WebSSO should use remote_id_attribute by protocol

WebSSO always use the remote_id_attribute from the [federation] group. Fix the issue, by consuming the protocol specific remote_id_attribute if available. Change-Id: Icdc693965ec53e5ff8f1901af26c9232a20aef7e Closes-Bug: #1441827
2015-04-08 17:03:23 -07:00 · 2015-04-08 17:03:23 -07:00 · 9b11d13856
parent 318d481875
commit 9b11d13856
3 changed files with 25 additions and 6 deletions
--- a/keystone/contrib/federation/controllers.py
+++ b/keystone/contrib/federation/controllers.py
@ -268,7 +268,7 @@ class Auth(auth_controllers.Auth):

    def federated_sso_auth(self, context, protocol_id):
        try:
-            remote_id_name = CONF.federation.remote_id_attribute
+            remote_id_name = utils.get_remote_id_parameter(protocol_id)
            remote_id = context['environment'][remote_id_name]
        except KeyError:
            msg = _('Missing entity ID from environment')
--- a/keystone/contrib/federation/utils.py
+++ b/keystone/contrib/federation/utils.py
@ -191,10 +191,7 @@ def validate_groups_cardinality(group_ids, mapping_id):
        raise exception.MissingGroups(mapping_id=mapping_id)


-def validate_idp(idp, protocol, assertion):
-    """Validate the IdP providing the assertion is registered for the mapping.
-    """
-
+def get_remote_id_parameter(protocol):
    # NOTE(marco-fargetta): Since we support any protocol ID, we attempt to
    # retrieve the remote_id_attribute of the protocol ID. If it's not
    # registered in the config, then register the option and try again.
@ -210,10 +207,19 @@ def validate_idp(idp, protocol, assertion):
        except AttributeError:
            pass
    if not remote_id_parameter:
-        LOG.debug('Cannot find "remote_id_attibute" in configuration '
+        LOG.debug('Cannot find "remote_id_attribute" in configuration '
                  'group %s. Trying default location in '
                  'group federation.', protocol)
        remote_id_parameter = CONF.federation.remote_id_attribute
+
+    return remote_id_parameter
+
+
+def validate_idp(idp, protocol, assertion):
+    """Validate the IdP providing the assertion is registered for the mapping.
+    """
+
+    remote_id_parameter = get_remote_id_parameter(protocol)
    if not remote_id_parameter or not idp['remote_ids']:
        LOG.debug('Impossible to identify the IdP %s ', idp['id'])
        # If nothing is defined, the administrator may want to
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@ -3678,6 +3678,7 @@ class WebSSOTests(FederatedTokenTests):
    SSO_TEMPLATE_PATH = os.path.join(core.dirs.etc(), SSO_TEMPLATE_NAME)
    TRUSTED_DASHBOARD = 'http://horizon.com'
    ORIGIN = urllib.parse.quote_plus(TRUSTED_DASHBOARD)
+    PROTOCOL_REMOTE_ID_ATTR = uuid.uuid4().hex

    def setUp(self):
        super(WebSSOTests, self).setUp()
@ -3705,6 +3706,18 @@ class WebSSOTests(FederatedTokenTests):
        resp = self.api.federated_sso_auth(context, self.PROTOCOL)
        self.assertIn(self.TRUSTED_DASHBOARD, resp.body)

+    def test_federated_sso_auth_with_protocol_specific_remote_id(self):
+        self.config_fixture.config(
+            group=self.PROTOCOL,
+            remote_id_attribute=self.PROTOCOL_REMOTE_ID_ATTR)
+
+        environment = {self.PROTOCOL_REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
+        context = {'environment': environment}
+        query_string = {'origin': self.ORIGIN}
+        self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
+        resp = self.api.federated_sso_auth(context, self.PROTOCOL)
+        self.assertIn(self.TRUSTED_DASHBOARD, resp.body)
+
    def test_federated_sso_auth_bad_remote_id(self):
        environment = {self.REMOTE_ID_ATTR: self.IDP}
        context = {'environment': environment}