[WIP] Log database changes.
Jeremy Allison
jra at samba.org
Wed May 30 23:18:13 UTC 2018
On Wed, May 30, 2018 at 03:28:07PM +1200, Gary Lockyer via samba-technical wrote:
> Attached is the current state of this work.
>
> I plan to clean up the commits and fix any auto build issues tomorrow
> ready for final review and push.
>
> Any comments greatly appreciated
FYI, I *still* hate the void returns on functions that
can fail....
There will be a reconing coming :-) :-).
> From 00f5bf8e61ffe3b652df3d155145ba746cc432c5 Mon Sep 17 00:00:00 2001
> From: Gary Lockyer <gary at catalyst.net.nz>
> Date: Thu, 17 May 2018 08:03:00 +1200
> Subject: [PATCH 01/10] fix up audit_logging
>
> Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> ---
> auth/auth_log.c | 22 +----
> lib/audit_logging/audit_logging.c | 115 +++++++++++++++++++++-
> lib/audit_logging/audit_logging.h | 24 ++++-
> lib/audit_logging/tests/audit_logging_test.c | 137 +++++++++++++++++++++++++++
> 4 files changed, 269 insertions(+), 29 deletions(-)
>
> diff --git a/auth/auth_log.c b/auth/auth_log.c
> index 87daf2f..369a5c9 100644
> --- a/auth/auth_log.c
> +++ b/auth/auth_log.c
> @@ -82,31 +82,13 @@ static void log_json(struct imessaging_context *msg_ctx,
> int debug_class,
> int debug_level)
> {
> - char* json = NULL;
> -
> - if (object->error) {
> - return;
> - }
> -
> - json = json_dumps(object->root, 0);
> - if (json == NULL) {
> - DBG_ERR("Unable to convert JSON object to string\n");
> - object->error = true;
> - return;
> - }
> -
> - DEBUGC(debug_class, debug_level, ("JSON %s: %s\n", type, json));
> + audit_log_json(type, object, debug_class, debug_level);
> if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
> audit_message_send(msg_ctx,
> AUTH_EVENT_NAME,
> MSG_AUTH_LOG,
> - json);
> - }
> -
> - if (json) {
> - free(json);
> + object);
> }
> -
> }
>
> /*
> diff --git a/lib/audit_logging/audit_logging.c b/lib/audit_logging/audit_logging.c
> index 5c16806..bb63205 100644
> --- a/lib/audit_logging/audit_logging.c
> +++ b/lib/audit_logging/audit_logging.c
> @@ -102,9 +102,47 @@ char* audit_get_timestamp(TALLOC_CTX *frame)
> return ts;
> }
>
> -#ifdef HAVE_JANSSON
> +/*
> + * @brief write an audit message to the audit logs.
> + *
> + * Write the audit message to the samba logs.
> + *
> + * @param prefix Text to be printed at the start of the log line
> + * @param message The content of the log line.
> + * @param debub_class The debug class to log the message with.
> + * @param debug_level The debug level to log the message with.
> + */
> +void audit_log_hr(
> + const char* prefix,
> + const char* message,
> + int debug_class,
> + int debug_level)
> +{
> + DEBUGC(debug_class, debug_level, ("%s %s\n", prefix, message));
> +}
>
> -#include "system/time.h"
> +#ifdef HAVE_JANSSON
> +/*
> + * @brief write a json object to the samba audit logs.
> + *
> + * Write the json object to the audit logs as a formatted string
> + *
> + * @param prefix Text to be printed at the start of the log line
> + * @param message The content of the log line.
> + * @param debub_class The debug class to log the message with.
> + * @param debug_level The debug level to log the message with.
> + */
> +void audit_log_json(
> + const char* prefix,
> + struct json_object* message,
> + int debug_class,
> + int debug_level)
> +{
> + TALLOC_CTX *ctx = talloc_new(NULL);
> + char *s = json_to_string(ctx, message);
> + DEBUGC(debug_class, debug_level, ("JSON %s: %s\n", prefix, s));
> + TALLOC_FREE(ctx);
> +}
>
> /*
> * @brief get a connection to the messaging event server.
> @@ -192,14 +230,18 @@ void audit_message_send(
> struct imessaging_context *msg_ctx,
> const char *server_name,
> uint32_t message_type,
> - const char *message)
> + struct json_object *message)
> {
> struct server_id event_server;
> NTSTATUS status;
> - DATA_BLOB message_blob = data_blob_string_const(message);
> +
> + const char *message_string = NULL;
> + DATA_BLOB message_blob = data_blob_null;
> + TALLOC_CTX *ctx = talloc_new(NULL);
>
> if (msg_ctx == NULL) {
> DBG_DEBUG("No messaging context\n");
> + TALLOC_FREE(ctx);
> return;
> }
>
> @@ -213,9 +255,12 @@ void audit_message_send(
> DBG_ERR("get_event_server for %s returned (%s)\n",
> server_name,
> nt_errstr(status));
> + TALLOC_FREE(ctx);
> return;
> }
>
> + message_string = json_to_string(ctx, message);
> + message_blob = data_blob_string_const(message_string);
> status = imessaging_send(
> msg_ctx,
> event_server,
> @@ -232,6 +277,7 @@ void audit_message_send(
> DBG_ERR("get_event_server for %s returned (%s)\n",
> server_name,
> nt_errstr(status));
> + TALLOC_FREE(ctx);
> return;
> }
> imessaging_send(
> @@ -240,6 +286,7 @@ void audit_message_send(
> message_type,
> &message_blob);
> }
> + TALLOC_FREE(ctx);
> }
>
> /*
> @@ -768,4 +815,64 @@ char *json_to_string(TALLOC_CTX *mem_ctx, struct json_object *object)
>
> return json_string;
> }
> +
> +/*
> + * @brief get a json array named "name" from the json object.
> + *
> + * Get the array attribute named name, creating it if it does not exist.
> + *
> + * @param object the json object.
> + * @param name the name of the array attribute
> + *
> + * @return The array object, will be created if it did not exist.
> + */
> +struct json_object json_get_array(struct json_object *object, const char* name)
> +{
> +
> + struct json_object array = json_new_array();
> + json_t *a = NULL;
> +
> + if (object->error) {
> + array.error = true;
> + return array;
> + }
> +
> + a = json_object_get(object->root, name);
> + if (a == NULL) {
> + return array;
> + }
> + json_array_extend(array.root, a);
> +
> + return array;
> +}
> +
> +/*
> + * @brief get a json object named "name" from the json object.
> + *
> + * Get the object attribute named name, creating it if it does not exist.
> + *
> + * @param object the json object.
> + * @param name the name of the object attribute
> + *
> + * @return The object, will be created if it did not exist.
> + */
> +struct json_object json_get_object(struct json_object *object, const char* name)
> +{
> +
> + struct json_object o = json_new_object();
> + json_t *v = NULL;
> +
> + if (object->error) {
> + o.error = true;
> + return o;
> + }
> +
> + v = json_object_get(object->root, name);
> + if (v == NULL) {
> + return o;
> + }
> + json_object_update(o.root, v);
> +
> + return o;
> +}
> #endif
> diff --git a/lib/audit_logging/audit_logging.h b/lib/audit_logging/audit_logging.h
> index 763f3ed..6f493d8 100644
> --- a/lib/audit_logging/audit_logging.h
> +++ b/lib/audit_logging/audit_logging.h
> @@ -23,12 +23,12 @@
>
> char* audit_get_timestamp(
> TALLOC_CTX *frame);
> +void audit_log_hr(
> + const char *prefix,
> + const char *message,
> + int debug_class,
> + int debug_level);
>
> -void audit_message_send(
> - struct imessaging_context *msg_ctx,
> - const char *server_name,
> - uint32_t message_type,
> - const char *message);
> #ifdef HAVE_JANSSON
> #include <jansson.h>
> /*
> @@ -40,6 +40,16 @@ struct json_object {
> bool error;
> };
>
> +void audit_log_json(
> + const char *prefix,
> + struct json_object *message,
> + int debug_class,
> + int debug_level);
> +void audit_message_send(
> + struct imessaging_context *msg_ctx,
> + const char *server_name,
> + uint32_t message_type,
> + struct json_object *message);
> struct json_object json_new_object(void);
> struct json_object json_new_array(void);
> void json_free(struct json_object *object);
> @@ -85,5 +95,9 @@ void json_add_guid(
> const char *name,
> const struct GUID *guid);
>
> +struct json_object json_get_array(struct json_object *object, const char* name);
> +struct json_object json_get_object(
> + struct json_object *object,
> + const char* name);
> char *json_to_string(TALLOC_CTX *mem_ctx, struct json_object *object);
> #endif
> diff --git a/lib/audit_logging/tests/audit_logging_test.c b/lib/audit_logging/tests/audit_logging_test.c
> index 8385e9c..aba35e8 100644
> --- a/lib/audit_logging/tests/audit_logging_test.c
> +++ b/lib/audit_logging/tests/audit_logging_test.c
> @@ -490,6 +490,141 @@ static void test_json_to_string(void **state)
> json_free(&object);
> TALLOC_FREE(ctx);
> }
> +
> +static void test_json_get_array(void **state)
> +{
> + struct json_object object;
> + struct json_object array;
> + struct json_object stored_array = json_new_array();
> + json_t *value = NULL;
> + json_t *o = NULL;
> + struct json_object o1;
> + struct json_object o2;
> +
> + object = json_new_object();
> +
> + array = json_get_array(&object, "not-there");
> + assert_false(array.error);
> + assert_non_null(array.root);
> + assert_true(json_is_array(array.root));
> + json_free(&array);
> +
> + o1 = json_new_object();
> + json_add_string(&o1, "value", "value-one");
> + json_add_object(&stored_array, NULL, &o1);
> + json_add_object(&object, "stored_array", &stored_array);
> +
> + array = json_get_array(&object, "stored_array");
> + assert_false(array.error);
> + assert_non_null(array.root);
> + assert_true(json_is_array(array.root));
> +
> + assert_int_equal(1, json_array_size(array.root));
> +
> + o = json_array_get(array.root, 0);
> + assert_non_null(o);
> + assert_true(json_is_object(o));
> +
> + value = json_object_get(o, "value");
> + assert_non_null(value);
> + assert_true(json_is_string(value));
> +
> + assert_string_equal("value-one", json_string_value(value));
> + json_free(&array);
> +
> + /*
> + * Now update the array and add it back to the object
> + */
> + array = json_get_array(&object, "stored_array");
> + assert_true(json_is_array(array.root));
> + o2 = json_new_object();
> + json_add_string(&o2, "value", "value-two");
> + assert_false(o2.error);
> + json_add_object(&array, NULL, &o2);
> + assert_true(json_is_array(array.root));
> + json_add_object(&object, "stored_array", &array);
> + assert_true(json_is_array(array.root));
> +
> + array = json_get_array(&object, "stored_array");
> + assert_non_null(array.root);
> + assert_true(json_is_array(array.root));
> + assert_false(array.error);
> + assert_true(json_is_array(array.root));
> +
> + assert_int_equal(2, json_array_size(array.root));
> +
> + o = json_array_get(array.root, 0);
> + assert_non_null(o);
> + assert_true(json_is_object(o));
> +
> + assert_non_null(value);
> + assert_true(json_is_string(value));
> +
> + assert_string_equal("value-one", json_string_value(value));
> +
> + o = json_array_get(array.root, 1);
> + assert_non_null(o);
> + assert_true(json_is_object(o));
> +
> + value = json_object_get(o, "value");
> + assert_non_null(value);
> + assert_true(json_is_string(value));
> +
> + assert_string_equal("value-two", json_string_value(value));
> +
> + json_free(&array);
> + json_free(&object);
> +}
> +
> +static void test_json_get_object(void **state)
> +{
> + struct json_object object;
> + struct json_object o1;
> + struct json_object o2;
> + struct json_object o3;
> + json_t *value = NULL;
> +
> + object = json_new_object();
> +
> + o1 = json_get_object(&object, "not-there");
> + assert_false(o1.error);
> + assert_non_null(o1.root);
> + assert_true(json_is_object(o1.root));
> + json_free(&o1);
> +
> + o1 = json_new_object();
> + json_add_string(&o1, "value", "value-one");
> + json_add_object(&object, "stored_object", &o1);
> +
> + o2 = json_get_object(&object, "stored_object");
> + assert_false(o2.error);
> + assert_non_null(o2.root);
> + assert_true(json_is_object(o2.root));
> +
> + value = json_object_get(o2.root, "value");
> + assert_non_null(value);
> + assert_true(json_is_string(value));
> +
> + assert_string_equal("value-one", json_string_value(value));
> +
> + json_add_string(&o2, "value", "value-two");
> + json_add_object(&object, "stored_object", &o2);
> +
> +
> + o3 = json_get_object(&object, "stored_object");
> + assert_false(o3.error);
> + assert_non_null(o3.root);
> + assert_true(json_is_object(o3.root));
> +
> + value = json_object_get(o3.root, "value");
> + assert_non_null(value);
> + assert_true(json_is_string(value));
> +
> + assert_string_equal("value-two", json_string_value(value));
> +
> + json_free(&o3);
> + json_free(&object);
> +}
> #endif
>
> static void test_audit_get_timestamp(void **state)
> @@ -549,6 +684,8 @@ int main(int argc, const char **argv)
> cmocka_unit_test(test_json_add_sid),
> cmocka_unit_test(test_json_add_guid),
> cmocka_unit_test(test_json_to_string),
> + cmocka_unit_test(test_json_get_array),
> + cmocka_unit_test(test_json_get_object),
> #endif
> cmocka_unit_test(test_audit_get_timestamp),
> };
> --
> 2.7.4
>
>
> From 8c1ea246efa93d0c86232eb1950e95faaf6007aa Mon Sep 17 00:00:00 2001
> From: Gary Lockyer <gary at catalyst.net.nz>
> Date: Fri, 25 May 2018 15:21:33 +1200
> Subject: [PATCH 02/10] auth tests: Deregister the event listener
>
> Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> ---
> python/samba/tests/auth_log_base.py | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/python/samba/tests/auth_log_base.py b/python/samba/tests/auth_log_base.py
> index 5a70ce3..6edd0f6 100644
> --- a/python/samba/tests/auth_log_base.py
> +++ b/python/samba/tests/auth_log_base.py
> @@ -58,6 +58,7 @@ class AuthLogTestBase(samba.tests.TestCase):
> if self.msg_handler_and_context:
> self.msg_ctx.deregister(self.msg_handler_and_context,
> msg_type=MSG_AUTH_LOG)
> + self.msg_ctx.irpc_remove_name(AUTH_EVENT_NAME)
>
> def waitForMessages(self, isLastExpectedMessage, connection=None):
> """Wait for all the expected messages to arrive
> --
> 2.7.4
>
>
> From b06fca729ddeba5ae49c5ef8b2abd77b013ad2e5 Mon Sep 17 00:00:00 2001
> From: Gary Lockyer <gary at catalyst.net.nz>
> Date: Wed, 4 Apr 2018 12:38:25 +1200
> Subject: [PATCH 03/10] cldap: set the remote ip address
>
> Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> ---
> source4/cldap_server/rootdse.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/source4/cldap_server/rootdse.c b/source4/cldap_server/rootdse.c
> index 3f389ce..a5e1c6b 100644
> --- a/source4/cldap_server/rootdse.c
> +++ b/source4/cldap_server/rootdse.c
> @@ -166,6 +166,13 @@ void cldapd_rootdse_request(struct cldap_socket *cldap,
> cldapd_rootdse_fill(cldapd, tmp_ctx, search, &reply.response,
> reply.result);
>
> + /*
> + * We clear this after cldapd_rootdse_fill as this is shared ldb
> + * and if it was not cleared the audit logging would report changes
> + * made by internal processes as coming from the last cldap requester
> + */
> + ldb_set_opaque(cldapd->samctx, "remoteAddress", NULL);
> +
> status = cldap_reply_send(cldap, &reply);
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(2,("cldap rootdse query failed '%s' - %s\n",
> --
> 2.7.4
>
>
> From 1bfc747118903dafe71a610bc10376d298d89951 Mon Sep 17 00:00:00 2001
> From: Gary Lockyer <gary at catalyst.net.nz>
> Date: Fri, 25 May 2018 09:53:29 +1200
> Subject: [PATCH 04/10] dsdb acl: Copy dsdb_control_password_acl_validation
> into reply
>
> Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> ---
> source4/dsdb/samdb/ldb_modules/acl.c | 187 +++++++++++++++++++++++++++++++++--
> 1 file changed, 177 insertions(+), 10 deletions(-)
>
> diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
> index 8b1dcbe..cd7144a 100644
> --- a/source4/dsdb/samdb/ldb_modules/acl.c
> +++ b/source4/dsdb/samdb/ldb_modules/acl.c
> @@ -968,13 +968,15 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx,
> return ret;
> }
>
> -static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
> - struct ldb_module *module,
> - struct ldb_request *req,
> - struct security_descriptor *sd,
> - struct dom_sid *sid,
> - const struct dsdb_class *objectclass,
> - bool userPassword)
> +static int acl_check_password_rights(
> + TALLOC_CTX *mem_ctx,
> + struct ldb_module *module,
> + struct ldb_request *req,
> + struct security_descriptor *sd,
> + struct dom_sid *sid,
> + const struct dsdb_class *objectclass,
> + bool userPassword,
> + struct dsdb_control_password_acl_validation **control_for_response)
> {
> int ret = LDB_SUCCESS;
> unsigned int del_attr_cnt = 0, add_attr_cnt = 0, rep_attr_cnt = 0;
> @@ -996,6 +998,12 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
> talloc_free(tmp_ctx);
> return LDB_ERR_OPERATIONS_ERROR;
> }
> + /*
> + * Set control_for_response to pav so it can be added to the response
> + * and be passed up to the audit_log module which uses it to identify
> + * password reset attempts.
> + */
> + *control_for_response = pav;
>
> c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OID);
> if (c != NULL) {
> @@ -1165,6 +1173,105 @@ checked:
> return LDB_SUCCESS;
> }
>
> +/*
> + * Context needed by acl_callback
> + */
> +struct acl_callback_context {
> + struct ldb_request *request;
> + struct ldb_module *module;
> +};
> +
> +/*
> + * @brief Copy the password validation control to the reply.
> + *
> + * Copy the dsdb_control_password_acl_validation control from the request,
> + * to the reply. The control is used by the audit_log module to identify
> + * password rests.
> + *
> + * @param req the ldb request.
> + * @param ares the result, updated with the control.
> + */
> +static void copy_password_acl_validation_control(
> + struct ldb_request *req,
> + struct ldb_reply *ares)
> +{
> + struct ldb_control *pav_ctrl = NULL;
> + struct dsdb_control_password_acl_validation *pav = NULL;
> +
> + pav_ctrl = ldb_request_get_control(
> + discard_const(req),
> + DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID);
> + if (pav_ctrl == NULL) {
> + return;
> + }
> +
> + pav = talloc_get_type_abort(
> + pav_ctrl->data,
> + struct dsdb_control_password_acl_validation);
> + if (pav == NULL) {
> + return;
> + }
> + ldb_reply_add_control(
> + ares,
> + DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID,
> + false,
> + pav);
> +}
> +/*
> + * @brief call back function for acl_modify.
> + *
> + * Calls acl_copy to copy the dsdb_control_password_acl_validation from
> + * the request to the reply.
> + *
> + * @param req the ldb_request.
> + * @param ares the operation result.
> + *
> + * @return the LDB_STATUS
> + */
> +static int acl_callback(struct ldb_request *req, struct ldb_reply *ares)
> +{
> + struct acl_callback_context *ac = NULL;
> +
> + ac = talloc_get_type(req->context, struct acl_callback_context);
> +
> + if (!ares) {
> + return ldb_module_done(
> + ac->request,
> + NULL,
> + NULL,
> + LDB_ERR_OPERATIONS_ERROR);
> + }
> +
> + /* pass on to the callback */
> + switch (ares->type) {
> + case LDB_REPLY_ENTRY:
> + return ldb_module_send_entry(
> + ac->request,
> + ares->message,
> + ares->controls);
> +
> + case LDB_REPLY_REFERRAL:
> + return ldb_module_send_referral(
> + ac->request,
> + ares->referral);
> +
> + case LDB_REPLY_DONE:
> + /*
> + * Copy the ACL control from the request to the response
> + */
> + copy_password_acl_validation_control(req, ares);
> + return ldb_module_done(
> + ac->request,
> + ares->controls,
> + ares->response,
> + ares->error);
> +
> + default:
> + /* Can't happen */
> + return LDB_ERR_OPERATIONS_ERROR;
> + }
> +}
> +
> static int acl_modify(struct ldb_module *module, struct ldb_request *req)
> {
> int ret;
> @@ -1187,6 +1294,10 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
> "objectSid",
> NULL
> };
> + struct acl_callback_context *context = NULL;
> + struct ldb_request *new_req = NULL;
> + struct dsdb_control_password_acl_validation *pav = NULL;
> + struct ldb_control **controls = NULL;
>
> if (ldb_dn_is_special(msg->dn)) {
> return ldb_next_request(module, req);
> @@ -1324,6 +1435,14 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
> } else if (ldb_attr_cmp("unicodePwd", el->name) == 0 ||
> (userPassword && ldb_attr_cmp("userPassword", el->name) == 0) ||
> ldb_attr_cmp("clearTextPassword", el->name) == 0) {
> + /*
> + * Ideally we would do the acl_check_password_rights
> + * before we checked the other attributes, i.e. in a
> + * loop before the current one.
> + * Have not done this as yet in order to limit the size
> + * of the change. To limit the possibility of breaking
> + * the ACL logic.
> + */
> if (password_rights_checked) {
> continue;
> }
> @@ -1333,7 +1452,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
> sd,
> sid,
> objectclass,
> - userPassword);
> + userPassword,
> + &pav);
> if (ret != LDB_SUCCESS) {
> goto fail;
> }
> @@ -1382,10 +1502,57 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
>
> success:
> talloc_free(tmp_ctx);
> - return ldb_next_request(module, req);
> + context = talloc_zero(req, struct acl_callback_context);
> +
> + if (context == NULL) {
> + return ldb_oom(ldb);
> + }
> + context->request = req;
> + context->module = module;
> + ret = ldb_build_mod_req(
> + &new_req,
> + ldb,
> + req,
> + req->op.mod.message,
> + req->controls,
> + context,
> + acl_callback,
> + req);
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + return ldb_next_request(module, new_req);
> fail:
> talloc_free(tmp_ctx);
> - return ret;
> + /*
> + * We copy the pav into the result, so that the password reset
> + * logging code in audit_log can log failed password reset attempts.
> + */
> + if (pav) {
> + struct ldb_control *control = NULL;
> +
> + controls = talloc_zero_array(req, struct ldb_control *, 2);
> + if (controls == NULL) {
> + return ldb_oom(ldb);
> + }
> +
> + control = talloc(controls, struct ldb_control);
> +
> + if (control == NULL) {
> + return ldb_oom(ldb);
> + }
> +
> + control->oid= talloc_strdup(
> + control,
> + DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID);
> + if (control->oid == NULL) {
> + return ldb_oom(ldb);
> + }
> + control->critical = false;
> + control->data = pav;
> + *controls = control;
> + }
> + return ldb_module_done(req, controls, NULL, ret);
> }
>
> /* similar to the modify for the time being.
> --
> 2.7.4
>
>
> From 5a989963d44753ff10d82094f4cd36272801df5d Mon Sep 17 00:00:00 2001
> From: Gary Lockyer <gary at catalyst.net.nz>
> Date: Mon, 21 May 2018 14:31:57 +1200
> Subject: [PATCH 05/10] dsdb partition.c: Make partition_copy_all aysnc.
>
> partition_copy_all uses ldb_wait to wait for the update to the primary
> partition to complete, when updating a special dn. If a module higher
> up the chain inserts a callback, the code blocks in ldb_wait and does
> not complete. This change replaces the ldb_wait logic with a callback.
>
> Currently there is no code that triggers this bug, however the up coming
> audit logging changes do trigger this bug.
>
> Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> ---
> source4/dsdb/samdb/ldb_modules/partition.c | 200 ++++++++++++++++++++++++++---
> 1 file changed, 179 insertions(+), 21 deletions(-)
>
> diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c
> index 9fb1b9d..0068571 100644
> --- a/source4/dsdb/samdb/ldb_modules/partition.c
> +++ b/source4/dsdb/samdb/ldb_modules/partition.c
> @@ -394,32 +394,37 @@ static int partition_send_all(struct ldb_module *module,
> return partition_call_first(ac);
> }
>
> +struct partition_copy_context {
> + struct ldb_module *module;
> + struct partition_context *partition_context;
> + struct ldb_request *request;
> + struct ldb_dn *dn;
> +};
>
> -/**
> - * send an operation to the top partition, then copy the resulting
> - * object to all other partitions
> +/*
> + * A special DN has been updated in the primary partition. Now propagate those
> + * changes to the remaining partitions.
> + *
> + * Note: that the operations are asyncchonous and this fuction is called
> + * from partition_copy_all_callback_handler in response to an async
> + * callback.
> */
> -static int partition_copy_all(struct ldb_module *module,
> - struct partition_context *ac,
> - struct ldb_request *req,
> - struct ldb_dn *dn)
> +static int partition_copy_all_callback_action(
> + struct ldb_module *module,
> + struct partition_context *ac,
> + struct ldb_request *req,
> + struct ldb_dn *dn,
> + int ret)
> +
> {
> +
> unsigned int i;
> - struct partition_private_data *data = talloc_get_type(ldb_module_get_private(module),
> - struct partition_private_data);
> - int ret, search_ret;
> + struct partition_private_data *data =
> + talloc_get_type(
> + ldb_module_get_private(module),
> + struct partition_private_data);
> + int search_ret;
> struct ldb_result *res;
> -
> - /* do the request on the top level sam.ldb synchronously */
> - ret = ldb_next_request(module, req);
> - if (ret != LDB_SUCCESS) {
> - return ret;
> - }
> - ret = ldb_wait(req->handle, LDB_WAIT_ALL);
> - if (ret != LDB_SUCCESS) {
> - return ret;
> - }
> -
> /* now fetch the resulting object, and then copy it to all the
> * other partitions. We need this approach to cope with the
> * partitions getting out of sync. If for example the
> @@ -521,6 +526,159 @@ static int partition_copy_all(struct ldb_module *module,
> return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
> }
>
> +
> +/*
> + * @brief call back function for the ldb operations on special DN's.
> + *
> + * As the LDB operations are async, and we wish to use the result
> + * the operations, a callback needs to be registered to process the results
> + * of the LDB operations.
> + *
> + * @param req the ldb request
> + * @param res the result of the operation
> + *
> + * @return the LDB_STATUS
> + */
> +static int partition_copy_all_callback_handler(
> + struct ldb_request *req,
> + struct ldb_reply *ares)
> +{
> + struct partition_copy_context *ac = NULL;
> + int error = ares->error;
> +
> + ac = talloc_get_type(
> + req->context,
> + struct partition_copy_context);
> +
> + if (!ares) {
> + return ldb_module_done(
> + ac->request,
> + NULL,
> + NULL,
> + LDB_ERR_OPERATIONS_ERROR);
> + }
> +
> + /* pass on to the callback */
> + switch (ares->type) {
> + case LDB_REPLY_ENTRY:
> + return ldb_module_send_entry(
> + ac->request,
> + ares->message,
> + ares->controls);
> +
> + case LDB_REPLY_REFERRAL:
> + return ldb_module_send_referral(
> + ac->request,
> + ares->referral);
> +
> + case LDB_REPLY_DONE:
> + error = partition_copy_all_callback_action(
> + ac->module,
> + ac->partition_context,
> + ac->request,
> + ac->dn,
> + ares->error);
> + return ldb_module_done(
> + ac->request,
> + ares->controls,
> + ares->response,
> + error);
> +
> + default:
> + /* Can't happen */
> + return LDB_ERR_OPERATIONS_ERROR;
> + }
> +}
> +
> +/**
> + * send an operation to the top partition, then copy the resulting
> + * object to all other partitions.
> + */
> +static int partition_copy_all(
> + struct ldb_module *module,
> + struct partition_context *partition_context,
> + struct ldb_request *req,
> + struct ldb_dn *dn)
> +{
> + struct ldb_request *new_req = NULL;
> + struct ldb_context *ldb = NULL;
> + struct partition_copy_context *context = NULL;
> +
> + int ret;
> +
> + ldb = ldb_module_get_ctx(module);
> +
> + context = talloc_zero(req, struct partition_copy_context);
> + if (context == NULL) {
> + return ldb_oom(ldb);
> + }
> + context->module = module;
> + context->request = req;
> + context->dn = dn;
> + context->partition_context = partition_context;
> +
> + switch (req->operation) {
> + case LDB_ADD:
> + ret = ldb_build_add_req(
> + &new_req,
> + ldb,
> + req,
> + req->op.add.message,
> + req->controls,
> + context,
> + partition_copy_all_callback_handler,
> + req);
> + break;
> + case LDB_MODIFY:
> + ret = ldb_build_mod_req(
> + &new_req,
> + ldb,
> + req,
> + req->op.mod.message,
> + req->controls,
> + context,
> + partition_copy_all_callback_handler,
> + req);
> + break;
> + case LDB_DELETE:
> + ret = ldb_build_del_req(
> + &new_req,
> + ldb,
> + req,
> + req->op.del.dn,
> + req->controls,
> + context,
> + partition_copy_all_callback_handler,
> + req);
> + break;
> + case LDB_RENAME:
> + ret = ldb_build_rename_req(
> + &new_req,
> + ldb,
> + req,
> + req->op.rename.olddn,
> + req->op.rename.newdn,
> + req->controls,
> + context,
> + partition_copy_all_callback_handler,
> + req);
> + break;
> + default:
> + /*
> + * Shouldn't happen.
> + */
> + ldb_debug(
> + ldb,
> + LDB_DEBUG_ERROR,
> + "Unexpected opertation type (%d)\n", req->operation);
> + ret = LDB_ERR_OPERATIONS_ERROR;
> + break;
> + }
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + return ldb_next_request(module, new_req);
> +}
> /**
> * Figure out which backend a request needs to be aimed at. Some
> * requests must be replicated to all backends
> --
> 2.7.4
>
>
> From 475028c89a49fe51c9c513f03d26b4c238a1eff0 Mon Sep 17 00:00:00 2001
> From: Gary Lockyer <gary at catalyst.net.nz>
> Date: Wed, 30 May 2018 14:43:25 +1200
> Subject: [PATCH 06/10] rpc_server: common routine to open ldb in system
> session
>
> Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> ---
> source4/rpc_server/common/server_info.c | 24 ++++++++++++++++++++++++
> 1 file changed, 24 insertions(+)
>
> diff --git a/source4/rpc_server/common/server_info.c b/source4/rpc_server/common/server_info.c
> index 0aabcda..3532a6d 100644
> --- a/source4/rpc_server/common/server_info.c
> +++ b/source4/rpc_server/common/server_info.c
> @@ -186,3 +186,27 @@ bool dcesrv_common_validate_share_name(TALLOC_CTX *mem_ctx, const char *share_na
>
> return true;
> }
> +
> +/*
> + * Open a ldb connection as the System user.
> + */
> +struct ldb_context *connect_as_system(
> + TALLOC_CTX *mem_ctx,
> + struct dcesrv_call_state *dce_call)
> +{
> + struct ldb_context *samdb = NULL;
> + samdb = samdb_connect(
> + mem_ctx,
> + dce_call->event_ctx,
> + dce_call->conn->dce_ctx->lp_ctx,
> + system_session(dce_call->conn->dce_ctx->lp_ctx),
> + dce_call->conn->remote_address,
> + 0);
> + if (samdb) {
> + ldb_set_opaque(
> + samdb,
> + "networkSessionInfo",
> + dce_call->conn->auth_state.session_info);
> + }
> + return samdb;
> +}
> --
> 2.7.4
>
>
> From 902fbf1dff2a4948d6116c08486cc0c0b19576e7 Mon Sep 17 00:00:00 2001
> From: Gary Lockyer <gary at catalyst.net.nz>
> Date: Wed, 30 May 2018 14:44:19 +1200
> Subject: [PATCH 07/10] rpc_server lsa: pass remote connection data
>
> Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> ---
> source4/rpc_server/lsa/dcesrv_lsa.c | 18 ++----------------
> 1 file changed, 2 insertions(+), 16 deletions(-)
>
> diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
> index 8c540ab..ad455e4 100644
> --- a/source4/rpc_server/lsa/dcesrv_lsa.c
> +++ b/source4/rpc_server/lsa/dcesrv_lsa.c
> @@ -3167,8 +3167,6 @@ static NTSTATUS dcesrv_lsa_SetSystemAccessAccount(struct dcesrv_call_state *dce_
> {
> DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
> }
> -
> -
> /*
> lsa_CreateSecret
> */
> @@ -3234,13 +3232,7 @@ static NTSTATUS dcesrv_lsa_CreateSecret(struct dcesrv_call_state *dce_call, TALL
> /* We need to connect to the database as system, as this is one
> * of the rare RPC calls that must read the secrets (and this
> * is denied otherwise) */
> - samdb = samdb_connect(
> - mem_ctx,
> - dce_call->event_ctx,
> - dce_call->conn->dce_ctx->lp_ctx,
> - system_session(dce_call->conn->dce_ctx->lp_ctx),
> - dce_call->conn->remote_address,
> - 0);
> + samdb = connect_as_system(mem_ctx, dce_call);
> secret_state->sam_ldb = talloc_reference(secret_state, samdb);
> NT_STATUS_HAVE_NO_MEMORY(secret_state->sam_ldb);
>
> @@ -3380,13 +3372,7 @@ static NTSTATUS dcesrv_lsa_OpenSecret(struct dcesrv_call_state *dce_call, TALLOC
> if (strncmp("G$", r->in.name.string, 2) == 0) {
> name = &r->in.name.string[2];
> /* We need to connect to the database as system, as this is one of the rare RPC calls that must read the secrets (and this is denied otherwise) */
> - samdb = samdb_connect(
> - mem_ctx,
> - dce_call->event_ctx,
> - dce_call->conn->dce_ctx->lp_ctx,
> - system_session(dce_call->conn->dce_ctx->lp_ctx),
> - dce_call->conn->remote_address,
> - 0);
> + samdb = connect_as_system(mem_ctx, dce_call);
> secret_state->sam_ldb = talloc_reference(secret_state, samdb);
> secret_state->global = true;
>
> --
> 2.7.4
>
>
> From 45cd19604784387ed8121845ee7527f56a4bc076 Mon Sep 17 00:00:00 2001
> From: Gary Lockyer <gary at catalyst.net.nz>
> Date: Wed, 30 May 2018 14:45:03 +1200
> Subject: [PATCH 08/10] rpc_server backupkey:w: pass remote connection data
>
> Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> ---
> source4/rpc_server/backupkey/dcesrv_backupkey.c | 8 ++------
> source4/rpc_server/backupkey/dcesrv_backupkey_heimdal.c | 8 +-------
> 2 files changed, 3 insertions(+), 13 deletions(-)
>
> diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
> index d2c3f2a..ce3cb9a 100644
> --- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
> +++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
> @@ -22,6 +22,7 @@
>
> #include "includes.h"
> #include "rpc_server/dcerpc_server.h"
> +#include "rpc_server/common/common.h"
> #include "librpc/gen_ndr/ndr_backupkey.h"
> #include "dsdb/common/util.h"
> #include "dsdb/samdb/samdb.h"
> @@ -1774,12 +1775,7 @@ static WERROR dcesrv_bkrp_BackupKey(struct dcesrv_call_state *dce_call,
> return WERR_NOT_SUPPORTED;
> }
>
> - ldb_ctx = samdb_connect(mem_ctx,
> - dce_call->event_ctx,
> - dce_call->conn->dce_ctx->lp_ctx,
> - system_session(dce_call->conn->dce_ctx->lp_ctx),
> - dce_call->conn->remote_address,
> - 0);
> + ldb_ctx = connect_as_system(mem_ctx, dce_call);
>
> if (samdb_rodc(ldb_ctx, &is_rodc) != LDB_SUCCESS) {
> talloc_unlink(mem_ctx, ldb_ctx);
> diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey_heimdal.c b/source4/rpc_server/backupkey/dcesrv_backupkey_heimdal.c
> index d2fc480..cd192aa 100644
> --- a/source4/rpc_server/backupkey/dcesrv_backupkey_heimdal.c
> +++ b/source4/rpc_server/backupkey/dcesrv_backupkey_heimdal.c
> @@ -1814,13 +1814,7 @@ static WERROR dcesrv_bkrp_BackupKey(struct dcesrv_call_state *dce_call,
> return WERR_NOT_SUPPORTED;
> }
>
> - ldb_ctx = samdb_connect(mem_ctx,
> - dce_call->event_ctx,
> - dce_call->conn->dce_ctx->lp_ctx,
> - system_session(dce_call->conn->dce_ctx->lp_ctx),
> - dce_call->conn->remote_address,
> - 0);
> -
> + ldb_ctx = connect_as_system(mem_ctx, dce_call);
> if (samdb_rodc(ldb_ctx, &is_rodc) != LDB_SUCCESS) {
> talloc_unlink(mem_ctx, ldb_ctx);
> return WERR_INVALID_PARAMETER;
> --
> 2.7.4
>
>
> From 9891a095538df1e211829688442c04909319f901 Mon Sep 17 00:00:00 2001
> From: Gary Lockyer <gary at catalyst.net.nz>
> Date: Wed, 4 Apr 2018 11:59:41 +1200
> Subject: [PATCH 09/10] dsdb: audit samdb and password changes
>
> Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> ---
> python/samba/tests/audit_log_base.py | 150 ++
> python/samba/tests/audit_log_dsdb.py | 594 ++++++
> python/samba/tests/audit_log_pass_change.py | 335 +++
> selftest/target/Samba4.pm | 4 +
> source4/dsdb/samdb/ldb_modules/audit_log.c | 1554 ++++++++++++++
> source4/dsdb/samdb/ldb_modules/audit_util.c | 602 ++++++
> source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 3 +-
> .../dsdb/samdb/ldb_modules/tests/test_audit_log.c | 2248 ++++++++++++++++++++
> .../dsdb/samdb/ldb_modules/tests/test_audit_util.c | 1260 +++++++++++
> source4/dsdb/samdb/ldb_modules/wscript_build | 28 +-
> .../dsdb/samdb/ldb_modules/wscript_build_server | 16 +
> source4/selftest/tests.py | 12 +
> 12 files changed, 6803 insertions(+), 3 deletions(-)
> create mode 100644 python/samba/tests/audit_log_base.py
> create mode 100644 python/samba/tests/audit_log_dsdb.py
> create mode 100644 python/samba/tests/audit_log_pass_change.py
> create mode 100644 source4/dsdb/samdb/ldb_modules/audit_log.c
> create mode 100644 source4/dsdb/samdb/ldb_modules/audit_util.c
> create mode 100644 source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c
> create mode 100644 source4/dsdb/samdb/ldb_modules/tests/test_audit_util.c
>
> diff --git a/python/samba/tests/audit_log_base.py b/python/samba/tests/audit_log_base.py
> new file mode 100644
> index 0000000..4f76c56
> --- /dev/null
> +++ b/python/samba/tests/audit_log_base.py
> @@ -0,0 +1,150 @@
> +# Unix SMB/CIFS implementation.
