diff options
| author | Vishakha Agarwal <agarwalvishakha18@gmail.com> | 2018-08-30 11:14:32 +0530 |
|---|---|---|
| committer | Raildo Mascena <rmascena@redhat.com> | 2018-09-24 16:06:35 +0000 |
| commit | c4e48ef3a149df81aa563d894cc6eb78f536edb8 (patch) | |
| tree | 48a0b1fd15c58dfb5485de7873b20177d2d1108f | |
| parent | 7693b84c0692f9b9ec756c73df7456d87f54f0cb (diff) | |
| download | keystone-c4e48ef3a149df81aa563d894cc6eb78f536edb8.tar.gz | |
Mapped Groups don't exist breaks WebSSO
The issue occurs if a user has a group that
does not map to a project in OpenStack. At
which point an exception is raised and the
websso login blows up with a 500 message.
This is because of the exception being raised
when the group name not matches thus replacing
that with a log.
Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
Closes-Bug: #1789450
(cherry picked from commit ee46f735359cb5381024a7dfa3f2b297badc6247)
| -rw-r--r-- | keystone/federation/utils.py | 4 | ||||
| -rw-r--r-- | keystone/tests/unit/test_v3_federation.py | 9 |
2 files changed, 8 insertions, 5 deletions
diff --git a/keystone/federation/utils.py b/keystone/federation/utils.py index 1eeecf39c..449abbf12 100644 --- a/keystone/federation/utils.py +++ b/keystone/federation/utils.py @@ -409,8 +409,8 @@ def transform_to_group_ids(group_names, mapping_id, group['name'], resolve_domain(group['domain'])) yield group_dict['id'] except exception.GroupNotFound: - raise exception.MappedGroupNotFound(group_id=group['name'], - mapping_id=mapping_id) + LOG.debug('Group %s has no entry in the backend', + group['name']) def get_assertion_params_from_env(request): diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py index 41a2a8e56..be2fc92ec 100644 --- a/keystone/tests/unit/test_v3_federation.py +++ b/keystone/tests/unit/test_v3_federation.py @@ -1924,9 +1924,8 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin): self.assertEqual(ref_groups, token_groups) def test_issue_unscoped_tokens_nonexisting_group(self): - self.assertRaises(exception.MappedGroupNotFound, - self._issue_unscoped_token, - assertion='ANOTHER_TESTER_ASSERTION') + r = self._issue_unscoped_token(assertion='ANOTHER_TESTER_ASSERTION') + self.assertIsNotNone(r.headers.get('X-Subject-Token')) def test_issue_unscoped_token_with_remote_no_attribute(self): r = self._issue_unscoped_token(idp=self.IDP_WITH_REMOTE, @@ -2474,6 +2473,10 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin): ] } PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules) + r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION') + assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups'] + self.assertEqual(1, len(assigned_group_ids)) + self.assertEqual(group['id'], assigned_group_ids[0]['id']) def test_empty_blacklist_passess_all_values(self): """Test a mapping with empty blacklist specified. |