authorprashkre <prashkre@in.ibm.com>2017-10-26 18:47:33 +0530
committerprashkre <prashkre@in.ibm.com>2017-11-15 01:09:18 +0000
commitd0721d7cf4dc808946a7016b0ca2830c8850d5d9 (patch)
tree10069c0ff50fbed6d128a0b66acd61a35bfc89dd
parentd07677aba54362a4a3aa2d165b155105ffe30d73 (diff)
Filter users/groups in ldap with whitespacesstable/pike
All users and groups are required to have a name. With this fix, Keystone ignores any LDAP user or group whose value for the attribute Keystone is configured to use as that entity's name is empty or consists only of whitespace. Change-Id: Id539e1b7e1cea8b05cd9bb753707e1fc98244d29 Closes-Bug: #1727726 (cherry picked from commit 789573a0f17fd3ea8abd1a89034b865035925a8f)
Notes
Notes (review): Code-Review+2: Steve Martinelli <s.martinelli@gmail.com> Code-Review+1: YANG Ling <yangling_yl@foxmail.com> Code-Review+2: Morgan Fainberg <morgan.fainberg@gmail.com> Workflow+1: Morgan Fainberg <morgan.fainberg@gmail.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Thu, 16 Nov 2017 20:56:19 +0000 Reviewed-on: https://review.openstack.org/519846 Project: openstack/keystone Branch: refs/heads/stable/pike
-rw-r--r--keystone/identity/backends/ldap/common.py20
-rw-r--r--keystone/tests/unit/test_backend_ldap.py52
-rw-r--r--releasenotes/notes/bug-1727726-0b47608811a2cd16.yaml9
3 files changed, 79 insertions, 2 deletions
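diff --git a/keystone/identity/backends/ldap/common.py b/keystone/identity/backends/ldap/common.py
index 855ee46..8d632aa 100644
--- a/keystone/identity/backends/ldap/common.py
+++ b/keystone/identity/backends/ldap/common.py
@@ -1402,8 +1402,24 @@ class BaseLdap(object):
             raise ValueError('"%(attr)s" is not a valid value for'
                              ' "%(attr_name)s"' % {'attr': attr,
                                                    'attr_name': attr_name})
-        return [obj for obj in ldap_result
-                if obj[1].get(attr) and obj[1].get(attr)[0]]
+        result = []
+        # consider attr = "cn" and
+        # ldap_result = [{'uid': ['fake_id1']},
+        #                {'uid': ['fake_id2'], 'cn': [' ']},
+        #                {'uid': ['fake_id3'], 'cn': ['']},
+        #                {'uid': ['fake_id4'], 'cn': []},
+        #                {'uid': ['fake_id5'], 'cn': ["name"]}]
+        for obj in ldap_result:
+            # ignore ldap object(user/group entry) which has no attr set
+            # in it or whose value is empty list.
+            if obj[1].get(attr):
+                # ignore ldap object whose attr value has empty strings or
+                # contains only whitespaces.
+                if obj[1].get(attr)[0] and obj[1].get(attr)[0].strip():
+                    result.append(obj)
+        # except {'uid': ['fake_id5'], 'cn': ["name"]}, all entries
+        # will be ignored in ldap_result
+        return result
 
     def _ldap_get(self, object_id, ldap_filter=None):
         query = (u'(&(%(id_attr)s=%(id)s)'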
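Review bot: Entries rejected by the new inner check are dropped with no trace, so an operator whose directory holds an account with a blank name attribute sees it simply vanish from listings with nothing in the logs to explain why; an `else` branch on the inner `if` that records the DN, e.g. `LOG.debug('Ignoring LDAP entry %s: attribute %s is empty or whitespace', obj[0], attr)`, would make that diagnosable (assuming this module already defines a module-level `LOG`, which I cannot see from the hunk). As a point of style, `obj[1].get(attr)` is evaluated three times per entry; binding it once as `values = obj[1].get(attr)` and testing `values and values[0] and values[0].strip()` expresses the filter as a single condition and removes the nested `if`. The comment block should also state that only the first value of a multi-valued attribute is inspected, which is unchanged from the removed comprehension but is not obvious from the prose. The enclosing `_filter_ldap_result_by_attr` begins before this hunk.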
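diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index 0d49290..e42c678 100644
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -1198,6 +1198,58 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
         # from the resource default.
         self.assertIs(True, user_ref['enabled'])
 
+    @mock.patch.object(common_ldap.KeystoneLDAPHandler, 'connect')
+    @mock.patch.object(common_ldap.KeystoneLDAPHandler, 'search_s')
+    @mock.patch.object(common_ldap.KeystoneLDAPHandler, 'simple_bind_s')
+    def test_filter_ldap_result_by_attr(self, mock_simple_bind_s,
+                                        mock_search_s, mock_connect):
+
+        # Mock the ldap search results to return user entries with
+        # user_name_attribute('sn') value has emptyspaces, emptystring
+        # and attibute itself is not set.
+        mock_search_s.return_value = [(
+            'sn=junk1,dc=example,dc=com',
+            {
+                'cn': [uuid.uuid4().hex],
+                'email': [uuid.uuid4().hex],
+                'sn': ['junk1']
+            }
+        ),
+        (
+            '',
+            {
+                'cn': [uuid.uuid4().hex],
+                'email': [uuid.uuid4().hex],
+            }
+        ),
+        (
+            'sn=,dc=example,dc=com',
+            {
+                'cn': [uuid.uuid4().hex],
+                'email': [uuid.uuid4().hex],
+                'sn': ['']
+            }
+        ),
+        (
+            'sn= ,dc=example,dc=com',
+            {
+                'cn': [uuid.uuid4().hex],
+                'email': [uuid.uuid4().hex],
+                'sn': [' ']
+            }
+        )]
+
+        user_api = identity.backends.ldap.UserApi(CONF)
+        user_refs = user_api.get_all()
+        # validate that keystone.identity.backends.ldap.common.BaseLdap.
+        # _filter_ldap_result_by_attr() method filtered the ldap query results
+        # whose name attribute values has emptyspaces, emptystring
+        # and attibute itself is not set.
+        self.assertEqual(1, len(user_refs))
+
+        self.assertEqual('junk1', user_refs[0]['name'])
+        self.assertEqual('sn=junk1,dc=example,dc=com', user_refs[0]['dn'])
+
     @mock.patch.object(common_ldap.BaseLdap, '_ldap_get')
     def test_user_enabled_attribute_handles_expired(self, mock_ldap_get):
         # If using 'passwordisexpired' as enabled attribute, and inverting it,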
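Review bot: The new test never exercises the empty-list case (`'sn': []`) that the implementation's own example comment enumerates, so the outer `if obj[1].get(attr)` guard is only covered by the missing-attribute entry; adding a fifth mocked entry such as `('sn=,dc=example,dc=com', {'cn': [uuid.uuid4().hex], 'email': [uuid.uuid4().hex], 'sn': []})` to `mock_search_s.return_value` would pin it, and an entry with `'sn': ['\t\n']` would confirm the `strip()` check rejects non-space whitespace as well. The test also depends on the configured `user_name_attribute` being `sn` without saying so; setting it explicitly at the top of the test (via the config fixture the rest of this class appears to use, if available) would keep the assertion meaningful if the default changes. The comments at new lines 1208 and 1247 misspell "attribute" as "attibute".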
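diff --git a/releasenotes/notes/bug-1727726-0b47608811a2cd16.yaml b/releasenotes/notes/bug-1727726-0b47608811a2cd16.yaml
new file mode 100644
index 0000000..b10285e
--- /dev/null
+++ b/releasenotes/notes/bug-1727726-0b47608811a2cd16.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    [`bug 1727726 <https://bugs.launchpad.net/keystone/+bug/1727726>`_]
+    All users and groups are required to have a name. Prior to this fix,
+    Keystone was allowing LDAP users and groups whose name has only empty
+    white spaces. Keystone will now ignore users and groups that do have
+    only white spaces as value for the LDAP attribute which Keystone has
+    been configured to use for that entity's name.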