Diffstat (limited to 'keystone-moon/keystone/auth/plugins/mapped.py')
-rw-r--r--keystone-moon/keystone/auth/plugins/mapped.py62
1 files changed, 31 insertions, 31 deletions
diff --git a/keystone-moon/keystone/auth/plugins/mapped.py b/keystone-moon/keystone/auth/plugins/mapped.py
index abf44481..220ff013 100644
--- a/keystone-moon/keystone/auth/plugins/mapped.py
+++ b/keystone-moon/keystone/auth/plugins/mapped.py
@@ -13,14 +13,13 @@
import functools
from oslo_log import log
-from oslo_serialization import jsonutils
from pycadf import cadftaxonomy as taxonomy
from six.moves.urllib import parse
from keystone import auth
from keystone.auth import plugins as auth_plugins
from keystone.common import dependency
-from keystone.contrib import federation
+from keystone.contrib.federation import constants as federation_constants
from keystone.contrib.federation import utils
from keystone import exception
from keystone.i18n import _
@@ -33,8 +32,8 @@ LOG = log.getLogger(__name__)
METHOD_NAME = 'mapped'
-@dependency.requires('assignment_api', 'federation_api', 'identity_api',
- 'token_provider_api')
+@dependency.requires('federation_api', 'identity_api',
+ 'resource_api', 'token_provider_api')
class Mapped(auth.AuthMethodHandler):
def _get_token_ref(self, auth_payload):
@@ -44,7 +43,7 @@ class Mapped(auth.AuthMethodHandler):
token_data=response)
def authenticate(self, context, auth_payload, auth_context):
- """Authenticate mapped user and return an authentication context.
+ """Authenticate mapped user and set an authentication context.
:param context: keystone's request context
:param auth_payload: the content of the authentication for a
@@ -66,7 +65,7 @@ class Mapped(auth.AuthMethodHandler):
self.token_provider_api)
else:
handle_unscoped_token(context, auth_payload, auth_context,
- self.assignment_api, self.federation_api,
+ self.resource_api, self.federation_api,
self.identity_api)
@@ -101,12 +100,12 @@ def handle_scoped_token(context, auth_payload, auth_context, token_ref,
auth_context['user_id'] = user_id
auth_context['group_ids'] = group_ids
- auth_context[federation.IDENTITY_PROVIDER] = identity_provider
- auth_context[federation.PROTOCOL] = protocol
+ auth_context[federation_constants.IDENTITY_PROVIDER] = identity_provider
+ auth_context[federation_constants.PROTOCOL] = protocol
def handle_unscoped_token(context, auth_payload, auth_context,
- assignment_api, federation_api, identity_api):
+ resource_api, federation_api, identity_api):
def is_ephemeral_user(mapped_properties):
return mapped_properties['user']['type'] == utils.UserType.EPHEMERAL
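Review bot: The reworked signature of `handle_unscoped_token` still has no docstring, and with the swap from `assignment_api` to `resource_api` a reader can no longer tell from the name alone what each backend is used for (the body continues past this hunk, so only the first nested helper is visible here). A short docstring after the `def` line would help: one sentence stating that it fills `auth_context` from the federated assertion, then `:param` entries for `context`, `auth_payload`, `auth_context`, `resource_api`, `federation_api` and `identity_api`. The same applies to the matching signature change of `apply_mapping_filter` later in this diff.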
@@ -115,8 +114,9 @@ def handle_unscoped_token(context, auth_payload, auth_context,
identity_provider, protocol):
auth_context['user_id'] = user['id']
auth_context['group_ids'] = mapped_properties['group_ids']
- auth_context[federation.IDENTITY_PROVIDER] = identity_provider
- auth_context[federation.PROTOCOL] = protocol
+ auth_context[federation_constants.IDENTITY_PROVIDER] = (
+ identity_provider)
+ auth_context[federation_constants.PROTOCOL] = protocol
def build_local_user_context(auth_context, mapped_properties):
user_info = auth_plugins.UserAuthInfo.create(mapped_properties,
@@ -139,17 +139,15 @@ def handle_unscoped_token(context, auth_payload, auth_context,
user_id = None
try:
- mapped_properties = apply_mapping_filter(
- identity_provider, protocol, assertion, assignment_api,
+ mapped_properties, mapping_id = apply_mapping_filter(
+ identity_provider, protocol, assertion, resource_api,
federation_api, identity_api)
if is_ephemeral_user(mapped_properties):
user = setup_username(context, mapped_properties)
user_id = user['id']
group_ids = mapped_properties['group_ids']
- mapping = federation_api.get_mapping_from_idp_and_protocol(
- identity_provider, protocol)
- utils.validate_groups_cardinality(group_ids, mapping['id'])
+ utils.validate_groups_cardinality(group_ids, mapping_id)
build_ephemeral_user_context(auth_context, user,
mapped_properties,
identity_provider, protocol)
@@ -182,32 +180,29 @@ def extract_assertion_data(context):
def apply_mapping_filter(identity_provider, protocol, assertion,
- assignment_api, federation_api, identity_api):
+ resource_api, federation_api, identity_api):
idp = federation_api.get_idp(identity_provider)
- utils.validate_idp(idp, assertion)
- mapping = federation_api.get_mapping_from_idp_and_protocol(
- identity_provider, protocol)
- rules = jsonutils.loads(mapping['rules'])
- LOG.debug('using the following rules: %s', rules)
- rule_processor = utils.RuleProcessor(rules)
- mapped_properties = rule_processor.process(assertion)
+ utils.validate_idp(idp, protocol, assertion)
+
+ mapped_properties, mapping_id = federation_api.evaluate(
+ identity_provider, protocol, assertion)
# NOTE(marek-denis): We update group_ids only here to avoid fetching
# groups identified by name/domain twice.
# NOTE(marek-denis): Groups are translated from name/domain to their
# corresponding ids in the auth plugin, as we need information what
- # ``mapping_id`` was used as well as idenity_api and assignment_api
+ # ``mapping_id`` was used as well as idenity_api and resource_api
# objects.
group_ids = mapped_properties['group_ids']
utils.validate_groups_in_backend(group_ids,
- mapping['id'],
+ mapping_id,
identity_api)
group_ids.extend(
utils.transform_to_group_ids(
- mapped_properties['group_names'], mapping['id'],
- identity_api, assignment_api))
+ mapped_properties['group_names'], mapping_id,
+ identity_api, resource_api))
mapped_properties['group_ids'] = list(set(group_ids))
- return mapped_properties
+ return mapped_properties, mapping_id
def setup_username(context, mapped_properties):
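Review bot: The comment line that this hunk rewrites still carries the typo "idenity_api" next to the new "resource_api" wording; since the line is touched anyway it should read `# ``mapping_id`` was used as well as identity_api and resource_api`. Separately, the new `evaluate()` call replaces the old local rule processing, so the `LOG.debug('using the following rules: %s', rules)` trace is gone from this plugin; if rule evaluation is not logged inside `federation_api.evaluate`, a debug line naming the returned `mapping_id` would keep the mapping that was applied traceable in logs, e.g. `LOG.debug('mapping %s applied for idp %s / protocol %s', mapping_id, identity_provider, protocol)`.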
@@ -241,12 +236,17 @@ def setup_username(context, mapped_properties):
user_name = user.get('name') or context['environment'].get('REMOTE_USER')
if not any([user_id, user_name]):
- raise exception.Unauthorized(_("Could not map user"))
+ msg = _("Could not map user while setting ephemeral user identity. "
+ "Either mapping rules must specify user id/name or "
+ "REMOTE_USER environment variable must be set.")
+ raise exception.Unauthorized(msg)
elif not user_name:
user['name'] = user_id
elif not user_id:
- user['id'] = parse.quote(user_name)
+ user_id = user_name
+
+ user['id'] = parse.quote(user_id)
return user
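Review bot: The new final `user['id'] = parse.quote(user_id)` now URL-quotes the id in every branch, whereas before only the id derived from `user_name` was quoted; when the mapping rules supply an id directly it is now stored quoted, and in the `elif not user_name:` branch `user['name']` keeps the raw `user_id` while `user['id']` gets the quoted form, so the two can diverge for ids containing reserved characters. If that is intended, a comment above the assignment should say so, e.g. `# Always store a URL-safe id; name keeps the value as mapped/provided.`, and if existing mapped ids were relied upon to round-trip unchanged the quoting should be limited to the name-derived case as before. `setup_username` begins outside this hunk, so the origin of `user_id` and `user` is not visible here.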