keystone.federation.utils module¶

Utilities for Federation Extension.

class keystone.federation.utils.DirectMaps[source]¶

Bases: object

An abstraction around the remote matches.

Each match is treated internally as a list.

add(values)[source]¶

Add a matched value to the list of matches.

Parameters:	value (list) – the match to save

class keystone.federation.utils.RuleProcessor(mapping_id, rules)[source]¶

Bases: object

A class to process assertions and mapping rules.

process(assertion_data)[source]¶

Transform assertion to a dictionary.

The dictionary contains mapping of user name and group ids based on mapping rules.

This function will iterate through the mapping rules to find assertions that are valid.

Parameters:	assertion_data (dict) – an assertion containing values from an IdP

Example assertion_data:

{
    'Email': 'testacct@example.com',
    'UserName': 'testacct',
    'FirstName': 'Test',
    'LastName': 'Account',
    'orgPersonType': 'Tester'
}

Returns:	dictionary with user and group_ids

The expected return structure is:

{
    'name': 'foobar',
    'group_ids': ['abc123', 'def456'],
    'group_names': [
        {
            'name': 'group_name_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_1_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_2',
            'domain': {
                'id': 'xyz132'
            }
        }
    ]
}

class keystone.federation.utils.UserType[source]¶

Bases: object

User mapping type.

EPHEMERAL = 'ephemeral'¶

LOCAL = 'local'¶

keystone.federation.utils.assert_enabled_identity_provider(federation_api, idp_id)[source]¶

keystone.federation.utils.assert_enabled_service_provider_object(service_provider)[source]¶

keystone.federation.utils.get_assertion_params_from_env()[source]¶

keystone.federation.utils.get_remote_id_parameter(protocol)[source]¶

keystone.federation.utils.transform_to_group_ids(group_names, mapping_id, identity_api, resource_api)[source]¶

Transform groups identified by name/domain to their ids.

Function accepts list of groups identified by a name and domain giving a list of group ids in return. A message is logged if the group doesn’t exist in the backend.

Example of group_names parameter:

[
    {
        "name": "group_name",
        "domain": {
            "id": "domain_id"
        },
    },
    {
        "name": "group_name_2",
        "domain": {
            "name": "domain_name"
        }
    }
]

Parameters:	group_names (list) – list of group identified by name and its domain. mapping_id (str) – id of the mapping used for mapping assertion into local credentials identity_api – identity_api object resource_api – resource manager object
Returns:	generator object with group ids

keystone.federation.utils.validate_expiration(token)[source]¶

keystone.federation.utils.validate_idp(idp, protocol, assertion)[source]¶

The IdP providing the assertion should be registered for the mapping.

keystone.federation.utils.validate_mapped_group_ids(group_ids, mapping_id, identity_api)[source]¶

Iterate over group ids and make sure they are present in the backend.

This call is not transactional. :param group_ids: IDs of the groups to be checked :type group_ids: list of str

Parameters:	mapping_id (str) – id of the mapping used for this operation identity_api (identity.Manager) – Identity Manager object used for communication with backend
Raises:	keystone.exception.MappedGroupNotFound – If the group returned by mapping was not found in the backend.

keystone.federation.utils.validate_mapping_structure(ref)[source]¶