Merge "Convert user_id back to string"

2019-04-09 15:54:42 +00:00 · 2019-04-09 15:54:42 +00:00 · 3647671516
parent 6d306d936a 44c1b3d284
commit 3647671516
2 changed files with 43 additions and 0 deletions
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@ -221,6 +221,40 @@ class TestTokenFormatter(unit.TestCase):
            )
            self.assertEqual(encoded_string, encoded_str_with_padding_restored)

+    def test_create_validate_federated_scoped_token_non_uuid_user_id(self):
+        exp_user_id = hashlib.sha256().hexdigest()
+        exp_methods = ['password']
+        exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
+        exp_audit_ids = [provider.random_urlsafe_str()]
+        exp_federated_group_ids = [{'id': uuid.uuid4().hex}]
+        exp_idp_id = uuid.uuid4().hex
+        exp_protocol_id = uuid.uuid4().hex
+        exp_project_id = uuid.uuid4().hex
+
+        token_formatter = token_formatters.TokenFormatter()
+        token = token_formatter.create_token(user_id=exp_user_id,
+                                             expires_at=exp_expires_at,
+                                             audit_ids=exp_audit_ids,
+                                             payload_class=token_formatters.FederatedProjectScopedPayload,
+                                             methods=exp_methods,
+                                             federated_group_ids=exp_federated_group_ids,
+                                             identity_provider_id=exp_idp_id,
+                                             protocol_id=exp_protocol_id,
+                                             project_id=exp_project_id)
+
+        (user_id, methods, audit_ids, system, domain_id, project_id, trust_id,
+         federated_group_ids, identity_provider_id, protocol_id,
+         access_token_id, app_cred_id, issued_at, expires_at) = token_formatter.validate_token(token)
+
+        self.assertEqual(exp_user_id, user_id)
+        self.assertTrue(isinstance(user_id, six.string_types))
+        self.assertEqual(exp_methods, methods)
+        self.assertEqual(exp_audit_ids, audit_ids)
+        self.assertEqual(exp_project_id, project_id)
+        self.assertEqual(exp_federated_group_ids, federated_group_ids)
+        self.assertEqual(exp_idp_id, identity_provider_id)
+        self.assertEqual(exp_protocol_id, protocol_id)
+

 class TestPayloads(unit.TestCase):
    def assertTimestampsEqual(self, expected, actual):
--- a/keystone/token/token_formatters.py
+++ b/keystone/token/token_formatters.py
@ -607,6 +607,15 @@ class FederatedScopedPayload(FederatedUnscopedPayload):
        (is_stored_as_bytes, user_id) = payload[0]
        if is_stored_as_bytes:
            user_id = cls.convert_uuid_bytes_to_hex(user_id)
+        else:
+            # NOTE(cmurphy): The user ID of shadowed federated users is no
+            # longer a UUID but a sha256 hash string, and so it should not be
+            # converted to a byte string since it is not a UUID format.
+            # However. on python3 msgpack returns the serialized input as a
+            # byte string anyway. Similar to other msgpack'd values in the
+            # payload, we need to explicitly decode it to a string value.
+            if six.PY3 and isinstance(user_id, six.binary_type):
+                user_id = user_id.decode('utf-8')
        methods = auth_plugins.convert_integer_to_method_list(payload[1])
        (is_stored_as_bytes, scope_id) = payload[2]
        if is_stored_as_bytes: