Fix unscoped federated token formatter

Like in 44c1b3d, the unscoped federated token formatter needs to account for the new user string format too. If it doesn't, the python3 tests may fail. Change-Id: I9529d6bee3e5bb1f618f40f225f69e2ad7e3f64a
2019-04-14 21:34:54 -07:00 · 2019-04-14 21:34:54 -07:00 · 79f468bad6
parent 91daa40e1f
commit 79f468bad6
2 changed files with 40 additions and 0 deletions
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@ -221,6 +221,37 @@ class TestTokenFormatter(unit.TestCase):
            )
            self.assertEqual(encoded_string, encoded_str_with_padding_restored)

+    def test_create_validate_federated_unscoped_token_non_uuid_user_id(self):
+        exp_user_id = hashlib.sha256().hexdigest()
+        exp_methods = ['password']
+        exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
+        exp_audit_ids = [provider.random_urlsafe_str()]
+        exp_federated_group_ids = [{'id': uuid.uuid4().hex}]
+        exp_idp_id = uuid.uuid4().hex
+        exp_protocol_id = uuid.uuid4().hex
+
+        token_formatter = token_formatters.TokenFormatter()
+        token = token_formatter.create_token(user_id=exp_user_id,
+                                             expires_at=exp_expires_at,
+                                             audit_ids=exp_audit_ids,
+                                             payload_class=token_formatters.FederatedUnscopedPayload,
+                                             methods=exp_methods,
+                                             federated_group_ids=exp_federated_group_ids,
+                                             identity_provider_id=exp_idp_id,
+                                             protocol_id=exp_protocol_id)
+
+        (user_id, methods, audit_ids, system, domain_id, project_id, trust_id,
+         federated_group_ids, identity_provider_id, protocol_id,
+         access_token_id, app_cred_id, issued_at, expires_at) = token_formatter.validate_token(token)
+
+        self.assertEqual(exp_user_id, user_id)
+        self.assertTrue(isinstance(user_id, six.string_types))
+        self.assertEqual(exp_methods, methods)
+        self.assertEqual(exp_audit_ids, audit_ids)
+        self.assertEqual(exp_federated_group_ids, federated_group_ids)
+        self.assertEqual(exp_idp_id, identity_provider_id)
+        self.assertEqual(exp_protocol_id, protocol_id)
+
    def test_create_validate_federated_scoped_token_non_uuid_user_id(self):
        exp_user_id = hashlib.sha256().hexdigest()
        exp_methods = ['password']
--- a/keystone/token/token_formatters.py
+++ b/keystone/token/token_formatters.py
@ -558,6 +558,15 @@ class FederatedUnscopedPayload(BasePayload):
        (is_stored_as_bytes, user_id) = payload[0]
        if is_stored_as_bytes:
            user_id = cls.convert_uuid_bytes_to_hex(user_id)
+        else:
+            # NOTE(cmurphy): The user ID of shadowed federated users is no
+            # longer a UUID but a sha256 hash string, and so it should not be
+            # converted to a byte string since it is not a UUID format.
+            # However. on python3 msgpack returns the serialized input as a
+            # byte string anyway. Similar to other msgpack'd values in the
+            # payload, we need to explicitly decode it to a string value.
+            if six.PY3 and isinstance(user_id, six.binary_type):
+                user_id = user_id.decode('utf-8')
        methods = auth_plugins.convert_integer_to_method_list(payload[1])
        group_ids = list(map(cls.unpack_group_id, payload[2]))
        (is_stored_as_bytes, idp_id) = payload[3]