From a8e885d2d69381adc483d1a506b9f1e739a507f5 Mon Sep 17 00:00:00 2001

From: Mark Reynolds <mreynolds@redhat.com>

Date: Wed, 8 Jul 2015 17:21:57 -0400

Subject: [PATCH 12/20] Ticket 48013 - Inconsistent behaviour of DS when LDAP

 Sync is used with an invalid cookie

Bug Description:  Some invalid cookies are treated as errors, while others are not.

Fix Description:  Perform the cookie parsing and validation in the same step. This

                  gives consistent results.

https://fedorahosted.org/389/ticket/48013

Reviewed by: nhosoi(Thanks!)

(cherry picked from commit fdf46817fcc3b334bd477316d253bc18f243c0f6)

(cherry picked from commit 41dff5ba7a6368bfb2d8a2057dd5ba5b6a91d175)

---

 dirsrvtests/tickets/ticket48013_test.py  | 134 +++++++++++++++++++++++++++++++

 ldap/servers/plugins/sync/sync_refresh.c |   7 +-

 2 files changed, 138 insertions(+), 3 deletions(-)

 create mode 100644 dirsrvtests/tickets/ticket48013_test.py

diff --git a/dirsrvtests/tickets/ticket48013_test.py b/dirsrvtests/tickets/ticket48013_test.py

new file mode 100644

index 0000000..0ccdeba

--- /dev/null

+++ b/dirsrvtests/tickets/ticket48013_test.py

@@ -0,0 +1,134 @@

+import os

+import sys

+import time

+import ldap

+import logging

+import pytest

+import pyasn1

+import pyasn1_modules

+import ldap,ldapurl

+from ldap.ldapobject import SimpleLDAPObject

+from ldap.syncrepl import SyncreplConsumer

+from lib389 import DirSrv, Entry, tools, tasks

+from lib389.tools import DirSrvTools

+from lib389._constants import *

+from lib389.properties import *

+from lib389.tasks import *

+from lib389.utils import *

+

+logging.getLogger(__name__).setLevel(logging.DEBUG)

+log = logging.getLogger(__name__)

+

+installation1_prefix = None

+

+

+class TopologyStandalone(object):

+    def __init__(self, standalone):

+        standalone.open()

+        self.standalone = standalone

+

+

+class SyncObject(SimpleLDAPObject, SyncreplConsumer):

+    def __init__(self, uri):

+        # Init the ldap connection

+        SimpleLDAPObject.__init__(self, uri)

+

+    def sync_search(self, test_cookie):

+        self.syncrepl_search('dc=example,dc=com', ldap.SCOPE_SUBTREE,

+                             filterstr='(objectclass=*)', mode='refreshOnly',

+                             cookie=test_cookie)

+

+    def poll(self):

+        self.syncrepl_poll(all=1)

+

+

+@pytest.fixture(scope="module")

+def topology(request):

+    global installation1_prefix

+    if installation1_prefix:

+        args_instance[SER_DEPLOYED_DIR] = installation1_prefix

+

+    # Creating standalone instance ...

+    standalone = DirSrv(verbose=False)

+    args_instance[SER_HOST] = HOST_STANDALONE

+    args_instance[SER_PORT] = PORT_STANDALONE

+    args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE

+    args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX

+    args_standalone = args_instance.copy()

+    standalone.allocate(args_standalone)

+    instance_standalone = standalone.exists()

+    if instance_standalone:

+        standalone.delete()

+    standalone.create()

+    standalone.open()

+

+    # Clear out the tmp dir

+    standalone.clearTmpDir(__file__)

+

+    return TopologyStandalone(standalone)

+

+

+def test_ticket48013(topology):

+    '''

+    Content Synchonization: Test that invalid cookies are caught

+    '''

+

+    cookies = ('#', '##', 'a#a#a', 'a#a#1')

+

+    # Enable dynamic plugins

+    try:

+        topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-dynamic-plugins', 'on')])

+    except ldap.LDAPError as e:

+        ldap.error('Failed to enable dynamic plugin!' + e.message['desc'])

+        assert False

+

+    # Enable retro changelog

+    topology.standalone.plugins.enable(name=PLUGIN_RETRO_CHANGELOG)

+

+    # Enbale content sync plugin

+    topology.standalone.plugins.enable(name=PLUGIN_REPL_SYNC)

+

+    # Set everything up

+    ldap_url = ldapurl.LDAPUrl('ldap://localhost:31389')

+    ldap_connection = SyncObject(ldap_url.initializeUrl())

+

+    # Authenticate

+    try:

+        ldap_connection.simple_bind_s(DN_DM, PASSWORD)

+    except ldap.LDAPError as e:

+        print('Login to LDAP server failed: %s' % e.message['desc'])

+        assert False

+

+    # Test invalid cookies

+    for invalid_cookie in cookies:

+        log.info('Testing cookie: %s' % invalid_cookie)

+        try:

+            ldap_connection.sync_search(invalid_cookie)

+            ldap_connection.poll()

+            log.fatal('Invalid cookie accepted!')

+            assert False

+        except Exception as e:

+            log.info('Invalid cookie correctly rejected: %s' % e.message['info'])

+            pass

+

+    # Success

+    log.info('Test complete')

+

+

+def test_ticket48013_final(topology):

+    topology.standalone.delete()

+    log.info('Testcase PASSED')

+

+

+def run_isolated():

+    global installation1_prefix

+    installation1_prefix = None

+

+    topo = topology(True)

+    test_ticket48013(topo)

+    test_ticket48013_final(topo)

+

+

+if __name__ == '__main__':

+    run_isolated()

+

diff --git a/ldap/servers/plugins/sync/sync_refresh.c b/ldap/servers/plugins/sync/sync_refresh.c

index 1ae2604..beb87ab 100644

--- a/ldap/servers/plugins/sync/sync_refresh.c

+++ b/ldap/servers/plugins/sync/sync_refresh.c

@@ -113,9 +113,10 @@ int sync_srch_refresh_pre_search(Slapi_PBlock *pb)

 			 * 	-- return e-syncRefreshRequired if the data referenced in the cookie are no

 			 * 		longer in the history

 			*/

-			if (cookie && 

-				( client_cookie = sync_cookie_parse (cookie))) {

-				if (sync_cookie_isvalid(client_cookie, session_cookie)) {

+			if (cookie) {

+				if ((client_cookie = sync_cookie_parse (cookie)) &&

+				    sync_cookie_isvalid(client_cookie, session_cookie))

+				{

 					rc = sync_refresh_update_content(pb, client_cookie, session_cookie);

 					if (rc == 0) 

 						entries_sent = 1;

-- 

1.9.3