Commit Graph

200 Commits

Author SHA1 Message Date
Rafael Weingärtner 14ac08431f Keystone to honor the "domain" attribute mapping rules.
We propose to extend Keystone identity provider (IdP) attribute mapping
schema to make Keystone honor the `domain` configuration that we have
on it.

Currently, that configuration is only used to define a default domain
for groups (and then each group there, could override it). It is
interesting to expand this configuration (as long as it is in the root
of the attribute mapping) to be also applied for users and projects.

Moreover, to facilitate the development and extension concerning
attribute mappings for IdPs, we changed the way the attribute mapping
schema is handled. We introduce a new configuration
`federation_attribute_mapping_schema_version`, which defaults to "1.0".
This attribute mapping schema version will then be used to control the
validation of attribute mapping, and also the rule processors used to
process the attributes that come from the IdP. So far, with this PR,
we introduce the attribute mapping schema "2.0", which enables
operators to also define a domain for the projects they want to assign
users to. If no domain is defined either in the project or in the global
domain definition for the attribute mapping, we take the IdP domain
as the default.

Change-Id: Ia9583a254336fad7b302430a38b538c84338d13d
Implements: https://bugs.launchpad.net/keystone/+bug/1887515
Closes-Bug: #1887515
2024-01-16 08:54:56 -03:00
Takashi Kajinami 24b77bb643 Fix bindep.txt for python 3.11 job(Debian Bookworm)
The Python 3.11 job now runs on Debian Bookworm, which does not provide
some of the packages in bindep. This fixes the bindep file so that
it pulls packages actually available.

This also updates a few assertions of log records in unit tests to make
these robust for any warning logs.

Change-Id: Iae3f4da24418530b61b9a0b64390160d194da05b
2023-11-29 12:41:29 +09:00
wangzihao c97afecd57 Replace assertItemsEqual with assertCountEqual
assertItemsEqual was removed from Python's unittest.TestCase in
Python 3.3 [1][2]. We have been able to use them since then, because
testtools required unittest2, which still included it. With testtools
removing Python 2.7 support [3][4], we will lose support for
assertItemsEqual, so we should switch to use assertCountEqual.

[1] - https://bugs.python.org/issue17866
[2] - https://hg.python.org/cpython/rev/d9921cb6e3cd
[3] - testing-cabal/testtools#286
[4] - testing-cabal/testtools#277

Change-Id: I7725cead76c0c7349af9a8c8e8a54290caebce9c
2020-09-17 17:02:35 +08:00
Andreas Jaeger f36111954b Update hacking for Python3
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.

Fix problems found.

Update local hacking checks for new flake8.

Change-Id: Ic440219814ee0c2b98217e9a821f38f5baf482ec
2020-04-15 07:17:58 +02:00
Zuul 91fa019034 Merge "Expiring Group Memberships API - Allow set idp authorization_ttl" 2020-04-10 09:37:50 +00:00
Kristi Nikolla c18956f198 Expiring Group Memberships API - Allow set idp authorization_ttl
This patch extends the identity provider API to receive, return
and set the authorization_ttl on an identity provider.

Change-Id: I3c58da290d52149e307280042ed20447da4687f7
Partial-Bug: 1809116
2020-04-09 01:59:58 +00:00
Zuul 9f9040257f Merge "Add openstack_groups to assertion" 2020-03-23 19:24:38 +00:00
Vishakha Agarwal dda426b61a Add openstack_groups to assertion
Currently, a keystone IdP does not provide the
groups to which a user belongs when generating SAML
assertions. This patch adds an additional attribute
called "openstack_groups" in the assertion.

Change-Id: I205e8bbf9a4579b16177f57e29e363f4205a2b48
Closes-Bug: #1641625
2020-03-19 20:14:41 +05:30
Sean McGinnis 8c99a90f36 Switch from mock to unittest.mock use
The mock library is a third party lib that attempted to bridge the gap
between Python 2 and Python 3 mocking. Now that we have moved to py3
only, there is no need to use a third party lib and we can use the
standard built-in mocking support.

