From 0efbb6ad207bd23aa2459f09b5f46998c428dd93 Mon Sep 17 00:00:00 2001
From: Boris Bobrov
Date: Fri, 31 Mar 2017 10:13:41 +0300
Subject: [PATCH] Expose issue with federated user getting wrong role

Change-Id: I530b8bdca0c2fa8d25e186efeb0135b1cb2e183e
Partial-Bug: 1677723
---
 keystone/tests/unit/test_v3_federation.py | 34 +++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
index 8b7d0bc..a9c7eb0 100644
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@@ -3314,6 +3314,40 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
                 self.expected_results[project_name], roles[0]['name']
             )
 
+    def test_user_gets_only_assigned_roles(self):
+        # in bug 1677723 user could get roles outside of what was assigned
+        # to them. This test verifies that this is no longer true.
+        # Authenticate once to create the projects
+        response = self._issue_unscoped_token()
+        self.assertValidMappedUser(response.json_body['token'])
+        unscoped_token = response.headers.get('X-Subject-Token')
+
+        # Assign admin role to newly-created project to another user
+        staging_project = self.resource_api.get_project_by_name(
+            'Staging', self.idp['domain_id']
+        )
+        admin = unit.new_user_ref(CONF.identity.default_domain_id)
+        self.identity_api.create_user(admin)
+        self.assignment_api.create_grant(self.role_admin['id'],
+                                         user_id=admin['id'],
+                                         project_id=staging_project['id'])
+
+        # Authenticate again with the federated user and verify roles
+        response = self._issue_unscoped_token()
+        self.assertValidMappedUser(response.json_body['token'])
+        unscoped_token = response.headers.get('X-Subject-Token')
+        scope = self._scope_request(
+            unscoped_token, 'project', staging_project['id']
+        )
+        response = self.v3_create_token(scope)
+        roles = response.json_body['token']['roles']
+        role_ids = [r['id'] for r in roles]
+        self.assertNotIn(self.role_admin['id'], role_ids)
+
+        #self.assertEqual(
+        #    self.expected_results[project_name], roles[0]['name']
+        #)
+
 
 class JsonHomeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
     JSON_HOME_DATA = {
-- 
2.1.4
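Review bot: The return value of `self.identity_api.create_user(admin)` is discarded, so the `user_id=admin['id']` passed to `create_grant` is the id generated by `unit.new_user_ref`; if the identity manager assigns its own id on create, the grant targets a user that does not exist and the test fails for the wrong reason, which the usual `admin = self.identity_api.create_user(admin)` avoids. The first `unscoped_token = response.headers.get('X-Subject-Token')` is overwritten before it is used and can be dropped, and the commented-out `assertEqual` block at the end references `project_name`, which is not bound in this method, so it should be deleted rather than left as dead code. Since the bug is a federated user receiving a role granted to a different user, the check would be tighter if, alongside `assertNotIn`, it pinned the roles to the mapped expectation, e.g. `self.assertEqual(self.expected_results['Staging'], roles[0]['name'])`, assuming `expected_results` is keyed by project name as the preceding context line suggests. The enclosing `ShadowMappingTests` class starts outside the hunk.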