** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => liberty-rc1

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1487937

Title:
  IndexError if federation mapping doesn't match anything

Status in Keystone:
  Fix Released

Bug description:
  I have a mapping that looks like this:

  [
      {
          "local": [
              {
                  "user": {
                      "name": "{0}",
                      "id": "{0}",
                      "domain": {"name": "Default"}
                  }
              }
          ],
          "remote": [
              {
                  "type": "REMOTE_USER"
              }
          ]
      },
      {
          "local": [
              {
                  "groups": "{0}",
                  "domain": {
                      "name": "Default"
                  }
              }
          ],
          "remote": [
              {
                  "type": "REMOTE_USER_GROUPS",
                  "whitelist": ["ipausers"]
              }
          ]
      },
      {
          "local": [
              {
                  "groups": {
                      "name": "services",
                      "domain": {
                          "name": "Default"
                      }
                  }
              }
          ],
          "remote": [
              {
                  "type": "GSS_NAME",
                  "any_one_of": [
                      "glance/openstack.jamielennox.t...@jamielennox.test"
                  ]
              }
          ]
      }
  ]

  In the event of the service user who would match the last part of that mapping the REMOTE_USER_GROUPS value is not present in the assertion.

  Because of the way _verify_all_requirements works[1] because the type is not present in the assertion the direct map part of this rule simply falls through and returns the direct map object - the equivalent to accepting the remote rule.

  Then because nothing was added to the returned DirectMap object trying to apply the "{0}" fails because there is nothing to interpolate against and I get an error like:

  [-] tuple index out of range
  Traceback (most recent call last):
    File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 239, in __call__
      result = method(context, **params)
    File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/controllers.py", line 267, in federated_authentication
      return self.authenticate_for_token(context, auth=auth)
    File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 377, in authenticate_for_token
      self.authenticate(context, auth_info, auth_context)
    File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 502, in authenticate
      auth_context)
    File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 70, in authenticate
      self.identity_api)
    File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 144, in handle_unscoped_token
      federation_api, identity_api)
    File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 193, in apply_mapping_filter
      mapped_properties = rule_processor.process(assertion)
    File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/utils.py", line 472, in process
      new_local = self._update_local_mapping(local, direct_maps)
    File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/utils.py", line 617, in _update_local_mapping
      new_value = v.format(*direct_maps)
  IndexError: tuple index out of range

  (note this is run against stable/kilo, however the problem still exists).

  My impression here is that if the "type" specified in the remote part of the rule is not present in the assertion then that should be an immediate failure of the rule.

  [1] https://github.com/openstack/keystone/blob/40ecf5e61e2d6277d38d5b0bf04201db4f58583b/keystone/contrib/federation/utils.py#L675-L722
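
The failure described in the report, reproduced with a simplified model of rule matching. This is an added example, not keystone's code and not part of the original report; the function names, the ";" value separator and the GSS_NAME principal are constructed, and the `strict` flag models the reporter's proposal that an absent "type" fails the rule.

```python
# Added sketch of the reported behaviour; not keystone's code, all names constructed.
def verify_requirements(remote, assertion, strict):
    """Return direct-map values for a rule, or None when the rule is rejected."""
    direct_maps = []
    for req in remote:
        raw = assertion.get(req["type"])
        values = raw.split(";") if raw else []   # assumed multi-value separator
        if "any_one_of" in req:
            if set(values) & set(req["any_one_of"]):
                continue
            return None
        if not values:
            if strict:
                return None   # reporter's proposal: absent type fails the rule
            continue          # reported behaviour: falls through, nothing recorded
        if "whitelist" in req:
            values = [v for v in values if v in req["whitelist"]]
        direct_maps.append(";".join(values))
    return direct_maps

def apply_local(local, direct_maps):
    # Interpolate "{0}"-style placeholders in every string of a local block.
    if isinstance(local, dict):
        return {k: apply_local(v, direct_maps) for k, v in local.items()}
    if isinstance(local, list):
        return [apply_local(v, direct_maps) for v in local]
    return local.format(*direct_maps)   # IndexError if "{0}" has nothing to use

def process(rules, assertion, strict):
    mapped = []
    for rule in rules:
        direct_maps = verify_requirements(rule["remote"], assertion, strict)
        if direct_maps is not None:
            mapped.extend(apply_local(rule["local"], direct_maps))
    return mapped

PRINCIPAL = "svc/host.example.test@EXAMPLE.TEST"   # constructed placeholder
RULES = [   # modelled on the second and third rules of the mapping in the report
    {"local": [{"groups": "{0}", "domain": {"name": "Default"}}],
     "remote": [{"type": "REMOTE_USER_GROUPS", "whitelist": ["ipausers"]}]},
    {"local": [{"groups": {"name": "services", "domain": {"name": "Default"}}}],
     "remote": [{"type": "GSS_NAME", "any_one_of": [PRINCIPAL]}]},
]
SERVICE_ASSERTION = {"REMOTE_USER": "svc", "GSS_NAME": PRINCIPAL}   # no groups

def outcome(strict):
    try:
        return process(RULES, SERVICE_ASSERTION, strict)
    except IndexError as exc:
        return "IndexError: %s" % exc
```

`outcome(False)` returns the IndexError text from the empty direct map, while `outcome(True)` skips the group rule and maps the service user to the "services" group only.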