Change-Id: I8bbcedb7ad3f0bc2e06dfa13878a97411ee1dc6d
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
2020-03-02 13:40:40 -06:00
Vishakha Agarwal 4530041931 Remove six usage
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python 2 and 3; convert six usage to Python
3 code.

Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
2020-01-30 06:06:51 +00:00
zhufl e224082ecd Add remote_id definition in _perform_auth
This is to add remote_id definition in _perform_auth, otherwise
if no remote_id is found, we'll get "NameError: name 'remote_id'
is not defined" exception.

Change-Id: I2ad7dd6d9e7f74dbeaa87a68472be75b04cef631
Closes-Bug: #1844207
2019-09-16 23:19:42 -07:00
Colleen Murphy d8f3ba0429 Fix websso auth loop
In bf67b3c8[1] we introduced an error whereby trying to use WebSSO to
authenticate with one protocol would fail with an uncaught HTTP 404 if
an IdP was found that did not use that protocol. This patch fixes the
issue by ensuring that during the search for an IdP that matches the
given protocol, we ignore invalid IdPs.

This is tested by the existing WebSSOTests unit test class simply by
inserting a dummy IdP and protocol combination into the test data during
setup, since the problem arises when the protocol you are *not* trying
to authenticate with is indexed first in the database.

Since the breaking change was not released yet, this bugfix does not
need a release note.

[1] https://review.opendev.org/637305

Change-Id: Id423f8a304abffbe0c7814ab2ab4458e6a403bb1
Closes-bug: #1838592
2019-08-01 12:34:30 -07:00
erus bf67b3c884 Add new attribute to the federation protocol API
Modify the FederationProtocolModel class and add the
remote_id_attribute to the federation_protocol table.
Add the respective migration and test files, and
also modify the schema to expect a remote_id_attribute
property.

Closes-bug: #1724645

Co-authored-by: Colleen Murphy<colleen@gazlene.net>

Change-Id: I9802c8a5c187bae16de89893ca8639b01cd7cb1b
2019-07-19 10:46:23 -07:00
Kristi Nikolla c2be944fb8 Report correct domain in federated user token
Regardless of what domain the user was in, the domain reported in
the token would be hardcoded to 'Federated' (regardless of the
federated_domain_name config option).

This patch removes the places where the domain was overwritten,
and allows the correct domain to flow to the rendered token.
It also updates the tests where it was being checked for
the 'Federated' domain.

Change-Id: Idad4e077c488d87f75172664fb519232eb78e292
Closes-Bug: 1754048
2019-06-06 10:13:01 -04:00
Morgan Fainberg 9717f0c12f Raise METHOD NOT ALLOWED instead of 500 error on protocol CRUD
Raise METHOD NOT ALLOWED for OS-Federation protocols creation
if the protocol_id is not in the URL. The corrective action was to split
the LIST from CRUD resources so that the routing regexes can work as
expected.

Change-Id: I063e3afa1ef8dbf957d62fb4d44dac0f0860ec94
closes-bug: #1817313
2019-03-28 22:07:01 +00:00
Lance Bragstad 96adccd0ec Implement JWS token provider
This commit introduces a class that implements the JWS token provider
functionality.

bp json-web-tokens

Change-Id: Ie16110894348a83e3a80cba4649e6cccdc3c84b1
2019-02-07 23:04:39 +00:00
Lance Bragstad af3aef940c Handle special cases with msgpack and python3
We attempt to be clever about string types in the token formatters.
We do this because in some cases, not all items in a token payload
are serialized to byte strings. To add flexibility for this, we use
tuples with a boolean value that denotes if the accompanying value is
a byte string or not. This helps us safely re-inflate the value from
a byte string back to its .hex representation, typically with UUID
strings.

