auth_srv.cc 25.9 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
// Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.

15
16
#include <config.h>

17
18
#include <netinet/in.h>

19
#include <algorithm>
20
#include <cassert>
21
#include <iostream>
22
#include <vector>
23
#include <memory>
24

25
26
#include <boost/bind.hpp>

27
28
29
30
31
32
#include <asiolink/asiolink.h>

#include <config/ccsession.h>

#include <cc/data.h>

33
34
#include <exceptions/exceptions.h>

35
#include <util/buffer.h>
36

37
#include <dns/edns.h>
JINMEI Tatuya's avatar
JINMEI Tatuya committed
38
#include <dns/exceptions.h>
39
40
41
#include <dns/messagerenderer.h>
#include <dns/name.h>
#include <dns/question.h>
42
#include <dns/opcode.h>
43
#include <dns/rcode.h>
44
45
46
#include <dns/rrset.h>
#include <dns/rrttl.h>
#include <dns/message.h>
47
#include <dns/tsig.h>
48

Evan Hunt's avatar
Evan Hunt committed
49
50
#include <datasrc/query.h>
#include <datasrc/data_source.h>
51
#include <datasrc/memory_datasrc.h>
Evan Hunt's avatar
Evan Hunt committed
52
53
#include <datasrc/static_datasrc.h>
#include <datasrc/sqlite3_datasrc.h>
54

55
56
#include <xfr/xfrout_client.h>

57
#include <auth/common.h>
58
#include <auth/auth_config.h>
59
#include <auth/auth_srv.h>
60
#include <auth/query.h>
61
#include <auth/statistics.h>
62
#include <auth/auth_log.h>
63
64
65

using namespace std;

66
using namespace isc;
67
using namespace isc::cc;
Evan Hunt's avatar
Evan Hunt committed
68
using namespace isc::datasrc;
69
using namespace isc::dns;
70
using namespace isc::util;
71
using namespace isc::auth;
72
73
using namespace isc::dns::rdata;
using namespace isc::data;
74
using namespace isc::config;
75
using namespace isc::xfr;
76
77
using namespace isc::asiolink;
using namespace isc::asiodns;
78
using namespace isc::server_common::portconfig;
79
using boost::shared_ptr;
80

81
82
83
84
85
86
class AuthSrvImpl {
private:
    // prohibit copy
    AuthSrvImpl(const AuthSrvImpl& source);
    AuthSrvImpl& operator=(const AuthSrvImpl& source);
public:
87
    AuthSrvImpl(const bool use_cache, AbstractXfroutClient& xfrout_client);
Han Feng's avatar
Han Feng committed
88
    ~AuthSrvImpl();
89
    isc::data::ConstElementPtr setDbFile(isc::data::ConstElementPtr config);
90

91
    bool processNormalQuery(const IOMessage& io_message, MessagePtr message,
92
93
                            OutputBufferPtr buffer,
                            auto_ptr<TSIGContext> tsig_context);
94
    bool processAxfrQuery(const IOMessage& io_message, MessagePtr message,
95
96
                          OutputBufferPtr buffer,
                          auto_ptr<TSIGContext> tsig_context);
Michal Vaner's avatar
Michal Vaner committed
97
    bool processNotify(const IOMessage& io_message, MessagePtr message,
98
99
                       OutputBufferPtr buffer,
                       auto_ptr<TSIGContext> tsig_context);
Evan Hunt's avatar
Evan Hunt committed
100

101
102
    IOService io_service_;

Evan Hunt's avatar
Evan Hunt committed
103
104
105
106
    /// Currently non-configurable, but will be.
    static const uint16_t DEFAULT_LOCAL_UDPSIZE = 4096;

    /// These members are public because AuthSrv accesses them directly.
107
    ModuleCCSession* config_session_;
Evan Hunt's avatar
Evan Hunt committed
108
109
    AbstractSession* xfrin_session_;

110
    /// In-memory data source.  Currently class IN only for simplicity.
111
    const RRClass memory_datasrc_class_;
112
113
    AuthSrv::MemoryDataSrcPtr memory_datasrc_;

