regex bypasses eval_type in federation mapping rules
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Medium
|
Zhiyuan Cai |
Bug Description
According to this api document[1], when creating mapping rules, we can specify "regex: true" to indicate that we would like each string to be evaluated by regular repression. But in current implementation[2], when "regex" is true, it's only checked that if the values from assertion match the values from the mapping rules, and "any_one_of" and "not_any_of" options are bypassed. So if one specifies "regex: true" and "not_any_of" at the same time, he will got an unexpected result that assertion with values in "not_any_of" can pass the check.
I think the expected behaviour, when "regex" is true, should be matching values in assertion and mapping rules using regular expression, if match with "any_one_of" or not match with "not_any_of", pass the check, otherwise fail the check.
[1] https:/
[2] https:/
Changed in keystone: | |
assignee: | nobody → Zhiyuan Cai (luckyvega-g) |
Changed in keystone: | |
milestone: | none → kilo-3 |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
importance: | Undecided → Medium |
Changed in keystone: | |
milestone: | kilo-3 → 2015.1.0 |
Fix proposed to branch: master /review. openstack. org/151109
Review: https:/