yahoo-eng-team team mailing list archive

[Bug 1376053] [NEW] user_enabled_invert does not properly handle string values

 

Public bug reported:

The user_enabled_invert setting is supposed to invert the meaning of
True/False for the user enabled attribute.  This makes "lock" attributes
useful, where "False" indicates that an account is not locked.

The invert logic expects that we have a bool type that we then invert
using 'not' in this snippet of code from UserApi._ldap_res_to_model:

--------------------------------------------------------------------
        elif self.enabled_invert and not self.enabled_emulation:
            enabled = obj.get('enabled', self.enabled_default)
            obj['enabled'] = not enabled
--------------------------------------------------------------------

The problem is that we get a bool type from the default value, and a
str type from LDAP.  Evaluating a string with 'not' will be False for
any non-empty string.  This means that we will fail to invert a string
of "False" that is returned from LDAP, leading to accounts being
inadvertently disabled.  This code needs to handle converting a str type
to bool before inverting the value.

** Affects: keystone
     Importance: Medium
     Assignee: Nathan Kinder (nkinder)
         Status: In Progress


** Tags: juno-rc-potential

** Tags added: juno-rc-candidate

** Changed in: keystone
       Status: New => In Progress

** Changed in: keystone
     Assignee: (unassigned) => Nathan Kinder (nkinder)

** Summary changed:

- user_enabled_invert does notproperly handle string values
+ user_enabled_invert does not properly handle string values

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1376053

Title:
  user_enabled_invert does not properly handle string values

Status in OpenStack Identity (Keystone):
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1376053/+subscriptions
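
Added example, not part of the original bug report and not Keystone's code: it reproduces the 'not' inversion from the quoted snippet on str values and shows one way to convert to bool before inverting. The function names, the sample records and the enabled_default of False are assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not Keystone's API.

def invert_enabled_buggy(obj, enabled_default=False):
    """Same logic as the snippet in the report: 'not' on the raw value."""
    enabled = obj.get('enabled', enabled_default)
    return not enabled  # any non-empty str is truthy, so this is False


def ldap_value_to_bool(value):
    """Convert an LDAP attribute value (or a bool default) to a real bool.

    LDAP Boolean syntax is the string 'TRUE' or 'FALSE'; matching here is
    case-insensitive. Unrecognised values raise instead of being guessed.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, bytes):
        value = value.decode('utf-8')
    if isinstance(value, str):
        normalized = value.strip().lower()
        if normalized == 'true':
            return True
        if normalized == 'false':
            return False
    raise ValueError('not a boolean LDAP value: %r' % (value,))


def invert_enabled_fixed(obj, enabled_default=False):
    """Convert to bool first, then invert."""
    enabled = obj.get('enabled', enabled_default)
    return not ldap_value_to_bool(enabled)


# Constructed sample records: 'enabled' holds the raw value of a "lock"
# attribute as LDAP would return it (str); carol has no value at all.
SAMPLES = [
    {'name': 'alice', 'enabled': 'FALSE'},  # not locked
    {'name': 'bob', 'enabled': 'TRUE'},     # locked
    {'name': 'carol'},                      # falls back to the bool default
]


def compare(samples=SAMPLES):
    """Return (name, buggy_result, fixed_result) for each record."""
    return [(s['name'], invert_enabled_buggy(s), invert_enabled_fixed(s))
            for s in samples]


if __name__ == '__main__':
    for name, buggy, fixed in compare():
        print('%-6s buggy enabled=%-5s fixed enabled=%s' % (name, buggy, fixed))
```

Only the record with the string "FALSE" differs between the two versions: the buggy inversion reports the unlocked account as disabled, while the bool default path behaves the same in both.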

