Make sure LDAP filter is constructed correctly

This fixes an issue where, when querying Keystone via the v3 API, you would get back an invalid LDAP filter, because None was coerced to the string "None" and inserted into the middle of the query. Change-Id: I9d45a4dca265b69e261f134118bb30c8cd128166 Closes-Bug: 1454309
2015-05-21 12:42:40 -04:00 · 2015-05-21 12:42:40 -04:00 · 2c6db4a3bb
parent edb3887b72
commit 2c6db4a3bb
2 changed files with 55 additions and 1 deletions
--- a/keystone/common/ldap/core.py
+++ b/keystone/common/ldap/core.py
@ -1673,7 +1673,7 @@ class BaseLdap(object):
                      'entries': not_deleted_nodes[:3],
                      'dots': '...' if len(not_deleted_nodes) > 3 else ''})

-    def filter_query(self, hints, query=None):
+    def filter_query(self, hints, query=''):
        """Applies filtering to a query.

        :param hints: contains the list of filters, which may be None,
--- a/keystone/tests/unit/common/test_ldap.py
+++ b/keystone/tests/unit/common/test_ldap.py
@ -21,6 +21,7 @@ import mock
 from oslo_config import cfg
 from testtools import matchers

+from keystone.common import driver_hints
 from keystone.common import ldap as ks_ldap
 from keystone.common.ldap import core as common_ldap_core
 from keystone.tests import unit as tests
@ -496,3 +497,56 @@ class CommonLdapTestCase(tests.BaseTestCase):
            py_result = ks_ldap.convert_ldap_result(result)
            # The user name should still be a string value.
            self.assertEqual(user_name, py_result[0][1]['user_name'][0])
+
+
+class LDAPFilterQueryCompositionTest(tests.TestCase):
+    """These test cases test LDAP filter generation."""
+
+    def setUp(self):
+        super(LDAPFilterQueryCompositionTest, self).setUp()
+
+        self.base_ldap = ks_ldap.BaseLdap(self.config_fixture.conf)
+
+        # The tests need an attribute mapping to use.
+        self.attribute_name = uuid.uuid4().hex
+        self.filter_attribute_name = uuid.uuid4().hex
+        self.base_ldap.attribute_mapping = {
+            self.attribute_name: self.filter_attribute_name
+        }
+
+    def test_return_query_with_no_hints(self):
+        hints = driver_hints.Hints()
+        # NOTE: doesn't have to be a real query, we just need to make sure the
+        # same string is returned if there are no hints.
+        query = uuid.uuid4().hex
+        self.assertEqual(query,
+                         self.base_ldap.filter_query(hints=hints, query=query))
+
+        # make sure the default query is an empty string
+        self.assertEqual('', self.base_ldap.filter_query(hints=hints))
+
+    def test_filter_with_empty_query_and_hints_set(self):
+        hints = driver_hints.Hints()
+        username = uuid.uuid4().hex
+        hints.add_filter(name=self.attribute_name,
+                         value=username,
+                         comparator='equals',
+                         case_sensitive=False)
+        expected_ldap_filter = '(&(%s=%s))' % (
+            self.filter_attribute_name, username)
+        self.assertEqual(expected_ldap_filter,
+                         self.base_ldap.filter_query(hints=hints))
+
+    def test_filter_with_both_query_and_hints_set(self):
+        hints = driver_hints.Hints()
+        # NOTE: doesn't have to be a real query, we just need to make sure the
+        # filter string is concatenated correctly
+        query = uuid.uuid4().hex
+        username = uuid.uuid4().hex
+        expected_result = '(&%(query)s(%(user_name_attr)s=%(username)s))' % (
+            {'query': query,
+             'user_name_attr': self.filter_attribute_name,
+             'username': username})
+        hints.add_filter(self.attribute_name, username)
+        self.assertEqual(expected_result,
+                         self.base_ldap.filter_query(hints=hints, query=query))