The Samba-Bugzilla – Attachment 14548 Details for
Bug 13664
Wrong users logged by the groups membership change auditing.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Proposed bug fix.
bug-13664.patch.txt (text/plain), 29.59 KB, created by
Gary Lockyer
on 2018-10-30 00:15:15 UTC
(
hide
)
Description:
Proposed bug fix.
Filename:
MIME Type:
Creator:
Gary Lockyer
Created:
2018-10-30 00:15:15 UTC
Size:
29.59 KB
patch
obsolete
>From 9c49ff18cceed9643526d8ba2916ca3e67bdfd22 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Tue, 23 Oct 2018 17:14:34 +1300 >Subject: [PATCH 1/5] dsdb group_audit: Test to replicate BUG 13664 > >The group audit code incorrectly logs member additions and deletions. > >Thanks to metze for the debugging that isolated the issue, and for >suggesting the fix to dn_compare. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13664 > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >--- > selftest/knownfail.d/bug13664 | 1 + > .../ldb_modules/tests/test_group_audit.c | 260 +++++++++++++++++- > 2 files changed, 260 insertions(+), 1 deletion(-) > create mode 100644 selftest/knownfail.d/bug13664 > >diff --git a/selftest/knownfail.d/bug13664 b/selftest/knownfail.d/bug13664 >new file mode 100644 >index 00000000000..6ffbf1297c3 >--- /dev/null >+++ b/selftest/knownfail.d/bug13664 >@@ -0,0 +1 @@ >+^samba4.dsdb.samdb.ldb_modules.group_audit.test_log_membership_changes_removed >diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >index 8551dcbf705..4c406c5fdfa 100644 >--- a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >+++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >@@ -63,6 +63,142 @@ int dsdb_search_one(struct ldb_context *ldb, > return g_status; > } > >+/* >+ * Mock version of audit_log_json >+ */ >+ >+#define MAX_EXPECTED_MESSAGES 16 >+static struct json_object messages[MAX_EXPECTED_MESSAGES]; >+static size_t messages_sent = 0; >+ >+void audit_message_send( >+ struct imessaging_context *msg_ctx, >+ const char *server_name, >+ uint32_t message_type, >+ struct json_object *message) >+{ >+ messages[messages_sent].root = json_deep_copy(message->root); >+ messages[messages_sent].valid = message->valid; >+ messages_sent++; >+} >+ >+#define check_group_change_message(m, u, a)\ >+ _check_group_change_message(m, u, a, __FILE__, __LINE__); >+/* >+ * declare the internal cmocka cm_print_error so that we can output messages >+ * in sub unit format >+ */ >+void cm_print_error(const char * const format, ...); >+ >+/* >+ * Validate a group change JSON audit message >+ * >+ * It should contain 3 elements. >+ * Have a type of "groupChange" >+ * Have a groupChange element >+ * >+ * The group change element should have 10 elements. >+ * >+ * There should be a user element matching the expected value >+ * There should be an action matching the expected value >+ */ >+static void _check_group_change_message( >+ const int message, >+ const char *user, >+ const char *action, >+ const char *file, >+ const int line) >+{ >+ struct json_object json; >+ json_t *audit = NULL; >+ json_t *v = NULL; >+ const char* value; >+ json = messages[message]; >+ >+ /* >+ * Validate the root JSON element >+ * check the number of elements >+ */ >+ if (json_object_size(json.root) != 3) { >+ cm_print_error( >+ "Unexpected number of elements in root %zu != %d\n", >+ json_object_size(json.root), >+ 3); >+ _fail(file, line); >+ } >+ >+ /* >+ * Check the type element >+ */ >+ v = json_object_get(json.root, "type"); >+ if (v == NULL) { >+ cm_print_error( "No \"type\" element\n"); >+ _fail(file, line); >+ } >+ >+ value = json_string_value(v); >+ if (strncmp("groupChange", value, strlen("groupChange") != 0)) { >+ cm_print_error( >+ "Unexpected type \"%s\" != \"groupChange\"\n", >+ value); >+ _fail(file, line); >+ } >+ >+ >+ audit = json_object_get(json.root, "groupChange"); >+ if (audit == NULL) { >+ cm_print_error("No groupChange element\n"); >+ _fail(file, line); >+ } >+ >+ /* >+ * Validate the groupChange element >+ */ >+ if (json_object_size(audit) != 10) { >+ cm_print_error( >+ "Unexpected number of elements in groupChange " >+ "%zu != %d\n", >+ json_object_size(audit), >+ 10); >+ _fail(file, line); >+ } >+ /* >+ * Validate the user element >+ */ >+ v = json_object_get(audit, "user"); >+ if (v == NULL) { >+ cm_print_error( "No user element\n"); >+ _fail(file, line); >+ } >+ >+ value = json_string_value(v); >+ if (strncmp(user, value, strlen(user) != 0)) { >+ cm_print_error( >+ "Unexpected user name \"%s\" != \"%s\"\n", >+ value, >+ user); >+ _fail(file, line); >+ } >+ >+ /* >+ * Validate the action element >+ */ >+ v = json_object_get(audit, "action"); >+ if (v == NULL) { >+ cm_print_error( "No action element\n"); >+ _fail(file, line); >+ } >+ >+ value = json_string_value(v); >+ if (strncmp(action, value, strlen(action) != 0)) { >+ print_error( >+ "Unexpected action \"%s\" != \"%s\"\n", >+ value, >+ action); >+ _fail(file, line); >+ } >+} >+ > /* > * Test helper to check ISO 8601 timestamps for validity > */ >@@ -621,6 +757,128 @@ static void test_audit_group_json(void **state) > > } > >+static void setup_ldb( >+ TALLOC_CTX *ctx, >+ struct ldb_context **ldb, >+ struct ldb_module **module, >+ const char *ip, >+ const char *session, >+ const char *sid) >+{ >+ struct tsocket_address *ts = NULL; >+ struct audit_context *context = NULL; >+ >+ *ldb = ldb_init(ctx, NULL); >+ ldb_register_samba_handlers(*ldb); >+ >+ >+ *module = talloc_zero(ctx, struct ldb_module); >+ (*module)->ldb = *ldb; >+ >+ context = talloc_zero(*module, struct audit_context); >+ context->send_events = true; >+ context->msg_ctx = (struct imessaging_context *) 0x01; >+ >+ ldb_module_set_private(*module, context); >+ >+ tsocket_address_inet_from_strings(ctx, "ip", "127.0.0.1", 0, &ts); >+ ldb_set_opaque(*ldb, "remoteAddress", ts); >+ >+ add_session_data(ctx, *ldb, session, sid); >+ >+} >+ >+ >+/* >+ * Test the removal of a user from a group. >+ * >+ * The new element contains one group member >+ * The old element contains two group member >+ * >+ * Expect to see the removed entry logged. >+ * >+ * This test confirms bug 13664 >+ * https://bugzilla.samba.org/show_bug.cgi?id=13664 >+ */ >+static void test_log_membership_changes_removed(void **state) >+{ >+ struct ldb_context *ldb = NULL; >+ struct ldb_module *module = NULL; >+ >+ >+ const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779"; >+ const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773"; >+ const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773"; >+ const char *const IP = "127.0.0.1"; >+ >+ struct ldb_request *req = NULL; >+ struct ldb_message_element *new_el = NULL; >+ struct ldb_message_element *old_el = NULL; >+ >+ int status = 0; >+ >+ TALLOC_CTX *ctx = talloc_new(NULL); >+ >+ setup_ldb(ctx, &ldb, &module, IP, SESSION, SID); >+ >+ /* >+ * Build the ldb_request >+ */ >+ req = talloc_zero(ctx, struct ldb_request); >+ req->operation = LDB_ADD; >+ add_transaction_id(req, TRANSACTION); >+ >+ /* >+ * Populate the new elements, containing one entry. >+ * Indicating that one element has been removed >+ */ >+ new_el = talloc_zero(ctx, struct ldb_message_element); >+ new_el->num_values = 1; >+ new_el->values = talloc_zero_array(ctx, DATA_BLOB, 1); >+ new_el->values[0] = data_blob_string_const( >+ "<GUID=081519b5-a709-44a0-bc95-dd4bfe809bf8>;" >+ "CN=testuser131953,CN=Users,DC=addom,DC=samba," >+ "DC=example,DC=com"); >+ >+ >+ /* >+ * Populate the old elements, with two elements >+ * The first is the same as the one in new elements. >+ */ >+ old_el = talloc_zero(ctx, struct ldb_message_element); >+ old_el->num_values = 2; >+ old_el->values = talloc_zero_array(ctx, DATA_BLOB, 2); >+ old_el->values[0] = data_blob_string_const( >+ "<GUID=cb8c2777-dcf5-419c-ab57-f645dbdf681b>;" >+ "cn=grpadttstuser01,cn=users,DC=addom," >+ "DC=samba,DC=example,DC=com"); >+ old_el->values[1] = data_blob_string_const( >+ "<GUID=081519b5-a709-44a0-bc95-dd4bfe809bf8>;" >+ "CN=testuser131953,CN=Users,DC=addom,DC=samba," >+ "DC=example,DC=com"); >+ >+ /* >+ * call log_membership_changes >+ */ >+ messages_sent = 0; >+ log_membership_changes(module, req, new_el, old_el, status); >+ >+ /* >+ * Check the results >+ */ >+ assert_int_equal(1, messages_sent); >+ >+ check_group_change_message( >+ 0, >+ "cn=grpadttstuser01,cn=users,DC=addom,DC=samba,DC=example,DC=com", >+ "Removed"); >+ >+ /* >+ * Clean up >+ */ >+ json_free(&messages[0]); >+ TALLOC_FREE(ctx); >+} > /* > * Note: to run under valgrind us: > * valgrind --suppressions=test_group_audit.valgrind bin/test_group_audit >@@ -636,7 +894,7 @@ int main(void) { > cmocka_unit_test(test_get_parsed_dns), > cmocka_unit_test(test_dn_compare), > cmocka_unit_test(test_get_primary_group_dn), >- >+ cmocka_unit_test(test_log_membership_changes_removed), > }; > > cmocka_set_message_output(CM_OUTPUT_SUBUNIT); >-- >2.17.1 > > >From f45ef0739b5215f686efc0f5d7ec59db651cb8bc Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Thu, 25 Oct 2018 10:52:27 +1300 >Subject: [PATCH 2/5] dsdb group audit: align dn_compare with memcmp > >Rename the parameter names and adjust the return codes from dn_compare >so that: >dn_compare(a, b) => > >LESS_THAN means a is less than b. >GREATER_THAN means a is greater than b. > >Thanks to metze for suggesting the correct semantics for dn_compare > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13664 > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >--- > selftest/knownfail.d/bug13664 | 1 - > source4/dsdb/samdb/ldb_modules/group_audit.c | 31 ++++++++++--------- > .../ldb_modules/tests/test_group_audit.c | 4 +-- > 3 files changed, 18 insertions(+), 18 deletions(-) > delete mode 100644 selftest/knownfail.d/bug13664 > >diff --git a/selftest/knownfail.d/bug13664 b/selftest/knownfail.d/bug13664 >deleted file mode 100644 >index 6ffbf1297c3..00000000000 >--- a/selftest/knownfail.d/bug13664 >+++ /dev/null >@@ -1 +0,0 @@ >-^samba4.dsdb.samdb.ldb_modules.group_audit.test_log_membership_changes_removed >diff --git a/source4/dsdb/samdb/ldb_modules/group_audit.c b/source4/dsdb/samdb/ldb_modules/group_audit.c >index 1c74805eed0..47b69435195 100644 >--- a/source4/dsdb/samdb/ldb_modules/group_audit.c >+++ b/source4/dsdb/samdb/ldb_modules/group_audit.c >@@ -311,35 +311,36 @@ enum dn_compare_result { > GREATER_THAN > }; > /* >- * @brief compare parsed_dns >+ * @brief compare parsed_dn, using GUID ordering > * >- * Compare two parsed_dn structures, parsing the entries if necessary. >+ * Compare two parsed_dn structures, using GUID ordering. > * To avoid the overhead of parsing the DN's this function does a binary >- * compare first. Only parsing the DN's they are not equal at a binary level. >+ * compare first. The DN's tre only parsed if they are not equal at a binary >+ * level. > * > * @param ctx talloc context that will own the parsed dsdb_dn > * @param ldb ldb_context >- * @param old_val The old value >- * @param new_val The old value >+ * @param dn1 The first dn >+ * @param dn2 The second dn > * > * @return BINARY_EQUAL values are equal at a binary level > * EQUAL DN's are equal but the meta data is different >- * LESS_THAN old value < new value >- * GREATER_THAN old value > new value >+ * LESS_THAN dn1's GUID is less than dn2's GUID >+ * GREATER_THAN dn1's GUID is greater than dn2's GUID > * > */ > static enum dn_compare_result dn_compare( > TALLOC_CTX *mem_ctx, > struct ldb_context *ldb, >- struct