Add an OS-FEDERATION section to scoped federation tokens

In this change, we add an OS-FEDERATION section to the user section in a scoped federation token. We currently do the same for unscoped tokens. This will also help with revocation events, specifically revoking tokens based on IDP id. Change-Id: Ibcb12a4a9db45351127458a96de1161de55d5a18 Closes-Bug: #1351038
2014-07-31 16:16:49 -04:00 · 2014-07-31 16:16:49 -04:00 · 9847ebd90e
parent f803249fa9
commit 9847ebd90e
3 changed files with 17 additions and 10 deletions
--- a/keystone/auth/plugins/saml2.py
+++ b/keystone/auth/plugins/saml2.py
@ -59,7 +59,9 @@ class Saml2(auth.AuthMethodHandler):
        utils.validate_groups(group_ids, mapping['id'], self.identity_api)
        return {
            'user_id': token_ref['user_id'],
-            'group_ids': group_ids
+            'group_ids': group_ids,
+            federation.IDENTITY_PROVIDER: identity_provider,
+            federation.PROTOCOL: protocol
        }

    def _handle_unscoped_token(self, context, auth_payload):
--- a/keystone/tests/test_v3_federation.py
+++ b/keystone/tests/test_v3_federation.py
@ -859,6 +859,11 @@ class FederatedTokenTests(FederationTests):
            raise AssertionError("You must specify either"
                                 "project or domain.")

+        self.assertIn('OS-FEDERATION', token['user'])
+        os_federation = token['user']['OS-FEDERATION']
+        self.assertEqual(self.IDP, os_federation['identity_provider']['id'])
+        self.assertEqual(self.PROTOCOL, os_federation['protocol']['id'])
+
    def _issue_unscoped_token(self,
                              assertion='EMPLOYEE_ASSERTION',
                              environment=None):
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@ -479,10 +479,16 @@ class BaseProvider(provider.Provider):
    def _handle_saml2_tokens(self, auth_context, project_id, domain_id):
        user_id = auth_context['user_id']
        group_ids = auth_context['group_ids']
+        idp = auth_context[federation.IDENTITY_PROVIDER]
+        protocol = auth_context[federation.PROTOCOL]
        token_data = {
            'user': {
                'id': user_id,
-                'name': parse.unquote(user_id)
+                'name': parse.unquote(user_id),
+                federation.FEDERATION: {
+                    'identity_provider': {'id': idp},
+                    'protocol': {'id': protocol}
+                }
            }
        }

@ -491,14 +497,8 @@ class BaseProvider(provider.Provider):
                group_ids, project_id, domain_id, user_id)
            token_data.update({'roles': roles})
        else:
-            idp = auth_context[federation.IDENTITY_PROVIDER]
-            protocol = auth_context[federation.PROTOCOL]
-            token_data['user'].update({
-                federation.FEDERATION: {
-                    'identity_provider': {'id': idp},
-                    'protocol': {'id': protocol},
-                    'groups': [{'id': x} for x in group_ids]
-                },
+            token_data['user'][federation.FEDERATION].update({
+                'groups': [{'id': x} for x in group_ids]
            })
        return token_data