Add an OS-FEDERATION section to scoped federation tokens
In this change, we add an OS-FEDERATION section to the user section in a scoped federation token. We currently do the same for unscoped tokens. This will also help with revocation events, specifically revoking tokens based on IDP id. Change-Id: Ibcb12a4a9db45351127458a96de1161de55d5a18 Closes-Bug: #1351038
parent
f803249fa9
commit
9847ebd90e
@ -59,7 +59,9 @@ class Saml2(auth.AuthMethodHandler):
|
|||
utils.validate_groups(group_ids, mapping['id'], self.identity_api)
|
||||
return {
|
||||
'user_id': token_ref['user_id'],
|
||||
'group_ids': group_ids
|
||||
'group_ids': group_ids,
|
||||
federation.IDENTITY_PROVIDER: identity_provider,
|
||||
federation.PROTOCOL: protocol
|
||||
}
|
||||
|
||||
def _handle_unscoped_token(self, context, auth_payload):
|
||||
|
|
|
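Review bot: The identity provider and protocol ids that the returned dict now places in the auth context (`federation.IDENTITY_PROVIDER: identity_provider`, `federation.PROTOCOL: protocol`) must be the ones recorded in the validated unscoped `token_ref`, not values read from `auth_payload`; the lines that bind `identity_provider` and `protocol` are above the hunk, so this cannot be confirmed here. The commit's stated purpose is revocation keyed on the IdP id, and a scoped token whose IdP attribution could be influenced by the requester would fall outside such a revocation, so the source of these two values is the security-relevant detail of this hunk. A comment above `return {` would pin the invariant for later readers: `# identity_provider/protocol come from the validated unscoped token, never from the request payload`. The enclosing method starts before the hunk.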
@ -859,6 +859,11 @@ class FederatedTokenTests(FederationTests):
|
|||
raise AssertionError("You must specify either"
|
||||
"project or domain.")
|
||||
|
||||
self.assertIn('OS-FEDERATION', token['user'])
|
||||
os_federation = token['user']['OS-FEDERATION']
|
||||
self.assertEqual(self.IDP, os_federation['identity_provider']['id'])
|
||||
self.assertEqual(self.PROTOCOL, os_federation['protocol']['id'])
|
||||
|
||||
def _issue_unscoped_token(self,
|
||||
assertion='EMPLOYEE_ASSERTION',
|
||||
environment=None):
|
||||
|
|
|
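Review bot: The new assertions confirm that the OS-FEDERATION block names the expected identity provider and protocol, but they do not pin that a scoped token carries no `groups` list, which per the provider hunk at `@@ -491` is only added on the unscoped path. Since this helper appears to be the scoped-token checker (it raises unless a project or domain is given), a third line after the protocol assertion, `self.assertNotIn('groups', os_federation)`, would catch a regression that starts exposing group membership in scoped tokens. The helper's signature is above the hunk.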
@ -479,10 +479,16 @@ class BaseProvider(provider.Provider):
|
|||
def _handle_saml2_tokens(self, auth_context, project_id, domain_id):
|
||||
user_id = auth_context['user_id']
|
||||
group_ids = auth_context['group_ids']
|
||||
idp = auth_context[federation.IDENTITY_PROVIDER]
|
||||
protocol = auth_context[federation.PROTOCOL]
|
||||
token_data = {
|
||||
'user': {
|
||||
'id': user_id,
|
||||
'name': parse.unquote(user_id)
|
||||
'name': parse.unquote(user_id),
|
||||
federation.FEDERATION: {
|
||||
'identity_provider': {'id': idp},
|
||||
'protocol': {'id': protocol}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -491,14 +497,8 @@ class BaseProvider(provider.Provider):
|
|||
group_ids, project_id, domain_id, user_id)
|
||||
token_data.update({'roles': roles})
|
||||
else:
|
||||
idp = auth_context[federation.IDENTITY_PROVIDER]
|
||||
protocol = auth_context[federation.PROTOCOL]
|
||||
token_data['user'].update({
|
||||
federation.FEDERATION: {
|
||||
'identity_provider': {'id': idp},
|
||||
'protocol': {'id': protocol},
|
||||
'groups': [{'id': x} for x in group_ids]
|
||||
},
|
||||
token_data['user'][federation.FEDERATION].update({
|
||||
'groups': [{'id': x} for x in group_ids]
|
||||
})
|
||||
return token_data
|
||||
|
||||
|
|