From e27ab158f85fe36db3a9c5620976f38e9ee8a8f4 Mon Sep 17 00:00:00 2001
From: Bryan McCoid
Date: Mon, 29 Jan 2024 12:05:28 -0800
Subject: [PATCH] MB-60429: audit properly convert unknown domains

There was an error introduced recently when we began accepting "unknown" as a valid domain to filter user audit logs which would accept unknown + any characters after, but would get saved as just "unknown". This isn't the end of the world but it is confusing so this patch aims to address this by more carefully converting the entered domain into "unknown" while still properly handling incorrect/invalid domains.

Change-Id: Ia5f14fc426643a5917d81c4dea8096e69914e4e3
Reviewed-on: https://review.couchbase.org/c/ns_server/+/204618
Well-Formed: Restriction Checker
Tested-by: Build Bot
Tested-by: Bryan McCoid
Reviewed-by: Hareen Kancharla
---
 src/menelaus_web_audit.erl | 15 ++++++++++++++-
 src/menelaus_web_rbac.erl | 1 -
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/menelaus_web_audit.erl b/src/menelaus_web_audit.erl
index a0879ea011..3ab4c883e3 100644
--- a/src/menelaus_web_audit.erl
+++ b/src/menelaus_web_audit.erl
@@ -86,6 +86,8 @@ audit_user_exists({_, ExtOrUnknown}) when ExtOrUnknown =:= external
 %% since external users might not exist in CB users database and still be
 %% able to perform auditable actions
 true;
+audit_user_exists({_, bad_domain}) ->
+ false;
 audit_user_exists(Identity) ->
 SpecIds = [{N, local} || N <- memcached_permissions:spec_users()],
 menelaus_users:user_exists(Identity) orelse lists:member(Identity, SpecIds).
@@ -210,7 +212,7 @@ validate_users(Name, State) ->
 UsersFound =
 lists:map(
 fun ({U, [N, S]}) ->
- Identity = {N, menelaus_web_rbac:domain_to_atom(S)},
+ Identity = {N, domain_to_atom(S)},
 case audit_user_exists(Identity) of
 true ->
 Identity;
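Review bot: The new `audit_user_exists({_, bad_domain})` clause carries no comment saying where `bad_domain` comes from, unlike the external/unknown clause directly above it, which explains itself. `bad_domain` is not a real domain but the marker the new `domain_to_atom/1` returns for an unrecognised string, and a reader of this clause alone cannot tell that. I would add `%% bad_domain is what domain_to_atom/1 returns for an unrecognised domain; such an identity never exists` above the clause. The clause also has to stay ahead of the catch-all `audit_user_exists(Identity)` clause, so that `menelaus_users:user_exists/1` is never called with the marker in the domain position.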
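Review bot: After this change there are two functions named `domain_to_atom/1` that may treat unrecognised input differently: the module-local one now called in `validate_users`, and the one left in `menelaus_web_rbac`, where the diffstat shows only the export line removed. The body of the `menelaus_web_rbac` function is not in this patch, so whether it still accepts "unknown" followed by extra characters cannot be seen from here; its remaining callers inside that module are worth checking for the same lenient conversion. The patch touches only the two source files, so a regression test that submits a domain such as `unknownx` (constructed example) and expects a validation error would pin the fix. The fun enclosing this call starts and ends outside the hunk.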
@@ -229,6 +231,17 @@ validate_users(Name, State) ->
 end
 end, Name, State).
 
+known_domains() ->
+ ["local", "external", "unknown"].
+
+domain_to_atom(Domain) ->
+ case lists:member(Domain, known_domains()) of
+ true ->
+ list_to_atom(Domain);
+ false ->
+ bad_domain
+ end.
+
 validators(Config) ->
 Descriptors = orddict:from_list(ns_audit_cfg:get_descriptors(Config)),
 [validator:has_params(_),
diff --git a/src/menelaus_web_rbac.erl b/src/menelaus_web_rbac.erl
index ce0487c884..9c41a1668c 100644
--- a/src/menelaus_web_rbac.erl
+++ b/src/menelaus_web_rbac.erl
@@ -44,7 +44,6 @@
 handle_get_password_policy/1,
 handle_post_password_policy/1,
 assert_no_users_upgrade/0,
- domain_to_atom/1,
 handle_put_group/2,
 handle_delete_group/2,
 handle_get_groups/2,
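Review bot: `list_to_atom(Domain)` in the new `domain_to_atom/1` (src/menelaus_web_audit.erl) converts the user-entered domain string, and it is safe only because the `lists:member/2` check against the fixed `known_domains()` list runs first; nothing in the code says so. Atoms are never garbage-collected, so if `known_domains()` stops being a literal list or the check is lost in a refactor, this call becomes an atom-table exhaustion path. I would add `%% list_to_atom/1 is safe here: Domain was just matched against the fixed known_domains() list` above the call and `-spec domain_to_atom(string()) -> local | external | unknown | bad_domain.` above the function. Matching the three literals in function heads, with a final `domain_to_atom(_) -> bad_domain.` clause, would remove the conversion call altogether.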