Fix v2 token user ref with trust impersonation=True

The v2 token controller incorrectly checks for a string instead of a boolean, which results in the wrong user ID (trustee, when it should be the trustor) when impersonation=True. So fix the comparison and tests, adding a test which illustrates the issue. Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096 Closes-Bug: #1239303
openstack · Oct 15, 2013 · 4285b79 · 4285b79
1 parent 71af37b
commit 4285b79
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 6 deletions.
diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py
@@ -603,15 +603,15 @@ def setUp(self):
         self.sample_data = {'trustor_user_id': self.trustor['id'],
                             'trustee_user_id': self.trustee['id'],
                             'project_id': self.tenant_bar['id'],
-                            'impersonation': 'True',
+                            'impersonation': True,
                             'roles': [{'id': self.role_browser['id']},
                                       {'name': self.role_member['name']}]}
         expires_at = timeutils.strtime(timeutils.utcnow() +
                                        datetime.timedelta(minutes=10),
                                        fmt=TIME_FORMAT)
         self.create_trust(expires_at=expires_at)
 
-    def create_trust(self, expires_at=None, impersonation='True'):
+    def create_trust(self, expires_at=None, impersonation=True):
         username = self.trustor['name'],
         password = 'foo2'
         body_dict = _build_user_auth(username=username, password=password)
@@ -676,20 +676,28 @@ def test_get_trust(self):
             self.assertIn(role['id'], role_ids)
 
     def test_create_trust_no_impersonation(self):
-        self.create_trust(expires_at=None, impersonation='False')
+        self.create_trust(expires_at=None, impersonation=False)
         self.assertEquals(self.new_trust['trustor_user_id'],
                           self.trustor['id'])
         self.assertEquals(self.new_trust['trustee_user_id'],
                           self.trustee['id'])
-        self.assertEquals(self.new_trust['impersonation'],
-                          'False')
+        self.assertIs(self.new_trust['impersonation'], False)
         auth_response = self.fetch_v2_token_from_trust()
         token_user = auth_response['access']['user']
         self.assertEquals(token_user['id'],
                           self.new_trust['trustee_user_id'])
 
         # TODO(ayoung): Endpoints
 
+    def test_create_trust_impersonation(self):
+        self.create_trust(expires_at=None)
+        self.assertEqual(self.new_trust['trustor_user_id'], self.trustor['id'])
+        self.assertEqual(self.new_trust['trustee_user_id'], self.trustee['id'])
+        self.assertIs(self.new_trust['impersonation'], True)
+        auth_response = self.fetch_v2_token_from_trust()
+        token_user = auth_response['access']['user']
+        self.assertEqual(token_user['id'], self.new_trust['trustor_user_id'])
+
     def test_token_from_trust_wrong_user_fails(self):
         request_body = self.build_v2_token_request('FOO', 'foo2')
         self.assertRaises(

diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
@@ -181,7 +181,7 @@ def _authenticate_token(self, context, auth):
                 trust_ref['trustee_user_id'])
             if not trustee_user_ref['enabled']:
                 raise exception.Forbidden()()
-            if trust_ref['impersonation'] == 'True':
+            if trust_ref['impersonation'] is True:
                 current_user_ref = trustor_user_ref
             else:
                 current_user_ref = trustee_user_ref