From 503882cb8c251cc948d50d07083666df439bf215 Mon Sep 17 00:00:00 2001 From: wangxiyuan Date: Mon, 6 Nov 2017 11:58:56 +0800 Subject: [PATCH] Fix 500 error when authenticate with "mapped" When authenticate with "mapped" method, if users forget to add "identity_provider" or "protocol" keypair, keystone will raise 500 error. In this case, keystone should raise 400 error(ValidationError). Change-Id: I85feb078b7fb2a5b091407fa69db7409a9c75199 Closes-bug: #1730270 --- keystone/auth/plugins/mapped.py | 12 ++++++++++-- keystone/tests/unit/test_auth_plugin.py | 19 +++++++++++++++++++ 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/keystone/auth/plugins/mapped.py b/keystone/auth/plugins/mapped.py index 51504bc1de..17a5147076 100644 --- a/keystone/auth/plugins/mapped.py +++ b/keystone/auth/plugins/mapped.py @@ -202,8 +202,16 @@ def handle_unscoped_token(request, auth_payload, resource_api, federation_api, return resp assertion = extract_assertion_data(request) - identity_provider = auth_payload['identity_provider'] - protocol = auth_payload['protocol'] + try: + identity_provider = auth_payload['identity_provider'] + except KeyError: + raise exception.ValidationError( + attribute='identity_provider', target='mapped') + try: + protocol = auth_payload['protocol'] + except KeyError: + raise exception.ValidationError( + attribute='protocol', target='mapped') utils.assert_enabled_identity_provider(federation_api, identity_provider) diff --git a/keystone/tests/unit/test_auth_plugin.py b/keystone/tests/unit/test_auth_plugin.py index ca29ae1017..bcae1b90b2 100644 --- a/keystone/tests/unit/test_auth_plugin.py +++ b/keystone/tests/unit/test_auth_plugin.py @@ -18,6 +18,7 @@ import mock from keystone import auth from keystone.auth.plugins import base +from keystone.auth.plugins import mapped from keystone import exception from keystone.tests import unit from keystone.tests.unit.ksfixtures import auth_plugins 
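Review bot: In the keystone/auth/plugins/mapped.py hunk, the two new try/except blocks only catch a missing key, so a value that is present but null or empty still flows into `utils.assert_enabled_identity_provider(federation_api, identity_provider)` and the code after it. Going by the commit message, `auth_payload` is supplied by the caller of the auth API, so at least those cases should get the same 400, e.g. `identity_provider = auth_payload.get('identity_provider')` followed by `if not identity_provider: raise exception.ValidationError(attribute='identity_provider', target='mapped')`, and likewise for `protocol`. Whether a non-string value or a non-dict payload can reach this point depends on schema validation that is not visible here; if it can, it would presumably still surface as a 500. handle_unscoped_token starts and ends outside the hunk.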
@@ -189,6 +190,24 @@ class TestMapped(unit.TestCase): kwargs) = authenticate.call_args self.assertEqual(method_name, auth_payload['protocol']) + def test_mapped_without_identity_provider_or_protocol(self): + test_mapped = mapped.Mapped() + test_mapped.resource_api = mock.Mock() + test_mapped.federation_api = mock.Mock() + test_mapped.identity_api = mock.Mock() + test_mapped.assignment_api = mock.Mock() + test_mapped.role_api = mock.Mock() + + request = self.make_request() + + auth_payload = {'identity_provider': 'test_provider'} + self.assertRaises(exception.ValidationError, test_mapped.authenticate, + request, auth_payload) + + auth_payload = {'protocol': 'saml2'} + self.assertRaises(exception.ValidationError, test_mapped.authenticate, + request, auth_payload) + def test_supporting_multiple_methods(self): method_names = ('saml2', 'openid', 'x509', 'mapped') self.useFixture(auth_plugins.LoadAuthPlugins(*method_names))
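Review bot: Both `assertRaises` calls in test_mapped_without_identity_provider_or_protocol check only the exception type, so the test would also pass if `ValidationError` were raised for some other reason before the new checks are reached. Asserting on the reported attribute would tie each case to the check it is meant to cover. A case for a payload with neither key is also missing: `self.assertRaises(exception.ValidationError, test_mapped.authenticate, request, {})`. A one-line docstring such as `"""Missing identity_provider or protocol must yield a 400, not a 500."""` would record why the test exists. The enclosing TestMapped class starts outside the hunk.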