> +# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2017
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 3 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +#
> +
> +from __future__ import print_function
> +"""Tests for DSDB audit logging.
> +"""
> +
> +import samba.tests
> +from samba.messaging import Messaging
> +from samba.dcerpc.messaging import MSG_AUTH_LOG, AUTH_EVENT_NAME
> +import time
> +import json
> +import os
> +import re
> +
> +
> +class AuditLogTestBase(samba.tests.TestCase):
> +
> + def setUp(self):
> + super(AuditLogTestBase, self).setUp()
> + lp_ctx = self.get_loadparm()
> + self.msg_ctx = Messaging((1,), lp_ctx=lp_ctx)
> + self.msg_ctx.irpc_add_name(self.event_type)
> +
> + def isRemote(message):
> + remote = None
> + if message["type"] == "passwordChange":
> + remote = message["passwordChange"]["remoteAddress"]
> + elif message["type"] == "dsdbChange":
> + remote = message["dsdbChange"]["remoteAddress"]
> + elif message["type"] == "groupChange":
> + remote = message["groupChange"]["remoteAddress"]
> + elif message["type"] == "Authorization":
> + remote = message["Authorization"]["remoteAddress"]
> + else:
> + return False
> +
> + if remote is None:
> + return False
> +
> + try:
> + addr = remote.split(":")
> + return addr[1] == self.remoteAddress
> + except IndexError:
> + return False
> +
> + def messageHandler(context, msgType, src, message):
> + # This does not look like sub unit output and it
> + # makes these tests much easier to debug.
> + print(message)
> + jsonMsg = json.loads(message)
> + if ((jsonMsg["type"] == "passwordChange" or
> + jsonMsg["type"] == "dsdbChange" or
> + jsonMsg["type"] == "groupChange") and
> + isRemote(jsonMsg)):
> + context["messages"].append(jsonMsg)
> + elif jsonMsg["type"] == "dsdbTransaction":
> + context["txnMessage"] = jsonMsg
> +
> + self.context = {"messages": [], "txnMessage": ""}
> + self.msg_handler_and_context = (messageHandler, self.context)
> + self.msg_ctx.register(self.msg_handler_and_context,
> + msg_type=self.message_type)
> +
> + self.msg_ctx.irpc_add_name(AUTH_EVENT_NAME)
> +
> + def authHandler(context, msgType, src, message):
> + jsonMsg = json.loads(message)
> + if jsonMsg["type"] == "Authorization" and isRemote(jsonMsg):
> + # This does not look like sub unit output and it
> + # makes these tests much easier to debug.
> + print(message)
> + context["sessionId"] = jsonMsg["Authorization"]["sessionId"]
> + context["serviceDescription"] =\
> + jsonMsg["Authorization"]["serviceDescription"]
> +
> + self.auth_context = {"sessionId": "", "serviceDescription": ""}
> + self.auth_handler_and_context = (authHandler, self.auth_context)
> + self.msg_ctx.register(self.auth_handler_and_context,
> + msg_type=MSG_AUTH_LOG)
> +
> + self.discardMessages()
> +
> + self.server = os.environ["SERVER"]
> + self.connection = None
> +
> + def tearDown(self):
> + self.discardMessages()
> + self.msg_ctx.irpc_remove_name(self.event_type)
> + self.msg_ctx.irpc_remove_name(AUTH_EVENT_NAME)
> + if self.msg_handler_and_context:
> + self.msg_ctx.deregister(self.msg_handler_and_context,
> + msg_type=self.message_type)
> + if self.auth_handler_and_context:
> + self.msg_ctx.deregister(self.auth_handler_and_context,
> + msg_type=MSG_AUTH_LOG)
> +
> + def waitForMessages(self, number, connection=None):
> + """Wait for all the expected messages to arrive
> + The connection is passed through to keep the connection alive
> + until all the logging messages have been received.
> + """
> +
> + self.connection = connection
> +
> + start_time = time.time()
> + while len(self.context["messages"]) < number:
> + self.msg_ctx.loop_once(0.1)
> + if time.time() - start_time > 1:
> + self.connection = None
> + print("Timed out")
> + return []
> +
> + self.connection = None
> + return self.context["messages"]
> +
> + # Discard any previously queued messages.
> + def discardMessages(self):
> + self.msg_ctx.loop_once(0.001)
> + while len(self.context["messages"]):
> + self.context["messages"] = []
> + self.msg_ctx.loop_once(0.001)
> +
> + GUID_RE = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
> +
> + #
> + # Is the supplied GUID string correctly formatted
> + #
> + def is_guid(self, guid):
> + return re.match(self.GUID_RE, guid)
> +
> + def get_session(self):
> + return self.auth_context["sessionId"]
> +
> + def get_service_description(self):
> + return self.auth_context["serviceDescription"]
> diff --git a/python/samba/tests/audit_log_dsdb.py b/python/samba/tests/audit_log_dsdb.py
> new file mode 100644
> index 0000000..41ed8b7
> --- /dev/null
> +++ b/python/samba/tests/audit_log_dsdb.py
> @@ -0,0 +1,594 @@
> +# Tests for SamDb password change audit logging.
> +# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2018
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 3 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +#
> +
> +from __future__ import print_function
> +"""Tests for the SamDb logging of password changes.
> +"""
> +
> +import samba.tests
> +from samba.dcerpc.messaging import MSG_DSDB_LOG, DSDB_EVENT_NAME
> +from samba.samdb import SamDB
> +from samba.auth import system_session
> +import os
> +import time
> +from samba.tests.audit_log_base import AuditLogTestBase
> +from samba.tests import delete_force
> +from samba.net import Net
> +import samba
> +from samba.dcerpc import security, lsa
> +
> +USER_NAME = "auditlogtestuser"
> +USER_PASS = samba.generate_random_password(32, 32)
> +SECOND_USER_NAME = "auditlogtestuser02"
> +SECOND_USER_PASS = samba.generate_random_password(32, 32)
> +
> +
> +class AuditLogDsdbTests(AuditLogTestBase):
> +
> + def setUp(self):
> + self.message_type = MSG_DSDB_LOG
> + self.event_type = DSDB_EVENT_NAME
> + super(AuditLogDsdbTests, self).setUp()
> +
> + self.remoteAddress = os.environ["CLIENT_IP"]
> + self.server_ip = os.environ["SERVER_IP"]
> +
> + host = "ldap://%s" % os.environ["SERVER"]
> + self.ldb = SamDB(url=host,
> + session_info=system_session(),
> + credentials=self.get_credentials(),
> + lp=self.get_loadparm())
> + self.server = os.environ["SERVER"]
> +
> + # Gets back the basedn
> + self.base_dn = self.ldb.domain_dn()
> +
> + # Get the old "dSHeuristics" if it was set
> + dsheuristics = self.ldb.get_dsheuristics()
> +
> + # Set the "dSHeuristics" to activate the correct "userPassword"
> + # behaviour
> + self.ldb.set_dsheuristics("000000001")
> +
> + # Reset the "dSHeuristics" as they were before
> + self.addCleanup(self.ldb.set_dsheuristics, dsheuristics)
> +
> + # Get the old "minPwdAge"
> + minPwdAge = self.ldb.get_minPwdAge()
> +
> + # Set it temporarily to "0"
> + self.ldb.set_minPwdAge("0")
> + self.base_dn = self.ldb.domain_dn()
> +
> + # Reset the "minPwdAge" as it was before
> + self.addCleanup(self.ldb.set_minPwdAge, minPwdAge)
> +
> + # (Re)adds the test user USER_NAME with password USER_PASS
> + delete_force(self.ldb, "cn=" + USER_NAME + ",cn=users," + self.base_dn)
> + delete_force(
> + self.ldb,
> + "cn=" + SECOND_USER_NAME + ",cn=users," + self.base_dn)
> + self.ldb.add({
> + "dn": "cn=" + USER_NAME + ",cn=users," + self.base_dn,
> + "objectclass": "user",
> + "sAMAccountName": USER_NAME,
> + "userPassword": USER_PASS
> + })
> +
> + def tearDown(self):
> + super(AuditLogDsdbTests, self).tearDown()
> +
> + def waitForTransaction(self, connection=None):
> + """Wait for a transaction message to arrive
> + The connection is passed through to keep the connection alive
> + until all the logging messages have been received.
> + """
> +
> + self.connection = connection
> +
> + start_time = time.time()
> + while self.context["txnMessage"] == "":
> + self.msg_ctx.loop_once(0.1)
> + if time.time() - start_time > 1:
> + self.connection = None
> + return ""
> +
> + self.connection = None
> + return self.context["txnMessage"]
> +
> + def test_net_change_password(self):
> +
> + #
> + # Discard the messages from the Adding of a user in the setup
> + # code
> + messages = self.waitForMessages(6)
> + self.discardMessages()
> +
> + creds = self.insta_creds(template=self.get_credentials())
> +
> + lp = self.get_loadparm()
> + net = Net(creds, lp, server=self.server)
> + password = "newPassword!!42"
> +
> + net.change_password(newpassword=password.encode('utf-8'),
> + username=USER_NAME,
> + oldpassword=USER_PASS)
> +
> + messages = self.waitForMessages(1, net)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn
> + audit = messages[0]["dsdbChange"]
> + self.assertEquals("Modify", audit["operation"])
> + self.assertFalse(audit["performedAsSystem"])
> + self.assertTrue(dn.lower(), audit["dn"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "DCE/RPC")
> + self.assertTrue(self.is_guid(audit["transactionId"]))
> +
> + attributes = audit["attributes"]
> + self.assertEquals(1, len(attributes))
> + actions = attributes["clearTextPassword"]["actions"]
> + self.assertEquals(1, len(actions))
> + self.assertTrue(actions[0]["redacted"])
> + self.assertEquals("replace", actions[0]["action"])
> +
> + def test_net_set_password(self):
> +
> + #
> + # Discard the messages from the Adding of a user in the setup
> + # code
> + messages = self.waitForMessages(5)
> + self.discardMessages()
> +
> + creds = self.insta_creds(template=self.get_credentials())
> +
> + lp = self.get_loadparm()
> + net = Net(creds, lp, server=self.server)
> + password = "newPassword!!42"
> + domain = lp.get("workgroup")
> +
> + net.set_password(newpassword=password.encode('utf-8'),
> + account_name=USER_NAME,
> + domain_name=domain)
> + messages = self.waitForMessages(1, net)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn
> + audit = messages[0]["dsdbChange"]
> + self.assertEquals("Modify", audit["operation"])
> + self.assertFalse(audit["performedAsSystem"])
> + self.assertEquals(dn, audit["dn"])
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "DCE/RPC")
> + self.assertTrue(self.is_guid(audit["transactionId"]))
> +
> + attributes = audit["attributes"]
> + self.assertEquals(1, len(attributes))
> + actions = attributes["clearTextPassword"]["actions"]
> + self.assertEquals(1, len(actions))
> + self.assertTrue(actions[0]["redacted"])
> + self.assertEquals("replace", actions[0]["action"])
> +
> + def test_ldap_change_password(self):
> +
> + #
> + # Discard the messages from the setup code
> + messages = self.waitForMessages(5)
> + self.discardMessages()
> +
> + new_password = samba.generate_random_password(32, 32)
> + dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + self.ldb.modify_ldif(
> + "dn: " + dn + "\n" +
> + "changetype: modify\n" +
> + "delete: userPassword\n" +
> + "userPassword: " + USER_PASS + "\n" +
> + "add: userPassword\n" +
> + "userPassword: " + new_password + "\n")
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + audit = messages[0]["dsdbChange"]
> + self.assertEquals("Modify", audit["operation"])
> + self.assertFalse(audit["performedAsSystem"])
> + self.assertEquals(dn, audit["dn"])
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> +
> + attributes = audit["attributes"]
> + self.assertEquals(1, len(attributes))
> + actions = attributes["userPassword"]["actions"]
> + self.assertEquals(2, len(actions))
> + self.assertTrue(actions[0]["redacted"])
> + self.assertEquals("delete", actions[0]["action"])
> + self.assertTrue(actions[1]["redacted"])
> + self.assertEquals("add", actions[1]["action"])
> +
> + def test_ldap_replace_password(self):
> +
> + #
> + # Discard the messages from the setup code
> + messages = self.waitForMessages(5)
> + self.discardMessages()
> +
> + new_password = samba.generate_random_password(32, 32)
> + dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + self.ldb.modify_ldif(
> + "dn: " + dn + "\n" +
> + "changetype: modify\n" +
> + "replace: userPassword\n" +
> + "userPassword: " + new_password + "\n")
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + audit = messages[0]["dsdbChange"]
> + self.assertEquals("Modify", audit["operation"])
> + self.assertFalse(audit["performedAsSystem"])
> + self.assertTrue(dn.lower(), audit["dn"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> + self.assertTrue(self.is_guid(audit["transactionId"]))
> +
> + attributes = audit["attributes"]
> + self.assertEquals(1, len(attributes))
> + actions = attributes["userPassword"]["actions"]
> + self.assertEquals(1, len(actions))
> + self.assertTrue(actions[0]["redacted"])
> + self.assertEquals("replace", actions[0]["action"])
> +
> + def test_ldap_add_user(self):
> +
> + # The setup code adds a user, so we check for the dsdb events
> + # generated by it.
> + messages = self.waitForMessages(5)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(5,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + audit = messages[4]["dsdbChange"]
> + self.assertEquals("Add", audit["operation"])
> + self.assertFalse(audit["performedAsSystem"])
> + self.assertEquals(dn, audit["dn"])
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + self.assertTrue(self.is_guid(audit["transactionId"]))
> +
> + attributes = audit["attributes"]
> + self.assertEquals(3, len(attributes))
> +
> + actions = attributes["objectclass"]["actions"]
> + self.assertEquals(1, len(actions))
> + self.assertEquals("add", actions[0]["action"])
> + self.assertEquals(1, len(actions[0]["values"]))
> + self.assertEquals("user", actions[0]["values"][0]["value"])
> +
> + actions = attributes["sAMAccountName"]["actions"]
> + self.assertEquals(1, len(actions))
> + self.assertEquals("add", actions[0]["action"])
> + self.assertEquals(1, len(actions[0]["values"]))
> + self.assertEquals(USER_NAME, actions[0]["values"][0]["value"])
> +
> + actions = attributes["userPassword"]["actions"]
> + self.assertEquals(1, len(actions))
> + self.assertEquals("add", actions[0]["action"])
> + self.assertTrue(actions[0]["redacted"])
> +
> + def test_samdb_delete_user(self):
> +
> + #
> + # Discard the messages from the Adding of a user in the setup
> + # code
> + messages = self.waitForMessages(5)
> + self.discardMessages()
> +
> + dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + self.ldb.deleteuser(USER_NAME)
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + audit = messages[0]["dsdbChange"]
> + self.assertEquals("Delete", audit["operation"])
> + self.assertFalse(audit["performedAsSystem"])
> + self.assertTrue(dn.lower(), audit["dn"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> +
> + def test_net_set_password_user_without_permission(self):
> +
> + self.ldb.newuser(SECOND_USER_NAME, SECOND_USER_PASS)
> +
> + creds = self.insta_creds(
> + template=self.get_credentials(),
> + username=SECOND_USER_NAME,
> + userpass=SECOND_USER_PASS,
> + kerberos_state=None)
> +
> + lp = self.get_loadparm()
> + net = Net(creds, lp, server=self.server)
> + password = "newPassword!!42"
> + domain = lp.get("workgroup")
> +
> + #
> + # This operation should fail and trigger a transaction roll back.
> + #
> + try:
> + net.set_password(newpassword=password.encode('utf-8'),
> + account_name=USER_NAME,
> + domain_name=domain)
> + self.fail("Expected exception not thrown")
> + except Exception:
> + pass
> +
> + message = self.waitForTransaction(net)
> +
> + audit = message["dsdbTransaction"]
> + self.assertEquals("rollback", audit["action"])
> + self.assertTrue(self.is_guid(audit["transactionId"]))
> +
> + def test_create_secret_over_lsa(self):
> +
> + #
> + # Discard the messages from the Adding of a user in the setup
> + # code
> + messages = self.waitForMessages(5)
> + self.discardMessages()
> +
> + creds = self.insta_creds(template=self.get_credentials())
> + lsa_conn = lsa.lsarpc(
> + "ncacn_np:%s" % self.server,
> + self.get_loadparm(),
> + creds)
> + lsa_handle = lsa_conn.OpenPolicy2(
> + system_name="\\",
> + attr=lsa.ObjectAttribute(),
> + access_mask=security.SEC_FLAG_MAXIMUM_ALLOWED)
> + secret_name = lsa.String()
> + secret_name.string = "G$Test"
> + lsa_conn.CreateSecret(
> + handle=lsa_handle,
> + name=secret_name,
> + access_mask=security.SEC_FLAG_MAXIMUM_ALLOWED)
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + dn = "cn=Test Secret,CN=System," + self.base_dn
> + audit = messages[0]["dsdbChange"]
> + self.assertEquals("Add", audit["operation"])
> + self.assertTrue(audit["performedAsSystem"])
> + self.assertTrue(dn.lower(), audit["dn"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "DCE/RPC")
> + attributes = audit["attributes"]
> + self.assertEquals(2, len(attributes))
> +
> + object_class = attributes["objectClass"]
> + self.assertEquals(1, len(object_class["actions"]))
> + action = object_class["actions"][0]
> + self.assertEquals("add", action["action"])
> + values = action["values"]
> + self.assertEquals(1, len(values))
> + self.assertEquals("secret", values[0]["value"])
> +
> + cn = attributes["cn"]
> + self.assertEquals(1, len(cn["actions"]))
> + action = cn["actions"][0]
> + self.assertEquals("add", action["action"])
> + values = action["values"]
> + self.assertEquals(1, len(values))
> + self.assertEquals("Test Secret", values[0]["value"])
> +
> + def test_modify(self):
> +
> + #
> + # Discard the messages from the setup code
> + messages = self.waitForMessages(5)
> + self.discardMessages()
> +
> + #
> + # Add an attribute value
> + #
> + dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + self.ldb.modify_ldif(
> + "dn: " + dn + "\n" +
> + "changetype: modify\n" +
> + "add: carLicense\n" +
> + "carLicense: license-01\n")
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + audit = messages[0]["dsdbChange"]
> + self.assertEquals("Modify", audit["operation"])
> + self.assertFalse(audit["performedAsSystem"])
> + self.assertEquals(dn, audit["dn"])
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> +
> + attributes = audit["attributes"]
> + self.assertEquals(1, len(attributes))
> + actions = attributes["carLicense"]["actions"]
> + self.assertEquals(1, len(actions))
> + self.assertEquals("add", actions[0]["action"])
> + values = actions[0]["values"]
> + self.assertEquals(1, len(values))
> + self.assertEquals("license-01", values[0]["value"])
> +
> + #
> + # Add an another value to the attribute
> + #
> + self.discardMessages()
> + self.ldb.modify_ldif(
> + "dn: " + dn + "\n" +
> + "changetype: modify\n" +
> + "add: carLicense\n" +
> + "carLicense: license-02\n")
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + attributes = messages[0]["dsdbChange"]["attributes"]
> + self.assertEquals(1, len(attributes))
> + actions = attributes["carLicense"]["actions"]
> + self.assertEquals(1, len(actions))
> + self.assertEquals("add", actions[0]["action"])
> + values = actions[0]["values"]
> + self.assertEquals(1, len(values))
> + self.assertEquals("license-02", values[0]["value"])
> +
> + #
> + # Add an another two values to the attribute
> + #
> + self.discardMessages()
> + self.ldb.modify_ldif(
> + "dn: " + dn + "\n" +
> + "changetype: modify\n" +
> + "add: carLicense\n" +
> + "carLicense: license-03\n" +
> + "carLicense: license-04\n")
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + attributes = messages[0]["dsdbChange"]["attributes"]
> + self.assertEquals(1, len(attributes))
> + actions = attributes["carLicense"]["actions"]
> + self.assertEquals(1, len(actions))
> + self.assertEquals("add", actions[0]["action"])
> + values = actions[0]["values"]
> + self.assertEquals(2, len(values))
> + self.assertEquals("license-03", values[0]["value"])
> + self.assertEquals("license-04", values[1]["value"])
> +
> + #
> + # delete two values to the attribute
> + #
> + self.discardMessages()
> + self.ldb.modify_ldif(
> + "dn: " + dn + "\n" +
> + "changetype: delete\n" +
> + "delete: carLicense\n" +
> + "carLicense: license-03\n" +
> + "carLicense: license-04\n")
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + attributes = messages[0]["dsdbChange"]["attributes"]
> + self.assertEquals(1, len(attributes))
> + actions = attributes["carLicense"]["actions"]
> + self.assertEquals(1, len(actions))
> + self.assertEquals("delete", actions[0]["action"])
> + values = actions[0]["values"]
> + self.assertEquals(2, len(values))
> + self.assertEquals("license-03", values[0]["value"])
> + self.assertEquals("license-04", values[1]["value"])
> +
> + #
> + # replace two values to the attribute
> + #
> + self.discardMessages()
> + self.ldb.modify_ldif(
> + "dn: " + dn + "\n" +
> + "changetype: delete\n" +
> + "replace: carLicense\n" +
> + "carLicense: license-05\n" +
> + "carLicense: license-06\n")
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + attributes = messages[0]["dsdbChange"]["attributes"]
> + self.assertEquals(1, len(attributes))
> + actions = attributes["carLicense"]["actions"]
> + self.assertEquals(1, len(actions))
> + self.assertEquals("replace", actions[0]["action"])
> + values = actions[0]["values"]
> + self.assertEquals(2, len(values))
> + self.assertEquals("license-05", values[0]["value"])
> + self.assertEquals("license-06", values[1]["value"])
> diff --git a/python/samba/tests/audit_log_pass_change.py b/python/samba/tests/audit_log_pass_change.py
> new file mode 100644
> index 0000000..2f7bfd7
> --- /dev/null
> +++ b/python/samba/tests/audit_log_pass_change.py
> @@ -0,0 +1,335 @@
> +# Tests for SamDb password change audit logging.
> +# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2018
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 3 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +#
> +
> +from __future__ import print_function
> +"""Tests for the SamDb logging of password changes.
> +"""
> +
> +import samba.tests
> +from samba.dcerpc.messaging import MSG_DSDB_PWD_LOG, DSDB_PWD_EVENT_NAME
> +from samba.samdb import SamDB
> +from samba.auth import system_session
> +import os
> +from samba.tests.audit_log_base import AuditLogTestBase
> +from samba.tests import delete_force
> +from samba.net import Net
> +from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
> +
> +USER_NAME = "auditlogtestuser"
> +USER_PASS = samba.generate_random_password(32, 32)
> +
> +SECOND_USER_NAME = "auditlogtestuser02"
> +SECOND_USER_PASS = samba.generate_random_password(32, 32)
> +
> +
> +class AuditLogPassChangeTests(AuditLogTestBase):
> +
> + def setUp(self):
> + self.message_type = MSG_DSDB_PWD_LOG
> + self.event_type = DSDB_PWD_EVENT_NAME
> + super(AuditLogPassChangeTests, self).setUp()
> +
> + self.remoteAddress = os.environ["CLIENT_IP"]
> + self.server_ip = os.environ["SERVER_IP"]
> +
> + host = "ldap://%s" % os.environ["SERVER"]
> + self.ldb = SamDB(url=host,
> + session_info=system_session(),
> + credentials=self.get_credentials(),
> + lp=self.get_loadparm())
> + self.server = os.environ["SERVER"]
> +
> + # Gets back the basedn
> + self.base_dn = self.ldb.domain_dn()
> +
> + # Get the old "dSHeuristics" if it was set
> + dsheuristics = self.ldb.get_dsheuristics()
> +
> + # Set the "dSHeuristics" to activate the correct "userPassword"
> + # behaviour
> + self.ldb.set_dsheuristics("000000001")
> +
> + # Reset the "dSHeuristics" as they were before
> + self.addCleanup(self.ldb.set_dsheuristics, dsheuristics)
> +
> + # Get the old "minPwdAge"
> + minPwdAge = self.ldb.get_minPwdAge()
> +
> + # Set it temporarily to "0"
> + self.ldb.set_minPwdAge("0")
> + self.base_dn = self.ldb.domain_dn()
> +
> + # Reset the "minPwdAge" as it was before
> + self.addCleanup(self.ldb.set_minPwdAge, minPwdAge)
> +
> + # (Re)adds the test user USER_NAME with password USER_PASS
> + delete_force(self.ldb, "cn=" + USER_NAME + ",cn=users," + self.base_dn)
> + delete_force(
> + self.ldb,
> + "cn=" + SECOND_USER_NAME + ",cn=users," + self.base_dn)
> + self.ldb.add({
> + "dn": "cn=" + USER_NAME + ",cn=users," + self.base_dn,
> + "objectclass": "user",
> + "sAMAccountName": USER_NAME,
> + "userPassword": USER_PASS
> + })
> +
> + def tearDown(self):
> + super(AuditLogPassChangeTests, self).tearDown()
> +
> + def test_net_change_password(self):
> +
> + #
> + # Discard messages from the user creation in setup.
> + #
> + messages = self.waitForMessages(1)
> + self.discardMessages()
> +
> + creds = self.insta_creds(template=self.get_credentials())
> +
> + lp = self.get_loadparm()
> + net = Net(creds, lp, server=self.server)
> + password = "newPassword!!42"
> +
> + net.change_password(newpassword=password.encode('utf-8'),
> + username=USER_NAME,
> + oldpassword=USER_PASS)
> +
> + messages = self.waitForMessages(1, net)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn
> + audit = messages[0]["passwordChange"]
> + self.assertEquals("Change", audit["action"])
> + self.assertEquals(dn, audit["dn"])
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "DCE/RPC")
> + self.assertTrue(self.is_guid(audit["transactionId"]))
> +
> + def test_net_set_password_user_without_permission(self):
> +
> + #
> + # Discard messages from the user creation in setup.
> + #
> + messages = self.waitForMessages(1)
> + self.discardMessages()
> +
> + self.ldb.newuser(SECOND_USER_NAME, SECOND_USER_PASS)
> +
> + #
> + # Get the password reset from the user add
> + #
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + dn = "CN=" + SECOND_USER_NAME + ",CN=Users," + self.base_dn
> + audit = messages[0]["passwordChange"]
> + self.assertEquals("Reset", audit["action"])
> + self.assertEquals(dn, audit["dn"])
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> + self.assertTrue(self.is_guid(audit["transactionId"]))
> + self.assertEquals(0, audit["statusCode"])
> + self.assertEquals("Success", audit["status"])
> + self.discardMessages()
> +
> + creds = self.insta_creds(
> + template=self.get_credentials(),
> + username=SECOND_USER_NAME,
> + userpass=SECOND_USER_PASS,
> + kerberos_state=None)
> +
> + lp = self.get_loadparm()
> + net = Net(creds, lp, server=self.server)
> + password = "newPassword!!42"
> + domain = lp.get("workgroup")
> +
> + try:
> + net.set_password(newpassword=password.encode('utf-8'),
> + account_name=USER_NAME,
> + domain_name=domain)
> + self.fail("Expected exception not thrown")
> + except Exception:
> + pass
> +
> + messages = self.waitForMessages(1, net)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn
> + audit = messages[0]["passwordChange"]
> + self.assertEquals("Reset", audit["action"])
> + self.assertEquals(dn, audit["dn"])
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "DCE/RPC")
> + self.assertTrue(self.is_guid(audit["transactionId"]))
> + self.assertEquals(ERR_INSUFFICIENT_ACCESS_RIGHTS, audit["statusCode"])
> + self.assertEquals("insufficient access rights", audit["status"])
> +
> + def test_net_set_password(self):
> +
> + #
> + # Discard messages from the user creation in setup.
> + #
> + messages = self.waitForMessages(1)
> + self.discardMessages()
> +
> + creds = self.insta_creds(template=self.get_credentials())
> +
> + lp = self.get_loadparm()
> + net = Net(creds, lp, server=self.server)
> + password = "newPassword!!42"
> + domain = lp.get("workgroup")
> +
> + net.set_password(newpassword=password.encode('utf-8'),
> + account_name=USER_NAME,
> + domain_name=domain)
> +
> + messages = self.waitForMessages(1, net)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn
> + audit = messages[0]["passwordChange"]
> + self.assertEquals("Reset", audit["action"])
> + self.assertEquals(dn, audit["dn"])
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "DCE/RPC")
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + self.assertTrue(self.is_guid(audit["transactionId"]))
> +
> + def test_ldap_change_password(self):
> +
> + #
> + # Discard messages from the user creation in setup.
> + #
> + messages = self.waitForMessages(1)
> + self.discardMessages()
> +
> + new_password = samba.generate_random_password(32, 32)
> + dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + self.ldb.modify_ldif(
> + "dn: " + dn + "\n" +
> + "changetype: modify\n" +
> + "delete: userPassword\n" +
> + "userPassword: " + USER_PASS + "\n" +
> + "add: userPassword\n" +
> + "userPassword: " + new_password + "\n")
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + audit = messages[0]["passwordChange"]
> + self.assertEquals("Change", audit["action"])
> + self.assertEquals(dn, audit["dn"])
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> + self.assertTrue(self.is_guid(audit["transactionId"]))
> +
> + def test_ldap_replace_password(self):
> +
> + #
> + # Discard messages from the user creation in setup.
> + #
> + messages = self.waitForMessages(1)
> + self.discardMessages()
> +
> + new_password = samba.generate_random_password(32, 32)
> + dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + self.ldb.modify_ldif(
> + "dn: " + dn + "\n" +
> + "changetype: modify\n" +
> + "replace: userPassword\n" +
> + "userPassword: " + new_password + "\n")
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + audit = messages[0]["passwordChange"]
> + self.assertEquals("Reset", audit["action"])
> + self.assertEquals(dn, audit["dn"])
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> + self.assertTrue(self.is_guid(audit["transactionId"]))
> +
> + def test_ldap_add_user(self):
> +
> + # The setup code adds a user, so we check for the password event
> + # generated by it.
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + #
> + # The first message should be the reset from the Setup code.
> + #
> + dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + audit = messages[0]["passwordChange"]
> + self.assertEquals("Reset", audit["action"])
> + self.assertEquals(dn, audit["dn"])
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + self.assertTrue(self.is_guid(audit["transactionId"]))
> diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
> index 14e312f..3df226f 100755
> --- a/selftest/target/Samba4.pm
> +++ b/selftest/target/Samba4.pm
> @@ -1524,6 +1524,8 @@ sub provision_ad_dc_ntvfs($$)
> lsa over netlogon = yes
> rpc server port = 1027
> auth event notification = true
> + dsdb event notification = true
> + dsdb password event notification = true
> server schannel = auto
> ";
> my $ret = $self->provision($prefix,
> @@ -1896,6 +1898,8 @@ sub provision_ad_dc($$$$$$)
>
> server schannel = auto
> auth event notification = true
> + dsdb event notification = true
> + dsdb password event notification = true
> $smbconf_args
> ";
>
> diff --git a/source4/dsdb/samdb/ldb_modules/audit_log.c b/source4/dsdb/samdb/ldb_modules/audit_log.c
> new file mode 100644
> index 0000000..40d9703
> --- /dev/null
> +++ b/source4/dsdb/samdb/ldb_modules/audit_log.c
> @@ -0,0 +1,1554 @@
> +/*
> + ldb database library
> +
> + Copyright (C) Andrew Bartlett <abartlet at samba.org> 2018
> +
> + This program is free software; you can redistribute it and/or modify
> + it under the terms of the GNU General Public License as published by
> + the Free Software Foundation; either version 3 of the License, or
> + (at your option) any later version.
> +
> + This program is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + GNU General Public License for more details.
> +
> + You should have received a copy of the GNU General Public License
> + along with this program. If not, see <http://www.gnu.org/licenses/>.
> +*/
> +
> +/*
> + * Provide an audit log of changes made to the database and at a higher level
> + * details of any password changes and resets.
> + *
> + */
> +
> +#include "includes.h"
> +#include "ldb_module.h"
> +#include "lib/audit_logging/audit_logging.h"
> +
> +#include "dsdb/samdb/samdb.h"
> +#include "dsdb/samdb/ldb_modules/util.h"
> +#include "libcli/security/dom_sid.h"
> +#include "auth/common_auth.h"
> +#include "param/param.h"
> +
> +#define OPERATION_JSON_TYPE "dsdbChange"
> +#define OPERATION_HR_TAG "DSDB Change"
> +#define OPERATION_MAJOR 1
> +#define OPERATION_MINOR 0
> +#define OPERATION_LOG_LVL 5
> +
> +#define PASSWORD_JSON_TYPE "passwordChange"
> +#define PASSWORD_HR_TAG "Password Change"
> +#define PASSWORD_MAJOR 1
> +#define PASSWORD_MINOR 0
> +#define PASSWORD_LOG_LVL 5
> +
> +#define TRANSACTION_JSON_TYPE "dsdbTransaction"
> +#define TRANSACTION_HR_TAG "DSDB Transaction"
> +#define TRANSACTION_MAJOR 1
> +#define TRANSACTION_MINOR 0
> +/*
> + * Currently we only log roll backs and prepare commit failures
> + */
> +#define TRANSACTION_LOG_LVL 5
> +
> +#define REPLICATION_JSON_TYPE "replicatedUpdate"
> +#define REPLICATION_HR_TAG "Replicated Update"
> +#define REPLICATION_MAJOR 1
> +#define REPLICATION_MINOR 0
> +#define REPLICATION_LOG_LVL 5
> +/*
> + * Attribute values are truncated in the logs if they are longer than MAX_LENGTH
> + */
> +#define MAX_LENGTH 1024
> +
> +#define min(a, b) (((a)>(b))?(b):(a))
> +
> +/*
> + * Private data for the module, stored in the ldb_module private data
> + */
> +struct audit_context {
> + /*
> + * Should details of database operations be sent over the messaging
> + * bus.
> + */
> + bool send_samdb_events;
> + /*
> + * Should details of password changes and resets be sent over the
> + * messaging bus.
> + */
> + bool send_password_events;
> + /*
> + * The messaging context to send the messages over.
> + * Will only be set if send_samdb_events or send_password_events are
> + * true.
> + */
> + struct imessaging_context *msg_ctx;
> + /*
> + * Unique transaction id for the current transaction
> + */
> + struct GUID transaction_guid;
> +};
> +
> +/*
> + * @brief Has the password changed.
> + *
> + * Does the message contain a change to one of the password attributes? The
> + * password attributes are defined in DSDB_PASSWORD_ATTRIBUTES
> + *
> + * @return true if the message contains a password attribute
> + *
> + */
> +static bool has_password_changed(const struct ldb_message *message)
> +{
> + int i;
> + if (message == NULL) {
> + return false;
> + }
> + for (i=0;i<message->num_elements;i++) {
> + if (is_password_attribute(message->elements[i].name)) {
> + return true;
> + }
> + }
> + return false;
> +}
> +
> +/*
> + * @brief Is the request a password "Change" or a "Reset"
> + *
> + * Get a description of the action being performed on the user password. This
> + * routine assumes that the request contains password attributes and that the
> + * password ACL checks have been performed by acl.c
> + *
> + * @param request the ldb_request to inspect
> + * @param reply the ldb_reply, will contain the password controls
> + *
> + * @return "Change" if the password is being changed.
> + * "Reset" if the password is being reset.
> + */
> +static const char *get_password_action(
> + const struct ldb_request *request,
> + const struct ldb_reply *reply)
> +{
> + if(request->operation == LDB_ADD) {
> + return "Reset";
> + } else {
> + struct ldb_control *pav_ctrl = NULL;
> + struct dsdb_control_password_acl_validation *pav = NULL;
> +
> + pav_ctrl = ldb_reply_get_control(
> + discard_const(reply),
> + DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID);
> + if (pav_ctrl == NULL) {
> + return "Reset";
> + }
> +
> + pav = talloc_get_type_abort(
> + pav_ctrl->data,
> + struct dsdb_control_password_acl_validation);
> +
> + if (pav->pwd_reset) {
> + return "Reset";
> + } else {
> + return "Change";
> + }
> + }
> +}
> +
> +
> +#ifdef HAVE_JANSSON
> +/*
> + * @brief generate a JSON object detailing an ldb operation.
> + *
> + * Generate a JSON object detailing an ldb operation.
> + *
> + * @param module the ldb module
> + * @param request the request
> + * @param reply the result of the operation.
> + *
> + * @return the generated JSON object, should be freed with json_free.
> + *
> + */
> +static struct json_object operation_json(
> + struct ldb_module *module,
> + const struct ldb_request *request,
> + const struct ldb_reply *reply)
> +{
> + struct ldb_context *ldb = NULL;
> + const struct dom_sid *sid = NULL;
> + bool as_system = false;
> + struct json_object wrapper;
> + struct json_object audit;
> + const struct tsocket_address *remote = NULL;
> + const char *dn = NULL;
> + const char* operation = NULL;
> + const struct GUID *unique_session_token = NULL;
> + const struct ldb_message *message = NULL;
> + struct audit_context *ac = talloc_get_type(
> + ldb_module_get_private(module),
> + struct audit_context);
> +
> + ldb = ldb_module_get_ctx(module);
> +
> + remote = get_remote_address(ldb);
> + if (remote != NULL && is_system_session(module)) {
> + as_system = true;
> + sid = get_actual_sid(ldb);
> + unique_session_token = get_actual_unique_session_token(ldb);
> + } else {
> + sid = get_user_sid(module);
> + unique_session_token = get_unique_session_token(module);
> + }
> + dn = get_primary_dn(request);
> + operation = get_operation_name(request);
> +
> + audit = json_new_object();
> + json_add_version(&audit, OPERATION_MAJOR, OPERATION_MINOR);
> + json_add_int(&audit, "statusCode", reply->error);
> + json_add_string(&audit, "status", ldb_strerror(reply->error));
> + json_add_string(&audit, "operation", operation);
> + json_add_address(&audit, "remoteAddress", remote);
> + json_add_bool(&audit, "performedAsSystem", as_system);
> + json_add_sid(&audit, "userSid", sid);
> + json_add_string(&audit, "dn", dn);
> + json_add_guid(&audit, "transactionId", &ac->transaction_guid);
> + json_add_guid(&audit, "sessionId", unique_session_token);
> +
> + message = get_message(request);
> + if (message != NULL) {
> + struct json_object attributes = attributes_json(
> + request->operation, message);
> + json_add_object(&audit, "attributes", &attributes);
> + }
> +
> + wrapper = json_new_object();
> + json_add_timestamp(&wrapper);
> + json_add_string(&wrapper, "type", OPERATION_JSON_TYPE);
> + json_add_object(&wrapper, OPERATION_JSON_TYPE, &audit);
> + return wrapper;
> +}
> +
> +/*
> + * @brief generate a JSON object detailing a replicated update.
