From 4b3ae4c9871a7e65dffe260c9e4d3b147b29f7e3 Mon Sep 17 00:00:00 2001
From: Rodrigo Duarte Sousa
Date: Fri, 21 Nov 2014 16:34:57 -0300
Subject: [PATCH] Fixes create_saml_assertion() return

The create_saml_assertion() method only accepts project scoped tokens. When using a domain scoped one it should return 403 correctly informing the caller about this requirenment.

Change-Id: I1223f284a84dee05e4a3907e04345497e5f767c1
Closes-Bug: 1395117
---
 keystone/contrib/federation/controllers.py | 10 +++++-----
 keystone/tests/test_v3_federation.py | 6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/keystone/contrib/federation/controllers.py b/keystone/contrib/federation/controllers.py
index 044d5c1189..159118c1e5 100644
--- a/keystone/contrib/federation/controllers.py
+++ b/keystone/contrib/federation/controllers.py
@@ -274,12 +274,12 @@ class Auth(auth_controllers.Auth):
 subject = token_ref.user_name
 roles = token_ref.role_names
- if token_ref.project_scoped:
- project = token_ref.project_name
- else:
- raise ValueError(_('Use a project scoped token when attempting to'
- 'create a SAML assertion'))
+ if not token_ref.project_scoped:
+ action = _('Use a project scoped token when attempting to create '
+ 'a SAML assertion')
+ raise exception.ForbiddenAction(action=action)
+ project = token_ref.project_name
 generator = keystone_idp.SAMLGenerator()
 response = generator.samlize_token(issuer, recipient, subject, roles, project)
diff --git a/keystone/tests/test_v3_federation.py b/keystone/tests/test_v3_federation.py
index 28dfb1d06e..9d4ab49fbd 100644
--- a/keystone/tests/test_v3_federation.py
+++ b/keystone/tests/test_v3_federation.py
@@ -1878,6 +1878,8 @@ class SAMLGenerationTests(FederationTests):
 """Test that the SAML generation fails when passing tokens not scoped by project.
+ The server should return a 403 Forbidden Action.
+
 """
 self.config_fixture.config(group='saml', idp_entity_id=self.ISSUER)
 region_id = self._create_region_with_url()
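Review bot: The new 403 path is not reflected in the caller-facing contract of create_saml_assertion, whose docstring (if it has one) sits above this hunk; consider stating there `:raises keystone.exception.ForbiddenAction: if the token is not project scoped` so API consumers know that domain-scoped and unscoped tokens are rejected by design rather than by accident. The text handed to `action=` reads as advice rather than as the name of the denied action, so if ForbiddenAction formats it into a "not authorized to perform the requested action: ..." message the response will read awkwardly; something like `action=_('create a SAML assertion with a token that is not project scoped')` would fit that template. The hunk does not show an import of `exception`; if the module does not already import `keystone.exception`, the new raise would itself produce a NameError and thus the very 500 this change is meant to remove. The enclosing method begins outside the hunk.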
@@ -1886,10 +1888,8 @@ class SAMLGenerationTests(FederationTests):
 with mock.patch.object(keystone_idp, '_sign_assertion', return_value=self.signed_assertion):
- # NOTE(rodrigods): currently, sending a request using a domain
- # scoped token returns 500 due bug #1395117
 self.post(self.SAML_GENERATION_ROUTE, body=body,
- expected_status=500)
+ expected_status=403)
 def test_generate_saml_route(self):
 """Test that the SAML generation endpoint produces XML.
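Review bot: The test now pins only the 403 status, which confirms the rejection but not that it happens before any assertion is built; binding the patch with `... return_value=self.signed_assertion) as sign_assertion:` and adding `self.assertFalse(sign_assertion.called)` after the post would show that `_sign_assertion` is never reached with a domain-scoped token. The controller check rejects every token that is not project scoped, so an unscoped-token sibling of this test would cover the other case the 403 now guards. The enclosing test method begins outside the hunk.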