1
diff --git a/debian/changelog b/debian/changelog
2
index af4151a..c0f05a0 100644
3
--- a/debian/changelog
4
+++ b/debian/changelog
5
@@ -1,3 +1,10 @@
6
1
horizon (4:19.3.0-0ubuntu2~cloud0) focal-wallaby; urgency=medium
7
2
8
3
  * d/p/lp1827120.patch: Fix missing project_id in application credential
9
4
    create when user has both project+domain admin role (LP#1827120).
10
5
11
6
 -- Rodrigo Barbieri <rodrigo.barbieri@canonical.com>  Mon, 05 Dec 2022 14:24:41 +0000
12
7
13
1
horizon (4:19.3.0-0ubuntu1~cloud0) focal-wallaby; urgency=medium
8
horizon (4:19.3.0-0ubuntu1~cloud0) focal-wallaby; urgency=medium
14
2
9
15
3
  * New stable point release for OpenStack Wallaby (LP: #1985087).
10
  * New stable point release for OpenStack Wallaby (LP: #1985087).
16
diff --git a/debian/patches/lp1827120.patch b/debian/patches/lp1827120.patch
17
4
new file mode 100644
11
new file mode 100644
18
index 0000000..f66cf3c
19
--- /dev/null
20
+++ b/debian/patches/lp1827120.patch
21
@@ -0,0 +1,125 @@
22
1
From 2f8aaa03e8ed4c2c8e3628f1f723f304b24b1f82 Mon Sep 17 00:00:00 2001
23
2
From: Rodrigo Barbieri <rodrigo.barbieri2010@gmail.com>
24
3
Date: Wed, 7 Sep 2022 10:52:48 -0300
25
4
Subject: [PATCH] Fix app cred create without project_id for domain admins
26
5
27
6
Users with domain admin role that are not cloud admins are
28
7
not able to get scoped context and create an application
29
8
credential with project_id, so this change forces the
30
9
scoped context in that particular case.
31
10
32
11
Closes-bug: #1827120
33
12
Change-Id: I076a97a6f943ab74a2db8bc5179a7db194009db4
34
13
(cherry picked from commit 6eeaf9852478e25ff77c21117664ac126c5357a4)
35
14
(cherry picked from commit 778a52e66aeab883b31db729e04944eeecfec6a2)
36
15
(cherry picked from commit 13e821a079134a458b24593d9593e0e5318e6cd6)
37
16
(cherry picked from commit 084ee8aaea703d99720c0cdc2751b6479dab3b2f)
38
17
---
39
18
 openstack_dashboard/api/keystone.py           | 17 +++++--
40
19
 .../test/unit/api/test_keystone.py            | 44 +++++++++++++++++++
41
20
 2 files changed, 58 insertions(+), 3 deletions(-)
42
21
43
22
diff --git a/openstack_dashboard/api/keystone.py b/openstack_dashboard/api/keystone.py
44
23
index 6195ee79c..3d21c808c 100644
45
24
--- a/openstack_dashboard/api/keystone.py
46
25
+++ b/openstack_dashboard/api/keystone.py
47
26
@@ -120,7 +120,7 @@ def _get_endpoint_url(request, endpoint_type, catalog=None):
48
27
     return url
49
28
 
50
29
 
51
30
-def keystoneclient(request, admin=False):
52
31
+def keystoneclient(request, admin=False, force_scoped=False):
53
32
     """Returns a client connected to the Keystone backend.
54
33
 
55
34
     Several forms of authentication are supported:
56
35
@@ -152,7 +152,8 @@ def keystoneclient(request, admin=False):
57
36
 
58
37
         # If user is Cloud Admin, Domain Admin or Mixed Domain Admin and there
59
38
         # is no domain context specified, use domain scoped token
60
39
-        if is_domain_admin(request) and not is_domain_context_specified:
61
40
+        if (is_domain_admin(request) and not is_domain_context_specified and
62
41
+                not force_scoped):
63
42
             domain_token = request.session.get('domain_token')
64
43
             if domain_token:
65
44
                 token_id = getattr(domain_token, 'auth_token', None)
66
45
@@ -998,7 +999,17 @@ def application_credential_create(request, name, secret=None,
67
46
                                   roles=None, unrestricted=False,
68
47
                                   access_rules=None):
69
48
     user = request.user.id
70
49
-    manager = keystoneclient(request).application_credentials
71
50
+    # NOTE(ganso): users with domain admin role that are not cloud admins are
72
51
+    # not able to get scoped context and create an application credential with
73
52
+    # project_id, so only in this particular case we force a scoped context
74
53
+    force_scoped = False
75
54
+    if (request.user.project_id and request.session.get("domain_token") and
76
55
+            not policy.check(
77
56
+                (("identity", "identity:update_domain"),), request)):
78
57
+        force_scoped = True
79
58
+
80
59
+    manager = keystoneclient(
81
60
+        request, force_scoped=force_scoped).application_credentials
82
61
     try:
83
62
         return manager.create(name=name, user=user, secret=secret,
84
63
                               description=description, expires_at=expires_at,
85
64
diff --git a/openstack_dashboard/test/unit/api/test_keystone.py b/openstack_dashboard/test/unit/api/test_keystone.py
86
65
index 82221b757..3b682815e 100644
87
66
--- a/openstack_dashboard/test/unit/api/test_keystone.py
88
67
+++ b/openstack_dashboard/test/unit/api/test_keystone.py
89
68
@@ -20,6 +20,7 @@ from unittest import mock
90
69
 