> + *
> + * Generate a JSON object detailing a replicated update
> + *
> + * @param module the ldb module
> + * @param request the request
> + * @paran reply the result of the operation
> + *
> + * @return the generated JSON object, should be freed with json_free.
> + *
> + */
> +static struct json_object replicated_update_json(
> + struct ldb_module *module,
> + const struct ldb_request *request,
> + const struct ldb_reply *reply)
> +{
> + struct json_object wrapper;
> + struct json_object audit;
> + struct audit_context *ac = talloc_get_type(
> + ldb_module_get_private(module),
> + struct audit_context);
> + struct dsdb_extended_replicated_objects *ro = talloc_get_type(
> + request->op.extended.data,
> + struct dsdb_extended_replicated_objects);
> + const char *partition_dn = NULL;
> + const char *error = NULL;
> +
> + partition_dn = ldb_dn_get_linearized(ro->partition_dn);
> + error = get_friendly_werror_msg(ro->error);
> +
> + audit = json_new_object();
> + json_add_version(&audit, REPLICATION_MAJOR, REPLICATION_MINOR);
> + json_add_int(&audit, "statusCode", reply->error);
> + json_add_string(&audit, "status", ldb_strerror(reply->error));
> + json_add_guid(&audit, "transactionId", &ac->transaction_guid);
> + json_add_int(&audit, "objectCount", ro->num_objects);
> + json_add_int(&audit, "linkCount", ro->linked_attributes_count);
> + json_add_string(&audit, "partitionDN", partition_dn);
> + json_add_string(&audit, "error", error);
> + json_add_int(&audit, "errorCode", W_ERROR_V(ro->error));
> + json_add_guid(
> + &audit,
> + "sourceDsa",
> + &ro->source_dsa->source_dsa_obj_guid);
> + json_add_guid(
> + &audit,
> + "invocationId",
> + &ro->source_dsa->source_dsa_invocation_id);
> +
> + wrapper = json_new_object();
> + json_add_timestamp(&wrapper);
> + json_add_string(&wrapper, "type", REPLICATION_JSON_TYPE);
> + json_add_object(&wrapper, REPLICATION_JSON_TYPE, &audit);
> + return wrapper;
> +}
> +
> +/*
> + * @brief generate a JSON object detailing a password change.
> + *
> + * Generate a JSON object detailing a password change.
> + *
> + * @param module the ldb module
> + * @param request the request
> + * @param reply the result/response
> + * @param status the status code returned for the underlying ldb operation.
> + *
> + * @return the generated JSON object.
> + *
> + */
> +static struct json_object password_change_json(
> + struct ldb_module *module,
> + const struct ldb_request *request,
> + const struct ldb_reply *reply)
> +{
> + struct ldb_context *ldb = NULL;
> + const struct dom_sid *sid = NULL;
> + const char* dn = NULL;
> + struct json_object wrapper;
> + struct json_object audit;
> + const struct tsocket_address *remote = NULL;
> + const char* action = NULL;
> + const struct GUID *unique_session_token = NULL;
> + struct audit_context *ac = talloc_get_type(
> + ldb_module_get_private(module),
> + struct audit_context);
> +
> +
> + ldb = ldb_module_get_ctx(module);
> +
> + remote = get_remote_address(ldb);
> + sid = get_user_sid(module);
> + dn = get_primary_dn(request);
> + action = get_password_action(request, reply);
> + unique_session_token = get_unique_session_token(module);
> +
> + audit = json_new_object();
> + json_add_version(&audit, PASSWORD_MAJOR, PASSWORD_MINOR);
> + json_add_int(&audit, "statusCode", reply->error);
> + json_add_string(&audit, "status", ldb_strerror(reply->error));
> + json_add_address(&audit, "remoteAddress", remote);
> + json_add_sid(&audit, "userSid", sid);
> + json_add_string(&audit, "dn", dn);
> + json_add_string(&audit, "action", action);
> + json_add_guid(&audit, "transactionId", &ac->transaction_guid);
> + json_add_guid(&audit, "sessionId", unique_session_token);
> +
> + wrapper = json_new_object();
> + json_add_timestamp(&wrapper);
> + json_add_string(&wrapper, "type", PASSWORD_JSON_TYPE);
> + json_add_object(&wrapper, PASSWORD_JSON_TYPE, &audit);
> +
> + return wrapper;
> +}
> +
> +
> +/*
> + * @brief create a JSON object containing details of a transaction event.
> + *
> + * Create a JSON object detailing a transaction transaction life cycle events,
> + * i.e. begin, commit, roll back
> + *
> + * @param action a one word description of the event/action
> + * @param transaction_id the GUID identifying the current transaction.
> + *
> + * @return a JSON object detailing the event
> + */
> +static struct json_object transaction_json(
> + const char *action,
> + struct GUID *transaction_id)
> +{
> + struct json_object wrapper;
> + struct json_object audit;
> +
> + audit = json_new_object();
> + json_add_version(&audit, TRANSACTION_MAJOR, TRANSACTION_MINOR);
> + json_add_string(&audit, "action", action);
> + json_add_guid(&audit, "transactionId", transaction_id);
> +
> + wrapper = json_new_object();
> + json_add_timestamp(&wrapper);
> + json_add_string(&wrapper, "type", TRANSACTION_JSON_TYPE);
> + json_add_object(&wrapper, TRANSACTION_JSON_TYPE, &audit);
> +
> + return wrapper;
> +}
> +
> +
> +/*
> + * @brief generate a JSON object detailing a commit failure.
> + *
> + * Generate a JSON object containing details of a commit failure.
> + *
> + * @param action the commit action, "commit" or "prepare"
> + * @param status the status code returned by commit
> + * @param reason any extra failure information/reason available
> + * @param transaction_id the GUID identifying the current transaction.
> + */
> +static struct json_object commit_failure_json(
> + const char *action,
> + int status,
> + const char *reason,
> + struct GUID *transaction_id)
> +{
> + struct json_object wrapper;
> + struct json_object audit;
> +
> + audit = json_new_object();
> + json_add_version(&audit, TRANSACTION_MAJOR, TRANSACTION_MINOR);
> + json_add_string(&audit, "action", action);
> + json_add_guid(&audit, "transactionId", transaction_id);
> + json_add_int(&audit, "statusCode", status);
> + json_add_string(&audit, "status", ldb_strerror(status));
> + json_add_string(&audit, "reason", reason);
> +
> + wrapper = json_new_object();
> + json_add_timestamp(&wrapper);
> + json_add_string(&wrapper, "type", TRANSACTION_JSON_TYPE);
> + json_add_object(&wrapper, TRANSACTION_JSON_TYPE, &audit);
> +
> + return wrapper;
> +}
> +
> +#endif
> +/*
> + * @brief Print a human readable log line for a password change event.
> + *
> + * Generate a human readable log line detailing a password change.
> + *
> + * @param mem_ctx The talloc context that will own the generated log line.
> + * @param module the ldb module
> + * @param request the request
> + * @param reply the result/response
> + * @param status the status code returned for the underlying ldb operation.
> + *
> + * @return the generated log line.
> + */
> +static char *password_change_human_readable(
> + TALLOC_CTX *mem_ctx,
> + struct ldb_module *module,
> + const struct ldb_request *request,
> + const struct ldb_reply *reply)
> +{
> + struct ldb_context *ldb = NULL;
> + const char *remote_host = NULL;
> + const struct dom_sid *sid = NULL;
> + const char *user_sid = NULL;
> + const char *timestamp = NULL;
> + char *log_entry = NULL;
> + const char *action = NULL;
> + const char *dn = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = ldb_module_get_ctx(module);
> +
> + remote_host = get_remote_host(ldb, ctx);
> + sid = get_user_sid(module);
> + user_sid = dom_sid_string(ctx, sid);
> + timestamp = audit_get_timestamp(ctx);
> + action = get_password_action(request, reply);
> + dn = get_primary_dn(request);
> +
> + log_entry = talloc_asprintf(
> + mem_ctx,
> + "[%s] at [%s] status [%s] "
> + "remote host [%s] SID [%s] DN [%s]",
> + action,
> + timestamp,
> + ldb_strerror(reply->error),
> + remote_host,
> + user_sid,
> + dn);
> + TALLOC_FREE(ctx);
> + return log_entry;
> +}
> +/*
> + * @brief Generate a human readable string, detailing attributes in a message
> + *
> + * For modify operations each attribute is prefixed with the action.
> + * Normal values are enclosed in []
> + * Base64 values are enclosed in {}
> + * Truncated values are indicated by three trailing dots "..."
> + *
> + * @param ldb The ldb_context
> + * @param buffer The attributes will be appended to the buffer.
> + * assumed to have been allocated via talloc.
> + * @param operation The operation type
> + * @param message the message to process
> + *
> + */
> +static char *log_attributes(
> + struct ldb_context *ldb,
> + char *buffer,
> + enum ldb_request_type operation,
> + const struct ldb_message *message)
> +{
> + int i, j;
> + for (i=0;i<message->num_elements;i++) {
> + if (i > 0) {
> + buffer = talloc_asprintf_append_buffer(buffer, " ");
> + }
> +
> + if (message->elements[i].name == NULL) {
> + ldb_debug(
> + ldb,
> + LDB_DEBUG_ERROR,
> + "Error: Invalid element name (NULL) at "
> + "position %d", i);
> + return NULL;
> + }
> +
> + if (operation == LDB_MODIFY) {
> + const char *action =NULL;
> + action = get_modification_action(
> + message->elements[i].flags);
> + buffer = talloc_asprintf_append_buffer(
> + buffer,
> + "%s: %s ",
> + action,
> + message->elements[i].name);
> + } else {
> + buffer = talloc_asprintf_append_buffer(
> + buffer,
> + "%s ",
> + message->elements[i].name);
> + }
> +
> + if (redact_attribute(message->elements[i].name)) {
> + /*
> + * Do not log the value of any secret or password
> + * attributes
> + */
> + buffer = talloc_asprintf_append_buffer(
> + buffer,
> + "[REDACTED SECRET ATTRIBUTE]");
> + continue;
> + }
> +
> + for (j=0;j<message->elements[i].num_values;j++) {
> + struct ldb_val v;
> + bool use_b64_encode = false;
> + int length;
> + if (j > 0) {
> + buffer = talloc_asprintf_append_buffer(
> + buffer,
> + " ");
> + }
> +
> + v = message->elements[i].values[j];
> + length = min(MAX_LENGTH, v.length);
> + use_b64_encode = ldb_should_b64_encode(ldb, &v);
> + if (use_b64_encode) {
> + const char *encoded = ldb_base64_encode(
> + buffer,
> + (char *)v.data,
> + length);
> + buffer = talloc_asprintf_append_buffer(
> + buffer,
> + "{%s%s}",
> + encoded,
> + (v.length > MAX_LENGTH ? "..." : ""));
> + } else {
> + buffer = talloc_asprintf_append_buffer(
> + buffer,
> + "[%*.*s%s]",
> + length,
> + length,
> + (char *)v.data,
> + (v.length > MAX_LENGTH ? "..." : ""));
> + }
> + }
> + }
> + return buffer;
> +}
> +
> +/*
> + * @brief generate a human readable log entry detailing an ldb operation.
> + *
> + * Generate a human readable log entry detailing an ldb operation.
> + *
> + * @param mem_ctx The talloc context owning the returned string.
> + * @param module the ldb module
> + * @param request the request
> + * @param reply the result of the operation
> + *
> + * @return the log entry.
> + *
> + */
> +static char *operation_human_readable(
> + TALLOC_CTX *mem_ctx,
> + struct ldb_module *module,
> + const struct ldb_request *request,
> + const struct ldb_reply *reply)
> +{
> + struct ldb_context *ldb = NULL;
> + const char *remote_host = NULL;
> + const struct dom_sid *sid = NULL;
> + const char *user_sid = NULL;
> + const char *timestamp = NULL;
> + const char *op_name = NULL;
> + char *log_entry = NULL;
> + const char *dn = NULL;
> + const char *new_dn = NULL;
> + const struct ldb_message *message = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = ldb_module_get_ctx(module);
> +
> + remote_host = get_remote_host(ldb, ctx);
> + if (remote_host != NULL && is_system_session(module)) {
> + sid = get_actual_sid(ldb);
> + } else {
> + sid = get_user_sid(module);
> + }
> + user_sid = dom_sid_string(ctx, sid);
> + timestamp = audit_get_timestamp(ctx);
> + op_name = get_operation_name(request);
> + dn = get_primary_dn(request);
> + new_dn = get_secondary_dn(request);
> +
> + message = get_message(request);
> +
> + log_entry = talloc_asprintf(
> + mem_ctx,
> + "[%s] at [%s] status [%s] "
> + "remote host [%s] SID [%s] DN [%s]",
> + op_name,
> + timestamp,
> + ldb_strerror(reply->error),
> + remote_host,
> + user_sid,
> + dn);
> + if (new_dn != NULL) {
> + log_entry = talloc_asprintf_append_buffer(
> + log_entry,
> + " New DN [%s]",
> + new_dn);
> + }
> + if (message != NULL) {
> + log_entry = talloc_asprintf_append_buffer(log_entry,
> + " attributes [");
> + log_entry = log_attributes(ldb,
> + log_entry,
> + request->operation,
> + message);
> + log_entry = talloc_asprintf_append_buffer(log_entry, "]");
> + }
> + TALLOC_FREE(ctx);
> + return log_entry;
> +}
> +
> +/*
> + * @brief generate a human readable log entry detailing a replicated update
> + * operation.
> + *
> + * Generate a human readable log entry detailing a replicated update operation
> + *
> + * @param mem_ctx The talloc context owning the returned string.
> + * @param module the ldb module
> + * @param request the request
> + * @param reply the result of the operation.
> + *
> + * @return the log entry.
> + *
> + */
> +static char *replicated_update_human_readable(
> + TALLOC_CTX *mem_ctx,
> + struct ldb_module *module,
> + const struct ldb_request *request,
> + const struct ldb_reply *reply)
> +{
> + struct dsdb_extended_replicated_objects *ro = talloc_get_type(
> + request->op.extended.data,
> + struct dsdb_extended_replicated_objects);
> + const char *partition_dn = NULL;
> + const char *error = NULL;
> + char *log_entry = NULL;
> + char *timestamp = NULL;
> + struct GUID_txt_buf object_buf;
> + const char *object = NULL;
> + struct GUID_txt_buf invocation_buf;
> + const char *invocation = NULL;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + timestamp = audit_get_timestamp(ctx);
> + error = get_friendly_werror_msg(ro->error);
> + partition_dn = ldb_dn_get_linearized(ro->partition_dn);
> + object = GUID_buf_string(
> + &ro->source_dsa->source_dsa_obj_guid,
> + &object_buf);
> + invocation = GUID_buf_string(
> + &ro->source_dsa->source_dsa_invocation_id,
> + &invocation_buf);
> +
> +
> + log_entry = talloc_asprintf(
> + mem_ctx,
> + "at [%s] status [%s] error [%s] partition [%s] objects [%d] "
> + "links [%d] object [%s] invocation [%s]",
> + timestamp,
> + ldb_strerror(reply->error),
> + error,
> + partition_dn,
> + ro->num_objects,
> + ro->linked_attributes_count,
> + object,
> + invocation);
> +
> + TALLOC_FREE(ctx);
> + return log_entry;
> +}
> +/*
> + * @brief create a human readable log entry detailing a transaction event.
> + *
> + * Create a human readable log entry detailing a transaction event.
> + * i.e. begin, commit, roll back
> + *
> + * @param mem_ctx The talloc context owning the returned string.
> + * @param action a one word description of the event/action
> + * @param transaction_id the GUID identifying the current transaction.
> + *
> + * @return the log entry
> + */
> +static char *transaction_human_readable(
> + TALLOC_CTX *mem_ctx,
> + const char* action)
> +{
> + const char *timestamp = NULL;
> + char *log_entry = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + timestamp = audit_get_timestamp(ctx);
> +
> + log_entry = talloc_asprintf(
> + mem_ctx,
> + "[%s] at [%s]",
> + action,
> + timestamp);
> +
> + TALLOC_FREE(ctx);
> + return log_entry;
> +}
> +
> +/*
> + * @brief generate a human readable log entry detailing a commit failure.
> + *
> + * Generate generate a human readable log entry detailing a commit failure.
> + *
> + * @param mem_ctx The talloc context owning the returned string.
> + * @param action the commit action, "prepare" or "commit"
> + * @param status the status code returned by commit
> + * @param reason any extra failure information/reason available
> + *
> + * @return the log entry
> + */
> +static char *commit_failure_human_readable(
> + TALLOC_CTX *mem_ctx,
> + const char *action,
> + int status,
> + const char *reason)
> +{
> + const char *timestamp = NULL;
> + char *log_entry = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + timestamp = audit_get_timestamp(ctx);
> +
> + log_entry = talloc_asprintf(
> + mem_ctx,
> + "[%s] at [%s] status [%d] reason [%s]",
> + action,
> + timestamp,
> + status,
> + reason);
> +
> + TALLOC_FREE(ctx);
> + return log_entry;
> +}
> +
> +/*
> + * @brief log details of a standard ldb operation.
> + *
> + * Log the details of an ldb operation in JSON and or human readable format
> + * and send over the message bus.
> + *
> + * @param module the ldb_module
> + * @param request the operation request.
> + * @param reply the operation result.
> + * @param the status code returned for the operation.
> + *
> + */
> +static void log_standard_operation(
> + struct ldb_module *module,
> + const struct ldb_request *request,
> + const struct ldb_reply *reply)
> +{
> +
> + const struct ldb_message *message = get_message(request);
> + bool password_changed = has_password_changed(message);
> + struct audit_context *ac =
> + talloc_get_type(ldb_module_get_private(module),
> + struct audit_context);
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_AUDIT, OPERATION_LOG_LVL)) {
> + char *entry = NULL;
> + entry = operation_human_readable(
> + ctx,
> + module,
> + request,
> + reply);
> + audit_log_hr(
> + OPERATION_HR_TAG,
> + entry,
> + DBGC_DSDB_AUDIT,
> + OPERATION_LOG_LVL);
> + TALLOC_FREE(entry);
> + }
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_PWD_AUDIT, PASSWORD_LOG_LVL)) {
> + if (password_changed) {
> + char *entry = NULL;
> + entry = password_change_human_readable(
> + ctx,
> + module,
> + request,
> + reply);
> + audit_log_hr(
> + PASSWORD_HR_TAG,
> + entry,
> + DBGC_DSDB_PWD_AUDIT,
> + PASSWORD_LOG_LVL);
> + TALLOC_FREE(entry);
> + }
> + }
> +#ifdef HAVE_JANSSON
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_AUDIT_JSON, OPERATION_LOG_LVL) ||
> + (ac->msg_ctx && ac->send_password_events)) {
> + struct json_object json;
> + json = operation_json(module, request, reply);
> + audit_log_json(
> + OPERATION_JSON_TYPE,
> + &json,
> + DBGC_DSDB_AUDIT_JSON,
> + OPERATION_LOG_LVL);
> + if (ac->msg_ctx && ac->send_password_events) {
> + audit_message_send(
> + ac->msg_ctx,
> + DSDB_EVENT_NAME,
> + MSG_DSDB_LOG,
> + &json);
> + }
> + json_free(&json);
> + }
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_PWD_AUDIT_JSON, PASSWORD_LOG_LVL) ||
> + (ac->msg_ctx && ac->send_password_events)) {
> + if (password_changed) {
> + struct json_object json;
> + json = password_change_json(module, request, reply);
> + audit_log_json(
> + PASSWORD_JSON_TYPE,
> + &json,
> + DBGC_DSDB_PWD_AUDIT_JSON,
> + PASSWORD_LOG_LVL);
> + if (ac->send_password_events) {
> + audit_message_send(
> + ac->msg_ctx,
> + DSDB_PWD_EVENT_NAME,
> + MSG_DSDB_PWD_LOG,
> + &json);
> + }
> + json_free(&json);
> + }
> + }
> +#endif
> + TALLOC_FREE(ctx);
> +}
> +
> +/*
> + * @brief log details of a replicated update.
> + *
> + * Log the details of a replicated update in JSON and or human readable
> + * format and send over the message bus.
> + *
> + * @param module the ldb_module
> + * @param request the operation request
> + * @param reply the result of the operation.
> + *
> + */
> +static void log_replicated_operation(
> + struct ldb_module *module,
> + const struct ldb_request *request,
> + const struct ldb_reply *reply)
> +{
> +
> + struct audit_context *ac =
> + talloc_get_type(ldb_module_get_private(module),
> + struct audit_context);
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_AUDIT, REPLICATION_LOG_LVL)) {
> + char *entry = NULL;
> + entry = replicated_update_human_readable(
> + ctx,
> + module,
> + request,
> + reply);
> + audit_log_hr(
> + REPLICATION_HR_TAG,
> + entry,
> + DBGC_DSDB_AUDIT,
> + REPLICATION_LOG_LVL);
> + TALLOC_FREE(entry);
> + }
> +#ifdef HAVE_JANSSON
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_AUDIT_JSON, REPLICATION_LOG_LVL) ||
> + (ac->msg_ctx && ac->send_samdb_events)) {
> + struct json_object json;
> + json = replicated_update_json(module, request, reply);
> + audit_log_json(
> + REPLICATION_JSON_TYPE,
> + &json,
> + DBGC_DSDB_AUDIT_JSON,
> + REPLICATION_LOG_LVL);
> + if (ac->send_samdb_events) {
> + audit_message_send(
> + ac->msg_ctx,
> + DSDB_EVENT_NAME,
> + MSG_DSDB_LOG,
> + &json);
> + }
> + json_free(&json);
> + }
> +#endif
> + TALLOC_FREE(ctx);
> +}
> +
> +/*
> + * @brief log details of an ldb operation.
> + *
> + * Log the details of an ldb operation in JSON and or human readable format
> + * and send over the message bus.
> + *
> + * @param module the ldb_module
> + * @param request the operation request
> + * @part reply the result of the operation
> + *
> + */
> +static void log_operation(
> + struct ldb_module *module,
> + const struct ldb_request *request,
> + const struct ldb_reply *reply)
> +{
> +
> + if (request->operation == LDB_EXTENDED) {
> + if (strcmp(
> + request->op.extended.oid,
> + DSDB_EXTENDED_REPLICATED_OBJECTS_OID) != 0) {
> +
> + log_replicated_operation(module, request, reply);
> + }
> + } else {
> + log_standard_operation(module, request, reply);
> + }
> +}
> +
> +/*
> + * @brief log details of a transaction event.
> + *
> + * Log the details of a transaction event in JSON and or human readable format
> + * and send over the message bus.
> + *
> + * @param module the ldb_module
> + * @param action the transaction event i.e. begin, commit, roll back.
> + *
> + */
> +static void log_transaction(
> + struct ldb_module *module,
> + const char *action)
> +{
> +
> + struct audit_context *ac =
> + talloc_get_type(ldb_module_get_private(module),
> + struct audit_context);
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_TXN_AUDIT, TRANSACTION_LOG_LVL)) {
> + char* entry = NULL;
> + entry = transaction_human_readable(ctx, action);
> + audit_log_hr(
> + TRANSACTION_HR_TAG,
> + entry,
> + DBGC_DSDB_TXN_AUDIT,
> + TRANSACTION_LOG_LVL);
> + TALLOC_FREE(entry);
> + }
> +#ifdef HAVE_JANSSON
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_TXN_AUDIT_JSON, TRANSACTION_LOG_LVL) ||
> + (ac->msg_ctx && ac->send_samdb_events)) {
> + struct json_object json;
> + json = transaction_json(action, &ac->transaction_guid);
> + audit_log_json(
> + TRANSACTION_JSON_TYPE,
> + &json,
> + DBGC_DSDB_TXN_AUDIT_JSON,
> + TRANSACTION_LOG_LVL);
> + if (ac->send_samdb_events) {
> + audit_message_send(
> + ac->msg_ctx,
> + DSDB_EVENT_NAME,
> + MSG_DSDB_LOG,
> + &json);
> + }
> + json_free(&json);
> + }
> +#endif
> + TALLOC_FREE(ctx);
> +}
> +
> +/*
> + * @brief log details of a commit failure.
> + *
> + * Log the details of a commit failure in JSON and or human readable
> + * format and send over the message bus.
> + *
> + * @param module the ldb_module
> + * @param action the commit action "prepare" or "commit"
> + * @param status the ldb status code returned by prepare commit.
> + *
> + */
> +static void log_commit_failure(
> + struct ldb_module *module,
> + const char *action,
> + int status)
> +{
> +
> + struct audit_context *ac =
> + talloc_get_type(ldb_module_get_private(module),
> + struct audit_context);
> + const char* reason = get_ldb_error_string(module, status);
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_TXN_AUDIT, TRANSACTION_LOG_LVL)) {
> + char* entry = NULL;
> + entry = commit_failure_human_readable(
> + ctx,
> + action,
> + status,
> + reason);
> + audit_log_hr(
> + TRANSACTION_HR_TAG,
> + entry,
> + DBGC_DSDB_TXN_AUDIT,
> + TRANSACTION_LOG_LVL);
> + TALLOC_FREE(entry);
> + }
> +#ifdef HAVE_JANSSON
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_TXN_AUDIT_JSON, TRANSACTION_LOG_LVL) ||
> + (ac->msg_ctx && ac->send_samdb_events)) {
> + struct json_object json;
> + json = commit_failure_json(
> + action,
> + status,
> + reason,
> + &ac->transaction_guid);
> + audit_log_json(
> + TRANSACTION_JSON_TYPE,
> + &json,
> + DBGC_DSDB_TXN_AUDIT_JSON,
> + TRANSACTION_LOG_LVL);
> + if (ac->send_samdb_events) {
> + audit_message_send(ac->msg_ctx,
> + DSDB_EVENT_NAME,
> + MSG_DSDB_LOG,
> + &json);
> + }
> + json_free(&json);
> + }
> +#endif
> + TALLOC_FREE(ctx);
> +}
> +
> +/*
> + * Context needed by audit_callback
> + */
> +struct audit_callback_context {
> + struct ldb_request *request;
> + struct ldb_module *module;
> +};
> +
> +/*
> + * @brief call back function for the ldb_operations.
> + *
> + * As the LDB operations are async, and we wish to examine the results of
> + * the operations, a callback needs to be registered to process the results
> + * of the LDB operations.
> + *
> + * @param req the ldb request
> + * @param res the result of the operation
> + *
> + * @return the LDB_STATUS
> + */
> +static int audit_callback(struct ldb_request *req, struct ldb_reply *ares)
> +{
> + struct audit_callback_context *ac = NULL;
> +
> + ac = talloc_get_type(
> + req->context,
> + struct audit_callback_context);
> +
> + if (!ares) {
> + return ldb_module_done(
> + ac->request,
> + NULL,
> + NULL,
> + LDB_ERR_OPERATIONS_ERROR);
> + }
> +
> + /* pass on to the callback */
> + switch (ares->type) {
> + case LDB_REPLY_ENTRY:
> + return ldb_module_send_entry(
> + ac->request,
> + ares->message,
> + ares->controls);
> +
> + case LDB_REPLY_REFERRAL:
> + return ldb_module_send_referral(
> + ac->request,
> + ares->referral);
> +
> + case LDB_REPLY_DONE:
> + /*
> + * Log the operation once DONE
> + */
> + log_operation(ac->module, ac->request, ares);
> + return ldb_module_done(
> + ac->request,
> + ares->controls,
> + ares->response,
> + ares->error);
> +
> + default:
> + /* Can't happen */
> + return LDB_ERR_OPERATIONS_ERROR;
> + }
> +}
> +
> +/*
> + * @brief Add the current transaction identifier to the request.
> + *
> + * Add the current transaction identifier in the module private data,
> + * to the request as a control.
> + *
> + * @param module
> + * @param req the request.
> + *
> + * @return an LDB_STATUS code, LDB_SUCCESS if successful.
> + */
> +static int add_transaction_id(
> + struct ldb_module *module,
> + struct ldb_request *req)
> +{
> + struct audit_context *ac =
> + talloc_get_type(ldb_module_get_private(module),
> + struct audit_context);
> + struct dsdb_control_transaction_identifier *transaction_id;
> +
> + transaction_id = talloc_zero(
> + req,
> + struct dsdb_control_transaction_identifier);
> + if (transaction_id == NULL) {
> + struct ldb_context *ldb = ldb_module_get_ctx(module);
> + return ldb_oom(ldb);
> + }
> + transaction_id->transaction_guid = ac->transaction_guid;
> + ldb_request_add_control(req,
> + DSDB_CONTROL_TRANSACTION_IDENTIFIER_OID,
> + false,
> + transaction_id);
> + return LDB_SUCCESS;
> +
> +}
> +
> +/*
> + * @brief log details of an add operation.
> + *
> + * Log the details of an add operation.
> + *
> + * @param module the ldb_module
> + * @param req the ldb_request
> + *
> + * @return ldb status code
> + */
> +static int log_add(
> + struct ldb_module *module,
> + struct ldb_request *req)
> +{
> + struct audit_callback_context *context = NULL;
> + struct ldb_request *new_req = NULL;
> + struct ldb_context *ldb = NULL;
> + int ret;
> +
> + ldb = ldb_module_get_ctx(module);
> + context = talloc_zero(req, struct audit_callback_context);
> +
> + if (context == NULL) {
> + return ldb_oom(ldb);
> + }
> + context->request = req;
> + context->module = module;
> + /*
> + * We want to log the return code status, so we need to register
> + * a callback function to get the actual result.
> + * We need to take a new copy so that we don't alter the callers copy
> + */
> + ret = ldb_build_add_req(
> + &new_req,
> + ldb,
> + req,
> + req->op.add.message,
> + req->controls,
> + context,
> + audit_callback,
> + req);
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + ret = add_transaction_id(module, new_req);
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + return ldb_next_request(module, new_req);
> +}
> +
> +/*
> + * @brief log details of an delete operation.
> + *
> + * Log the details of an delete operation.
> + *
> + * @param module the ldb_module
> + * @param req the ldb_request
> + *
> + * @return ldb status code
> + */
> +static int log_delete(
> + struct ldb_module *module,
> + struct ldb_request *req)
> +{
> + struct audit_callback_context *context = NULL;
> + struct ldb_request *new_req = NULL;
> + struct ldb_context *ldb = NULL;
> + int ret;
> +
> + ldb = ldb_module_get_ctx(module);
> + context = talloc_zero(req, struct audit_callback_context);
> +
> + if (context == NULL) {
> + return ldb_oom(ldb);
> + }
> + context->request = req;
> + context->module = module;
> + /*
> + * We want to log the return code status, so we need to register
> + * a callback function to get the actual result.
> + * We need to take a new copy so that we don't alter the callers copy
> + */
> + ret = ldb_build_del_req(&new_req,
> + ldb,
> + req,
> + req->op.del.dn,
> + req->controls,
> + context,
> + audit_callback,
> + req);
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + ret = add_transaction_id(module, new_req);
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + return ldb_next_request(module, new_req);
> +}
> +
> +/*
> + * @brief log details of a modify operation.
> + *
> + * Log the details of a modify operation.
> + *
> + * @param module the ldb_module
> + * @param req the ldb_request
> + *
> + * @return ldb status code
> + */
> +static int log_modify(
> + struct ldb_module *module,
> + struct ldb_request *req)
> +{
> + struct audit_callback_context *context = NULL;
> + struct ldb_request *new_req = NULL;
> + struct ldb_context *ldb = NULL;
> + int ret;
> +
> + ldb = ldb_module_get_ctx(module);
> + context = talloc_zero(req, struct audit_callback_context);
> +
> + if (context == NULL) {
> + return ldb_oom(ldb);
> + }
> + context->request = req;
> + context->module = module;
> + /*
> + * We want to log the return code status, so we need to register
> + * a callback function to get the actual result.
> + * We need to take a new copy so that we don't alter the callers copy
> + */
> + ret = ldb_build_mod_req(
> + & new_req,
> + ldb,
> + req,
> + req->op.mod.message,
> + req->controls,
> + context,
> + audit_callback,
> + req);
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + ret = add_transaction_id(module, new_req);
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + return ldb_next_request(module, new_req);
> +}
> +
> +/*
> + * @brief process a transaction start.
> + *
> + * process a transaction start, as we don't currently log transaction starts
> + * just generate the new transaction_id.
> + *
> + * @param module the ldb_module
> + * @param req the ldb_request
> + *
> + * @return ldb status code
> + */
> +static int log_start_transaction(struct ldb_module *module)
> +{
> + struct audit_context *ac =
> + talloc_get_type(ldb_module_get_private(module),
> + struct audit_context);
> +
> + /*
> + * We do not log transaction begins
> + * however we do generate a new transaction_id
> + *
> + */
> + ac->transaction_guid = GUID_random();
> + return ldb_next_start_trans(module);
> +}
> +
> +/*
> + * @brief log details of a prepare commit.
> + *
> + * Log the details of a prepare commit, currently only details of
> + * failures are logged.
> + *
> + * @param module the ldb_module
> + * @param req the ldb_request
> + *
> + * @return ldb status code
> + */
> +static int log_prepare_commit(struct ldb_module *module)
> +{
> +
> + int ret = ldb_next_prepare_commit(module);
> + if (ret != LDB_SUCCESS) {
> + /*
> + * We currently only log prepare commit failures
> + */
> + log_commit_failure(module, "prepare", ret);
> + }
> + return ret;
> +}
> +
> +/*
> + * @brief process a transaction end aka commit.
> + *
> + * process a transaction end, as we don't currently log transaction ends
> + * just clear transaction_id.
> + *
> + * @param module the ldb_module
> + * @param req the ldb_request
> + *
> + * @return ldb status code
> + */
> +static int log_end_transaction(struct ldb_module *module)
> +{
> + struct audit_context *ac =
> + talloc_get_type(ldb_module_get_private(module),
> + struct audit_context);
> + int ret = 0;
> +
> + /*
> + * Clear the transaction id inserted by log_start_transaction
> + */
> + memset(&ac->transaction_guid, 0, sizeof(struct GUID));
> +
> + ret = ldb_next_end_trans(module);
> + if (ret != LDB_SUCCESS) {
> + /*
> + * We currently only log commit failures
> + */
> + log_commit_failure(module, "commit", ret);
> + }
> + return ret;
> +}
> +
> +/*
> + * @brief log details of a transaction delete aka roll back.
> + *
> + * Log details of a transaction roll back.
> + *
> + * @param module the ldb_module
> + * @param req the ldb_request
> + *
> + * @return ldb status code
> + */
> +static int log_del_transaction(struct ldb_module *module)
> +{
> + struct audit_context *ac =
> + talloc_get_type(ldb_module_get_private(module),
> + struct audit_context);
> +
> + log_transaction(module, "rollback");
> + memset(&ac->transaction_guid, 0, sizeof(struct GUID));
> + return ldb_next_del_trans(module);
> +}
> +
> +/*
> + * @brief log details of an extended operation.
> + *
> + * Log the details of an extended operation.
> + *
> + * @param module the ldb_module
> + * @param req the ldb_request
> + *
> + * @return ldb status code
> + */
> +static int log_extended(
> + struct ldb_module *module,
> + struct ldb_request *req)
> +{
> + struct audit_callback_context *context = NULL;
> + struct ldb_request *new_req = NULL;
> + struct ldb_context *ldb = NULL;
> + int ret;
> +
> + /*
> + * Currently we only log replication extended operations
> + */
> + if (strcmp(
> + req->op.extended.oid,
> + DSDB_EXTENDED_REPLICATED_OBJECTS_OID) != 0) {
> +
> + return ldb_next_request(module, req);
> + }
> + ldb = ldb_module_get_ctx(module);
> + context = talloc_zero(req, struct audit_callback_context);
> +
> + if (context == NULL) {
> + return ldb_oom(ldb);
> + }
> + context->request = req;
> + context->module = module;
> + /*
> + * We want to log the return code status, so we need to register
> + * a callback function to get the actual result.
> + * We need to take a new copy so that we don't alter the callers copy
> + */
> + ret = ldb_build_extended_req(
> + &new_req,
> + ldb,
> + req,
> + req->op.extended.oid,
> + req->op.extended.data,
> + req->controls,
> + context,
> + audit_callback,
> + req);
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + ret = add_transaction_id(module, new_req);
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + return ldb_next_request(module, new_req);
> +}
> +
> +/*
> + * @brief module initialisation
> + */
> +static int log_init(struct ldb_module *module)
> +{
> +
> + struct ldb_context *ldb = ldb_module_get_ctx(module);
> + struct audit_context *context = NULL;
> + struct loadparm_context *lp_ctx
> + = talloc_get_type_abort(ldb_get_opaque(ldb, "loadparm"),
> + struct loadparm_context);
> + struct tevent_context *ec = ldb_get_event_context(ldb);
> + bool sdb_events = false;
> + bool pwd_events = false;
> +
> + context = talloc_zero(module, struct audit_context);
> + if (context == NULL) {
> + return ldb_module_oom(module);
> + }
> +
> + if (lp_ctx != NULL) {
> + sdb_events = lpcfg_dsdb_event_notification(lp_ctx);
> + pwd_events = lpcfg_dsdb_password_event_notification(lp_ctx);
> + }
> + if (sdb_events || pwd_events) {
> + context->send_samdb_events = sdb_events;
> + context->send_password_events = pwd_events;
> + context->msg_ctx = imessaging_client_init(ec, lp_ctx, ec);
> + }
> +
> + ldb_module_set_private(module, context);
> + return ldb_next_init(module);
> +}
> +
> +static const struct ldb_module_ops ldb_audit_log_module_ops = {
> + .name = "audit_log",
> + .init_context = log_init,
> + .add = log_add,
> + .modify = log_modify,
> + .del = log_delete,
> + .start_transaction = log_start_transaction,
> + .prepare_commit = log_prepare_commit,
> + .end_transaction = log_end_transaction,
> + .del_transaction = log_del_transaction,
> + .extended = log_extended,
> +};
> +
> +int ldb_audit_log_module_init(const char *version)
> +{
> + LDB_MODULE_CHECK_VERSION(version);
> + return ldb_register_module(&ldb_audit_log_module_ops);
> +}
> diff --git a/source4/dsdb/samdb/ldb_modules/audit_util.c b/source4/dsdb/samdb/ldb_modules/audit_util.c
> new file mode 100644
> index 0000000..71802e5
> --- /dev/null
> +++ b/source4/dsdb/samdb/ldb_modules/audit_util.c
> @@ -0,0 +1,602 @@
> +/*
> + ldb database module utility library
> +
> + Copyright (C) Andrew Bartlett <abartlet at samba.org> 2018
> +
> + This program is free software; you can redistribute it and/or modify
> + it under the terms of the GNU General Public License as published by
> + the Free Software Foundation; either version 3 of the License, or
> + (at your option) any later version.
> +
> + This program is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + GNU General Public License for more details.
> +
> + You should have received a copy of the GNU General Public License
> + along with this program. If not, see <http://www.gnu.org/licenses/>.
> +*/
> +
> +/*
> + * Common utility functions for SamDb audit logging.
