diff --git a/keystone/identity/id_generators/sha256.py b/keystone/identity/id_generators/sha256.py
index d0f4a57ad3..dde9c2dd06 100644
--- a/keystone/identity/id_generators/sha256.py
+++ b/keystone/identity/id_generators/sha256.py
@@ -13,7 +13,6 @@
 # under the License.
 import hashlib
-
 from keystone.identity import generator
@@ -22,5 +21,12 @@ class Generator(generator.IDGenerator):
 def generate_public_ID(self, mapping):
 m = hashlib.sha256()
 for key in sorted(mapping.keys()):
- m.update(mapping[key].encode('utf-8'))
+ # python-ldap >3.0 returns bytes data type for attribute values
+ # except distinguished names, relative distinguished names,
+ # attribute names, queries on python3.
+ # Please see Bytes/text management in python-ldap module.
+ if isinstance(mapping[key], bytes):
+ m.update(mapping[key])
+ else:
+ m.update(mapping[key].encode('utf-8'))
 return m.hexdigest()
diff --git a/keystone/tests/unit/test_backend_id_mapping_sql.py b/keystone/tests/unit/test_backend_id_mapping_sql.py
index e5aa878cd2..baee34e99f 100644
--- a/keystone/tests/unit/test_backend_id_mapping_sql.py
+++ b/keystone/tests/unit/test_backend_id_mapping_sql.py
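Review bot: The comment added in generate_public_ID (second hunk of sha256.py) explains why bytes arrive but not what the new branch guarantees: a bytes value is hashed unchanged, so it yields the same public ID as the str path only when those bytes are the UTF-8 encoding of the same text. The public ID presumably has to stay stable for a mapped LDAP identity, so I would say so in the comment, e.g. `# bytes are hashed unchanged; same digest as the str path when the value is UTF-8 text`. `mapping[key]` is also looked up three times per iteration; `value = mapping[key]` followed by `m.update(value if isinstance(value, bytes) else value.encode('utf-8'))` reads more directly. The comment says "python-ldap >3.0" while the release note in this commit says "3.0 or later"; one of the two should be corrected.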
@@ -152,6 +152,23 @@ class SqlIDMapping(test_backend_sql.SqlTests):
 self.assertEqual(
 public_id, PROVIDERS.id_mapping_api.get_public_id(local_entity))
+ def test_id_mapping_handles_bytes(self):
+ initial_mappings = len(mapping_sql.list_id_mappings())
+ local_id = b'FaKeID'
+ local_entity = {'domain_id': self.domainA['id'],
+ 'local_id': local_id,
+ 'entity_type': mapping.EntityType.USER}
+
+ # Check no mappings for the new local entity
+ self.assertIsNone(PROVIDERS.id_mapping_api.get_public_id(local_entity))
+
+ # Create the new mapping and then read it back
+ public_id = PROVIDERS.id_mapping_api.create_id_mapping(local_entity)
+ self.assertThat(mapping_sql.list_id_mappings(),
+ matchers.HasLength(initial_mappings + 1))
+ self.assertEqual(
+ public_id, PROVIDERS.id_mapping_api.get_public_id(local_entity))
+
 def test_delete_public_id_is_silent(self):
 # Test that deleting an invalid public key is silent
 PROVIDERS.id_mapping_api.delete_id_mapping(uuid.uuid4().hex)
diff --git a/releasenotes/notes/bug-1901654-69b9f35d11cd0c75.yaml b/releasenotes/notes/bug-1901654-69b9f35d11cd0c75.yaml
new file mode 100644
index 0000000000..0537bb837b
--- /dev/null
+++ b/releasenotes/notes/bug-1901654-69b9f35d11cd0c75.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+ - |
+ [`bug 1901654 `_]
+ Previously, generate_public_ID() in sha256.py assumed the passed arguments is str data type.
+ However, python-ldap 3.0 or later returns bytes data type for attribute values except fields
+ of distinguished names, relative distinguished names, attribute names, queries.
+ If keystone running on Python3 is integrated with LDAP and the LDAP server has local_id variable
+ in its attribute, user login operations will fail due to the assumption and modifiation of python-ldap.
+ By this fix, generate_public_ID() properly handles bytes data type in the parameter.
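Review bot: test_id_mapping_handles_bytes only shows that a bytes local_id round-trips through create_id_mapping and get_public_id; it never checks that `b'FaKeID'` and `'FaKeID'` produce the same public ID, which is what would keep a user whose local_id arrives as str on one code path and bytes on another from ending up with two mapped identities. An assertion at the generator level would pin that, for example `self.assertEqual(gen.generate_public_ID(dict(local_entity, local_id='FaKeID')), gen.generate_public_ID(local_entity))` with `gen = sha256.Generator()` (import path inferred from the first file in this commit). The test also leaves open what type the SQL backend returns for a local_id stored as bytes; asserting on the stored row would document it. The enclosing class SqlIDMapping starts outside the hunk.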