Commit 4be73a46 authored by Daniel Salzman's avatar Daniel Salzman

conf: add key and acl semantic checks

parent 77c9bbc2
......@@ -374,7 +374,8 @@ match one of them. Empty value means that TSIG key is not required.
\fIDefault:\fP not set
.SS action
.sp
An ordered list of allowed actions.
An ordered list of allowed actions. Empty action list is only allowed if
\fI\%deny\fP is set.
.sp
Possible values:
.INDENT 0.0
......
......@@ -421,7 +421,8 @@ match one of them. Empty value means that TSIG key is not required.
action
------
An ordered list of allowed actions.
An ordered list of allowed actions. Empty action list is only allowed if
:ref:`deny<acl_deny>` is set.
Possible values:
......
......@@ -181,8 +181,8 @@ static const yp_item_t desc_log[] = {
const yp_item_t conf_scheme[] = {
{ C_SRV, YP_TGRP, YP_VGRP = { desc_server } },
{ C_LOG, YP_TGRP, YP_VGRP = { desc_log }, YP_FMULTI },
{ C_KEY, YP_TGRP, YP_VGRP = { desc_key }, YP_FMULTI },
{ C_ACL, YP_TGRP, YP_VGRP = { desc_acl }, YP_FMULTI },
{ C_KEY, YP_TGRP, YP_VGRP = { desc_key }, YP_FMULTI, { check_key } },
{ C_ACL, YP_TGRP, YP_VGRP = { desc_acl }, YP_FMULTI, { check_acl } },
{ C_CTL, YP_TGRP, YP_VGRP = { desc_control } },
{ C_RMT, YP_TGRP, YP_VGRP = { desc_remote }, YP_FMULTI, { check_remote } },
/* MODULES */
......
......@@ -328,6 +328,50 @@ int check_modref(
return ret;
}
int check_key(
conf_check_t *args)
{
conf_val_t alg = conf_rawid_get_txn(args->conf, args->txn, C_KEY,
C_ALG, args->id, args->id_len);
if (conf_val_count(&alg) == 0) {
args->err_str = "no key algorithm defined";
return KNOT_EINVAL;
}
conf_val_t secret = conf_rawid_get_txn(args->conf, args->txn, C_KEY,
C_SECRET, args->id, args->id_len);
if (conf_val_count(&secret) == 0) {
args->err_str = "no key secret defined";
return KNOT_EINVAL;
}
return KNOT_EOK;
}
int check_acl(
conf_check_t *args)
{
conf_val_t addr = conf_rawid_get_txn(args->conf, args->txn, C_ACL,
C_ADDR, args->id, args->id_len);
conf_val_t key = conf_rawid_get_txn(args->conf, args->txn, C_ACL,
C_KEY, args->id, args->id_len);
if (conf_val_count(&addr) == 0 && conf_val_count(&key) == 0) {
args->err_str = "both ACL address and ACL key not defined";
return KNOT_EINVAL;
}
conf_val_t action = conf_rawid_get_txn(args->conf, args->txn, C_ACL,
C_ACTION, args->id, args->id_len);
conf_val_t deny = conf_rawid_get_txn(args->conf, args->txn, C_ACL,
C_DENY, args->id, args->id_len);
if (conf_val_count(&action) == 0 && conf_val_count(&deny) == 0) {
args->err_str = "no ACL action defined";
return KNOT_EINVAL;
}
return KNOT_EOK;
}
int check_remote(
conf_check_t *args)
{
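Review bot: check_acl accepts an empty action list whenever the `deny` item is merely present (`conf_val_count(&deny) == 0`), so an entry with no actions and an explicit `deny: off` passes validation, and the acl_allowed change in this same commit then refuses every client that matches such an entry — the opposite of what `deny: off` reads as. Reading the boolean value of `deny` (via whatever bool accessor the config API provides) instead of counting the item, and rewording the message to `"no ACL action defined (empty action list requires deny: on)"`, would close that gap. check_key likewise only confirms that the algorithm and secret items exist; if the schema's secret parser does not already reject an empty or undecodable value at load time, a length check here is the natural place for it. The message on the address/key branch reads better as `"neither ACL address nor ACL key defined"`. check_remote starts at the end of this hunk and continues outside it.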
......
......@@ -81,6 +81,14 @@ int check_modref(
conf_check_t *args
);
int check_key(
conf_check_t *args
);
int check_acl(
conf_check_t *args
);
int check_remote(
conf_check_t *args
);
......
......@@ -182,8 +182,12 @@ bool acl_allowed(conf_val_t *acl, acl_action_t action,
break;
}
/* Check for action match. */
if (val.code != KNOT_EOK) {
switch (val.code) {
case KNOT_EOK: /* Check for action match. */
break;
case KNOT_ENOENT: /* Empty action list allowed with deny only. */
return false;
default: /* No match. */
goto next_acl;
}
}
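Review bot: The `KNOT_ENOENT` arm returns false without looking at the entry's deny flag, so the denial rests on check_acl having refused action-less entries that lack `deny`; a comment stating that dependency would help a later reader, e.g. `/* No action list: check_acl only admits this with deny set, so refuse outright. */`. Returning here also ends the ACL walk, so an action-less deny entry placed before an allow entry for the same address wins — presumably intended for an ordered ACL list, but worth a sentence in the documentation. The `default:` arm maps every other error code, not only a lookup miss, to "no match" and moves on; that fails closed, which is fine, but `/* No match. */` could say `/* No match or lookup error: try the next ACL. */`. acl_allowed begins and ends outside this hunk.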
......
......@@ -236,6 +236,9 @@ static void test_acl_allowed(void)
" address: [ 240.0.0.2 ]\n"
" action: [ notify ]\n"
" deny: on\n"
" - id: acl_no_action_deny\n"
" address: [ 240.0.0.3 ]\n"
" deny: on\n"
" - id: acl_multi_addr\n"
" address: [ 192.168.1.1, 240.0.0.0/24 ]\n"
" action: [ notify, update ]\n"
......@@ -248,8 +251,9 @@ static void test_acl_allowed(void)
"\n"
"zone:\n"
" - domain: "ZONE"\n"
" acl: [ acl_key_addr, acl_deny, acl_multi_addr, acl_multi_key]\n"
" acl: [ acl_range_addr]";
" acl: [ acl_key_addr, acl_deny, acl_no_action_deny ]\n"
" acl: [ acl_multi_addr, acl_multi_key ]\n"
" acl: [ acl_range_addr ]";
ret = test_conf(conf_str, NULL);
ok(ret == KNOT_EOK, "Prepare configuration");
......@@ -314,6 +318,12 @@ static void test_acl_allowed(void)
ret = acl_allowed(&acl, ACL_ACTION_UPDATE, &addr, &key0);
ok(ret == true, "Denied address match, no key, action not match");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET, "240.0.0.3", 0);
ret = acl_allowed(&acl, ACL_ACTION_UPDATE, &addr, &key0);
ok(ret == false, "Denied address match, no key, no action");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET, "1.1.1.1", 0);
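Review bot: The new check_key and check_acl semantic checks have no negative test in the hunks shown — every new assertion exercises a configuration that is expected to load. A case where `test_conf` is given an ACL with neither `action` nor `deny`, and one with neither `address` nor `key`, asserting a non-`KNOT_EOK` result, would pin the new validation; a key with no `secret` would cover check_key the same way. The added `acl_no_action_deny` case also only covers the matching address; a companion assertion that a non-matching address is not refused by that entry would confirm the `KNOT_ENOENT` return happens after the address check rather than before it.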
......