Fix revoking domain-scoped tokens

A token scoped to a domain wouldn't be revoked for a domain-wide
revocation event. This is because the code to convert a token to a
dict for revocation event processing didn't handle domain-scoped
tokens.

Partial-Bug: #1349597

Change-Id: Ib2c58f3fc8790dbe7f8b073d18d3fa9b0dff608d
(cherry picked from commit 3e035eb)

keystone/contrib/revoke/model.py

@@ -285,7 +285,12 @@ def build_token_values(token_data):
         token_values['assignment_domain_id'] = project['domain']['id']
     else:
         token_values['project_id'] = None
-        token_values['assignment_domain_id'] = None
+
+        domain = token_data.get('domain')
+        if domain is not None:
+            token_values['assignment_domain_id'] = domain['id']
+        else:
+            token_values['assignment_domain_id'] = None
 
     role_list = []
     roles = token_data.get('roles')

keystone/tests/test_revoke.py

@@ -448,11 +448,19 @@ def test_by_domain_project(self):
     def test_by_domain_domain(self):
         # If revoke a domain, then a token scoped to the domain is revoked.
 
-        # FIXME(blk-u): The token translation code doesn't handle domain-scoped
-        # tokens at this point. See bug #1347318. Replace this with test code
-        # similar to test_by_domain_project().
+        user_id = _new_id()
+        user_domain_id = _new_id()
+
+        domain_id = _new_id()
 
-        pass
+        token_data = _sample_blank_token()
+        token_data['user_id'] = user_id
+        token_data['identity_domain_id'] = user_domain_id
+        token_data['assignment_domain_id'] = domain_id
+
+        self._revoke_by_domain(domain_id)
+
+        self._assertTokenRevoked(token_data)
 
     def _assertEmpty(self, collection):
         return self.assertEqual(0, len(collection), "collection not empty")