
[2027] do ACL check before prereeqs in DDNS

Jelte Jansen 13 years ago
parent
commit
58abcc59fb

+ 1 - 1
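--- a/src/lib/python/isc/ddns/session.py
+++ b/src/lib/python/isc/ddns/session.py
@@ -242,12 +242,12 @@ class UpdateSession:
         '''
         try:
             self._get_update_zone()
+            self.__check_update_acl(self.__zname, self.__zclass)
             self._create_diff()
             prereq_result = self.__check_prerequisites()
             if prereq_result != Rcode.NOERROR():
                 self.__make_response(prereq_result)
                 return UPDATE_ERROR, self.__zname, self.__zclass
-            self.__check_update_acl(self.__zname, self.__zclass)
             update_result = self.__do_update()
             if update_result != Rcode.NOERROR():
                 self.__make_response(update_result)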
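Review bot: The new position of `__check_update_acl` is security-relevant, yet nothing at the call site says so. Running it before `_create_diff()` and `__check_prerequisites()` means a client the ACL refuses no longer learns from prerequisite rcodes which names or RRsets exist in the zone. RFC 2136 lists prerequisite processing (3.2) ahead of the permission check (3.3), so a later cleanup could plausibly move the call back; a comment such as `# ACL first: prerequisite rcodes disclose zone contents, so refuse unauthorized clients before prerequisites are evaluated` would pin the intent. The call's return value is not inspected, so denial is presumably signalled by an exception caught in the `except` clauses, which lie outside this hunk along with the start and end of the method.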

+ 17 - 2
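--- a/src/lib/python/isc/ddns/tests/session_tests.py
+++ b/src/lib/python/isc/ddns/tests/session_tests.py
@@ -657,12 +657,12 @@ class SessionTest(SessionTestBase):
         self.assertEqual(str(expected_soa),
                          str(session._UpdateSession__added_soa))
 
-    def check_full_handle_result(self, expected, updates):
+    def check_full_handle_result(self, expected, updates, prerequisites=[]):
         '''Helper method for checking the result of a full handle;
            creates an update session, and fills it with the list of rrsets
            from 'updates'. Then checks if __handle()
            results in a response with rcode 'expected'.'''
-        msg = create_update_msg([TEST_ZONE_RECORD], [], updates)
+        msg = create_update_msg([TEST_ZONE_RECORD], prerequisites, updates)
         zconfig = ZoneConfig([], TEST_RRCLASS, self._datasrc_client,
                              self._acl_map)
         session = UpdateSession(msg, TEST_CLIENT4, zconfig)
@@ -902,6 +902,21 @@ class SessionTest(SessionTestBase):
                                 [ b'\x00\x0a\x04mail\x07example\x03org\x00' ])
         self.rrset_update_del_rrset_mx = rrset_update_del_rrset_mx
 
+    def test_acl_before_prereq(self):
+        name_in_use_no = create_rrset("foo.example.org", RRClass.ANY(),
+                                      RRType.ANY(), 0)
+
+        # Test a prerequisite that would fail
+        self.check_full_handle_result(Rcode.NXDOMAIN(), [], [ name_in_use_no ])
+
+        # Change ACL so that it would be denied
+        self._acl_map = {(TEST_ZONE_NAME, TEST_RRCLASS):
+                             REQUEST_LOADER.load([{"action": "REJECT"}])}
+
+        # The prerequisite should now not be reached; it should fail on the
+        # ACL
+        self.check_full_handle_result(Rcode.REFUSED(), [], [ name_in_use_no ])
+
     def test_prescan(self):
         '''Test whether the prescan succeeds on data that is ok, and whether
            if notices the SOA if present'''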
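Review bot: `check_full_handle_result` now takes `prerequisites=[]`, a mutable default shared across calls. Nothing visible mutates it, but `create_update_msg` is defined outside the hunk, so `prerequisites=None` with `prerequisites or []` passed to `create_update_msg` is the safer form. The helper's docstring still describes only 'updates' and should mention the new parameter. `test_acl_before_prereq` has no docstring, unlike `test_prescan` below it; something like `'''Check that a client denied by the ACL gets REFUSED rather than the prerequisite's rcode.'''` would state what the ordering protects.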