Commit 9be35910 authored by Daniel Salzman's avatar Daniel Salzman

server: log no ACL match

parent e91cc5f2
......@@ -48,7 +48,7 @@ static const lookup_table_t key_algs[] = {
{ 0, NULL }
};
static const lookup_table_t acl_actions[] = {
const lookup_table_t acl_actions[] = {
{ ACL_ACTION_NOTIFY, "notify" },
{ ACL_ACTION_TRANSFER, "transfer" },
{ ACL_ACTION_UPDATE, "update" },
......
......@@ -89,4 +89,6 @@ enum {
SERIAL_POLICY_UNIXTIME = 2
};
extern const lookup_table_t acl_actions[];
extern const yp_item_t conf_scheme[];
......@@ -927,7 +927,7 @@ int remote_process(server_t *s, struct sockaddr_storage *ctl_addr, int sock,
rcu_read_unlock();
if (!allowed) {
log_warning("remote control, denied '%s', "
log_warning("remote control, ACL, denied, remote '%s', "
"no matching ACL", addr_str);
remote_senderr(client, pkt->wire, pkt->size);
ret = KNOT_EACCES;
......@@ -943,8 +943,9 @@ int remote_process(server_t *s, struct sockaddr_storage *ctl_addr, int sock,
ret = zones_verify_tsig_query(pkt, &tsig, &ts_rc,
&ts_trc, &ts_tmsigned);
if (ret != KNOT_EOK) {
log_warning("remote control, denied '%s', "
"key verification failed", addr_str);
log_warning("remote control, ACL, denied, "
"remote '%s', key verification (%s)",
addr_str, knot_strerror(ret));
remote_senderr(client, pkt->wire, pkt->size);
ret = KNOT_EACCES;
goto finish;
......
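Review bot: The second hunk's new message `"remote '%s', key verification (%s)"` drops the word "failed" that the old text carried, so the reason for the denial is legible only through whatever knot_strerror(ret) returns, while the first hunk's message still reads as a plain failure statement ("no matching ACL"). Writing it as `"remote '%s', key verification failed (%s)"` keeps the two denial lines parallel and unambiguous for log consumers. remote_process begins before the first hunk and continues past the second.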
......@@ -804,7 +804,7 @@ int internet_query(knot_pkt_t *response, struct query_data *qdata)
/* No applicable ACL, refuse transaction security. */
if (knot_pkt_has_tsig(qdata->query)) {
/* We have been challenged... */
NS_NEED_AUTH(qdata, qdata->zone->name, ACL_ACTION_TRANSFER);
NS_NEED_AUTH(qdata, qdata->zone->name, ACL_ACTION_NONE);
/* Reserve space for TSIG. */
knot_pkt_reserve(response, knot_tsig_wire_maxsize(&qdata->sign.tsig_key));
......
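Review bot: `NS_NEED_AUTH(qdata, qdata->zone->name, ACL_ACTION_NONE)` changes the meaning of this check — judging from the acl_allowed hunk in this commit, ACL_ACTION_NONE skips the action comparison, so any ACL entry whose address and key match the query will pass — but the surrounding comments ("No applicable ACL, refuse transaction security", "We have been challenged...") say nothing about it. Add a comment on the macro line: `/* ACL_ACTION_NONE: accept the TSIG if any ACL matches the source address and key, regardless of action. */`. internet_query begins and ends outside the hunk.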
......@@ -573,7 +573,21 @@ bool process_query_acl_check(const knot_dname_t *zone_name, acl_action_t action,
/* Check if authenticated. */
conf_val_t acl = conf_zone_get(conf(), C_ACL, zone_name);
if (!acl_allowed(&acl, action, query_source, &tsig)) {
dbg_ns("%s: no ACL match => NOTAUTH\n", __func__);
char addr_str[SOCKADDR_STRLEN] = { 0 };
sockaddr_tostr(addr_str, sizeof(addr_str), query_source);
lookup_table_t *act = lookup_by_id((lookup_table_t *)acl_actions,
action);
char *key_name = knot_dname_to_str_alloc(tsig.name);
log_zone_debug(zone_name,
"ACL, denied, action '%s', remote '%s', key %s%s%s",
(act != NULL) ? act->name : "query",
addr_str,
(key_name != NULL) ? "'" : "",
(key_name != NULL) ? key_name : "none",
(key_name != NULL) ? "'" : "");
free(key_name);
qdata->rcode = KNOT_RCODE_NOTAUTH;
qdata->rcode_tsig = KNOT_TSIG_ERR_BADKEY;
return false;
......
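Review bot: `lookup_by_id((lookup_table_t *)acl_actions, action)` casts away the const of a table this same commit declares as `const lookup_table_t acl_actions[]`; if lookup_by_id only reads the table it should take a `const lookup_table_t *` so the cast disappears, and if it ever writes through it, modifying a const-defined object is undefined behaviour. Two smaller points in the same block: the result of `sockaddr_tostr` is ignored, so on failure the log line silently prints the zeroed buffer as an empty remote, and `key_name == NULL` is logged as `none` both when the query carried no key and when `knot_dname_to_str_alloc` failed, which cannot be told apart in the log. The key name comes from the TSIG of a request that has just failed authentication, so the log line depends on `knot_dname_to_str_alloc` producing an escaped, printable form — worth confirming before relying on these lines in log pipelines. process_query_acl_check begins and ends outside the hunk.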
......@@ -177,18 +177,20 @@ bool acl_allowed(conf_val_t *acl, acl_action_t action,
}
/* Check if the action is allowed. */
val = conf_id_get(conf(), C_ACL, C_ACTION, acl);
while (val.code == KNOT_EOK) {
if (conf_opt(&val) != action) {
conf_val_next(&val);
continue;
}
if (action != ACL_ACTION_NONE) {
val = conf_id_get(conf(), C_ACL, C_ACTION, acl);
while (val.code == KNOT_EOK) {
if (conf_opt(&val) != action) {
conf_val_next(&val);
continue;
}
break;
}
/* Check for action match. */
if (val.code != KNOT_EOK) {
goto next_acl;
break;
}
/* Check for action match. */
if (val.code != KNOT_EOK) {
goto next_acl;
}
}
/* Check if denied. */
......
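Review bot: The new `if (action != ACL_ACTION_NONE)` guard gives ACL_ACTION_NONE the meaning "match any action", but neither the comment `/* Check if the action is allowed. */` directly above it nor, as far as the hunk shows, acl_allowed's header documents that, so a reader of the function has to infer it. Change the comment to `/* Check if the action is allowed; ACL_ACTION_NONE matches any action. */` and state the same rule on the function's documentation and on the ACL_ACTION_NONE enumerator, both outside this hunk. Presumably the address and key checks preceding this point are unchanged and still apply for NONE; that is the property the documentation should make explicit. acl_allowed begins and ends outside the hunk.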
......@@ -254,6 +254,12 @@ static void test_acl_allowed(void)
ret = test_conf(conf_str, NULL);
ok(ret == KNOT_EOK, "Prepare configuration");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET6, "2001::1", 0);
ret = acl_allowed(&acl, ACL_ACTION_NONE, &addr, &key1);
ok(ret == true, "Address, key, empty action");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET6, "2001::1", 0);
......
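Review bot: The added case only checks that ACL_ACTION_NONE yields `true` for a matching address and key (`ok(ret == true, "Address, key, empty action")`); nothing in this hunk pins that NONE still returns `false` when the address or key does not match, which is the property that keeps the new "any action" shortcut from becoming a bypass. Unless another case in test_acl_allowed already covers it, add a negative call such as `ret = acl_allowed(&acl, ACL_ACTION_NONE, &addr, &key2); ok(ret == false, "Address, wrong key, empty action");` (key2 here is a constructed placeholder for a key the ACL does not list). test_acl_allowed begins and ends outside the hunk.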