Michal Vaner's avatar
Michal Vaner committed
114
115
    /// Hot spot cache
    isc::datasrc::HotCache cache_;
116

117
118
119
    /// Interval timer for periodic submission of statistics counters.
    IntervalTimer statistics_timer_;

120
    /// Query counters for statistics
121
    AuthCounters counters_;
122
123
124

    /// Addresses we listen on
    AddressList listen_addresses_;
125
126
127

    /// The TSIG keyring
    const shared_ptr<TSIGKeyRing>* keyring_;
Evan Hunt's avatar
Evan Hunt committed
128
129
130
private:
    std::string db_file_;

131
    MetaDataSrc data_sources_;
132
133
134
    /// We keep a pointer to the currently running sqlite datasource
    /// so that we can specifically remove that one should the database
    /// file change
135
    ConstDataSrcPtr cur_datasrc_;
136

137
    bool xfrout_connected_;
138
    AbstractXfroutClient& xfrout_client_;
139

140
    /// Increment query counter
141
    void incCounter(const int protocol);
142
143
};

144
145
AuthSrvImpl::AuthSrvImpl(const bool use_cache,
                         AbstractXfroutClient& xfrout_client) :
146
    config_session_(NULL),
147
    xfrin_session_(NULL),
148
    memory_datasrc_class_(RRClass::IN()),
149
    statistics_timer_(io_service_),
150
    counters_(),
151
    keyring_(NULL),
152
    xfrout_connected_(false),
153
    xfrout_client_(xfrout_client)
154
{
155
156
    // cur_datasrc_ is automatically initialized by the default constructor,
    // effectively being an empty (sqlite) data source.  once ccsession is up
157
    // the datasource will be set by the configuration setting
158

159
    // add static data source
160
    data_sources_.addDataSrc(ConstDataSrcPtr(new StaticDataSrc));
Evan Hunt's avatar
Evan Hunt committed
161
162
163

    // enable or disable the cache
    cache_.setEnabled(use_cache);
164
165
}

Han Feng's avatar
Han Feng committed
166
AuthSrvImpl::~AuthSrvImpl() {
167
    if (xfrout_connected_) {
168
        xfrout_client_.disconnect();
169
        xfrout_connected_ = false;
Han Feng's avatar
Han Feng committed
170
    }
171
}
172

173
// This is a derived class of \c DNSLookup, to serve as a
174
// callback in the asiolink module.  It calls
175
// AuthSrv::processMessage() on a single DNS message.
176
class MessageLookup : public DNSLookup {
177
public:
178
    MessageLookup(AuthSrv* srv) : server_(srv) {}
179
180
181
182
183
    virtual void operator()(const IOMessage& io_message,
                            MessagePtr message,
                            MessagePtr answer_message,
                            OutputBufferPtr buffer,
                            DNSServer* server) const
184
    {
185
        (void) answer_message;
186
        server_->processMessage(io_message, message, buffer, server);
187
188
189
190
191
    }
private:
    AuthSrv* server_;
};

192
193
194
195
196
197
198
199
// This is a derived class of \c DNSAnswer, to serve as a callback in the
// asiolink module.  We actually shouldn't do anything in this class because
// we build complete response messages in the process methods; otherwise
// the response message will contain trailing garbage.  In future, we should
// probably even drop the reliance on DNSAnswer.  We don't need the coroutine
// tricks provided in that framework, and its overhead would be significant
// in terms of performance consideration for the authoritative server
// implementation.
200
201
class MessageAnswer : public DNSAnswer {
public:
202
203
    MessageAnswer(AuthSrv*) {}
    virtual void operator()(const IOMessage&, MessagePtr,
204
                            MessagePtr, OutputBufferPtr) const
205
    {}
206
207
};

208
// This is a derived class of \c SimpleCallback, to serve
209
// as a callback in the asiolink module.  It checks for queued
210
// configuration messages, and executes them if found.
211
class ConfigChecker : public SimpleCallback {
212
213
public:
    ConfigChecker(AuthSrv* srv) : server_(srv) {}
Michal Vaner's avatar
Michal Vaner committed
214
    virtual void operator()(const IOMessage&) const {
215
216
        if (server_->getConfigSession()->hasQueuedMsgs()) {
            server_->getConfigSession()->checkCommand();
217
218
219
220
221
222
        }
    }
private:
    AuthSrv* server_;
};

