yahoo-eng-team team mailing list archive

[Bug 1414961] [NEW] regex bypasses eval_type in federation mapping rules

 

Public bug reported:

According to this API document[1], when creating mapping rules, we can
specify "regex: true" to indicate that we would like each string to be
evaluated by regular expression. But in the current implementation[2],
when "regex" is true, it's only checked whether the values from the
assertion match the values from the mapping rules, and the "any_one_of"
and "not_any_of" options are bypassed. So if one specifies "regex: true"
and "not_any_of" at the same time, he will get an unexpected result: an
assertion with values in "not_any_of" can pass the check.

I think the expected behaviour, when "regex" is true, should be to match
values in the assertion and the mapping rules using regular expressions:
if they match with "any_one_of" or do not match with "not_any_of", pass
the check; otherwise fail the check.

[1] https://review.openstack.org/#/c/59848/
[2] https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L565-L578

** Affects: keystone
     Importance: Undecided
     Assignee: Zhiyuan Cai (luckyvega-g)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => Zhiyuan Cai (luckyvega-g)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1414961

Title:
  regex bypasses eval_type in federation mapping rules

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1414961/+subscriptions
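
An added illustration of the logic error the report describes, not Keystone's code and not part of the original message. The function names, the simplified requirement dict and the sample rule are assumptions made for the example; it contrasts the reported behaviour with the behaviour the reporter expects.

```python
import re

ANY_ONE_OF = "any_one_of"
NOT_ANY_OF = "not_any_of"


def _matches(rule_values, assertion_values, regex):
    """True if any assertion value matches any rule value."""
    if regex:
        return any(re.search(pattern, value)
                   for pattern in rule_values
                   for value in assertion_values)
    return bool(set(rule_values) & set(assertion_values))


def evaluate_as_reported(requirement, assertion_values):
    """Model of the reported behaviour: regex short-circuits eval_type."""
    eval_type = ANY_ONE_OF if ANY_ONE_OF in requirement else NOT_ANY_OF
    rule_values = requirement[eval_type]
    if requirement.get("regex"):
        # Only "did something match?" is checked, so not_any_of is never
        # inverted and a listed value satisfies the requirement.
        return _matches(rule_values, assertion_values, regex=True)
    matched = _matches(rule_values, assertion_values, regex=False)
    return matched if eval_type == ANY_ONE_OF else not matched


def evaluate_as_expected(requirement, assertion_values):
    """Expected behaviour: regex changes how values match, nothing else."""
    eval_type = ANY_ONE_OF if ANY_ONE_OF in requirement else NOT_ANY_OF
    matched = _matches(requirement[eval_type], assertion_values,
                       bool(requirement.get("regex")))
    return matched if eval_type == ANY_ONE_OF else not matched


# Constructed sample rule: reject assertions carrying a "-contractors" group.
DENY_CONTRACTORS = {"type": "groups",
                    "not_any_of": [r".*-contractors$"],
                    "regex": True}

if __name__ == "__main__":
    for groups in (["eng-contractors"], ["eng-staff"]):
        print(groups,
              "reported:", evaluate_as_reported(DENY_CONTRACTORS, groups),
              "expected:", evaluate_as_expected(DENY_CONTRACTORS, groups))
```

A regression test for a fix would assert both directions: a value matching a "not_any_of" pattern must fail the requirement, and a non-matching value must pass it.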

