Ubuntu
horizon package

Merge ~rodrigo-barbieri2010/ubuntu/+source/horizon:lp1827120_yoga into ~ubuntu-openstack-dev/ubuntu/+source/horizon:stable/yoga

  1. Git
  2. lp:~rodrigo-barbieri2010/ubuntu/+source/horizon
  3. lp1827120_yoga
  4. Merge into stable/yoga
Proposed by Rodrigo Barbieri
Status: Merged
Merged at revision: 16ace3d272f5fde1d020df30650d67ae39b04245
Proposed branch: ~rodrigo-barbieri2010/ubuntu/+source/horizon:lp1827120_yoga
Merge into: ~ubuntu-openstack-dev/ubuntu/+source/horizon:stable/yoga
Diff against target: 153 lines (+131/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/lp1827120.patch (+123/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Ubuntu OpenStack uploaders Pending
Review via email: mp+434095@code.launchpad.net
To post a comment you must log in.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/changelog b/debian/changelog
index 9390a98..a8000c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1horizon (4:22.1.0-0ubuntu3) jammy; urgency=medium
2
3 * d/p/lp1827120.patch: Fix missing project_id in application credential
4 create when user has both project+domain admin role (LP#1827120).
5
6 -- Rodrigo Barbieri <rodrigo.barbieri@canonical.com> Mon, 05 Dec 2022 13:51:11 +0000
7
1horizon (4:22.1.0-0ubuntu2.1) UNRELEASED; urgency=medium8horizon (4:22.1.0-0ubuntu2.1) UNRELEASED; urgency=medium
29
3 * d/gbp.conf: Create stable/yoga branch.10 * d/gbp.conf: Create stable/yoga branch.
diff --git a/debian/patches/lp1827120.patch b/debian/patches/lp1827120.patch
4new file mode 10064411new file mode 100644
index 0000000..a99e513
--- /dev/null
+++ b/debian/patches/lp1827120.patch
@@ -0,0 +1,123 @@
1From 13e821a079134a458b24593d9593e0e5318e6cd6 Mon Sep 17 00:00:00 2001
2From: Rodrigo Barbieri <rodrigo.barbieri2010@gmail.com>
3Date: Wed, 7 Sep 2022 10:52:48 -0300
4Subject: [PATCH] Fix app cred create without project_id for domain admins
5
6Users with domain admin role that are not cloud admins are
7not able to get scoped context and create an application
8credential with project_id, so this change forces the
9scoped context in that particular case.
10
11Closes-bug: #1827120
12Change-Id: I076a97a6f943ab74a2db8bc5179a7db194009db4
13(cherry picked from commit 6eeaf9852478e25ff77c21117664ac126c5357a4)
14(cherry picked from commit 778a52e66aeab883b31db729e04944eeecfec6a2)
15---
16 openstack_dashboard/api/keystone.py | 17 +++++--
17 .../test/unit/api/test_keystone.py | 44 +++++++++++++++++++
18 2 files changed, 58 insertions(+), 3 deletions(-)
19
20diff --git a/openstack_dashboard/api/keystone.py b/openstack_dashboard/api/keystone.py
21index d248a223d..b25443251 100644
22--- a/openstack_dashboard/api/keystone.py
23+++ b/openstack_dashboard/api/keystone.py
24@@ -120,7 +120,7 @@ def _get_endpoint_url(request, endpoint_type, catalog=None):
25 return url
26
27
28-def keystoneclient(request, admin=False):
29+def keystoneclient(request, admin=False, force_scoped=False):
30 """Returns a client connected to the Keystone backend.
31
32 Several forms of authentication are supported:
33@@ -152,7 +152,8 @@ def keystoneclient(request, admin=False):
34
35 # If user is Cloud Admin, Domain Admin or Mixed Domain Admin and there
36 # is no domain context specified, use domain scoped token
37- if is_domain_admin(request) and not is_domain_context_specified:
38+ if (is_domain_admin(request) and not is_domain_context_specified and
39+ not force_scoped):
40 domain_token = request.session.get('domain_token')
41 if domain_token:
42 token_id = getattr(domain_token, 'auth_token', None)
43@@ -995,7 +996,17 @@ def application_credential_create(request, name, secret=None,
44 roles=None, unrestricted=False,
45 access_rules=None):
46 user = request.user.id
47- manager = keystoneclient(request).application_credentials