> + *
> + */
> +
> +#include "includes.h"
> +#include "ldb_module.h"
> +#include "lib/audit_logging/audit_logging.h"
> +
> +#include "dsdb/samdb/samdb.h"
> +#include "dsdb/samdb/ldb_modules/util.h"
> +#include "libcli/security/dom_sid.h"
> +#include "libcli/security/security_token.h"
> +#include "auth/common_auth.h"
> +#include "param/param.h"
> +#include "dsdb/samdb/ldb_modules/util.h"
> +
> +#define MAX_LENGTH 1024
> +
> +#define min(a, b) (((a)>(b))?(b):(a))
> +
> +/*
> + * List of attributes considered secret or confidential the values of these
> + * attributes should not be displayed in log messages.
> + */
> +static const char * const secret_attributes[] = {
> + DSDB_SECRET_ATTRIBUTES,
> + NULL};
> +/*
> + * List of attributes that contain a password, used to detect password changes
> + */
> +static const char * const password_attributes[] = {
> + DSDB_PASSWORD_ATTRIBUTES,
> + NULL};
> +
> +/*
> + * @brief Should the value of the specified value be redacted.
> + *
> + * The values of secret or password attributes should not be displayed.
> + *
> + * @param name The attributes name.
> + *
> + * @return True if the attribute should be redacted
> + */
> +bool redact_attribute(const char * name)
> +{
> +
> + if (ldb_attr_in_list(secret_attributes, name)) {
> + return true;
> + }
> +
> + if (ldb_attr_in_list(password_attributes, name)) {
> + return true;
> + }
> +
> + return false;
> +}
> +
> +/*
> + * @brief is the attribute a password attribute?
> + *
> + * Is the attribute a password attribute.
> + *
> + * @return True if the attribute is a "Password" attribute.
> + */
> +bool is_password_attribute(const char * name)
> +{
> +
> + bool is_password = ldb_attr_in_list(password_attributes, name);
> + return is_password;
> +}
> +
> +/*
> + * @brief Get the remote address from the ldb context.
> + *
> + * The remote address is stored in the ldb opaque value "remoteAddress"
> + * it is the responsibility of the higher level code to ensure that this
> + * value is set.
> + *
> + * @param ldb the ldb_context.
> + *
> + * @return the remote address if known, otherwise NULL.
> + */
> +const struct tsocket_address *get_remote_address(
> + struct ldb_context *ldb)
> +{
> + void *opaque_remote_address = NULL;
> + struct tsocket_address *remote_address;
> +
> + opaque_remote_address = ldb_get_opaque(ldb,
> + "remoteAddress");
> + if (opaque_remote_address == NULL) {
> + return NULL;
> + }
> +
> + remote_address = talloc_get_type(opaque_remote_address,
> + struct tsocket_address);
> + return remote_address;
> +}
> +
> +/*
> + * @brief Get the actual user SID from ldb context.
> + *
> + * The actual user SID is stored in the ldb opaque value "networkSessionInfo"
> + * it is the responsibility of the higher level code to ensure that this
> + * value is set.
> + *
> + * @param ldb the ldb_context.
> + *
> + * @return the users actual sid.
> + */
> +const struct dom_sid *get_actual_sid(
> + struct ldb_context *ldb)
> +{
> + void *opaque_session = NULL;
> + struct auth_session_info *session = NULL;
> + struct security_token *user_token = NULL;
> +
> + opaque_session = ldb_get_opaque(ldb, "networkSessionInfo");
> + if (opaque_session == NULL) {
> + return NULL;
> + }
> +
> + session = talloc_get_type(opaque_session, struct auth_session_info);
> + if (session == NULL) {
> + return NULL;
> + }
> +
> + user_token = session->security_token;
> + if (user_token == NULL) {
> + return NULL;
> + }
> + return &user_token->sids[0];
> +}
> +/*
> + * @brief get the ldb error string.
> + *
> + * Get the ldb error string if set, otherwise get the generic error code
> + * for the status code.
> + *
> + * @param ldb the ldb_context.
> + * @param status the ldb_status code.
> + *
> + * @return a string describing the error.
> + */
> +const char *get_ldb_error_string(
> + struct ldb_module *module,
> + int status)
> +{
> + struct ldb_context *ldb = ldb_module_get_ctx(module);
> + const char *err_string = ldb_errstring(ldb);
> +
> + if (err_string == NULL) {
> + return ldb_strerror(status);
> + }
> + return err_string;
> +}
> +
> +/*
> + * @brief get the SID of the user performing the operation.
> + *
> + * Get the SID of the user performing the operation.
> + *
> + * @param module the ldb_module.
> + *
> + * @return the SID of the currently logged on user.
> + */
> +const struct dom_sid *get_user_sid(const struct ldb_module *module)
> +{
> + struct security_token *user_token = NULL;
> +
> + /*
> + * acl_user_token does not alter module so it's safe
> + * to discard the const.
> + */
> + user_token = acl_user_token(discard_const(module));
> + if (user_token == NULL) {
> + return NULL;
> + }
> + return &user_token->sids[0];
> +
> +}
> +
> +/*
> + * @brief is operation being performed using the system session.
> + *
> + * Is the operation being performed using the system session.
> + *
> + * @param module the ldb_module.
> + *
> + * @return true if the operation is being performed using the system session.
> + */
> +bool is_system_session(const struct ldb_module *module)
> +{
> + struct security_token *user_token = NULL;
> +
> + /*
> + * acl_user_token does not alter module and security_token_is_system
> + * does not alter the security token so it's safe to discard the const.
> + */
> + user_token = acl_user_token(discard_const(module));
> + if (user_token == NULL) {
> + return false;
> + }
> + return security_token_is_system(user_token);;
> +
> +}
> +
> +/*
> + * @brief get the session identifier GUID
> + *
> + * Get the GUID that uniquely identifies the current authenticated session.
> + *
> + * @param module the ldb_module.
> + *
> + * @return the unique session GUID
> + */
> +const struct GUID *get_unique_session_token(const struct ldb_module *module)
> +{
> + struct ldb_context *ldb = ldb_module_get_ctx(discard_const(module));
> + struct auth_session_info *session_info
> + = (struct auth_session_info *)ldb_get_opaque(
> + ldb,
> + "sessionInfo");
> + if(!session_info) {
> + return NULL;
> + }
> + return &session_info->unique_session_token;
> +}
> +
> +/*
> + * @brief get the actual user session identifier
> + *
> + * Get the GUID that uniquely identifies the current authenticated session.
> + * This is the session of the connected user, as it may differ from the
> + * session the operation is being performed as, i.e. for operations performed
> + * under the system session.
> + *
> + * @param context the ldb_context.
> + *
> + * @return the unique session GUID
> + */
> +const struct GUID *get_actual_unique_session_token(
> + struct ldb_context *ldb)
> +{
> + struct auth_session_info *session_info
> + = (struct auth_session_info *)ldb_get_opaque(
> + ldb,
> + "networkSessionInfo");
> + if(!session_info) {
> + return NULL;
> + }
> + return &session_info->unique_session_token;
> +}
> +
> +/*
> + * @brief Get a printable string value for the remote host address.
> + *
> + * Get a printable string representation of the remote host, for display in the
> + * the audit logs.
> + *
> + * @param ldb the ldb context.
> + * @param mem_ctx the talloc memory context that will own the returned string.
> + *
> + * @return A string representation of the remote host address or "Unknown"
> + *
> + */
> +char *get_remote_host(
> + struct ldb_context *ldb,
> + TALLOC_CTX *mem_ctx)
> +{
> + const struct tsocket_address *remote_address;
> + char* remote_host = NULL;
> +
> + remote_address = get_remote_address(ldb);
> + if (remote_address == NULL) {
> + remote_host = talloc_asprintf(mem_ctx, "Unknown");
> + return remote_host;
> + }
> +
> + remote_host = tsocket_address_string(remote_address, mem_ctx);
> + return remote_host;
> +}
> +
> +/*
> + * @brief get a printable representation of the primary DN.
> + *
> + * Get a printable representation of the primary DN. The primary DN is the
> + * DN of the object being added, deleted, modified or renamed.
> + *
> + * @param the ldb_request.
> + *
> + * @return a printable and linearized DN
> + */
> +const char* get_primary_dn(
> + const struct ldb_request *request)
> +{
> + struct ldb_dn *dn = NULL;
> + switch (request->operation) {
> + case LDB_ADD:
> + if (request->op.add.message != NULL) {
> + dn = request->op.add.message->dn;
> + }
> + break;
> + case LDB_MODIFY:
> + if (request->op.mod.message != NULL) {
> + dn = request->op.mod.message->dn;
> + }
> + break;
> + case LDB_DELETE:
> + dn = request->op.del.dn;
> + break;
> + case LDB_RENAME:
> + dn = request->op.rename.olddn;
> + break;
> + default:
> + dn = NULL;
> + break;
> + }
> + if (dn == NULL) {
> + return NULL;
> + }
> + return ldb_dn_get_linearized(dn);
> +}
> +
> +/*
> + * @brief Get the ldb_message from a request.
> + *
> + * Get the ldb_message for the request, returns NULL is there is no
> + * associated ldb_message
> + *
> + * @param The request
> + *
> + * @return the message associated with this request, or NULL
> + */
> +const struct ldb_message *get_message(
> + const struct ldb_request *request)
> +{
> + switch (request->operation) {
> + case LDB_ADD:
> + return request->op.add.message;
> + case LDB_MODIFY:
> + return request->op.mod.message;
> + default:
> + return NULL;
> + }
> +}
> +
> +/*
> + * @brief get the secondary dn, i.e. the target dn for a rename.
> + *
> + * Get the secondary dn, i.e. the target for a rename. This is only applicable
> + * got a rename operation, for the non rename operations this function returns
> + * NULL.
> + *
> + * @param request the ldb_request.
> + *
> + * @return the secondary dn in a printable and linearized form.
> + */
> +const char *get_secondary_dn(
> + const struct ldb_request *request)
> +{
> + switch (request->operation) {
> + case LDB_RENAME:
> + return ldb_dn_get_linearized(request->op.rename.newdn);
> + default:
> + return NULL;
> + }
> +}
> +
> +/*
> + * @brief Map the request operation to a description.
> + *
> + * Get a description of the operation for logging
> + *
> + * @param request the ldb_request
> + *
> + * @return a string describing the operation, or "Unknown" if the operation
> + * is not known.
> + */
> +const char *get_operation_name(
> + const struct ldb_request *request)
> +{
> + switch (request->operation) {
> + case LDB_SEARCH:
> + return "Search";
> + case LDB_ADD:
> + return "Add";
> + case LDB_MODIFY:
> + return "Modify";
> + case LDB_DELETE:
> + return "Delete";
> + case LDB_RENAME:
> + return "Rename";
> + case LDB_EXTENDED:
> + return "Extended";
> + case LDB_REQ_REGISTER_CONTROL:
> + return "Register Control";
> + case LDB_REQ_REGISTER_PARTITION:
> + return "Register Partition";
> + default:
> + return "Unknown";
> + }
> +}
> +
> +/*
> + * @brief get a description of a modify action for logging.
> + *
> + * Get a brief description of the modification action suitable for logging.
> + *
> + * @param flags the ldb_attributes flags.
> + *
> + * @return a brief description, or "unknown".
> + */
> +const char *get_modification_action(
> + unsigned int flags)
> +{
> + switch (LDB_FLAG_MOD_TYPE(flags)) {
> + case LDB_FLAG_MOD_ADD:
> + return "add";
> + case LDB_FLAG_MOD_DELETE:
> + return "delete";
> + case LDB_FLAG_MOD_REPLACE:
> + return "replace";
> + default:
> + return "unknown";
> + }
> +}
> +
> +/*
> + * @brief Add an ldb_value to a json object array
> + *
> + * Convert the current ldb_value to a JSON object and append it to array.
> + * {
> + * "value":"xxxxxxxx",
> + * "base64":true
> + * "truncated":true
> + * }
> + *
> + * value is the JSON string representation of the ldb_val,
> + * will be null if the value is zero length. The value will be
> + * truncated if it is more than MAX_LENGTH bytes long. It will also
> + * be base64 encoded if it contains any non printable characters.
> + *
> + * base64 Indicates that the value is base64 encoded, will be absent if the
> + * value is not encoded.
> + *
> + * truncated Indicates that the length of the value exceeded MAX_LENGTH and was
> + * truncated. Note that vales are truncated and then base64 encoded.
> + * so an encoded value can be longer than MAX_LENGTH.
> + *
> + * @param array the JSON array to append the value to.
> + * @param lv the ldb_val to convert and append to the array.
> + *
> + */
> +static void add_ldb_value(
> + struct json_object *array,
> + const struct ldb_val lv)
> +{
> +
> + json_assert_is_array(array);
> + if (json_is_invalid(array)) {
> + return;
> + }
> +
> + if (lv.length == 0 || lv.data == NULL) {
> + json_add_object(array, NULL, NULL);
> + return;
> + }
> +
> + bool base64 = ldb_should_b64_encode(NULL, &lv);
> + int len = min(lv.length, MAX_LENGTH);
> + struct json_object value = json_new_object();
> + if (lv.length > MAX_LENGTH) {
> + json_add_bool(&value, "truncated", true);
> + }
> + if (base64) {
> + TALLOC_CTX *ctx = talloc_new(NULL);
> + char *encoded = ldb_base64_encode(
> + ctx,
> + (char*) lv.data,
> + len);
> +
> + json_add_bool(&value, "base64", true);
> + json_add_string(&value, "value", encoded);
> + TALLOC_FREE(ctx);
> + } else {
> + json_add_stringn(&value, "value", (char *)lv.data, len);
> + }
> + /*
> + * As array is a JSON array the element name is NULL
> + */
> + json_add_object(array, NULL, &value);
> +}
> +
> +/*
> + * @brief Build a JSON object containing the attributes in an ldb_message.
> + *
> + * Build a JSON object containing all the attributes in an ldb_message.
> + * The attributes are keyed by attribute name, the values of "secret attributes"
> + * are supressed.
> + *
> + * {
> + * "password":{
> + * "redacted":true,
> + * "action":"delete"
> + * },
> + * "name":{
> + * "values": [
> + * {
> + * "value":"xxxxxxxx",
> + * "base64":true
> + * "truncated":true
> + * },
> + * ],
> + * "action":"add",
> + * }
> + * }
> + *
> + * values is an array of json objects generated by add_ldb_value.
> + * redacted indicates that the attribute is secret.
> + * action is only set for modification operations.
> + *
> + * @param operation the ldb operation being performed
> + * @param message the ldb_message to process.
> + *
> + * @return A populated json object.
> + *
> + */
> +struct json_object attributes_json(
> + enum ldb_request_type operation,
> + const struct ldb_message* message)
> +{
> +
> + struct json_object attributes = json_new_object();
> + int i, j;
> + for (i=0;i<message->num_elements;i++) {
> + struct json_object actions;
> + struct json_object attribute;
> + struct json_object action = json_new_object();
> + const char *name = message->elements[i].name;
> +
> + /*
> + * If this is a modify operation tag the attribute with
> + * the modification action.
> + */
> + if (operation == LDB_MODIFY) {
> + const char *act = NULL;
> + const int flags = message->elements[i].flags;
> + act = get_modification_action(flags);
> + json_add_string(&action, "action" , act);
> + }
> + if (operation == LDB_ADD) {
> + json_add_string(&action, "action" , "add");
> + }
> +
> + /*
> + * If the attribute is a secret attribute, tag it as redacted
> + * and don't include the values
> + */
> + if (redact_attribute(name)) {
> + json_add_bool(&action, "redacted", true);
> + } else {
> + struct json_object values;
> + /*
> + * Add the values for the action
> + */
> + values = json_new_array();
> + for (j=0;j<message->elements[i].num_values;j++) {
> + add_ldb_value(
> + &values,
> + message->elements[i].values[j]);
> + }
> + json_add_object(&action, "values", &values);
> + }
> + attribute = json_get_object(&attributes, name);
> + actions = json_get_array(&attribute, "actions");
> + json_add_object(&actions, NULL, &action);
> + json_add_object(&attribute, "actions", &actions);
> + json_add_object(&attributes, name, &attribute);
> + }
> + return attributes;
> +}
> diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
> index 54ec6a2..baa30f9 100644
> --- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
> +++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
> @@ -292,7 +292,8 @@ static int samba_dsdb_init(struct ldb_module *module)
> "extended_dn_store",
> NULL };
> /* extended_dn_in or extended_dn_in_openldap goes here */
> - static const char *modules_list1a[] = {"objectclass",
> + static const char *modules_list1a[] = {"audit_log",
> + "objectclass",
> "tombstone_reanimate",
> "descriptor",
> "acl",
> diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c b/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c
> new file mode 100644
> index 0000000..3cde7ae
> --- /dev/null
> +++ b/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c
> @@ -0,0 +1,2248 @@
> +/*
> + Unit tests for the dsdb audit logging code code in audit_log.c
> +
> + Copyright (C) Andrew Bartlett <abartlet at samba.org> 2018
> +
> + This program is free software; you can redistribute it and/or modify
> + it under the terms of the GNU General Public License as published by
> + the Free Software Foundation; either version 3 of the License, or
> + (at your option) any later version.
> +
> + This program is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + GNU General Public License for more details.
> +
> + You should have received a copy of the GNU General Public License
> + along with this program. If not, see <http://www.gnu.org/licenses/>.
> +*/
> +
> +#include <stdarg.h>
> +#include <stddef.h>
> +#include <setjmp.h>
> +#include <unistd.h>
> +#include <cmocka.h>
> +
> +int ldb_audit_log_module_init(const char *version);
> +#include "../audit_log.c"
> +
> +#include "lib/ldb/include/ldb_private.h"
> +#include <regex.h>
> +
> +/*
> + * Test helper to check ISO 8601 timestamps for validity
> + */
> +static void check_timestamp(time_t before, const char* timestamp)
> +{
> + int rc;
> + int usec, tz;
> + char c[2];
> + struct tm tm;
> + time_t after;
> + time_t actual;
> +
> +
> + after = time(NULL);
> +
> + /*
> + * Convert the ISO 8601 timestamp into a time_t
> + * Note for convenience we ignore the value of the microsecond
> + * part of the time stamp.
> + */
> + rc = sscanf(
> + timestamp,
> + "%4d-%2d-%2dT%2d:%2d:%2d.%6d%1c%4d",
> + &tm.tm_year,
> + &tm.tm_mon,
> + &tm.tm_mday,
> + &tm.tm_hour,
> + &tm.tm_min,
> + &tm.tm_sec,
> + &usec,
> + c,
> + &tz);
> + assert_int_equal(9, rc);
> + tm.tm_year = tm.tm_year - 1900;
> + tm.tm_mon = tm.tm_mon - 1;
> + tm.tm_isdst = -1;
> + actual = mktime(&tm);
> +
> + /*
> + * The timestamp should be before <= actual <= after
> + */
> + assert_true(difftime(actual, before) >= 0);
> + assert_true(difftime(after, actual) >= 0);
> +}
> +
> +static void test_has_password_changed(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_message *msg = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + /*
> + * Empty message
> + */
> + msg = ldb_msg_new(ldb);
> + assert_false(has_password_changed(msg));
> + TALLOC_FREE(msg);
> +
> + /*
> + * No password attributes
> + */
> + msg = ldb_msg_new(ldb);
> + ldb_msg_add_string(msg, "attr01", "value01");
> + assert_false(has_password_changed(msg));
> + TALLOC_FREE(msg);
> +
> + /*
> + * No password attributes >1 entries
> + */
> + msg = ldb_msg_new(ldb);
> + ldb_msg_add_string(msg, "attr01", "value01");
> + ldb_msg_add_string(msg, "attr02", "value03");
> + ldb_msg_add_string(msg, "attr03", "value03");
> + assert_false(has_password_changed(msg));
> + TALLOC_FREE(msg);
> +
> + /*
> + * userPassword set
> + */
> + msg = ldb_msg_new(ldb);
> + ldb_msg_add_string(msg, "userPassword", "value01");
> + assert_true(has_password_changed(msg));
> + TALLOC_FREE(msg);
> +
> + /*
> + * clearTextPassword set
> + */
> + msg = ldb_msg_new(ldb);
> + ldb_msg_add_string(msg, "clearTextPassword", "value01");
> + assert_true(has_password_changed(msg));
> + TALLOC_FREE(msg);
> +
> + /*
> + * unicodePwd set
> + */
> + msg = ldb_msg_new(ldb);
> + ldb_msg_add_string(msg, "unicodePwd", "value01");
> + assert_true(has_password_changed(msg));
> + TALLOC_FREE(msg);
> +
> + /*
> + * dBCSPwd set
> + */
> + msg = ldb_msg_new(ldb);
> + ldb_msg_add_string(msg, "dBCSPwd", "value01");
> + assert_true(has_password_changed(msg));
> + TALLOC_FREE(msg);
> +
> + /*
> + * All attributes set
> + */
> + msg = ldb_msg_new(ldb);
> + ldb_msg_add_string(msg, "userPassword", "value01");
> + ldb_msg_add_string(msg, "clearTextPassword", "value02");
> + ldb_msg_add_string(msg, "unicodePwd", "value03");
> + ldb_msg_add_string(msg, "dBCSPwd", "value04");
> + assert_true(has_password_changed(msg));
> + TALLOC_FREE(msg);
> +
> + /*
> + * first attribute is a password attribute
> + */
> + msg = ldb_msg_new(ldb);
> + ldb_msg_add_string(msg, "userPassword", "value01");
> + ldb_msg_add_string(msg, "attr02", "value02");
> + ldb_msg_add_string(msg, "attr03", "value03");
> + ldb_msg_add_string(msg, "attr04", "value04");
> + assert_true(has_password_changed(msg));
> + TALLOC_FREE(msg);
> +
> + /*
> + * last attribute is a password attribute
> + */
> + msg = ldb_msg_new(ldb);
> + ldb_msg_add_string(msg, "attr01", "value01");
> + ldb_msg_add_string(msg, "attr02", "value02");
> + ldb_msg_add_string(msg, "attr03", "value03");
> + ldb_msg_add_string(msg, "clearTextPassword", "value04");
> + assert_true(has_password_changed(msg));
> + TALLOC_FREE(msg);
> +
> + /*
> + * middle attribute is a password attribute
> + */
> + msg = ldb_msg_new(ldb);
> + ldb_msg_add_string(msg, "attr01", "value01");
> + ldb_msg_add_string(msg, "attr02", "value02");
> + ldb_msg_add_string(msg, "unicodePwd", "pwd");
> + ldb_msg_add_string(msg, "attr03", "value03");
> + ldb_msg_add_string(msg, "attr04", "value04");
> + assert_true(has_password_changed(msg));
> + TALLOC_FREE(msg);
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_get_password_action(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct dsdb_control_password_acl_validation *pav = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + /*
> + * Add request, will always be a reset
> + */
> + ldb_build_add_req(&req, ldb, ctx, NULL, NULL, NULL, NULL, NULL);
> + reply = talloc_zero(ctx, struct ldb_reply);
> + assert_string_equal("Reset", get_password_action(req, reply));
> + TALLOC_FREE(req);
> + TALLOC_FREE(reply);
> +
> + /*
> + * No password control acl, expect "Reset"
> + */
> + ldb_build_mod_req(&req, ldb, ctx, NULL, NULL, NULL, NULL, NULL);
> + reply = talloc_zero(ctx, struct ldb_reply);
> + assert_string_equal("Reset", get_password_action(req, reply));
> + TALLOC_FREE(req);
> + TALLOC_FREE(reply);
> +
> + /*
> + * dsdb_control_password_acl_validation reset = false, expect "Change"
> + */
> + ldb_build_mod_req(&req, ldb, ctx, NULL, NULL, NULL, NULL, NULL);
> + reply = talloc_zero(ctx, struct ldb_reply);
> + pav = talloc_zero(req, struct dsdb_control_password_acl_validation);
> +
> + ldb_reply_add_control(
> + reply,
> + DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID,
> + false,
> + pav);
> + assert_string_equal("Change", get_password_action(req, reply));
> + TALLOC_FREE(req);
> + TALLOC_FREE(reply);
> +
> + /*
> + * dsdb_control_password_acl_validation reset = true, expect "Reset"
> + */
> + ldb_build_mod_req(&req, ldb, ctx, NULL, NULL, NULL, NULL, NULL);
> + reply = talloc_zero(ctx, struct ldb_reply);
> + pav = talloc_zero(req, struct dsdb_control_password_acl_validation);
> + pav->pwd_reset = true;
> +
> + ldb_reply_add_control(
> + reply,
> + DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID,
> + false,
> + pav);
> + assert_string_equal("Reset", get_password_action(req, reply));
> + TALLOC_FREE(req);
> + TALLOC_FREE(reply);
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +#ifdef HAVE_JANSSON
> +/*
> + * Test helper to validate a version object.
> + */
> +static void check_version(struct json_t *version, int major, int minor)
> +{
> + struct json_t *v = NULL;
> +
> + assert_true(json_is_object(version));
> + assert_int_equal(2, json_object_size(version));
> +
> + v = json_object_get(version, "major");
> + assert_non_null(v);
> + assert_int_equal(major, json_integer_value(v));
> +
> + v = json_object_get(version, "minor");
> + assert_non_null(v);
> + assert_int_equal(minor, json_integer_value(v));
> +}
> +
> +/*
> + * minimal unit test of operation_json, that ensures that all the expected
> + * attributes and objects are in the json object.
> + */
> +static void test_operation_json_empty(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> +
> + struct json_object json;
> + json_t *audit = NULL;
> + json_t *v = NULL;
> + json_t *o = NULL;
> + time_t before;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> + ac = talloc_zero(ctx, struct audit_context);
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_SUCCESS;
> +
> + before = time(NULL);
> + json = operation_json(module, req, reply);
> + assert_int_equal(3, json_object_size(json.root));
> +
> +
> + v = json_object_get(json.root, "type");
> + assert_non_null(v);
> + assert_string_equal("dsdbChange", json_string_value(v));
> +
> + v = json_object_get(json.root, "timestamp");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + check_timestamp(before, json_string_value(v));
> +
> + audit = json_object_get(json.root, "dsdbChange");
> + assert_non_null(audit);
> + assert_true(json_is_object(audit));
> + assert_int_equal(10, json_object_size(audit));
> +
> + o = json_object_get(audit, "version");
> + assert_non_null(o);
> + check_version(o, OPERATION_MAJOR, OPERATION_MINOR);
> +
> + v = json_object_get(audit, "statusCode");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(LDB_SUCCESS, json_integer_value(v));
> +
> + v = json_object_get(audit, "status");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("Success", json_string_value(v));
> +
> + v = json_object_get(audit, "operation");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + /*
> + * Search operation constant is zero
> + */
> + assert_string_equal("Search", json_string_value(v));
> +
> + v = json_object_get(audit, "remoteAddress");
> + assert_non_null(v);
> + assert_true(json_is_null(v));
> +
> + v = json_object_get(audit, "userSid");
> + assert_non_null(v);
> + assert_true(json_is_null(v));
> +
> + v = json_object_get(audit, "performedAsSystem");
> + assert_non_null(v);
> + assert_true(json_is_boolean(v));
> + assert_true(json_is_false(v));
> +
> +
> + v = json_object_get(audit, "dn");
> + assert_non_null(v);
> + assert_true(json_is_null(v));
> +
> + v = json_object_get(audit, "transactionId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(
> + "00000000-0000-0000-0000-000000000000",
> + json_string_value(v));
> +
> + v = json_object_get(audit, "sessionId");
> + assert_non_null(v);
> + assert_true(json_is_null(v));
> +
> + json_free(&json);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +/*
> + * unit test of operation_json, that ensures that all the expected
> + * attributes and objects are in the json object.
> + */
> +static void test_operation_json(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> +
> + struct tsocket_address *ts = NULL;
> +
> + struct auth_session_info *sess = NULL;
> + struct security_token *token = NULL;
> + struct dom_sid sid;
> + const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779";
> + const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> + struct GUID session_id;
> +
> + struct GUID transaction_id;
> + const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + struct ldb_dn *dn = NULL;
> + const char *const DN = "dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG";
> +
> + struct ldb_message *msg = NULL;
> +
> + struct json_object json;
> + json_t *audit = NULL;
> + json_t *v = NULL;
> + json_t *o = NULL;
> + json_t *a = NULL;
> + json_t *b = NULL;
> + json_t *c = NULL;
> + json_t *d = NULL;
> + json_t *e = NULL;
> + json_t *f = NULL;
> + json_t *g = NULL;
> + time_t before;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + ac = talloc_zero(ctx, struct audit_context);
> + GUID_from_string(TRANSACTION, &transaction_id);
> + ac->transaction_guid = transaction_id;
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + tsocket_address_inet_from_strings(ctx, "ip", "127.0.0.1", 0, &ts);
> + ldb_set_opaque(ldb, "remoteAddress", ts);
> +
> + sess = talloc_zero(ctx, struct auth_session_info);
> + token = talloc_zero(ctx, struct security_token);
> + string_to_sid(&sid, SID);
> + token->num_sids = 1;
> + token->sids = &sid;
> + sess->security_token = token;
> + GUID_from_string(SESSION, &session_id);
> + sess->unique_session_token = session_id;
> + ldb_set_opaque(ldb, "sessionInfo", sess);
> +
> + msg = talloc_zero(ctx, struct ldb_message);
> + dn = ldb_dn_new(ctx, ldb, DN);
> + msg->dn = dn;
> + ldb_msg_add_string(msg, "attribute", "the-value");
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + req->operation = LDB_ADD;
> + req->op.add.message = msg;
> +
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_ERR_OPERATIONS_ERROR;
> +
> + before = time(NULL);
> + json = operation_json(module, req, reply);
> + assert_int_equal(3, json_object_size(json.root));
> +
> + v = json_object_get(json.root, "type");
> + assert_non_null(v);
> + assert_string_equal("dsdbChange", json_string_value(v));
> +
> + v = json_object_get(json.root, "timestamp");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + check_timestamp(before, json_string_value(v));
> +
> + audit = json_object_get(json.root, "dsdbChange");
> + assert_non_null(audit);
> + assert_true(json_is_object(audit));
> + assert_int_equal(11, json_object_size(audit));
> +
> + o = json_object_get(audit, "version");
> + assert_non_null(o);
> + check_version(o, OPERATION_MAJOR, OPERATION_MINOR);
> +
> + v = json_object_get(audit, "statusCode");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(LDB_ERR_OPERATIONS_ERROR, json_integer_value(v));
> +
> + v = json_object_get(audit, "status");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("Operations error", json_string_value(v));
> +
> + v = json_object_get(audit, "operation");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("Add", json_string_value(v));
> +
> + v = json_object_get(audit, "remoteAddress");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("ipv4:127.0.0.1:0", json_string_value(v));
> +
> + v = json_object_get(audit, "userSid");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(SID, json_string_value(v));
> +
> + v = json_object_get(audit, "performedAsSystem");
> + assert_non_null(v);
> + assert_true(json_is_boolean(v));
> + assert_true(json_is_false(v));
> +
> + v = json_object_get(audit, "dn");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(DN, json_string_value(v));
> +
> + v = json_object_get(audit, "transactionId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(TRANSACTION, json_string_value(v));
> +
> + v = json_object_get(audit, "sessionId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(SESSION, json_string_value(v));
> +
> + o = json_object_get(audit, "attributes");
> + assert_non_null(v);
> + assert_true(json_is_object(o));
> + assert_int_equal(1, json_object_size(o));
> +
> + a = json_object_get(o, "attribute");
> + assert_non_null(a);
> + assert_true(json_is_object(a));
> +
> + b = json_object_get(a, "actions");
> + assert_non_null(b);
> + assert_true(json_is_array(b));
> + assert_int_equal(1, json_array_size(b));
> +
> + c = json_array_get(b, 0);
> + assert_non_null(c);
> + assert_true(json_is_object(c));
> +
> + d = json_object_get(c, "action");
> + assert_non_null(d);
> + assert_true(json_is_string(d));
> + assert_string_equal("add", json_string_value(d));
> +
> + e = json_object_get(c, "values");
> + assert_non_null(b);
> + assert_true(json_is_array(e));
> + assert_int_equal(1, json_array_size(e));
> +
> + f = json_array_get(e, 0);
> + assert_non_null(f);
> + assert_true(json_is_object(f));
> + assert_int_equal(1, json_object_size(f));
> +
> + g = json_object_get(f, "value");
> + assert_non_null(g);
> + assert_true(json_is_string(g));
> + assert_string_equal("the-value", json_string_value(g));
> +
> + json_free(&json);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +/*
> + * unit test of operation_json, that ensures that all the expected
> + * attributes and objects are in the json object.
> + * In this case for an operation performed as the system user.
> + */
> +static void test_as_system_operation_json(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> +
> + struct tsocket_address *ts = NULL;
> +
> + struct auth_session_info *sess = NULL;
> + struct auth_session_info *sys_sess = NULL;
> + struct security_token *token = NULL;
> + struct security_token *sys_token = NULL;
> + struct dom_sid sid;
> + const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779";
> + const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> + const char * const SYS_SESSION = "7130cb06-2062-6a1b-409e-3514c26b1998";
> + struct GUID session_id;
> + struct GUID sys_session_id;
> +
> + struct GUID transaction_id;
> + const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + struct ldb_dn *dn = NULL;
> + const char *const DN = "dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG";
> +
> + struct ldb_message *msg = NULL;
> +
> + struct json_object json;
> + json_t *audit = NULL;
> + json_t *v = NULL;
> + json_t *o = NULL;
> + json_t *a = NULL;
> + json_t *b = NULL;
> + json_t *c = NULL;
> + json_t *d = NULL;
> + json_t *e = NULL;
> + json_t *f = NULL;
> + json_t *g = NULL;
> + time_t before;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + ac = talloc_zero(ctx, struct audit_context);
> + GUID_from_string(TRANSACTION, &transaction_id);
> + ac->transaction_guid = transaction_id;
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + tsocket_address_inet_from_strings(ctx, "ip", "127.0.0.1", 0, &ts);
> + ldb_set_opaque(ldb, "remoteAddress", ts);
> +
> + sess = talloc_zero(ctx, struct auth_session_info);
> + token = talloc_zero(ctx, struct security_token);
> + string_to_sid(&sid, SID);
> + token->num_sids = 1;
> + token->sids = &sid;
> + sess->security_token = token;
> + GUID_from_string(SESSION, &session_id);
> + sess->unique_session_token = session_id;
> + ldb_set_opaque(ldb, "networkSessionInfo", sess);
> +
> + sys_sess = talloc_zero(ctx, struct auth_session_info);
> + sys_token = talloc_zero(ctx, struct security_token);
> + sys_token->num_sids = 1;
> + sys_token->sids = discard_const(&global_sid_System);
> + sys_sess->security_token = sys_token;
> + GUID_from_string(SYS_SESSION, &sys_session_id);
> + sess->unique_session_token = sys_session_id;
> + ldb_set_opaque(ldb, "sessionInfo", sys_sess);
> +
> + msg = talloc_zero(ctx, struct ldb_message);
> + dn = ldb_dn_new(ctx, ldb, DN);
> + msg->dn = dn;
> + ldb_msg_add_string(msg, "attribute", "the-value");
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + req->operation = LDB_ADD;
> + req->op.add.message = msg;
> +
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_ERR_OPERATIONS_ERROR;
> +
> + before = time(NULL);
> + json = operation_json(module, req, reply);
> + assert_int_equal(3, json_object_size(json.root));
> +
> + v = json_object_get(json.root, "type");
> + assert_non_null(v);
> + assert_string_equal("dsdbChange", json_string_value(v));
> +
> + v = json_object_get(json.root, "timestamp");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + check_timestamp(before, json_string_value(v));
> +
> + audit = json_object_get(json.root, "dsdbChange");
> + assert_non_null(audit);
> + assert_true(json_is_object(audit));
> + assert_int_equal(11, json_object_size(audit));
> +
> + o = json_object_get(audit, "version");
> + assert_non_null(o);
> + check_version(o, OPERATION_MAJOR, OPERATION_MINOR);
> +
> + v = json_object_get(audit, "statusCode");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(LDB_ERR_OPERATIONS_ERROR, json_integer_value(v));
> +
> + v = json_object_get(audit, "status");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("Operations error", json_string_value(v));
> +
> + v = json_object_get(audit, "operation");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("Add", json_string_value(v));
> +
> + v = json_object_get(audit, "remoteAddress");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("ipv4:127.0.0.1:0", json_string_value(v));
> +
> + v = json_object_get(audit, "userSid");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(SID, json_string_value(v));
> +
> + v = json_object_get(audit, "performedAsSystem");
> + assert_non_null(v);
> + assert_true(json_is_boolean(v));
> + assert_true(json_is_true(v));
> +
> + v = json_object_get(audit, "dn");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(DN, json_string_value(v));
> +
> + v = json_object_get(audit, "transactionId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(TRANSACTION, json_string_value(v));
> +
> + v = json_object_get(audit, "sessionId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(SYS_SESSION, json_string_value(v));
> +
> + o = json_object_get(audit, "attributes");
> + assert_non_null(v);
> + assert_true(json_is_object(o));
> + assert_int_equal(1, json_object_size(o));
> +
> + a = json_object_get(o, "attribute");
> + assert_non_null(a);
> + assert_true(json_is_object(a));
> +
> + b = json_object_get(a, "actions");
> + assert_non_null(b);
> + assert_true(json_is_array(b));
> + assert_int_equal(1, json_array_size(b));
> +
> + c = json_array_get(b, 0);
> + assert_non_null(c);
> + assert_true(json_is_object(c));
> +
> + d = json_object_get(c, "action");
> + assert_non_null(d);
> + assert_true(json_is_string(d));
> + assert_string_equal("add", json_string_value(d));
> +
> + e = json_object_get(c, "values");
> + assert_non_null(b);
> + assert_true(json_is_array(e));
> + assert_int_equal(1, json_array_size(e));
> +
> + f = json_array_get(e, 0);
> + assert_non_null(f);
> + assert_true(json_is_object(f));
> + assert_int_equal(1, json_object_size(f));
> +
> + g = json_object_get(f, "value");
> + assert_non_null(g);
> + assert_true(json_is_string(g));
> + assert_string_equal("the-value", json_string_value(g));
> +
> + json_free(&json);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +/*
> + * minimal unit test of password_change_json, that ensures that all the expected
> + * attributes and objects are in the json object.
