From 97b03eb5f744239aae25d57361d18e1a76e5eca7 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Dec 18 2019 09:12:49 +0000 Subject: Ticket 50789: Add err-log for filter verification warning Bug Description: A filter component containing unknown attribute will (1.4.3) match no entry. It can return a truncated set of matching entries. This is notify in access logs (notes=F) but not in error logs. To help admin to detect these problematic filters it need to be log in error logs as well Fix Description: add a log when schema checking leads to note=F (FILTER_SCHEMA_WARNING) https://pagure.io/389-ds-base/issue/50789 Reviewed by: ? Platforms tested: F30 Flag Day: no Doc impact: no
---
diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
index 6cdb276..efaf164 100644
--- a/ldap/servers/slapd/search.c
+++ b/ldap/servers/slapd/search.c
@@ -35,7 +35,7 @@ static void log_search_access(Slapi_PBlock *pb, const char *base, int scope, con
 void
 do_search(Slapi_PBlock *pb)
 {
- Slapi_Operation *operation;
+ Slapi_Operation *operation = NULL;
 BerElement *ber;
 int i, err = 0, attrsonly;
 ber_int_t scope, deref, sizelimit, timelimit;
@@ -220,6 +220,34 @@ do_search(Slapi_PBlock *pb)
 send_ldap_result(pb, err, NULL, errtxt, 0, NULL);
 goto free_and_return;
 }
+ if (r == FILTER_SCHEMA_WARNING) {
+ /* A notes=F will be logged in access log
+ * Anyway make it noisy with a log in error log
+ * as the behavior will change in upcoming release =>
+ * it needs to be fixed
+ */
+ if (config_get_verify_filter_schema() == FILTER_POLICY_WARNING) {
+ /* A component with unknown attribute was possibly processed
+ * with an unindexed scan
+ */
+ slapi_log_err(SLAPI_LOG_WARNING, "do_search",
+ "Search filter \"%s\" contains unknown attribute. Possible performance impact (conn=%d op=%d).\n",
+ fstr ? fstr : "NULL",
+ operation ? operation->o_connid : "unknown",
+ operation ? operation->o_opid : "unknown");
+ } else if (config_get_verify_filter_schema() == FILTER_POLICY_PROTECT) {
+ /* A component with unknown attribute was translated in
+ * a idl=0 (no entry matching). It protects the server against
+ * unindexed scan but the return result may ignore some
+ * matching entries
+ */
+ slapi_log_err(SLAPI_LOG_WARNING, "do_search",
+ "Search filter \"%s\" contains unknown attribute. Possible invalid result set (conn=%d op=%d).\n",
+ fstr ? fstr : "NULL",
+ operation ? operation->o_connid : "unknown",
+ operation ? operation->o_opid : "unknown");
+ }
+ }

 /* attributes */
 attrs = NULL;
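Review bot: In both added slapi_log_err() calls the conn and op arguments are conditionals such as `operation ? operation->o_connid : "unknown"`, which mix an integer arm with a string literal and pass the result to `%d`; that is a pointer/integer mismatch in the conditional and undefined behaviour in the variadic call whenever the string arm is taken. Use an integer sentinel instead, for example `operation ? operation->o_opid : -1`, and check the declared type of `o_connid`: if it is wider than int, `%d` is wrong even on the non-NULL path and needs the matching fixed-width specifier. The text in `fstr` derives from the client's search request, so every search with an unknown attribute now writes a warning line to the error log; consider rate-limiting it or logging once per connection, and confirm that `fstr` cannot carry raw newlines or control characters into the log. do_search's body starts and ends outside the hunk, so whether `operation` has been fetched from the pblock before this point cannot be confirmed from the diff.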