223
AuthSrv::AuthSrv(const bool use_cache, AbstractXfroutClient& xfrout_client) :
224
    impl_(new AuthSrvImpl(use_cache, xfrout_client)),
225
    checkin_(new ConfigChecker(this)),
226
227
    dns_lookup_(new MessageLookup(this)),
    dns_answer_(new MessageAnswer(this))
228
{}
229

230
231
void
AuthSrv::stop() {
232
    impl_->io_service_.stop();
233
234
}

235
AuthSrv::~AuthSrv() {
236
    delete impl_;
237
    delete checkin_;
238
239
    delete dns_lookup_;
    delete dns_answer_;
240
241
}

242
namespace {
243
244
class QuestionInserter {
public:
245
    QuestionInserter(MessagePtr message) : message_(message) {}
246
247
248
    void operator()(const QuestionPtr question) {
        message_->addQuestion(question);
    }
249
    MessagePtr message_;
250
251
};

252
void
253
makeErrorMessage(MessagePtr message, OutputBufferPtr buffer,
254
                 const Rcode& rcode, 
255
256
                 std::auto_ptr<TSIGContext> tsig_context =
                 std::auto_ptr<TSIGContext>())
257
{
258
259
260
    // extract the parameters that should be kept.
    // XXX: with the current implementation, it's not easy to set EDNS0
    // depending on whether the query had it.  So we'll simply omit it.
261
    const qid_t qid = message->getQid();
Michal Vaner's avatar
Michal Vaner committed
262
263
    const bool rd = message->getHeaderFlag(Message::HEADERFLAG_RD);
    const bool cd = message->getHeaderFlag(Message::HEADERFLAG_CD);
264
    const Opcode& opcode = message->getOpcode();
265
266
    vector<QuestionPtr> questions;

267
268
269
    // If this is an error to a query or notify, we should also copy the
    // question section.
    if (opcode == Opcode::QUERY() || opcode == Opcode::NOTIFY()) {
270
        questions.assign(message->beginQuestion(), message->endQuestion());
271
    }
272

273
274
275
    message->clear(Message::RENDER);
    message->setQid(qid);
    message->setOpcode(opcode);
Michal Vaner's avatar
Michal Vaner committed
276
    message->setHeaderFlag(Message::HEADERFLAG_QR);
277
    if (rd) {
Michal Vaner's avatar
Michal Vaner committed
278
        message->setHeaderFlag(Message::HEADERFLAG_RD);
279
280
    }
    if (cd) {
Michal Vaner's avatar
Michal Vaner committed
281
        message->setHeaderFlag(Message::HEADERFLAG_CD);
282
    }
283
284
285
286
    for_each(questions.begin(), questions.end(), QuestionInserter(message));
    message->setRcode(rcode);

    MessageRenderer renderer(*buffer);
287
288
289
290
291
    if (tsig_context.get() != NULL) {
        message->toWire(renderer, *tsig_context);
    } else {
        message->toWire(renderer);
    }
292
    LOG_DEBUG(auth_logger, DBG_AUTH_MESSAGES, AUTH_SEND_ERROR_RESPONSE)
293
              .arg(renderer.getLength()).arg(*message);
294
}
295
}
296

297
298
299
300
301
IOService&
AuthSrv::getIOService() {
    return (impl_->io_service_);
}

JINMEI Tatuya's avatar
JINMEI Tatuya committed
302
303
304
305
306
307
308
309
310
311
void
AuthSrv::setCacheSlots(const size_t slots) {
    impl_->cache_.setSlots(slots);
}

size_t
AuthSrv::getCacheSlots() const {
    return (impl_->cache_.getSlots());
}

312
void
313
314
AuthSrv::setXfrinSession(AbstractSession* xfrin_session) {
    impl_->xfrin_session_ = xfrin_session;
315
316
}

