Ubuntu
horizon package

 diff --git a/debian/changelog b/debian/changelog
 index af4151a..c0f05a0 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,10 @@
++horizon (4:19.3.0-0ubuntu2~cloud0) focal-wallaby; urgency=medium
++
++  * d/p/lp1827120.patch: Fix missing project_id in application credential
++    create when user has both project+domain admin role (LP#1827120).
++
++ -- Rodrigo Barbieri <rodrigo.barbieri@canonical.com>  Mon, 05 Dec 2022 14:24:41 +0000
++
  horizon (4:19.3.0-0ubuntu1~cloud0) focal-wallaby; urgency=medium
    * New stable point release for OpenStack Wallaby (LP: #1985087).
 diff --git a/debian/patches/lp1827120.patch b/debian/patches/lp1827120.patch
 new file mode 100644
 index 0000000..f66cf3c
 --- /dev/null
 +++ b/debian/patches/lp1827120.patch
@@ -0,0 +1,125 @@
++From 2f8aaa03e8ed4c2c8e3628f1f723f304b24b1f82 Mon Sep 17 00:00:00 2001
++From: Rodrigo Barbieri <rodrigo.barbieri2010@gmail.com>
++Date: Wed, 7 Sep 2022 10:52:48 -0300
++Subject: [PATCH] Fix app cred create without project_id for domain admins
++
++Users with domain admin role that are not cloud admins are
++not able to get scoped context and create an application
++credential with project_id, so this change forces the
++scoped context in that particular case.
++
++Closes-bug: #1827120
++Change-Id: I076a97a6f943ab74a2db8bc5179a7db194009db4
++(cherry picked from commit 6eeaf9852478e25ff77c21117664ac126c5357a4)
++(cherry picked from commit 778a52e66aeab883b31db729e04944eeecfec6a2)
++(cherry picked from commit 13e821a079134a458b24593d9593e0e5318e6cd6)
++(cherry picked from commit 084ee8aaea703d99720c0cdc2751b6479dab3b2f)
++---
++ openstack_dashboard/api/keystone.py           | 17 +++++--
++ .../test/unit/api/test_keystone.py            | 44 +++++++++++++++++++
++ 2 files changed, 58 insertions(+), 3 deletions(-)
++
++diff --git a/openstack_dashboard/api/keystone.py b/openstack_dashboard/api/keystone.py
++index 6195ee79c..3d21c808c 100644
++--- a/openstack_dashboard/api/keystone.py
+++++ b/openstack_dashboard/api/keystone.py
++@@ -120,7 +120,7 @@ def _get_endpoint_url(request, endpoint_type, catalog=None):
++     return url
++
++
++-def keystoneclient(request, admin=False):
+++def keystoneclient(request, admin=False, force_scoped=False):
++     """Returns a client connected to the Keystone backend.
++
++     Several forms of authentication are supported:
++@@ -152,7 +152,8 @@ def keystoneclient(request, admin=False):
++
++         # If user is Cloud Admin, Domain Admin or Mixed Domain Admin and there
++         # is no domain context specified, use domain scoped token
++-        if is_domain_admin(request) and not is_domain_context_specified:
+++        if (is_domain_admin(request) and not is_domain_context_specified and
+++                not force_scoped):
++             domain_token = request.session.get('domain_token')
++             if domain_token:
++                 token_id = getattr(domain_token, 'auth_token', None)
++@@ -998,7 +999,17 @@ def application_credential_create(request, name, secret=None,
++                                   roles=None, unrestricted=False,
++                                   access_rules=None):
++     user = request.user.id
++-    manager = keystoneclient(request).application_credentials
+++    # NOTE(ganso): users with domain admin role that are not cloud admins are
+++    # not able to get scoped context and create an application credential with
+++    # project_id, so only in this particular case we force a scoped context
+++    force_scoped = False
+++    if (request.user.project_id and request.session.get("domain_token") and
+++            not policy.check(
+++                (("identity", "identity:update_domain"),), request)):
+++        force_scoped = True
+++
+++    manager = keystoneclient(
+++        request, force_scoped=force_scoped).application_credentials
