Merge "Strengthen Mapping Validation in Federation Mappings"

2016-01-23 10:19:03 +00:00 · 2016-01-23 10:19:03 +00:00 · 18082380e2
parent dc01e06ab4 cc2cfff50f
commit 18082380e2
3 changed files with 73 additions and 1 deletions
--- a/keystone/federation/utils.py
+++ b/keystone/federation/utils.py
@ -42,7 +42,52 @@ MAPPING_SCHEMA = {
                "additionalProperties": False,
                "properties": {
                    "local": {
-                        "type": "array"
+                        "type": "array",
+                        "items": {
+                            "type": "object",
+                            "additionalProperties": False,
+                            "properties": {
+                                "user": {
+                                    "type": "object",
+                                    "properties": {
+                                        "id": {"type": "string"},
+                                        "name": {"type": "string"},
+                                        "email": {"type": "string"},
+                                        "domain": {
+                                            "type": "object",
+                                            "properties": {
+                                                "id": {"type": "string"},
+                                                "name": {"type": "string"}
+                                            },
+                                            "additionalProperties": False,
+                                        }
+                                    },
+                                    "additionalProperties": False
+                                },
+                                "group": {
+                                    "type": "object",
+                                    "properties": {
+                                        "id": {"type": "string"},
+                                        "name": {"type": "string"}
+                                    },
+                                    "additionalProperties": False,
+                                },
+                                "groups": {
+                                    "type": "string"
+                                },
+                                "group_ids": {
+                                    "type": "string"
+                                },
+                                "domain": {
+                                    "type": "object",
+                                    "properties": {
+                                        "id": {"type": "string"},
+                                        "name": {"type": "string"}
+                                    },
+                                    "additionalProperties": False
+                                }
+                            }
+                        }
                    },
                    "remote": {
                        "minItems": 1,
--- a/keystone/tests/unit/contrib/federation/test_utils.py
+++ b/keystone/tests/unit/contrib/federation/test_utils.py
@ -610,6 +610,12 @@ class MappingRuleEngineTests(unit.BaseTestCase):
        self.assertEqual('Developer',
                         mapped_properties['group_names'][0]['name'])

+    def test_mapping_with_incorrect_local_keys(self):
+        mapping = mapping_fixtures.MAPPING_BAD_LOCAL_SETUP
+        self.assertRaises(exception.ValidationError,
+                          mapping_utils.validate_mapping_structure,
+                          mapping)
+
    def test_type_not_in_assertion(self):
        """Test that if the remote "type" is not in the assertion it fails."""
        mapping = mapping_fixtures.MAPPING_GROUPS_WHITELIST_PASS_THROUGH
--- a/keystone/tests/unit/mapping_fixtures.py
+++ b/keystone/tests/unit/mapping_fixtures.py
@ -1256,6 +1256,27 @@ MAPPING_GROUPS_WHITELIST_PASS_THROUGH = {
    ]
 }

+MAPPING_BAD_LOCAL_SETUP = {
+    "rules": [
+        {
+            "local": [
+                {
+                    "user": {
+                        "name": "{0}",
+                        "domain": {"id": "default"}
+                    },
+                    "whatisthis": "local"
+                }
+            ],
+            "remote": [
+                {
+                    "type": "UserName"
+                }
+            ]
+        }
+    ]
+}
+
 EMPLOYEE_ASSERTION = {
    'Email': 'tim@example.com',
    'UserName': 'tbo',