> + */
> +static void test_password_change_json_empty(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> +
> + struct json_object json;
> + json_t *audit = NULL;
> + json_t *v = NULL;
> + json_t *o = NULL;
> + time_t before;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> + ac = talloc_zero(ctx, struct audit_context);
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_SUCCESS;
> +
> + before = time(NULL);
> + json = password_change_json(module, req, reply);
> + assert_int_equal(3, json_object_size(json.root));
> +
> +
> + v = json_object_get(json.root, "type");
> + assert_non_null(v);
> + assert_string_equal("passwordChange", json_string_value(v));
> +
> + v = json_object_get(json.root, "timestamp");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + check_timestamp(before, json_string_value(v));
> +
> + audit = json_object_get(json.root, "passwordChange");
> + assert_non_null(audit);
> + assert_true(json_is_object(audit));
> + assert_int_equal(9, json_object_size(audit));
> +
> + o = json_object_get(audit, "version");
> + assert_non_null(o);
> +
> + v = json_object_get(audit, "statusCode");
> + assert_non_null(v);
> +
> + v = json_object_get(audit, "status");
> + assert_non_null(v);
> +
> + v = json_object_get(audit, "remoteAddress");
> + assert_non_null(v);
> +
> + v = json_object_get(audit, "userSid");
> + assert_non_null(v);
> +
> + v = json_object_get(audit, "dn");
> + assert_non_null(v);
> +
> + v = json_object_get(audit, "transactionId");
> + assert_non_null(v);
> +
> + v = json_object_get(audit, "sessionId");
> + assert_non_null(v);
> +
> + v = json_object_get(audit, "action");
> + assert_non_null(v);
> +
> + json_free(&json);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +/*
> + * minimal unit test of password_change_json, that ensures that all the expected
> + * attributes and objects are in the json object.
> + */
> +static void test_password_change_json(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> +
> + struct tsocket_address *ts = NULL;
> +
> + struct auth_session_info *sess = NULL;
> + struct security_token *token = NULL;
> + struct dom_sid sid;
> + const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779";
> + const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> + struct GUID session_id;
> +
> + struct GUID transaction_id;
> + const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + struct ldb_dn *dn = NULL;
> + const char *const DN = "dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG";
> +
> + struct ldb_message *msg = NULL;
> +
> + struct json_object json;
> + json_t *audit = NULL;
> + json_t *v = NULL;
> + json_t *o = NULL;
> + time_t before;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + ac = talloc_zero(ctx, struct audit_context);
> + GUID_from_string(TRANSACTION, &transaction_id);
> + ac->transaction_guid = transaction_id;
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + tsocket_address_inet_from_strings(ctx, "ip", "127.0.0.1", 0, &ts);
> + ldb_set_opaque(ldb, "remoteAddress", ts);
> +
> + sess = talloc_zero(ctx, struct auth_session_info);
> + token = talloc_zero(ctx, struct security_token);
> + string_to_sid(&sid, SID);
> + token->num_sids = 1;
> + token->sids = &sid;
> + sess->security_token = token;
> + GUID_from_string(SESSION, &session_id);
> + sess->unique_session_token = session_id;
> + ldb_set_opaque(ldb, "sessionInfo", sess);
> +
> + msg = talloc_zero(ctx, struct ldb_message);
> + dn = ldb_dn_new(ctx, ldb, DN);
> + msg->dn = dn;
> + ldb_msg_add_string(msg, "planTextPassword", "super-secret");
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + req->operation = LDB_ADD;
> + req->op.add.message = msg;
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_SUCCESS;
> +
> + before = time(NULL);
> + json = password_change_json(module, req, reply);
> + assert_int_equal(3, json_object_size(json.root));
> +
> +
> + v = json_object_get(json.root, "type");
> + assert_non_null(v);
> + assert_string_equal("passwordChange", json_string_value(v));
> +
> + v = json_object_get(json.root, "timestamp");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + check_timestamp(before, json_string_value(v));
> +
> + audit = json_object_get(json.root, "passwordChange");
> + assert_non_null(audit);
> + assert_true(json_is_object(audit));
> + assert_int_equal(9, json_object_size(audit));
> +
> + o = json_object_get(audit, "version");
> + assert_non_null(o);
> + check_version(o, PASSWORD_MAJOR,PASSWORD_MINOR);
> +
> + v = json_object_get(audit, "statusCode");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(LDB_SUCCESS, json_integer_value(v));
> +
> + v = json_object_get(audit, "status");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("Success", json_string_value(v));
> +
> + v = json_object_get(audit, "remoteAddress");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("ipv4:127.0.0.1:0", json_string_value(v));
> +
> + v = json_object_get(audit, "userSid");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(SID, json_string_value(v));
> +
> + v = json_object_get(audit, "dn");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(DN, json_string_value(v));
> +
> + v = json_object_get(audit, "transactionId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(TRANSACTION, json_string_value(v));
> +
> + v = json_object_get(audit, "sessionId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(SESSION, json_string_value(v));
> +
> + v = json_object_get(audit, "action");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("Reset", json_string_value(v));
> +
> + json_free(&json);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +
> +/*
> + * minimal unit test of transaction_json, that ensures that all the expected
> + * attributes and objects are in the json object.
> + */
> +static void test_transaction_json(void **state)
> +{
> +
> + struct GUID guid;
> + const char * const GUID = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + struct json_object json;
> + json_t *audit = NULL;
> + json_t *v = NULL;
> + json_t *o = NULL;
> + time_t before;
> +
> + GUID_from_string(GUID, &guid);
> +
> + before = time(NULL);
> + json = transaction_json("delete", &guid);
> +
> + assert_int_equal(3, json_object_size(json.root));
> +
> +
> + v = json_object_get(json.root, "type");
> + assert_non_null(v);
> + assert_string_equal("dsdbTransaction", json_string_value(v));
> +
> + v = json_object_get(json.root, "timestamp");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + check_timestamp(before, json_string_value(v));
> +
> + audit = json_object_get(json.root, "dsdbTransaction");
> + assert_non_null(audit);
> + assert_true(json_is_object(audit));
> + assert_int_equal(3, json_object_size(audit));
> +
> + o = json_object_get(audit, "version");
> + assert_non_null(o);
> + check_version(o, TRANSACTION_MAJOR, TRANSACTION_MINOR);
> +
> + v = json_object_get(audit, "transactionId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(GUID, json_string_value(v));
> +
> + v = json_object_get(audit, "action");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("delete", json_string_value(v));
> +
> + json_free(&json);
> +
> +}
> +
> +/*
> + * minimal unit test of commit_failure_json, that ensures that all the
> + * expected attributes and objects are in the json object.
> + */
> +static void test_commit_failure_json(void **state)
> +{
> +
> + struct GUID guid;
> + const char * const GUID = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + struct json_object json;
> + json_t *audit = NULL;
> + json_t *v = NULL;
> + json_t *o = NULL;
> + time_t before;
> +
> + GUID_from_string(GUID, &guid);
> +
> + before = time(NULL);
> + json = commit_failure_json(
> + "prepare",
> + LDB_ERR_OPERATIONS_ERROR,
> + "because",
> + &guid);
> +
> + assert_int_equal(3, json_object_size(json.root));
> +
> +
> + v = json_object_get(json.root, "type");
> + assert_non_null(v);
> + assert_string_equal("dsdbTransaction", json_string_value(v));
> +
> + v = json_object_get(json.root, "timestamp");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + check_timestamp(before, json_string_value(v));
> +
> + audit = json_object_get(json.root, "dsdbTransaction");
> + assert_non_null(audit);
> + assert_true(json_is_object(audit));
> + assert_int_equal(6, json_object_size(audit));
> +
> + o = json_object_get(audit, "version");
> + assert_non_null(o);
> + check_version(o, TRANSACTION_MAJOR, TRANSACTION_MINOR);
> +
> + v = json_object_get(audit, "transactionId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(GUID, json_string_value(v));
> +
> + v = json_object_get(audit, "action");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("prepare", json_string_value(v));
> +
> + v = json_object_get(audit, "statusCode");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(LDB_ERR_OPERATIONS_ERROR, json_integer_value(v));
> +
> + v = json_object_get(audit, "status");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("Operations error", json_string_value(v));
> + v = json_object_get(audit, "status");
> + assert_non_null(v);
> +
> + v = json_object_get(audit, "reason");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("because", json_string_value(v));
> +
> + json_free(&json);
> +
> +}
> +
> +/*
> + * minimal unit test of replicated_update_json, that ensures that all the
> + * expected attributes and objects are in the json object.
> + */
> +static void test_replicated_update_json_empty(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> + struct dsdb_extended_replicated_objects *ro = NULL;
> + struct repsFromTo1 *source_dsa = NULL;
> +
> + struct json_object json;
> + json_t *audit = NULL;
> + json_t *v = NULL;
> + json_t *o = NULL;
> + time_t before;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> + ac = talloc_zero(ctx, struct audit_context);
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + source_dsa = talloc_zero(ctx, struct repsFromTo1);
> + ro = talloc_zero(ctx, struct dsdb_extended_replicated_objects);
> + ro->source_dsa = source_dsa;
> + req = talloc_zero(ctx, struct ldb_request);
> + req->op.extended.data = ro;
> + req->operation = LDB_EXTENDED;
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_SUCCESS;
> +
> + before = time(NULL);
> + json = replicated_update_json(module, req, reply);
> + assert_int_equal(3, json_object_size(json.root));
> +
> +
> + v = json_object_get(json.root, "type");
> + assert_non_null(v);
> + assert_string_equal("replicatedUpdate", json_string_value(v));
> +
> + v = json_object_get(json.root, "timestamp");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + check_timestamp(before, json_string_value(v));
> +
> + audit = json_object_get(json.root, "replicatedUpdate");
> + assert_non_null(audit);
> + assert_true(json_is_object(audit));
> + assert_int_equal(11, json_object_size(audit));
> +
> + o = json_object_get(audit, "version");
> + assert_non_null(o);
> + check_version(o, REPLICATION_MAJOR, REPLICATION_MINOR);
> +
> + v = json_object_get(audit, "statusCode");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(LDB_SUCCESS, json_integer_value(v));
> +
> + v = json_object_get(audit, "status");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("Success", json_string_value(v));
> +
> + v = json_object_get(audit, "transactionId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(
> + "00000000-0000-0000-0000-000000000000",
> + json_string_value(v));
> +
> + v = json_object_get(audit, "objectCount");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(0, json_integer_value(v));
> +
> + v = json_object_get(audit, "linkCount");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(0, json_integer_value(v));
> +
> + v = json_object_get(audit, "partitionDN");
> + assert_non_null(v);
> + assert_true(json_is_null(v));
> +
> + v = json_object_get(audit, "error");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(
> + "The operation completed successfully.",
> + json_string_value(v));
> +
> + v = json_object_get(audit, "errorCode");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(0, json_integer_value(v));
> +
> + v = json_object_get(audit, "sourceDsa");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(
> + "00000000-0000-0000-0000-000000000000",
> + json_string_value(v));
> +
> + v = json_object_get(audit, "invocationId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(
> + "00000000-0000-0000-0000-000000000000",
> + json_string_value(v));
> +
> + json_free(&json);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +/*
> + * unit test of replicated_update_json, that ensures that all the expected
> + * attributes and objects are in the json object.
> + */
> +static void test_replicated_update_json(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> + struct dsdb_extended_replicated_objects *ro = NULL;
> + struct repsFromTo1 *source_dsa = NULL;
> +
> + struct GUID transaction_id;
> + const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + struct ldb_dn *dn = NULL;
> + const char *const DN = "dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG";
> +
> + struct GUID source_dsa_obj_guid;
> + const char *const SOURCE_DSA = "7130cb06-2062-6a1b-409e-3514c26b1793";
> +
> + struct GUID invocation_id;
> + const char *const INVOCATION_ID =
> + "7130cb06-2062-6a1b-409e-3514c26b1893";
> + struct json_object json;
> + json_t *audit = NULL;
> + json_t *v = NULL;
> + json_t *o = NULL;
> + time_t before;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + ac = talloc_zero(ctx, struct audit_context);
> + GUID_from_string(TRANSACTION, &transaction_id);
> + ac->transaction_guid = transaction_id;
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + dn = ldb_dn_new(ctx, ldb, DN);
> + GUID_from_string(SOURCE_DSA, &source_dsa_obj_guid);
> + GUID_from_string(INVOCATION_ID, &invocation_id);
> + source_dsa = talloc_zero(ctx, struct repsFromTo1);
> + source_dsa->source_dsa_obj_guid = source_dsa_obj_guid;
> + source_dsa->source_dsa_invocation_id = invocation_id;
> +
> + ro = talloc_zero(ctx, struct dsdb_extended_replicated_objects);
> + ro->source_dsa = source_dsa;
> + ro->num_objects = 808;
> + ro->linked_attributes_count = 2910;
> + ro->partition_dn = dn;
> + ro->error = WERR_NOT_SUPPORTED;
> +
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + req->op.extended.data = ro;
> + req->operation = LDB_EXTENDED;
> +
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_ERR_NO_SUCH_OBJECT;
> +
> + before = time(NULL);
> + json = replicated_update_json(module, req, reply);
> + assert_int_equal(3, json_object_size(json.root));
> +
> +
> + v = json_object_get(json.root, "type");
> + assert_non_null(v);
> + assert_string_equal("replicatedUpdate", json_string_value(v));
> +
> + v = json_object_get(json.root, "timestamp");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + check_timestamp(before, json_string_value(v));
> +
> + audit = json_object_get(json.root, "replicatedUpdate");
> + assert_non_null(audit);
> + assert_true(json_is_object(audit));
> + assert_int_equal(11, json_object_size(audit));
> +
> + o = json_object_get(audit, "version");
> + assert_non_null(o);
> + check_version(o, REPLICATION_MAJOR, REPLICATION_MINOR);
> +
> + v = json_object_get(audit, "statusCode");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(LDB_ERR_NO_SUCH_OBJECT, json_integer_value(v));
> +
> + v = json_object_get(audit, "status");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("No such object", json_string_value(v));
> +
> + v = json_object_get(audit, "transactionId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(TRANSACTION, json_string_value(v));
> +
> + v = json_object_get(audit, "objectCount");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(808, json_integer_value(v));
> +
> + v = json_object_get(audit, "linkCount");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(2910, json_integer_value(v));
> +
> + v = json_object_get(audit, "partitionDN");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(DN, json_string_value(v));
> +
> + v = json_object_get(audit, "error");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(
> + "The request is not supported.",
> + json_string_value(v));
> +
> + v = json_object_get(audit, "errorCode");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(W_ERROR_V(WERR_NOT_SUPPORTED), json_integer_value(v));
> +
> + v = json_object_get(audit, "sourceDsa");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(SOURCE_DSA, json_string_value(v));
> +
> + v = json_object_get(audit, "invocationId");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal(INVOCATION_ID, json_string_value(v));
> +
> + json_free(&json);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +#endif
> +
> +/*
> + * minimal unit test of operation_human_readable, that ensures that all the
> + * expected attributes and objects are in the json object.
> + */
> +static void test_operation_hr_empty(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> +
> + char *line = NULL;
> + const char *rs = NULL;
> + regex_t regex;
> +
> + int ret;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> + ac = talloc_zero(ctx, struct audit_context);
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_SUCCESS;
> +
> + line = operation_human_readable(ctx, module, req, reply);
> + assert_non_null(line);
> +
> + /*
> + * We ignore the timestamp to make this test a little easier
> + * to write.
> + */
> + rs = "\\[Search] at \\["
> + "[^[]*"
> + "\\] status \\[Success\\] remote host \\[Unknown\\]"
> + " SID \\[(NULL SID)\\] DN \\[(null)\\]";
> +
> + ret = regcomp(®ex, rs, 0);
> + assert_int_equal(0, ret);
> +
> + ret = regexec(®ex, line, 0, NULL, 0);
> + assert_int_equal(0, ret);
> +
> + regfree(®ex);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +/*
> + * unit test of operation_json, that ensures that all the expected
> + * attributes and objects are in the json object.
> + */
> +static void test_operation_hr(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> +
> + struct tsocket_address *ts = NULL;
> +
> + struct auth_session_info *sess = NULL;
> + struct security_token *token = NULL;
> + struct dom_sid sid;
> + const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779";
> + const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> + struct GUID session_id;
> +
> + struct GUID transaction_id;
> + const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + struct ldb_dn *dn = NULL;
> + const char *const DN = "dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG";
> +
> + struct ldb_message *msg = NULL;
> +
> + char *line = NULL;
> + const char *rs = NULL;
> + regex_t regex;
> +
> + int ret;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + ac = talloc_zero(ctx, struct audit_context);
> + GUID_from_string(TRANSACTION, &transaction_id);
> + ac->transaction_guid = transaction_id;
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + tsocket_address_inet_from_strings(ctx, "ip", "127.0.0.1", 0, &ts);
> + ldb_set_opaque(ldb, "remoteAddress", ts);
> +
> + sess = talloc_zero(ctx, struct auth_session_info);
> + token = talloc_zero(ctx, struct security_token);
> + string_to_sid(&sid, SID);
> + token->num_sids = 1;
> + token->sids = &sid;
> + sess->security_token = token;
> + GUID_from_string(SESSION, &session_id);
> + sess->unique_session_token = session_id;
> + ldb_set_opaque(ldb, "sessionInfo", sess);
> +
> + msg = talloc_zero(ctx, struct ldb_message);
> + dn = ldb_dn_new(ctx, ldb, DN);
> + msg->dn = dn;
> + ldb_msg_add_string(msg, "attribute", "the-value");
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + req->operation = LDB_ADD;
> + req->op.add.message = msg;
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_SUCCESS;
> +
> + line = operation_human_readable(ctx, module, req, reply);
> + assert_non_null(line);
> +
> + /*
> + * We ignore the timestamp to make this test a little easier
> + * to write.
> + */
> + rs = "\\[Add\\] at \\["
> + "[^]]*"
> + "\\] status \\[Success\\] "
> + "remote host \\[ipv4:127.0.0.1:0\\] "
> + "SID \\[S-1-5-21-2470180966-3899876309-2637894779\\] "
> + "DN \\[dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG\\] "
> + "attributes \\[attribute \\[the-value\\]\\]";
> +
> + ret = regcomp(®ex, rs, 0);
> + assert_int_equal(0, ret);
> +
> + ret = regexec(®ex, line, 0, NULL, 0);
> + assert_int_equal(0, ret);
> +
> + regfree(®ex);
> + TALLOC_FREE(ctx);
> +}
> +
> +/*
> + * unit test of operation_json, that ensures that all the expected
> + * attributes and objects are in the json object.
> + * In this case the operation is being performed in a system session.
> + */
> +static void test_as_system_operation_hr(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> +
> + struct tsocket_address *ts = NULL;
> +
> + struct auth_session_info *sess = NULL;
> + struct auth_session_info *sys_sess = NULL;
> + struct security_token *token = NULL;
> + struct security_token *sys_token = NULL;
> + struct dom_sid sid;
> + const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779";
> + const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> + const char * const SYS_SESSION = "7130cb06-2062-6a1b-409e-3514c26b1999";
> + struct GUID session_id;
> + struct GUID sys_session_id;
> +
> + struct GUID transaction_id;
> + const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + struct ldb_dn *dn = NULL;
> + const char *const DN = "dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG";
> +
> + struct ldb_message *msg = NULL;
> +
> + char *line = NULL;
> + const char *rs = NULL;
> + regex_t regex;
> +
> + int ret;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + ac = talloc_zero(ctx, struct audit_context);
> + GUID_from_string(TRANSACTION, &transaction_id);
> + ac->transaction_guid = transaction_id;
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + tsocket_address_inet_from_strings(ctx, "ip", "127.0.0.1", 0, &ts);
> + ldb_set_opaque(ldb, "remoteAddress", ts);
> +
> + sess = talloc_zero(ctx, struct auth_session_info);
> + token = talloc_zero(ctx, struct security_token);
> + string_to_sid(&sid, SID);
> + token->num_sids = 1;
> + token->sids = &sid;
> + sess->security_token = token;
> + GUID_from_string(SESSION, &session_id);
> + sess->unique_session_token = session_id;
> + ldb_set_opaque(ldb, "networkSessionInfo", sess);
> +
> + sys_sess = talloc_zero(ctx, struct auth_session_info);
> + sys_token = talloc_zero(ctx, struct security_token);
> + sys_token->num_sids = 1;
> + sys_token->sids = discard_const(&global_sid_System);
> + sys_sess->security_token = sys_token;
> + GUID_from_string(SYS_SESSION, &sys_session_id);
> + sess->unique_session_token = sys_session_id;
> + ldb_set_opaque(ldb, "sessionInfo", sys_sess);
> +
> + msg = talloc_zero(ctx, struct ldb_message);
> + dn = ldb_dn_new(ctx, ldb, DN);
> + msg->dn = dn;
> + ldb_msg_add_string(msg, "attribute", "the-value");
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + req->operation = LDB_ADD;
> + req->op.add.message = msg;
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_SUCCESS;
> +
> + line = operation_human_readable(ctx, module, req, reply);
> + assert_non_null(line);
> +
> + /*
> + * We ignore the timestamp to make this test a little easier
> + * to write.
> + */
> + rs = "\\[Add\\] at \\["
> + "[^]]*"
> + "\\] status \\[Success\\] "
> + "remote host \\[ipv4:127.0.0.1:0\\] "
> + "SID \\[S-1-5-21-2470180966-3899876309-2637894779\\] "
> + "DN \\[dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG\\] "
> + "attributes \\[attribute \\[the-value\\]\\]";
> +
> + ret = regcomp(®ex, rs, 0);
> + assert_int_equal(0, ret);
> +
> + ret = regexec(®ex, line, 0, NULL, 0);
> + assert_int_equal(0, ret);
> +
> + regfree(®ex);
> + TALLOC_FREE(ctx);
> +}
> +
> +/*
> + * minimal unit test of password_change_json, that ensures that all the expected
> + * attributes and objects are in the json object.
> + */
> +static void test_password_change_hr_empty(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> +
> + char *line = NULL;
> + const char *rs = NULL;
> + regex_t regex;
> + int ret;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> + ac = talloc_zero(ctx, struct audit_context);
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_SUCCESS;
> +
> + line = password_change_human_readable(ctx, module, req, reply);
> + assert_non_null(line);
> +
> + /*
> + * We ignore the timestamp to make this test a little easier
> + * to write.
> + */
> + rs = "\\[Reset] at \\["
> + "[^[]*"
> + "\\] status \\[Success\\] remote host \\[Unknown\\]"
> + " SID \\[(NULL SID)\\] DN \\[(null)\\]";
> +
> + ret = regcomp(®ex, rs, 0);
> + assert_int_equal(0, ret);
> +
> + ret = regexec(®ex, line, 0, NULL, 0);
> + assert_int_equal(0, ret);
> +
> + regfree(®ex);
> + TALLOC_FREE(ctx);
> +}
> +
> +/*
> + * minimal unit test of password_change_json, that ensures that all the expected
> + * attributes and objects are in the json object.
> + */
> +static void test_password_change_hr(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> +
> + struct tsocket_address *ts = NULL;
> +
> + struct auth_session_info *sess = NULL;
> + struct security_token *token = NULL;
> + struct dom_sid sid;
> + const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779";
> + const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> + struct GUID session_id;
> +
> + struct GUID transaction_id;
> + const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + struct ldb_dn *dn = NULL;
> + const char *const DN = "dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG";
> +
> + struct ldb_message *msg = NULL;
> +
> + char *line = NULL;
> + const char *rs = NULL;
> + regex_t regex;
> + int ret;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + ac = talloc_zero(ctx, struct audit_context);
> + GUID_from_string(TRANSACTION, &transaction_id);
> + ac->transaction_guid = transaction_id;
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + tsocket_address_inet_from_strings(ctx, "ip", "127.0.0.1", 0, &ts);
> + ldb_set_opaque(ldb, "remoteAddress", ts);
> +
> + sess = talloc_zero(ctx, struct auth_session_info);
> + token = talloc_zero(ctx, struct security_token);
> + string_to_sid(&sid, SID);
> + token->num_sids = 1;
> + token->sids = &sid;
> + sess->security_token = token;
> + GUID_from_string(SESSION, &session_id);
> + sess->unique_session_token = session_id;
> + ldb_set_opaque(ldb, "sessionInfo", sess);
> +
> + msg = talloc_zero(ctx, struct ldb_message);
> + dn = ldb_dn_new(ctx, ldb, DN);
> + msg->dn = dn;
> + ldb_msg_add_string(msg, "planTextPassword", "super-secret");
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + req->operation = LDB_ADD;
> + req->op.add.message = msg;
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_SUCCESS;
> +
> + line = password_change_human_readable(ctx, module, req, reply);
> + assert_non_null(line);
> +
> + /*
> + * We ignore the timestamp to make this test a little easier
> + * to write.
> + */
> + rs = "\\[Reset\\] at \\["
> + "[^[]*"
> + "\\] status \\[Success\\] "
> + "remote host \\[ipv4:127.0.0.1:0\\] "
> + "SID \\[S-1-5-21-2470180966-3899876309-2637894779\\] "
> + "DN \\[dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG\\]";
> +
> + ret = regcomp(®ex, rs, 0);
> + assert_int_equal(0, ret);
> +
> + ret = regexec(®ex, line, 0, NULL, 0);
> + assert_int_equal(0, ret);
> +
> + regfree(®ex);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +/*
> + * minimal unit test of transaction_json, that ensures that all the expected
> + * attributes and objects are in the json object.
> + */
> +static void test_transaction_hr(void **state)
> +{
> +
> + struct GUID guid;
> + const char * const GUID = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + char *line = NULL;
> + const char *rs = NULL;
> + regex_t regex;
> + int ret;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + GUID_from_string(GUID, &guid);
> +
> + line = transaction_human_readable(ctx, "delete");
> + assert_non_null(line);
> +
> + /*
> + * We ignore the timestamp to make this test a little easier
> + * to write.
> + */
> + rs = "\\[delete] at \\[[^[]*\\]";
> +
> + ret = regcomp(®ex, rs, 0);
> + assert_int_equal(0, ret);
> +
> + ret = regexec(®ex, line, 0, NULL, 0);
> + assert_int_equal(0, ret);
> +
> + regfree(®ex);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +/*
> + * minimal unit test of commit_failure_hr, that ensures
> + * that all the expected conten is in the log entry.
> + */
> +static void test_commit_failure_hr(void **state)
> +{
> +
> + struct GUID guid;
> + const char * const GUID = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + char *line = NULL;
> + const char *rs = NULL;
> + regex_t regex;
> + int ret;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + GUID_from_string(GUID, &guid);
> +
> + line = commit_failure_human_readable(
> + ctx,
> + "commit",
> + LDB_ERR_OPERATIONS_ERROR,
> + "because");
> +
> + assert_non_null(line);
> +
> + /*
> + * We ignore the timestamp to make this test a little easier
> + * to write.
> + */
> + rs = "\\[commit\\] at \\[[^[]*\\] status \\[1\\] reason \\[because\\]";
> +
> + ret = regcomp(®ex, rs, 0);
> + assert_int_equal(0, ret);
> +
> + ret = regexec(®ex, line, 0, NULL, 0);
> + assert_int_equal(0, ret);
> +
> + regfree(®ex);
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_add_transaction_id(void **state)
> +{
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct audit_context *ac = NULL;
> + struct GUID guid;
> + const char * const GUID = "7130cb06-2062-6a1b-409e-3514c26b1773";
> + struct ldb_control * control = NULL;
> + int status;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ac = talloc_zero(ctx, struct audit_context);
> + GUID_from_string(GUID, &guid);
> + ac->transaction_guid = guid;
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + ldb_module_set_private(module, ac);
> +
> + req = talloc_zero(ctx, struct ldb_request);
> +
> + status = add_transaction_id(module, req);
> + assert_int_equal(LDB_SUCCESS, status);
> +
> + control = ldb_request_get_control(
> + req,
> + DSDB_CONTROL_TRANSACTION_IDENTIFIER_OID);
> + assert_non_null(control);
> + assert_memory_equal(
> + &ac->transaction_guid,
> + control->data,
> + sizeof(struct GUID));
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_log_attributes(void **state)
> +{
> + struct ldb_message *msg = NULL;
> +
> + char *buf = NULL;
> + char *str = NULL;
> + char lv[MAX_LENGTH+2];
> + char ex[MAX_LENGTH+80];
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> +
> + /*
> + * Test an empty message
> + * Should get empty attributes representation.
> + */
> + buf = talloc_zero(ctx, char);
> + msg = talloc_zero(ctx, struct ldb_message);
> +
> + str = log_attributes(ctx, buf, LDB_ADD, msg);
> + assert_string_equal("", str);
> +
> + TALLOC_FREE(str);
> + TALLOC_FREE(msg);
> +
> + /*
> + * Test a message with a single secret attribute
> + */
> + buf = talloc_zero(ctx, char);
> + msg = talloc_zero(ctx, struct ldb_message);
> + ldb_msg_add_string(msg, "clearTextPassword", "secret");
> +
> + str = log_attributes(ctx, buf, LDB_ADD, msg);
> + assert_string_equal(
> + "clearTextPassword [REDACTED SECRET ATTRIBUTE]",
> + str);
> + TALLOC_FREE(str);
> + /*
> + * Test as a modify message, should add an action
> + * action will be unknown as there are no ACL's set
> + */
> + buf = talloc_zero(ctx, char);
> + str = log_attributes(ctx, buf, LDB_MODIFY, msg);
> + assert_string_equal(
> + "unknown: clearTextPassword [REDACTED SECRET ATTRIBUTE]",
> + str);
> +
> + TALLOC_FREE(str);
> + TALLOC_FREE(msg);
> +
> + /*
> + * Test a message with a single attribute, single valued attribute
> + */
> + buf = talloc_zero(ctx, char);
> + msg = talloc_zero(ctx, struct ldb_message);
> + ldb_msg_add_string(msg, "attribute", "value");
> +
> + str = log_attributes(ctx, buf, LDB_ADD, msg);
> + assert_string_equal(
> + "attribute [value]",
> + str);
> +
> + TALLOC_FREE(str);
> + TALLOC_FREE(msg);
> +
> + /*
> + * Test a message with a single attribute, single valued attribute
> + * And as a modify
> + */
> + buf = talloc_zero(ctx, char);
> + msg = talloc_zero(ctx, struct ldb_message);
> + ldb_msg_add_string(msg, "attribute", "value");
> +
> + str = log_attributes(ctx, buf, LDB_MODIFY, msg);
> + assert_string_equal(
> + "unknown: attribute [value]",
> + str);
> +
> + TALLOC_FREE(str);
> + TALLOC_FREE(msg);
> +
> + /*
> + * Test a message with multiple attributes and a multi-valued attribute
> + *
> + */
> + buf = talloc_zero(ctx, char);
> + msg = talloc_zero(ctx, struct ldb_message);
> + ldb_msg_add_string(msg, "attribute01", "value01");
> + ldb_msg_add_string(msg, "attribute02", "value02");
> + ldb_msg_add_string(msg, "attribute02", "value03");
> +
> + str = log_attributes(ctx, buf, LDB_MODIFY, msg);
> + assert_string_equal(
> + "unknown: attribute01 [value01] "
> + "unknown: attribute02 [value02] [value03]",
> + str);
> +
> + TALLOC_FREE(str);
> + TALLOC_FREE(msg);
> +
> + /*
> + * Test a message with a single attribute, single valued attribute
> + * with a non printable character. Should be base64 encoded
> + */
> + buf = talloc_zero(ctx, char);
> + msg = talloc_zero(ctx, struct ldb_message);
> + ldb_msg_add_string(msg, "attribute", "value\n");
> +
> + str = log_attributes(ctx, buf, LDB_ADD, msg);
> + assert_string_equal("attribute {dmFsdWUK}", str);
> +
> + TALLOC_FREE(str);
> + TALLOC_FREE(msg);
> +
> + /*
> + * Test a message with a single valued attribute
> + * with more than MAX_LENGTH characters, should be truncated with
> + * trailing ...
> + */
> + buf = talloc_zero(ctx, char);
> + msg = talloc_zero(ctx, struct ldb_message);
> + memset(lv, '\0', sizeof(lv));
> + memset(lv, 'x', MAX_LENGTH+1);
> + ldb_msg_add_string(msg, "attribute", lv);
> +
> + str = log_attributes(ctx, buf, LDB_ADD, msg);
> + snprintf(ex, sizeof(ex), "attribute [%.*s...]", MAX_LENGTH, lv);
> + assert_string_equal(ex, str);
> +
> + TALLOC_FREE(str);
> + TALLOC_FREE(msg);
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +/*
> + * minimal unit test of replicated_update_human_readable
> + */
> +static void test_replicated_update_hr_empty(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> + struct dsdb_extended_replicated_objects *ro = NULL;
> + struct repsFromTo1 *source_dsa = NULL;
> +
> + const char* line = NULL;
> + const char *rs = NULL;
> + regex_t regex;
> + int ret;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> + ac = talloc_zero(ctx, struct audit_context);
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + source_dsa = talloc_zero(ctx, struct repsFromTo1);
> + ro = talloc_zero(ctx, struct dsdb_extended_replicated_objects);
> + ro->source_dsa = source_dsa;
> + req = talloc_zero(ctx, struct ldb_request);
> + req->op.extended.data = ro;
> + req->operation = LDB_EXTENDED;
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_SUCCESS;
> +
> + line = replicated_update_human_readable(ctx, module, req, reply);
> + assert_non_null(line);
> + /*
> + * We ignore the timestamp to make this test a little easier
> + * to write.
> + */
> + rs = "at \\[[^[]*\\] "
> + "status \\[Success\\] "
> + "error \\[The operation completed successfully.\\] "
> + "partition \\[(null)\\] objects \\[0\\] links \\[0\\] "
> + "object \\[00000000-0000-0000-0000-000000000000\\] "
> + "invocation \\[00000000-0000-0000-0000-000000000000\\]";
> +
> + ret = regcomp(®ex, rs, 0);
> + assert_int_equal(0, ret);
> +
> + ret = regexec(®ex, line, 0, NULL, 0);
> + assert_int_equal(0, ret);
> +
> + regfree(®ex);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +/*
> + * unit test of replicated_update_human_readable
> + */
> +static void test_replicated_update_hr(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> + struct ldb_reply *reply = NULL;
> + struct audit_context *ac = NULL;
> + struct dsdb_extended_replicated_objects *ro = NULL;
> + struct repsFromTo1 *source_dsa = NULL;
> +
> + struct GUID transaction_id;
> + const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + struct ldb_dn *dn = NULL;
> + const char *const DN = "dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG";
> +
> + struct GUID source_dsa_obj_guid;
> + const char *const SOURCE_DSA = "7130cb06-2062-6a1b-409e-3514c26b1793";
> +
> + struct GUID invocation_id;
> + const char *const INVOCATION_ID =
> + "7130cb06-2062-6a1b-409e-3514c26b1893";
> +
> + const char* line = NULL;
> + const char *rs = NULL;
> + regex_t regex;
> + int ret;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + ac = talloc_zero(ctx, struct audit_context);
> + GUID_from_string(TRANSACTION, &transaction_id);
> + ac->transaction_guid = transaction_id;
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> + ldb_module_set_private(module, ac);
> +
> + dn = ldb_dn_new(ctx, ldb, DN);
> + GUID_from_string(SOURCE_DSA, &source_dsa_obj_guid);
> + GUID_from_string(INVOCATION_ID, &invocation_id);
> + source_dsa = talloc_zero(ctx, struct repsFromTo1);
> + source_dsa->source_dsa_obj_guid = source_dsa_obj_guid;
> + source_dsa->source_dsa_invocation_id = invocation_id;
> +
> + ro = talloc_zero(ctx, struct dsdb_extended_replicated_objects);
> + ro->source_dsa = source_dsa;
> + ro->num_objects = 808;
> + ro->linked_attributes_count = 2910;
> + ro->partition_dn = dn;
> + ro->error = WERR_NOT_SUPPORTED;
> +
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + req->op.extended.data = ro;
> + req->operation = LDB_EXTENDED;
> +
> + reply = talloc_zero(ctx, struct ldb_reply);
> + reply->error = LDB_ERR_NO_SUCH_OBJECT;
> +
> + line = replicated_update_human_readable(ctx, module, req, reply);
> + assert_non_null(line);
> +
> + /*
> + * We ignore the timestamp to make this test a little easier
> + * to write.
> + */
> + rs = "at \\[[^[]*\\] "
> + "status \\[No such object\\] "
> + "error \\[The request is not supported.\\] "
> + "partition \\[dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG\\] "
> + "objects \\[808\\] links \\[2910\\] "
> + "object \\[7130cb06-2062-6a1b-409e-3514c26b1793\\] "
> + "invocation \\[7130cb06-2062-6a1b-409e-3514c26b1893\\]";
> +
> + ret = regcomp(®ex, rs, 0);
> + assert_int_equal(0, ret);
> +
> + ret = regexec(®ex, line, 0, NULL, 0);
> + assert_int_equal(0, ret);
> +
> + regfree(®ex);
> + TALLOC_FREE(ctx);
> +}
> +
> +int main(void) {
> + const struct CMUnitTest tests[] = {
> +#ifdef HAVE_JANSSON
> + cmocka_unit_test(test_has_password_changed),
> + cmocka_unit_test(test_get_password_action),
> + cmocka_unit_test(test_operation_json_empty),
> + cmocka_unit_test(test_operation_json),
> + cmocka_unit_test(test_as_system_operation_json),
> + cmocka_unit_test(test_password_change_json_empty),
> + cmocka_unit_test(test_password_change_json),
> + cmocka_unit_test(test_transaction_json),
> + cmocka_unit_test(test_commit_failure_json),
> + cmocka_unit_test(test_replicated_update_json_empty),
> + cmocka_unit_test(test_replicated_update_json),
> +#endif
> + cmocka_unit_test(test_add_transaction_id),
> + cmocka_unit_test(test_operation_hr_empty),
> + cmocka_unit_test(test_operation_hr),
> + cmocka_unit_test(test_as_system_operation_hr),
> + cmocka_unit_test(test_password_change_hr_empty),
> + cmocka_unit_test(test_password_change_hr),
> + cmocka_unit_test(test_transaction_hr),
> + cmocka_unit_test(test_commit_failure_hr),
> + cmocka_unit_test(test_log_attributes),
> + cmocka_unit_test(test_replicated_update_hr_empty),
> + cmocka_unit_test(test_replicated_update_hr),
> + };
> +
> + cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
> + return cmocka_run_group_tests(tests, NULL, NULL);
> +}
> diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_audit_util.c b/source4/dsdb/samdb/ldb_modules/tests/test_audit_util.c
> new file mode 100644
> index 0000000..4f27a7c
> --- /dev/null
> +++ b/source4/dsdb/samdb/ldb_modules/tests/test_audit_util.c
> @@ -0,0 +1,1260 @@
> +/*
> + Unit tests for the dsdb audit logging utility code code in audit_util.c
> +
> + Copyright (C) Andrew Bartlett <abartlet at samba.org> 2018
> +
> + This program is free software; you can redistribute it and/or modify
> + it under the terms of the GNU General Public License as published by
> + the Free Software Foundation; either version 3 of the License, or
> + (at your option) any later version.
> +
> + This program is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + GNU General Public License for more details.
> +
> + You should have received a copy of the GNU General Public License
> + along with this program. If not, see <http://www.gnu.org/licenses/>.
> +*/
> +
> +#include <stdarg.h>
> +#include <stddef.h>
> +#include <setjmp.h>
> +#include <unistd.h>
> +#include <cmocka.h>
> +
> +#include "../audit_util.c"
> +
> +#include "lib/ldb/include/ldb_private.h"
> +
> +#ifdef HAVE_JANSSON
> +static void test_add_ldb_value(void **state)
> +{
> + struct json_object object;
> + struct json_object array;
> + struct ldb_val val = data_blob_null;
> + struct json_t *el = NULL;
> + struct json_t *atr = NULL;
> + char* base64 = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> + /*
> + * Test a non array object
> + */
> + object = json_new_object();
> + assert_false(json_is_invalid(&object));
> + add_ldb_value(&object, val);
> + assert_true(json_is_invalid(&object));
> + json_free(&object);
> +
> + array = json_new_array();
> + /*
> + * Test a data_blob_null, should encode as a JSON null value.
> + */
> + val = data_blob_null;
> + add_ldb_value(&array, val);
> + el = json_array_get(array.root, 0);
> + assert_true(json_is_null(el));
> +
> + /*
> + * Test a +ve length but a null data ptr, should encode as a null.
> + */
> + val = data_blob_null;
> + val.length = 1;
> + add_ldb_value(&array, val);
> + el = json_array_get(array.root, 1);
> + assert_true(json_is_null(el));
> +
> + /*
> + * Test a zero length but a non null data ptr, should encode as a null.
> + */
> + val = data_blob_null;
> + val.data = discard_const("Data on the stack");
> + add_ldb_value(&array, val);
> + el = json_array_get(array.root, 2);
> + assert_true(json_is_null(el));
> +
> + /*
> + * Test a printable value.
> + * value should not be encoded
> + * truncated and base64 should be missing
> + */
> + val = data_blob_string_const("A value of interest");
> + add_ldb_value(&array, val);
> + el = json_array_get(array.root, 3);
> + assert_true(json_is_object(el));
> + atr = json_object_get(el, "value");
> + assert_true(json_is_string(atr));
> + assert_string_equal("A value of interest", json_string_value(atr));
> + assert_null(json_object_get(el, "truncated"));
> + assert_null(json_object_get(el, "base64"));
> +
> + /*
> + * Test non printable value, should be base64 encoded.
> + * truncated should be missing and base64 should be set.
> + */
> + val = data_blob_string_const("A value of interest\n");
> + add_ldb_value(&array, val);
> + el = json_array_get(array.root, 4);
> + assert_true(json_is_object(el));
> + atr = json_object_get(el, "value");
> + assert_true(json_is_string(atr));
> + assert_string_equal(
> + "QSB2YWx1ZSBvZiBpbnRlcmVzdAo=",
> + json_string_value(atr));
> + atr = json_object_get(el, "base64");
> + assert_true(json_is_boolean(atr));
> + assert_true(json_boolean(atr));
> + assert_null(json_object_get(el, "truncated"));
> +
> + /*
> + * test a printable value exactly max bytes long
> + * should not be truncated or encoded.
> + */
> + val = data_blob_null;
> + val.length = MAX_LENGTH;
> + val.data = (unsigned char *)generate_random_str_list(
> + ctx,
> + MAX_LENGTH,
> + "abcdefghijklmnopqrstuvwzyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
> + "1234567890!@#$%^&*()");
> +
> + add_ldb_value(&array, val);
> +
> + el = json_array_get(array.root, 5);
> + assert_true(json_is_object(el));
> + atr = json_object_get(el, "value");
> + assert_true(json_is_string(atr));
> + assert_int_equal(MAX_LENGTH, strlen(json_string_value(atr)));
> + assert_memory_equal(val.data, json_string_value(atr), MAX_LENGTH);
> +
> + assert_null(json_object_get(el, "base64"));
> + assert_null(json_object_get(el, "truncated"));
> +
> +
> + /*
> + * test a printable value exactly max + 1 bytes long
> + * should be truncated and not encoded.
> + */
> + val = data_blob_null;
> + val.length = MAX_LENGTH + 1;
> + val.data = (unsigned char *)generate_random_str_list(
> + ctx,
> + MAX_LENGTH + 1,
> + "abcdefghijklmnopqrstuvwzyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
> + "1234567890!@#$%^&*()");
> +
> + add_ldb_value(&array, val);
> +
> + el = json_array_get(array.root, 6);
> + assert_true(json_is_object(el));
> + atr = json_object_get(el, "value");
> + assert_true(json_is_string(atr));
> + assert_int_equal(MAX_LENGTH, strlen(json_string_value(atr)));
> + assert_memory_equal(val.data, json_string_value(atr), MAX_LENGTH);
> +
> + atr = json_object_get(el, "truncated");
> + assert_true(json_is_boolean(atr));
> + assert_true(json_boolean(atr));
> +
> + assert_null(json_object_get(el, "base64"));
> +
> + TALLOC_FREE(val.data);
> +
> + /*
> + * test a non-printable value exactly max bytes long
> + * should not be truncated but should be encoded.
> + */
> + val = data_blob_null;
> + val.length = MAX_LENGTH;
> + val.data = (unsigned char *)generate_random_str_list(
> + ctx,
> + MAX_LENGTH,
> + "abcdefghijklmnopqrstuvwzyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
> + "1234567890!@#$%^&*()");
> +
> + val.data[0] = 0x03;
> + add_ldb_value(&array, val);
> + base64 = ldb_base64_encode(ctx, (char*) val.data, MAX_LENGTH);
> +
> + el = json_array_get(array.root, 7);
> + assert_true(json_is_object(el));
> + atr = json_object_get(el, "value");
> + assert_true(json_is_string(atr));
> + assert_int_equal(strlen(base64), strlen(json_string_value(atr)));
> + assert_string_equal(base64, json_string_value(atr));
> +
> + atr = json_object_get(el, "base64");
> + assert_true(json_is_boolean(atr));
> + assert_true(json_boolean(atr));
> +
> + assert_null(json_object_get(el, "truncated"));
> + TALLOC_FREE(base64);
> + TALLOC_FREE(val.data);
> +
> + /*
> + * test a non-printable value exactly max + 1 bytes long
> + * should be truncated and encoded.
> + */
> + val = data_blob_null;
> + val.length = MAX_LENGTH + 1;
> + val.data = (unsigned char *)generate_random_str_list(
> + ctx,
> + MAX_LENGTH + 1,
> + "abcdefghijklmnopqrstuvwzyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
> + "1234567890!@#$%^&*()");
> +
> + val.data[0] = 0x03;
> + add_ldb_value(&array, val);
> + /*
> + * The data is truncated before it is base 64 encoded
> + */
> + base64 = ldb_base64_encode(ctx, (char*) val.data, MAX_LENGTH);
> +
> + el = json_array_get(array.root, 8);
> + assert_true(json_is_object(el));
> + atr = json_object_get(el, "value");
> + assert_true(json_is_string(atr));
> + assert_int_equal(strlen(base64), strlen(json_string_value(atr)));
> + assert_string_equal(base64, json_string_value(atr));
> +
> + atr = json_object_get(el, "base64");
> + assert_true(json_is_boolean(atr));
> + assert_true(json_boolean(atr));
> +
> + atr = json_object_get(el, "truncated");
> + assert_true(json_is_boolean(atr));
> + assert_true(json_boolean(atr));
> +
> + TALLOC_FREE(base64);
> + TALLOC_FREE(val.data);
> +
> + json_free(&array);
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_attributes_json(void **state)
> +{
> + struct ldb_message *msg = NULL;
> +
> + struct json_object o;
> + json_t *a = NULL;
> + json_t *v = NULL;
> + json_t *x = NULL;
> + json_t *y = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> +
> + /*
> + * Test an empty message
> + * Should get an empty attributes object
> + */
> + msg = talloc_zero(ctx, struct ldb_message);
> +
> + o = attributes_json(LDB_ADD, msg);
> + assert_true(json_is_object(o.root));
> + assert_int_equal(0, json_object_size(o.root));
> + json_free(&o);
> +
> + o = attributes_json(LDB_MODIFY, msg);
> + assert_true(json_is_object(o.root));
> + assert_int_equal(0, json_object_size(o.root));
> + json_free(&o);
> +
> + /*
> + * Test a message with a single secret attribute
> + * should only have that object and it should have no value
> + * attribute and redacted should be set.
> + */
> + msg = talloc_zero(ctx, struct ldb_message);
> + ldb_msg_add_string(msg, "clearTextPassword", "secret");
> +
> + o = attributes_json(LDB_ADD, msg);
> + assert_true(json_is_object(o.root));
> + assert_int_equal(1, json_object_size(o.root));
> +
> + a = json_object_get(o.root, "clearTextPassword");
> + assert_int_equal(1, json_object_size(a));
> +
> + v = json_object_get(a, "actions");
> + assert_true(json_is_array(v));
> + assert_int_equal(1, json_array_size(v));
> +
> + a = json_array_get(v, 0);
> + v = json_object_get(a, "redacted");
> + assert_true(json_is_boolean(v));
> + assert_true(json_boolean(v));
> +
> + json_free(&o);
> +
> + /*
> + * Test as a modify message, should add an action attribute
> + */
> + o = attributes_json(LDB_MODIFY, msg);
> + assert_true(json_is_object(o.root));
> + assert_int_equal(1, json_object_size(o.root));
> +
> + a = json_object_get(o.root, "clearTextPassword");
> + assert_true(json_is_object(a));
> + assert_int_equal(1, json_object_size(a));
> +
> + v = json_object_get(a, "actions");
> + assert_true(json_is_array(v));
> + assert_int_equal(1, json_array_size(v));
> +
> + a = json_array_get(v, 0);
> + v = json_object_get(a, "redacted");
> + assert_true(json_is_boolean(v));
> + assert_true(json_boolean(v));
> +
> + v = json_object_get(a, "action");
> + assert_true(json_is_string(v));
> + assert_string_equal("unknown", json_string_value(v));
> +
> + json_free(&o);
> + TALLOC_FREE(msg);
> +
> + /*
> + * Test a message with a single attribute, single valued attribute
> + */
> + msg = talloc_zero(ctx, struct ldb_message);
> + ldb_msg_add_string(msg, "attribute", "value");
> +
> + o = attributes_json(LDB_ADD, msg);
> + assert_true(json_is_object(o.root));
> + assert_int_equal(1, json_object_size(o.root));
> +
> + a = json_object_get(o.root, "attribute");
> + assert_true(json_is_object(a));
> + assert_int_equal(1, json_object_size(a));
> +
> + v = json_object_get(a, "actions");
> + assert_true(json_is_array(v));
> + assert_int_equal(1, json_array_size(v));
> +
> + x = json_array_get(v, 0);
> + assert_int_equal(2, json_object_size(x));
> + y = json_object_get(x, "action");
> + assert_string_equal("add", json_string_value(y));
> +
> + y = json_object_get(x, "values");
> + assert_true(json_is_array(y));
> + assert_int_equal(1, json_array_size(y));
> +
> + x = json_array_get(y, 0);
> + assert_true(json_is_object(x));
> + assert_int_equal(1, json_object_size(x));
> + y = json_object_get(x, "value");
> + assert_string_equal("value", json_string_value(y));
> +
> + json_free(&o);
> + TALLOC_FREE(msg);
> +
> + /*
> + * Test a message with a single attribute, single valued attribute
> + * And as a modify
> + */
> + msg = talloc_zero(ctx, struct ldb_message);
> + ldb_msg_add_string(msg, "attribute", "value");
> +
> + o = attributes_json(LDB_MODIFY, msg);
> + assert_true(json_is_object(o.root));
> + assert_int_equal(1, json_object_size(o.root));
> +
> + a = json_object_get(o.root, "attribute");
> + assert_true(json_is_object(a));
> + assert_int_equal(1, json_object_size(a));
> +
> + v = json_object_get(a, "actions");
> + assert_true(json_is_array(v));
> + assert_int_equal(1, json_array_size(v));
> +
> + x = json_array_get(v, 0);
> + assert_int_equal(2, json_object_size(x));
> + y = json_object_get(x, "action");
> + assert_string_equal("unknown", json_string_value(y));
> +
> + y = json_object_get(x, "values");
> + assert_true(json_is_array(y));
> + assert_int_equal(1, json_array_size(y));
> +
> + x = json_array_get(y, 0);
> + assert_true(json_is_object(x));
> + assert_int_equal(1, json_object_size(x));
> + y = json_object_get(x, "value");
> + assert_string_equal("value", json_string_value(y));
> +
> + json_free(&o);
> + TALLOC_FREE(msg);
> +
> + /*
> + * Test a message with a multivalues attributres
> + */
> + msg = talloc_zero(ctx, struct ldb_message);
> + ldb_msg_add_string(msg, "attribute01", "value01");
> + ldb_msg_add_string(msg, "attribute02", "value02");
> + ldb_msg_add_string(msg, "attribute02", "value03");
> +
> + o = attributes_json(LDB_ADD, msg);
> + assert_true(json_is_object(o.root));
> + assert_int_equal(2, json_object_size(o.root));
> +
> + a = json_object_get(o.root, "attribute01");
> + assert_true(json_is_object(a));
> + assert_int_equal(1, json_object_size(a));
> +
> + v = json_object_get(a, "actions");
> + assert_true(json_is_array(v));
> + assert_int_equal(1, json_array_size(v));
> +
> + x = json_array_get(v, 0);
> + assert_int_equal(2, json_object_size(x));
> + y = json_object_get(x, "action");
> + assert_string_equal("add", json_string_value(y));
> +
> + y = json_object_get(x, "values");
> + assert_true(json_is_array(y));
> + assert_int_equal(1, json_array_size(y));
> +
> + x = json_array_get(y, 0);
> + assert_true(json_is_object(x));
> + assert_int_equal(1, json_object_size(x));
> + y = json_object_get(x, "value");
> + assert_string_equal("value01", json_string_value(y));
> +
> + a = json_object_get(o.root, "attribute02");
> + assert_true(json_is_object(a));
> + assert_int_equal(1, json_object_size(a));
> +
> + v = json_object_get(a, "actions");
> + assert_true(json_is_array(v));
> + assert_int_equal(1, json_array_size(v));
> +
> + x = json_array_get(v, 0);
> + assert_int_equal(2, json_object_size(x));
> + y = json_object_get(x, "action");
> + assert_string_equal("add", json_string_value(y));
> +
> + y = json_object_get(x, "values");
> + assert_true(json_is_array(y));
> + assert_int_equal(2, json_array_size(y));
> +
> + x = json_array_get(y, 0);
> + assert_true(json_is_object(x));
> + assert_int_equal(1, json_object_size(x));
> + v = json_object_get(x, "value");
> + assert_string_equal("value02", json_string_value(v));
> +
> + x = json_array_get(y, 1);
> + assert_true(json_is_object(x));
> + assert_int_equal(1, json_object_size(x));
> + v = json_object_get(x, "value");
> + assert_string_equal("value03", json_string_value(v));
> +
> + json_free(&o);
> + TALLOC_FREE(msg);
> +
> + TALLOC_FREE(ctx);
> +}
> +#endif
> +
> +static void test_get_remote_address(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + const struct tsocket_address *ts = NULL;
> + struct tsocket_address *in = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + /*
> + * Test a freshly initialized ldb
> + * should return NULL
> + */
> + ldb = talloc_zero(ctx, struct ldb_context);
> + ts = get_remote_address(ldb);
> + assert_null(ts);
> +
> + /*
> + * opaque set to null, should return NULL
> + */
> + ldb_set_opaque(ldb, "remoteAddress", NULL);
> + ts = get_remote_address(ldb);
> + assert_null(ts);
> +
> + /*
> + * Ensure that the value set is returned
> + */
> + tsocket_address_inet_from_strings(ctx, "ip", "127.0.0.1", 0, &in);
> + ldb_set_opaque(ldb, "remoteAddress", in);
> + ts = get_remote_address(ldb);
> + assert_non_null(ts);
> + assert_ptr_equal(in, ts);
> +
> + TALLOC_FREE(ldb);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +static void test_get_ldb_error_string(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + const char *s = NULL;
> + const char * const text = "Custom reason";
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> +
> + /*
> + * No ldb error string set should get the default error description for
> + * the status code
> + */
> + s = get_ldb_error_string(module, LDB_ERR_OPERATIONS_ERROR);
> + assert_string_equal("Operations error", s);
> +
> + /*
> + * Set the error string that should now be returned instead of the
> + * default description.
> + */
> + ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, text);
> + s = get_ldb_error_string(module, LDB_ERR_OPERATIONS_ERROR);
> + /*
> + * Only test the start of the string as ldb_error adds location data.
> + */
> + assert_int_equal(0, strncmp(text, s, strlen(text)));
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_get_user_sid(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + const struct dom_sid *sid = NULL;
> + struct auth_session_info *sess = NULL;
> + struct security_token *token = NULL;
> + struct dom_sid sids[2];
> + const char * const SID0 = "S-1-5-21-2470180966-3899876309-2637894779";
> + const char * const SID1 = "S-1-5-21-4284042908-2889457889-3672286761";
> + char sid_buf[DOM_SID_STR_BUFLEN];
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> +
> + /*
> + * Freshly initialised structures, will be no session data
> + * so expect NULL
> + */
> + sid = get_user_sid(module);
> + assert_null(sid);
> +
> + /*
> + * Now add a NULL session info
> + */
> + ldb_set_opaque(ldb, "sessionInfo", NULL);
> + sid = get_user_sid(module);
> + assert_null(sid);
> +
> + /*
> + * Now add a session info with no user sid
> + */
> + sess = talloc_zero(ctx, struct auth_session_info);
> + ldb_set_opaque(ldb, "sessionInfo", sess);
> + sid = get_user_sid(module);
> + assert_null(sid);
> +
> + /*
> + * Now add an empty security token.
> + */
> + token = talloc_zero(ctx, struct security_token);
> + sess->security_token = token;
> + sid = get_user_sid(module);
> + assert_null(sid);
> +
> + /*
> + * Add a single SID
> + */
> + string_to_sid(&sids[0], SID0);
> + token->num_sids = 1;
> + token->sids = sids;
> + sid = get_user_sid(module);
> + assert_non_null(sid);
> + dom_sid_string_buf(sid, sid_buf, sizeof(sid_buf));
> + assert_string_equal(SID0, sid_buf);
> +
> + /*
> + * Add a second SID, should still use the first SID
> + */
> + string_to_sid(&sids[1], SID1);
> + token->num_sids = 2;
> + sid = get_user_sid(module);
> + assert_non_null(sid);
> + dom_sid_string_buf(sid, sid_buf, sizeof(sid_buf));
> + assert_string_equal(SID0, sid_buf);
> +
> +
> + /*
> + * Now test a null sid in the first position
> + */
> + token->num_sids = 1;
> + token->sids = NULL;
> + sid = get_user_sid(module);
> + assert_null(sid);
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_get_actual_sid(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + const struct dom_sid *sid = NULL;
> + struct auth_session_info *sess = NULL;
> + struct security_token *token = NULL;
> + struct dom_sid sids[2];
> + const char * const SID0 = "S-1-5-21-2470180966-3899876309-2637894779";
> + const char * const SID1 = "S-1-5-21-4284042908-2889457889-3672286761";
> + char sid_buf[DOM_SID_STR_BUFLEN];
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + /*
> + * Freshly initialised structures, will be no session data
> + * so expect NULL
> + */
> + sid = get_actual_sid(ldb);
> + assert_null(sid);
> +
> + /*
> + * Now add a NULL session info
> + */
> + ldb_set_opaque(ldb, "networkSessionInfo", NULL);
> + sid = get_actual_sid(ldb);
> + assert_null(sid);
> +
> + /*
> + * Now add a session info with no user sid
> + */
> + sess = talloc_zero(ctx, struct auth_session_info);
> + ldb_set_opaque(ldb, "networkSessionInfo", sess);
> + sid = get_actual_sid(ldb);
> + assert_null(sid);
> +
> + /*
> + * Now add an empty security token.
> + */
> + token = talloc_zero(ctx, struct security_token);
> + sess->security_token = token;
> + sid = get_actual_sid(ldb);
> + assert_null(sid);
> +
> + /*
> + * Add a single SID
> + */
> + string_to_sid(&sids[0], SID0);
> + token->num_sids = 1;
> + token->sids = sids;
> + sid = get_actual_sid(ldb);
> + assert_non_null(sid);
> + dom_sid_string_buf(sid, sid_buf, sizeof(sid_buf));
> + assert_string_equal(SID0, sid_buf);
> +
> + /*
> + * Add a second SID, should still use the first SID
> + */
> + string_to_sid(&sids[1], SID1);
> + token->num_sids = 2;
> + sid = get_actual_sid(ldb);
> + assert_non_null(sid);
> + dom_sid_string_buf(sid, sid_buf, sizeof(sid_buf));
> + assert_string_equal(SID0, sid_buf);
> +
> +
> + /*
> + * Now test a null sid in the first position
> + */
> + token->num_sids = 1;
> + token->sids = NULL;
> + sid = get_actual_sid(ldb);
> + assert_null(sid);
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_is_system_session(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + const struct dom_sid *sid = NULL;
> + struct auth_session_info *sess = NULL;
> + struct security_token *token = NULL;
> + struct dom_sid sids[2];
> + const char * const SID0 = "S-1-5-21-2470180966-3899876309-2637894779";
> + const char * const SID1 = "S-1-5-21-4284042908-2889457889-3672286761";
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> +
> + /*
> + * Freshly initialised structures, will be no session data
> + * so expect NULL
> + */
> + assert_false(is_system_session(module));
> +
> + /*
> + * Now add a NULL session info
> + */
> + ldb_set_opaque(ldb, "sessionInfo", NULL);
> + assert_false(is_system_session(module));
> +
> + /*
> + * Now add a session info with no user sid
> + */
> + sess = talloc_zero(ctx, struct auth_session_info);
> + ldb_set_opaque(ldb, "sessionInfo", sess);
> + assert_false(is_system_session(module));
> +
> + /*
> + * Now add an empty security token.
> + */
> + token = talloc_zero(ctx, struct security_token);
> + sess->security_token = token;
> + assert_false(is_system_session(module));
> +
> + /*
> + * Add a single SID, non system sid
> + */
> + string_to_sid(&sids[0], SID0);
> + token->num_sids = 1;
> + token->sids = sids;
> + assert_false(is_system_session(module));
> +
> + /*
> + * Add the system SID to the second position,
> + * this should be ignored.
> + */
> + token->num_sids = 2;
> + sids[1] = global_sid_System;
> + assert_false(is_system_session(module));
> +
> + /*
> + * Add a single SID, system sid
> + */
> + token->num_sids = 1;
> + sids[0] = global_sid_System;
> + token->sids = sids;
> + assert_true(is_system_session(module));
> +
> + /*
> + * Add a non system SID to position 2
> + */
> + sids[0] = global_sid_System;
> + string_to_sid(&sids[1], SID1);
> + token->num_sids = 2;
> + token->sids = sids;
> + assert_true(is_system_session(module));
> +
> + /*
> + * Now test a null sid in the first position
> + */
> + token->num_sids = 1;
> + token->sids = NULL;
> + sid = get_user_sid(module);
> + assert_null(sid);
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_get_unique_session_token(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct auth_session_info *sess = NULL;
> + const struct GUID *guid;
> + const char * const GUID_S = "7130cb06-2062-6a1b-409e-3514c26b1773";
> + struct GUID in;
> + char *guid_str;
> + struct GUID_txt_buf guid_buff;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> +
> + /*
> + * Test a freshly initialized ldb
> + * should return NULL
> + */
> + guid = get_unique_session_token(module);
> + assert_null(guid);
> +
> + /*
> + * Now add a NULL session info
> + */
> + ldb_set_opaque(ldb, "sessionInfo", NULL);
> + guid = get_unique_session_token(module);
> + assert_null(guid);
> +
> + /*
> + * Now add a session info with no session id
> + * Note if the memory has not been zeroed correctly all bets are
> + * probably off.
> + */
> + sess = talloc_zero(ctx, struct auth_session_info);
> + ldb_set_opaque(ldb, "sessionInfo", sess);
> + guid = get_unique_session_token(module);
> + /*
> + * We will get a GUID, but it's contents will be undefined
> + */
> + assert_non_null(guid);
> +
> + /*
> + * Now set the session id and confirm that we get it back.
> + */
> + GUID_from_string(GUID_S, &in);
> + sess->unique_session_token = in;
> + guid = get_unique_session_token(module);
> + assert_non_null(guid);
> + guid_str = GUID_buf_string(guid, &guid_buff);
> + assert_string_equal(GUID_S, guid_str);
> +
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +static void test_get_actual_unique_session_token(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct auth_session_info *sess = NULL;
> + const struct GUID *guid;
> + const char * const GUID_S = "7130cb06-2062-6a1b-409e-3514c26b1773";
> + struct GUID in;
> + char *guid_str;
> + struct GUID_txt_buf guid_buff;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + /*
> + * Test a freshly initialized ldb
> + * should return NULL
> + */
> + guid = get_actual_unique_session_token(ldb);
> + assert_null(guid);
> +
> + /*
> + * Now add a NULL session info
> + */
> + ldb_set_opaque(ldb, "networkSessionInfo", NULL);
> + guid = get_actual_unique_session_token(ldb);
> + assert_null(guid);
> +
> + /*
> + * Now add a session info with no session id
> + * Note if the memory has not been zeroed correctly all bets are
> + * probably off.
> + */
> + sess = talloc_zero(ctx, struct auth_session_info);
> + ldb_set_opaque(ldb, "networkSessionInfo", sess);
> + guid = get_actual_unique_session_token(ldb);
> + /*
> + * We will get a GUID, but it's contents will be undefined
> + */
> + assert_non_null(guid);
> +
> + /*
> + * Now set the session id and confirm that we get it back.
> + */
> + GUID_from_string(GUID_S, &in);
> + sess->unique_session_token = in;
> + guid = get_actual_unique_session_token(ldb);
> + assert_non_null(guid);
> + guid_str = GUID_buf_string(guid, &guid_buff);
> + assert_string_equal(GUID_S, guid_str);
> +
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +static void test_get_remote_host(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + char *rh = NULL;
> + struct tsocket_address *in = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + /*
> + * Test a freshly initialized ldb
> + * should return "Unknown"
> + */
> + rh = get_remote_host(ldb, ctx);
> + assert_string_equal("Unknown", rh);
> + TALLOC_FREE(rh);
> +
> + /*
> + * opaque set to null, should return NULL
> + */
> + ldb_set_opaque(ldb, "remoteAddress", NULL);
> + rh = get_remote_host(ldb, ctx);
> + assert_string_equal("Unknown", rh);
> + TALLOC_FREE(rh);
> +
> + /*
> + * Ensure that the value set is returned
> + */
> + tsocket_address_inet_from_strings(ctx, "ip", "127.0.0.1", 42, &in);
> + ldb_set_opaque(ldb, "remoteAddress", in);
> + rh = get_remote_host(ldb, ctx);
> + assert_string_equal("ipv4:127.0.0.1:42", rh);
> + TALLOC_FREE(rh);
> +
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +static void test_get_primary_dn(void **state)
> +{
> + struct ldb_request *req = NULL;
> + struct ldb_message *msg = NULL;
> + struct ldb_context *ldb = NULL;
> +
> + struct ldb_dn *dn = NULL;
> +
> + const char * const DN = "dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG";
> + const char *s = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + msg = talloc_zero(ctx, struct ldb_message);
> + ldb = talloc_zero(ctx, struct ldb_context);
> + dn = ldb_dn_new(ctx, ldb, DN);
> +
> + /*
> + * Try an empty request.
> + */
> + s = get_primary_dn(req);
> + assert_null(s);
> +
> + /*
> + * Now try an add with a null message.
> + */
> + req->operation = LDB_ADD;
> + req->op.add.message = NULL;
> + s = get_primary_dn(req);
> + assert_null(s);
> +
> + /*
> + * Now try an mod with a null message.
> + */
> + req->operation = LDB_MODIFY;
> + req->op.mod.message = NULL;
> + s = get_primary_dn(req);
> + assert_null(s);
> +
> + /*
> + * Now try an add with a missing dn
> + */
> + req->operation = LDB_ADD;
> + req->op.add.message = msg;
> + s = get_primary_dn(req);
> + assert_null(s);
> +
> + /*
> + * Now try a mod with a messing dn
> + */
> + req->operation = LDB_ADD;
> + req->op.mod.message = msg;
> + s = get_primary_dn(req);
> + assert_null(s);
> +
> + /*
> + * Add a dn to the message
> + */
> + msg->dn = dn;
> +
> + /*
> + * Now try an add with a dn
> + */
> + req->operation = LDB_ADD;
> + req->op.add.message = msg;
> + s = get_primary_dn(req);
> + assert_non_null(s);
> + assert_string_equal(DN, s);
> +
> + /*
> + * Now try a mod with a dn
> + */
> + req->operation = LDB_MODIFY;
> + req->op.mod.message = msg;
> + s = get_primary_dn(req);
> + assert_non_null(s);
> + assert_string_equal(DN, s);
> +
> + /*
> + * Try a delete without a dn
> + */
> + req->operation = LDB_DELETE;
> + req->op.del.dn = NULL;
> + s = get_primary_dn(req);
> + assert_null(s);
> +
> + /*
> + * Try a delete with a dn
> + */
> + req->operation = LDB_DELETE;
> + req->op.del.dn = dn;
> + s = get_primary_dn(req);
> + assert_non_null(s);
> + assert_string_equal(DN, s);
> +
> + /*
> + * Try a rename without a dn
> + */
> + req->operation = LDB_RENAME;
> + req->op.rename.olddn = NULL;
> + s = get_primary_dn(req);
> + assert_null(s);
> +
> + /*
> + * Try a rename with a dn
> + */
> + req->operation = LDB_RENAME;
> + req->op.rename.olddn = dn;
> + s = get_primary_dn(req);
> + assert_non_null(s);
> + assert_string_equal(DN, s);
> +
> + /*
> + * Try an extended operation, i.e. one that does not have a DN
> + * associated with it for logging purposes.
> + */
> + req->operation = LDB_EXTENDED;
> + s = get_primary_dn(req);
> + assert_null(s);
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_get_message(void **state)
> +{
> + struct ldb_request *req = NULL;
> + struct ldb_message *msg = NULL;
> + const struct ldb_message *r = NULL;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + msg = talloc_zero(ctx, struct ldb_message);
> +
> + /*
> + * Test an empty message
> + */
> + r = get_message(req);
> + assert_null(r);
> +
> + /*
> + * Test an add message
> + */
> + req->operation = LDB_ADD;
> + req->op.add.message = msg;
> + r = get_message(req);
> + assert_ptr_equal(msg, r);
> +
> + /*
> + * Test a modify message
> + */
> + req->operation = LDB_MODIFY;
> + req->op.mod.message = msg;
> + r = get_message(req);
> + assert_ptr_equal(msg, r);
> +
> + /*
> + * Test a Delete message, i.e. trigger the default case
> + */
> + req->operation = LDB_DELETE;
> + r = get_message(req);
> + assert_null(r);
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_get_secondary_dn(void **state)
> +{
> + struct ldb_request *req = NULL;
> + struct ldb_context *ldb = NULL;
> +
> + struct ldb_dn *dn = NULL;
> +
> + const char * const DN = "dn=CN=USER,CN=Users,DC=SAMBA,DC=ORG";
> + const char *s = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + ldb = talloc_zero(ctx, struct ldb_context);
> + dn = ldb_dn_new(ctx, ldb, DN);
> +
> + /*
> + * Try an empty request.
> + */
> + s = get_secondary_dn(req);
> + assert_null(s);
> +
> + /*
> + * Try a rename without a dn
> + */
> + req->operation = LDB_RENAME;
> + req->op.rename.newdn = NULL;
> + s = get_secondary_dn(req);
> + assert_null(s);
> +
> + /*
> + * Try a rename with a dn
> + */
> + req->operation = LDB_RENAME;
> + req->op.rename.newdn = dn;
> + s = get_secondary_dn(req);
> + assert_non_null(s);
> + assert_string_equal(DN, s);
> +
> + /*
> + * Try an extended operation, i.e. one that does not have a DN
> + * associated with it for logging purposes.
> + */
> + req->operation = LDB_EXTENDED;
> + s = get_primary_dn(req);
> + assert_null(s);
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_get_operation_name(void **state)
> +{
> + struct ldb_request *req = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + req = talloc_zero(ctx, struct ldb_request);
> +
> + req->operation = LDB_SEARCH;
> + assert_string_equal("Search", get_operation_name(req));
> +
> + req->operation = LDB_ADD;
> + assert_string_equal("Add", get_operation_name(req));
> +
> + req->operation = LDB_MODIFY;
> + assert_string_equal("Modify", get_operation_name(req));
> +
> + req->operation = LDB_DELETE;
> + assert_string_equal("Delete", get_operation_name(req));
> +
> + req->operation = LDB_RENAME;
> + assert_string_equal("Rename", get_operation_name(req));
> +
> + req->operation = LDB_EXTENDED;
> + assert_string_equal("Extended", get_operation_name(req));
> +
> + req->operation = LDB_REQ_REGISTER_CONTROL;
> + assert_string_equal("Register Control", get_operation_name(req));
> +
> + req->operation = LDB_REQ_REGISTER_PARTITION;
> + assert_string_equal("Register Partition", get_operation_name(req));
> +
> + /*
> + * Trigger the default case
> + */
> + req->operation = -1;
> + assert_string_equal("Unknown", get_operation_name(req));
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_get_modification_action(void **state)
> +{
> + assert_string_equal(
> + "add",
> + get_modification_action(LDB_FLAG_MOD_ADD));
> + assert_string_equal(
> + "delete",
> + get_modification_action(LDB_FLAG_MOD_DELETE));
> + assert_string_equal(
> + "replace",
> + get_modification_action(LDB_FLAG_MOD_REPLACE));
> + /*
> + * Trigger the default case
> + */
> + assert_string_equal(
> + "unknown",
> + get_modification_action(0));
> +}
> +
> +static void test_is_password_attribute(void **state)
> +{
> + assert_true(is_password_attribute("userPassword"));
> + assert_true(is_password_attribute("clearTextPassword"));
> + assert_true(is_password_attribute("unicodePwd"));
> + assert_true(is_password_attribute("dBCSPwd"));
> +
> + assert_false(is_password_attribute("xserPassword"));
> +}
> +
> +static void test_redact_attribute(void **state)
> +{
> + assert_true(redact_attribute("userPassword"));
> +
> + assert_true(redact_attribute("pekList"));
> + assert_true(redact_attribute("clearTextPassword"));
> + assert_true(redact_attribute("initialAuthIncoming"));
> +
> + assert_false(redact_attribute("supaskrt"));
> +}
> +
> +int main(void) {
> + const struct CMUnitTest tests[] = {
> +#ifdef HAVE_JANSSON
> + cmocka_unit_test(test_add_ldb_value),
> + cmocka_unit_test(test_attributes_json),
> +#endif
> + cmocka_unit_test(test_get_remote_address),
> + cmocka_unit_test(test_get_ldb_error_string),
> + cmocka_unit_test(test_get_user_sid),
> + cmocka_unit_test(test_get_actual_sid),
> + cmocka_unit_test(test_is_system_session),
> + cmocka_unit_test(test_get_unique_session_token),
> + cmocka_unit_test(test_get_actual_unique_session_token),
> + cmocka_unit_test(test_get_remote_host),
> + cmocka_unit_test(test_get_primary_dn),
> + cmocka_unit_test(test_get_message),
> + cmocka_unit_test(test_get_secondary_dn),
> + cmocka_unit_test(test_get_operation_name),
> + cmocka_unit_test(test_get_modification_action),
> + cmocka_unit_test(test_is_password_attribute),
> + cmocka_unit_test(test_redact_attribute),
> + };
> +
> + cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
> + return cmocka_run_group_tests(tests, NULL, NULL);
> +}
> diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build b/source4/dsdb/samdb/ldb_modules/wscript_build
> index 9e0ac28..da21e96 100644
> --- a/source4/dsdb/samdb/ldb_modules/wscript_build
> +++ b/source4/dsdb/samdb/ldb_modules/wscript_build
> @@ -7,9 +7,9 @@ bld.SAMBA_LIBRARY('dsdb-module',
> grouping_library=True)
>
> bld.SAMBA_SUBSYSTEM('DSDB_MODULE_HELPERS',
> - source='util.c acl_util.c schema_util.c netlogon.c',
> + source='util.c acl_util.c schema_util.c netlogon.c audit_util.c',
> autoproto='util_proto.h',
> - deps='ldb ndr samdb-common samba-security'
> + deps='ldb ndr samdb-common samba-security audit_logging'
> )
>
> bld.SAMBA_SUBSYSTEM('DSDB_MODULE_HELPER_RIDALLOC',
> @@ -40,6 +40,30 @@ bld.SAMBA_BINARY('test_encrypted_secrets',
> DSDB_MODULE_HELPERS
> ''',
> install=False)
> +bld.SAMBA_BINARY('test_audit_util',
> + source='tests/test_audit_util.c',
> + deps='''
> + talloc
> + samba-util
> + samdb-common
> + samdb
> + cmocka
> + audit_logging
> + DSDB_MODULE_HELPERS
> + ''',
> + install=False)
> +bld.SAMBA_BINARY('test_audit_log',
> + source='tests/test_audit_log.c',
> + deps='''
> + talloc
> + samba-util
> + samdb-common
> + samdb
> + cmocka
> + audit_logging
> + DSDB_MODULE_HELPERS
> + ''',
> + install=False)
>
> if bld.AD_DC_BUILD_IS_ENABLED():
> bld.PROCESS_SEPARATE_RULE("server")
> diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build_server b/source4/dsdb/samdb/ldb_modules/wscript_build_server
> index 368260a..6c821fb 100644
> --- a/source4/dsdb/samdb/ldb_modules/wscript_build_server
> +++ b/source4/dsdb/samdb/ldb_modules/wscript_build_server
> @@ -425,3 +425,19 @@ bld.SAMBA_MODULE('ldb_encrypted_secrets',
> gnutls
> '''
> )
> +
> +bld.SAMBA_MODULE('ldb_audit_log',
> + source='audit_log.c',
> + subsystem='ldb',
> + init_function='ldb_audit_log_module_init',
> + module_init_name='ldb_init_module',
> + internal_module=False,
> + deps='''
> + audit_logging
> + talloc
> + samba-util
> + samdb-common
> + DSDB_MODULE_HELPERS
> + samdb
> + '''
> + )
> diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
> index 5359316..c317975 100755
> --- a/source4/selftest/tests.py
> +++ b/source4/selftest/tests.py
> @@ -685,6 +685,14 @@ if have_heimdal_support:
> extra_args=['-U"$USERNAME%$PASSWORD"'],
> environ={'CLIENT_IP': '127.0.0.11',
> 'SOCKET_WRAPPER_DEFAULT_IFACE': 11})
> + planoldpythontestsuite("ad_dc:local", "samba.tests.audit_log_pass_change",
> + extra_args=['-U"$USERNAME%$PASSWORD"'],
> + environ={'CLIENT_IP': '127.0.0.11',
> + 'SOCKET_WRAPPER_DEFAULT_IFACE': 11})
> + planoldpythontestsuite("ad_dc:local", "samba.tests.audit_log_dsdb",
> + extra_args=['-U"$USERNAME%$PASSWORD"'],
> + environ={'CLIENT_IP': '127.0.0.11',
> + 'SOCKET_WRAPPER_DEFAULT_IFACE': 11})
>
> planoldpythontestsuite("fl2008r2dc:local",
> "samba.tests.getdcname",
> @@ -1069,3 +1077,7 @@ plantestsuite("samba4.dsdb.samdb.ldb_modules.encrypted_secrets", "none",
> [os.path.join(bindir(), "test_encrypted_secrets")])
> plantestsuite("lib.audit_logging.audit_logging", "none",
> [os.path.join(bindir(), "audit_logging_test")])
> +plantestsuite("samba4.dsdb.samdb.ldb_modules.audit_util", "none",
> + [os.path.join(bindir(), "test_audit_util")])
> +plantestsuite("samba4.dsdb.samdb.ldb_modules.audit_log", "none",
> + [os.path.join(bindir(), "test_audit_log")])
> --
> 2.7.4
>
>
> From def1dfe01434f987ca1af55b60319efe183dcf55 Mon Sep 17 00:00:00 2001
> From: Gary Lockyer <gary at catalyst.net.nz>
> Date: Mon, 16 Apr 2018 14:03:14 +1200
> Subject: [PATCH 10/10] SamDb: Audit group membership changes.:w
>
> Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> ---
> python/samba/tests/group_audit.py | 355 +++++
> selftest/target/Samba4.pm | 2 +
> source4/dsdb/samdb/ldb_modules/group_audit.c | 1362 ++++++++++++++++++++
> source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 1 +
> .../samdb/ldb_modules/tests/test_group_audit.c | 736 +++++++++++
> .../ldb_modules/tests/test_group_audit.valgrind | 19 +
> source4/dsdb/samdb/ldb_modules/wscript_build | 12 +
> .../dsdb/samdb/ldb_modules/wscript_build_server | 16 +
> source4/selftest/tests.py | 4 +
> 9 files changed, 2507 insertions(+)
> create mode 100644 python/samba/tests/group_audit.py
> create mode 100644 source4/dsdb/samdb/ldb_modules/group_audit.c
> create mode 100644 source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
> create mode 100644 source4/dsdb/samdb/ldb_modules/tests/test_group_audit.valgrind
>
> diff --git a/python/samba/tests/group_audit.py b/python/samba/tests/group_audit.py
> new file mode 100644
> index 0000000..53a8bf6
> --- /dev/null
> +++ b/python/samba/tests/group_audit.py
> @@ -0,0 +1,355 @@
> +# Tests for SamDb password change audit logging.
