From a8e885d2d69381adc483d1a506b9f1e739a507f5 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 8 Jul 2015 17:21:57 -0400
Subject: [PATCH 12/20] Ticket 48013 - Inconsistent behaviour of DS when LDAP
Sync is used with an invalid cookie
Bug Description: Some invalid cookies are treated as errors, while others are not.
Fix Description: Perform the cookie parsing and validation in the same step. This
gives consistent results.
https://fedorahosted.org/389/ticket/48013
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit fdf46817fcc3b334bd477316d253bc18f243c0f6)
(cherry picked from commit 41dff5ba7a6368bfb2d8a2057dd5ba5b6a91d175)
---
dirsrvtests/tickets/ticket48013_test.py | 134 +++++++++++++++++++++++++++++++
ldap/servers/plugins/sync/sync_refresh.c | 7 +-
2 files changed, 138 insertions(+), 3 deletions(-)
create mode 100644 dirsrvtests/tickets/ticket48013_test.py
diff --git a/dirsrvtests/tickets/ticket48013_test.py b/dirsrvtests/tickets/ticket48013_test.py
new file mode 100644
index 0000000..0ccdeba
--- /dev/null
+++ b/dirsrvtests/tickets/ticket48013_test.py
@@ -0,0 +1,134 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+import pyasn1
+import pyasn1_modules
+import ldap,ldapurl
+from ldap.ldapobject import SimpleLDAPObject
+from ldap.syncrepl import SyncreplConsumer
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+logging.getLogger(__name__).setLevel(logging.DEBUG)
+log = logging.getLogger(__name__)
+
+installation1_prefix = None
+
+
+class TopologyStandalone(object):
+ def __init__(self, standalone):
+ standalone.open()
+ self.standalone = standalone
+
+
+class SyncObject(SimpleLDAPObject, SyncreplConsumer):
+ def __init__(self, uri):
+ # Init the ldap connection
+ SimpleLDAPObject.__init__(self, uri)
+
+ def sync_search(self, test_cookie):
+ self.syncrepl_search('dc=example,dc=com', ldap.SCOPE_SUBTREE,
+ filterstr='(objectclass=*)', mode='refreshOnly',
+ cookie=test_cookie)
+
+ def poll(self):
+ self.syncrepl_poll(all=1)
+
+
+@pytest.fixture(scope="module")
+def topology(request):
+ global installation1_prefix
+ if installation1_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation1_prefix
+
+ # Creating standalone instance ...
+ standalone = DirSrv(verbose=False)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ # Clear out the tmp dir
+ standalone.clearTmpDir(__file__)
+
+ return TopologyStandalone(standalone)
+
+
+def test_ticket48013(topology):
+ '''
+ Content Synchonization: Test that invalid cookies are caught
+ '''
+
+ cookies = ('#', '##', 'a#a#a', 'a#a#1')
+
+ # Enable dynamic plugins
+ try:
+ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-dynamic-plugins', 'on')])
+ except ldap.LDAPError as e:
+ ldap.error('Failed to enable dynamic plugin!' + e.message['desc'])
+ assert False
+
+ # Enable retro changelog
+ topology.standalone.plugins.enable(name=PLUGIN_RETRO_CHANGELOG)
+
+ # Enbale content sync plugin
+ topology.standalone.plugins.enable(name=PLUGIN_REPL_SYNC)
+
+ # Set everything up
+ ldap_url = ldapurl.LDAPUrl('ldap://localhost:31389')
+ ldap_connection = SyncObject(ldap_url.initializeUrl())
+
+ # Authenticate
+ try:
+ ldap_connection.simple_bind_s(DN_DM, PASSWORD)
+ except ldap.LDAPError as e:
+ print('Login to LDAP server failed: %s' % e.message['desc'])
+ assert False
+
+ # Test invalid cookies
+ for invalid_cookie in cookies:
+ log.info('Testing cookie: %s' % invalid_cookie)
+ try:
+ ldap_connection.sync_search(invalid_cookie)
+ ldap_connection.poll()
+ log.fatal('Invalid cookie accepted!')
+ assert False
+ except Exception as e:
+ log.info('Invalid cookie correctly rejected: %s' % e.message['info'])
+ pass
+
+ # Success
+ log.info('Test complete')
+
+
+def test_ticket48013_final(topology):
+ topology.standalone.delete()
+ log.info('Testcase PASSED')
+
+
+def run_isolated():
+ global installation1_prefix
+ installation1_prefix = None
+
+ topo = topology(True)
+ test_ticket48013(topo)
+ test_ticket48013_final(topo)
+
+
+if __name__ == '__main__':
+ run_isolated()
+
diff --git a/ldap/servers/plugins/sync/sync_refresh.c b/ldap/servers/plugins/sync/sync_refresh.c
index 1ae2604..beb87ab 100644
--- a/ldap/servers/plugins/sync/sync_refresh.c
+++ b/ldap/servers/plugins/sync/sync_refresh.c
@@ -113,9 +113,10 @@ int sync_srch_refresh_pre_search(Slapi_PBlock *pb)
* -- return e-syncRefreshRequired if the data referenced in the cookie are no
* longer in the history
*/
- if (cookie &&
- ( client_cookie = sync_cookie_parse (cookie))) {
- if (sync_cookie_isvalid(client_cookie, session_cookie)) {
+ if (cookie) {
+ if ((client_cookie = sync_cookie_parse (cookie)) &&
+ sync_cookie_isvalid(client_cookie, session_cookie))
+ {
rc = sync_refresh_update_content(pb, client_cookie, session_cookie);
if (rc == 0)
entries_sent = 1;
--
1.9.3