From 70e6d58f461bd066a9f149be8ef096884b3ce6b0 Mon Sep 17 00:00:00 2001
From: Ronald De Rose <ronald.de.rose@intel.com>
Date: Fri, 19 Aug 2016 15:40:21 +0000
Subject: [PATCH] Shadowing a nonlocal_user incorrectly creates a local_user

This patch fixes a bug where when shadowing a nonlocal_user (LDAP,
custom driver) it also incorrectly creates a local_user. The error is
related to hybrid properties and calling the class from_dict method,
which set the local_user attributes.

Change-Id: I6e69cce5f337a330f2531ff71db3e931b785271c
Closes-Bug: #1615000
---
 keystone/identity/shadow_backends/sql.py      | 6 ++++++
 keystone/tests/unit/identity/test_backends.py | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/keystone/identity/shadow_backends/sql.py b/keystone/identity/shadow_backends/sql.py
index 2a2fa3ff52..23b6bc5ec1 100644
--- a/keystone/identity/shadow_backends/sql.py
+++ b/keystone/identity/shadow_backends/sql.py
@@ -90,6 +90,12 @@ class ShadowUsers(base.ShadowUsersDriverV10):
     @sql.handle_conflicts(conflict_type='nonlocal_user')
     def create_nonlocal_user(self, user_dict):
         new_user_dict = copy.deepcopy(user_dict)
+        # remove local_user attributes from new_user_dict
+        keys_to_delete = ['domain_id', 'name', 'password']
+        for key in keys_to_delete:
+            if key in new_user_dict:
+                del new_user_dict[key]
+        # create nonlocal_user dict
         new_nonlocal_user_dict = {
             'domain_id': user_dict['domain_id'],
             'name': user_dict['name']
diff --git a/keystone/tests/unit/identity/test_backends.py b/keystone/tests/unit/identity/test_backends.py
index 30b06ee54e..ccb9e1e549 100644
--- a/keystone/tests/unit/identity/test_backends.py
+++ b/keystone/tests/unit/identity/test_backends.py
@@ -1345,6 +1345,12 @@ class ShadowUsersTests(object):
                           self.shadow_users_api.create_nonlocal_user,
                           new_user)
 
+    def test_create_nonlocal_user_does_not_create_local_user(self):
+        user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
+        new_nonlocal_user = self.shadow_users_api.create_nonlocal_user(user)
+        user_ref = self._get_user_ref(new_nonlocal_user['id'])
+        self.assertIsNone(user_ref.local_user)
+
     def test_get_user(self):
         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
         user.pop('email')