> +# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2018
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 3 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +#
> +
> +from __future__ import print_function
> +"""Tests for the SamDb logging of password changes.
> +"""
> +
> +import samba.tests
> +from samba.dcerpc.messaging import MSG_GROUP_LOG, DSDB_GROUP_EVENT_NAME
> +from samba.samdb import SamDB
> +from samba.auth import system_session
> +import os
> +from samba.tests.audit_log_base import AuditLogTestBase
> +from samba.tests import delete_force
> +import ldb
> +from ldb import FLAG_MOD_REPLACE
> +
> +USER_NAME = "grpadttstuser01"
> +USER_PASS = samba.generate_random_password(32, 32)
> +
> +SECOND_USER_NAME = "grpadttstuser02"
> +SECOND_USER_PASS = samba.generate_random_password(32, 32)
> +
> +GROUP_NAME_01 = "group-audit-01"
> +GROUP_NAME_02 = "group-audit-02"
> +
> +
> +class GroupAuditTests(AuditLogTestBase):
> +
> + def setUp(self):
> + self.message_type = MSG_GROUP_LOG
> + self.event_type = DSDB_GROUP_EVENT_NAME
> + super(GroupAuditTests, self).setUp()
> +
> + self.remoteAddress = os.environ["CLIENT_IP"]
> + self.server_ip = os.environ["SERVER_IP"]
> +
> + host = "ldap://%s" % os.environ["SERVER"]
> + self.ldb = SamDB(url=host,
> + session_info=system_session(),
> + credentials=self.get_credentials(),
> + lp=self.get_loadparm())
> + self.server = os.environ["SERVER"]
> +
> + # Gets back the basedn
> + self.base_dn = self.ldb.domain_dn()
> +
> + # Get the old "dSHeuristics" if it was set
> + dsheuristics = self.ldb.get_dsheuristics()
> +
> + # Set the "dSHeuristics" to activate the correct "userPassword"
> + # behaviour
> + self.ldb.set_dsheuristics("000000001")
> +
> + # Reset the "dSHeuristics" as they were before
> + self.addCleanup(self.ldb.set_dsheuristics, dsheuristics)
> +
> + # Get the old "minPwdAge"
> + minPwdAge = self.ldb.get_minPwdAge()
> +
> + # Set it temporarily to "0"
> + self.ldb.set_minPwdAge("0")
> + self.base_dn = self.ldb.domain_dn()
> +
> + # Reset the "minPwdAge" as it was before
> + self.addCleanup(self.ldb.set_minPwdAge, minPwdAge)
> +
> + # (Re)adds the test user USER_NAME with password USER_PASS
> + self.ldb.add({
> + "dn": "cn=" + USER_NAME + ",cn=users," + self.base_dn,
> + "objectclass": "user",
> + "sAMAccountName": USER_NAME,
> + "userPassword": USER_PASS
> + })
> + self.ldb.newgroup(GROUP_NAME_01)
> + self.ldb.newgroup(GROUP_NAME_02)
> +
> + def tearDown(self):
> + super(GroupAuditTests, self).tearDown()
> + delete_force(self.ldb, "cn=" + USER_NAME + ",cn=users," + self.base_dn)
> + self.ldb.deletegroup(GROUP_NAME_01)
> + self.ldb.deletegroup(GROUP_NAME_02)
> +
> + def test_add_and_remove_users_from_group(self):
> +
> + #
> + # Wait for the primary group change for the created user.
> + #
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + audit = messages[0]["groupChange"]
> +
> + self.assertEqual("PrimaryGroup", audit["action"])
> + user_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + group_dn = "cn=domain users,cn=users," + self.base_dn
> + self.assertTrue(user_dn.lower(), audit["user"].lower())
> + self.assertTrue(group_dn.lower(), audit["group"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> +
> + #
> + # Add the user to a group
> + #
> + self.discardMessages()
> +
> + self.ldb.add_remove_group_members(GROUP_NAME_01, [USER_NAME])
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + audit = messages[0]["groupChange"]
> +
> + self.assertEqual("Added", audit["action"])
> + user_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + group_dn = "cn=" + GROUP_NAME_01 + ",cn=users," + self.base_dn
> + self.assertTrue(user_dn.lower(), audit["user"].lower())
> + self.assertTrue(group_dn.lower(), audit["group"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> +
> + #
> + # Add the user to another group
> + #
> + self.discardMessages()
> + self.ldb.add_remove_group_members(GROUP_NAME_02, [USER_NAME])
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + audit = messages[0]["groupChange"]
> +
> + self.assertEqual("Added", audit["action"])
> + user_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + group_dn = "cn=" + GROUP_NAME_02 + ",cn=users," + self.base_dn
> + self.assertTrue(user_dn.lower(), audit["user"].lower())
> + self.assertTrue(group_dn.lower(), audit["group"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> +
> + #
> + # Remove the user from a group
> + #
> + self.discardMessages()
> + self.ldb.add_remove_group_members(
> + GROUP_NAME_01,
> + [USER_NAME],
> + add_members_operation=False)
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + audit = messages[0]["groupChange"]
> +
> + self.assertEqual("Removed", audit["action"])
> + user_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + group_dn = "cn=" + GROUP_NAME_01 + ",cn=users," + self.base_dn
> + self.assertTrue(user_dn.lower(), audit["user"].lower())
> + self.assertTrue(group_dn.lower(), audit["group"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> +
> + #
> + # Re-add the user to a group
> + #
> + self.discardMessages()
> + self.ldb.add_remove_group_members(GROUP_NAME_01, [USER_NAME])
> +
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + audit = messages[0]["groupChange"]
> +
> + self.assertEqual("Added", audit["action"])
> + user_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + group_dn = "cn=" + GROUP_NAME_01 + ",cn=users," + self.base_dn
> + self.assertTrue(user_dn.lower(), audit["user"].lower())
> + self.assertTrue(group_dn.lower(), audit["group"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> +
> + def test_change_primary_group(self):
> +
> + #
> + # Wait for the primary group change for the created user.
> + #
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + audit = messages[0]["groupChange"]
> +
> + self.assertEqual("PrimaryGroup", audit["action"])
> + user_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + group_dn = "cn=domain users,cn=users," + self.base_dn
> + self.assertTrue(user_dn.lower(), audit["user"].lower())
> + self.assertTrue(group_dn.lower(), audit["group"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> +
> + #
> + # Add the user to a group, the user needs to be a member of a group
> + # before there primary group can be set to that group.
> + #
> + self.discardMessages()
> +
> + self.ldb.add_remove_group_members(GROUP_NAME_01, [USER_NAME])
> + messages = self.waitForMessages(1)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(1,
> + len(messages),
> + "Did not receive the expected number of messages")
> + audit = messages[0]["groupChange"]
> +
> + self.assertEqual("Added", audit["action"])
> + user_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + group_dn = "cn=" + GROUP_NAME_01 + ",cn=users," + self.base_dn
> + self.assertTrue(user_dn.lower(), audit["user"].lower())
> + self.assertTrue(group_dn.lower(), audit["group"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> +
> + #
> + # Change the primary group of a user
> + #
> + user_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + group_dn = "cn=" + GROUP_NAME_01 + ",cn=users," + self.base_dn
> + # get the primaryGroupToken of the group
> + res = self.ldb.search(base=group_dn, attrs=["primaryGroupToken"],
> + scope=ldb.SCOPE_BASE)
> + group_id = res[0]["primaryGroupToken"]
> +
> + # set primaryGroupID attribute of the user to that group
> + m = ldb.Message()
> + m.dn = ldb.Dn(self.ldb, user_dn)
> + m["primaryGroupID"] = ldb.MessageElement(
> + group_id,
> + FLAG_MOD_REPLACE,
> + "primaryGroupID")
> + self.discardMessages()
> + self.ldb.modify(m)
> +
> + #
> + # Wait for the primary group change.
> + # Will see the user removed from the new group
> + # the user added to their old primary group
> + # and a new primary group event.
> + #
> + messages = self.waitForMessages(3)
> + print("Received %d messages" % len(messages))
> + self.assertEquals(3,
> + len(messages),
> + "Did not receive the expected number of messages")
> +
> + audit = messages[0]["groupChange"]
> + self.assertEqual("Removed", audit["action"])
> + user_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + group_dn = "cn=" + GROUP_NAME_01 + ",cn=users," + self.base_dn
> + self.assertTrue(user_dn.lower(), audit["user"].lower())
> + self.assertTrue(group_dn.lower(), audit["group"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> +
> + audit = messages[1]["groupChange"]
> +
> + self.assertEqual("Added", audit["action"])
> + user_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + group_dn = "cn=domain users,cn=users," + self.base_dn
> + self.assertTrue(user_dn.lower(), audit["user"].lower())
> + self.assertTrue(group_dn.lower(), audit["group"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> +
> + audit = messages[2]["groupChange"]
> +
> + self.assertEqual("PrimaryGroup", audit["action"])
> + user_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
> + group_dn = "cn=" + GROUP_NAME_01 + ",cn=users," + self.base_dn
> + self.assertTrue(user_dn.lower(), audit["user"].lower())
> + self.assertTrue(group_dn.lower(), audit["group"].lower())
> + self.assertRegexpMatches(audit["remoteAddress"],
> + self.remoteAddress)
> + self.assertTrue(self.is_guid(audit["sessionId"]))
> + session_id = self.get_session()
> + self.assertEquals(session_id, audit["sessionId"])
> + service_description = self.get_service_description()
> + self.assertEquals(service_description, "LDAP")
> diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
> index 3df226f..7abc16e 100755
> --- a/selftest/target/Samba4.pm
> +++ b/selftest/target/Samba4.pm
> @@ -1526,6 +1526,7 @@ sub provision_ad_dc_ntvfs($$)
> auth event notification = true
> dsdb event notification = true
> dsdb password event notification = true
> + dsdb group change notification = true
> server schannel = auto
> ";
> my $ret = $self->provision($prefix,
> @@ -1900,6 +1901,7 @@ sub provision_ad_dc($$$$$$)
> auth event notification = true
> dsdb event notification = true
> dsdb password event notification = true
> + dsdb group change notification = true
> $smbconf_args
> ";
>
> diff --git a/source4/dsdb/samdb/ldb_modules/group_audit.c b/source4/dsdb/samdb/ldb_modules/group_audit.c
> new file mode 100644
> index 0000000..415b669
> --- /dev/null
> +++ b/source4/dsdb/samdb/ldb_modules/group_audit.c
> @@ -0,0 +1,1362 @@
> +/*
> + ldb database library
> +
> + Copyright (C) Andrew Bartlett <abartlet at samba.org> 2018
> +
> + This program is free software; you can redistribute it and/or modify
> + it under the terms of the GNU General Public License as published by
> + the Free Software Foundation; either version 3 of the License, or
> + (at your option) any later version.
> +
> + This program is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + GNU General Public License for more details.
> +
> + You should have received a copy of the GNU General Public License
> + along with this program. If not, see <http://www.gnu.org/licenses/>.
> +*/
> +
> +/*
> + * Provide an audit log of changes made to group memberships
> + *
> + */
> +
> +#include "includes.h"
> +#include "ldb_module.h"
> +#include "lib/audit_logging/audit_logging.h"
> +
> +#include "dsdb/samdb/samdb.h"
> +#include "dsdb/samdb/ldb_modules/util.h"
> +#include "libcli/security/dom_sid.h"
> +#include "auth/common_auth.h"
> +#include "param/param.h"
> +
> +#define AUDIT_JSON_TYPE "groupChange"
> +#define AUDIT_HR_TAG "Group Change"
> +#define AUDIT_MAJOR 1
> +#define AUDIT_MINOR 0
> +#define GROUP_LOG_LVL 5
> +
> +static const char * const member_attr[] = {"member", NULL};
> +static const char * const primary_group_attr[] = {
> + "primaryGroupID",
> + "objectSID",
> + NULL};
> +
> +struct audit_context {
> + bool send_events;
> + struct imessaging_context *msg_ctx;
> +};
> +
> +struct audit_callback_context {
> + struct ldb_request *request;
> + struct ldb_module *module;
> + struct ldb_message_element *members;
> + uint32_t primary_group;
> + void (*log_changes)(
> + struct audit_callback_context *acc,
> + const int status);
> +};
> +
> +/*
> + * @brief get the transaction id.
> + *
> + * Get the id of the transaction that the current request is contained in.
> + *
> + * @param req the request.
> + *
> + * @return the transaction id GUID, or NULL if it is not there.
> + */
> +static struct GUID *get_transaction_id(
> + const struct ldb_request *request)
> +{
> + struct ldb_control *control;
> + struct dsdb_control_transaction_identifier *transaction_id;
> +
> + control = ldb_request_get_control(
> + discard_const(request),
> + DSDB_CONTROL_TRANSACTION_IDENTIFIER_OID);
> + if (control == NULL) {
> + return NULL;
> + }
> + transaction_id = talloc_get_type(
> + control->data,
> + struct dsdb_control_transaction_identifier);
> + if (transaction_id == NULL) {
> + return NULL;
> + }
> + return &transaction_id->transaction_guid;
> +}
> +
> +#ifdef HAVE_JANSSON
> +/*
> + * @brief generate a JSON log entry for a group change.
> + *
> + * Generate a JSON object containing details of a users group change.
> + *
> + * @param module the ldb module
> + * @param request the ldb_request
> + * @param action the change action being performed
> + * @param user the user name
> + * @param group the group name
> + * @param status the ldb status code for the ldb operation.
> + *
> + * @return A json object containing the details.
> + */
> +static struct json_object audit_group_json(
> + const struct ldb_module *module,
> + const struct ldb_request *request,
> + const char *action,
> + const char *user,
> + const char *group,
> + const int status)
> +{
> + struct ldb_context *ldb = NULL;
> + const struct dom_sid *sid = NULL;
> + struct json_object wrapper;
> + struct json_object audit;
> + const struct tsocket_address *remote = NULL;
> + const struct GUID *unique_session_token = NULL;
> + struct GUID *transaction_id = NULL;
> +
> + ldb = ldb_module_get_ctx(discard_const(module));
> +
> + remote = get_remote_address(ldb);
> + sid = get_user_sid(module);
> + unique_session_token = get_unique_session_token(module);
> + transaction_id = get_transaction_id(request);
> +
> + audit = json_new_object();
> + json_add_version(&audit, AUDIT_MAJOR, AUDIT_MINOR);
> + json_add_int(&audit, "statusCode", status);
> + json_add_string(&audit, "status", ldb_strerror(status));
> + json_add_string(&audit, "action", action);
> + json_add_address(&audit, "remoteAddress", remote);
> + json_add_sid(&audit, "userSid", sid);
> + json_add_string(&audit, "group", group);
> + json_add_guid(&audit, "transactionId", transaction_id);
> + json_add_guid(&audit, "sessionId", unique_session_token);
> + json_add_string(&audit, "user", user);
> +
> + wrapper = json_new_object();
> + json_add_timestamp(&wrapper);
> + json_add_string(&wrapper, "type", AUDIT_JSON_TYPE);
> + json_add_object(&wrapper, AUDIT_JSON_TYPE, &audit);
> +
> + return wrapper;
> +}
> +#endif
> +
> +/*
> + * @brief generate a human readable log entry for a group change.
> + *
> + * Generate a human readable log entry containing details of a users group
> + * change.
> + *
> + * @param ctx the talloc context owning the returned log entry
> + * @param module the ldb module
> + * @param request the ldb_request
> + * @param action the change action being performed
> + * @param user the user name
> + * @param group the group name
> + * @param status the ldb status code for the ldb operation.
> + *
> + * @return A human readable log line.
> + */
> +static char *audit_group_human_readable(
> + TALLOC_CTX *mem_ctx,
> + const struct ldb_module *module,
> + const struct ldb_request *request,
> + const char *action,
> + const char *user,
> + const char *group,
> + const int status)
> +{
> + struct ldb_context *ldb = NULL;
> + const char *remote_host = NULL;
> + const struct dom_sid *sid = NULL;
> + const char *user_sid = NULL;
> + const char *timestamp = NULL;
> + char *log_entry = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = ldb_module_get_ctx(discard_const(module));
> +
> + remote_host = get_remote_host(ldb, ctx);
> + sid = get_user_sid(module);
> + user_sid = dom_sid_string(ctx, sid);
> + timestamp = audit_get_timestamp(ctx);
> +
> + log_entry = talloc_asprintf(
> + mem_ctx,
> + "[%s] at [%s] status [%s] "
> + "Remote host [%s] SID [%s] Group [%s] User [%s]",
> + action,
> + timestamp,
> + ldb_strerror(status),
> + remote_host,
> + user_sid,
> + group,
> + user);
> + TALLOC_FREE(ctx);
> + return log_entry;
> +}
> +
> +/*
> + * @brief generate an array of parsed_dns, deferring the actual parsing.
> + *
> + * Get an array of 'struct parsed_dns' without the parsing.
> + * The parsed_dns are parsed only when needed to avoid the expense of parsing.
> + *
> + * This procedure assumes that the dn's are sorted in GUID order and contains
> + * no duplicates. This should be valid as the module sits below repl_meta_data
> + * which ensures this.
> + *
> + * @param mem_ctx The memory context that will own the generated array
> + * @param el The message element used to generate the array.
> + *
> + * @return an array of struct parsed_dns, or NULL in the event of an error
> + */
> +static struct parsed_dn *get_parsed_dns(
> + TALLOC_CTX *mem_ctx,
> + struct ldb_message_element *el)
> +{
> + struct parsed_dn *pdn = NULL;
> +
> + int i;
> +
> + if (el == NULL || el->num_values == 0) {
> + return NULL;
> + }
> +
> + pdn = talloc_zero_array(mem_ctx, struct parsed_dn, el->num_values);
> + if (pdn == NULL) {
> + DBG_ERR("Out of memory\n");
> + return NULL;
> + }
> +
> + for (i = 0; i < el->num_values; i++) {
> + pdn[i].v = &el->values[i];
> + }
> + return pdn;
> +
> +}
> +
> +enum dn_compare_result {
> + LESS_THAN,
> + BINARY_EQUAL,
> + EQUAL,
> + GREATER_THAN
> +};
> +/*
> + * @brief compare parsed_dns
> + *
> + * Compare two parsed_dn structures, parsing the entries if necessary.
> + * To avoid the overhead of parsing the DN's this function does a binary
> + * compare first. Only parsing the DN's they are not equal at a binary level.
> + *
> + * @param ctx talloc context that will own the parsed dsdb_dn
> + * @param ldb ldb_context
> + * @param old_val The old value
> + * @param new_val The old value
> + *
> + * @return BINARY_EQUAL values are equal at a binary level
> + * EQUAL DN's are equal but the meta data is different
> + * LESS_THAN old value < new value
> + * GREATER_THAN old value > new value
> + *
> + */
> +static enum dn_compare_result dn_compare(
> + TALLOC_CTX *mem_ctx,
> + struct ldb_context *ldb,
> + struct parsed_dn *old_val,
> + struct parsed_dn *new_val) {
> +
> + int res = 0;
> +
> + /*
> + * Do a binary compare first to avoid unnecessary parsing
> + */
> + if (data_blob_cmp(new_val->v, old_val->v) == 0) {
> + /*
> + * Values are equal at a binary level so no need
> + * for further processing
> + */
> + return BINARY_EQUAL;
> + }
> + /*
> + * Values not equal at the binary level, so lets
> + * do a GUID ordering compare. To do this we will need to ensure
> + * that the dn's have been parsed.
> + */
> + if (old_val->dsdb_dn == NULL) {
> + really_parse_trusted_dn(
> + mem_ctx,
> + ldb,
> + old_val,
> + LDB_SYNTAX_DN);
> + }
> + if (new_val->dsdb_dn == NULL) {
> + really_parse_trusted_dn(
> + mem_ctx,
> + ldb,
> + new_val,
> + LDB_SYNTAX_DN);
> + }
> +
> + res = ndr_guid_compare(&new_val->guid, &old_val->guid);
> + if (res < 0) {
> + return LESS_THAN;
> + } else if (res == 0) {
> + return EQUAL;
> + } else {
> + return GREATER_THAN;
> + }
> +}
> +
> +/*
> + * @brief Get the DN of a users primary group as a printable string.
> + *
> + * Get the DN of a users primary group as a printable string.
> + *
> + * @param mem_ctx Talloc context the the returned string will be allocated on.
> + * @param module The ldb module
> + * @param account_sid The SID for the uses account.
> + * @param primary_group_rid The RID for the users primary group.
> + *
> + * @return a formatted DN, or null if there is an error.
> + */
> +static const char *get_primary_group_dn(
> + TALLOC_CTX *mem_ctx,
> + struct ldb_module *module,
> + struct dom_sid *account_sid,
> + uint32_t primary_group_rid)
> +{
> + NTSTATUS status;
> +
> + struct ldb_context *ldb = NULL;
> + struct dom_sid *domain_sid = NULL;
> + struct dom_sid *primary_group_sid = NULL;
> + char *sid = NULL;
> + struct ldb_dn *dn = NULL;
> + struct ldb_message *msg = NULL;
> + int rc;
> +
> + ldb = ldb_module_get_ctx(module);
> +
> + status = dom_sid_split_rid(mem_ctx, account_sid, &domain_sid, NULL);
> + if (!NT_STATUS_IS_OK(status)) {
> + return NULL;
> + }
> +
> + primary_group_sid = dom_sid_add_rid(
> + mem_ctx,
> + domain_sid,
> + primary_group_rid);
> + if (!primary_group_sid) {
> + return NULL;
> + }
> +
> + sid = dom_sid_string(mem_ctx, primary_group_sid);
> + if (sid == NULL) {
> + return NULL;
> + }
> +
> + dn = ldb_dn_new_fmt(mem_ctx, ldb, "<SID=%s>", sid);
> + if(dn == NULL) {
> + return sid;
> + }
> + rc = dsdb_search_one(
> + ldb,
> + mem_ctx,
> + &msg,
> + dn,
> + LDB_SCOPE_BASE,
> + NULL,
> + 0,
> + NULL);
> + if (rc != LDB_SUCCESS) {
> + return NULL;
> + }
> +
> + return ldb_dn_get_linearized(msg->dn);
> +}
> +
> +/*
> + * @brief Log details of a change to a users primary group.
> + *
> + * Log details of a change to a users primary group.
> + *
> + * @param module The ldb module.
> + * @param request The request deing logged.
> + * @param action Description of the action being performed.
> + * @param group The linearized for of the group DN
> + * @param status the LDB status code for the processing of the request.
> + *
> + */
> +static void log_primary_group_change(
> + struct ldb_module *module,
> + const struct ldb_request *request,
> + const char *action,
> + const char *group,
> + const int status)
> +{
> + const char *user = NULL;
> +
> + struct audit_context *ac =
> + talloc_get_type(
> + ldb_module_get_private(module),
> + struct audit_context);
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + user = get_primary_dn(request);
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_GROUP_AUDIT, GROUP_LOG_LVL)) {
> + char *message = NULL;
> + message = audit_group_human_readable(
> + ctx,
> + module,
> + request,
> + action,
> + user,
> + group,
> + status);
> + audit_log_hr(
> + AUDIT_HR_TAG,
> + message,
> + DBGC_DSDB_GROUP_AUDIT,
> + GROUP_LOG_LVL);
> + TALLOC_FREE(message);
> + }
> +
> +#ifdef HAVE_JANSSON
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_GROUP_AUDIT_JSON, GROUP_LOG_LVL) ||
> + (ac->msg_ctx && ac->send_events)) {
> +
> + struct json_object json;
> + json = audit_group_json(
> + module,
> + request,
> + action,
> + user,
> + group,
> + status);
> + audit_log_json(
> + AUDIT_JSON_TYPE,
> + &json,
> + DBGC_DSDB_GROUP_AUDIT_JSON,
> + GROUP_LOG_LVL);
> + if (ac->send_events) {
> + audit_message_send(
> + ac->msg_ctx,
> + DSDB_GROUP_EVENT_NAME,
> + MSG_GROUP_LOG,
> + &json);
> + }
> + json_free(&json);
> + }
> +#endif
> + TALLOC_FREE(ctx);
> +}
> +
> +/*
> + * @brief Log details of a single change to a users group membership.
> + *
> + * Log details of a change to a users group membership, except for changes
> + * to their primary group which is handled by log_primary_group_change.
> + *
> + * @param module The ldb module.
> + * @param request The request being logged.
> + * @param action Description of the action being performed.
> + * @param user The linearized form of the users DN
> + * @param status the LDB status code for the processing of the request.
> + *
> + */
> +static void log_membership_change(
> + struct ldb_module *module,
> + const struct ldb_request *request,
> + const char *action,
> + const char *user,
> + const int status)
> +{
> + const char *group = NULL;
> + struct audit_context *ac =
> + talloc_get_type(
> + ldb_module_get_private(module),
> + struct audit_context);
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> + group = get_primary_dn(request);
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_GROUP_AUDIT, GROUP_LOG_LVL)) {
> + char *message = NULL;
> + message = audit_group_human_readable(
> + ctx,
> + module,
> + request,
> + action,
> + user,
> + group,
> + status);
> + audit_log_hr(
> + AUDIT_HR_TAG,
> + message,
> + DBGC_DSDB_GROUP_AUDIT,
> + GROUP_LOG_LVL);
> + TALLOC_FREE(message);
> + }
> +
> +#ifdef HAVE_JANSSON
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_GROUP_AUDIT_JSON, GROUP_LOG_LVL) ||
> + (ac->msg_ctx && ac->send_events)) {
> + struct json_object json;
> + json = audit_group_json(
> + module,
> + request,
> + action,
> + user,
> + group,
> + status);
> + audit_log_json(
> + AUDIT_JSON_TYPE,
> + &json,
> + DBGC_DSDB_GROUP_AUDIT_JSON,
> + GROUP_LOG_LVL);
> + if (ac->send_events) {
> + audit_message_send(
> + ac->msg_ctx,
> + DSDB_GROUP_EVENT_NAME,
> + MSG_GROUP_LOG,
> + &json);
> + }
> + json_free(&json);
> + }
> +#endif
> + TALLOC_FREE(ctx);
> +}
> +
> +/*
> + * @brief Log all the changes to a users group membership.
> + *
> + * Log details of a change to a users group memberships, except for changes
> + * to their primary group which is handled by log_primary_group_change.
> + *
> + * @param module The ldb module.
> + * @param request The request being logged.
> + * @param action Description of the action being performed.
> + * @param user The linearized form of the users DN
> + * @param status the LDB status code for the processing of the request.
> + *
> + */
> +static void log_membership_changes(
> + struct ldb_module *module,
> + const struct ldb_request *request,
> + struct ldb_message_element *el,
> + struct ldb_message_element *old_el,
> + int status)
> +{
> + unsigned int i, old_i, new_i;
> + unsigned int old_num_values;
> + unsigned int max_num_values;
> + unsigned int new_num_values;
> + struct parsed_dn *old_val = NULL;
> + struct parsed_dn *new_val = NULL;
> + struct parsed_dn *new_values = NULL;
> + struct parsed_dn *old_values = NULL;
> + struct ldb_context *ldb = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + old_num_values = old_el ? old_el->num_values : 0;
> + new_num_values = el ? el->num_values : 0;
> + max_num_values = old_num_values + new_num_values;
> +
> + if (max_num_values == 0) {
> + /*
> + * There is nothing to do!
> + */
> + TALLOC_FREE(ctx);
> + return;
> + }
> +
> + old_values = get_parsed_dns(ctx, old_el);
> + new_values = get_parsed_dns(ctx, el);
> + ldb = ldb_module_get_ctx(module);
> +
> + old_i = 0;
> + new_i = 0;
> + for (i = 0; i < max_num_values; i++) {
> + enum dn_compare_result cmp;
> + if (old_i < old_num_values && new_i < new_num_values) {
> + /*
> + * Both list have values, so compare the values
> + */
> + old_val = &old_values[old_i];
> + new_val = &new_values[new_i];
> + cmp = dn_compare(ctx, ldb, old_val, new_val);
> + } else if (old_i < old_num_values) {
> + /*
> + * the new list is empty, read the old list
> + */
> + old_val = &old_values[old_i];
> + new_val = NULL;
> + cmp = LESS_THAN;
> + } else if (new_i < new_num_values) {
> + /*
> + * the old list is empty, read new list
> + */
> + old_val = NULL;
> + new_val = &new_values[new_i];
> + cmp = GREATER_THAN;
> + } else {
> + break;
> + }
> +
> + if (cmp == LESS_THAN) {
> + /*
> + * Have an entry in the original record that is not in
> + * the new record. So it's been deleted
> + */
> + const char *user = NULL;
> + if (old_val->dsdb_dn == NULL) {
> + really_parse_trusted_dn(
> + ctx,
> + ldb,
> + old_val,
> + LDB_SYNTAX_DN);
> + }
> + user = ldb_dn_get_linearized(old_val->dsdb_dn->dn);
> + log_membership_change(
> + module,
> + request,
> + "Removed",
> + user,
> + status);
> + old_i++;
> + } else if (cmp == BINARY_EQUAL) {
> + /*
> + * DN's unchanged at binary level so nothing to do.
> + */
> + old_i++;
> + new_i++;
> + } else if (cmp == EQUAL) {
> + /*
> + * DN is unchanged now need to check the flags to
> + * determine if a record has been deleted or undeleted
> + */
> + uint32_t old_flags;
> + uint32_t new_flags;
> + if (old_val->dsdb_dn == NULL) {
> + really_parse_trusted_dn(
> + ctx,
> + ldb,
> + old_val,
> + LDB_SYNTAX_DN);
> + }
> + if (new_val->dsdb_dn == NULL) {
> + really_parse_trusted_dn(
> + ctx,
> + ldb,
> + new_val,
> + LDB_SYNTAX_DN);
> + }
> +
> + dsdb_get_extended_dn_uint32(
> + old_val->dsdb_dn->dn,
> + &old_flags,
> + "RMD_FLAGS");
> + dsdb_get_extended_dn_uint32(
> + new_val->dsdb_dn->dn,
> + &new_flags,
> + "RMD_FLAGS");
> + if (new_flags == old_flags) {
> + /*
> + * No changes to the Repl meta data so can
> + * no need to log the change
> + */
> + old_i++;
> + new_i++;
> + continue;
> + }
> + if (new_flags & DSDB_RMD_FLAG_DELETED) {
> + /*
> + * DN has been deleted.
> + */
> + const char *user = NULL;
> + user = ldb_dn_get_linearized(
> + old_val->dsdb_dn->dn);
> + log_membership_change(
> + module,
> + request,
> + "Removed",
> + user,
> + status);
> + } else {
> + /*
> + * DN has been re-added
> + */
> + const char *user = NULL;
> + user = ldb_dn_get_linearized(
> + new_val->dsdb_dn->dn);
> + log_membership_change(
> + module,
> + request,
> + "Added",
> + user,
> + status);
> + }
> + old_i++;
> + new_i++;
> + } else {
> + /*
> + * Member in the updated record that's not in the
> + * original, so it must have been added.
> + */
> + const char *user = NULL;
> + if ( new_val->dsdb_dn == NULL) {
> + really_parse_trusted_dn(
> + ctx,
> + ldb,
> + new_val,
> + LDB_SYNTAX_DN);
> + }
> + user = ldb_dn_get_linearized(new_val->dsdb_dn->dn);
> + log_membership_change(
> + module,
> + request,
> + "Added",
> + user,
> + status);
> + new_i++;
> + }
> + }
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +
> +/*
> + * @brief Log the details of a primary group change.
> + *
> + * Retrieve the users primary groupo after the operation has completed
> + * and call log_primary_group_change to log the actual changes.
> + *
> + * @param acc details of the primary group before the operation.
> + * @param status The status code returned by the operation.
> + *
> + * @return an LDB status code.
> + */
> +static void log_user_primary_group_change(
> + struct audit_callback_context *acc,
> + const int status)
> +{
> + TALLOC_CTX *ctx = talloc_new(NULL);
> + uint32_t new_rid;
> + struct dom_sid *account_sid = NULL;
> + int ret;
> + const struct ldb_message *msg = get_message(acc->request);
> + if (status == LDB_SUCCESS && msg != NULL) {
> + struct ldb_result *res = NULL;
> + ret = dsdb_module_search_dn(
> + acc->module,
> + ctx,
> + &res,
> + msg->dn,
> + primary_group_attr,
> + DSDB_FLAG_NEXT_MODULE |
> + DSDB_SEARCH_REVEAL_INTERNALS |
> + DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT,
> + NULL);
> + if (ret == LDB_SUCCESS) {
> + new_rid = ldb_msg_find_attr_as_uint(
> + msg,
> + "primaryGroupID",
> + ~0);
> + account_sid = samdb_result_dom_sid(
> + ctx,
> + res->msgs[0],
> + "objectSid");
> + }
> + }
> + /*
> + * If we don't have a new value then the user has been deleted
> + * which we currently do not log.
> + * Otherwise only log if the primary group has actually changed.
> + */
> + if (account_sid != NULL &&
> + new_rid != ~0 &&
> + acc->primary_group != new_rid) {
> + const char* group = get_primary_group_dn(
> + ctx,
> + acc->module,
> + account_sid,
> + new_rid);
> + log_primary_group_change(
> + acc->module,
> + acc->request,
> + "PrimaryGroup",
> + group,
> + status);
> + }
> + TALLOC_FREE(ctx);
> +}
> +
> +/*
> + * @brief log the changes to users group membership.
> + *
> + * Retrieve the users group memberships after the operation has completed
> + * and call log_membership_changes to log the actual changes.
> + *
> + * @param acc details of the group memberships before the operation.
> + * @param status The status code returned by the operation.
> + *
> + * @return an LDB status code.
> + */
> +static void log_group_membership_changes(
> + struct audit_callback_context *acc,
> + const int status)
> +{
> + TALLOC_CTX *ctx = talloc_new(NULL);
> + struct ldb_message_element *new_val = NULL;
> + int ret;
> + const struct ldb_message *msg = get_message(acc->request);
> + if (status == LDB_SUCCESS && msg != NULL) {
> + struct ldb_result *res = NULL;
> + ret = dsdb_module_search_dn(
> + acc->module,
> + ctx,
> + &res,
> + msg->dn,
> + member_attr,
> + DSDB_FLAG_NEXT_MODULE |
> + DSDB_SEARCH_REVEAL_INTERNALS |
> + DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT,
> + NULL);
> + if (ret == LDB_SUCCESS) {
> + new_val = ldb_msg_find_element(res->msgs[0], "member");
> + }
> + }
> + log_membership_changes(
> + acc->module,
> + acc->request,
> + new_val,
> + acc->members,
> + status);
> + TALLOC_FREE(ctx);
> +}
> +
> +/*
> + * @brief call back function to log changes to the group memberships.
> + *
> + * Call back function to log changes to the uses broup memberships.
> + *
> + * @param req the ldb request.
> + * @param ares the ldb result
> + *
> + * @return am LDB status code.
> + */
> +static int group_audit_callback(
> + struct ldb_request *req,
> + struct ldb_reply *ares)
> +{
> + struct audit_callback_context *ac = NULL;
> +
> + ac = talloc_get_type(
> + req->context,
> + struct audit_callback_context);
> +
> + if (!ares) {
> + return ldb_module_done(
> + ac->request, NULL, NULL,
> + LDB_ERR_OPERATIONS_ERROR);
> + }
> +
> + /* pass on to the callback */
> + switch (ares->type) {
> + case LDB_REPLY_ENTRY:
> + return ldb_module_send_entry(
> + ac->request,
> + ares->message,
> + ares->controls);
> +
> + case LDB_REPLY_REFERRAL:
> + return ldb_module_send_referral(
> + ac->request,
> + ares->referral);
> +
> + case LDB_REPLY_DONE:
> + /*
> + * Log on DONE now we have a result code
> + */
> + ac->log_changes(ac, ares->error);
> + return ldb_module_done(
> + ac->request,
> + ares->controls,
> + ares->response,
> + ares->error);
> + break;
> +
> + default:
> + /* Can't happen */
> + return LDB_ERR_OPERATIONS_ERROR;
> + }
> +}
> +
> +/*
> + * @brief Does this request change the primary group.
> + *
> + * Does the request change the primary group, i.e. does it contain the
> + * primaryGroupID attribute.
> + *
> + * @param req the request to examine.
> + *
> + * @return True if the request modifies the primary group.
> + */
> +static bool has_primary_group_id(struct ldb_request *req)
> +{
> + struct ldb_message_element *el = NULL;
> + const struct ldb_message *msg = NULL;
> +
> + msg = get_message(req);
> + el = ldb_msg_find_element(msg, "primaryGroupID");
> +
> + return (el != NULL);
> +}
> +
> +/*
> + * @brief Does this request change group membership.
