MB-32840, MB-32685: Merge vulcan->alice

* couchbase/vulcan:
  MB-32840: Prevent crash when rotating empty audit log
  MB-32685: Delay updating RBAC db revision number
  MB-32661: [BP] Fix expiration decoding with docflags included

Change-Id: I9c33b179adccd81bdcc6168cab536adc1582fccd

Author: trondn

auditd/src/auditfile.h

@@ -53,7 +53,7 @@ class AuditFile {
                 // closing and then re-opening we can just keep open and
                 // update the open_time.
                 open_time = auditd_time();
-                return true;
+                return false;
             }
             close_and_rotate_log();
             return true;

auditd/tests/auditfile_test.cc

@@ -82,6 +82,28 @@ TEST_F(AuditFileTest, TestFileCreation) {
     EXPECT_EQ(1, files.size());
 }
 
+/**
+ * Test that an empty file is properly rotated using ensure_open()
+ * Seen issues in the past such as MB-32232
+ */
+TEST_F(AuditFileTest, TestRotateEmptyFile) {
+    AuditConfig defaultvalue;
+    config.set_rotate_interval(defaultvalue.get_min_file_rotation_time());
+    config.set_rotate_size(1024*1024);
+
+    AuditFile auditfile;
+    auditfile.reconfigure(config);
+
+    auditfile.ensure_open();
+    cb_timeofday_timetravel(defaultvalue.get_min_file_rotation_time() + 1);
+    auditfile.ensure_open();
+
+    auditfile.close();
+
+    auto files = findFilesWithPrefix(testdir + "/testing");
+    EXPECT_EQ(0, files.size());
+}
+
 /**
  * Test that we can create a file, and as time flies by we rotate
  * to use the next file

rbac/privilege_database.cc

@@ -34,7 +34,12 @@ namespace rbac {
 // Every time we create a new PrivilegeDatabase we bump the generation.
 // The PrivilegeContext contains the generation number it was generated
 // from so that we can easily detect if the PrivilegeContext is stale.
-static std::atomic<uint32_t> generation{0};
+// The current_generation contains the version number of the PrivilegeDatabase
+// currently in use, and create_generation is the counter being used
+// to work around race conditions where multiple threads is trying to
+// create and update the RBAC database (last one wins)
+static std::atomic<uint32_t> current_generation{0};
+static std::atomic<uint32_t> create_generation{0};
 
 // The read write lock needed when you want to build a context
 cb::RWLock rwlock;
@@ -128,7 +133,7 @@ PrivilegeMask UserEntry::parsePrivileges(const cJSON* priv, bool buckets) {
 }
 
 PrivilegeDatabase::PrivilegeDatabase(const cJSON* json)
-    : generation(cb::rbac::generation.operator++()) {
+    : generation(cb::rbac::create_generation.operator++()) {
 
     if (json != nullptr) {
         for (auto it = json->child; it != nullptr; it = it->next) {
@@ -172,7 +177,7 @@ std::pair<PrivilegeContext, bool> PrivilegeDatabase::createInitialContext(
 }
 
 PrivilegeAccess PrivilegeContext::check(Privilege privilege) const {
-    if (generation != cb::rbac::generation) {
+    if (generation != cb::rbac::current_generation) {
         return PrivilegeAccess::Stale;
     }
 
@@ -275,6 +280,7 @@ void loadPrivilegeDatabase(const std::string& filename) {
     // Handle race conditions
     if (db->generation < database->generation) {
         db.swap(database);
+        current_generation = db->generation;
     }
 }