keystone.federation.utils module

Utilities for Federation Extension.

class keystone.federation.utils.DirectMaps[source]

Bases: object

An abstraction around the remote matches.

Each match is treated internally as a list.

add(values)[source]

Add a matched value to the list of matches.

Parameters:

value (list) – the match to save

class keystone.federation.utils.RuleProcessor(mapping_id, rules)[source]

Bases: object

A class to process assertions and mapping rules.

process(assertion_data)[source]

Transform assertion to a dictionary.

The dictionary contains mapping of user name and group ids based on mapping rules.

This function will iterate through the mapping rules to find assertions that are valid.

Parameters:

assertion_data (dict) – an assertion containing values from an IdP

Example assertion_data:

{
    'Email': 'testacct@example.com',
    'UserName': 'testacct',
    'FirstName': 'Test',
    'LastName': 'Account',
    'orgPersonType': 'Tester'
}
Returns:

dictionary with user and group_ids

The expected return structure is:

{
    'name': 'foobar',
    'group_ids': ['abc123', 'def456'],
    'group_names': [
        {
            'name': 'group_name_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_1_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_2',
            'domain': {
                'id': 'xyz132'
            }
        }
    ]
}
class keystone.federation.utils.UserType[source]

Bases: object

User mapping type.

EPHEMERAL = 'ephemeral'
LOCAL = 'local'
keystone.federation.utils.assert_enabled_identity_provider(federation_api, idp_id)[source]
keystone.federation.utils.assert_enabled_service_provider_object(service_provider)[source]
keystone.federation.utils.get_assertion_params_from_env()[source]
keystone.federation.utils.get_remote_id_parameter(idp, protocol)[source]
keystone.federation.utils.transform_to_group_ids(group_names, mapping_id, identity_api, resource_api)[source]

Transform groups identified by name/domain to their ids.

Function accepts list of groups identified by a name and domain giving a list of group ids in return. A message is logged if the group doesn’t exist in the backend.

Example of group_names parameter:

[
    {
        "name": "group_name",
        "domain": {
            "id": "domain_id"
        },
    },
    {
        "name": "group_name_2",
        "domain": {
            "name": "domain_name"
        }
    }
]
Parameters:
  • group_names (list) – list of group identified by name and its domain.

  • mapping_id (str) – id of the mapping used for mapping assertion into local credentials

  • identity_api – identity_api object

  • resource_api – resource manager object

Returns:

generator object with group ids

keystone.federation.utils.validate_expiration(token)[source]
keystone.federation.utils.validate_idp(idp, protocol, assertion)[source]

The IdP providing the assertion should be registered for the mapping.

keystone.federation.utils.validate_mapped_group_ids(group_ids, mapping_id, identity_api)[source]

Iterate over group ids and make sure they are present in the backend.

This call is not transactional. :param group_ids: IDs of the groups to be checked :type group_ids: list of str

Parameters:
  • mapping_id (str) – id of the mapping used for this operation

  • identity_api (identity.Manager) – Identity Manager object used for communication with backend

Raises:

keystone.exception.MappedGroupNotFound – If the group returned by mapping was not found in the backend.

keystone.federation.utils.validate_mapping_structure(ref)[source]