missing type check in SAML RuleProcessor

Bug #1291981 reported by Matthieu Huin
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Marek Denis |

Bug Description

RuleProcessor assumes every element in context['environment'] can be split as a string, as seen here: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L172

This is however not always the case:

  curl -si -d '{
      "auth": {
          "identity": {
              "methods": [
                  "saml2"
              ],
              "saml2": {
                  "identity_provider": "testshib",
                  "protocol": "admin"
              }
          }
      }
  }' -H "Content-type: application/json" http://XXX:5000/v3/auth/tokens

2014-03-10 23:21:34.869 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. from (pid=7939) process_request /opt/stack/keystone/keystone/middleware/core.py:270
2014-03-10 23:21:34.871 DEBUG keystone.common.wsgi [-] arg_dict: {} from (pid=7939) __call__ /opt/stack/keystone/keystone/common/wsgi.py:180
2014-03-10 23:21:34.877 ERROR keystone.common.wsgi [-] 'Route' object has no attribute 'split'
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 205, in __call__
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi result = method(context, **params)
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/controllers.py", line 316, in authenticate_for_token
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi self.authenticate(context, auth_info, auth_context)
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/controllers.py", line 416, in authenticate
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi auth_context)
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/plugins/saml2.py", line 54, in authenticate
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi fields = self._handle_unscoped_token(context, auth_payload)
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/auth/plugins/saml2.py", line 77, in _handle_unscoped_token
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi mapped_properties = rule_processor.process(assertion)
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/contrib/federation/utils.py", line 172, in process
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi assertion = dict((n, v.split(';')) for n, v in assertion_data.items())
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/contrib/federation/utils.py", line 172, in <genexpr>
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi assertion = dict((n, v.split(';')) for n, v in assertion_data.items())
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi AttributeError: 'Route' object has no attribute 'split'
2014-03-10 23:21:34.877 TRACE keystone.common.wsgi
2014-03-10 23:21:34.881 INFO eventlet.wsgi.server [-] 84.99.59.174 - - [10/Mar/2014 23:21:34] "POST /v3/auth/tokens HTTP/1.1" 500 331 0.012142

---------

Changed in keystone:
assignee: nobody → Marek Denis (marek-denis)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/80293

Changed in keystone:
status: New → In Progress
Changed in keystone:
assignee: Marek Denis (marek-denis) → Morgan Fainberg (mdrnstm)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Marek Denis (marek-denis)
Dolph Mathews (dolph)
Changed in keystone:
milestone: none → icehouse-rc1
importance: Undecided → Medium
Changed in keystone:
assignee: Marek Denis (marek-denis) → Morgan Fainberg (mdrnstm)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Marek Denis (marek-denis)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/80293
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5fa119168a784592f11870415ba20f9e23ebe6dd
Submitter: Jenkins
Branch: master

commit 5fa119168a784592f11870415ba20f9e23ebe6dd
Author: Marek Denis <email address hidden>
Date: Thu Mar 13 14:49:44 2014 +0100

    Filter out nonstring environment variables before rules mapping.

    Before the requests environment is passed to the RuleProcessor, all
    parameters that are not inheriting from the basestring type should
    be filtered out.

    Change-Id: I469107633abfa86232e1dc1f1bc64605cd888dc2
    Closes-bug: #1291981
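
The failure in the traceback and the filtering the commit message describes, as an added example that is not keystone's code. The function names, the Route stand-in and the sample environment are constructed for illustration, and str is used where the commit message says basestring (Python 2).

```python
# Added illustration; all names below are hypothetical, not keystone's code.

class Route(object):
    """Constructed stand-in for a non-string object placed in the environment."""


# Constructed request environment: string assertion attributes mixed with
# non-string values of the kind a WSGI stack adds.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "alice@testshib.example",
    "isMemberOf": "staff;developers",
    "routes.route": Route(),
    "wsgi.multithread": True,
    "CONTENT_LENGTH": 142,
}


def split_assertion_unfiltered(assertion_data):
    """Behaviour shown in the traceback: assumes every value has .split()."""
    return dict((n, v.split(";")) for n, v in assertion_data.items())


def filter_string_values(environ):
    """Keep only string-valued entries (str here; basestring on Python 2)."""
    return dict((n, v) for n, v in environ.items() if isinstance(v, str))


def split_assertion(environ):
    """Filter first, then split multi-valued attributes on ';'."""
    return split_assertion_unfiltered(filter_string_values(environ))


def unfiltered_error(environ):
    """Return the exception type name raised by the unfiltered path, or None."""
    try:
        split_assertion_unfiltered(environ)
    except AttributeError as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print("unfiltered:", unfiltered_error(SAMPLE_ENVIRON))
    print("filtered:  ", split_assertion(SAMPLE_ENVIRON))
```

Without the filter, a single non-string value in the environment turns an unauthenticated token request into an HTTP 500, as in the log above.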

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-rc1 → 2014.1