keystone.federation.utils module

Utilities for Federation Extension.

class keystone.federation.utils.DirectMaps[source]

Bases: object

An abstraction around the remote matches.

Each match is treated internally as a list.

add(values)[source]

Add a matched value to the list of matches.

Parameters:

value (list) – the match to save

class keystone.federation.utils.RuleProcessor(mapping_id, rules)[source]

Bases: object

A class to process assertions and mapping rules.

extract_groups(groups_by_domain)[source]
extract_projects(identity_value)[source]
normalize_user(user, default_mapping_domain)[source]

Parse and validate user mapping.

process(assertion_data)[source]

Transform assertion to a dictionary.

The dictionary contains mapping of user name and group ids based on mapping rules.

This function will iterate through the mapping rules to find assertions that are valid.

Parameters:

assertion_data (dict) – an assertion containing values from an IdP

Example assertion_data:

{
    'Email': 'testacct@example.com',
    'UserName': 'testacct',
    'FirstName': 'Test',
    'LastName': 'Account',
    'orgPersonType': 'Tester',
}
Returns:

dictionary with user and group_ids

The expected return structure is:

{
    'name': 'foobar',
    'group_ids': ['abc123', 'def456'],
    'group_names': [
        {'name': 'group_name_1', 'domain': {'name': 'domain1'}},
        {'name': 'group_name_1_1', 'domain': {'name': 'domain1'}},
        {'name': 'group_name_2', 'domain': {'id': 'xyz132'}},
    ],
}
process_group_by_name(group, groups_by_domain)[source]
class keystone.federation.utils.RuleProcessorToHonorDomainOption(mapping_id, rules)[source]

Bases: RuleProcessor

Handles the default domain configured in the attribute mapping.

This rule processor is designed to handle the domain attribute configured at the root of the attribute mapping. When this attribute is configured, we should take it as the default one for the attribute mapping, instead of the domain of the IdP. Moreover, we should respect the override to it that can take place at the groups, user, and projects attributes definition.

extract_projects(identity_value)[source]
normalize_user(user, default_mapping_domain)[source]

Parse and validate user mapping.

class keystone.federation.utils.UserType[source]

Bases: object

User mapping type.

EPHEMERAL = 'ephemeral'
LOCAL = 'local'
keystone.federation.utils.assert_enabled_identity_provider(federation_api, idp_id)[source]
keystone.federation.utils.assert_enabled_service_provider_object(service_provider)[source]
keystone.federation.utils.create_attribute_mapping_rules_processor(mapping)[source]
keystone.federation.utils.get_assertion_params_from_env()[source]
keystone.federation.utils.get_default_attribute_mapping_schema_version()[source]
keystone.federation.utils.get_remote_id_parameter(idp, protocol)[source]
keystone.federation.utils.transform_to_group_ids(group_names, mapping_id, identity_api, resource_api)[source]

Transform groups identified by name/domain to their ids.

Function accepts list of groups identified by a name and domain giving a list of group ids in return. A message is logged if the group doesn’t exist in the backend.

Example of group_names parameter:

[
    {"name": "group_name", "domain": {"id": "domain_id"}},
    {"name": "group_name_2", "domain": {"name": "domain_name"}},
]
Parameters:
  • group_names (list) – list of group identified by name and its domain.

  • mapping_id (str) – id of the mapping used for mapping assertion into local credentials

  • identity_api – identity_api object

  • resource_api – resource manager object

Returns:

generator object with group ids

keystone.federation.utils.validate_expiration(token)[source]
keystone.federation.utils.validate_idp(idp, protocol, assertion)[source]

The IdP providing the assertion should be registered for the mapping.

keystone.federation.utils.validate_mapped_group_ids(group_ids, mapping_id, identity_api)[source]

Iterate over group ids and make sure they are present in the backend.

This call is not transactional. :param group_ids: IDs of the groups to be checked :type group_ids: list of str

Parameters:
  • mapping_id (str) – id of the mapping used for this operation

  • identity_api (identity.Manager) – Identity Manager object used for communication with backend

Raises:

keystone.exception.MappedGroupNotFound – If the group returned by mapping was not found in the backend.

keystone.federation.utils.validate_mapping_structure(ref)[source]