48+ # NOTE(ganso): users with domain admin role that are not cloud admins are
49+ # not able to get scoped context and create an application credential with
50+ # project_id, so only in this particular case we force a scoped context
51+ force_scoped = False
52+ if (request.user.project_id and request.session.get("domain_token") and
53+ not policy.check(
54+ (("identity", "identity:update_domain"),), request)):
55+ force_scoped = True
56+
57+ manager = keystoneclient(
58+ request, force_scoped=force_scoped).application_credentials
59 try:
60 return manager.create(name=name, user=user, secret=secret,
61 description=description, expires_at=expires_at,
62diff --git a/openstack_dashboard/test/unit/api/test_keystone.py b/openstack_dashboard/test/unit/api/test_keystone.py
63index 4598c2d50..71e8a6314 100644
64--- a/openstack_dashboard/test/unit/api/test_keystone.py
65+++ b/openstack_dashboard/test/unit/api/test_keystone.py
66@@ -21,6 +21,7 @@ from unittest import mock
67
68 from django.test.utils import override_settings
69 from openstack_dashboard import api
70+from openstack_dashboard import policy
71 from openstack_dashboard.test import helpers as test
72
73
74@@ -164,3 +165,46 @@ class APIVersionTests(test.APIMockTestCase):
75 keystoneclient.session.get_endpoint_data.assert_called_once_with(
76 service_type='identity')
77 self.assertEqual((3, 10), api_version)
78+
79+
80+class ApplicationCredentialsAPITests(test.APIMockTestCase):
81+
82+ @mock.patch.object(policy, 'check')
83+ @mock.patch.object(api.keystone, 'keystoneclient')
84+ def test_application_credential_create_domain_token_removed(
85+ self, mock_keystoneclient, mock_policy):
86+ self.request.session['domain_token'] = 'some_token'
87+ mock_policy.return_value = False
88+ api.keystone.application_credential_create(self.request, None)
89+ mock_keystoneclient.assert_called_once_with(
90+ self.request, force_scoped=True)
91+
92+ @mock.patch.object(policy, 'check')
93+ @mock.patch.object(api.keystone, 'keystoneclient')
94+ def test_application_credential_create_domain_token_not_removed_policy_true(
95+ self, mock_keystoneclient, mock_policy):
96+ self.request.session['domain_token'] = 'some_token'
97+ mock_policy.return_value = True
98+ api.keystone.application_credential_create(self.request, None)
99+ mock_keystoneclient.assert_called_once_with(
100+ self.request, force_scoped=False)
101+
102+ @mock.patch.object(policy, 'check')
103+ @mock.patch.object(api.keystone, 'keystoneclient')
104+ def test_application_credential_create_domain_token_not_removed_no_token(
105+ self, mock_keystoneclient, mock_policy):
106+ mock_policy.return_value = True
107+ api.keystone.application_credential_create(self.request, None)
108+ mock_keystoneclient.assert_called_once_with(
109+ self.request, force_scoped=False)
110+
111+ @mock.patch.object(policy, 'check')
112+ @mock.patch.object(api.keystone, 'keystoneclient')
113+ def test_application_credential_create_domain_token_not_removed_no_project(
114+ self, mock_keystoneclient, mock_policy):
115+ self.request.session['domain_token'] = 'some_token'
116+ mock_policy.return_value = True
117+ self.request.user.project_id = None
118+ api.keystone.application_credential_create(self.request, None)
119+ mock_keystoneclient.assert_called_once_with(
120+ self.request, force_scoped=False)
121--
1222.34.1
123
diff --git a/debian/patches/series b/debian/patches/series
index 88198a3..f7cdd35 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ fix-horizon-test-settings.patch
2fix-dashboard-manage.patch2fix-dashboard-manage.patch
3ubuntu_settings.patch3ubuntu_settings.patch
4embedded-xstatic.patch4embedded-xstatic.patch
5lp1827120.patch

Subscribers

People subscribed via source and target branches