Merge "Reject rule if assertion type unset"

keystone/contrib/federation/utils.py

@@ -672,15 +672,18 @@ class RuleProcessor(object):
 
         for requirement in requirements:
             requirement_type = requirement['type']
+            direct_map_values = assertion.get(requirement_type)
             regex = requirement.get('regex', False)
 
+            if not direct_map_values:
+                return None
+
             any_one_values = requirement.get(self._EvalType.ANY_ONE_OF)
             if any_one_values is not None:
                 if self._evaluate_requirement(any_one_values,
-                                              requirement_type,
+                                              direct_map_values,
                                               self._EvalType.ANY_ONE_OF,
-                                              regex,
-                                              assertion):
+                                              regex):
                     continue
                 else:
                     return None
@@ -688,10 +691,9 @@ class RuleProcessor(object):
             not_any_values = requirement.get(self._EvalType.NOT_ANY_OF)
             if not_any_values is not None:
                 if self._evaluate_requirement(not_any_values,
-                                              requirement_type,
+                                              direct_map_values,
                                               self._EvalType.NOT_ANY_OF,
-                                              regex,
-                                              assertion):
+                                              regex):
                     continue
                 else:
                     return None
@@ -699,23 +701,21 @@ class RuleProcessor(object):
             # If 'any_one_of' or 'not_any_of' are not found, then values are
             # within 'type'. Attempt to find that 'type' within the assertion,
             # and filter these values if 'whitelist' or 'blacklist' is set.
-            direct_map_values = assertion.get(requirement_type)
-            if direct_map_values:
-                blacklisted_values = requirement.get(self._EvalType.BLACKLIST)
-                whitelisted_values = requirement.get(self._EvalType.WHITELIST)
+            blacklisted_values = requirement.get(self._EvalType.BLACKLIST)
+            whitelisted_values = requirement.get(self._EvalType.WHITELIST)
 
-                # If a blacklist or whitelist is used, we want to map to the
-                # whole list instead of just its values separately.
-                if blacklisted_values is not None:
-                    direct_map_values = [v for v in direct_map_values
-                                         if v not in blacklisted_values]
-                elif whitelisted_values is not None:
-                    direct_map_values = [v for v in direct_map_values
-                                         if v in whitelisted_values]
+            # If a blacklist or whitelist is used, we want to map to the
+            # whole list instead of just its values separately.
+            if blacklisted_values is not None:
+                direct_map_values = [v for v in direct_map_values
+                                     if v not in blacklisted_values]
+            elif whitelisted_values is not None:
+                direct_map_values = [v for v in direct_map_values
+                                     if v in whitelisted_values]
 
-                direct_maps.add(direct_map_values)
+            direct_maps.add(direct_map_values)
 
-                LOG.debug('updating a direct mapping: %s', direct_map_values)
+            LOG.debug('updating a direct mapping: %s', direct_map_values)
 
         return direct_maps
 
@@ -726,8 +726,8 @@ class RuleProcessor(object):
                     return True
         return False
 
-    def _evaluate_requirement(self, values, requirement_type,
-                              eval_type, regex, assertion):
+    def _evaluate_requirement(self, values, assertion_values,
+                              eval_type, regex):
         """Evaluate the incoming requirement and assertion.
 
         If the requirement type does not exist in the assertion data, then
@@ -737,23 +737,16 @@ class RuleProcessor(object):
 
         :param values: list of allowed values, defined in the requirement
         :type values: list
-        :param requirement_type: key to look for in the assertion
-        :type requirement_type: string
+        :param assertion_values: The values from the assertion to evaluate
+        :type assertion_values: list/string
         :param eval_type: determine how to evaluate requirements
         :type eval_type: string
         :param regex: perform evaluation with regex
         :type regex: boolean
-        :param assertion: dict of attributes from the IdP
-        :type assertion: dict
 
         :returns: boolean, whether requirement is valid or not.
 
         """
-
-        assertion_values = assertion.get(requirement_type)
-        if not assertion_values:
-            return False
-
         if regex:
             any_match = self._evaluate_values_by_regex(values,
                                                        assertion_values)

keystone/tests/unit/contrib/federation/test_utils.py

@@ -10,6 +10,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import uuid
 
 from keystone.auth.plugins import mapped
 from keystone.contrib.federation import utils as mapping_utils
@@ -609,3 +610,25 @@ class MappingRuleEngineTests(unit.BaseTestCase):
             self.assertEqual(exp_user_name, mapped_properties['user']['name'])
             self.assertEqual('abc123%40example.com',
                              mapped_properties['user']['id'])
+
+    def test_whitelist_pass_through(self):
+        mapping = mapping_fixtures.MAPPING_GROUPS_WHITELIST_PASS_THROUGH
+        rp = mapping_utils.RuleProcessor(mapping['rules'])
+        assertion = mapping_fixtures.DEVELOPER_ASSERTION
+        mapped_properties = rp.process(assertion)
+        self.assertValidMappedUserObject(mapped_properties)
+
+        self.assertEqual('developacct', mapped_properties['user']['name'])
+        self.assertEqual('Developer',
+                         mapped_properties['group_names'][0]['name'])
+
+    def test_type_not_in_assertion(self):
+        """Test that if the remote "type" is not in the assertion it fails."""
+        mapping = mapping_fixtures.MAPPING_GROUPS_WHITELIST_PASS_THROUGH
+        rp = mapping_utils.RuleProcessor(mapping['rules'])
+        assertion = {uuid.uuid4().hex: uuid.uuid4().hex}
+        mapped_properties = rp.process(assertion)
+        self.assertValidMappedUserObject(mapped_properties)
+
+        self.assertNotIn('id', mapped_properties['user'])
+        self.assertNotIn('name', mapped_properties['user'])

keystone/tests/unit/mapping_fixtures.py

@@ -1146,6 +1146,45 @@ MAPPING_FOR_DEFAULT_EPHEMERAL_USER = {
     ]
 }
 
+MAPPING_GROUPS_WHITELIST_PASS_THROUGH = {
+    "rules": [
+        {
+            "remote": [
+                {
+                    "type": "UserName"
+                }
+            ],
+            "local": [
+                {
+                    "user": {
+                        "name": "{0}",
+                        "domain": {
+                            "id": DEVELOPER_GROUP_DOMAIN_ID
+                        }
+                    }
+                }
+            ]
+        },
+        {
+            "remote": [
+                {
+                    "type": "orgPersonType",
+                    "whitelist": ['Developer']
+                }
+            ],
+            "local": [
+                {
+                    "groups": "{0}",
+                    "domain": {
+                        "id": DEVELOPER_GROUP_DOMAIN_ID
+                    }
+                }
+            ]
+        }
+    ]
+}
+
+
 EMPLOYEE_ASSERTION = {
     'Email': 'tim@example.com',
     'UserName': 'tbo',