authorBoris Bobrov <bbobrov@mirantis.com>2016-04-05 18:50:48 +0300
committerSteve Martinelli <stevemar@ca.ibm.com>2016-04-05 19:32:54 +0000
commit3e5fca06c6b7dd6060721faa39428b133edd10f0 (patch)
tree3513bd7b2b245c3d202ad41091ac3fd2a8cca507
parentdba04cdd232ab72704df58cff791d52c1c99bc90 (diff)
downloadkeystone-3e5fca06c6b7dd6060721faa39428b133edd10f0.tar.gz
Update federated user display name with shadow_users_api9.0.0.0rc39.0.0
When a user comes to the cloud for the first time, a shadow user is created. When the user authenticates again, this shadow user is fetched and returned. Before it is returned, its display name should be updated. But the call to update the display name fails because neither identity manager nor identity drivers have the required method. However, the required method exists in shadow_users_api. The issue was hidden because method shadow_federated_user was cached and while the cache lived, the user could authenticate. Use the method of shadow_users_api instead of identity_api to update federated user display name. Change-Id: I58e65bdf3a953f3ded485003939b81f908738e1e Closes-Bug: 1566282 (cherry picked from commit 7ad4f8728cce354617b5facefe5076d65af311c6)
-rw-r--r--keystone/identity/core.py4
-rw-r--r--keystone/tests/unit/test_v3_identity.py28
2 files changed, 30 insertions, 2 deletions
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index 8a38198cd..d601d9528 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -1239,8 +1239,8 @@ class Manager(manager.Manager):
try:
user_dict = self.shadow_users_api.get_federated_user(
idp_id, protocol_id, unique_id)
- self.update_federated_user_display_name(idp_id, protocol_id,
- unique_id, display_name)
+ self.shadow_users_api.update_federated_user_display_name(
+ idp_id, protocol_id, unique_id, display_name)
except exception.UserNotFound:
federated_dict = {
'idp_id': idp_id,
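Review bot: `user_dict` is read from `get_federated_user` before `update_federated_user_display_name` runs, so for an existing user the returned dict appears to still carry the previous display name; the assertions on `shadow_user2['name']` in the added test are consistent with that. The display name comes from the identity provider on each login, so whatever consumes this dict downstream would see a stale value for that login. Consider re-reading after the update, e.g. `user_dict = self.shadow_users_api.get_federated_user(idp_id, protocol_id, unique_id)` placed directly after the update call. The commit message says the method is cached, so that cache probably also needs invalidating when the name changes. The enclosing method starts and ends outside the hunk, so how `user_dict` is used afterwards is not visible here.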
diff --git a/keystone/tests/unit/test_v3_identity.py b/keystone/tests/unit/test_v3_identity.py
index d853afc33..fee606a98 100644
--- a/keystone/tests/unit/test_v3_identity.py
+++ b/keystone/tests/unit/test_v3_identity.py
@@ -499,6 +499,34 @@ class IdentityTestCase(test_v3.RestfulTestCase):
self.assertIsNone(user['domain_id'])
self.assertEqual(user['enabled'], True)
+ def test_shadow_existing_federated_user(self):
+ fed_user = unit.new_federated_user_ref()
+
+ # introduce the user to keystone for the first time
+ shadow_user1 = self.identity_api.shadow_federated_user(
+ fed_user["idp_id"],
+ fed_user["protocol_id"],
+ fed_user["unique_id"],
+ fed_user["display_name"])
+ self.assertEqual(fed_user['display_name'], shadow_user1['name'])
+
+ # shadow the user again, with another name to invalidate the cache
+ # internally, this operation causes request to the driver. It should
+ # not fail.
+ fed_user['display_name'] = uuid.uuid4().hex
+ shadow_user2 = self.identity_api.shadow_federated_user(
+ fed_user["idp_id"],
+ fed_user["protocol_id"],
+ fed_user["unique_id"],
+ fed_user["display_name"])
+ # FIXME(dolph): These assertEqual / assertNotEqual should be reversed,
+ # to illustrate that the display name has been updated as expected.
+ self.assertNotEqual(fed_user['display_name'], shadow_user2['name'])
+ self.assertEqual(shadow_user1['name'], shadow_user2['name'])
+
+ # The shadowed users still share the same unique ID.
+ self.assertEqual(shadow_user1['id'], shadow_user2['id'])
+
# group crud tests
def test_create_group(self):
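Review bot: Nothing in `test_shadow_existing_federated_user` checks that the new display name was actually stored, so the test would still pass if `update_federated_user_display_name` silently did nothing. Reading the record back through the driver after the second call would pin the fix, for example `stored = self.identity_api.shadow_users_api.get_federated_user(fed_user['idp_id'], fed_user['protocol_id'], fed_user['unique_id'])` followed by `self.assertEqual(fed_user['display_name'], stored['name'])`. This assumes the manager's `shadow_users_api` is reachable from the test case and that the driver result exposes `name`; neither is visible in this hunk.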