OpenStack Identity (keystone)

Lack of federated token user object validation

Bug #1489474 reported by Marek Denis on 2015-08-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Low	Marek Denis	OpenStack Identity (keystone) 8.0.0 "liberty"

Bug Description

In our tests it would be better to add a validation of federated user structure in the token.
The check should ensure there are required attributes as well some of them are meeting specified criteria (like user_id should be always url safe).

See original description

Tags:

OpenStack Infra (hudson-openstack) on 2015-08-27

Changed in keystone:
assignee:	nobody → Marek Denis (marek-denis)
status:	New → In Progress

Marek Denis (marek-denis) on 2015-08-27

Changed in keystone:
importance:	Undecided → Wishlist
milestone:	none → liberty-3
tags:	added: federation test-improvement

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2015-08-27:

This review should close this bug; but it wasn't linked in the report..

https://review.openstack.org/#/c/217049/

description:

updated

Revision history for this message

Dolph Mathews (dolph) wrote on 2015-08-27:

Raised this from Wishlist to Low because there's no featureful impact for end users.

Changed in keystone:
importance:	Wishlist → Low

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-02: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/217049
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f19860fcd9a15e91d579b3138777e791c246b594
Submitter: Jenkins
Branch: master

commit f19860fcd9a15e91d579b3138777e791c246b594
Author: Marek Denis <email address hidden>
Date: Wed Aug 26 11:09:02 2015 +0200

Validate Mapped User object.

Provide a method for checking whether required attributes identifying
ephemeral user are present in the token response.

Proposed checks include:

    - ensure 'id' is present
    - ensure 'name' is present
    - ensure 'domain' is present
    - ensure 'identity_provider' is present in user['OS-FEDERATION']
    - ensure 'groups' is present in user['OS-FEDERATION']
    - ensure 'protocol' is present in user['OS-FEDERATION']

additionally ensure that 'user_id' is url safe

Closes-Bug: #1489474
Change-Id: I5289fdc4ea4e4f0a682d31121913a828d283eb0d

Changed in keystone:
status:	In Progress → Fix Committed

Doug Hellmann (doug-hellmann) on 2015-09-03

Changed in keystone:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-10-15

Changed in keystone:
milestone:	liberty-3 → 8.0.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.