Store groups ids objects list in the OS-FEDERATION object.

When issuing an unscoped federated token, store the groups ids
object inside the OS-FEDERATION object instead of in a standalone
OS-FEDERATION:groups key.

Change-Id: I116466c6eefae674d2245796dfd608b12d5d3e6d
Closes-Bug: #1294150
This commit is contained in:
Marek Denis 2014-03-18 15:39:06 +01:00
parent 69409240ff
commit a680f43904
5 changed files with 35 additions and 6 deletions


@ -58,11 +58,10 @@ class Saml2(auth.AuthMethodHandler):
def _handle_scoped_token(self, auth_payload):
token_ref = self.token_api.get_token(auth_payload['id'])
self._validate_expiration(token_ref)
group_ids = [group['id'] for group in
token_ref['user'][federation.GROUPS]]
_federation = token_ref['user'][federation.FEDERATION]
identity_provider = _federation['identity_provider']['id']
protocol = _federation['protocol']['id']
group_ids = [group['id'] for group in _federation['groups']]
mapping = self.federation_api.get_mapping_from_idp_and_protocol(
identity_provider, protocol)
self._validate_groups(group_ids, mapping['id'])
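Review bot: The new `group_ids = [group['id'] for group in _federation['groups']]` indexes `'groups'` directly, so an unscoped token persisted by the previous release (which kept group ids under the top-level OS-FEDERATION:groups key) will raise KeyError here instead of being rejected as Unauthorized until those tokens expire. Using `_federation.get('groups', [])` and letting `_validate_groups` reject the empty list would turn that into a clean auth failure; I am inferring from the no-groups test in this commit that `_validate_groups` rejects an empty list, so please confirm. The same upgrade window affects `v3_token_to_auth_context` in the policy hunk, which will silently compute an empty `group_ids` for such tokens. `_handle_scoped_token` continues past the end of this hunk.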


@ -18,6 +18,7 @@
import collections
from keystone.contrib import federation
from keystone import exception
from keystone.openstack.common import log
@ -83,7 +84,8 @@ def v3_token_to_auth_context(token):
for role in token_data['roles']:
creds['roles'].append(role['name'])
creds['group_ids'] = [
g['id'] for g in token_data['user'].get('OS-FEDERATION:groups', [])]
g['id'] for g in token_data['user'].get(federation.FEDERATION, {}).get(
'groups', [])]
return creds
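Review bot: The chained `.get(...).get(...)` inside the list comprehension wraps mid-expression and is hard to scan; binding the federation object first, `fed = token_data['user'].get(federation.FEDERATION, {})` followed by `creds['group_ids'] = [g['id'] for g in fed.get('groups', [])]`, reads more clearly. Note that this path silently yields an empty group list when the token carries an OS-FEDERATION object without `'groups'`, whereas the Saml2 scoped-token path in this same commit indexes `_federation['groups']` directly; it is worth deciding deliberately which behaviour is intended and making both paths agree. `v3_token_to_auth_context` starts before this hunk.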


@ -42,7 +42,6 @@ extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
FEDERATION = 'OS-FEDERATION'
GROUPS = 'OS-FEDERATION:groups'
IDENTITY_PROVIDER = 'OS-FEDERATION:identity_provider'
PROTOCOL = 'OS-FEDERATION:protocol'


@ -15,6 +15,7 @@ import uuid
from keystone.auth import controllers as auth_controllers
from keystone.common import dependency
from keystone.common import serializer
from keystone.common import sql
from keystone.common.sql import migration_helpers
from keystone import config
@ -786,6 +787,17 @@ class FederatedTokenTests(FederationTests):
'rules': rules or self.rules['rules']
}
def _assertSerializeToXML(self, json_body):
"""Serialize JSON body to XML.
Serialize JSON body to XML, then deserialize to JSON
again. Expect both JSON dictionaries to be equal.
"""
xml_body = serializer.to_xml(json_body)
json_deserialized = serializer.from_xml(xml_body)
self.assertDictEqual(json_deserialized, json_body)
def _scope_request(self, unscoped_token_id, scope, scope_id):
return {
'auth': {
@ -850,6 +862,23 @@ class FederatedTokenTests(FederationTests):
r = self._issue_unscoped_token()
self.assertIsNotNone(r.headers.get('X-Subject-Token'))
def test_issue_unscoped_token_serialize_to_xml(self):
"""Issue unscoped token and serialize to XML.
Make sure common.serializer doesn't complain about
the response structure and tag names.
"""
r = self._issue_unscoped_token()
token_resp = r.json_body
# Remove 'extras' if empty or None,
# as JSON and XML (de)serializers treat
# them differently, making dictionaries
# comparisions fail.
if not token_resp['token'].get('extras'):
token_resp['token'].pop('extras')
self._assertSerializeToXML(token_resp)
def test_issue_unscoped_token_no_groups(self):
self.assertRaises(exception.Unauthorized,
self._issue_unscoped_token,
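Review bot: Neither new test asserts the structural change this commit makes — that group ids now appear under `token['user']['OS-FEDERATION']['groups']` and no longer under a top-level `OS-FEDERATION:groups` entry; `test_issue_unscoped_token_serialize_to_xml` only checks that the body survives an XML round trip. A direct assertion in the unscoped-token test such as `self.assertIn('groups', token_resp['token']['user']['OS-FEDERATION'])` together with `self.assertNotIn('OS-FEDERATION:groups', token_resp['token']['user'])` would pin the new format. The comment near the end of the hunk misspells "comparisons". `test_issue_unscoped_token_no_groups` continues past the end of this hunk.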


@ -507,9 +507,9 @@ class BaseProvider(provider.Provider):
token_data['user'].update({
federation.FEDERATION: {
'identity_provider': {'id': idp},
'protocol': {'id': protocol}
'protocol': {'id': protocol},
'groups': [{'id': x} for x in group_ids]
},
federation.GROUPS: [{'id': x} for x in group_ids]
})
return token_data
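Review bot: The response format of an unscoped federated token changes here — group ids move from a top-level `OS-FEDERATION:groups` entry into the `OS-FEDERATION` object — which is a user-visible API change the code does not document. A short comment above `token_data['user'].update({`, such as `# Federated attributes (identity_provider, protocol, groups) are nested under the OS-FEDERATION key`, would make the intended shape explicit, and the federation extension's API reference should describe the new layout. The enclosing method starts before this hunk.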