From 628f383fbb14ae99679957ab05a02562a4d43d91 Mon Sep 17 00:00:00 2001
From: wanghong
Date: Mon, 17 Mar 2014 17:22:08 +0800
Subject: [PATCH] For ldap, API wrongly reports user is in group
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the ldap identity backend is configured, HEAD v3/groups/​{group_id}​/users/​{user_id} always returns 200, even if the user is not actually in the group. This is because the sql and kvs backend will raise NotFound exception if the user is not in the group, but the ldap backend just return result.

Change-Id: Ie1585c8aebe054091bd76fded666bf41125ff9ca
Closes-Bug: 1245247
---
 keystone/identity/backends/ldap.py | 3 ++-
 keystone/identity/controllers.py | 2 +-
 keystone/identity/core.py | 2 +-
 keystone/tests/test_backend.py | 10 ++++++++++
 4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/keystone/identity/backends/ldap.py b/keystone/identity/backends/ldap.py
index be59e57157..7dcbf60019 100644
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@@ -179,7 +179,8 @@ class Identity(identity.Driver):
 if x['id'] == user_id:
 found = True
 break
- return found
+ if not found:
+ raise exception.NotFound(_('User not found in group'))
 # TODO(termie): turn this into a data object and move logic to driver
diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
index fe1b391768..48e32e30f1 100644
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
@@ -323,7 +323,7 @@ class UserV3(controller.V3Controller):
 @controller.protected(callback=_check_user_and_group_protection)
 def check_user_in_group(self, context, user_id, group_id):
- return self.identity_api.check_user_in_group(
+ self.identity_api.check_user_in_group(
 user_id, group_id,
 domain_scope=self._get_domain_id_for_request(context))
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index a8ef7d5f7a..513d2010ec 100644
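Review bot: The contract this raise introduces — return nothing, raise `exception.NotFound` when `user_id` is not a member — now exists only implicitly across the three backends and the Manager/controller that stopped returning the result (the controllers.py and core.py hunks below), so a future or out-of-tree driver that returns `False` would reproduce the original fail-open HEAD 200, because the controller treats any non-raising call as membership. Document it on the abstract `identity.Driver.check_user_in_group` (outside this hunk) with `:raises: keystone.exception.NotFound if user_id is not a member of group_id`, and on the Manager method with a short `# Membership is signalled by NotFound propagating; there is no return value.` The enclosing method starts before the hunk, so whether `exception` and `_` are already imported in ldap.py is not visible here; confirm before merging.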
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -480,7 +480,7 @@ class Manager(manager.Manager):
 @domains_configured
 def check_user_in_group(self, user_id, group_id, domain_scope=None):
 domain_id, driver = self._get_domain_id_and_driver(domain_scope)
- return driver.check_user_in_group(user_id, group_id)
+ driver.check_user_in_group(user_id, group_id)
 @domains_configured
 def change_password(self, context, user_id, original_password,
diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py
index 3bb1217c57..c8d73411dd 100644
--- a/keystone/tests/test_backend.py
+++ b/keystone/tests/test_backend.py
@@ -2249,6 +2249,16 @@ class IdentityTests(object):
 uuid.uuid4().hex,
 new_group['id'])
+ new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
+ 'password': uuid.uuid4().hex, 'enabled': True,
+ 'domain_id': DEFAULT_DOMAIN_ID}
+ self.identity_api.create_user(new_user['id'], new_user)
+
+ self.assertRaises(exception.NotFound,
+ self.identity_api.check_user_in_group,
+ new_user['id'],
+ new_group['id'])
+
 def test_list_users_in_group(self):
 domain = self._get_domain_fixture()
 new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
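Review bot: The added assertion pins only the negative path, but the ldap change in this series replaced `return found` outright, so a regression where the driver raises `NotFound` for members as well would still pass here; the same test should also cover membership with `self.identity_api.add_user_to_group(new_user['id'], new_group['id'])` followed by `self.identity_api.check_user_in_group(new_user['id'], new_group['id'])`, which must return without raising. A positive-path check may exist elsewhere in IdentityTests, but keeping both halves together documents the raise-or-return contract that the API's fail-open bug depended on. `new_user` is created in `DEFAULT_DOMAIN_ID` while `new_group`'s domain is set before the hunk; if they differ, `NotFound` could come from a domain mismatch rather than non-membership and the assertion would pass for the wrong reason — worth confirming. The enclosing test method starts before the hunk.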