Ignore unknown groups in lists for Federation
Ignore groups that don't match ones in the backend. For Federation this will be the norm; groups may pass the blacklist but Keystone doesn't know about them. Otherwise, any additional groups sent by the external IdP will break the mapping Change-Id: Ic1729da8606f50458db2fd163cd90bc5d89e24fa Closes-Bug: 1429334
This commit is contained in:
parent
55d940c70b
commit
f4708ec55b
|
@ -327,8 +327,8 @@ def transform_to_group_ids(group_names, mapping_id,
|
|||
group['name'], resolve_domain(group['domain']))
|
||||
yield group_dict['id']
|
||||
except exception.GroupNotFound:
|
||||
raise exception.MappedGroupNotFound(
|
||||
group_id=group['name'], mapping_id=mapping_id)
|
||||
LOG.debug('Skip mapping group %s; has no entry in the backend',
|
||||
group['name'])
|
||||
|
||||
|
||||
def get_assertion_params_from_env(context):
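Review bot: The skip replaces the MappedGroupNotFound error for every caller of transform_to_group_ids, not only for groups that arrived through a list/blacklist rule, so a typo in an explicitly mapped group name now silently produces a token with fewer groups instead of failing; the commit message only motivates the list case. At minimum the message should be logged above debug so operators can notice mappings that never resolve, e.g. `LOG.warning('Skip mapping group %s; has no entry in the backend', group['name'])`; a stronger fix would have the rule-processing caller indicate which group names came from a list and keep raising for explicitly named groups. The group name logged here appears to originate from the IdP assertion, so this line records externally supplied input, which is another reason to keep the format fixed and the value as a lazy %s argument rather than interpolated. transform_to_group_ids starts above the hunk, so the surrounding loop and the source of group_names are not visible here.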
|
||||
|
|
|
@ -982,3 +982,8 @@ ANOTHER_LOCAL_USER_ASSERTION = {
|
|||
'UserName': 'marek',
|
||||
'Position': 'DirectorGeneral'
|
||||
}
|
||||
|
||||
UNMATCHED_GROUP_ASSERTION = {
|
||||
'REMOTE_USER': 'Any Momoose',
|
||||
'REMOTE_USER_GROUPS': 'EXISTS;NO_EXISTS'
|
||||
}
|
||||
|
|
|
@ -1887,7 +1887,7 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
|
|||
self.assertEqual(ref_groups, token_groups)
|
||||
|
||||
def test_issue_unscoped_tokens_nonexisting_group(self):
|
||||
self.assertRaises(exception.MappedGroupNotFound,
|
||||
self.assertRaises(exception.MissingGroups,
|
||||
self._issue_unscoped_token,
|
||||
assertion='ANOTHER_TESTER_ASSERTION')
|
||||
|
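Review bot: The changed expectation is unexplained in the test: with unknown groups now skipped, ANOTHER_TESTER_ASSERTION presumably maps to no groups at all, which is why MissingGroups rather than MappedGroupNotFound is raised; a one-line comment would save the next reader a trip into the mapping code, e.g. `# Unknown groups are skipped, so the user ends up with no groups at all.`. The name test_issue_unscoped_tokens_nonexisting_group now describes the setup rather than the error, so a short docstring stating that a nonexistent group is ignored and the missing-groups check fires would make the intent clear. The method is complete within the hunk.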
||||
|
@ -2249,6 +2249,66 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
|
|||
|
||||
self.v3_authenticate_token(scoped_token, expected_status=500)
|
||||
|
||||
def test_lists_with_missing_group_in_backend(self):
|
||||
"""Test a mapping that points to a group that does not exist
|
||||
|
||||
For explicit mappings, we expect the group to exist in the backend,
|
||||
but for lists, specifically blacklists, a missing group is expected
|
||||
as many groups will be specified by the IdP that are not Keystone
|
||||
groups.
|
||||
|
||||
The test scenario is as follows:
|
||||
- Create group ``EXISTS``
|
||||
- Set mapping rules for existing IdP with a blacklist
|
||||
that passes through as REMOTE_USER_GROUPS
|
||||
- Issue unscoped token with on group ``EXISTS`` id in it
|
||||
|
||||
"""
|
||||
domain_id = self.domainA['id']
|
||||
domain_name = self.domainA['name']
|
||||
group = self.new_group_ref(domain_id=domain_id)
|
||||
group['name'] = 'EXISTS'
|
||||
group = self.identity_api.create_group(group)
|
||||
rules = {
|
||||
'rules': [
|
||||
{
|
||||
"local": [
|
||||
{
|
||||
"user": {
|
||||
"name": "{0}",
|
||||
"id": "{0}"
|
||||
}
|
||||
}
|
||||
],
|
||||
"remote": [
|
||||
{
|
||||
"type": "REMOTE_USER"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"local": [
|
||||
{
|
||||
"groups": "{0}",
|
||||
"domain": {"name": domain_name}
|
||||
}
|
||||
],
|
||||
"remote": [
|
||||
{
|
||||
"type": "REMOTE_USER_GROUPS",
|
||||
"blacklist": ["noblacklist"]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
self.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
|
||||
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
|
||||
assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
|
||||
self.assertEqual(1, len(assigned_group_ids))
|
||||
self.assertEqual(group['id'], assigned_group_ids[0]['id'])
|
||||
|
||||
def test_assertion_prefix_parameter(self):
|
||||
"""Test parameters filtering based on the prefix.
|
||||
|
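Review bot: The docstring step `Issue unscoped token with on group ``EXISTS`` id in it` is garbled; `Issue an unscoped token and check that only the id of group ``EXISTS`` appears in it` states what the two assertions actually check. The docstring's first paragraph says explicit mappings still expect the group to exist, but nothing in this commit exercises that case, and the code change drops the error for all callers, so either a companion test should assert the explicit-mapping behaviour or the paragraph should be reworded to say the group is skipped in both cases. Minor style: the rules literal mixes single-quoted and double-quoted keys within one structure. test_lists_with_missing_group_in_backend is complete within the hunk; the following test_assertion_prefix_parameter continues past it.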
||||
|
|