From 9f42d40170b6cd704d67115a3ec9eb367f637cea Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)"
Date: Mon, 17 Jun 2013 14:42:34 +0200
Subject: [PATCH] Ticket 47393 - Attribute are not encrypted on a consumer after a full initialization

Bug Description: During online initialization of a replica encrypted attributes are not encrypted by the import. This is because the import job flag job->encrypt is not set.
Fix Description: The fix consist to add the config backend attribute "nsslapd-online-import-encrypt" that is by default set to "on". During online 'ldbm_back_wire_import' the config attribute is set into the pblock and set into the job->encrypt
https://bugzilla.redhat.com/show_bug.cgi?id=893178
Reviewed by: ?
Platforms tested: fedora 17
Flag Day: no
Doc impact: no
---
 ldap/servers/slapd/back-ldbm/back-ldbm.h | 1 +
 ldap/servers/slapd/back-ldbm/import-threads.c | 2 ++
 ldap/servers/slapd/back-ldbm/ldbm_config.c | 21 +++++++++++++++++++++
 ldap/servers/slapd/back-ldbm/ldbm_config.h | 1 +
 4 files changed, 25 insertions(+)

diff --git a/ldap/servers/slapd/back-ldbm/back-ldbm.h b/ldap/servers/slapd/back-ldbm/back-ldbm.h
index 4645561..19c64ac 100644
--- a/ldap/servers/slapd/back-ldbm/back-ldbm.h
+++ b/ldap/servers/slapd/back-ldbm/back-ldbm.h
@@ -654,6 +654,7 @@ struct ldbminfo {
 int li_reslimit_rangelookthrough_handle;
 int li_idl_update;
 int li_old_idl_maxids;
+ int li_online_import_encrypt; /* toggle attribute encryption during ldbm_back_wire_import */
 #define BACKEND_OPT_NO_RUV_UPDATE 0x01
 #define BACKEND_OPT_DBLOCK_INSIDE_TXN 0x02
 #define BACKEND_OPT_MANAGE_ENTRY_BEFORE_DBLOCK 0x04
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index d9ab51f..5cb5663 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -3080,6 +3080,7 @@ static int bulk_import_start(Slapi_PBlock *pb)
 }
 slapi_pblock_get(pb, SLAPI_BACKEND, &be);
+ slapi_pblock_get(pb, SLAPI_LDIF2DB_ENCRYPT, &job->encrypt);
 PR_ASSERT(be != NULL);
 li = (struct ldbminfo *)(be->be_database->plg_private);
 job->inst = (ldbm_instance *)be->be_instance_info;
@@ -3411,6 +3412,7 @@ int ldbm_back_wire_import(Slapi_PBlock *pb)
 PR_ASSERT(be != NULL);
 li = (struct ldbminfo *)(be->be_database->plg_private);
 slapi_pblock_get(pb, SLAPI_BULK_IMPORT_STATE, &state);
+ slapi_pblock_set(pb, SLAPI_LDIF2DB_ENCRYPT, &li->li_online_import_encrypt);
 if (state == SLAPI_BI_STATE_START) { /* starting a new import */
 int rc = bulk_import_start(pb);
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c
index ae2e8fc..a10f0c7 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
@@ -913,6 +913,26 @@ static int ldbm_config_db_private_mem_set(void *arg, void *value, char *errorbuf
 return retval;
 }
+static void *ldbm_config_db_online_import_encrypt_get(void *arg)
+{
+ struct ldbminfo *li = (struct ldbminfo *) arg;
+
+ return (void *) ((uintptr_t)li->li_online_import_encrypt);
+}
+
+static int ldbm_config_db_online_import_encrypt_set(void *arg, void *value, char *errorbuf, int phase, int apply)
+{
+ struct ldbminfo *li = (struct ldbminfo *) arg;
+ int retval = LDAP_SUCCESS;
+ int val = (int) ((uintptr_t)value);
+
+ if (apply) {
+ li->li_online_import_encrypt = val;
+ }
+
+ return retval;
+}
+
 static void *ldbm_config_db_private_import_mem_get(void *arg)
 {
 struct ldbminfo *li = (struct ldbminfo *) arg;
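Review bot: `job->encrypt` is filled through a pblock round trip: `ldbm_back_wire_import` stores `&li->li_online_import_encrypt` under `SLAPI_LDIF2DB_ENCRYPT` and `bulk_import_start` reads it back, although `bulk_import_start` derives the same `li` two lines below the added call. Assigning it directly after that line, `job->encrypt = li->li_online_import_encrypt;`, would make the added `slapi_pblock_set` in the `ldbm_back_wire_import` hunk unnecessary and remove the dependency on the caller having populated the pblock first. If that set is ever skipped or reordered, the job would presumably run with whatever value the pblock already held, and encrypted attributes could again be stored in clear without any error. Both function bodies extend beyond the hunks shown.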
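Review bot: `ldbm_config_db_online_import_encrypt_set` accepts `off` silently, which puts a consumer back into the state this ticket fixes: attributes configured for encryption are written unencrypted during online initialization. Logging a warning when `apply` is set and `val` is 0 would make that choice visible in the error log. Neither new function has a header comment; the setter's could read `/* nsslapd-online-import-encrypt: when off, online (wire) import stores attributes configured for encryption in clear */`. `retval` never changes, so the function can simply end with `return LDAP_SUCCESS;`.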
@@ -1410,6 +1430,7 @@ static config_info ldbm_config[] = {
 {CONFIG_DB_LOCK, CONFIG_TYPE_INT, "10000", &ldbm_config_db_lock_get, &ldbm_config_db_lock_set, 0},
 {CONFIG_DB_PRIVATE_MEM, CONFIG_TYPE_ONOFF, "off", &ldbm_config_db_private_mem_get, &ldbm_config_db_private_mem_set, 0},
 {CONFIG_DB_PRIVATE_IMPORT_MEM, CONFIG_TYPE_ONOFF, "on", &ldbm_config_db_private_import_mem_get, &ldbm_config_db_private_import_mem_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
+ {CONDIF_DB_ONLINE_IMPORT_ENCRYPT, CONFIG_TYPE_ONOFF, "on", &ldbm_config_db_online_import_encrypt_get, &ldbm_config_db_online_import_encrypt_set, 0},
 {CONFIG_DB_SHM_KEY, CONFIG_TYPE_LONG, "389389", &ldbm_config_db_shm_key_get, &ldbm_config_db_shm_key_set, 0},
 {CONFIG_DB_CACHE, CONFIG_TYPE_INT, "0", &ldbm_config_db_cache_get, &ldbm_config_db_cache_set, 0},
 {CONFIG_DB_DEBUG_CHECKPOINTING, CONFIG_TYPE_ONOFF, "off", &ldbm_config_db_debug_checkpointing_get, &ldbm_config_db_debug_checkpointing_set, 0},
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.h b/ldap/servers/slapd/back-ldbm/ldbm_config.h
index af6b2d0..b0a7fab 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.h
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.h
@@ -139,6 +139,7 @@ struct config_info {
 #define CONFIG_DB_HOME_DIRECTORY "nsslapd-db-home-directory"
 #define CONFIG_DB_LOCKDOWN "nsslapd-db-lockdown"
 #define CONFIG_DB_TX_MAX "nsslapd-db-tx-max"
+#define CONDIF_DB_ONLINE_IMPORT_ENCRYPT "nsslapd-online-import-encrypt"
 #define CONFIG_IDL_SWITCH "nsslapd-idl-switch"
 #define CONFIG_IDL_UPDATE "nsslapd-idl-update"
--
1.7.11.7
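Review bot: `CONDIF_DB_ONLINE_IMPORT_ENCRYPT` in the new `ldbm_config[]` entry misspells the `CONFIG_` prefix used by every neighbouring entry, and it compiles only because the `#define` added in the ldbm_config.h hunk carries the same typo. Both should be renamed to `CONFIG_DB_ONLINE_IMPORT_ENCRYPT`. The entry's flags are `0`, whereas the `CONFIG_DB_PRIVATE_IMPORT_MEM` entry just above uses `CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE`. For a setting that decides whether attributes are encrypted at rest, `CONFIG_FLAG_ALWAYS_SHOW` would presumably keep its effective value visible in the config entry for audits; confirm against the flag's definition.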