Home Explore Help
Sign In
zorun
/
kea
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

[trac772] Perform the ACL check

Michal 'vorner' Vaner 14 years ago
parent
49f1d2d2e7
commit
e77575c3c8
2 changed files with 30 additions and 1 deletions
Split View Show Diff Stats
  1. 23 0
      src/bin/xfrout/tests/xfrout_test.py.in
  2. 7 1
      src/bin/xfrout/xfrout.py.in

+ 23 - 0
src/bin/xfrout/tests/xfrout_test.py.in
View File 

@@ -141,6 +141,29 @@ class TestXfroutSession(unittest.TestCase):
 
         self.assertEqual(rcode.to_text(), "NOERROR")
 
         self.assertTrue(self.xfrsess._tsig_ctx is not None)
 
 
+        # ACL checks, put some ACL inside
 
+        self.xfrsess._acl = isc.acl.dns.REQUEST_LOADER.load([
 
+            {
 
+                "from": "127.0.0.1",
 
+                "action": "ACCEPT"
 
+            },
 
+            {
 
+                "from": "192.0.2.1",
 
+                "action": "DROP"
 
+            }
 
+        ])
 
+        # Localhost (the default in this test) is accepted
 
+        rcode, msg = self.xfrsess._parse_query_message(self.mdata)
 
+        self.assertEqual(rcode.to_text(), "NOERROR")
 
+        # This should be dropped completely, therefore returning None
 
+        self.xfrsess._remote = ('192.0.2.1', 12345)
 
+        rcode, msg = self.xfrsess._parse_query_message(self.mdata)
 
+        self.assertTrue(rcode is None)
 
+        # This should be rejected, therefore NOTAUTH
 
+        self.xfrsess._remote = ('192.0.2.2', 12345)
 
+        rcode, msg = self.xfrsess._parse_query_message(self.mdata)
 
+        self.assertEqual(rcode.to_text(), "REFUSED")
 
+
 
     def test_get_query_zone_name(self):
 
         msg = self.getmsg()
 
         self.assertEqual(self.xfrsess._get_query_zone_name(msg), "example.com.")

+ 7 - 1
src/bin/xfrout/xfrout.py.in
View File 

@@ -144,7 +144,13 @@ class XfroutSession():
 
             # TSIG related checks
 
             rcode = self._check_request_tsig(msg, mdata)
 
 
-            # TODO The ACL check comes here
 
+            # ACL checks
 
+            acl_result = self._acl.execute(
 
+                isc.acl.dns.RequestContext(self._remote))
 
+            if acl_result == isc.acl.acl.DROP:
 
+                return None, None
 
+            elif acl_result == isc.acl.acl.REJECT:
 
+                return Rcode.REFUSED(), msg
 
 
         except Exception as err:
 
             logger.error(XFROUT_PARSE_QUERY_ERROR, str(err))