++     try:
++         return manager.create(name=name, user=user, secret=secret,
++                               description=description, expires_at=expires_at,
++diff --git a/openstack_dashboard/test/unit/api/test_keystone.py b/openstack_dashboard/test/unit/api/test_keystone.py
++index 82221b757..3b682815e 100644
++--- a/openstack_dashboard/test/unit/api/test_keystone.py
+++++ b/openstack_dashboard/test/unit/api/test_keystone.py
++@@ -20,6 +20,7 @@ from unittest import mock
++
++ from django.test.utils import override_settings
++ from openstack_dashboard import api
+++from openstack_dashboard import policy
++ from openstack_dashboard.test import helpers as test
++
++
++@@ -142,3 +143,46 @@ class APIVersionTests(test.APIMockTestCase):
++         keystoneclient.session.get_endpoint_data.assert_called_once_with(
++             service_type='identity')
++         self.assertEqual((3, 10), api_version)
+++
+++
+++class ApplicationCredentialsAPITests(test.APIMockTestCase):
+++
+++    @mock.patch.object(policy, 'check')
+++    @mock.patch.object(api.keystone, 'keystoneclient')
+++    def test_application_credential_create_domain_token_removed(
+++            self, mock_keystoneclient, mock_policy):
+++        self.request.session['domain_token'] = 'some_token'
+++        mock_policy.return_value = False
+++        api.keystone.application_credential_create(self.request, None)
+++        mock_keystoneclient.assert_called_once_with(
+++            self.request, force_scoped=True)
+++
+++    @mock.patch.object(policy, 'check')
+++    @mock.patch.object(api.keystone, 'keystoneclient')
+++    def test_application_credential_create_domain_token_not_removed_policy_true(
+++            self, mock_keystoneclient, mock_policy):
+++        self.request.session['domain_token'] = 'some_token'
+++        mock_policy.return_value = True
+++        api.keystone.application_credential_create(self.request, None)
+++        mock_keystoneclient.assert_called_once_with(
+++            self.request, force_scoped=False)
+++
+++    @mock.patch.object(policy, 'check')
+++    @mock.patch.object(api.keystone, 'keystoneclient')
+++    def test_application_credential_create_domain_token_not_removed_no_token(
+++            self, mock_keystoneclient, mock_policy):
+++        mock_policy.return_value = True
+++        api.keystone.application_credential_create(self.request, None)
+++        mock_keystoneclient.assert_called_once_with(
+++            self.request, force_scoped=False)
+++
+++    @mock.patch.object(policy, 'check')
+++    @mock.patch.object(api.keystone, 'keystoneclient')
+++    def test_application_credential_create_domain_token_not_removed_no_project(
+++            self, mock_keystoneclient, mock_policy):
+++        self.request.session['domain_token'] = 'some_token'
+++        mock_policy.return_value = True
+++        self.request.user.project_id = None
+++        api.keystone.application_credential_create(self.request, None)
+++        mock_keystoneclient.assert_called_once_with(
+++            self.request, force_scoped=False)
++--
++2.34.1
++
 diff --git a/debian/patches/series b/debian/patches/series
 index 88198a3..f7cdd35 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -2,3 +2,4 @@ fix-horizon-test-settings.patch
  fix-dashboard-manage.patch
  ubuntu_settings.patch
  embedded-xstatic.patch
++lp1827120.patch

Ubuntu
horizon package

Merge ~rodrigo-barbieri2010/ubuntu/+source/horizon:lp1827120_wallaby into ~ubuntu-openstack-dev/ubuntu/+source/horizon:stable/wallaby

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntuhorizon package

Merge ~rodrigo-barbieri2010/ubuntu/+source/horizon:lp1827120_wallaby into ~ubuntu-openstack-dev/ubuntu/+source/horizon:stable/wallaby

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
horizon package