Skip to content

GitLab

Commit e77575c3 authored by Michal 'vorner' Vaner's avatar Michal 'vorner' Vaner
Browse files

[trac772] Perform the ACL check

parent 49f1d2d2
Hide whitespace changes
Inline Side-by-side
src/bin/xfrout/tests/xfrout_test.py.in
View file @ e77575c3
......@@ -141,6 +141,29 @@ class TestXfroutSession(unittest.TestCase):
self.assertEqual(rcode.to_text(), "NOERROR")
self.assertTrue(self.xfrsess._tsig_ctx is not None)
# ACL checks, put some ACL inside
self.xfrsess._acl = isc.acl.dns.REQUEST_LOADER.load([
{
"from": "127.0.0.1",
"action": "ACCEPT"
},
{
"from": "192.0.2.1",
"action": "DROP"
}
])
# Localhost (the default in this test) is accepted
rcode, msg = self.xfrsess._parse_query_message(self.mdata)
self.assertEqual(rcode.to_text(), "NOERROR")
# This should be dropped completely, therefore returning None
self.xfrsess._remote = ('192.0.2.1', 12345)
rcode, msg = self.xfrsess._parse_query_message(self.mdata)
self.assertTrue(rcode is None)
# This should be rejected, therefore NOTAUTH
self.xfrsess._remote = ('192.0.2.2', 12345)
rcode, msg = self.xfrsess._parse_query_message(self.mdata)
self.assertEqual(rcode.to_text(), "REFUSED")
def test_get_query_zone_name(self):
msg = self.getmsg()
self.assertEqual(self.xfrsess._get_query_zone_name(msg), "example.com.")
......
src/bin/xfrout/xfrout.py.in
View file @ e77575c3
......@@ -144,7 +144,13 @@ class XfroutSession():
# TSIG related checks
rcode = self._check_request_tsig(msg, mdata)
# TODO The ACL check comes here
# ACL checks
acl_result = self._acl.execute(
isc.acl.dns.RequestContext(self._remote))
if acl_result == isc.acl.acl.DROP:
return None, None
elif acl_result == isc.acl.acl.REJECT:
return Rcode.REFUSED(), msg
except Exception as err:
logger.error(XFROUT_PARSE_QUERY_ERROR, str(err))
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment