author | lin-hua-cheng <os.lcheng@gmail.com> | 2015-04-08 17:03:23 -0700 |
committer | Doug Hellmann <doug@doughellmann.com> | 2015-04-15 19:52:25 +0000 |
commit | f1cd53aa5461e28120c97378ab749571c41a5bc1 (patch) | |
tree | 015358886ae437dd487b50d31bfdac2618acaf14 | |
parent | e7f369191bb09c349c3c4b327b5558fbd1c3e77a (diff) | |
download | keystone-f1cd53aa5461e28120c97378ab749571c41a5bc1.tar.gz |
WebSSO should use remote_id_attribute by protocol
WebSSO always uses the remote_id_attribute from the
[federation] group. Fix the issue, by consuming the
protocol specific remote_id_attribute if available.
Change-Id: Icdc693965ec53e5ff8f1901af26c9232a20aef7e
Closes-Bug: #1441827
(cherry picked from commit 9b11d13856034e3a2cf6ab1f6ca80a6965818d17)
-rw-r--r-- | keystone/contrib/federation/controllers.py | 2 | ||||
-rw-r--r-- | keystone/contrib/federation/utils.py | 16 | ||||
-rw-r--r-- | keystone/tests/unit/test_v3_federation.py | 13 |
3 files changed, 25 insertions, 6 deletions
diff --git a/keystone/contrib/federation/controllers.py b/keystone/contrib/federation/controllers.py
index 7ffaad547..cdbba4162 100644
--- a/keystone/contrib/federation/controllers.py
+++ b/keystone/contrib/federation/controllers.py
@@ -268,7 +268,7 @@ class Auth(auth_controllers.Auth):
 def federated_sso_auth(self, context, protocol_id):
 try:
- remote_id_name = CONF.federation.remote_id_attribute
+ remote_id_name = utils.get_remote_id_parameter(protocol_id)
 remote_id = context['environment'][remote_id_name]
 except KeyError:
 msg = _('Missing entity ID from environment')
diff --git a/keystone/contrib/federation/utils.py b/keystone/contrib/federation/utils.py
index afc4d42e8..6fca2143d 100644
--- a/keystone/contrib/federation/utils.py
+++ b/keystone/contrib/federation/utils.py
@@ -191,10 +191,7 @@ def validate_groups_cardinality(group_ids, mapping_id):
 raise exception.MissingGroups(mapping_id=mapping_id)
 
 
-def validate_idp(idp, protocol, assertion):
- """Validate the IdP providing the assertion is registered for the mapping.
- """
-
+def get_remote_id_parameter(protocol):
 # NOTE(marco-fargetta): Since we support any protocol ID, we attempt to
 # retrieve the remote_id_attribute of the protocol ID. If it's not
 # registered in the config, then register the option and try again.
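Review bot: The new `remote_id_name = utils.get_remote_id_parameter(protocol_id)` line in federated_sso_auth hands the protocol_id from the request path to the helper before anything in this hunk has checked that such a protocol exists, and the NOTE in the utils hunk on the same line says the helper registers a config option for any protocol group that is not yet in the config. If that is what the helper's body does (the registration code itself is outside both hunks), configuration registration is now driven by unauthenticated caller input, and each previously unseen protocol_id would leave a new group in CONF for the life of the process; the `except KeyError` below only covers a missing environment key, not that case. Consider consulting the protocol group only when it is already registered, or otherwise bounding which protocol_id values reach the helper, and mark the call site with `# protocol_id is unvalidated request input; the helper may register a CONF group for it`. Both federated_sso_auth and get_remote_id_parameter continue outside their hunks.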
@@ -210,10 +207,19 @@ def validate_idp(idp, protocol, assertion):
 except AttributeError:
 pass
 if not remote_id_parameter:
- LOG.debug('Cannot find "remote_id_attibute" in configuration '
+ LOG.debug('Cannot find "remote_id_attribute" in configuration '
 'group %s. Trying default location in '
 'group federation.', protocol)
 remote_id_parameter = CONF.federation.remote_id_attribute
+
+ return remote_id_parameter
+
+
+def validate_idp(idp, protocol, assertion):
+ """Validate the IdP providing the assertion is registered for the mapping.
+ """
+
+ remote_id_parameter = get_remote_id_parameter(protocol)
 if not remote_id_parameter or not idp['remote_ids']:
 LOG.debug('Impossible to identify the IdP %s ', idp['id'])
 # If nothing is defined, the administrator may want to
diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
index 2207f3500..c1a4a677a 100644
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@@ -3678,6 +3678,7 @@ class WebSSOTests(FederatedTokenTests):
 SSO_TEMPLATE_PATH = os.path.join(core.dirs.etc(), SSO_TEMPLATE_NAME)
 TRUSTED_DASHBOARD = 'http://horizon.com'
 ORIGIN = urllib.parse.quote_plus(TRUSTED_DASHBOARD)
+ PROTOCOL_REMOTE_ID_ATTR = uuid.uuid4().hex
 
 def setUp(self):
 super(WebSSOTests, self).setUp()
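Review bot: `get_remote_id_parameter` is now a shared helper called from controllers.py as well as from validate_idp, yet it carries no docstring, and its def line sits in the previous hunk with the lookup body outside this one, so a reader of the new `return remote_id_parameter` line cannot see the contract. Suggest a docstring on the def saying that it returns the `remote_id_attribute` configured in the group named after *protocol*, falls back to `[federation] remote_id_attribute` when that group has no value, and may return None when neither is set; the `if not remote_id_parameter or not idp['remote_ids']` context line in validate_idp relies on that None case, so it is worth stating explicitly. The debug-message typo fix on the `LOG.debug('Cannot find "remote_id_attribute" ...` line is fine.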
@@ -3705,6 +3706,18 @@ class WebSSOTests(FederatedTokenTests):
 resp = self.api.federated_sso_auth(context, self.PROTOCOL)
 self.assertIn(self.TRUSTED_DASHBOARD, resp.body)
 
+ def test_federated_sso_auth_with_protocol_specific_remote_id(self):
+ self.config_fixture.config(
+ group=self.PROTOCOL,
+ remote_id_attribute=self.PROTOCOL_REMOTE_ID_ATTR)
+
+ environment = {self.PROTOCOL_REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
+ context = {'environment': environment}
+ query_string = {'origin': self.ORIGIN}
+ self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
+ resp = self.api.federated_sso_auth(context, self.PROTOCOL)
+ self.assertIn(self.TRUSTED_DASHBOARD, resp.body)
+
 def test_federated_sso_auth_bad_remote_id(self):
 environment = {self.REMOTE_ID_ATTR: self.IDP}
 context = {'environment': environment}
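Review bot: test_federated_sso_auth_with_protocol_specific_remote_id puts only the protocol-specific key in `environment`, so it proves the protocol group is consulted but not the precedence the commit message claims — that the protocol-specific attribute wins over `[federation] remote_id_attribute` when both keys are present. A companion test that supplies both keys, with the federation key mapped to the same unknown value the existing test_federated_sso_auth_bad_remote_id uses (`self.REMOTE_ID_ATTR: self.IDP`) and the protocol key mapped to a registered remote id, would fail under the old single-attribute lookup and pass under the new one. Whether setUp already configures `[federation] remote_id_attribute` to `self.REMOTE_ID_ATTR` is outside this hunk, so the companion test may need that configured explicitly.
```python
    def test_federated_sso_auth_protocol_remote_id_takes_precedence(self):
        self.config_fixture.config(
            group=self.PROTOCOL,
            remote_id_attribute=self.PROTOCOL_REMOTE_ID_ATTR)
        # the [federation] key maps to an unknown remote id; only the
        # protocol-specific key resolves to a registered IdP
        environment = {self.REMOTE_ID_ATTR: self.IDP,
                       self.PROTOCOL_REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
        context = {'environment': environment}
        query_string = {'origin': self.ORIGIN}
        self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
        resp = self.api.federated_sso_auth(context, self.PROTOCOL)
        self.assertIn(self.TRUSTED_DASHBOARD, resp.body)
```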