)]}'
{"keystone/common/policies/token.py":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"e2842de35fcbce521e9afd97ed639f3c6dd83bfb","unresolved":false,"context_lines":[{"line_number":49,"context_line":""},{"line_number":50,"context_line":"token_policies \u003d ["},{"line_number":51,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":52,"context_line":"        name\u003dbase.IDENTITY % \u0027check_token\u0027,"},{"line_number":53,"context_line":"        check_str\u003dSYSTEM_USER_OR_TOKEN_SUBJECT,"},{"line_number":54,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027domain\u0027, \u0027project\u0027],"},{"line_number":55,"context_line":"        description\u003d\u0027Check a token.\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"9fb8cfa7_1d32bfa8","line":52,"updated":"2019-06-18 17:36:06.000000000","message":"Do we want to perhaps take this opportunity to deprecate this policy for removal to take care of https://opendev.org/openstack/keystone/src/branch/master/keystone/api/auth.py#L277-L281 ?","commit_id":"092570fc5ef43497c29cf174bfff43323a49fb58"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c50d882d9e0f76dbcba3a697c2534dd62b6c3055","unresolved":false,"context_lines":[{"line_number":49,"context_line":""},{"line_number":50,"context_line":"token_policies \u003d ["},{"line_number":51,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":52,"context_line":"        name\u003dbase.IDENTITY % \u0027check_token\u0027,"},{"line_number":53,"context_line":"        check_str\u003dSYSTEM_USER_OR_TOKEN_SUBJECT,"},{"line_number":54,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027domain\u0027, \u0027project\u0027],"},{"line_number":55,"context_line":"        description\u003d\u0027Check a 
token.\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"9fb8cfa7_deb40ef5","line":52,"in_reply_to":"9fb8cfa7_1d32bfa8","updated":"2019-06-19 14:14:12.000000000","message":"Sorry - I was going to look into this yesterday. Now that this has merged, I\u0027ll investigate and propose a follow-up if needed.","commit_id":"092570fc5ef43497c29cf174bfff43323a49fb58"}],"keystone/tests/unit/protection/v3/test_tokens.py":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"e2842de35fcbce521e9afd97ed639f3c6dd83bfb","unresolved":false,"context_lines":[{"line_number":386,"context_line":"                expected_status_code\u003dhttp_client.FORBIDDEN"},{"line_number":387,"context_line":"            )"},{"line_number":388,"context_line":""},{"line_number":389,"context_line":"    def test_user_cannot_validate_domain_scoped_token(self):"},{"line_number":390,"context_line":"        domain \u003d PROVIDERS.resource_api.create_domain("},{"line_number":391,"context_line":"            uuid.uuid4().hex, unit.new_domain_ref()"},{"line_number":392,"context_line":"        )"}],"source_content_type":"text/x-python","patch_set":3,"id":"9fb8cfa7_5d73574e","line":389,"updated":"2019-06-18 17:36:06.000000000","message":"I\u0027m unclear how this works - where is the rule that says a user can\u0027t use a different token to validate a token that they own?","commit_id":"092570fc5ef43497c29cf174bfff43323a49fb58"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"042b4038f4c54243d0e3692c46e5b837833e0410","unresolved":false,"context_lines":[{"line_number":386,"context_line":"                expected_status_code\u003dhttp_client.FORBIDDEN"},{"line_number":387,"context_line":"            )"},{"line_number":388,"context_line":""},{"line_number":389,"context_line":"    def 
test_user_cannot_validate_domain_scoped_token(self):"},{"line_number":390,"context_line":"        domain \u003d PROVIDERS.resource_api.create_domain("},{"line_number":391,"context_line":"            uuid.uuid4().hex, unit.new_domain_ref()"},{"line_number":392,"context_line":"        )"}],"source_content_type":"text/x-python","patch_set":3,"id":"9fb8cfa7_bd337362","line":389,"in_reply_to":"9fb8cfa7_5d73574e","updated":"2019-06-18 17:41:21.000000000","message":"The token being validated is a domain-scoped token from a completely different user than the user calling the API. Both tokens are owned by different users.\n\nThis is simulating that a user without system-level authorization can\u0027t validate any token with their own token... Granted, if someone has a token all they need to do to validate it is set both of the headers, but...","commit_id":"092570fc5ef43497c29cf174bfff43323a49fb58"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"19d9bea0fadea0f58c810ef146d9e9d111eba993","unresolved":false,"context_lines":[{"line_number":386,"context_line":"                expected_status_code\u003dhttp_client.FORBIDDEN"},{"line_number":387,"context_line":"            )"},{"line_number":388,"context_line":""},{"line_number":389,"context_line":"    def test_user_cannot_validate_domain_scoped_token(self):"},{"line_number":390,"context_line":"        domain \u003d PROVIDERS.resource_api.create_domain("},{"line_number":391,"context_line":"            uuid.uuid4().hex, unit.new_domain_ref()"},{"line_number":392,"context_line":"        )"}],"source_content_type":"text/x-python","patch_set":3,"id":"9fb8cfa7_b80dc1e9","line":389,"in_reply_to":"9fb8cfa7_bd337362","updated":"2019-06-18 18:08:21.000000000","message":"Oh I see, I managed to miss that this was a completely different user.","commit_id":"092570fc5ef43497c29cf174bfff43323a49fb58"}]}