parsed_dn *old_val, >- struct parsed_dn *new_val) { >+ struct parsed_dn *dn1, >+ struct parsed_dn *dn2) { > > int res = 0; > > /* > * Do a binary compare first to avoid unnecessary parsing > */ >- if (data_blob_cmp(new_val->v, old_val->v) == 0) { >+ if (data_blob_cmp(dn1->v, dn2->v) == 0) { > /* > * Values are equal at a binary level so no need > * for further processing >@@ -351,22 +352,22 @@ static enum dn_compare_result dn_compare( > * do a GUID ordering compare. To do this we will need to ensure > * that the dn's have been parsed. > */ >- if (old_val->dsdb_dn == NULL) { >+ if (dn1->dsdb_dn == NULL) { > really_parse_trusted_dn( > mem_ctx, > ldb, >- old_val, >+ dn1, > LDB_SYNTAX_DN); > } >- if (new_val->dsdb_dn == NULL) { >+ if (dn2->dsdb_dn == NULL) { > really_parse_trusted_dn( > mem_ctx, > ldb, >- new_val, >+ dn2, > LDB_SYNTAX_DN); > } > >- res = ndr_guid_compare(&new_val->guid, &old_val->guid); >+ res = ndr_guid_compare(&dn1->guid, &dn2->guid); > if (res < 0) { > return LESS_THAN; > } else if (res == 0) { >diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >index 4c406c5fdfa..9133666e9cd 100644 >--- a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >+++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >@@ -562,7 +562,7 @@ static void test_dn_compare(void **state) > b->v = &bb; > > res = dn_compare(ctx, ldb, a, b); >- assert_int_equal(GREATER_THAN, res); >+ assert_int_equal(LESS_THAN, res); > /* > * DN's should have been parsed > */ >@@ -590,7 +590,7 @@ static void test_dn_compare(void **state) > b->v = &bb; > > res = dn_compare(ctx, ldb, a, b); >- assert_int_equal(LESS_THAN, res); >+ assert_int_equal(GREATER_THAN, res); > /* > * DN's should have been parsed > */ >-- >2.17.1 > > >From 2fe453e291c161400f69ca82529ce585f1d5e645 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Thu, 25 Oct 2018 13:28:09 +1300 >Subject: [PATCH 3/5] dsdb group audit tests: check_timestamp improve > diagnostics > >Change check_timestamp to display the expected, actual along with the >line and name of the failing test, rather than the line in >check_timestamp. > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >--- > .../ldb_modules/tests/test_group_audit.c | 36 ++++++++++++++++--- > 1 file changed, 32 insertions(+), 4 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >index 9133666e9cd..ea7067db800 100644 >--- a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >+++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >@@ -199,10 +199,16 @@ static void _check_group_change_message( > } > } > >+#define check_timestamp(b, t)\ >+ _check_timestamp(b, t, __FILE__, __LINE__); > /* > * Test helper to check ISO 8601 timestamps for validity > */ >-static void check_timestamp(time_t before, const char *timestamp) >+static void _check_timestamp( >+ time_t before, >+ const char *timestamp, >+ const char *file, >+ const int line) > { > int rc; > int usec, tz; >@@ -238,10 +244,32 @@ static void check_timestamp(time_t before, const char *timestamp) > actual = mktime(&tm); > > /* >- * The timestamp should be before <= actual <= after >+ * The time stamp should be before <= actual <= after > */ >- assert_true(difftime(actual, before) >= 0); >- assert_true(difftime(after, actual) >= 0); >+ if (difftime(actual, before) < 0) { >+ char buffer[40]; >+ strftime(buffer, >+ sizeof(buffer)-1, >+ "%Y-%m-%dT%T", >+ localtime(&before)); >+ cm_print_error( >+ "time stamp \"%s\" is before start time \"%s\"\n", >+ timestamp, >+ buffer); >+ _fail(file, line); >+ } >+ if (difftime(after, actual) < 0) { >+ char buffer[40]; >+ strftime(buffer, >+ sizeof(buffer)-1, >+ "%Y-%m-%dT%T", >+ localtime(&after)); >+ cm_print_error( >+ "time stamp \"%s\" is after finish time \"%s\"\n", >+ timestamp, >+ buffer); >+ _fail(file, line); >+ } > } > > /* >-- >2.17.1 > > >From b5f21ce85be36f7916e5c274f3c0352caa0b7124 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Thu, 25 Oct 2018 14:38:31 +1300 >Subject: [PATCH 4/5] dsdb group audit tests: check_version improve diagnostics > >Change check_version to display the expected, actual along with the >line and name of the failing test, rather than the line in check_version > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >--- > .../ldb_modules/tests/test_group_audit.c | 60 ++++++++++++++++--- > 1 file changed, 53 insertions(+), 7 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >index ea7067db800..ebb3b4bb8c7 100644 >--- a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >+++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >@@ -272,23 +272,69 @@ static void _check_timestamp( > } > } > >+#define check_version(v, m, n)\ >+ _check_version(v, m, n, __FILE__, __LINE__); > /* > * Test helper to validate a version object. > */ >-static void check_version(struct json_t *version, int major, int minor) >+static void _check_version( >+ struct json_t *version, >+ int major, >+ int minor, >+ const char* file, >+ const int line) > { > struct json_t *v = NULL; >+ int value; >+ >+ if (!json_is_object(version)) { >+ cm_print_error("version is not a JSON object\n"); >+ _fail(file, line); >+ } > >- assert_true(json_is_object(version)); >- assert_int_equal(2, json_object_size(version)); >+ if (json_object_size(version) != 2) { >+ cm_print_error( >+ "Unexpected number of elements in version %zu != %d\n", >+ json_object_size(version), >+ 2); >+ _fail(file, line); >+ } > >+ /* >+ * Validate the major version number element >+ */ > v = json_object_get(version, "major"); >- assert_non_null(v); >- assert_int_equal(major, json_integer_value(v)); >+ if (v == NULL) { >+ cm_print_error( "No major element\n"); >+ _fail(file, line); >+ } > >+ value = json_integer_value(v); >+ if (value != major) { >+ print_error( >+ "Unexpected major version number \"%d\" != \"%d\"\n", >+ value, >+ major); >+ _fail(file, line); >+ } >+ >+ /* >+ * Validate the minor version number element >+ */ > v = json_object_get(version, "minor"); >- assert_non_null(v); >- assert_int_equal(minor, json_integer_value(v)); >+ if (v == NULL) { >+ cm_print_error( "No minor element\n"); >+ _fail(file, line); >+ } >+ >+ value = json_integer_value(v); >+ if (value != minor) { >+ print_error( >+ "Unexpected minor version number \"%d\" != \"%d\"\n", >+ value, >+ minor); >+ _fail(file, line); >+ } > } > > /* >-- >2.17.1 > > >From 04830e110cdcc7ebf32c39af1c503a7428d8a748 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Thu, 25 Oct 2018 10:52:55 +1300 >Subject: [PATCH 5/5] dsdb group audit tests: log_membership_changes extra > tests > >Add extra tests to ensure better test coverage of log_membership_changes > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >--- > .../ldb_modules/tests/test_group_audit.c | 384 +++++++++++++++++- > 1 file changed, 382 insertions(+), 2 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >index ebb3b4bb8c7..8a03836fe80 100644 >--- a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >+++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c >@@ -914,11 +914,10 @@ static void test_log_membership_changes_removed(void **state) > "CN=testuser131953,CN=Users,DC=addom,DC=samba," > "DC=example,DC=com"); > >- > /* > * Populate the old elements, with two elements > * The first is the same as the one in new elements. >- */ >+ */ > old_el = talloc_zero(ctx, struct ldb_message_element); > old_el->num_values = 2; > old_el->values = talloc_zero_array(ctx, DATA_BLOB, 2); >@@ -953,6 +952,383 @@ static void test_log_membership_changes_removed(void **state) > json_free(&messages[0]); > TALLOC_FREE(ctx); > } >+ >+/* test log_membership_changes >+ * >+ * old contains 