91
70
 from django.test.utils import override_settings
92
71
 from openstack_dashboard import api
93
72
+from openstack_dashboard import policy
94
73
 from openstack_dashboard.test import helpers as test
95
74
 
96
75
 
97
76
@@ -142,3 +143,46 @@ class APIVersionTests(test.APIMockTestCase):
98
77
         keystoneclient.session.get_endpoint_data.assert_called_once_with(
99
78
             service_type='identity')
100
79
         self.assertEqual((3, 10), api_version)
101
80
+
102
81
+
103
82
+class ApplicationCredentialsAPITests(test.APIMockTestCase):
104
83
+
105
84
+    @mock.patch.object(policy, 'check')
106
85
+    @mock.patch.object(api.keystone, 'keystoneclient')
107
86
+    def test_application_credential_create_domain_token_removed(
108
87
+            self, mock_keystoneclient, mock_policy):
109
88
+        self.request.session['domain_token'] = 'some_token'
110
89
+        mock_policy.return_value = False
111
90
+        api.keystone.application_credential_create(self.request, None)
112
91
+        mock_keystoneclient.assert_called_once_with(
113
92
+            self.request, force_scoped=True)
114
93
+
115
94
+    @mock.patch.object(policy, 'check')
116
95
+    @mock.patch.object(api.keystone, 'keystoneclient')
117
96
+    def test_application_credential_create_domain_token_not_removed_policy_true(
118
97
+            self, mock_keystoneclient, mock_policy):
119
98
+        self.request.session['domain_token'] = 'some_token'
120
99
+        mock_policy.return_value = True
121
100
+        api.keystone.application_credential_create(self.request, None)
122
101
+        mock_keystoneclient.assert_called_once_with(
123
102
+            self.request, force_scoped=False)
124
103
+
125
104
+    @mock.patch.object(policy, 'check')
126
105
+    @mock.patch.object(api.keystone, 'keystoneclient')
127
106
+    def test_application_credential_create_domain_token_not_removed_no_token(
128
107
+            self, mock_keystoneclient, mock_policy):
129
108
+        mock_policy.return_value = True
130
109
+        api.keystone.application_credential_create(self.request, None)
131
110
+        mock_keystoneclient.assert_called_once_with(
132
111
+            self.request, force_scoped=False)
133
112
+
134
113
+    @mock.patch.object(policy, 'check')
135
114
+    @mock.patch.object(api.keystone, 'keystoneclient')
136
115
+    def test_application_credential_create_domain_token_not_removed_no_project(
137
116
+            self, mock_keystoneclient, mock_policy):
138
117
+        self.request.session['domain_token'] = 'some_token'
139
118
+        mock_policy.return_value = True
140
119
+        self.request.user.project_id = None
141
120
+        api.keystone.application_credential_create(self.request, None)
142
121
+        mock_keystoneclient.assert_called_once_with(
143
122
+            self.request, force_scoped=False)
144
123
-- 
145
124
2.34.1
146
125
147
diff --git a/debian/patches/series b/debian/patches/series
148
index 88198a3..f7cdd35 100644
149
--- a/debian/patches/series
150
+++ b/debian/patches/series
151
@@ -2,3 +2,4 @@ fix-horizon-test-settings.patch
152
2
fix-dashboard-manage.patch
2
fix-dashboard-manage.patch
153
3
ubuntu_settings.patch
3
ubuntu_settings.patch
154
4
embedded-xstatic.patch
4
embedded-xstatic.patch
155
5
lp1827120.patch
Reviewer	Review Type	Date Requested	Status
Ubuntu OpenStack uploaders		2022-12-05	Pending
Review via email: mp+434097@code.launchpad.net