regex bypasses eval_type in federation mapping rules

Bug #1414961 reported by Zhiyuan Cai
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Zhiyuan Cai |

Bug Description

According to this API document[1], when creating mapping rules, we can specify "regex: true" to indicate that we would like each string to be evaluated as a regular expression. But in the current implementation[2], when "regex" is true, it's only checked whether the values from the assertion match the values from the mapping rules, and the "any_one_of" and "not_any_of" options are bypassed. So if one specifies "regex: true" and "not_any_of" at the same time, he will get an unexpected result: an assertion with values in "not_any_of" can pass the check.

I think the expected behaviour, when "regex" is true, should be to match values in the assertion and mapping rules using regular expressions: if they match with "any_one_of" or do not match with "not_any_of", pass the check; otherwise fail the check.

[1] https://review.openstack.org/#/c/59848/
[2] https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L565-L578
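
The behaviour described in this report, as an added example (a simplified model written for this page, not keystone's code). The function names, the orgPersonType attribute and the sample rule are constructed; the model assumes the attribute is present in the assertion.

```python
import re

def _any_match(values, asserted, regex):
    """True if any rule value matches any asserted value."""
    if regex:
        return any(re.search(v, a) for v in values for a in asserted)
    return bool(set(values) & set(asserted))

def _parts(requirement, assertion):
    eval_type = "any_one_of" if "any_one_of" in requirement else "not_any_of"
    regex = requirement.get("regex", False)
    asserted = assertion.get(requirement["type"], [])
    return eval_type, regex, _any_match(requirement[eval_type], asserted, regex)

def evaluate_buggy(requirement, assertion):
    """Reported behaviour: with regex, eval_type is never consulted."""
    eval_type, regex, matched = _parts(requirement, assertion)
    if regex:
        return matched  # a regex match passes, even under not_any_of
    return matched if eval_type == "any_one_of" else not matched

def evaluate_fixed(requirement, assertion):
    """Expected behaviour: regex only changes how values are compared."""
    eval_type, _, matched = _parts(requirement, assertion)
    return matched if eval_type == "any_one_of" else not matched

def affected_requirements(rules):
    """(rule index, requirement) pairs combining regex with not_any_of."""
    return [(i, req) for i, rule in enumerate(rules)
            for req in rule.get("remote", [])
            if req.get("regex") and "not_any_of" in req]

# Constructed sample: intended to keep contractors out of the mapped group.
DENY = {"type": "orgPersonType", "not_any_of": ["^Contractor"], "regex": True}
RULES = [{"local": [{"group": {"id": "PLACEHOLDER_GROUP_ID"}}],
          "remote": [{"type": "UserName"}, DENY]}]

if __name__ == "__main__":
    for person in (["Contractor-ops"], ["Employee"]):
        a = {"orgPersonType": person}
        print(person, "buggy:", evaluate_buggy(DENY, a),
              "fixed:", evaluate_fixed(DENY, a))
    print("review on unpatched deployments:", affected_requirements(RULES))
```

In this model the flaw inverts "not_any_of" whenever "regex" is true, so the excluded value passes and the permitted value fails; affected_requirements lists the rules worth reviewing on a deployment that predates the fix.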

Changed in keystone:
assignee: nobody → Zhiyuan Cai (luckyvega-g)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/151109

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/151109
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ac928df1b92b35a7d07ce560a38cc848954ad0f1
Submitter: Jenkins
Branch: master

commit ac928df1b92b35a7d07ce560a38cc848954ad0f1
Author: zhiyuan_cai <email address hidden>
Date: Thu Jan 29 13:16:03 2015 +0800

    Fix evaluation logic of federation mapping rules

    In the evaluation of federation mapping rules, when "regex" is true,
    it's only checked that if the values from assertion match the values
    from mapping rules, and "any_one_of" and "not_any_of" options are
    bypassed. So if one specifies "regex: True" and "not_any_of" at the
    same time, he will get an unexpected result that assertion with values
    in "not_any_of" can pass the evaluation.

    The expected behaviour, when "regex" is true, should be matching values
    in assertion and mapping rules using regular expression, if match with
    "any_one_of" or not match with "not_any_of", pass the evaluation,
    otherwise fail the evaluation.

    Change-Id: Ic6969c6dc23cff3abce775711f9ed01ffdf8dcb1
    Closes-Bug: #1414961

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0