2 user dn's >+ * new contains 0 user dn's >+ * >+ * Expect to see both dn's logged as deleted. >+ */ >+static void test_log_membership_changes_remove_all(void **state) >+{ >+ struct ldb_context *ldb = NULL; >+ struct ldb_module *module = NULL; >+ >+ const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779"; >+ const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773"; >+ const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773"; >+ const char *const IP = "127.0.0.1"; >+ >+ struct ldb_request *req = NULL; >+ struct ldb_message_element *new_el = NULL; >+ struct ldb_message_element *old_el = NULL; >+ >+ int status = 0; >+ >+ TALLOC_CTX *ctx = talloc_new(NULL); >+ >+ setup_ldb(ctx, &ldb, &module, IP, SESSION, SID); >+ >+ /* >+ * Build the ldb_request >+ */ >+ req = talloc_zero(ctx, struct ldb_request); >+ req->operation = LDB_ADD; >+ add_transaction_id(req, TRANSACTION); >+ >+ /* >+ * Populate the new elements, containing no entries. >+ * Indicating that all elements have been removed >+ */ >+ new_el = talloc_zero(ctx, struct ldb_message_element); >+ new_el->num_values = 0; >+ new_el->values = NULL; >+ >+ /* >+ * Populate the old elements, with two elements >+ */ >+ old_el = talloc_zero(ctx, struct ldb_message_element); >+ old_el->num_values = 2; >+ old_el->values = talloc_zero_array(ctx, DATA_BLOB, 2); >+ old_el->values[0] = data_blob_string_const( >+ "<GUID=cb8c2777-dcf5-419c-ab57-f645dbdf681b>;" >+ "cn=grpadttstuser01,cn=users,DC=addom," >+ "DC=samba,DC=example,DC=com"); >+ old_el->values[1] = data_blob_string_const( >+ "<GUID=081519b5-a709-44a0-bc95-dd4bfe809bf8>;" >+ "CN=testuser131953,CN=Users,DC=addom,DC=samba," >+ "DC=example,DC=com"); >+ >+ /* >+ * call log_membership_changes >+ */ >+ messages_sent = 0; >+ log_membership_changes( module, req, new_el, old_el, status); >+ >+ /* >+ * Check the results >+ */ >+ assert_int_equal(2, messages_sent); >+ >+ check_group_change_message( >+ 0, >+ "cn=grpadttstuser01,cn=users,DC=addom,DC=samba,DC=example,DC=com", >+ "Removed"); >+ >+ check_group_change_message( >+ 1, >+ "CN=testuser131953,CN=Users,DC=addom,DC=samba,DC=example,DC=com", >+ "Removed"); >+ >+ /* >+ * Clean up >+ */ >+ json_free(&messages[0]); >+ json_free(&messages[1]); >+ TALLOC_FREE(ctx); >+} >+ >+/* test log_membership_changes >+ * >+ * Add an entry. >+ * >+ * Old entries contains a single user dn >+ * New entries contains 2 user dn's, one matching the dn in old entries >+ * >+ * Should see a single new entry logged. >+ */ >+static void test_log_membership_changes_added(void **state) >+{ >+ struct ldb_context *ldb = NULL; >+ struct ldb_module *module = NULL; >+ >+ const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779"; >+ const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773"; >+ const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773"; >+ const char *const IP = "127.0.0.1"; >+ >+ struct ldb_request *req = NULL; >+ struct ldb_message_element *new_el = NULL; >+ struct ldb_message_element *old_el = NULL; >+ >+ int status = 0; >+ >+ TALLOC_CTX *ctx = talloc_new(NULL); >+ >+ setup_ldb(ctx, &ldb, &module, IP, SESSION, SID); >+ >+ /* >+ * Build the ldb_request >+ */ >+ req = talloc_zero(ctx, struct ldb_request); >+ req->operation = LDB_ADD; >+ add_transaction_id(req, TRANSACTION); >+ >+ /* >+ * Populate the old elements adding a single entry. >+ */ >+ old_el = talloc_zero(ctx, struct ldb_message_element); >+ old_el->num_values = 1; >+ old_el->values = talloc_zero_array(ctx, DATA_BLOB, 1); >+ old_el->values[0] = data_blob_string_const( >+ "<GUID=081519b5-a709-44a0-bc95-dd4bfe809bf8>;" >+ "CN=testuser131953,CN=Users,DC=addom,DC=samba," >+ "DC=example,DC=com"); >+ >+ /* >+ * Populate the new elements adding two entries. One matches the entry >+ * in old elements. We expect to see the