Fix the username value in federated tokens

Currently, in both unscoped and scoped federated tokens, the username value in the token is equal to the userid and not to the value of the username in the external identity provider. This makes WebSSO login to show the userid of the logged-in user in the Horizon dashboard, whereas before it was showing the actual user name. This patch fixes the value of the username in the federated tokens, which will fix the WebSSO issue as well, since Horizon looks at the username value and displays that as the logged-in user. Closes-Bug: #1597101 Closes-Bug: #1482701 Change-Id: I33a0274641c4e6bc4e127f5206ba9bc7dbd8e5a8 (cherry picked from commit 2042c955c8)
2016-06-29 11:21:13 -07:00 · 2016-06-29 11:21:13 -07:00 · 176cbf2551
parent ee74d157ab
commit 176cbf2551
4 changed files with 29 additions and 6 deletions
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@ -154,8 +154,8 @@ class FederatedSetupMixin(object):
        self.assertIn('identity_provider', user['OS-FEDERATION'])
        self.assertIn('protocol', user['OS-FEDERATION'])

-        # Make sure user_id is url safe
-        self.assertEqual(urllib.parse.quote(user['name']), user['id'])
+        # Make sure user_name is url safe
+        self.assertEqual(urllib.parse.quote(user['name']), user['name'])

    def _issue_unscoped_token(self,
                              idp=None,
@ -2503,6 +2503,21 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
                          self._issue_unscoped_token,
                          assertion='ANOTHER_LOCAL_USER_ASSERTION')

+    def test_user_name_and_id_in_federation_token(self):
+        r = self._issue_unscoped_token(assertion='EMPLOYEE_ASSERTION')
+        token = r.json_body['token']
+        self.assertEqual(
+            mapping_fixtures.EMPLOYEE_ASSERTION['UserName'],
+            token['user']['name'])
+        self.assertNotEqual(token['user']['name'], token['user']['id'])
+        r = self.v3_create_token(
+            self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_EMPLOYEE)
+        token = r.json_body['token']
+        self.assertEqual(
+            mapping_fixtures.EMPLOYEE_ASSERTION['UserName'],
+            token['user']['name'])
+        self.assertNotEqual(token['user']['name'], token['user']['id'])
+

 class FernetFederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
    AUTH_METHOD = 'token'
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@ -129,6 +129,7 @@ class TestValidate(unit.TestCase):
        protocol = uuid.uuid4().hex
        auth_context = {
            'user_id': user_ref['id'],
+            'user_name': user_ref['name'],
            'group_ids': group_ids,
            federation_constants.IDENTITY_PROVIDER: identity_provider,
            federation_constants.PROTOCOL: protocol,
@ -140,7 +141,7 @@ class TestValidate(unit.TestCase):
        token = token_data['token']
        exp_user_info = {
            'id': user_ref['id'],
-            'name': user_ref['id'],
+            'name': user_ref['name'],
            'domain': {'id': CONF.federation.federated_domain_name,
                       'name': CONF.federation.federated_domain_name, },
            federation_constants.FEDERATION: {
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@ -628,10 +628,14 @@ class BaseProvider(provider.Provider):
        group_ids = auth_context['group_ids']
        idp = auth_context[federation_constants.IDENTITY_PROVIDER]
        protocol = auth_context[federation_constants.PROTOCOL]
+
+        user_dict = self.identity_api.get_user(user_id)
+        user_name = user_dict['name']
+
        token_data = {
            'user': {
                'id': user_id,
-                'name': parse.unquote(user_id),
+                'name': parse.unquote(user_name),
                federation_constants.FEDERATION: {
                    'groups': [{'id': x} for x in group_ids],
                    'identity_provider': {'id': idp},
--- a/keystone/token/providers/fernet/core.py
+++ b/keystone/token/providers/fernet/core.py
@ -22,7 +22,7 @@ from keystone.token.providers.fernet import token_formatters as tf
 CONF = cfg.CONF


-@dependency.requires('trust_api', 'oauth_api')
+@dependency.requires('trust_api', 'oauth_api', 'identity_api')
 class Provider(common.BaseProvider):
    def __init__(self, *args, **kwargs):
        super(Provider, self).__init__(*args, **kwargs)
@ -107,11 +107,14 @@ class Provider(common.BaseProvider):
            'protocol': {'id': protocol_id}
        }

+        user_dict = self.identity_api.get_user(user_id)
+        user_name = user_dict['name']
+
        token_dict = {
            'user': {
                federation_constants.FEDERATION: federated_info,
                'id': user_id,
-                'name': user_id,
+                'name': user_name,
                'domain': {'id': CONF.federation.federated_domain_name,
                           'name': CONF.federation.federated_domain_name, },
            }