317
void
318
319
AuthSrv::setConfigSession(ModuleCCSession* config_session) {
    impl_->config_session_ = config_session;
320
321
}

322
void
323
324
AuthSrv::setStatisticsSession(AbstractSession* statistics_session) {
    impl_->counters_.setStatisticsSession(statistics_session);
325
326
}

327
ModuleCCSession*
328
AuthSrv::getConfigSession() const {
329
    return (impl_->config_session_);
330
331
}

332
333
AuthSrv::MemoryDataSrcPtr
AuthSrv::getMemoryDataSrc(const RRClass& rrclass) {
334
    // XXX: for simplicity, we only support the IN class right now.
335
    if (rrclass != impl_->memory_datasrc_class_) {
336
337
338
339
340
341
342
343
344
345
346
347
        isc_throw(InvalidParameter,
                  "Memory data source is not supported for RR class "
                  << rrclass);
    }
    return (impl_->memory_datasrc_);
}

void
AuthSrv::setMemoryDataSrc(const isc::dns::RRClass& rrclass,
                          MemoryDataSrcPtr memory_datasrc)
{
    // XXX: see above
348
    if (rrclass != impl_->memory_datasrc_class_) {
349
350
351
        isc_throw(InvalidParameter,
                  "Memory data source is not supported for RR class "
                  << rrclass);
352
    } else if (!impl_->memory_datasrc_ && memory_datasrc) {
353
        LOG_DEBUG(auth_logger, DBG_AUTH_OPS, AUTH_MEM_DATASRC_ENABLED)
354
355
                  .arg(rrclass);
    } else if (impl_->memory_datasrc_ && !memory_datasrc) {
356
        LOG_DEBUG(auth_logger, DBG_AUTH_OPS, AUTH_MEM_DATASRC_DISABLED)
357
                  .arg(rrclass);
358
    }
JINMEI Tatuya's avatar
JINMEI Tatuya committed
359
    impl_->memory_datasrc_ = memory_datasrc;
360
361
}

362
363
uint32_t
AuthSrv::getStatisticsTimerInterval() const {
364
    return (impl_->statistics_timer_.getInterval() / 1000);
365
366
367
368
369
370
371
}

void
AuthSrv::setStatisticsTimerInterval(uint32_t interval) {
    if (interval == impl_->statistics_timer_.getInterval()) {
        return;
    }
372
    if (interval > 86400) {
373
        // It can't occur since the value is checked in
374
375
376
        // statisticsIntervalConfig::build().
        isc_throw(InvalidParameter, "Too long interval: " << interval);
    }
377
378
    if (interval == 0) {
        impl_->statistics_timer_.cancel();
379
        LOG_DEBUG(auth_logger, DBG_AUTH_OPS, AUTH_STATS_TIMER_DISABLED);
380
    } else {
381
382
        impl_->statistics_timer_.setup(boost::bind(&AuthSrv::submitStatistics,
                                                   this),
383
                                       interval * 1000);
384
385
        LOG_DEBUG(auth_logger, DBG_AUTH_OPS, AUTH_STATS_TIMER_SET)
                  .arg(interval);
386
387
388
    }
}

389
void
390
AuthSrv::processMessage(const IOMessage& io_message, MessagePtr message,
391
                        OutputBufferPtr buffer, DNSServer* server)
JINMEI Tatuya's avatar
cleanup    
JINMEI Tatuya committed
392
{
393
394
    InputBuffer request_buffer(io_message.getData(), io_message.getDataSize());

395
396
397
    // First, check the header part.  If we fail even for the base header,
    // just drop the message.
    try {
398
        message->parseHeader(request_buffer);
399
400

        // Ignore all responses.
Michal Vaner's avatar
Michal Vaner committed
401
        if (message->getHeaderFlag(Message::HEADERFLAG_QR)) {
402
            LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_RESPONSE_RECEIVED);
403
            server->resume(false);
404
            return;
405
406
        }
    } catch (const Exception& ex) {
407
408
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_HEADER_PARSE_FAIL)
                  .arg(ex.what());
409
        server->resume(false);
410
        return;
411
412
    }

