Allow setting EndpointReference in ADFSPassword

The ADFSPassword plugin currently sets the WS-Policy 'AppliesTo' EndpointReference Address in the WS-Trust RequestSecurityToken message to the value specified in the ‘service-provider-endpoint’ option. This may not be desirable if the Service Provider's SAML entity ID differs from the WS-Federation Passive Endpoint (i.e. service provider endpoint) consuming the WS-Trust RequestSecurityTokenResponse. This commit introduces the ability to specify the EndpointReference used in the RequestSecurityToken message via the 'service-provider-entity-id' option. If omitted, the EndpointReference defaults to the value provided in the ‘service-provider-endpoint' option to preserve backward compatibility. Change-Id: I842427232db79d628dc29f5a1dcf68e011667dfa Closes-Bug: #1689424
2017-04-29 17:54:20 -07:00 · 2017-04-29 17:54:20 -07:00 · 4ca1a1f028
commit 4ca1a1f028
parent 6cbd95bb8d
4 changed files with 35 additions and 2 deletions
--- a/keystoneauth1/extras/_saml2/_loading.py
+++ b/keystoneauth1/extras/_saml2/_loading.py
@ -52,8 +52,13 @@ class ADFSPassword(loading.BaseFederationLoader):
        options = super(ADFSPassword, self).get_options()

        options.extend([
+            loading.Opt('identity-provider-url',
+                        help=('An Identity Provider URL, where the SAML '
+                              'authentication request will be sent.')),
            loading.Opt('service-provider-endpoint',
                        help="Service Provider's Endpoint"),
+            loading.Opt('service-provider-entity-id',
+                        help="Service Provider's SAML Entity ID"),
            loading.Opt('username', help='Username'),
            loading.Opt('password', secret=True, help='Password')
        ])
--- a/keystoneauth1/extras/_saml2/v3/adfs.py
+++ b/keystoneauth1/extras/_saml2/v3/adfs.py
@ -50,7 +50,7 @@ class Password(base.BaseSAMLPlugin):

    def __init__(self, auth_url, identity_provider, identity_provider_url,
                 service_provider_endpoint, username, password,
-                 protocol, **kwargs):
+                 protocol, service_provider_entity_id=None, **kwargs):
        """Constructor for ``ADFSPassword``.

        :param auth_url: URL of the Identity Service
@ -69,6 +69,8 @@ class Password(base.BaseSAMLPlugin):
        :param service_provider_endpoint: Endpoint where an assertion is being
            sent, for instance: ``https://host.domain/Shibboleth.sso/ADFS``
        :type service_provider_endpoint: string
+        :param service_provider_entity_id: Service Provider SAML Entity ID
+        :type service_provider_entity_id: string

        :param username: User's login
        :type username: string
@ -83,6 +85,7 @@ class Password(base.BaseSAMLPlugin):
            username=username, password=password, protocol=protocol)

        self.service_provider_endpoint = service_provider_endpoint
+        self.service_provider_entity_id = service_provider_entity_id

    def _cookies(self, session):
        """Check if cookie jar is not empty.
@ -256,7 +259,8 @@ class Password(base.BaseSAMLPlugin):
        username.text = self.username
        password.text = self.password
        to.text = self.identity_provider_url
-        wsa_address.text = self.service_provider_endpoint
+        wsa_address.text = (self.service_provider_entity_id or
+                            self.service_provider_endpoint)

        self.prepared_request = root

--- a/keystoneauth1/tests/unit/extras/saml2/test_auth_adfs.py
+++ b/keystoneauth1/tests/unit/extras/saml2/test_auth_adfs.py
@ -70,6 +70,7 @@ class AuthenticateviaADFSTests(utils.TestCase):
            self.TEST_URL,
            'OS-FEDERATION/identity_providers/adfs/protocols/saml2/auth')
        self.SP_ENDPOINT = 'https://openstack4.local/Shibboleth.sso/ADFS'
+        self.SP_ENTITYID = 'https://openstack4.local'

        self.adfsplugin = saml2.V3ADFSPassword(
            self.TEST_URL, self.IDENTITY_PROVIDER,
@ -120,6 +121,16 @@ class AuthenticateviaADFSTests(utils.TestCase):
            self.ADDRESS_XPATH, namespaces=self.NAMESPACES)[0]
        self.assertEqual(self.SP_ENDPOINT, address.text)

+    def test_prepare_adfs_request_custom_endpointreference(self):
+        self.adfsplugin = saml2.V3ADFSPassword(
+            self.TEST_URL, self.IDENTITY_PROVIDER,
+            self.IDENTITY_PROVIDER_URL, self.SP_ENDPOINT,
+            self.TEST_USER, self.TEST_TOKEN, self.PROTOCOL, self.SP_ENTITYID)
+        self.adfsplugin._prepare_adfs_request()
+        address = self.adfsplugin.prepared_request.xpath(
+            self.ADDRESS_XPATH, namespaces=self.NAMESPACES)[0]
+        self.assertEqual(self.SP_ENTITYID, address.text)
+
    def test_prepare_sp_request(self):
        assertion = etree.XML(self.ADFS_SECURITY_TOKEN_RESPONSE)
        assertion = assertion.xpath(
--- a/releasenotes/notes/bug-1689424-set-adfspassword-endpointreference-f186d84a54007b09.yaml
+++ b/releasenotes/notes/bug-1689424-set-adfspassword-endpointreference-f186d84a54007b09.yaml
@ -0,0 +1,13 @@
+---
+prelude: >
+    Allow setting EndpointReference in ADFSPassword
+features:
+  - >
+    Add the ability to specify the WS-Policy EndpointReference used in the
+    ADFSPassword plugin's RequestSecurityToken message via the
+    'service-provider-entity-id' option. Also added 'identity-provider-url'
+    option which was required, but missing from option list.
+fixes:
+  - >
+    [`bug 1689424 <https://bugs.launchpad.net/keystoneauth/+bug/1689424>`_]
+    Allow setting EndpointReference in ADFSPassword.