> + *
> + * Does the request change the ses group memberships, i.e. does it contain the
> + * member attribute.
> + *
> + * @param req the request to examine.
> + *
> + * @return True if the request modifies the users group memberships.
> + */
> +static bool has_group_membership_changes(struct ldb_request *req)
> +{
> + struct ldb_message_element *el = NULL;
> + const struct ldb_message *msg = NULL;
> +
> + msg = get_message(req);
> + el = ldb_msg_find_element(msg, "member");
> +
> + return (el != NULL);
> +}
> +
> +
> +
> +/*
> + * @brief Install the callback function to log an add request.
> + *
> + * Install the callback function to log an add request changing the users
> + * group memberships. As we want to log the returned status code, we need to
> + * register a callback function that will be called once the operation has
> + * completed.
> + *
> + * This function reads the current user record so that we can log the before
> + * and after state.
> + *
> + * @param module The ldb module.
> + * @param req The modify request.
> + *
> + * @return and LDB status code.
> + */
> +static int set_group_membership_add_callback(
> + struct ldb_module *module,
> + struct ldb_request *req)
> +{
> + struct audit_callback_context *context = NULL;
> + struct ldb_request *new_req = NULL;
> + struct ldb_context *ldb = NULL;
> + int ret;
> + /*
> + * Adding group memberships so will need to log the changes.
> + */
> + ldb = ldb_module_get_ctx(module);
> + context = talloc_zero(req, struct audit_callback_context);
> +
> + if (context == NULL) {
> + return ldb_oom(ldb);
> + }
> + context->request = req;
> + context->module = module;
> + context->log_changes = log_group_membership_changes;
> + /*
> + * We want to log the return code status, so we need to register
> + * a callback function to get the actual result.
> + * We need to take a new copy so that we don't alter the callers copy
> + */
> + ret = ldb_build_add_req(
> + &new_req,
> + ldb,
> + req,
> + req->op.add.message,
> + req->controls,
> + context,
> + group_audit_callback,
> + req);
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + return ldb_next_request(module, new_req);
> +}
> +
> +
> +/*
> + * @brief Install the callback function to log a modify request.
> + *
> + * Install the callback function to log a modify request changing the primary
> + * group . As we want to log the returned status code, we need to register a
> + * callback function that will be called once the operation has completed.
> + *
> + * This function reads the current user record so that we can log the before
> + * and after state.
> + *
> + * @param module The ldb module.
> + * @param req The modify request.
> + *
> + * @return and LDB status code.
> + */
> +static int set_primary_group_modify_callback(
> + struct ldb_module *module,
> + struct ldb_request *req)
> +{
> + struct audit_callback_context *context = NULL;
> + struct ldb_request *new_req = NULL;
> + struct ldb_context *ldb = NULL;
> + const struct ldb_message *msg = NULL;
> + struct ldb_result *res = NULL;
> + int ret;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = ldb_module_get_ctx(module);
> +
> + context = talloc_zero(req, struct audit_callback_context);
> + if (context == NULL) {
> + ret = ldb_oom(ldb);
> + goto exit;
> + }
> + context->request = req;
> + context->module = module;
> + context->log_changes = log_user_primary_group_change;
> +
> + msg = get_message(req);
> + ret = dsdb_module_search_dn(
> + module,
> + ctx,
> + &res,
> + msg->dn,
> + primary_group_attr,
> + DSDB_FLAG_NEXT_MODULE |
> + DSDB_SEARCH_REVEAL_INTERNALS |
> + DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT,
> + NULL);
> + if (ret == LDB_SUCCESS) {
> + uint32_t pg;
> + pg = ldb_msg_find_attr_as_uint(
> + res->msgs[0],
> + "primaryGroupID",
> + ~0);
> + context->primary_group = pg;
> + }
> + /*
> + * We want to log the return code status, so we need to register
> + * a callback function to get the actual result.
> + * We need to take a new copy so that we don't alter the callers copy
> + */
> + ret = ldb_build_mod_req(
> + &new_req,
> + ldb,
> + req,
> + req->op.add.message,
> + req->controls,
> + context,
> + group_audit_callback,
> + req);
> + if (ret != LDB_SUCCESS) {
> + goto exit;
> + }
> + ret = ldb_next_request(module, new_req);
> +exit:
> + TALLOC_FREE(ctx);
> + return ret;
> +}
> +
> +/*
> + * @brief Install the callback function to log an add request.
> + *
> + * Install the callback function to log an add request changing the primary
> + * group . As we want to log the returned status code, we need to register a
> + * callback function that will be called once the operation has completed.
> + *
> + * This function reads the current user record so that we can log the before
> + * and after state.
> + *
> + * @param module The ldb module.
> + * @param req The modify request.
> + *
> + * @return and LDB status code.
> + */
> +static int set_primary_group_add_callback(
> + struct ldb_module *module,
> + struct ldb_request *req)
> +{
> + struct audit_callback_context *context = NULL;
> + struct ldb_request *new_req = NULL;
> + struct ldb_context *ldb = NULL;
> + int ret;
> + /*
> + * Adding a user with a primary group.
> + */
> + ldb = ldb_module_get_ctx(module);
> + context = talloc_zero(req, struct audit_callback_context);
> +
> + if (context == NULL) {
> + return ldb_oom(ldb);
> + }
> + context->request = req;
> + context->module = module;
> + context->log_changes = log_user_primary_group_change;
> + /*
> + * We want to log the return code status, so we need to register
> + * a callback function to get the actual result.
> + * We need to take a new copy so that we don't alter the callers copy
> + */
> + ret = ldb_build_add_req(
> + &new_req,
> + ldb,
> + req,
> + req->op.add.message,
> + req->controls,
> + context,
> + group_audit_callback,
> + req);
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + return ldb_next_request(module, new_req);
> +}
> +
> +/*
> + * @brief Module handler for add operations.
> + *
> + * Inspect the current add request, and if needed log any group membership
> + * changes.
> + *
> + * @param module The ldb module.
> + * @param req The modify request.
> + *
> + * @return and LDB status code.
> + */
> +static int group_add(
> + struct ldb_module *module,
> + struct ldb_request *req)
> +{
> +
> + struct audit_context *ac =
> + talloc_get_type(
> + ldb_module_get_private(module),
> + struct audit_context);
> + /*
> + * Currently we don't log replicated group changes
> + */
> + if (ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) {
> + return ldb_next_request(module, req);
> + }
> +
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_GROUP_AUDIT, GROUP_LOG_LVL) ||
> + CHECK_DEBUGLVLC(DBGC_DSDB_GROUP_AUDIT_JSON, GROUP_LOG_LVL) ||
> + (ac->msg_ctx && ac->send_events)) {
> + /*
> + * Avoid the overheads of logging unless it has been
> + * enabled
> + */
> + if (has_group_membership_changes(req)) {
> + return set_group_membership_add_callback(module, req);
> + }
> + if (has_primary_group_id(req)) {
> + return set_primary_group_add_callback(module, req);
> + }
> + }
> + return ldb_next_request(module, req);
> +}
> +
> +/*
> + * @brief Module handler for delete operations.
> + *
> + * Currently there is no logging for delete operations.
> + *
> + * @param module The ldb module.
> + * @param req The modify request.
> + *
> + * @return and LDB status code.
> + */
> +static int group_delete(
> + struct ldb_module *module,
> + struct ldb_request *req)
> +{
> + return ldb_next_request(module, req);
> +}
> +
> +/*
> + * @brief Install the callback function to log a modify request.
> + *
> + * Install the callback function to log a modify request. As we want to log the
> + * returned status code, we need to register a callback function that will be
> + * called once the operation has completed.
> + *
> + * This function reads the current user record so that we can log the before
> + * and after state.
> + *
> + * @param module The ldb module.
> + * @param req The modify request.
> + *
> + * @return and LDB status code.
> + */
> +static int set_group_modify_callback(
> + struct ldb_module *module,
> + struct ldb_request *req)
> +{
> + struct audit_callback_context *context = NULL;
> + struct ldb_request *new_req = NULL;
> + struct ldb_context *ldb = NULL;
> + struct ldb_result *res = NULL;
> + int ret;
> +
> + ldb = ldb_module_get_ctx(module);
> + context = talloc_zero(req, struct audit_callback_context);
> +
> + if (context == NULL) {
> + return ldb_oom(ldb);
> + }
> + context->request = req;
> + context->module = module;
> + context->log_changes = log_group_membership_changes;
> +
> + /*
> + * About to change the group memberships need to read
> + * the current state from the database.
> + */
> + ret = dsdb_module_search_dn(
> + module,
> + context,
> + &res,
> + req->op.add.message->dn,
> + member_attr,
> + DSDB_FLAG_NEXT_MODULE |
> + DSDB_SEARCH_REVEAL_INTERNALS |
> + DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT,
> + NULL);
> + if (ret == LDB_SUCCESS) {
> + context->members = ldb_msg_find_element(res->msgs[0], "member");
> + }
> +
> + ret = ldb_build_mod_req(
> + &new_req,
> + ldb,
> + req,
> + req->op.mod.message,
> + req->controls,
> + context,
> + group_audit_callback,
> + req);
> + if (ret != LDB_SUCCESS) {
> + return ret;
> + }
> + return ldb_next_request(module, new_req);
> +}
> +
> +/*
> + * @brief Module handler for modify operations.
> + *
> + * Inspect the current modify request, and if needed log any group membership
> + * changes.
> + *
> + * @param module The ldb module.
> + * @param req The modify request.
> + *
> + * @return and LDB status code.
> + */
> +static int group_modify(
> + struct ldb_module *module,
> + struct ldb_request *req)
> +{
> +
> + struct audit_context *ac =
> + talloc_get_type(
> + ldb_module_get_private(module),
> + struct audit_context);
> + /*
> + * Currently we don't log replicated group changes
> + */
> + if (ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) {
> + return ldb_next_request(module, req);
> + }
> +
> + if (CHECK_DEBUGLVLC(DBGC_DSDB_GROUP_AUDIT, GROUP_LOG_LVL) ||
> + CHECK_DEBUGLVLC(DBGC_DSDB_GROUP_AUDIT_JSON, GROUP_LOG_LVL) ||
> + (ac->msg_ctx && ac->send_events)) {
> + /*
> + * Avoid the overheads of logging unless it has been
> + * enabled
> + */
> + if (has_group_membership_changes(req)) {
> + return set_group_modify_callback(module, req);
> + }
> + if (has_primary_group_id(req)) {
> + return set_primary_group_modify_callback(module, req);
> + }
> + }
> + return ldb_next_request(module, req);
> +}
> +
> +/*
> + * @brief ldb module initialisation
> + *
> + * Initialise the module, loading the private data etc.
> + *
> + * @param module The ldb module to initialise.
> + *
> + * @return An LDB status code.
> + */
> +static int group_init(struct ldb_module *module)
> +{
> +
> + struct ldb_context *ldb = ldb_module_get_ctx(module);
> + struct audit_context *context = NULL;
> + struct loadparm_context *lp_ctx
> + = talloc_get_type_abort(
> + ldb_get_opaque(ldb, "loadparm"),
> + struct loadparm_context);
> + struct tevent_context *ec = ldb_get_event_context(ldb);
> +
> + context = talloc_zero(module, struct audit_context);
> + if (context == NULL) {
> + return ldb_module_oom(module);
> + }
> +
> + if (lp_ctx && lpcfg_dsdb_group_change_notification(lp_ctx)) {
> + context->send_events = true;
> + context->msg_ctx = imessaging_client_init(ec, lp_ctx, ec);
> + }
> +
> + ldb_module_set_private(module, context);
> + return ldb_next_init(module);
> +}
> +
> +static const struct ldb_module_ops ldb_group_audit_log_module_ops = {
> + .name = "group_audit_log",
> + .add = group_add,
> + .modify = group_modify,
> + .del = group_delete,
> + .init_context = group_init,
> +};
> +
> +int ldb_group_audit_log_module_init(const char *version)
> +{
> + LDB_MODULE_CHECK_VERSION(version);
> + return ldb_register_module(&ldb_group_audit_log_module_ops);
> +}
> diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
> index baa30f9..fa58f19 100644
> --- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
> +++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
> @@ -313,6 +313,7 @@ static int samba_dsdb_init(struct ldb_module *module)
> "rdn_name",
> "subtree_delete",
> "repl_meta_data",
> + "group_audit_log",
> "encrypted_secrets",
> "operational",
> "unique_object_sids",
> diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
> new file mode 100644
> index 0000000..3d451a5
> --- /dev/null
> +++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
> @@ -0,0 +1,736 @@
> +/*
> + Unit tests for the dsdb group auditing code in group_audit.c
> +
> + Copyright (C) Andrew Bartlett <abartlet at samba.org> 2018
> +
> + This program is free software; you can redistribute it and/or modify
> + it under the terms of the GNU General Public License as published by
> + the Free Software Foundation; either version 3 of the License, or
> + (at your option) any later version.
> +
> + This program is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + GNU General Public License for more details.
> +
> + You should have received a copy of the GNU General Public License
> + along with this program. If not, see <http://www.gnu.org/licenses/>.
> +*/
> +
> +#include <stdarg.h>
> +#include <stddef.h>
> +#include <setjmp.h>
> +#include <unistd.h>
> +#include <cmocka.h>
> +
> +int ldb_group_audit_log_module_init(const char *version);
> +#include "../group_audit.c"
> +
> +#include "lib/ldb/include/ldb_private.h"
> +#include <regex.h>
> +
> +/*
> + * Mock version of dsdb_search_one
> + */
> +struct ldb_dn *g_basedn = NULL;
> +enum ldb_scope g_scope;
> +const char * const *g_attrs = NULL;
> +uint32_t g_dsdb_flags;
> +const char *g_exp_fmt;
> +const char *g_dn = NULL;
> +int g_status = LDB_SUCCESS;
> +
> +int dsdb_search_one(struct ldb_context *ldb,
> + TALLOC_CTX *mem_ctx,
> + struct ldb_message **msg,
> + struct ldb_dn *basedn,
> + enum ldb_scope scope,
> + const char * const *attrs,
> + uint32_t dsdb_flags,
> + const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
> +{
> + struct ldb_dn *dn = ldb_dn_new(mem_ctx, ldb, g_dn);
> + struct ldb_message *m = talloc_zero(mem_ctx, struct ldb_message);
> + m->dn = dn;
> + *msg = m;
> +
> + g_basedn = basedn;
> + g_scope = scope;
> + g_attrs = attrs;
> + g_dsdb_flags = dsdb_flags;
> + g_exp_fmt = exp_fmt;
> +
> + return g_status;
> +}
> +
> +/*
> + * Mocking for audit_log_hr to capture the called parameters
> + */
> +const char *audit_log_hr_prefix = NULL;
> +const char *audit_log_hr_message = NULL;
> +int audit_log_hr_debug_class = 0;
> +int audit_log_hr_debug_level = 0;
> +
> +static void audit_log_hr_init(void)
> +{
> + audit_log_hr_prefix = NULL;
> + audit_log_hr_message = NULL;
> + audit_log_hr_debug_class = 0;
> + audit_log_hr_debug_level = 0;
> +}
> +
> +void audit_log_hr(
> + const char *prefix,
> + const char *message,
> + int debug_class,
> + int debug_level)
> +{
> + audit_log_hr_prefix = prefix;
> + audit_log_hr_message = message;
> + audit_log_hr_debug_class = debug_class;
> + audit_log_hr_debug_level = debug_level;
> +}
> +
> +/*
> + * Test helper to check ISO 8601 timestamps for validity
> + */
> +static void check_timestamp(time_t before, const char *timestamp)
> +{
> + int rc;
> + int usec, tz;
> + char c[2];
> + struct tm tm;
> + time_t after;
> + time_t actual;
> +
> +
> + after = time(NULL);
> +
> + /*
> + * Convert the ISO 8601 timestamp into a time_t
> + * Note for convenience we ignore the value of the microsecond
> + * part of the time stamp.
> + */
> + rc = sscanf(
> + timestamp,
> + "%4d-%2d-%2dT%2d:%2d:%2d.%6d%1c%4d",
> + &tm.tm_year,
> + &tm.tm_mon,
> + &tm.tm_mday,
> + &tm.tm_hour,
> + &tm.tm_min,
> + &tm.tm_sec,
> + &usec,
> + c,
> + &tz);
> + assert_int_equal(9, rc);
> + tm.tm_year = tm.tm_year - 1900;
> + tm.tm_mon = tm.tm_mon - 1;
> + tm.tm_isdst = -1;
> + actual = mktime(&tm);
> +
> + /*
> + * The timestamp should be before <= actual <= after
> + */
> + assert_true(difftime(actual, before) >= 0);
> + assert_true(difftime(after, actual) >= 0);
> +}
> +
> +/*
> + * Test helper to validate a version object.
> + */
> +static void check_version(struct json_t *version, int major, int minor)
> +{
> + struct json_t *v = NULL;
> +
> + assert_true(json_is_object(version));
> + assert_int_equal(2, json_object_size(version));
> +
> + v = json_object_get(version, "major");
> + assert_non_null(v);
> + assert_int_equal(major, json_integer_value(v));
> +
> + v = json_object_get(version, "minor");
> + assert_non_null(v);
> + assert_int_equal(minor, json_integer_value(v));
> +}
> +
> +/*
> + * Test helper to insert a transaction_id into a request.
> + */
> +static void add_transaction_id(struct ldb_request *req, const char *id)
> +{
> + struct GUID guid;
> + struct dsdb_control_transaction_identifier *transaction_id = NULL;
> +
> + transaction_id = talloc_zero(
> + req,
> + struct dsdb_control_transaction_identifier);
> + assert_non_null(transaction_id);
> + GUID_from_string(id, &guid);
> + transaction_id->transaction_guid = guid;
> + ldb_request_add_control(
> + req,
> + DSDB_CONTROL_TRANSACTION_IDENTIFIER_OID,
> + false,
> + transaction_id);
> +}
> +
> +/*
> + * Test helper to add a session id and user SID
> + */
> +static void add_session_data(
> + TALLOC_CTX *ctx,
> + struct ldb_context *ldb,
> + const char *session,
> + const char *user_sid)
> +{
> + struct auth_session_info *sess = NULL;
> + struct security_token *token = NULL;
> + struct dom_sid *sid = NULL;
> + struct GUID session_id;
> +
> + sess = talloc_zero(ctx, struct auth_session_info);
> + token = talloc_zero(ctx, struct security_token);
> + sid = talloc_zero(ctx, struct dom_sid);
> + string_to_sid(sid, user_sid);
> + token->sids = sid;
> + sess->security_token = token;
> + GUID_from_string(session, &session_id);
> + sess->unique_session_token = session_id;
> + ldb_set_opaque(ldb, "sessionInfo", sess);
> +}
> +
> +static void test_get_transaction_id(void **state)
> +{
> + struct ldb_request *req = NULL;
> + struct GUID *guid;
> + const char * const ID = "7130cb06-2062-6a1b-409e-3514c26b1773";
> + char *guid_str = NULL;
> + struct GUID_txt_buf guid_buff;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> +
> + /*
> + * No transaction id, should return a zero guid
> + */
> + req = talloc_zero(ctx, struct ldb_request);
> + guid = get_transaction_id(req);
> + assert_null(guid);
> + TALLOC_FREE(req);
> +
> + /*
> + * And now test with the transaction_id set
> + */
> + req = talloc_zero(ctx, struct ldb_request);
> + assert_non_null(req);
> + add_transaction_id(req, ID);
> +
> + guid = get_transaction_id(req);
> + guid_str = GUID_buf_string(guid, &guid_buff);
> + assert_string_equal(ID, guid_str);
> + TALLOC_FREE(req);
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_audit_group_hr(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> +
> + struct tsocket_address *ts = NULL;
> +
> + const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779";
> + const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + struct GUID transaction_id;
> + const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> +
> + char *line = NULL;
> + const char *rs = NULL;
> + regex_t regex;
> + int ret;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + GUID_from_string(TRANSACTION, &transaction_id);
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> +
> + tsocket_address_inet_from_strings(ctx, "ip", "127.0.0.1", 0, &ts);
> + ldb_set_opaque(ldb, "remoteAddress", ts);
> +
> + add_session_data(ctx, ldb, SESSION, SID);
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + req->operation = LDB_ADD;
> + add_transaction_id(req, TRANSACTION);
> +
> + line = audit_group_human_readable(
> + ctx,
> + module,
> + req,
> + "the-action",
> + "the-user-name",
> + "the-group-name",
> + LDB_ERR_OPERATIONS_ERROR);
> + assert_non_null(line);
> +
> + rs = "\\[the-action\\] at \\["
> + "[^]]*"
> + "\\] status \\[Operations error\\] "
> + "Remote host \\[ipv4:127.0.0.1:0\\] "
> + "SID \\[S-1-5-21-2470180966-3899876309-2637894779\\] "
> + "Group \\[the-group-name\\] "
> + "User \\[the-user-name\\]";
> +
> + ret = regcomp(®ex, rs, 0);
> + assert_int_equal(0, ret);
> +
> + ret = regexec(®ex, line, 0, NULL, 0);
> + assert_int_equal(0, ret);
> +
> + regfree(®ex);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +/*
> + * test get_parsed_dns
> + * For this test we assume Valgrind or Address Sanitizer will detect any over
> + * runs. Also we don't care that the values are DN's only that the value in the
> + * element is copied to the parsed_dns.
> + */
> +static void test_get_parsed_dns(void **state)
> +{
> + struct ldb_message_element *el = NULL;
> + struct parsed_dn *dns = NULL;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + el = talloc_zero(ctx, struct ldb_message_element);
> +
> + /*
> + * empty element, zero dns
> + */
> + dns = get_parsed_dns(ctx, el);
> + assert_null(dns);
> +
> + /*
> + * one entry
> + */
> + el->num_values = 1;
> + el->values = talloc_zero_array(ctx, DATA_BLOB, 1);
> + el->values[0] = data_blob_string_const("The first value");
> +
> + dns = get_parsed_dns(ctx, el);
> +
> + assert_ptr_equal(el->values[0].data, dns[0].v->data);
> + assert_int_equal(el->values[0].length, dns[0].v->length);
> +
> + TALLOC_FREE(dns);
> + TALLOC_FREE(el);
> +
> +
> + /*
> + * Multiple values
> + */
> + el = talloc_zero(ctx, struct ldb_message_element);
> + el->num_values = 2;
> + el->values = talloc_zero_array(ctx, DATA_BLOB, 2);
> + el->values[0] = data_blob_string_const("The first value");
> + el->values[0] = data_blob_string_const("The second value");
> +
> + dns = get_parsed_dns(ctx, el);
> +
> + assert_ptr_equal(el->values[0].data, dns[0].v->data);
> + assert_int_equal(el->values[0].length, dns[0].v->length);
> +
> + assert_ptr_equal(el->values[1].data, dns[1].v->data);
> + assert_int_equal(el->values[1].length, dns[1].v->length);
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_dn_compare(void **state)
> +{
> +
> + struct ldb_context *ldb = NULL;
> + struct parsed_dn *a;
> + DATA_BLOB ab;
> +
> + struct parsed_dn *b;
> + DATA_BLOB bb;
> +
> + int res;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> + const struct GUID *ZERO_GUID = talloc_zero(ctx, struct GUID);
> +
> + ldb = ldb_init(ctx, NULL);
> + ldb_register_samba_handlers(ldb);
> +
> +
> + /*
> + * Identical binary DN's
> + */
> + ab = data_blob_string_const(
> + "<GUID=fbee08fd-6f75-4bd4-af3f-e4f063a6379e>;"
> + "OU=Domain Controllers,DC=ad,DC=testing,DC=samba,DC=org");
> + a = talloc_zero(ctx, struct parsed_dn);
> + a->v = &ab;
> +
> + bb = data_blob_string_const(
> + "<GUID=fbee08fd-6f75-4bd4-af3f-e4f063a6379e>;"
> + "OU=Domain Controllers,DC=ad,DC=testing,DC=samba,DC=org");
> + b = talloc_zero(ctx, struct parsed_dn);
> + b->v = &bb;
> +
> + res = dn_compare(ctx, ldb, a, b);
> + assert_int_equal(BINARY_EQUAL, res);
> + /*
> + * DN's should not have been parsed
> + */
> + assert_null(a->dsdb_dn);
> + assert_memory_equal(ZERO_GUID, &a->guid, sizeof(struct GUID));
> + assert_null(b->dsdb_dn);
> + assert_memory_equal(ZERO_GUID, &b->guid, sizeof(struct GUID));
> +
> + TALLOC_FREE(a);
> + TALLOC_FREE(b);
> +
> + /*
> + * differing binary DN's but equal GUID's
> + */
> + ab = data_blob_string_const(
> + "<GUID=efdc91e5-5a5a-493e-9606-166ed0c2651e>;"
> + "OU=Domain Controllers,DC=ad,DC=testing,DC=samba,DC=com");
> + a = talloc_zero(ctx, struct parsed_dn);
> + a->v = &ab;
> +
> + bb = data_blob_string_const(
> + "<GUID=efdc91e5-5a5a-493e-9606-166ed0c2651e>;"
> + "OU=Domain Controllers,DC=ad,DC=testing,DC=samba,DC=org");
> + b = talloc_zero(ctx, struct parsed_dn);
> + b->v = &bb;
> +
> + res = dn_compare(ctx, ldb, a, b);
> + assert_int_equal(EQUAL, res);
> + /*
> + * DN's should have been parsed
> + */
> + assert_non_null(a->dsdb_dn);
> + assert_memory_not_equal(ZERO_GUID, &a->guid, sizeof(struct GUID));
> + assert_non_null(b->dsdb_dn);
> + assert_memory_not_equal(ZERO_GUID, &b->guid, sizeof(struct GUID));
> +
> + TALLOC_FREE(a);
> + TALLOC_FREE(b);
> +
> + /*
> + * differing binary DN's but and second guid greater
> + */
> + ab = data_blob_string_const(
> + "<GUID=efdc91e5-5a5a-493e-9606-166ed0c2651d>;"
> + "OU=Domain Controllers,DC=ad,DC=testing,DC=samba,DC=com");
> + a = talloc_zero(ctx, struct parsed_dn);
> + a->v = &ab;
> +
> + bb = data_blob_string_const(
> + "<GUID=efdc91e5-5a5a-493e-9606-166ed0c2651e>;"
> + "OU=Domain Controllers,DC=ad,DC=testing,DC=samba,DC=org");
> + b = talloc_zero(ctx, struct parsed_dn);
> + b->v = &bb;
> +
> + res = dn_compare(ctx, ldb, a, b);
> + assert_int_equal(GREATER_THAN, res);
> + /*
> + * DN's should have been parsed
> + */
> + assert_non_null(a->dsdb_dn);
> + assert_memory_not_equal(ZERO_GUID, &a->guid, sizeof(struct GUID));
> + assert_non_null(b->dsdb_dn);
> + assert_memory_not_equal(ZERO_GUID, &b->guid, sizeof(struct GUID));
> +
> + TALLOC_FREE(a);
> + TALLOC_FREE(b);
> +
> + /*
> + * differing binary DN's but and second guid less
> + */
> + ab = data_blob_string_const(
> + "<GUID=efdc91e5-5a5a-493e-9606-166ed0c2651d>;"
> + "OU=Domain Controllers,DC=ad,DC=testing,DC=samba,DC=com");
> + a = talloc_zero(ctx, struct parsed_dn);
> + a->v = &ab;
> +
> + bb = data_blob_string_const(
> + "<GUID=efdc91e5-5a5a-493e-9606-166ed0c2651c>;"
> + "OU=Domain Controllers,DC=ad,DC=testing,DC=samba,DC=org");
> + b = talloc_zero(ctx, struct parsed_dn);
> + b->v = &bb;
> +
> + res = dn_compare(ctx, ldb, a, b);
> + assert_int_equal(LESS_THAN, res);
> + /*
> + * DN's should have been parsed
> + */
> + assert_non_null(a->dsdb_dn);
> + assert_memory_not_equal(ZERO_GUID, &a->guid, sizeof(struct GUID));
> + assert_non_null(b->dsdb_dn);
> + assert_memory_not_equal(ZERO_GUID, &b->guid, sizeof(struct GUID));
> +
> + TALLOC_FREE(a);
> + TALLOC_FREE(b);
> +
> + TALLOC_FREE(ctx);
> +}
> +
> +static void test_get_primary_group_dn(void **state)
> +{
> +
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + const uint32_t RID = 71;
> + struct dom_sid sid;
> + const char *SID = "S-1-5-21-2470180966-3899876309-2637894779";
> + const char *DN = "OU=Things,DC=ad,DC=testing,DC=samba,DC=org";
> + const char *dn;
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = ldb_init(ctx, NULL);
> + ldb_register_samba_handlers(ldb);
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> +
> + /*
> + * Pass an empty dom sid this will cause dom_sid_split_rid to fail;
> + * assign to sid.num_auths to suppress a valgrind warning.
> + */
> + sid.num_auths = 0;
> + dn = get_primary_group_dn(ctx, module, &sid, RID);
> + assert_null(dn);
> +
> + /*
> + * A valid dom sid
> + */
> + assert_true(string_to_sid(&sid, SID));
> + g_dn = DN;
> + dn = get_primary_group_dn(ctx, module, &sid, RID);
> + assert_non_null(dn);
> + assert_string_equal(DN, dn);
> + assert_int_equal(LDB_SCOPE_BASE, g_scope);
> + assert_int_equal(0, g_dsdb_flags);
> + assert_null(g_attrs);
> + assert_null(g_exp_fmt);
> + assert_string_equal
> + ("<SID=S-1-5-21-2470180966-3899876309-71>",
> + ldb_dn_get_extended_linearized(ctx, g_basedn, 1));
> +
> + /*
> + * Test dsdb search failure
> + */
> + g_status = LDB_ERR_NO_SUCH_OBJECT;
> + dn = get_primary_group_dn(ctx, module, &sid, RID);
> + assert_null(dn);
> +
> + TALLOC_FREE(ldb);
> + TALLOC_FREE(ctx);
> +}
> +
> +#ifdef HAVE_JANSSON
> +/*
> + * Mocking for audit_log_json to capture the called parameters
> + */
> +const char *audit_log_json_prefix = NULL;
> +struct json_object *audit_log_json_message = NULL;
> +int audit_log_json_debug_class = 0;
> +int audit_log_json_debug_level = 0;
> +
> +static void audit_log_json_init(void)
> +{
> + audit_log_json_prefix = NULL;
> + audit_log_json_message = NULL;
> + audit_log_json_debug_class = 0;
> + audit_log_json_debug_level = 0;
> +}
> +
> +void audit_log_json(
> + const char* prefix,
> + struct json_object* message,
> + int debug_class,
> + int debug_level)
> +{
> + audit_log_json_prefix = prefix;
> + audit_log_json_message = message;
> + audit_log_json_debug_class = debug_class;
> + audit_log_json_debug_level = debug_level;
> +}
> +
> +/*
> + * Mocking for audit_message_send to capture the called parameters
> + */
> +struct imessaging_context *audit_message_send_msg_ctx = NULL;
> +const char *audit_message_send_server_name = NULL;
> +uint32_t audit_message_send_message_type = 0;
> +struct json_object *audit_message_send_message = NULL;
> +
> +static void audit_message_send_init(void) {
> + audit_message_send_msg_ctx = NULL;
> + audit_message_send_server_name = NULL;
> + audit_message_send_message_type = 0;
> + audit_message_send_message = NULL;
> +}
> +void audit_message_send(
> + struct imessaging_context *msg_ctx,
> + const char *server_name,
> + uint32_t message_type,
> + struct json_object *message)
> +{
> + audit_message_send_msg_ctx = msg_ctx;
> + audit_message_send_server_name = server_name;
> + audit_message_send_message_type = message_type;
> + audit_message_send_message = message;
> +}
> +
> +static void test_audit_group_json(void **state)
> +{
> + struct ldb_context *ldb = NULL;
> + struct ldb_module *module = NULL;
> + struct ldb_request *req = NULL;
> +
> + struct tsocket_address *ts = NULL;
> +
> + const char *const SID = "S-1-5-21-2470180966-3899876309-2637894779";
> + const char * const SESSION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> + struct GUID transaction_id;
> + const char *const TRANSACTION = "7130cb06-2062-6a1b-409e-3514c26b1773";
> +
> +
> + struct json_object json;
> + json_t *audit = NULL;
> + json_t *v = NULL;
> + json_t *o = NULL;
> + time_t before;
> +
> +
> + TALLOC_CTX *ctx = talloc_new(NULL);
> +
> + ldb = talloc_zero(ctx, struct ldb_context);
> +
> + GUID_from_string(TRANSACTION, &transaction_id);
> +
> + module = talloc_zero(ctx, struct ldb_module);
> + module->ldb = ldb;
> +
> + tsocket_address_inet_from_strings(ctx, "ip", "127.0.0.1", 0, &ts);
> + ldb_set_opaque(ldb, "remoteAddress", ts);
> +
> + add_session_data(ctx, ldb, SESSION, SID);
> +
> + req = talloc_zero(ctx, struct ldb_request);
> + req->operation = LDB_ADD;
> + add_transaction_id(req, TRANSACTION);
> +
> + before = time(NULL);
> + json = audit_group_json(
> + module,
> + req,
> + "the-action",
> + "the-user-name",
> + "the-group-name",
> + LDB_ERR_OPERATIONS_ERROR);
> + assert_int_equal(3, json_object_size(json.root));
> +
> + v = json_object_get(json.root, "type");
> + assert_non_null(v);
> + assert_string_equal("groupChange", json_string_value(v));
> +
> + v = json_object_get(json.root, "timestamp");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + check_timestamp(before, json_string_value(v));
> +
> + audit = json_object_get(json.root, "groupChange");
> + assert_non_null(audit);
> + assert_true(json_is_object(audit));
> + assert_int_equal(10, json_object_size(audit));
> +
> + o = json_object_get(audit, "version");
> + assert_non_null(o);
> + check_version(o, AUDIT_MAJOR, AUDIT_MINOR);
> +
> + v = json_object_get(audit, "statusCode");
> + assert_non_null(v);
> + assert_true(json_is_integer(v));
> + assert_int_equal(LDB_ERR_OPERATIONS_ERROR, json_integer_value(v));
> +
> + v = json_object_get(audit, "status");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("Operations error", json_string_value(v));
> +
> + v = json_object_get(audit, "user");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("the-user-name", json_string_value(v));
> +
> + v = json_object_get(audit, "group");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("the-group-name", json_string_value(v));
> +
> + v = json_object_get(audit, "action");
> + assert_non_null(v);
> + assert_true(json_is_string(v));
> + assert_string_equal("the-action", json_string_value(v));
> +
> + json_free(&json);
> + TALLOC_FREE(ctx);
> +
> +}
> +
> +static void test_place_holder(void **state)
> +{
> + audit_log_json_init();
> + audit_log_hr_init();
> + audit_message_send_init();
> +}
> +#endif /* #ifdef HAVE_JANSSON */
> +
> +/*
> + * Note: to run under valgrind us:
> + * valgrind --suppressions=test_group_audit.valgrind bin/test_group_audit
> + * This suppresses the errors generated because the ldb_modules are not
> + * de-registered.
> + *
> + */
> +int main(void) {
> + const struct CMUnitTest tests[] = {
> +#ifdef HAVE_JANSSON
> + cmocka_unit_test(test_audit_group_json),
> + cmocka_unit_test(test_place_holder),
> +#endif
> + cmocka_unit_test(test_get_transaction_id),
> + cmocka_unit_test(test_audit_group_hr),
> + cmocka_unit_test(test_get_parsed_dns),
> + cmocka_unit_test(test_dn_compare),
> + cmocka_unit_test(test_get_primary_group_dn),
> +
> + };
> +
> + cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
> + return cmocka_run_group_tests(tests, NULL, NULL);
> +}
> diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.valgrind b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.valgrind
> new file mode 100644
> index 0000000..1cf2b4e
> --- /dev/null
> +++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.valgrind
> @@ -0,0 +1,19 @@
> +{
> + ldb_modules_load modules not are freed
> + Memcheck:Leak
> + match-leak-kinds: possible
> + fun:malloc
> + fun:__talloc_with_prefix
> + fun:__talloc
> + fun:_talloc_named_const
> + fun:talloc_named_const
> + fun:ldb_register_module
> + fun:ldb_init_module
> + fun:ldb_modules_load_path
> + fun:ldb_modules_load_dir
> + fun:ldb_modules_load_path
> + fun:ldb_modules_load
> + fun:ldb_init
> +}
> +
> +
> diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build b/source4/dsdb/samdb/ldb_modules/wscript_build
> index da21e96..93c3563 100644
> --- a/source4/dsdb/samdb/ldb_modules/wscript_build
> +++ b/source4/dsdb/samdb/ldb_modules/wscript_build
> @@ -64,6 +64,18 @@ bld.SAMBA_BINARY('test_audit_log',
> DSDB_MODULE_HELPERS
> ''',
> install=False)
> +bld.SAMBA_BINARY('test_group_audit',
> + source='tests/test_group_audit.c',
> + deps='''
> + talloc
> + samba-util
> + samdb-common
> + samdb
> + cmocka
> + audit_logging
> + DSDB_MODULE_HELPERS
> + ''',
> + install=False)
>
> if bld.AD_DC_BUILD_IS_ENABLED():
> bld.PROCESS_SEPARATE_RULE("server")
> diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build_server b/source4/dsdb/samdb/ldb_modules/wscript_build_server
> index 6c821fb..e5c5032 100644
> --- a/source4/dsdb/samdb/ldb_modules/wscript_build_server
> +++ b/source4/dsdb/samdb/ldb_modules/wscript_build_server
> @@ -441,3 +441,19 @@ bld.SAMBA_MODULE('ldb_audit_log',
> samdb
> '''
> )
> +
> +bld.SAMBA_MODULE('ldb_group_audit_log',
> + source='group_audit.c',
> + subsystem='ldb',
> + init_function='ldb_group_audit_log_module_init',
> + module_init_name='ldb_init_module',
> + internal_module=False,
> + deps='''
> + audit_logging
> + talloc
> + samba-util
> + samdb-common
> + DSDB_MODULE_HELPERS
> + samdb
> + '''
> + )
> diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
> index c317975..c7f4105 100755
> --- a/source4/selftest/tests.py
> +++ b/source4/selftest/tests.py
> @@ -693,6 +693,10 @@ if have_heimdal_support:
> extra_args=['-U"$USERNAME%$PASSWORD"'],
> environ={'CLIENT_IP': '127.0.0.11',
> 'SOCKET_WRAPPER_DEFAULT_IFACE': 11})
> + planoldpythontestsuite("ad_dc:local", "samba.tests.group_audit",
> + extra_args=['-U"$USERNAME%$PASSWORD"'],
> + environ={'CLIENT_IP': '127.0.0.11',
> + 'SOCKET_WRAPPER_DEFAULT_IFACE': 11})
>
> planoldpythontestsuite("fl2008r2dc:local",
> "samba.tests.getdcname",
> --
> 2.7.4
>
More information about the samba-technical
mailing list