WebSSO should use remote_id_attribute by protocol
WebSSO always uses the remote_id_attribute from the [federation] group. Fix the issue by consuming the protocol-specific remote_id_attribute if available. Change-Id: Icdc693965ec53e5ff8f1901af26c9232a20aef7e Closes-Bug: #1441827
parent
318d481875
commit
9b11d13856
|
@ -268,7 +268,7 @@ class Auth(auth_controllers.Auth):
|
|||
|
||||
def federated_sso_auth(self, context, protocol_id):
|
||||
try:
|
||||
remote_id_name = CONF.federation.remote_id_attribute
|
||||
remote_id_name = utils.get_remote_id_parameter(protocol_id)
|
||||
remote_id = context['environment'][remote_id_name]
|
||||
except KeyError:
|
||||
msg = _('Missing entity ID from environment')
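Review bot: At L23 `protocol_id` is passed to `utils.get_remote_id_parameter` before anything in the hunk confirms that the protocol is known, and the helper's own NOTE comment (in this commit's utils hunks) says an unregistered protocol ID causes a config option to be registered under that group name. If `protocol_id` is taken from the request path, which the SSO route suggests but the hunk does not show, every distinct value an unauthenticated caller sends would register a new config group, so the lookup should be preceded by a check that the protocol is one the deployment actually has, or the helper should stop registering options for names it has not seen before. The fallback path itself is handled: a helper result of `None` reaches `context['environment'][None]` at L26 and the existing `except KeyError` turns it into the 'Missing entity ID' error, although that message then hides a configuration problem rather than a missing header. federated_sso_auth's body continues outside the hunk.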
|
||||
|
|
|
@ -191,10 +191,7 @@ def validate_groups_cardinality(group_ids, mapping_id):
|
|||
raise exception.MissingGroups(mapping_id=mapping_id)
|
||||
|
||||
|
||||
def validate_idp(idp, protocol, assertion):
|
||||
"""Validate the IdP providing the assertion is registered for the mapping.
|
||||
"""
|
||||
|
||||
def get_remote_id_parameter(protocol):
|
||||
# NOTE(marco-fargetta): Since we support any protocol ID, we attempt to
|
||||
# retrieve the remote_id_attribute of the protocol ID. If it's not
|
||||
# registered in the config, then register the option and try again.
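Review bot: `get_remote_id_parameter` at L59 is a new module-level function whose only documentation is the inline NOTE, and that NOTE is what tells a reader the lookup has a side effect (registering an option for an unknown `protocol` group). Suggest a docstring stating the lookup order — the `[<protocol>]` group's `remote_id_attribute` first, then `[federation]` `remote_id_attribute` as the fallback taken at L96 of the next hunk — that the result may be `None` when neither is set, and that, if registration happens as the NOTE describes, callers should only pass protocol names the deployment recognizes. The function body is split between this hunk and `@@ -210,10 +207,19 @@`; the `except AttributeError: pass` at L75–L78 there silently selects the fallback, and the docstring should say that is intentional so the next reader does not treat it as a swallowed error.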
|
||||
|
@ -210,10 +207,19 @@ def validate_idp(idp, protocol, assertion):
|
|||
except AttributeError:
|
||||
pass
|
||||
if not remote_id_parameter:
|
||||
LOG.debug('Cannot find "remote_id_attibute" in configuration '
|
||||
LOG.debug('Cannot find "remote_id_attribute" in configuration '
|
||||
'group %s. Trying default location in '
|
||||
'group federation.', protocol)
|
||||
remote_id_parameter = CONF.federation.remote_id_attribute
|
||||
|
||||
return remote_id_parameter
|
||||
|
||||
|
||||
def validate_idp(idp, protocol, assertion):
|
||||
"""Validate the IdP providing the assertion is registered for the mapping.
|
||||
"""
|
||||
|
||||
remote_id_parameter = get_remote_id_parameter(protocol)
|
||||
if not remote_id_parameter or not idp['remote_ids']:
|
||||
LOG.debug('Impossible to identify the IdP %s ', idp['id'])
|
||||
# If nothing is defined, the administrator may want to
|
||||
|
|
|
@ -3678,6 +3678,7 @@ class WebSSOTests(FederatedTokenTests):
|
|||
SSO_TEMPLATE_PATH = os.path.join(core.dirs.etc(), SSO_TEMPLATE_NAME)
|
||||
TRUSTED_DASHBOARD = 'http://horizon.com'
|
||||
ORIGIN = urllib.parse.quote_plus(TRUSTED_DASHBOARD)
|
||||
PROTOCOL_REMOTE_ID_ATTR = uuid.uuid4().hex
|
||||
|
||||
def setUp(self):
|
||||
super(WebSSOTests, self).setUp()
|
||||
|
@ -3705,6 +3706,18 @@ class WebSSOTests(FederatedTokenTests):
|
|||
resp = self.api.federated_sso_auth(context, self.PROTOCOL)
|
||||
self.assertIn(self.TRUSTED_DASHBOARD, resp.body)
|
||||
|
||||
def test_federated_sso_auth_with_protocol_specific_remote_id(self):
|
||||
self.config_fixture.config(
|
||||
group=self.PROTOCOL,
|
||||
remote_id_attribute=self.PROTOCOL_REMOTE_ID_ATTR)
|
||||
|
||||
environment = {self.PROTOCOL_REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
|
||||
context = {'environment': environment}
|
||||
query_string = {'origin': self.ORIGIN}
|
||||
self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
|
||||
resp = self.api.federated_sso_auth(context, self.PROTOCOL)
|
||||
self.assertIn(self.TRUSTED_DASHBOARD, resp.body)
|
||||
|
||||
def test_federated_sso_auth_bad_remote_id(self):
|
||||
environment = {self.REMOTE_ID_ATTR: self.IDP}
|
||||
context = {'environment': environment}
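Review bot: The new test at L169 shows that a protocol-specific attribute is accepted, but nothing asserts that it takes precedence over `[federation] remote_id_attribute`: with only `PROTOCOL_REMOTE_ID_ATTR` in the environment the default lookup would fail anyway, so a regression that consulted both attributes would still pass. A companion test that configures `PROTOCOL_REMOTE_ID_ATTR` for the protocol group but places the remote ID under `self.REMOTE_ID_ATTR` in the environment, and then expects the same failure `test_federated_sso_auth_bad_remote_id` at L203 checks, would pin the precedence; that test's assertion is outside the hunk, so mirror whatever it uses. test_federated_sso_auth_bad_remote_id's body continues past the end of the hunk.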
|
||||
|
|