IndexError if federation mapping doesn't match anything
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Jamie Lennox |
Kilo | Fix Released | Undecided | Unassigned |
Bug Description
I have a mapping that looks like this:
[
{
"local": [
{
}
}
],
"remote": [
{
}
]
},
{
"local": [
{
}
}
],
"remote": [
{
}
]
},
{
"local": [
{
}
}
],
"remote": [
{
]
}
]
}
]
In the event of the service user who would match the last part of that mapping the REMOTE_USER_GROUPS value is not present in the assertion. Because of the way _verify_
Then, because nothing was added to the returned DirectMap object, trying to apply the "{0}" fails because there is nothing to interpolate against, and I get an error like:
[-] tuple index out of range
Traceback (most recent call last):
File "/usr/lib/
result = method(context, **params)
File "/usr/lib/
return self.authentica
File "/usr/lib/
self.
File "/usr/lib/
auth_context)
File "/usr/lib/
self.
File "/usr/lib/
federation_api, identity_api)
File "/usr/lib/
mapped_
File "/usr/lib/
new_local = self._update_
File "/usr/lib/
new_value = v.format(
IndexError: tuple index out of range
(note this is run against stable/kilo, however the problem still exists).
My impression here is that if the "type" specified in the remote part of the rule is not present in the assertion then that should be an immediate failure of the rule.
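The failure mode in this report, as an added example that is not keystone's code and not part of the original report: a simplified rule evaluator in which a remote "type" absent from the assertion contributes no value, so `"{0}".format()` has nothing to interpolate, next to a strict variant that fails the rule as the reporter suggests. The flat rule shape, the function names and the sample assertions are assumptions made for illustration.

```python
# Added illustration: a simplified model of rule evaluation, not keystone's code.

def collect_direct_maps(assertion, remote, strict):
    """Return values for each remote requirement, or None if the rule fails.

    strict=False models the behaviour the report describes: a requirement
    whose "type" is absent from the assertion contributes nothing.
    strict=True treats an absent "type" as an immediate failure of the rule.
    """
    values = []
    for requirement in remote:
        value = assertion.get(requirement["type"])
        if value is None:
            if strict:
                return None
            continue
        values.append(value)
    return values


def apply_rule(assertion, rule, strict):
    """Interpolate "{0}", "{1}", ... in the rule's local part; None = no match."""
    direct_maps = collect_direct_maps(assertion, rule["remote"], strict)
    if direct_maps is None:
        return None
    return {key: template.format(*direct_maps)
            for key, template in rule["local"].items()}


# Constructed sample data (hypothetical rule and assertions).
RULE = {"local": {"group": "{0}"}, "remote": [{"type": "REMOTE_USER_GROUPS"}]}
SERVICE_USER_ASSERTION = {"REMOTE_USER": "svc-account"}  # no REMOTE_USER_GROUPS
NORMAL_ASSERTION = {"REMOTE_USER": "alice", "REMOTE_USER_GROUPS": "admins"}


def lenient_outcome(assertion):
    """Run the lenient evaluator and report how it ends."""
    try:
        return apply_rule(assertion, RULE, strict=False)
    except IndexError as exc:
        return "IndexError: %s" % exc


if __name__ == "__main__":
    print(lenient_outcome(SERVICE_USER_ASSERTION))
    print(apply_rule(SERVICE_USER_ASSERTION, RULE, strict=True))
    print(apply_rule(NORMAL_ASSERTION, RULE, strict=True))
```

The wording of the IndexError message depends on the Python version; the strict variant returns None for the service user, so the caller can treat the rule as unmatched instead of surfacing an unhandled exception from the authentication path.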
Changed in keystone:
importance: Undecided → Medium
tags: added: kilo-backport-potential
Changed in keystone:
milestone: none → liberty-rc1
status: Fix Committed → Fix Released
Changed in keystone:
milestone: liberty-rc1 → 8.0.0
Fix proposed to branch: master
Review: https://review.openstack.org/216088