yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1711883] Re: An error in function get_user_unique_id_and_display_name()

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1711883@xxxxxxxxxxxxxxxxxx>
Date: Mon, 02 Jul 2018 23:48:21 -0000
Reply-to: Bug 1711883 <1711883@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/576433
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f4729795ecfbc53ae391204726fd441ce4b462ef
Submitter: Zuul
Branch:    master

commit f4729795ecfbc53ae391204726fd441ce4b462ef
Author: Vishakha Agarwal <agarwalvishakha18@xxxxxxxxx>
Date:   Tue Jun 19 14:21:46 2018 +0530

    Added check to avoid keyerror "user['name']"
    
    In get_user_unique_id_and_display_name() of
    keystone/auth/plugins/mapped.py, the checking
    of user dict's key "name" is not very strict.
    So, we need to add more strict validation here.
    
    Change-Id: Ib147e90e4076c1c2ca7a9fd1cf8d17ce3ddc5e34
    Closes-Bug: #1711883


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1711883

Title:
  An error in function get_user_unique_id_and_display_name()

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Firstly, see the code of function
  get_user_unique_id_and_display_name() of
  keystone/auth/plugins/mapped.py

      # keystone/auth/plugins/mapped.py

      def get_user_unique_id_and_display_name(request,
  mapped_properties):

          user = mapped_properties['user']

          user_id = user.get('id')
          user_name = user.get('name') or request.remote_user

          if not any([user_id, user_name]):
              msg = _("Could not map user while setting ephemeral user identity. "
                      "Either mapping rules must specify user id/name or "
                      "REMOTE_USER environment variable must be set.")
              raise exception.Unauthorized(msg)

          elif not user_name:
              user['name'] = user_id

          elif not user_id:
              user_id = user_name

          user['id'] = parse.quote(user_id)
          return (user['id'], user['name'])

  There is an error inside above function.
  If user.get('name') is None, but request.remote_user is not None, e.g. request.remote_user is "fed_user", then user_name will be "fed_user".
  So, the execution path will not go into "elif not user_name". So, for last line "return (user['id'], user['name'])", user['name'] will raise KeyError exception.

  https://github.com/openstack/keystone/blob/682cfa5c6d135641797ec9e51299287e8191e858/keystone/auth/plugins/mapped.py#L324-L368

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1711883/+subscriptions

References

[Bug 1711883] [NEW] A logic error in function get_user_unique_id_and_display_name()
From: Lei Lei, 2017-08-20