Accepts Group IDs from the IdP without domain
If group_ids is explicitly set in the saml2 assertion, add those ids to the mapped_properties. Change-Id: Idd3c218684b946603701de902d14f6a718acca40 Implements: blueprint federation-group-ids-mapped-without-domain-reference
This commit is contained in:
Olivier Pilotte
Olivier Pilotte
parent
f468f32d8f
commit
13156ef1c5
|
|
@ -497,6 +497,9 @@ class RuleProcessor(object):
|
|||
'domain': {
|
||||
'name': 'default_domain'
|
||||
}
|
||||
},
|
||||
{
|
||||
'group_ids': ['abc123', 'def456', '0cd5e9']
|
||||
}
|
||||
]
|
||||
|
||||
|
|
@ -568,6 +571,17 @@ class RuleProcessor(object):
|
|||
group_names_list]
|
||||
|
||||
group_names.extend(group_dicts)
|
||||
if 'group_ids' in identity_value:
|
||||
# If identity_values['group_ids'] is a string representation
|
||||
# of a list, parse it to a real list. Also, if the provided
|
||||
# group_ids parameter contains only one element, it will be
|
||||
# parsed as a simple string, and not a list or the
|
||||
# representation of a list.
|
||||
try:
|
||||
group_ids.update(
|
||||
ast.literal_eval(identity_value['group_ids']))
|
||||
except (ValueError, SyntaxError):
|
||||
group_ids.update([identity_value['group_ids']])
|
||||
|
||||
normalize_user(user)
|
||||
|
||||
|
|
|
|||
|
|
@ -620,3 +620,52 @@ class MappingRuleEngineTests(unit.BaseTestCase):
|
|||
|
||||
self.assertNotIn('id', mapped_properties['user'])
|
||||
self.assertNotIn('name', mapped_properties['user'])
|
||||
|
||||
def test_rule_engine_group_ids_mapping_whitelist(self):
|
||||
"""Test mapping engine when group_ids is explicitly set
|
||||
|
||||
Also test whitelists on group ids
|
||||
|
||||
"""
|
||||
mapping = mapping_fixtures.MAPPING_GROUPS_IDS_WHITELIST
|
||||
assertion = mapping_fixtures.GROUP_IDS_ASSERTION
|
||||
rp = mapping_utils.RuleProcessor(mapping['rules'])
|
||||
mapped_properties = rp.process(assertion)
|
||||
self.assertIsNotNone(mapped_properties)
|
||||
self.assertEqual('opilotte', mapped_properties['user']['name'])
|
||||
self.assertListEqual([], mapped_properties['group_names'])
|
||||
self.assertItemsEqual(['abc123', 'ghi789', 'klm012'],
|
||||
mapped_properties['group_ids'])
|
||||
|
||||
def test_rule_engine_group_ids_mapping_blacklist(self):
|
||||
"""Test mapping engine when group_ids is explicitly set.
|
||||
|
||||
Also test blacklists on group ids
|
||||
|
||||
"""
|
||||
mapping = mapping_fixtures.MAPPING_GROUPS_IDS_BLACKLIST
|
||||
assertion = mapping_fixtures.GROUP_IDS_ASSERTION
|
||||
rp = mapping_utils.RuleProcessor(mapping['rules'])
|
||||
mapped_properties = rp.process(assertion)
|
||||
self.assertIsNotNone(mapped_properties)
|
||||
self.assertEqual('opilotte', mapped_properties['user']['name'])
|
||||
self.assertListEqual([], mapped_properties['group_names'])
|
||||
self.assertItemsEqual(['abc123', 'ghi789', 'klm012'],
|
||||
mapped_properties['group_ids'])
|
||||
|
||||
def test_rule_engine_group_ids_mapping_only_one_group(self):
|
||||
"""Test mapping engine when group_ids is explicitly set.
|
||||
|
||||
If the group ids list has only one group,
|
||||
test if the transformation is done correctly
|
||||
|
||||
"""
|
||||
mapping = mapping_fixtures.MAPPING_GROUPS_IDS_WHITELIST
|
||||
assertion = mapping_fixtures.GROUP_IDS_ASSERTION_ONLY_ONE_GROUP
|
||||
rp = mapping_utils.RuleProcessor(mapping['rules'])
|
||||
mapped_properties = rp.process(assertion)
|
||||
self.assertIsNotNone(mapped_properties)
|
||||
self.assertEqual('opilotte', mapped_properties['user']['name'])
|
||||
self.assertListEqual([], mapped_properties['group_names'])
|
||||
self.assertItemsEqual(['210mlk', '321cba'],
|
||||
mapped_properties['group_ids'])
|
||||
|
|
|
|||
|
|
@ -1036,6 +1036,78 @@ MAPPING_WITH_DOMAINID_ONLY = {
|
|||
]
|
||||
}
|
||||
|
||||
MAPPING_GROUPS_IDS_WHITELIST = {
|
||||
"rules": [
|
||||
{
|
||||
"local": [
|
||||
{
|
||||
"user": {
|
||||
"name": "{0}"
|
||||
}
|
||||
},
|
||||
{
|
||||
"group_ids": "{1}"
|
||||
},
|
||||
{
|
||||
"group": {
|
||||
"id": "{2}"
|
||||
}
|
||||
}
|
||||
],
|
||||
"remote": [
|
||||
{
|
||||
"type": "name"
|
||||
},
|
||||
{
|
||||
"type": "group_ids",
|
||||
"whitelist": [
|
||||
"abc123", "ghi789", "321cba"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "group"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
MAPPING_GROUPS_IDS_BLACKLIST = {
|
||||
"rules": [
|
||||
{
|
||||
"local": [
|
||||
{
|
||||
"user": {
|
||||
"name": "{0}"
|
||||
}
|
||||
},
|
||||
{
|
||||
"group_ids": "{1}"
|
||||
},
|
||||
{
|
||||
"group": {
|
||||
"id": "{2}"
|
||||
}
|
||||
}
|
||||
],
|
||||
"remote": [
|
||||
{
|
||||
"type": "name"
|
||||
},
|
||||
{
|
||||
"type": "group_ids",
|
||||
"blacklist": [
|
||||
"def456"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "group"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
# Mapping used by tokenless test cases, it maps the domain_name only.
|
||||
MAPPING_WITH_DOMAINNAME_ONLY = {
|
||||
'rules': [
|
||||
|
|
@ -1184,7 +1256,6 @@ MAPPING_GROUPS_WHITELIST_PASS_THROUGH = {
|
|||
]
|
||||
}
|
||||
|
||||
|
||||
EMPLOYEE_ASSERTION = {
|
||||
'Email': 'tim@example.com',
|
||||
'UserName': 'tbo',
|
||||
|
|
@ -1310,3 +1381,15 @@ UNMATCHED_GROUP_ASSERTION = {
|
|||
'REMOTE_USER': 'Any Momoose',
|
||||
'REMOTE_USER_GROUPS': 'EXISTS;NO_EXISTS'
|
||||
}
|
||||
|
||||
GROUP_IDS_ASSERTION = {
|
||||
'name': 'opilotte',
|
||||
'group_ids': 'abc123;def456;ghi789',
|
||||
'group': 'klm012'
|
||||
}
|
||||
|
||||
GROUP_IDS_ASSERTION_ONLY_ONE_GROUP = {
|
||||
'name': 'opilotte',
|
||||
'group_ids': '321cba',
|
||||
'group': '210mlk'
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue