tbordaz pushed a commit to branch 389-ds-base-1.3.9 in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.9 by this push: new ebcd082 Ticket 50026 - audit logs does not capture the operation where nsslapd-lookthroughlimit is modified ebcd082 is described below
commit ebcd08264a0d09ffa714209646abdffb28cdfb2e Author: Thierry Bordaz tbordaz@redhat.com AuthorDate: Wed Nov 14 15:09:59 2018 +0100
Ticket 50026 - audit logs does not capture the operation where nsslapd-lookthroughlimit is modified
Bug Description: During a dse update (config, schema,..) the dse callback will process the mods but can also modify them (SLAPI_MODIFY_MODS) leaving only ignored attributes. A consequence is that later audit logging will only log the ignored attributes.
Fix Description: Save a copy of the original mods before the dse callback and restore them when the dse callback completes.
https://pagure.io/389-ds-base/issue/50026
Reviewed by: Ludwig Krispenz
Platforms tested: F27
Flag Day: no
Doc impact: no --- dirsrvtests/tests/suites/basic/basic_test.py | 50 ++++++++++++++++++++++++++++ ldap/servers/slapd/dse.c | 9 +++++ 2 files changed, 59 insertions(+)
diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py
index dc366cd..0f7536b 100644
--- a/dirsrvtests/tests/suites/basic/basic_test.py
+++ b/dirsrvtests/tests/suites/basic/basic_test.py
@@ -1069,6 +1069,56 @@ def test_critical_msg_on_empty_range_idl(topology_st): # Step 5 assert not topology_st.standalone.searchErrorsLog('CRIT - list_candidates - NULL idl was recieved from filter_candidates_ext.')
+def audit_pattern_found(server, log_pattern):
+ file_obj = open(server.ds_paths.audit_log, "r")
+
+ found = None
+ # Use a while true iteration because 'for line in file: hit a
+ log.info('Audit log contains')
+ while True:
+ line = file_obj.readline()
+ log.info(line)
+ found = log_pattern.search(line)
+ if ((line == '') or (found)):
+ break
+
+ return found
+
+@pytest.mark.ds50026
+def test_ticketldbm_audit(topology_st):
+ """When updating LDBM config attributes, those attributes/values are not listed
+ in the audit log
+
+ :id: 5bf75c47-a283-430e-a65c-3c5fd8dbadb8
+ :setup: Standalone Instance
+ :steps:
+ 1. Enable audit log
+ 2. Update a set of config attrs in LDBM config
+ 3. Disable audit log (to restore the default config)
+ 4. Check that config attrs are listed in the audit log
+ :expectedresults:
+ 1. Should succeeds
+ 2. Should succeeds
+ 3. Should succeeds
+ 4. Should succeeds
+ """
+ inst = topology_st[0]
+
+ inst.config.enable_log('audit')
+
+ #inst.ds_paths.audit_log
+ attrs = ['nsslapd-lookthroughlimit', 'nsslapd-pagedidlistscanlimit', 'nsslapd-idlistscanlimit', 'nsslapd-db-locks']
+ mods = []
+ for attr in attrs:
+ mods.append((ldap.MOD_REPLACE, attr, b'10001'))
+ inst.modify_s(DN_CONFIG_LDBM, mods)
+ inst.config.enable_log('audit')
+
+ for attr in attrs:
+ log.info("Check %s is replaced in the audit log" % attr)
+ regex = re.compile("^replace: %s" % attr)
+ assert audit_pattern_found(inst, regex)
+
if __name__ == '__main__': # Run isolated
diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
index 932912c..b22c8e6 100644
--- a/ldap/servers/slapd/dse.c
+++ b/ldap/servers/slapd/dse.c
@@ -1695,6 +1695,7 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi { int err; /*House keeping stuff*/ LDAPMod **mods; /*Used to apply the modifications*/
+ LDAPMod **original_mods = NULL; /* some mods can be removed by callback, save them for later logging */
char *errbuf = NULL; /* To get error back */ struct dse *pdse; Slapi_Entry *ec = NULL;
@@ -1761,6 +1762,7 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi global_backend_lock_lock(); global_lock_owned = PR_TRUE; }
+ original_mods = copy_mods(mods);
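Review bot: In `test_ticketldbm_audit` (basic_test.py), step 3 of the docstring says the audit log is disabled after the modify, but the code calls `inst.config.enable_log('audit')` a second time, so audit logging stays enabled for whatever runs next; if lib389's config object provides the matching `disable_log('audit')`, as it appears to, that is the call wanted on that line. `audit_pattern_found` never closes the file it opens, which `with open(server.ds_paths.audit_log, "r") as file_obj:` around the loop would fix. The `log.info(line)` inside the loop copies every audit record it reads into the test log, once per attribute checked, and audit records can carry modified attribute values, so logging only the matched line would be enough. The comment `# Use a while true iteration because 'for line in file: hit a` is cut off mid-sentence and should say what the problem with the `for` form was.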
/* XXXmcs: should we expand objectclass values here?? */ /* give the dse callbacks the first crack at the modify */
@@ -1958,6 +1960,13 @@ done: } } }
+ /* time to restore original mods */
+ if (original_mods) {
+ LDAPMod **mods_from_callback;
+ slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods_from_callback);
+ ldap_mods_free(mods_from_callback, 1 /* Free the Array and the Elements */);
+ slapi_pblock_set(pb, SLAPI_MODIFY_MODS, original_mods);
+ }
if (global_lock_owned) { global_backend_lock_unlock(); }
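Review bot: The copy made by `original_mods = copy_mods(mods);` is only handed back to the pblock in the block added at `done:`, so any path after this line that returns without passing through `done:` would leak it. The function's own header comment ("There should only be one exit point") hints that such exits may exist, but the body of dse_modify lies mostly outside this hunk, so this needs checking against the full function. A comment on the line would also help, for example `/* callbacks may rewrite SLAPI_MODIFY_MODS; keep the client's mods so the audit log records what was requested */`.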
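Review bot: `ldap_mods_free(mods_from_callback, 1)` frees whatever array the pblock holds at `done:`, and when no callback replaced SLAPI_MODIFY_MODS that is presumably the same array the local `mods` still points to, leaving `mods` dangling from here on. Nothing visible in the hunk uses `mods` afterwards, but the function continues outside the hunk, so adding `mods = NULL;` after the `slapi_pblock_set` call would make any later use fail loudly instead of reading freed memory. The return value of `slapi_pblock_get` is ignored while `mods_from_callback` is uninitialised, so declaring it as `LDAPMod **mods_from_callback = NULL;` is the safer form.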