IndexError if federation mapping doesn't match anything

Bug #1487937 reported by Jamie Lennox
Affects                        Status        Importance  Assigned to   Milestone
OpenStack Identity (keystone)  Fix Released  Medium      Jamie Lennox  8.0.0
  Kilo                         Fix Released  Undecided   Unassigned

Bug Description

I have a mapping that looks like this:

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "id": "{0}",
                    "domain": {"name": "Default"}
                }
            }
        ],
        "remote": [
            {
                "type": "REMOTE_USER"
            }
        ]
    },

    {
        "local": [
            {
                "groups": "{0}",
                "domain": {
                    "name": "Default"
                }
            }
        ],
        "remote": [
            {
                "type": "REMOTE_USER_GROUPS",
                "whitelist": ["ipausers"]
            }
        ]
    },

    {
        "local": [
            {
                "groups": {
                    "name": "services",
                    "domain": {
                        "name": "Default"
                    }
                }
            }
        ],
        "remote": [
            {
                "type": "GSS_NAME",
                "any_one_of": [
                    "<email address hidden>"
                ]
            }
        ]
    }
]

In the case of the service user, who would match the last part of that mapping, the REMOTE_USER_GROUPS value is not present in the assertion. Because of the way _verify_all_requirements works[1], when the type is not present in the assertion the direct map part of this rule simply falls through and returns the direct map object, the equivalent of accepting the remote rule.

Then, because nothing was added to the returned DirectMap object, trying to apply the "{0}" fails because there is nothing to interpolate against and I get an error like:

[-] tuple index out of range
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 239, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/controllers.py", line 267, in federated_authentication
    return self.authenticate_for_token(context, auth=auth)
  File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 377, in authenticate_for_token
    self.authenticate(context, auth_info, auth_context)
  File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 502, in authenticate
    auth_context)
  File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 70, in authenticate
    self.identity_api)
  File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 144, in handle_unscoped_token
    federation_api, identity_api)
  File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 193, in apply_mapping_filter
    mapped_properties = rule_processor.process(assertion)
  File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/utils.py", line 472, in process
    new_local = self._update_local_mapping(local, direct_maps)
  File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/utils.py", line 617, in _update_local_mapping
    new_value = v.format(*direct_maps)
IndexError: tuple index out of range

(note this is run against stable/kilo, however the problem still exists).

My impression here is that if the "type" specified in the remote part of the rule is not present in the assertion then that should be an immediate failure of the rule.

[1] https://github.com/openstack/keystone/blob/40ecf5e61e2d6277d38d5b0bf04201db4f58583b/keystone/contrib/federation/utils.py#L675-L722

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/216088

Changed in keystone:
assignee: nobody → Jamie Lennox (jamielennox)
status: New → In Progress
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
tags: added: kilo-backport-potential
Revision history for this message
Steve Martinelli (stevemar) wrote :

the evaluation of *that* specific rule should fail, but the mapping as a whole should still work.

Revision history for this message
Jamie Lennox (jamielennox) wrote :

Steve: correct. I want the mapping as a whole to succeed as I need to match the following remote section. Just that middle REMOTE_USER_GROUPS rule should fail.
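
The failure path from the bug description, and the behaviour Steve and Jamie agree on above (that one rule fails, the mapping as a whole still succeeds), as an added example that is not keystone's own code: a reduced re-implementation of the rule processor with a switch between the pre-fix fall-through and the fixed rejection. Everything in it is an assumption made for the example: the function and class names, the sample assertions, the placeholder service principal standing in for the hidden address, and the reduced rule semantics (any_one_of is a filter that never contributes a direct map; whitelist narrows a direct map; regex, blacklist, not_any_of, group IDs and the user "type" field are not modelled).

```python
# Added example: reduced model of keystone's rule processor, not keystone's code.
import ast


class DirectMaps:
    """Assertion values captured per direct-map requirement. Only the sequence
    protocol is implemented, so '{0}'.format(*direct_maps) works and an
    unfilled placeholder raises IndexError, the error in the report."""

    def __init__(self):
        self._maps = []

    def add(self, values):
        self._maps.append(values)

    def __getitem__(self, idx):
        value = self._maps[idx]  # IndexError when nothing was captured for idx
        return value[0] if len(value) == 1 else value


def verify_all_requirements(requirements, assertion, reject_missing_type):
    """DirectMaps when every remote requirement is met, otherwise None.
    reject_missing_type=False mirrors the pre-fix behaviour: a direct-map entry
    whose 'type' is absent is skipped and the rule still counts as matched.
    reject_missing_type=True mirrors the fix: such a rule is rejected."""
    direct_maps = DirectMaps()
    for req in requirements:
        values = assertion.get(req['type'])
        if 'any_one_of' in req:  # a filter: never a direct map
            if not values or not set(values) & set(req['any_one_of']):
                return None
            continue
        if not values:
            if reject_missing_type:
                return None
            continue  # the bug: falls through with nothing captured
        if 'whitelist' in req:
            values = [v for v in values if v in req['whitelist']]
        direct_maps.add(values)
    return direct_maps


def update_local_mapping(local, direct_maps):
    """Recursively interpolate '{n}' placeholders in a rule's local part."""
    new = {}
    for key, value in local.items():
        if isinstance(value, dict):
            new[key] = update_local_mapping(value, direct_maps)
        else:
            new[key] = value.format(*direct_maps)  # IndexError if {n} unfilled
    return new


def process(rules, assertion, reject_missing_type=True):
    """Apply every rule; merge the local parts of matching rules into one
    identity of the form {'user': {...}, 'groups': [{'name', 'domain'}, ...]}."""
    identity = {'user': None, 'groups': []}
    for rule in rules:
        direct_maps = verify_all_requirements(rule['remote'], assertion,
                                              reject_missing_type)
        if direct_maps is None:
            continue  # this rule does not apply; the next one may
        for local in rule['local']:
            new_local = update_local_mapping(local, direct_maps)
            if 'user' in new_local:
                identity['user'] = new_local['user']
            groups = new_local.get('groups')
            if isinstance(groups, dict):  # an explicit single group
                identity['groups'].append(groups)
            elif groups is not None:  # '{0}' form: one name, or str() of a list
                names = ast.literal_eval(groups) if groups.startswith('[') else [groups]
                for name in names:
                    identity['groups'].append({'name': name, 'domain': new_local['domain']})
    return identity


def mapping_outcome(rules, assertion, reject_missing_type):
    """The mapped identity, or 'IndexError' if mapping blew up as in the bug."""
    try:
        return process(rules, assertion, reject_missing_type)
    except IndexError:
        return 'IndexError'


DEFAULT = {'name': 'Default'}
PRINCIPAL = 'nova/compute.example.org@EXAMPLE.ORG'  # placeholder for the hidden address
MAPPING = [  # the three rules from the bug report, condensed
    {'local': [{'user': {'name': '{0}', 'id': '{0}', 'domain': DEFAULT}}],
     'remote': [{'type': 'REMOTE_USER'}]},
    {'local': [{'groups': '{0}', 'domain': DEFAULT}],
     'remote': [{'type': 'REMOTE_USER_GROUPS', 'whitelist': ['ipausers']}]},
    {'local': [{'groups': {'name': 'services', 'domain': DEFAULT}}],
     'remote': [{'type': 'GSS_NAME', 'any_one_of': [PRINCIPAL]}]},
]
# Constructed sample assertions: an ordinary IPA user, and the service user
# whose assertion carries GSS_NAME but no REMOTE_USER_GROUPS at all.
USER_ASSERTION = {'REMOTE_USER': ['alice'], 'REMOTE_USER_GROUPS': ['ipausers', 'admins']}
SERVICE_ASSERTION = {'REMOTE_USER': ['nova'], 'GSS_NAME': [PRINCIPAL]}
```

With reject_missing_type=False the service assertion reaches the "{0}" of the second rule with nothing captured and mapping_outcome returns 'IndexError', the traceback in the report. With it set to True the second rule is rejected, the first and third still match, and the service user comes out with the "services" group; an ordinary IPA user maps identically under both settings, because in this model the third rule's any_one_of filter already fails on an absent GSS_NAME.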

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/216088
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=21b0c7e81691a513b7f6c39a71313ff06b957c94
Submitter: Jenkins
Branch: master

commit 21b0c7e81691a513b7f6c39a71313ff06b957c94
Author: Jamie Lennox <email address hidden>
Date: Mon Aug 24 13:33:07 2015 +1000

    Reject rule if assertion type unset

    When the "type" of the remote rule is not present in the assertion this
    should constitute a failure to match and reject the local change.

    Change-Id: Idba9a95f31a28401b2d49545347175ee0f324ab5
    Closes-Bug: #1487937

Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/225516

Thierry Carrez (ttx)
Changed in keystone:
milestone: none → liberty-rc1
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/225516
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8a2da01cb8b4a8369af4f5cf5cc7e20b1bf4453a
Submitter: Jenkins
Branch: stable/kilo

commit 8a2da01cb8b4a8369af4f5cf5cc7e20b1bf4453a
Author: Jamie Lennox <email address hidden>
Date: Mon Aug 24 13:33:07 2015 +1000

    Reject rule if assertion type unset

    When the "type" of the remote rule is not present in the assertion this
    should constitute a failure to match and reject the local change.

    Conflicts:
     keystone/tests/unit/contrib/federation/test_utils.py
     keystone/tests/unit/mapping_fixtures.py

    Change-Id: Idba9a95f31a28401b2d49545347175ee0f324ab5
    Closes-Bug: #1487937
    (cherry picked from commit 21b0c7e81691a513b7f6c39a71313ff06b957c94)

tags: added: in-stable-kilo
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-rc1 → 8.0.0