In the evaluation of federation mapping rules, when "regex" is true,
it's only checked that if the values from assertion match the values
from mapping rules, and "any_one_of" and "not_any_of" options are
bypassed. So if one specifies "regex: True" and "not_any_of" at the
same time, he will got an unexpected result that assertion with values
in "not_any_of" can pass the evaluation.
The expected behaviour, when "regex" is true, should be matching values
in assertion and mapping rules using regular expression, if match with
"any_one_of" or not match with "not_any_of", pass the evaluation,
otherwise fail the evaluation.
Reviewed: https:/ /review. openstack. org/151109 /git.openstack. org/cgit/ openstack/ keystone/ commit/ ?id=ac928df1b92 b35a7d07ce560a3 8cc848954ad0f1
Committed: https:/
Submitter: Jenkins
Branch: master
commit ac928df1b92b35a 7d07ce560a38cc8 48954ad0f1
Author: zhiyuan_cai <email address hidden>
Date: Thu Jan 29 13:16:03 2015 +0800
Fix evaluation logic of federation mapping rules
In the evaluation of federation mapping rules, when "regex" is true,
it's only checked that if the values from assertion match the values
from mapping rules, and "any_one_of" and "not_any_of" options are
bypassed. So if one specifies "regex: True" and "not_any_of" at the
same time, he will got an unexpected result that assertion with values
in "not_any_of" can pass the evaluation.
The expected behaviour, when "regex" is true, should be matching values
in assertion and mapping rules using regular expression, if match with
"any_one_of" or not match with "not_any_of", pass the evaluation,
otherwise fail the evaluation.
Change-Id: Ic6969c6dc23cff 3abce775711f9ed 01ffdf8dcb1
Closes-Bug: #1414961