413
    try {
414
        // Parse the message.
415
        message->fromWire(request_buffer);
416
    } catch (const DNSProtocolError& error) {
417
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_PACKET_PROTOCOL_ERROR)
418
                  .arg(error.getRcode().toText()).arg(error.what());
419
        makeErrorMessage(message, buffer, error.getRcode());
420
        server->resume(true);
421
        return;
422
    } catch (const Exception& ex) {
423
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_PACKET_PARSE_ERROR)
424
                  .arg(ex.what());
425
        makeErrorMessage(message, buffer, Rcode::SERVFAIL());
426
        server->resume(true);
427
        return;
428
    } // other exceptions will be handled at a higher layer.
429

430
    LOG_DEBUG(auth_logger, DBG_AUTH_MESSAGES, AUTH_PACKET_RECEIVED)
431
              .arg(message->toText());
432

433
    // Perform further protocol-level validation.
434
435
436
437
438
439
440
441
    // TSIG first
    // If this is set to something, we know we need to answer with TSIG as well
    std::auto_ptr<TSIGContext> tsig_context;
    const TSIGRecord* tsig_record(message->getTSIGRecord());
    TSIGError tsig_error(TSIGError::NOERROR());

    // Do we do TSIG?
    // The keyring can be null if we're in test
442
    if (impl_->keyring_ != NULL && tsig_record != NULL) {
443
444
445
        tsig_context.reset(new TSIGContext(tsig_record->getName(),
                                           tsig_record->getRdata().
                                                getAlgorithm(),
446
                                           **impl_->keyring_));
447
448
449
        tsig_error = tsig_context->verify(tsig_record, io_message.getData(),
                                          io_message.getDataSize());
    }
JINMEI Tatuya's avatar
JINMEI Tatuya committed
450

451
    bool sendAnswer = true;
452
    if (tsig_error != TSIGError::NOERROR()) {
453
        makeErrorMessage(message, buffer, tsig_error.toRcode(), tsig_context);
454
455
456
    } else if (message->getOpcode() == Opcode::NOTIFY()) {
        sendAnswer = impl_->processNotify(io_message, message, buffer,
                                          tsig_context);
457
    } else if (message->getOpcode() != Opcode::QUERY()) {
458
459
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_UNSUPPORTED_OPCODE)
                  .arg(message->getOpcode().toText());
460
        makeErrorMessage(message, buffer, Rcode::NOTIMP(), tsig_context);
Michal Vaner's avatar
Michal Vaner committed
461
    } else if (message->getRRCount(Message::SECTION_QUESTION) != 1) {
462
        makeErrorMessage(message, buffer, Rcode::FORMERR(), tsig_context);
463
    } else {
464
        ConstQuestionPtr question = *message->beginQuestion();
465
466
        const RRType &qtype = question->getType();
        if (qtype == RRType::AXFR()) {
467
468
            sendAnswer = impl_->processAxfrQuery(io_message, message, buffer,
                                                 tsig_context);
469
        } else if (qtype == RRType::IXFR()) {
470
            makeErrorMessage(message, buffer, Rcode::NOTIMP(), tsig_context);
471
        } else {
472
473
            sendAnswer = impl_->processNormalQuery(io_message, message, buffer,
                                                   tsig_context);
474
        }
475
    }
476

477
    server->resume(sendAnswer);
478
479
480
}

bool
481
AuthSrvImpl::processNormalQuery(const IOMessage& io_message, MessagePtr message,
482
483
                                OutputBufferPtr buffer,
                                auto_ptr<TSIGContext> tsig_context)
484
{
Michal Vaner's avatar
Michal Vaner committed
485
    ConstEDNSPtr remote_edns = message->getEDNS();
486
    const bool dnssec_ok = remote_edns && remote_edns->getDNSSECAwareness();
487
    const uint16_t remote_bufsize = remote_edns ? remote_edns->getUDPSize() :
488
        Message::DEFAULT_MAX_UDPSIZE;
489

490
    message->makeResponse();
Michal Vaner's avatar
Michal Vaner committed
491
    message->setHeaderFlag(Message::HEADERFLAG_AA);
492
    message->setRcode(Rcode::NOERROR());
493