With python3, we actually hit an interesting case where what we pass
into the token payload doesn't actually maintain that state due to the
usage of msgpack. The msgpack library returns byte strings even though
the initial value may not have been a byte string. This breaks the
logic we have for the associated boolean value because the string type
changes and the boolean does not.

This commit adds a couple of if statements to detect if we are running on
python3 and if the boolean mismatches the actual value type. Then, it
attempts to do the right thing by decoding the string.

We should think about how we want to do this, or if there is a better
way.

Change-Id: Iaecd45ef985cbf5ff4a6a724df96c1304a927247
Closes-Bug: 1813085
2019-01-28 15:09:57 +00:00
Lance Bragstad cb5a1fe036 Move test utility to common location
Several of the test classes for testing the service provider API were
duplicating a method to build a request body. Instead of duplicating
a common and useful utility, we can move it to a generic place and
share it.

This commit creates a new method in keystone.tests.unit.core for
building service provider entities to be used in API and backend
tests. A subsequent patch will rely on this for testing policy
protection of the service provider API.

Change-Id: I78e697f9f5fb975b4694ab1a61f608a6dce0fd3b
2018-11-28 14:53:30 +00:00
wangxiyuan c3f590bc13 Add a test for idp and federated user cascade deleting
If an idp is deleted, the related federated user should be
cascade deleted as well.

Change-Id: I2c9b4052413f9a31ffc22c5f3b1bee30dda2c42a
Partial-bug: #1744195
2018-10-19 10:01:13 +08:00
morgan fainberg d97832e8e8 Convert auth to flask native dispatching
Convert the /auth paths to flask native dispatching.

A minor change to additional_urls was implemented to ensure all
urls are added at once instead of individually (causing an over-
write issue within flask as a single resource may only have a
single set of URL mappings).

Alternate URLs now support adding alternate JSON Home rel links.
This is to support the case of OS-FEDERATION auth routes moving
to /auth. The old JSON Home entries must exist but reference
the new paths.

This port includes the following test changes (needed due to the
way flask handles requests and the way requests are passed through
the auth system):

* Implemented keystone.common.render_token (module)
  containing render_token_response_from_model and use it instead
  of keystone.common.controller.render_token_response_from_model.

  Minor differences occur in render_token_response_from_model in
  the keystone.common.render_token module, this is simply
  for referencing data from flask instead of the request object.

* Test cases have been modified to no longer rely on the auth
  controller(s) directly

* Test cases now use "make_request" as a context manager
  since authenticate/authenticate_for_token directly
  reference the flask contexts and must have an explicit
  context pushed.

* Test cases no longer pass request objects into methods
  such as authenticate/authenticate_for_token or similar
  methods on the auth plugins

* Test cases for federation reference the token model now
  where possible instead of the rendered token response.
  Rendered token responses are generated where needed.

* Auth Plugin Configuration is done in test core as well.
  This is because Auth controller does not exist.

NOTE: This is a massive change, but most of these changes
were not easily uncoupled because of how far reaching auth
is.

Change-Id: I636928102875760726cc3493775a2be48e774fd7
Partial-Bug: #1776504
2018-10-09 23:23:03 -07:00
wangxiyuan 012dac29b8 Enable foreign keys for unit test
The unit test uses sqlite for test, which disables the db foreign keys
function by default. This patch enables the sqlite foreign keys
function for unit test by default.

The "project" table is a self referencing FK table (id <-> domain_id
column). So when the FK is enabled, there must exist a root record
before inserting data into this table. It's <<keystone.domain.root>>.

Usually, the <<keystone.domain.root>> record is inserted into the
table once operators run the "keystone-manage db_sync" command when
deploying Keystone. But the unit test code doesn't run this command;
it initialises the db schema by reading the sqlalchemy object model, so
the <<keystone.domain.root>> record is missing. Then we can't create
any project record; it'll raise an FK error.

So in this patch, before creating any projects in the test, we must
ensure the <<keystone.domain.root>> record exists first.

