Fix the username value in federated tokens

Currently, in both unscoped and scoped federated tokens, the username value in the token is equal to the userid and not to the value of the username in the external identity provider. This makes WebSSO login to show the userid of the logged-in user in the Horizon dashboard, whereas before it was showing the actual user name. This patch fixes the value of the username in the federated tokens, which will fix the WebSSO issue as well, since Horizon looks at the username value and displays that as the logged-in user. Closes-Bug: #1597101 Closes-Bug: #1482701 Change-Id: I33a0274641c4e6bc4e127f5206ba9bc7dbd8e5a8
2016-06-29 11:21:13 -07:00 · 2016-06-29 11:21:13 -07:00 · 2042c955c8
parent 0ce20cb08c
commit 2042c955c8
4 changed files with 29 additions and 6 deletions
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@ -151,8 +151,8 @@ class FederatedSetupMixin(object):
        self.assertIn('identity_provider', user['OS-FEDERATION'])
        self.assertIn('protocol', user['OS-FEDERATION'])

-        # Make sure user_id is url safe
-        self.assertEqual(urllib.parse.quote(user['name']), user['id'])
+        # Make sure user_name is url safe
+        self.assertEqual(urllib.parse.quote(user['name']), user['name'])

    def _issue_unscoped_token(self,
                              idp=None,
@ -2504,6 +2504,21 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
                          self._issue_unscoped_token,
                          assertion='ANOTHER_LOCAL_USER_ASSERTION')

+    def test_user_name_and_id_in_federation_token(self):
+        r = self._issue_unscoped_token(assertion='EMPLOYEE_ASSERTION')
+        token = r.json_body['token']
+        self.assertEqual(
+            mapping_fixtures.EMPLOYEE_ASSERTION['UserName'],
+            token['user']['name'])
+        self.assertNotEqual(token['user']['name'], token['user']['id'])
+        r = self.v3_create_token(
+            self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_EMPLOYEE)
+        token = r.json_body['token']
+        self.assertEqual(
+            mapping_fixtures.EMPLOYEE_ASSERTION['UserName'],
+            token['user']['name'])
+        self.assertNotEqual(token['user']['name'], token['user']['id'])
+

 class FernetFederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
    AUTH_METHOD = 'token'
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@ -129,6 +129,7 @@ class TestValidate(unit.TestCase):
        protocol = uuid.uuid4().hex
        auth_context = {
            'user_id': user_ref['id'],
+            'user_name': user_ref['name'],
            'group_ids': group_ids,
            federation_constants.IDENTITY_PROVIDER: identity_provider,
            federation_constants.PROTOCOL: protocol,
@ -140,7 +141,7 @@ class TestValidate(unit.TestCase):
        token = token_data['token']
        exp_user_info = {
            'id': user_ref['id'],
-            'name': user_ref['id'],
+            'name': user_ref['name'],
            'domain': {'id': CONF.federation.federated_domain_name,
                       'name': CONF.federation.federated_domain_name, },
            federation_constants.FEDERATION: {
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@ -641,10 +641,14 @@ class BaseProvider(provider.Provider):
        group_ids = auth_context['group_ids']
        idp = auth_context[federation_constants.IDENTITY_PROVIDER]
        protocol = auth_context[federation_constants.PROTOCOL]
+
+        user_dict = self.identity_api.get_user(user_id)
+        user_name = user_dict['name']
+
        token_data = {
            'user': {
                'id': user_id,
-                'name': parse.unquote(user_id),
+                'name': parse.unquote(user_name),
                federation_constants.FEDERATION: {
                    'groups': [{'id': x} for x in group_ids],
                    'identity_provider': {'id': idp},
--- a/keystone/token/providers/fernet/core.py
+++ b/keystone/token/providers/fernet/core.py
@ -25,7 +25,7 @@ from keystone.token.providers.fernet import token_formatters as tf
 CONF = keystone.conf.CONF


-@dependency.requires('trust_api', 'oauth_api')
+@dependency.requires('trust_api', 'oauth_api', 'identity_api')
 class Provider(common.BaseProvider):
    def __init__(self, *args, **kwargs):
        super(Provider, self).__init__(*args, **kwargs)
@ -124,11 +124,14 @@ class Provider(common.BaseProvider):
            'protocol': {'id': protocol_id}
        }

+        user_dict = self.identity_api.get_user(user_id)
+        user_name = user_dict['name']
+
        token_dict = {
            'user': {
                federation_constants.FEDERATION: federated_info,
                'id': user_id,
-                'name': user_id,
+                'name': user_name,
                'domain': {'id': CONF.federation.federated_domain_name,
                           'name': CONF.federation.federated_domain_name, },
            }