494
495
496
    // Increment query counter.
    incCounter(io_message.getSocket().getProtocol());

497
498
    if (remote_edns) {
        EDNSPtr local_edns = EDNSPtr(new EDNS());
499
        local_edns->setDNSSECAwareness(dnssec_ok);
500
        local_edns->setUDPSize(AuthSrvImpl::DEFAULT_LOCAL_UDPSIZE);
Michal Vaner's avatar
Michal Vaner committed
501
        message->setEDNS(local_edns);
502
    }
503

504
    try {
Jerry's avatar
Jerry committed
505
506
        // If a memory data source is configured call the separate
        // Query::process()
507
508
        const ConstQuestionPtr question = *message->beginQuestion();
        if (memory_datasrc_ && memory_datasrc_class_ == question->getClass()) {
509
510
            const RRType& qtype = question->getType();
            const Name& qname = question->getName();
511
            auth::Query(*memory_datasrc_, qname, qtype, *message).process();
512
        } else {
513
            datasrc::Query query(*message, cache_, dnssec_ok);
514
515
            data_sources_.doQuery(query);
        }
516
    } catch (const Exception& ex) {
517
        LOG_ERROR(auth_logger, AUTH_PROCESS_FAIL).arg(ex.what());
518
        makeErrorMessage(message, buffer, Rcode::SERVFAIL());
519
        return (true);
520
    }
521

522
    MessageRenderer renderer(*buffer);
523
524
    const bool udp_buffer =
        (io_message.getSocket().getProtocol() == IPPROTO_UDP);
525
    renderer.setLengthLimit(udp_buffer ? remote_bufsize : 65535);
526
527
528
529
530
    if (tsig_context.get() != NULL) {
        message->toWire(renderer, *tsig_context);
    } else {
        message->toWire(renderer);
    }
531
532
    LOG_DEBUG(auth_logger, DBG_AUTH_MESSAGES, AUTH_SEND_NORMAL_RESPONSE)
              .arg(renderer.getLength()).arg(message->toText());
533

534
    return (true);
535
536
}

537
bool
538
AuthSrvImpl::processAxfrQuery(const IOMessage& io_message, MessagePtr message,
539
540
                              OutputBufferPtr buffer,
                              auto_ptr<TSIGContext> tsig_context)
JINMEI Tatuya's avatar
JINMEI Tatuya committed
541
{
542
543
544
    // Increment query counter.
    incCounter(io_message.getSocket().getProtocol());

Han Feng's avatar
Han Feng committed
545
    if (io_message.getSocket().getProtocol() == IPPROTO_UDP) {
546
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_AXFR_UDP);
547
        makeErrorMessage(message, buffer, Rcode::FORMERR(), tsig_context);
548
        return (true);
Han Feng's avatar
Han Feng committed
549
    }
550
551

    try {
552
553
554
555
        if (!xfrout_connected_) {
            xfrout_client_.connect();
            xfrout_connected_ = true;
        }
556
557
558
559
        xfrout_client_.sendXfroutRequestInfo(
            io_message.getSocket().getNative(),
            io_message.getData(),
            io_message.getDataSize());
560
    } catch (const XfroutError& err) {
561
        if (xfrout_connected_) {
JINMEI Tatuya's avatar
JINMEI Tatuya committed
562
            // disconnect() may trigger an exception, but since we try it
563
564
565
566
            // only if we've successfully opened it, it shouldn't happen in
            // normal condition.  Should this occur, we'll propagate it to the
            // upper layer.
            xfrout_client_.disconnect();
567
            xfrout_connected_ = false;
568
        }
569

570
571
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_AXFR_ERROR)
                  .arg(err.what());
572
        makeErrorMessage(message, buffer, Rcode::SERVFAIL(), tsig_context);
573
        return (true);
574
    }
575

