** Changed in: keystone/kilo
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1487937
Title:
IndexError if federation mapping doesn't match anything
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) kilo series:
Fix Released
Bug description:
I have a mapping that looks like this:
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "id": "{0}",
                    "domain": {"name": "Default"}
                }
            }
        ],
        "remote": [
            {
                "type": "REMOTE_USER"
            }
        ]
    },
    {
        "local": [
            {
                "groups": "{0}",
                "domain": {
                    "name": "Default"
                }
            }
        ],
        "remote": [
            {
                "type": "REMOTE_USER_GROUPS",
                "whitelist": ["ipausers"]
            }
        ]
    },
    {
        "local": [
            {
                "groups": {
                    "name": "services",
                    "domain": {
                        "name": "Default"
                    }
                }
            }
        ],
        "remote": [
            {
                "type": "GSS_NAME",
                "any_one_of": [
                    "glance/[email protected]"
                ]
            }
        ]
    }
]
In the event of the service user, who would match the last part of that
mapping, the REMOTE_USER_GROUPS value is not present in the assertion.
Because of the way _verify_all_requirements works[1], because the type
is not present in the assertion, the direct map part of this rule
simply falls through and returns the direct map object - the
equivalent to accepting the remote rule.
Then, because nothing was added to the returned DirectMap object, trying
to apply the "{0}" fails because there is nothing to interpolate
against and I get an error like:
[-] tuple index out of range
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 239, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/controllers.py", line 267, in federated_authentication
    return self.authenticate_for_token(context, auth=auth)
  File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 377, in authenticate_for_token
    self.authenticate(context, auth_info, auth_context)
  File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 502, in authenticate
    auth_context)
  File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 70, in authenticate
    self.identity_api)
  File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 144, in handle_unscoped_token
    federation_api, identity_api)
  File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 193, in apply_mapping_filter
    mapped_properties = rule_processor.process(assertion)
  File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/utils.py", line 472, in process
    new_local = self._update_local_mapping(local, direct_maps)
  File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/utils.py", line 617, in _update_local_mapping
    new_value = v.format(*direct_maps)
IndexError: tuple index out of range
(Note: this is run against stable/kilo; however, the problem still
exists.)
My impression here is that if the "type" specified in the remote part of the
rule is not present in the assertion then that should be an immediate failure
of the rule.
[1] https://github.com/openstack/keystone/blob/40ecf5e61e2d6277d38d5b0bf04201db4f58583b/keystone/contrib/federation/utils.py#L675-L722
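The fall-through described in the bug report, as a simplified model added here (not keystone's code and not part of the original report). The names match_remote and apply_rule, the strict flag and both assertions are constructed for illustration; only the rule itself is taken from the mapping above.

```python
# Simplified model of the rule evaluation described in the report.
# Not keystone's implementation: helper names and assertions are constructed.

# Second rule of the reporter's mapping.
RULE = {
    "local": [{"groups": "{0}", "domain": {"name": "Default"}}],
    "remote": [{"type": "REMOTE_USER_GROUPS", "whitelist": ["ipausers"]}],
}

# Constructed assertions. The service user carries no REMOTE_USER_GROUPS.
SERVICE_ASSERTION = {"REMOTE_USER": "glance"}
USER_ASSERTION = {"REMOTE_USER": "alice",
                  "REMOTE_USER_GROUPS": ["ipausers", "admins"]}


def match_remote(remote, assertion, strict):
    """Return the direct-map values, or None when the rule is rejected."""
    direct_maps = []
    for requirement in remote:
        value = assertion.get(requirement["type"])
        if value is None:
            if strict:
                return None   # behaviour the reporter asks for: rule fails
            continue          # reported behaviour: requirement is skipped
        values = value if isinstance(value, list) else [value]
        if "whitelist" in requirement:
            values = [v for v in values if v in requirement["whitelist"]]
        direct_maps.append(values)
    return direct_maps


def apply_rule(rule, assertion, strict):
    """Interpolate direct maps into the local part; None if no match."""
    direct_maps = match_remote(rule["remote"], assertion, strict)
    if direct_maps is None:
        return None
    return [
        {key: val.format(*direct_maps) if isinstance(val, str) else val
         for key, val in local.items()}
        for local in rule["local"]
    ]


if __name__ == "__main__":
    print(apply_rule(RULE, USER_ASSERTION, strict=True))
    print(apply_rule(RULE, SERVICE_ASSERTION, strict=True))
    try:
        apply_rule(RULE, SERVICE_ASSERTION, strict=False)
    except IndexError as exc:
        print("IndexError:", exc)
```

With strict=False the skipped requirement leaves the direct-map list empty, so "{0}" has nothing to interpolate and the request ends in an unhandled IndexError instead of a non-matching rule.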