Auditlog are not signature the field resolver

maraun · March 4, 2018, 2:21pm

Hello,
why are the version v2.22dev5 (file lib/auditmodules/sqlaudit.py) ignore the field “resolver” in the signature?

Regards.

cornelinux · March 5, 2018, 2:52pm

It is because the resolver is not added in the string, that is signed. This was probably simply forgotton. Or maybe done for a good reason a few years ago - which however I doubt.

The serialization function log_to_string? does not contain the resolver:

github.com

privacyidea/privacyidea/blob/master/privacyidea/lib/auditmodules/sqlaudit.py#L309


@staticmethod
def _log_to_string(le):
    """
    This function creates a string from the logentry so
    that this string can be signed.
    
    Note: Not all elements of the LogEntry are used to generate the
    string (the Signature is not!), otherwise we could have used pickle
    """
    s = "id=%s,date=%s,action=%s,succ=%s,serial=%s,t=%s,u=%s,r=%s,adm=%s,"\
        "ad=%s,i=%s,ps=%s,c=%s,l=%s,cl=%s" % (le.id,
                                              le.date,
                                              le.action,
                                              le.success,
                                              le.serial,
                                              le.token_type,
                                              le.user,
                                              le.realm,
                                              le.administrator,
                                              le.action_detail,
                                              le.info,

I think I open an issue for that - althoug I am currently not sure, how I would resolve this.

maraun · March 5, 2018, 6:23pm

Maybye a new db field with a version what fields are included.
Newer auditlog includes the resolver and the version:

create list with old style
if (version == 1 ) { append resolver and version to the list }
signature(list)

Or the signature get a “salt” that includes the fieldnames or the version