yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #38823
[Bug 1487937] Re: IndexError if federation mapping doesn't match anything
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => liberty-rc1
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1487937
Title:
IndexError if federation mapping doesn't match anything
Status in Keystone:
Fix Released
Bug description:
I have a mapping that looks like this:
[
{
"local": [
{
"user": {
"name": "{0}",
"id": "{0}",
"domain": {"name": "Default"}
}
}
],
"remote": [
{
"type": "REMOTE_USER"
}
]
},
{
"local": [
{
"groups": "{0}",
"domain": {
"name": "Default"
}
}
],
"remote": [
{
"type": "REMOTE_USER_GROUPS",
"whitelist": ["ipausers"]
}
]
},
{
"local": [
{
"groups": {
"name": "services",
"domain": {
"name": "Default"
}
}
}
],
"remote": [
{
"type": "GSS_NAME",
"any_one_of": [
"glance/openstack.jamielennox.test@xxxxxxxxxxxxxxxx"
]
}
]
}
]
In the event of the service user who would match the last part of that
mapping the REMOTE_USER_GROUPS value is not present in the assertion.
Because of the way _verify_all_requirements works[1] because the type
is not present in the assertion the direct map part of this rule
simply falls through and returns the direct map object - the
equivalent to accepting the remote rule.
Then because nothing was added to the returned DirectMap object trying
to apply the "{0}" fails because there is nothing to interpolate
against and i get an error like:
[-] tuple index out of range
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 239, in __call__
result = method(context, **params)
File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/controllers.py", line 267, in federated_authentication
return self.authenticate_for_token(context, auth=auth)
File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 377, in authenticate_for_token
self.authenticate(context, auth_info, auth_context)
File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 502, in authenticate
auth_context)
File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 70, in authenticate
self.identity_api)
File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 144, in handle_unscoped_token
federation_api, identity_api)
File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 193, in apply_mapping_filter
mapped_properties = rule_processor.process(assertion)
File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/utils.py", line 472, in process
new_local = self._update_local_mapping(local, direct_maps)
File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/utils.py", line 617, in _update_local_mapping
new_value = v.format(*direct_maps)
IndexError: tuple index out of range
(note this is run against stable/kilo, however the problem still
exists).
My impression here is that if the "type" specified in the remote part of the rule is not present in the assertion then that should be an immediate failure of the rule.
[1]
https://github.com/openstack/keystone/blob/40ecf5e61e2d6277d38d5b0bf04201db4f58583b/keystone/contrib/federation/utils.py#L675-L722
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1487937/+subscriptions
References
