yahoo-eng-team team mailing list archive

[Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>]

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => juno-rc2

** Tags removed: juno-rc-potential

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1376053

Title:
  user_enabled_invert does not properly handle string values

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  The user_enabled_invert setting is supposed to invert the meaning of
  True/False for the user enabled attribute.  This makes "lock"
  attributes useful, where "False" indicates that an account is not
  locked.

  The invert logic expects that we have a bool type that we then invert
  using 'not' in this snippet of code from UserApi._ldap_res_to_model:

  --------------------------------------------------------------------
          elif self.enabled_invert and not self.enabled_emulation:
              enabled = obj.get('enabled', self.enabled_default)
              obj['enabled'] = not enabled
  --------------------------------------------------------------------

  The problem is that we get a string type from the default value, and a
  bool type from LDAP.  Evaluating a string with 'not' will be False for
  any non-empty string.  This means that we will fail to invert a string
  of "False" that is inherited from the default setting if no value is
  returned from LDAP, leading to accounts being inadvertently disabled.
  This code needs to handle converting a str type to bool before
  inverting the value.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1376053/+subscriptions