Fix: allow users with cross-domain role assignments to log in

Author: dhague

pkg/api/keystone/keystone_requests.go

@@ -93,23 +93,36 @@ type auth_response_struct struct {
 }
 
 type auth_token_struct struct {
-	Roles      []auth_roles_struct `json:"roles"`
-	Expires_at string              `json:"expires_at"`
+	Roles      []auth_roles_struct       `json:"roles"`
+	Expires_at string                    `json:"expires_at"`
+	User       auth_user_response_struct `json:"user"`
 }
 
 type auth_roles_struct struct {
 	Id   string `json:"id"`
 	Name string `json:"name"`
 }
 
+type auth_user_response_struct struct {
+	Name   string                          `json:"name"`
+	Id     string                          `json:"id"`
+	Domain auth_userdomain_response_struct `json:"domain"`
+}
+
+type auth_userdomain_response_struct struct {
+	Name string `json:"name"`
+	Id   string `json:"id"`
+}
+
 // Projects Response
 type project_response_struct struct {
 	Projects []project_struct
 }
 
 type project_struct struct {
-	Name    string
-	Enabled bool
+	Name     string
+	Enabled  bool
+	DomainId string `json:"domain_id"`
 }
 
 ////////////////////////
@@ -120,6 +133,7 @@ type project_struct struct {
 type Auth_data struct {
 	Server        string
 	Domain        string
+	DomainId      string
 	Username      string
 	Password      string
 	Project       string
@@ -205,6 +219,7 @@ func authenticate(data *Auth_data, b []byte) error {
 	data.Token = resp.Header.Get("X-Subject-Token")
 	data.Expiration = auth_response.Token.Expires_at
 	data.Roles = auth_response.Token.Roles
+	data.DomainId = auth_response.Token.User.Domain.Id
 
 	return nil
 }
@@ -225,8 +240,9 @@ func anonymisePasswordsTokens(data *Auth_data, json []byte) []byte {
 
 // Projects Section
 type Projects_data struct {
-	Token  string
-	Server string
+	Token    string
+	Server   string
+	DomainId string
 	//response
 	Projects []string
 }
@@ -264,7 +280,7 @@ func GetProjects(data *Projects_data) error {
 		return err
 	}
 	for _, project := range project_response.Projects {
-		if project.Enabled {
+		if project.Enabled && (project.DomainId == data.DomainId) {
 			data.Projects = append(data.Projects, project.Name)
 		}
 	}

pkg/login/keystone.go

@@ -13,6 +13,7 @@ import (
 type keystoneAuther struct {
 	server      string
 	domainname  string
+	domainId    string
 	defaultrole string
 	roles       map[m.RoleType][]string
 	admin_roles []string
@@ -67,6 +68,7 @@ func (a *keystoneAuther) authenticate(username, password string) error {
 		return err
 	}
 	a.token = auth.Token
+	a.domainId = auth.DomainId
 	return nil
 }
 
@@ -292,8 +294,9 @@ func (a *keystoneAuther) syncOrgRoles(username, password string, user *m.User) e
 func (a *keystoneAuther) getProjectList(username, password string) error {
 	log.Trace("getProjectList() with username %s", username)
 	projects_data := keystone.Projects_data{
-		Token:  a.token,
-		Server: a.server,
+		Token:    a.token,
+		Server:   a.server,
+		DomainId: a.domainId,
 	}
 	if err := keystone.GetProjects(&projects_data); err != nil {
 		return err