Handle default string values when using user_enabled_invert
When the user_enabled_invert setting is being used, values returned from LDAP are ultimately converted to a bool type when we reach the inversion logic. If the user_enabled_default value is used due to no value being returned from LDAP, the type is a string. This causes the inversion logic to be evaluated incorrectly, as 'not' will return False for any non-empty string. This results in disabled accounts that should be enabled. Change-Id: Id7b024c12815748305458ca05fc8f8a6324c1908 Closes-bug: #1376053
parent
6778df0d8f
commit
50a6312ffa
|
@ -217,7 +217,14 @@ class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
|
|||
obj['enabled'] = ((enabled & self.enabled_mask) !=
|
||||
self.enabled_mask)
|
||||
elif self.enabled_invert and not self.enabled_emulation:
|
||||
# This could be a bool or a string. If it's a string,
|
||||
# we need to convert it so we can invert it properly.
|
||||
enabled = obj.get('enabled', self.enabled_default)
|
||||
if type(enabled) is str:
|
||||
if enabled.lower == 'true':
|
||||
enabled = True
|
||||
else:
|
||||
enabled = False
|
||||
obj['enabled'] = not enabled
|
||||
obj['dn'] = res[0]
|
||||
|
||||
|
|
|
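Review bot: `enabled.lower == 'true'` compares the bound method object with a string, so it is never true and every string default becomes False before the inversion. With user_enabled_invert set, a string default of 'True' therefore yields `obj['enabled'] = True` for entries that carry no enabled attribute in LDAP, which is the fail-open direction for account disablement. Call the method instead: `if enabled.lower() == 'true':`. `type(enabled) is str` would also skip unicode values on Python 2, if that is what the config or LDAP layer hands back; an `isinstance` check against the string types would cover both. The enclosing method starts and ends outside this hunk.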
@ -1201,6 +1201,27 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
|
|||
# from the resource default.
|
||||
self.assertIs(not CONF.ldap.user_enabled_default, user_ref['enabled'])
|
||||
|
||||
@mock.patch.object(common_ldap_core.BaseLdap, '_ldap_get')
|
||||
def test_user_enabled_invert_default_str_value(self, mock_ldap_get):
|
||||
self.config_fixture.config(group='ldap', user_enabled_invert=True,
|
||||
user_enabled_default='False')
|
||||
# Mock the search results to return an entry with
|
||||
# no enabled value.
|
||||
mock_ldap_get.return_value = (
|
||||
'cn=junk,dc=example,dc=com',
|
||||
{
|
||||
'sn': [uuid.uuid4().hex],
|
||||
'email': [uuid.uuid4().hex],
|
||||
'cn': ['junk']
|
||||
}
|
||||
)
|
||||
|
||||
user_api = identity.backends.ldap.UserApi(CONF)
|
||||
user_ref = user_api.get('junk')
|
||||
# Ensure that the model enabled attribute is inverted
|
||||
# from the resource default.
|
||||
self.assertIs(True, user_ref['enabled'])
|
||||
|
||||
@mock.patch.object(common_ldap_core.KeystoneLDAPHandler, 'simple_bind_s')
|
||||
def test_user_api_get_connection_no_user_password(self, mocked_method):
|
||||
"""Don't bind in case the user and password are blank."""
|
||||
|
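Review bot: test_user_enabled_invert_default_str_value only exercises `user_enabled_default='False'`, and that case passes whether or not the string comparison in UserApi ever matches, because any unmatched string is mapped to False and then inverted to True. Add a sibling case with `user_enabled_default='True'` and `self.assertIs(False, user_ref['enabled'])` so the branch that turns a string into True is covered; the disabled outcome is the one that matters for access control. A mixed-case value such as 'TRUE' would also pin the case-insensitive intent of the comparison.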
@ -1897,6 +1918,10 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
|
|||
self.skipTest(
|
||||
"N/A: Covered by test_user_enabled_invert")
|
||||
|
||||
def test_user_enabled_invert_default_str_value(self):
|
||||
self.skipTest(
|
||||
"N/A: Covered by test_user_enabled_invert")
|
||||
|
||||
|
||||
class LdapIdentitySqlAssignment(BaseLDAPIdentity, tests.SQLDriverOverrides,
|
||||
tests.TestCase):
|
||||
|
|