,7 @@ def setUp(self): self.sample_data = {'trustor_user_id': self.trustor['id'], 'trustee_user_id': self.trustee['id'], 'project_id': self.tenant_bar['id'], - 'impersonation': 'True', + 'impersonation': True, 'roles': [{'id': self.role_browser['id']}, {'name': self.role_member['name']}]} expires_at = timeutils.strtime(timeutils.utcnow() + @@ -611,7 +611,7 @@ def setUp(self): fmt=TIME_FORMAT) self.create_trust(expires_at=expires_at) - def create_trust(self, expires_at=None, impersonation='True'): + def create_trust(self, expires_at=None, impersonation=True): username = self.trustor['name'], password = 'foo2' body_dict = _build_user_auth(username=username, password=password) 
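Review bot: In the `create_trust` hunk, the context line `username = self.trustor['name'],` ends with a trailing comma, which appears to bind `username` to a one-element tuple rather than the name string. Whether the trustor login still succeeds with that value depends on `_build_user_auth` and the controller, neither of which is visible here. Every trust test authenticates through this helper, so it is worth changing the line to `username = self.trustor['name']`. The body of `create_trust` continues past the end of this hunk.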
@@ -672,16 +672,25 @@ def test_get_trust(self): self.assertIn(role['id'], role_ids) def test_create_trust_no_impersonation(self): - self.create_trust(expires_at=None, impersonation='False') + self.create_trust(expires_at=None, impersonation=False) self.assertEqual(self.new_trust['trustor_user_id'], self.trustor['id']) self.assertEqual(self.new_trust['trustee_user_id'], self.trustee['id']) - self.assertEqual(self.new_trust['impersonation'], 'False') + self.assertIs(self.new_trust['impersonation'], False) auth_response = self.fetch_v2_token_from_trust() token_user = auth_response['access']['user'] self.assertEqual(token_user['id'], self.new_trust['trustee_user_id']) # TODO(ayoung): Endpoints + def test_create_trust_impersonation(self): + self.create_trust(expires_at=None) + self.assertEqual(self.new_trust['trustor_user_id'], self.trustor['id']) + self.assertEqual(self.new_trust['trustee_user_id'], self.trustee['id']) + self.assertIs(self.new_trust['impersonation'], True) + auth_response = self.fetch_v2_token_from_trust() + token_user = auth_response['access']['user'] + self.assertEqual(token_user['id'], self.new_trust['trustor_user_id']) + def test_token_from_trust_wrong_user_fails(self): request_body = self.build_v2_token_request('FOO', 'foo2') self.assertRaises( diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py index 8d2ce878d1..72486a1af5 100644 --- a/keystone/token/controllers.py +++ b/keystone/token/controllers.py @@ -181,7 +181,7 @@ def _authenticate_token(self, context, auth): trust_ref['trustee_user_id']) if not trustee_user_ref['enabled']: raise exception.Forbidden()() - if trust_ref['impersonation'] == 'True': + if trust_ref['impersonation'] is True: current_user_ref = trustor_user_ref else: current_user_ref = trustee_user_ref
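Review bot: `test_create_trust_impersonation` relies on the default of `create_trust` for the value it is testing; passing it explicitly, `self.create_trust(expires_at=None, impersonation=True)`, keeps the test's meaning fixed if that default changes. The tests now exercise only real booleans. A case that creates a trust with a non-boolean value such as the string 'True', and asserts that it is either rejected or produces the expected token user, would pin down how the stricter controller check treats such input. A one-line docstring such as `"""A v2 token from an impersonating trust carries the trustor's user id."""` would record the intent.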
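Review bot: In the context line just above the changed comparison, `raise exception.Forbidden()()` calls the exception instance, so a disabled trustee would most likely surface as a TypeError rather than Forbidden (unless Forbidden defines `__call__`, which is not visible here); it should read `raise exception.Forbidden()`. Separately, `is True` is an identity check, so a trust record whose `impersonation` comes back from storage as 1 or as the string 'True' would silently take the trustee branch. That is the less-privileged outcome, but normalising or rejecting non-boolean values where the trust is created would make the behaviour explicit for trusts stored before this change. `_authenticate_token` starts and ends outside this hunk.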