For ldap, API wrongly reports user is in group

When the ldap identity backend is configured, HEAD v3/groups/{group_id}/users/{user_id} always returns 200, even if the user is not actually in the group. This is because the sql and kvs backend will raise NotFound exception if the user is not in the group, but the ldap backend just return result. Change-Id: Ie1585c8aebe054091bd76fded666bf41125ff9ca Closes-Bug: 1245247
2014-03-17 17:22:08 +08:00 · 2014-03-17 17:22:08 +08:00 · 628f383fbb
parent 58b790f1cc
commit 628f383fbb
4 changed files with 14 additions and 3 deletions
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@ -179,7 +179,8 @@ class Identity(identity.Driver):
            if x['id'] == user_id:
                found = True
                break
-        return found
+        if not found:
+            raise exception.NotFound(_('User not found in group'))


 # TODO(termie): turn this into a data object and move logic to driver
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
@ -323,7 +323,7 @@ class UserV3(controller.V3Controller):

    @controller.protected(callback=_check_user_and_group_protection)
    def check_user_in_group(self, context, user_id, group_id):
-        return self.identity_api.check_user_in_group(
+        self.identity_api.check_user_in_group(
            user_id, group_id,
            domain_scope=self._get_domain_id_for_request(context))

--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@ -480,7 +480,7 @@ class Manager(manager.Manager):
    @domains_configured
    def check_user_in_group(self, user_id, group_id, domain_scope=None):
        domain_id, driver = self._get_domain_id_and_driver(domain_scope)
-        return driver.check_user_in_group(user_id, group_id)
+        driver.check_user_in_group(user_id, group_id)

    @domains_configured
    def change_password(self, context, user_id, original_password,
--- a/keystone/tests/test_backend.py
+++ b/keystone/tests/test_backend.py
@ -2249,6 +2249,16 @@ class IdentityTests(object):
                          uuid.uuid4().hex,
                          new_group['id'])

+        new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
+                    'password': uuid.uuid4().hex, 'enabled': True,
+                    'domain_id': DEFAULT_DOMAIN_ID}
+        self.identity_api.create_user(new_user['id'], new_user)
+
+        self.assertRaises(exception.NotFound,
+                          self.identity_api.check_user_in_group,
+                          new_user['id'],
+                          new_group['id'])
+
    def test_list_users_in_group(self):
        domain = self._get_domain_fixture()
        new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],