authorVishakha Agarwal <agarwalvishakha18@gmail.com>2018-08-30 11:14:32 +0530
committerRaildo Mascena <rmascena@redhat.com>2018-09-24 14:50:31 -0300
commita09ba6906573432ec0b7bd4ec0522caf06dc3b8c (patch)
tree95d0346aa27a4cc0ff246bc6ff66f866bb5541c4
parentce46cc25dc4d967c062587ab21b2b38cab045e00 (diff)
downloadkeystone-a09ba6906573432ec0b7bd4ec0522caf06dc3b8c.tar.gz
Mapped Groups don't exist breaks WebSSO
The issue occurs if a user has a group that does not map to a project in OpenStack, at which point an exception is raised and the websso login blows up with a 500 message. This happens because an exception is raised when the group name does not match, so this change replaces the exception with a log message. Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633 Closes-Bug: #1789450 (cherry picked from commit ee46f735359cb5381024a7dfa3f2b297badc6247)
-rw-r--r--keystone/federation/utils.py4
-rw-r--r--keystone/tests/unit/test_v3_federation.py9
2 files changed, 8 insertions, 5 deletions
diff --git a/keystone/federation/utils.py b/keystone/federation/utils.py
index 1eeecf39c..449abbf12 100644
--- a/keystone/federation/utils.py
+++ b/keystone/federation/utils.py
@@ -409,8 +409,8 @@ def transform_to_group_ids(group_names, mapping_id,
group['name'], resolve_domain(group['domain']))
yield group_dict['id']
except exception.GroupNotFound:
- raise exception.MappedGroupNotFound(group_id=group['name'],
- mapping_id=mapping_id)
+ LOG.debug('Group %s has no entry in the backend',
+ group['name'])
def get_assertion_params_from_env(request):
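Review bot: The new `LOG.debug` call in the `except exception.GroupNotFound` branch no longer records `mapping_id` or the group's domain, and at debug level the skip will not appear in most production logs. Because the groups yielded here end up in the federated token, an operator auditing why a user got fewer (or no) groups needs to see which mapping and which name failed to resolve. Consider something like `LOG.warning('Group %(name)s from mapping %(mapping_id)s has no entry in the backend; skipping it', {'name': group['name'], 'mapping_id': mapping_id})`, choosing the level with log volume in mind since the name presumably originates from the IdP assertion. A short comment in the branch stating that unresolved groups are skipped on purpose, so the user simply receives no membership for them, would also help; the body of `transform_to_group_ids` starts outside this hunk.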
diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
index 23934ab18..d5f9bd15b 100644
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@@ -1890,9 +1890,8 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
self.assertEqual(ref_groups, token_groups)
def test_issue_unscoped_tokens_nonexisting_group(self):
- self.assertRaises(exception.MappedGroupNotFound,
- self._issue_unscoped_token,
- assertion='ANOTHER_TESTER_ASSERTION')
+ r = self._issue_unscoped_token(assertion='ANOTHER_TESTER_ASSERTION')
+ self.assertIsNotNone(r.headers.get('X-Subject-Token'))
def test_issue_unscoped_token_with_remote_no_attribute(self):
r = self._issue_unscoped_token(idp=self.IDP_WITH_REMOTE,
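Review bot: `test_issue_unscoped_tokens_nonexisting_group` now asserts only that an `X-Subject-Token` header is returned, so it would still pass if the unresolved group were carried into the token. Since the point of the change is that the missing group is skipped, the test should also check the group list, for example by comparing `r.json['token']['user']['OS-FEDERATION']['groups']` against the groups this assertion is expected to resolve. The mapping behind `ANOTHER_TESTER_ASSERTION` is not visible in this hunk, so the exact expected list has to come from the fixture.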
@@ -2417,6 +2416,10 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
]
}
self.federation_api.update_mapping(self.mapping['id'], rules)
+ r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
+ assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
+ self.assertEqual(1, len(assigned_group_ids))
+ self.assertEqual(group['id'], assigned_group_ids[0]['id'])
def test_empty_blacklist_passess_all_values(self):
"""Test a mapping with empty blacklist specified.