authorguang-yee <guang.yee@hpe.com>2016-03-15 17:29:42 -0700
committerguang-yee <guang.yee@hpe.com>2016-03-16 09:47:55 -0700
commite5dcb3b4b6bdecd0947cba32cb3732ca52ed07c3 (patch)
tree8ce271b283a26be18fa3c8d18a01ed02b2156f34 /keystone/federation/utils.py
parent196c4ad3f948860839867efd885bf68993888601 (diff)
Mapping which yield no identities should result in ValidationError
Currently mapping produces a bogus "blind" default identity when no rules match the incoming attributes. This is unnecessary and downright dangerous. There's absolutely no use case for the "blind" identity. Furthermore, consumers of mapped properties assume that the "blind" identity is legit. This leads to expected failures such as KeyError when they try to reference the required identity attributes such as user['name']. We should raise ValidationError if the rules yield no valid identity. This patch also removes the tests where the bogus "blind" identity is expected. Change-Id: I117621673ffc0b4f8e2c48721329daa3b6090327 Closes-Bug: 1557238
Diffstat (limited to 'keystone/federation/utils.py')
-rw-r--r--keystone/federation/utils.py9
1 files changed, 9 insertions, 0 deletions
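diff --git a/keystone/federation/utils.py b/keystone/federation/utils.py
index 18cbf0f28..f97356ec3 100644
--- a/keystone/federation/utils.py
+++ b/keystone/federation/utils.py
@@ -599,6 +599,15 @@ class RuleProcessor(object):
 group_names = list()
 groups_by_domain = dict()
+# if mapping yield no valid identity values, we should bail right away
+# instead of continuing on with a normalized bogus user
+if not identity_values:
+msg = _("Could not map any federated user properties to identity "
+"values. Check debug logs or the mapping used for "
+"additional details.")
+LOG.warning(msg)
+raise exception.ValidationError(msg)
+
 for identity_value in identity_values:
 if 'user' in identity_value:
 # if a mapping outputs more than one user name, log it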
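Review bot: The guard on the `if not identity_values:` line only rejects an empty list, so a rule set that yields entries with no `'user'` key (for example only group entries) still falls through with `user` left as an empty dict, which looks like the same "blind" identity this commit sets out to remove. If a groups-only result is not a valid outcome, widening the check to `if not any('user' in v for v in identity_values):` (or re-checking `user` once the loop has run) would close that path; the rest of the method is outside the hunk, so this is inferred rather than seen. Separately, `LOG.warning(msg)` reuses the `_()`-marked exception text; if this file marks log messages with `_LW` elsewhere, the project's hacking checks may expect `LOG.warning(_LW(...))` here. The enclosing method starts and ends outside the hunk.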