Report correct domain in federated user token
Whatever domain the user actually belonged to, the domain reported in the token was hard-coded to 'Federated' (ignoring the federated_domain_name config option). This patch removes the places where the domain was overwritten, allowing the user's real domain to flow through to the rendered token. It also updates the tests that were asserting the 'Federated' domain. Change-Id: Idad4e077c488d87f75172664fb519232eb78e292 Closes-Bug: 1754048
This commit is contained in:
parent
b357a96ac0
commit
c2be944fb8
@ -121,9 +121,6 @@ def render_token_response_from_model(token, include_catalog=True):
|
|||||||
token_reference['token']['user']['OS-FEDERATION'] = (
|
token_reference['token']['user']['OS-FEDERATION'] = (
|
||||||
federated_dict
|
federated_dict
|
||||||
)
|
)
|
||||||
token_reference['token']['user']['domain'] = {
|
|
||||||
'id': 'Federated', 'name': 'Federated'
|
|
||||||
}
|
|
||||||
del token_reference['token']['user']['password_expires_at']
|
del token_reference['token']['user']['password_expires_at']
|
||||||
if token.access_token_id:
|
if token.access_token_id:
|
||||||
token_reference['token']['OS-OAUTH1'] = {
|
token_reference['token']['OS-OAUTH1'] = {
|
||||||
|
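Review bot: With the `'Federated'` override removed, nothing in this hunk ensures `token_reference['token']['user']['domain']` is actually populated for a federated user — the mapping engine in the second hunk also stops attaching a domain to ephemeral users, so the value now rests entirely on what the shadow-user lookup wrote into the user ref earlier in `render_token_response_from_model`, whose body starts outside this hunk. Because policy enforcement keys on the user's domain id, a silently missing or stale domain here is an authorization defect rather than a cosmetic one. Suggest a comment above the `OS-FEDERATION` assignment, `# Keep the user's real domain (the identity provider's domain for federated users); do not overwrite it here.`, and an explicit failure (an assertion or raised error, whichever this module uses) when the user ref carries no `domain`, so such a token is refused instead of issued.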
@ -591,12 +591,7 @@ class RuleProcessor(object):
|
|||||||
raise exception.ValidationError(msg)
|
raise exception.ValidationError(msg)
|
||||||
|
|
||||||
if user_type is None:
|
if user_type is None:
|
||||||
user_type = user['type'] = UserType.EPHEMERAL
|
user['type'] = UserType.EPHEMERAL
|
||||||
|
|
||||||
if user_type == UserType.EPHEMERAL:
|
|
||||||
user['domain'] = {
|
|
||||||
'id': CONF.federation.federated_domain_name
|
|
||||||
}
|
|
||||||
|
|
||||||
# initialize the group_ids as a set to eliminate duplicates
|
# initialize the group_ids as a set to eliminate duplicates
|
||||||
user = {}
|
user = {}
|
||||||
|
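Review bot: Dropping the `user_type =` half of the old chained assignment at `user['type'] = UserType.EPHEMERAL` leaves the local `user_type` as `None` for the rest of the method; the enclosing method starts and ends outside this hunk, so if any later code compares `user_type` (as the removed `if user_type == UserType.EPHEMERAL:` branch did) it will now take the wrong path. If nothing after this point reads it, say so with `# user_type stays None here; only user['type'] is consulted from now on`, otherwise keep `user_type = user['type'] = UserType.EPHEMERAL`. A short comment is also warranted that the mapping deliberately no longer assigns a domain to ephemeral users and that the identity provider's domain is expected to be attached when the shadow user is resolved — that is the authorization-relevant part of this commit and is otherwise invisible at this site.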
@ -44,19 +44,18 @@ class MappingRuleEngineTests(unit.BaseTestCase):
|
|||||||
"""Check whether mapped properties object has 'user' within.
|
"""Check whether mapped properties object has 'user' within.
|
||||||
|
|
||||||
According to today's rules, RuleProcessor does not have to issue user's
|
According to today's rules, RuleProcessor does not have to issue user's
|
||||||
id or name. What's actually required is user's type and for ephemeral
|
id or name. What's actually required is user's type.
|
||||||
users that would be service domain named 'Federated'.
|
|
||||||
"""
|
"""
|
||||||
self.assertIn('user', mapped_properties,
|
self.assertIn('user', mapped_properties,
|
||||||
message='Missing user object in mapped properties')
|
message='Missing user object in mapped properties')
|
||||||
user = mapped_properties['user']
|
user = mapped_properties['user']
|
||||||
self.assertIn('type', user)
|
self.assertIn('type', user)
|
||||||
self.assertEqual(user_type, user['type'])
|
self.assertEqual(user_type, user['type'])
|
||||||
self.assertIn('domain', user)
|
|
||||||
domain = user['domain']
|
if domain_id:
|
||||||
domain_name_or_id = domain.get('id') or domain.get('name')
|
domain = user['domain']
|
||||||
domain_ref = domain_id or 'Federated'
|
domain_name_or_id = domain.get('id') or domain.get('name')
|
||||||
self.assertEqual(domain_ref, domain_name_or_id)
|
self.assertEqual(domain_id, domain_name_or_id)
|
||||||
|
|
||||||
def test_rule_engine_any_one_of_and_direct_mapping(self):
|
def test_rule_engine_any_one_of_and_direct_mapping(self):
|
||||||
"""Should return user's name and group id EMPLOYEE_GROUP_ID.
|
"""Should return user's name and group id EMPLOYEE_GROUP_ID.
|
||||||
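Review bot: Dropping `self.assertIn('domain', user)` means a missing domain now surfaces as a `KeyError` on `domain = user['domain']` instead of an assertion failure, and when `domain_id` is falsy the helper no longer checks the domain at all. Keep the membership assertion inside the branch, `self.assertIn('domain', user)` just before `domain = user['domain']`, so the failure message names the missing key. If callers omit `domain_id` only for ephemeral users, an `else: self.assertNotIn('domain', user)` would also pin the new behaviour that the mapping no longer assigns them a domain — whether every caller fits that pattern is not visible in this hunk. The docstring should note that `domain_id` is optional and only checked when given.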
@ -912,7 +911,6 @@ class TestMappingLocals(unit.BaseTestCase):
|
|||||||
expected = {
|
expected = {
|
||||||
'user': {
|
'user': {
|
||||||
'name': 'a_user',
|
'name': 'a_user',
|
||||||
'domain': {'id': 'Federated'},
|
|
||||||
'type': 'ephemeral'
|
'type': 'ephemeral'
|
||||||
},
|
},
|
||||||
'projects': [],
|
'projects': [],
|
||||||
@ -930,7 +928,6 @@ class TestMappingLocals(unit.BaseTestCase):
|
|||||||
expected = {
|
expected = {
|
||||||
'user': {
|
'user': {
|
||||||
'name': 'test_a_user',
|
'name': 'test_a_user',
|
||||||
'domain': {'id': 'Federated'},
|
|
||||||
'type': 'ephemeral'
|
'type': 'ephemeral'
|
||||||
},
|
},
|
||||||
'projects': [],
|
'projects': [],
|
||||||
|
@ -1798,9 +1798,6 @@ class TestMappingEngineTester(unit.BaseTestCase):
|
|||||||
"group_names": [],
|
"group_names": [],
|
||||||
"user": {
|
"user": {
|
||||||
"type": "ephemeral",
|
"type": "ephemeral",
|
||||||
"domain": {
|
|
||||||
"id": "Federated"
|
|
||||||
},
|
|
||||||
"name": "me"
|
"name": "me"
|
||||||
},
|
},
|
||||||
"projects": [],
|
"projects": [],
|
||||||
|
@ -84,8 +84,9 @@ class FederatedSetupMixin(object):
|
|||||||
}
|
}
|
||||||
|
|
||||||
def _check_domains_are_valid(self, token):
|
def _check_domains_are_valid(self, token):
|
||||||
self.assertEqual('Federated', token['user']['domain']['id'])
|
domain = PROVIDERS.resource_api.get_domain(self.idp['domain_id'])
|
||||||
self.assertEqual('Federated', token['user']['domain']['name'])
|
self.assertEqual(domain['id'], token['user']['domain']['id'])
|
||||||
|
self.assertEqual(domain['name'], token['user']['domain']['name'])
|
||||||
|
|
||||||
def _project(self, project):
|
def _project(self, project):
|
||||||
return (project['id'], project['name'])
|
return (project['id'], project['name'])
|
||||||
|
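Review bot: `_check_domains_are_valid` now derives the expected domain from `self.idp['domain_id']`, which makes the assertion only as strong as the fixture: if the test identity provider is created in a domain whose id or name happens to be `'Federated'`, the regression this commit fixes would pass unnoticed. Adding `self.assertNotEqual('Federated', token['user']['domain']['id'])` pins the bug itself, and a one-line docstring such as `"""Assert the token carries the identity provider's domain, not a hard-coded one."""` records the intent. How the fixture's domain is named is outside this hunk.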
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1754048 <https://bugs.launchpad.net/keystone/+bug/1754048>`_]
|
||||||
|
The correct user domain is now reported when validating a federated token.
|
||||||
|
Previously, the domain would always be validated as "Federated."
|