Merge "Distinguish between unset and empty black and white lists"
This commit is contained in:
commit
363117d9a6
|
@ -686,10 +686,10 @@ class RuleProcessor(object):
|
||||||
|
|
||||||
# If a blacklist or whitelist is used, we want to map to the
|
# If a blacklist or whitelist is used, we want to map to the
|
||||||
# whole list instead of just its values separately.
|
# whole list instead of just its values separately.
|
||||||
if blacklisted_values:
|
if blacklisted_values is not None:
|
||||||
direct_map_values = [v for v in direct_map_values
|
direct_map_values = [v for v in direct_map_values
|
||||||
if v not in blacklisted_values]
|
if v not in blacklisted_values]
|
||||||
elif whitelisted_values:
|
elif whitelisted_values is not None:
|
||||||
direct_map_values = [v for v in direct_map_values
|
direct_map_values = [v for v in direct_map_values
|
||||||
if v in whitelisted_values]
|
if v in whitelisted_values]
|
||||||
|
|
||||||
|
|
|
@ -2325,7 +2325,6 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
|
||||||
"remote": [
|
"remote": [
|
||||||
{
|
{
|
||||||
"type": "REMOTE_USER_GROUPS",
|
"type": "REMOTE_USER_GROUPS",
|
||||||
"blacklist": ["noblacklist"]
|
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -2333,10 +2332,290 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
|
||||||
}
|
}
|
||||||
self.federation_api.update_mapping(self.mapping['id'], rules)
|
self.federation_api.update_mapping(self.mapping['id'], rules)
|
||||||
|
|
||||||
|
def test_empty_blacklist_passess_all_values(self):
|
||||||
|
"""Test a mapping with empty blacklist specified
|
||||||
|
|
||||||
|
Not adding a ``blacklist`` keyword to the mapping rules has the same
|
||||||
|
effect as adding an empty ``blacklist``.
|
||||||
|
In both cases, the mapping engine will not discard any groups that are
|
||||||
|
associated with apache environment variables.
|
||||||
|
|
||||||
|
This test checks scenario where an empty blacklist was specified.
|
||||||
|
Expected result is to allow any value.
|
||||||
|
|
||||||
|
The test scenario is as follows:
|
||||||
|
- Create group ``EXISTS``
|
||||||
|
- Create group ``NO_EXISTS``
|
||||||
|
- Set mapping rules for existing IdP with a blacklist
|
||||||
|
that passes through as REMOTE_USER_GROUPS
|
||||||
|
- Issue unscoped token with groups ``EXISTS`` and ``NO_EXISTS``
|
||||||
|
assigned
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
domain_id = self.domainA['id']
|
||||||
|
domain_name = self.domainA['name']
|
||||||
|
|
||||||
|
# Add a group "EXISTS"
|
||||||
|
group_exists = self.new_group_ref(domain_id=domain_id)
|
||||||
|
group_exists['name'] = 'EXISTS'
|
||||||
|
group_exists = self.identity_api.create_group(group_exists)
|
||||||
|
|
||||||
|
# Add a group "NO_EXISTS"
|
||||||
|
group_no_exists = self.new_group_ref(domain_id=domain_id)
|
||||||
|
group_no_exists['name'] = 'NO_EXISTS'
|
||||||
|
group_no_exists = self.identity_api.create_group(group_no_exists)
|
||||||
|
|
||||||
|
group_ids = set([group_exists['id'], group_no_exists['id']])
|
||||||
|
|
||||||
|
rules = {
|
||||||
|
'rules': [
|
||||||
|
{
|
||||||
|
"local": [
|
||||||
|
{
|
||||||
|
"user": {
|
||||||
|
"name": "{0}",
|
||||||
|
"id": "{0}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"remote": [
|
||||||
|
{
|
||||||
|
"type": "REMOTE_USER"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"local": [
|
||||||
|
{
|
||||||
|
"groups": "{0}",
|
||||||
|
"domain": {"name": domain_name}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"remote": [
|
||||||
|
{
|
||||||
|
"type": "REMOTE_USER_GROUPS",
|
||||||
|
"blacklist": []
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
self.federation_api.update_mapping(self.mapping['id'], rules)
|
||||||
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
|
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
|
||||||
assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
|
assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
|
||||||
self.assertEqual(1, len(assigned_group_ids))
|
self.assertEqual(len(group_ids), len(assigned_group_ids))
|
||||||
self.assertEqual(group['id'], assigned_group_ids[0]['id'])
|
for group in assigned_group_ids:
|
||||||
|
self.assertIn(group['id'], group_ids)
|
||||||
|
|
||||||
|
def test_not_adding_blacklist_passess_all_values(self):
|
||||||
|
"""Test a mapping without blacklist specified.
