Ignore unknown groups in lists for Federation

Ignore groups that don't match ones in the backend.
For Federation this will be the norm;
groups may pass the blacklist but Keystone doesn't know about them.
Otherwise, any additional groups sent by the external IdP will
break the mapping.

Change-Id: Ic1729da8606f50458db2fd163cd90bc5d89e24fa
Closes-Bug: 1429334
This commit is contained in:
Adam Young 2015-03-09 18:43:41 -04:00
parent 55d940c70b
commit f4708ec55b
3 changed files with 68 additions and 3 deletions


@ -327,8 +327,8 @@ def transform_to_group_ids(group_names, mapping_id,
group['name'], resolve_domain(group['domain']))
yield group_dict['id']
except exception.GroupNotFound:
raise exception.MappedGroupNotFound(
group_id=group['name'], mapping_id=mapping_id)
LOG.debug('Skip mapping group %s; has no entry in the backend',
group['name'])
def get_assertion_params_from_env(context):
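Review bot: The new except branch silently drops every group the backend does not know, for any rule that reaches transform_to_group_ids, so an explicit `group`/`groups` mapping that names a misspelled group is no longer reported as MappedGroupNotFound; the test change in the third file (test_issue_unscoped_tokens_nonexisting_group now expecting MissingGroups) and the new test's docstring, which still states that explicit mappings require the group to exist, show this distinction is not enforced by the code. Logging the skip only at `LOG.debug` also leaves a mapping-configuration error invisible under default logging, so a misconfigured deployment would simply issue tokens with fewer groups than intended; `LOG.warning('Skip mapping group %s; has no entry in the backend', group['name'])` keeps it visible, and if the caller can distinguish list-derived names from explicit ones, tolerating the miss only for the former would preserve the original error for explicit rules. The function's signature and most of its body are outside the hunk, so whether that distinction is available here cannot be confirmed from this view.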


@ -982,3 +982,8 @@ ANOTHER_LOCAL_USER_ASSERTION = {
'UserName': 'marek',
'Position': 'DirectorGeneral'
}
UNMATCHED_GROUP_ASSERTION = {
'REMOTE_USER': 'Any Momoose',
'REMOTE_USER_GROUPS': 'EXISTS;NO_EXISTS'
}


@ -1887,7 +1887,7 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
self.assertEqual(ref_groups, token_groups)
def test_issue_unscoped_tokens_nonexisting_group(self):
self.assertRaises(exception.MappedGroupNotFound,
self.assertRaises(exception.MissingGroups,
self._issue_unscoped_token,
assertion='ANOTHER_TESTER_ASSERTION')
@ -2249,6 +2249,66 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
self.v3_authenticate_token(scoped_token, expected_status=500)
def test_lists_with_missing_group_in_backend(self):
"""Test a mapping that points to a group that does not exist
For explicit mappings, we expect the group to exist in the backend,
but for lists, specifically blacklists, a missing group is expected
as many groups will be specified by the IdP that are not Keystone
groups.
The test scenario is as follows:
- Create group ``EXISTS``
- Set mapping rules for existing IdP with a blacklist
that passes through as REMOTE_USER_GROUPS
- Issue unscoped token with on group ``EXISTS`` id in it
"""
domain_id = self.domainA['id']
domain_name = self.domainA['name']
group = self.new_group_ref(domain_id=domain_id)
group['name'] = 'EXISTS'
group = self.identity_api.create_group(group)
rules = {
'rules': [
{
"local": [
{
"user": {
"name": "{0}",
"id": "{0}"
}
}
],
"remote": [
{
"type": "REMOTE_USER"
}
]
},
{
"local": [
{
"groups": "{0}",
"domain": {"name": domain_name}
}
],
"remote": [
{
"type": "REMOTE_USER_GROUPS",
"blacklist": ["noblacklist"]
}
]
}
]
}
self.federation_api.update_mapping(self.mapping['id'], rules)
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
self.assertEqual(1, len(assigned_group_ids))
self.assertEqual(group['id'], assigned_group_ids[0]['id'])
def test_assertion_prefix_parameter(self):
"""Test parameters filtering based on the prefix.