Issue #9421: ipa idp-add --provider silently ignores options like --scope - freeipa

freeipa

#9421 ipa idp-add --provider silently ignores options like --scope

Closed: fixed 9 months ago by frenaud. Opened 10 months ago by cheimes.

Issue

When a provider is passed to ipa idp-add, the command silently ignores several parameters like --scope and --idp-user-id.

Steps to Reproduce

ipa idp-add example --provider=keycloak --base-url=https://idp.test --organization=org --scope=customscope --idp-user-id=customid --client-id=clientid

Actual behavior

----------------------------------------
Added Identity Provider server "example"
----------------------------------------
  Identity Provider server name: example
  Authorization URI: https://idp.test/realms/org/protocol/openid-connect/auth
  Device authorization URI: https://idp.test/realms/org/protocol/openid-connect/auth/device
  Token URI: https://idp.test/realms/org/protocol/openid-connect/token
  User info URI: https://idp.test/realms/org/protocol/openid-connect/userinfo
  Client identifier: clientid
  Scope: openid email
  External IdP user identifier attribute: email

Expected behavior

The command should either fail or (preferable) use the options for scope and external id.

  Scope: customscope
  External IdP user identifier attribute: customid

Version/Release/Distribution

ipa-server-4.10.1-8.el9_2.x86_64

abbra commented 10 months ago

A possible solution is to go over individual options after self._convert_provider_to_endpoints() and override in attrs_list both ipaidpscope and ipaidpsub if they present in the options.

cheimes commented 10 months ago

Does entry attrs implement the full dict interface? If yes, then you could use setdefault(key, value) method. The method only adds new keys, never overrides existing keys.

abbra commented 10 months ago

It does but we don't want to have everything from options and we exactly want to override existing keys which were set by the self._convert_provider_to_endpoints().

abbra commented 10 months ago

The following worked for me:

$ git diff
diff --git a/ipaserver/plugins/idp.py b/ipaserver/plugins/idp.py
index 59d942de9..697eb46ca 100644
--- a/ipaserver/plugins/idp.py
+++ b/ipaserver/plugins/idp.py
@@ -350,6 +350,9 @@ class idp_add(LDAPCreate):
                                 name=self.options[s].cli_name,
                                 error=_('value is missing'))
                     points[k] = template_str(v, elements)
+                elif k in elements:
+                    points[k] = elements[k]
+
             entry_attrs.update(points)

     def get_options(self):

frenaud commented 9 months ago

master:

69e4397 idp: when adding an IdP allow to override IdP options

rcritten commented 9 months ago

ipa-4-10:

1ac3784 idp: when adding an IdP allow to override IdP options

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

9 months ago

Metadata

Assignee

None

Tags

Blocking

None

Depending on

None

Priority

None

Milestone

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

None

tester

None

changelog

None

design

None

freeipa

Source Code

#9421 ipa idp-add --provider silently ignores options like --scope Closed: fixed 9 months ago by frenaud. Opened 10 months ago by cheimes.

Issue

Steps to Reproduce

Actual behavior

Expected behavior

Version/Release/Distribution

Metadata

bug

#9421 ipa idp-add --provider silently ignores options like --scope

Closed: fixed 9 months ago by frenaud. Opened 10 months ago by cheimes.