authorshenjiatong <yshxxsjt715@gmail.com>2019-12-19 13:38:32 +0800
committernorman shen <yshxxsjt715@gmail.com>2020-01-02 04:11:58 +0000
commitc0d5162288f9985f1a15a7c865e0ba688df428ec (patch)
treec2b55c3ab73de01edfa2eeb25530d578bcb58c75
parent1b967e0aad133e8260acc2ebfd11699bc6a13b02 (diff)
downloadkeystone-c0d5162288f9985f1a15a7c865e0ba688df428ec.tar.gz
Fix token auth error if federated_groups_id is empty list
`federation_group_ids` could be a zero-length list, so decide whether a token is federated by checking whether it is None. Change-Id: I0f4b9e24d949aa4838ee721a165999b29c684d32 Closes-Bug: #1856962 (cherry picked from commit f0d964e66675037d62ad17847a966e71720dbd54)
-rw-r--r--keystone/tests/unit/token/test_fernet_provider.py23
-rw-r--r--keystone/token/provider.py2
-rw-r--r--releasenotes/notes/bug-1856962-2c87d541da61c727.yaml6
3 files changed, 28 insertions, 3 deletions
diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py
index a3e6d870c..f84fae094 100644
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@@ -93,7 +93,7 @@ class TestValidate(unit.TestCase):
user_ref['password_expires_at'], token.user['password_expires_at']
)
- def test_validate_v3_token_federated_info(self):
+ def _test_validate_v3_token_federted_info(self, group_ids):
# Check the user fields in the token result when use validate_v3_token
# when the token has federated info.
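Review bot: The new helper name `_test_validate_v3_token_federted_info` misspells "federated", and the same spelling is repeated by both callers added in the later hunk of this file. Rename it to `_test_validate_v3_token_federated_info_for_groups(self, group_ids)` or similar, so it is spelled correctly and cannot be confused with the public test of nearly the same name. The comment kept under the signature still describes a single test case; a short docstring saying that `group_ids` is the mapped group list placed in the token, and that it may be empty, would fit the helper better. The helper's body continues outside this hunk.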
@@ -107,7 +107,6 @@ class TestValidate(unit.TestCase):
method_names = ['mapped']
- group_ids = [uuid.uuid4().hex, ]
idp_id = uuid.uuid4().hex
idp_ref = {
'id': idp_id,
@@ -137,6 +136,18 @@ class TestValidate(unit.TestCase):
self.assertEqual(idp_id, token.identity_provider_id)
self.assertEqual(protocol, token.protocol_id)
+ def test_validate_v3_token_federated_info(self):
+ # Check the user fields in the token result when use validate_v3_token
+ # when the token has federated info.
+
+ group_ids = [uuid.uuid4().hex, ]
+ self._test_validate_v3_token_federted_info(group_ids)
+
+ def test_validate_v3_token_federated_info_empty_group(self):
+ # check when federated users got empty group ids
+
+ self._test_validate_v3_token_federted_info([])
+
def test_validate_v3_token_trust(self):
# Check the trust fields in the token result when use validate_v3_token
# when the token has trust info.
@@ -201,6 +212,14 @@ class TestValidate(unit.TestCase):
)
+class TestValidateWithoutCache(TestValidate):
+
+ def config_overrides(self):
+ super(TestValidateWithoutCache, self).config_overrides()
+ self.config_fixture.config(group='token', caching=False)
+ self.config_fixture.config(group='token', cache_on_issue=False)
+
+
class TestTokenFormatter(unit.TestCase):
def test_restore_padding(self):
# 'a' will result in '==' padding, 'aa' will result in '=' padding, and
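Review bot: `TestValidateWithoutCache` has no docstring or comment explaining why every `TestValidate` case is rerun with `caching=False` and `cache_on_issue=False`. Presumably the regression is only reachable when validation rebuilds the token instead of returning the one cached at issue time, though that is inferred rather than visible in this hunk. If so, state it on the class, for example `"""Re-run TestValidate with token caching disabled so validation rebuilds the token rather than serving the copy cached on issue."""`. Without that, the subclass looks like redundant coverage and is likely to be removed later, taking the regression test for the empty-group case with it.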
diff --git a/keystone/token/provider.py b/keystone/token/provider.py
index e3c45a303..c537d1ba8 100644
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@@ -172,7 +172,7 @@ class Manager(manager.Manager):
token.access_token_id = access_token_id
token.application_credential_id = app_cred_id
token.expires_at = expires_at
- if federated_group_ids:
+ if federated_group_ids is not None:
token.is_federated = True
token.identity_provider_id = identity_provider_id
token.protocol_id = protocol_id
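Review bot: With `if federated_group_ids is not None:`, `token.is_federated` now depends entirely on non-federated tokens carrying `None`, never `[]`, in `federated_group_ids`, and nothing in this hunk shows where that value is produced. Since the flag decides how the token is treated downstream, confirm the invariant for every path that supplies the value and record it next to the check, e.g. `# [] is valid for a mapped user with no groups; only None means the token is not federated`. If the invariant cannot be guaranteed, testing `identity_provider_id is not None` may be a sturdier signal, though that depends on code outside the hunk. The enclosing method starts and ends outside this hunk.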
diff --git a/releasenotes/notes/bug-1856962-2c87d541da61c727.yaml b/releasenotes/notes/bug-1856962-2c87d541da61c727.yaml
new file mode 100644
index 000000000..e66a910e5
--- /dev/null
+++ b/releasenotes/notes/bug-1856962-2c87d541da61c727.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ [`bug 1856962 <https://bugs.launchpad.net/keystone/+bug/1856962>`_]
+ Fixes an issue where federated users could not authenticate if their
+ mapped group membership was empty.