Store groups ids objects list in the OS-FEDERATION object.
When issuing an unscoped federated token, store the group ids object inside the OS-FEDERATION object instead of as a standalone OS-FEDERATION:groups key. Change-Id: I116466c6eefae674d2245796dfd608b12d5d3e6d Closes-Bug: #1294150
parent
69409240ff
commit
a680f43904
|
@ -58,11 +58,10 @@ class Saml2(auth.AuthMethodHandler):
|
|||
def _handle_scoped_token(self, auth_payload):
|
||||
token_ref = self.token_api.get_token(auth_payload['id'])
|
||||
self._validate_expiration(token_ref)
|
||||
group_ids = [group['id'] for group in
|
||||
token_ref['user'][federation.GROUPS]]
|
||||
_federation = token_ref['user'][federation.FEDERATION]
|
||||
identity_provider = _federation['identity_provider']['id']
|
||||
protocol = _federation['protocol']['id']
|
||||
group_ids = [group['id'] for group in _federation['groups']]
|
||||
mapping = self.federation_api.get_mapping_from_idp_and_protocol(
|
||||
identity_provider, protocol)
|
||||
self._validate_groups(group_ids, mapping['id'])
|
||||
|
|
|
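Review bot: `_federation['groups']` on the new `group_ids` line raises KeyError for any still-valid unscoped token that was issued before this change, because such tokens carry the groups under the old top-level `OS-FEDERATION:groups` key (the layout the provider hunk at the end of this commit stops writing) rather than under `OS-FEDERATION`; `token_ref['user'][federation.FEDERATION]` has the same failure for a non-federated token id submitted to this plugin, though that case predates the commit. An unhandled KeyError surfaces as a server error instead of the rejection the caller should receive, so read the nested dict with `.get` the way `v3_token_to_auth_context` does and fail closed: `groups = _federation.get('groups')` followed by `if groups is None: raise exception.Unauthorized(...)`, assuming the module imports `exception` as the other files in this commit do. The leading underscore on the local `_federation` is also unusual for a local name; `fed_info` reads better. `_handle_scoped_token` continues past the end of the hunk.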
@ -18,6 +18,7 @@
|
|||
|
||||
import collections
|
||||
|
||||
from keystone.contrib import federation
|
||||
from keystone import exception
|
||||
from keystone.openstack.common import log
|
||||
|
||||
|
@ -83,7 +84,8 @@ def v3_token_to_auth_context(token):
|
|||
for role in token_data['roles']:
|
||||
creds['roles'].append(role['name'])
|
||||
creds['group_ids'] = [
|
||||
g['id'] for g in token_data['user'].get('OS-FEDERATION:groups', [])]
|
||||
g['id'] for g in token_data['user'].get(federation.FEDERATION, {}).get(
|
||||
'groups', [])]
|
||||
return creds
|
||||
|
||||
|
||||
|
|
|
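Review bot: The new `creds['group_ids']` comprehension chains two `.get` calls across a line break, which is hard to scan; pulling the federation dict into a local first, `fed = token_data['user'].get(federation.FEDERATION, {})` and then `creds['group_ids'] = [g['id'] for g in fed.get('groups', [])]`, reads more easily and mirrors the local used in the Saml2 plugin. Defaulting to `{}` and `[]` here is the right choice for a function that also sees non-federated tokens. `v3_token_to_auth_context` begins before the hunk.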
@ -42,7 +42,6 @@ extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
|
|||
extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
|
||||
|
||||
FEDERATION = 'OS-FEDERATION'
|
||||
GROUPS = 'OS-FEDERATION:groups'
|
||||
IDENTITY_PROVIDER = 'OS-FEDERATION:identity_provider'
|
||||
PROTOCOL = 'OS-FEDERATION:protocol'
|
||||
|
||||
|
|
|
@ -15,6 +15,7 @@ import uuid
|
|||
|
||||
from keystone.auth import controllers as auth_controllers
|
||||
from keystone.common import dependency
|
||||
from keystone.common import serializer
|
||||
from keystone.common import sql
|
||||
from keystone.common.sql import migration_helpers
|
||||
from keystone import config
|
||||
|
@ -786,6 +787,17 @@ class FederatedTokenTests(FederationTests):
|
|||
'rules': rules or self.rules['rules']
|
||||
}
|
||||
|
||||
def _assertSerializeToXML(self, json_body):
|
||||
"""Serialize JSON body to XML.
|
||||
|
||||
Serialize JSON body to XML, then deserialize to JSON
|
||||
again. Expect both JSON dictionaries to be equal.
|
||||
|
||||
"""
|
||||
xml_body = serializer.to_xml(json_body)
|
||||
json_deserialized = serializer.from_xml(xml_body)
|
||||
self.assertDictEqual(json_deserialized, json_body)
|
||||
|
||||
def _scope_request(self, unscoped_token_id, scope, scope_id):
|
||||
return {
|
||||
'auth': {
|
||||
|
@ -850,6 +862,23 @@ class FederatedTokenTests(FederationTests):
|
|||
r = self._issue_unscoped_token()
|
||||
self.assertIsNotNone(r.headers.get('X-Subject-Token'))
|
||||
|
||||
def test_issue_unscoped_token_serialize_to_xml(self):
|
||||
"""Issue unscoped token and serialize to XML.
|
||||
|
||||
Make sure common.serializer doesn't complain about
|
||||
the response structure and tag names.
|
||||
|
||||
"""
|
||||
r = self._issue_unscoped_token()
|
||||
token_resp = r.json_body
|
||||
# Remove 'extras' if empty or None,
|
||||
# as JSON and XML (de)serializers treat
|
||||
# them differently, making dictionaries
|
||||
# comparisions fail.
|
||||
if not token_resp['token'].get('extras'):
|
||||
token_resp['token'].pop('extras')
|
||||
self._assertSerializeToXML(token_resp)
|
||||
|
||||
def test_issue_unscoped_token_no_groups(self):
|
||||
self.assertRaises(exception.Unauthorized,
|
||||
self._issue_unscoped_token,
|
||||
|
|
|
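Review bot: `token_resp['token'].pop('extras')` raises KeyError when the response carries no `extras` key at all, because the preceding `.get('extras')` returns None for a missing key and the branch is then taken; use `token_resp['token'].pop('extras', None)` so the test fails only on serialization problems. The comment above it also misspells "comparisons" as `comparisions`. Since `extras` is removed before the round-trip, the test never checks how that key itself serializes, which the comment should state explicitly, e.g. `# 'extras' is excluded from the round-trip check and not verified here.`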
@ -507,9 +507,9 @@ class BaseProvider(provider.Provider):
|
|||
token_data['user'].update({
|
||||
federation.FEDERATION: {
|
||||
'identity_provider': {'id': idp},
|
||||
'protocol': {'id': protocol}
|
||||
'protocol': {'id': protocol},
|
||||
'groups': [{'id': x} for x in group_ids]
|
||||
},
|
||||
federation.GROUPS: [{'id': x} for x in group_ids]
|
||||
})
|
||||
return token_data
|
||||
|
||||
|
|
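Review bot: The nested dict written here is the only place that defines the federated token's user layout, yet two readers touched by this commit (`_handle_scoped_token` in the Saml2 plugin and `v3_token_to_auth_context`) hard-code its keys with no shared reference; a short comment on the `token_data['user'].update({` line documenting the shape would keep them in step, e.g. `# Federated user layout read by the Saml2 auth plugin and auth_context:` followed by `# OS-FEDERATION: {identity_provider: {id}, protocol: {id}, groups: [{id}, ...]}`. The enclosing method starts before the hunk.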