sanitize all args to strings before sending them to ldap

1 files changed, 35 insertions, 0 deletions

diff --git a/nova/auth/ldapdriver.py b/nova/auth/ldapdriver.py
index e652f1caa..99cbb43f9 100644
--- a/nova/auth/ldapdriver.py
+++ b/nova/auth/ldapdriver.py
@@ -73,6 +73,23 @@ LOG = logging.getLogger("nova.ldapdriver")
 #             creating this now because I'm expecting an auth refactor
 #             in which we may want to change the interface a bit more.
 
+def _clean(attr):
+    """Clean attr for insertion into ldap"""
+    if attr is None:
+        return None
+    if type(attr) is unicode:
+        return str(attr)
+    return attr
+
+def sanitize(fn):
+    """Decorator to sanitize all args"""
+    def _wrapped(self, *args, **kwargs):
+        args = [_clean(x) for x in args]
+        kwargs = dict((k, _clean(v)) for (k, v) in kwargs)
+        return fn(self, *args, **kwargs)
+    _wrapped.func_name = fn.func_name
+    return _wrapped
+
 
 class LdapDriver(object):
     """Ldap Auth driver
@@ -106,23 +123,27 @@ class LdapDriver(object):
         self.conn.unbind_s()
         return False
 
+    @sanitize
     def get_user(self, uid):
         """Retrieve user by id"""
         attr = self.__get_ldap_user(uid)
         return self.__to_user(attr)
 
+    @sanitize
     def get_user_from_access_key(self, access):
         """Retrieve user by access key"""
         query = '(accessKey=%s)' % access
         dn = FLAGS.ldap_user_subtree
         return self.__to_user(self.__find_object(dn, query))
 
+    @sanitize
     def get_project(self, pid):
         """Retrieve project by id"""
         dn = self.__project_to_dn(pid)
         attr = self.__find_object(dn, LdapDriver.project_pattern)
         return self.__to_project(attr)
 
+    @sanitize
     def get_users(self):
         """Retrieve list of users"""
         attrs = self.__find_objects(FLAGS.ldap_user_subtree,
@@ -134,6 +155,7 @@ class LdapDriver(object):
                 users.append(user)
         return users
 
+    @sanitize
     def get_projects(self, uid=None):
         """Retrieve list of projects"""
         pattern = LdapDriver.project_pattern
@@ -143,6 +165,7 @@ class LdapDriver(object):
                                     pattern)
         return [self.__to_project(attr) for attr in attrs]
 
+    @sanitize
     def create_user(self, name, access_key, secret_key, is_admin):
         """Create a user"""
         if self.__user_exists(name):
@@ -196,6 +219,7 @@ class LdapDriver(object):
             self.conn.add_s(self.__uid_to_dn(name), attr)
             return self.__to_user(dict(attr))
 
+    @sanitize
     def create_project(self, name, manager_uid,
                        description=None, member_uids=None):
         """Create a project"""
@@ -231,6 +255,7 @@ class LdapDriver(object):
         self.conn.add_s(dn, attr)
         return self.__to_project(dict(attr))
 
+    @sanitize
     def modify_project(self, project_id, manager_uid=None, description=None):
         """Modify an existing project"""
         if not manager_uid and not description:
@@ -249,21 +274,25 @@ class LdapDriver(object):
         dn = self.__project_to_dn(project_id)
         self.conn.modify_s(dn, attr)
 
+    @sanitize
     def add_to_project(self, uid, project_id):
         """Add user to project"""
         dn = self.__project_to_dn(project_id)
         return self.__add_to_group(uid, dn)
 
+    @sanitize
     def remove_from_project(self, uid, project_id):
         """Remove user from project"""
         dn = self.__project_to_dn(project_id)
         return self.__remove_from_group(uid, dn)
 
+    @sanitize
     def is_in_project(self, uid, project_id):
         """Check if user is in project"""
         dn = self.__project_to_dn(project_id)
         return self.__is_in_group(uid, dn)
 
+    @sanitize
     def has_role(self, uid, role, project_id=None):
         """Check if user has role
 
@@ -273,6 +302,7 @@ class LdapDriver(object):
         role_dn = self.__role_to_dn(role, project_id)
         return self.__is_in_group(uid, role_dn)
 
+    @sanitize
     def add_role(self, uid, role, project_id=None):
         """Add role for user (or user and project)"""
         role_dn = self.__role_to_dn(role, project_id)
@@ -283,11 +313,13 @@ class LdapDriver(object):
         else:
             return self.__add_to_group(uid, role_dn)
 
+    @sanitize
     def remove_role(self, uid, role, project_id=None):
         """Remove role for user (or user and project)"""
         role_dn = self.__role_to_dn(role, project_id)
         return self.__remove_from_group(uid, role_dn)
 
+    @sanitize
     def get_user_roles(self, uid, project_id=None):
         """Retrieve list of roles for user (or user and project)"""
         if project_id is None:
@@ -307,6 +339,7 @@ class LdapDriver(object):
             roles = self.__find_objects(project_dn, query)
             return [role['cn'][0] for role in roles]
 
+    @sanitize
     def delete_user(self, uid):
         """Delete a user"""
         if not self.__user_exists(uid):
@@ -332,12 +365,14 @@ class LdapDriver(object):
             # Delete entry
             self.conn.delete_s(self.__uid_to_dn(uid))
 
+    @sanitize
     def delete_project(self, project_id):
         """Delete a project"""
         project_dn = self.__project_to_dn(project_id)
         self.__delete_roles(project_dn)
         self.__delete_group(project_dn)
 
+    @sanitize
     def modify_user(self, uid, access_key=None, secret_key=None, admin=None):
         """Modify an existing user"""
         if not access_key and not secret_key and admin is None: