author | erus <erudyn@protonmail.com> | 2019-02-19 17:32:07 -0300 |
---|---|---|
committer | Colleen Murphy <colleen.murphy@suse.de> | 2019-07-19 10:46:23 -0700 |
commit | bf67b3c88409d2f0b2086d363ed91394953d85ba (patch) | |
tree | 744bdc474ff6164749c0b83381bf21198a870495 /keystone/federation | |
parent | 10eab4824249a2ba190d80cc58e404f07c3d51e8 (diff) | |
download | keystone-bf67b3c88409d2f0b2086d363ed91394953d85ba.tar.gz |
Add new attribute to the federation protocol API
Modify the FederationProtocolModel class and add the
remote_id_attribute to the federation_protocol table.
Add the respective migration and tests files. And
also modify the schema to expect a remote_id_attribute
property.
Closes-bug: #1724645
Co-authored-by: Colleen Murphy<colleen@gazlene.net>
Change-Id: I9802c8a5c187bae16de89893ca8639b01cd7cb1b
Diffstat (limited to 'keystone/federation')
-rw-r--r-- | keystone/federation/backends/sql.py | 5 | ||||
-rw-r--r-- | keystone/federation/schema.py | 8 | ||||
-rw-r--r-- | keystone/federation/utils.py | 37 |
3 files changed, 32 insertions, 18 deletions
diff --git a/keystone/federation/backends/sql.py b/keystone/federation/backends/sql.py
index ba26e5560..9451e1a4b 100644
--- a/keystone/federation/backends/sql.py
+++ b/keystone/federation/backends/sql.py
@@ -28,13 +28,14 @@ LOG = log.getLogger(__name__)
 class FederationProtocolModel(sql.ModelBase, sql.ModelDictMixin):
     __tablename__ = 'federation_protocol'
-    attributes = ['id', 'idp_id', 'mapping_id']
-    mutable_attributes = frozenset(['mapping_id'])
+    attributes = ['id', 'idp_id', 'mapping_id', 'remote_id_attribute']
+    mutable_attributes = frozenset(['mapping_id', 'remote_id_attribute'])
 
     id = sql.Column(sql.String(64), primary_key=True)
     idp_id = sql.Column(sql.String(64), sql.ForeignKey('identity_provider.id',
                         ondelete='CASCADE'), primary_key=True)
     mapping_id = sql.Column(sql.String(64), nullable=False)
+    remote_id_attribute = sql.Column(sql.String(64))
 
     @classmethod
     def from_dict(cls, dictionary):
diff --git a/keystone/federation/schema.py b/keystone/federation/schema.py
index ca2951592..77d4e63ff 100644
--- a/keystone/federation/schema.py
+++ b/keystone/federation/schema.py
@@ -117,8 +117,14 @@ identity_provider_update = {
     'additionalProperties': False
 }
 
+_remote_id_attribute_properties = {
+    'type': 'string',
+    'maxLength': 64,
+}
+
 _protocol_properties = {
-    'mapping_id': parameter_types.mapping_id_string
+    'mapping_id': parameter_types.mapping_id_string,
+    'remote_id_attribute': _remote_id_attribute_properties
 }
 
 protocol_create = {
diff --git a/keystone/federation/utils.py b/keystone/federation/utils.py
index 78deeb41b..92028fa7d 100644
--- a/keystone/federation/utils.py
+++ b/keystone/federation/utils.py
@@ -22,6 +22,7 @@ from oslo_log import log
 from oslo_utils import timeutils
 import six
 
+from keystone.common import provider_api
 import keystone.conf
 from keystone import exception
 from keystone.i18n import _
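Review bot: The new `remote_id_attribute` column in FederationProtocolModel carries no comment explaining how it relates to the existing per-protocol config option, even though the utils.py hunk further down makes the stored value take precedence over `CONF[protocol]['remote_id_attribute']` and treats an unset value as "fall back to config". Since this value decides which assertion attribute identifies the IdP, that precedence is worth stating at the column: `# Per-protocol override of CONF[<protocol>].remote_id_attribute; NULL means use the config value.` The nullable column is consistent with that fallback, and the 64-character limit matches the schema hunk. The class continues outside the hunk with `from_dict`.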
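Review bot: `_remote_id_attribute_properties` in schema.py accepts only `'type': 'string'`, so once an operator has set `remote_id_attribute` on a protocol there is no way through this schema to clear it again and return to the config fallback, unless the update path handles that elsewhere, which is not visible here. Allowing `'type': ['string', 'null']` would let an update reset it. It also accepts the empty string, which the lookup in utils.py treats as "not set"; adding `'minLength': 1` would reject that ambiguous value at validation time instead of storing it.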
@@ -29,6 +30,7 @@ from keystone.i18n import _
 
 CONF = keystone.conf.CONF
 LOG = log.getLogger(__name__)
+PROVIDERS = provider_api.ProviderAPIs
 
 
 class UserType(object):
@@ -277,23 +279,28 @@ def validate_expiration(token):
         raise exception.Unauthorized(_('Federation token is expired'))
 
 
-def get_remote_id_parameter(protocol):
+def get_remote_id_parameter(idp, protocol):
     # NOTE(marco-fargetta): Since we support any protocol ID, we attempt to
-    # retrieve the remote_id_attribute of the protocol ID. If it's not
-    # registered in the config, then register the option and try again.
-    # This allows the user to register protocols other than oidc and saml2.
-    remote_id_parameter = None
-    try:
-        remote_id_parameter = CONF[protocol]['remote_id_attribute']
-    except AttributeError:
-        # TODO(dolph): Move configuration registration to keystone.conf
-        CONF.register_opt(cfg.StrOpt('remote_id_attribute'),
-                          group=protocol)
+    # retrieve the remote_id_attribute of the protocol ID. It will look up first
+    # if the remote_id_attribute exists.
+    protocol_ref = PROVIDERS.federation_api.get_protocol(idp['id'], protocol)
+    remote_id_parameter = protocol_ref.get('remote_id_attribute')
+    if remote_id_parameter:
+        return remote_id_parameter
+    else:
+        # If it's not registered in the config, then register the option and try again.
+        # This allows the user to register protocols other than oidc and saml2.
         try:
             remote_id_parameter = CONF[protocol]['remote_id_attribute']
-        except AttributeError:  # nosec
-            # No remote ID attr, will be logged and use the default instead.
-            pass
+        except AttributeError:
+            # TODO(dolph): Move configuration registration to keystone.conf
+            CONF.register_opt(cfg.StrOpt('remote_id_attribute'),
+                              group=protocol)
+            try:
+                remote_id_parameter = CONF[protocol]['remote_id_attribute']
+            except AttributeError:  # nosec
+                # No remote ID attr, will be logged and use the default instead.
+                pass
     if not remote_id_parameter:
         LOG.debug('Cannot find "remote_id_attribute" in configuration '
                   'group %s. Trying default location in '
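Review bot: The `else:` after `return remote_id_parameter` only adds a nesting level, and the first comment line inside it (`# If it's not registered in the config, then register the option and try again.`) runs past 79 columns, which the project's pep8 job will flag; dropping the `else` and dedenting the config fallback fixes both. The function also gained a parameter but still has no docstring, and the new `PROVIDERS.federation_api.get_protocol(idp['id'], protocol)` call means a protocol not registered for this IdP now raises from here (presumably `exception.ProtocolNotFound`) instead of falling through to the config lookup as the old code did; that change in failure mode belongs in the docstring so callers such as `validate_idp` know to expect it. The body continues outside the hunk with the default-location fallback and the return.
```python
def get_remote_id_parameter(idp, protocol):
    """Return the ``remote_id_attribute`` to use for *protocol* on *idp*.

    The value stored on the protocol record takes precedence; when it is
    unset, fall back to ``CONF[protocol].remote_id_attribute``. The protocol
    must be registered for *idp*, otherwise ``get_protocol`` raises.
    """
    # NOTE(marco-fargetta): Since we support any protocol ID, we attempt to
    # retrieve the remote_id_attribute of the protocol ID, looking at the
    # protocol record first.
    protocol_ref = PROVIDERS.federation_api.get_protocol(idp['id'], protocol)
    remote_id_parameter = protocol_ref.get('remote_id_attribute')
    if remote_id_parameter:
        return remote_id_parameter
    # Not set on the record: consult the config group, registering the option
    # on demand so protocols other than oidc and saml2 can be configured.
    try:
        remote_id_parameter = CONF[protocol]['remote_id_attribute']
    except AttributeError:
        # TODO(dolph): Move configuration registration to keystone.conf
        CONF.register_opt(cfg.StrOpt('remote_id_attribute'),
                          group=protocol)
        try:
            remote_id_parameter = CONF[protocol]['remote_id_attribute']
        except AttributeError:  # nosec
            # No remote ID attr, will be logged and use the default instead.
            pass
    # … unchanged: LOG.debug and default-location fallback …
```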
@@ -305,7 +312,7 @@ def get_remote_id_parameter(protocol):
 
 def validate_idp(idp, protocol, assertion):
     """The IdP providing the assertion should be registered for the mapping."""
-    remote_id_parameter = get_remote_id_parameter(protocol)
+    remote_id_parameter = get_remote_id_parameter(idp, protocol)
     if not remote_id_parameter or not idp['remote_ids']:
         LOG.debug('Impossible to identify the IdP %s ', idp['id'])
         # If nothing is defined, the administrator may want to
 |