576
    return (false);
577
578
579
}

bool
580
AuthSrvImpl::processNotify(const IOMessage& io_message, MessagePtr message, 
581
582
                           OutputBufferPtr buffer,
                           std::auto_ptr<TSIGContext> tsig_context)
583
{
584
585
    // The incoming notify must contain exactly one question for SOA of the
    // zone name.
Michal Vaner's avatar
Michal Vaner committed
586
    if (message->getRRCount(Message::SECTION_QUESTION) != 1) {
587
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_NOTIFY_QUESTIONS)
588
                  .arg(message->getRRCount(Message::SECTION_QUESTION));
589
        makeErrorMessage(message, buffer, Rcode::FORMERR(), tsig_context);
590
591
        return (true);
    }
592
    ConstQuestionPtr question = *message->beginQuestion();
593
    if (question->getType() != RRType::SOA()) {
594
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_NOTIFY_RRTYPE)
595
                  .arg(question->getType().toText());
596
        makeErrorMessage(message, buffer, Rcode::FORMERR(), tsig_context);
597
598
599
600
601
602
603
        return (true);
    }

    // According to RFC 1996, rcode should be "no error" and AA bit should be
    // on, but we don't check these conditions.  This behavior is compatible
    // with BIND 9.

604
605
    // TODO check with the conf-mgr whether current server is the auth of the
    // zone
606
607
608
609
610

    // In the code that follows, we simply ignore the notify if any internal
    // error happens rather than returning (e.g.) SERVFAIL.  RFC 1996 is
    // silent about such cases, but there doesn't seem to be anything we can
    // improve at the primary server side by sending an error anyway.
611
    if (xfrin_session_ == NULL) {
612
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_NO_XFRIN);
JINMEI Tatuya's avatar
JINMEI Tatuya committed
613
        return (false);
Han Feng's avatar
Han Feng committed
614
    }
615

JINMEI Tatuya's avatar
JINMEI Tatuya committed
616
617
    const string remote_ip_address =
        io_message.getRemoteEndpoint().getAddress().toText();
JINMEI Tatuya's avatar
JINMEI Tatuya committed
618
619
    static const string command_template_start =
        "{\"command\": [\"notify\", {\"zone_name\" : \"";
620
    static const string command_template_master = "\", \"master\" : \"";
621
    static const string command_template_rrclass = "\", \"zone_class\" : \"";
622
    static const string command_template_end = "\"}]}";
623

Han Feng's avatar
Han Feng committed
624
    try {
625
        ConstElementPtr notify_command = Element::fromJSON(
626
                command_template_start + question->getName().toText() +
627
628
                command_template_master + remote_ip_address +
                command_template_rrclass + question->getClass().toText() +
629
                command_template_end);
Han Feng's avatar
Han Feng committed
630
        const unsigned int seq =
631
            xfrin_session_->group_sendmsg(notify_command, "Zonemgr",
632
                                          "*", "*");
633
        ConstElementPtr env, answer, parsed_answer;
634
        xfrin_session_->group_recvmsg(env, answer, false, seq);
Han Feng's avatar
Han Feng committed
635
        int rcode;
636
637
        parsed_answer = parseAnswer(rcode, answer);
        if (rcode != 0) {
638
            LOG_ERROR(auth_logger, AUTH_ZONEMGR_ERROR)
639
                      .arg(parsed_answer->str());
640
            return (false);
Han Feng's avatar
Han Feng committed
641
        }
642
    } catch (const Exception& ex) {
643
        LOG_ERROR(auth_logger, AUTH_ZONEMGR_COMMS).arg(ex.what());
644
        return (false);
645
    }
646

647
    message->makeResponse();
Michal Vaner's avatar
Michal Vaner committed
648
    message->setHeaderFlag(Message::HEADERFLAG_AA);
649
650
651
    message->setRcode(Rcode::NOERROR());

    MessageRenderer renderer(*buffer);
652
653
654
655
656
    if (tsig_context.get() != NULL) {
        message->toWire(renderer, *tsig_context);
    } else {
        message->toWire(renderer);
    }
Han Feng's avatar
Han Feng committed
657
    return (true);
658
659
}