|
||||||
|
|
||||||
|
Not adding a ``blacklist`` keyword to the mapping rules has the same
|
||||||
|
effect as adding an empty ``blacklist``. In both cases all values will
|
||||||
|
be accepted and passed.
|
||||||
|
|
||||||
|
This test checks scenario where an blacklist was not specified.
|
||||||
|
Expected result is to allow any value.
|
||||||
|
|
||||||
|
The test scenario is as follows:
|
||||||
|
- Create group ``EXISTS``
|
||||||
|
- Create group ``NO_EXISTS``
|
||||||
|
- Set mapping rules for existing IdP with a blacklist
|
||||||
|
that passes through as REMOTE_USER_GROUPS
|
||||||
|
- Issue unscoped token with on groups ``EXISTS`` and ``NO_EXISTS``
|
||||||
|
assigned
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
domain_id = self.domainA['id']
|
||||||
|
domain_name = self.domainA['name']
|
||||||
|
|
||||||
|
# Add a group "EXISTS"
|
||||||
|
group_exists = self.new_group_ref(domain_id=domain_id)
|
||||||
|
group_exists['name'] = 'EXISTS'
|
||||||
|
group_exists = self.identity_api.create_group(group_exists)
|
||||||
|
|
||||||
|
# Add a group "NO_EXISTS"
|
||||||
|
group_no_exists = self.new_group_ref(domain_id=domain_id)
|
||||||
|
group_no_exists['name'] = 'NO_EXISTS'
|
||||||
|
group_no_exists = self.identity_api.create_group(group_no_exists)
|
||||||
|
|
||||||
|
group_ids = set([group_exists['id'], group_no_exists['id']])
|
||||||
|
|
||||||
|
rules = {
|
||||||
|
'rules': [
|
||||||
|
{
|
||||||
|
"local": [
|
||||||
|
{
|
||||||
|
"user": {
|
||||||
|
"name": "{0}",
|
||||||
|
"id": "{0}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"remote": [
|
||||||
|
{
|
||||||
|
"type": "REMOTE_USER"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"local": [
|
||||||
|
{
|
||||||
|
"groups": "{0}",
|
||||||
|
"domain": {"name": domain_name}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"remote": [
|
||||||
|
{
|
||||||
|
"type": "REMOTE_USER_GROUPS",
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
self.federation_api.update_mapping(self.mapping['id'], rules)
|
||||||
|
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
|
||||||
|
assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
|
||||||
|
self.assertEqual(len(group_ids), len(assigned_group_ids))
|
||||||
|
for group in assigned_group_ids:
|
||||||
|
self.assertIn(group['id'], group_ids)
|
||||||
|
|
||||||
|
def test_empty_whitelist_discards_all_values(self):
|
||||||
|
"""Test that empty whitelist blocks all the values
|
||||||
|
|
||||||
|
Not adding a ``whitelist`` keyword to the mapping value is different
|
||||||
|
than adding empty whitelist. The former case will simply pass all the
|
||||||
|
values, whereas the latter would discard all the values.
|
||||||
|
|
||||||
|
This test checks scenario where an empty whitelist was specified.
|
||||||
|
The expected result is that no groups are matched.
|
||||||
|
|
||||||
|
The test scenario is as follows:
|
||||||
|
- Create group ``EXISTS``
|
||||||
|
- Set mapping rules for existing IdP with an empty whitelist
|
||||||
|
that whould discard any values from the assertion
|
||||||
|
- Try issuing unscoped token, expect server to raise
|
||||||
|
``exception.MissingGroups`` as no groups were matched and ephemeral
|
||||||
|
user does not have any group assigned.
