Commit Graph

160 Commits

Author SHA1 Message Date
gtema 480ba29709 Fix federation mapping role jsonschema
additionalProperties attribute must be located on the level of "type"
and not inside "properties"
(https://json-schema.org/understanding-json-schema/reference/object#additional-properties).
Sadly this is not violating schema validation, but is wrong and hurts
any reasonable processing of the schema.

Change-Id: Ib537f1dd33dd3f3dc8909873dffc37980d04b4db
2024-02-07 08:49:45 +01:00
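An added check for the point this commit makes, written for this page and not part of keystone or its test suite: a small linter that walks a JSON Schema and flags an `additionalProperties` key nested under `properties`, where it is taken as the name of an ordinary property rather than as the keyword that rejects unknown keys. The schemas below are constructed to mirror the shape of a federation mapping role schema; the constant and function names are assumptions.

```python
# Added example for this page; not keystone code.  The schemas are
# constructed to mirror the shape of a mapping role schema.

# Keywords whose value is a map of <name> -> subschema.  A key named
# "additionalProperties" under one of these is a property *name*, not the
# keyword.  Only "properties" is reported below, because that is the one
# an author plausibly intended as the keyword.
NAME_MAPS = {"properties", "patternProperties", "definitions", "$defs"}

ROLE_SCHEMA_WRONG = {
    "type": "object",
    "required": ["name"],
    "properties": {
        "name": {"type": "string"},
        # A boolean is itself a valid subschema, so metaschema validation
        # accepts this.  It only says a property literally named
        # "additionalProperties" is forbidden; any other unknown key passes.
        "additionalProperties": False,
    },
}

ROLE_SCHEMA_RIGHT = {
    "type": "object",
    "required": ["name"],
    "properties": {"name": {"type": "string"}},
    "additionalProperties": False,  # alongside "type": rejects unknown keys
}

# Nested container, constructed to exercise the recursive walk.
MAPPING_SCHEMA = {
    "type": "object",
    "properties": {
        "rules": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {
                    "local": {"type": "array", "items": ROLE_SCHEMA_WRONG},
                },
            },
        },
    },
}


def find_misplaced_additional_properties(schema, path=()):
    """Return the path of every "additionalProperties" key that sits inside
    a "properties" map instead of next to "type": "object"."""
    found = []
    if isinstance(schema, dict):
        props = schema.get("properties")
        if isinstance(props, dict) and "additionalProperties" in props:
            found.append(path + ("properties", "additionalProperties"))
        for key, sub in schema.items():
            if key in NAME_MAPS and isinstance(sub, dict):
                # Values are subschemas keyed by name; the map itself is
                # not a schema, so do not treat its keys as keywords.
                for name, subschema in sub.items():
                    found.extend(find_misplaced_additional_properties(
                        subschema, path + (key, name)))
            else:
                found.extend(find_misplaced_additional_properties(
                    sub, path + (key,)))
    elif isinstance(schema, list):
        for i, item in enumerate(schema):
            found.extend(find_misplaced_additional_properties(item, path + (i,)))
    return found


def object_allows_unknown_keys(schema):
    """JSON Schema defaults additionalProperties to true when it is absent
    at the object level, so the misplaced form leaves unknown keys accepted."""
    return schema.get("additionalProperties", True) is not False


if __name__ == "__main__":
    for label, s in (("wrong", ROLE_SCHEMA_WRONG), ("right", ROLE_SCHEMA_RIGHT)):
        print(label, find_misplaced_additional_properties(s),
              object_allows_unknown_keys(s))
```

Run the walker over every schema a validator loads at start-up: the misplaced form passes metaschema validation, as the commit says, so nothing else will catch it, and the practical effect is that an object which was meant to be closed still accepts arbitrary extra keys.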
Zuul 993e589fa1 Merge "Keystone to honor the "domain" attribute mapping rules." 2024-01-26 17:37:09 +00:00
Rafael Weingärtner 14ac08431f Keystone to honor the "domain" attribute mapping rules.
We propose to extend Keystone identity provider (IdP) attribute mapping
schema to make Keystone honor the `domain` configuration that we have
on it.

Currently, that configuration is only used to define a default domain
for groups (and then each group there, could override it). It is
interesting to expand this configuration (as long as it is in the root
of the attribute mapping) so that it also applies to users and projects.

Moreover, to facilitate the development and extension concerning
attribute mappings for IdPs, we changed the way the attribute mapping
schema is handled. We introduce a new configuration
`federation_attribute_mapping_schema_version`, which defaults to "1.0".
This attribute mapping schema version will then be used to control the
validation of attribute mapping, and also the rule processors used to
process the attributes that come from the IdP. So far, with this PR,
we introduce the attribute mapping schema "2.0", which enables
operators to also define a domain for the projects they want to assign
users. If no domain is defined either in the project or in the global
domain definition for the attribute mapping, we take the IdP domain
as the default.

Change-Id: Ia9583a254336fad7b302430a38b538c84338d13d
Implements: https://bugs.launchpad.net/keystone/+bug/1887515
Closes-Bug: #1887515
2024-01-16 08:54:56 -03:00
Pete Zaitcev 80c6ecc421 fix(federation): follow-up
This mainly was intended to clean up confusing comments, and
to add @staticmethod since we're at it.

Related-Change-Id: I665b7e0234650ba07e0d030a2d442d6599d0888a
Change-Id: I7cd62cdd188da77367820317f4875b48a247ff00
2023-10-12 09:18:23 -05:00
Zuul 093b42a1ab Merge "sql: Remove service_provider.relay_state_prefix default" 2023-07-11 18:35:55 +00:00
Zuul b80e1df2ef Merge "sql: Fix incorrect columns" 2023-07-06 14:14:19 +00:00
Stephen Finucane 845e5b2494 sql: Remove service_provider.relay_state_prefix default
We shouldn't specify a server default for a configurable option since it
means our initial database schema is not consistently reproducible.
Instead, we should specify the default at runtime. It turns out we
already do this and the server default was overkill. We can remove it.

Change-Id: I74e47a9ed986c7c3af19676ac65f4d290bcb4cc0
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-07-06 10:19:05 +01:00
Stephen Finucane 2bf70a10a2 sql: Fix incorrect columns
In these instances, we take the migrations to be the "official" version
- since they're stricter in almost all cases - updating the models to
suit.

This change highlights a slight issue in our use of a config option in
our database schema, which we shouldn't really do. A TODO is left to
address this later. We can also remove a now-unnecessary TODO from our
initial migration related to the same issue: we have our own tooling for
migrations that *does* load and register config options so there is no
longer an issue here.

Change-Id: I906cb8f7b76833c880a40c1aa0584fe7ab93cb7a
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-07-03 12:32:58 +01:00
Zuul 95c99f91c2 Merge "db: Replace use of Query.get()" 2023-06-27 15:41:55 +00:00
Zuul 95288d2ce3 Merge "fix(federation): allow using numerical group names" 2023-04-21 17:30:22 +00:00
Stephen Finucane 5d2ab6c63b db: Replace use of Query.get()
Resolve the following LegacyAPIWarning warning:

  The Query.get() method is considered legacy as of the 1.x series of
  SQLAlchemy and becomes a legacy construct in 2.0. The method is now
  available as Session.get()

Change-Id: I30d0bccaddff6a1d91fcd5660f490f904e7c8965
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-02-28 17:26:39 +00:00
Stephen Finucane 6dfde5b48b requirements: Bump linter requirements
The pep257 dependency does not support Python 3.10 and has been
deprecated in favour of flake8-docstrings. While we're here, we bump the
other linter dependencies and remove a note regarding the order of
dependencies, which is no longer true with the new dependency resolver
introduced in pip 20.3. We also remove an import exception for six.moves
since we no longer use six.

Change-Id: I4aae75f513568126230becf27b2e07d6682d35a1
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2022-10-26 15:14:21 +03:00
Mohammed Naser c70d0c33a5 fix(federation): allow using numerical group names
When using a numerical group name, the current codebase which
relies on ast.literal_eval does not account for the value
being a number.  Therefore, it can be parsed as a number and
fail in further steps since it will not be a list.

This patch adds a test to handle that use case and refactors the
code that leverages ast.literal_eval to be the same everywhere
so that it adds that fix everywhere.

Closes-Bug: #1992186
Change-Id: I665b7e0234650ba07e0d030a2d442d6599d0888a
2022-10-07 17:08:14 +00:00
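An added example of the failure this commit describes, written for this page and not keystone's own code: the fragile pattern of trusting `ast.literal_eval` to return a list, next to a parser that only evaluates text shaped like a list and otherwise keeps the raw value as a single name. The function names and sample values are assumptions.

```python
import ast

# Added example for this page; not keystone code.  Shows why a bare
# numeric group name breaks a literal_eval-based parser and one way to
# normalise mapped values safely.


def naive_parse(value):
    """The fragile pattern: trust literal_eval to hand back a list.

    "['admins', 'ops']" -> ['admins', 'ops']   (fine)
    "1234"              -> 1234                (an int, not a list)
    "admins"            -> ValueError          (not a Python literal)
    """
    return ast.literal_eval(value)


def parse_mapped_list(value):
    """Return a list of group-name strings from a mapped attribute value.

    The mapping engine renders rule output as text, so a list arrives as
    its repr ("['admins', 'ops']").  Only text that looks like a list is
    evaluated; anything else is one group name, so "1234" stays "1234"
    rather than becoming int 1234, and "0x1f" is not turned into "31".
    """
    if isinstance(value, (list, tuple, set)):
        return [str(v) for v in value]
    if value is None or value == "":
        return []
    text = value.strip()
    if text.startswith("[") and text.endswith("]"):
        try:
            parsed = ast.literal_eval(text)
        except (ValueError, SyntaxError):
            # Bracketed but not a literal (e.g. "[oops]"): keep as a name.
            return [value]
        return [str(v) for v in parsed]
    return [value]


if __name__ == "__main__":
    for sample in ("['admins', 'ops']", "1234", "[1234, 'ops']", "ops-team"):
        print(repr(sample), "->", parse_mapped_list(sample))
```

Deciding what to evaluate by shape, rather than evaluating everything and patching up the result, also keeps numeric-looking names such as `1_000` or `0x1f` intact instead of silently rewriting them to their evaluated value.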
Stephen Finucane 03238e343a Add support for pysaml2 >= 7.1.0
A constant was renamed in commit 1e59eaa0 [1].

[1] https://github.com/IdentityPython/pysaml2/commit/1e59eaa0

Change-Id: I0489fde7eced9af8a534736960b75a0d2c189933
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2022-01-05 18:29:07 +00:00
Jason Anderson feaf034438 Support regexes in whitelists/blacklists
This adds support for the "regex" flag for both the "whitelist" and
"blacklist" conditional types. Before, only the "any_one_of" and
"not_any_of" conditionals supported this. Similar to the pre-existing
regex logic, the patterns are matched from the beginning of the string,
meaning you may need to prefix them with ".*" if you do not care about the
first characters of the match.

Closes-Bug: #1880252
Change-Id: Ia51f47a58712c7230753f2cfa0c87b83a7339bf9
2020-05-26 11:00:21 -05:00
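An added example, written for this page and not keystone's mapping engine, of the four conditional types with the `regex` flag as the commit describes them: patterns are applied with `re.match`, which anchors at the start of the value but not at the end. The condition dicts mirror the shape of a mapping rule "remote" entry; the function names and sample groups are assumptions.

```python
import re

# Added example modelled on the semantics in the commit message above;
# not keystone's own code.  The sample groups are constructed.


def _matches(pattern, value, use_regex):
    """Compare one pattern against one attribute value.

    With "regex": true the pattern goes through re.match, which anchors at
    the start of the string only.  "ops" therefore matches "ops-eu" and
    "opsX", while "-eu" matches nothing unless written as ".*-eu".
    """
    if use_regex:
        return re.match(pattern, value) is not None
    return pattern == value


def apply_condition(condition, values):
    """Apply one mapping-rule condition to the values of a remote attribute
    (for example the groups asserted by the IdP).

    whitelist / blacklist filter the values and return the survivors;
    any_one_of / not_any_of return a bool saying whether the rule matches.
    """
    use_regex = bool(condition.get("regex", False))
    if "whitelist" in condition:
        return [v for v in values
                if any(_matches(p, v, use_regex) for p in condition["whitelist"])]
    if "blacklist" in condition:
        return [v for v in values
                if not any(_matches(p, v, use_regex) for p in condition["blacklist"])]
    if "any_one_of" in condition:
        return any(_matches(p, v, use_regex)
                   for p in condition["any_one_of"] for v in values)
    if "not_any_of" in condition:
        return not any(_matches(p, v, use_regex)
                       for p in condition["not_any_of"] for v in values)
    raise ValueError("condition needs one of whitelist/blacklist/any_one_of/not_any_of")


# Constructed sample: group names as an IdP might assert them.
SAMPLE_GROUPS = ["ops-eu", "ops-us", "dev-eu", "finance", "opsX"]

if __name__ == "__main__":
    for cond in ({"type": "groups", "whitelist": ["ops"], "regex": True},
                 {"type": "groups", "whitelist": ["-eu"], "regex": True},
                 {"type": "groups", "whitelist": [".*-eu"], "regex": True},
                 {"type": "groups", "blacklist": ["ops.*"], "regex": True}):
        print(cond, "->", apply_condition(cond, SAMPLE_GROUPS))
```

Because the match is only start-anchored, a whitelist of `ops` also admits `opsX`; end the pattern with `$` when the intent is an exact name, since a whitelist is an authorization decision and an over-broad pattern grants group membership the operator did not intend.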
Andreas Jaeger f36111954b Update hacking for Python3
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.

Fix problems found.

Update local hacking checks for new flake8.

Change-Id: Ic440219814ee0c2b98217e9a821f38f5baf482ec
2020-04-15 07:17:58 +02:00
Zuul 91fa019034 Merge "Expiring Group Memberships API - Allow set idp authorization_ttl" 2020-04-10 09:37:50 +00:00
Zuul b3d3735138 Merge "Add expiring user group memberships on mapped authentication" 2020-04-10 00:18:37 +00:00
Kristi Nikolla c18956f198 Expiring Group Memberships API - Allow set idp authorization_ttl
This patch extends the identity provider API to receive, return
and set the authorization_ttl on an identity provider.

Change-Id: I3c58da290d52149e307280042ed20447da4687f7
Partial-Bug: 1809116
2020-04-09 01:59:58 +00:00
Zuul 033e7aff87 Merge "Expiring User Group Membership Model" 2020-04-08 15:51:48 +00:00
Kristi Nikolla 8153a9d592 Add expiring user group memberships on mapped authentication
When a federated user authenticates, they are added to their
mapped groups during shadowing.

Closes-Bug: 1809116

Change-Id: I19dc400b2a7aa46709b242cdeef82beaca975ff3
2020-04-07 19:30:57 -04:00
Kristi Nikolla ee54ba0ce4 Expiring User Group Membership Model
Creates the model and migration for the expiring user group
membership table.

Change-Id: I48093403539918f81e6a174bdfa7b6497dd307fb
Partial-Bug: 1809116
2020-04-07 11:04:38 -04:00
Zuul 9f9040257f Merge "Add openstack_groups to assertion" 2020-03-23 19:24:38 +00:00
Vishakha Agarwal dda426b61a Add openstack_groups to assertion
Currently, a keystone IdP does not provide the
groups to which the user belongs when generating SAML
assertions. This patch adds an additional attribute
called "openstack_groups" in the assertion.

Change-Id: I205e8bbf9a4579b16177f57e29e363f4205a2b48
Closes-Bug: #1641625
2020-03-19 20:14:41 +05:30
Vishakha Agarwal 4530041931 Remove six usage
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python2 and 3, convert six usage to Python
3 code.

Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
2020-01-30 06:06:51 +00:00
Zuul 09ba263fb4 Merge "Drop project.id foreign keys" 2019-11-12 20:42:23 +00:00
Colleen Murphy e2d83ae95d Re-enable line-length linter
In 09088690 we mistakenly added E501 to the flake8 ignore list. Since
then, many new violations have been introduced. This patch re-enables
the check and corrects all violations, except in some cases like unit
test names where the subunit output would suffer if we attempted to
shorten the function name.

This may appear to be a pointless no-op that messes with
git-blameability, and it is, but the reason to do this is that if PEP8
violations are introduced in master and then backported to a stable
branch, most stable branches will fail the pep8 job since the flake8
ignore list is correct for those branches. Rather than loosening the
check in older branches or requiring those backports to fix the linter
errors independently of what's been merged in master, we should fix it
now so that we don't introduce more errors in the future and patches can
more easily be backported.

Change-Id: I9f71926105eb448bb0200201d1838b67d4963cd6
2019-10-21 08:48:47 -07:00
Colleen Murphy c4d6097788 Drop project.id foreign keys
In 2bd88d30 we added a new column domain_id to the user table to
deduplicate the domain_id columns in the local_user and nonlocal_user
tables, and at that point made the user.domain_id column a foreign key
referencing the project.id column. This is a problem that led to
3d46c8a5 in which we removed the ability for the resource driver to be
pluggable, since we had linked two sql backends together and made them
reliant on one another.

This commit removes the foreign key constraint from the user table and
the identity_provider table. For the user table, the sqlalchemy model
never reflected this schema so we don't need to change the model. For
the identity_provider table, we need to update the model. In both cases,
we already enforce, at the manager layer, the constraint that the
domain_id needs to reference a real domain ID[1][2], so we do not need
to rely on this constraint at the database layer.

[1] 43142e4470/keystone/identity/core.py (L935)
[2] 43142e4470/keystone/federation/core.py (L73-L77)

Partial-bug: #1672713

Change-Id: I7c068e350811e22622d1f1e7d8b0a55d4d7cab11
2019-10-11 14:12:57 -07:00
John Dennis b33abb4b07 Federation mapping debug should show direct_maps values
If you use keystone-manage mapping_engine --engine-debug to test your
rules (or when debug logging is on during run time) the diagnostic
output fails to emit a piece of crucial information, the contents
direct map array. What you'll get instead is this:

direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f7121887b00>

That's because the DirectMaps class does not have a __str__() method
and Python resorts to __repr__() in the absence of __str__() and all
__repr__() does is print the class name and its memory location, not
very useful.

This patch adds a __str__() method to the DirectMaps class so the
debug output now includes the actual direct map data like this:

direct_maps: [['jdoe@example.com'], ['Group1', 'Group3']]

Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Change-Id: I07643fbe3e1e712b7eac716a7f671a2d513e920b
Closes-Bug: 1841486
Signed-off-by: John Dennis <jdennis@redhat.com>
2019-09-19 11:27:53 -07:00
erus bf67b3c884 Add new attribute to the federation protocol API
Modify the FederationProtocolModel class and add the
remote_id_attribute to the federation_protocol table.
Add the respective migration and tests files. And
also modify the schema to expect a remote_id_attribute
property.

Closes-bug: #1724645

Co-authored-by: Colleen Murphy<colleen@gazlene.net>

Change-Id: I9802c8a5c187bae16de89893ca8639b01cd7cb1b
2019-07-19 10:46:23 -07:00
Kristi Nikolla c2be944fb8 Report correct domain in federated user token
Regardless of what domain the user was in, the domain reported in
the token would be hardcoded to 'Federated' (regardless of the
federated_domain_name config option).

This patch removes the places where the domain was overwritten,
and allows the correct domain to flow to the rendered token.
It also updates the tests where it was being checked for
the 'Federated' domain.

Change-Id: Idad4e077c488d87f75172664fb519232eb78e292
Closes-Bug: 1754048
2019-06-06 10:13:01 -04:00
Vishakha Agarwal 49ada37ced Fix wrong example for direct_maps
Direct_maps is a list in federation/utils.py.
This list is being appended to another list in
class DirectMaps in federation/utils.py.

This patch fixes the example of direct_maps passed
to the function _update_local_mapping.

Change-Id: I82190d421989638ca6c1c6b6a61de871662b2c06
2019-02-11 22:46:48 +05:30
wangxiyuan 3bcd8968e9 Invalidate shadow_federated_user cache when deleting protocol
When deleting an identity provider protocol, the related
shadow_federated_user cache should be invalidated as well.

Change-Id: Ia1a86724b7a6747fc5177476ee462d8d062978e0
Closes-bug: 1810393
2019-01-04 09:45:42 +08:00
zhufl b71bb438bd Add missing ws separator between words
This is to add missing ws separator between words, usually
in log messages.

Change-Id: I65ececa93fd0bee00c44684088162346ac9b09de
2018-11-19 14:36:40 +08:00
Zuul c2c4baaebd Merge "Update doc string for transform_to_group_ids" 2018-10-19 08:34:49 +00:00
morgan fainberg d97832e8e8 Convert auth to flask native dispatching
Convert the /auth paths to flask native dispatching.

A minor change to additional_urls was implemented to ensure all
urls are added at once instead of individually (causing an over-
write issue within flask as a single resource may only have a
single set of URL mappings).

Alternate URLs now support adding alternate JSON Home rel links.
This is to support the case of OS-FEDERATION auth routes moving
to /auth. The old JSON Home entries must exist but reference
the new paths.

This port includes the following test changes (needed due to the
way flask handles requests and the way requests are passed through
the auth system):

* Implemented keystone.common.render_token (module)
  containing render_token_response_from_model and use it instead
  of keystone.common.controller.render_token_response_from_model.

  Minor differences occur in render_token_response_from_model in
  the keystone.common.render_token module, this is simply
  for referencing data from flask instead of the request object.

* Test cases have been modified to no longer rely on the auth
  controller(s) directly

* Test cases now use "make_request" as a context manager
  since authenticate/authenticate_for_token directly
  reference the flask contexts and must have an explicit
  context pushed.

* Test cases no longer pass request objects into methods
  such as authenticate/authenticate_for_token or similar
  methods on the auth plugins

* Test cases for federation reference the token model now
  where possible instead of the rendered token response.
  Rendered token responses are generated where needed.

* Auth Plugin Configuration is done in test core as well.
  This is because Auth controller does not exist.

NOTE: This is a massive change, but most of these changes
were now easily uncoupled because of how far reaching auth
is.

Change-Id: I636928102875760726cc3493775a2be48e774fd7
Partial-Bug: #1776504
2018-10-09 23:23:03 -07:00
Lance Bragstad 3d43b02503 Update doc string for transform_to_group_ids
A previous change updated the implementation of this method to log
a message if the group being transformed didn't exist in the backend:

  https://review.openstack.org/#/c/597992/

This change updates the corresponding documentation string to be
accurate with the implementation.

Change-Id: Id286b3b276ee0a72ba45ac1198c21b5f2c01aa9a
2018-10-08 14:03:40 +00:00
Zuul 498528963e Merge "Mapped Groups don't exist breaks WebSSO" 2018-09-21 20:32:01 +00:00
Vishakha Agarwal ee46f73535 Mapped Groups don't exist breaks WebSSO
The issue occurs if a user has a group that
does not map to a project in OpenStack. At
which point an exception is raised and the
websso login blows up with a 500 message.
This is because of the exception being raised
when the group name does not match, so this patch
replaces that with a log.

Change-Id: Ia7321705db118af28f3dc6e01d5b18e8650aa633
Closes-Bug: #1789450
2018-09-21 08:27:17 +05:30
Morgan Fainberg 94f8f103ab Convert OS-FEDERATION to flask native dispatching
Convert OS-FEDERATION to flask native dispatching.

NOTE: Two changes occurred that impact testing in this patch.
      * The JSON Home test now uses assertDictEquals to make it
        easier to debug json_home document errors

      * It was by general good luck that the overloaded relation
        'identity_providers' worked as expected. The relation was
        used for both '/OS-FEDERATION/identity_providers' and
        the Identity-Provider-Specific WebSSO path. The change
        to the JSON Home document and the tests make the
        Identity-Provider-Specific WebSSO path now a relation
        of 'identity_providers_websso' to more closely align
        with 'websso' relation for
        '/auth/OS-FEDERATION/websso/{protocol_id}'. While
        this constitutes a minor break in our contract (the
        output of the json home document) it was required to
        ensure consistency and functionality. The alternative
        is to not represent '/OS-FEDERATION/identity_providers'
        (list endpoint) in the JSON Home document at all, instead
        represent only the WebSSO endpoint.

Change-Id: If746c14491322d4a5f88fa0cbb31105f6d38c240
Partial-Bug: #1776504
2018-09-10 11:22:58 -07:00
Vishakha Agarwal 67435147ec Incorrect use of translation _()
Keystone uses translated strings both in
logging and exceptions. This is incorrect.
All strings that are passed to logging
should remain un-translated. This patch
addresses the above issue.

Change-Id: Idf4f0bc1bd63eb8dc6dc61d8a49a9e2a93320474
Closes-Bug: #1777671
2018-09-03 21:52:56 +05:30
Zuul b982f3932e Merge "Simplify the token provider API" 2018-08-01 16:44:47 +00:00
Lance Bragstad df5d75571e Reduce duplication in federated auth APIs
The GET /v3/OS-FEDERATION/projects and GET /v3/OS-FEDERATION/domains
APIs were introduced to handle tokens from federated users, but now
that GET /v3/auth/projects and GET /v3/auth/domains know how to handle
federated tokens, they're just duplicate APIs.

In the past we deprecated these federated auth APIs, but they still
used separate code paths from GET /v3/auth/projects and GET
/v3/auth/domains. The two code paths are true duplication in that they
don't expect to differ over time and should provide the same user
experience.

Instead of running the risk that comes with two code paths that do the
same thing, we should consolidate them.

Co-Authored-By: Kristi Nikolla <kristi@nikolla.me>

Closes-Bug: 1779205
Change-Id: Ib906c42e1dd2c2408ccd2e256ffd876af02af3fe
2018-07-25 15:15:44 +00:00
Lance Bragstad b47e84dac1 Simplify the token provider API
Since we're no longer supporting persistent tokens in tree and we
removed the uuid token provider, it's the perfect time to clean up a
good amount of confusing technical debt.

The token provider API is historically known for being confusing.
This is mainly because the reference that is intended to be returned
to the user is modified all up and down the API. Different parts of
the API use the reference to invoke call hooks in other method making
the code hard to debug. In order to fully understand how tokens are
built, you need to understand where and how tokens are modified by
different layers of the API according to a specific contract of the
authentication API. Another big problem is that it couples the actual
reference of how a token looks too closely to the business logic for
tokens. Which means you have to write a ton of code if you ever want a
token to look differently, like you would if you wanted to support a
new API version.

A token should be an object that the managers and controllers can
query and reason about. From there they should be able to build token
responses accordingly. This will make the actual token provider API
much simpler because it needs to know less about API contracts that
are the responsibility of the controllers. This should lead to simpler
interfaces when new token providers are added, or maintained out of
tree. This also makes it less likely for APIs to behave differently
based on what token provider is configured by explicitly
building the token reference in one place.

This commit ports the token business logic out of the
keystone.token.providers.common module and into a dedicated token
object, or model. This will result in a cleaner interface between the
token providers and the token provider API. A subsequent patch will
remove the unused code across the token provider API.

Partial-Bug: 1778945
Change-Id: If9ded94e65bacb0d06f5225bb36f659dc7bb8355
2018-07-13 14:45:56 +00:00
Morgan Fainberg 4ec6bc5a44 Convert Keystone to use Flask
Basic conversion of Keystone's core application to flask framework.

This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.

Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
2018-06-04 20:14:41 -07:00
Zuul 400263ed2b Merge "Update IdP sql model" 2018-05-21 04:44:22 +00:00
wangxiyuan b6da8a1b89 Update IdP sql model
Based on the database schema, the domain_id column in identity_provider
is not unique and has a ForeignKey to project.id. But the IdP sql
model is different. It marks domain_id as unique and the ForeignKey
is lost.

This patch removes the unique restriction and adds the FK back, ultimately
making the relationship between domains and identity provider 1:many.

Change-Id: I13ecb0ab0434f5614f31d151e708f299cf8e8adb
Partial-bug: #1760843
2018-05-04 16:42:39 +08:00
wangxiyuan 42cf675c40 Fix 500 error when deleting domain
If there are idps in a domain, when users try to delete the
domain, a 500 internal error will be raised.

This patch added a new callback event to clean up the related
idps.

Closes-bug: #1760809
Change-Id: I37c8745e4509f69aaa659b130ccbdfe51cf6a1b8
2018-04-11 10:35:31 +08:00
Lance Bragstad ccdf2d976f Add logging for xmlsec1 installation
Keystone uses a library called xmlsec1 to create SAML assertions when
acting as an identity provider. If this library isn't present and
someone attempts to authenticate, keystone will throw an HTTP 500.
The only thing the error says is that a file or directory doesn't
exist.

This patch uses subprocess to check if the provided binary actually
exists on the system and handles cases when it isn't and logs a
useful message for operators.

Change-Id: I41cf87702df5389c1424d35f0abcef9c16301450
Closes-Bug: 1750917
2018-03-19 14:04:42 +00:00
Lance Bragstad dd91f41c0a Simplify federation and oauth token callbacks
The token provider listened for specific callbacks from the
federation and oauth APIs. These were mainly for token invalidation
and token persistence removal. Now that the sql token driver and uuid
token provider have been removed, we can remove the need for
persistence notifications.

Instead, both of these cases can use a generic token cache
invalidation callback. This makes the token provider Manager simpler
because it only has to listen for a single internal notification to
invalidate the token cache, instead of multiple. It also makes the
code sending the notification easier to understand because it's
clearer about what it's doing.

Change-Id: I3281a013ce2764872dda8c183c4e9851974e1d14
2018-02-16 21:41:30 +00:00