Ensure username passed by REMOTE_USER can contain '@'

The external authentication support allows the domain to be passed as part of the REMOTE_USER name, by using the '@' as a delineator, but did not handle the case when the actual username itself also contained the '@' character. Fixes bug 1213842 Change-Id: Idffa42fe9c70818c71379669dfcd17d3113738a3
openstack · Aug 20, 2013 · c70a784 · c70a784
1 parent 0b2a160
commit c70a784
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/keystone/auth/plugins/external.py b/keystone/auth/plugins/external.py
@@ -57,16 +57,17 @@ def authenticate(self, context, auth_info, auth_context):
         auth_context is an in-out variable that will be updated with the
         username from the REMOTE_USER environment variable.
 
-        If REMOTE_USER contains an `@` assume that the substring before the @
-        is the username, and the substring after the @ is the domain name.
+        If REMOTE_USER contains an `@` assume that the substring before the
+        rightmost `@` is the username, and the substring after the @ is the
+        domain name.
         """
         try:
             REMOTE_USER = context['REMOTE_USER']
         except KeyError:
             msg = _('No authenticated user')
             raise exception.Unauthorized(msg)
         try:
-            names = REMOTE_USER.split('@')
+            names = REMOTE_USER.rsplit('@', 1)
             username = names.pop(0)
             if names:
                 domain_name = names[0]

diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
@@ -856,7 +856,18 @@ def test_remote_user_with_realm(self):
         api = auth.controllers.Auth()
         context = {'REMOTE_USER': '%s@%s' %
                    (self.user['name'], self.domain['name'])}
-        auth_info = auth.controllers.AuthInfo(None, auth_data)
+        auth_info = auth.controllers.AuthInfo(context, auth_data)
+        auth_context = {'extras': {}, 'method_names': []}
+        api.authenticate(context, auth_info, auth_context)
+        self.assertEqual(auth_context['user_id'], self.user['id'])
+
+        # Now test to make sure the user name can, itself, contain the
+        # '@' character.
+        user = {'name': 'myname@mydivision'}
+        self.identity_api.update_user(self.user['id'], user)
+        context = {'REMOTE_USER': '%s@%s' %
+                   (user['name'], self.domain['name'])}
+        auth_info = auth.controllers.AuthInfo(context, auth_data)
         auth_context = {'extras': {}, 'method_names': []}
         api.authenticate(context, auth_info, auth_context)
         self.assertEqual(auth_context['user_id'], self.user['id'])