|
||||||
|
|
||||||
|
"""
|
||||||
|
domain_id = self.domainA['id']
|
||||||
|
domain_name = self.domainA['name']
|
||||||
|
group = self.new_group_ref(domain_id=domain_id)
|
||||||
|
group['name'] = 'EXISTS'
|
||||||
|
group = self.identity_api.create_group(group)
|
||||||
|
rules = {
|
||||||
|
'rules': [
|
||||||
|
{
|
||||||
|
"local": [
|
||||||
|
{
|
||||||
|
"user": {
|
||||||
|
"name": "{0}",
|
||||||
|
"id": "{0}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"remote": [
|
||||||
|
{
|
||||||
|
"type": "REMOTE_USER"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"local": [
|
||||||
|
{
|
||||||
|
"groups": "{0}",
|
||||||
|
"domain": {"name": domain_name}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"remote": [
|
||||||
|
{
|
||||||
|
"type": "REMOTE_USER_GROUPS",
|
||||||
|
"whitelist": []
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
self.federation_api.update_mapping(self.mapping['id'], rules)
|
||||||
|
|
||||||
|
self.assertRaises(exception.MissingGroups,
|
||||||
|
self._issue_unscoped_token,
|
||||||
|
assertion='UNMATCHED_GROUP_ASSERTION')
|
||||||
|
|
||||||
|
def test_not_setting_whitelist_accepts_all_values(self):
|
||||||
|
"""Test that not setting whitelist passes
|
||||||
|
|
||||||
|
Not adding a ``whitelist`` keyword to the mapping value is different
|
||||||
|
than adding empty whitelist. The former case will simply pass all the
|
||||||
|
values, whereas the latter would discard all the values.
|
||||||
|
|
||||||
|
This test checks a scenario where a ``whitelist`` was not specified.
|
||||||
|
Expected result is that no groups are ignored.
|
||||||
|
|
||||||
|
The test scenario is as follows:
|
||||||
|
- Create group ``EXISTS``
|
||||||
|
- Set mapping rules for existing IdP with an empty whitelist
|
||||||
|
that whould discard any values from the assertion
|
||||||
|
- Issue an unscoped token and make sure ephemeral user is a member of
|
||||||
|
two groups.
|
||||||
|
|
||||||
|
"""
|
||||||
|
domain_id = self.domainA['id']
|
||||||
|
domain_name = self.domainA['name']
|
||||||
|
|
||||||
|
# Add a group "EXISTS"
|
||||||
|
group_exists = self.new_group_ref(domain_id=domain_id)
|
||||||
|
group_exists['name'] = 'EXISTS'
|
||||||
|
group_exists = self.identity_api.create_group(group_exists)
|
||||||
|
|
||||||
|
# Add a group "NO_EXISTS"
|
||||||
|
group_no_exists = self.new_group_ref(domain_id=domain_id)
|
||||||
|
group_no_exists['name'] = 'NO_EXISTS'
|
||||||
|
group_no_exists = self.identity_api.create_group(group_no_exists)
|
||||||
|
|
||||||
|
group_ids = set([group_exists['id'], group_no_exists['id']])
|
||||||
|
|
||||||
|
rules = {
|
||||||
|
'rules': [
|
||||||
|
{
|
||||||
|
"local": [
|
||||||
|
{
|
||||||
|
"user": {
|
||||||
|
"name": "{0}",
|
||||||
|
"id": "{0}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"remote": [
|
||||||
|
{
|
||||||
|
"type": "REMOTE_USER"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"local": [
|
||||||
|
{
|
||||||
|
"groups": "{0}",
|
||||||
|
"domain": {"name": domain_name}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"remote": [
|
||||||
|
{
|
||||||
|
"type": "REMOTE_USER_GROUPS",
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
self.federation_api.update_mapping(self.mapping['id'], rules)
|
||||||
|
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
|
||||||
|
assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
|
||||||
|
self.assertEqual(len(group_ids), len(assigned_group_ids))
|
||||||
|
for group in assigned_group_ids:
|
||||||
|
self.assertIn(group['id'], group_ids)
|
||||||
|
|
||||||
def test_assertion_prefix_parameter(self):
|
def test_assertion_prefix_parameter(self):
|
||||||
"""Test parameters filtering based on the prefix.
|
"""Test parameters filtering based on the prefix.
|
||||||
|
|
Loading…
Reference in New Issue