
Merge branch 'master' of ssh://git.bind10.isc.org/var/bind10/git/bind10

Shane Kerr 12 years ago
parent
commit
42c59bc235

+ 6 - 0
ChangeLog

@@ -1,3 +1,9 @@
+505.	[bug]		jelte
+	Fixed a bug in b10-xfrin where a wrong call was made during the
+	final check of a TSIG-signed transfer, incorrectly rejecting the
+	transfer.
+	(Trac #2464, git eac81c0cbebee72f6478bdb5cda915f5470d08e1)
+
 504.	[bug]*		naokikambe
 	Fixed an XML format viewed from b10-stats-httpd. Regarding
 	per-zone counters as zones of Xfrout, a part of the item values wasn't

+ 2 - 2
src/bin/xfrin/tests/xfrin_test.py

@@ -570,7 +570,7 @@ class TestXfrinIXFRAdd(TestXfrinState):
         # difference, starting with removing that SOA.
         self.conn._diff.add_data(self.ns_rrset) # put some dummy change
         self.conn._tsig_ctx = MockTSIGContext(TSIG_KEY)
-        self.conn._tsig_ctx.last_has_signature = lambda: False
+        self.conn._tsig_ctx.last_had_signature = lambda: False
         # First, push a starting SOA inside. This should be OK, nothing checked
         # yet.
         self.state.handle_rr(self.conn, self.begin_soa)
@@ -821,7 +821,7 @@ class TestAXFR(TestXfrinConnection):
         mock_ctx = MockTSIGContext(key)
         mock_ctx.error = error
         if not has_last_signature:
-            mock_ctx.last_has_signature = lambda: False
+            mock_ctx.last_had_signature = lambda: False
         return mock_ctx
 
     def __match_exception(self, expected_exception, expected_msg, expression):
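Review bot: Both overrides in this file (`self.conn._tsig_ctx.last_had_signature = lambda: False` in TestXfrinIXFRAdd and `mock_ctx.last_had_signature = lambda: False` in the TestAXFR helper) are plain attribute assignments, so a name that does not exist on the real context is accepted silently. That is presumably how the old `last_has_signature` spelling kept these tests green while the production call was wrong. MockTSIGContext derives from TSIGContext (visible in tsigctx_mock.py), so I would pin the name once against the base class, e.g. `self.assertTrue(hasattr(TSIGContext, 'last_had_signature'))`, assuming TSIGContext is importable in this module. Both enclosing methods start outside their hunks.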

+ 1 - 1
src/bin/xfrin/xfrin.py.in

@@ -797,7 +797,7 @@ class XfrinConnection(asyncore.dispatcher):
         Check there's a signature at the last message.
         """
         if self._tsig_ctx is not None:
-            if not self._tsig_ctx.last_has_signature():
+            if not self._tsig_ctx.last_had_signature():
                 raise XfrinProtocolError('TSIG verify fail: no TSIG on last '+
                                          'message')
 
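Review bot: The docstring above the changed line says only that a signature is checked at the last message, not why a transfer without one has to be rejected. I would extend it with a sentence such as `Without a TSIG on the final message the tail of a multi-message transfer is unauthenticated, so the whole transfer is refused.` and state that the check is skipped entirely when `_tsig_ctx` is None. The method's signature is outside the hunk, so its name is not visible here.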

+ 1 - 1
src/lib/python/isc/testutils/tsigctx_mock.py

@@ -52,5 +52,5 @@ class MockTSIGContext(TSIGContext):
             return self.error(self)
         return self.error
 
-    def last_has_signature(self):
+    def last_had_signature(self):
         return True
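Review bot: `last_had_signature` in the mock has no docstring, and its fixed `return True` means every test sees a signed final message unless it overrides the method. A one-line docstring would make that default explicit: `"""Report the last message as signed; tests replace this to simulate a missing final TSIG."""`. The rest of MockTSIGContext is outside the hunk.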

tests/lettuce/configurations/xfrin/retransfer_slave.conf → tests/lettuce/configurations/xfrin/retransfer_slave.conf.orig


+ 2 - 0
tests/lettuce/features/terrain/terrain.py

@@ -61,6 +61,8 @@ copylist = [
      "configurations/ddns/noddns.config"],
     ["configurations/xfrin/retransfer_master.conf.orig",
      "configurations/xfrin/retransfer_master.conf"],
+    ["configurations/xfrin/retransfer_slave.conf.orig",
+     "configurations/xfrin/retransfer_slave.conf"],
     ["data/inmem-xfrin.sqlite3.orig",
      "data/inmem-xfrin.sqlite3"],
     ["data/xfrin-notify.sqlite3.orig",

+ 51 - 2
tests/lettuce/features/xfrin_bind10.feature

@@ -1,6 +1,6 @@
-Feature: Xfrin 
+Feature: Xfrin
     Tests for Xfrin, specific for BIND 10 behaviour.
-    
+
     Scenario: Retransfer command
     # Standard check to test (non-)existence of a file.
     # This file is actually automatically created.
@@ -37,3 +37,52 @@ Feature: Xfrin
     # We don't have to specify the address/port here; the defaults will work.
     When I do an AXFR transfer of example.org
     Then transfer result should have 13 rrs
+
+
+
+    Scenario: Transfer with TSIG
+    # Similar setup to the test above, but this time, we add TSIG configuration
+
+    # In order to check that the tests don't give false positives because config
+    # happens to be right (like no TSIG on either side), we take an existing
+    # non-TSIG config, add TSIG on the master side, see it fail, add TSIG
+    # on the slave side, then check again.
+
+    Given I have bind10 running with configuration xfrin/retransfer_master.conf with cmdctl port 47804 as master
+    And wait for master stderr message AUTH_SERVER_STARTED
+    And wait for master stderr message XFROUT_STARTED
+
+    And I have bind10 running with configuration xfrin/retransfer_slave.conf
+    And wait for bind10 stderr message CMDCTL_STARTED
+    And wait for bind10 stderr message XFRIN_STARTED
+
+    # Set slave config for 'automatic' xfrin
+    When I set bind10 configuration Xfrin/zones to [{"master_port": 47806, "name": "example.org", "master_addr": "::1"}]
+
+    # Make sure it is fully open
+    When I send bind10 the command Xfrin retransfer example.org
+    Then wait for new bind10 stderr message XFRIN_TRANSFER_SUCCESS not XFRIN_XFR_PROCESS_FAILURE
+    And wait for new bind10 stderr message ZONEMGR_RECEIVE_XFRIN_SUCCESS
+
+    # First to master, a transfer should then fail
+    When I send bind10 the following commands with cmdctl port 47804:
+    """
+    config add tsig_keys/keys "example.key.:c2VjcmV0"
+    config set Xfrout/zone_config[0]/transfer_acl [{"action": "ACCEPT", "from": "::1", "key": "example.key."}]
+    config commit
+    """
+
+    # Transfer should fail
+    When I send bind10 the command Xfrin retransfer example.org
+    Then wait for new bind10 stderr message XFRIN_XFR_TRANSFER_PROTOCOL_ERROR not XFRIN_TRANSFER_SUCCESS
+    # Set client to use TSIG as well
+    When I send bind10 the following commands:
+    """
+    config add tsig_keys/keys "example.key.:c2VjcmV0"
+    config set Xfrin/zones[0]/tsig_key  "example.key.:c2VjcmV0"
+    config commit
+    """
+
+    # Transwer should succeed now
+    When I send bind10 the command Xfrin retransfer example.org
+    Then wait for new bind10 stderr message XFRIN_TRANSFER_SUCCESS not XFRIN_XFR_PROCESS_FAILURE
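Review bot: The new scenario covers a slave with no key and a slave with the matching key, but never a slave configured with a different secret under the same key name, so the verification-failure path of a signed transfer is not exercised end to end. I would add a step block between the failing and the succeeding retransfer that sets `config set Xfrin/zones[0]/tsig_key "example.key.:<OTHER_BASE64_SECRET>"` (placeholder), commits, and then waits for a failure message with `not XFRIN_TRANSFER_SUCCESS`. Which failure message is logged in that case is not visible here. Separately, the last comment reads `# Transwer should succeed now` and should say `Transfer`.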