Add comment and assert about key history to kadm5_log_replay_modify()
authorNicolas Williams <nico@cryptonector.com>
Tue, 19 Jul 2011 17:54:49 +0000 (12:54 -0500)
committerNicolas Williams <nico@cryptonector.com>
Fri, 22 Jul 2011 21:07:07 +0000 (16:07 -0500)
lib/kadm5/log.c

index 14e0f73a77cdacc93b97f08c4391bb9f404254bb..b70962f5ebc45a998d46933d3712dd8236f5943e 100644 (file)
@@ -699,7 +699,28 @@ kadm5_log_replay_modify (kadm5_server_context *context,
        size_t num;
        size_t i;
 
-       /* XXX Take care of key history!! */
+       /*
+        * We don't need to do anything about key history here because
+        * we always log KADM5_TL_DATA when we change keys/passwords, so
+        * the code below this will handle key history implicitly.
+        * However, if we had to, the code to handle key history here
+        * would look like this:
+        *
+        * HDB_extension *ext;
+        * ...
+        * ext = hdb_find_extension(&log_ent.entry,
+        *                          choice_HDB_extension_data_hist_keys);
+        * if (ext);
+        *    ret = hdb_replace_extension(context->context, &ent.entry, ext);
+        * else
+        *    ret = hdb_clear_extension(context->context, &ent.entry,
+        *                              choice_HDB_extension_data_hist_keys);
+        *
+        * Maybe we should do this here anyways, wasteful as it would
+        * be, as a defensive programming measure?  For now we stick an
+        * assert().
+        */
+       assert( (mask & KADM5_TL_DATA) );
 
        for (i = 0; i < ent.entry.keys.len; ++i)
            free_Key(&ent.entry.keys.val[i]);
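Review bot: The new `assert( (mask & KADM5_TL_DATA) )` is the wrong tool for a consistency check on data read back from the log: under NDEBUG it compiles to nothing, so the invariant the comment relies on ("we always log KADM5_TL_DATA when we change keys/passwords") goes unchecked in release builds, and in debug builds a log entry lacking the flag aborts the replaying process instead of being reported. A plain runtime check that returns an error would keep the guarantee in every build, along the lines of `if (!(mask & KADM5_TL_DATA)) return /* placeholder: the error code this file uses for a malformed log entry */;`, possibly with a krb5 error message naming the entry. The illustrative code in the comment also carries a stray semicolon, `if (ext);`, which would make the sample not compile (the `else` has no matching `if`) if anyone ever lifts it into real code; it should read `if (ext)`. The body of kadm5_log_replay_modify starts before this hunk and continues after it, so I cannot see what error-return convention the surrounding code uses.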