Change-Id: I565d12395ca39a58ba90faf8641a9e02d986aeb9
Closes-Bug: #1744195
2018-10-09 09:50:21 +08:00
Vishakha Agarwal ee46f73535 Mapped Groups don't exist breaks WebSSO
The issue occurs if a user has a group that
does not map to a project in OpenStack. At
which point an exception is raised and the
websso login blows up with a 500 message.
This is because of the exception being raised
when the group name does not match, thus replacing
that with a log.

Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
Closes-Bug: #1789450
2018-09-21 08:27:17 +05:30
Lance Bragstad 3dbf4be06f Cleanup keystone.token.providers.common
This module was a hodge-podge of common utility methods and a basic
implementation of the token provider API interface. In theory, if
something should be done for all providers, we should try and pull
it into a higher layer, like the token provider Manager. This makes
things easier to share without having to worry about reimplementing
something if we override a specific method of the interface. This is
the pattern we're working towards with the TokenModel object.

It was also home to the V3TokenDataHelper, which was ultimately
responsible for making sure the token API contracts were honored. Now
that we've moved token behavior into the TokenModel and the
representation of a token into the controllers, we don't need this
anymore. We should be able to make this much more clear and clean up
the interfaces for people providing their own token providers.

Partial-Bug: 1778945
Change-Id: I6f069c8c94e625ae553e9b41f0c54fd25bad9408
2018-07-13 14:49:07 +00:00
Morgan Fainberg 4ec6bc5a44 Convert Keystone to use Flask
Basic conversion of Keystone's core application to flask framework.

This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.

Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
2018-06-04 20:14:41 -07:00
wangxiyuan a7437cae73 Fix the test for unique IdP
The test that IdP and domain is a unique constraint is wrong.
Keystone never supported Idp:domain being 1:1.

This patch fixes the error in the test to make sure
Idp:domain is n:1.

Change-Id: I90a0ed677aa9d666a220bd2456dac336378cd3ba
Closes-bug: #1760843
2018-05-09 02:29:10 +00:00
wangxiyuan b6da8a1b89 Update IdP sql model
Based on the database schema, the domain_id column in identity_provider
is not unique and has the ForeignKey for project.id. But the IdP sql
model is different. It marks domain_id as unique and the ForeignKey
is lost.

This patch removes the unique restriction and adds the FK back, ultimately
making the relationship between domains and identity provider 1:many.

Change-Id: I13ecb0ab0434f5614f31d151e708f299cf8e8adb
Partial-bug: #1760843
2018-05-04 16:42:39 +08:00
wangxiyuan 3b701cdf70 Invalidate the shadow user cache when deleting a user
When deleting a user, the cache for the related shadow user should
be invalidated as well. Otherwise the federation authentication
will not work well and will raise a 404 UserNotFound error.

This patch fixes the bug and adds a new function for shadow backend
to get the shadow user information.

Change-Id: I3882f0dc6e8f8f618bb89ebd699736bc4b352261
Closes-bug: #1760205
2018-04-25 11:39:29 +08:00
Lance Bragstad ccdf2d976f Add logging for xmlsec1 installation
Keystone uses a library called xmlsec1 to create SAML assertions when
acting as an identity provider. If this library isn't present and
someone attempts to authenticate, keystone will throw an HTTP 500.
The only thing the error says is that a file or directory doesn't
exist.

This patch uses subprocess to check if the provided binary actually
exists on the system and handles cases when it isn't and logs a
useful message for operators.

Change-Id: I41cf87702df5389c1424d35f0abcef9c16301450
Closes-Bug: 1750917
2018-03-19 14:04:42 +00:00
wangxiyuan 4a1df081fd Fix assert test error under py3.6
The function __str__ of class subprocess.CalledProcessError
is different between py3.6 and lower python version.

        py3.6: Command '%s' returned non-zero exit status %d.
lower version: Command '%s' returned non-zero exit status %d

There is a . in py3.6.

This patch fixes the assert error under py3.6.

