openstack
/
keystone
Code Issues Proposed changes

Fix up _ldap_res_to_model for ldap identity backend 

If a user specifies a user enabled attribute, then conditional
for checking if it's a string is insufficient, and will always
come back as False, since it's referencing the method, and not
actually calling it.

Closes-Bug: #1415271
  (cherry picked from commit ad9ecdbab9)

Change-Id: I4ea48929bc175b40ddb706e7750661a57882ed6b
This commit is contained in:
Steve Martinelli 2015-01-27 19:06:37 -05:00
parent 410ade1e2c
commit 0c7535b233
2 changed files with 64 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
keystone/identity/backends/ldap.py
View File

@ -16,6 +16,7 @@ import uuid
import ldap
import ldap.filter
import six
from keystone import clean
from keystone.common import driver_hints
@ -220,8 +221,8 @@ class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
# This could be a bool or a string. If it's a string,
# we need to convert it so we can invert it properly.
enabled = obj.get('enabled', self.enabled_default)
if type(enabled) is str:
if enabled.lower == 'true':
if isinstance(enabled, six.string_types):
if enabled.lower() == 'true':
enabled = True
else:
enabled = False

61
keystone/tests/test_backend_ldap.py
View File

@ -1294,6 +1294,47 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
# from the resource default.
self.assertIs(True, user_ref['enabled'])
@mock.patch.object(common_ldap_core.BaseLdap, '_ldap_get')
def test_user_enabled_attribute_handles_expired(self, mock_ldap_get):
# If using 'passwordisexpired' as enabled attribute, and inverting it,
# Then an unauthorized user (expired password) should not be enabled.
self.config_fixture.config(group='ldap', user_enabled_invert=True,
user_enabled_attribute='passwordisexpired')
mock_ldap_get.return_value = (
u'uid=123456789,c=us,ou=our_ldap,o=acme.com',
{
'uid': [123456789],
'mail': ['shaun@acme.com'],
'passwordisexpired': ['TRUE'],
'cn': ['uid=123456789,c=us,ou=our_ldap,o=acme.com']
}
)
user_api = identity.backends.ldap.UserApi(CONF)
user_ref = user_api.get('123456789')
self.assertIs(False, user_ref['enabled'])
@mock.patch.object(common_ldap_core.BaseLdap, '_ldap_get')
def test_user_enabled_attribute_handles_utf8(self, mock_ldap_get):
# If using 'passwordisexpired' as enabled attribute, and inverting it,
# and the result is utf8 encoded, then the an authorized user should
# be enabled.
self.config_fixture.config(group='ldap', user_enabled_invert=True,
user_enabled_attribute='passwordisexpired')
mock_ldap_get.return_value = (
u'uid=123456789,c=us,ou=our_ldap,o=acme.com',
{
'uid': [123456789],
'mail': [u'shaun@acme.com'],
'passwordisexpired': [u'false'],
'cn': [u'uid=123456789,c=us,ou=our_ldap,o=acme.com']
}
)
user_api = identity.backends.ldap.UserApi(CONF)
user_ref = user_api.get('123456789')
self.assertIs(True, user_ref['enabled'])
@mock.patch.object(common_ldap_core.KeystoneLDAPHandler, 'simple_bind_s')
def test_user_api_get_connection_no_user_password(self, mocked_method):
"""Don't bind in case the user and password are blank."""
@ -1988,6 +2029,26 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
self.skipTest(
"N/A: Covered by test_user_enabled_invert")
@mock.patch.object(common_ldap_core.BaseLdap, '_ldap_get')
def test_user_enabled_attribute_handles_utf8(self, mock_ldap_get):
# Since user_enabled_emulation is enabled in this test, this test will
# fail since it's using user_enabled_invert.
self.config_fixture.config(group='ldap', user_enabled_invert=True,
user_enabled_attribute='passwordisexpired')
mock_ldap_get.return_value = (
u'uid=123456789,c=us,ou=our_ldap,o=acme.com',
{
'uid': [123456789],
'mail': [u'shaun@acme.com'],
'passwordisexpired': [u'false'],
'cn': [u'uid=123456789,c=us,ou=our_ldap,o=acme.com']
}
)
user_api = identity.backends.ldap.UserApi(CONF)
user_ref = user_api.get('123456789')
self.assertIs(False, user_ref['enabled'])
class LdapIdentitySqlAssignment(BaseLDAPIdentity, tests.SQLDriverOverrides,
tests.TestCase):