Support bytes type in generate_public_ID()

python-ldap3.0 or later running on python3 uses str or bytes
data type according to what fields are returned.
local_id may be a bytes data type.
To handle it properly, mapping[key] needs to be examined for
identifying its data type and what python version is used.

Closes-Bug: #1901654
Change-Id: Iac097235fd31e166028c169d14ec0937c663c21c
(cherry picked from commit f7df9fba828328d8b20e85d711c1d27c77089632)
(cherry picked from commit 5b860e0b3b4e318b91325996156bae3f99abd6c7)
(cherry picked from commit f4819fe36f087b2f652dc68fd33880860570f8d9)

3 files changed, 35 insertions, 2 deletions

diff --git a/keystone/identity/id_generators/sha256.py b/keystone/identity/id_generators/sha256.py
index d0f4a57ad..dde9c2dd0 100644
--- a/keystone/identity/id_generators/sha256.py
+++ b/keystone/identity/id_generators/sha256.py
@@ -13,7 +13,6 @@
 # under the License.
 
 import hashlib
-
 from keystone.identity import generator
 
 
@@ -22,5 +21,12 @@ class Generator(generator.IDGenerator):
     def generate_public_ID(self, mapping):
         m = hashlib.sha256()
         for key in sorted(mapping.keys()):
-            m.update(mapping[key].encode('utf-8'))
+            # python-ldap >3.0 returns bytes data type for attribute values
+            # except distinguished names, relative distinguished names,
+            # attribute names, queries on python3.
+            # Please see Bytes/text management in python-ldap module.
+            if isinstance(mapping[key], bytes):
+                m.update(mapping[key])
+            else:
+                m.update(mapping[key].encode('utf-8'))
         return m.hexdigest()
diff --git a/keystone/tests/unit/test_backend_id_mapping_sql.py b/keystone/tests/unit/test_backend_id_mapping_sql.py
index e5aa878cd..baee34e99 100644
--- a/keystone/tests/unit/test_backend_id_mapping_sql.py
+++ b/keystone/tests/unit/test_backend_id_mapping_sql.py
@@ -152,6 +152,23 @@ class SqlIDMapping(test_backend_sql.SqlTests):
         self.assertEqual(
             public_id, PROVIDERS.id_mapping_api.get_public_id(local_entity))
 
+    def test_id_mapping_handles_bytes(self):
+        initial_mappings = len(mapping_sql.list_id_mappings())
+        local_id = b'FaKeID'
+        local_entity = {'domain_id': self.domainA['id'],
+                        'local_id': local_id,
+                        'entity_type': mapping.EntityType.USER}
+
+        # Check no mappings for the new local entity
+        self.assertIsNone(PROVIDERS.id_mapping_api.get_public_id(local_entity))
+
+        # Create the new mapping and then read it back
+        public_id = PROVIDERS.id_mapping_api.create_id_mapping(local_entity)
+        self.assertThat(mapping_sql.list_id_mappings(),
+                        matchers.HasLength(initial_mappings + 1))
+        self.assertEqual(
+            public_id, PROVIDERS.id_mapping_api.get_public_id(local_entity))
+
     def test_delete_public_id_is_silent(self):
         # Test that deleting an invalid public key is silent
         PROVIDERS.id_mapping_api.delete_id_mapping(uuid.uuid4().hex)
diff --git a/releasenotes/notes/bug-1901654-69b9f35d11cd0c75.yaml b/releasenotes/notes/bug-1901654-69b9f35d11cd0c75.yaml
new file mode 100644
index 000000000..0537bb837
--- /dev/null
+++ b/releasenotes/notes/bug-1901654-69b9f35d11cd0c75.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    [`bug 1901654 <https://bugs.launchpad.net/keystone/+bug/1901654>`_]
+    Previously, generate_public_ID() in sha256.py assumed the passed arguments is str data type.
+    However, python-ldap 3.0 or later returns bytes data type for attribute values except fields
+    of distinguished names, relative distinguished names, attribute names, queries.
+    If keystone running on Python3 is integrated with LDAP and the LDAP server has local_id variable
+    in its attribute, user login operations will fail due to the assumption and modifiation of python-ldap.
+    By this fix, generate_public_ID() properly handles bytes data type in the parameter.