Added Email of Keystone to Identity (#1681)

* Added Email of Keystone to Identity

After the successful login to keystone, the Email of the logged in user
is fetch from keystone and provided to `identity.Email`.

This is useful for upstream software that uses the Email as the primary
identification.

* Removed unnecessary code from getUsers

* Changed creation of userResponse in keystone

* Fixing linter error

Co-authored-by: Christoph Glaubitz <christoph.glaubitz@innovo-cloud.de>
This commit is contained in:
Ken Perkins 2020-04-06 06:40:17 -07:00 committed by GitHub
parent ebef257dcd
commit f6476b62f2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 125 additions and 33 deletions

View file

@ -95,6 +95,14 @@ type groupsResponse struct {
Groups []group `json:"groups"` Groups []group `json:"groups"`
} }
type userResponse struct {
User struct {
Name string `json:"name"`
Email string `json:"email"`
ID string `json:"id"`
} `json:"user"`
}
var ( var (
_ connector.PasswordConnector = &conn{} _ connector.PasswordConnector = &conn{}
_ connector.RefreshConnector = &conn{} _ connector.RefreshConnector = &conn{}
@ -143,6 +151,16 @@ func (p *conn) Login(ctx context.Context, scopes connector.Scopes, username, pas
} }
identity.Username = username identity.Username = username
identity.UserID = tokenResp.Token.User.ID identity.UserID = tokenResp.Token.User.ID
user, err := p.getUser(ctx, tokenResp.Token.User.ID, token)
if err != nil {
return identity, false, err
}
if user.User.Email != "" {
identity.Email = user.User.Email
identity.EmailVerified = true
}
return identity, true, nil return identity, true, nil
} }
@ -216,26 +234,43 @@ func (p *conn) getAdminToken(ctx context.Context) (string, error) {
} }
func (p *conn) checkIfUserExists(ctx context.Context, userID string, token string) (bool, error) { func (p *conn) checkIfUserExists(ctx context.Context, userID string, token string) (bool, error) {
user, err := p.getUser(ctx, userID, token)
return user != nil, err
}
func (p *conn) getUser(ctx context.Context, userID string, token string) (*userResponse, error) {
// https://developer.openstack.org/api-ref/identity/v3/#show-user-details // https://developer.openstack.org/api-ref/identity/v3/#show-user-details
userURL := p.Host + "/v3/users/" + userID userURL := p.Host + "/v3/users/" + userID
client := &http.Client{} client := &http.Client{}
req, err := http.NewRequest("GET", userURL, nil) req, err := http.NewRequest("GET", userURL, nil)
if err != nil { if err != nil {
return false, err return nil, err
} }
req.Header.Set("X-Auth-Token", token) req.Header.Set("X-Auth-Token", token)
req = req.WithContext(ctx) req = req.WithContext(ctx)
resp, err := client.Do(req) resp, err := client.Do(req)
if err != nil { if err != nil {
return false, err return nil, err
} }
defer resp.Body.Close() defer resp.Body.Close()
if resp.StatusCode == 200 { if resp.StatusCode != 200 {
return true, nil return nil, err
} }
return false, err
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
return nil, err
}
user := userResponse{}
err = json.Unmarshal(data, &user)
if err != nil {
return nil, err
}
return &user, nil
} }
func (p *conn) getUserGroups(ctx context.Context, userID string, token string) ([]string, error) { func (p *conn) getUserGroups(ctx context.Context, userID string, token string) ([]string, error) {

