authorMatthew Edmonds <edmondsw@us.ibm.com>2016-06-03 14:54:54 -0400
committerMatthew Edmonds <edmondsw@us.ibm.com>2016-06-09 10:18:02 -0400
commit0a5740a96d237feabc835c7e6c097df19aea0919 (patch)
tree68481ac03c52be2dddf7dbe151c572e20a503a58
parenta878664f5dbf08626a796e8cfa6fac88cb9e256a (diff)
Honor ldap_filter on filtered group list
Fix GET /v3/groups?name=<name> to honor conf.ldap.group_filter. The case where groups are listed for a specific user was already honoring the filter, but the case where all groups are listed was not. Moved the check into the get_all_filtered method that is shared by both cases so that it is not duplicated. Change-Id: I4a11394de2e6414ba936e01bcf2fcc523bab8ba5 Closes-Bug: #1588927 (cherry picked from commit 1c0e59dc9c0cd8bb4fd54f26d01986a53bcd148c)
-rw-r--r--keystone/identity/backends/ldap.py7
-rw-r--r--keystone/tests/unit/test_backend_ldap.py30
2 files changed, 34 insertions, 3 deletions
diff --git a/keystone/identity/backends/ldap.py b/keystone/identity/backends/ldap.py
index fe8e8477d..56769d95a 100644
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@@ -386,9 +386,8 @@ class GroupApi(common_ldap.BaseLdap):
def list_user_groups_filtered(self, user_dn, hints):
"""Return a filtered list of groups for which the user is a member."""
user_dn_esc = ldap.filter.escape_filter_chars(user_dn)
- query = '(%s=%s)%s' % (self.member_attribute,
- user_dn_esc,
- self.ldap_filter or '')
+ query = '(%s=%s)' % (self.member_attribute,
+ user_dn_esc)
return self.get_all_filtered(hints, query)
def list_group_users(self, group_id):
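Review bot: The docstring of list_user_groups_filtered no longer reflects where the deployment's group filter is applied, now that the `self.ldap_filter or ''` concatenation has been dropped from the query built on the `+` lines; a reader of this method alone cannot tell whether conf.ldap.group_filter is still honored for the per-user listing. Since re-adding the filter here is exactly the duplication this commit removes, the docstring should say so: extend it with a sentence stating that the configured group filter is applied by get_all_filtered and must not be appended to the member-attribute query in this method. The query still escapes user_dn via escape_filter_chars, which is worth keeping as the only untrusted-looking input on this path.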
@@ -420,6 +419,8 @@ class GroupApi(common_ldap.BaseLdap):
return common_ldap.filter_entity(group)
def get_all_filtered(self, hints, query=None):
+ if self.ldap_filter:
+ query = (query or '') + self.ldap_filter
query = self.filter_query(hints, query)
return [common_ldap.filter_entity(group)
for group in self.get_all(query, hints)]
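Review bot: The new branch in get_all_filtered appends self.ldap_filter to query by plain string concatenation, so a correct result depends on filter_query (outside the hunk) combining the two adjacent filter terms into a conjunction and on the configured value being a complete, parenthesised LDAP filter; neither assumption is stated in the method, and when query is None the result is the bare ldap_filter, which filter_query presumably handles like any other query. Because this method is now the single enforcement point for conf.ldap.group_filter on both the per-user and the list-all paths, it deserves a docstring so a later change does not bypass it: add one that says the method returns the groups matching hints restricted by the configured group filter, that the filter is appended to query unparsed and must therefore be a well-formed LDAP filter, and that filter_query is expected to conjoin the pieces. A short why-comment on the `if self.ldap_filter:` line, `# conf.ldap.group_filter applies to every group listing, not only per-user ones`, would also record the reason the check lives here. Whether filter_query always wraps a multi-term query in `(&...)` is inferred, not visible in the hunk.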
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index cf6186331..a939e6326 100644
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -251,6 +251,36 @@ class BaseLDAPIdentity(identity_tests.IdentityTests,
hints=hints)
self.assertEqual(0, len(users))
+ def test_list_groups_by_name_and_with_filter(self):
+ # Create some test groups.
+ domain = self._get_domain_fixture()
+ group_names = []
+ numgroups = 3
+ for _ in range(numgroups):
+ group = unit.new_group_ref(domain_id=domain['id'])
+ group = self.identity_api.create_group(group)
+ group_names.append(group['name'])
+ # confirm that the groups can all be listed
+ groups = self.identity_api.list_groups(
+ domain_scope=self._set_domain_scope(domain['id']))
+ self.assertEqual(numgroups, len(groups))
+ # configure the group filter
+ driver = self.identity_api._select_identity_driver(domain['id'])
+ driver.group.ldap_filter = ('(|(ou=%s)(ou=%s))' %
+ tuple(group_names[:2]))
+ # confirm that the group filter is working
+ groups = self.identity_api.list_groups(
+ domain_scope=self._set_domain_scope(domain['id']))
+ self.assertEqual(2, len(groups))
+ # confirm that a group is not exposed when it does not match the
+ # filter setting in conf even if it is requested by name in group list
+ hints = driver_hints.Hints()
+ hints.add_filter('name', group_names[2])
+ groups = self.identity_api.list_groups(
+ domain_scope=self._set_domain_scope(domain['id']),
+ hints=hints)
+ self.assertEqual(0, len(groups))
+
def test_remove_role_grant_from_user_and_project(self):
self.assignment_api.create_grant(user_id=self.user_foo['id'],
project_id=self.tenant_baz['id'],
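Review bot: The assignment to `driver.group.ldap_filter` in the middle of test_list_groups_by_name_and_with_filter changes state on the identity driver and is never restored; the driver is obtained through _select_identity_driver rather than created by the test, so if that object outlives the test method, later tests in the same class would run with this two-group filter in place and the results would depend on test ordering. Registering the restore before the assignment keeps the test self-contained: `original_filter = driver.group.ldap_filter` followed by `self.addCleanup(setattr, driver.group, 'ldap_filter', original_filter)`. The filter string is built from freshly created group names, which come from new_group_ref rather than from any request input, so no escaping is needed there. The enclosing BaseLDAPIdentity class starts and ends outside the hunk.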