Change-Id: I19ae5711ed7440791583940fa4a8fb770dcdc933
Closes-bug: #1751551
2018-03-16 17:03:56 +08:00
David Stanek ed2b65a5dd Force SQLite to properly deal with foreign keys
This will help with testing since SQLite will start enforcing the
foreign key relationships.

We will still have a problem with migrations for tables that refer to
each other. SQLite can't alter tables and sqlalchemy-migrate's tmp table
strategy for migrations fails in this situation.

This patch did:
1. Add FK support for the tests. Disable it by default.
2. Make sure the FK is disabled for test_sql_upgrade and
identity.backends.test_sql

Partial-Bug: #1744195

Co-Authored-By: wangxiyuan<wangxiyuan@huawei.com>
Change-Id: I276af7c0125dc2cb2c54215d54491665db1caa22
2018-02-14 16:54:15 +00:00
Zuul 26ecbc2dae Merge "Validate identity providers during token validation" 2018-02-07 03:46:56 +00:00
Lance Bragstad 8761066260 Finish refactoring self.*_api out of tests
A previous change started removing the self magic:

  Ic2094dca56158d8e4cd843eadff837f3a17ea38f

This commit finishes that work. A subsequent patch will remove the
self manager logic altogether and we'll fix up any trivial test
infrastructure then.

Change-Id: Iedbde34ef5aa84905fd6b5f2297bf7f46dd7d278
2018-02-05 23:26:08 +00:00
Lance Bragstad f463bdccf1 Validate identity providers during token validation
Previously, it was possible to validate a federated keystone token
after the identity provider associated with that token was deleted,
which is a security concern.

This commit does two things. First it makes it so that the token
cache is invalidated when identity providers are deleted. Second,
it validates the identity provider in the token data and ensures it
actually exists in the system before considering the token valid.

Change-Id: I57491c5a7d657b25cc436452acd7fcc4cd285839
Closes-Bug: 1291157
2018-02-01 23:33:42 +00:00
Colleen Murphy d69fdd9b5e Fix federation unit test
A patch[1] was introduced to demonstrate a bug in federation token
auth[2]. The bug was later fixed[3] but one of the new tests was never
un-WIP'd. It continued to "fail as expected" because it was using a
method that didn't exist, not failing due to the bug it was supposed to
expose. This patch fixes the test and un-WIPs it.

[1] https://review.openstack.org/#/c/229125
[2] https://bugs.launchpad.net/keystone/+bug/1501032
[3] https://review.openstack.org/#/c/431181/

Change-Id: I4d76362256e41fafc87d413cde090fb12450ec83
2018-01-07 14:48:38 +01:00
Lance Bragstad 8f2273a54e Deleting an identity provider doesn't invalidate tokens
This commit exposes a bug where it's possible to continue using a
federated token even after the identity provider is deleted.

Change-Id: Id19ff4f7823bdc2b078f27f9dc544f7a5ff9ea99
Partial-Bug: 1291157
2017-10-17 21:41:21 +00:00
Lance Bragstad 139aa015d2 Remove v2.0 token APIs
This commit removes all the v2.0 token APIs with the exception of the
v2.0 authenticate for token API. POST /v2.0/tokens affects so much
stuff that we can do it in a separate patch and hopefully make it
easier for reviewers.

bp removed-as-of-queens

Change-Id: I508e7350c2a2d25c8fb413ea3523633f8939d80f
2017-09-30 15:26:03 +00:00
Lance Bragstad 058a23c087 Remove duplicate roles from federated auth
We were using a one-liner to prune duplicate role references from a
list of roles, but it didn't work in all cases. This reworks the
logic to pass the existing test case. I also added a comment
explaining why the logic we used previously doesn't work so we can
hopefully avoid the pattern in the future.

