Fix token auth error if federated_groups_id is empty list

`federation_group_ids` could be zero length list, so deciding whether a token is federated by checking if it is none. Change-Id: I0f4b9e24d949aa4838ee721a165999b29c684d32 Closes-Bug: #1856962
2019-12-19 13:38:32 +08:00 · 2019-12-19 13:38:32 +08:00 · f0d964e666
commit f0d964e666
parent 326b014434
3 changed files with 28 additions and 3 deletions
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@ -93,7 +93,7 @@ class TestValidate(unit.TestCase):
            user_ref['password_expires_at'], token.user['password_expires_at']
        )

-    def test_validate_v3_token_federated_info(self):
+    def _test_validate_v3_token_federted_info(self, group_ids):
        # Check the user fields in the token result when use validate_v3_token
        # when the token has federated info.

@ -107,7 +107,6 @@ class TestValidate(unit.TestCase):

        method_names = ['mapped']

-        group_ids = [uuid.uuid4().hex, ]
        idp_id = uuid.uuid4().hex
        idp_ref = {
            'id': idp_id,
@ -137,6 +136,18 @@ class TestValidate(unit.TestCase):
        self.assertEqual(idp_id, token.identity_provider_id)
        self.assertEqual(protocol, token.protocol_id)

+    def test_validate_v3_token_federated_info(self):
+        # Check the user fields in the token result when use validate_v3_token
+        # when the token has federated info.
+
+        group_ids = [uuid.uuid4().hex, ]
+        self._test_validate_v3_token_federted_info(group_ids)
+
+    def test_validate_v3_token_federated_info_empty_group(self):
+        # check when federated users got empty group ids
+
+        self._test_validate_v3_token_federted_info([])
+
    def test_validate_v3_token_trust(self):
        # Check the trust fields in the token result when use validate_v3_token
        # when the token has trust info.
@ -201,6 +212,14 @@ class TestValidate(unit.TestCase):
        )


+class TestValidateWithoutCache(TestValidate):
+
+    def config_overrides(self):
+        super(TestValidateWithoutCache, self).config_overrides()
+        self.config_fixture.config(group='token', caching=False)
+        self.config_fixture.config(group='token', cache_on_issue=False)
+
+
 class TestTokenFormatter(unit.TestCase):
    def test_restore_padding(self):
        # 'a' will result in '==' padding, 'aa' will result in '=' padding, and
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@ -172,7 +172,7 @@ class Manager(manager.Manager):
        token.access_token_id = access_token_id
        token.application_credential_id = app_cred_id
        token.expires_at = expires_at
-        if federated_group_ids:
+        if federated_group_ids is not None:
            token.is_federated = True
            token.identity_provider_id = identity_provider_id
            token.protocol_id = protocol_id
--- a/releasenotes/notes/bug-1856962-2c87d541da61c727.yaml
+++ b/releasenotes/notes/bug-1856962-2c87d541da61c727.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    [`bug 1856962 <https://bugs.launchpad.net/keystone/+bug/1856962>`_]
+    Fixes an issue where federated users could not authenticate if their
+    mapped group membership was empty.