
Some data not encrypted in changelog after upgrade from encrypted topology

      Description

      Found with 7.0.0-M2020-10.5 and an automated test.
      To reproduce the issue, run the command below.

      You will need to download the tmp.cfg config and put it into the config folder (you may need to change the java paths and the hostname).

      python3 run-pybot.py -v -s replication_group3.upgrade -t Encrypted_Replication_Topology --cfg tmp.cfg dj

      The test uses a DSRS topology (6.5.3) and enables confidentiality. It then upgrades the servers one by one, and after each upgrade it verifies that replication works. Once both servers are upgraded it checks whether changelogDb is encrypted. Here it finds some user UIDs in the changelog, so it concludes that the changelog is not encrypted.
      An example of such a changelog:

      4\tcn=myself03\x04\tentryUUID1&\x04$14b2ad42-17f8-47f6-998d-
      427ffb11efab\x00\x00\x00\x00\xbb@\x00\x00\x01s\x89\xb2b\xa1\x80\x90\x01'cn=newuser1_encrypt1,o=create,ou=people\x01\x14\xb2\xadB\x1
      7\xf8G\xf6\x99\x8dB\x7f\xfb\x11\xef\xabt0$\n"b'\x01\x020\x1f\x04\x0bdescription1\x10\x04\x0enewdescription0!\n'b'\x01\x020\x1c\x04\
      rmodifiersName1\x0b\x04\tcn=myself0)\n'b"\x01\x020$\x04\x0fmodifyTimestamp1\x11\x04\x0f202007260557\x00\x00\x00\xbb16Z\x00\x00\x00\
      x00\xd0C\x00\x00\x01s\x89\xb2o\xef\x80\x9b\x01'cn=newuser1_encrypt1,o=create,ou=people\x01\x14\xb2\xadB\x17\xf8G\xf6\x99\x8dB\x7f\x
      fb\x11\xef\xab\x01\x15cn=newuser1_encrypt10\x00\x00\x00o0\x1f\n"b'\x01\x000\x1a\x04\x02cn1\x14\x04\x12newuser1_encrypt100!\n'b'\x01
      \x020\x1c\x04\rmodifiersName1\x0b\x04\tcn=myself0)\n'b"\x01\x020$\x04\x0fmodifyTimestamp1\x11\x04\x0f20200726055719Z\x00\x00\x00\x0
      0SB\x00\x00\x01s\x89\xb2{\xaa\x80\xa5\x01(cn=newuser1_encrypt\x00\x00\x00$10,o=create,ou=people\x01\x14\xb2\xadB\x17\xf8G\xf6\x99\x
      8dB\x7f\xfb\x11\xef\xab\x01\tcn=myself\x00\x00\x00\x00\x01FA\x00\x00\x01s\x89\xb3e\xa9\x81X\x01'cn=newuser2_encrypt1,o=create,ou=pe
      ople\x01\xe9CC\x832PAu\x8eD\xb7\x904\xf4\xee$\x01b\xd5X\xecB\x940\x9f\xa3=\x05\x91Y\xfb\xb0\x86\x80\xed0\x1c\x04\x0bobjectclass1\r\
      x04\x03top\x04\x06person0\x19\x04\x02cn1\x

      In the above example there is, for instance, the string newuser1_encrypt1.

      That is the user used to check that replication is working after the upgrade of the 1st server. There is also newuser2_encrypt1, which is the user used to check that replication is working after the upgrade of the 2nd server.


      Steps:

      1. configure DSRS-DSRS topology (version 6.5.3)
      2. enable confidentiality
      3. check replication is working (add, mod, del a user)
      4. check changelog is encrypted
      5. upgrade 1st server
      6. check replication is working (add, mod, del a user)
      7. upgrade 2nd server
      8. check replication is working (add, mod, del a user)
      9. check changelog is encrypted

      The last step fails because it finds the strings mentioned above in the changelog files.
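      The "check changelog is encrypted" step above (steps 4 and 9) amounts to scanning the changelogDb files for identifiers that were written in plaintext through the replication path. The script below is an added example of that check and is not the project's own test code (run-pybot.py is not shown on this page): it extracts printable runs from the raw bytes, the way the dump above was read, and reports which known marker strings (the test users, an assumption here) appear verbatim. The changelogDb path, the marker list and the sample bytes are all assumed or constructed for the example.

```python
"""Added example: detect plaintext identifiers in OpenDJ changelogDb files.

Not the project's test code. Assumes the caller knows which strings
(e.g. the DNs of the users added during the test) must never appear in
clear in an encrypted changelog.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Constructed sample, modelled on the fragment in the report: a plaintext
# DN embedded between binary fields. Not a real changelog file.
SAMPLE_LEAKING = (
    b"4\tcn=myself03\x04\tentryUUID1&\x04$14b2ad42-17f8-47f6-998d-427ffb11efab"
    b"\x00\x00\x00\x00\xbb@\x01'cn=newuser1_encrypt1,o=create,ou=people\x01\x14\xb2"
)
# Constructed sample with no marker in it (stands in for an encrypted file).
SAMPLE_OPAQUE = bytes(range(256)) * 2

# Runs of printable ASCII, like the `strings` tool; 6 is an arbitrary cut-off.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def printable_runs(data: bytes, min_len: int = 6) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes in data."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len) if min_len != 6 else _PRINTABLE_RUN
    return [m.group(0).decode("ascii") for m in pattern.finditer(data)]


def find_plaintext_markers(data: bytes, markers: list[str]) -> list[str]:
    """Return the markers that occur verbatim in data (order of markers kept)."""
    return [m for m in markers if m.encode("utf-8") in data]


def scan_changelog_dir(root: Path, markers: list[str]) -> dict[str, list[str]]:
    """Walk every file under root; map relative path -> markers found there.

    An empty dict means no marker leaked, i.e. the changelog looks encrypted
    with respect to the given markers.
    """
    hits: dict[str, list[str]] = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            found = find_plaintext_markers(path.read_bytes(), markers)
            if found:
                hits[str(path.relative_to(root))] = found
    return hits


def changelog_is_encrypted(root: Path, markers: list[str]) -> bool:
    """True when none of the markers appears in clear under root."""
    return not scan_changelog_dir(root, markers)


def demo_scan() -> dict[str, list[str]]:
    """Build a throwaway changelogDb directory from the samples and scan it.

    The directory name and file names are assumptions for the demo.
    """
    markers = ["newuser1_encrypt1", "newuser2_encrypt1"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "changelogDb"
        (root / "replica1").mkdir(parents=True)
        (root / "replica1" / "head.log").write_bytes(SAMPLE_LEAKING)
        (root / "replica1" / "tail.log").write_bytes(SAMPLE_OPAQUE)
        return scan_changelog_dir(root, markers)


if __name__ == "__main__":
    for run in printable_runs(SAMPLE_LEAKING):
        print("visible:", run)
    print("leaks:", demo_scan())
```

      Against a real deployment you would point scan_changelog_dir at the server's changelogDb directory and pass the DNs or UIDs of the users your test created; printable_runs is useful on a file that fails, to see exactly which fields were written in clear.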

            People
            • Assignee:
              ondrej.fuchsik Ondrej Fuchsik
              Reporter:
              ondrej.fuchsik Ondrej Fuchsik
              Dev Assignee:
              Fabio Pistolesi