Change-Id: Id786d6463364ad8f4f02c22bb83221baac4b83d0
Closes-Bug: 1701324
2017-08-16 15:20:58 +00:00
Jenkins 6ffa71cdac Merge "Removed unnecessary setUp() calls from unit tests" 2017-08-07 20:04:12 +00:00
Jenkins 0d554db265 Merge "Handle auto-generated domains when creating IdPs" 2017-08-03 00:19:19 +00:00
Gábor Antal c812f53629 Removed unnecessary setUp() calls from unit tests
TrivialFix

Change-Id: I4d4349f70f58b1bb464fcb9b7adf324991b73530
2017-08-01 18:24:03 +02:00
yangweiwei 6e60948c20 Handle auto-generated domains when creating IdPs
When creating an IdP, if a domain was generated for it and a conflict
was raised while effectively creating the IdP in the database, the
auto-generated domain is now cleaned up.

Change-Id: I9b7c3c1fae32b9412f75323a75d9ebe4ad756729
Closes-Bug: #1688188
2017-07-27 20:20:00 +00:00
Lance Bragstad f94ac3a1ab Ensure there isn't duplication in federated auth
In I9a150ded6c4b556627147d2671be15d6a3794ba5 a comment was made that
we should test /auth/projects and /auth/domains in addition to
/OS-FEDERATION/project and /OS-FEDERATION/domains. This commit
ensures both APIs behave the same when pruning duplicate projects
and domains.

Change-Id: I3bc4f0776a875093ecdf5a7dc80583965585eef9
2017-06-29 18:18:38 +00:00
Lance Bragstad d7b13fd368 Add HEAD APIs to federated API
This commit ensures that all Federated GET APIs have a corresponding
HEAD API if not already specified. This is to be consistent with
other APIs in keystone.

Change-Id: Ifc7c9d73eca9f715a0f3f25701bcee389ddc354d
Partial-Bug: 1696574
2017-06-21 15:06:21 +00:00
Lance Bragstad c668400d52 Expose a bug in domain creation from idps
When creating an identity provider, a domain will be created with it
if it isn't already provided. If a database conflict occurs when an
identity provider is created, the domain associated with it isn't
cleaned up. This essentially orphans a domain that shouldn't have
been created because the identity provider was never successfully
created.

Change-Id: Ie59d21abda422d4e9668725de4604ab99701dc59
Related-Bug: 1688188
2017-05-07 03:48:25 +00:00
ChangBo Guo(gcb) 5da589a8f6 Remove test_metadata_invalid_contact_type
oslo.config will ensure option [saml]/idp_contact_type with parameter
choices only allows values in ('technical', 'support', 'administrative',
'billing', 'other') at runtime, so there is no need to test it in Keystone.
This commit also removes the check code for the option.

Partial-Bug: #1686921
Related-Bug: #1517839

Change-Id: I0c78a25a353d04dbe46e9679771c51b22b677a27
2017-05-02 17:10:32 +08:00
Boris Bobrov 2139639eea Do not fetch group assignments without groups
Without the change, the method fetched all assignments for a project
or domain, regardless of who has the assignment, user or group. This
led to a situation where a federated user without groups could scope a token
with other users' rules.

Return an empty list of assignments if no groups were passed.

Closes-Bug: 1677723
Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
2017-04-25 13:58:11 +00:00
Ronald De Rose a7677be518 Include 'token' in the method list for federated scoped tokens
Closes-Bug: #1501032
Change-Id: I52b1c236569db7cbddf44a196c9a98a0b1547215
2017-02-09 20:37:05 +00:00
Eric Brown 30d9095d28 Use https for docs.openstack.org references
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.

Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4
2017-01-30 16:05:08 -08:00
Jenkins 5dc7af8fb5 Merge "Implement federated auto-provisioning" 2017-01-19 20:44:35 +00:00
Lance Bragstad 9e830dbe02 Implement federated auto-provisioning
Provide a way to provision projects and assignments when a federated
user authenticates for the first time for an unscoped token.

implements bp shadow-mapping

Change-Id: I6029dac8294e8cfc4bf622ac71b5e731956389db
2017-01-19 16:58:08 +00:00