Fix websso auth loop

In bf67b3c8[1] we introduced an error whereby trying to use WebSSO to
authenticate with one protocol would fail with an uncaught HTTP 404 if
an IdP was found that did not use that protocol. This patch fixes the
issue by ensuring that during the search for an IdP that matches the
given protocol, we ignore invalid IdPs.

This is tested by the existing WebSSOTests unit test class simply by
inserting a dummy IdP and protocol combination into the test data during
setup, since the problem arises when the protocol you are *not* trying
to authenticate with is indexed first in the database.

Since the breaking change was not released yet, this bugfix does not
need a release note.

[1] https://review.opendev.org/637305

Change-Id: Id423f8a304abffbe0c7814ab2ab4458e6a403bb1
Closes-bug: #1838592
This commit is contained in:
Colleen Murphy 2019-08-01 12:34:30 -07:00
parent 97d38108d6
commit d8f3ba0429
2 changed files with 17 additions and 2 deletions

@ -336,8 +336,13 @@ class AuthFederationWebSSOResource(_AuthFederationWebSSOBase):
def _perform_auth(cls, protocol_id):
idps = PROVIDERS.federation_api.list_idps()
for idp in idps:
remote_id_name = federation_utils.get_remote_id_parameter(
idp, protocol_id)
try:
remote_id_name = federation_utils.get_remote_id_parameter(
idp, protocol_id)
except exception.FederatedProtocolNotFound:
# no protocol for this IdP, so this can't be the IdP we're
# looking for
continue
remote_id = flask.request.environ.get(remote_id_name)
if remote_id:
break

@ -736,6 +736,11 @@ class FederatedSetupMixin(object):
]
}
# Add unused IdP first so it is indexed first (#1838592)
self.dummy_idp = self.idp_ref()
PROVIDERS.federation_api.create_idp(
self.dummy_idp['id'], self.dummy_idp
)
# Add IDP
self.idp = self.idp_ref(id=self.IDP)
PROVIDERS.federation_api.create_idp(
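Review bot: The comment "Add unused IdP first so it is indexed first" assumes `list_idps()` returns rows in insertion order, which the setup never checks. `self.dummy_idp = self.idp_ref()` takes whatever id `idp_ref()` generates, so on a backend that orders by id or returns rows in arbitrary order the dummy IdP may come after `self.IDP`, and the regression for #1838592 would pass without exercising the fixed branch. Consider making the order deterministic, for example by asserting that the first entry from `list_idps()` is the dummy IdP, or by adding a dedicated test that mocks `list_idps()` to return the dummy first.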
@ -762,6 +767,11 @@ class FederatedSetupMixin(object):
PROVIDERS.federation_api.create_protocol(
self.idp_with_remote['id'], self.proto_saml['id'], self.proto_saml
)
# Add unused protocol to go with unused IdP (#1838592)
self.proto_dummy = self.proto_ref(mapping_id=self.mapping['id'])
PROVIDERS.federation_api.create_protocol(
self.dummy_idp['id'], self.proto_dummy['id'], self.proto_dummy
)
with self.make_request():
self.tokens = {}
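Review bot: Nothing guarantees that `self.proto_dummy['id']` differs from the protocol ids the WebSSO tests authenticate with, since `self.proto_ref(mapping_id=self.mapping['id'])` is called without an explicit id. The dummy IdP only triggers `FederatedProtocolNotFound` while its protocol id is not the one under test, so that requirement should be stated in the comment or enforced with an assertion that it is not equal to `self.proto_saml['id']` and the other protocol ids used. The dummy protocol also reuses `self.mapping['id']`; a short comment that the mapping is irrelevant for an IdP that is never matched would save the next reader from wondering whether that sharing is intentional.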