660
void
661
AuthSrvImpl::incCounter(const int protocol) {
662
663
    // Increment query counter.
    if (protocol == IPPROTO_UDP) {
664
        counters_.inc(AuthCounters::COUNTER_UDP_QUERY);
665
    } else if (protocol == IPPROTO_TCP) {
666
        counters_.inc(AuthCounters::COUNTER_TCP_QUERY);
667
668
669
670
671
672
    } else {
        // unknown protocol
        isc_throw(Unexpected, "Unknown protocol: " << protocol);
    }
}

673
674
675
ConstElementPtr
AuthSrvImpl::setDbFile(ConstElementPtr config) {
    ConstElementPtr answer = isc::config::createAnswer();
676
677

    if (config && config->contains("database_file")) {
678
        db_file_ = config->get("database_file")->stringValue();
679
    } else if (config_session_ != NULL) {
680
681
        bool is_default;
        string item("database_file");
682
683
        ConstElementPtr value = config_session_->getValue(is_default, item);
        ElementPtr final = Element::createMap();
684
685
686
687
688
689
690
691
692
693
694
695

        // If the value is the default, and we are running from
        // a specific directory ('from build'), we need to use
        // a different value than the default (which may not exist)
        // (btw, this should not be done here in the end, i think
        //  the from-source script should have a check for this,
        //  but for that we need offline access to config, so for
        //  now this is a decent solution)
        if (is_default && getenv("B10_FROM_BUILD")) {
            value = Element::create(string(getenv("B10_FROM_BUILD")) +
                                    "/bind10_zones.sqlite3");
        }
696
        final->set(item, value);
697
        config = final;
698
699

        db_file_ = value->stringValue();
700
701
702
    } else {
        return (answer);
    }
703
    LOG_DEBUG(auth_logger, DBG_AUTH_OPS, AUTH_DATA_SOURCE).arg(db_file_);
704

705
706
707
708
709
710
    // create SQL data source
    // Note: the following step is tricky to be exception-safe and to ensure
    // exception guarantee: We first need to perform all operations that can
    // fail, while acquiring resources in the RAII manner.  We then perform
    // delete and swap operations which should not fail.
    DataSrcPtr datasrc_ptr(DataSrcPtr(new Sqlite3DataSrc));
711
    datasrc_ptr->init(config);
712
    data_sources_.addDataSrc(datasrc_ptr);
713

714
715
716
    // The following code should be exception free.
    if (cur_datasrc_ != NULL) {
        data_sources_.removeDataSrc(cur_datasrc_);
717
    }
718
719
    cur_datasrc_ = datasrc_ptr;

720
    return (answer);
721
722
}

723
724
ConstElementPtr
AuthSrv::updateConfig(ConstElementPtr new_config) {
725
    try {
726
727
        // the ModuleCCSession has already checked if we have
        // the correct ElementPtr type as specified in our .spec file
JINMEI Tatuya's avatar
JINMEI Tatuya committed
728
729
730
        if (new_config) {
            configureAuthServer(*this, new_config);
        }
731
        return (impl_->setDbFile(new_config));
732
    } catch (const isc::Exception& error) {
733
        LOG_ERROR(auth_logger, AUTH_CONFIG_UPDATE_FAIL).arg(error.what());
JINMEI Tatuya's avatar
JINMEI Tatuya committed
734
        return (isc::config::createAnswer(1, error.what()));
735
    }
736
}
737

738
bool AuthSrv::submitStatistics() const {
739
740
741
    return (impl_->counters_.submitStatistics());
}

742
uint64_t
743
AuthSrv::getCounter(const AuthCounters::CounterType type) const {
744
    return (impl_->counters_.getCounter(type));
745
}
746
747
748
749
750
751
752
753
754
755
756
757

const AddressList&
AuthSrv::getListenAddresses() const {
    return (impl_->listen_addresses_);
}

void
AuthSrv::setListenAddresses(const AddressList& addresses) {
    installListenAddresses(addresses, impl_->listen_addresses_, *dnss_);
}

void
758
AuthSrv::setDNSService(isc::asiodns::DNSService& dnss) {
759
760
    dnss_ = &dnss;
}
761
762
763
764
765

void
AuthSrv::setTSIGKeyRing(const shared_ptr<TSIGKeyRing>* keyring) {
    impl_->keyring_ = keyring;
}