| author | Michael Basnight <mbasnight@gmail.com> | 2012-03-06 21:36:01 -0600 |
|---|---|---|
| committer | Michael Basnight <mbasnight@gmail.com> | 2012-03-07 15:11:27 -0600 |
| commit | 98170a73dd28cebf9737c012d03554ffce5fd1f5 (patch) | |
| tree | e9daa0235e2bea919086cfe67fd988dcce499bf2 | |
| parent | fe6414c8c1f769e6cc87fc001b6c52c5fea0f160 (diff) | |
fixes bug lp#948439 belongs_to and serviceCatalog behavior
* removing belongs_to as a kwarg and getting from the context
* adding a serviceCatalog for belongs_to calls to tokens
* adding test to validate belongs_to behavior in tokens
Change-Id: If6f6a7007a6830c57a5ac71aef0090e57a064232
| -rw-r--r-- | AUTHORS | 1 | ||||
| -rw-r--r-- | keystone/service.py | 22 | ||||
| -rw-r--r-- | tests/test_content_types.py | 22 |
3 files changed, 38 insertions, 7 deletions
@@ -66,6 +66,7 @@ Liem Nguyen <liem.m.nguyen@hp.com>
 lzyeval <lzyeval@gmail.com>
 Mark Gius <mgius7096@gmail.com>
 Mark McLoughlin <markmc@redhat.com>
+Michael Basnight <mbasnight@gmail.com>
 Michael Still <mikal@stillhq.com>
 Monty Taylor <mordred@inaugust.com>
 Pádraig Brady <P@draigBrady.com>
diff --git a/keystone/service.py b/keystone/service.py
index fdc16433..a92dc15a 100644
--- a/keystone/service.py
+++ b/keystone/service.py
@@ -370,7 +370,7 @@ class TokenController(wsgi.Application):
 return token_ref
 # admin only
- def validate_token_head(self, context, token_id, belongs_to=None):
+ def validate_token_head(self, context, token_id):
 """Check that a token is valid.
 Optionally, also ensure that it is owned by a specific tenant.
@@ -378,10 +378,11 @@ class TokenController(wsgi.Application):
 Identical to ``validate_token``, except does not return a response.
 """
+ belongs_to = context['query_string'].get("belongs_to")
 assert self._get_token_ref(context, token_id, belongs_to)
 # admin only
- def validate_token(self, context, token_id, belongs_to=None):
+ def validate_token(self, context, token_id):
 """Check that a token is valid.
 Optionally, also ensure that it is owned by a specific tenant.
@@ -389,6 +390,7 @@ class TokenController(wsgi.Application):
 Returns metadata about the token along any associated roles.
 """
+ belongs_to = context['query_string'].get("belongs_to")
 token_ref = self._get_token_ref(context, token_id, belongs_to)
 # TODO(termie): optimize this call at some point and put it into the
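Review bot: The `belongs_to` that validate_token_head now reads from `context['query_string']` is client-controlled and is passed to `_get_token_ref` unnormalised, so `?belongs_to=` (empty string) arrives as `''`, a value that is `not None` but falsy; whether that skips or fails the ownership check depends on how `_get_token_ref` tests it, and that helper is outside this diff. Normalising once at the read site, `belongs_to = context['query_string'].get('belongs_to') or None`, makes absent and empty mean the same thing for both this method and the catalog branch in validate_token, which keys on `is not None`. The same read is duplicated verbatim in validate_token just below; a small `_belongs_to_from_query(context)` helper would keep the two in step. Note also that the existing `assert self._get_token_ref(...)` on the next line is compiled away under `python -O`, so the tenant check must be enforced by `_get_token_ref` raising on mismatch rather than returning a falsy value; worth confirming that is the case. The method docstring still reads 'Optionally, also ensure that it is owned by a specific tenant' without saying how; adding `Pass ``?belongs_to=<tenant_id>`` to require that check.` documents the new contract.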
@@ -398,7 +400,17 @@ class TokenController(wsgi.Application):
 roles_ref = []
 for role_id in metadata_ref.get('roles', []):
 roles_ref.append(self.identity_api.get_role(context, role_id))
- return self._format_token(token_ref, roles_ref)
+
+ # Get a service catalog if belongs_to is not none
+ # This is needed for on-behalf-of requests
+ catalog_ref = None
+ if belongs_to is not None:
+ catalog_ref = self.catalog_api.get_catalog(
+ context=context,
+ user_id=token_ref['user']['id'],
+ tenant_id=token_ref['tenant']['id'],
+ metadata=metadata_ref)
+ return self._format_token(token_ref, roles_ref, catalog_ref)
 def delete_token(self, context, token_id):
 """Delete a token, effectively invalidating it for authz."""
@@ -416,7 +428,7 @@ class TokenController(wsgi.Application):
 o['access']['serviceCatalog'] = self._format_catalog(catalog_ref)
 return o
- def _format_token(self, token_ref, roles_ref):
+ def _format_token(self, token_ref, roles_ref, catalog_ref=None):
 user_ref = token_ref['user']
 metadata_ref = token_ref['metadata']
 expires = token_ref['expires']
@@ -437,6 +449,8 @@ class TokenController(wsgi.Application):
 if 'tenant' in token_ref and token_ref['tenant']:
 token_ref['tenant']['enabled'] = True
 o['access']['token']['tenant'] = token_ref['tenant']
+ if catalog_ref is not None:
+ o['access']['serviceCatalog'] = self._format_catalog(catalog_ref)
 return o
 def _format_catalog(self, catalog_ref):
diff --git a/tests/test_content_types.py b/tests/test_content_types.py
index b98ae773..d98330a4 100644
--- a/tests/test_content_types.py
+++ b/tests/test_content_types.py
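Review bot: The new catalog branch in validate_token indexes `token_ref['tenant']['id']` with no guard, whereas `_format_token` in the -437 hunk below only touches `token_ref['tenant']` after `if 'tenant' in token_ref and token_ref['tenant']:`, so an unscoped token validated with `?belongs_to=` reaches this line with `tenant` missing or `None` and the request dies with a TypeError/KeyError (a 500) rather than a clean rejection, unless `_get_token_ref`, which is outside this diff, already refuses tenant-less tokens whenever belongs_to is set; please confirm which it is. If it does not, reject explicitly before building the catalog rather than merely mirroring the guard, since an admin asking whether a token belongs to tenant X should get a definite refusal for an unscoped token, not a catalog-less 200. The comment `# Get a service catalog if belongs_to is not none` restates the condition; `# On-behalf-of callers need the tenant's endpoints, so the catalog is returned only when ownership of that tenant was asserted via belongs_to.` says why. The `catalog_ref=None` default on `_format_token` keeps the existing callers working, which is the right call.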
@@ -352,6 +352,14 @@ class CoreApiTests(object):
 token=token)
 self.assertValidAuthenticationResponse(r)
+ def test_validate_token_belongs_to(self):
+ token = self.get_scoped_token()
+ path = ('/v2.0/tokens/%s?belongs_to=%s'
+ % (token, self.tenant_bar['id']))
+ r = self.admin_request(path=path,token=token)
+ self.assertValidAuthenticationResponse(r,
+ require_service_catalog=True)
+
 def test_validate_token_head(self):
 """The same call as above, except using HEAD.
@@ -448,7 +456,8 @@ class JsonTestCase(RestfulTestCase, CoreApiTests):
 def assertValidExtensionResponse(self, r):
 self.assertValidExtension(r.body.get('extension'))
- def assertValidAuthenticationResponse(self, r):
+ def assertValidAuthenticationResponse(self, r,
+ require_service_catalog=False):
 self.assertIsNotNone(r.body.get('access'))
 self.assertIsNotNone(r.body['access'].get('token'))
 self.assertIsNotNone(r.body['access'].get('user'))
@@ -466,8 +475,11 @@ class JsonTestCase(RestfulTestCase, CoreApiTests):
 self.assertIsNotNone(r.body['access']['user'].get('id'))
 self.assertIsNotNone(r.body['access']['user'].get('name'))
+ serviceCatalog = r.body['access'].get('serviceCatalog')
 # validate service catalog
- if r.body['access'].get('serviceCatalog') is not None:
+ if require_service_catalog:
+ self.assertIsNotNone(serviceCatalog)
+ if serviceCatalog is not None:
 self.assertTrue(len(r.body['access']['serviceCatalog']))
 for service in r.body['access']['serviceCatalog']:
 # validate service
@@ -627,7 +639,8 @@ class XmlTestCase(RestfulTestCase, CoreApiTests):
 for role in r.body.findall(self._tag('role')):
 self.assertValidRole(role)
- def assertValidAuthenticationResponse(self, r):
+ def assertValidAuthenticationResponse(self, r,
+ require_service_catalog=False):
 xml = r.body
 self.assertEqual(xml.tag, self._tag('access'))
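Review bot: test_validate_token_belongs_to exercises only the positive path, because `self.tenant_bar['id']` is the tenant the scoped token was issued for, so the behaviour lp#948439 restores (a token checked against a tenant it does not belong to is refused) has no test, and an implementation that returns a catalog but never compares the tenant would still pass. Add a companion test that validates the same token with a tenant id it is not scoped to (another fixture tenant, or a fresh uuid) and asserts the error status `_get_token_ref` raises on mismatch, so a regression to "always valid" is caught; a matching HEAD variant would cover validate_token_head, which shares the new code. Minor style in the added lines: `r = self.admin_request(path=path, token=token)` (space after the comma, PEP 8), and the `%` continuation under `path = (` reads better indented to the opening quote.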
@@ -648,6 +661,9 @@ class XmlTestCase(RestfulTestCase, CoreApiTests):
 self.assertIsNotNone(user.get('name'))
 serviceCatalog = xml.find(self._tag('serviceCatalog'))
+ # validate the serviceCatalog
+ if require_service_catalog:
+ self.assertIsNotNone(serviceCatalog)
 if serviceCatalog is not None:
 self.assertTrue(len(serviceCatalog.findall(self._tag('service'))))
 for service in serviceCatalog.findall(self._tag('service')): |
