Made group membership check only search group instead of subtree. Roles in a group are removed when a user is removed from that group. Added test

2010-08-05 16:56:23 -07:00
parent 181b1a719f
commit 02728ec84d
3 changed files with 34 additions and 12 deletions
--- a/nova/auth/ldapdriver.py
+++ b/nova/auth/ldapdriver.py
@@ -272,26 +272,30 @@ class LdapDriver(object):
        """Check if project exists"""
        return self.get_project(name) != None

-    def __find_object(self, dn, query = None):
+    def __find_object(self, dn, query=None, scope=None):
        """Find an object by dn and query"""
-        objects = self.__find_objects(dn, query)
+        objects = self.__find_objects(dn, query, scope)
        if len(objects) == 0:
            return None
        return objects[0]

-    def __find_dns(self, dn, query=None):
+    def __find_dns(self, dn, query=None, scope=None):
        """Find dns by query"""
+        if scope is None: # one of the flags is 0!!
+            scope = self.ldap.SCOPE_SUBTREE
        try:
-            res = self.conn.search_s(dn, self.ldap.SCOPE_SUBTREE, query)
+            res = self.conn.search_s(dn, scope, query)
        except self.ldap.NO_SUCH_OBJECT:
            return []
        # just return the DNs
        return [dn for dn, attributes in res]

-    def __find_objects(self, dn, query = None):
+    def __find_objects(self, dn, query=None, scope=None):
        """Find objects by query"""
+        if scope is None: # one of the flags is 0!!
+            scope = self.ldap.SCOPE_SUBTREE
        try:
-            res = self.conn.search_s(dn, self.ldap.SCOPE_SUBTREE, query)
+            res = self.conn.search_s(dn, scope, query)
        except self.ldap.NO_SUCH_OBJECT:
            return []
        # just return the attributes
@@ -361,7 +365,8 @@ class LdapDriver(object):
        if not self.__group_exists(group_dn):
            return False
        res = self.__find_object(group_dn,
-                               '(member=%s)' % self.__uid_to_dn(uid))
+                                 '(member=%s)' % self.__uid_to_dn(uid),
+                                 self.ldap.SCOPE_BASE)
        return res != None

    def __add_to_group(self, uid, group_dn):
@@ -391,7 +396,11 @@ class LdapDriver(object):
        if not self.__is_in_group(uid, group_dn):
            raise exception.NotFound("User %s is not a member of the group" %
                                     (uid,))
-        self.__safe_remove_from_group(uid, group_dn)
+        # NOTE(vish): remove user from group and any sub_groups
+        sub_dns = self.__find_group_dns_with_member(
+                group_dn, uid)
+        for sub_dn in sub_dns:
+            self.__safe_remove_from_group(uid, sub_dn)

    def __safe_remove_from_group(self, uid, group_dn):
        """Remove user from group, deleting group if user is last member"""