Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[3.2.0 Backport] CBG-4118: Add type checking to mandatory audit field… #7054

Merged
merged 1 commit into from
Aug 9, 2024
Merged

[3.2.0 Backport] CBG-4118: Add type checking to mandatory audit field… #7054

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 12 additions & 16 deletions rest/admin_api.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -914,25 +914,21 @@ func mutateConfigFromDbAuditConfigBody(isReplace bool, existingAuditConfig *DbAu
// initialize to non-nil set of defaults before modifying from request
existingAuditConfig.EnabledEvents = &base.DefaultDbAuditEventIDs
}
if existingAuditConfig.EnabledEvents != nil {
for i, event := range *existingAuditConfig.EnabledEvents {
if shouldEnable, ok := eventsToChange[base.AuditID(event)]; ok {
if shouldEnable {
// already enabled
} else {
// disable by removing
*existingAuditConfig.EnabledEvents = append((*existingAuditConfig.EnabledEvents)[:i], (*existingAuditConfig.EnabledEvents)[i+1:]...)
}
// drop from toChange so we don't duplicate IDs
delete(eventsToChange, base.AuditID(event))
}
// build EnabledEvents back up in temp based on request - avoids mutating slice in-place during iteration
// slice[:0] reuses underlying array to avoid alloc of a new slice
newEnabledEvents := (*existingAuditConfig.EnabledEvents)[:0]
for _, event := range *existingAuditConfig.EnabledEvents {
if _, ok := eventsToChange[base.AuditID(event)]; !ok {
// existing enabled event and not in request - don't change
newEnabledEvents = append(newEnabledEvents, event)
}
for id, enabled := range eventsToChange {
if enabled {
*existingAuditConfig.EnabledEvents = append(*existingAuditConfig.EnabledEvents, uint(id))
}
}
for id, enabled := range eventsToChange {
if enabled {
newEnabledEvents = append(newEnabledEvents, uint(id))
}
}
*existingAuditConfig.EnabledEvents = newEnabledEvents
}
}
}
Expand Down
24 changes: 19 additions & 5 deletions rest/adminapitest/admin_api_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4294,19 +4294,33 @@ func TestDatabaseConfigAuditAPI(t *testing.T) {
responseBody = nil
require.NoError(t, json.Unmarshal(resp.Body.Bytes(), &responseBody))
assert.Equal(t, true, responseBody["enabled"].(bool))
assert.False(t, responseBody["events"].(map[string]interface{})[base.AuditIDISGRStatus.String()].(bool), "audit enabled event should be disabled by default")
assert.True(t, responseBody["events"].(map[string]interface{})[base.AuditIDPublicUserAuthenticated.String()].(bool), "public user authenticated event should be enabled by default")
eventsMap, ok := responseBody["events"].(map[string]interface{})
require.True(t, ok)
assert.False(t, eventsMap[base.AuditIDISGRStatus.String()].(bool), "audit enabled event should be disabled by default")
assert.True(t, eventsMap[base.AuditIDPublicUserAuthenticated.String()].(bool), "public user authenticated event should be enabled by default")

// use event IDs returned from GET response to disable all of them
for id := range eventsMap {
eventsMap[id] = false
}
eventsJSON, err := json.Marshal(eventsMap)
require.NoError(t, err)

// CBG-4111: Try to disable events on top of the default (nil) set... either PUT or POST where *all* of the given IDs are set to false. Bug results in a no-op.
resp = rt.SendAdminRequest(http.MethodPost, "/db/_config/audit", fmt.Sprintf(`{"enabled":true,"events":{"%s":false}}`, base.AuditIDPublicUserAuthenticated))
// CBG-4157: Ensure ALL specified events were actually disabled. Bug results in some events remaining 'true', and sometimes panicking by going out-of-bounds in a slice.
resp = rt.SendAdminRequest(http.MethodPost, "/db/_config/audit", fmt.Sprintf(`{"enabled":true,"events":%s}`, eventsJSON))
rest.RequireStatus(t, resp, http.StatusOK)
// check event we just tried to disable
// check all events were actually disabled
resp = rt.SendAdminRequest(http.MethodGet, "/db/_config/audit", "")
rest.RequireStatus(t, resp, http.StatusOK)
resp.DumpBody()
responseBody = nil
require.NoError(t, json.Unmarshal(resp.Body.Bytes(), &responseBody))
assert.False(t, responseBody["events"].(map[string]interface{})[base.AuditIDPublicUserAuthenticated.String()].(bool), "public user authenticated event should be disabled")
eventsMap, ok = responseBody["events"].(map[string]interface{})
require.True(t, ok)
for id, val := range eventsMap {
assert.False(t, val.(bool), "event %s should be disabled", id)
}

// do a PUT to completely replace the full config (events not declared here will be disabled)
// enable AuditEnabled event, but implicitly others
Expand Down
Loading