diff options
Diffstat (limited to 'keystone-moon/keystone/auth/plugins/mapped.py')
-rw-r--r-- | keystone-moon/keystone/auth/plugins/mapped.py | 62 |
1 files changed, 31 insertions, 31 deletions
diff --git a/keystone-moon/keystone/auth/plugins/mapped.py b/keystone-moon/keystone/auth/plugins/mapped.py index abf44481..220ff013 100644 --- a/keystone-moon/keystone/auth/plugins/mapped.py +++ b/keystone-moon/keystone/auth/plugins/mapped.py @@ -13,14 +13,13 @@ import functools from oslo_log import log -from oslo_serialization import jsonutils from pycadf import cadftaxonomy as taxonomy from six.moves.urllib import parse from keystone import auth from keystone.auth import plugins as auth_plugins from keystone.common import dependency -from keystone.contrib import federation +from keystone.contrib.federation import constants as federation_constants from keystone.contrib.federation import utils from keystone import exception from keystone.i18n import _ @@ -33,8 +32,8 @@ LOG = log.getLogger(__name__) METHOD_NAME = 'mapped' -@dependency.requires('assignment_api', 'federation_api', 'identity_api', - 'token_provider_api') +@dependency.requires('federation_api', 'identity_api', + 'resource_api', 'token_provider_api') class Mapped(auth.AuthMethodHandler): def _get_token_ref(self, auth_payload): @@ -44,7 +43,7 @@ class Mapped(auth.AuthMethodHandler): token_data=response) def authenticate(self, context, auth_payload, auth_context): - """Authenticate mapped user and return an authentication context. + """Authenticate mapped user and set an authentication context. :param context: keystone's request context :param auth_payload: the content of the authentication for a @@ -66,7 +65,7 @@ class Mapped(auth.AuthMethodHandler): self.token_provider_api) else: handle_unscoped_token(context, auth_payload, auth_context, - self.assignment_api, self.federation_api, + self.resource_api, self.federation_api, self.identity_api) @@ -101,12 +100,12 @@ def handle_scoped_token(context, auth_payload, auth_context, token_ref, auth_context['user_id'] = user_id auth_context['group_ids'] = group_ids - auth_context[federation.IDENTITY_PROVIDER] = identity_provider - auth_context[federation.PROTOCOL] = protocol + auth_context[federation_constants.IDENTITY_PROVIDER] = identity_provider + auth_context[federation_constants.PROTOCOL] = protocol def handle_unscoped_token(context, auth_payload, auth_context, - assignment_api, federation_api, identity_api): + resource_api, federation_api, identity_api): def is_ephemeral_user(mapped_properties): return mapped_properties['user']['type'] == utils.UserType.EPHEMERAL @@ -115,8 +114,9 @@ def handle_unscoped_token(context, auth_payload, auth_context, identity_provider, protocol): auth_context['user_id'] = user['id'] auth_context['group_ids'] = mapped_properties['group_ids'] - auth_context[federation.IDENTITY_PROVIDER] = identity_provider - auth_context[federation.PROTOCOL] = protocol + auth_context[federation_constants.IDENTITY_PROVIDER] = ( + identity_provider) + auth_context[federation_constants.PROTOCOL] = protocol def build_local_user_context(auth_context, mapped_properties): user_info = auth_plugins.UserAuthInfo.create(mapped_properties, @@ -139,17 +139,15 @@ def handle_unscoped_token(context, auth_payload, auth_context, user_id = None try: - mapped_properties = apply_mapping_filter( - identity_provider, protocol, assertion, assignment_api, + mapped_properties, mapping_id = apply_mapping_filter( + identity_provider, protocol, assertion, resource_api, federation_api, identity_api) if is_ephemeral_user(mapped_properties): user = setup_username(context, mapped_properties) user_id = user['id'] group_ids = mapped_properties['group_ids'] - mapping = federation_api.get_mapping_from_idp_and_protocol( - identity_provider, protocol) - utils.validate_groups_cardinality(group_ids, mapping['id']) + utils.validate_groups_cardinality(group_ids, mapping_id) build_ephemeral_user_context(auth_context, user, mapped_properties, identity_provider, protocol) @@ -182,32 +180,29 @@ def extract_assertion_data(context): def apply_mapping_filter(identity_provider, protocol, assertion, - assignment_api, federation_api, identity_api): + resource_api, federation_api, identity_api): idp = federation_api.get_idp(identity_provider) - utils.validate_idp(idp, assertion) - mapping = federation_api.get_mapping_from_idp_and_protocol( - identity_provider, protocol) - rules = jsonutils.loads(mapping['rules']) - LOG.debug('using the following rules: %s', rules) - rule_processor = utils.RuleProcessor(rules) - mapped_properties = rule_processor.process(assertion) + utils.validate_idp(idp, protocol, assertion) + + mapped_properties, mapping_id = federation_api.evaluate( + identity_provider, protocol, assertion) # NOTE(marek-denis): We update group_ids only here to avoid fetching # groups identified by name/domain twice. # NOTE(marek-denis): Groups are translated from name/domain to their # corresponding ids in the auth plugin, as we need information what - # ``mapping_id`` was used as well as idenity_api and assignment_api + # ``mapping_id`` was used as well as idenity_api and resource_api # objects. group_ids = mapped_properties['group_ids'] utils.validate_groups_in_backend(group_ids, - mapping['id'], + mapping_id, identity_api) group_ids.extend( utils.transform_to_group_ids( - mapped_properties['group_names'], mapping['id'], - identity_api, assignment_api)) + mapped_properties['group_names'], mapping_id, + identity_api, resource_api)) mapped_properties['group_ids'] = list(set(group_ids)) - return mapped_properties + return mapped_properties, mapping_id def setup_username(context, mapped_properties): @@ -241,12 +236,17 @@ def setup_username(context, mapped_properties): user_name = user.get('name') or context['environment'].get('REMOTE_USER') if not any([user_id, user_name]): - raise exception.Unauthorized(_("Could not map user")) + msg = _("Could not map user while setting ephemeral user identity. " + "Either mapping rules must specify user id/name or " + "REMOTE_USER environment variable must be set.") + raise exception.Unauthorized(msg) elif not user_name: user['name'] = user_id elif not user_id: - user['id'] = parse.quote(user_name) + user_id = user_name + + user['id'] = parse.quote(user_id) return user |