other element logged as Added >+ */ >+ new_el = talloc_zero(ctx, struct ldb_message_element); >+ new_el->num_values = 2; >+ new_el->values = talloc_zero_array(ctx, DATA_BLOB, 2); >+ new_el->values[0] = data_blob_string_const( >+ "<GUID=cb8c2777-dcf5-419c-ab57-f645dbdf681b>;" >+ "cn=grpadttstuser01,cn=users,DC=addom," >+ "DC=samba,DC=example,DC=com"); >+ new_el->values[1] = data_blob_string_const( >+ "<GUID=081519b5-a709-44a0-bc95-dd4bfe809bf8>;" >+ "CN=testuser131953,CN=Users,DC=addom,DC=samba," >+ "DC=example,DC=com"); >+ >+ >+ /* >+ * call log_membership_changes >+ */ >+ messages_sent = 0; >+ log_membership_changes( module, req, new_el, old_el, status); >+ >+ /* >+ * Check the results >+ */ >+ assert_int_equal(1, messages_sent); >+ >+ check_group_change_message( >+ 0, >+ "cn=grpadttstuser01,cn=users,DC=addom,DC=samba,DC=example,DC=com", >+ "Added"); >+ >+ /* >+ * Clean up >+ */ >+ json_free(&messages[0]); >+ TALLOC_FREE(ctx); >+} >+ >+/* >+ * test log_membership_changes. >+ * >+ * Old entries is empty >+ * New entries contains 2 user dn's >+ * >+ * Expect to see log messages for two added users >+ */ >+static void test_log_membership_changes_add_to_empty(void **state) >+{ >+ struct ldb_context *ldb = NULL; >+ struct ldb_module *module = NULL; >+ >+ const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779"; >+ const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773"; >+ const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773"; >+ const char *const IP = "127.0.0.1"; >+ >+ struct ldb_request *req = NULL; >+ struct ldb_message_element *new_el = NULL; >+ struct ldb_message_element *old_el = NULL; >+ >+ int status = 0; >+ >+ TALLOC_CTX *ctx = talloc_new(NULL); >+ >+ /* >+ * Set up the ldb and module structures >+ */ >+ setup_ldb(ctx, &ldb, &module, IP, SESSION, SID); >+ >+ /* >+ * Build the request structure >+ */ >+ req = talloc_zero(ctx, struct ldb_request); >+ req->operation = LDB_ADD; >+ add_transaction_id(req, TRANSACTION); >+ >+ /* >+ * Build the element containing the old values >+ */ >+ old_el = talloc_zero(ctx, struct ldb_message_element); >+ old_el->num_values = 0; >+ old_el->values = NULL; >+ >+ /* >+ * Build the element containing the new values >+ */ >+ new_el = talloc_zero(ctx, struct ldb_message_element); >+ new_el->num_values = 2; >+ new_el->values = talloc_zero_array(ctx, DATA_BLOB, 2); >+ new_el->values[0] = data_blob_string_const( >+ "<GUID=cb8c2777-dcf5-419c-ab57-f645dbdf681b>;" >+ "cn=grpadttstuser01,cn=users,DC=addom," >+ "DC=samba,DC=example,DC=com"); >+ new_el->values[1] = data_blob_string_const( >+ "<GUID=081519b5-a709-44a0-bc95-dd4bfe809bf8>;" >+ "CN=testuser131953,CN=Users,DC=addom,DC=samba," >+ "DC=example,DC=com"); >+ >+ /* >+ * Run log membership changes >+ */ >+ messages_sent = 0; >+ log_membership_changes( module, req, new_el, old_el, status); >+ assert_int_equal(2, messages_sent); >+ >+ check_group_change_message( >+ 0, >+ "cn=grpadttstuser01,cn=users,DC=addom,DC=samba,DC=example,DC=com", >+ "Added"); >+ >+ check_group_change_message( >+ 1, >+ "CN=testuser131953,CN=Users,DC=addom,DC=samba,DC=example,DC=com", >+ "Added"); >+ >+ json_free(&messages[0]); >+ json_free(&messages[1]); >+ TALLOC_FREE(ctx); >+} >+ >+/* test log_membership_changes >+ * >+ * Test Replication Meta Data flag handling. >+ * >+ * 4 entries in old and new entries with their RMD_FLAGS set as below: >+ * old new >+ * 1) 0 0 Not logged >+ * 2) 1 1 Both deleted, no change not logged >+ * 3) 0 1 New tagged as deleted, log as deleted >+ * 4) 1 0 Has been undeleted, log as an add >+ * >+ * Should see a single new entry logged. >+ */ >+static void test_log_membership_changes_rmd_flags(void **state) >+{ >+ struct ldb_context *ldb = NULL; >+ struct ldb_module *module = NULL; >+ >+ const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779"; >+ const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773"; >+ const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773"; >+ const char *const IP = "127.0.0.1"; >+ >+ struct ldb_request *req = NULL; >+ struct ldb_message_element *new_el = NULL; >+ struct ldb_message_element *old_el = NULL; >+ >+ int status = 0; >+ >+ TALLOC_CTX *ctx = talloc_new(NULL); >+ >+ setup_ldb(ctx, &ldb, &module, IP, SESSION, SID); >+ >+ /* >+ * Build the ldb_request >+ */ >+ req = talloc_zero(ctx, struct ldb_request); >+ req->operation = LDB_ADD; >+ add_transaction_id(req, TRANSACTION); >+ >+ /* >+ * Populate the old elements. >+ */ >+ old_el = talloc_zero(ctx, struct ldb_message_element); >+ old_el->num_values = 4; >+ old_el->values = talloc_zero_array(ctx, DATA_BLOB, 4); >+ old_el->values[0] = data_blob_string_const( >+ "<GUID=cb8c2777-dcf5-419c-ab57-f645dbdf681b>;" >+ "<RMD_FLAGS=0>;" >+ "cn=grpadttstuser01,cn=users,DC=addom," >+ "DC=samba,DC=example,DC=com"); >+ old_el->values[1] = data_blob_string_const( >+ "<GUID=cb8c2777-dcf5-419c-ab57-f645dbdf681c>;" >+ "<RMD_FLAGS=1>;" >+ "cn=grpadttstuser02,cn=users,DC=addom," >+ "DC=samba,DC=example,DC=com"); >+ old_el->values[2] = data_blob_string_const( >+ "<GUID=cb8c2777-dcf5-419c-ab57-f645dbdf681d>;" >+ "<RMD_FLAGS=0>;" >+ "cn=grpadttstuser03,cn=users,DC=addom," >+ "DC=samba,DC=example,DC=com"); >+ old_el->values[3] = data_blob_string_const( >+ "<GUID=cb8c2777-dcf5-419c-ab57-f645dbdf681e>;" >+ "<RMD_FLAGS=1>;" >+ "cn=grpadttstuser04,cn=users,DC=addom," >+ "DC=samba,DC=example,DC=com"); >+ >+ /* >+ * Populate the new elements. >+ */ >+ new_el = talloc_zero(ctx, struct ldb_message_element); >+ new_el->num_values = 4; >+ new_el->values = talloc_zero_array(ctx, DATA_BLOB, 4); >+ new_el->values[0] = data_blob_string_const( >+ "<GUID=cb8c2777-dcf5-419c-ab57-f645dbdf681b>;" >+ "<RMD_FLAGS=0>;" >+ "cn=grpadttstuser01,cn=users,DC=addom," >+ "DC=samba,DC=example,DC=com"); >+ new_el->values[1] = data_blob_string_const( >+ "<GUID=cb8c2777-dcf5-419c-ab57-f645dbdf681c>;" >+ "<RMD_FLAGS=1>;" >+ "cn=grpadttstuser02,cn=users,DC=addom," >+ "DC=samba,DC=example,DC=com"); >+ new_el->values[2] = data_blob_string_const( >+ "<GUID=cb8c2777-dcf5-419c-ab57-f645dbdf681d>;" >+ "<RMD_FLAGS=1>;" >+ "cn=grpadttstuser03,cn=users,DC=addom," >+ "DC=samba,DC=example,DC=com"); >+ new_el->values[3] = data_blob_string_const( >+ "<GUID=cb8c2777-dcf5-419c-ab57-f645dbdf681e>;" >+ "<RMD_FLAGS=0>;" >+ "cn=grpadttstuser04,cn=users,DC=addom," >+ "DC=samba,DC=example,DC=com"); >+ >+ /* >+ * call log_membership_changes >+ */ >+ messages_sent = 0; >+ log_membership_changes( module, req, new_el, old_el, status); >+ >+ /* >+ * Check the results >+ */ >+ assert_int_equal(2, messages_sent); >+ >+ check_group_change_message( >+ 0, >+ "cn=grpadttstuser03,cn=users,DC=addom,DC=samba,DC=example,DC=com", >+ "Removed"); >+ check_group_change_message( >+ 1, >+ "cn=grpadttstuser04,cn=users,DC=addom,DC=samba,DC=example,DC=com", >+ "Added"); >+ >+ /* >+ * Clean up >+ */ >+ json_free(&messages[0]); >+ json_free(&messages[1]); >+ TALLOC_FREE(ctx); >+} > /* > * Note: to run under valgrind us: > * valgrind --suppressions=test_group_audit.valgrind bin/test_group_audit >@@ -969,6 +1345,10 @@ int main(void) { > cmocka_unit_test(test_dn_compare), > cmocka_unit_test(test_get_primary_group_dn), > cmocka_unit_test(test_log_membership_changes_removed), >+ cmocka_unit_test(test_log_membership_changes_remove_all), >+ cmocka_unit_test(test_log_membership_changes_added), >+ cmocka_unit_test(test_log_membership_changes_add_to_empty), >+ cmocka_unit_test(test_log_membership_changes_rmd_flags), > }; > > cmocka_set_message_output(CM_OUTPUT_SUBUNIT); >-- >2.17.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 13664
: 14548 |
14560