Handle default string values when using user_enabled_invert

When the user_enabled_invert setting is being used, values returned from LDAP are ultimately converted to a bool type when we reach the inversion logic. If the user_enabled_default value is used due to no value being returned from LDAP, the type is a string. This causes the inversion logic to be evaluated incorrectly, as 'not' will return False for any non-empty string. This results in disabled accounts that should be enabled. Change-Id: Id7b024c12815748305458ca05fc8f8a6324c1908 Closes-bug: #1376053
2014-09-30 17:36:22 -07:00 · 2014-09-30 17:36:22 -07:00 · 50a6312ffa
parent 6778df0d8f
commit 50a6312ffa
2 changed files with 32 additions and 0 deletions
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@ -217,7 +217,14 @@ class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
            obj['enabled'] = ((enabled & self.enabled_mask) !=
                              self.enabled_mask)
        elif self.enabled_invert and not self.enabled_emulation:
+            # This could be a bool or a string.  If it's a string,
+            # we need to convert it so we can invert it properly.
            enabled = obj.get('enabled', self.enabled_default)
+            if type(enabled) is str:
+                if enabled.lower == 'true':
+                    enabled = True
+                else:
+                    enabled = False
            obj['enabled'] = not enabled
        obj['dn'] = res[0]

--- a/keystone/tests/test_backend_ldap.py
+++ b/keystone/tests/test_backend_ldap.py
@ -1201,6 +1201,27 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
        # from the resource default.
        self.assertIs(not CONF.ldap.user_enabled_default, user_ref['enabled'])

+    @mock.patch.object(common_ldap_core.BaseLdap, '_ldap_get')
+    def test_user_enabled_invert_default_str_value(self, mock_ldap_get):
+        self.config_fixture.config(group='ldap', user_enabled_invert=True,
+                                   user_enabled_default='False')
+        # Mock the search results to return an entry with
+        # no enabled value.
+        mock_ldap_get.return_value = (
+            'cn=junk,dc=example,dc=com',
+            {
+                'sn': [uuid.uuid4().hex],
+                'email': [uuid.uuid4().hex],
+                'cn': ['junk']
+            }
+        )
+
+        user_api = identity.backends.ldap.UserApi(CONF)
+        user_ref = user_api.get('junk')
+        # Ensure that the model enabled attribute is inverted
+        # from the resource default.
+        self.assertIs(True, user_ref['enabled'])
+
    @mock.patch.object(common_ldap_core.KeystoneLDAPHandler, 'simple_bind_s')
    def test_user_api_get_connection_no_user_password(self, mocked_method):
        """Don't bind in case the user and password are blank."""
@ -1897,6 +1918,10 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
        self.skipTest(
            "N/A: Covered by test_user_enabled_invert")

+    def test_user_enabled_invert_default_str_value(self):
+        self.skipTest(
+            "N/A: Covered by test_user_enabled_invert")
+

 class LdapIdentitySqlAssignment(BaseLDAPIdentity, tests.SQLDriverOverrides,
                                tests.TestCase):