Commit f361e6b2 authored by Daniel Salzman's avatar Daniel Salzman

nameserver: add explicit conf parameter to process_query_acl_check

parent 41d6352f
......@@ -116,7 +116,7 @@ int ns_put_rr(knot_pkt_t *pkt, const knot_rrset_t *rr,
/*! \brief Require authentication. */
#define NS_NEED_AUTH(qdata, zone_name, action) \
if (!process_query_acl_check((zone_name), (action), (qdata))) { \
if (!process_query_acl_check(conf(), (zone_name), (action), (qdata))) { \
return KNOT_STATE_FAIL; \
} else { \
if (process_query_verify(qdata) != KNOT_EOK) { \
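Review bot: The new `NS_NEED_AUTH` body on the `process_query_acl_check(conf(), ...)` line still fetches the configuration through the global `conf()` accessor, so this authorization path is not covered by the explicit-parameter change made in the rest of the commit. If the caller already holds a `conf_t *` for the request, the ACL decision here could be made against a different configuration instance than the rest of the handler; whether that can happen depends on how `conf()` behaves across a reload, which is not visible here. Consider giving the macro a `conf` argument, `if (!process_query_acl_check((conf), (zone_name), (action), (qdata))) { \`, or at least stating in the `\brief` that the macro always uses the global configuration. The macro also hides a `return KNOT_STATE_FAIL;`, and its body continues past the end of the hunk.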
......
......@@ -18,7 +18,6 @@
#include "dnssec/tsig.h"
#include "knot/common/log.h"
#include "knot/conf/conf.h"
#include "knot/nameserver/process_query.h"
#include "knot/nameserver/query_module.h"
#include "knot/nameserver/chaos.h"
......@@ -558,8 +557,8 @@ finish:
return next_state;
}
bool process_query_acl_check(const knot_dname_t *zone_name, acl_action_t action,
struct query_data *qdata)
bool process_query_acl_check(conf_t *conf, const knot_dname_t *zone_name,
acl_action_t action, struct query_data *qdata)
{
knot_pkt_t *query = qdata->query;
const struct sockaddr_storage *query_source = qdata->param->remote;
......@@ -577,8 +576,8 @@ bool process_query_acl_check(const knot_dname_t *zone_name, acl_action_t action,
}
/* Check if authenticated. */
conf_val_t acl = conf_zone_get(conf(), C_ACL, zone_name);
if (!acl_allowed(&acl, action, query_source, &tsig)) {
conf_val_t acl = conf_zone_get(conf, C_ACL, zone_name);
if (!acl_allowed(conf, &acl, action, query_source, &tsig)) {
char addr_str[SOCKADDR_STRLEN] = { 0 };
sockaddr_tostr(addr_str, sizeof(addr_str), query_source);
const knot_lookup_t *act = knot_lookup_by_id((knot_lookup_t *)acl_actions,
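Review bot: In `process_query_acl_check()`, `conf` is now supplied by the caller, but the visible lines pass it straight to `conf_zone_get(conf, C_ACL, zone_name)` and `acl_allowed(conf, &acl, ...)` without checking that it is non-NULL. Because this function is the allow/deny gate, a bad argument should end in a denial rather than in whatever the callees do with a null pointer. A guard near the top such as `if (conf == NULL) { return false; }` would do, with `qdata->rcode` set the same way the existing deny path sets it, since callers read it after a failure. The lines between the two hunks of this function are not shown, so this may already be handled there.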
......
......@@ -112,13 +112,14 @@ struct rrsig_info {
/*!
* \brief Check current query against ACL.
*
* \param conf Configuration.
* \param zone_name Current zone name.
* \param action ACL action.
* \param qdata Query data.
* \return true if accepted, false if denied.
*/
bool process_query_acl_check(const knot_dname_t *zone_name, acl_action_t action,
struct query_data *qdata);
bool process_query_acl_check(conf_t *conf, const knot_dname_t *zone_name,
acl_action_t action, struct query_data *qdata);
/*!
* \brief Verify current query transaction security and update query data.
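Review bot: The added `\param conf  Configuration.` line does not tell a caller which configuration to pass, which matters for a function that makes the allow/deny decision. I would spell out the contract, for example `\param conf  Configuration the zone's ACL is read from; must not be NULL and should be the same instance the caller uses for the rest of the request.` The `\return` line could also mention that on denial the caller is expected to read `qdata->rcode`, which is what `update_tsig_check()` appears to do after a failed check.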
......
......@@ -326,10 +326,10 @@ static void forward_requests(conf_t *conf, zone_t *zone, list_t *requests)
}
}
static bool update_tsig_check(struct query_data *qdata, struct knot_request *req)
static bool update_tsig_check(conf_t *conf, struct query_data *qdata, struct knot_request *req)
{
// Check that ACL is still valid.
if (!process_query_acl_check(qdata->zone->name, ACL_ACTION_UPDATE, qdata)) {
if (!process_query_acl_check(conf, qdata->zone->name, ACL_ACTION_UPDATE, qdata)) {
UPDATE_LOG(LOG_WARNING, "ACL check failed");
knot_wire_set_rcode(req->resp->wire, qdata->rcode);
return false;
......@@ -419,7 +419,7 @@ static int init_update_responses(conf_t *conf, const zone_t *zone, list_t *updat
struct query_data qdata;
init_qdata_from_request(&qdata, zone, req, &param);
if (!update_tsig_check(&qdata, req)) {
if (!update_tsig_check(conf, &qdata, req)) {
// ACL/TSIG check failed, send response.
send_update_response(conf, zone, req);
// Remove this request from processing list.
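Review bot: `update_tsig_check()` re-runs the ACL check with whatever `conf` was handed to `init_update_responses()`, but its only comment, `// Check that ACL is still valid.`, does not say against which configuration. A comment such as `// Re-check the ACL against the configuration passed in; the request may have been accepted under an earlier one.` would make the intent explicit; that reading is inferred from the words "still valid" and should be confirmed. The new signature line also runs well past 80 columns, while the other prototypes touched by this commit are wrapped; breaking it after `struct query_data *qdata,` would match them. Both function bodies continue outside the hunks shown.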
......