authorerus <erudyn@protonmail.com>2019-02-19 17:32:07 -0300
committerColleen Murphy <colleen.murphy@suse.de>2019-07-19 10:46:23 -0700
commitbf67b3c88409d2f0b2086d363ed91394953d85ba (patch)
tree744bdc474ff6164749c0b83381bf21198a870495 /keystone/federation
parent10eab4824249a2ba190d80cc58e404f07c3d51e8 (diff)
downloadkeystone-bf67b3c88409d2f0b2086d363ed91394953d85ba.tar.gz
Add new attribute to the federation protocol API
Modify the FederationProtocolModel class and add the remote_id_attribute column to the federation_protocol table. Add the respective migration and test files. Also modify the schema to accept a remote_id_attribute property. Closes-bug: #1724645 Co-authored-by: Colleen Murphy<colleen@gazlene.net> Change-Id: I9802c8a5c187bae16de89893ca8639b01cd7cb1b
Diffstat (limited to 'keystone/federation')
-rw-r--r--keystone/federation/backends/sql.py5
-rw-r--r--keystone/federation/schema.py8
-rw-r--r--keystone/federation/utils.py37
3 files changed, 32 insertions, 18 deletions
diff --git a/keystone/federation/backends/sql.py b/keystone/federation/backends/sql.py
index ba26e5560..9451e1a4b 100644
--- a/keystone/federation/backends/sql.py
+++ b/keystone/federation/backends/sql.py
@@ -28,13 +28,14 @@ LOG = log.getLogger(__name__)
class FederationProtocolModel(sql.ModelBase, sql.ModelDictMixin):
__tablename__ = 'federation_protocol'
- attributes = ['id', 'idp_id', 'mapping_id']
- mutable_attributes = frozenset(['mapping_id'])
+ attributes = ['id', 'idp_id', 'mapping_id', 'remote_id_attribute']
+ mutable_attributes = frozenset(['mapping_id', 'remote_id_attribute'])
id = sql.Column(sql.String(64), primary_key=True)
idp_id = sql.Column(sql.String(64), sql.ForeignKey('identity_provider.id',
ondelete='CASCADE'), primary_key=True)
mapping_id = sql.Column(sql.String(64), nullable=False)
+ remote_id_attribute = sql.Column(sql.String(64))
@classmethod
def from_dict(cls, dictionary):
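Review bot: The new `remote_id_attribute` column carries no comment saying what it holds or how it relates to the existing per-protocol `remote_id_attribute` config option, and since this value decides which assertion attribute is trusted to identify the IdP, the model is where a maintainer will look for that. Suggest above the column: `# Name of the assertion/environment attribute that carries the IdP's identity;` followed by `# when set it takes precedence over CONF[<protocol>].remote_id_attribute (see federation/utils.py).` Leaving the column nullable is consistent with the lookup treating an absent value as "fall back to config". `from_dict` continues outside the hunk.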
diff --git a/keystone/federation/schema.py b/keystone/federation/schema.py
index ca2951592..77d4e63ff 100644
--- a/keystone/federation/schema.py
+++ b/keystone/federation/schema.py
@@ -117,8 +117,14 @@ identity_provider_update = {
'additionalProperties': False
}
+_remote_id_attribute_properties = {
+ 'type': 'string',
+ 'maxLength': 64,
+}
+
_protocol_properties = {
- 'mapping_id': parameter_types.mapping_id_string
+ 'mapping_id': parameter_types.mapping_id_string,
+ 'remote_id_attribute': _remote_id_attribute_properties
}
protocol_create = {
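Review bot: `_remote_id_attribute_properties` accepts the empty string and rejects `null`, so the only way an API caller can clear a previously set override is to send `""`, which the lookup in `utils.get_remote_id_parameter` then treats as unset and silently falls back to the config-wide attribute. If that is the intended clearing mechanism it should be stated in a comment on the schema; if not, add `'minLength': 1` and permit `'type': ['string', 'null']` so an explicit clear and an accidental blank are distinguishable at validation time. `protocol_create` continues outside the hunk.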
diff --git a/keystone/federation/utils.py b/keystone/federation/utils.py
index 78deeb41b..92028fa7d 100644
--- a/keystone/federation/utils.py
+++ b/keystone/federation/utils.py
@@ -22,6 +22,7 @@ from oslo_log import log
from oslo_utils import timeutils
import six
+from keystone.common import provider_api
import keystone.conf
from keystone import exception
from keystone.i18n import _
@@ -29,6 +30,7 @@ from keystone.i18n import _
CONF = keystone.conf.CONF
LOG = log.getLogger(__name__)
+PROVIDERS = provider_api.ProviderAPIs
class UserType(object):
@@ -277,23 +279,28 @@ def validate_expiration(token):
raise exception.Unauthorized(_('Federation token is expired'))
-def get_remote_id_parameter(protocol):
+def get_remote_id_parameter(idp, protocol):
# NOTE(marco-fargetta): Since we support any protocol ID, we attempt to
- # retrieve the remote_id_attribute of the protocol ID. If it's not
- # registered in the config, then register the option and try again.
- # This allows the user to register protocols other than oidc and saml2.
- remote_id_parameter = None
- try:
- remote_id_parameter = CONF[protocol]['remote_id_attribute']
- except AttributeError:
- # TODO(dolph): Move configuration registration to keystone.conf
- CONF.register_opt(cfg.StrOpt('remote_id_attribute'),
- group=protocol)
+ # retrieve the remote_id_attribute of the protocol ID. It will look up first
+ # if the remote_id_attribute exists.
+ protocol_ref = PROVIDERS.federation_api.get_protocol(idp['id'], protocol)
+ remote_id_parameter = protocol_ref.get('remote_id_attribute')
+ if remote_id_parameter:
+ return remote_id_parameter
+ else:
+ # If it's not registered in the config, then register the option and try again.
+ # This allows the user to register protocols other than oidc and saml2.
try:
remote_id_parameter = CONF[protocol]['remote_id_attribute']
- except AttributeError: # nosec
- # No remote ID attr, will be logged and use the default instead.
- pass
+ except AttributeError:
+ # TODO(dolph): Move configuration registration to keystone.conf
+ CONF.register_opt(cfg.StrOpt('remote_id_attribute'),
+ group=protocol)
+ try:
+ remote_id_parameter = CONF[protocol]['remote_id_attribute']
+ except AttributeError: # nosec
+ # No remote ID attr, will be logged and use the default instead.
+ pass
if not remote_id_parameter:
LOG.debug('Cannot find "remote_id_attribute" in configuration '
'group %s. Trying default location in '
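Review bot: `PROVIDERS.federation_api.get_protocol(idp['id'], protocol)` changes this function's failure mode: the old code only read config and never raised, whereas the backend lookup presumably raises a not-found exception when the protocol is not registered for this IdP, so `validate_idp` now propagates that error instead of falling back to the config or default attribute. That is arguably the safer behaviour (an unregistered protocol should not be validated against a config-wide attribute), but it is unstated; add `# An unregistered protocol surfaces as an exception here rather than falling back to config.` and confirm the caller of validate_idp handles it, which is not visible in this hunk. The `return` inside the `if` makes the `else:` redundant, so the config-fallback block could be dedented to keep the function flat. The comment `It will look up first if the remote_id_attribute exists` would read better as `The per-protocol value stored via the API takes precedence over the [<protocol>] config option.`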
@@ -305,7 +312,7 @@ def get_remote_id_parameter(protocol):
def validate_idp(idp, protocol, assertion):
"""The IdP providing the assertion should be registered for the mapping."""
- remote_id_parameter = get_remote_id_parameter(protocol)
+ remote_id_parameter = get_remote_id_parameter(idp, protocol)
if not remote_id_parameter or not idp['remote_ids']:
LOG.debug('Impossible to identify the IdP %s ', idp['id'])
# If nothing is defined, the administrator may want to