← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1414961] Re: regex bypasses eval_type in federation mapping rules

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => kilo-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1414961

Title:
  regex bypasses eval_type in federation mapping rules

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  According to this api document[1], when creating mapping rules, we can
  specify "regex: true" to indicate that we would like each string to be
  evaluated by regular repression. But in current implementation[2],
  when "regex" is true, it's only checked that if the values from
  assertion match the values from the mapping rules, and "any_one_of"
  and "not_any_of" options are bypassed. So if one specifies "regex:
  true" and "not_any_of" at the same time, he will got an unexpected
  result that assertion with values in "not_any_of" can pass the check.

  I think the expected behaviour, when "regex" is true, should be
  matching values in assertion and mapping rules using regular
  expression, if match with "any_one_of" or not match with "not_any_of",
  pass the check, otherwise fail the check.

  [1] https://review.openstack.org/#/c/59848/
  [2] https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L565-L578

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1414961/+subscriptions


References