View file

@ -35,12 +35,6 @@ var (
groupsURL = "" groupsURL = ""
) )
type userResponse struct {
User struct {
ID string `json:"id"`
} `json:"user"`
}
type groupResponse struct { type groupResponse struct {
Group struct { Group struct {
ID string `json:"id"` ID string `json:"id"`
@ -144,7 +138,7 @@ func createUser(t *testing.T, token, userName, userEmail, userPass string) strin
} }
// delete group or user // delete group or user
func delete(t *testing.T, token, id, uri string) { func deleteResource(t *testing.T, token, id, uri string) {
t.Helper() t.Helper()
client := &http.Client{} client := &http.Client{}
@ -246,20 +240,86 @@ func TestIncorrectCredentialsLogin(t *testing.T) {
func TestValidUserLogin(t *testing.T) { func TestValidUserLogin(t *testing.T) {
setupVariables(t) setupVariables(t)
token, _ := getAdminToken(t, adminUser, adminPass) token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(t, token, testUser, testEmail, testPass)
c := conn{Host: keystoneURL, Domain: testDomain,
AdminUsername: adminUser, AdminPassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true}
identity, validPW, err := c.Login(context.Background(), s, testUser, testPass)
if err != nil {
t.Fatal(err.Error())
}
t.Log(identity)
if !validPW { type tUser struct {
t.Fatal("Valid password was not accepted") username string
domain string
email string
password string
}
type expect struct {
username string
email string
verifiedEmail bool
}
var tests = []struct {
name string
input tUser
expected expect
}{
{
name: "test with email address",
input: tUser{
username: testUser,
domain: testDomain,
email: testEmail,
password: testPass,
},
expected: expect{
username: testUser,
email: testEmail,
verifiedEmail: true,
},
},
{
name: "test without email address",
input: tUser{
username: testUser,
domain: testDomain,
email: "",
password: testPass,
},
expected: expect{
username: testUser,
email: "",
verifiedEmail: false,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
userID := createUser(t, token, tt.input.username, tt.input.email, tt.input.password)
defer deleteResource(t, token, userID, usersURL)
c := conn{Host: keystoneURL, Domain: tt.input.domain,
AdminUsername: adminUser, AdminPassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true}
identity, validPW, err := c.Login(context.Background(), s, tt.input.username, tt.input.password)
if err != nil {
t.Fatal(err.Error())
}
t.Log(identity)
if identity.Username != tt.expected.username {
t.Fatalf("Invalid user. Got: %v. Wanted: %v", identity.Username, tt.expected.username)
}
if identity.UserID == "" {
t.Fatalf("Didn't get any UserID back")
}
if identity.Email != tt.expected.email {
t.Fatalf("Invalid email. Got: %v. Wanted: %v", identity.Email, tt.expected.email)
}
if identity.EmailVerified != tt.expected.verifiedEmail {
t.Fatalf("Invalid verifiedEmail. Got: %v. Wanted: %v", identity.EmailVerified, tt.expected.verifiedEmail)
}
if !validPW {
t.Fatal("Valid password was not accepted")
}
})
} }
delete(t, token, userID, usersURL)
} }
func TestUseRefreshToken(t *testing.T) { func TestUseRefreshToken(t *testing.T) {
@ -267,6 +327,7 @@ func TestUseRefreshToken(t *testing.T) {
token, adminID := getAdminToken(t, adminUser, adminPass) token, adminID := getAdminToken(t, adminUser, adminPass)
groupID := createGroup(t, token, "Test group description", testGroup) groupID := createGroup(t, token, "Test group description", testGroup)
addUserToGroup(t, token, groupID, adminID) addUserToGroup(t, token, groupID, adminID)
defer deleteResource(t, token, groupID, groupsURL)
c := conn{Host: keystoneURL, Domain: testDomain, c := conn{Host: keystoneURL, Domain: testDomain,
AdminUsername: adminUser, AdminPassword: adminPass} AdminUsername: adminUser, AdminPassword: adminPass}
@ -282,8 +343,6 @@ func TestUseRefreshToken(t *testing.T) {
t.Fatal(err.Error()) t.Fatal(err.Error())
} }
delete(t, token, groupID, groupsURL)
expectEquals(t, 1, len(identityRefresh.Groups)) expectEquals(t, 1, len(identityRefresh.Groups))
expectEquals(t, testGroup, identityRefresh.Groups[0]) expectEquals(t, testGroup, identityRefresh.Groups[0])
} }
@ -307,7 +366,7 @@ func TestUseRefreshTokenUserDeleted(t *testing.T) {
t.Fatal(err.Error()) t.Fatal(err.Error())
} }
delete(t, token, userID, usersURL) deleteResource(t, token, userID, usersURL)
_, err = c.Refresh(context.Background(), s, identityLogin) _, err = c.Refresh(context.Background(), s, identityLogin)
if !strings.Contains(err.Error(), "does not exist") { if !strings.Contains(err.Error(), "does not exist") {
@ -319,6 +378,7 @@ func TestUseRefreshTokenGroupsChanged(t *testing.T) {
setupVariables(t) setupVariables(t)
token, _ := getAdminToken(t, adminUser, adminPass) token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(t, token, testUser, testEmail, testPass) userID := createUser(t, token, testUser, testEmail, testPass)
defer deleteResource(t, token, userID, usersURL)
c := conn{Host: keystoneURL, Domain: testDomain, c := conn{Host: keystoneURL, Domain: testDomain,
AdminUsername: adminUser, AdminPassword: adminPass} AdminUsername: adminUser, AdminPassword: adminPass}
@ -338,15 +398,13 @@ func TestUseRefreshTokenGroupsChanged(t *testing.T) {
groupID := createGroup(t, token, "Test group", testGroup) groupID := createGroup(t, token, "Test group", testGroup)
addUserToGroup(t, token, groupID, userID) addUserToGroup(t, token, groupID, userID)
defer deleteResource(t, token, groupID, groupsURL)
identityRefresh, err = c.Refresh(context.Background(), s, identityLogin) identityRefresh, err = c.Refresh(context.Background(), s, identityLogin)
if err != nil { if err != nil {
t.Fatal(err.Error()) t.Fatal(err.Error())
} }
delete(t, token, groupID, groupsURL)
delete(t, token, userID, usersURL)
expectEquals(t, 1, len(identityRefresh.Groups)) expectEquals(t, 1, len(identityRefresh.Groups))
} }
@ -354,6 +412,7 @@ func TestNoGroupsInScope(t *testing.T) {
setupVariables(t) setupVariables(t)
token, _ := getAdminToken(t, adminUser, adminPass) token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(t, token, testUser, testEmail, testPass) userID := createUser(t, token, testUser, testEmail, testPass)
defer deleteResource(t, token, userID, usersURL)
c := conn{Host: keystoneURL, Domain: testDomain, c := conn{Host: keystoneURL, Domain: testDomain,
AdminUsername: adminUser, AdminPassword: adminPass} AdminUsername: adminUser, AdminPassword: adminPass}
@ -361,6 +420,7 @@ func TestNoGroupsInScope(t *testing.T) {
groupID := createGroup(t, token, "Test group", testGroup) groupID := createGroup(t, token, "Test group", testGroup)
addUserToGroup(t, token, groupID, userID) addUserToGroup(t, token, groupID, userID)
defer deleteResource(t, token, groupID, groupsURL)
identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass) identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass)
if err != nil { if err != nil {
@ -373,9 +433,6 @@ func TestNoGroupsInScope(t *testing.T) {
t.Fatal(err.Error()) t.Fatal(err.Error())
} }
expectEquals(t, 0, len(identityRefresh.Groups)) expectEquals(t, 0, len(identityRefresh.Groups))
delete(t, token, groupID, groupsURL)
delete(t, token, userID, usersURL)
} }
func setupVariables(t *testing.T) { func setupVariables(t *testing.T) {