yahoo-eng-team team mailing list archive

[Bug 1291981] [NEW] missing type check in SAML RuleProcessor

 

Public bug reported:

RuleProcessor assumes every element in context['environment'] can be
split as a string as seen here:
https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L172

This is however not always the case:

  curl -si -d '{
      "auth": {
          "identity": {
              "methods": [
                  "saml2"
              ],
              "saml2": {
                  "identity_provider": "testshib",
                  "protocol": "admin"
              }
          }
      }
  }' -H "Content-type: application/json" http://XXX:5000/v3/auth/tokens

2014-03-10 23:21:34.869 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. from (pid=7939) process_request /opt/stack/keystone/keystone/middleware/core.py:270
2014-03-10 23:21:34.871 DEBUG keystone.common.wsgi [-] arg_dict: {} from (pid=7939) __call__ /opt/stack/keystone/keystone/common/wsgi.py:180
2014-03-10 23:21:34.877 ERROR keystone.common.wsgi [-] 'Route' object has no attribute 'split'
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/common/wsgi.py", line 205, in __call__
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi     result = method(context, **params)
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/controllers.py", line 316, in authenticate_for_token
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi     self.authenticate(context, auth_info, auth_context)
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/controllers.py", line 416, in authenticate
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi     auth_context)
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/plugins/saml2.py", line 54, in authenticate
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi     fields = self._handle_unscoped_token(context, auth_payload)
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/plugins/saml2.py", line 77, in _handle_unscoped_token
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi     mapped_properties = rule_processor.process(assertion)
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/contrib/federation/utils.py", line 172, in process
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi     assertion = dict((n, v.split(';')) for n, v in assertion_data.items())
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/contrib/federation/utils.py", line 172, in <genexpr>
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi     assertion = dict((n, v.split(';')) for n, v in assertion_data.items())
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi AttributeError: 'Route' object has no attribute 'split'
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi 
2014-03-10 23:21:34.881 INFO eventlet.wsgi.server [-] 84.99.59.174 - - [10/Mar/2014 23:21:34] "POST /v3/auth/tokens HTTP/1.1" 500 331 0.012142

---------

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1291981

Title:
  missing type check in SAML RuleProcessor

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1291981/+subscriptions
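
The failure in the traceback above, reproduced next to a type-checked variant. This is an added example, not Keystone's code or its fix: the Route class, the sample environment and its key names, and the function names are constructed for illustration; only the split expression is taken from the traceback.

```python
class Route(object):
    """Constructed stand-in for the non-string object named in the traceback."""


# Constructed sample of context['environment']: string attributes mixed with
# objects that the WSGI stack stores in the same dict (key names are assumed).
SAMPLE_ENVIRONMENT = {
    "REMOTE_USER": "alice",
    "memberOf": "staff;admins",
    "routes.route": Route(),
    "wsgiorg.routing_args": (object(), {}),
    "CONTENT_LENGTH": 231,
}


def split_unchecked(assertion_data):
    """The expression from utils.py line 172 as shown in the traceback."""
    return dict((n, v.split(';')) for n, v in assertion_data.items())


def split_checked(assertion_data):
    """Same split, applied only to values that really are strings.

    On the Python 2 code base of the report the check would have to cover
    both str and unicode; str is enough on Python 3.
    """
    return dict((n, v.split(';')) for n, v in assertion_data.items()
                if isinstance(v, str))


def demo():
    """Return (error text from the unchecked split, result of the checked one)."""
    try:
        split_unchecked(SAMPLE_ENVIRONMENT)
        error = None
    except AttributeError as exc:
        error = str(exc)
    return error, split_checked(SAMPLE_ENVIRONMENT)


if __name__ == "__main__":
    error, assertion = demo()
    print("unchecked:", error)
    print("checked:  ", assertion)
```

The type filter only stops the crash: every string value in the environment, not just identity-provider attributes, still reaches the mapping rules.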

