author | Matthew Edmonds <edmondsw@us.ibm.com> | 2016-06-03 14:54:54 -0400 |
---|---|---|
committer | Matthew Edmonds <edmondsw@us.ibm.com> | 2016-06-09 10:18:02 -0400 |
commit | 0a5740a96d237feabc835c7e6c097df19aea0919 (patch) | |
tree | 68481ac03c52be2dddf7dbe151c572e20a503a58 | |
parent | a878664f5dbf08626a796e8cfa6fac88cb9e256a (diff) | |
Honor ldap_filter on filtered group list
Fix GET /v3/groups?name=<name> to honor conf.ldap.group_filter.
The case where groups are listed for a specific user was already
honoring the filter, but the case where all groups are listed was not.
Moved the check into the get_all_filtered method that is shared by both
cases so that it is not duplicated.
Change-Id: I4a11394de2e6414ba936e01bcf2fcc523bab8ba5
Closes-Bug: #1588927
(cherry picked from commit 1c0e59dc9c0cd8bb4fd54f26d01986a53bcd148c)
-rw-r--r-- | keystone/identity/backends/ldap.py | 7 | ||||
-rw-r--r-- | keystone/tests/unit/test_backend_ldap.py | 30 |
2 files changed, 34 insertions, 3 deletions
diff --git a/keystone/identity/backends/ldap.py b/keystone/identity/backends/ldap.py
index fe8e8477d..56769d95a 100644
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@@ -386,9 +386,8 @@ class GroupApi(common_ldap.BaseLdap):
 def list_user_groups_filtered(self, user_dn, hints):
 """Return a filtered list of groups for which the user is a member."""
 user_dn_esc = ldap.filter.escape_filter_chars(user_dn)
- query = '(%s=%s)%s' % (self.member_attribute,
- user_dn_esc,
- self.ldap_filter or '')
+ query = '(%s=%s)' % (self.member_attribute,
+ user_dn_esc)
 return self.get_all_filtered(hints, query)

 def list_group_users(self, group_id):
@@ -420,6 +419,8 @@ class GroupApi(common_ldap.BaseLdap):
 return common_ldap.filter_entity(group)

 def get_all_filtered(self, hints, query=None):
+ if self.ldap_filter:
+ query = (query or '') + self.ldap_filter
 query = self.filter_query(hints, query)
 return [common_ldap.filter_entity(group)
 for group in self.get_all(query, hints)]
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index cf6186331..a939e6326 100644
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
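Review bot: The new `ldap_filter` branch in `get_all_filtered` (second hunk) is undocumented, so a reader of the `?name=` listing path cannot tell that the configured group filter is now intersected with every group listing, not only the per-user one; add a docstring such as `"""Return groups matching *hints* and *query*, always restricted by conf.ldap.group_filter when one is set."""`. The `(query or '') + self.ldap_filter` concatenation also relies on `filter_query` wrapping the combined string in an `(&...)` conjunction — otherwise the `(member=...)` term from the first hunk followed by the configured filter is two adjacent terms rather than one valid LDAP filter. `filter_query` is not visible in this hunk, so a one-line comment naming that dependency would make the invariant explicit, e.g. `# filter_query is expected to AND this with the hints filter — confirm`.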
@@ -251,6 +251,36 @@ class BaseLDAPIdentity(identity_tests.IdentityTests,
 hints=hints)
 self.assertEqual(0, len(users))

+ def test_list_groups_by_name_and_with_filter(self):
+ # Create some test groups.
+ domain = self._get_domain_fixture()
+ group_names = []
+ numgroups = 3
+ for _ in range(numgroups):
+ group = unit.new_group_ref(domain_id=domain['id'])
+ group = self.identity_api.create_group(group)
+ group_names.append(group['name'])
+ # confirm that the groups can all be listed
+ groups = self.identity_api.list_groups(
+ domain_scope=self._set_domain_scope(domain['id']))
+ self.assertEqual(numgroups, len(groups))
+ # configure the group filter
+ driver = self.identity_api._select_identity_driver(domain['id'])
+ driver.group.ldap_filter = ('(|(ou=%s)(ou=%s))' %
+ tuple(group_names[:2]))
+ # confirm that the group filter is working
+ groups = self.identity_api.list_groups(
+ domain_scope=self._set_domain_scope(domain['id']))
+ self.assertEqual(2, len(groups))
+ # confirm that a group is not exposed when it does not match the
+ # filter setting in conf even if it is requested by name in group list
+ hints = driver_hints.Hints()
+ hints.add_filter('name', group_names[2])
+ groups = self.identity_api.list_groups(
+ domain_scope=self._set_domain_scope(domain['id']),
+ hints=hints)
+ self.assertEqual(0, len(groups))
+
 def test_remove_role_grant_from_user_and_project(self):
 self.assignment_api.create_grant(user_id=self.user_foo['id'],
 project_id=self.tenant_baz['id'], |
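Review bot: `driver.group.ldap_filter` is overwritten on the live driver object and never restored, so if the selected driver is cached across tests in this class the `(|(ou=...)(ou=...))` filter can leak into later group listings and make unrelated assertions fail or pass for the wrong reason. Register a cleanup before the assignment, e.g. `self.addCleanup(setattr, driver.group, 'ldap_filter', driver.group.ldap_filter)`. Whether the driver is actually shared between tests is not visible in this hunk, and the enclosing class `BaseLDAPIdentity` starts outside it.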