Browse Source

Report correct domain in federated user token

Regardless of what domain the user was in, the domain reported in
the token would be hardcoded to 'Federated' (regardless of the
federated_domain_name config option).

This patch removes the places where the domain was overwritten,
and allows the correct domain to flow to the rendered token.
It also updates the tests where it was being checked for
the 'Federated' domain.

Change-Id: Idad4e077c488d87f75172664fb519232eb78e292
Closes-Bug: 1754048
changes/68/653068/4
Kristi Nikolla 2 years ago
parent
commit
c2be944fb8
6 changed files with 16 additions and 23 deletions
  1. +0
    -3
      keystone/common/render_token.py
  2. +1
    -6
      keystone/federation/utils.py
  3. +6
    -9
      keystone/tests/unit/contrib/federation/test_utils.py
  4. +0
    -3
      keystone/tests/unit/test_cli.py
  5. +3
    -2
      keystone/tests/unit/test_v3_federation.py
  6. +6
    -0
      releasenotes/notes/bug-1754048-correct-federated-domain-47cb889d88d7770a.yaml

+ 0
- 3
keystone/common/render_token.py View File

@ -121,9 +121,6 @@ def render_token_response_from_model(token, include_catalog=True):
token_reference['token']['user']['OS-FEDERATION'] = (
federated_dict
)
token_reference['token']['user']['domain'] = {
'id': 'Federated', 'name': 'Federated'
}
del token_reference['token']['user']['password_expires_at']
if token.access_token_id:
token_reference['token']['OS-OAUTH1'] = {


+ 1
- 6
keystone/federation/utils.py View File

@ -591,12 +591,7 @@ class RuleProcessor(object):
raise exception.ValidationError(msg)
if user_type is None:
user_type = user['type'] = UserType.EPHEMERAL
if user_type == UserType.EPHEMERAL:
user['domain'] = {
'id': CONF.federation.federated_domain_name
}
user['type'] = UserType.EPHEMERAL
# initialize the group_ids as a set to eliminate duplicates
user = {}


+ 6
- 9
keystone/tests/unit/contrib/federation/test_utils.py View File

@ -44,19 +44,18 @@ class MappingRuleEngineTests(unit.BaseTestCase):
"""Check whether mapped properties object has 'user' within.
According to today's rules, RuleProcessor does not have to issue user's
id or name. What's actually required is user's type and for ephemeral
users that would be service domain named 'Federated'.
id or name. What's actually required is user's type.
"""
self.assertIn('user', mapped_properties,
message='Missing user object in mapped properties')
user = mapped_properties['user']
self.assertIn('type', user)
self.assertEqual(user_type, user['type'])
self.assertIn('domain', user)
domain = user['domain']
domain_name_or_id = domain.get('id') or domain.get('name')
domain_ref = domain_id or 'Federated'
self.assertEqual(domain_ref, domain_name_or_id)
if domain_id:
domain = user['domain']
domain_name_or_id = domain.get('id') or domain.get('name')
self.assertEqual(domain_id, domain_name_or_id)
def test_rule_engine_any_one_of_and_direct_mapping(self):
"""Should return user's name and group id EMPLOYEE_GROUP_ID.
@ -912,7 +911,6 @@ class TestMappingLocals(unit.BaseTestCase):
expected = {
'user': {
'name': 'a_user',
'domain': {'id': 'Federated'},
'type': 'ephemeral'
},
'projects': [],
@ -930,7 +928,6 @@ class TestMappingLocals(unit.BaseTestCase):
expected = {
'user': {
'name': 'test_a_user',
'domain': {'id': 'Federated'},
'type': 'ephemeral'
},
'projects': [],


+ 0
- 3
keystone/tests/unit/test_cli.py View File

@ -1798,9 +1798,6 @@ class TestMappingEngineTester(unit.BaseTestCase):
"group_names": [],
"user": {
"type": "ephemeral",
"domain": {
"id": "Federated"
},
"name": "me"
},
"projects": [],


+ 3
- 2
keystone/tests/unit/test_v3_federation.py View File

@ -84,8 +84,9 @@ class FederatedSetupMixin(object):
}
def _check_domains_are_valid(self, token):
self.assertEqual('Federated', token['user']['domain']['id'])
self.assertEqual('Federated', token['user']['domain']['name'])
domain = PROVIDERS.resource_api.get_domain(self.idp['domain_id'])
self.assertEqual(domain['id'], token['user']['domain']['id'])
self.assertEqual(domain['name'], token['user']['domain']['name'])
def _project(self, project):
return (project['id'], project['name'])


+ 6
- 0
releasenotes/notes/bug-1754048-correct-federated-domain-47cb889d88d7770a.yaml View File

@ -0,0 +1,6 @@
---
fixes:
- |
[`bug 1754048 <https://bugs.launchpad.net/keystone/+bug/1754048>`_]
The correct user domain is now reported when validating a federated token.
Previously, the domain would always be validated as "Federated."

Loading…
Cancel
Save