yahoo-eng-team team mailing list archive

[Bug 1487937] [NEW] IndexError if federation mapping doesn't match anything

Public bug reported:

I have a mapping that looks like this:

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "id": "{0}",
                    "domain": {"name": "Default"}
                }
            }
        ],
        "remote": [
            {
                "type": "REMOTE_USER"
            }
        ]
    },

    {
        "local": [
            {
                "groups": "{0}",
                "domain": {
                    "name": "Default"
                }
            }
        ],
        "remote": [
            {
                "type": "REMOTE_USER_GROUPS",
                "whitelist": ["ipausers"]
            }
        ]
    },

    {
        "local": [
            {
                "groups": {
                    "name": "services",
                    "domain": {
                        "name": "Default"
                    }
                }
            }
        ],
        "remote": [
            {
                "type": "GSS_NAME",
                "any_one_of": [
                    "glance/openstack.jamielennox.test@xxxxxxxxxxxxxxxx"
                ]
            }
        ]
    }
]

For the service user, who would match the last part of that mapping, the
REMOTE_USER_GROUPS value is not present in the assertion. Because of the
way _verify_all_requirements works[1], when the type is not present in the
assertion the direct map part of this rule simply falls through and
returns the direct map object - the equivalent of accepting the remote
rule.

Then, because nothing was added to the returned DirectMap object, trying
to apply the "{0}" fails because there is nothing to interpolate against,
and I get an error like:

[-] tuple index out of range
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 239, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/controllers.py", line 267, in federated_authentication
    return self.authenticate_for_token(context, auth=auth)
  File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 377, in authenticate_for_token
    self.authenticate(context, auth_info, auth_context)
  File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 502, in authenticate
    auth_context)
  File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 70, in authenticate
    self.identity_api)
  File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 144, in handle_unscoped_token
    federation_api, identity_api)
  File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 193, in apply_mapping_filter
    mapped_properties = rule_processor.process(assertion)
  File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/utils.py", line 472, in process
    new_local = self._update_local_mapping(local, direct_maps)
  File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/utils.py", line 617, in _update_local_mapping
    new_value = v.format(*direct_maps)
IndexError: tuple index out of range

(note this is run against stable/kilo, however the problem still
exists).


My impression here is that if the "type" specified in the remote part of the rule is not present in the assertion, then that should be an immediate failure of the rule.


[1]
https://github.com/openstack/keystone/blob/40ecf5e61e2d6277d38d5b0bf04201db4f58583b/keystone/contrib/federation/utils.py#L675-L722

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1487937

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1487937/+subscriptions
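The fall-through described in the report, reproduced in a small model of the rule evaluation. This is an added example, not Keystone's code and not part of the bug report: a simplified processor with a lenient mode modelled on the reported behaviour (a "remote" type missing from the assertion is skipped as though it had matched, so nothing is captured for "{0}") and a strict mode that implements the reporter's suggestion (a missing type fails the rule). The mapping mirrors the shape of the one in the report, but the service principal name, the assertions and the user names are constructed for this example.

```python
"""Added example: a simplified model of the mapping evaluation described in
the bug. This is not Keystone's code. It reproduces only the behaviour the
report describes: a remote rule whose "type" is absent from the assertion is
treated as satisfied (lenient), so nothing is captured for "{0}" and
str.format raises IndexError. The strict variant treats the absent type as a
rule mismatch instead."""


def _to_list(value):
    # Assertion attributes may arrive as a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)


def verify_requirements(remote, assertion, strict):
    """Evaluate one rule's "remote" section.

    Returns the captured direct-map values (what "{0}", "{1}", ... expand to)
    or None when the rule does not match.
    """
    direct_maps = []
    for req in remote:
        values = assertion.get(req["type"])
        if values is None:
            if strict:
                return None      # proposed behaviour: missing type fails the rule
            continue             # reported behaviour: missing type silently passes
        values = _to_list(values)
        if "any_one_of" in req:
            # any_one_of only filters; it captures nothing for interpolation.
            if not set(values) & set(req["any_one_of"]):
                return None
            continue
        if "whitelist" in req:
            values = [v for v in values if v in req["whitelist"]]
        elif "blacklist" in req:
            values = [v for v in values if v not in req["blacklist"]]
        # In this model a single value is captured bare so "{0}" expands to it.
        direct_maps.append(values[0] if len(values) == 1 else values)
    return direct_maps


def apply_local(local, direct_maps):
    """Interpolate "{n}" placeholders throughout the rule's "local" section."""
    def fmt(node):
        if isinstance(node, str):
            return node.format(*direct_maps)   # IndexError when nothing was captured
        if isinstance(node, dict):
            return {k: fmt(v) for k, v in node.items()}
        if isinstance(node, list):
            return [fmt(v) for v in node]
        return node
    return [fmt(item) for item in local]


def process(mapping, assertion, strict=False):
    """Apply every rule; each matching rule contributes its local output."""
    mapped = []
    for rule in mapping:
        direct_maps = verify_requirements(rule["remote"], assertion, strict)
        if direct_maps is None:
            continue
        mapped.extend(apply_local(rule["local"], direct_maps))
    return mapped


# Constructed mapping with the same shape as the one in the report; the
# service principal name is made up for this example.
SERVICE_PRINCIPAL = "glance/openstack.example.test@EXAMPLE.TEST"
MAPPING = [
    {"local": [{"user": {"name": "{0}", "id": "{0}", "domain": {"name": "Default"}}}],
     "remote": [{"type": "REMOTE_USER"}]},
    {"local": [{"groups": "{0}", "domain": {"name": "Default"}}],
     "remote": [{"type": "REMOTE_USER_GROUPS", "whitelist": ["ipausers"]}]},
    {"local": [{"groups": {"name": "services", "domain": {"name": "Default"}}}],
     "remote": [{"type": "GSS_NAME", "any_one_of": [SERVICE_PRINCIPAL]}]},
]

# Constructed assertions: the service principal carries no REMOTE_USER_GROUPS
# attribute at all, which is the situation that produces the traceback.
SERVICE_ASSERTION = {"REMOTE_USER": "glance", "GSS_NAME": SERVICE_PRINCIPAL}
USER_ASSERTION = {"REMOTE_USER": "alice",
                  "REMOTE_USER_GROUPS": ["ipausers", "admins"],
                  "GSS_NAME": "alice@EXAMPLE.TEST"}


def lenient_outcome(assertion):
    """Name of the exception raised under the reported behaviour, or None."""
    try:
        process(MAPPING, assertion, strict=False)
    except IndexError as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print("service, lenient:", lenient_outcome(SERVICE_ASSERTION))
    print("service, strict: ", process(MAPPING, SERVICE_ASSERTION, strict=True))
    print("user, strict:    ", process(MAPPING, USER_ASSERTION, strict=True))
```

Run as a script, the lenient pass over the service assertion raises IndexError out of str.format, exactly the point in the traceback above; the strict pass yields the user plus the "services" group. A normal user whose assertion does carry REMOTE_USER_GROUPS maps identically under both modes, so failing the rule on an absent type changes nothing for rules whose type is present.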

