
yahoo-eng-team team mailing list archive

[Bug 1711883] [NEW] A logic error in function get_user_unique_id_and_display_name()

 

Public bug reported:

Firstly, see the code of function get_user_unique_id_and_display_name()
of keystone/auth/plugins/mapped.py

    # keystone/auth/plugins/mapped.py

    def get_user_unique_id_and_display_name(request, mapped_properties):

        user = mapped_properties['user']

        user_id = user.get('id')
        user_name = user.get('name') or request.remote_user

        if not any([user_id, user_name]):
            msg = _("Could not map user while setting ephemeral user identity. "
                    "Either mapping rules must specify user id/name or "
                    "REMOTE_USER environment variable must be set.")
            raise exception.Unauthorized(msg)

        elif not user_name:
            user['name'] = user_id

        elif not user_id:
            user_id = user_name

        user['id'] = parse.quote(user_id)
        return (user['id'], user['name'])


There is an error inside the above function.
If user.get('name') is None, but request.remote_user is not None, e.g. request.remote_user is "fed_user", then user_name will be "fed_user".
So, the execution path will not go into "elif not user_name". So, for the last line "return (user['id'], user['name'])", user['name'] will raise a KeyError exception.

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: federation

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1711883

Title:
  A logic error in function get_user_unique_id_and_display_name()

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1711883/+subscriptions
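
The failing path described in the report can be reproduced outside keystone. The following is an added example, not keystone's code and not the project's patch: `reported` copies the quoted logic with the keystone imports stubbed, `candidate_fix` is one hypothetical correction, and `Unauthorized`, `outcome` and `CASES` are names constructed for this illustration.

```python
from types import SimpleNamespace
from urllib import parse

class Unauthorized(Exception):
    """Stand-in for keystone's exception.Unauthorized (assumption)."""

def reported(request, mapped_properties):
    """Logic as quoted in the report, with keystone imports stubbed out."""
    user = mapped_properties['user']
    user_id = user.get('id')
    user_name = user.get('name') or request.remote_user
    if not any([user_id, user_name]):
        raise Unauthorized("Could not map user")
    elif not user_name:
        user['name'] = user_id
    elif not user_id:
        user_id = user_name
    user['id'] = parse.quote(user_id)
    # 'name' is only written in the first elif, so this lookup can fail.
    return (user['id'], user['name'])

def candidate_fix(request, mapped_properties):
    """Hypothetical fix: always write the resolved name back into the dict."""
    user = mapped_properties['user']
    user_id = user.get('id')
    user_name = user.get('name') or request.remote_user
    if not any([user_id, user_name]):
        raise Unauthorized("Could not map user")
    user['name'] = user_name or user_id
    user['id'] = parse.quote(user_id or user_name)
    return (user['id'], user['name'])

def outcome(func, user, remote_user):
    """Run func on constructed input; return its result or the exception name."""
    request = SimpleNamespace(remote_user=remote_user)
    try:
        return func(request, {'user': dict(user)})
    except (KeyError, Unauthorized) as exc:
        return type(exc).__name__

# Constructed inputs: (user dict produced by the mapping, REMOTE_USER value)
CASES = [({}, "fed_user"), ({'id': 'abc'}, "fed_user"),
         ({'id': 'abc'}, None), ({'name': 'n'}, None), ({}, None)]

if __name__ == "__main__":
    for user, remote in CASES:
        print(user, remote, outcome(reported, user, remote),
              outcome(candidate_fix, user, remote))
```

The first two cases show that the quoted logic fails whenever the name comes only from REMOTE_USER, whether or not the mapping supplied an id.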
