Update federated user display name with shadow_users_api

When a user comes to the cloud for the first time, a shadow user is created. When the user authenticates again, this shadow user is fetched and returned. Before it is returned, its display name should be updated. But the call to update the display name fails because neither identity manager nor identity drivers have the required method. However, the required method exists in shadow_users_api. The issue was hidden because method shadow_federated_user was cached and while the cache lived, the user could authenticate. Use the method of shadow_user_api instead of identity_api to update federated user display name. Change-Id: I58e65bdf3a953f3ded485003939b81f908738e1e Closes-Bug: 1566282 (cherry picked from commit 7ad4f8728c)
2016-04-05 18:50:48 +03:00 · 2016-04-05 18:50:48 +03:00 · 3e5fca06c6
parent dba04cdd23
commit 3e5fca06c6
2 changed files with 30 additions and 2 deletions
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@ -1239,8 +1239,8 @@ class Manager(manager.Manager):
        try:
            user_dict = self.shadow_users_api.get_federated_user(
                idp_id, protocol_id, unique_id)
-            self.update_federated_user_display_name(idp_id, protocol_id,
-                                                    unique_id, display_name)
+            self.shadow_users_api.update_federated_user_display_name(
+                idp_id, protocol_id, unique_id, display_name)
        except exception.UserNotFound:
            federated_dict = {
                'idp_id': idp_id,
--- a/keystone/tests/unit/test_v3_identity.py
+++ b/keystone/tests/unit/test_v3_identity.py
@ -499,6 +499,34 @@ class IdentityTestCase(test_v3.RestfulTestCase):
        self.assertIsNone(user['domain_id'])
        self.assertEqual(user['enabled'], True)

+    def test_shadow_existing_federated_user(self):
+        fed_user = unit.new_federated_user_ref()
+
+        # introduce the user to keystone for the first time
+        shadow_user1 = self.identity_api.shadow_federated_user(
+            fed_user["idp_id"],
+            fed_user["protocol_id"],
+            fed_user["unique_id"],
+            fed_user["display_name"])
+        self.assertEqual(fed_user['display_name'], shadow_user1['name'])
+
+        # shadow the user again, with another name to invalidate the cache
+        # internally, this operation causes request to the driver. It should
+        # not fail.
+        fed_user['display_name'] = uuid.uuid4().hex
+        shadow_user2 = self.identity_api.shadow_federated_user(
+            fed_user["idp_id"],
+            fed_user["protocol_id"],
+            fed_user["unique_id"],
+            fed_user["display_name"])
+        # FIXME(dolph): These assertEqual / assertNotEqual should be reversed,
+        # to illustrate that the display name has been updated as expected.
+        self.assertNotEqual(fed_user['display_name'], shadow_user2['name'])
+        self.assertEqual(shadow_user1['name'], shadow_user2['name'])
+
+        # The shadowed users still share the same unique ID.
+        self.assertEqual(shadow_user1['id'], shadow_user2['id'])
+
    # group crud tests

    def test_create_group(self):