| author | Brant Knudson <bknudson@us.ibm.com> | 2013-04-29 19:19:27 -0500 |
|---|---|---|
| committer | Brant Knudson <bknudson@us.ibm.com> | 2013-05-03 14:32:05 -0500 |
| commit | 4eb8233d9c6b73cedf25ea66edaccbcd092e13aa (patch) | |
| tree | 7f0a5f1decb2559666091acac39034e5390615c8 | |
| parent | 22d96b270b6794f15471761073a4d5e1065f35b0 (diff) | |
LDAP list groups with missing member entry
Using the LDAP identity backend,
if a group member entry doesn't exist in the LDAP server anymore
and the group's members are listed using GET /v3/groups/{groupId}/users,
Keystone returns 404 Not Found.
The server should return all the group members that do exist
and ignore the missing members,
and probably log a warning message about the missing user.
Fixes bug 1174585
Change-Id: Idf7c8c7f87affc4a72c5fe5e18e09a0f362e2646
| -rw-r--r-- | keystone/identity/backends/ldap/core.py | 13 | ||||
| -rw-r--r-- | tests/test_backend_ldap.py | 36 |
2 files changed, 47 insertions, 2 deletions
diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index faaed168..58ab3bd0 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -21,6 +21,7 @@ import ldap
 from keystone import clean
 from keystone.common import ldap as common_ldap
 from keystone.common.ldap import fakeldap
+from keystone.common import logging
 from keystone.common import models
 from keystone.common import utils
 from keystone import config
@@ -29,6 +30,8 @@ from keystone import identity
 CONF = config.CONF
+LOG = logging.getLogger(__name__)
+
 class Identity(identity.Driver):
     def __init__(self):
@@ -922,8 +925,14 @@ class GroupApi(common_ldap.BaseLdap, ApiShimMixin):
         for user_dn in user_dns:
             if self.use_dumb_member and user_dn == self.dumb_member:
                 continue
-            user_id = self.user_api._dn_to_id(user_dn)
-            users.append(self.user_api.get(user_id))
+            try:
+                user_id = self.user_api._dn_to_id(user_dn)
+                users.append(self.user_api.get(user_id))
+            except exception.UserNotFound:
+                LOG.debug(_("Group member '%(user_dn)s' not found in" " '%(group_dn)s'. The user should be removed" " from the group. The user will be ignored.") % dict(user_dn=user_dn, group_dn=group_dn))
         return users
diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
index fbecab63..ef409902 100644
--- a/tests/test_backend_ldap.py
+++ b/tests/test_backend_ldap.py
@@ -1,6 +1,7 @@
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
 # Copyright 2012 OpenStack LLC
+# Copyright 2013 IBM Corp.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
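Review bot: In the new `except exception.UserNotFound:` branch the dangling member is reported with `LOG.debug`, so in a normally configured deployment the message, which itself tells the operator the entry should be removed, never reaches anyone, and the commit message asks for a warning. A stale member DN is worth surfacing, because it means the group and the user directory have diverged, and if an entry is later created under the same DN it inherits the group's membership silently. I would change the call to `LOG.warning(...)` with the same message text. The enclosing method begins outside the hunk, so I cannot see where `group_dn` and `exception` are bound and take their availability from the surrounding unchanged code.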
@@ -533,6 +534,41 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
     def test_get_roles_for_user_and_domain(self):
         raise nose.exc.SkipTest('Blocked by bug 1101287')
+    def test_list_group_members_missing_entry(self):
+        """List group members with deleted user.
+
+        If a group has a deleted entry for a member, the non-deleted members
+        are returned.
+
+        """
+
+        # Create a group
+        group_id = None
+        group = dict(name=uuid.uuid4().hex)
+        group_id = self.identity_api.create_group(group_id, group)['id']
+
+        # Create a couple of users and add them to the group.
+        user_id = None
+        user = dict(name=uuid.uuid4().hex, id=uuid.uuid4().hex)
+        user_1_id = self.identity_api.create_user(user_id, user)['id']
+
+        self.identity_api.add_user_to_group(user_1_id, group_id)
+
+        user_id = None
+        user = dict(name=uuid.uuid4().hex, id=uuid.uuid4().hex)
+        user_2_id = self.identity_api.create_user(user_id, user)['id']
+
+        self.identity_api.add_user_to_group(user_2_id, group_id)
+
+        # Delete user 2.
+        self.identity_api.user.delete(user_2_id)
+
+        # List group users and verify only user 1.
+        res = self.identity_api.list_users_in_group(group_id)
+
+        self.assertEqual(len(res), 1, "Expected 1 entry (user_1)")
+        self.assertEqual(res[0]['id'], user_1_id, "Expected user 1 id")
+
 class LDAPIdentityEnabledEmulation(LDAPIdentity):
     def setUp(self):
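Review bot: The deletion at `self.identity_api.user.delete(user_2_id)` goes to the backend's user API directly rather than through the driver's `delete_user`, and a reader will take that for a typo unless told that the direct call is what leaves the stale member DN in the group for the test to exercise. I would replace the `# Delete user 2.` comment with `# Delete user 2 through the backend user API directly so the group keeps its (now dangling) member DN.` and say the same in the docstring, which currently only speaks of a "deleted entry". Whether `delete_user` would itself remove the membership is not visible in this hunk, so that part of the intent should be confirmed against the driver before it is written down.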
